png: convert to bytestream2 API.

Protects against overreads in the input buffer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
pull/3/merge
Ronald S. Bultje 13 years ago
parent 681e726865
commit 4c25269ced
  1. 69
      libavcodec/pngdec.c

@ -35,9 +35,7 @@
typedef struct PNGDecContext { typedef struct PNGDecContext {
PNGDSPContext dsp; PNGDSPContext dsp;
const uint8_t *bytestream; GetByteContext gb;
const uint8_t *bytestream_start;
const uint8_t *bytestream_end;
AVFrame picture1, picture2; AVFrame picture1, picture2;
AVFrame *current_picture, *last_picture; AVFrame *current_picture, *last_picture;
@ -362,12 +360,9 @@ static void png_handle_row(PNGDecContext *s)
static int png_decode_idat(PNGDecContext *s, int length) static int png_decode_idat(PNGDecContext *s, int length)
{ {
int ret; int ret;
s->zstream.avail_in = length; s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
s->zstream.next_in = s->bytestream; s->zstream.next_in = s->gb.buffer;
s->bytestream += length; bytestream2_skip(&s->gb, length);
if(s->bytestream > s->bytestream_end)
return -1;
/* decode one line if possible */ /* decode one line if possible */
while (s->zstream.avail_in > 0) { while (s->zstream.avail_in > 0) {
@ -403,15 +398,13 @@ static int decode_frame(AVCodecContext *avctx,
avctx->coded_frame= s->current_picture; avctx->coded_frame= s->current_picture;
p = s->current_picture; p = s->current_picture;
s->bytestream_start=
s->bytestream= buf;
s->bytestream_end= buf + buf_size;
/* check signature */ /* check signature */
if (memcmp(s->bytestream, ff_pngsig, 8) != 0 && if (buf_size < 8 ||
memcmp(s->bytestream, ff_mngsig, 8) != 0) memcmp(buf, ff_pngsig, 8) != 0 &&
memcmp(buf, ff_mngsig, 8) != 0)
return -1; return -1;
s->bytestream+= 8;
bytestream2_init(&s->gb, buf + 8, buf_size - 8);
s->y= s->y=
s->state=0; s->state=0;
// memset(s, 0, sizeof(PNGDecContext)); // memset(s, 0, sizeof(PNGDecContext));
@ -423,14 +416,12 @@ static int decode_frame(AVCodecContext *avctx,
if (ret != Z_OK) if (ret != Z_OK)
return -1; return -1;
for(;;) { for(;;) {
int tag32; if (bytestream2_get_bytes_left(&s->gb) <= 0)
if (s->bytestream >= s->bytestream_end)
goto fail; goto fail;
length = bytestream_get_be32(&s->bytestream); length = bytestream2_get_be32(&s->gb);
if (length > 0x7fffffff) if (length > 0x7fffffff)
goto fail; goto fail;
tag32 = bytestream_get_be32(&s->bytestream); tag = bytestream2_get_le32(&s->gb);
tag = av_bswap32(tag32);
av_dlog(avctx, "png: tag=%c%c%c%c length=%u\n", av_dlog(avctx, "png: tag=%c%c%c%c length=%u\n",
(tag & 0xff), (tag & 0xff),
((tag >> 8) & 0xff), ((tag >> 8) & 0xff),
@ -440,18 +431,18 @@ static int decode_frame(AVCodecContext *avctx,
case MKTAG('I', 'H', 'D', 'R'): case MKTAG('I', 'H', 'D', 'R'):
if (length != 13) if (length != 13)
goto fail; goto fail;
s->width = bytestream_get_be32(&s->bytestream); s->width = bytestream2_get_be32(&s->gb);
s->height = bytestream_get_be32(&s->bytestream); s->height = bytestream2_get_be32(&s->gb);
if(av_image_check_size(s->width, s->height, 0, avctx)){ if(av_image_check_size(s->width, s->height, 0, avctx)){
s->width= s->height= 0; s->width= s->height= 0;
goto fail; goto fail;
} }
s->bit_depth = *s->bytestream++; s->bit_depth = bytestream2_get_byte(&s->gb);
s->color_type = *s->bytestream++; s->color_type = bytestream2_get_byte(&s->gb);
s->compression_type = *s->bytestream++; s->compression_type = bytestream2_get_byte(&s->gb);
s->filter_type = *s->bytestream++; s->filter_type = bytestream2_get_byte(&s->gb);
s->interlace_type = *s->bytestream++; s->interlace_type = bytestream2_get_byte(&s->gb);
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
s->state |= PNG_IHDR; s->state |= PNG_IHDR;
av_dlog(avctx, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n", av_dlog(avctx, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n",
s->width, s->height, s->bit_depth, s->color_type, s->width, s->height, s->bit_depth, s->color_type,
@ -547,7 +538,7 @@ static int decode_frame(AVCodecContext *avctx,
s->state |= PNG_IDAT; s->state |= PNG_IDAT;
if (png_decode_idat(s, length) < 0) if (png_decode_idat(s, length) < 0)
goto fail; goto fail;
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
break; break;
case MKTAG('P', 'L', 'T', 'E'): case MKTAG('P', 'L', 'T', 'E'):
{ {
@ -558,16 +549,16 @@ static int decode_frame(AVCodecContext *avctx,
/* read the palette */ /* read the palette */
n = length / 3; n = length / 3;
for(i=0;i<n;i++) { for(i=0;i<n;i++) {
r = *s->bytestream++; r = bytestream2_get_byte(&s->gb);
g = *s->bytestream++; g = bytestream2_get_byte(&s->gb);
b = *s->bytestream++; b = bytestream2_get_byte(&s->gb);
s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b; s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
} }
for(;i<256;i++) { for(;i<256;i++) {
s->palette[i] = (0xff << 24); s->palette[i] = (0xff << 24);
} }
s->state |= PNG_PLTE; s->state |= PNG_PLTE;
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
} }
break; break;
case MKTAG('t', 'R', 'N', 'S'): case MKTAG('t', 'R', 'N', 'S'):
@ -580,21 +571,21 @@ static int decode_frame(AVCodecContext *avctx,
!(s->state & PNG_PLTE)) !(s->state & PNG_PLTE))
goto skip_tag; goto skip_tag;
for(i=0;i<length;i++) { for(i=0;i<length;i++) {
v = *s->bytestream++; v = bytestream2_get_byte(&s->gb);
s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
} }
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
} }
break; break;
case MKTAG('I', 'E', 'N', 'D'): case MKTAG('I', 'E', 'N', 'D'):
if (!(s->state & PNG_ALLIMAGE)) if (!(s->state & PNG_ALLIMAGE))
goto fail; goto fail;
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
goto exit_loop; goto exit_loop;
default: default:
/* skip tag */ /* skip tag */
skip_tag: skip_tag:
s->bytestream += length + 4; bytestream2_skip(&s->gb, length + 4);
break; break;
} }
} }
@ -619,7 +610,7 @@ static int decode_frame(AVCodecContext *avctx,
*picture= *s->current_picture; *picture= *s->current_picture;
*data_size = sizeof(AVFrame); *data_size = sizeof(AVFrame);
ret = s->bytestream - s->bytestream_start; ret = bytestream2_tell(&s->gb);
the_end: the_end:
inflateEnd(&s->zstream); inflateEnd(&s->zstream);
av_free(crow_buf_base); av_free(crow_buf_base);
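Review bot: The byte count returned at the end of decode_frame, `ret = bytestream2_tell(&s->gb);` in the @ -619 hunk, is 8 bytes short of what the old `s->bytestream - s->bytestream_start` reported, because the GetByteContext is now initialised at `buf + 8` after the signature check, so the signature is no longer counted as consumed input. If the return value is used as the number of packet bytes consumed, it should become `ret = bytestream2_tell(&s->gb) + 8;`, or the context could be set up over the whole packet with `bytestream2_init(&s->gb, buf, buf_size); bytestream2_skip(&s->gb, 8);` so that tell() is relative to the packet start. A secondary point in png_decode_idat: the old code returned -1 when an IDAT chunk's length ran past the buffer end, whereas the new FFMIN/bytestream2_skip pair silently clamps and inflates the truncated data; that appears to be caught later by the bytes-left check at the top of the chunk loop, but a comment on the FFMIN line such as `/* clamp to the buffer; a truncated IDAT fails at the next chunk read */` would make the intent explicit. decode_frame begins and ends outside the visible hunks.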
