[FFmpeg-cvslog] avcodec/cdtoons: Correct several end of data checks in cdtoons_render_sprite()
Michael Niedermayer
git at videolan.org
Fri Feb 21 23:19:29 EET 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Thu Feb 20 18:49:56 2020 +0100| [4c31db5a32724662ac97448fd6ae2bfa42ffd732] | committer: Michael Niedermayer
avcodec/cdtoons: Correct several end of data checks in cdtoons_render_sprite()
No testcases, found by code review when debuging issue found by oss-fuzz
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c31db5a32724662ac97448fd6ae2bfa42ffd732
---
libavcodec/cdtoons.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c
index 24a328352c..dc4fa6bf0b 100644
--- a/libavcodec/cdtoons.c
+++ b/libavcodec/cdtoons.c
@@ -82,9 +82,11 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
for (int y = 0; y < height; y++) {
/* one scanline at a time, size is provided */
data = next_line;
- if (data > end - 2)
+ if (end - data < 2)
return 1;
line_size = bytestream_get_be16(&data);
+ if (end - data < line_size)
+ return 1;
next_line = data + line_size;
if (dst_y + y < 0)
continue;
@@ -94,7 +96,7 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
to_skip = skip;
x = 0;
while (x < width - skip) {
- int raw, size;
+ int raw, size, step;
uint8_t val;
if (data >= end)
@@ -108,20 +110,22 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
if (to_skip >= size) {
to_skip -= size;
if (raw) {
- data += size;
+ step = size;
} else {
- data += 1;
+ step = 1;
}
- if (data > next_line)
+ if (next_line - data < step)
return 1;
+ data += step;
continue;
} else if (to_skip) {
size -= to_skip;
- if (raw)
+ if (raw) {
+ if (next_line - data < to_skip)
+ return 1;
data += to_skip;
+ }
to_skip = 0;
- if (data > next_line)
- return 1;
}
if (x + size >= width - skip)
@@ -129,10 +133,10 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
/* either raw data, or a run of a single color */
if (raw) {
+ if (next_line - data < size)
+ return 1;
memcpy(dest + x, data, size);
data += size;
- if (data > next_line)
- return 1;
} else {
uint8_t color = bytestream_get_byte(&data);
/* ignore transparent runs */
More information about the ffmpeg-cvslog
mailing list