1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
FFmpeg/libavformat/bintext.c
Michael Niedermayer f6dc285fb5 avformat/bintext: Check width
Fixes: division by 0
Fixes: 26780/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5117945027756032
Fixes: 26998/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5119352359354368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-11 17:05:24 +01:00

444 lines
13 KiB
C

/*
* Binary text demuxer
* eXtended BINary text (XBIN) demuxer
* Artworx Data Format demuxer
* iCEDraw File demuxer
* Copyright (c) 2010 Peter Ross <pross@xvid.org>
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/**
* @file
* Binary text demuxer
* eXtended BINary text (XBIN) demuxer
* Artworx Data Format demuxer
* iCEDraw File demuxer
*/
#include "libavutil/intreadwrite.h"
#include "libavutil/opt.h"
#include "libavutil/parseutils.h"
#include "avformat.h"
#include "internal.h"
#include "sauce.h"
#include "libavcodec/bintext.h"
typedef struct {
const AVClass *class;
int chars_per_frame; /**< characters to send decoder per frame;
set by private options as characters per second, and then
converted to characters per frame at runtime */
int width, height; /**< video size (WxH pixels) (private option) */
AVRational framerate; /**< frames per second (private option) */
uint64_t fsize; /**< file size less metadata buffer */
} BinDemuxContext;
static AVStream * init_stream(AVFormatContext *s)
{
BinDemuxContext *bin = s->priv_data;
AVStream *st = avformat_new_stream(s, NULL);
if (!st)
return NULL;
st->codecpar->codec_tag = 0;
st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
if (!bin->width) {
st->codecpar->width = (80<<3);
st->codecpar->height = (25<<4);
}
avpriv_set_pts_info(st, 60, bin->framerate.den, bin->framerate.num);
/* simulate tty display speed */
bin->chars_per_frame = av_clip(av_q2d(st->time_base) * bin->chars_per_frame, 1, INT_MAX);
return st;
}
#if CONFIG_BINTEXT_DEMUXER | CONFIG_ADF_DEMUXER | CONFIG_IDF_DEMUXER
/**
* Given filesize and width, calculate height (assume font_height of 16)
*/
static void calculate_height(AVCodecParameters *par, uint64_t fsize)
{
par->height = (fsize / ((par->width>>3)*2)) << 4;
}
#endif
#if CONFIG_BINTEXT_DEMUXER
static const uint8_t next_magic[]={
0x1A, 0x1B, '[', '0', ';', '3', '0', ';', '4', '0', 'm', 'N', 'E', 'X', 'T', 0x00
};
static int next_tag_read(AVFormatContext *avctx, uint64_t *fsize)
{
AVIOContext *pb = avctx->pb;
char buf[36];
int len;
uint64_t start_pos = avio_size(pb) - 256;
avio_seek(pb, start_pos, SEEK_SET);
if (avio_read(pb, buf, sizeof(next_magic)) != sizeof(next_magic))
return -1;
if (memcmp(buf, next_magic, sizeof(next_magic)))
return -1;
if (avio_r8(pb) != 0x01)
return -1;
*fsize -= 256;
#define GET_EFI2_META(name,size) \
len = avio_r8(pb); \
if (len < 1 || len > size) \
return -1; \
if (avio_read(pb, buf, size) == size && *buf) { \
buf[len] = 0; \
av_dict_set(&avctx->metadata, name, buf, 0); \
}
GET_EFI2_META("filename", 12)
GET_EFI2_META("author", 20)
GET_EFI2_META("publisher", 20)
GET_EFI2_META("title", 35)
return 0;
}
static void predict_width(AVCodecParameters *par, uint64_t fsize, int got_width)
{
/** attempt to guess width */
if (!got_width)
par->width = fsize > 4000 ? (160<<3) : (80<<3);
}
static int bin_probe(const AVProbeData *p)
{
const uint8_t *d = p->buf;
int magic = 0, sauce = 0;
int invisible = 0;
int i;
if (p->buf_size > 256)
magic = !memcmp(d + p->buf_size - 256, next_magic, sizeof(next_magic));
if (p->buf_size > 128)
sauce = !memcmp(d + p->buf_size - 128, "SAUCE00", 7);
if (magic)
return AVPROBE_SCORE_EXTENSION + 1;
if (av_match_ext(p->filename, "bin")) {
AVCodecParameters par;
int got_width = 0;
par.width = par.height = 0;
if (sauce)
return AVPROBE_SCORE_EXTENSION + 1;
predict_width(&par, p->buf_size, got_width);
