On Tue, Dec 13, 2011 at 08:07:39PM +0530, Gaurav Narula wrote:
> ---
>  libavcodec/ulti.c |   51 +++++++++++++++++++++++++++++++++++++++++++++++----
>  1 files changed, 47 insertions(+), 4 deletions(-)
> 
> diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c
> index a2802f7..7611ad2 100644
> --- a/libavcodec/ulti.c
> +++ b/libavcodec/ulti.c
> @@ -223,6 +223,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
>      int i;
>      int skip;
>      int tmp;
> +    const uint8_t *buf_end = buf + buf_size;
>  
>      s->frame.reference = 1;
>      s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE 
> | FF_BUFFER_HINTS_REUSABLE;
> @@ -235,11 +236,18 @@ static int ulti_decode_frame(AVCodecContext *avctx,
>          int idx;
>          if(blocks >= s->blocks || y >= s->height)
>              break;//all blocks decoded
> -

there was no need to drop this empty line

> +        if (buf >= buf_end) {
> +            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> +            return AVERROR_INVALIDDATA;
> +        }
>          idx = *buf++;
>          if((idx & 0xF8) == 0x70) {
>              switch(idx) {
>              case 0x70: //change modifier
> +                if (buf >= buf_end) {
> +                    av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> +                    return AVERROR_INVALIDDATA;
> +                }
>                  modifier = *buf++;
>                  if(modifier>1)
>                      av_log(avctx, AV_LOG_INFO, "warning: modifier must be 0 
> or 1, got %i\n", modifier);
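Review bot: The four-line `buf >= buf_end` guard added before `idx = *buf++` and again before `modifier = *buf++` is pasted verbatim at every read site in this patch (also in the hunks at -254 and -280), which makes it easy for a later read to be added without one. Each site could shrink to `if (buf >= buf_end) goto err_eof;`, with a single `err_eof:` label at the end of ulti_decode_frame that does the `av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");` and `return AVERROR_INVALIDDATA;`. The end of the function is outside this hunk, so the label placement needs checking against the existing exit path.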
> @@ -254,6 +262,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
>                  done = 1;
>                  break;
>              case 0x74: //skip some blocks
> +                if (buf >= buf_end) {
> +                    av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> +                    return AVERROR_INVALIDDATA;
> +                }
>                  skip = *buf++;
>                  if ((blocks + skip) >= s->blocks)
>                      break;
> @@ -280,19 +292,33 @@ static int ulti_decode_frame(AVCodecContext *avctx,
>                  chroma = 0;
>              } else {
>                  cf = 0;
> -                if (idx)
> +                if (idx) {
> +                    if (buf >= buf_end) {
> +                        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> +                        return AVERROR_INVALIDDATA;
> +                    }
>                      chroma = *buf++;
> +                }
>              }
>              for (i = 0; i < 4; i++) { // for every subblock
>                  code = (idx >> (6 - i*2)) & 3; //extract 2 bits
>                  if(!code) //skip subblock
>                      continue;
> -                if(cf)
> +                if(cf) {
> +                    if (buf >= buf_end) {
> +                        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> +                        return AVERROR_INVALIDDATA;
> +                    }
>                      chroma = *buf++;
> +                }
>                  tx = x + block_coords[i * 2];
>                  ty = y + block_coords[(i * 2) + 1];
>                  switch(code) {
>                  case 1:
> +                    if (buf >= buf_end) {
> +                        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> +                        return AVERROR_INVALIDDATA;
> +                    }
>                      tmp = *buf++;
>  
>                      angle = angle_by_index[(tmp >> 6) & 0x3];
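Review bot: The guard before `tmp = *buf++` in `case 1` only proves that a single byte is left, and the same form is used for both `chroma = *buf++` reads in this hunk. If the rest of this switch, which lies outside the hunk, consumes more than one byte for a code, those sites need a remaining-length test such as `if (buf_end - buf < n)`, with n the number of bytes read, because `buf >= buf_end` would still let a multi-byte read run past the packet. A short comment at the `buf_end` declaration, e.g. `/* one past the last readable byte of the packet */`, would make the invariant explicit for whoever adds the next read.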
> @@ -311,8 +337,12 @@ static int ulti_decode_frame(AVCodecContext *avctx,
>                      }
>                      break;
>  
> -                case 2:
> +                case 2:                    

trailing whitespace

otherwise LGTM