diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2013-12-19 17:14:59 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-12-19 17:16:34 +0100 |
commit | 5a5c1b244281c3edcffca322b0c664ed620b1e24 (patch) | |
tree | 3ed678eef689369cf637cbad94024d9215c03d9b /libavcodec | |
parent | f6c95f4f8c2f592c14239baf11a47b42170830e6 (diff) | |
download | ffmpeg-5a5c1b244281c3edcffca322b0c664ed620b1e24.tar.gz |
avcodec/dxa: check for overread in decode_13()
Fixes use of uninitialized memory
Fixes part of msan_uninit-mem_7f5ea8284fb7_8317_scummvm.dxa
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/dxa.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index e6750e95bd..0f64b5e619 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -51,13 +51,17 @@ static const int shift1[6] = { 0, 8, 8, 8, 4, 4 }; static const int shift2[6] = { 0, 0, 8, 4, 0, 4 }; static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst, - int stride, uint8_t *src, uint8_t *ref) + int stride, uint8_t *src, int srcsize, uint8_t *ref) { uint8_t *code, *data, *mv, *msk, *tmp, *tmp2; + uint8_t *src_end = src + srcsize; int i, j, k; int type, x, y, d, d2; uint32_t mask; + if (12ULL + ((avctx->width * avctx->height) >> 4) + AV_RB32(src + 0) + AV_RB32(src + 4) > srcsize) + return AVERROR_INVALIDDATA; + code = src + 12; data = code + ((avctx->width * avctx->height) >> 4); mv = data + AV_RB32(src + 0); @@ -65,6 +69,8 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst, for(j = 0; j < avctx->height; j += 4){ for(i = 0; i < avctx->width; i += 4){ + if (data > src_end || mv > src_end || msk > src_end) + return AVERROR_INVALIDDATA; tmp = dst + i; tmp2 = ref + i; type = *code++; @@ -302,7 +308,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac av_log(avctx, AV_LOG_ERROR, "Missing reference frame\n"); return AVERROR_INVALIDDATA; } - decode_13(avctx, c, frame->data[0], frame->linesize[0], srcptr, c->prev->data[0]); + decode_13(avctx, c, frame->data[0], frame->linesize[0], srcptr, dsize, c->prev->data[0]); break; default: av_log(avctx, AV_LOG_ERROR, "Unknown/unsupported compression type %d\n", compr); |