[FFmpeg-cvslog] avcodec/scpr: check that current row is in valid range

Paul B Mahol git at videolan.org
Thu Feb 23 19:51:10 EET 2017 

ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Thu Feb 23 18:46:24 2017 +0100| [95a5af446bd2180a6597828152a123e4a57662ba] | committer: Paul B Mahol

avcodec/scpr: check that current row is in valid range

Stops writing out of dst array.

Signed-off-by: Paul B Mahol <onemda at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95a5af446bd2180a6597828152a123e4a57662ba
---

 libavcodec/scpr.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index 73e7eed..319057c 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -333,6 +333,9 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
         switch (ptype) {
         case 0:
             while (run-- > 0) {
+                if (y >= avctx->height)
+                    return AVERROR_INVALIDDATA;
+
                 dst[y * linesize + x] = clr;
                 lx = x;
                 ly = y;
@@ -345,6 +348,9 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
             break;
         case 1:
             while (run-- > 0) {
+                if (y >= avctx->height)
+                    return AVERROR_INVALIDDATA;
+
                 dst[y * linesize + x] = dst[ly * linesize + lx];
                 lx = x;
                 ly = y;
@@ -358,6 +364,9 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
             break;
         case 2:
             while (run-- > 0) {
+                if (y < 1 || y >= avctx->height)
+                    return AVERROR_INVALIDDATA;
+
                 clr = dst[y * linesize + x + off + 1];
                 dst[y * linesize + x] = clr;
                 lx = x;
@@ -372,6 +381,10 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
         case 4:
             while (run-- > 0) {
                 uint8_t *odst = (uint8_t *)dst;
+
+                if (y < 1 || y >= avctx->height)
+                    return AVERROR_INVALIDDATA;
+
                 r = odst[(ly * linesize + lx) * 4] +
                     odst[((y * linesize + x) + off) * 4 + 4] -
                     odst[((y * linesize + x) + off) * 4];
@@ -394,6 +407,9 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
             break;
         case 5:
             while (run-- > 0) {
+                if (y < 1 || y >= avctx->height)
+                    return AVERROR_INVALIDDATA;
+
                 clr = dst[y * linesize + x + off];
                 dst[y * linesize + x] = clr;
                 lx = x;

More information about the ffmpeg-cvslog mailing list