Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
云duo
FFmpeg
提交
351423ae
F
FFmpeg
项目概览
云duo
/
FFmpeg
与 Fork 源项目一致
从无法访问的项目Fork
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
F
FFmpeg
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
351423ae
编写于
2月 18, 2011
作者:
J
Jean-Daniel Dupas
提交者:
Mans Rullgard
2月 18, 2011
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
targa: fix potential buffer overreads
Signed-off-by:
N
Mans Rullgard
<
mans@mansr.com
>
上级
ed040f35
变更
1
显示空白变更内容
内联
并排
Showing
1 changed file
with
34 addition
and
10 deletion
+34
-10
libavcodec/targa.c
libavcodec/targa.c
+34
-10
未找到文件。
libavcodec/targa.c
浏览文件 @
351423ae
...
@@ -33,22 +33,35 @@ typedef struct TargaContext {
...
@@ -33,22 +33,35 @@ typedef struct TargaContext {
int
compression_type
;
int
compression_type
;
}
TargaContext
;
}
TargaContext
;
static
void
targa_decode_rle
(
AVCodecContext
*
avctx
,
TargaContext
*
s
,
const
uint8_t
*
src
,
uint8_t
*
dst
,
int
w
,
int
h
,
int
stride
,
int
bpp
)
#define CHECK_BUFFER_SIZE(buf, buf_end, needed, where) \
if(buf + needed > buf_end){ \
av_log(avctx, AV_LOG_ERROR, "Problem: unexpected end of data while reading " where "\n"); \
return -1; \
} \
static
int
targa_decode_rle
(
AVCodecContext
*
avctx
,
TargaContext
*
s
,
const
uint8_t
*
src
,
int
src_size
,
uint8_t
*
dst
,
int
w
,
int
h
,
int
stride
,
int
bpp
)
{
{
int
i
,
x
,
y
;
int
i
,
x
,
y
;
int
depth
=
(
bpp
+
1
)
>>
3
;
int
depth
=
(
bpp
+
1
)
>>
3
;
int
type
,
count
;
int
type
,
count
;
int
diff
;
int
diff
;
const
uint8_t
*
src_end
=
src
+
src_size
;
diff
=
stride
-
w
*
depth
;
diff
=
stride
-
w
*
depth
;
x
=
y
=
0
;
x
=
y
=
0
;
while
(
y
<
h
){
while
(
y
<
h
){
CHECK_BUFFER_SIZE
(
src
,
src_end
,
1
,
"image type"
);
type
=
*
src
++
;
type
=
*
src
++
;
count
=
(
type
&
0x7F
)
+
1
;
count
=
(
type
&
0x7F
)
+
1
;
type
&=
0x80
;
type
&=
0x80
;
if
((
x
+
count
>
w
)
&&
(
x
+
count
+
1
>
(
h
-
y
)
*
w
)){
if
((
x
+
count
>
w
)
&&
(
x
+
count
+
1
>
(
h
-
y
)
*
w
)){
av_log
(
avctx
,
AV_LOG_ERROR
,
"Packet went out of bounds: position (%i,%i) size %i
\n
"
,
x
,
y
,
count
);
av_log
(
avctx
,
AV_LOG_ERROR
,
"Packet went out of bounds: position (%i,%i) size %i
\n
"
,
x
,
y
,
count
);
return
;
return
-
1
;
}
if
(
type
){
CHECK_BUFFER_SIZE
(
src
,
src_end
,
depth
,
"image data"
);
}
else
{
CHECK_BUFFER_SIZE
(
src
,
src_end
,
count
*
depth
,
"image data"
);
}
}
for
(
i
=
0
;
i
<
count
;
i
++
){
for
(
i
=
0
;
i
<
count
;
i
++
){
switch
(
depth
){
switch
(
depth
){
...
@@ -81,6 +94,7 @@ static void targa_decode_rle(AVCodecContext *avctx, TargaContext *s, const uint8
...
@@ -81,6 +94,7 @@ static void targa_decode_rle(AVCodecContext *avctx, TargaContext *s, const uint8
if
(
type
)
if
(
type
)
src
+=
depth
;
src
+=
depth
;
}
}
return
src_size
;
}
}
static
int
decode_frame
(
AVCodecContext
*
avctx
,
static
int
decode_frame
(
AVCodecContext
*
avctx
,
...
@@ -88,7 +102,7 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -88,7 +102,7 @@ static int decode_frame(AVCodecContext *avctx,
AVPacket
*
avpkt
)
AVPacket
*
avpkt
)
{
{
const
uint8_t
*
buf
=
avpkt
->
data
;
const
uint8_t
*
buf
=
avpkt
->
data
;
int
buf_size
=
avpkt
->
size
;
const
uint8_t
*
buf_end
=
avpkt
->
data
+
avpkt
->
size
;
TargaContext
*
const
s
=
avctx
->
priv_data
;
TargaContext
*
const
s
=
avctx
->
priv_data
;
AVFrame
*
picture
=
data
;
AVFrame
*
picture
=
data
;
AVFrame
*
const
p
=
(
AVFrame
*
)
&
s
->
picture
;
AVFrame
*
const
p
=
(
AVFrame
*
)
&
s
->
picture
;
...
@@ -98,6 +112,7 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -98,6 +112,7 @@ static int decode_frame(AVCodecContext *avctx,
int
first_clr
,
colors
,
csize
;
int
first_clr
,
colors
,
csize
;
/* parse image header */
/* parse image header */
CHECK_BUFFER_SIZE
(
buf
,
buf_end
,
18
,
"header"
);
idlen
=
*
buf
++
;
idlen
=
*
buf
++
;
pal
=
*
buf
++
;
pal
=
*
buf
++
;
compr
=
*
buf
++
;
compr
=
*
buf
++
;
...
