Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

flicvideo: fix invalid reads

Browse Source 
Prevent invalid reads using bytestream2 functions.
Fixes bug #126.

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
pull/3/head
Laurentiu Ion 13 years ago committed by Justin Ruggles
parent 57cd6d7095
commit b348c852aa
1 changed files with 77 additions and 89 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 166
      libavcodec/flicvideo.c

166
libavcodec/flicvideo.c
Unescape View File

@ -41,6 +41,8 @@
#include "libavutil/intreadwrite.h"
#include "avcodec.h"
#include "bytestream.h"
#include "mathops.h"
#define FLI_256_COLOR 4
#define FLI_DELTA 7
@ -132,7 +134,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
{
FlicDecodeContext *s = avctx->priv_data;
int stream_ptr = 0;
GetByteContext g2;
int stream_ptr_after_color_chunk;
int pixel_ptr;
int palette_ptr;
@ -163,6 +165,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
unsigned char *pixels;
unsigned int pixel_limit;
bytestream2_init(&g2, buf, buf_size);
s->frame.reference = 1;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
@ -172,25 +176,22 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
frame_size = AV_RL32(&buf[stream_ptr]);
stream_ptr += 6; /* skip the magic number */
num_chunks = AV_RL16(&buf[stream_ptr]);
stream_ptr += 10; /* skip padding */
frame_size = bytestream2_get_le32(&g2);
bytestream2_skip(&g2, 2); /* skip the magic number */
num_chunks = bytestream2_get_le16(&g2);
bytestream2_skip(&g2, 8); /* skip padding */
frame_size -= 16;
/* iterate through the chunks */
while ((frame_size > 0) && (num_chunks > 0)) {
chunk_size = AV_RL32(&buf[stream_ptr]);
stream_ptr += 4;
chunk_type = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
chunk_size = bytestream2_get_le32(&g2);
chunk_type = bytestream2_get_le16(&g2);
switch (chunk_type) {
case FLI_256_COLOR:
case FLI_COLOR:
stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6;
stream_ptr_after_color_chunk = bytestream2_tell(&g2) + chunk_size - 6;
/* check special case: If this file is from the Magic Carpet
* game and uses 6-bit colors even though it reports 256-color
@ -201,15 +202,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
else
color_shift = 2;
/* set up the palette */
color_packets = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
color_packets = bytestream2_get_le16(&g2);
palette_ptr = 0;
for (i = 0; i < color_packets; i++) {
/* first byte is how many colors to skip */
palette_ptr += buf[stream_ptr++];
palette_ptr += bytestream2_get_byte(&g2);
/* next byte indicates how many entries to change */
color_changes = buf[stream_ptr++];
color_changes = bytestream2_get_byte(&g2);
/* if there are 0 color changes, there are actually 256 */
if (color_changes == 0)
@ -222,9 +222,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
if ((unsigned)palette_ptr >= 256)
palette_ptr = 0;
r = buf[stream_ptr++] << color_shift;
g = buf[stream_ptr++] << color_shift;
b = buf[stream_ptr++] << color_shift;
r = bytestream2_get_byte(&g2) << color_shift;
g = bytestream2_get_byte(&g2) << color_shift;
b = bytestream2_get_byte(&g2) << color_shift;
entry = (r << 16) | (g << 8) | b;
if (s->palette[palette_ptr] != entry)
s->new_palette = 1;
@ -233,20 +233,19 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
}
/* color chunks sometimes have weird 16-bit alignment issues;
* therefore, take the hardline approach and set the stream_ptr
* therefore, take the hardline approach and skip
* to the value calculated w.r.t. the size specified by the color
* chunk header */
stream_ptr = stream_ptr_after_color_chunk;
if (stream_ptr_after_color_chunk - bytestream2_tell(&g2) > 0)
bytestream2_skip(&g2, stream_ptr_after_color_chunk - bytestream2_tell(&g2));
break;
case FLI_DELTA:
y_ptr = 0;
compressed_lines = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
line_packets = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
line_packets = bytestream2_get_le16(&g2);
if ((line_packets & 0xC000) == 0xC000) {
// line skip opcode
line_packets = -line_packets;
@ -265,14 +264,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
pixel_skip = buf[stream_ptr++];
pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip;
byte_run = (signed char)(buf[stream_ptr++]);
byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run < 0) {
byte_run = -byte_run;
palette_idx1 = buf[stream_ptr++];
palette_idx2 = buf[stream_ptr++];
palette_idx1 = bytestream2_get_byte(&g2);
palette_idx2 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run * 2);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
pixels[pixel_ptr++] = palette_idx1;
@ -281,8 +280,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
} else {
CHECK_PIXEL_PTR(byte_run * 2);
for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
}
}
}
@ -294,34 +292,31 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
case FLI_LC:
/* line compressed */
starting_line = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
starting_line = bytestream2_get_le16(&g2);
y_ptr = 0;
y_ptr += starting_line * s->frame.linesize[0];
compressed_lines = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
pixel_ptr = y_ptr;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
line_packets = buf[stream_ptr++];
line_packets = bytestream2_get_byte(&g2);
if (line_packets > 0) {
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
pixel_skip = buf[stream_ptr++];
pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip;
byte_run = (signed char)(buf[stream_ptr++]);
byte_run = sign_extend(bytestream2_get_byte(&g2),8);
if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
}
} else if (byte_run < 0) {
byte_run = -byte_run;
palette_idx1 = buf[stream_ptr++];
palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
pixels[pixel_ptr++] = palette_idx1;
@ -349,12 +344,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
stream_ptr++;
bytestream2_skip(&g2, 1);
pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) {
byte_run = (signed char)(buf[stream_ptr++]);
byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++];
palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
pixels[pixel_ptr++] = palette_idx1;
@ -367,8 +362,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
pixel_countdown--;
if (pixel_countdown < 0)
av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d) at line %d\n",
@ -386,20 +380,19 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
if (chunk_size - 6 > s->avctx->width * s->avctx->height) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
"bigger than image, skipping chunk\n", chunk_size - 6);
stream_ptr += chunk_size - 6;
bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
y_ptr += s->frame.linesize[0]) {
memcpy(&pixels[y_ptr], &buf[stream_ptr],
s->avctx->width);
stream_ptr += s->avctx->width;
bytestream2_get_buffer(&g2, &pixels[y_ptr],
s->avctx->width);
}
}
break;
case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */
stream_ptr += chunk_size - 6;
bytestream2_skip(&g2, chunk_size - 6);
break;
default:
@ -413,9 +406,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
/* by the end of the chunk, the stream ptr should equal the frame
* size (minus 1, possibly); if it doesn't, issue a warning */
if ((stream_ptr != buf_size) && (stream_ptr != buf_size - 1))
if ((bytestream2_get_bytes_left(&g2) != 0) &&
(bytestream2_get_bytes_left(&g2) != 1))
av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \
"and final chunk ptr = %d\n", buf_size, stream_ptr);
"and final chunk ptr = %d\n", buf_size,
buf_size - bytestream2_get_bytes_left(&g2));
/* make the palette available on the way out */
memcpy(s->frame.data[1], s->palette, AVPALETTE_SIZE);
@ -438,7 +433,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
/* Format is the pixel format, the packets are processed the same. */
FlicDecodeContext *s = avctx->priv_data;
int stream_ptr = 0;
GetByteContext g2;
int pixel_ptr;
unsigned char palette_idx1;
@ -461,6 +456,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
int pixel;
unsigned int pixel_limit;
bytestream2_init(&g2, buf, buf_size);
s->frame.reference = 1;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
@ -471,19 +468,17 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
frame_size = AV_RL32(&buf[stream_ptr]);
stream_ptr += 6; /* skip the magic number */
num_chunks = AV_RL16(&buf[stream_ptr]);
stream_ptr += 10; /* skip padding */
frame_size = bytestream2_get_le32(&g2);
bytestream2_skip(&g2, 2); /* skip the magic number */
num_chunks = bytestream2_get_le16(&g2);
bytestream2_skip(&g2, 8); /* skip padding */
frame_size -= 16;
/* iterate through the chunks */
while ((frame_size > 0) && (num_chunks > 0)) {
chunk_size = AV_RL32(&buf[stream_ptr]);
stream_ptr += 4;
chunk_type = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
chunk_size = bytestream2_get_le32(&g2);
chunk_type = bytestream2_get_le16(&g2);
switch (chunk_type) {
case FLI_256_COLOR:
@ -492,17 +487,15 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
