Commit d5b76410 authored by melanson's avatar melanson

tinfoil patch: be more diligent about checking array boundaries before

writing to them


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@4515 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent daa82fb3
...@@ -66,16 +66,18 @@ typedef struct VmdVideoContext { ...@@ -66,16 +66,18 @@ typedef struct VmdVideoContext {
unsigned char palette[PALETTE_COUNT * 4]; unsigned char palette[PALETTE_COUNT * 4];
unsigned char *unpack_buffer; unsigned char *unpack_buffer;
int unpack_buffer_size;
} VmdVideoContext; } VmdVideoContext;
#define QUEUE_SIZE 0x1000 #define QUEUE_SIZE 0x1000
#define QUEUE_MASK 0x0FFF #define QUEUE_MASK 0x0FFF
static void lz_unpack(unsigned char *src, unsigned char *dest) static void lz_unpack(unsigned char *src, unsigned char *dest, int dest_len)
{ {
unsigned char *s; unsigned char *s;
unsigned char *d; unsigned char *d;
unsigned char *d_end;
unsigned char queue[QUEUE_SIZE]; unsigned char queue[QUEUE_SIZE];
unsigned int qpos; unsigned int qpos;
unsigned int dataleft; unsigned int dataleft;
...@@ -87,6 +89,7 @@ static void lz_unpack(unsigned char *src, unsigned char *dest) ...@@ -87,6 +89,7 @@ static void lz_unpack(unsigned char *src, unsigned char *dest)
s = src; s = src;
d = dest; d = dest;
d_end = d + dest_len;
dataleft = LE_32(s); dataleft = LE_32(s);
s += 4; s += 4;
memset(queue, QUEUE_SIZE, 0x20); memset(queue, QUEUE_SIZE, 0x20);
...@@ -102,6 +105,8 @@ static void lz_unpack(unsigned char *src, unsigned char *dest) ...@@ -102,6 +105,8 @@ static void lz_unpack(unsigned char *src, unsigned char *dest)
while (dataleft > 0) { while (dataleft > 0) {
tag = *s++; tag = *s++;
if ((tag == 0xFF) && (dataleft > 8)) { if ((tag == 0xFF) && (dataleft > 8)) {
if (d + 8 > d_end)
return;
for (i = 0; i < 8; i++) { for (i = 0; i < 8; i++) {
queue[qpos++] = *d++ = *s++; queue[qpos++] = *d++ = *s++;
qpos &= QUEUE_MASK; qpos &= QUEUE_MASK;
...@@ -112,6 +117,8 @@ static void lz_unpack(unsigned char *src, unsigned char *dest) ...@@ -112,6 +117,8 @@ static void lz_unpack(unsigned char *src, unsigned char *dest)
if (dataleft == 0) if (dataleft == 0)
break; break;
if (tag & 0x01) { if (tag & 0x01) {
if (d + 1 > d_end)
return;
queue[qpos++] = *d++ = *s++; queue[qpos++] = *d++ = *s++;
qpos &= QUEUE_MASK; qpos &= QUEUE_MASK;
dataleft--; dataleft--;
...@@ -121,6 +128,8 @@ static void lz_unpack(unsigned char *src, unsigned char *dest) ...@@ -121,6 +128,8 @@ static void lz_unpack(unsigned char *src, unsigned char *dest)
chainlen = (*s++ & 0x0F) + 3; chainlen = (*s++ & 0x0F) + 3;
if (chainlen == speclen) if (chainlen == speclen)
chainlen = *s++ + 0xF + 3; chainlen = *s++ + 0xF + 3;
if (d + chainlen > d_end)
return;
for (j = 0; j < chainlen; j++) { for (j = 0; j < chainlen; j++) {
*d = queue[chainofs++ & QUEUE_MASK]; *d = queue[chainofs++ & QUEUE_MASK];
queue[qpos++] = *d++; queue[qpos++] = *d++;
...@@ -134,27 +143,33 @@ static void lz_unpack(unsigned char *src, unsigned char *dest) ...@@ -134,27 +143,33 @@ static void lz_unpack(unsigned char *src, unsigned char *dest)
} }
} }
static int rle_unpack(unsigned char *src, unsigned char *dest, int len) static int rle_unpack(unsigned char *src, unsigned char *dest,
int src_len, int dest_len)
{ {
unsigned char *ps; unsigned char *ps;
unsigned char *pd; unsigned char *pd;
int i, l; int i, l;
unsigned char *dest_end = dest + dest_len;
ps = src; ps = src;
pd = dest; pd = dest;
if (len & 1) if (src_len & 1)
*pd++ = *ps++; *pd++ = *ps++;
len >>= 1; src_len >>= 1;
i = 0; i = 0;
do { do {
l = *ps++; l = *ps++;
