[Ffmpeg-cvslog] CVS: ffmpeg/libavcodec indeo2.c,1.1,1.2
Michael Niedermayer CVS
michael
Wed Apr 20 11:52:07 CEST 2005
Update of /cvsroot/ffmpeg/ffmpeg/libavcodec
In directory mail:/var2/tmp/cvs-serv11595
Modified Files:
indeo2.c
Log Message:
buffer overflows
Index: indeo2.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/indeo2.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- indeo2.c 20 Apr 2005 09:40:04 -0000 1.1
+++ indeo2.c 20 Apr 2005 09:52:04 -0000 1.2
@@ -53,7 +53,7 @@
else if (value < 0) \
value = 0; \
-static void ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride,
+static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride,
const uint8_t *table)
{
int i;
@@ -62,11 +62,16 @@
int c;
int t;
+ if(width&1)
+ return -1;
+
/* first line contain absolute values, other lines contain deltas */
while (out < width){
c = ir2_get_code(&ctx->gb);
if(c > 0x80) { /* we have a run */
c -= 0x80;
+ if(out + c*2 > width)
+ return -1;
for (i = 0; i < c * 2; i++)
dst[out++] = 0x80;
} else { /* copy two values from table */
@@ -82,6 +87,8 @@
c = ir2_get_code(&ctx->gb);
if(c > 0x80) { /* we have a skip */
c -= 0x80;
+ if(out + c*2 > width)
+ return -1;
for (i = 0; i < c * 2; i++) {
dst[out] = dst[out - stride];
out++;
@@ -99,16 +106,20 @@
}
dst += stride;
}
+ return 0;
}
-static void ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride,
+static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_t *dst, int stride,
const uint8_t *table)
{
int j;
int out = 0;
int c;
int t;
-
+
+ if(width&1)
+ return -1;
+
for (j = 0; j < height; j++){
out = 0;
while (out < width){
@@ -129,6 +140,7 @@
}
dst += stride;
}
+ return 0;
}
static int ir2_decode_frame(AVCodecContext *avctx,
More information about the ffmpeg-cvslog
mailing list