Commit 76cc0f0f authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/utvideodec: Add several out of array read related checks

Fixes: OV_decode_plane.avi
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent 66acb630
...@@ -268,6 +268,9 @@ static int decode_plane(UtvideoContext *c, int plane_no, ...@@ -268,6 +268,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
send = (height * (slice + 1) / c->slices) & cmask; send = (height * (slice + 1) / c->slices) & cmask;
dest = dst + sstart * stride; dest = dst + sstart * stride;
if (3 * ((dst + send * stride - dest + 7)/8) > get_bits_left(&cbit))
return AVERROR_INVALIDDATA;
for (p = dest; p < dst + send * stride; p += 8) { for (p = dest; p < dst + send * stride; p += 8) {
int bits = get_bits_le(&cbit, 3); int bits = get_bits_le(&cbit, 3);
...@@ -277,6 +280,9 @@ static int decode_plane(UtvideoContext *c, int plane_no, ...@@ -277,6 +280,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
uint32_t sub = 0x80 >> (8 - (bits + 1)), add; uint32_t sub = 0x80 >> (8 - (bits + 1)), add;
int k; int k;
if ((bits + 1) * 8 > get_bits_left(&pbit))
return AVERROR_INVALIDDATA;
for (k = 0; k < 8; k++) { for (k = 0; k < 8; k++) {
p[k] = get_bits_le(&pbit, bits + 1); p[k] = get_bits_le(&pbit, bits + 1);
...@@ -639,9 +645,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -639,9 +645,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
for (j = 0; j < c->slices; j++) { for (j = 0; j < c->slices; j++) {
c->packed_stream[i][j] = packed_stream; c->packed_stream[i][j] = packed_stream;
c->packed_stream_size[i][j] = bytestream2_get_le32(&pb); c->packed_stream_size[i][j] = bytestream2_get_le32(&pb);
left -= c->packed_stream_size[i][j]; if (c->packed_stream_size[i][j] > left)
if (left < 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
left -= c->packed_stream_size[i][j];
packed_stream += c->packed_stream_size[i][j]; packed_stream += c->packed_stream_size[i][j];
} }
} }
...@@ -652,9 +658,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -652,9 +658,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
for (j = 0; j < c->slices; j++) { for (j = 0; j < c->slices; j++) {
c->control_stream[i][j] = control_stream; c->control_stream[i][j] = control_stream;
c->control_stream_size[i][j] = bytestream2_get_le32(&pb); c->control_stream_size[i][j] = bytestream2_get_le32(&pb);
left -= c->control_stream_size[i][j]; if (c->control_stream_size[i][j] > left)
if (left < 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
left -= c->control_stream_size[i][j];
control_stream += c->control_stream_size[i][j]; control_stream += c->control_stream_size[i][j];
} }
} }
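Review bot: The two new checks in decode_plane bound the reads from `cbit` and `pbit`, but the store side of the same loop is still unchecked: `for (p = dest; p < dst + send * stride; p += 8)` followed by `p[k] = ...` for k up to 7 always writes a full group of 8 bytes. The `+ 7)/8` rounding in the added check shows that a slice span which is not a multiple of 8 is expected, so the last group can write up to 7 bytes past `dst + send * stride`. Whether that stays inside the plane depends on stride and allocation padding that are not visible here, so I would either guard the tail group or state the assumption above the loop, e.g. `/* relies on >= 7 bytes of writable padding after dst + send * stride */`. In the decode_frame hunks, `if (c->packed_stream_size[i][j] > left)` and its control_stream twin are only sound if `left` is non-negative on loop entry and the comparison is not skewed by a signed/unsigned mix; both depend on declarations and offset validation outside these hunks, so a short comment naming that precondition would help. Both functions start and end outside the hunks shown.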
......