On Tue, Feb 21, 2017 at 12:22:06PM +0100, Paul B Mahol wrote: > ffmpeg | branch: master | Paul B Mahol <one...@gmail.com> | Tue Feb 21 > 12:17:21 2017 +0100| [f4777d1b89c65166394a459399704fc034a782d6] | committer: > Paul B Mahol > > avcodec/qdrw: add support for decoding rgb555 > > Signed-off-by: Paul B Mahol <one...@gmail.com> > > > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4777d1b89c65166394a459399704fc034a782d6 > --- > > libavcodec/qdrw.c | 65 > +++++++++++++++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 63 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c > index 65914fa..34b97dc 100644 > --- a/libavcodec/qdrw.c > +++ b/libavcodec/qdrw.c > @@ -68,6 +68,57 @@ static int parse_palette(AVCodecContext *avctx, > GetByteContext *gbc, > return 0; > } > > +static int decode_rle16(AVCodecContext *avctx, AVFrame *p, GetByteContext > *gbc) > +{ > + int offset = avctx->width * 2; > + uint8_t *outdata = p->data[0]; > + int i, j; > + > + for (i = 0; i < avctx->height; i++) { > + int size, left, code, pix; > + uint16_t *out = (uint16_t *)outdata; > + int pos = 0; > + > + /* size of packed line */ > + size = left = bytestream2_get_be16(gbc); > + if (bytestream2_get_bytes_left(gbc) < size) > + return AVERROR_INVALIDDATA; > + > + /* decode line */ > + while (left > 0) { > + code = bytestream2_get_byte(gbc); > + if (code & 0x80 ) { /* run */ > + pix = bytestream2_get_be16(gbc); > + for (j = 0; j < 257 - code; j++) { > + out[pos] = pix; > + pos++; > + if (pos >= offset) { > + pos -= offset; > + pos++; > + } > + if (pos >= offset) > + return AVERROR_INVALIDDATA; > + } > + left -= 3; > + } else { /* copy */ > + for (j = 0; j < code + 1; j++) { > + out[pos] = bytestream2_get_be16(gbc); > + pos++; > + if (pos >= offset) { > + pos -= offset; > + pos++; > + } > + if (pos >= offset) > + return AVERROR_INVALIDDATA;
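Review bot: the bounds check in decode_rle16 is ineffective in both the run and the copy branch. `offset` is `avctx->width * 2`, a byte count, but `pos` indexes `out`, a `uint16_t *`, so `pos` is only caught once it reaches twice the number of pixels in the line, and stores up to `out[2*width - 1]` land beyond the row (and past the frame buffer on the last row). The recovery `pos -= offset; pos++;` also leaves `pos == 1` (it is entered with `pos == offset`), so the following `if (pos >= offset) return AVERROR_INVALIDDATA;` can never fire for any width >= 1. Suggest checking against the line width in pixels before each store, e.g. `if (pos >= avctx->width) return AVERROR_INVALIDDATA;` placed before `out[pos] = pix;` and before `out[pos] = bytestream2_get_be16(gbc);`, and reporting the failure with av_log so that tests and fuzzing make the rejection visible.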
out[pos] can write outside the array; the check for offset does not prevent that, as it's twice as many pixels as in a line. Also, as written, the check cannot trigger, as 2 is the smallest offset.

If this printed an error message, this bug could have been spotted by the absence of such an error during testing.

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
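The bounds problem discussed in the thread, shown the way a hardened line decoder would handle it. This is an added example, not FFmpeg's code: it decodes one line in the run/copy encoding the hunk handles, takes the width in pixels, and checks before every store. The function name `decode_rle16_line` and the stderr message (a stand-in for av_log) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not FFmpeg code. Decodes one RLE16 line in the encoding the
 * decode_rle16 hunk handles: a control byte with the high bit set means a run
 * of (257 - code) copies of the following big-endian pixel, otherwise
 * (code + 1) literal big-endian pixels follow. `width` is in pixels, not
 * bytes, and every store is bounds-checked before it happens, so overlong
 * data is rejected (with a message) instead of being written past the row.
 * Returns the number of pixels written, or -1 on invalid data. */
static unsigned rd_be16(const uint8_t *p) { return (unsigned)(p[0] << 8 | p[1]); }

int decode_rle16_line(const uint8_t *in, size_t inlen, uint16_t *out, int width)
{
    size_t ip = 0;
    int pos = 0;

    while (ip < inlen) {
        int code = in[ip++], n;
        if (code & 0x80) {                   /* run */
            n = 257 - code;
            if (ip + 2 > inlen)
                return -1;                   /* truncated pixel value */
            if (n > width - pos) {           /* check BEFORE writing */
                fprintf(stderr, "rle16: run of %d pixels at %d exceeds width %d\n", n, pos, width);
                return -1;
            }
            uint16_t pix = (uint16_t)rd_be16(in + ip);
            ip += 2;
            for (int j = 0; j < n; j++)
                out[pos++] = pix;
        } else {                             /* copy */
            n = code + 1;
            if (ip + 2 * (size_t)n > inlen)
                return -1;                   /* truncated literals */
            if (n > width - pos) {           /* check BEFORE writing */
                fprintf(stderr, "rle16: copy of %d pixels at %d exceeds width %d\n", n, pos, width);
                return -1;
            }
            for (int j = 0; j < n; j++, ip += 2)
                out[pos++] = (uint16_t)rd_be16(in + ip);
        }
    }
    return pos;
}
```

A run of 6 pixels into a 4-pixel row is rejected here, whereas the hunk's check (`pos >= width * 2`, i.e. 8) would let it through.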