generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

indeo3: add out-of-buffer write check

Browse Source 
Prevent out-of-buffer writes. In particular fix smclocki32.avi.1.1
crash, trac issue #114, roundup issue #1482.
This commit is contained in:
Stefano Sabatini
2011-05-17 22:21:33 +02:00
parent 39d983461a
commit 48df6a2415
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
libavcodec/indeo3.c
View File

@@ -213,6 +213,7 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
int *width_tbl, width_tbl_arr[10]; int *width_tbl, width_tbl_arr[10];
const signed char *ref_vectors; const signed char *ref_vectors;
uint8_t *cur_frm_pos, *ref_frm_pos, *cp, *cp2; uint8_t *cur_frm_pos, *ref_frm_pos, *cp, *cp2;
uint8_t *cur_end = cur + width*height + width;
uint32_t *cur_lp, *ref_lp; uint32_t *cur_lp, *ref_lp;
const uint32_t *correction_lp[2], *correctionloworder_lp[2], *correctionhighorder_lp[2]; const uint32_t *correction_lp[2], *correctionloworder_lp[2], *correctionhighorder_lp[2];
uint8_t *correction_type_sp[2]; uint8_t *correction_type_sp[2];
@@ -359,6 +360,8 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
k = *buf1++; k = *buf1++;
cur_lp = ((uint32_t *)cur_frm_pos) + width_tbl[lp2]; cur_lp = ((uint32_t *)cur_frm_pos) + width_tbl[lp2];
ref_lp = ((uint32_t *)ref_frm_pos) + width_tbl[lp2]; ref_lp = ((uint32_t *)ref_frm_pos) + width_tbl[lp2];
if ((uint8_t *)cur_lp >= cur_end-3)
break;
switch(correction_type_sp[0][k]) { switch(correction_type_sp[0][k]) {
case 0: case 0: