Skip to content
Snippets Groups Projects
Commit 8aba7968 authored by Anton Khirnov's avatar Anton Khirnov
Browse files

vcr1: add sanity checks 

Fixes invalid reads with corrupted files.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 21ffd410
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 21 additions and 0 deletions
libavcodec/vcr1.c
+ 21
0
View file @ 8aba7968
...@@ -37,6 +37,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx) ...@@ -37,6 +37,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx)
{ {
avctx->pix_fmt = AV_PIX_FMT_YUV410P; avctx->pix_fmt = AV_PIX_FMT_YUV410P;
if (avctx->width & 7) {
av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width);
return AVERROR_INVALIDDATA;
}
return 0; return 0;
} }
...@@ -57,9 +62,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, ...@@ -57,9 +62,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
p->pict_type = AV_PICTURE_TYPE_I; p->pict_type = AV_PICTURE_TYPE_I;
p->key_frame = 1; p->key_frame = 1;
if (buf_size < 32)
goto packet_small;
for (i = 0; i < 16; i++) { for (i = 0; i < 16; i++) {
a->delta[i] = *bytestream++; a->delta[i] = *bytestream++;
bytestream++; bytestream++;
buf_size--;
} }
for (y = 0; y < avctx->height; y++) { for (y = 0; y < avctx->height; y++) {
...@@ -70,8 +79,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, ...@@ -70,8 +79,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
uint8_t *cb = &p->data[1][(y >> 2) * p->linesize[1]]; uint8_t *cb = &p->data[1][(y >> 2) * p->linesize[1]];
uint8_t *cr = &p->data[2][(y >> 2) * p->linesize[2]]; uint8_t *cr = &p->data[2][(y >> 2) * p->linesize[2]];
if (buf_size < 4 + avctx->width)
goto packet_small;
for (i = 0; i < 4; i++) for (i = 0; i < 4; i++)
a->offset[i] = *bytestream++; a->offset[i] = *bytestream++;
buf_size -= 4;
offset = a->offset[0] - a->delta[bytestream[2] & 0xF]; offset = a->offset[0] - a->delta[bytestream[2] & 0xF];
for (x = 0; x < avctx->width; x += 4) { for (x = 0; x < avctx->width; x += 4) {
...@@ -85,8 +98,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, ...@@ -85,8 +98,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
*cr++ = bytestream[1]; *cr++ = bytestream[1];
bytestream += 4; bytestream += 4;
buf_size -= 4;
} }
} else { } else {
if (buf_size < avctx->width / 2)
goto packet_small;
offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF]; offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF];
for (x = 0; x < avctx->width; x += 8) { for (x = 0; x < avctx->width; x += 8) {
...@@ -100,6 +117,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, ...@@ -100,6 +117,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
luma[7] = offset += a->delta[bytestream[1] >> 4]; luma[7] = offset += a->delta[bytestream[1] >> 4];
luma += 8; luma += 8;
bytestream += 4; bytestream += 4;
buf_size -= 4;
} }
} }
} }
...@@ -107,6 +125,9 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, ...@@ -107,6 +125,9 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
*got_frame = 1; *got_frame = 1;
return buf_size; return buf_size;
packet_small:
av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n");
return AVERROR_INVALIDDATA;
} }
AVCodec ff_vcr1_decoder = { AVCodec ff_vcr1_decoder = {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment