Mercurial > libavcodec.hg
comparison qdrw.c @ 2455:d74d342cabb9 libavcodec
Check pointers before writing to memory
| author | rtognimp |
|---|---|
| date | Sun, 23 Jan 2005 21:36:24 +0000 |
| parents | f67b63ed036d |
| children | ef2149182f1c |
comparison
equal
deleted
inserted
replaced
| 2454:300f1207768d | 2455:d74d342cabb9 |
|---|---|
| 63 av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); | 63 av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); |
| 64 return -1; | 64 return -1; |
| 65 } | 65 } |
| 66 | 66 |
| 67 for (i = 0; i <= colors; i++) { | 67 for (i = 0; i <= colors; i++) { |
| 68 int idx; | 68 unsigned int idx; |
| 69 idx = BE_16(buf); /* color index */ | 69 idx = BE_16(buf); /* color index */ |
| 70 buf += 2; | 70 buf += 2; |
| 71 | 71 |
| 72 if (idx > 255) { | |
| 73 av_log(avctx, AV_LOG_ERROR, "Palette index out of range: %u\n", idx); | |
| 74 buf += 6; | |
| 75 continue; | |
| 76 } | |
| 72 a->palette[idx * 3 + 0] = *buf++; | 77 a->palette[idx * 3 + 0] = *buf++; |
| 73 buf++; | 78 buf++; |
| 74 a->palette[idx * 3 + 1] = *buf++; | 79 a->palette[idx * 3 + 1] = *buf++; |
| 75 buf++; | 80 buf++; |
| 76 a->palette[idx * 3 + 2] = *buf++; | 81 a->palette[idx * 3 + 2] = *buf++; |
| 77 buf++; | 82 buf++; |
| 78 } | 83 } |
| 79 | |
| 80 if (colors) | |
| 81 a->pic.palette_has_changed = 1; | |
| 82 | 84 |
| 83 buf += 18; /* skip unneeded data */ | 85 buf += 18; /* skip unneeded data */ |
| 84 for (i = 0; i < avctx->height; i++) { | 86 for (i = 0; i < avctx->height; i++) { |
| 85 int size, left, code, pix; | 87 int size, left, code, pix; |
| 86 uint8_t *next; | 88 uint8_t *next; |
| 96 while (left > 0) { | 98 while (left > 0) { |
| 97 code = *buf++; | 99 code = *buf++; |
| 98 if (code & 0x80 ) { /* run */ | 100 if (code & 0x80 ) { /* run */ |
| 99 int i; | 101 int i; |
| 100 pix = *buf++; | 102 pix = *buf++; |
| 103 if ((out + (257 - code) * 3) > (outdata + a->pic.linesize[0])) | |
| 104 break; | |
| 101 for (i = 0; i < 257 - code; i++) { | 105 for (i = 0; i < 257 - code; i++) { |
| 102 *out++ = a->palette[pix * 3 + 0]; | 106 *out++ = a->palette[pix * 3 + 0]; |
| 103 *out++ = a->palette[pix * 3 + 1]; | 107 *out++ = a->palette[pix * 3 + 1]; |
| 104 *out++ = a->palette[pix * 3 + 2]; | 108 *out++ = a->palette[pix * 3 + 2]; |
| 105 } | 109 } |
| 106 tsize += 257 - code; | 110 tsize += 257 - code; |
| 107 left -= 2; | 111 left -= 2; |
| 108 } else { /* copy */ | 112 } else { /* copy */ |
| 109 int i, pix; | 113 int i, pix; |
| 114 if ((out + code * 3) > (outdata + a->pic.linesize[0])) | |
| 115 break; | |
| 110 for (i = 0; i <= code; i++) { | 116 for (i = 0; i <= code; i++) { |
| 111 pix = *buf++; | 117 pix = *buf++; |
| 112 *out++ = a->palette[pix * 3 + 0]; | 118 *out++ = a->palette[pix * 3 + 0]; |
| 113 *out++ = a->palette[pix * 3 + 1]; | 119 *out++ = a->palette[pix * 3 + 1]; |
| 114 *out++ = a->palette[pix * 3 + 2]; | 120 *out++ = a->palette[pix * 3 + 2]; |
| 128 } | 134 } |
| 129 | 135 |
| 130 static int decode_init(AVCodecContext *avctx){ | 136 static int decode_init(AVCodecContext *avctx){ |
| 131 // QdrawContext * const a = avctx->priv_data; | 137 // QdrawContext * const a = avctx->priv_data; |
| 132 | 138 |
| 139 if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) { | |
| 140 return 1; | |
| 141 } | |
| 142 | |
| 133 avctx->pix_fmt= PIX_FMT_RGB24; | 143 avctx->pix_fmt= PIX_FMT_RGB24; |
| 134 | 144 |
| 135 return 0; | 145 return 0; |
| 136 } | 146 } |
| 137 | 147 |