mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-19 05:49:09 +02:00
2aa07c6b8e
Fixes: signed integer overflow: 2099257366 * 2 cannot be represented in type 'int' Fixes: 27486/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-5112179134824448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 842c268c6436c9e90e689402be138c2e539f7059) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
402 lines
13 KiB
C
402 lines
13 KiB
C
/*
|
|
* 4X Technologies .4xm File Demuxer (no muxer)
|
|
* Copyright (c) 2003 The FFmpeg project
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
/**
|
|
* @file
|
|
* 4X Technologies file demuxer
|
|
* by Mike Melanson (melanson@pcisys.net)
|
|
* for more information on the .4xm file format, visit:
|
|
* http://www.pcisys.net/~melanson/codecs/
|
|
*/
|
|
|
|
#include "libavutil/intreadwrite.h"
|
|
#include "libavutil/intfloat.h"
|
|
#include "libavcodec/internal.h"
|
|
#include "avformat.h"
|
|
#include "internal.h"
|
|
|
|
#define RIFF_TAG MKTAG('R', 'I', 'F', 'F')
|
|
#define FOURXMV_TAG MKTAG('4', 'X', 'M', 'V')
|
|
#define LIST_TAG MKTAG('L', 'I', 'S', 'T')
|
|
#define HEAD_TAG MKTAG('H', 'E', 'A', 'D')
|
|
#define TRK__TAG MKTAG('T', 'R', 'K', '_')
|
|
#define MOVI_TAG MKTAG('M', 'O', 'V', 'I')
|
|
#define VTRK_TAG MKTAG('V', 'T', 'R', 'K')
|
|
#define STRK_TAG MKTAG('S', 'T', 'R', 'K')
|
|
#define std__TAG MKTAG('s', 't', 'd', '_')
|
|
#define name_TAG MKTAG('n', 'a', 'm', 'e')
|
|
#define vtrk_TAG MKTAG('v', 't', 'r', 'k')
|
|
#define strk_TAG MKTAG('s', 't', 'r', 'k')
|
|
#define ifrm_TAG MKTAG('i', 'f', 'r', 'm')
|
|
#define pfrm_TAG MKTAG('p', 'f', 'r', 'm')
|
|
#define cfrm_TAG MKTAG('c', 'f', 'r', 'm')
|
|
#define ifr2_TAG MKTAG('i', 'f', 'r', '2')
|
|
#define pfr2_TAG MKTAG('p', 'f', 'r', '2')
|
|
#define cfr2_TAG MKTAG('c', 'f', 'r', '2')
|
|
#define snd__TAG MKTAG('s', 'n', 'd', '_')
|
|
|
|
#define vtrk_SIZE 0x44
|
|
#define strk_SIZE 0x28
|
|
|
|
#define GET_LIST_HEADER() \
|
|
fourcc_tag = avio_rl32(pb); \
|
|
size = avio_rl32(pb); \
|
|
if (fourcc_tag != LIST_TAG) { \
|
|
ret = AVERROR_INVALIDDATA; \
|
|
goto fail; \
|
|
} \
|
|
fourcc_tag = avio_rl32(pb);
|
|
|
|
typedef struct AudioTrack {
|
|
int sample_rate;
|
|
int bits;
|
|
int channels;
|
|
int stream_index;
|
|
int adpcm;
|
|
int64_t audio_pts;
|
|
} AudioTrack;
|
|
|
|
typedef struct FourxmDemuxContext {
|
|
int video_stream_index;
|
|
int track_count;
|
|
AudioTrack *tracks;
|
|
|
|
int64_t video_pts;
|
|
AVRational fps;
|
|
} FourxmDemuxContext;
|
|
|
|
static int fourxm_probe(AVProbeData *p)
|
|
{
|
|
if ((AV_RL32(&p->buf[0]) != RIFF_TAG) ||
|
|
(AV_RL32(&p->buf[8]) != FOURXMV_TAG))
|
|
return 0;
|
|
|
|
return AVPROBE_SCORE_MAX;
|
|
}
|
|
|
|
static int parse_vtrk(AVFormatContext *s,
|
|
FourxmDemuxContext *fourxm, uint8_t *buf, int size,
|
|
int left)
|
|
{
|
|
AVStream *st;
|
|
/* check that there is enough data */
|
|
if (size != vtrk_SIZE || left < size + 8) {
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
/* allocate a new AVStream */
|
|
