mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

qpeg: Use bytestream2 functions to prevent buffer overreads.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Aneesh Dogra 2012-03-04 09:59:43 +05:30 committed by Ronald S. Bultje
parent dccb2cd3f9
commit 3e9cd8b4b0


@ -25,16 +25,18 @@
*/ */
#include "avcodec.h" #include "avcodec.h"
#include "bytestream.h"
typedef struct QpegContext{ typedef struct QpegContext{
AVCodecContext *avctx; AVCodecContext *avctx;
AVFrame pic; AVFrame pic;
uint8_t *refdata; uint8_t *refdata;
uint32_t pal[256]; uint32_t pal[256];
GetByteContext buffer;
} QpegContext; } QpegContext;
static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size, static void qpeg_decode_intra(QpegContext *qctx, uint8_t *dst,
int stride, int width, int height) int stride, int width, int height)
{ {
int i; int i;
int code; int code;
@ -47,31 +49,26 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size,
height--; height--;
dst = dst + height * stride; dst = dst + height * stride;
while((size > 0) && (rows_to_go > 0)) { while ((bytestream2_get_bytes_left(&qctx->buffer) > 0) && (rows_to_go > 0)) {
code = *src++; code = bytestream2_get_byte(&qctx->buffer);
size--;
run = copy = 0; run = copy = 0;
if(code == 0xFC) /* end-of-picture code */ if(code == 0xFC) /* end-of-picture code */
break; break;
if(code >= 0xF8) { /* very long run */ if(code >= 0xF8) { /* very long run */
c0 = *src++; c0 = bytestream2_get_byte(&qctx->buffer);
c1 = *src++; c1 = bytestream2_get_byte(&qctx->buffer);
size -= 2;
run = ((code & 0x7) << 16) + (c0 << 8) + c1 + 2; run = ((code & 0x7) << 16) + (c0 << 8) + c1 + 2;
} else if (code >= 0xF0) { /* long run */ } else if (code >= 0xF0) { /* long run */
c0 = *src++; c0 = bytestream2_get_byte(&qctx->buffer);
size--;
run = ((code & 0xF) << 8) + c0 + 2; run = ((code & 0xF) << 8) + c0 + 2;
} else if (code >= 0xE0) { /* short run */ } else if (code >= 0xE0) { /* short run */
run = (code & 0x1F) + 2; run = (code & 0x1F) + 2;
} else if (code >= 0xC0) { /* very long copy */ } else if (code >= 0xC0) { /* very long copy */
c0 = *src++; c0 = bytestream2_get_byte(&qctx->buffer);
c1 = *src++; c1 = bytestream2_get_byte(&qctx->buffer);
size -= 2;
copy = ((code & 0x3F) << 16) + (c0 << 8) + c1 + 1; copy = ((code & 0x3F) << 16) + (c0 << 8) + c1 + 1;
} else if (code >= 0x80) { /* long copy */ } else if (code >= 0x80) { /* long copy */
c0 = *src++; c0 = bytestream2_get_byte(&qctx->buffer);
size--;
copy = ((code & 0x7F) << 8) + c0 + 1; copy = ((code & 0x7F) << 8) + c0 + 1;
} else { /* short copy */ } else { /* short copy */
copy = code + 1; copy = code + 1;
@ -81,8 +78,7 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size,
if(run) { if(run) {
int p; int p;
p = *src++; p = bytestream2_get_byte(&qctx->buffer);
size--;
for(i = 0; i < run; i++) { for(i = 0; i < run; i++) {
dst[filled++] = p; dst[filled++] = p;
if (filled >= width) { if (filled >= width) {
@ -94,9 +90,8 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size,
} }
} }
} else { } else {
size -= copy;
for(i = 0; i < copy; i++) { for(i = 0; i < copy; i++) {
dst[filled++] = *src++; dst[filled++] = bytestream2_get_byte(&qctx->buffer);
if (filled >= width) { if (filled >= width) {
filled = 0; filled = 0;
dst -= stride; dst -= stride;
@ -115,9 +110,10 @@ static const int qpeg_table_w[16] =
{ 0x00, 0x20, 0x18, 0x08, 0x18, 0x10, 0x20, 0x10, 0x08, 0x10, 0x20, 0x20, 0x08, 0x10, 0x18, 0x04}; { 0x00, 0x20, 0x18, 0x08, 0x18, 0x10, 0x20, 0x10, 0x08, 0x10, 0x20, 0x20, 0x08, 0x10, 0x18, 0x04};
/* Decodes delta frames */ /* Decodes delta frames */
static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
int stride, int width, int height, int stride, int width, int height,
int delta, const uint8_t *ctable, uint8_t *refdata) int delta, const uint8_t *ctable,
uint8_t *refdata)
{ {
int i, j; int i, j;
int code; int code;
@ -132,9 +128,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
height--; height--;
dst = dst + height * stride; dst = dst + height * stride;
while((size > 0) && (height >= 0)) { while ((bytestream2_get_bytes_left(&qctx->buffer) > 0) && (height >= 0)) {
code = *src++; code = bytestream2_get_byte(&qctx->buffer);
size--;
if(delta) { if(delta) {
/* motion compensation */ /* motion compensation */
@ -151,8 +146,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
me_h = qpeg_table_h[me_idx]; me_h = qpeg_table_h[me_idx];
/* extract motion vector */ /* extract motion vector */
corr = *src++; corr = bytestream2_get_byte(&qctx->buffer);
size--;
val = corr >> 4; val = corr >> 4;
if(val > 7) if(val > 7)
@ -179,8 +173,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
} }
} }
} }
code = *src++; code = bytestream2_get_byte(&qctx->buffer);
size--;
} }
} }
@ -190,8 +183,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
int p; int p;
code &= 0x1F; code &= 0x1F;
p = *src++; p = bytestream2_get_byte(&qctx->buffer);
size--;
for(i = 0; i <= code; i++) { for(i = 0; i <= code; i++) {
dst[filled++] = p; dst[filled++] = p;
if(filled >= width) { if(filled >= width) {
@ -204,14 +196,13 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
code &= 0x1F; code &= 0x1F;
for(i = 0; i <= code; i++) { for(i = 0; i <= code; i++) {
dst[filled++] = *src++; dst[filled++] = bytestream2_get_byte(&qctx->buffer);
if(filled >= width) { if(filled >= width) {
filled = 0; filled = 0;
dst -= stride; dst -= stride;
height--; height--;
} }
} }
size -= code + 1;
} else if(code >= 0x80) { /* skip code: 0x80..0xBF */ } else if(code >= 0x80) { /* skip code: 0x80..0xBF */
int skip; int skip;
@ -219,9 +210,9 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
/* codes 0x80 and 0x81 are actually escape codes, /* codes 0x80 and 0x81 are actually escape codes,
skip value minus constant is in the next byte */ skip value minus constant is in the next byte */
if(!code) if(!code)
skip = (*src++) + 64; skip = bytestream2_get_byte(&qctx->buffer) + 64;
else if(code == 1) else if(code == 1)
skip = (*src++) + 320; skip = bytestream2_get_byte(&qctx->buffer) + 320;
else else
skip = code; skip = code;
filled += skip; filled += skip;
@ -234,8 +225,9 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
} }
} else { } else {
/* zero code treated as one-pixel skip */ /* zero code treated as one-pixel skip */
if(code) if(code) {
dst[filled++] = ctable[code & 0x7F]; dst[filled++] = ctable[code & 0x7F];
}
else else
filled++; filled++;
if(filled >= width) { if(filled >= width) {
@ -251,25 +243,34 @@ static int decode_frame(AVCodecContext *avctx,
void *data, int *data_size, void *data, int *data_size,
AVPacket *avpkt) AVPacket *avpkt)
{ {
const uint8_t *buf = avpkt->data; uint8_t ctable[128];
int buf_size = avpkt->size;
QpegContext * const a = avctx->priv_data; QpegContext * const a = avctx->priv_data;
AVFrame * const p = &a->pic; AVFrame * const p = &a->pic;
uint8_t* outdata; uint8_t* outdata;
int delta; int delta;
const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
if (avpkt->size < 0x86) {
av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
return AVERROR_INVALIDDATA;
}
bytestream2_init(&a->buffer, avpkt->data, avpkt->size);
p->reference = 3; p->reference = 3;
if (avctx->reget_buffer(avctx, p) < 0) { if (avctx->reget_buffer(avctx, p) < 0) {
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
return -1; return -1;
} }
outdata = a->pic.data[0]; outdata = a->pic.data[0];
if(buf[0x85] == 0x10) { bytestream2_skip(&a->buffer, 4);
qpeg_decode_intra(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height); bytestream2_get_buffer(&a->buffer, ctable, 128);
bytestream2_skip(&a->buffer, 1);
delta = bytestream2_get_byte(&a->buffer);
if(delta == 0x10) {
qpeg_decode_intra(a, outdata, a->pic.linesize[0], avctx->width, avctx->height);
} else { } else {
delta = buf[0x85]; qpeg_decode_inter(a, outdata, a->pic.linesize[0], avctx->width, avctx->height, delta, ctable, a->refdata);
qpeg_decode_inter(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height, delta, buf + 4, a->refdata);
} }
/* make the palette available on the way out */ /* make the palette available on the way out */
@ -282,7 +283,7 @@ static int decode_frame(AVCodecContext *avctx,
*data_size = sizeof(AVFrame); *data_size = sizeof(AVFrame);
*(AVFrame*)data = a->pic; *(AVFrame*)data = a->pic;
return buf_size; return avpkt->size;
} }
static av_cold int decode_init(AVCodecContext *avctx){ static av_cold int decode_init(AVCodecContext *avctx){
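Review bot: The copy loop in qpeg_decode_inter (`for(i = 0; i <= code; i++)` writing `dst[filled++] = bytestream2_get_byte(&qctx->buffer);`) bounds the reads but not the writes: each time `filled >= width` it does `dst -= stride; height--;` with no check inside the loop. The outer `while` tests `height >= 0` only between codes, so a single code (up to 32 pixels after `code &= 0x1F`) on a narrow frame can step `dst` past the first row of the frame buffer. Adding `if (height < 0) break;` directly after `height--;` would stop the write at the frame edge. The run loop just above it (`dst[filled++] = p;`) has the same shape in the lines shown, but its tail and the rest of the function body lie outside the hunks, so that loop should be checked as well. Separately, bytestream2_get_byte appears to return 0 once the input is exhausted, so a truncated packet now decodes as zero-valued pixels rather than being reported as an error; a `bytestream2_get_bytes_left()` check before each multi-byte copy would let the decoder reject it.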