Commit 9b55b4bb authored by Aneesh Dogra, committed by Ronald S. Bultje

4xm: Prevent buffer overreads.

4xm decoder while decoding i2 frames can overread the buffer if proper checks
are not made.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
parent e268a352
...@@ -614,16 +614,24 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ ...@@ -614,16 +614,24 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
int x, y, x2, y2; int x, y, x2, y2;
const int width= f->avctx->width; const int width= f->avctx->width;
const int height= f->avctx->height; const int height= f->avctx->height;
const int mbs = (FFALIGN(width, 16) >> 4) * (FFALIGN(height, 16) >> 4);
uint16_t *dst= (uint16_t*)f->current_picture.data[0]; uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1; const int stride= f->current_picture.linesize[0]>>1;
GetByteContext g3;
if(length < mbs * 8) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA;
}
bytestream2_init(&g3, buf, length);
for(y=0; y<height; y+=16){ for(y=0; y<height; y+=16){
for(x=0; x<width; x+=16){ for(x=0; x<width; x+=16){
unsigned int color[4], bits; unsigned int color[4], bits;
memset(color, 0, sizeof(color)); memset(color, 0, sizeof(color));
//warning following is purely guessed ... //warning following is purely guessed ...
color[0]= bytestream_get_le16(&buf); color[0]= bytestream2_get_le16u(&g3);
color[1]= bytestream_get_le16(&buf); color[1]= bytestream2_get_le16u(&g3);
if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n");
if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n");
...@@ -631,7 +639,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ ...@@ -631,7 +639,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
color[2]= mix(color[0], color[1]); color[2]= mix(color[0], color[1]);
color[3]= mix(color[1], color[0]); color[3]= mix(color[1], color[0]);
bits= bytestream_get_le32(&buf); bits= bytestream2_get_le32u(&g3);
for(y2=0; y2<16; y2++){ for(y2=0; y2<16; y2++){
for(x2=0; x2<16; x2++){ for(x2=0; x2<16; x2++){
int index= 2*(x2>>2) + 8*(y2>>2); int index= 2*(x2>>2) + 8*(y2>>2);
......
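Review bot: The unchecked `bytestream2_get_le16u`/`bytestream2_get_le32u` reads in the loop are safe only because of the `length < mbs * 8` guard, and the `8` is an unexplained constant. It corresponds to the two 16-bit colours plus the 32-bit `bits` word read per 16x16 block, so I would add a comment above the check such as `/* each 16x16 block consumes 2 + 2 + 4 = 8 bytes; the unchecked reads below rely on this */`. Any later read added inside the loop would silently reintroduce the overread unless the constant is updated with it; the checked `bytestream2_get_le16`/`bytestream2_get_le32` variants would remove that coupling at a small cost. `mbs * 8` is computed in `int` and presumably depends on width and height being validated elsewhere, which is not visible here. The body of `decode_i2_frame` continues outside the hunk, so the destination writes for dimensions that are not multiples of 16 could not be checked from this view.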