st = avformat_new_stream(s, NULL);
|
|
if (!st)
|
|
return AVERROR(ENOMEM);
|
|
|
|
avpriv_set_pts_info(st, 60, fourxm->fps.den, fourxm->fps.num);
|
|
|
|
fourxm->video_stream_index = st->index;
|
|
|
|
st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
|
|
st->codecpar->codec_id = AV_CODEC_ID_4XM;
|
|
|
|
st->codecpar->extradata = av_mallocz(4 + AV_INPUT_BUFFER_PADDING_SIZE);
|
|
if (!st->codecpar->extradata)
|
|
return AVERROR(ENOMEM);
|
|
st->codecpar->extradata_size = 4;
|
|
AV_WL32(st->codecpar->extradata, AV_RL32(buf + 16));
|
|
st->codecpar->width = AV_RL32(buf + 36);
|
|
st->codecpar->height = AV_RL32(buf + 40);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int parse_strk(AVFormatContext *s,
|
|
FourxmDemuxContext *fourxm, uint8_t *buf, int size,
|
|
int left)
|
|
{
|
|
AVStream *st;
|
|
int track;
|
|
/* check that there is enough data */
|
|
if (size != strk_SIZE || left < size + 8)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
track = AV_RL32(buf + 8);
|
|
if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) {
|
|
av_log(s, AV_LOG_ERROR, "current_track too large\n");
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
if (track + 1 > fourxm->track_count) {
|
|
if (av_reallocp_array(&fourxm->tracks, track + 1, sizeof(AudioTrack)))
|
|
return AVERROR(ENOMEM);
|
|
memset(&fourxm->tracks[fourxm->track_count], 0,
|
|
sizeof(AudioTrack) * (track + 1 - fourxm->track_count));
|
|
fourxm->track_count = track + 1;
|
|
}
|
|
fourxm->tracks[track].adpcm = AV_RL32(buf + 12);
|
|
fourxm->tracks[track].channels = AV_RL32(buf + 36);
|
|
fourxm->tracks[track].sample_rate = AV_RL32(buf + 40);
|
|
fourxm->tracks[track].bits = AV_RL32(buf + 44);
|
|
fourxm->tracks[track].audio_pts = 0;
|
|
|
|
if (fourxm->tracks[track].channels <= 0 ||
|
|
fourxm->tracks[track].channels > FF_SANE_NB_CHANNELS ||
|
|
fourxm->tracks[track].sample_rate <= 0 ||
|
|
fourxm->tracks[track].bits <= 0 ||
|
|
fourxm->tracks[track].bits > INT_MAX / FF_SANE_NB_CHANNELS) {
|
|
av_log(s, AV_LOG_ERROR, "audio header invalid\n");
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
if (!fourxm->tracks[track].adpcm && fourxm->tracks[track].bits<8) {
|
|
av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n");
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
if (fourxm->tracks[track].sample_rate > INT64_MAX / fourxm->tracks[track].bits / fourxm->tracks[track].channels) {
|
|
av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %d * %d * %d\n",
|
|
fourxm->tracks[track].sample_rate, fourxm->tracks[track].bits, fourxm->tracks[track].channels);
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
/* allocate a new AVStream */
|
|
st = avformat_new_stream(s, NULL);
|
|
if (!st)
|
|
return AVERROR(ENOMEM);
|
|
|
|
st->id = track;
|
|
avpriv_set_pts_info(st, 60, 1, fourxm->tracks[track].sample_rate);
|
|
|
|
fourxm->tracks[track].stream_index = st->index;
|
|
|
|
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
|
|
st->codecpar->codec_tag = 0;
|
|
st->codecpar->channels = fourxm->tracks[track].channels;
