Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in / Register
Toggle navigation
F
ffmpeg.wasm-core
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Linshizhi
ffmpeg.wasm-core
Commits
de049a95
Commit
de049a95
authored
Sep 30, 2011
by
Laurent Aimar
Committed by
Janne Grunau
Oct 10, 2011
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
avs: check for out of bound reads
Signed-off-by:
Janne Grunau
<
janne-libav@jannau.net
>
parent
76c6971a
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
11 additions
and
0 deletions
+11
-0
avs.c
libavcodec/avs.c
+11
-0
No files found.
libavcodec/avs.c
View file @
de049a95
...
...
@@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx,
void
*
data
,
int
*
data_size
,
AVPacket
*
avpkt
)
{
const
uint8_t
*
buf
=
avpkt
->
data
;
const
uint8_t
*
buf_end
=
avpkt
->
data
+
avpkt
->
size
;
int
buf_size
=
avpkt
->
size
;
AvsContext
*
const
avs
=
avctx
->
priv_data
;
AVFrame
*
picture
=
data
;
...
...
@@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx,
out
=
avs
->
picture
.
data
[
0
];
stride
=
avs
->
picture
.
linesize
[
0
];
if
(
buf_end
-
buf
<
4
)
return
AVERROR_INVALIDDATA
;
sub_type
=
buf
[
0
];
type
=
buf
[
1
];
buf
+=
4
;
...
...
@@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx,
first
=
AV_RL16
(
buf
);
last
=
first
+
AV_RL16
(
buf
+
2
);
if
(
first
>=
256
||
last
>
256
||
buf_end
-
buf
<
4
+
4
+
3
*
(
last
-
first
))
return
AVERROR_INVALIDDATA
;
buf
+=
4
;
for
(
i
=
first
;
i
<
last
;
i
++
,
buf
+=
3
)
pal
[
i
]
=
(
buf
[
0
]
<<
18
)
|
(
buf
[
1
]
<<
10
)
|
(
buf
[
2
]
<<
2
);
...
...
@@ -114,9 +119,13 @@ avs_decode_frame(AVCodecContext * avctx,
return
-
1
;
}
if
(
buf_end
-
buf
<
256
*
vect_w
*
vect_h
)
return
AVERROR_INVALIDDATA
;
table
=
buf
+
(
256
*
vect_w
*
vect_h
);
if
(
sub_type
!=
AVS_I_FRAME
)
{
int
map_size
=
((
318
/
vect_w
+
7
)
/
8
)
*
(
198
/
vect_h
);
if
(
buf_end
-
table
<
map_size
)
return
AVERROR_INVALIDDATA
;
init_get_bits
(
&
change_map
,
table
,
map_size
*
8
);
table
+=
map_size
;
}
...
...
@@ -124,6 +133,8 @@ avs_decode_frame(AVCodecContext * avctx,
for
(
y
=
0
;
y
<
198
;
y
+=
vect_h
)
{
for
(
x
=
0
;
x
<
318
;
x
+=
vect_w
)
{
if
(
sub_type
==
AVS_I_FRAME
||
get_bits1
(
&
change_map
))
{
if
(
buf_end
-
table
<
1
)
return
AVERROR_INVALIDDATA
;
vect
=
&
buf
[
*
table
++
*
(
vect_w
*
vect_h
)];
for
(
j
=
0
;
j
<
vect_w
;
j
++
)
{
out
[(
y
+
0
)
*
stride
+
x
+
j
]
=
vect
[(
0
*
vect_w
)
+
j
];
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
Janne Grunau <janne-libav@jannau.net>Janne Grunau <janne-libav@jannau.net>