---
 libavcodec/qtrle.c |   40 +++++++++++++++++++++++++++++++++++-----
 1 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index 0c74798..9f529f8 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -117,7 +117,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int 
stream_ptr,
                              int row_ptr, int lines_to_change, int bpp)
 {
     int rle_code, i;
-    int pixel_ptr;
+    int pixel_ptr = -1;
     int row_inc = s->frame.linesize[0];
     unsigned char pi[16];  /* 16 palette indices */
     unsigned char *rgb = s->frame.data[0];
@@ -126,6 +126,12 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, 
int stream_ptr,
 
     while (lines_to_change--) {
         CHECK_STREAM_PTR(2);
+
+        if (pixel_ptr > row_ptr + (num_pixels * (s->buf[stream_ptr] - 1))) {
+            av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go backwards\n");
+            return;
+        }
+
         pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
 
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
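Review bot: The guard at line 25 compares the new position with the previous line's `pixel_ptr` rather than with the row it is about to write, so the one input that makes `s->buf[stream_ptr] - 1` negative — a skip byte of 0, which yields `row_ptr - num_pixels` — is rejected only while the `-1` sentinel is still in effect and `row_ptr` starts at 0, and on later lines it passes whenever the previous line finished below that address, leaving a write that lands in the row above; the copies at lines 50, 75, 100 and 125 share this. Checking the computed position itself (skip not negative, and the upper bound left to the existing bounds check on the run writes, CHECK_PIXEL_PTR if I remember this file correctly) is the condition that actually protects `rgb[]`, and it also avoids reading the skip byte twice; if `linesize[0]` can ever be negative for a flipped buffer, a monotonic `pixel_ptr` is the wrong invariant altogether, since every valid line would then be rejected. Whether a skip byte of 0 is ever legal in this format is worth confirming against the spec before rejecting it outright. Because the five copies differ only in the per-pixel factor, a macro next to `CHECK_STREAM_PTR` would keep them in step (declare `int skip;` alongside `pixel_ptr` to match the file's top-of-block declarations). qtrle_decode_2n4bpp continues outside this hunk.
```c
        CHECK_STREAM_PTR(2);
        /* the skip byte is one more than the number of pixels to skip;
         * 0 would place pixel_ptr before the start of the current row */
        skip = s->buf[stream_ptr++] - 1;
        if (skip < 0) {
            av_log(s->avctx, AV_LOG_ERROR, "invalid skip code, pixel_ptr would move before row start\n");
            return;
        }
        pixel_ptr = row_ptr + (num_pixels * skip);
        /* … unchanged: run decoding loop … */
```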
@@ -174,7 +180,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int 
stream_ptr,
 static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, 
int lines_to_change)
 {
     int rle_code;
-    int pixel_ptr;
+    int pixel_ptr = -1;
     int row_inc = s->frame.linesize[0];
     unsigned char pi1, pi2, pi3, pi4;  /* 4 palette indexes */
     unsigned char *rgb = s->frame.data[0];
@@ -182,6 +188,12 @@ static void qtrle_decode_8bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 
     while (lines_to_change--) {
         CHECK_STREAM_PTR(2);
+
+        if (pixel_ptr > row_ptr + (4 * (s->buf[stream_ptr] - 1))) {
+            av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go backwards\n");
+            return;
+        }
+
         pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
 
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
@@ -227,7 +239,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, 
int lines_to_change)
 {
     int rle_code;
-    int pixel_ptr;
+    int pixel_ptr = -1;
     int row_inc = s->frame.linesize[0];
     unsigned short rgb16;
     unsigned char *rgb = s->frame.data[0];
@@ -235,6 +247,12 @@ static void qtrle_decode_16bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 
     while (lines_to_change--) {
         CHECK_STREAM_PTR(2);
+
+        if (pixel_ptr > row_ptr + (s->buf[stream_ptr] - 1) * 2) {
+            av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go backwards\n");
+            return;
+        }
+
         pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
 
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
@@ -276,7 +294,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, 
int lines_to_change)
 {
     int rle_code;
-    int pixel_ptr;
+    int pixel_ptr = -1;
     int row_inc = s->frame.linesize[0];
     unsigned char r, g, b;
     unsigned char *rgb = s->frame.data[0];
@@ -284,6 +302,12 @@ static void qtrle_decode_24bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 
     while (lines_to_change--) {
         CHECK_STREAM_PTR(2);
+
+        if (pixel_ptr > row_ptr + (s->buf[stream_ptr] - 1) * 3) {
+            av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go backwards\n");
+            return;
+        }
+
         pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
 
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
@@ -326,7 +350,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, 
int lines_to_change)
 {
     int rle_code;
-    int pixel_ptr;
+    int pixel_ptr = -1;
     int row_inc = s->frame.linesize[0];
     unsigned int argb;
     unsigned char *rgb = s->frame.data[0];
@@ -334,6 +358,12 @@ static void qtrle_decode_32bpp(QtrleContext *s, int 
stream_ptr, int row_ptr, int
 
     while (lines_to_change--) {
         CHECK_STREAM_PTR(2);
+
+        if (pixel_ptr > row_ptr + (s->buf[stream_ptr] - 1) * 4) {
+            av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go backwards\n");
+            return;
+        }
+
         pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
 
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
-- 
1.7.5.4