|
|
st->codecpar->sample_rate = fourxm->tracks[track].sample_rate;
|
|
st->codecpar->bits_per_coded_sample = fourxm->tracks[track].bits;
|
|
st->codecpar->bit_rate = (int64_t)st->codecpar->channels *
|
|
st->codecpar->sample_rate *
|
|
st->codecpar->bits_per_coded_sample;
|
|
st->codecpar->block_align = st->codecpar->channels *
|
|
st->codecpar->bits_per_coded_sample;
|
|
|
|
if (fourxm->tracks[track].adpcm){
|
|
st->codecpar->codec_id = AV_CODEC_ID_ADPCM_4XM;
|
|
} else if (st->codecpar->bits_per_coded_sample == 8) {
|
|
st->codecpar->codec_id = AV_CODEC_ID_PCM_U8;
|
|
} else
|
|
st->codecpar->codec_id = AV_CODEC_ID_PCM_S16LE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int fourxm_read_header(AVFormatContext *s)
|
|
{
|
|
AVIOContext *pb = s->pb;
|
|
unsigned int fourcc_tag;
|
|
unsigned int size;
|
|
int header_size;
|
|
FourxmDemuxContext *fourxm = s->priv_data;
|
|
unsigned char *header = NULL;
|
|
int i, ret;
|
|
|
|
fourxm->track_count = 0;
|
|
fourxm->tracks = NULL;
|
|
fourxm->fps = (AVRational){1,1};
|
|
fourxm->video_stream_index = -1;
|
|
|
|
/* skip the first 3 32-bit numbers */
|
|
avio_skip(pb, 12);
|
|
|
|
/* check for LIST-HEAD */
|
|
GET_LIST_HEADER();
|
|
header_size = size - 4;
|
|
if (fourcc_tag != HEAD_TAG || header_size < 0)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
/* allocate space for the header and load the whole thing */
|
|
header = av_malloc(header_size);
|
|
if (!header)
|
|
return AVERROR(ENOMEM);
|
|
if (avio_read(pb, header, header_size) != header_size) {
|
|
av_free(header);
|
|
return AVERROR(EIO);
|
|
}
|
|
|
|
/* take the lazy approach and search for any and all vtrk and strk chunks */
|
|
for (i = 0; i < header_size - 8; i++) {
|
|
fourcc_tag = AV_RL32(&header[i]);
|
|
size = AV_RL32(&header[i + 4]);
|
|
if (size > header_size - i - 8 && (fourcc_tag == vtrk_TAG || fourcc_tag == strk_TAG)) {
|
|
av_log(s, AV_LOG_ERROR, "chunk larger than array %d>%d\n", size, header_size - i - 8);
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
if (fourcc_tag == std__TAG) {
|
|
if (header_size - i < 16) {
|
|
av_log(s, AV_LOG_ERROR, "std TAG truncated\n");
|
|
ret = AVERROR_INVALIDDATA;
|
|
goto fail;
|
|
}
|
|
fourxm->fps = av_d2q(av_int2float(AV_RL32(&header[i + 12])), 10000);
|
|
} else if (fourcc_tag == vtrk_TAG) {
|
|
if ((ret = parse_vtrk(s, fourxm, header + i, size,
|
|
header_size - i)) < 0)
|
|
goto fail;
|
|
|
|
i += 8 + size;
|
|
} else if (fourcc_tag == strk_TAG) {
|
|
if ((ret = parse_strk(s, fourxm, header + i, size,
|
|
header_size - i)) < 0)
|
|
goto fail;
|
|
|
|
i += 8 + size;
|
|
}
|
|
}
|
|
|
|
/* skip over the LIST-MOVI chunk (which is where the stream should be */
|
|
GET_LIST_HEADER();
|
|
if (fourcc_tag != MOVI_TAG) {
|
|
ret = AVERROR_INVALIDDATA;
|
|
goto fail;
|
|
}
|
|
|
|
av_free(header);
|
|
/* initialize context members */
|
|
fourxm->video_pts = -1; /* first frame will push to 0 */
|
|
|
|
return 0;
|
|
fail:
|
|
av_freep(&fourxm->tracks);
|
|
av_free(header);
|
|
