---
libavcodec/qtrle.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 61 insertions(+), 1 deletions(-)
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index 0c74798..f1f0346 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -66,7 +66,7 @@ typedef struct QtrleContext {
static void qtrle_decode_1bpp(QtrleContext *s, int stream_ptr, int row_ptr,
int lines_to_change)
{
int rle_code;
- int pixel_ptr = 0;
+ int pixel_ptr;
int row_inc = s->frame.linesize[0];
unsigned char pi0, pi1; /* 2 8-pixel values */
unsigned char *rgb = s->frame.data[0];
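Review bot: Dropping the initializer on `pixel_ptr` is not explained by the rest of the patch, which only adds zero checks, and it leaves the variable indeterminate until its first assignment. The body of qtrle_decode_1bpp continues outside this hunk, so it cannot be confirmed from here that every path assigns `pixel_ptr` before reading it. If any branch accumulates into it first (a `pixel_ptr += ...` driven by a stream byte), that read is undefined behaviour on input taken from the file being decoded. Unless every path is shown to assign first, keep `int pixel_ptr = 0;`.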
@@ -126,12 +126,24 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s,
int stream_ptr,
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be zero\n");
+ return;
+ }
+
pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be
zero\n");
+ return;
+ }
+
pixel_ptr += (num_pixels * (s->buf[stream_ptr++] - 1));
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
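Review bot: The new zero test before `pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));` rejects a single byte value, but no range check on the resulting `pixel_ptr` is visible at this first site, whereas the in-loop skip update is already followed by `CHECK_PIXEL_PTR(0);`. Adding `CHECK_PIXEL_PTR(0);` right after the first assignment would bound the offset the same way at both sites, unless later checks outside the hunk already cover it. If zero is to stay an explicit error, the message should name the field, e.g. `"invalid skip code 0\n"`, because "buffer value cannot be zero" does not tell the person reading the log which byte was rejected. The same pair of checks is repeated in the 8, 16, 24 and 32 bpp hunks, so one helper macro next to CHECK_STREAM_PTR would keep the ten copies from drifting apart. The function body starts and ends outside the hunk.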
@@ -182,12 +194,24 @@ static void qtrle_decode_8bpp(QtrleContext *s, int
stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be zero\n");
+ return;
+ }
+
pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be
zero\n");
+ return;
+ }
+
pixel_ptr += (4 * (s->buf[stream_ptr++] - 1));
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
@@ -235,12 +259,24 @@ static void qtrle_decode_16bpp(QtrleContext *s, int
stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be zero\n");
+ return;
+ }
+
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be
zero\n");
+ return;
+ }
+
pixel_ptr += (s->buf[stream_ptr++] - 1) * 2;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
@@ -284,12 +320,24 @@ static void qtrle_decode_24bpp(QtrleContext *s, int
stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be zero\n");
+ return;
+ }
+
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be
zero\n");
+ return;
+ }
+
pixel_ptr += (s->buf[stream_ptr++] - 1) * 3;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
@@ -334,12 +382,24 @@ static void qtrle_decode_32bpp(QtrleContext *s, int
stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be zero\n");
+ return;
+ }
+
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
+
+ if (s->buf[stream_ptr] == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "buffer value cannot be
zero\n");
+ return;
+ }
+
pixel_ptr += (s->buf[stream_ptr++] - 1) * 4;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
--
1.7.5.4