sön 2019-11-24 klockan 11:12 +0100 skrev Paul B Mahol:
> +static ptrdiff_t lzss_uncompress(MidiVidContext *s, GetByteContext *gb,
> uint8_t *dst, int size)
> +{
> + uint8_t *dst_start = dst;
> + uint8_t *dst_end = dst + size;
> +
> + for (;bytestream2_get_bytes_left(gb) > 0;) {
bytestream2_get_bytes_left(gb) >= 3 perhaps?
> + int op = bytestream2_get_le16(gb);
> +
> + for (int i = 0; i < 16; i++) {
> + if (op & 1) {
> + int s0 = bytestream2_get_byte(gb);
> + int s1 = bytestream2_get_byte(gb);
> + int offset = ((s0 & 0xF0) << 4) | s1;
> + int length = (s0 & 0xF) + 3;
> +
> + if (dst + length >= dst_end ||
Seems to be dst + length > dst_end should be enough
> + dst - offset < dst_start)
> + return AVERROR_INVALIDDATA;
> + for (int j = 0; j < length; j++) {
> + dst[j] = dst[j - offset];
This is UB if offset == 0
> + }
> + dst += length;
> + } else {
> + if (dst >= dst_end)
> + return AVERROR_INVALIDDATA;
> + *dst++ = bytestream2_get_byte(gb);
> + }
> + op >>= 1;
> + }
> + }
> +
> + return dst - dst_start;
> +}
> +
> +static int decode_frame(AVCodecContext *avctx, void *data,
> + int *got_frame, AVPacket *avpkt)
> +{
> + MidiVidContext *s = avctx->priv_data;
> + GetByteContext *gb = &s->gb;
> + AVFrame *frame = s->frame;
> + int ret, key, uncompressed;
> +
> + if (avpkt->size <= 13)
> + return AVERROR_INVALIDDATA;
> +
> + bytestream2_init(gb, avpkt->data, avpkt->size);
> + bytestream2_skip(gb, 8);
> + uncompressed = bytestream2_get_le32(gb);
> +
> + if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0)
> + return ret;
> +
> + if (uncompressed) {
> + ret = decode_mvdv(s, avctx, frame);
> + } else {
> + av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL
> * (avpkt->size - 12));
Can avpkt->size be > LLONG_MAX/16+12 here?
/Tomas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
