[MPlayer-dev-eng] [PATCH] safe lzo decompression should be used

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Sun Apr 9 11:22:00 CEST 2006


Hi,
currently some decoders in libmpcodecs use lzo1x_decompress instead of
lzo1x_decompress_safe, which means that there are no checks at all if
the data fits in the output buffer. Despite the speed loss I think this
really needs to be fixed (see attached patch). If speed really matters
that much for somebody it would still be possible to add a switch to
configure (like --extra-insecure :-P)

Greetings,
Reimar Döffinger
-------------- next part --------------
Index: libmpcodecs/vd_lzo.c
===================================================================
RCS file: /cvsroot/mplayer/main/libmpcodecs/vd_lzo.c,v
retrieving revision 1.7
diff -u -r1.7 vd_lzo.c
--- libmpcodecs/vd_lzo.c	8 Mar 2006 10:50:16 -0000	1.7
+++ libmpcodecs/vd_lzo.c	9 Apr 2006 09:16:01 -0000
@@ -119,7 +119,8 @@
 	    );
 
 	/* decompress the frame */
-	r = lzo1x_decompress (data, len, tmp, &w, priv->wrkmem);
+	w = sh->bih->biSizeImage;
+	r = lzo1x_decompress_safe (data, len, tmp, &w, priv->wrkmem);
 	free(tmp);
 
 	if (r != LZO_E_OK) {
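Review bot: The limit set by the added `w = sh->bih->biSizeImage;` comes from the stream header, so it only protects `tmp` if `tmp` was allocated with at least that many bytes. The allocation of `tmp` is outside this hunk; if it is sized from any other expression, `w` should be set from that same expression rather than from the header field again. A short comment would record the invariant, e.g. `/* w must not exceed the size tmp was allocated with */`.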
@@ -154,7 +155,8 @@
 	    return NULL;
     }
 
-    r = lzo1x_decompress (data, len, mpi->planes[0], &w, priv->wrkmem);
+    w = mpi->w * mpi->h;
+    r = lzo1x_decompress_safe (data, len, mpi->planes[0], &w, priv->wrkmem);
     if (r != LZO_E_OK) {
 	/* this should NEVER happen */
 	mp_msg (MSGT_DECVIDEO, MSGL_ERR, 
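Review bot: `w = mpi->w * mpi->h;` assumes one byte per pixel, so the limit handed to lzo1x_decompress_safe is too small for any output format that uses more, and valid frames would then fail as output overruns. The image format is not visible in this hunk; if the decoder can output more than 8 bits per pixel, something like `w = (mpi->w * mpi->h * mpi->bpp) / 8;` looks closer to the real capacity. That still needs confirming against how `mpi->planes[0]` is allocated (stride padding, planar layouts). The enclosing function starts and ends outside the hunk.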
Index: libmpcodecs/native/nuppelvideo.c
===================================================================
RCS file: /cvsroot/mplayer/main/libmpcodecs/native/nuppelvideo.c,v
retrieving revision 1.11
diff -u -r1.11 nuppelvideo.c
--- libmpcodecs/native/nuppelvideo.c	18 Nov 2005 14:39:25 -0000	1.11
+++ libmpcodecs/native/nuppelvideo.c	9 Apr 2006 09:16:09 -0000
@@ -27,7 +27,7 @@
 		unsigned char *decoded, int width, int height)
 {
 	int r;
-	unsigned int out_len;
+	unsigned int out_len = width * height + ( width * height ) / 2;
 	struct rtframeheader *encodedh = ( struct rtframeheader* ) encoded;
 	static unsigned char *buffer = 0; /* for RTJpeg with LZO decompress */
 #ifdef KEEP_BUFFER
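Review bot: `out_len` on the added line is computed in signed `int` arithmetic from `width` and `height`, and it now serves as the output bound for the safe decompressor, so a negative or very large dimension produces an overflowed or wrapped limit. Nothing in the visible lines validates the dimensions, and whether callers do so is not visible here. Rejecting non-positive dimensions and doing the multiplication in an unsigned or wider type before the value is used as a capacity would keep the bound meaningful. The function body continues outside the hunk.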
@@ -56,7 +56,7 @@
 	    {
 #ifdef KEEP_BUFFER		
 		if (!previous_buffer) 
-			previous_buffer = ( unsigned char * ) malloc ( width * height + ( width * height ) / 2 );
+			previous_buffer = ( unsigned char * ) malloc ( out_len );
 #endif
 
 		if (((encodedh->comptype == '2') ||
@@ -74,20 +74,20 @@
 		switch(encodedh->comptype)
 		{
 		    case '0': /* raw YUV420 */
-			memcpy(decoded, encoded + 12, width*height*3/2);
+			memcpy(decoded, encoded + 12, out_len);
 			break;
 		    case '1': /* RTJpeg */
 			RTjpeg_decompressYUV420 ( ( __s8 * ) encoded + 12, decoded );
 			break;
 		    case '2': /* RTJpeg with LZO */
 			if (!buffer) 
-			    buffer = ( unsigned char * ) malloc ( width * height + ( width * height ) / 2 );
+			    buffer = ( unsigned char * ) malloc ( out_len );
 			if (!buffer)
 			{
 			    mp_msg(MSGT_DECVIDEO, MSGL_ERR, "Nuppelvideo: error decompressing\n");
 			    break;
 			}
-			r = lzo1x_decompress ( encoded + 12, encodedh->packetlength, buffer, &out_len, NULL );
+			r = lzo1x_decompress_safe ( encoded + 12, encodedh->packetlength, buffer, &out_len, NULL );
 			if ( r != LZO_E_OK ) 
 			{
 			    mp_msg(MSGT_DECVIDEO, MSGL_ERR, "Nuppelvideo: error decompressing\n");
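Review bot: In case '2' the static `buffer` is allocated only once, with the `out_len` of the first call, yet every later call passes its own freshly computed `out_len` to lzo1x_decompress_safe as the capacity. If the function is ever called again with a larger `width` or `height` (whether that can happen is not visible here), the stated bound exceeds the real allocation and the safe variant no longer prevents the overflow. Remembering the allocated size in a second static and reallocating when `out_len` grows would tie the bound to the buffer. The same applies to `previous_buffer` in the preceding hunk.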
@@ -96,7 +96,7 @@
 			RTjpeg_decompressYUV420 ( ( __s8 * ) buffer, decoded );
 			break;
 		    case '3': /* raw YUV420 with LZO */
-			r = lzo1x_decompress ( encoded + 12, encodedh->packetlength, decoded, &out_len, NULL );
+			r = lzo1x_decompress_safe ( encoded + 12, encodedh->packetlength, decoded, &out_len, NULL );
 			if ( r != LZO_E_OK ) 
 			{
 			    mp_msg(MSGT_DECVIDEO, MSGL_ERR, "Nuppelvideo: error decompressing\n");
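Review bot: Both lzo1x_decompress_safe calls (case '3' here and case '2' in the previous hunk) still take the input length from `encodedh->packetlength`, a field read from the frame itself. The safe variant limits reads to that length, so a header claiming more bytes than `encoded` actually holds can still make it read past the end of the input. The real size of `encoded` is not visible in these hunks; if the caller knows it, it should be passed in and `packetlength` checked against it, less the 12-byte header, before decompressing.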

