[FFmpeg-cvslog] flicvideo: fix invalid reads
Laurentiu Ion
git at videolan.org
Sat Jan 7 02:44:32 CET 2012
ffmpeg | branch: master | Laurentiu Ion <ionlaurentiucristian at gmail.com> | Fri Jan 6 20:42:00 2012 +0200| [b348c852aa8312d361123df0fa20e16feff7c2f1] | committer: Justin Ruggles
flicvideo: fix invalid reads
Prevent invalid reads using bytestream2 functions.
Fixes bug #126.
Signed-off-by: Justin Ruggles <justin.ruggles at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b348c852aa8312d361123df0fa20e16feff7c2f1
---
libavcodec/flicvideo.c | 166 ++++++++++++++++++++++--------------------------
1 files changed, 77 insertions(+), 89 deletions(-)
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index 8e8a813..b7bbfb4 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -41,6 +41,8 @@
#include "libavutil/intreadwrite.h"
#include "avcodec.h"
+#include "bytestream.h"
+#include "mathops.h"
#define FLI_256_COLOR 4
#define FLI_DELTA 7
@@ -132,7 +134,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
{
FlicDecodeContext *s = avctx->priv_data;
- int stream_ptr = 0;
+ GetByteContext g2;
int stream_ptr_after_color_chunk;
int pixel_ptr;
int palette_ptr;
@@ -163,6 +165,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
unsigned char *pixels;
unsigned int pixel_limit;
+ bytestream2_init(&g2, buf, buf_size);
+
s->frame.reference = 1;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
@@ -172,25 +176,22 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
-
- frame_size = AV_RL32(&buf[stream_ptr]);
- stream_ptr += 6; /* skip the magic number */
- num_chunks = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 10; /* skip padding */
+ frame_size = bytestream2_get_le32(&g2);
+ bytestream2_skip(&g2, 2); /* skip the magic number */
+ num_chunks = bytestream2_get_le16(&g2);
+ bytestream2_skip(&g2, 8); /* skip padding */
frame_size -= 16;
/* iterate through the chunks */
while ((frame_size > 0) && (num_chunks > 0)) {
- chunk_size = AV_RL32(&buf[stream_ptr]);
- stream_ptr += 4;
- chunk_type = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ chunk_size = bytestream2_get_le32(&g2);
+ chunk_type = bytestream2_get_le16(&g2);
switch (chunk_type) {
case FLI_256_COLOR:
case FLI_COLOR:
- stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6;
+ stream_ptr_after_color_chunk = bytestream2_tell(&g2) + chunk_size - 6;
/* check special case: If this file is from the Magic Carpet
* game and uses 6-bit colors even though it reports 256-color
@@ -201,15 +202,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
else
color_shift = 2;
/* set up the palette */
- color_packets = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ color_packets = bytestream2_get_le16(&g2);
palette_ptr = 0;
for (i = 0; i < color_packets; i++) {
/* first byte is how many colors to skip */
- palette_ptr += buf[stream_ptr++];
+ palette_ptr += bytestream2_get_byte(&g2);
/* next byte indicates how many entries to change */
- color_changes = buf[stream_ptr++];
+ color_changes = bytestream2_get_byte(&g2);
/* if there are 0 color changes, there are actually 256 */
if (color_changes == 0)
@@ -222,9 +222,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
if ((unsigned)palette_ptr >= 256)
palette_ptr = 0;
- r = buf[stream_ptr++] << color_shift;
- g = buf[stream_ptr++] << color_shift;
- b = buf[stream_ptr++] << color_shift;
+ r = bytestream2_get_byte(&g2) << color_shift;
+ g = bytestream2_get_byte(&g2) << color_shift;
+ b = bytestream2_get_byte(&g2) << color_shift;
entry = (r << 16) | (g << 8) | b;
if (s->palette[palette_ptr] != entry)
s->new_palette = 1;
@@ -233,20 +233,19 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
}
/* color chunks sometimes have weird 16-bit alignment issues;
- * therefore, take the hardline approach and set the stream_ptr
+ * therefore, take the hardline approach and skip
* to the value calculated w.r.t. the size specified by the color
* chunk header */
- stream_ptr = stream_ptr_after_color_chunk;
+ if (stream_ptr_after_color_chunk - bytestream2_tell(&g2) > 0)
+ bytestream2_skip(&g2, stream_ptr_after_color_chunk - bytestream2_tell(&g2));
break;
case FLI_DELTA:
y_ptr = 0;
- compressed_lines = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
- line_packets = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ line_packets = bytestream2_get_le16(&g2);
if ((line_packets & 0xC000) == 0xC000) {
// line skip opcode
line_packets = -line_packets;
@@ -265,14 +264,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
- pixel_skip = buf[stream_ptr++];
+ pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run < 0) {
byte_run = -byte_run;
- palette_idx1 = buf[stream_ptr++];
- palette_idx2 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
