[FFmpeg-cvslog] Chronomaster DFA decoder
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Tue Mar 29 07:45:27 CEST 2011
On 29 Mar 2011, at 03:09, git at videolan.org (Kostya Shishkov) wrote:
> FFmpeg | branch: master | Kostya Shishkov <kostya.shishkov at gmail.com> | Tue Mar 15 09:37:48 2011 +0100| [42315dabce376fd7085e2a1bbab4d230d3d2ccd8] | committer: Anton Khirnov
>
> Chronomaster DFA decoder
I strongly recommend to disable this.
This is full of incorrectly done security checks where either overflow is not even considered at all or gcc may optimise away a critical check because in accordance with the C standard it assumes pointer arithmetic will not overflow.
Checking for this kind of thing is really trivial to do once you learned it, I can only strongly advice anyone to learn it!
> + frame += bytestream_get_le32(&src);
> + if (frame < frame_start || frame > frame_end)
> + return -1;
First condition the compiler is allowed to remove.
> + if (frame - offset < frame_start || frame_end - frame < count)
> + return -1;
First condition can overflow with small enough null page
Haven't checked further.
> + av_memcpy_backptr(frame, offset, count);
> + frame += count;
> + } else {
> + *frame++ = *src++;
> + *frame++ = *src++;
> + }
> + mask <<= 1;
> + }
> +
> + return 0;
> +}
> +
> +static int decode_dsw1(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end)
> +{
> + const uint8_t *frame_start = frame;
> + const uint8_t *frame_end = frame + width * height;
> + int mask = 0x10000, bitbuf = 0;
> + int v, offset, count, segments;
> +
> + segments = bytestream_get_le16(&src);
> + while (segments--) {
> + if (mask == 0x10000) {
> + if (src >= src_end)
> + return -1;
> + bitbuf = bytestream_get_le16(&src);
> + mask = 1;
> + }
> + if (src_end - src < 2 || frame_end - frame < 2)
> + return -1;
> + if (bitbuf & mask) {
> + v = bytestream_get_le16(&src);
> + offset = (v & 0x1FFF) << 1;
> + count = ((v >> 13) + 2) << 1;
> + if (frame - offset < frame_start || frame_end - frame < count)
> + return -1;
> + // can't use av_memcpy_backptr() since it can overwrite following pixels
> + for (v = 0; v < count; v++)
> + frame[v] = frame[v - offset];
> + frame += count;
> + } else if (bitbuf & (mask << 1)) {
> + frame += bytestream_get_le16(&src);
> + } else {
> + *frame++ = *src++;
> + *frame++ = *src++;
> + }
> + mask <<= 2;
> + }
> +
> + return 0;
> +}
> +
> +static int decode_dds1(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end)
> +{
> + const uint8_t *frame_start = frame;
> + const uint8_t *frame_end = frame + width * height;
> + int mask = 0x10000, bitbuf = 0;
> + int i, v, offset, count, segments;
> +
> + segments = bytestream_get_le16(&src);
> + while (segments--) {
> + if (mask == 0x10000) {
> + if (src >= src_end)
> + return -1;
> + bitbuf = bytestream_get_le16(&src);
> + mask = 1;
> + }
> + if (src_end - src < 2 || frame_end - frame < 2)
> + return -1;
> + if (bitbuf & mask) {
> + v = bytestream_get_le16(&src);
> + offset = (v & 0x1FFF) << 2;
> + count = ((v >> 13) + 2) << 1;
> + if (frame - offset < frame_start || frame_end - frame < count*2 + width)
> + return -1;
> + for (i = 0; i < count; i++) {
> + frame[0] = frame[1] =
> + frame[width] = frame[width + 1] = frame[-offset];
> +
> + frame += 2;
> + }
> + } else if (bitbuf & (mask << 1)) {
> + frame += bytestream_get_le16(&src) * 2;
> + } else {
> + frame[0] = frame[1] =
> + frame[width] = frame[width + 1] = *src++;
> + frame += 2;
> + frame[0] = frame[1] =
> + frame[width] = frame[width + 1] = *src++;
> + frame += 2;
> + }
> + mask <<= 2;
