libavcodec.hg: vmnc.c comparison

comparison vmnc.c @ 3685:dd2da6e09d32 libavcodec

Tests for overreading input data

author	kostya
date	Thu, 07 Sep 2006 04:05:04 +0000
parents	9f77f4f577b4
children	5fc587a5feea

comparison

equal deleted inserted replaced

-:9f77f4f577b4
+:dd2da6e09d32
 }
 dst += stride;
 }
 }
-static int decode_hextile(VmncContext *c, uint8_t* dst, uint8_t* src, int w, int h, int stride)
+static int decode_hextile(VmncContext *c, uint8_t* dst, uint8_t* src, int ssize, int w, int h, int stride)
 {
 int i, j, k;
 int bg = 0, fg = 0, rects, color, flags, xy, wh;
 const int bpp = c->bpp2;
 uint8_t *dst2;
 for(j = 0; j < h; j += 16) {
 dst2 = dst;
 bw = 16;
 if(j + 16 > h) bh = h - j;
 for(i = 0; i < w; i += 16, dst2 += 16 * bpp) {
+if(src - ssrc >= ssize) {
+av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
+return -1;
+}
 if(i + 16 > w) bw = w - i;
 flags = *src++;
 if(flags & HT_RAW) {
+if(src - ssrc > ssize - bw * bh * bpp) {
+av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
+return -1;
+}
 paint_raw(dst2, bw, bh, src, bpp, c->bigendian, stride);
 src += bw * bh * bpp;
 } else {
 if(flags & HT_BKG) {
 bg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp;
 fg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp;
 }
 rects = 0;
 if(flags & HT_SUB)
 rects = *src++;
-color = (flags & HT_CLR);
+color = !!(flags & HT_CLR);
 paint_rect(dst2, 0, 0, bw, bh, bg, bpp, stride);
+if(src - ssrc > ssize - rects * (color * bpp + 2)) {
+av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
+return -1;
+}
 for(k = 0; k < rects; k++) {
 if(color) {
 fg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp;
 }
 xy = *src++;
 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8_t *buf, int buf_size)
 {
 VmncContext * const c = (VmncContext *)avctx->priv_data;
 uint8_t *outptr;
 uint8_t *src = buf;
-int dx, dy, w, h, depth, enc, chunks, res;
+int dx, dy, w, h, depth, enc, chunks, res, size_left;
 c->pic.reference = 1;
 c->pic.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
 if(avctx->reget_buffer(avctx, &c->pic) < 0){
 av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
 dy = BE_16(src); src += 2;
 w  = BE_16(src); src += 2;
 h  = BE_16(src); src += 2;
 enc = BE_32(src); src += 4;
 outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
+size_left = buf_size - (src - buf);
 switch(enc) {
 case MAGIC_WMVd: // cursor
+if(size_left < 2 + w * h * c->bpp2 * 2) {
+av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left);
+return -1;
+}
 src += 2;
 c->cur_w = w;
 c->cur_h = h;
 c->cur_hx = dx;
 c->cur_hy = dy;
 case 0x00000000: // raw rectangle data
 if((dx + w > c->width) || (dy + h > c->height)) {
 av_log(avctx, AV_LOG_ERROR, "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", w, h, dx, dy, c->width, c->height);
 return -1;
 }
+if(size_left < w * h * c->bpp2) {
+av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", w * h * c->bpp2, size_left);
+return -1;
+}
 paint_raw(outptr, w, h, src, c->bpp2, c->bigendian, c->pic.linesize[0]);
 src += w * h * c->bpp2;
 break;
 case 0x00000005: // HexTile encoded rectangle
 if((dx + w > c->width) || (dy + h > c->height)) {
 av_log(avctx, AV_LOG_ERROR, "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", w, h, dx, dy, c->width, c->height);
 return -1;
 }
-res = decode_hextile(c, outptr, src, w, h, c->pic.linesize[0]);
+res = decode_hextile(c, outptr, src, size_left, w, h, c->pic.linesize[0]);
 if(res < 0)
 return -1;
 src += res;
 break;
 default:

Mercurial > libavcodec.hg

comparison vmnc.c @ 3685:dd2da6e09d32 libavcodec