return ret;
|
|
}
|
|
|
|
static int fourxm_read_packet(AVFormatContext *s,
|
|
AVPacket *pkt)
|
|
{
|
|
FourxmDemuxContext *fourxm = s->priv_data;
|
|
AVIOContext *pb = s->pb;
|
|
unsigned int fourcc_tag;
|
|
unsigned int size;
|
|
int ret = 0;
|
|
unsigned int track_number;
|
|
int packet_read = 0;
|
|
unsigned char header[8];
|
|
int64_t audio_frame_count;
|
|
|
|
while (!packet_read) {
|
|
if ((ret = avio_read(s->pb, header, 8)) < 0)
|
|
return ret;
|
|
fourcc_tag = AV_RL32(&header[0]);
|
|
size = AV_RL32(&header[4]);
|
|
if (avio_feof(pb))
|
|
return AVERROR(EIO);
|
|
switch (fourcc_tag) {
|
|
case LIST_TAG:
|
|
/* this is a good time to bump the video pts */
|
|
fourxm->video_pts++;
|
|
|
|
/* skip the LIST-* tag and move on to the next fourcc */
|
|
avio_rl32(pb);
|
|
break;
|
|
|
|
case ifrm_TAG:
|
|
case pfrm_TAG:
|
|
case cfrm_TAG:
|
|
case ifr2_TAG:
|
|
case pfr2_TAG:
|
|
case cfr2_TAG:
|
|
/* allocate 8 more bytes than 'size' to account for fourcc
|
|
* and size */
|
|
if (fourxm->video_stream_index < 0)
|
|
return AVERROR_INVALIDDATA;
|
|
if (size + 8 < size || av_new_packet(pkt, size + 8))
|
|
return AVERROR(EIO);
|
|
pkt->stream_index = fourxm->video_stream_index;
|
|
pkt->pts = fourxm->video_pts;
|
|
pkt->pos = avio_tell(s->pb);
|
|
memcpy(pkt->data, header, 8);
|
|
ret = avio_read(s->pb, &pkt->data[8], size);
|
|
|
|
if (ret < 0) {
|
|
av_packet_unref(pkt);
|
|
} else {
|
|
packet_read = 1;
|
|
av_shrink_packet(pkt, ret + 8);
|
|
}
|
|
break;
|
|
|
|
case snd__TAG:
|
|
track_number = avio_rl32(pb);
|
|
avio_skip(pb, 4);
|
|
size -= 8;
|
|
|
|
if (track_number < fourxm->track_count &&
|
|
fourxm->tracks[track_number].channels > 0) {
|
|
ret = av_get_packet(s->pb, pkt, size);
|
|
if (ret < 0)
|
|
return AVERROR(EIO);
|
|
pkt->stream_index =
|
|
fourxm->tracks[track_number].stream_index;
|
|
pkt->pts = fourxm->tracks[track_number].audio_pts;
|
|
packet_read = 1;
|
|
|
|
/* pts accounting */
|
|
audio_frame_count = size;
|
|
if (fourxm->tracks[track_number].adpcm)
|
|
audio_frame_count -= 2 * (fourxm->tracks[track_number].channels);
|
|
audio_frame_count /= fourxm->tracks[track_number].channels;
|
|
if (fourxm->tracks[track_number].adpcm) {
|
|
audio_frame_count *= 2;
|
|
} else
|
|
audio_frame_count /=
|
|
(fourxm->tracks[track_number].bits / 8);
|
|
fourxm->tracks[track_number].audio_pts += audio_frame_count;
|
|
} else {
|
|
avio_skip(pb, size);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
avio_skip(pb, size);
|
|
break;
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static int fourxm_read_close(AVFormatContext *s)
|
|
{
|
|
FourxmDemuxContext *fourxm = s->priv_data;
|
|
|
|
av_freep(&fourxm->tracks);
|
|
|
|
return 0;
|
|
}
|
|
|
|
AVInputFormat ff_fourxm_demuxer = {
|
|
.name = "4xm",
|
|
.long_name = NULL_IF_CONFIG_SMALL("4X Technologies"),
|
|
.priv_data_size = sizeof(FourxmDemuxContext),
|
|
.read_probe = fourxm_probe,
|
|
.read_header = fourxm_read_header,
|
|
.read_packet = fourxm_read_packet,
|
|
.read_close = fourxm_read_close,
|
|
};
|