mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-13 21:28:01 +02:00
kvmc: fix invalid reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
This commit is contained in:
parent
355d917c0b
commit
ad3161ec1d
@ -57,17 +57,21 @@ typedef struct BitBuf {
|
|||||||
|
|
||||||
#define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++;
|
#define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++;
|
||||||
|
|
||||||
#define kmvc_getbit(bb, src, res) {\
|
#define kmvc_getbit(bb, src, src_end, res) {\
|
||||||
res = 0; \
|
res = 0; \
|
||||||
if (bb.bitbuf & (1 << bb.bits)) res = 1; \
|
if (bb.bitbuf & (1 << bb.bits)) res = 1; \
|
||||||
bb.bits--; \
|
bb.bits--; \
|
||||||
if(bb.bits == -1) { \
|
if(bb.bits == -1) { \
|
||||||
|
if (src >= src_end) { \
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
|
||||||
|
return AVERROR_INVALIDDATA; \
|
||||||
|
} \
|
||||||
bb.bitbuf = *src++; \
|
bb.bitbuf = *src++; \
|
||||||
bb.bits = 7; \
|
bb.bits = 7; \
|
||||||
} \
|
} \
|
||||||
}
|
}
|
||||||
|
|
||||||
static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
|
static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
|
||||||
{
|
{
|
||||||
BitBuf bb;
|
BitBuf bb;
|
||||||
int res, val;
|
int res, val;
|
||||||
@ -75,13 +79,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
int bx, by;
|
int bx, by;
|
||||||
int l0x, l1x, l0y, l1y;
|
int l0x, l1x, l0y, l1y;
|
||||||
int mx, my;
|
int mx, my;
|
||||||
|
const uint8_t *src_end = src + src_size;
|
||||||
|
|
||||||
kmvc_init_getbits(bb, src);
|
kmvc_init_getbits(bb, src);
|
||||||
|
|
||||||
for (by = 0; by < h; by += 8)
|
for (by = 0; by < h; by += 8)
|
||||||
for (bx = 0; bx < w; bx += 8) {
|
for (bx = 0; bx < w; bx += 8) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) { // fill whole 8x8 block
|
if (!res) { // fill whole 8x8 block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
for (i = 0; i < 64; i++)
|
for (i = 0; i < 64; i++)
|
||||||
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
|
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
|
||||||
@ -89,14 +98,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
for (i = 0; i < 4; i++) {
|
for (i = 0; i < 4; i++) {
|
||||||
l0x = bx + (i & 1) * 4;
|
l0x = bx + (i & 1) * 4;
|
||||||
l0y = by + (i & 2) * 2;
|
l0y = by + (i & 2) * 2;
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) {
|
if (!res) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) { // fill whole 4x4 block
|
if (!res) { // fill whole 4x4 block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
for (j = 0; j < 16; j++)
|
for (j = 0; j < 16; j++)
|
||||||
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
|
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
|
||||||
} else { // copy block from already decoded place
|
} else { // copy block from already decoded place
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
mx = val & 0xF;
|
mx = val & 0xF;
|
||||||
my = val >> 4;
|
my = val >> 4;
|
||||||
@ -108,16 +125,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
for (j = 0; j < 4; j++) {
|
for (j = 0; j < 4; j++) {
|
||||||
l1x = l0x + (j & 1) * 2;
|
l1x = l0x + (j & 1) * 2;
|
||||||
l1y = l0y + (j & 2);
|
l1y = l0y + (j & 2);
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) {
|
if (!res) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) { // fill whole 2x2 block
|
if (!res) { // fill whole 2x2 block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
BLK(ctx->cur, l1x, l1y) = val;
|
BLK(ctx->cur, l1x, l1y) = val;
|
||||||
BLK(ctx->cur, l1x + 1, l1y) = val;
|
BLK(ctx->cur, l1x + 1, l1y) = val;
|
||||||
BLK(ctx->cur, l1x, l1y + 1) = val;
|
BLK(ctx->cur, l1x, l1y + 1) = val;
|
||||||
BLK(ctx->cur, l1x + 1, l1y + 1) = val;
|
BLK(ctx->cur, l1x + 1, l1y + 1) = val;
|
||||||
} else { // copy block from already decoded place
|
} else { // copy block from already decoded place
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
mx = val & 0xF;
|
mx = val & 0xF;
|
||||||
my = val >> 4;
|
my = val >> 4;
|
||||||
@ -140,9 +165,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
|
static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
|
||||||
{
|
{
|
||||||
BitBuf bb;
|
BitBuf bb;
|
||||||
int res, val;
|
int res, val;
|
||||||
@ -150,15 +177,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
int bx, by;
|
int bx, by;
|
||||||
int l0x, l1x, l0y, l1y;
|
int l0x, l1x, l0y, l1y;
|
||||||
int mx, my;
|
int mx, my;
|
||||||
|
const uint8_t *src_end = src + src_size;
|
||||||
|
|
||||||
kmvc_init_getbits(bb, src);
|
kmvc_init_getbits(bb, src);
|
||||||
|
|
||||||
for (by = 0; by < h; by += 8)
|
for (by = 0; by < h; by += 8)
|
||||||
for (bx = 0; bx < w; bx += 8) {
|
for (bx = 0; bx < w; bx += 8) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) {
|
if (!res) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) { // fill whole 8x8 block
|
if (!res) { // fill whole 8x8 block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
for (i = 0; i < 64; i++)
|
for (i = 0; i < 64; i++)
|
||||||
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
|
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
|
||||||
@ -171,14 +203,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
for (i = 0; i < 4; i++) {
|
for (i = 0; i < 4; i++) {
|
||||||
l0x = bx + (i & 1) * 4;
|
l0x = bx + (i & 1) * 4;
|
||||||
l0y = by + (i & 2) * 2;
|
l0y = by + (i & 2) * 2;
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) {
|
if (!res) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) { // fill whole 4x4 block
|
if (!res) { // fill whole 4x4 block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
for (j = 0; j < 16; j++)
|
for (j = 0; j < 16; j++)
|
||||||
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
|
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
|
||||||
} else { // copy block
|
} else { // copy block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
mx = (val & 0xF) - 8;
|
mx = (val & 0xF) - 8;
|
||||||
my = (val >> 4) - 8;
|
my = (val >> 4) - 8;
|
||||||
@ -190,16 +230,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
for (j = 0; j < 4; j++) {
|
for (j = 0; j < 4; j++) {
|
||||||
l1x = l0x + (j & 1) * 2;
|
l1x = l0x + (j & 1) * 2;
|
||||||
l1y = l0y + (j & 2);
|
l1y = l0y + (j & 2);
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) {
|
if (!res) {
|
||||||
kmvc_getbit(bb, src, res);
|
kmvc_getbit(bb, src, src_end, res);
|
||||||
if (!res) { // fill whole 2x2 block
|
if (!res) { // fill whole 2x2 block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
BLK(ctx->cur, l1x, l1y) = val;
|
BLK(ctx->cur, l1x, l1y) = val;
|
||||||
BLK(ctx->cur, l1x + 1, l1y) = val;
|
BLK(ctx->cur, l1x + 1, l1y) = val;
|
||||||
BLK(ctx->cur, l1x, l1y + 1) = val;
|
BLK(ctx->cur, l1x, l1y + 1) = val;
|
||||||
BLK(ctx->cur, l1x + 1, l1y + 1) = val;
|
BLK(ctx->cur, l1x + 1, l1y + 1) = val;
|
||||||
} else { // copy block
|
} else { // copy block
|
||||||
|
if (src >= src_end) {
|
||||||
|
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
val = *src++;
|
val = *src++;
|
||||||
mx = (val & 0xF) - 8;
|
mx = (val & 0xF) - 8;
|
||||||
my = (val >> 4) - 8;
|
my = (val >> 4) - 8;
|
||||||
@ -222,6 +270,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
|
static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
|
||||||
@ -299,10 +349,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
|
|||||||
memcpy(ctx->cur, ctx->prev, 320 * 200);
|
memcpy(ctx->cur, ctx->prev, 320 * 200);
|
||||||
break;
|
break;
|
||||||
case 3:
|
case 3:
|
||||||
kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height);
|
kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
|
||||||
break;
|
break;
|
||||||
case 4:
|
case 4:
|
||||||
kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height);
|
kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
|
av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
|
||||||
|
Loading…
Reference in New Issue
Block a user