Check pointers before writing to memory, fix possible integer overflows

Force alignement for mszh and zlib decoders git-svn-id: file:///var/local/repositories/ffmpeg/trunk@3817 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

Check pointers before writing to memory, fix possible integer overflows
Force alignement for mszh and zlib decoders git-svn-id: file:///var/local/repositories/ffmpeg/trunk@3817 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
34ad497f · rtognimp · 19efce04 · 34ad497f · 34ad497f · 34ad497f
Commit 34ad497f authored Jan 09, 2005 by rtognimp
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 63 additions and 17 deletions

libavcodec/8bps.c libavcodec/8bps.c +12 -1

libavcodec/lcl.c libavcodec/lcl.c +45 -16

libavcodec/utils.c libavcodec/utils.c +6 -0

No files found.
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -61,7 +61,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8
 {
 	EightBpsContext * const c = (EightBpsContext *)avctx->priv_data;
 	unsigned char *encoded = (unsigned char *)buf;
-	unsigned char *pixptr;
+	unsigned char *pixptr, *pixptr_end;
 	unsigned int height = avctx->height; // Real image height
 	unsigned int dlen, p, row;
 	unsigned char *lp, *dp;
@@ -101,18 +101,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8
 		/* Decode a plane */
 		for(row = 0; row < height; row++) {
 			pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
+			pixptr_end = pixptr + c->pic.linesize[0];
 			dlen = be2me_16(*(unsigned short *)(lp+row*2));
 			/* Decode a row of this plane */
 			while(dlen > 0) {
 				if ((count = *dp++) <= 127) {
 					count++;
 					dlen -= count + 1;
+					if (pixptr + count * px_inc > pixptr_end)
+					    break;
 					while(count--) {
 						*pixptr = *dp++;
 						pixptr += px_inc;
 					}
 				} else {
 					count = 257 - count;
+					if (pixptr + count * px_inc > pixptr_end)
+					    break;
 					while(count--) {
 						*pixptr = *dp;
 						pixptr += px_inc;
@@ -155,6 +160,12 @@ static int decode_init(AVCodecContext *avctx)

 	c->pic.data[0] = NULL;

+    // FIXME: find a better way to prevent integer overflow
+    if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) {
+        av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height);
+        return 1;
+    }
+
 	switch (avctx->bits_per_sample) {
 		case 8:
 			avctx->pix_fmt = PIX_FMT_PAL8;

--- a/libavcodec/lcl.c
+++ b/libavcodec/lcl.c
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -217,6 +217,12 @@ void avcodec_align_dimensions(AVCodecContext *s, int *width, int *height){
            h_align=4;
        }
        break;
+    case PIX_FMT_BGR24:
+        if((s->codec_id == CODEC_ID_MSZH) || (s->codec_id == CODEC_ID_ZLIB)){
+            w_align=4;
+            h_align=4;
+        }
+        break;
    default:
        w_align= 1;
        h_align= 1;