On 12/13/2011 09:37 AM, Gaurav Narula wrote:
> ---
> libavcodec/ulti.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
> 1 files changed, 47 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c
> index a2802f7..7611ad2 100644
> --- a/libavcodec/ulti.c
> +++ b/libavcodec/ulti.c
> @@ -223,6 +223,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> int i;
> int skip;
> int tmp;
> + const uint8_t *buf_end = buf + buf_size;
>
> s->frame.reference = 1;
> s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE
> | FF_BUFFER_HINTS_REUSABLE;
> @@ -235,11 +236,18 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> int idx;
> if(blocks >= s->blocks || y >= s->height)
> break;//all blocks decoded
> -
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> + return AVERROR_INVALIDDATA;
> + }
> idx = *buf++;
> if((idx & 0xF8) == 0x70) {
> switch(idx) {
> case 0x70: //change modifier
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> + return AVERROR_INVALIDDATA;
> + }
> modifier = *buf++;
> if(modifier>1)
> av_log(avctx, AV_LOG_INFO, "warning: modifier must be 0
> or 1, got %i\n", modifier);
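Review bot: The same `"Insufficient data\n"` message is logged at both new checks in this hunk (before `idx = *buf++` and in `case 0x70`) and at every check in the later hunks, so a log line from a truncated or malformed packet does not say which read ran out of input. Including the position would make triage of fuzzer findings and field reports easier, for example `av_log(avctx, AV_LOG_ERROR, "Insufficient data at block %d\n", blocks);` (this assumes `blocks` is an int; its declaration is outside the hunk). The enclosing loop of ulti_decode_frame starts and ends outside this hunk.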
> @@ -254,6 +262,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> done = 1;
> break;
> case 0x74: //skip some blocks
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> + return AVERROR_INVALIDDATA;
> + }
> skip = *buf++;
> if ((blocks + skip) >= s->blocks)
> break;
> @@ -280,19 +292,33 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> chroma = 0;
> } else {
> cf = 0;
> - if (idx)
> + if (idx) {
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> + return AVERROR_INVALIDDATA;
> + }
> chroma = *buf++;
> + }
> }
> for (i = 0; i < 4; i++) { // for every subblock
> code = (idx >> (6 - i*2)) & 3; //extract 2 bits
> if(!code) //skip subblock
> continue;
> - if(cf)
> + if(cf) {
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> + return AVERROR_INVALIDDATA;
> + }
> chroma = *buf++;
> + }
> tx = x + block_coords[i * 2];
> ty = y + block_coords[(i * 2) + 1];
> switch(code) {
> case 1:
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
> + return AVERROR_INVALIDDATA;
> + }
> tmp = *buf++;
>
> angle = angle_by_index[(tmp >> 6) & 0x3];
> @@ -311,8 +337,12 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> }
> break;
>
> - case 2:
> + case 2:
> if (modifier) { // unpack four luma samples
> + if (buf_end - buf < 3) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient
> data\n");
> + return AVERROR_INVALIDDATA;
> + }
> tmp = bytestream_get_be24(&buf);
>
> Y[0] = (tmp >> 18) & 0x3F;
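Review bot: The `case 2:` line is removed and re-added with no visible difference, which looks like a whitespace-only change riding along with the bounds checks. It would be cleaner to drop it from this patch or send it separately, so the fix stays minimal and easy to backport. The new guard `buf_end - buf < 3` does match the 3-byte `bytestream_get_be24` read directly below it; the switch body continues outside the hunk.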
> @@ -321,6 +351,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> Y[3] = tmp & 0x3F;
> angle = 16;
> } else { // retrieve luma samples from codebook
> + if (buf_end - buf < 2) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient
> data\n");
> + return AVERROR_INVALIDDATA;
> + }
> tmp = bytestream_get_be16(&buf);
>
> angle = (tmp >> 12) & 0xF;
> @@ -337,6 +371,11 @@ static int ulti_decode_frame(AVCodecContext *avctx,
> if (modifier) { // all 16 luma samples
> uint8_t Luma[16];
>
> + if (buf_end - buf < 12) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient
> data\n");
> + return AVERROR_INVALIDDATA;
> + }
> +
> tmp = bytestream_get_be24(&buf);
> Luma[0] = (tmp >> 18) & 0x3F;
> Luma[1] = (tmp >> 12) & 0x3F;
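Review bot: The constant 12 in `if (buf_end - buf < 12)` is not explained at the check, and the reads it covers run past the end of this hunk, so a later edit to those reads could silently invalidate the guard. A comment such as `/* 16 luma samples x 6 bits = 12 bytes, read as four be24 words */` would tie the number to the reads; the four-word split is inferred from the visible first `bytestream_get_be24` and the 0x3F masks, so confirm it against the full block. The same applies to `buf_end - buf < 4` in the next hunk, where only the first `*buf++` is visible and both branches of `tmp & 0x80` should be checked to consume at most three further bytes.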
> @@ -363,6 +402,10 @@ static int ulti_decode_frame(AVCodecContext *avctx,
>
> ulti_convert_yuv(&s->frame, tx, ty, Luma, chroma);
> } else {
> + if (buf_end - buf < 4) {
> + av_log(avctx, AV_LOG_ERROR, "Insufficient
> data\n");
> + return AVERROR_INVALIDDATA;
> + }
> tmp = *buf++;
> if(tmp & 0x80) {
> angle = (tmp >> 4) & 0x7;
Using a macro for all these would be nice.
-Justin