avcodec/rpza: Perform pointer advance and checks before using the pointers
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
@@ -84,7 +84,7 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
unsigned short *pixels = (unsigned short *)s->frame.data[0];
|
unsigned short *pixels = (unsigned short *)s->frame.data[0];
|
||||||
|
|
||||||
int row_ptr = 0;
|
int row_ptr = 0;
|
||||||
int pixel_ptr = 0;
|
int pixel_ptr = -4;
|
||||||
int block_ptr;
|
int block_ptr;
|
||||||
int pixel_x, pixel_y;
|
int pixel_x, pixel_y;
|
||||||
int total_blocks;
|
int total_blocks;
|
||||||
@@ -140,6 +140,7 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
colorA = AV_RB16 (&s->buf[stream_ptr]);
|
colorA = AV_RB16 (&s->buf[stream_ptr]);
|
||||||
stream_ptr += 2;
|
stream_ptr += 2;
|
||||||
while (n_blocks--) {
|
while (n_blocks--) {
|
||||||
|
ADVANCE_BLOCK()
|
||||||
block_ptr = row_ptr + pixel_ptr;
|
block_ptr = row_ptr + pixel_ptr;
|
||||||
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
||||||
for (pixel_x = 0; pixel_x < 4; pixel_x++){
|
for (pixel_x = 0; pixel_x < 4; pixel_x++){
|
||||||
@@ -148,7 +149,6 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
}
|
}
|
||||||
block_ptr += row_inc;
|
block_ptr += row_inc;
|
||||||
}
|
}
|
||||||
ADVANCE_BLOCK();
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@@ -187,6 +187,7 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
if (s->size - stream_ptr < n_blocks * 4)
|
if (s->size - stream_ptr < n_blocks * 4)
|
||||||
return;
|
return;
|
||||||
while (n_blocks--) {
|
while (n_blocks--) {
|
||||||
|
ADVANCE_BLOCK();
|
||||||
block_ptr = row_ptr + pixel_ptr;
|
block_ptr = row_ptr + pixel_ptr;
|
||||||
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
||||||
index = s->buf[stream_ptr++];
|
index = s->buf[stream_ptr++];
|
||||||
@@ -197,7 +198,6 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
}
|
}
|
||||||
block_ptr += row_inc;
|
block_ptr += row_inc;
|
||||||
}
|
}
|
||||||
ADVANCE_BLOCK();
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@@ -205,6 +205,7 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
case 0x00:
|
case 0x00:
|
||||||
if (s->size - stream_ptr < 16)
|
if (s->size - stream_ptr < 16)
|
||||||
return;
|
return;
|
||||||
|
ADVANCE_BLOCK();
|
||||||
block_ptr = row_ptr + pixel_ptr;
|
block_ptr = row_ptr + pixel_ptr;
|
||||||
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
||||||
for (pixel_x = 0; pixel_x < 4; pixel_x++){
|
for (pixel_x = 0; pixel_x < 4; pixel_x++){
|
||||||
@@ -218,7 +219,6 @@ static void rpza_decode_stream(RpzaContext *s)
|
|||||||
}
|
}
|
||||||
block_ptr += row_inc;
|
block_ptr += row_inc;
|
||||||
}
|
}
|
||||||
ADVANCE_BLOCK();
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
/* Unknown opcode */
|
/* Unknown opcode */
|
||||||
|
|||||||
Reference in New Issue
Block a user