mmvideo: fix overreads of the input buffer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-03-04 08:14:07 +01:00 · 2012-03-04 08:14:07 +01:00 · 37fca5daa0
commit 37fca5daa0
parent 999d38f3a9
1 changed files with 16 additions and 4 deletions
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@ -123,11 +123,18 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const
 */
 static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size)
 {
-    const int data_ptr = 2 + AV_RL16(&buf[0]);
+    int data_ptr;
    int d, r, y;
+
+    if(buf_size < 2) {
+        av_log(s->avctx, AV_LOG_ERROR, "1 or less byte inter frame\n");
+        return;
+    }
+
+    data_ptr = 2 + AV_RL16(&buf[0]);
    d = data_ptr; r = 2; y = 0;

-    while(r < data_ptr) {
+    while(r + 1 < data_ptr) {
        int i, j;
        int length = buf[r] & 0x7f;
        int x = buf[r+1] + ((buf[r] & 0x80) << 1);
@ -138,14 +145,19 @@ static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const
            continue;
        }

-        if (y + half_vert >= s->avctx->height)
+        if (y + half_vert >= s->avctx->height || r+length > buf_size)
            return;

        for(i=0; i<length; i++) {
            for(j=0; j<8; j++) {
                int replace = (buf[r+i] >> (7-j)) & 1;
                if (replace) {
-                    int color = buf[d];
+                    int color;
+                    if (d >= buf_size) {
+                        av_log(s->avctx, AV_LOG_ERROR, "overread buf\n");
+                        return;
+                    }
+                    color = buf[d];
                    s->frame.data[0][y*s->frame.linesize[0] + x] = color;
                    if (half_horiz)
                        s->frame.data[0][y*s->frame.linesize[0] + x + 1] = color;