Commit da0f67b1 authored by Michael Niedermayer's avatar Michael Niedermayer

Merge commit 'bd7b4da0'

* commit 'bd7b4da0':
  8bps: Bound-check the input buffer

Conflicts:
	libavcodec/8bps.c

See: 66ff90f4Merged-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parents 82654172 bd7b4da0
...@@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, ...@@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
unsigned char *pixptr, *pixptr_end; unsigned char *pixptr, *pixptr_end;
unsigned int height = avctx->height; // Real image height unsigned int height = avctx->height; // Real image height
unsigned int dlen, p, row; unsigned int dlen, p, row;
const unsigned char *lp, *dp; const unsigned char *lp, *dp, *ep;
unsigned char count; unsigned char count;
unsigned int planes = c->planes; unsigned int planes = c->planes;
unsigned char *planemap = c->planemap; unsigned char *planemap = c->planemap;
...@@ -73,6 +73,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, ...@@ -73,6 +73,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
return ret; return ret;
ep = encoded + buf_size;
/* Set data pointer after line lengths */ /* Set data pointer after line lengths */
dp = encoded + planes * (height << 1); dp = encoded + planes * (height << 1);
...@@ -84,19 +86,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, ...@@ -84,19 +86,19 @@ static int decode_frame(AVCodecContext *avctx, void *data,
for (row = 0; row < height; row++) { for (row = 0; row < height; row++) {
pixptr = frame->data[0] + row * frame->linesize[0] + planemap[p]; pixptr = frame->data[0] + row * frame->linesize[0] + planemap[p];
pixptr_end = pixptr + frame->linesize[0]; pixptr_end = pixptr + frame->linesize[0];
if(lp - encoded + row*2 + 1 >= buf_size) if (ep - lp < row * 2 + 2)
return -1; return AVERROR_INVALIDDATA;
dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2)); dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2));
/* Decode a row of this plane */ /* Decode a row of this plane */
while (dlen > 0) { while (dlen > 0) {
if (dp + 1 >= buf + buf_size) if (ep - dp <= 1)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if ((count = *dp++) <= 127) { if ((count = *dp++) <= 127) {
count++; count++;
dlen -= count + 1; dlen -= count + 1;
if (pixptr + count * planes > pixptr_end) if (pixptr + count * planes > pixptr_end)
break; break;
if (dp + count > buf + buf_size) if (ep - dp < count)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
while (count--) { while (count--) {
*pixptr = *dp++; *pixptr = *dp++;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment