author | Anton Khirnov <anton@khirnov.net> | 2014-01-02 09:34:20 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2014-05-31 20:05:19 -0400 |
commit | 71b8c8430cf3f7056849257324fc39b423075ba1 (patch) | |
tree | 7cb1611fc1ad7b02691879931781636d7053d0c2 /libavcodec | |
parent | d0ecfe32492bbf27274bbb0c525d2ea59518cd5f (diff) | |
download | ffmpeg-71b8c8430cf3f7056849257324fc39b423075ba1.tar.gz |
sgidec: fix buffer size check in expand_rle_row()
Right now it will spuriously fail if the linesize is exactly equal to
the data width.
CC:libav-stable@libav.org
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/sgidec.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c
index dfa00ed79f..13f505a559 100644
--- a/libavcodec/sgidec.c
+++ b/libavcodec/sgidec.c
@@ -25,6 +25,7 @@
 #include "sgi.h"
 typedef struct SgiState {
+ AVCodecContext *avctx;
 AVFrame picture;
 unsigned int width;
 unsigned int height;
@@ -38,12 +39,12 @@ typedef struct SgiState {
 * Expand an RLE row into a channel.
 * @param s the current image state
 * @param out_buf Points to one line after the output buffer.
- * @param out_end end of line in output buffer
+ * @param len length of out_buf in bytes
 * @param pixelstride pixel stride of input buffer
 * @return size of output in bytes, -1 if buffer overflows
 */
 static int expand_rle_row(SgiState *s, uint8_t *out_buf,
- uint8_t *out_end, int pixelstride)
+ int len, int pixelstride)
 {
 unsigned char pixel, count;
 unsigned char *orig = out_buf;
@@ -57,7 +58,10 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf,
 }
 /* Check for buffer overflow. */
- if(out_buf + pixelstride * count >= out_end) return -1;
+ if (pixelstride * (count - 1) >= len) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
+ return AVERROR_INVALIDDATA;
+ }
 if (pixel & 0x80) {
 while (count--) {
@@ -100,7 +104,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s)
 dest_row -= s->linesize;
 start_offset = bytestream2_get_be32(&g_table);
 bytestream2_seek(&s->g, start_offset, SEEK_SET);
- if (expand_rle_row(s, dest_row + z, dest_row + FFABS(s->linesize),
+ if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z,
 s->depth) != s->width) {
 return AVERROR_INVALIDDATA;
 }
@@ -258,6 +262,15 @@ static av_cold int sgi_end(AVCodecContext *avctx)
 return 0;
 }
+static av_cold int sgi_decode_init(AVCodecContext *avctx)
+{
+ SgiState *s = avctx->priv_data;
+
+ s->avctx = avctx;
+
+ return 0;
+}
+
 AVCodec ff_sgi_decoder = {
 .name = "sgi",
 .type = AVMEDIA_TYPE_VIDEO,
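Review bot: The `@return` line kept as context in the expand_rle_row() doc comment (hunk at -38,12) still promises `-1 if buffer overflows`, while the overflow path added in the next hunk returns `AVERROR_INVALIDDATA`. The comment should follow the code, e.g. `* @return size of output in bytes, a negative AVERROR code if the buffer would overflow`. The new `@param len` line would also be clearer as `* @param len number of bytes available from out_buf to the end of the line`, since the caller passes `FFABS(s->linesize) - z` rather than a whole-buffer size.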
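Review bot: In the hunk at -57,7 the new guard `pixelstride * (count - 1) >= len` compares each run against the full row length, and nothing in the visible lines reduces `len` as `out_buf` advances. The loop body continues outside the hunk, so this is inferred: if `len` is not decremented there, a row built from several runs that each fit on their own can still write past the end of the line, because only the caller's `!= s->width` comparison afterwards would notice. Checking against the remaining space closes that gap, for example by keeping `uint8_t *out_end = out_buf + len;` at the top of the function and testing `if (out_end - out_buf <= pixelstride * (count - 1))`. A regression sample with a multi-run row longer than the line size would confirm the behaviour.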
@@ -266,6 +279,7 @@ AVCodec ff_sgi_decoder = {
 .init = sgi_init,
 .close = sgi_end,
 .decode = decode_frame,
+ .init = sgi_decode_init,
 .long_name = NULL_IF_CONFIG_SMALL("SGI image"),
 }; |
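Review bot: `.init` ends up set twice in `ff_sgi_decoder`: the context line `.init = sgi_init,` stays and `.init = sgi_decode_init,` is added three lines below it. In C the later designated initializer silently wins, so `sgi_init` would no longer be called and whatever setup it performs is skipped (its body is not part of this diff); GCC reports the override with `-Woverride-init`. The simpler fix is to drop the added line and the new `sgi_decode_init()` and put `s->avctx = avctx;` into the existing `sgi_init`. If the new function is kept instead, the old `.init = sgi_init,` entry should be removed only after confirming that nothing in `sgi_init` is still required.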