From cca1a4265388eed91156216cec7ed5c8c9f8016d Mon Sep 17 00:00:00 2001
From: Roberto Togni
Date: Sun, 23 Jan 2005 21:36:24 +0000
Subject: Check pointers before writing to memory

Originally committed as revision 3874 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/qdrw.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'libavcodec/qdrw.c')

diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c
index 4fc9703227..a12d450679 100644
--- a/libavcodec/qdrw.c
+++ b/libavcodec/qdrw.c
@@ -65,10 +65,15 @@ static int decode_frame(AVCodecContext *avctx,
     }
     for (i = 0; i <= colors; i++) {
-        int idx;
+        unsigned int idx;
         idx = BE_16(buf); /* color index */
         buf += 2;
+        if (idx > 255) {
+            av_log(avctx, AV_LOG_ERROR, "Palette index out of range: %u\n", idx);
+            buf += 6;
+            continue;
+        }
         a->palette[idx * 3 + 0] = *buf++;
         buf++;
         a->palette[idx * 3 + 1] = *buf++;
@@ -77,9 +82,6 @@ static int decode_frame(AVCodecContext *avctx,
         buf++;
     }
-    if (colors)
-        a->pic.palette_has_changed = 1;
-
     buf += 18; /* skip unneeded data */
     for (i = 0; i < avctx->height; i++) {
         int size, left, code, pix;
@@ -98,6 +100,8 @@ static int decode_frame(AVCodecContext *avctx,
             if (code & 0x80 ) { /* run */
                 int i;
                 pix = *buf++;
+                if ((out + (257 - code) * 3) > (outdata + a->pic.linesize[0]))
+                    break;
                 for (i = 0; i < 257 - code; i++) {
                     *out++ = a->palette[pix * 3 + 0];
                     *out++ = a->palette[pix * 3 + 1];
@@ -107,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx,
                 left -= 2;
             } else { /* copy */
                 int i, pix;
+                if ((out + code * 3) > (outdata + a->pic.linesize[0]))
+                    break;
                 for (i = 0; i <= code; i++) {
                     pix = *buf++;
                     *out++ = a->palette[pix * 3 + 0];
@@ -130,6 +136,10 @@ static int decode_frame(AVCodecContext *avctx,
 static int decode_init(AVCodecContext *avctx){
 //    QdrawContext * const a = avctx->priv_data;
+    if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) {
+        return 1;
+    }
+
     avctx->pix_fmt= PIX_FMT_RGB24;
     return 0;
--
cgit v1.2.3
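Review bot: The new `idx > 255` check protects the palette write, but the reads that feed it in the same loop are still unbounded: each iteration consumes 8 bytes of `buf` for up to 257 entries, and the `buf += 6; continue;` path keeps advancing through data that may lie past the end of a truncated packet. If decode_frame receives the packet length (its signature is cut off above the hunk), a single comparison of `(colors + 1) * 8` against the bytes remaining in the packet, placed before the loop, would close that gap without touching the loop body. The same applies to the per-pixel `*buf++` reads in the run and copy branches further down. decode_frame begins outside this hunk.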
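Review bot: The guard forms the pointer `out + (257 - code) * 3` before comparing it, which for a hostile run length can point far beyond the end of the frame buffer; computing the remaining space as a difference avoids forming such a pointer, e.g. `if ((257 - code) * 3 > (outdata + a->pic.linesize[0]) - out) break;`. The bound is the line stride rather than `avctx->width * 3`, so if linesize carries padding a run can still spill into the padding bytes of the row — safe for memory, but worth a comment such as `/* bound is the stride, not the visible width */`. Note also that `pix = *buf++` on the line above is not checked against the input length, so a truncated packet is still over-read here. The enclosing while/for loops start and end outside the hunk.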
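Review bot: The bound in the copy branch is one pixel short: the loop runs `for (i = 0; i <= code; i++)` and writes `(code + 1) * 3` bytes, but the guard only reserves `code * 3`, so a copy that would end exactly one pixel past the line end passes the check and overruns by three bytes. Use `if ((out + (code + 1) * 3) > (outdata + a->pic.linesize[0])) break;`, or the difference form `if ((code + 1) * 3 > (outdata + a->pic.linesize[0]) - out) break;`. As in the run branch, the `code + 1` input bytes read by `pix = *buf++` are not checked against the packet length. The enclosing loops continue outside the hunk.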
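Review bot: The dimension check returns `1` on failure, whereas the usual libavcodec convention for an init error is a negative value; if the caller of `init` treats only negative returns as failure (avcodec_open is not visible here, so this is inferred), the new check would log nothing and would not stop codec initialisation. `return -1;` is the safer choice and matches the `< 0` test applied to avcodec_check_dimensions itself. The argument order `avctx->height, avctx->width` also looks swapped relative to a (w, h) prototype; harmless if both limits are identical, but worth confirming against the declaration. decode_init's closing brace is outside the hunk.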