[FFmpeg-cvslog] dxv: Check to make sure we don't overrun buffers on corrupt inputs
Martin Storsjö
git at videolan.org
Thu Mar 16 00:28:43 EET 2017
ffmpeg | branch: master | Martin Storsjö <martin at martin.st> | Thu Jul 28 13:45:24 2016 +0300| [7ebdffc353f3f0827864e8e3461fdc00cc243b14] | committer: Martin Storsjö
dxv: Check to make sure we don't overrun buffers on corrupt inputs
Signed-off-by: Martin Storsjö <martin at martin.st>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ebdffc353f3f0827864e8e3461fdc00cc243b14
---
libavcodec/dxv.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 32137f5..99327df 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -125,7 +125,7 @@ static int dxv_decompress_dxt1(AVCodecContext *avctx)
AV_WL32(ctx->tex_data + 4, bytestream2_get_le32(gbc));
/* Process input until the whole texture has been filled */
- while (pos < ctx->tex_size / 4) {
+ while (pos + 2 <= ctx->tex_size / 4) {
CHECKPOINT(2);
/* Copy two elements from a previous offset or from the input buffer */
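Review bot: In dxv_decompress_dxt1 only the loop bound is tightened; the back-reference copy announced by the comment on the last line of this hunk gets no `idx > pos` guard like the one this commit adds in dxv_decompress_dxt5. If CHECKPOINT (its definition is not shown on this page) does not already reject such an idx, the read at `pos - idx` would land before the start of the texture buffer on corrupt input. I would add `if (idx > pos) return AVERROR_INVALIDDATA;` ahead of the copy, or document next to CHECKPOINT(2) that the macro enforces it. The loop body continues outside the hunk.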
@@ -178,7 +178,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
AV_WL32(ctx->tex_data + 12, bytestream2_get_le32(gbc));
/* Process input until the whole texture has been filled */
- while (pos < ctx->tex_size / 4) {
+ while (pos + 2 <= ctx->tex_size / 4) {
if (run) {
run--;
@@ -207,7 +207,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
check += probe;
} while (probe == 0xFFFF);
}
- while (check && pos < ctx->tex_size / 4) {
+ while (check && pos + 4 <= ctx->tex_size / 4) {
prev = AV_RL32(ctx->tex_data + 4 * (pos - 4));
AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++;
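Review bot: When this loop stops because `pos + 4 > ctx->tex_size / 4` while `check` is still non-zero, the rest of the run is dropped silently, whereas the other bounds failures added by this commit return AVERROR_INVALIDDATA. Assuming `check` counts the remaining iterations (its decrement is outside the hunk), a corrupt run length then yields a partly filled texture that is reported as a successful decode. If tolerant decoding is not intended here, add `if (check) return AVERROR_INVALIDDATA;` after the loop; otherwise a one-line comment saying the truncation is deliberate would help the next reader.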
@@ -252,6 +252,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
case 2:
/* Copy two dwords from a previous index */
idx = 8 + bytestream2_get_le16(gbc);
+ if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
+ return AVERROR_INVALIDDATA;
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++;
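Review bot: The guard `idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4` is written out three times in this commit, here and before the `pos - idx` reads in the two following hunks. Folding it into one small static helper or macro next to CHECKPOINT would keep the copies from drifting apart when the bound is next adjusted, e.g. `if (!backref_in_bounds(ctx, pos, idx)) return AVERROR_INVALIDDATA;` (helper name is a suggestion). A short comment on the helper should state that positions are in 32-bit units while `tex_size` is in bytes, since that is what the `/ 4` encodes.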
@@ -274,9 +276,13 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
}
CHECKPOINT(4);
+ if (pos + 2 > ctx->tex_size / 4)
+ return AVERROR_INVALIDDATA;
/* Copy two elements from a previous offset or from the input buffer */
if (op) {
+ if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
+ return AVERROR_INVALIDDATA;
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++;
@@ -287,6 +293,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
} else {
CHECKPOINT(4);
+ if (op && (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4))
+ return AVERROR_INVALIDDATA;
if (op)
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
else
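Review bot: The guard added at the top of this branch validates `idx` only as produced by the CHECKPOINT(4) directly above it. If the remainder of the branch, which lies outside the hunk, runs CHECKPOINT again before another `AV_RL32(ctx->tex_data + 4 * (pos - idx))` read, that read uses a fresh `idx` that this commit does not check. In that case the same line, `if (op && (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)) return AVERROR_INVALIDDATA;`, should follow each later CHECKPOINT as well, unless the macro itself rejects out-of-range values.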