diff options
author | Stefano Sabatini <stefano.sabatini-lala@poste.it> | 2010-12-02 19:49:55 +0000 |
---|---|---|
committer | Stefano Sabatini <stefano.sabatini-lala@poste.it> | 2010-12-02 19:49:55 +0000 |
commit | 9398024c048092786f1dcf0809fb55bdbf96a70f (patch) | |
tree | f976aabfe5e3cc90cace9df694890241833f5f46 /libavcore/imgutils.c | |
parent | 3694ac240bc374528e7e83768d6cfd22882a6a11 (diff) | |
download | ffmpeg-9398024c048092786f1dcf0809fb55bdbf96a70f.tar.gz |
Add missing overflow checks in av_image_fill_pointers() and
av_image_fill_linesizes().
Originally committed as revision 25861 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcore/imgutils.c')
-rw-r--r-- | libavcore/imgutils.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/libavcore/imgutils.c b/libavcore/imgutils.c index 554639f3b2..cf7909342d 100644 --- a/libavcore/imgutils.c +++ b/libavcore/imgutils.c @@ -71,6 +71,8 @@ int av_image_fill_linesizes(int linesizes[4], enum PixelFormat pix_fmt, int widt return AVERROR(EINVAL); if (desc->flags & PIX_FMT_BITSTREAM) { + if (width > (INT_MAX -7) / (desc->comp[0].step_minus1+1)) + return AVERROR(EINVAL); linesizes[0] = (width * (desc->comp[0].step_minus1+1) + 7) >> 3; return 0; } @@ -78,7 +80,10 @@ int av_image_fill_linesizes(int linesizes[4], enum PixelFormat pix_fmt, int widt av_image_fill_max_pixsteps(max_step, max_step_comp, desc); for (i = 0; i < 4; i++) { int s = (max_step_comp[i] == 1 || max_step_comp[i] == 2) ? desc->log2_chroma_w : 0; - linesizes[i] = max_step[i] * (((width + (1 << s) - 1)) >> s); + int shifted_w = ((width + (1 << s) - 1)) >> s; + if (max_step[i] > INT_MAX / shifted_w) + return AVERROR(EINVAL); + linesizes[i] = max_step[i] * shifted_w; } return 0; @@ -98,6 +103,8 @@ int av_image_fill_pointers(uint8_t *data[4], enum PixelFormat pix_fmt, int heigh return AVERROR(EINVAL); data[0] = ptr; + if (linesizes[0] > (INT_MAX - 1024) / height) + return AVERROR(EINVAL); size[0] = linesizes[0] * height; if (desc->flags & PIX_FMT_PAL) { @@ -114,7 +121,11 @@ int av_image_fill_pointers(uint8_t *data[4], enum PixelFormat pix_fmt, int heigh int h, s = (i == 1 || i == 2) ? desc->log2_chroma_h : 0; data[i] = data[i-1] + size[i-1]; h = (height + (1 << s) - 1) >> s; + if (linesizes[i] > INT_MAX / h) + return AVERROR(EINVAL); size[i] = h * linesizes[i]; + if (total_size > INT_MAX - size[i]) + return AVERROR(EINVAL); total_size += size[i]; } |