From: "Ronald S. Bultje" <rsbul...@gmail.com>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
 libavcodec/smc.c |   26 +++++++++++++++++++++++++-
 1 files changed, 25 insertions(+), 1 deletions(-)

diff --git a/libavcodec/smc.c b/libavcodec/smc.c
index f4a0b6a..09f3b54 100644
--- a/libavcodec/smc.c
+++ b/libavcodec/smc.c
@@ -270,6 +270,12 @@ static void smc_decode_stream(SmcContext *s)
             } else
                 color_table_index = CPAIR * s->buf[stream_ptr++];
 
+            if (chunk_size - stream_ptr < n_blocks * 2) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "Not enough data to read 2-color blocks (stream ptr = 
%d, chunk size = %d, n_blocks = %d)\n",
+                       stream_ptr, chunk_size, n_blocks);
+                return;
+            }
             while (n_blocks--) {
                 color_flags = AV_RB16(&s->buf[stream_ptr]);
                 stream_ptr += 2;
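Review bot: The one-byte read `s->buf[stream_ptr++]` in the context line directly above the new check is not covered by it, because the check accounts only for the `n_blocks * 2` flag bytes that follow; the 4-color and 8-color hunks have the same ordering. Unless an earlier test guarantees that a byte remains (none is visible in this hunk), the table index can be fetched at or past `chunk_size` on a truncated chunk. I would bound that read too, for example with `if (stream_ptr >= chunk_size) return;` ahead of the index fetch (the unbraced `else` would then need braces), or run the length test first with one extra byte included. The comparison also depends on `chunk_size` and `stream_ptr` being signed, so that a negative remainder compares as smaller; their declarations lie outside the hunk and should be confirmed. smc_decode_stream begins and ends outside this hunk.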
@@ -313,6 +319,12 @@ static void smc_decode_stream(SmcContext *s)
             } else
                 color_table_index = CQUAD * s->buf[stream_ptr++];
 
+            if (chunk_size - stream_ptr < n_blocks * 4) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                        "Not enough data to read 4-color blocks (stream ptr = 
%d, chunk size = %d, n_blocks = %d)\n",
+                        stream_ptr, chunk_size, n_blocks);
+                return;
+            }
             while (n_blocks--) {
                 color_flags = AV_RB32(&s->buf[stream_ptr]);
                 stream_ptr += 4;
@@ -355,6 +367,12 @@ static void smc_decode_stream(SmcContext *s)
             } else
                 color_table_index = COCTET * s->buf[stream_ptr++];
 
+            if (chunk_size - stream_ptr < n_blocks * 6) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                        "Not enough data to read 8-color blocks (stream ptr = 
%d, chunk size = %d, n_blocks = %d)\n",
+                        stream_ptr, chunk_size, n_blocks);
+                return;
+            }
             while (n_blocks--) {
                 /*
                   For this input of 6 hex bytes:
@@ -399,6 +417,12 @@ static void smc_decode_stream(SmcContext *s)
         case 0xE0:
             n_blocks = (opcode & 0x0F) + 1;
 
+            if (chunk_size - stream_ptr < 16 * n_blocks) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                        "Not enough data to read 16-color blocks (stream ptr = 
%d, chunk size = %d, n_blocks = %d)\n",
+                        stream_ptr, chunk_size, n_blocks);
+                return;
+            }
             while (n_blocks--) {
                 block_ptr = row_ptr + pixel_ptr;
                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
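Review bot: The error path added here ends in a bare `return;`, and the hunk header shows smc_decode_stream is `static void`, so a truncated chunk is reported only through the log and the caller gets no failure indication; the three earlier checks in this patch behave the same way. Presumably the caller then hands back the partly written frame as a successful decode, but that code is not on this page and should be confirmed. Consider making the function return `int` and using `return AVERROR_INVALIDDATA;` on these paths so the caller can propagate the error. The enclosing function extends beyond the hunk.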
@@ -412,7 +436,7 @@ static void smc_decode_stream(SmcContext *s)
             break;
 
         case 0xF0:
-            av_log(s->avctx, AV_LOG_INFO, "0xF0 opcode seen in SMC chunk 
(contact the developers)\n");
+            av_log_missing_feature(s->avctx, "0xF0 opcode", 1);
             break;
         }
     }
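Review bot: After `av_log_missing_feature(s->avctx, "0xF0 opcode", 1);` the case still ends in `break;`, so the enclosing loop carries on parsing the bytes that follow an opcode whose payload length the decoder does not know. Every later byte is then interpreted from an unknown offset, and the rest of the frame is likely to be garbage even where the new length checks keep the reads in bounds. Stopping decoding at this point, with `return;` in place of `break;`, would be more predictable. The loop head is outside the hunk, so this assumes the second closing brace ends the opcode loop.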
-- 
1.7.7.4
