[FFmpeg-devel] [PATCH] Correct MS RLE decoding
Michael Niedermayer
michaelni
Sat May 16 03:15:02 CEST 2009
On Tue, May 12, 2009 at 08:08:42AM +0300, Kostya wrote:
> Looks like M$ RLE and its friends (TSCC, AASC) code an additional line
> when height is odd.
>
> The patch attached was intended to fix an off-by-one error for the "line"
> variable, which fixes issue 1069, but during that this side effect was
> discovered and additional care is needed.
> msrledec.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
> 4745e36d382ba1e740b12e0e0c020e31615cb415 rle.patch
> Index: libavcodec/msrledec.c
> ===================================================================
> --- libavcodec/msrledec.c (revision 18797)
> +++ libavcodec/msrledec.c (working copy)
> @@ -134,19 +134,19 @@
> {
> uint8_t *output, *output_end;
> const uint8_t* src = data;
> - int p1, p2, line=avctx->height, pos=0, i;
> + int p1, p2, line=avctx->height-!(avctx->height&1), pos=0, i;
> uint16_t av_uninit(pix16);
> uint32_t av_uninit(pix32);
>
> output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
> - output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
> + output_end = pic->data[0] + (avctx->height + (avctx->height & 1)) * pic->linesize[0];
> while(src < data + srcsize) {
> p1 = *src++;
> if(p1 == 0) { //Escape code
> p2 = *src++;
> if(p2 == 0) { //End-of-line
> output = pic->data[0] + (--line) * pic->linesize[0];
> - if (line < 0){
> + if (line < 0 && src[0] && src[1] != 1){
> av_log(avctx, AV_LOG_ERROR, "Next line is beyond picture bounds\n");
> return -1;
> }
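Review bot: The relaxed check `if (line < 0 && src[0] && src[1] != 1)` no longer fires whenever the next byte `src[0]` is 0, whatever `src[1]` is, so decoding continues with `line` negative after `output` has already been set to `pic->data[0] + (--line) * pic->linesize[0]`, a row index below 0. If the intent is to tolerate only an escape pair of 0 followed by 1 directly after the last line, the error condition should be `line < 0 && (src[0] != 0 || src[1] != 1)`. The check also reads `src[0]` and `src[1]` without comparing against `data + srcsize`, so confirm that at least two bytes remain before looking ahead. Separately, for odd heights `output_end` now sits `(avctx->height + 1) * pic->linesize[0]` past `pic->data[0]`, one line beyond the `avctx->height` rows the rest of the hunk indexes; either document where that extra line is guaranteed to be allocated, or keep `output_end` at the picture end and discard the extra coded line instead of writing it.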
your code looks exploitable
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact