mirror of
https://github.com/FFmpeg/FFmpeg.git
ulti: Fix invalid reads
Signed-off-by: Martin Storsjö <martin@martin.st>
parent
4badb386ce
commit
a99273ebf3
@ -40,6 +40,14 @@ typedef struct UltimotionDecodeContext {
|
|||||||
const uint8_t *ulti_codebook;
|
const uint8_t *ulti_codebook;
|
||||||
} UltimotionDecodeContext;
|
} UltimotionDecodeContext;
|
||||||
|
|
||||||
|
#define CHECK_OVERREAD_SIZE(size) \
|
||||||
|
do { \
|
||||||
|
if (buf_end - buf < (size)) { \
|
||||||
|
av_log(avctx, AV_LOG_ERROR, "Insufficient data\n"); \
|
||||||
|
return AVERROR_INVALIDDATA; \
|
||||||
|
} \
|
||||||
|
} while(0)
|
||||||
|
|
||||||
static av_cold int ulti_decode_init(AVCodecContext *avctx)
|
static av_cold int ulti_decode_init(AVCodecContext *avctx)
|
||||||
{
|
{
|
||||||
UltimotionDecodeContext *s = avctx->priv_data;
|
UltimotionDecodeContext *s = avctx->priv_data;
|
||||||
@ -223,6 +231,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
int i;
|
int i;
|
||||||
int skip;
|
int skip;
|
||||||
int tmp;
|
int tmp;
|
||||||
|
const uint8_t *buf_end = buf + buf_size;
|
||||||
|
|
||||||
s->frame.reference = 1;
|
s->frame.reference = 1;
|
||||||
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
|
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
|
||||||
@ -236,10 +245,12 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
if(blocks >= s->blocks || y >= s->height)
|
if(blocks >= s->blocks || y >= s->height)
|
||||||
break;//all blocks decoded
|
break;//all blocks decoded
|
||||||
|
|
||||||
|
CHECK_OVERREAD_SIZE(1);
|
||||||
idx = *buf++;
|
idx = *buf++;
|
||||||
if((idx & 0xF8) == 0x70) {
|
if((idx & 0xF8) == 0x70) {
|
||||||
switch(idx) {
|
switch(idx) {
|
||||||
case 0x70: //change modifier
|
case 0x70: //change modifier
|
||||||
|
CHECK_OVERREAD_SIZE(1);
|
||||||
modifier = *buf++;
|
modifier = *buf++;
|
||||||
if(modifier>1)
|
if(modifier>1)
|
||||||
av_log(avctx, AV_LOG_INFO, "warning: modifier must be 0 or 1, got %i\n", modifier);
|
av_log(avctx, AV_LOG_INFO, "warning: modifier must be 0 or 1, got %i\n", modifier);
|
||||||
@ -254,6 +265,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
done = 1;
|
done = 1;
|
||||||
break;
|
break;
|
||||||
case 0x74: //skip some blocks
|
case 0x74: //skip some blocks
|
||||||
|
CHECK_OVERREAD_SIZE(1);
|
||||||
skip = *buf++;
|
skip = *buf++;
|
||||||
if ((blocks + skip) >= s->blocks)
|
if ((blocks + skip) >= s->blocks)
|
||||||
break;
|
break;
|
||||||
@ -280,19 +292,24 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
chroma = 0;
|
chroma = 0;
|
||||||
} else {
|
} else {
|
||||||
cf = 0;
|
cf = 0;
|
||||||
if (idx)
|
if (idx) {
|
||||||
|
CHECK_OVERREAD_SIZE(1);
|
||||||
chroma = *buf++;
|
chroma = *buf++;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
for (i = 0; i < 4; i++) { // for every subblock
|
for (i = 0; i < 4; i++) { // for every subblock
|
||||||
code = (idx >> (6 - i*2)) & 3; //extract 2 bits
|
code = (idx >> (6 - i*2)) & 3; //extract 2 bits
|
||||||
if(!code) //skip subblock
|
if(!code) //skip subblock
|
||||||
continue;
|
continue;
|
||||||
if(cf)
|
if(cf) {
|
||||||
|
CHECK_OVERREAD_SIZE(1);
|
||||||
chroma = *buf++;
|
chroma = *buf++;
|
||||||
|
}
|
||||||
tx = x + block_coords[i * 2];
|
tx = x + block_coords[i * 2];
|
||||||
ty = y + block_coords[(i * 2) + 1];
|
ty = y + block_coords[(i * 2) + 1];
|
||||||
switch(code) {
|
switch(code) {
|
||||||
case 1:
|
case 1:
|
||||||
|
CHECK_OVERREAD_SIZE(1);
|
||||||
tmp = *buf++;
|
tmp = *buf++;
|
||||||
|
|
||||||
angle = angle_by_index[(tmp >> 6) & 0x3];
|
angle = angle_by_index[(tmp >> 6) & 0x3];
|
||||||
@ -313,6 +330,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
|
|
||||||
case 2:
|
case 2:
|
||||||
if (modifier) { // unpack four luma samples
|
if (modifier) { // unpack four luma samples
|
||||||
|
CHECK_OVERREAD_SIZE(3);
|
||||||
tmp = bytestream_get_be24(&buf);
|
tmp = bytestream_get_be24(&buf);
|
||||||
|
|
||||||
Y[0] = (tmp >> 18) & 0x3F;
|
Y[0] = (tmp >> 18) & 0x3F;
|
||||||
@ -321,6 +339,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
Y[3] = tmp & 0x3F;
|
Y[3] = tmp & 0x3F;
|
||||||
angle = 16;
|
angle = 16;
|
||||||
} else { // retrieve luma samples from codebook
|
} else { // retrieve luma samples from codebook
|
||||||
|
CHECK_OVERREAD_SIZE(2);
|
||||||
tmp = bytestream_get_be16(&buf);
|
tmp = bytestream_get_be16(&buf);
|
||||||
|
|
||||||
angle = (tmp >> 12) & 0xF;
|
angle = (tmp >> 12) & 0xF;
|
||||||
@ -337,6 +356,8 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
if (modifier) { // all 16 luma samples
|
if (modifier) { // all 16 luma samples
|
||||||
uint8_t Luma[16];
|
uint8_t Luma[16];
|
||||||
|
|
||||||
|
CHECK_OVERREAD_SIZE(12);
|
||||||
|
|
||||||
tmp = bytestream_get_be24(&buf);
|
tmp = bytestream_get_be24(&buf);
|
||||||
Luma[0] = (tmp >> 18) & 0x3F;
|
Luma[0] = (tmp >> 18) & 0x3F;
|
||||||
Luma[1] = (tmp >> 12) & 0x3F;
|
Luma[1] = (tmp >> 12) & 0x3F;
|
||||||
@ -363,6 +384,7 @@ static int ulti_decode_frame(AVCodecContext *avctx,
|
|||||||
|
|
||||||
ulti_convert_yuv(&s->frame, tx, ty, Luma, chroma);
|
ulti_convert_yuv(&s->frame, tx, ty, Luma, chroma);
|
||||||
} else {
|
} else {
|
||||||
|
CHECK_OVERREAD_SIZE(4);
|
||||||
tmp = *buf++;
|
tmp = *buf++;
|
||||||
if(tmp & 0x80) {
|
if(tmp & 0x80) {
|
||||||
angle = (tmp >> 4) & 0x7;
|
angle = (tmp >> 4) & 0x7;
|
||||||
|
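Review bot: `CHECK_OVERREAD_SIZE` hides a `return` from the enclosing function and depends on locals named `buf`, `buf_end` and `avctx` without saying so. At the `CHECK_OVERREAD_SIZE(12)` and `CHECK_OVERREAD_SIZE(4)` sites the checked length covers reads that continue past the visible lines, so the guard and the bytes actually consumed are kept in sync only by hand. I would document the contract on the macro, e.g. `/* Returns AVERROR_INVALIDDATA from the caller if fewer than size bytes remain; needs buf, buf_end and avctx in scope. */`, and put a short comment at each multi-byte site naming what the count covers, e.g. `/* 16 luma samples x 6 bits = 12 bytes */` (presumably four be24 reads; only the first is visible). ulti_decode_frame starts and ends outside these hunks, so it is worth confirming against the full function that every remaining `*buf++` and `bytestream_get_*` in the untouched branches is dominated by one of these checks. A bounds-checked reader such as `GetByteContext` with the `bytestream2_*` accessors would remove the need to pair each read with a manual check, if it is available on this branch.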