Mercurial > libavcodec.hg
comparison tscc.c @ 2455:d74d342cabb9 libavcodec
Check pointers before writing to memory
| author | rtognimp |
|---|---|
| date | Sun, 23 Jan 2005 21:36:24 +0000 |
| parents | f67b63ed036d |
| children | 0803adcb3ec3 |
comparison
equal
deleted
inserted
replaced
| 2454:300f1207768d | 2455:d74d342cabb9 |
|---|---|
| 70 * Decode RLE - almost identical to Windows BMP RLE8 | 70 * Decode RLE - almost identical to Windows BMP RLE8 |
| 71 * and enhanced to bigger color depths | 71 * and enhanced to bigger color depths |
| 72 * | 72 * |
| 73 */ | 73 */ |
| 74 | 74 |
| 75 static int decode_rle(CamtasiaContext *c) | 75 static int decode_rle(CamtasiaContext *c, unsigned int srcsize) |
| 76 { | 76 { |
| 77 unsigned char *src = c->decomp_buf; | 77 unsigned char *src = c->decomp_buf; |
| 78 unsigned char *output; | 78 unsigned char *output, *output_end; |
| 79 int p1, p2, line=c->height, pos=0, i; | 79 int p1, p2, line=c->height, pos=0, i; |
| 80 | 80 |
| 81 output = c->pic.data[0] + (c->height - 1) * c->pic.linesize[0]; | 81 output = c->pic.data[0] + (c->height - 1) * c->pic.linesize[0]; |
| 82 while(src < c->decomp_buf + c->decomp_size) { | 82 output_end = c->pic.data[0] + (c->height) * c->pic.linesize[0]; |
| 83 while(src < c->decomp_buf + srcsize) { | |
| 83 p1 = *src++; | 84 p1 = *src++; |
| 84 if(p1 == 0) { //Escape code | 85 if(p1 == 0) { //Escape code |
| 85 p2 = *src++; | 86 p2 = *src++; |
| 86 if(p2 == 0) { //End-of-line | 87 if(p2 == 0) { //End-of-line |
| 87 output = c->pic.data[0] + (--line) * c->pic.linesize[0]; | 88 output = c->pic.data[0] + (--line) * c->pic.linesize[0]; |
| 89 if (line < 0) | |
| 90 return -1; | |
| 88 pos = 0; | 91 pos = 0; |
| 89 continue; | 92 continue; |
| 90 } else if(p2 == 1) { //End-of-picture | 93 } else if(p2 == 1) { //End-of-picture |
| 91 return 0; | 94 return 0; |
| 92 } else if(p2 == 2) { //Skip | 95 } else if(p2 == 2) { //Skip |
| 93 p1 = *src++; | 96 p1 = *src++; |
| 94 p2 = *src++; | 97 p2 = *src++; |
| 95 line -= p2; | 98 line -= p2; |
| 99 if (line < 0) | |
| 100 return -1; | |
| 96 pos += p1; | 101 pos += p1; |
| 97 output = c->pic.data[0] + line * c->pic.linesize[0] + pos * (c->bpp / 8); | 102 output = c->pic.data[0] + line * c->pic.linesize[0] + pos * (c->bpp / 8); |
| 98 continue; | 103 continue; |
| 99 } | 104 } |
| 100 // Copy data | 105 // Copy data |
| 106 if (output + p2 * (c->bpp / 8) > output_end) { | |
| 107 src += p2 * (c->bpp / 8); | |
| 108 continue; | |
| 109 } | |
| 101 for(i = 0; i < p2 * (c->bpp / 8); i++) { | 110 for(i = 0; i < p2 * (c->bpp / 8); i++) { |
| 102 *output++ = *src++; | 111 *output++ = *src++; |
| 103 } | 112 } |
| 104 // RLE8 copy is actually padded - and runs are not! | 113 // RLE8 copy is actually padded - and runs are not! |
| 105 if(c->bpp == 8 && (p2 & 1)) { | 114 if(c->bpp == 8 && (p2 & 1)) { |
| 117 case 24: pix[0] = *src++; | 126 case 24: pix[0] = *src++; |
| 118 pix[1] = *src++; | 127 pix[1] = *src++; |
| 119 pix[2] = *src++; | 128 pix[2] = *src++; |
| 120 break; | 129 break; |
| 121 } | 130 } |
| 131 if (output + p1 * (c->bpp / 8) > output_end) | |
| 132 continue; | |
| 122 for(i = 0; i < p1; i++) { | 133 for(i = 0; i < p1; i++) { |
| 123 switch(c->bpp){ | 134 switch(c->bpp){ |
| 124 case 8: *output++ = pix[0]; | 135 case 8: *output++ = pix[0]; |
| 125 break; | 136 break; |
| 126 case 16: *output++ = pix[0]; | 137 case 16: *output++ = pix[0]; |
| 181 // Z_DATA_ERROR means empty picture | 192 // Z_DATA_ERROR means empty picture |
| 182 if ((zret != Z_OK) && (zret != Z_STREAM_END) && (zret != Z_DATA_ERROR)) { | 193 if ((zret != Z_OK) && (zret != Z_STREAM_END) && (zret != Z_DATA_ERROR)) { |
| 183 av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", zret); | 194 av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", zret); |
| 184 return -1; | 195 return -1; |
| 185 } | 196 } |
| 186 encoded = c->decomp_buf; | 197 |
| 187 len = c->decomp_size; | 198 |
| 188 if(zret != Z_DATA_ERROR) | 199 if(zret != Z_DATA_ERROR) |
| 189 decode_rle(c); | 200 decode_rle(c, c->zstream.avail_out); |
| 190 | 201 |
| 191 /* make the palette available on the way out */ | 202 /* make the palette available on the way out */ |
| 192 if (c->avctx->pix_fmt == PIX_FMT_PAL8) { | 203 if (c->avctx->pix_fmt == PIX_FMT_PAL8) { |
| 193 memcpy(c->pic.data[1], c->avctx->palctrl->palette, AVPALETTE_SIZE); | 204 memcpy(c->pic.data[1], c->avctx->palctrl->palette, AVPALETTE_SIZE); |
| 194 if (c->avctx->palctrl->palette_changed) { | 205 if (c->avctx->palctrl->palette_changed) { |
| 224 c->avctx = avctx; | 235 c->avctx = avctx; |
| 225 avctx->has_b_frames = 0; | 236 avctx->has_b_frames = 0; |
| 226 | 237 |
| 227 c->pic.data[0] = NULL; | 238 c->pic.data[0] = NULL; |
| 228 c->height = avctx->height; | 239 c->height = avctx->height; |
| 240 | |
| 241 if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) { | |
| 242 return 1; | |
| 243 } | |
| 229 | 244 |
| 230 #ifdef CONFIG_ZLIB | 245 #ifdef CONFIG_ZLIB |
| 231 // Needed if zlib unused or init aborted before inflateInit | 246 // Needed if zlib unused or init aborted before inflateInit |
| 232 memset(&(c->zstream), 0, sizeof(z_stream)); | 247 memset(&(c->zstream), 0, sizeof(z_stream)); |
| 233 #else | 248 #else |