[FFmpeg-cvslog] 8bps: Bound-check the input buffer

Luca Barbato git at videolan.org
Tue Aug 27 18:38:50 CEST 2013


ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Mon Jul 22 23:26:05 2013 +0200| [e6cf47ee9e36f249f63e7dee5f99ad8b5386eaa4] | committer: Luca Barbato

8bps: Bound-check the input buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit bd7b4da0f4627bb6c4a7c2575da83fe6b261a21c)

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

Conflicts:
	libavcodec/8bps.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e6cf47ee9e36f249f63e7dee5f99ad8b5386eaa4
---

 libavcodec/8bps.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index 8f0692c..3d81810 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     unsigned char *pixptr, *pixptr_end;
     unsigned int height = avctx->height; // Real image height
     unsigned int dlen, p, row;
-    const unsigned char *lp, *dp;
+    const unsigned char *lp, *dp, *ep;
     unsigned char count;
     unsigned int px_inc;
     unsigned int planes     = c->planes;
@@ -80,6 +80,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         return -1;
     }
 
+    ep = encoded + buf_size;
+
     /* Set data pointer after line lengths */
     dp = encoded + planes * (height << 1);
 
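Review bot: `dp = encoded + planes * (height << 1)` is still computed without comparing the size of the line-length table against `buf_size`, so for a short packet `dp` is formed beyond the new `ep` before any check runs. The later guards then depend on `ep - dp` coming out negative, and forming a pointer beyond one-past-the-end of the buffer is itself undefined in C. A single up-front test placed right after `ep` is set would reject such input before any pointer is derived from it: `if (buf_size < planes * (height << 1)) return AVERROR_INVALIDDATA;` (this assumes `buf_size` is non-negative here; its declaration is outside the hunk). decode_frame begins and ends outside this hunk.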
@@ -97,17 +99,19 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         for (row = 0; row < height; row++) {
             pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
             pixptr_end = pixptr + c->pic.linesize[0];
+            if (ep - lp < row * 2 + 2)
+                return AVERROR_INVALIDDATA;
             dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2));
             /* Decode a row of this plane */
             while (dlen > 0) {
-                if (dp + 1 >= buf + buf_size)
+                if (ep - dp <= 1)
                     return -1;
                 if ((count = *dp++) <= 127) {
                     count++;
                     dlen -= count + 1;
                     if (pixptr + count * px_inc > pixptr_end)
                         break;
-                    if (dp + count > buf + buf_size)
+                    if (ep - dp < count)
                         return -1;
                     while (count--) {
                         *pixptr = *dp++;
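Review bot: The added guard `ep - lp < row * 2 + 2` compares a signed pointer difference with an `unsigned int` expression, so on a target where `ptrdiff_t` is no wider than `unsigned int` the left side is converted to unsigned and a negative difference would pass the check. `lp` is assigned outside the hunk, so whether it can ever sit past `ep` cannot be confirmed from here; forcing a signed comparison removes the dependency: `if (ep - lp < (ptrdiff_t)row * 2 + 2)`. The hunk also mixes `AVERROR_INVALIDDATA` on the new check with `return -1` on the two rewritten `dp` checks for the same class of truncated input; returning `AVERROR_INVALIDDATA` from all three would be consistent. The inner copy loop continues past the end of the hunk.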


