highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/gif: Fix lzw buffer size

Browse Source 
Fixes out of array access
Fixes: aaa479088e6fb40b04837b3119f47b04/asan_heap-oob_e38c68_8576_9d653078b2470700e2834636f12ff557.tga

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03d83ba34b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2016-01-18 19:20:03 +01:00
parent aa833e1a60
commit 828d85bf86
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/gif.c
View File

@@ -43,6 +43,7 @@ typedef struct GIFContext {
const AVClass *class; const AVClass *class;
LZWState *lzw; LZWState *lzw;
uint8_t *buf; uint8_t *buf;
int buf_size;
AVFrame *last_frame; AVFrame *last_frame;
int flags; int flags;
uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8 uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8
@@ -174,7 +175,7 @@ static int gif_image_write_image(AVCodecContext *avctx,
bytestream_put_byte(bytestream, 0x08); bytestream_put_byte(bytestream, 0x08);
ff_lzw_encode_init(s->lzw, s->buf, 2 * width * height, ff_lzw_encode_init(s->lzw, s->buf, s->buf_size,
12, FF_LZW_GIF, put_bits); 12, FF_LZW_GIF, put_bits);
ptr = buf + y_start*linesize + x_start; ptr = buf + y_start*linesize + x_start;
@@ -231,7 +232,8 @@ FF_ENABLE_DEPRECATION_WARNINGS
s->transparent_index = -1; s->transparent_index = -1;
s->lzw = av_mallocz(ff_lzw_encode_state_size); s->lzw = av_mallocz(ff_lzw_encode_state_size);
s->buf = av_malloc(avctx->width*avctx->height*2); s->buf_size = avctx->width*avctx->height*2 + 1000;
s->buf = av_malloc(s->buf_size);
s->tmpl = av_malloc(avctx->width); s->tmpl = av_malloc(avctx->width);
if (!s->tmpl || !s->buf || !s->lzw) if (!s->tmpl || !s->buf || !s->lzw)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
@@ -321,6 +323,7 @@ static int gif_encode_close(AVCodecContext *avctx)
av_freep(&s->lzw); av_freep(&s->lzw);
av_freep(&s->buf); av_freep(&s->buf);
s->buf_size = 0;
av_frame_free(&s->last_frame); av_frame_free(&s->last_frame);
av_freep(&s->tmpl); av_freep(&s->tmpl);
return 0; return 0;