X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;ds=sidebyside;f=libavcodec%2Frasc.c;h=c1e91851926a1a9b5b310ecd013a0e1010d282bc;hb=2606c48391377681541111263de41c79adeffa49;hp=fbbb134f4b3c2661eca3c42bf9f138916ef30330;hpb=f4cf6ba8c9646814af842a99335c6ee312ded299;p=ffmpeg diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index fbbb134f4b3..c1e91851926 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame) RASCContext *s = avctx->priv_data; uint8_t *dst = frame->data[0]; + if (!dst) + return; + for (int y = 0; y < avctx->height; y++) { memset(dst, 0, avctx->width * s->bpp); dst += frame->linesize[0]; @@ -95,10 +98,10 @@ static int init_frames(AVCodecContext *avctx) int ret; av_frame_unref(s->frame1); + av_frame_unref(s->frame2); if ((ret = ff_get_buffer(avctx, s->frame1, 0)) < 0) return ret; - av_frame_unref(s->frame2); if ((ret = ff_get_buffer(avctx, s->frame2, 0)) < 0) return ret; @@ -109,7 +112,7 @@ static int init_frames(AVCodecContext *avctx) } static int decode_fint(AVCodecContext *avctx, - AVPacket *avpkt, unsigned size) + const AVPacket *avpkt, unsigned size) { RASCContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; @@ -124,6 +127,8 @@ static int decode_fint(AVCodecContext *avctx, clear_plane(avctx, s->frame1); return 0; } + if (bytestream2_get_bytes_left(gb) < 72) + return AVERROR_INVALIDDATA; bytestream2_skip(gb, 8); w = bytestream2_get_le32(gb); @@ -166,7 +171,7 @@ static int decode_fint(AVCodecContext *avctx, return 0; } -static int decode_zlib(AVCodecContext *avctx, AVPacket *avpkt, +static int decode_zlib(AVCodecContext *avctx, const AVPacket *avpkt, unsigned size, unsigned uncompressed_size) { RASCContext *s = avctx->priv_data; 
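Review bot: The new `if (!dst) return;` guard in clear_plane hides the missing-buffer case from the caller, because the function is void and the decode_fint path shown further down (`clear_plane(avctx, s->frame1); return 0;`) still reports success. That looks deliberate, since decode_frame later returns AVERROR_INVALIDDATA when `s->frame1->data[0]` or `s->frame2->data[0]` is NULL, but nothing at the guard says so. I would add a comment above it such as `/* frame has no buffer yet; nothing to clear, decode_frame() rejects unallocated frames */`. The call order that can reach this with a NULL plane is outside the hunk, so the wording should be confirmed against it.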
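Review bot: The reordering in init_frames carries no explanation, and the state it leaves on failure is asymmetric. Both frames are now unreferenced before the first ff_get_buffer(), so a failure on frame1 no longer leaves an old frame2 buffer behind, but a failure on frame2 still returns with frame1 allocated and frame2 empty. The `data[0]` checks visible in the decode_move and decode_frame hunks appear to cover that state. A one-line comment would make the dependency explicit, e.g. `/* release both references first so a failed allocation cannot leave a stale buffer in either frame */`. The function continues past the end of the hunk.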
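Review bot: The literal 72 in `if (bytestream2_get_bytes_left(gb) < 72)` in decode_fint is not tied to anything a reader can verify here. The hunk shows only an 8-byte skip followed by 32-bit reads, and the rest of the header parse lies outside it. If 72 is the fixed header length, it should be named or annotated at the check, for example `/* fixed-size FINT header: 8 skipped bytes plus the fields read below */`, so that a later change to the field reads cannot drift away from the bound unnoticed. The check also sits after the early `return 0` path, which therefore runs without this length validation; presumably that path reads nothing further, but its condition is above the hunk.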
@@ -200,7 +205,7 @@ static int decode_zlib(AVCodecContext *avctx, AVPacket *avpkt, } static int decode_move(AVCodecContext *avctx, - AVPacket *avpkt, unsigned size) + const AVPacket *avpkt, unsigned size) { RASCContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; @@ -215,7 +220,7 @@ static int decode_move(AVCodecContext *avctx, bytestream2_skip(gb, 8); compression = bytestream2_get_le32(gb); - if (nb_moves > INT32_MAX / 16) + if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width * avctx->height) return AVERROR_INVALIDDATA; uncompressed_size = 16 * nb_moves; @@ -272,9 +277,9 @@ static int decode_move(AVCodecContext *avctx, if (!s->frame2->data[0] || !s->frame1->data[0]) return AVERROR_INVALIDDATA; - b1 = s->frame1->data[0] + s->frame1->linesize[0] * (start_y + h) + start_x * s->bpp; - b2 = s->frame2->data[0] + s->frame2->linesize[0] * (start_y + h) + start_x * s->bpp; - e2 = s->frame2->data[0] + s->frame2->linesize[0] * (mov_y + h) + mov_x * s->bpp; + b1 = s->frame1->data[0] + s->frame1->linesize[0] * (start_y + h - 1) + start_x * s->bpp; + b2 = s->frame2->data[0] + s->frame2->linesize[0] * (start_y + h - 1) + start_x * s->bpp; + e2 = s->frame2->data[0] + s->frame2->linesize[0] * (mov_y + h - 1) + mov_x * s->bpp; if (type == 2) { for (int j = 0; j < h; j++) { @@ -324,7 +329,7 @@ static int decode_move(AVCodecContext *avctx, len--; static int decode_dlta(AVCodecContext *avctx, - AVPacket *avpkt, unsigned size) + const AVPacket *avpkt, unsigned size) { RASCContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; @@ -353,6 +358,8 @@ static int decode_dlta(AVCodecContext *avctx, compression = bytestream2_get_le32(gb); if (compression == 1) { + if (w * h * s->bpp * 3 < uncompressed_size) + return AVERROR_INVALIDDATA; ret = decode_zlib(avctx, avpkt, size, uncompressed_size); if (ret < 0) return ret; 
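Review bot: The added bound `nb_moves > avctx->width * avctx->height` in decode_move computes the product in `int` before comparing, so the limit is only as sound as whatever caps the dimensions elsewhere. The same pattern appears in the decode_dlta hunk further down, `w * h * s->bpp * 3 < uncompressed_size`. If either product exceeds 32 bits the comparison no longer means what it says (signed overflow is undefined, unsigned arithmetic wraps), and the declarations and range checks for these operands are outside the hunks. Widening removes that dependency: `nb_moves > (int64_t)avctx->width * avctx->height` and `(uint64_t)w * h * s->bpp * 3 < uncompressed_size`. The factor 3 in the decode_dlta check also deserves a short comment stating which worst-case expansion it represents.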
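Review bot: The corrected row offsets `(start_y + h - 1)` and `(mov_y + h - 1)` in decode_move are only in bounds when h is at least 1; with h == 0 and a zero start row the expression would form a pointer one row before `data[0]`. The only validation visible in this hunk is the `data[0]` NULL check, so the rectangle range checks are presumably above it, and it is worth confirming that they reject empty rectangles. A comment on these lines would record the invariant, e.g. `/* address of the last row of the rectangle; h >= 1 is guaranteed by the range checks above */`. The copy loops that consume b1, b2 and e2 continue past the end of the hunk.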
@@ -464,7 +471,7 @@ static int decode_dlta(AVCodecContext *avctx, } static int decode_kfrm(AVCodecContext *avctx, - AVPacket *avpkt, unsigned size) + const AVPacket *avpkt, unsigned size) { RASCContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; @@ -527,7 +534,7 @@ static int decode_kfrm(AVCodecContext *avctx, } static int decode_mous(AVCodecContext *avctx, - AVPacket *avpkt, unsigned size) + const AVPacket *avpkt, unsigned size) { RASCContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; @@ -567,7 +574,7 @@ static int decode_mous(AVCodecContext *avctx, } static int decode_mpos(AVCodecContext *avctx, - AVPacket *avpkt, unsigned size) + const AVPacket *avpkt, unsigned size) { RASCContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; @@ -680,6 +687,9 @@ static int decode_frame(AVCodecContext *avctx, while (bytestream2_get_bytes_left(gb) > 0) { unsigned type, size = 0; + if (bytestream2_get_bytes_left(gb) < 8) + return AVERROR_INVALIDDATA; + type = bytestream2_get_le32(gb); if (type == KBND || type == BNDL) { intra = type == KBND; @@ -718,12 +728,12 @@ static int decode_frame(AVCodecContext *avctx, return ret; } - if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0) - return ret; - if (!s->frame2->data[0] || !s->frame1->data[0]) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0) + return ret; + copy_plane(avctx, s->frame2, s->frame); if (avctx->pix_fmt == AV_PIX_FMT_PAL8) memcpy(s->frame->data[1], s->frame2->data[1], 1024); @@ -795,7 +805,7 @@ static const AVClass rasc_decoder_class = { .version = LIBAVUTIL_VERSION_INT, }; -AVCodec ff_rasc_decoder = { +const AVCodec ff_rasc_decoder = { .name = "rasc", .long_name = NULL_IF_CONFIG_SMALL("RemotelyAnywhere Screen Capture"), .type = AVMEDIA_TYPE_VIDEO,
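Review bot: The new `bytestream2_get_bytes_left(gb) < 8` test in decode_frame sits inside a loop whose condition is already `bytestream2_get_bytes_left(gb) > 0`, so one to seven trailing bytes now fail the whole packet with AVERROR_INVALIDDATA, even after earlier chunks in the same packet were processed. If that strictness is intended, it should be stated together with the meaning of the constant, e.g. `/* each chunk starts with a 32-bit type and a 32-bit size; anything shorter is a truncated chunk */`. The size read is outside the hunk, so this reading of 8 is an assumption to confirm. The KBND/BNDL branch visible below runs past the hunk; if it consumes a further word, the minimum needed there is more than 8 bytes and the code is relying on the checked bytestream2 readers rather than on this test.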