@@ -111,6 +126,7 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -111,6 +126,7 @@ static int decode_frame(AVCodecContext *avctx,
bpp
=
*
buf
++
;
bpp
=
*
buf
++
;
flags
=
*
buf
++
;
flags
=
*
buf
++
;
//skip identifier if any
//skip identifier if any
CHECK_BUFFER_SIZE
(
buf
,
buf_end
,
idlen
,
"identifiers"
);
buf
+=
idlen
;
buf
+=
idlen
;
s
->
bpp
=
bpp
;
s
->
bpp
=
bpp
;
s
->
width
=
w
;
s
->
width
=
w
;
...
@@ -163,6 +179,7 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -163,6 +179,7 @@ static int decode_frame(AVCodecContext *avctx,
}
}
}
}
if
(
colors
){
if
(
colors
){
size_t
pal_size
;
if
((
colors
+
first_clr
)
>
256
){
if
((
colors
+
first_clr
)
>
256
){
av_log
(
avctx
,
AV_LOG_ERROR
,
"Incorrect palette: %i colors with offset %i
\n
"
,
colors
,
first_clr
);
av_log
(
avctx
,
AV_LOG_ERROR
,
"Incorrect palette: %i colors with offset %i
\n
"
,
colors
,
first_clr
);
return
-
1
;
return
-
1
;
...
@@ -171,8 +188,10 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -171,8 +188,10 @@ static int decode_frame(AVCodecContext *avctx,
av_log
(
avctx
,
AV_LOG_ERROR
,
"Palette entry size %i bits is not supported
\n
"
,
csize
);
av_log
(
avctx
,
AV_LOG_ERROR
,
"Palette entry size %i bits is not supported
\n
"
,
csize
);
return
-
1
;
return
-
1
;
}
}
pal_size
=
colors
*
((
csize
+
1
)
>>
3
);
CHECK_BUFFER_SIZE
(
buf
,
buf_end
,
pal_size
,
"color table"
);
if
(
avctx
->
pix_fmt
!=
PIX_FMT_PAL8
)
//should not occur but skip palette anyway
if
(
avctx
->
pix_fmt
!=
PIX_FMT_PAL8
)
//should not occur but skip palette anyway
buf
+=
colors
*
((
csize
+
1
)
>>
3
)
;
buf
+=
pal_size
;
else
{
else
{
int
r
,
g
,
b
,
t
;
int
r
,
g
,
b
,
t
;
int32_t
*
pal
=
((
int32_t
*
)
p
->
data
[
1
])
+
first_clr
;
int32_t
*
pal
=
((
int32_t
*
)
p
->
data
[
1
])
+
first_clr
;
...
@@ -188,9 +207,14 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -188,9 +207,14 @@ static int decode_frame(AVCodecContext *avctx,
if
((
compr
&
(
~
TGA_RLE
))
==
TGA_NODATA
)
if
((
compr
&
(
~
TGA_RLE
))
==
TGA_NODATA
)
memset
(
p
->
data
[
0
],
0
,
p
->
linesize
[
0
]
*
s
->
height
);
memset
(
p
->
data
[
0
],
0
,
p
->
linesize
[
0
]
*
s
->
height
);
else
{
else
{
if
(
compr
&
TGA_RLE
)
if
(
compr
&
TGA_RLE
){
targa_decode_rle
(
avctx
,
s
,
buf
,
dst
,
avctx
->
width
,
avctx
->
height
,
stride
,
bpp
);
int
res
=
targa_decode_rle
(
avctx
,
s
,
buf
,
buf_end
-
buf
,
dst
,
avctx
->
width
,
avctx
->
height
,
stride
,
bpp
);
else
{
if
(
res
<
0
)
return
-
1
;
buf
+=
res
;
}
else
{
size_t
img_size
=
s
->
width
*
((
s
->
bpp
+
1
)
>>
3
);
CHECK_BUFFER_SIZE
(
buf
,
buf_end
,
img_size
,
"image data"
);
for
(
y
=
0
;
y
<
s
->
height
;
y
++
){
for
(
y
=
0
;
y
<
s
->
height
;
y
++
){
#if HAVE_BIGENDIAN
#if HAVE_BIGENDIAN
if
((
s
->
bpp
+
1
)
>>
3
==
2
){
if
((
s
->
bpp
+
1
)
>>
3
==
2
){
...
@@ -203,10 +227,10 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -203,10 +227,10 @@ static int decode_frame(AVCodecContext *avctx,
dst32
[
x
]
=
AV_RL32
(
buf
+
x
*
4
);
dst32
[
x
]
=
AV_RL32
(
buf
+
x
*
4
);
}
else
}
else
#endif
#endif
memcpy
(
dst
,
buf
,
s
->
width
*
((
s
->
bpp
+
1
)
>>
3
)
);
memcpy
(
dst
,
buf
,
img_size
);
dst
+=
stride
;
dst
+=
stride
;
buf
+=
s
->
width
*
((
s
->
bpp
+
1
)
>>
3
)
;
buf
+=
img_size
;
}
}
}
}
}
}
...
@@ -214,7 +238,7 @@ static int decode_frame(AVCodecContext *avctx,
...
@@ -214,7 +238,7 @@ static int decode_frame(AVCodecContext *avctx,
*
picture
=
*
(
AVFrame
*
)
&
s
->
picture
;
*
picture
=
*
(
AVFrame
*
)
&
s
->
picture
;
*
data_size
=
sizeof
(
AVPicture
);
*
data_size
=
sizeof
(
AVPicture
);
return
buf_
size
;
return
avpkt
->
size
;
}
}
static
av_cold
int
targa_init
(
AVCodecContext
*
avctx
){
static
av_cold
int
targa_init
(
AVCodecContext
*
avctx
){
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录