mirror of
https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg
synced 2026-04-22 05:40:27 +08:00
avcodec/vc1dec: check return values of all init_get_bits() calls
And replace them with init_get_bits8, to prevent integer overflows on huge values. Fixes issue #21463. Signed-off-by: James Almer <jamrial@gmail.com>
This commit is contained in:
James Almer
@@ -683,7 +683,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx)
|
||||
if (size <= 0)
|
||||
continue;
|
||||
buf2_size = v->vc1dsp.vc1_unescape_buffer(start + 4, size, buf2);
|
||||
init_get_bits(&gb, buf2, buf2_size * 8);
|
||||
ret = init_get_bits8(&gb, buf2, buf2_size);
|
||||
if (ret < 0) {
|
||||
av_free(buf2);
|
||||
return ret;
|
||||
}
|
||||
switch (AV_RB32(start)) {
|
||||
case VC1_CODE_SEQHDR:
|
||||
if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) {
|
||||
@@ -888,8 +892,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
|
||||
}
|
||||
buf_size3 = v->vc1dsp.vc1_unescape_buffer(start + 4, size,
|
||||
slices[n_slices].buf);
|
||||
init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
|
||||
buf_size3 << 3);
|
||||
ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3);
|
||||
if (ret < 0) {
|
||||
ret = AVERROR(ENOMEM);
|
||||
goto err;
|
||||
}
|
||||
slices[n_slices].mby_start = avctx->coded_height + 31 >> 5;
|
||||
slices[n_slices].rawbuf = start;
|
||||
slices[n_slices].raw_size = size + 4;
|
||||
@@ -899,7 +906,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
|
||||
}
|
||||
case VC1_CODE_ENTRYPOINT: /* it should be before frame data */
|
||||
buf_size2 = v->vc1dsp.vc1_unescape_buffer(start + 4, size, buf2);
|
||||
init_get_bits(&v->gb, buf2, buf_size2 * 8);
|
||||
ret = init_get_bits8(&v->gb, buf2, buf_size2);
|
||||
if (ret < 0) {
|
||||
ret = AVERROR(ENOMEM);
|
||||
goto err;
|
||||
}
|
||||
ff_vc1_decode_entry_point(avctx, v, &v->gb);
|
||||
break;
|
||||
case VC1_CODE_SLICE: {
|
||||
@@ -918,8 +929,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
|
||||
}
|
||||
buf_size3 = v->vc1dsp.vc1_unescape_buffer(start + 4, size,
|
||||
slices[n_slices].buf);
|
||||
init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
|
||||
buf_size3 << 3);
|
||||
ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3);
|
||||
if (ret < 0) {
|
||||
ret = AVERROR(ENOMEM);
|
||||
goto err;
|
||||
}
|
||||
slices[n_slices].mby_start = get_bits(&slices[n_slices].gb, 9);
|
||||
slices[n_slices].rawbuf = start;
|
||||
slices[n_slices].raw_size = size + 4;
|
||||
@@ -952,8 +966,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
|
||||
goto err;
|
||||
}
|
||||
buf_size3 = v->vc1dsp.vc1_unescape_buffer(divider + 4, buf + buf_size - divider - 4, slices[n_slices].buf);
|
||||
init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
|
||||
buf_size3 << 3);
|
||||
ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3);
|
||||
if (ret < 0) {
|
||||
ret = AVERROR(ENOMEM);
|
||||
goto err;
|
||||
}
|
||||
slices[n_slices].mby_start = s->mb_height + 1 >> 1;
|
||||
slices[n_slices].rawbuf = divider;
|
||||
slices[n_slices].raw_size = buf + buf_size - divider;
|
||||
@@ -964,7 +981,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
|
||||
} else {
|
||||
buf_size2 = v->vc1dsp.vc1_unescape_buffer(buf, buf_size, buf2);
|
||||
}
|
||||
init_get_bits(&v->gb, buf2, buf_size2*8);
|
||||
ret = init_get_bits8(&v->gb, buf2, buf_size2);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
} else{
|
||||
ret = init_get_bits8(&v->gb, buf, buf_size);
|
||||
if (ret < 0)
|
||||
|
||||
Reference in New Issue
Block a user