mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-24 13:56:33 +02:00
fe6d46490f
Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6035022714634240 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6422176201572352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
385 lines
12 KiB
C
385 lines
12 KiB
C
/*
|
|
* Escape 124 Video Decoder
|
|
* Copyright (C) 2008 Eli Friedman (eli.friedman@gmail.com)
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#define BITSTREAM_READER_LE
|
|
#include "avcodec.h"
|
|
#include "codec_internal.h"
|
|
#include "decode.h"
|
|
#include "get_bits.h"
|
|
|
|
typedef union MacroBlock {
|
|
uint16_t pixels[4];
|
|
uint32_t pixels32[2];
|
|
} MacroBlock;
|
|
|
|
typedef union SuperBlock {
|
|
uint16_t pixels[64];
|
|
uint32_t pixels32[32];
|
|
} SuperBlock;
|
|
|
|
typedef struct CodeBook {
|
|
unsigned depth;
|
|
unsigned size;
|
|
MacroBlock* blocks;
|
|
} CodeBook;
|
|
|
|
typedef struct Escape124Context {
|
|
AVFrame *frame;
|
|
|
|
unsigned num_superblocks;
|
|
|
|
CodeBook codebooks[3];
|
|
} Escape124Context;
|
|
|
|
/**
|
|
* Initialize the decoder
|
|
* @param avctx decoder context
|
|
* @return 0 success, negative on error
|
|
*/
|
|
static av_cold int escape124_decode_init(AVCodecContext *avctx)
|
|
{
|
|
Escape124Context *s = avctx->priv_data;
|
|
|
|
avctx->pix_fmt = AV_PIX_FMT_RGB555;
|
|
|
|
s->num_superblocks = ((unsigned)avctx->width / 8) *
|
|
((unsigned)avctx->height / 8);
|
|
|
|
s->frame = av_frame_alloc();
|
|
if (!s->frame)
|
|
return AVERROR(ENOMEM);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static av_cold int escape124_decode_close(AVCodecContext *avctx)
|
|
{
|
|
unsigned i;
|
|
Escape124Context *s = avctx->priv_data;
|
|
|
|
for (i = 0; i < 3; i++)
|
|
av_freep(&s->codebooks[i].blocks);
|
|
|
|
av_frame_free(&s->frame);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth,
|
|
unsigned size)
|
|
{
|
|
unsigned i, j;
|
|
CodeBook cb = { 0 };
|
|
|
|
cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1);
|
|
if (!cb.blocks)
|
|
return cb;
|
|
|
|
cb.depth = depth;
|
|
cb.size = size;
|
|
for (i = 0; i < size; i++) {
|
|
unsigned mask_bits = get_bits(gb, 4);
|
|
unsigned color[2];
|
|
color[0] = get_bits(gb, 15);
|
|
color[1] = get_bits(gb, 15);
|
|
|
|
for (j = 0; j < 4; j++)
|
|
cb.blocks[i].pixels[j] = color[(mask_bits>>j) & 1];
|
|
}
|
|
return cb;
|
|
}
|
|
|
|
static unsigned decode_skip_count(GetBitContext* gb)
|
|
{
|
|
unsigned value;
|
|
// This function reads a maximum of 23 bits,
|
|
// which is within the padding space
|
|
if (get_bits_left(gb) < 1)
|
|
return -1;
|
|
value = get_bits1(gb);
|
|
if (!value)
|
|
return value;
|
|
|
|
value += get_bits(gb, 3);
|
|
if (value != (1 + ((1 << 3) - 1)))
|
|
return value;
|
|
|
|
value += get_bits(gb, 7);
|
|
if (value != (1 + ((1 << 3) - 1)) + ((1 << 7) - 1))
|
|
return value;
|
|
|
|
return value + get_bits(gb, 12);
|
|
}
|
|
|
|
static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb,
|
|
int* codebook_index, int superblock_index)
|
|
{
|
|
// This function reads a maximum of 22 bits; the callers
|
|
// guard this function appropriately
|
|
unsigned block_index, depth;
|
|
int value = get_bits1(gb);
|
|
if (value) {
|
|
static const int8_t transitions[3][2] = { {2, 1}, {0, 2}, {1, 0} };
|
|
value = get_bits1(gb);
|
|
*codebook_index = transitions[*codebook_index][value];
|
|
}
|
|
|
|
depth = s->codebooks[*codebook_index].depth;
|
|
|
|
// depth = 0 means that this shouldn't read any bits;
|
|
// in theory, this is the same as get_bits(gb, 0), but
|
|
// that doesn't actually work.