> + }
> +
> + return 0;
> +}
> +
> +static int decode_bdlt(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end)
> +{
> + const uint8_t *frame_end = frame + width * height;
> + uint8_t *line_ptr;
> + int count, lines, segments;
> +
> + count = bytestream_get_le16(&src);
> + if (count >= height || width * count < 0)
> + return -1;
> + frame += width * count;
> + lines = bytestream_get_le16(&src);
> + if (frame + lines * width > frame_end || src >= src_end)
> + return -1;
> +
> + while (lines--) {
> + line_ptr = frame;
> + frame += width;
> + segments = *src++;
> + while (segments--) {
> + if (src_end - src < 3)
> + return -1;
> + line_ptr += *src++;
> + if (line_ptr >= frame)
> + return -1;
> + count = (int8_t)*src++;
> + if (count >= 0) {
> + if (line_ptr + count > frame || src_end - src < count)
> + return -1;
> + bytestream_get_buffer(&src, line_ptr, count);
> + } else {
> + count = -count;
> + if (line_ptr + count > frame || src >= src_end)
> + return -1;
> + memset(line_ptr, *src++, count);
> + }
> + line_ptr += count;
> + }
> + }
> +
> + return 0;
> +}
> +
> +static int decode_wdlt(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end)
> +{
> + const uint8_t *frame_end = frame + width * height;
> + uint8_t *line_ptr;
> + int count, i, v, lines, segments;
> +
> + lines = bytestream_get_le16(&src);
> + if (frame + lines * width > frame_end || src >= src_end)
> + return -1;
> +
> + while (lines--) {
> + segments = bytestream_get_le16(&src);
> + while ((segments & 0xC000) == 0xC000) {
> + frame -= (int16_t)segments * width;
> + if (frame >= frame_end)
> + return -1;
> + segments = bytestream_get_le16(&src);
> + }
> + if (segments & 0x8000) {
> + frame[width - 1] = segments & 0xFF;
> + segments = bytestream_get_le16(&src);
> + }
> + line_ptr = frame;
> + frame += width;
> + while (segments--) {
> + if (src_end - src < 2)
> + return -1;
> + line_ptr += *src++;
> + if (line_ptr >= frame)
> + return -1;
> + count = (int8_t)*src++;
> + if (count >= 0) {
> + if (line_ptr + count*2 > frame || src_end - src < count*2)
> + return -1;
> + bytestream_get_buffer(&src, line_ptr, count*2);
> + line_ptr += count * 2;
> + } else {
> + count = -count;
> + if (line_ptr + count*2 > frame || src_end - src < 2)
> + return -1;
> + v = bytestream_get_le16(&src);
> + for (i = 0; i < count; i++)
> + bytestream_put_le16(&line_ptr, v);
> + }
> + }
> + }
> +
> + return 0;
> +}
> +
> +static int decode_unk6(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end)
> +{
> + return -1;
> +}
> +
> +static int decode_blck(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end)
> +{
> + memset(frame, 0, width * height);
> + return 0;
> +}
> +
> +
> +typedef int (*chunk_decoder)(uint8_t *frame, int width, int height,
> + const uint8_t *src, const uint8_t *src_end);
> +
> +static const chunk_decoder decoder[8] = {
> + decode_copy, decode_tsw1, decode_bdlt, decode_wdlt,
> + decode_unk6, decode_dsw1, decode_blck, decode_dds1,
> +};
> +
> +static const char* chunk_name[8] = {
> + "COPY", "TSW1", "BDLT", "WDLT", "????", "DSW1", "BLCK", "DDS1"
> +};
> +
> +static int dfa_decode_frame(AVCodecContext *avctx,
> + void *data, int *data_size,
> + AVPacket *avpkt)
> +{
> + DfaContext *s = avctx->priv_data;
> + const uint8_t *buf = avpkt->data;
> + const uint8_t *buf_end = avpkt->data + avpkt->size;
> + const uint8_t *tmp_buf;
> + uint32_t chunk_type, chunk_size;
> + uint8_t *dst;
> + int ret;
> + int i, pal_elems;
> +
> + if (s->pic.data[0])
> + avctx->release_buffer(avctx, &s->pic);
> +
> + if ((ret = avctx->get_buffer(avctx, &s->pic))) {
