author | Matthias Vogelgesang <matthias.vogelgesang@kit.edu> | 2016-01-19 16:51:07 +0100 |
---|---|---|
committer | Matthias Vogelgesang <matthias.vogelgesang@kit.edu> | 2016-01-19 16:51:07 +0100 |
commit | 6dc338458113252ed59a991ba8c11f38ae3f3ba4 (patch) | |
tree | 731f1c1866541e9ec11c47f3ce2e0298077ebe47 | |
parent | 8c4d7d30621b7d446b25964a840080fc765a1492 (diff) | |
Prevent buffer overflow with corrupt data
-rw-r--r-- | src/ufodecode.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/src/ufodecode.c b/src/ufodecode.c
index 46af883..23a6018 100644
--- a/src/ufodecode.c
+++ b/src/ufodecode.c
@@ -163,7 +163,7 @@ ufo_decoder_set_raw_data (UfoDecoder *decoder, uint32_t *raw, size_t num_bytes)
 }
 static size_t
-ufo_decode_frame_channels_v5 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_rows, uint8_t output_mode)
+ufo_decode_frame_channels_v5 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_bytes, size_t num_rows, uint8_t output_mode)
 {
 payload_header_v5 *header;
 size_t base = 0, index = 0;
@@ -229,7 +229,7 @@ ufo_decode_frame_channels_v5 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint3
 }
 static size_t
-ufo_decode_frame_channels_v6 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_rows, uint16_t start_offset)
+ufo_decode_frame_channels_v6 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_bytes, size_t num_rows, uint16_t start_offset)
 {
 size_t base = 0;
 size_t index = 0;
@@ -240,8 +240,8 @@ ufo_decode_frame_channels_v6 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint3
 __m64 mm_r;
 #endif
- while (raw[base] != 0xAAAAAAA) {
- const size_t row_number = (raw[base] & 0xfff) - start_offset;
+ while ((raw[base] != 0xAAAAAAA) && ((num_bytes - base * 4) >= 32)) {
+ const size_t row_number = raw[base] & 0xfff;
 const size_t pixel_number = (raw[base + 1] >> 16) & 0xfff;
 base += 2;
@@ -442,7 +442,6 @@ ufo_decoder_decode_frame (UfoDecoder *decoder, uint32_t *raw, size_t num_bytes,
 fprintf (stderr, "Unsupported header version %i\n", header_version);
 }
-
 #ifdef DEBUG
 if ((meta->output_mode != IPECAMERA_MODE_4_CHAN_IO) && (meta->output_mode != IPECAMERA_MODE_16_CHAN_IO)) {
 fprintf (stderr, "Output mode 0x%x is not supported\n", meta->output_mode);
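Review bot: The new `num_bytes` parameter of `ufo_decode_frame_channels_v5` is never used by this patch. The diffstat's six insertions are fully accounted for by the two signatures, the two lines of the v6 loop and the two call sites, so the v5 body gains no length check and still walks `raw` without a bound. If version 5 frames can arrive corrupt as well, its loop needs its own guard before each read, written without unsigned subtraction, for example `if (base * 4 + BYTES_NEEDED > num_bytes) break;`, where `BYTES_NEEDED` is a placeholder for the size one iteration consumes. Until then a comment such as `/* num_bytes is not checked here yet: v5 reads are unbounded */` would stop readers assuming the function is protected. The v5 body lies outside the hunk.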
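Review bot: The new loop guard in `ufo_decode_frame_channels_v6` reads `raw[base]` before it tests the remaining length, so the word at `base` is still fetched when it is already past the end of the buffer. The subtraction `num_bytes - base * 4` is also done in `size_t`, so once `base * 4` exceeds `num_bytes` it wraps to a very large value and `>= 32` passes. Put the bound first and avoid the subtraction: `while ((base * 4 + 32 <= num_bytes) && (raw[base] != 0xAAAAAAA)) {`. `row_number` now keeps the raw 12-bit field without subtracting `start_offset`; the loop body continues outside the hunk, so it is worth confirming that the value is checked against `num_rows` before it indexes `pixel_buffer`.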
@@ -468,11 +467,11 @@ ufo_decoder_decode_frame (UfoDecoder *decoder, uint32_t *raw, size_t num_bytes,
 switch (dataformat_version) {
 case 5:
- advance = ufo_decode_frame_channels_v5 (decoder, pixels, raw + pos, rows_per_frame, meta->output_mode);
+ advance = ufo_decode_frame_channels_v5 (decoder, pixels, raw + pos, num_bytes - pos, rows_per_frame, meta->output_mode);
 break;
 case 6:
- advance = ufo_decode_frame_channels_v6 (decoder, pixels, raw + pos, rows_per_frame, meta->cmosis_start_address);
+ advance = ufo_decode_frame_channels_v6 (decoder, pixels, raw + pos, num_bytes - pos, rows_per_frame, meta->cmosis_start_address);
 break;
 default: |
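Review bot: `num_bytes - pos` mixes units in both calls. `raw` is a `uint32_t *`, so `pos` in `raw + pos` counts 32-bit words, while `num_bytes` counts bytes (the v6 loop itself converts with `base * 4`). The length handed to the decoders is therefore too large by `3 * pos` bytes, and the bound added in the v6 loop can still allow reads past the end of the input. Pass `num_bytes - pos * 4` instead, after checking `pos * 4 <= num_bytes` so the unsigned subtraction cannot wrap. The declaration of `pos` is outside the hunk.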