highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

txd: check for out of bound reads.

Browse Source 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e182de9a98272fbe4f368000911191aaeb0d6fb3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Laurent Aimar 2011-10-08 21:57:27 +02:00 committed by Michael Niedermayer
parent 67c46b9b30
commit ca58b215ab
1 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
libavcodec/txd.c
View File

@ -23,6 +23,7 @@
#include "libavutil/intreadwrite.h" #include "libavutil/intreadwrite.h"
#include "libavutil/imgutils.h" #include "libavutil/imgutils.h"
#include "bytestream.h"
#include "avcodec.h" #include "avcodec.h"
#include "s3tc.h" #include "s3tc.h"
@ -42,6 +43,7 @@ static av_cold int txd_init(AVCodecContext *avctx) {
static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) { AVPacket *avpkt) {
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
const uint8_t *buf_end = avpkt->data + avpkt->size;
TXDContext * const s = avctx->priv_data; TXDContext * const s = avctx->priv_data;
AVFrame *picture = data; AVFrame *picture = data;
AVFrame * const p = &s->picture; AVFrame * const p = &s->picture;
@ -52,6 +54,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
const uint32_t *palette = (const uint32_t *)(cur + 88); const uint32_t *palette = (const uint32_t *)(cur + 88);
uint32_t *pal; uint32_t *pal;
if (buf_end - cur < 92)
return AVERROR_INVALIDDATA;
version = AV_RL32(cur); version = AV_RL32(cur);
d3d_format = AV_RL32(cur+76); d3d_format = AV_RL32(cur+76);
w = AV_RL16(cur+80); w = AV_RL16(cur+80);
@ -69,6 +73,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if (depth == 8) { if (depth == 8) {
avctx->pix_fmt = PIX_FMT_PAL8; avctx->pix_fmt = PIX_FMT_PAL8;
if (buf_end - cur < 1024)
return AVERROR_INVALIDDATA;
cur += 1024; cur += 1024;
} else if (depth == 16 || depth == 32) } else if (depth == 16 || depth == 32)
avctx->pix_fmt = PIX_FMT_RGB32; avctx->pix_fmt = PIX_FMT_RGB32;
@ -100,6 +106,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
v = AV_RB32(palette+y); v = AV_RB32(palette+y);
pal[y] = (v>>8) + (v<<24); pal[y] = (v>>8) + (v<<24);
} }
if (buf_end - cur < w * h)
return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) { for (y=0; y<h; y++) {
memcpy(ptr, cur, w); memcpy(ptr, cur, w);
ptr += stride; ptr += stride;
@ -110,9 +118,13 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
case 0: case 0:
if (!flags&1) goto unsupported; if (!flags&1) goto unsupported;
case FF_S3TC_DXT1: case FF_S3TC_DXT1:
if (buf_end - cur < (w/4) * (h/4) * 8)
return AVERROR_INVALIDDATA;
ff_decode_dxt1(cur, ptr, w, h, stride); ff_decode_dxt1(cur, ptr, w, h, stride);
break; break;
case FF_S3TC_DXT3: case FF_S3TC_DXT3:
if (buf_end - cur < (w/4) * (h/4) * 16)
return AVERROR_INVALIDDATA;
ff_decode_dxt3(cur, ptr, w, h, stride); ff_decode_dxt3(cur, ptr, w, h, stride);
break; break;
default: default:
@ -122,6 +134,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
switch (d3d_format) { switch (d3d_format) {
case 0x15: case 0x15:
case 0x16: case 0x16:
if (buf_end - cur < h * w * 4)
return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) { for (y=0; y<h; y++) {
memcpy(ptr, cur, w*4); memcpy(ptr, cur, w*4);
ptr += stride; ptr += stride;
@ -133,8 +147,12 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
} }
} }
for (; mipmap_count > 1; mipmap_count--) for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
cur += AV_RL32(cur) + 4; uint32_t length = bytestream_get_le32(&cur);
if (buf_end - cur < length)
break;
cur += length;
}
*picture = s->picture; *picture = s->picture;
*data_size = sizeof(AVPicture); *data_size = sizeof(AVPicture);