> + av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
> + return ret;
> + }
> +
> + while (buf < buf_end) {
> + chunk_size = AV_RL32(buf + 4);
> + chunk_type = AV_RL32(buf + 8);
> + buf += 12;
> + if (buf_end - buf < chunk_size) {
> + av_log(avctx, AV_LOG_ERROR, "Chunk size is too big (%d bytes)\n", chunk_size);
> + return -1;
> + }
> + if (!chunk_type)
> + break;
> + if (chunk_type == 1) {
> + pal_elems = FFMIN(chunk_size / 3, 256);
> + tmp_buf = buf;
> + for (i = 0; i < pal_elems; i++) {
> + s->pal[i] = bytestream_get_be24(&tmp_buf) << 2;
> + s->pal[i] |= (s->pal[i] >> 6) & 0x333;
> + }
> + s->pic.palette_has_changed = 1;
> + } else if (chunk_type <= 9) {
> + if (decoder[chunk_type - 2](s->frame_buf, avctx->width, avctx->height,
> + buf, buf + chunk_size)) {
> + av_log(avctx, AV_LOG_ERROR, "Error decoding %s chunk\n",
> + chunk_name[chunk_type - 2]);
> + return -1;
> + }
> + } else {
> + av_log(avctx, AV_LOG_WARNING, "Ignoring unknown chunk type %d\n",
> + chunk_type);
> + }
> + buf += chunk_size;
> + }
> +
> + buf = s->frame_buf;
> + dst = s->pic.data[0];
> + for (i = 0; i < avctx->height; i++) {
> + memcpy(dst, buf, avctx->width);
> + dst += s->pic.linesize[0];
> + buf += avctx->width;
> + }
> + memcpy(s->pic.data[1], s->pal, sizeof(s->pal));
> +
> + *data_size = sizeof(AVFrame);
> + *(AVFrame*)data = s->pic;
> +
> + return avpkt->size;
> +}
> +
> +static av_cold int dfa_decode_end(AVCodecContext *avctx)
> +{
> + DfaContext *s = avctx->priv_data;
> +
> + if (s->pic.data[0])
> + avctx->release_buffer(avctx, &s->pic);
> +
> + av_freep(&s->frame_buf);
> +
> + return 0;
> +}
> +
> +AVCodec ff_dfa_decoder = {
> + "dfa",
> + AVMEDIA_TYPE_VIDEO,
> + CODEC_ID_DFA,
> + sizeof(DfaContext),
> + dfa_decode_init,
> + NULL,
> + dfa_decode_end,
> + dfa_decode_frame,
> + CODEC_CAP_DR1,
> + .long_name = NULL_IF_CONFIG_SMALL("Chronomaster DFA"),
> +};
> diff --git a/libavcodec/version.h b/libavcodec/version.h
> index 73a6f33..a1c8365 100644
> --- a/libavcodec/version.h
> +++ b/libavcodec/version.h
> @@ -21,7 +21,7 @@
> #define AVCODEC_VERSION_H
>
> #define LIBAVCODEC_VERSION_MAJOR 52
> -#define LIBAVCODEC_VERSION_MINOR 115
> +#define LIBAVCODEC_VERSION_MINOR 116
> #define LIBAVCODEC_VERSION_MICRO 0
>
> #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \
> diff --git a/libavformat/Makefile b/libavformat/Makefile
> index c521cd3..719783c 100644
> --- a/libavformat/Makefile
> +++ b/libavformat/Makefile
> @@ -55,6 +55,7 @@ OBJS-$(CONFIG_CDG_DEMUXER) += cdg.o
> OBJS-$(CONFIG_CRC_MUXER) += crcenc.o
> OBJS-$(CONFIG_DAUD_DEMUXER) += daud.o
> OBJS-$(CONFIG_DAUD_MUXER) += daud.o
> +OBJS-$(CONFIG_DFA_DEMUXER) += dfa.o
> OBJS-$(CONFIG_DIRAC_DEMUXER) += diracdec.o rawdec.o
> OBJS-$(CONFIG_DIRAC_MUXER) += rawenc.o
> OBJS-$(CONFIG_DNXHD_DEMUXER) += dnxhddec.o rawdec.o
> diff --git a/libavformat/allformats.c b/libavformat/allformats.c
> index d6cab7a..e80d4b0 100644
> --- a/libavformat/allformats.c
> +++ b/libavformat/allformats.c
> @@ -75,6 +75,7 @@ void av_register_all(void)
> REGISTER_DEMUXER (CDG, cdg);
> REGISTER_MUXER (CRC, crc);
> REGISTER_MUXDEMUX (DAUD, daud);
> + REGISTER_DEMUXER (DFA, dfa);
> REGISTER_MUXDEMUX (DIRAC, dirac);
> REGISTER_MUXDEMUX (DNXHD, dnxhd);
> REGISTER_DEMUXER (DSICIN, dsicin);
> diff --git a/libavformat/dfa.c b/libavformat/dfa.c
> new file mode 100644
> index 0000000..8108535
> --- /dev/null
> +++ b/libavformat/dfa.c
> @@ -0,0 +1,119 @@
> +/*
> + * Chronomaster DFA Format Demuxer
> + * Copyright (c) 2011 Konstantin Shishkov
> + *
> + * This file is part of Libav.
