Commit e398990e authored by Michael Niedermayer

msrledec: fix output_end checks

Fixes out-of-array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 3dbc0ff9
...@@ -138,7 +138,8 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, ...@@ -138,7 +138,8 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3); unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0]; output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + avctx->height * pic->linesize[0]; output_end = output + FFABS(pic->linesize[0]);
while (bytestream2_get_bytes_left(gb) > 0) { while (bytestream2_get_bytes_left(gb) > 0) {
p1 = bytestream2_get_byteu(gb); p1 = bytestream2_get_byteu(gb);
if(p1 == 0) { //Escape code if(p1 == 0) { //Escape code
...@@ -155,6 +156,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, ...@@ -155,6 +156,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
} }
} }
output = pic->data[0] + line * pic->linesize[0]; output = pic->data[0] + line * pic->linesize[0];
output_end = output + FFABS(pic->linesize[0]);
pos = 0; pos = 0;
continue; continue;
} else if(p2 == 1) { //End-of-picture } else if(p2 == 1) { //End-of-picture
...@@ -169,11 +171,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, ...@@ -169,11 +171,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
return -1; return -1;
} }
output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3); output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
output_end = pic->data[0] + line * pic->linesize[0] + FFABS(pic->linesize[0]);
continue; continue;
} }
// Copy data // Copy data
if ((pic->linesize[0] > 0 && output + p2 * (depth >> 3) > output_end) || if (output + p2 * (depth >> 3) > output_end) {
(pic->linesize[0] < 0 && output + p2 * (depth >> 3) < output_end)) {
bytestream2_skip(gb, 2 * (depth >> 3)); bytestream2_skip(gb, 2 * (depth >> 3));
continue; continue;
} else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) { } else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) {
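Review bot: The new bounds test `if (output + p2 * (depth >> 3) > output_end) {` still forms a pointer up to 255 * 4 bytes beyond the row (and possibly beyond the frame buffer) before comparing it; pointer arithmetic past one-past-the-end is undefined in C, so an optimizer is free to assume the sum cannot exceed output_end and fold the check away. Comparing remaining space instead keeps the arithmetic in bounds: `if (p2 * (depth >> 3) > output_end - output) {`, and the same rewrite applies to the run-of-pixels check in the following hunk. The row-end expression is now spelled out in three places (initialisation, end-of-line, delta); a one-line comment at the first one, `/* output_end marks the end of the current row; every copy/run is clipped against it */`, would make the invariant explicit for the next reader. The enclosing msrle_decode_8_16_24_32 starts and ends outside this hunk.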
...@@ -203,8 +205,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, ...@@ -203,8 +205,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
pos += p2; pos += p2;
} else { //run of pixels } else { //run of pixels
uint8_t pix[3]; //original pixel uint8_t pix[3]; //original pixel
if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || if (output + p1 * (depth >> 3) > output_end)
(pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end))
continue; continue;
switch(depth){ switch(depth){