Skip to content

F
ffmpeg.wasm-core
Commit 3819db74 authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

avcodec/rpza: Perform pointer advance and checks before using the pointers 

Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 920046ab
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 4 deletions
libavcodec/rpza.c
View file @ 3819db74
...@@ -85,7 +85,7 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -85,7 +85,7 @@ static void rpza_decode_stream(RpzaContext *s)
unsigned short *pixels = (unsigned short *)s->frame.data[0]; unsigned short *pixels = (unsigned short *)s->frame.data[0];
int row_ptr = 0; int row_ptr = 0;
int pixel_ptr = 0; int pixel_ptr = -4;
int block_ptr; int block_ptr;
int pixel_x, pixel_y; int pixel_x, pixel_y;
int total_blocks; int total_blocks;
...@@ -141,6 +141,7 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -141,6 +141,7 @@ static void rpza_decode_stream(RpzaContext *s)
colorA = AV_RB16 (&s->buf[stream_ptr]); colorA = AV_RB16 (&s->buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
while (n_blocks--) { while (n_blocks--) {
ADVANCE_BLOCK()
block_ptr = row_ptr + pixel_ptr; block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){ for (pixel_x = 0; pixel_x < 4; pixel_x++){
...@@ -149,7 +150,6 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -149,7 +150,6 @@ static void rpza_decode_stream(RpzaContext *s)
} }
block_ptr += row_inc; block_ptr += row_inc;
} }
ADVANCE_BLOCK();
} }
break; break;
...@@ -188,6 +188,7 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -188,6 +188,7 @@ static void rpza_decode_stream(RpzaContext *s)
if (s->size - stream_ptr < n_blocks * 4) if (s->size - stream_ptr < n_blocks * 4)
return; return;
while (n_blocks--) { while (n_blocks--) {
ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr; block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_y = 0; pixel_y < 4; pixel_y++) {
index = s->buf[stream_ptr++]; index = s->buf[stream_ptr++];
...@@ -198,7 +199,6 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -198,7 +199,6 @@ static void rpza_decode_stream(RpzaContext *s)
} }
block_ptr += row_inc; block_ptr += row_inc;
} }
ADVANCE_BLOCK();
} }
break; break;
...@@ -206,6 +206,7 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -206,6 +206,7 @@ static void rpza_decode_stream(RpzaContext *s)
case 0x00: case 0x00:
if (s->size - stream_ptr < 16) if (s->size - stream_ptr < 16)
return; return;
ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr; block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){ for (pixel_x = 0; pixel_x < 4; pixel_x++){
...@@ -219,7 +220,6 @@ static void rpza_decode_stream(RpzaContext *s) ...@@ -219,7 +220,6 @@ static void rpza_decode_stream(RpzaContext *s)
} }
block_ptr += row_inc; block_ptr += row_inc;
} }
ADVANCE_BLOCK();
break; break;
/* Unknown opcode */ /* Unknown opcode */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment