Mercurial > libavcodec.hg
comparison 4xm.c @ 2422:18b8b2dcc037 libavcodec
various security fixes and precautionary checks
author | michael |
---|---|
date | Wed, 12 Jan 2005 00:16:25 +0000 |
parents | 26560d4fdb1f |
children | f67b63ed036d |
comparison
equal
deleted
inserted
replaced
2421:e326490f58c4 | 2422:18b8b2dcc037 |
---|---|
321 const int width= f->avctx->width; | 321 const int width= f->avctx->width; |
322 const int height= f->avctx->height; | 322 const int height= f->avctx->height; |
323 uint16_t *src= (uint16_t*)f->last_picture.data[0]; | 323 uint16_t *src= (uint16_t*)f->last_picture.data[0]; |
324 uint16_t *dst= (uint16_t*)f->current_picture.data[0]; | 324 uint16_t *dst= (uint16_t*)f->current_picture.data[0]; |
325 const int stride= f->current_picture.linesize[0]>>1; | 325 const int stride= f->current_picture.linesize[0]>>1; |
326 const int bitstream_size= get32(buf+8); | 326 const unsigned int bitstream_size= get32(buf+8); |
327 const int bytestream_size= get32(buf+16); | 327 const unsigned int bytestream_size= get32(buf+16); |
328 const int wordstream_size= get32(buf+12); | 328 const unsigned int wordstream_size= get32(buf+12); |
329 | 329 |
330 if(bitstream_size+ bytestream_size+ wordstream_size + 20 != length) | 330 if(bitstream_size+ bytestream_size+ wordstream_size + 20 != length |
331 || bitstream_size > (1<<26) | |
332 || bytestream_size > (1<<26) | |
333 || wordstream_size > (1<<26) | |
334 ){ | |
331 av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size, | 335 av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size, |
332 bitstream_size+ bytestream_size+ wordstream_size - length); | 336 bitstream_size+ bytestream_size+ wordstream_size - length); |
337 return -1; | |
338 } | |
333 | 339 |
334 f->bitstream_buffer= av_fast_realloc(f->bitstream_buffer, &f->bitstream_buffer_size, bitstream_size + FF_INPUT_BUFFER_PADDING_SIZE); | 340 f->bitstream_buffer= av_fast_realloc(f->bitstream_buffer, &f->bitstream_buffer_size, bitstream_size + FF_INPUT_BUFFER_PADDING_SIZE); |
335 f->dsp.bswap_buf((uint32_t*)f->bitstream_buffer, (uint32_t*)(buf + 20), bitstream_size/4); | 341 f->dsp.bswap_buf((uint32_t*)f->bitstream_buffer, (uint32_t*)(buf + 20), bitstream_size/4); |
336 init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); | 342 init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); |
337 | 343 |
548 int x, y; | 554 int x, y; |
549 const int width= f->avctx->width; | 555 const int width= f->avctx->width; |
550 const int height= f->avctx->height; | 556 const int height= f->avctx->height; |
551 uint16_t *dst= (uint16_t*)f->current_picture.data[0]; | 557 uint16_t *dst= (uint16_t*)f->current_picture.data[0]; |
552 const int stride= f->current_picture.linesize[0]>>1; | 558 const int stride= f->current_picture.linesize[0]>>1; |
553 const int bitstream_size= get32(buf); | 559 const unsigned int bitstream_size= get32(buf); |
554 const int token_count __attribute__((unused)) = get32(buf + bitstream_size + 8); | 560 const int token_count __attribute__((unused)) = get32(buf + bitstream_size + 8); |
555 int prestream_size= 4*get32(buf + bitstream_size + 4); | 561 unsigned int prestream_size= 4*get32(buf + bitstream_size + 4); |
556 uint8_t *prestream= buf + bitstream_size + 12; | 562 uint8_t *prestream= buf + bitstream_size + 12; |
557 | 563 |
558 if(prestream_size + bitstream_size + 12 != length) | 564 if(prestream_size + bitstream_size + 12 != length |
565 || bitstream_size > (1<<26) | |
566 || prestream_size > (1<<26)){ | |
559 av_log(f->avctx, AV_LOG_ERROR, "size missmatch %d %d %d\n", prestream_size, bitstream_size, length); | 567 av_log(f->avctx, AV_LOG_ERROR, "size missmatch %d %d %d\n", prestream_size, bitstream_size, length); |
568 return -1; | |
569 } | |
560 | 570 |
561 prestream= read_huffman_tables(f, prestream); | 571 prestream= read_huffman_tables(f, prestream); |
562 | 572 |
563 init_get_bits(&f->gb, buf + 4, 8*bitstream_size); | 573 init_get_bits(&f->gb, buf + 4, 8*bitstream_size); |
564 | 574 |