Browse Source
quickdraw: Check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>tags/n0.9
Laurent Aimar
Janne Grunau
14 years ago
1 changed files with 12 additions and 0 deletions
Unified View
Diff Options
-
+12 -0libavcodec/qdrw.c
+ 12
- 0
libavcodec/qdrw.c
View File
| @@ -37,6 +37,7 @@ static int decode_frame(AVCodecContext *avctx, | |||||
| AVPacket *avpkt) | AVPacket *avpkt) | ||||
| { | { | ||||
| const uint8_t *buf = avpkt->data; | const uint8_t *buf = avpkt->data; | ||||
| const uint8_t *buf_end = avpkt->data + avpkt->size; | |||||
| int buf_size = avpkt->size; | int buf_size = avpkt->size; | ||||
| QdrawContext * const a = avctx->priv_data; | QdrawContext * const a = avctx->priv_data; | ||||
| AVFrame * const p= (AVFrame*)&a->pic; | AVFrame * const p= (AVFrame*)&a->pic; | ||||
| @@ -59,6 +60,8 @@ static int decode_frame(AVCodecContext *avctx, | |||||
| outdata = a->pic.data[0]; | outdata = a->pic.data[0]; | ||||
| if (buf_end - buf < 0x68 + 4) | |||||
| return AVERROR_INVALIDDATA; | |||||
| buf += 0x68; /* jump to palette */ | buf += 0x68; /* jump to palette */ | ||||
| colors = AV_RB32(buf); | colors = AV_RB32(buf); | ||||
| buf += 4; | buf += 4; | ||||
| @@ -67,6 +70,8 @@ static int decode_frame(AVCodecContext *avctx, | |||||
| av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); | av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); | ||||
| return -1; | return -1; | ||||
| } | } | ||||
| if (buf_end - buf < (colors + 1) * 8) | |||||
| return AVERROR_INVALIDDATA; | |||||
| pal = (uint32_t*)p->data[1]; | pal = (uint32_t*)p->data[1]; | ||||
| for (i = 0; i <= colors; i++) { | for (i = 0; i <= colors; i++) { | ||||
| @@ -89,6 +94,8 @@ static int decode_frame(AVCodecContext *avctx, | |||||
| } | } | ||||
| p->palette_has_changed = 1; | p->palette_has_changed = 1; | ||||
| if (buf_end - buf < 18) | |||||
| return AVERROR_INVALIDDATA; | |||||
| buf += 18; /* skip unneeded data */ | buf += 18; /* skip unneeded data */ | ||||
| for (i = 0; i < avctx->height; i++) { | for (i = 0; i < avctx->height; i++) { | ||||
| int size, left, code, pix; | int size, left, code, pix; | ||||
| @@ -100,6 +107,9 @@ static int decode_frame(AVCodecContext *avctx, | |||||
| out = outdata; | out = outdata; | ||||
| size = AV_RB16(buf); /* size of packed line */ | size = AV_RB16(buf); /* size of packed line */ | ||||
| buf += 2; | buf += 2; | ||||
| if (buf_end - buf < size) | |||||
| return AVERROR_INVALIDDATA; | |||||
| left = size; | left = size; | ||||
| next = buf + size; | next = buf + size; | ||||
| while (left > 0) { | while (left > 0) { | ||||
| @@ -115,6 +125,8 @@ static int decode_frame(AVCodecContext *avctx, | |||||
| } else { /* copy */ | } else { /* copy */ | ||||
| if ((out + code) > (outdata + a->pic.linesize[0])) | if ((out + code) > (outdata + a->pic.linesize[0])) | ||||
| break; | break; | ||||
| if (buf_end - buf < code + 1) | |||||
| return AVERROR_INVALIDDATA; | |||||
| memcpy(out, buf, code + 1); | memcpy(out, buf, code + 1); | ||||
| out += code + 1; | out += code + 1; | ||||
| buf += code + 1; | buf += code + 1; | ||||