if (l & 0x80) { if (l & 0x80) {
l = (l & 0x7F) * 2; l = (l & 0x7F) * 2;
if (pd + l > dest_end)
return (ps - src);
memcpy(pd, ps, l); memcpy(pd, ps, l);
ps += l; ps += l;
pd += l; pd += l;
} else { } else {
if (pd + i > dest_end)
return (ps - src);
for (i = 0; i < l; i++) { for (i = 0; i < l; i++) {
*pd++ = ps[0]; *pd++ = ps[0];
*pd++ = ps[1]; *pd++ = ps[1];
...@@ -162,7 +177,7 @@ static int rle_unpack(unsigned char *src, unsigned char *dest, int len) ...@@ -162,7 +177,7 @@ static int rle_unpack(unsigned char *src, unsigned char *dest, int len)
ps += 2; ps += 2;
} }
i += l; i += l;
} while (i < len); } while (i < src_len);
return (ps - src); return (ps - src);
} }
...@@ -185,6 +200,7 @@ static void vmd_decode(VmdVideoContext *s) ...@@ -185,6 +200,7 @@ static void vmd_decode(VmdVideoContext *s)
int frame_x, frame_y; int frame_x, frame_y;
int frame_width, frame_height; int frame_width, frame_height;
int dp_size;
frame_x = LE_16(&s->buf[6]); frame_x = LE_16(&s->buf[6]);
frame_y = LE_16(&s->buf[8]); frame_y = LE_16(&s->buf[8]);
...@@ -217,12 +233,13 @@ static void vmd_decode(VmdVideoContext *s) ...@@ -217,12 +233,13 @@ static void vmd_decode(VmdVideoContext *s)
pb = p; pb = p;
meth = *pb++; meth = *pb++;
if (meth & 0x80) { if (meth & 0x80) {
lz_unpack(pb, s->unpack_buffer); lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size);
meth &= 0x7F; meth &= 0x7F;
pb = s->unpack_buffer; pb = s->unpack_buffer;
} }
dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x];
dp_size = s->frame.linesize[0] * s->avctx->height;
pp = &s->prev_frame.data[0][frame_y * s->prev_frame.linesize[0] + frame_x]; pp = &s->prev_frame.data[0][frame_y * s->prev_frame.linesize[0] + frame_x];
switch (meth) { switch (meth) {
case 1: case 1:
...@@ -232,11 +249,15 @@ static void vmd_decode(VmdVideoContext *s) ...@@ -232,11 +249,15 @@ static void vmd_decode(VmdVideoContext *s)
len = *pb++; len = *pb++;
if (len & 0x80) { if (len & 0x80) {
len = (len & 0x7F) + 1; len = (len & 0x7F) + 1;
if (ofs + len > frame_width)
return;
memcpy(&dp[ofs], pb, len); memcpy(&dp[ofs], pb, len);
pb += len; pb += len;
ofs += len; ofs += len;
} else { } else {
/* interframe pixel copy */ /* interframe pixel copy */
if (ofs + len + 1 > frame_width)
return;
memcpy(&dp[ofs], &pp[ofs], len + 1); memcpy(&dp[ofs], &pp[ofs], len + 1);
ofs += len + 1; ofs += len + 1;
} }
...@@ -268,13 +289,15 @@ static void vmd_decode(VmdVideoContext *s) ...@@ -268,13 +289,15 @@ static void vmd_decode(VmdVideoContext *s)
if (len & 0x80) { if (len & 0x80) {
len = (len & 0x7F) + 1; len = (len & 0x7F) + 1;
if (*pb++ == 0xFF) if (*pb++ == 0xFF)
len = rle_unpack(pb, &dp[ofs], len); len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
else else
memcpy(&dp[ofs], pb, len); memcpy(&dp[ofs], pb, len);
pb += len; pb += len;
ofs += len; ofs += len;
} else { } else {
/* interframe pixel copy */ /* interframe pixel copy */
if (ofs + len + 1 > frame_width)
return;
memcpy(&dp[ofs], &pp[ofs], len + 1); memcpy(&dp[ofs], &pp[ofs], len + 1);
ofs += len + 1; ofs += len + 1;
} }
...@@ -314,7 +337,8 @@ static int vmdvideo_decode_init(AVCodecContext *avctx) ...@@ -314,7 +337,8 @@ static int vmdvideo_decode_init(AVCodecContext *avctx)
} }
vmd_header = (unsigned char *)avctx->extradata; vmd_header = (unsigned char *)avctx->extradata;
s->unpack_buffer = av_malloc(LE_32(&vmd_header[800])); s->unpack_buffer_size = LE_32(&vmd_header[800]);
s->unpack_buffer = av_malloc(s->unpack_buffer_size);
if (!s->unpack_buffer) if (!s->unpack_buffer)
return -1; return -1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment