1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00
FFmpeg/libavcodec/lscrdec.c
Michael Niedermayer 426c52c2ce avcodec/lscrdec: Check length in decode_idat()
Fixes: out of array access
Fixes: 32264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-6684504010915840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c01cd2a8b2a67da975d51fdf03f18c502df2e13c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 11:38:45 +02:00

280 lines
7.8 KiB
C

/*
* Copyright (c) 2019 Paul B Mahol
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdint.h>
#include <zlib.h>
#include "libavutil/frame.h"
#include "libavutil/error.h"
#include "libavutil/log.h"
#include "avcodec.h"
#include "bytestream.h"
#include "codec.h"
#include "internal.h"
#include "packet.h"
#include "png.h"
#include "pngdsp.h"
typedef struct LSCRContext {
PNGDSPContext dsp;
AVCodecContext *avctx;
AVFrame *last_picture;
uint8_t *buffer;
int buffer_size;
uint8_t *crow_buf;
int crow_size;
uint8_t *last_row;
unsigned int last_row_size;
GetByteContext gb;
uint8_t *image_buf;
int image_linesize;
int row_size;
int cur_h;
int y;
z_stream zstream;
} LSCRContext;
static void handle_row(LSCRContext *s)
{
uint8_t *ptr, *last_row;
ptr = s->image_buf + s->image_linesize * s->y;
if (s->y == 0)
last_row = s->last_row;
else
last_row = ptr - s->image_linesize;
ff_png_filter_row(&s->dsp, ptr, s->crow_buf[0], s->crow_buf + 1,
last_row, s->row_size, 3);
s->y++;
}
static int decode_idat(LSCRContext *s, int length)
{
int ret;
s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
s->zstream.next_in = s->gb.buffer;
if (length <= 0)
return AVERROR_INVALIDDATA;
bytestream2_skip(&s->gb, length);
/* decode one line if possible */
while (s->zstream.avail_in > 0) {
ret = inflate(&s->zstream, Z_PARTIAL_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END) {
av_log(s->avctx, AV_LOG_ERROR, "inflate returned error %d\n", ret);
return AVERROR_EXTERNAL;
}
if (s->zstream.avail_out == 0) {
if (s->y < s->cur_h) {
handle_row(s);
}
s->zstream.avail_out = s->crow_size;
s->zstream.next_out = s->crow_buf;
}
if (ret == Z_STREAM_END && s->zstream.avail_in > 0) {
av_log(s->avctx, AV_LOG_WARNING,
"%d undecompressed bytes left in buffer\n", s->zstream.avail_in);
return 0;
}
}
return 0;
}
static int decode_frame_lscr(AVCodecContext *avctx,
void *data, int *got_frame,
AVPacket *avpkt)
{
LSCRContext *const s = avctx->priv_data;
GetByteContext *gb = &s->gb;
AVFrame *frame = s->last_picture;
int ret, nb_blocks, offset = 0;
if (avpkt->size < 2)
return AVERROR_INVALIDDATA;
if (avpkt->size == 2)
return 0;
bytestream2_init(gb, avpkt->data, avpkt->size);
nb_blocks = bytestream2_get_le16(gb);
if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * (12 + 8))
return AVERROR_INVALIDDATA;
ret = ff_reget_buffer(avctx, frame,
nb_blocks ? 0 : FF_REGET_BUFFER_FLAG_READONLY);
if (ret < 0)
return ret;
for (int b = 0; b < nb_blocks; b++) {
int x, y, x2, y2, w, h, left;
uint32_t csize, size;
s->zstream.zalloc = ff_png_zalloc;
