[FFmpeg-cvslog] vmdav: Try to fix unpack_rle()
Michael Niedermayer
git at videolan.org
Thu May 2 00:31:58 CEST 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed May 1 23:46:38 2013 +0200| [c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb] | committer: Michael Niedermayer
vmdav: Try to fix unpack_rle()
This fixes out of array accesses
The code prior to this commit could not have worked, thus obviously
was untested. I was also not able to find a valid sample that uses this
code.
This fix is thus only based on the description of the format
If someone has a sample that uses unpack_rle(), please mail me.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb
---
libavcodec/vmdav.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 867d8c76..0e21aa6 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -151,7 +151,7 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
int src_count, int src_size, int dest_len)
{
unsigned char *pd;
- int i, l;
+ int i, j, l;
unsigned char *dest_end = dest + dest_len;
GetByteContext gb;
@@ -176,13 +176,15 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
bytestream2_get_bufferu(&gb, pd, l);
pd += l;
} else {
- if (dest_end - pd < i || bytestream2_get_bytes_left(&gb) < 2)
+ int ps[2];
+ if (dest_end - pd < 2*l || bytestream2_get_bytes_left(&gb) < 2)
return bytestream2_tell(&gb);
- for (i = 0; i < l; i++) {
- *pd++ = bytestream2_get_byteu(&gb);
- *pd++ = bytestream2_get_byteu(&gb);
+ ps[0] = bytestream2_get_byteu(&gb);
+ ps[1] = bytestream2_get_byteu(&gb);
+ for (j = 0; j < l; j++) {
+ *pd++ = ps[0];
+ *pd++ = ps[1];
}
- bytestream2_skip(&gb, 2);
}
i += l;
} while (i < src_count);
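Review bot: `i += l` at the end of the loop still advances the counter by `l` for both branches, yet the run branch now writes `2*l` bytes (`*pd++ = ps[0]; *pd++ = ps[1];` repeated `l` times) while the literal branch above advances `pd` by only `l`. If `src_count` is meant to count output bytes, the run branch should add `2*l` to `i`, otherwise the `while (i < src_count)` condition lets the loop run longer than intended. The `dest_end - pd < 2*l` check keeps the writes inside `dest` either way, but the termination condition deserves a comment stating which unit `src_count` uses. The new bound also assumes `l` is small and non-negative, which is decided outside this hunk; a short comment or an explicit range check next to the `2*l` test would make that visible. Smaller point: `ps` holds two byte values and could be `unsigned char ps[2]` to match `pd`.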