1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-19 05:49:09 +02:00
Michael Niedermayer e7011a0ca6 avcodec/mvha: Check remaining space when reading VLC table probabilities
Fixes: Infinite loop
Fixes: 19183/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5666216765292544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-06 11:25:29 +01:00

316 lines
8.7 KiB
C

/*
* MidiVid Archive codec
*
* Copyright (c) 2019 Paul B Mahol
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CACHED_BITSTREAM_READER !ARCH_X86_32
#include "libavutil/intreadwrite.h"
#include "avcodec.h"
#include "bytestream.h"
#include "get_bits.h"
#include "internal.h"
#include "lossless_videodsp.h"
#include <zlib.h>
typedef struct MVHAContext {
GetBitContext gb;
int nb_symbols;
uint8_t symb[256];
uint32_t prob[256];
VLC vlc;
z_stream zstream;
LLVidDSPContext llviddsp;
} MVHAContext;
typedef struct Node {
int16_t sym;
int16_t n0;
int16_t l, r;
uint32_t count;
} Node;
static void get_tree_codes(uint32_t *bits, int16_t *lens, uint8_t *xlat,
Node *nodes, int node,
uint32_t pfx, int pl, int *pos)
{
int s;
s = nodes[node].sym;
if (s != -1) {
bits[*pos] = (~pfx) & ((1ULL << FFMAX(pl, 1)) - 1);
lens[*pos] = FFMAX(pl, 1);
xlat[*pos] = s + (pl == 0);
(*pos)++;
} else {
pfx <<= 1;
pl++;
get_tree_codes(bits, lens, xlat, nodes, nodes[node].l, pfx, pl,
pos);
pfx |= 1;
get_tree_codes(bits, lens, xlat, nodes, nodes[node].r, pfx, pl,
pos);
}
}
static int build_vlc(AVCodecContext *avctx, VLC *vlc)
{
MVHAContext *s = avctx->priv_data;
Node nodes[512];
uint32_t bits[256];
int16_t lens[256];
uint8_t xlat[256];
int cur_node, i, j, pos = 0;
ff_free_vlc(vlc);
for (i = 0; i < s->nb_symbols; i++) {
nodes[i].count = s->prob[i];
nodes[i].sym = s->symb[i];
nodes[i].n0 = -2;
nodes[i].l = i;
nodes[i].r = i;
}
cur_node = s->nb_symbols;
j = 0;
do {
for (i = 0; ; i++) {
int new_node = j;
int first_node = cur_node;
int second_node = cur_node;
unsigned nd, st;
nodes[cur_node].count = -1;
do {
int val = nodes[new_node].count;
if (val && (val < nodes[first_node].count)) {
if (val >= nodes[second_node].count) {
first_node = new_node;
} else {
first_node = second_node;
second_node = new_node;
}
}
new_node += 1;
} while (new_node != cur_node);
if (first_node == cur_node)
break;
nd = nodes[second_node].count;
st = nodes[first_node].count;
nodes[second_node].count = 0;
nodes[first_node].count = 0;
if (nd >= UINT32_MAX - st) {
av_log(avctx, AV_LOG_ERROR, "count overflow\n");
return AVERROR_INVALIDDATA;
}
nodes[cur_node].count = nd + st;
nodes[cur_node].sym = -1;
nodes[cur_node].n0 = cur_node;
nodes[cur_node].l = first_node;
nodes[cur_node].r = second_node;
cur_node++;
}
j++;
} while (cur_node - s->nb_symbols == j);
get_tree_codes(bits, lens, xlat, nodes, cur_node - 1, 0, 0, &pos);
return ff_init_vlc_sparse(vlc, 12, pos, lens, 2, 2, bits, 4, 4, xlat, 1, 1, 0);
}
static int decode_frame(AVCodecContext *avctx,
void *data, int *got_frame,
AVPacket *avpkt)
{
MVHAContext *s = avctx->priv_data;
AVFrame *frame = data;
uint32_t type, size;
int ret;
if (avpkt->size <= 8)
return AVERROR_INVALIDDATA;
type = AV_RB32(avpkt->data);
size = AV_RL32(avpkt->data + 4);