+ palette_idx2 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run * 2);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
pixels[pixel_ptr++] = palette_idx1;
@@ -281,8 +280,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
} else {
CHECK_PIXEL_PTR(byte_run * 2);
for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
- palette_idx1 = buf[stream_ptr++];
- pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
}
}
}
@@ -294,34 +292,31 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
case FLI_LC:
/* line compressed */
- starting_line = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ starting_line = bytestream2_get_le16(&g2);
y_ptr = 0;
y_ptr += starting_line * s->frame.linesize[0];
- compressed_lines = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
pixel_ptr = y_ptr;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
- line_packets = buf[stream_ptr++];
+ line_packets = bytestream2_get_byte(&g2);
if (line_packets > 0) {
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
- pixel_skip = buf[stream_ptr++];
+ pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2),8);
if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
- palette_idx1 = buf[stream_ptr++];
- pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
}
} else if (byte_run < 0) {
byte_run = -byte_run;
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
pixels[pixel_ptr++] = palette_idx1;
@@ -349,12 +344,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
- stream_ptr++;
+ bytestream2_skip(&g2, 1);
pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) {
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
pixels[pixel_ptr++] = palette_idx1;
@@ -367,8 +362,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
- palette_idx1 = buf[stream_ptr++];
- pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
pixel_countdown--;
if (pixel_countdown < 0)
av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d) at line %d\n",
@@ -386,20 +380,19 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
if (chunk_size - 6 > s->avctx->width * s->avctx->height) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
"bigger than image, skipping chunk\n", chunk_size - 6);
- stream_ptr += chunk_size - 6;
+ bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
y_ptr += s->frame.linesize[0]) {
- memcpy(&pixels[y_ptr], &buf[stream_ptr],
- s->avctx->width);
- stream_ptr += s->avctx->width;
+ bytestream2_get_buffer(&g2, &pixels[y_ptr],
+ s->avctx->width);
}
}
break;
case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */
- stream_ptr += chunk_size - 6;
+ bytestream2_skip(&g2, chunk_size - 6);
break;
default:
@@ -413,9 +406,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
/* by the end of the chunk, the stream ptr should equal the frame
* size (minus 1, possibly); if it doesn't, issue a warning */
- if ((stream_ptr != buf_size) && (stream_ptr != buf_size - 1))
+ if ((bytestream2_get_bytes_left(&g2) != 0) &&
+ (bytestream2_get_bytes_left(&g2) != 1))
av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \
- "and final chunk ptr = %d\n", buf_size, stream_ptr);
+ "and final chunk ptr = %d\n", buf_size,
+ buf_size - bytestream2_get_bytes_left(&g2));
/* make the palette available on the way out */
memcpy(s->frame.data[1], s->palette, AVPALETTE_SIZE);
@@ -438,7 +433,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
/* Format is the pixel format, the packets are processed the same. */
FlicDecodeContext *s = avctx->priv_data;
- int stream_ptr = 0;
+ GetByteContext g2;
int pixel_ptr;
unsigned char palette_idx1;
@@ -461,6 +456,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
int pixel;
unsigned int pixel_limit;
+ bytestream2_init(&g2, buf, buf_size);
+
s->frame.reference = 1;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
@@ -471,19 +468,17 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
- frame_size = AV_RL32(&buf[stream_ptr]);
- stream_ptr += 6; /* skip the magic number */
- num_chunks = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 10; /* skip padding */
+ frame_size = bytestream2_get_le32(&g2);
+ bytestream2_skip(&g2, 2); /* skip the magic number */
+ num_chunks = bytestream2_get_le16(&g2);
+ bytestream2_skip(&g2, 8); /* skip padding */
frame_size -= 16;
/* iterate through the chunks */
while ((frame_size > 0) && (num_chunks > 0)) {
- chunk_size = AV_RL32(&buf[stream_ptr]);
- stream_ptr += 4;
- chunk_type = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ chunk_size = bytestream2_get_le32(&g2);
+ chunk_type = bytestream2_get_le16(&g2);
switch (chunk_type) {
case FLI_256_COLOR:
@@ -492,17 +487,15 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
* include one of these chunks in their first frame.