* include one of these chunks in their first frame.
* Why I do not know, it seems rather extraneous. */
/* av_log(avctx, AV_LOG_ERROR, "Unexpected Palette chunk %d in non-paletised FLC\n",chunk_type);*/
stream_ptr = stream_ptr + chunk_size - 6;
bytestream2_skip(&g2, chunk_size - 6);
break;
case FLI_DELTA:
case FLI_DTA_LC:
y_ptr = 0;
compressed_lines = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
line_packets = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
line_packets = bytestream2_get_le16(&g2);
if (line_packets < 0) {
line_packets = -line_packets;
y_ptr += line_packets * s->frame.linesize[0];
@ -513,14 +506,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
pixel_skip = buf[stream_ptr++];
pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */
pixel_countdown -= pixel_skip;
byte_run = (signed char)(buf[stream_ptr++]);
byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run < 0) {
byte_run = -byte_run;
pixel = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
pixel = bytestream2_get_le16(&g2);
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
*((signed short*)(&pixels[pixel_ptr])) = pixel;
@ -529,8 +521,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
} else {
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
*((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
*((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
}
}
@ -543,7 +534,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
case FLI_LC:
av_log(avctx, AV_LOG_ERROR, "Unexpected FLI_LC chunk in non-paletised FLC\n");
stream_ptr = stream_ptr + chunk_size - 6;
bytestream2_skip(&g2, chunk_size - 6);
break;
case FLI_BLACK:
@ -558,13 +549,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
stream_ptr++;
bytestream2_skip(&g2, 1);
pixel_countdown = (s->avctx->width * 2);
while (pixel_countdown > 0) {
byte_run = (signed char)(buf[stream_ptr++]);
byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++];
palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
pixels[pixel_ptr++] = palette_idx1;
@ -577,7 +568,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
palette_idx1 = buf[stream_ptr++];
palette_idx1 = bytestream2_get_byte(&g2);
pixels[pixel_ptr++] = palette_idx1;
pixel_countdown--;
if (pixel_countdown < 0)
@ -610,14 +601,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
stream_ptr++;
bytestream2_skip(&g2, 1);
pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */
while (pixel_countdown > 0) {
byte_run = (signed char)(buf[stream_ptr++]);
byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
pixel = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
pixel = bytestream2_get_le16(&g2);
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) {
*((signed short*)(&pixels[pixel_ptr])) = pixel;
@ -631,8 +621,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
byte_run = -byte_run;
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) {
*((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
*((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
pixel_countdown--;
if (pixel_countdown < 0)
@ -652,7 +641,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
if (chunk_size - 6 > (unsigned int)(s->avctx->width * s->avctx->height)*2) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
"bigger than image, skipping chunk\n", chunk_size - 6);
stream_ptr += chunk_size - 6;
bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
@ -661,18 +650,17 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width;
pixel_ptr = 0;
while (pixel_countdown > 0) {
*((signed short*)(&pixels[y_ptr + pixel_ptr])) = AV_RL16(&buf[stream_ptr+pixel_ptr]);
*((signed short*)(&pixels[y_ptr + pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
pixel_countdown--;
}
stream_ptr += s->avctx->width*2;
}
}
break;
case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */
stream_ptr += chunk_size - 6;
bytestream2_skip(&g2, chunk_size - 6);
break;
default:
@ -686,9 +674,9 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
/* by the end of the chunk, the stream ptr should equal the frame
* size (minus 1, possibly); if it doesn't, issue a warning */
if ((stream_ptr != buf_size) && (stream_ptr != buf_size - 1))
if ((bytestream2_get_bytes_left(&g2) != 0) && (bytestream2_get_bytes_left(&g2) != 1))
av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \
"and final chunk ptr = %d\n", buf_size, stream_ptr);
"and final chunk ptr = %d\n", buf_size, bytestream2_tell(&g2));
*data_size=sizeof(AVFrame);

Write Preview
Loading…
Cancel
Save