generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qpeg: Check for overread in qpeg_decode_intra.

Browse Source 
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2011-12-29 05:16:34 +01:00
parent 6071e4d87a
commit e7c1e38ba6
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/qpeg.c
View File

@@ -32,7 +32,7 @@ typedef struct QpegContext{
uint32_t pal[256]; uint32_t pal[256];
} QpegContext; } QpegContext;
static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size, static int qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size,
int stride, int width, int height) int stride, int width, int height)
{ {
int i; int i;
@@ -94,6 +94,8 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size,
} }
} else { } else {
size -= copy; size -= copy;
if (size<0)
return AVERROR_INVALIDDATA;
for(i = 0; i < copy; i++) { for(i = 0; i < copy; i++) {
dst[filled++] = *src++; dst[filled++] = *src++;
if (filled >= width) { if (filled >= width) {
@@ -106,6 +108,7 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size,
} }
} }
} }
return 0;
} }
static const int qpeg_table_h[16] = static const int qpeg_table_h[16] =
@@ -259,7 +262,7 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame * p= (AVFrame*)&a->pic; AVFrame * p= (AVFrame*)&a->pic;
AVFrame * ref= (AVFrame*)&a->ref; AVFrame * ref= (AVFrame*)&a->ref;
uint8_t* outdata; uint8_t* outdata;
int delta; int delta, ret = 0;
const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
if(ref->data[0]) if(ref->data[0])
@@ -273,12 +276,15 @@ static int decode_frame(AVCodecContext *avctx,
} }
outdata = a->pic.data[0]; outdata = a->pic.data[0];
if(buf[0x85] == 0x10) { if(buf[0x85] == 0x10) {
qpeg_decode_intra(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height); ret = qpeg_decode_intra(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height);
} else { } else {
delta = buf[0x85]; delta = buf[0x85];
qpeg_decode_inter(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height, delta, buf + 4, a->ref.data[0]); qpeg_decode_inter(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height, delta, buf + 4, a->ref.data[0]);
} }
if (ret<0)
return ret;
/* make the palette available on the way out */ /* make the palette available on the way out */
if (pal) { if (pal) {
a->pic.palette_has_changed = 1; a->pic.palette_has_changed = 1;