diff options
| author | Roberto Togni <r_togni@tiscali.it> | 2005-01-23 21:36:24 +0000 |
|---|---|---|
| committer | Roberto Togni <r_togni@tiscali.it> | 2005-01-23 21:36:24 +0000 |
| commit | cca1a4265388eed91156216cec7ed5c8c9f8016d (patch) | |
| tree | b7794ade44d0078f6c9ca150b32372f9b7cfb96a /libavcodec/qdrw.c | |
| parent | 4ae33c9b52a463e8580176046bd4ad6eecfabc2e (diff) | |
| download | ffmpeg-cca1a4265388eed91156216cec7ed5c8c9f8016d.tar.gz | |
Check pointers before writing to memory
Originally committed as revision 3874 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/qdrw.c')
| -rw-r--r-- | libavcodec/qdrw.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 4fc9703227..a12d450679 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -65,10 +65,15 @@ static int decode_frame(AVCodecContext *avctx, } for (i = 0; i <= colors; i++) { - int idx; + unsigned int idx; idx = BE_16(buf); /* color index */ buf += 2; + if (idx > 255) { + av_log(avctx, AV_LOG_ERROR, "Palette index out of range: %u\n", idx); + buf += 6; + continue; + } a->palette[idx * 3 + 0] = *buf++; buf++; a->palette[idx * 3 + 1] = *buf++; @@ -77,9 +82,6 @@ static int decode_frame(AVCodecContext *avctx, buf++; } - if (colors) - a->pic.palette_has_changed = 1; - buf += 18; /* skip unneeded data */ for (i = 0; i < avctx->height; i++) { int size, left, code, pix; @@ -98,6 +100,8 @@ static int decode_frame(AVCodecContext *avctx, if (code & 0x80 ) { /* run */ int i; pix = *buf++; + if ((out + (257 - code) * 3) > (outdata + a->pic.linesize[0])) + break; for (i = 0; i < 257 - code; i++) { *out++ = a->palette[pix * 3 + 0]; *out++ = a->palette[pix * 3 + 1]; @@ -107,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx, left -= 2; } else { /* copy */ int i, pix; + if ((out + code * 3) > (outdata + a->pic.linesize[0])) + break; for (i = 0; i <= code; i++) { pix = *buf++; *out++ = a->palette[pix * 3 + 0]; @@ -130,6 +136,10 @@ static int decode_frame(AVCodecContext *avctx, static int decode_init(AVCodecContext *avctx){ // QdrawContext * const a = avctx->priv_data; + if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) { + return 1; + } + avctx->pix_fmt= PIX_FMT_RGB24; return 0; |