[FFmpeg-cvslog] indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
Kostya Shishkov
git at videolan.org
Thu Jan 17 02:04:33 CET 2013
ffmpeg | branch: release/0.10 | Kostya Shishkov <kostya.shishkov at gmail.com> | Mon May 14 19:30:54 2012 +0200| [e5ea6539d484d399291ad2731eb87abbc8c2f7cf] | committer: Reinhard Tartler
indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
Related to CVE-2012-2804
(cherry picked from commit fc417db3f162d5269c0d22f8e467da4afa67c20a)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5ea6539d484d399291ad2731eb87abbc8c2f7cf
---
libavcodec/indeo3.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 294527e..63517c6 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -344,8 +344,10 @@ if (*data_ptr >= last_ptr) \
fill_64(dst, pix64, num_lines << 1, row_offset)
#define APPLY_DELTA_4 \
- AV_WN16A(dst + line_offset , AV_RN16A(ref ) + delta_tab->deltas[dyad1]);\
- AV_WN16A(dst + line_offset + 2, AV_RN16A(ref + 2) + delta_tab->deltas[dyad2]);\
+ AV_WN16A(dst + line_offset ,\
+ (AV_RN16A(ref ) + delta_tab->deltas[dyad1]) & 0x7F7F);\
+ AV_WN16A(dst + line_offset + 2,\
+ (AV_RN16A(ref + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\
if (mode >= 3) {\
if (is_top_of_cell && !cell->ypos) {\
AV_COPY32(dst, dst + row_offset);\
@@ -358,14 +360,14 @@ if (*data_ptr >= last_ptr) \
/* apply two 32-bit VQ deltas to next even line */\
if (is_top_of_cell) { \
AV_WN32A(dst + row_offset , \
- replicate32(AV_RN32A(ref )) + delta_tab->deltas_m10[dyad1]);\
+ (replicate32(AV_RN32A(ref )) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\
AV_WN32A(dst + row_offset + 4, \
- replicate32(AV_RN32A(ref + 4)) + delta_tab->deltas_m10[dyad2]);\
+ (replicate32(AV_RN32A(ref + 4)) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\
} else { \
AV_WN32A(dst + row_offset , \
- AV_RN32A(ref ) + delta_tab->deltas_m10[dyad1]);\
+ (AV_RN32A(ref ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\
AV_WN32A(dst + row_offset + 4, \
- AV_RN32A(ref + 4) + delta_tab->deltas_m10[dyad2]);\
+ (AV_RN32A(ref + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\
} \
/* odd lines are not coded but rather interpolated/replicated */\
/* first line of the cell on the top of image? - replicate */\
@@ -379,22 +381,22 @@ if (*data_ptr >= last_ptr) \
#define APPLY_DELTA_1011_INTER \
if (mode == 10) { \
AV_WN32A(dst , \
- AV_RN32A(dst ) + delta_tab->deltas_m10[dyad1]);\
+ (AV_RN32A(dst ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\
AV_WN32A(dst + 4 , \
- AV_RN32A(dst + 4 ) + delta_tab->deltas_m10[dyad2]);\
+ (AV_RN32A(dst + 4 ) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\
AV_WN32A(dst + row_offset , \
- AV_RN32A(dst + row_offset ) + delta_tab->deltas_m10[dyad1]);\
+ (AV_RN32A(dst + row_offset ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\
AV_WN32A(dst + row_offset + 4, \
- AV_RN32A(dst + row_offset + 4) + delta_tab->deltas_m10[dyad2]);\
+ (AV_RN32A(dst + row_offset + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\
} else { \
AV_WN16A(dst , \
- AV_RN16A(dst ) + delta_tab->deltas[dyad1]);\
+ (AV_RN16A(dst ) + delta_tab->deltas[dyad1]) & 0x7F7F);\
AV_WN16A(dst + 2 , \
- AV_RN16A(dst + 2 ) + delta_tab->deltas[dyad2]);\
+ (AV_RN16A(dst + 2 ) + delta_tab->deltas[dyad2]) & 0x7F7F);\
AV_WN16A(dst + row_offset , \
- AV_RN16A(dst + row_offset ) + delta_tab->deltas[dyad1]);\
+ (AV_RN16A(dst + row_offset ) + delta_tab->deltas[dyad1]) & 0x7F7F);\
AV_WN16A(dst + row_offset + 2, \
- AV_RN16A(dst + row_offset + 2) + delta_tab->deltas[dyad2]);\
+ (AV_RN16A(dst + row_offset + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\
}
More information about the ffmpeg-cvslog
mailing list