har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix several security issues in flicvideo.c

Browse Source 
This fixes CVE-2010-3429


backport r25223 by michael


Originally committed as revision 25325 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
This commit is contained in:
Reinhard Tartler 2010-10-03 14:51:50 +00:00
parent 2dea9a1266
commit 2f504d7a90
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
libavcodec/flicvideo.c
View File

@ -160,7 +160,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
int pixel_skip; int pixel_skip;
int pixel_countdown; int pixel_countdown;
unsigned char *pixels; unsigned char *pixels;
int pixel_limit; unsigned int pixel_limit;
s->frame.reference = 1; s->frame.reference = 1;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
@ -254,10 +254,13 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
} else if ((line_packets & 0xC000) == 0x8000) { } else if ((line_packets & 0xC000) == 0x8000) {
// "last byte" opcode // "last byte" opcode
pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff; pixel_ptr= y_ptr + s->frame.linesize[0] - 1;
CHECK_PIXEL_PTR(0);
pixels[pixel_ptr] = line_packets & 0xff;
} else { } else {
compressed_lines--; compressed_lines--;
pixel_ptr = y_ptr; pixel_ptr = y_ptr;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) { for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */ /* account for the skip bytes */
@ -269,7 +272,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
byte_run = -byte_run; byte_run = -byte_run;
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
palette_idx2 = buf[stream_ptr++]; palette_idx2 = buf[stream_ptr++];
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(byte_run * 2);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
pixels[pixel_ptr++] = palette_idx1; pixels[pixel_ptr++] = palette_idx1;
pixels[pixel_ptr++] = palette_idx2; pixels[pixel_ptr++] = palette_idx2;
@ -299,6 +302,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
stream_ptr += 2; stream_ptr += 2;
while (compressed_lines > 0) { while (compressed_lines > 0) {
pixel_ptr = y_ptr; pixel_ptr = y_ptr;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
line_packets = buf[stream_ptr++]; line_packets = buf[stream_ptr++];
if (line_packets > 0) { if (line_packets > 0) {
@ -454,7 +458,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
int pixel_countdown; int pixel_countdown;
unsigned char *pixels; unsigned char *pixels;
int pixel; int pixel;
int pixel_limit; unsigned int pixel_limit;
s->frame.reference = 1; s->frame.reference = 1;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
@ -504,6 +508,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
} else { } else {
compressed_lines--; compressed_lines--;
pixel_ptr = y_ptr; pixel_ptr = y_ptr;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) { for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */ /* account for the skip bytes */
@ -515,13 +520,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
byte_run = -byte_run; byte_run = -byte_run;
pixel = AV_RL16(&buf[stream_ptr]); pixel = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
*((signed short*)(&pixels[pixel_ptr])) = pixel; *((signed short*)(&pixels[pixel_ptr])) = pixel;
pixel_ptr += 2; pixel_ptr += 2;
} }
} else { } else {
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) { for (j = 0; j < byte_run; j++, pixel_countdown--) {
*((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
@ -612,7 +617,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
if (byte_run > 0) { if (byte_run > 0) {
pixel = AV_RL16(&buf[stream_ptr]); pixel = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) { for (j = 0; j < byte_run; j++) {
*((signed short*)(&pixels[pixel_ptr])) = pixel; *((signed short*)(&pixels[pixel_ptr])) = pixel;
pixel_ptr += 2; pixel_ptr += 2;
@ -623,7 +628,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
} }
} else { /* copy pixels if byte_run < 0 */ } else { /* copy pixels if byte_run < 0 */
byte_run = -byte_run; byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) { for (j = 0; j < byte_run; j++) {
*((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;