if (par.width < 8)
return 0;
calculate_height(&par, p->buf_size);
if (par.height <= 0)
return 0;
for (i = 0; i < p->buf_size - 256; i+=2) {
if ((d[i+1] & 15) == (d[i+1] >> 4) && d[i] && d[i] != 0xFF && d[i] != ' ') {
invisible ++;
}
}
if (par.width * par.height * 2 / (8*16) == p->buf_size)
return AVPROBE_SCORE_MAX / 2;
return 0;
}
if (sauce)
return 1;
return 0;
}
static int bintext_read_header(AVFormatContext *s)
{
BinDemuxContext *bin = s->priv_data;
AVIOContext *pb = s->pb;
int ret;
AVStream *st = init_stream(s);
if (!st)
return AVERROR(ENOMEM);
st->codecpar->codec_id = AV_CODEC_ID_BINTEXT;
if ((ret = ff_alloc_extradata(st->codecpar, 2)) < 0)
return ret;
st->codecpar->extradata[0] = 16;
st->codecpar->extradata[1] = 0;
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
int got_width = 0;
bin->fsize = avio_size(pb);
if (ff_sauce_read(s, &bin->fsize, &got_width, 0) < 0)
next_tag_read(s, &bin->fsize);
if (!bin->width) {
predict_width(st->codecpar, bin->fsize, got_width);
if (st->codecpar->width < 8)
return AVERROR_INVALIDDATA;
calculate_height(st->codecpar, bin->fsize);
}
avio_seek(pb, 0, SEEK_SET);
}
return 0;
}
#endif /* CONFIG_BINTEXT_DEMUXER */
#if CONFIG_XBIN_DEMUXER
static int xbin_probe(const AVProbeData *p)
{
const uint8_t *d = p->buf;
if (AV_RL32(d) == MKTAG('X','B','I','N') && d[4] == 0x1A &&
AV_RL16(d+5) > 0 && AV_RL16(d+5) <= 160 &&
d[9] > 0 && d[9] <= 32)
return AVPROBE_SCORE_MAX;
return 0;
}
static int xbin_read_header(AVFormatContext *s)
{
BinDemuxContext *bin = s->priv_data;
AVIOContext *pb = s->pb;
char fontheight, flags;
int ret;
AVStream *st = init_stream(s);
if (!st)
return AVERROR(ENOMEM);
avio_skip(pb, 5);
st->codecpar->width = avio_rl16(pb)<<3;
st->codecpar->height = avio_rl16(pb);
fontheight = avio_r8(pb);
st->codecpar->height *= fontheight;
flags = avio_r8(pb);
st->codecpar->extradata_size = 2;
if ((flags & BINTEXT_PALETTE))
st->codecpar->extradata_size += 48;
if ((flags & BINTEXT_FONT))
st->codecpar->extradata_size += fontheight * (flags & 0x10 ? 512 : 256);
st->codecpar->codec_id = flags & 4 ? AV_CODEC_ID_XBIN : AV_CODEC_ID_BINTEXT;
ret = ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size);
if (ret < 0)
return ret;
st->codecpar->extradata[0] = fontheight;
st->codecpar->extradata[1] = flags;
if (avio_read(pb, st->codecpar->extradata + 2, st->codecpar->extradata_size - 2) < 0)
return AVERROR(EIO);
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
bin->fsize = avio_size(pb) - 9 - st->codecpar->extradata_size;
ff_sauce_read(s, &bin->fsize, NULL, 0);
avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET);
}
return 0;
}
#endif /* CONFIG_XBIN_DEMUXER */
#if CONFIG_ADF_DEMUXER
static int adf_read_header(AVFormatContext *s)
{
BinDemuxContext *bin = s->priv_data;
AVIOContext *pb = s->pb;
AVStream *st;
int ret;
if (avio_r8(pb) != 1)
return AVERROR_INVALIDDATA;
st = init_stream(s);
if (!st)
return AVERROR(ENOMEM);
st->codecpar->codec_id = AV_CODEC_ID_BINTEXT;
if ((ret = ff_alloc_extradata(st->codecpar, 2 + 48 + 4096)) < 0)
return ret;
st->codecpar->extradata[0] = 16;
st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT;
if (avio_read(pb, st->codecpar->extradata + 2, 24) < 0)
return AVERROR(EIO);
avio_skip(pb, 144);
if (avio_read(pb, st->codecpar->extradata + 2 + 24, 24) < 0)
return AVERROR(EIO);
if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0)
return AVERROR(EIO);
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
int got_width = 0;
bin->fsize = avio_size(pb) - 1 - 192 - 4096;
st->codecpar->width = 80<<3;
ff_sauce_read(s, &bin->fsize, &got_width, 0);
if (st->codecpar->width < 8)
return AVERROR_INVALIDDATA;
if (!bin->width)
calculate_height(st->codecpar, bin->fsize);
avio_seek(pb, 1 + 192 + 4096, SEEK_SET);
}
return 0;
}
