# HG changeset patch # User rtognimp # Date 1105313972 0 # Node ID 82af834636c247341b32326ce23e3145be815faf # Parent 991f39305057eef447055b86ec3528bcd34c1ea6 Check pointers before writing to memory, fix possible integer overflows Force alignement for mszh and zlib decoders diff -r 991f39305057 -r 82af834636c2 8bps.c --- a/8bps.c Sun Jan 09 00:48:37 2005 +0000 +++ b/8bps.c Sun Jan 09 23:39:32 2005 +0000 @@ -61,7 +61,7 @@ { EightBpsContext * const c = (EightBpsContext *)avctx->priv_data; unsigned char *encoded = (unsigned char *)buf; - unsigned char *pixptr; + unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; unsigned char *lp, *dp; @@ -101,18 +101,23 @@ /* Decode a plane */ for(row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; + pixptr_end = pixptr + c->pic.linesize[0]; dlen = be2me_16(*(unsigned short *)(lp+row*2)); /* Decode a row of this plane */ while(dlen > 0) { if ((count = *dp++) <= 127) { count++; dlen -= count + 1; + if (pixptr + count * px_inc > pixptr_end) + break; while(count--) { *pixptr = *dp++; pixptr += px_inc; } } else { count = 257 - count; + if (pixptr + count * px_inc > pixptr_end) + break; while(count--) { *pixptr = *dp; pixptr += px_inc; @@ -155,6 +160,12 @@ c->pic.data[0] = NULL; + // FIXME: find a better way to prevent integer overflow + if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) { + av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height); + return 1; + } + switch (avctx->bits_per_sample) { case 8: avctx->pix_fmt = PIX_FMT_PAL8; diff -r 991f39305057 -r 82af834636c2 lcl.c --- a/lcl.c Sun Jan 09 00:48:37 2005 +0000 +++ b/lcl.c Sun Jan 09 23:39:32 2005 +0000 @@ -145,14 +145,15 @@ -static int mszh_decomp(unsigned char * srcptr, int srclen, unsigned char * destptr) +static unsigned int mszh_decomp(unsigned char * srcptr, int srclen, unsigned char * destptr, unsigned int destsize) { unsigned char *destptr_bak = destptr; + unsigned char *destptr_end = destptr + destsize; unsigned char mask = 0; unsigned char maskbit = 0; unsigned int ofs, cnt; - while (srclen > 0) { + while ((srclen > 0) && (destptr < destptr_end)) { if (maskbit == 0) { mask = *(srcptr++); maskbit = 8; @@ -160,6 +161,8 @@ continue; } if ((mask & (1 << (--maskbit))) == 0) { + if (destptr + 4 > destptr_end) + break; *(int*)destptr = *(int*)srcptr; srclen -= 4; destptr += 4; @@ -172,6 +175,9 @@ ofs &= 0x7ff; srclen -= 2; cnt *= 4; + if (destptr + cnt > destptr_end) { + cnt = destptr_end - destptr; + } for (; cnt > 0; cnt--) { *(destptr) = *(destptr - ofs); destptr++; @@ -194,7 +200,7 @@ { LclContext * const c = (LclContext *)avctx->priv_data; unsigned char *encoded = (unsigned char *)buf; - int pixel_ptr; + unsigned int pixel_ptr; int row, col; unsigned char *outptr; unsigned int width = avctx->width; // Real image width @@ -206,7 +212,7 @@ #ifdef CONFIG_ZLIB int zret; // Zlib return code #endif - int len = buf_size; + unsigned int len = buf_size; /* no supplementary picture */ if (buf_size == 0) @@ -232,24 +238,29 @@ if (c->flags & FLAG_MULTITHREAD) { mthread_inlen = *((unsigned int*)encoded); mthread_outlen = *((unsigned int*)(encoded+4)); - mszh_dlen = mszh_decomp(encoded + 8, mthread_inlen, c->decomp_buf); + if (mthread_outlen > c->decomp_size) // this should not happen + mthread_outlen = c->decomp_size; + mszh_dlen = mszh_decomp(encoded + 8, mthread_inlen, c->decomp_buf, c->decomp_size); if (mthread_outlen != mszh_dlen) { av_log(avctx, AV_LOG_ERROR, "Mthread1 decoded size differs (%d != %d)\n", mthread_outlen, mszh_dlen); + return -1; } mszh_dlen = mszh_decomp(encoded + 8 + mthread_inlen, len - mthread_inlen, - c->decomp_buf + mthread_outlen); - if ((c->decomp_size - mthread_outlen) != mszh_dlen) { + c->decomp_buf + mthread_outlen, c->decomp_size - mthread_outlen); + if (mthread_outlen != mszh_dlen) { av_log(avctx, AV_LOG_ERROR, "Mthread2 decoded size differs (%d != %d)\n", - c->decomp_size - mthread_outlen, mszh_dlen); + mthread_outlen, mszh_dlen); + return -1; } encoded = c->decomp_buf; len = c->decomp_size; } else { - mszh_dlen = mszh_decomp(encoded, len, c->decomp_buf); + mszh_dlen = mszh_decomp(encoded, len, c->decomp_buf, c->decomp_size); if (c->decomp_size != mszh_dlen) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %d)\n", c->decomp_size, mszh_dlen); + return -1; } encoded = c->decomp_buf; len = mszh_dlen; @@ -278,10 +289,12 @@ if (c->flags & FLAG_MULTITHREAD) { mthread_inlen = *((unsigned int*)encoded); mthread_outlen = *((unsigned int*)(encoded+4)); + if (mthread_outlen > c->decomp_size) + mthread_outlen = c->decomp_size; c->zstream.next_in = encoded + 8; c->zstream.avail_in = mthread_inlen; c->zstream.next_out = c->decomp_buf; - c->zstream.avail_out = mthread_outlen; + c->zstream.avail_out = c->decomp_size; zret = inflate(&(c->zstream), Z_FINISH); if ((zret != Z_OK) && (zret != Z_STREAM_END)) { av_log(avctx, AV_LOG_ERROR, "Mthread1 inflate error: %d\n", zret); @@ -290,6 +303,7 @@ if (mthread_outlen != (unsigned int)(c->zstream.total_out)) { av_log(avctx, AV_LOG_ERROR, "Mthread1 decoded size differs (%u != %lu)\n", mthread_outlen, c->zstream.total_out); + return -1; } zret = inflateReset(&(c->zstream)); if (zret != Z_OK) { @@ -299,15 +313,16 @@ c->zstream.next_in = encoded + 8 + mthread_inlen; c->zstream.avail_in = len - mthread_inlen; c->zstream.next_out = c->decomp_buf + mthread_outlen; - c->zstream.avail_out = mthread_outlen; + c->zstream.avail_out = c->decomp_size - mthread_outlen; zret = inflate(&(c->zstream), Z_FINISH); if ((zret != Z_OK) && (zret != Z_STREAM_END)) { av_log(avctx, AV_LOG_ERROR, "Mthread2 inflate error: %d\n", zret); return -1; } - if ((c->decomp_size - mthread_outlen) != (unsigned int)(c->zstream.total_out)) { + if (mthread_outlen != (unsigned int)(c->zstream.total_out)) { av_log(avctx, AV_LOG_ERROR, "Mthread2 decoded size differs (%d != %lu)\n", - c->decomp_size - mthread_outlen, c->zstream.total_out); + mthread_outlen, c->zstream.total_out); + return -1; } } else { c->zstream.next_in = encoded; @@ -322,6 +337,7 @@ if (c->decomp_size != (unsigned int)(c->zstream.total_out)) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", c->decomp_size, c->zstream.total_out); + return -1; } } encoded = c->decomp_buf; @@ -604,7 +620,9 @@ static int decode_init(AVCodecContext *avctx) { LclContext * const c = (LclContext *)avctx->priv_data; - int basesize = avctx->width * avctx->height; + unsigned int basesize = avctx->width * avctx->height; + unsigned int max_basesize = ((avctx->width + 3) & ~3) * ((avctx->height + 3) & ~3); + unsigned int max_decomp_size; int zret; // Zlib return code c->avctx = avctx; @@ -622,6 +640,12 @@ return 1; } + // FIXME: find a better way to prevent integer overflow + if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) { + av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height); + return 1; + } + /* Check codec type */ if (((avctx->codec_id == CODEC_ID_MSZH) && (*((char *)avctx->extradata + 7) != CODEC_MSZH)) || ((avctx->codec_id == CODEC_ID_ZLIB) && (*((char *)avctx->extradata + 7) != CODEC_ZLIB))) { @@ -632,26 +656,32 @@ switch (c->imgtype = *((char *)avctx->extradata + 4)) { case IMGTYPE_YUV111: c->decomp_size = basesize * 3; + max_decomp_size = max_basesize * 3; av_log(avctx, AV_LOG_INFO, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: c->decomp_size = basesize * 2; + max_decomp_size = max_basesize * 2; av_log(avctx, AV_LOG_INFO, "Image type is YUV 4:2:2.\n"); break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; + max_decomp_size = max_basesize * 3; av_log(avctx, AV_LOG_INFO, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: c->decomp_size = basesize / 2 * 3; + max_decomp_size = max_basesize / 2 * 3; av_log(avctx, AV_LOG_INFO, "Image type is YUV 4:1:1.\n"); break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; + max_decomp_size = max_basesize * 2; av_log(avctx, AV_LOG_INFO, "Image type is YUV 2:1:1.\n"); break; case IMGTYPE_YUV420: c->decomp_size = basesize / 2 * 3; + max_decomp_size = max_basesize / 2 * 3; av_log(avctx, AV_LOG_INFO, "Image type is YUV 4:2:0.\n"); break; default: @@ -706,9 +736,8 @@ } /* Allocate decompression buffer */ - /* 4*8 max overflow space for mszh decomp algorithm */ if (c->decomp_size) { - if ((c->decomp_buf = av_malloc(c->decomp_size+4*8)) == NULL) { + if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); return 1; } diff -r 991f39305057 -r 82af834636c2 utils.c --- a/utils.c Sun Jan 09 00:48:37 2005 +0000 +++ b/utils.c Sun Jan 09 23:39:32 2005 +0000 @@ -217,6 +217,12 @@ h_align=4; } break; + case PIX_FMT_BGR24: + if((s->codec_id == CODEC_ID_MSZH) || (s->codec_id == CODEC_ID_ZLIB)){ + w_align=4; + h_align=4; + } + break; default: w_align= 1; h_align= 1;