* Why I do not know, it seems rather extraneous. */
/* av_log(avctx, AV_LOG_ERROR, "Unexpected Palette chunk %d in non-paletised FLC\n",chunk_type);*/
- stream_ptr = stream_ptr + chunk_size - 6;
+ bytestream2_skip(&g2, chunk_size - 6);
break;
case FLI_DELTA:
case FLI_DTA_LC:
y_ptr = 0;
- compressed_lines = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
- line_packets = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ line_packets = bytestream2_get_le16(&g2);
if (line_packets < 0) {
line_packets = -line_packets;
y_ptr += line_packets * s->frame.linesize[0];
@@ -513,14 +506,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
- pixel_skip = buf[stream_ptr++];
+ pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */
pixel_countdown -= pixel_skip;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run < 0) {
byte_run = -byte_run;
- pixel = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ pixel = bytestream2_get_le16(&g2);
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
*((signed short*)(&pixels[pixel_ptr])) = pixel;
@@ -529,8 +521,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
} else {
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
- *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
}
}
@@ -543,7 +534,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
case FLI_LC:
av_log(avctx, AV_LOG_ERROR, "Unexpected FLI_LC chunk in non-paletised FLC\n");
- stream_ptr = stream_ptr + chunk_size - 6;
+ bytestream2_skip(&g2, chunk_size - 6);
break;
case FLI_BLACK:
@@ -558,13 +549,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
- stream_ptr++;
+ bytestream2_skip(&g2, 1);
pixel_countdown = (s->avctx->width * 2);
while (pixel_countdown > 0) {
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
pixels[pixel_ptr++] = palette_idx1;
@@ -577,7 +568,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
pixels[pixel_ptr++] = palette_idx1;
pixel_countdown--;
if (pixel_countdown < 0)
@@ -610,14 +601,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
- stream_ptr++;
+ bytestream2_skip(&g2, 1);
pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */
while (pixel_countdown > 0) {
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
- pixel = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ pixel = bytestream2_get_le16(&g2);
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) {
*((signed short*)(&pixels[pixel_ptr])) = pixel;
@@ -631,8 +621,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
byte_run = -byte_run;
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) {
- *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
pixel_countdown--;
if (pixel_countdown < 0)
@@ -652,7 +641,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
if (chunk_size - 6 > (unsigned int)(s->avctx->width * s->avctx->height)*2) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
"bigger than image, skipping chunk\n", chunk_size - 6);
- stream_ptr += chunk_size - 6;
+ bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
@@ -661,18 +650,17 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width;
pixel_ptr = 0;
while (pixel_countdown > 0) {
- *((signed short*)(&pixels[y_ptr + pixel_ptr])) = AV_RL16(&buf[stream_ptr+pixel_ptr]);
+ *((signed short*)(&pixels[y_ptr + pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
pixel_countdown--;
}
- stream_ptr += s->avctx->width*2;
}
}
break;
case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */
- stream_ptr += chunk_size - 6;
+ bytestream2_skip(&g2, chunk_size - 6);
break;
default:
@@ -686,9 +674,9 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
/* by the end of the chunk, the stream ptr should equal the frame
* size (minus 1, possibly); if it doesn't, issue a warning */
- if ((stream_ptr != buf_size) && (stream_ptr != buf_size - 1))
+ if ((bytestream2_get_bytes_left(&g2) != 0) && (bytestream2_get_bytes_left(&g2) != 1))
av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \
- "and final chunk ptr = %d\n", buf_size, stream_ptr);
+ "and final chunk ptr = %d\n", buf_size, bytestream2_tell(&g2));
*data_size=sizeof(AVFrame);
More information about the ffmpeg-cvslog
mailing list