#endif /* CONFIG_ADF_DEMUXER */
#if CONFIG_IDF_DEMUXER
static const uint8_t idf_magic[] = {
0x04, 0x31, 0x2e, 0x34, 0x00, 0x00, 0x00, 0x00, 0x4f, 0x00, 0x15, 0x00
};
static int idf_probe(const AVProbeData *p)
{
if (p->buf_size < sizeof(idf_magic))
return 0;
if (!memcmp(p->buf, idf_magic, sizeof(idf_magic)))
return AVPROBE_SCORE_MAX;
return 0;
}
static int idf_read_header(AVFormatContext *s)
{
BinDemuxContext *bin = s->priv_data;
AVIOContext *pb = s->pb;
AVStream *st;
int got_width = 0, ret;
if (!(pb->seekable & AVIO_SEEKABLE_NORMAL))
return AVERROR(EIO);
st = init_stream(s);
if (!st)
return AVERROR(ENOMEM);
st->codecpar->codec_id = AV_CODEC_ID_IDF;
if ((ret = ff_alloc_extradata(st->codecpar, 2 + 48 + 4096)) < 0)
return ret;
st->codecpar->extradata[0] = 16;
st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT;
avio_seek(pb, avio_size(pb) - 4096 - 48, SEEK_SET);
if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0)
return AVERROR(EIO);
if (avio_read(pb, st->codecpar->extradata + 2, 48) < 0)
return AVERROR(EIO);
bin->fsize = avio_size(pb) - 12 - 4096 - 48;
ff_sauce_read(s, &bin->fsize, &got_width, 0);
if (st->codecpar->width < 8)
return AVERROR_INVALIDDATA;
if (!bin->width)
calculate_height(st->codecpar, bin->fsize);
avio_seek(pb, 12, SEEK_SET);
return 0;
}
#endif /* CONFIG_IDF_DEMUXER */
static int read_packet(AVFormatContext *s,
AVPacket *pkt)
{
BinDemuxContext *bin = s->priv_data;
if (bin->fsize > 0) {
if (av_get_packet(s->pb, pkt, bin->fsize) < 0)
return AVERROR(EIO);
bin->fsize = -1; /* done */
} else if (!bin->fsize) {
if (avio_feof(s->pb))
return AVERROR(EIO);
if (av_get_packet(s->pb, pkt, bin->chars_per_frame) < 0)
return AVERROR(EIO);
} else {
return AVERROR(EIO);
}
pkt->flags |= AV_PKT_FLAG_KEY;
return 0;
}
#define OFFSET(x) offsetof(BinDemuxContext, x)
static const AVOption options[] = {
{ "linespeed", "set simulated line speed (bytes per second)", OFFSET(chars_per_frame), AV_OPT_TYPE_INT, {.i64 = 6000}, 1, INT_MAX, AV_OPT_FLAG_DECODING_PARAM},
{ "video_size", "set video size, such as 640x480 or hd720.", OFFSET(width), AV_OPT_TYPE_IMAGE_SIZE, {.str = NULL}, 0, 0, AV_OPT_FLAG_DECODING_PARAM },
{ "framerate", "set framerate (frames per second)", OFFSET(framerate), AV_OPT_TYPE_VIDEO_RATE, {.str = "25"}, 0, INT_MAX, AV_OPT_FLAG_DECODING_PARAM },
{ NULL },
};
#define CLASS(name) \
(const AVClass[1]){{ \
.class_name = name, \
.item_name = av_default_item_name, \
.option = options, \
.version = LIBAVUTIL_VERSION_INT, \
}}
#if CONFIG_BINTEXT_DEMUXER
AVInputFormat ff_bintext_demuxer = {
.name = "bin",
.long_name = NULL_IF_CONFIG_SMALL("Binary text"),
.priv_data_size = sizeof(BinDemuxContext),
.read_probe = bin_probe,
.read_header = bintext_read_header,
.read_packet = read_packet,
.priv_class = CLASS("Binary text demuxer"),
};
#endif
#if CONFIG_XBIN_DEMUXER
AVInputFormat ff_xbin_demuxer = {
.name = "xbin",
.long_name = NULL_IF_CONFIG_SMALL("eXtended BINary text (XBIN)"),
.priv_data_size = sizeof(BinDemuxContext),
.read_probe = xbin_probe,
.read_header = xbin_read_header,
.read_packet = read_packet,
.priv_class = CLASS("eXtended BINary text (XBIN) demuxer"),
};
#endif
#if CONFIG_ADF_DEMUXER
AVInputFormat ff_adf_demuxer = {
.name = "adf",
.long_name = NULL_IF_CONFIG_SMALL("Artworx Data Format"),
.priv_data_size = sizeof(BinDemuxContext),
.read_header = adf_read_header,
.read_packet = read_packet,
.extensions = "adf",
.priv_class = CLASS("Artworx Data Format demuxer"),
};
#endif
#if CONFIG_IDF_DEMUXER
AVInputFormat ff_idf_demuxer = {
.name = "idf",
.long_name = NULL_IF_CONFIG_SMALL("iCE Draw File"),
.priv_data_size = sizeof(BinDemuxContext),
.read_probe = idf_probe,
.read_header = idf_read_header,
.read_packet = read_packet,
.extensions = "idf",
.priv_class = CLASS("iCE Draw File demuxer"),
};
#endif