c93: convert to bytestream2 API

Protects against overreads.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
pull/3/merge
Paul B Mahol 13 years ago committed by Martin Storsjö
parent 947e103a8f
commit 85aded741e
  1. 52
      libavcodec/c93.c

@ -121,8 +121,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
AVFrame * const newpic = &c93->pictures[c93->currentpic]; AVFrame * const newpic = &c93->pictures[c93->currentpic];
AVFrame * const oldpic = &c93->pictures[c93->currentpic^1]; AVFrame * const oldpic = &c93->pictures[c93->currentpic^1];
AVFrame *picture = data; AVFrame *picture = data;
GetByteContext gb;
uint8_t *out; uint8_t *out;
int stride, i, x, y, bt = 0; int stride, i, x, y, b, bt = 0;
c93->currentpic ^= 1; c93->currentpic ^= 1;
@ -136,7 +137,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
stride = newpic->linesize[0]; stride = newpic->linesize[0];
if (buf[0] & C93_FIRST_FRAME) { bytestream2_init(&gb, buf, buf_size);
b = bytestream2_get_byte(&gb);
if (b & C93_FIRST_FRAME) {
newpic->pict_type = AV_PICTURE_TYPE_I; newpic->pict_type = AV_PICTURE_TYPE_I;
newpic->key_frame = 1; newpic->key_frame = 1;
} else { } else {
@ -144,17 +147,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
newpic->key_frame = 0; newpic->key_frame = 0;
} }
if (*buf++ & C93_HAS_PALETTE) {
uint32_t *palette = (uint32_t *) newpic->data[1];
const uint8_t *palbuf = buf + buf_size - 768 - 1;
for (i = 0; i < 256; i++) {
palette[i] = bytestream_get_be24(&palbuf);
}
} else {
if (oldpic->data[1])
memcpy(newpic->data[1], oldpic->data[1], 256 * 4);
}
for (y = 0; y < HEIGHT; y += 8) { for (y = 0; y < HEIGHT; y += 8) {
out = newpic->data[0] + y * stride; out = newpic->data[0] + y * stride;
for (x = 0; x < WIDTH; x += 8) { for (x = 0; x < WIDTH; x += 8) {
@ -164,12 +156,12 @@ static int decode_frame(AVCodecContext *avctx, void *data,
C93BlockType block_type; C93BlockType block_type;
if (!bt) if (!bt)
bt = *buf++; bt = bytestream2_get_byte(&gb);
block_type= bt & 0x0F; block_type= bt & 0x0F;
switch (block_type) { switch (block_type) {
case C93_8X8_FROM_PREV: case C93_8X8_FROM_PREV:
offset = bytestream_get_le16(&buf); offset = bytestream2_get_le16(&gb);
if (copy_block(avctx, out, copy_from, offset, 8, stride)) if (copy_block(avctx, out, copy_from, offset, 8, stride))
return -1; return -1;
break; break;
@ -179,7 +171,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
case C93_4X4_FROM_PREV: case C93_4X4_FROM_PREV:
for (j = 0; j < 8; j += 4) { for (j = 0; j < 8; j += 4) {
for (i = 0; i < 8; i += 4) { for (i = 0; i < 8; i += 4) {
offset = bytestream_get_le16(&buf); offset = bytestream2_get_le16(&gb);
if (copy_block(avctx, &out[j*stride+i], if (copy_block(avctx, &out[j*stride+i],
copy_from, offset, 4, stride)) copy_from, offset, 4, stride))
return -1; return -1;
@ -188,10 +180,10 @@ static int decode_frame(AVCodecContext *avctx, void *data,
break; break;
case C93_8X8_2COLOR: case C93_8X8_2COLOR:
bytestream_get_buffer(&buf, cols, 2); bytestream2_get_buffer(&gb, cols, 2);
for (i = 0; i < 8; i++) { for (i = 0; i < 8; i++) {
draw_n_color(out + i*stride, stride, 8, 1, 1, cols, draw_n_color(out + i*stride, stride, 8, 1, 1, cols,
NULL, *buf++); NULL, bytestream2_get_byte(&gb));
} }
break; break;
@ -202,17 +194,17 @@ static int decode_frame(AVCodecContext *avctx, void *data,
for (j = 0; j < 8; j += 4) { for (j = 0; j < 8; j += 4) {
for (i = 0; i < 8; i += 4) { for (i = 0; i < 8; i += 4) {
if (block_type == C93_4X4_2COLOR) { if (block_type == C93_4X4_2COLOR) {
bytestream_get_buffer(&buf, cols, 2); bytestream2_get_buffer(&gb, cols, 2);
draw_n_color(out + i + j*stride, stride, 4, 4, draw_n_color(out + i + j*stride, stride, 4, 4,
1, cols, NULL, bytestream_get_le16(&buf)); 1, cols, NULL, bytestream2_get_le16(&gb));
} else if (block_type == C93_4X4_4COLOR) { } else if (block_type == C93_4X4_4COLOR) {
bytestream_get_buffer(&buf, cols, 4); bytestream2_get_buffer(&gb, cols, 4);
draw_n_color(out + i + j*stride, stride, 4, 4, draw_n_color(out + i + j*stride, stride, 4, 4,
2, cols, NULL, bytestream_get_le32(&buf)); 2, cols, NULL, bytestream2_get_le32(&gb));
} else { } else {
bytestream_get_buffer(&buf, grps, 4); bytestream2_get_buffer(&gb, grps, 4);
draw_n_color(out + i + j*stride, stride, 4, 4, draw_n_color(out + i + j*stride, stride, 4, 4,
1, cols, grps, bytestream_get_le16(&buf)); 1, cols, grps, bytestream2_get_le16(&gb));
} }
} }
} }
@ -223,7 +215,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
case C93_8X8_INTRA: case C93_8X8_INTRA:
for (j = 0; j < 8; j++) for (j = 0; j < 8; j++)
bytestream_get_buffer(&buf, out + j*stride, 8); bytestream2_get_buffer(&gb, out + j*stride, 8);
break; break;
default: default:
@ -236,6 +228,16 @@ static int decode_frame(AVCodecContext *avctx, void *data,
} }
} }
if (b & C93_HAS_PALETTE) {
uint32_t *palette = (uint32_t *) newpic->data[1];
for (i = 0; i < 256; i++) {
palette[i] = bytestream2_get_be24(&gb);
}
} else {
if (oldpic->data[1])
memcpy(newpic->data[1], oldpic->data[1], 256 * 4);
}
*picture = *newpic; *picture = *newpic;
*data_size = sizeof(AVFrame); *data_size = sizeof(AVFrame);

Loading…
Cancel
Save