diff options
author | Laurent Aimar <fenrir@videolan.org> | 2011-09-30 23:42:31 +0000 |
---|---|---|
committer | Janne Grunau <janne-libav@jannau.net> | 2011-10-10 21:36:12 +0200 |
commit | de049a95f4a8089b2878c7fcef6cac7e88a8f1bf (patch) | |
tree | ac730c2e5d34151c6a62b31a348162dc8cfb95b2 /libavcodec | |
parent | 76c6971a6464705f263fc30e537b370a3a7c853b (diff) | |
download | ffmpeg-de049a95f4a8089b2878c7fcef6cac7e88a8f1bf.tar.gz |
avs: check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/avs.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 8221b7b766..3ccded3f8c 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; AvsContext *const avs = avctx->priv_data; AVFrame *picture = data; @@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx, out = avs->picture.data[0]; stride = avs->picture.linesize[0]; + if (buf_end - buf < 4) + return AVERROR_INVALIDDATA; sub_type = buf[0]; type = buf[1]; buf += 4; @@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx, first = AV_RL16(buf); last = first + AV_RL16(buf + 2); + if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first)) + return AVERROR_INVALIDDATA; buf += 4; for (i=first; i<last; i++, buf+=3) pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2); @@ -114,9 +119,13 @@ avs_decode_frame(AVCodecContext * avctx, return -1; } + if (buf_end - buf < 256 * vect_w * vect_h) + return AVERROR_INVALIDDATA; table = buf + (256 * vect_w * vect_h); if (sub_type != AVS_I_FRAME) { int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h); + if (buf_end - table < map_size) + return AVERROR_INVALIDDATA; init_get_bits(&change_map, table, map_size * 8); table += map_size; } @@ -124,6 +133,8 @@ avs_decode_frame(AVCodecContext * avctx, for (y=0; y<198; y+=vect_h) { for (x=0; x<318; x+=vect_w) { if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) { + if (buf_end - table < 1) + return AVERROR_INVALIDDATA; vect = &buf[*table++ * (vect_w * vect_h)]; for (j=0; j<vect_w; j++) { out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j]; |