Commit d96f6df3 authored by Clément Bœsch's avatar Clément Bœsch

Merge commit '7ebdffc3'

* commit '7ebdffc3':
  dxv: Check to make sure we don't overrun buffers on corrupt inputs
Merged-by: Clément Bœsch <u@pkh.me>
parents aabe5257 7ebdffc3
...@@ -133,7 +133,7 @@ static int dxv_decompress_dxt1(AVCodecContext *avctx) ...@@ -133,7 +133,7 @@ static int dxv_decompress_dxt1(AVCodecContext *avctx)
AV_WL32(ctx->tex_data + 4, bytestream2_get_le32(gbc)); AV_WL32(ctx->tex_data + 4, bytestream2_get_le32(gbc));
/* Process input until the whole texture has been filled */ /* Process input until the whole texture has been filled */
while (pos < ctx->tex_size / 4) { while (pos + 2 <= ctx->tex_size / 4) {
CHECKPOINT(2); CHECKPOINT(2);
/* Copy two elements from a previous offset or from the input buffer */ /* Copy two elements from a previous offset or from the input buffer */
...@@ -186,7 +186,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) ...@@ -186,7 +186,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
AV_WL32(ctx->tex_data + 12, bytestream2_get_le32(gbc)); AV_WL32(ctx->tex_data + 12, bytestream2_get_le32(gbc));
/* Process input until the whole texture has been filled */ /* Process input until the whole texture has been filled */
while (pos < ctx->tex_size / 4) { while (pos + 2 <= ctx->tex_size / 4) {
if (run) { if (run) {
run--; run--;
...@@ -215,7 +215,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) ...@@ -215,7 +215,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
check += probe; check += probe;
} while (probe == 0xFFFF); } while (probe == 0xFFFF);
} }
while (check && pos < ctx->tex_size / 4) { while (check && pos + 4 <= ctx->tex_size / 4) {
prev = AV_RL32(ctx->tex_data + 4 * (pos - 4)); prev = AV_RL32(ctx->tex_data + 4 * (pos - 4));
AV_WL32(ctx->tex_data + 4 * pos, prev); AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++; pos++;
...@@ -260,10 +260,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) ...@@ -260,10 +260,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
case 2: case 2:
/* Copy two dwords from a previous index */ /* Copy two dwords from a previous index */
idx = 8 + bytestream2_get_le16(gbc); idx = 8 + bytestream2_get_le16(gbc);
if (idx > pos) { if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
}
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx)); prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
AV_WL32(ctx->tex_data + 4 * pos, prev); AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++; pos++;
...@@ -286,9 +284,13 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) ...@@ -286,9 +284,13 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
} }
CHECKPOINT(4); CHECKPOINT(4);
if (pos + 2 > ctx->tex_size / 4)
return AVERROR_INVALIDDATA;
/* Copy two elements from a previous offset or from the input buffer */ /* Copy two elements from a previous offset or from the input buffer */
if (op) { if (op) {
if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
return AVERROR_INVALIDDATA;
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx)); prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
AV_WL32(ctx->tex_data + 4 * pos, prev); AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++; pos++;
...@@ -299,6 +301,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) ...@@ -299,6 +301,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
} else { } else {
CHECKPOINT(4); CHECKPOINT(4);
if (op && (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4))
return AVERROR_INVALIDDATA;
if (op) if (op)
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx)); prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
else else
......
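Review bot: The new rejections in dxv_decompress_dxt5 return `AVERROR_INVALIDDATA` silently, and the case 2 hunk removes the only `av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);` that reported a bad back-reference, so a corrupt file now fails with no indication of which bound was hit. I would keep a log line in front of each `return`, covering the `pos + 2 > ctx->tex_size / 4` check and the three `idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4` checks, ideally through one small helper macro, since the same expression is now written out three times and can drift. A short comment on that expression, such as `/* source of the two-dword copy must lie inside tex_data */`, would also help, because the unsigned cast is only safe once `idx > pos` has been rejected. The last hunk stops right after the first guarded read in the `else` branch, so this page cannot confirm whether reads that follow a later `CHECKPOINT(4)` are covered by the same check.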