[FFmpeg-devel] [PATCH 04/16] txd: check for out of bound reads.
fenrir at elivagar.org
fenrir at elivagar.org
Sat Oct 8 23:40:29 CEST 2011
From: Laurent Aimar <fenrir at videolan.org>
---
libavcodec/txd.c | 21 +++++++++++++++++++--
1 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/libavcodec/txd.c b/libavcodec/txd.c
index 4299636..aa7dbd6 100644
--- a/libavcodec/txd.c
+++ b/libavcodec/txd.c
@@ -42,6 +42,7 @@ static av_cold int txd_init(AVCodecContext *avctx) {
static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
TXDContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
@@ -52,6 +53,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
const uint32_t *palette = (const uint32_t *)(cur + 88);
uint32_t *pal;
+ if (buf_end - cur < 92)
+ return AVERROR_INVALIDDATA;
version = AV_RL32(cur);
d3d_format = AV_RL32(cur+76);
w = AV_RL16(cur+80);
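Review bot: The limits in `if (buf_end - cur < 92)` here and `if (buf_end - cur < 1024)` in the next hunk are bare magic numbers, and nothing in the hunk says what they cover; a reader has to count the field offsets to check them. A short comment on each would help, e.g. `/* fixed texture header: every field read below lies before offset 92 */` on the first and `/* 256-entry 32-bit palette */` on the second, the latter inferred from PIX_FMT_PAL8 and the 1024-byte skip, so confirm against the format. Note also that `palette` on the line above is already formed from `cur + 88` before the check runs, which on a short packet is pointer arithmetic past the buffer even though nothing is dereferenced; FFmpeg packets presumably carry input padding so it is unlikely to matter, but moving the check above that initializer would make the order cleaner.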
@@ -68,6 +71,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
}
if (depth == 8) {
+ if (buf_end - cur < 1024)
+ return AVERROR_INVALIDDATA;
avctx->pix_fmt = PIX_FMT_PAL8;
cur += 1024;
} else if (depth == 16 || depth == 32)
@@ -100,6 +105,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
v = AV_RB32(palette+y);
pal[y] = (v>>8) + (v<<24);
}
+ if (buf_end - cur < w * h)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w);
ptr += stride;
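Review bot: `buf_end - cur < w * h` here, and `h * w * 4` in the hunk at line 133, are computed in the width of w and h; if those are 16-bit header values held in int or unsigned and the function does not already bound the dimensions earlier (for example via av_image_check_size, outside these hunks), `h * w * 4` can wrap for large textures and the check passes with too few bytes for the memcpy loop. Widening the product before the comparison removes that dependence, e.g. `if (buf_end - cur < (int64_t)h * w * 4)`, and the same applies to the `(w/4) * (h/4) * 8` and `* 16` checks in the DXT hunk. If an earlier dimension check does guarantee the products fit, a one-line comment pointing at it would make the reliance explicit.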
@@ -110,9 +117,13 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
case 0:
if (!flags&1) goto unsupported;
case FF_S3TC_DXT1:
+ if (buf_end - cur < (w/4) * (h/4) * 8)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt1(cur, ptr, w, h, stride);
break;
case FF_S3TC_DXT3:
+ if (buf_end - cur < (w/4) * (h/4) * 16)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt3(cur, ptr, w, h, stride);
break;
default:
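Review bot: The context line `if (!flags&1) goto unsupported;` parses as `(!flags) & 1`, so it rejects the texture only when flags is zero rather than when bit 0 is clear; the new DXT length checks sit under that condition, so this patch is the natural place to fix it even though it does not introduce it. If bit 0 is the intended test, as the shape suggests, it should read `if (!(flags & 1)) goto unsupported;`. The `case 0:` branch also falls through into `case FF_S3TC_DXT1:`; marking it with `/* fallthrough */` would make that deliberate.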
@@ -122,6 +133,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
switch (d3d_format) {
case 0x15:
case 0x16:
+ if (buf_end - cur < h * w * 4)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w*4);
ptr += stride;
@@ -133,8 +146,12 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
}
}
- for (; mipmap_count > 1; mipmap_count--)
- cur += AV_RL32(cur) + 4;
+ for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
+ uint32_t length = AV_RL32(cur);
+ if (buf_end - cur - 4 < length )
+ break;
+ cur += length + 4;
+ }
*picture = s->picture;
*data_size = sizeof(AVPicture);
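Review bot: The rewritten mipmap loop silently `break`s when a mipmap length runs past the packet, so a truncated file is accepted with no diagnostic and `mipmap_count` is left above 1; if the function's return value (outside the hunk) is derived from `cur`, the reported consumed size is also short. Returning AVERROR_INVALIDDATA there would match the other checks in this patch, but since the base image has already been decoded at that point, an `av_log(avctx, AV_LOG_WARNING, "truncated mipmap data\n");` before the break is the cheaper option and keeps the frame. Minor: `if (buf_end - cur - 4 < length )` has a stray space before the closing parenthesis.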
--
1.7.2.5