generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bmv: fix integer overflows in vlc decoder.

Browse Source 
Fixes part of Ticket1373

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Based-on-patch-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 679c578cb8e82df6fdee977e3137a26a680ad346)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-06-02 04:04:29 +02:00
parent 321bbb6f49
commit c4926cba15
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/bmv.c
View File

@ -21,6 +21,7 @@
#include "avcodec.h" #include "avcodec.h"
#include "bytestream.h" #include "bytestream.h"
#include "libavutil/avassert.h"
enum BMVFlags{ enum BMVFlags{
BMV_NOP = 0, BMV_NOP = 0,
@ -52,7 +53,7 @@ typedef struct BMVDecContext {
static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, int frame_off) static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, int frame_off)
{ {
int val, saved_val = 0; unsigned val, saved_val = 0;
int tmplen = src_len; int tmplen = src_len;
const uint8_t *src, *source_end = source + src_len; const uint8_t *src, *source_end = source + src_len;
uint8_t *frame_end = frame + SCREEN_WIDE * SCREEN_HIGH; uint8_t *frame_end = frame + SCREEN_WIDE * SCREEN_HIGH;
@ -98,6 +99,8 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
} }
if (!(val & 0xC)) { if (!(val & 0xC)) {
for (;;) { for (;;) {
if(shift>22)
return -1;
if (!read_two_nibbles) { if (!read_two_nibbles) {
if (src < source || src >= source_end) if (src < source || src >= source_end)
return -1; return -1;
@ -131,6 +134,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
} }
advance_mode = val & 1; advance_mode = val & 1;
len = (val >> 1) - 1; len = (val >> 1) - 1;
av_assert0(len>0);
mode += 1 + advance_mode; mode += 1 + advance_mode;
if (mode >= 4) if (mode >= 4)
mode -= 3; mode -= 3;