[FFmpeg-cvslog] eamad: use the bytestream2 API instead of AV_RL

Anton Khirnov git at videolan.org
Wed Jul 30 20:12:10 CEST 2014


ffmpeg | branch: release/2.2 | Anton Khirnov <anton at khirnov.net> | Sun Jul 20 12:06:47 2014 +0000| [f9204ec56a4cf73843d1e5b8563d3584c2c05b47] | committer: Reinhard Tartler

eamad: use the bytestream2 API instead of AV_RL

This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c)

CC:libav-stable at libav.org

Conflicts:
	libavcodec/eamad.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f9204ec56a4cf73843d1e5b8563d3584c2c05b47
---

 libavcodec/eamad.c |   37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index 22070a4..99a4e77 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -29,6 +29,7 @@
  */
 
 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "aandcttab.h"
 #include "eaidct.h"
@@ -229,30 +230,32 @@ static int decode_frame(AVCodecContext *avctx,
 {
     const uint8_t *buf = avpkt->data;
     int buf_size       = avpkt->size;
-    const uint8_t *buf_end = buf+buf_size;
     MadContext *s     = avctx->priv_data;
     AVFrame *frame    = data;
+    GetByteContext gb;
     int width, height;
     int chunk_type;
     int inter, ret;
 
-    if (buf_size < 17) {
-        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
-        *got_frame = 0;
-        return -1;
-    }
+    bytestream2_init(&gb, buf, buf_size);
 
-    chunk_type = AV_RL32(&buf[0]);
+    chunk_type = bytestream2_get_le32(&gb);
     inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
-    buf += 8;
+    bytestream2_skip(&gb, 10);
 
     av_reduce(&avctx->time_base.num, &avctx->time_base.den,
-              AV_RL16(&buf[6]), 1000, 1<<30);
+              bytestream2_get_le16(&gb), 1000, 1<<30);
+
+    width  = bytestream2_get_le16(&gb);
+    height = bytestream2_get_le16(&gb);
+    bytestream2_skip(&gb, 1);
+    calc_quant_matrix(s, bytestream2_get_byte(&gb));
+    bytestream2_skip(&gb, 2);
 
-    width  = AV_RL16(&buf[8]);
-    height = AV_RL16(&buf[10]);
-    calc_quant_matrix(s, buf[13]);
-    buf += 16;
+    if (bytestream2_get_bytes_left(&gb) < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     if (avctx->width != width || avctx->height != height) {
         av_frame_unref(s->last_frame);
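Review bot: The size check in decode_frame runs only after every header field has been consumed, so a truncated packet still reaches `av_reduce(&avctx->time_base.num, ...)` and `calc_quant_matrix(s, ...)` with whatever the checked readers return on underrun (zero, as far as the bytestream2 API goes) before AVERROR_INVALIDDATA is returned. That leaves avctx->time_base and the quantisation matrix rewritten by a packet that is then rejected. The reads and skips consume 24 bytes and the check asks for 2 more, so a guard placed directly after `bytestream2_init(&gb, buf, buf_size);`, such as `if (bytestream2_get_bytes_left(&gb) < 26) return AVERROR_INVALIDDATA;` (with the existing log line), would reject short input before any decoder state is touched. The removed branch also cleared `*got_frame`; the start and end of decode_frame are outside this hunk, so it is worth confirming the caller initialises it.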
@@ -279,12 +282,12 @@ static int decode_frame(AVCodecContext *avctx,
     }
 
     av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size,
-                          buf_end - buf);
+                          bytestream2_get_bytes_left(&gb));
     if (!s->bitstream_buf)
         return AVERROR(ENOMEM);
-    s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
-    init_get_bits(&s->gb, s->bitstream_buf, 8*(buf_end-buf));
-
+    s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+                         bytestream2_get_bytes_left(&gb) / 2);
+    init_get_bits(&s->gb, s->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
     for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
         for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
             decode_mb(s, frame, inter);
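Review bot: When an odd number of bytes is left, `bswap16_buf` fills only `bytes_left / 2` 16-bit words while `init_get_bits` is told `8 * bytes_left` bits, so the last byte the bit reader may consume is never written from this packet and holds whatever s->bitstream_buf contained before (stale data from an earlier frame, unless the allocator clears it, which is not visible here). The same mismatch existed with `buf_end - buf`, but the rewritten lines keep it. Computing the length once, e.g. `int left = bytestream2_get_bytes_left(&gb) & ~1;`, and passing `left`, `left / 2` and `8 * left` to the three calls would keep the declared bit length inside the copied data and remove the repeated calls; copying the trailing byte explicitly is the alternative if it carries payload. The macroblock loop and the rest of decode_frame continue outside this hunk.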


