Commit 37fca5da authored by Michael Niedermayer's avatar Michael Niedermayer

mmvideo: fix overreads of the input buffer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 999d38f3
...@@ -123,11 +123,18 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const ...@@ -123,11 +123,18 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const
*/ */
static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size) static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size)
{ {
const int data_ptr = 2 + AV_RL16(&buf[0]); int data_ptr;
int d, r, y; int d, r, y;
if(buf_size < 2) {
av_log(s->avctx, AV_LOG_ERROR, "1 or less byte inter frame\n");
return;
}
data_ptr = 2 + AV_RL16(&buf[0]);
d = data_ptr; r = 2; y = 0; d = data_ptr; r = 2; y = 0;
while(r < data_ptr) { while(r + 1 < data_ptr) {
int i, j; int i, j;
int length = buf[r] & 0x7f; int length = buf[r] & 0x7f;
int x = buf[r+1] + ((buf[r] & 0x80) << 1); int x = buf[r+1] + ((buf[r] & 0x80) << 1);
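Review bot: `data_ptr` is still taken straight from the first two bytes of the input (`2 + AV_RL16(&buf[0])`) and is never compared against `buf_size` in this hunk, so the loop bound `r + 1 < data_ptr` on the `while` line does not keep `buf[r]` and `buf[r+1]` inside the buffer when the declared offset exceeds the packet length. The new `buf_size < 2` check only makes the initial two-byte read safe. After computing `data_ptr`, I would add `if (data_ptr > buf_size) { av_log(s->avctx, AV_LOG_ERROR, "data_ptr beyond input buffer\n"); return; }` so every index below `data_ptr` is known to be in range; the later `r+length > buf_size` check in the second hunk guards the mask bytes but runs after these two reads. Unless a check like that sits in lines this view hides, a truncated packet with a large offset field still reads past the buffer. mm_decode_inter's body continues beyond this hunk.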
...@@ -138,14 +145,19 @@ static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const ...@@ -138,14 +145,19 @@ static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const
continue; continue;
} }
if (y + half_vert >= s->avctx->height) if (y + half_vert >= s->avctx->height || r+length > buf_size)
return; return;
for(i=0; i<length; i++) { for(i=0; i<length; i++) {
for(j=0; j<8; j++) { for(j=0; j<8; j++) {
int replace = (buf[r+i] >> (7-j)) & 1; int replace = (buf[r+i] >> (7-j)) & 1;
if (replace) { if (replace) {
int color = buf[d]; int color;
if (d >= buf_size) {
av_log(s->avctx, AV_LOG_ERROR, "overread buf\n");
return;
}
color = buf[d];
s->frame.data[0][y*s->frame.linesize[0] + x] = color; s->frame.data[0][y*s->frame.linesize[0] + x] = color;
if (half_horiz) if (half_horiz)
s->frame.data[0][y*s->frame.linesize[0] + x + 1] = color; s->frame.data[0][y*s->frame.linesize[0] + x + 1] = color;