comparison 4xm.c @ 2422:18b8b2dcc037 libavcodec

various security fixes and precautionary checks
author michael
date Wed, 12 Jan 2005 00:16:25 +0000
parents 26560d4fdb1f
children f67b63ed036d
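--- a/4xm.c
+++ b/4xm.c
@@ -321,17 +321,23 @@
 const int width= f->avctx->width;
 const int height= f->avctx->height;
 uint16_t *src= (uint16_t*)f->last_picture.data[0];
 uint16_t *dst= (uint16_t*)f->current_picture.data[0];
 const int stride= f->current_picture.linesize[0]>>1;
-const int bitstream_size= get32(buf+8);
-const int bytestream_size= get32(buf+16);
-const int wordstream_size= get32(buf+12);
+const unsigned int bitstream_size= get32(buf+8);
+const unsigned int bytestream_size= get32(buf+16);
+const unsigned int wordstream_size= get32(buf+12);
 
-if(bitstream_size+ bytestream_size+ wordstream_size + 20 != length)
+if(bitstream_size+ bytestream_size+ wordstream_size + 20 != length
+|| bitstream_size > (1<<26)
+|| bytestream_size > (1<<26)
+|| wordstream_size > (1<<26)
+){
 av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size,
 bitstream_size+ bytestream_size+ wordstream_size - length);
+return -1;
+}
 
 f->bitstream_buffer= av_fast_realloc(f->bitstream_buffer, &f->bitstream_buffer_size, bitstream_size + FF_INPUT_BUFFER_PADDING_SIZE);
 f->dsp.bswap_buf((uint32_t*)f->bitstream_buffer, (uint32_t*)(buf + 20), bitstream_size/4);
 init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);
 
@@ -548,17 +554,21 @@
 int x, y;
 const int width= f->avctx->width;
 const int height= f->avctx->height;
 uint16_t *dst= (uint16_t*)f->current_picture.data[0];
 const int stride= f->current_picture.linesize[0]>>1;
-const int bitstream_size= get32(buf);
+const unsigned int bitstream_size= get32(buf);
 const int token_count __attribute__((unused)) = get32(buf + bitstream_size + 8);
-int prestream_size= 4*get32(buf + bitstream_size + 4);
+unsigned int prestream_size= 4*get32(buf + bitstream_size + 4);
 uint8_t *prestream= buf + bitstream_size + 12;
 
-if(prestream_size + bitstream_size + 12 != length)
+if(prestream_size + bitstream_size + 12 != length
+|| bitstream_size > (1<<26)
+|| prestream_size > (1<<26)){
 av_log(f->avctx, AV_LOG_ERROR, "size missmatch %d %d %d\n", prestream_size, bitstream_size, length);
+return -1;
+}
 
 prestream= read_huffman_tables(f, prestream);
 
 init_get_bits(&f->gb, buf + 4, 8*bitstream_size);
 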
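Review bot: In the second hunk, `token_count` and `prestream_size` are still initialised in their declarations with `get32(buf + bitstream_size + 8)` and `get32(buf + bitstream_size + 4)`, so both reads use the unvalidated `bitstream_size` as an offset before the new `> (1<<26)` test can reject it. A guard ahead of those reads, for example `if(length < 12 || bitstream_size > length - 12) return -1;`, with the two values assigned afterwards, would keep the reads inside the input buffer. `length` is declared outside the hunk, so its signedness needs checking before that comparison is written. The sizes are now `unsigned int`, but both `av_log` calls still print them with `%d`; `%u` would match the new type. Both enclosing functions start and end outside the shown hunks.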