ffmpeg | branch: master | Michael Niedermayer <mich...@niedermayer.cc> | Thu Feb 20 18:49:56 2020 +0100| [4c31db5a32724662ac97448fd6ae2bfa42ffd732] | committer: Michael Niedermayer
avcodec/cdtoons: Correct several end of data checks in cdtoons_render_sprite()
No testcases, found by code review when debuging issue found by oss-fuzz
Reviewed-by: Paul B Mahol <one...@gmail.com>
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c31db5a32724662ac97448fd6ae2bfa42ffd732
---
 libavcodec/cdtoons.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c
index 24a328352c..dc4fa6bf0b 100644
--- a/libavcodec/cdtoons.c
+++ b/libavcodec/cdtoons.c
@@ -82,9 +82,11 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
 for (int y = 0; y < height; y++) {
 /* one scanline at a time, size is provided */
 data = next_line;
- if (data > end - 2)
+ if (end - data < 2)
 return 1;
 line_size = bytestream_get_be16(&data);
+ if (end - data < line_size)
+ return 1;
 next_line = data + line_size;
 if (dst_y + y < 0)
 continue;
@@ -94,7 +96,7 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
 to_skip = skip;
 x = 0;
 while (x < width - skip) {
- int raw, size;
+ int raw, size, step;
 uint8_t val;

 if (data >= end)
@@ -108,20 +110,22 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,
 if (to_skip >= size) {
 to_skip -= size;
 if (raw) {
- data += size;
+ step = size;
 } else {
- data += 1;
+ step = 1;
 }
- if (data > next_line)
+ if (next_line - data < step)
 return 1;
+ data += step;
 continue;
 } else if (to_skip) {
 size -= to_skip;
- if (raw)
+ if (raw) {
+ if (next_line - data < to_skip)
+ return 1;
 data += to_skip;
+ }
 to_skip = 0;
- if (data > next_line)
- return 1;
 }

 if (x + size >= width - skip)
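Review bot: The two distance-form checks in the first hunk (@@ -82) deserve a one-line comment saying why they replaced the pointer comparison, because a later cleanup could easily revert to the shorter `data > end - 2`. When fewer than two bytes remain, `end - 2` forms a pointer before the start of the input object, which is undefined behaviour in C even though it is never dereferenced; `end - data` is a difference of two pointers into the same object and is always well-defined, and the same reasoning applies to the new `end - data < line_size` check. A comment such as `/* compare the remaining length, not pointers: end - 2 may lie before the buffer */` above the first check would capture that. The `for` loop over scanlines continues past the hunk.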
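Review bot: `step` is declared uninitialized at the top of the `while` body in the second hunk (@@ -94) but is only assigned and used inside the `to_skip >= size` branch of the third hunk (@@ -108), where a four-line if/else merely selects between `size` and `1`. Since the file already uses C99 mixed declarations (`for (int y = 0; …)` in the first hunk), declaring it where it is set, `int step = raw ? size : 1;`, keeps the variable initialized at its declaration, limits its scope to the branch that needs it, and removes the if/else. Whether any compiler warns about the current form is not visible here; the point is scope and readability. The `while` body continues past both hunks.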
@@ -129,10 +133,10 @@ static int cdtoons_render_sprite(AVCodecContext *avctx, const uint8_t *data,

 /* either raw data, or a run of a single color */
 if (raw) {
+ if (next_line - data < size)
+ return 1;
 memcpy(dest + x, data, size);
 data += size;
- if (data > next_line)
- return 1;
 } else {
 uint8_t color = bytestream_get_byte(&data);
 /* ignore transparent runs */
_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
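Review bot: The run branch in this hunk still reads the color byte with `bytestream_get_byte(&data)` and no distance check, while the raw branch directly above it now guards its read with `next_line - data < size`. The opcode byte that produced `raw`/`size` is read between the hunks and is outside view, but if it was the last byte of the scanline then `data` already equals `next_line` here, and the color read consumes a byte of the following line or, on the last line, of whatever follows `end`. A guard of the same shape as the raw branch, `if (next_line - data < 1) return 1;` placed before the `uint8_t color = …` line, would make the run branch consistent with the rest of this commit. The enclosing `while` loop continues past the hunk.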