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
return ret;
if (type == MKTAG('L','Z','Y','V')) {
ret = inflateReset(&s->zstream);
if (ret != Z_OK) {
av_log(avctx, AV_LOG_ERROR, "Inflate reset error: %d\n", ret);
return AVERROR_EXTERNAL;
}
s->zstream.next_in = avpkt->data + 8;
s->zstream.avail_in = avpkt->size - 8;
for (int p = 0; p < 3; p++) {
for (int y = 0; y < avctx->height; y++) {
s->zstream.next_out = frame->data[p] + (avctx->height - y - 1) * frame->linesize[p];
s->zstream.avail_out = avctx->width >> (p > 0);
ret = inflate(&s->zstream, Z_SYNC_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END) {
av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret);
return AVERROR_EXTERNAL;
}
}
}
} else if (type == MKTAG('H','U','F','Y')) {
GetBitContext *gb = &s->gb;
int first_symbol, symbol;
ret = init_get_bits8(gb, avpkt->data + 8, avpkt->size - 8);
if (ret < 0)
return ret;
skip_bits(gb, 24);
first_symbol = get_bits(gb, 8);
s->nb_symbols = get_bits(gb, 8) + 1;
symbol = first_symbol;
for (int i = 0; i < s->nb_symbols; symbol++) {
int prob;
if (get_bits_left(gb) < 4)
return AVERROR_INVALIDDATA;
if (get_bits1(gb)) {
prob = get_bits(gb, 12);
} else {
prob = get_bits(gb, 3);
}
if (prob) {
s->symb[i] = symbol;
s->prob[i] = prob;
i++;
}
}
ret = build_vlc(avctx, &s->vlc);
if (ret < 0)
return ret;
for (int p = 0; p < 3; p++) {
int width = avctx->width >> (p > 0);
ptrdiff_t stride = frame->linesize[p];
uint8_t *dst;
dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
for (int y = 0; y < avctx->height; y++) {
for (int x = 0; x < width; x++) {
int v = get_vlc2(gb, s->vlc.table, s->vlc.bits, 3);
if (v < 0)
return AVERROR_INVALIDDATA;
dst[x] = v;
}
dst -= stride;
}
}
} else {
return AVERROR_INVALIDDATA;
}
for (int p = 0; p < 3; p++) {
int left, lefttop;
int width = avctx->width >> (p > 0);
ptrdiff_t stride = frame->linesize[p];
uint8_t *dst;
dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
s->llviddsp.add_left_pred(dst, dst, width, 0);
dst -= stride;
lefttop = left = dst[0];
for (int y = 1; y < avctx->height; y++) {
s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
lefttop = left = dst[0];
dst -= stride;
}
}
frame->pict_type = AV_PICTURE_TYPE_I;
frame->key_frame = 1;
*got_frame = 1;
return avpkt->size;
}
static av_cold int decode_init(AVCodecContext *avctx)
{
MVHAContext *s = avctx->priv_data;
int zret;
avctx->pix_fmt = AV_PIX_FMT_YUV422P;
s->zstream.zalloc = Z_NULL;
s->zstream.zfree = Z_NULL;
s->zstream.opaque = Z_NULL;
zret = inflateInit(&s->zstream);
if (zret != Z_OK) {
av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret);
return AVERROR_EXTERNAL;
}
ff_llviddsp_init(&s->llviddsp);
return 0;
}
static av_cold int decode_close(AVCodecContext *avctx)
{
MVHAContext *s = avctx->priv_data;
inflateEnd(&s->zstream);
ff_free_vlc(&s->vlc);
return 0;
}
AVCodec ff_mvha_decoder = {
.name = "mvha",
.long_name = NULL_IF_CONFIG_SMALL("MidiVid Archive Codec"),
.type = AVMEDIA_TYPE_VIDEO,
.id = AV_CODEC_ID_MVHA,
.priv_data_size = sizeof(MVHAContext),
.init = decode_init,
.close = decode_close,
.decode = decode_frame,
.capabilities = AV_CODEC_CAP_DR1,
.caps_internal = FF_CODEC_CAP_INIT_THREADSAFE |
FF_CODEC_CAP_INIT_CLEANUP,
};