On Wed, Apr 8, 2015 at 10:24 AM, Anton Khirnov <[email protected]> wrote:
>> +    if (src[3] >= NUM_HQ_PROFILES) {
>> +        profile = &ff_hq_profile[0];
>> +        avpriv_request_sample(ctx->avctx, "Profile %d", src[3]);
>> +    } else
>> +        profile = &ff_hq_profile[src[3]];
>
> Unchecked reads.

This should be safe, because the caller already contains this check:

    if (data_size < 4) {
        av_log(avctx, AV_LOG_ERROR, "Frame is too small (%d).\n", data_size);
        return AVERROR_INVALIDDATA;
    }

>> +
>> +    ctx->avctx->coded_width         = FFALIGN(profile->width,  16);
>> +    ctx->avctx->coded_height        = FFALIGN(profile->height, 16);
>> +    ctx->avctx->width               = profile->width;
>> +    ctx->avctx->height              = profile->height;
>> +    ctx->avctx->bits_per_raw_sample = 8;
>> +    ctx->avctx->pix_fmt             = AV_PIX_FMT_YUV422P;
>> +
>> +    ret = ff_get_buffer(ctx->avctx, pic, 0);
>> +    if (ret < 0) {
>> +        av_log(ctx->avctx, AV_LOG_ERROR, "Could not allocate buffer.\n");
>> +        return ret;
>> +    }
>> +
>> +    for (i = 0; i < profile->num_slices + 1; i++)
>> +        slice_off[i] = AV_RB24(src + 4 + i * 3);
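Review bot: The values stored in `slice_off[]` by the `AV_RB24` loop come straight from the packet and are presumably used further down as byte offsets into `src`, yet nothing in the quoted lines bounds them against each other or against `data_size`. Before a slice is handed to the bit reader, each pair should be validated, for example `if (slice_off[i] >= slice_off[i + 1] || slice_off[i + 1] > data_size) return AVERROR_INVALIDDATA;`. The same applies to the `AV_RB32` loop in hqa_decode_frame. The declaration of `slice_off` for this function is not quoted, so it is also worth confirming that its size covers the largest `profile->num_slices + 1` in the profile table. The function body starts and ends outside the quoted lines, so the actual use of the offsets is not visible here.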
>
> Yet more unchecked reads.

ok

>> +static int hqa_decode_frame(HQContext *ctx, AVFrame *pic,
>> +                            uint8_t *src, int data_size)
>> +{
>> +    GetBitContext gb;
>> +    uint32_t slice_off[9];
>> +    int i, slice, ret;
>> +    int width, height, num_slices = 8;
>> +
>> +    width  = AV_RB16(src + 4);
>> +    height = AV_RB16(src + 6);
>
> What does the scouter say about those unchecked reads?

epic

>> +
>> +    ctx->avctx->coded_width         = FFALIGN(width,  16);
>> +    ctx->avctx->coded_height        = FFALIGN(height, 16);
>> +    ctx->avctx->width               = width;
>> +    ctx->avctx->height              = height;
>> +    ctx->avctx->bits_per_raw_sample = 8;
>> +    ctx->avctx->pix_fmt             = AV_PIX_FMT_YUVA422P;
>> +
>> +    ret = ff_get_buffer(ctx->avctx, pic, 0);
>> +    if (ret < 0) {
>> +        av_log(ctx->avctx, AV_LOG_ERROR, "Could not allocate buffer.\n");
>> +        return ret;
>> +    }
>> +
>> +    for (i = 0; i < num_slices + 1; i++)
>> +        slice_off[i] = AV_RB32(src + 12 + i * 4);
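Review bot: In hqa_decode_frame, `width` and `height` are taken from the bitstream and written into `ctx->avctx` before anything validates them, so a zero or oversized value is presumably only rejected inside `ff_get_buffer`, after the codec context has already been modified. Setting them through the usual helper first, `ret = ff_set_dimensions(ctx->avctx, width, height); if (ret < 0) return ret;`, would reject bad sizes up front. The aligned `coded_width`/`coded_height` assignments would then follow that call, since the helper also writes the coded fields. The rest of the function lies outside the quoted lines.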
>
> At least 0x2329 unchecked reads.

ok

-- 
Vittorio