[FFmpeg-devel] [PATCH 04/16] txd: check for out of bound reads.

fenrir at elivagar.org fenrir at elivagar.org
Sat Oct 8 23:40:29 CEST 2011


From: Laurent Aimar <fenrir at videolan.org>

---
 libavcodec/txd.c |   21 +++++++++++++++++++--
 1 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/libavcodec/txd.c b/libavcodec/txd.c
index 4299636..aa7dbd6 100644
--- a/libavcodec/txd.c
+++ b/libavcodec/txd.c
@@ -42,6 +42,7 @@ static av_cold int txd_init(AVCodecContext *avctx) {
 static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
                             AVPacket *avpkt) {
     const uint8_t *buf = avpkt->data;
+    const uint8_t *buf_end = avpkt->data + avpkt->size;
     TXDContext * const s = avctx->priv_data;
     AVFrame *picture = data;
     AVFrame * const p = &s->picture;
@@ -52,6 +53,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     const uint32_t *palette = (const uint32_t *)(cur + 88);
     uint32_t *pal;
 
+    if (buf_end - cur < 92)
+        return AVERROR_INVALIDDATA;
     version         = AV_RL32(cur);
     d3d_format      = AV_RL32(cur+76);
     w               = AV_RL16(cur+80);
@@ -68,6 +71,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     }
 
     if (depth == 8) {
+        if (buf_end - cur < 1024)
+            return AVERROR_INVALIDDATA;
         avctx->pix_fmt = PIX_FMT_PAL8;
         cur += 1024;
     } else if (depth == 16 || depth == 32)
@@ -100,6 +105,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
             v = AV_RB32(palette+y);
             pal[y] = (v>>8) + (v<<24);
         }
+        if (buf_end - cur < w * h)
+            return AVERROR_INVALIDDATA;
         for (y=0; y<h; y++) {
             memcpy(ptr, cur, w);
             ptr += stride;
@@ -110,9 +117,13 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         case 0:
             if (!flags&1) goto unsupported;
         case FF_S3TC_DXT1:
+            if (buf_end - cur < (w/4) * (h/4) * 8)
+                return AVERROR_INVALIDDATA;
             ff_decode_dxt1(cur, ptr, w, h, stride);
             break;
         case FF_S3TC_DXT3:
+            if (buf_end - cur < (w/4) * (h/4) * 16)
+                return AVERROR_INVALIDDATA;
             ff_decode_dxt3(cur, ptr, w, h, stride);
             break;
         default:
@@ -122,6 +133,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         switch (d3d_format) {
         case 0x15:
         case 0x16:
+            if (buf_end - cur < h * w * 4)
+                return AVERROR_INVALIDDATA;
             for (y=0; y<h; y++) {
                 memcpy(ptr, cur, w*4);
                 ptr += stride;
@@ -133,8 +146,12 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         }
     }
 
-    for (; mipmap_count > 1; mipmap_count--)
-        cur += AV_RL32(cur) + 4;
+    for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
+        uint32_t length = AV_RL32(cur);
+        if (buf_end - cur - 4 < length )
+            break;
+        cur += length + 4;
+    }
 
     *picture   = s->picture;
     *data_size = sizeof(AVPicture);
-- 
1.7.2.5



More information about the ffmpeg-devel mailing list