Luca Barbato
5ecabd3c54
msrle: Use FFABS to determine the frame size in msrle_decode_pal4
As done in msrle_decode_8_16_24_32.
Bug-Id: CVE-2015-3395
CC: libav-stable@libav.org
10 years ago
Michael Niedermayer
50d878d930
avcodec/msrledec: Ask for sample that uses a branch with an unused byte
Finding out if this is correct or buggy is easiest with a sample
Fixes: CID1297620
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago
Andreas Cadhalpun
ae6fd7300b
msrledec: use signed pixel_ptr in msrle_decode_pal4
This fixes segmentation faults, when pic->linesize[0] is negative.
In that case 'line * pic->linesize[0] + pixel_ptr' is treated as
unsigned and wraps around.
This reverts commit 7d78a964.
The problem was introduced in commit f7e1367f, which should obsolete
that commit.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago
Michael Niedermayer
c20eab5c85
avcodec/msrledec: More verbose error message
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago
Michael Niedermayer
f7e1367f58
avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer
Fixes out of array access
Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago
Paul B Mahol
e6e26b8a91
msrledec: use memset()
Signed-off-by: Paul B Mahol <onemda@gmail.com>
11 years ago
Paul B Mahol
6638738968
msrledec: use bytestream2_get_bufferu()
Signed-off-by: Paul B Mahol <onemda@gmail.com>
11 years ago
Michael Niedermayer
e398990eb8
msrledec: fix output_end checks
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Anton Khirnov
9bd6375d5f
msrledec: check bounds before constructing a possibly invalid pointer,
CC:libav-stable@libav.org
12 years ago
Michael Niedermayer
d2e0a276d5
msrledec: merge switches
More speedup and fixes 'may be used uninitialized in this function' warnings
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Michael Niedermayer
dbaae33c2c
msrledec: move loop into switch
speeds up code and allows more simplifications
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Michael Niedermayer
c2992b7053
msrledec: move output pointer test up
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Ronald Bultje
992f71e95d
msrle: convert MS RLE decoding function to bytestream2.
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
13 years ago
Diego Biurrun
a8798c7eb9
Drop unnecessary av_uninit attributes from some variable declarations.
Recent versions of gcc (4.4+) no longer give false positive warnings.
13 years ago
Alex Converse
7181c4edee
cosmetics: Remove extra newlines at EOF
13 years ago
Michael Niedermayer
53be37e368
msrledec: Check for overreads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Diego Biurrun
ee41963f19
cosmetics: drop some completely pointless parentheses
13 years ago
Mans Rullgard
2912e87a6c
Replace FFmpeg with Libav in licence headers
Signed-off-by: Mans Rullgard <mans@mansr.com>
14 years ago
Michael Niedermayer
7d78a96441
Fix possibly exploitable out of buffer writes in msrle_decode_pal4().
This fix is minimalistic, that function should be cleaned up by someone.
Originally committed as revision 25633 to svn://svn.ffmpeg.org/ffmpeg/trunk
14 years ago
Michael Niedermayer
7429783101
Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().
Issue has been reported to me by Gynvael Coldwind
Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk
14 years ago
Michael Niedermayer
81a646140f
remove impossible condition from msrle_decode_pal4()
Originally committed as revision 25631 to svn://svn.ffmpeg.org/ffmpeg/trunk
14 years ago
Michael Niedermayer
94ee6c100d
fix indent
Originally committed as revision 25630 to svn://svn.ffmpeg.org/ffmpeg/trunk
14 years ago
Diego Biurrun
ba87f0801d
Remove explicit filename from Doxygen @file commands.
Passing an explicit filename to this command is only necessary if the
documentation in the @file block refers to a file different from the
one the block resides in.
Originally committed as revision 22921 to svn://svn.ffmpeg.org/ffmpeg/trunk
15 years ago
Carl Eugen Hoyos
ccd17ea13c
Include msrledec.h: It contains the prototype for ff_msrle_decode().
Originally committed as revision 22105 to svn://svn.ffmpeg.org/ffmpeg/trunk
15 years ago
Kostya Shishkov
b08de903cd
Make MS RLE decoder produce both bottom-up and top-down pictures
Originally committed as revision 20111 to svn://svn.ffmpeg.org/ffmpeg/trunk
15 years ago
Baptiste Coudurier
25178da302
do not print false error if eof follows eol
Originally committed as revision 18965 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Diego Biurrun
607694c77b
cosmetics: Fix some typos.
Originally committed as revision 18894 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Kostya Shishkov
b3867c93d1
Fix off-by-one error in MS RLE decoder which may result in writing past picture buffer.
Originally committed as revision 18852 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Diego Biurrun
1e4eb387d4
Add av_uninit macro to variables to avoid false positive warnings:
libavcodec/msrledec.c: In function ‘ff_msrle_decode’:
libavcodec/msrledec.c:139: warning: ‘pix32’ may be used uninitialized in this function
libavcodec/msrledec.c:138: warning: ‘pix16’ may be used uninitialized in this function
Originally committed as revision 17156 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Diego Biurrun
bad5537e2c
Use full internal pathname in doxygen @file directives.
Otherwise doxygen complains about ambiguous filenames when files exist
under the same name in different subdirectories.
Originally committed as revision 16912 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Diego Biurrun
6a5d31ac25
Fix build: Add intreadwrite.h and bswap.h #includes where necessary.
Originally committed as revision 16556 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Kostya Shishkov
6149cdbe9d
Make decoding run of pixels in MS RLE saner.
This is based on patches by Alex Converse and Mans Rullgard
Thread "[PATCH] Fix MSRLE type punning"
Originally committed as revision 16013 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Kostya Shishkov
ce60c2d133
Print out some errors found during MS RLE decoding
Originally committed as revision 16012 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago
Kostya Shishkov
44aa9771c9
Factorize out code used for MS RLE format decoding in different decoders.
Originally committed as revision 15356 to svn://svn.ffmpeg.org/ffmpeg/trunk
16 years ago