|
|
block_index = get_bitsz(gb, depth);
|
|
|
|
if (*codebook_index == 1) {
|
|
block_index += superblock_index << s->codebooks[1].depth;
|
|
}
|
|
|
|
// This condition can occur with invalid bitstreams and
|
|
// *codebook_index == 2
|
|
if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks)
|
|
return (MacroBlock) { { 0 } };
|
|
|
|
return s->codebooks[*codebook_index].blocks[block_index];
|
|
}
|
|
|
|
static void insert_mb_into_sb(SuperBlock* sb, MacroBlock mb, unsigned index) {
|
|
// Formula: ((index / 4) * 16 + (index % 4) * 2) / 2
|
|
uint32_t *dst = sb->pixels32 + index + (index & -4);
|
|
|
|
// This technically violates C99 aliasing rules, but it should be safe.
|
|
dst[0] = mb.pixels32[0];
|
|
dst[4] = mb.pixels32[1];
|
|
}
|
|
|
|
static void copy_superblock(uint16_t* dest, ptrdiff_t dest_stride,
|
|
uint16_t* src, ptrdiff_t src_stride)
|
|
{
|
|
unsigned y;
|
|
if (src)
|
|
for (y = 0; y < 8; y++)
|
|
memcpy(dest + y * dest_stride, src + y * src_stride,
|
|
sizeof(uint16_t) * 8);
|
|
else
|
|
for (y = 0; y < 8; y++)
|
|
memset(dest + y * dest_stride, 0, sizeof(uint16_t) * 8);
|
|
}
|
|
|
|
static const uint16_t mask_matrix[] = {0x1, 0x2, 0x10, 0x20,
|
|
0x4, 0x8, 0x40, 0x80,
|
|
0x100, 0x200, 0x1000, 0x2000,
|
|
0x400, 0x800, 0x4000, 0x8000};
|
|
|
|
static int escape124_decode_frame(AVCodecContext *avctx, AVFrame *frame,
|
|
int *got_frame, AVPacket *avpkt)
|
|
{
|
|
int buf_size = avpkt->size;
|
|
Escape124Context *s = avctx->priv_data;
|
|
|
|
GetBitContext gb;
|
|
unsigned frame_flags, frame_size;
|
|
unsigned i;
|
|
|
|
unsigned superblock_index, cb_index = 1,
|
|
superblock_col_index = 0,
|
|
superblocks_per_row = avctx->width / 8, skip = -1;
|
|
|
|
uint16_t* old_frame_data, *new_frame_data;
|
|
ptrdiff_t old_stride, new_stride;
|
|
|
|
int ret;
|
|
|
|
if ((ret = init_get_bits8(&gb, avpkt->data, avpkt->size)) < 0)
|
|
return ret;
|
|
|
|
// This call also guards the potential depth reads for the
|
|
// codebook unpacking.
|
|
// Check if the amount we will read minimally is available on input.
|
|
// The 64 represent the immediately next 2 frame_* elements read, the 23/4320
|
|
// represent a lower bound of the space needed for skipped superblocks. Non
|
|
// skipped SBs need more space.
|
|
if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
frame_flags = get_bits_long(&gb, 32);
|
|
frame_size = get_bits_long(&gb, 32);
|
|
|
|
// Leave last frame unchanged
|
|
// FIXME: Is this necessary? I haven't seen it in any real samples
|
|
if (!(frame_flags & 0x114) || !(frame_flags & 0x7800000)) {
|
|
if (!s->frame->data[0])
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
av_log(avctx, AV_LOG_DEBUG, "Skipping frame\n");
|
|
|
|
*got_frame = 1;
|
|
if ((ret = av_frame_ref(frame, s->frame)) < 0)
|
|
return ret;
|
|
|
|
return 0;
|
|
}
|
|
|
|
for (i = 0; i < 3; i++) {
|
|
if (frame_flags & (1 << (17 + i))) {
|
|
unsigned cb_depth, cb_size;
|
|
if (i == 2) {
|
|
// This codebook can be cut off at places other than
|
|
// powers of 2, leaving some of the entries undefined.
