Skip to content

F
ffmpeg.wasm-core
Commit 73562f1f authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

Merge commit '8136f234' 

* commit '8136f234':
  yop: check for input overreads.
Merged-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parents 3138b158 8136f234
Hide whitespace changes
Inline Side-by-side
Showing with 17 additions and 7 deletions
libavcodec/yop.c
View file @ 73562f1f
...@@ -39,6 +39,7 @@ typedef struct YopDecContext { ...@@ -39,6 +39,7 @@ typedef struct YopDecContext {
uint8_t *low_nibble; uint8_t *low_nibble;
uint8_t *srcptr; uint8_t *srcptr;
uint8_t *src_end;
uint8_t *dstptr; uint8_t *dstptr;
uint8_t *dstbuf; uint8_t *dstbuf;
} YopDecContext; } YopDecContext;
...@@ -124,8 +125,13 @@ static av_cold int yop_decode_close(AVCodecContext *avctx) ...@@ -124,8 +125,13 @@ static av_cold int yop_decode_close(AVCodecContext *avctx)
* @param s codec context * @param s codec context
* @param tag the tag that was in the nibble * @param tag the tag that was in the nibble
*/ */
static void yop_paint_block(YopDecContext *s, int tag) static int yop_paint_block(YopDecContext *s, int tag)
{ {
if (s->src_end - s->srcptr < paint_lut[tag][3]) {
av_log(s->avctx, AV_LOG_ERROR, "Packet too small.\n");
return AVERROR_INVALIDDATA;
}
s->dstptr[0] = s->srcptr[0]; s->dstptr[0] = s->srcptr[0];
s->dstptr[1] = s->srcptr[paint_lut[tag][0]]; s->dstptr[1] = s->srcptr[paint_lut[tag][0]];
s->dstptr[s->frame.linesize[0]] = s->srcptr[paint_lut[tag][1]]; s->dstptr[s->frame.linesize[0]] = s->srcptr[paint_lut[tag][1]];
...@@ -133,6 +139,7 @@ static void yop_paint_block(YopDecContext *s, int tag) ...@@ -133,6 +139,7 @@ static void yop_paint_block(YopDecContext *s, int tag)
// The number of src bytes consumed is in the last part of the lut entry. // The number of src bytes consumed is in the last part of the lut entry.
s->srcptr += paint_lut[tag][3]; s->srcptr += paint_lut[tag][3];
return 0;
} }
/** /**
...@@ -185,14 +192,14 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -185,14 +192,14 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
int ret, i, x, y; int ret, i, x, y;
uint32_t *palette; uint32_t *palette;
if (s->frame.data[0]) if (avpkt->size < 4 + 3 * s->num_pal_colors) {
avctx->release_buffer(avctx, &s->frame); av_log(avctx, AV_LOG_ERROR, "Packet too small.\n");
if (avpkt->size < 4 + 3*s->num_pal_colors) {
av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
if (s->frame.data[0])
avctx->release_buffer(avctx, &s->frame);
ret = ff_get_buffer(avctx, &s->frame); ret = ff_get_buffer(avctx, &s->frame);
if (ret < 0) { if (ret < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
...@@ -202,6 +209,7 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -202,6 +209,7 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
s->dstbuf = s->frame.data[0]; s->dstbuf = s->frame.data[0];
s->dstptr = s->frame.data[0]; s->dstptr = s->frame.data[0];
s->srcptr = avpkt->data + 4; s->srcptr = avpkt->data + 4;
s->src_end = avpkt->data + avpkt->size;
s->low_nibble = NULL; s->low_nibble = NULL;
is_odd_frame = avpkt->data[0]; is_odd_frame = avpkt->data[0];
...@@ -232,7 +240,9 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -232,7 +240,9 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
tag = yop_get_next_nibble(s); tag = yop_get_next_nibble(s);
if (tag != 0xf) { if (tag != 0xf) {
yop_paint_block(s, tag); ret = yop_paint_block(s, tag);
if (ret < 0)
return ret;
} else { } else {
tag = yop_get_next_nibble(s); tag = yop_get_next_nibble(s);
ret = yop_copy_previous_block(s, tag); ret = yop_copy_previous_block(s, tag);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment