projects
/
libav.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Close gaping sechole. That is, a series of run=0 allows arbitrary data to
[libav.git]
/
libavcodec
/
faxcompr.c
diff --git
a/libavcodec/faxcompr.c
b/libavcodec/faxcompr.c
index
6277512
..
bb18abf
100644
(file)
--- a/
libavcodec/faxcompr.c
+++ b/
libavcodec/faxcompr.c
@@
-123,7
+123,7
@@
av_cold void ff_ccitt_unpack_init()
static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
- int pix_left, int *runs)
+ int pix_left, int *runs
, const int *runend
)
{
int mode = 0, run = 0;
unsigned int t;
{
int mode = 0, run = 0;
unsigned int t;
@@
-133,6
+133,10
@@
static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
if(t < 64){
pix_left -= run;
*runs++ = run;
if(t < 64){
pix_left -= run;
*runs++ = run;
+ if(runs >= runend){
+ av_log(avctx, AV_LOG_ERROR, "Run overrun\n");
+ return -1;
+ }
if(pix_left <= 0){
if(!pix_left)
break;
if(pix_left <= 0){
if(!pix_left)
break;
@@
-152,12
+156,14
@@
static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
}
static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
}
static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
- int pix_left, int *runs, const int *ref)
+ int pix_left, int *runs, const int *r
unend, const int *r
ef)
{
int mode = 0, offs = 0, run = 0, saved_run = 0, t;
int run_off = *ref++;
int *run_start = runs;
{
int mode = 0, offs = 0, run = 0, saved_run = 0, t;
int run_off = *ref++;
int *run_start = runs;
+ runend--; // for the last written 0
+
while(pix_left > 0){
int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
if(cmode == -1){
while(pix_left > 0){
int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
if(cmode == -1){
@@
-195,6
+201,10
@@
static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
break;
}
*runs++ = run + saved_run;
break;
}
*runs++ = run + saved_run;
+ if(runs >= runend){
+ av_log(avctx, AV_LOG_ERROR, "Run overrun\n");
+ return -1;
+ }
saved_run = 0;
pix_left -= run;
if(pix_left < 0){
saved_run = 0;
pix_left -= run;
if(pix_left < 0){
@@
-220,6
+230,10
@@
static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
}
offs += run;
*runs++ = run + saved_run;
}
offs += run;
*runs++ = run + saved_run;
+ if(runs >= runend){
+ av_log(avctx, AV_LOG_ERROR, "Run overrun\n");
+ return -1;
+ }
saved_run = 0;
mode = !mode;
}
saved_run = 0;
mode = !mode;
}
@@
-264,7
+278,7
@@
int ff_ccitt_unpack(AVCodecContext *avctx,
{
int j;
GetBitContext gb;
{
int j;
GetBitContext gb;
- int *runs, *ref;
+ int *runs, *ref
, *runend
;
int ret;
runs = av_malloc((avctx->width + 2) * sizeof(runs[0]));
int ret;
runs = av_malloc((avctx->width + 2) * sizeof(runs[0]));
@@
-274,8
+288,9
@@
int ff_ccitt_unpack(AVCodecContext *avctx,
ref[2] = 0;
init_get_bits(&gb, src, srcsize*8);
for(j = 0; j < height; j++){
ref[2] = 0;
init_get_bits(&gb, src, srcsize*8);
for(j = 0; j < height; j++){
+ runend = runs + avctx->width + 2;
if(compr == TIFF_G4){
if(compr == TIFF_G4){
- ret = decode_group3_2d_line(avctx, &gb, avctx->width, runs, ref);
+ ret = decode_group3_2d_line(avctx, &gb, avctx->width, runs, r
unend, r
ef);
if(ret < 0){
av_free(runs);
av_free(ref);
if(ret < 0){
av_free(runs);
av_free(ref);
@@
-285,9
+300,9
@@
int ff_ccitt_unpack(AVCodecContext *avctx,
if(find_group3_syncmarker(&gb, srcsize*8) < 0)
break;
if(compr==TIFF_CCITT_RLE || get_bits1(&gb))
if(find_group3_syncmarker(&gb, srcsize*8) < 0)
break;
if(compr==TIFF_CCITT_RLE || get_bits1(&gb))
- ret = decode_group3_1d_line(avctx, &gb, avctx->width, runs);
+ ret = decode_group3_1d_line(avctx, &gb, avctx->width, runs
, runend
);
else
else
- ret = decode_group3_2d_line(avctx, &gb, avctx->width, runs, ref);
+ ret = decode_group3_2d_line(avctx, &gb, avctx->width, runs, r
unend, r
ef);
}
if(ret < 0){
put_line(dst, stride, avctx->width, ref);
}
if(ret < 0){
put_line(dst, stride, avctx->width, ref);
projects / libav.git / blobdiff