|
|
cb_size = get_bits(&gb, 20);
|
|
if (!cb_size) {
|
|
av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n");
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
cb_depth = av_log2(cb_size - 1) + 1;
|
|
} else {
|
|
cb_depth = get_bits(&gb, 4);
|
|
if (i == 0) {
|
|
// This is the most basic codebook: pow(2,depth) entries
|
|
// for a depth-length key
|
|
cb_size = 1 << cb_depth;
|
|
} else {
|
|
// This codebook varies per superblock
|
|
// FIXME: I don't think this handles integer overflow
|
|
// properly
|
|
cb_size = s->num_superblocks << cb_depth;
|
|
}
|
|
}
|
|
if (s->num_superblocks >= INT_MAX >> cb_depth) {
|
|
av_log(avctx, AV_LOG_ERROR, "Depth or num_superblocks are too large\n");
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
av_freep(&s->codebooks[i].blocks);
|
|
if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
if (cb_size >= INT_MAX / sizeof(MacroBlock))
|
|
return AVERROR_INVALIDDATA;
|
|
s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size);
|
|
if (!s->codebooks[i].blocks)
|
|
return AVERROR(ENOMEM);
|
|
}
|
|
}
|
|
|
|
if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
|
|
return ret;
|
|
|
|
new_frame_data = (uint16_t*)frame->data[0];
|
|
new_stride = frame->linesize[0] / 2;
|
|
old_frame_data = (uint16_t*)s->frame->data[0];
|
|
old_stride = s->frame->linesize[0] / 2;
|
|
|
|
for (superblock_index = 0; superblock_index < s->num_superblocks;
|
|
superblock_index++) {
|
|
MacroBlock mb;
|
|
SuperBlock sb;
|
|
unsigned multi_mask = 0;
|
|
|
|
if (skip == -1) {
|
|
// Note that this call will make us skip the rest of the blocks
|
|
// if the frame prematurely ends
|
|
skip = decode_skip_count(&gb);
|
|
}
|
|
|
|
if (skip) {
|
|
copy_superblock(new_frame_data, new_stride,
|
|
old_frame_data, old_stride);
|
|
} else {
|
|
copy_superblock(sb.pixels, 8,
|
|
old_frame_data, old_stride);
|
|
|
|
while (get_bits_left(&gb) >= 1 && !get_bits1(&gb)) {
|
|
unsigned mask;
|
|
mb = decode_macroblock(s, &gb, &cb_index, superblock_index);
|
|
mask = get_bits(&gb, 16);
|
|
multi_mask |= mask;
|
|
for (i = 0; i < 16; i++) {
|
|
if (mask & mask_matrix[i]) {
|
|
insert_mb_into_sb(&sb, mb, i);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!get_bits1(&gb)) {
|
|
unsigned inv_mask = get_bits(&gb, 4);
|
|
for (i = 0; i < 4; i++) {
|
|
if (inv_mask & (1 << i)) {
|
|
multi_mask ^= 0xF << i*4;
|
|
} else {
|
|
multi_mask ^= get_bits(&gb, 4) << i*4;
|
|
}
|
|
}
|
|
|
|
for (i = 0; i < 16; i++) {
|
|
if (multi_mask & mask_matrix[i]) {
|
|
mb = decode_macroblock(s, &gb, &cb_index,
|
|
superblock_index);
|
|
insert_mb_into_sb(&sb, mb, i);
|
|
}
|
|
}
|
|
} else if (frame_flags & (1 << 16)) {
|
|
while (get_bits_left(&gb) >= 1 && !get_bits1(&gb)) {
|
|
mb = decode_macroblock(s, &gb, &cb_index, superblock_index);
|
|
insert_mb_into_sb(&sb, mb, get_bits(&gb, 4));
|
|
}
|
|
}
|
|
|
|
copy_superblock(new_frame_data, new_stride, sb.pixels, 8);
|
|
}
|
|
|
|
superblock_col_index++;
|
|
new_frame_data += 8;
|
|
if (old_frame_data)
|
|
old_frame_data += 8;
|
|
if (superblock_col_index == superblocks_per_row) {
|
|
new_frame_data += new_stride * 8 - superblocks_per_row * 8;
|
|
if (old_frame_data)
|
|
old_frame_data += old_stride * 8 - superblocks_per_row * 8;
|
|
superblock_col_index = 0;
|
|
}
|
|
skip--;
|
|
}
|
|
|
|
av_log(avctx, AV_LOG_DEBUG,
|
|
"Escape sizes: %i, %i, %i\n",
|
|
frame_size, buf_size, get_bits_count(&gb) / 8);
|
|
|
|
if ((ret = av_frame_replace(s->frame, frame)) < 0)
|
|
return ret;
|
|
|
|
*got_frame = 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
const FFCodec ff_escape124_decoder = {
|
|
.p.name = "escape124",
|
|
CODEC_LONG_NAME("Escape 124"),
|
|
.p.type = AVMEDIA_TYPE_VIDEO,
|
|
.p.id = AV_CODEC_ID_ESCAPE124,
|
|
.priv_data_size = sizeof(Escape124Context),
|
|
.init = escape124_decode_init,
|
|
.close = escape124_decode_close,
|
|
FF_CODEC_DECODE_CB(escape124_decode_frame),
|
|
.p.capabilities = AV_CODEC_CAP_DR1,
|
|
};
|