---
 libavcodec/ulti.c |   51 +++++++++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c
index a2802f7..7611ad2 100644
--- a/libavcodec/ulti.c
+++ b/libavcodec/ulti.c
@@ -223,6 +223,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
     int i;
     int skip;
     int tmp;
+    const uint8_t *buf_end = buf + buf_size;
 
     s->frame.reference = 1;
     s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | 
FF_BUFFER_HINTS_REUSABLE;
@@ -235,11 +236,18 @@ static int ulti_decode_frame(AVCodecContext *avctx,
         int idx;
         if(blocks >= s->blocks || y >= s->height)
             break;//all blocks decoded
-
+        if (buf >= buf_end) {
+            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+            return AVERROR_INVALIDDATA;
+        }
         idx = *buf++;
         if((idx & 0xF8) == 0x70) {
             switch(idx) {
             case 0x70: //change modifier
+                if (buf >= buf_end) {
+                    av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 modifier = *buf++;
                 if(modifier>1)
                     av_log(avctx, AV_LOG_INFO, "warning: modifier must be 0 or 
1, got %i\n", modifier);
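Review bot: The same four-line bounds check is pasted before every read in this patch: here before `idx = *buf++` and `modifier = *buf++`, and again in the later hunks for the 0x74 skip byte, both chroma reads, `case 1`, and the 3-, 2-, 12- and 4-byte reads. With that much repetition a later read can easily be added without its check, or with the wrong count. A single local macro taking the byte count would keep each check next to the read it guards and leave the required length as the only thing that varies. ulti_decode_frame starts and ends outside this hunk, so the macro would be defined just above the function.

```c
#define CHECK_BUF(n)                                                \
    do {                                                            \
        if (buf_end - buf < (n)) {                                  \
            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");     \
            return AVERROR_INVALIDDATA;                             \
        }                                                           \
    } while (0)

        CHECK_BUF(1);
        idx = *buf++;
        // … unchanged: (idx & 0xF8) == 0x70 dispatch …
            case 0x70: //change modifier
                CHECK_BUF(1);
                modifier = *buf++;
```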
@@ -254,6 +262,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
                 done = 1;
                 break;
             case 0x74: //skip some blocks
+                if (buf >= buf_end) {
+                    av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 skip = *buf++;
                 if ((blocks + skip) >= s->blocks)
                     break;
@@ -280,19 +292,33 @@ static int ulti_decode_frame(AVCodecContext *avctx,
                 chroma = 0;
             } else {
                 cf = 0;
-                if (idx)
+                if (idx) {
+                    if (buf >= buf_end) {
+                        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                     chroma = *buf++;
+                }
             }
             for (i = 0; i < 4; i++) { // for every subblock
                 code = (idx >> (6 - i*2)) & 3; //extract 2 bits
                 if(!code) //skip subblock
                     continue;
-                if(cf)
+                if(cf) {
+                    if (buf >= buf_end) {
+                        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                     chroma = *buf++;
+                }
                 tx = x + block_coords[i * 2];
                 ty = y + block_coords[(i * 2) + 1];
                 switch(code) {
                 case 1:
+                    if (buf >= buf_end) {
+                        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                     tmp = *buf++;
 
                     angle = angle_by_index[(tmp >> 6) & 0x3];
@@ -311,8 +337,12 @@ static int ulti_decode_frame(AVCodecContext *avctx,
                     }
                     break;
 
-                case 2:
+                case 2:                    
                     if (modifier) { // unpack four luma samples
+                        if (buf_end - buf < 3) {
+                            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                         tmp = bytestream_get_be24(&buf);
 
                         Y[0] = (tmp >> 18) & 0x3F;
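Review bot: The `case 2:` line is touched only to append trailing whitespace; the removed and added lines differ in nothing else. Drop that part of the hunk so the line stays `case 2:` and the change is limited to the new `buf_end - buf < 3` check before `bytestream_get_be24(&buf)`. The switch body continues outside the hunk.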
@@ -321,6 +351,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
                         Y[3] = tmp & 0x3F;
                         angle = 16;
                     } else { // retrieve luma samples from codebook
+                        if (buf_end - buf < 2) {
+                            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                         tmp = bytestream_get_be16(&buf);
 
                         angle = (tmp >> 12) & 0xF;
@@ -337,6 +371,11 @@ static int ulti_decode_frame(AVCodecContext *avctx,
                     if (modifier) { // all 16 luma samples
                         uint8_t Luma[16];
 
+                        if (buf_end - buf < 12) {
+                            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                            return AVERROR_INVALIDDATA;
+                        }
+
                         tmp = bytestream_get_be24(&buf);
                         Luma[0] = (tmp >> 18) & 0x3F;
                         Luma[1] = (tmp >> 12) & 0x3F;
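Review bot: The length constants in `buf_end - buf < 12` here and `buf_end - buf < 4` in the last hunk are unexplained, and in both places the reads they guard run past the end of the hunk, so the counts cannot be checked against the code shown. Going by `uint8_t Luma[16]` and the `& 0x3F` masks, 12 is presumably sixteen 6-bit samples read as four 24-bit words; a comment such as `/* 16 luma samples x 6 bits = four be24 reads */` above the check would say so. For the 4-byte check, add `/* both arms of (tmp & 0x80) read 4 bytes in total, including tmp */` once it is confirmed that each arm really consumes three further bytes.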
@@ -363,6 +402,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
 
                         ulti_convert_yuv(&s->frame, tx, ty, Luma, chroma);
                     } else {
+                        if (buf_end - buf < 4) {
+                            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                         tmp = *buf++;
                         if(tmp & 0x80) {
                             angle = (tmp >> 4) & 0x7;
-- 
1.7.1
