Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
V
vlc-1.1
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Redmine
Redmine
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Metrics
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
videolan
vlc-1.1
Commits
d7e6e4af
Commit
d7e6e4af
authored
Mar 24, 2008
by
Rafaël Carré
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
cinepak: do not access arrays beyond allocated size
reported by Drew Yao
parent
6db7a77a
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
31 additions
and
11 deletions
+31
-11
modules/codec/cinepak.c
modules/codec/cinepak.c
+31
-11
No files found.
modules/codec/cinepak.c
View file @
d7e6e4af
...
...
@@ -63,8 +63,8 @@ typedef struct
{
int
b_grayscale
;
/* force to grayscale */
int
i_width
;
int
i_height
;
unsigned
int
i_width
;
unsigned
int
i_height
;
int
i_stride_x
;
int
i_stride_y
;
...
...
@@ -93,7 +93,7 @@ struct decoder_sys_t
static
picture_t
*
DecodeBlock
(
decoder_t
*
,
block_t
**
);
static
int
cinepak_decode_frame
(
cinepak_context_t
*
,
in
t
,
uint8_t
*
);
static
int
cinepak_decode_frame
(
cinepak_context_t
*
,
size_
t
,
uint8_t
*
);
/*****************************************************************************
* OpenDecoder: probe the decoder and return score
...
...
@@ -281,6 +281,16 @@ static void cinepak_Getv4( cinepak_context_t *p_context,
uint8_t
i_index
[
4
];
int
i
,
j
;
size_t
y_max
=
p_context
->
i_stride
[
0
]
*
(
i_y
+
5
)
+
i_x
+
5
;
size_t
u_max
=
p_context
->
i_stride
[
1
]
*
(
(
i_y
/
2
)
+
2
)
+
2
+
(
i_x
/
2
);
size_t
v_max
=
p_context
->
i_stride
[
2
]
*
(
(
i_y
/
2
)
+
2
)
+
2
+
(
i_x
/
2
);
size_t
y_siz
=
p_context
->
i_stride
[
0
]
*
p_context
->
i_lines
[
0
];
size_t
u_siz
=
p_context
->
i_stride
[
1
]
*
p_context
->
i_lines
[
1
];
size_t
v_siz
=
p_context
->
i_stride
[
2
]
*
p_context
->
i_lines
[
2
];
/* boundary check */
if
(
y_max
>=
y_siz
||
u_max
>=
u_siz
||
v_max
>=
v_siz
)
return
;
uint8_t
*
p_dst_y
,
*
p_dst_u
,
*
p_dst_v
;
#define PIX_SET_Y( x, y, v ) \
p_dst_y[(x) + (y)* p_context->i_stride[0]] = (v);
...
...
@@ -328,6 +338,16 @@ static void cinepak_Getv1( cinepak_context_t *p_context,
uint8_t
i_index
;
int
i
,
j
;
size_t
y_max
=
p_context
->
i_stride
[
0
]
*
(
i_y
+
5
)
+
i_x
+
5
;
size_t
u_max
=
p_context
->
i_stride
[
1
]
*
(
(
i_y
/
2
)
+
2
)
+
2
+
(
i_x
/
2
);
size_t
v_max
=
p_context
->
i_stride
[
2
]
*
(
(
i_y
/
2
)
+
2
)
+
2
+
(
i_x
/
2
);
size_t
y_siz
=
p_context
->
i_stride
[
0
]
*
p_context
->
i_lines
[
0
];
size_t
u_siz
=
p_context
->
i_stride
[
1
]
*
p_context
->
i_lines
[
1
];
size_t
v_siz
=
p_context
->
i_stride
[
2
]
*
p_context
->
i_lines
[
2
];
/* boundary check */
if
(
y_max
>=
y_siz
||
u_max
>=
u_siz
||
v_max
>=
v_siz
)
return
;
uint8_t
*
p_dst_y
,
*
p_dst_u
,
*
p_dst_v
;
#define PIX_SET_Y( x, y, v ) \
p_dst_y[(x) + (y)* p_context->i_stride[0]] = (v);
...
...
@@ -370,14 +390,14 @@ static void cinepak_Getv1( cinepak_context_t *p_context,
* The function that decode one frame
*****************************************************************************/
static
int
cinepak_decode_frame
(
cinepak_context_t
*
p_context
,
in
t
i_length
,
uint8_t
*
p_data
)
size_
t
i_length
,
uint8_t
*
p_data
)
{
int
i_strip
;
int
i_frame_flags
;
in
t
i_frame_size
;
in
t
i_width
,
i_height
;
in
t
i_frame_strips
;
int
8_t
i_frame_flags
;
uint32_
t
i_frame_size
;
uint16_
t
i_width
,
i_height
;
uint16_
t
i_frame_strips
;
int
i_index
;
int
i_strip_x1
=
0
,
i_strip_y1
=
0
;
int
i_strip_x2
=
0
,
i_strip_y2
=
0
;
...
...
@@ -447,15 +467,15 @@ static int cinepak_decode_frame( cinepak_context_t *p_context,
/* Now decode each strip */
for
(
i_strip
=
0
;
i_strip
<
i_frame_strips
;
i_strip
++
)
{
int
i_strip_id
;
int
i_strip_size
;
uint16_t
i_strip_size
;
if
(
i_length
<=
12
)
{
break
;
}
i_strip_id
=
GET2BYTES
(
p_data
);
p_data
+=
2
;
/* int16_t i_strip_id = GET2BYTES( p_data ); */
i_strip_size
=
GET2BYTES
(
p_data
);
i_strip_size
=
__MIN
(
i_strip_size
,
i_length
);
/* FIXME I don't really understand how it works; */
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment