comparison lcldec.c @ 9758:8ebcc162db3d libavcodec

Add sanity check for mthread_inlen, avoids crashes due to invalid reads.
author reimar
date Sun, 31 May 2009 09:59:46 +0000
parents 8e4d442554b3
children 5968a9f15535
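--- a/lcldec.c
+++ b/lcldec.c
@@ -188,10 +188,11 @@
 case CODEC_ID_MSZH:
 switch (c->compression) {
 case COMP_MSZH:
 if (c->flags & FLAG_MULTITHREAD) {
 mthread_inlen = *(unsigned int*)encoded;
+mthread_inlen = FFMIN(mthread_inlen, len - 8);
 mthread_outlen = *(unsigned int*)(encoded+4);
 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);
 mszh_dlen = mszh_decomp(encoded + 8, mthread_inlen, c->decomp_buf, c->decomp_size);
 if (mthread_outlen != mszh_dlen) {
 av_log(avctx, AV_LOG_ERROR, "Mthread1 decoded size differs (%d != %d)\n",
@@ -234,10 +235,11 @@
 len == width * height * 3)
 break;
 if (c->flags & FLAG_MULTITHREAD) {
 int ret;
 mthread_inlen = *(unsigned int*)encoded;
+mthread_inlen = FFMIN(mthread_inlen, len - 8);
 mthread_outlen = *(unsigned int*)(encoded+4);
 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);
 ret = zlib_decomp(avctx, encoded + 8, mthread_inlen, 0, mthread_outlen);
 if (ret < 0) return ret;
 ret = zlib_decomp(avctx, encoded + 8 + mthread_inlen, len - mthread_inlen,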
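Review bot: The added clamp `FFMIN(mthread_inlen, len - 8)` (new lines 193 and 240) only bounds the read when `len >= 8`; for a shorter packet `len - 8` wraps or goes negative and, compared against an unsigned `mthread_inlen` (as the `unsigned int` cast suggests), acts as a very large value, so nothing is clamped. In that case the two header reads from `encoded` and `encoded+4` are themselves already past the end of the input. A guard ahead of the first header read in both branches, e.g. `if (len < 8) return -1;` with whatever error code this function uses elsewhere, would cover it. Separately, the second `zlib_decomp` call at new line 245 passes `len - mthread_inlen` for data that starts at `encoded + 8 + mthread_inlen`, which appears to overstate the remaining input by the 8 header bytes; `len - 8 - mthread_inlen` looks like the intended length. The declaration of `len`, the start of the enclosing function and the rest of that call are outside the visible hunks, so both points need confirming against the full file.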