s->zstream.zfree = ff_png_zfree;
s->zstream.opaque = NULL;
if ((ret = inflateInit(&s->zstream)) != Z_OK) {
av_log(avctx, AV_LOG_ERROR, "inflateInit returned error %d\n", ret);
ret = AVERROR_EXTERNAL;
goto end;
}
bytestream2_seek(gb, 2 + b * 12, SEEK_SET);
x = bytestream2_get_le16(gb);
y = bytestream2_get_le16(gb);
x2 = bytestream2_get_le16(gb);
y2 = bytestream2_get_le16(gb);
w = x2-x;
s->cur_h = h = y2-y;
if (w <= 0 || x < 0 || x >= avctx->width || w + x > avctx->width ||
h <= 0 || y < 0 || y >= avctx->height || h + y > avctx->height) {
ret = AVERROR_INVALIDDATA;
goto end;
}
size = bytestream2_get_le32(gb);
frame->key_frame = (nb_blocks == 1) &&
(w == avctx->width) &&
(h == avctx->height) &&
(x == 0) && (y == 0);
bytestream2_seek(gb, 2 + nb_blocks * 12 + offset, SEEK_SET);
csize = bytestream2_get_be32(gb);
if (bytestream2_get_le32(gb) != MKTAG('I', 'D', 'A', 'T')) {
ret = AVERROR_INVALIDDATA;
goto end;
}
offset += size;
left = size;
s->y = 0;
s->row_size = w * 3;
av_fast_padded_malloc(&s->buffer, &s->buffer_size, s->row_size + 16);
if (!s->buffer) {
ret = AVERROR(ENOMEM);
goto end;
}
av_fast_padded_malloc(&s->last_row, &s->last_row_size, s->row_size);
if (!s->last_row) {
ret = AVERROR(ENOMEM);
goto end;
}
s->crow_size = w * 3 + 1;
s->crow_buf = s->buffer + 15;
s->zstream.avail_out = s->crow_size;
s->zstream.next_out = s->crow_buf;
s->image_buf = frame->data[0] + (avctx->height - y - 1) * frame->linesize[0] + x * 3;
s->image_linesize =-frame->linesize[0];
while (left > 16) {
ret = decode_idat(s, csize);
if (ret < 0)
goto end;
left -= csize + 16;
if (left > 16) {
bytestream2_skip(gb, 4);
csize = bytestream2_get_be32(gb);
if (bytestream2_get_le32(gb) != MKTAG('I', 'D', 'A', 'T')) {
ret = AVERROR_INVALIDDATA;
goto end;
}
}
}
inflateEnd(&s->zstream);
}
frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
if ((ret = av_frame_ref(data, frame)) < 0)
return ret;
*got_frame = 1;
end:
inflateEnd(&s->zstream);
if (ret < 0)
return ret;
return avpkt->size;
}
static int lscr_decode_close(AVCodecContext *avctx)
{
LSCRContext *s = avctx->priv_data;
av_frame_free(&s->last_picture);
av_freep(&s->buffer);
av_freep(&s->last_row);
return 0;
}
static int lscr_decode_init(AVCodecContext *avctx)
{
LSCRContext *s = avctx->priv_data;
avctx->color_range = AVCOL_RANGE_JPEG;
avctx->pix_fmt = AV_PIX_FMT_BGR24;
s->avctx = avctx;
s->last_picture = av_frame_alloc();
if (!s->last_picture)
return AVERROR(ENOMEM);
ff_pngdsp_init(&s->dsp);
return 0;
}
static void lscr_decode_flush(AVCodecContext *avctx)
{
LSCRContext *s = avctx->priv_data;
av_frame_unref(s->last_picture);
}
AVCodec ff_lscr_decoder = {
.name = "lscr",
.long_name = NULL_IF_CONFIG_SMALL("LEAD Screen Capture"),
.type = AVMEDIA_TYPE_VIDEO,
.id = AV_CODEC_ID_LSCR,
.priv_data_size = sizeof(LSCRContext),
.init = lscr_decode_init,
.close = lscr_decode_close,
.decode = decode_frame_lscr,
.flush = lscr_decode_flush,
.capabilities = AV_CODEC_CAP_DR1,
.caps_internal = FF_CODEC_CAP_INIT_THREADSAFE,
};