[FFmpeg-cvslog] indeo4: check transform size.

Michael Niedermayer git at videolan.org
Sun Apr 15 13:55:42 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Apr 15 13:26:19 2012 +0200| [0846719dd11ab3f7a7caee13e7af71f71d913389] | committer: Michael Niedermayer

indeo4: check transform size.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0846719dd11ab3f7a7caee13e7af71f71d913389
---

 libavcodec/indeo4.c     |    5 +++++
 libavcodec/ivi_common.c |    5 ++++-
 libavcodec/ivi_common.h |    1 +
 3 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 4d315b5..eacf70d 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -383,6 +383,10 @@ static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band,
                 return AVERROR_PATCHWELCOME;
             }
 
+            if (transform_id < 10 && band->blk_size < 8) {
+                av_log(avctx, AV_LOG_ERROR, "wrong transform size!\n");
+                return AVERROR_INVALIDDATA;
+            }
 #if IVI4_STREAM_ANALYSER
             if ((transform_id >= 0 && transform_id <= 2) || transform_id == 10)
                 ctx->uses_haar = 1;
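Review bot: The added check in decode_band_hdr spells the 8-point case as `transform_id < 10`, and the same threshold is repeated in the next hunk where `band->transform_size` is assigned, so the two can drift apart if the transforms table changes. Computing the size once, `int tsize = (transform_id < 10) ? 8 : 4;`, and rejecting with `if (tsize > band->blk_size)` keeps them tied together and also covers a 4-point transform on a block smaller than 4, which the current condition does not test. The later assignment then becomes `band->transform_size = tsize;`. The inverse transform call in ivi_common.c takes no size argument, so it presumably writes a full transform-sized block into the band buffer, which is why a mismatch has to be refused here. decode_band_hdr starts and ends outside the hunk, so how blk_size is validated before this point cannot be seen.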
@@ -391,6 +395,7 @@ static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band,
             band->inv_transform = transforms[transform_id].inv_trans;
             band->dc_transform  = transforms[transform_id].dc_trans;
             band->is_2d_trans   = transforms[transform_id].is_2d_trans;
+            band->transform_size= (transform_id < 10) ? 8 : 4;
 
             scan_indx = get_bits(&ctx->gb, 4);
             if ((scan_indx>4 && scan_indx<10) != (band->blk_size==4)) {
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 6b2ddc8..64f7363 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -440,7 +440,10 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                     trvec[0]      = prev_dc;
                     col_flags[0] |= !!prev_dc;
                 }
-
+                if(band->transform_size > band->blk_size){
+                    av_log(0, AV_LOG_ERROR, "Too large transform\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 /* apply inverse transform */
                 band->inv_transform(trvec, band->buf + buf_offs,
                                     band->pitch, col_flags);
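Review bot: The new guard before `band->inv_transform(...)` compares two per-band values, so it is loop-invariant yet sits in the per-block path; testing it once near the top of ff_ivi_decode_blocks (outside this hunk) would reject the band before any block is processed. The log call should pass `NULL` rather than `0` for the missing context: `av_log(NULL, AV_LOG_ERROR, "Too large transform\n");`. The check only protects decoders that set `band->transform_size`, and in this commit only indeo4.c does. Any other decoder sharing this function would presumably leave the field at its initial value and, if that is zero, pass the test without being checked.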
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index dd06085..78b6e1c 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -160,6 +160,7 @@ typedef struct {
     InvTransformPtr *inv_transform;
     DCTransformPtr  *dc_transform;
     int             is_2d_trans;    ///< 1 indicates that the two-dimensional inverse transform is used
+    int             transform_size; ///< block size of the transform
     int32_t         checksum;       ///< for debug purposes
     int             checksum_present;
     int             bufsize;        ///< band buffer size in bytes
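Review bot: The comment on `transform_size` does not say how the value relates to `blk_size`, which is the invariant the rest of the commit enforces. A wording such as `///< side length of the inverse transform in samples (8 or 4); must not exceed blk_size` would make that explicit. It would also help to note that the codec's band-header parser is expected to set the field, since nothing visible in this hunk initialises it and the struct definition continues outside the hunk.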


