[FFmpeg-devel] [PATCH] Correct MS RLE decoding

Michael Niedermayer michaelni
Sat May 16 03:15:02 CEST 2009


On Tue, May 12, 2009 at 08:08:42AM +0300, Kostya wrote:
> Looks like M$ RLE and its friends (TSCC, AASC) code an additional line
> when height is odd.
> 
> The patch attached was intended to fix the off-by-one error for the "line"
> variable, which fixes issue 1069, but during that this side effect was
> discovered and additional care is needed.

>  msrledec.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 4745e36d382ba1e740b12e0e0c020e31615cb415  rle.patch
> Index: libavcodec/msrledec.c
> ===================================================================
> --- libavcodec/msrledec.c	(revision 18797)
> +++ libavcodec/msrledec.c	(working copy)
> @@ -134,19 +134,19 @@
>  {
>      uint8_t *output, *output_end;
>      const uint8_t* src = data;
> -    int p1, p2, line=avctx->height, pos=0, i;
> +    int p1, p2, line=avctx->height-!(avctx->height&1), pos=0, i;
>      uint16_t av_uninit(pix16);
>      uint32_t av_uninit(pix32);
>  
>      output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
> -    output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
> +    output_end = pic->data[0] + (avctx->height + (avctx->height & 1)) * pic->linesize[0];
>      while(src < data + srcsize) {
>          p1 = *src++;
>          if(p1 == 0) { //Escape code
>              p2 = *src++;
>              if(p2 == 0) { //End-of-line
>                  output = pic->data[0] + (--line) * pic->linesize[0];
> -                if (line < 0){
> +                if (line < 0 && src[0] && src[1] != 1){
>                      av_log(avctx, AV_LOG_ERROR, "Next line is beyond picture bounds\n");
>                      return -1;
>                  }
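Review bot: the relaxed check `if (line < 0 && src[0] && src[1] != 1)` lets decoding continue with `line == -1`, so `output` is already pointing at `pic->data[0] - pic->linesize[0]` and every following run or absolute-mode write lands in front of the frame buffer; it also peeks `src[0]` and `src[1]` without first checking that two bytes remain before `data + srcsize`. Keep the unconditional `line < 0` rejection, and if odd-height streams really do carry one extra line, handle it by consuming that line's codes without writing them (or by stopping at the end-of-bitmap escape), not by letting the row cursor move past row 0. The `output_end` change in the same hunk has the matching problem: `(avctx->height + (avctx->height & 1)) * pic->linesize[0]` points one row past the picture for odd heights, so the write-side bound no longer guards the allocated frame either.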

your code looks exploitable


-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact
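As an added example (not FFmpeg's msrledec.c, and not code from either poster), the following is a minimal bottom-up BI_RLE8 decoder that keeps the unconditional "next line is beyond picture bounds" rejection discussed above and still tolerates the extra trailing line that Kostya reports for odd heights: once the cursor has passed row 0 on an odd-height stream, the remaining codes are parsed and source-bounds-checked but never written, and a second overrun is an error. The function names (`msrle8_decode`, `demo_*`), the error codes and the sample streams are all constructed for this illustration; only 8-bit pixels are handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical status codes for this example decoder. */
enum { RLE_OK = 0, RLE_ERR_SRC = -1, RLE_ERR_BOUNDS = -2 };

/* Decode a BI_RLE8 stream into an 8bpp picture, bottom row first.
 * Every source read is checked against `end`, every pixel write against
 * the row width, and the row cursor is never allowed below row 0 except
 * for the one extra line an odd-height encoder emits, which is parsed
 * but discarded (assumption taken from the thread, not from a spec). */
int msrle8_decode(const uint8_t *src, size_t srcsize, uint8_t *pic,
                  int width, int height, int linesize)
{
    const uint8_t *end = src + srcsize;
    int line = height - 1, pos = 0;
    int discard = 0;               /* set once the cursor passed row 0 */

    while (src < end) {
        int p1 = *src++;
        if (p1 == 0) {                       /* escape */
            if (src >= end) return RLE_ERR_SRC;
            int p2 = *src++;
            if (p2 == 0) {                   /* end of line */
                pos = 0;
                if (--line < 0) {
                    if (discard || !(height & 1)) return RLE_ERR_BOUNDS;
                    discard = 1;             /* odd height: tolerate one extra line, write nothing */
                }
            } else if (p2 == 1) {            /* end of bitmap */
                return RLE_OK;
            } else if (p2 == 2) {            /* delta: move cursor right/up */
                if (end - src < 2) return RLE_ERR_SRC;
                pos += src[0];
                line -= src[1];
                src += 2;
                if (pos > width || line < 0) return RLE_ERR_BOUNDS;
            } else {                         /* absolute mode: p2 literal pixels, word padded */
                int n = p2;
                size_t padded = ((size_t)n + 1) & ~(size_t)1;
                if ((size_t)(end - src) < padded) return RLE_ERR_SRC;
                if (pos + n > width) return RLE_ERR_BOUNDS;
                if (!discard) memcpy(pic + (size_t)line * linesize + pos, src, (size_t)n);
                pos += n;
                src += padded;
            }
        } else {                             /* encoded mode: p1 copies of next byte */
            if (src >= end) return RLE_ERR_SRC;
            int val = *src++;
            if (pos + p1 > width) return RLE_ERR_BOUNDS;
            if (!discard) memset(pic + (size_t)line * linesize + pos, val, (size_t)p1);
            pos += p1;
        }
    }
    return RLE_OK;
}

/* Constructed sample: 4x3 picture (odd height) whose encoder emitted a fourth
 * line (run of 0xCC) before the end-of-bitmap escape. */
static const uint8_t SAMPLE_ODD[] = {
    0x04, 0xAA,                         /* row 2: 4 x 0xAA      */
    0x00, 0x00,                         /* EOL                  */
    0x00, 0x03, 0x01, 0x02, 0x03, 0x00, /* row 1: abs 1,2,3 +pad*/
    0x01, 0x04,                         /* row 1: 1 x 0x04      */
    0x00, 0x00,                         /* EOL                  */
    0x04, 0xBB,                         /* row 0: 4 x 0xBB      */
    0x00, 0x00,                         /* EOL past the top     */
    0x04, 0xCC,                         /* extra line, discarded*/
    0x00, 0x01                          /* end of bitmap        */
};
static uint8_t demo_frame[3 * 4];

int demo_decode_odd(void)
{
    memset(demo_frame, 0, sizeof demo_frame);
    return msrle8_decode(SAMPLE_ODD, sizeof SAMPLE_ODD, demo_frame, 4, 3, 4);
}
int demo_pixel(int row, int col) { return demo_frame[row * 4 + col]; }

/* Same idea with an even height: an EOL past row 0 must be rejected. */
int demo_decode_even_rejects(void)
{
    static const uint8_t s[] = { 0x04, 0xAA, 0x00, 0x00, 0x04, 0xBB, 0x00, 0x00 };
    uint8_t frame[2 * 4] = { 0 };
    return msrle8_decode(s, sizeof s, frame, 4, 2, 4);
}

/* 4x1 picture placed between two guard rows of 0x5A; the stream tries to push
 * two lines past the top. Returns 1 if neither guard row was touched. */
int demo_guard_intact(void)
{
    static const uint8_t s[] = { 0x04, 0xAA, 0x00, 0x00, 0x04, 0xCC, 0x00, 0x00, 0x04, 0xDD };
    uint8_t buf[3 * 4];
    memset(buf, 0x5A, sizeof buf);
    (void)msrle8_decode(s, sizeof s, buf + 4, 4, 1, 4);
    for (int i = 0; i < 4; i++)
        if (buf[i] != 0x5A || buf[8 + i] != 0x5A) return 0;
    return 1;
}

int main(void)
{
    printf("odd=%d even=%d guard=%d\n",
           demo_decode_odd(), demo_decode_even_rejects(), demo_guard_intact());
    return 0;
}
```

The point of the `discard` flag is that the extra line is a property of the source stream, so it is handled on the parsing side; the destination bound stays the real picture height, which is the invariant the quoted `output_end` change gives up.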