> + *
> + * Libav is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * Libav is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with Libav; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + */
> +
> +#include "libavutil/intreadwrite.h"
> +#include "avformat.h"
> +
> +static int dfa_probe(AVProbeData *p)
> +{
> + if (p->buf_size < 4 || AV_RL32(p->buf) != MKTAG('D', 'F', 'I', 'A'))
> + return 0;
> +
> + return AVPROBE_SCORE_MAX;
> +}
> +
> +static int dfa_read_header(AVFormatContext *s,
> + AVFormatParameters *ap)
> +{
> + AVIOContext *pb = s->pb;
> + AVStream *st;
> + int frames;
> + uint32_t mspf;
> +
> + if (avio_rl32(pb) != MKTAG('D', 'F', 'I', 'A')) {
> + av_log(s, AV_LOG_ERROR, "Invalid magic for DFA\n");
> + return AVERROR_INVALIDDATA;
> + }
> + avio_skip(pb, 2); // unused
> + frames = avio_rl16(pb);
> +
> + st = av_new_stream(s, 0);
> + if (!st)
> + return AVERROR(ENOMEM);
> +
> + st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
> + st->codec->codec_id = CODEC_ID_DFA;
> + st->codec->width = avio_rl16(pb);
> + st->codec->height = avio_rl16(pb);
> + mspf = avio_rl32(pb);
> + if (!mspf) {
> + av_log(s, AV_LOG_WARNING, "Zero FPS reported, defaulting to 10\n");
> + mspf = 100;
> + }
> + av_set_pts_info(st, 24, mspf, 1000);
> + avio_skip(pb, 128 - 16); // padding
> + st->duration = frames;
> +
> + return 0;
> +}
> +
> +static int dfa_read_packet(AVFormatContext *s, AVPacket *pkt)
> +{
> + AVIOContext *pb = s->pb;
> + uint32_t frame_size;
> + int ret, first = 1;
> +
> + if (pb->eof_reached)
> + return AVERROR_EOF;
> +
> + if (av_get_packet(pb, pkt, 12) != 12)
> + return AVERROR(EIO);
> + while (!pb->eof_reached) {
> + if (!first) {
> + ret = av_append_packet(pb, pkt, 12);
> + if (ret < 0) {
> + av_free_packet(pkt);
> + return ret;
> + }
> + } else
> + first = 0;
> + frame_size = AV_RL32(pkt->data + pkt->size - 8);
> + if (frame_size > INT_MAX - 4) {
> + av_log(s, AV_LOG_ERROR, "Too large chunk size: %d\n", frame_size);
> + return AVERROR(EIO);
> + }
> + if (AV_RL32(pkt->data + pkt->size - 12) == MKTAG('E', 'O', 'F', 'R')) {
> + if (frame_size) {
> + av_log(s, AV_LOG_WARNING, "skipping %d bytes of end-of-frame marker chunk\n",
> + frame_size);
> + avio_skip(pb, frame_size);
> + }
> + return 0;
> + }
> + ret = av_append_packet(pb, pkt, frame_size);
> + if (ret < 0) {
> + av_free_packet(pkt);
> + return ret;
> + }
> + }
> +
> + return 0;
> +}
> +
> +AVInputFormat ff_dfa_demuxer = {
> + "dfa",
> + NULL_IF_CONFIG_SMALL("Chronomaster DFA"),
> + 0,
> + dfa_probe,
> + dfa_read_header,
> + dfa_read_packet,
> + .flags = AVFMT_GENERIC_INDEX,
> +};
> diff --git a/libavformat/version.h b/libavformat/version.h
> index e52290f..7d61bef 100644
> --- a/libavformat/version.h
> +++ b/libavformat/version.h
> @@ -24,7 +24,7 @@
> #include "libavutil/avutil.h"
>
> #define LIBAVFORMAT_VERSION_MAJOR 52
> -#define LIBAVFORMAT_VERSION_MINOR 103
> +#define LIBAVFORMAT_VERSION_MINOR 104
> #define LIBAVFORMAT_VERSION_MICRO 0
>
> #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \
>
> _______________________________________________
> ffmpeg-cvslog mailing list
> ffmpeg-cvslog at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
More information about the ffmpeg-cvslog
mailing list