changeset 2829:9ff4c2733422 libavcodec

tinfoil patch: be more diligent about checking array boundaries before writing to them
author melanson
date Sat, 13 Aug 2005 18:39:21 +0000
parents 2aae25679885
children 4e31ad3623cf
files vmdav.c
diffstat 1 files changed, 32 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/vmdav.c	Sat Aug 13 18:25:17 2005 +0000
+++ b/vmdav.c	Sat Aug 13 18:39:21 2005 +0000
@@ -66,16 +66,18 @@
 
     unsigned char palette[PALETTE_COUNT * 4];
     unsigned char *unpack_buffer;
+    int unpack_buffer_size;
 
 } VmdVideoContext;
 
 #define QUEUE_SIZE 0x1000
 #define QUEUE_MASK 0x0FFF
 
-static void lz_unpack(unsigned char *src, unsigned char *dest)
+static void lz_unpack(unsigned char *src, unsigned char *dest, int dest_len)
 {
     unsigned char *s;
     unsigned char *d;
+    unsigned char *d_end;
     unsigned char queue[QUEUE_SIZE];
     unsigned int qpos;
     unsigned int dataleft;
@@ -87,6 +89,7 @@
 
     s = src;
     d = dest;
+    d_end = d + dest_len;
     dataleft = LE_32(s);
     s += 4;
     memset(queue, QUEUE_SIZE, 0x20);
@@ -102,6 +105,8 @@
     while (dataleft > 0) {
         tag = *s++;
         if ((tag == 0xFF) && (dataleft > 8)) {
+            if (d + 8 > d_end)
+                return;
             for (i = 0; i < 8; i++) {
                 queue[qpos++] = *d++ = *s++;
                 qpos &= QUEUE_MASK;
@@ -112,6 +117,8 @@
                 if (dataleft == 0)
                     break;
                 if (tag & 0x01) {
+                    if (d + 1 > d_end)
+                        return;
                     queue[qpos++] = *d++ = *s++;
                     qpos &= QUEUE_MASK;
                     dataleft--;
@@ -121,6 +128,8 @@
                     chainlen = (*s++ & 0x0F) + 3;
                     if (chainlen == speclen)
                         chainlen = *s++ + 0xF + 3;
+                    if (d + chainlen > d_end)
+                        return;
                     for (j = 0; j < chainlen; j++) {
                         *d = queue[chainofs++ & QUEUE_MASK];
                         queue[qpos++] = *d++;
@@ -134,27 +143,33 @@
     }
 }
 
-static int rle_unpack(unsigned char *src, unsigned char *dest, int len)
+static int rle_unpack(unsigned char *src, unsigned char *dest, 
+    int src_len, int dest_len)
 {
     unsigned char *ps;
     unsigned char *pd;
     int i, l;
+    unsigned char *dest_end = dest + dest_len;
 
     ps = src;
     pd = dest;
-    if (len & 1)
+    if (src_len & 1)
         *pd++ = *ps++;
 
-    len >>= 1;
+    src_len >>= 1;
     i = 0;
     do {
         l = *ps++;
         if (l & 0x80) {
             l = (l & 0x7F) * 2;
+            if (pd + l > dest_end)
+                return (ps - src);
             memcpy(pd, ps, l);
             ps += l;
             pd += l;
         } else {
+            if (pd + i > dest_end)
+                return (ps - src);
             for (i = 0; i < l; i++) {
                 *pd++ = ps[0];
                 *pd++ = ps[1];
@@ -162,7 +177,7 @@
             ps += 2;
         }
         i += l;
-    } while (i < len);
+    } while (i < src_len);
 
     return (ps - src);
 }
@@ -185,6 +200,7 @@
 
     int frame_x, frame_y;
     int frame_width, frame_height;
+    int dp_size;
 
     frame_x = LE_16(&s->buf[6]);
     frame_y = LE_16(&s->buf[8]);
@@ -217,12 +233,13 @@
         pb = p;
         meth = *pb++;
         if (meth & 0x80) {
-            lz_unpack(pb, s->unpack_buffer);
+            lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size);
             meth &= 0x7F;
             pb = s->unpack_buffer;
         }
 
         dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x];
+        dp_size = s->frame.linesize[0] * s->avctx->height;
         pp = &s->prev_frame.data[0][frame_y * s->prev_frame.linesize[0] + frame_x];
         switch (meth) {
         case 1:
@@ -232,11 +249,15 @@
                     len = *pb++;
                     if (len & 0x80) {
                         len = (len & 0x7F) + 1;
+                        if (ofs + len > frame_width)
+                            return;
                         memcpy(&dp[ofs], pb, len);
                         pb += len;
                         ofs += len;
                     } else {
                         /* interframe pixel copy */
+                        if (ofs + len + 1 > frame_width)
+                            return;
                         memcpy(&dp[ofs], &pp[ofs], len + 1);
                         ofs += len + 1;
                     }
@@ -268,13 +289,15 @@
                     if (len & 0x80) {
                         len = (len & 0x7F) + 1;
                         if (*pb++ == 0xFF)
-                            len = rle_unpack(pb, &dp[ofs], len);
+                            len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
                         else
                             memcpy(&dp[ofs], pb, len);
                         pb += len;
                         ofs += len;
                     } else {
                         /* interframe pixel copy */
+                        if (ofs + len + 1 > frame_width)
+                            return;
                         memcpy(&dp[ofs], &pp[ofs], len + 1);
                         ofs += len + 1;
                     }
@@ -314,7 +337,8 @@
     }
     vmd_header = (unsigned char *)avctx->extradata;
 
-    s->unpack_buffer = av_malloc(LE_32(&vmd_header[800]));
+    s->unpack_buffer_size = LE_32(&vmd_header[800]);
+    s->unpack_buffer = av_malloc(s->unpack_buffer_size);
     if (!s->unpack_buffer)
         return -1;