Mercurial > libavcodec.hg
comparison 8bps.c @ 2418:82af834636c2 libavcodec
Check pointers before writing to memory, fix possible integer overflows
Force alignement for mszh and zlib decoders
| author | rtognimp |
|---|---|
| date | Sun, 09 Jan 2005 23:39:32 +0000 |
| parents | 639972344c6f |
| children | 4b350cc506a7 |
comparison
equal
deleted
inserted
replaced
| 2417:991f39305057 | 2418:82af834636c2 |
|---|---|
| 59 */ | 59 */ |
| 60 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8_t *buf, int buf_size) | 60 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8_t *buf, int buf_size) |
| 61 { | 61 { |
| 62 EightBpsContext * const c = (EightBpsContext *)avctx->priv_data; | 62 EightBpsContext * const c = (EightBpsContext *)avctx->priv_data; |
| 63 unsigned char *encoded = (unsigned char *)buf; | 63 unsigned char *encoded = (unsigned char *)buf; |
| 64 unsigned char *pixptr; | 64 unsigned char *pixptr, *pixptr_end; |
| 65 unsigned int height = avctx->height; // Real image height | 65 unsigned int height = avctx->height; // Real image height |
| 66 unsigned int dlen, p, row; | 66 unsigned int dlen, p, row; |
| 67 unsigned char *lp, *dp; | 67 unsigned char *lp, *dp; |
| 68 unsigned char count; | 68 unsigned char count; |
| 69 unsigned int px_inc; | 69 unsigned int px_inc; |
| 99 lp = encoded + p * (height << 1); | 99 lp = encoded + p * (height << 1); |
| 100 | 100 |
| 101 /* Decode a plane */ | 101 /* Decode a plane */ |
| 102 for(row = 0; row < height; row++) { | 102 for(row = 0; row < height; row++) { |
| 103 pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; | 103 pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; |
| 104 pixptr_end = pixptr + c->pic.linesize[0]; | |
| 104 dlen = be2me_16(*(unsigned short *)(lp+row*2)); | 105 dlen = be2me_16(*(unsigned short *)(lp+row*2)); |
| 105 /* Decode a row of this plane */ | 106 /* Decode a row of this plane */ |
| 106 while(dlen > 0) { | 107 while(dlen > 0) { |
| 107 if ((count = *dp++) <= 127) { | 108 if ((count = *dp++) <= 127) { |
| 108 count++; | 109 count++; |
| 109 dlen -= count + 1; | 110 dlen -= count + 1; |
| 111 if (pixptr + count * px_inc > pixptr_end) | |
| 112 break; | |
| 110 while(count--) { | 113 while(count--) { |
| 111 *pixptr = *dp++; | 114 *pixptr = *dp++; |
| 112 pixptr += px_inc; | 115 pixptr += px_inc; |
| 113 } | 116 } |
| 114 } else { | 117 } else { |
| 115 count = 257 - count; | 118 count = 257 - count; |
| 119 if (pixptr + count * px_inc > pixptr_end) | |
| 120 break; | |
| 116 while(count--) { | 121 while(count--) { |
| 117 *pixptr = *dp; | 122 *pixptr = *dp; |
| 118 pixptr += px_inc; | 123 pixptr += px_inc; |
| 119 } | 124 } |
| 120 dp++; | 125 dp++; |
| 152 | 157 |
| 153 c->avctx = avctx; | 158 c->avctx = avctx; |
| 154 avctx->has_b_frames = 0; | 159 avctx->has_b_frames = 0; |
| 155 | 160 |
| 156 c->pic.data[0] = NULL; | 161 c->pic.data[0] = NULL; |
| 162 | |
| 163 // FIXME: find a better way to prevent integer overflow | |
| 164 if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) { | |
| 165 av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height); | |
| 166 return 1; | |
| 167 } | |
| 157 | 168 |
| 158 switch (avctx->bits_per_sample) { | 169 switch (avctx->bits_per_sample) { |
| 159 case 8: | 170 case 8: |
| 160 avctx->pix_fmt = PIX_FMT_PAL8; | 171 avctx->pix_fmt = PIX_FMT_PAL8; |
| 161 c->planes = 1; | 172 c->planes = 1; |