Skip to content

F
ffmpeg.wasm-core
Commit 2b790b1c authored by Paul B Mahol's avatar Paul B Mahol
Browse files
Options

avcodec/xpmdec: do not allow number of colors to be higher than allocated 

Signed-off-by: 's avatarPaul B Mahol <onemda@gmail.com>
parent fbc1f323
Hide whitespace changes
Inline Side-by-side
Showing with 8 additions and 15 deletions
libavcodec/xpmdec.c
View file @ 2b790b1c
...@@ -328,29 +328,22 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, ...@@ -328,29 +328,22 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
if ((ret = ff_get_buffer(avctx, p, 0)) < 0) if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
return ret; return ret;
if (ncolors <= 0) { if (cpp <= 0 || cpp >= 5) {
av_log(avctx, AV_LOG_ERROR, "invalid number of colors: %d\n", ncolors); av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
if (cpp <= 0) { size = 1;
av_log(avctx, AV_LOG_ERROR, "invalid number of chars per pixel: %d\n", cpp); for (i = 0; i < cpp; i++)
size *= 94;
if (ncolors <= 0 || ncolors > size) {
av_log(avctx, AV_LOG_ERROR, "invalid number of colors: %d\n", ncolors);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
size = 1;
j = 1;
for (i = 0; i < cpp; i++) {
size += j * 94;
j *= 95;
}
size *= 4; size *= 4;
if (size < 0) {
av_log(avctx, AV_LOG_ERROR, "unsupported number of chars per pixel: %d\n", cpp);
return AVERROR(ENOMEM);
}
av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); av_fast_padded_malloc(&x->pixels, &x->pixels_size, size);
if (!x->pixels) if (!x->pixels)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment