From 8099187e897ddc90cb3902332c76fb2542dac308 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 3 May 2012 20:10:36 +0200 Subject: dfa: add some checks to ensure that decoder won't write past frame end --- libavcodec/dfa.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'libavcodec/dfa.c') diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 788e9ca90a..4fe6519a93 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -164,6 +164,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height } else if (bitbuf & (mask << 1)) { frame += bytestream2_get_le16(gb) * 2; } else { + if (frame_end - frame < width + 2) + return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; @@ -224,6 +226,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_end = frame + width * height; uint8_t *line_ptr; int count, i, v, lines, segments; + int y = 0; lines = bytestream2_get_le16(gb); if (lines > height) @@ -234,10 +237,12 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height return -1; segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { + unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); - if (frame_end - frame <= delta) + if (frame_end - frame <= delta || y + lines + skip_lines > height) return -1; frame += delta; + y += skip_lines; segments = bytestream2_get_le16(gb); } if (segments & 0x8000) { @@ -246,6 +251,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height } line_ptr = frame; frame += width; + y++; while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) return -1; -- cgit v1.2.3 From fb5c1aaea60a714dab3d4e6e71228855fd816222 Mon Sep 17 00:00:00 2001 
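Review bot: The skip branch just above the added check in decode_dds1, `frame += bytestream2_get_le16(gb) * 2;`, still advances `frame` by a stream-controlled amount without comparing it against `frame_end`. The new `frame_end - frame < width + 2` test guards only the fill branch, so an oversized skip leaves `frame` pointing past the buffer until a later check runs, and forming that pointer is already undefined behaviour in C. Bounding the skip before applying it closes the gap: `v = bytestream2_get_le16(gb) * 2; if (frame_end - frame < v) return AVERROR_INVALIDDATA; frame += v;`. The loop header and the declarations are outside this hunk, so confirm `v` is in scope at that point.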
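Review bot: The new `y + lines + skip_lines > height` test in decode_wdlt does not count the line that is about to be decoded. `lines` appears to have been decremented already by the enclosing loop (its header is outside this hunk), so a skip that brings `y + lines + skip_lines` exactly to `height` is accepted although one more row is still needed, and a later iteration with no skip segments can reach `line_ptr = frame;` with `frame` equal to `frame_end`. The segment writes that follow are bounded only by `frame - line_ptr`, which is one row measured from `line_ptr`, not from `frame_end`. A direct guard placed before the `frame += width;` and `y++;` lines of the next hunk covers both cases: `if (frame_end - frame < width) return AVERROR_INVALIDDATA;`.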
From: Kostya Shishkov Date: Sun, 6 May 2012 09:46:19 +0200 Subject: dfa: use more meaningful return codes --- libavcodec/dfa.c | 54 +++++++++++++++++++++++++++--------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) (limited to 'libavcodec/dfa.c') diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 4fe6519a93..7b6c5d5254 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -49,7 +49,7 @@ static int decode_copy(GetByteContext *gb, uint8_t *frame, int width, int height const int size = width * height; if (bytestream2_get_buffer(gb, frame, size) != size) - return -1; + return AVERROR_INVALIDDATA; return 0; } @@ -64,23 +64,23 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le32(gb); offset = bytestream2_get_le32(gb); if (frame_end - frame <= offset) - return -1; + return AVERROR_INVALIDDATA; frame += offset; while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) - return -1; + return AVERROR_INVALIDDATA; av_memcpy_backptr(frame, offset, count); frame += count; } else { 
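Review bot: In decode_tsw1, `offset` is read with `bytestream2_get_le32(gb)` and then checked only by `frame_end - frame <= offset`, which rejects large positive values but not negative ones. Its declaration is outside this hunk; if it is a plain `int`, a stream value with the top bit set becomes negative, passes the check, and `frame += offset` moves the write pointer before the start of the frame buffer. Declaring `offset` (and `segments`, which is also read as 32 bits) as `unsigned`, or adding `offset < 0 ||` to the condition, would make the bound hold for every 32-bit input.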
@@ -103,19 +103,19 @@ static int decode_dsw1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) - return -1; + return AVERROR_INVALIDDATA; // can't use av_memcpy_backptr() since it can overwrite following pixels for (v = 0; v < count; v++) frame[v] = frame[v - offset]; @@ -142,19 +142,19 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count*2 + width) - return -1; + return AVERROR_INVALIDDATA; for (i = 0; i < count; i++) { frame[0] = frame[1] = frame[width] = frame[width + 1] = frame[-offset]; 
@@ -186,32 +186,32 @@ static int decode_bdlt(GetByteContext *gb, uint8_t *frame, int width, int height count = bytestream2_get_le16(gb); if (count >= height) - return -1; + return AVERROR_INVALIDDATA; frame += width * count; lines = bytestream2_get_le16(gb); if (count + lines > height) - return -1; + return AVERROR_INVALIDDATA; while (lines--) { if (bytestream2_get_bytes_left(gb) < 1) - return -1; + return AVERROR_INVALIDDATA; line_ptr = frame; frame += width; segments = bytestream2_get_byteu(gb); while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) - return -1; + return AVERROR_INVALIDDATA; line_ptr += bytestream2_get_byte(gb); count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { if (frame - line_ptr < count) - return -1; + return AVERROR_INVALIDDATA; if (bytestream2_get_buffer(gb, line_ptr, count) != count) - return -1; + return AVERROR_INVALIDDATA; } else { count = -count; if (frame - line_ptr < count) - return -1; + return AVERROR_INVALIDDATA; memset(line_ptr, bytestream2_get_byte(gb), count); } line_ptr += count; @@ -230,17 +230,17 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height lines = bytestream2_get_le16(gb); if (lines > height) - return -1; + return AVERROR_INVALIDDATA; while (lines--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); if (frame_end - frame <= delta || y + lines + skip_lines > height) - return -1; + return AVERROR_INVALIDDATA; frame += delta; y += skip_lines; segments = bytestream2_get_le16(gb); 
@@ -254,19 +254,19 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height y++; while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) - return -1; + return AVERROR_INVALIDDATA; line_ptr += bytestream2_get_byte(gb); count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { if (frame - line_ptr < count * 2) - return -1; + return AVERROR_INVALIDDATA; if (bytestream2_get_buffer(gb, line_ptr, count * 2) != count * 2) - return -1; + return AVERROR_INVALIDDATA; line_ptr += count * 2; } else { count = -count; if (frame - line_ptr < count * 2) - return -1; + return AVERROR_INVALIDDATA; v = bytestream2_get_le16(gb); for (i = 0; i < count; i++) bytestream_put_le16(&line_ptr, v); @@ -279,7 +279,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height static int decode_unk6(GetByteContext *gb, uint8_t *frame, int width, int height) { - return -1; + return AVERROR_PATCHWELCOME; } static int decode_blck(GetByteContext *gb, uint8_t *frame, int width, int height) @@ -338,7 +338,7 @@ static int dfa_decode_frame(AVCodecContext *avctx, if (decoder[chunk_type - 2](&gb, s->frame_buf, avctx->width, avctx->height)) { av_log(avctx, AV_LOG_ERROR, "Error decoding %s chunk\n", chunk_name[chunk_type - 2]); - return -1; + return AVERROR_INVALIDDATA; } } else { av_log(avctx, AV_LOG_WARNING, "Ignoring unknown chunk type %d\n", -- cgit v1.2.3
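Review bot: The dfa_decode_frame hunk still collapses every decoder failure into one code: `if (decoder[chunk_type - 2](...))` discards the returned value and returns `AVERROR_INVALIDDATA`, so the `AVERROR_PATCHWELCOME` that decode_unk6 now returns never reaches the caller. Keeping the result would preserve the distinction this commit introduces: `ret = decoder[chunk_type - 2](&gb, s->frame_buf, avctx->width, avctx->height);` followed by `if (ret < 0) { ... return ret; }`. The declarations of dfa_decode_frame are outside the hunk, so a `ret` variable may need to be added there.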