comparison 8bps.c @ 2418:82af834636c2 libavcodec
Check pointers before writing to memory, fix possible integer overflows
Force alignment for mszh and zlib decoders
author | rtognimp |
---|---|
date | Sun, 09 Jan 2005 23:39:32 +0000 |
parents | 639972344c6f |
children | 4b350cc506a7 |
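--- a/8bps.c
+++ b/8bps.c
@@ -59,11 +59,11 @@
 */
 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8_t *buf, int buf_size)
 {
 EightBpsContext * const c = (EightBpsContext *)avctx->priv_data;
 unsigned char *encoded = (unsigned char *)buf;
-unsigned char *pixptr;
+unsigned char *pixptr, *pixptr_end;
 unsigned int height = avctx->height; // Real image height
 unsigned int dlen, p, row;
 unsigned char *lp, *dp;
 unsigned char count;
 unsigned int px_inc;
@@ -99,22 +99,27 @@
 lp = encoded + p * (height << 1);
 
 /* Decode a plane */
 for(row = 0; row < height; row++) {
 pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
+pixptr_end = pixptr + c->pic.linesize[0];
 dlen = be2me_16(*(unsigned short *)(lp+row*2));
 /* Decode a row of this plane */
 while(dlen > 0) {
 if ((count = *dp++) <= 127) {
 count++;
 dlen -= count + 1;
+if (pixptr + count * px_inc > pixptr_end)
+break;
 while(count--) {
 *pixptr = *dp++;
 pixptr += px_inc;
 }
 } else {
 count = 257 - count;
+if (pixptr + count * px_inc > pixptr_end)
+break;
 while(count--) {
 *pixptr = *dp;
 pixptr += px_inc;
 }
 dp++;
@@ -152,10 +157,16 @@
 
 c->avctx = avctx;
 avctx->has_b_frames = 0;
 
 c->pic.data[0] = NULL;
+
+// FIXME: find a better way to prevent integer overflow
+if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) {
+av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height);
+return 1;
+}
 
 switch (avctx->bits_per_sample) {
 case 8:
 avctx->pix_fmt = PIX_FMT_PAL8;
 c->planes = 1;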
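Review bot: The new guard in the row loop of decode_frame bounds only the destination, and loosely: `pixptr_end` is derived from `pixptr`, which already includes `planemap[p]`, so the limit sits `planemap[p]` bytes past the end of the row and on the last row that slack may fall outside the picture buffer. The source side is still unchecked, since `*dp++` and the `lp+row*2` length read are never compared with `buf_size`, and `dlen -= count + 1` on an unsigned `dlen` wraps when the stream declares a row shorter than its run, which keeps `while(dlen > 0)` reading. I would bound each row by a pixel budget rather than a pointer, presumably `avctx->width` samples per plane row, with `if (count > pixels_left) break;`, and add `if (dlen < count + 1u) break;` ahead of the subtraction together with an end-of-input check on `dp` before each copy. The function body continues outside the hunks shown, so the `dlen` update for the run branch is not visible here and should get the same treatment.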