[FFmpeg-devel] [PATCH 2/2] lavf/swfdec: support DefineBitsLossless{, 2} tag.

Michael Niedermayer michaelni at gmx.at
Sun Oct 14 04:22:22 CEST 2012


On Fri, Oct 12, 2012 at 11:21:05PM +0200, Clément Bœsch wrote:
> ---
>  libavformat/swfdec.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 114 insertions(+)
> 
> diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
> index 48a2156..3fe31d4 100644
> --- a/libavformat/swfdec.c
> +++ b/libavformat/swfdec.c
> @@ -20,6 +20,7 @@
>   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>   */
>  
> +#include "libavutil/avassert.h"
>  #include "libavutil/intreadwrite.h"
>  #include "swf.h"
>  
> @@ -253,6 +254,119 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
>                      return pkt->size;
>                  }
>              }
> +        } else if (tag == TAG_DEFINEBITSLOSSLESS || tag == TAG_DEFINEBITSLOSSLESS2) {
> +#if CONFIG_ZLIB
> +            long out_len;
> +            uint8_t *buf, *zbuf, *pal;
> +            uint32_t colormap[AVPALETTE_COUNT] = {0};
> +            const int alpha_bmp = tag == TAG_DEFINEBITSLOSSLESS2;
> +            const int colormapbpp = 3 + alpha_bmp;
> +            int linesize, colormapsize = 0;
> +
> +            const int ch_id   = avio_rl16(pb);
> +            const int bmp_fmt = avio_r8(pb);
> +            const int width   = avio_rl16(pb);
> +            const int height  = avio_rl16(pb);
> +
> +            len -= 2+1+2+2;
> +
> +            switch (bmp_fmt) {
> +            case 3: // PAL-8
> +                linesize = width;
> +                colormapsize = avio_r8(pb) + 1;
> +                len--;
> +                break;
> +            case 4: // RGB15
> +                linesize = width * 2;
> +                break;
> +            case 5: // RGB24 (0RGB)
> +                linesize = width * 4;
> +                break;
> +            default:
> +                av_log(s, AV_LOG_ERROR, "invalid bitmap format %d, skipped\n", bmp_fmt);
> +                goto bitmap_end_skip;
> +            }
> +
> +            linesize = FFALIGN(linesize, 4);

> +            out_len = colormapsize * colormapbpp + linesize * height;
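
Review bot: in the `out_len` assignment the product `linesize * height` is evaluated in `int` and only then widened to `long`, because both operands are declared `int`. `width` and `height` are read with `avio_rl16()`, so for format 5 `linesize` can reach 262140 and `height` 65535, and that product does not fit a 32-bit `int`. Cast one operand to `int64_t` and store the result in an `int64_t` (`long` is 32 bits on some targets), then reject the tag when the result is larger than the buffer the code is willing to allocate.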

this can overflow

also len can be negative here maybe, if so it maybe should be checked

also width/height could be 0


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire
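
The three checks raised in the reply above (overflow of the size computation, a negative `len`, zero width or height), as an added example that is not part of the original message or of FFmpeg. The helper name `lossless_out_len`, its parameters and the 32-bit size limit are assumptions; the header layout and the format values 3, 4 and 5 follow the quoted patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not FFmpeg code. The limit is an assumption: the
 * decompressed size must fit a signed 32-bit size. */
#define OUT_LEN_MAX INT32_MAX

/* len: bytes left in the tag before the bitmap header is consumed.
 * colormapsize: palette entry count (file byte + 1), used for PAL-8 only.
 * Returns 0 and stores the decompressed size, or -1 if the header is unusable. */
int lossless_out_len(int64_t len, int bmp_fmt, int width, int height,
                     int alpha_bmp, int colormapsize, int64_t *out_len)
{
    const int colormapbpp = 3 + !!alpha_bmp;
    int64_t linesize, total;

    len -= 2 + 1 + 2 + 2;            /* ch_id, bmp_fmt, width, height */
    if (width <= 0 || height <= 0 || width > 0xFFFF || height > 0xFFFF)
        return -1;                   /* empty or out-of-range picture */

    switch (bmp_fmt) {
    case 3:                          /* PAL-8: one more header byte */
        if (colormapsize < 1 || colormapsize > 256)
            return -1;
        linesize = width;
        len--;
        break;
    case 4: linesize = (int64_t)width * 2; colormapsize = 0; break; /* RGB15 */
    case 5: linesize = (int64_t)width * 4; colormapsize = 0; break; /* RGB24 */
    default:
        return -1;
    }
    if (len <= 0)
        return -1;                   /* header longer than the tag, or no zlib data */

    linesize = (linesize + 3) & ~(int64_t)3;   /* rows padded to 4 bytes */
    total = (int64_t)colormapsize * colormapbpp + linesize * height; /* 64-bit math */
    if (total > OUT_LEN_MAX)
        return -1;
    *out_len = total;
    return 0;
}

int main(void)
{
    int64_t n = 0;
    /* Constructed inputs: a maximum-size RGB24 picture, then a 5x2 PAL-8 one. */
    printf("%d\n", lossless_out_len(100, 5, 65535, 65535, 0, 0, &n));
    printf("%d %lld\n", lossless_out_len(100, 3, 5, 2, 0, 4, &n), (long long)n);
    return 0;
}
```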