[FFmpeg-cvslog] bethsoftvideo: Use bytestream2 functions to prevent buffer overreads.
Aneesh Dogra
git at videolan.org
Wed Jan 11 02:57:13 CET 2012
ffmpeg | branch: master | Aneesh Dogra <lionaneesh at gmail.com> | Tue Jan 10 23:56:03 2012 +0530| [29112db8c0f65886e69cbbd6f4e5c44d2d14d238] | committer: Ronald S. Bultje
bethsoftvideo: Use bytestream2 functions to prevent buffer overreads.
Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29112db8c0f65886e69cbbd6f4e5c44d2d14d238
---
libavcodec/bethsoftvideo.c | 36 +++++++++++++++++++-----------------
1 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c
index f4020d6..fa0457c 100644
--- a/libavcodec/bethsoftvideo.c
+++ b/libavcodec/bethsoftvideo.c
@@ -34,6 +34,7 @@
typedef struct BethsoftvidContext {
AVFrame frame;
+ GetByteContext g;
} BethsoftvidContext;
static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
@@ -46,18 +47,18 @@ static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
return 0;
}
-static int set_palette(AVFrame * frame, const uint8_t * palette_buffer, int buf_size)
+static int set_palette(BethsoftvidContext *ctx)
{
- uint32_t * palette = (uint32_t *)frame->data[1];
+ uint32_t *palette = (uint32_t *)ctx->frame.data[1];
int a;
- if (buf_size < 256*3)
+ if (bytestream2_get_bytes_left(&ctx->g) < 256*3)
return AVERROR_INVALIDDATA;
for(a = 0; a < 256; a++){
- palette[a] = AV_RB24(&palette_buffer[a * 3]) * 4;
+ palette[a] = bytestream2_get_be24u(&ctx->g) * 4;
}
- frame->palette_has_changed = 1;
+ ctx->frame.palette_has_changed = 1;
return 256*3;
}
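Review bot: The palette loop in set_palette now reads with `bytestream2_get_be24u`, the unchecked variant, so it is safe only because of the `bytestream2_get_bytes_left(&ctx->g) < 256*3` guard just above it, and nothing in the code records that dependency. A comment on the loop such as `/* unchecked reads: 256*3 bytes were verified by the bytes_left check above */` would keep a later edit from moving or loosening the guard. Separately, the function still returns `256*3`, which the `PALETTE_BLOCK` case passes back as the decoder's return value, while the normal path returns `avpkt->size`. That count omits the block-type byte already consumed, so returning the packet size would be more consistent, although how the caller uses the value is not visible in this diff.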
@@ -65,8 +66,6 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
void *data, int *data_size,
AVPacket *avpkt)
{
- const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
BethsoftvidContext * vid = avctx->priv_data;
char block_type;
uint8_t * dst;
@@ -80,29 +79,32 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
return -1;
}
+
+ bytestream2_init(&vid->g, avpkt->data, avpkt->size);
dst = vid->frame.data[0];
frame_end = vid->frame.data[0] + vid->frame.linesize[0] * avctx->height;
- switch(block_type = *buf++){
- case PALETTE_BLOCK:
- return set_palette(&vid->frame, buf, buf_size);
+ switch(block_type = bytestream2_get_byte(&vid->g)){
+ case PALETTE_BLOCK: {
+ return set_palette(vid);
+ }
case VIDEO_YOFF_P_FRAME:
- yoffset = bytestream_get_le16(&buf);
+ yoffset = bytestream2_get_le16(&vid->g);
if(yoffset >= avctx->height)
return -1;
dst += vid->frame.linesize[0] * yoffset;
}
// main code
- while((code = *buf++)){
+ while((code = bytestream2_get_byte(&vid->g))){
int length = code & 0x7f;
// copy any bytes starting at the current position, and ending at the frame width
while(length > remaining){
if(code < 0x80)
- bytestream_get_buffer(&buf, dst, remaining);
+ bytestream2_get_buffer(&vid->g, dst, remaining);
else if(block_type == VIDEO_I_FRAME)
- memset(dst, buf[0], remaining);
+ memset(dst, bytestream2_peek_byte(&vid->g), remaining);
length -= remaining; // decrement the number of bytes to be copied
dst += remaining + wrap_to_next_line; // skip over extra bytes at end of frame
remaining = avctx->width;
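Review bot: A truncated packet can no longer be overread, but it is still decoded as if it were complete. The checked `bytestream2_get_byte` returns 0 once the input is exhausted, which the `while` loop cannot tell apart from the normal 0 terminator. The count returned by `bytestream2_get_buffer` is also discarded, both here and in the next hunk at `bytestream2_get_buffer(&vid->g, dst, length)`. A short copy then leaves stale pixels from the previous frame in `dst` and the function reports success; consider `if (bytestream2_get_buffer(&vid->g, dst, remaining) != remaining) return AVERROR_INVALIDDATA;`, or at least an `av_log` warning when the reader runs dry. The loop body continues outside this hunk, so the bound on `dst` against `frame_end` cannot be checked from the lines shown.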
@@ -112,9 +114,9 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
// copy any remaining bytes after / if line overflows
if(code < 0x80)
- bytestream_get_buffer(&buf, dst, length);
+ bytestream2_get_buffer(&vid->g, dst, length);
else if(block_type == VIDEO_I_FRAME)
- memset(dst, *buf++, length);
+ memset(dst, bytestream2_get_byte(&vid->g), length);
remaining -= length;
dst += length;
}
@@ -123,7 +125,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
*data_size = sizeof(AVFrame);
*(AVFrame*)data = vid->frame;
- return buf_size;
+ return avpkt->size;
}
static av_cold int bethsoftvid_decode_end(AVCodecContext *avctx)