Skip to content

F
ffmpeg.wasm-core
Commit f707a5eb authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

buffer overflows 

Originally committed as revision 4142 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 856dbbff
Hide whitespace changes
Inline Side-by-side
Showing with 15 additions and 3 deletions
libavcodec/indeo2.c
View file @ f707a5eb
...@@ -53,7 +53,7 @@ if (value > 255) \ ...@@ -53,7 +53,7 @@ if (value > 255) \
else if (value < 0) \ else if (value < 0) \
value = 0; \ value = 0; \
static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride, static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride,
const uint8_t *table) const uint8_t *table)
{ {
int i; int i;
...@@ -62,11 +62,16 @@ static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *ds ...@@ -62,11 +62,16 @@ static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *ds
int c; int c;
int t; int t;
if(width&1)
return -1;
/* first line contain absolute values, other lines contain deltas */ /* first line contain absolute values, other lines contain deltas */
while (out < width){ while (out < width){
c = ir2_get_code(&ctx->gb); c = ir2_get_code(&ctx->gb);
if(c > 0x80) { /* we have a run */ if(c > 0x80) { /* we have a run */
c -= 0x80; c -= 0x80;
if(out + c*2 > width)
return -1;
for (i = 0; i < c * 2; i++) for (i = 0; i < c * 2; i++)
dst[out++] = 0x80; dst[out++] = 0x80;
} else { /* copy two values from table */ } else { /* copy two values from table */
...@@ -82,6 +87,8 @@ static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *ds ...@@ -82,6 +87,8 @@ static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *ds
c = ir2_get_code(&ctx->gb); c = ir2_get_code(&ctx->gb);
if(c > 0x80) { /* we have a skip */ if(c > 0x80) { /* we have a skip */
c -= 0x80; c -= 0x80;
if(out + c*2 > width)
return -1;
for (i = 0; i < c * 2; i++) { for (i = 0; i < c * 2; i++) {
dst[out] = dst[out - stride]; dst[out] = dst[out - stride];
out++; out++;
...@@ -99,16 +106,20 @@ static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *ds ...@@ -99,16 +106,20 @@ static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *ds
} }
dst += stride; dst += stride;
} }
return 0;
} }
static void ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride, static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride,
const uint8_t *table) const uint8_t *table)
{ {
int j; int j;
int out = 0; int out = 0;
int c; int c;
int t; int t;
if(width&1)
return -1;
for (j = 0; j < height; j++){ for (j = 0; j < height; j++){
out = 0; out = 0;
while (out < width){ while (out < width){
...@@ -129,6 +140,7 @@ static void ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8 ...@@ -129,6 +140,7 @@ static void ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8
} }
dst += stride; dst += stride;
} }
return 0;
} }
static int ir2_decode_frame(AVCodecContext *avctx, static int ir2_decode_frame(AVCodecContext *avctx,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment