mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-03 05:10:03 +02:00
FFmpeg/libavcodec/pafvideo.c
Michael Niedermayer 4423cbf1b4 avcodec/pafvideo: Check allocated frame size
Fixes: OOM
Fixes: 5549/clusterfuzz-testcase-minimized-5390553567985664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 66acb63028)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-11 19:41:43 +01:00


/*
* Packed Animation File video decoder
* Copyright (c) 2012 Paul B Mahol
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "libavutil/imgutils.h"
#include "avcodec.h"
#include "bytestream.h"
#include "copy_block.h"
#include "internal.h"
/*
 * Step lists used by decode_0(), indexed by a 4-bit opcode taken from the
 * opcode table of the packet.
 *
 * Each row is a zero-terminated list of step codes that decode_0() executes
 * in order: 2, 3 and 4 lead to copy_color_mask(), 5, 6 and 7 lead to
 * copy_src_mask(). The table has exactly 16 rows, so any nibble is a valid
 * row index, and every row ends in 0 before its eighth entry, so the
 * `while (block_sequences[opcode][k])` walk stops inside the row.
 */
static const uint8_t block_sequences[16][8] = {
{ 0, 0, 0, 0, 0, 0, 0, 0 },
{ 2, 0, 0, 0, 0, 0, 0, 0 },
{ 5, 7, 0, 0, 0, 0, 0, 0 },
{ 5, 0, 0, 0, 0, 0, 0, 0 },
{ 6, 0, 0, 0, 0, 0, 0, 0 },
{ 5, 7, 5, 7, 0, 0, 0, 0 },
{ 5, 7, 5, 0, 0, 0, 0, 0 },
{ 5, 7, 6, 0, 0, 0, 0, 0 },
{ 5, 5, 0, 0, 0, 0, 0, 0 },
{ 3, 0, 0, 0, 0, 0, 0, 0 },
{ 6, 6, 0, 0, 0, 0, 0, 0 },
{ 2, 4, 0, 0, 0, 0, 0, 0 },
{ 2, 4, 5, 7, 0, 0, 0, 0 },
{ 2, 4, 5, 0, 0, 0, 0, 0 },
{ 2, 4, 6, 0, 0, 0, 0, 0 },
{ 2, 4, 5, 7, 5, 7, 0, 0 },
};
/* Private decoder state, stored in AVCodecContext.priv_data. */
typedef struct PAFVideoDecContext {
/* Output picture: refreshed with ff_reget_buffer() and handed out with
 * av_frame_ref() once per packet. */
AVFrame *pic;
/* Byte reader over the packet currently being decoded. */
GetByteContext gb;
/* Dimensions copied from avctx in paf_video_init(); both are required to
 * be multiples of 4 there. */
int width;
int height;
/* Index (0..3) of the page being written; advanced modulo 4 after every
 * decoded packet and reset to 0 on a keyframe. */
int current_frame;
/* Four page buffers of frame_size bytes each. The bitstream selects a page
 * with a 2-bit field, so every value of that field is a valid index. */
uint8_t *frame[4];
/* Allocated size of one page: width * FFALIGN(height, 256). Used as the
 * upper bound in the decoder's pointer checks. */
int frame_size;
/* Visible picture size in bytes: width * height. */
int video_size;
/* Not referenced by any function in this file. */
uint8_t *opcodes;
} PAFVideoDecContext;
/**
 * Release everything the decoder allocated: the output frame and the four
 * page buffers.
 *
 * av_frame_free() and av_freep() take the address of the pointer they free,
 * which is what lets paf_video_init() call this on a context whose page
 * buffers are only partly allocated.
 *
 * @return always 0.
 */
static av_cold int paf_video_close(AVCodecContext *avctx)
{
    PAFVideoDecContext *ctx = avctx->priv_data;
    int page = 0;

    av_frame_free(&ctx->pic);

    while (page < 4) {
        av_freep(&ctx->frame[page]);
        page++;
    }

    return 0;
}
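/**
 * Initialise the decoder: validate the dimensions, then allocate the output
 * frame and the four page buffers.
 *
 * Each page is width * FFALIGN(height, 256) bytes, i.e. the height is padded
 * up to a multiple of 256 rows before the multiplication. The dimensions are
 * taken from avctx (presumably filled in from the container, so they should
 * be treated as untrusted). The padded size is therefore passed through
 * av_image_check_size2(), which also applies avctx->max_pixels, before the
 * product is computed and four buffers of that size are requested. Without
 * that check a small file could ask for an oversized allocation (the "OOM"
 * this revision fixes).
 *
 * @return 0 on success, AVERROR_INVALIDDATA if a dimension is not a multiple
 *         of 4, the error from av_image_check_size2() if the padded size is
 *         rejected, or AVERROR(ENOMEM) if an allocation fails.
 */
static av_cold int paf_video_init(AVCodecContext *avctx)
{
    PAFVideoDecContext *c = avctx->priv_data;
    int i;
    int ret;

    c->width  = avctx->width;
    c->height = avctx->height;

    /* The decoder works on 4x4 blocks throughout. */
    if (avctx->height & 3 || avctx->width & 3) {
        av_log(avctx, AV_LOG_ERROR,
               "width %d and height %d must be multiples of 4.\n",
               avctx->width, avctx->height);
        return AVERROR_INVALIDDATA;
    }

    avctx->pix_fmt = AV_PIX_FMT_PAL8;

    /* Validate the padded page size, not just width x height: the padded
     * value is what gets multiplied and allocated below. */
    ret = av_image_check_size2(avctx->width, FFALIGN(avctx->height, 256),
                               avctx->max_pixels, avctx->pix_fmt, 0, avctx);
    if (ret < 0)
        return ret;

    c->pic = av_frame_alloc();
    if (!c->pic)
        return AVERROR(ENOMEM);

    c->frame_size = avctx->width * FFALIGN(avctx->height, 256);
    c->video_size = avctx->width * avctx->height;

    for (i = 0; i < 4; i++) {
        c->frame[i] = av_mallocz(c->frame_size);
        if (!c->frame[i]) {
            /* Frees c->pic and whichever pages were already allocated. */
            paf_video_close(avctx);
            return AVERROR(ENOMEM);
        }
    }

    return 0;
}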
/**
 * Read one literal 4x4 block from the packet: four reads of 4 bytes, each
 * stored one row (width bytes) below the previous one.
 *
 * No destination bound is checked here. decode_0() verifies that
 * dst + 3 * width + 4 stays within the page before calling.
 */
static void read4x4block(PAFVideoDecContext *c, uint8_t *dst, int width)
{
    uint8_t *row = dst;
    int rows_left = 4;

    while (rows_left-- > 0) {
        bytestream2_get_buffer(&c->gb, row, 4);
        row += width;
    }
}
/**
 * Fill selected pixels of a 4x2 area with a single colour.
 *
 * Bits 7..4 of mask select columns 0..3 of the first row, bits 3..0 select
 * columns 0..3 of the row width bytes further on. Unselected pixels are
 * left untouched. The caller must guarantee that dst[0 .. width + 3] is
 * writable; nothing is checked here.
 */
static void copy_color_mask(uint8_t *dst, int width, uint8_t mask, uint8_t color)
{
    int top_bit = 0x80;
    int bottom_bit = 0x08;
    int col;

    for (col = 0; col < 4; col++) {
        if (mask & top_bit)
            dst[col] = color;
        if (mask & bottom_bit)
            dst[width + col] = color;
        top_bit >>= 1;
        bottom_bit >>= 1;
    }
}
/**
 * Copy selected pixels of a 4x2 area from src to the same position in dst.
 *
 * Bits 7..4 of mask select columns 0..3 of the first row, bits 3..0 select
 * columns 0..3 of the row width bytes further on; both buffers use the same
 * stride. Neither buffer is bounds-checked here: the caller must guarantee
 * that indices 0 .. width + 3 are valid in both.
 */
static void copy_src_mask(uint8_t *dst, int width, uint8_t mask, const uint8_t *src)
{
    int top_bit = 0x80;
    int bottom_bit = 0x08;
    int col;

    for (col = 0; col < 4; col++) {
        if (mask & top_bit)
            dst[col] = src[col];
        if (mask & bottom_bit)
            dst[width + col] = src[width + col];
        top_bit >>= 1;
        bottom_bit >>= 1;
    }
}
/**
 * Read a 16-bit big-endian source reference from the packet and turn it into
 * a pointer into one of the four pages.
 *
 * Layout of the value: bits 15..14 select the page, bits 13..7 are y and
 * bits 6..0 are x, both in units of two pixels.
 *
 * The resulting *p is NOT validated: y * 2 * width can point beyond the
 * page. *pend is set to the end of the selected page so that the caller can
 * (and must) compare before reading through *p.
 */
static void set_src_position(PAFVideoDecContext *c,
                             const uint8_t **p,
                             const uint8_t **pend)
{
    const int packed = bytestream2_get_be16(&c->gb);
    const uint8_t *base = c->frame[packed >> 14];
    const int col = packed & 0x7F;
    const int row = (packed >> 7) & 0x7F;

    *p    = base + col * 2 + row * 2 * c->width;
    *pend = base + c->frame_size;
}
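/**
 * Decode a mode-0 packet (block copy / masked fill) into the current page.
 *
 * The packet is processed in three stages:
 *  1. an optional list of runs of literal 4x4 blocks, each run written to a
 *     page and position chosen by the stream;
 *  2. one 4x4 block copy per block of the picture, each from a source
 *     position chosen by the stream;
 *  3. an opcode table with one 4-bit opcode per 4x4 block; each opcode
 *     selects a row of block_sequences[] whose steps do masked colour fills
 *     or masked copies.
 *
 * Every page/position pair comes from the packet, so each stage compares the
 * computed pointer against the end of the selected page before touching it.
 *
 * @param c    decoder context; c->gb must be positioned after the header byte
 * @param pkt  start of the packet data that c->gb reads from
 * @param code packet header byte; bit 0x10 requests 4-byte alignment before
 *             stage 1 (the variable is reused as the step code in stage 3)
 * @return 0 on success, AVERROR_INVALIDDATA on a truncated or out-of-range
 *         packet.
 */
static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
{
    uint32_t opcode_size, offset;
    uint8_t *dst, *dend, mask = 0, color = 0;
    const uint8_t *src, *send, *opcodes;
    int i, j, op = 0;

    /* Stage 1: i runs of literal 4x4 blocks. */
    i = bytestream2_get_byte(&c->gb);
    if (i) {
        if (code & 0x10) {
            int align;

            align = bytestream2_tell(&c->gb) & 3;
            if (align)
                bytestream2_skip(&c->gb, 4 - align);
        }
        do {
            int page, val, x, y;

            val    = bytestream2_get_be16(&c->gb);
            page   = val >> 14;
            x      = (val & 0x7F) * 2;
            y      = ((val >> 7) & 0x7F) * 2;
            dst    = c->frame[page] + x + y * c->width;
            dend   = c->frame[page] + c->frame_size;
            offset = (x & 0x7F) * 2;
            j      = bytestream2_get_le16(&c->gb) + offset;
            /* j - offset is the block count just read; each block is 16
             * bytes of packet data. */
            if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16)
                return AVERROR_INVALIDDATA;
            do {
                offset++;
                /* The block covers 4 rows of 4 bytes starting at dst. */
                if (dst + 3 * c->width + 4 > dend)
                    return AVERROR_INVALIDDATA;
                read4x4block(c, dst, c->width);
                if ((offset & 0x3F) == 0)
                    dst += c->width * 3;
                dst += 4;
            } while (offset < j);
        } while (--i);
    }

    /* Stage 2: one block copy per 4x4 block. i is 0 here: it was either
     * read as 0 or counted down to 0 by the loop above. */
    dst  = c->frame[c->current_frame];
    dend = c->frame[c->current_frame] + c->frame_size;
    do {
        set_src_position(c, &src, &send);
        if ((src + 3 * c->width + 4 > send) ||
            (dst + 3 * c->width + 4 > dend) ||
            bytestream2_get_bytes_left(&c->gb) < 4)
            return AVERROR_INVALIDDATA;
        copy_block4(dst, src, c->width, c->width, 4);
        i++;
        if ((i & 0x3F) == 0)
            dst += c->width * 3;
        dst += 4;
    } while (i < c->video_size / 16);

    /* Stage 3: the opcode table occupies the next opcode_size bytes (after
     * two skipped bytes); the step arguments follow it in the packet. */
    opcode_size = bytestream2_get_le16(&c->gb);
    bytestream2_skip(&c->gb, 2);

    if (bytestream2_get_bytes_left(&c->gb) < opcode_size)
        return AVERROR_INVALIDDATA;

    opcodes = pkt + bytestream2_tell(&c->gb);
    bytestream2_skipu(&c->gb, opcode_size);

    dst = c->frame[c->current_frame];

    for (i = 0; i < c->height; i += 4, dst += c->width * 3)
        for (j = 0; j < c->width; j += 4, dst += 4) {
            int opcode, k = 0;

            /* opcodes[op] is read below, so op must be a valid index into
             * the opcode_size-byte table. The previous test (op >
             * opcode_size) let op == opcode_size through and read one byte
             * past the table the packet declared. */
            if (op >= opcode_size)
                return AVERROR_INVALIDDATA;
            if (j & 4) {
                opcode = opcodes[op] & 15;
                op++;
            } else {
                opcode = opcodes[op] >> 4;
            }

            while (block_sequences[opcode][k]) {
                offset = c->width * 2;
                code   = block_sequences[opcode][k++];

                switch (code) {
                case 2:
                    offset = 0;
                    /* fall through */
                case 3:
                    color = bytestream2_get_byte(&c->gb);
                    /* fall through */
                case 4:
                    mask = bytestream2_get_byte(&c->gb);
                    copy_color_mask(dst + offset, c->width, mask, color);
                    break;
                case 5:
                    offset = 0;
                    /* fall through */
                case 6:
                    set_src_position(c, &src, &send);
                    /* fall through */
                case 7:
                    /* copy_src_mask() reads two rows of 4 bytes starting
                     * at src + offset. */
                    if (src + offset + c->width + 4 > send)
                        return AVERROR_INVALIDDATA;
                    mask = bytestream2_get_byte(&c->gb);
                    copy_src_mask(dst + offset, c->width, mask, src + offset);
                    break;
                }
            }
        }

    return 0;
}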
/**
 * Decode one packet into the current page and output it as a PAL8 frame.
 *
 * The first byte of the packet is a header: the low nibble selects the
 * coding mode (0, 1, 2 or 4), 0x20 marks a keyframe, 0x40 announces a
 * palette update, and 0x10 is consumed by decode_0(). All lengths and
 * indices that follow come from the packet and are checked against the
 * remaining packet bytes or the page size before they are used.
 *
 * @return pkt->size on success, a negative AVERROR code otherwise.
 */
static int paf_video_decode(AVCodecContext *avctx, void *data,
                            int *got_frame, AVPacket *pkt)
{
    PAFVideoDecContext *c = avctx->priv_data;
    uint8_t code, *dst, *end;
    int i, frame, ret, mode;

    if (pkt->size < 2)
        return AVERROR_INVALIDDATA;

    bytestream2_init(&c->gb, pkt->data, pkt->size);

    code = bytestream2_get_byte(&c->gb);
    mode = code & 0xF;
    if (mode > 4 || mode == 3) {
        avpriv_request_sample(avctx, "unknown/invalid code");
        return AVERROR_INVALIDDATA;
    }

    ret = ff_reget_buffer(avctx, c->pic);
    if (ret < 0)
        return ret;

    if (code & 0x20) {
        /* Keyframe: wipe all four pages and the palette, restart at page 0. */
        for (i = 0; i < 4; i++)
            memset(c->frame[i], 0, c->frame_size);

        memset(c->pic->data[1], 0, AVPALETTE_SIZE);
        c->current_frame  = 0;
        c->pic->key_frame = 1;
        c->pic->pict_type = AV_PICTURE_TYPE_I;
    } else {
        c->pic->key_frame = 0;
        c->pic->pict_type = AV_PICTURE_TYPE_P;
    }

    if (code & 0x40) {
        /* Palette update: first entry, entry count - 1, then RGB triplets. */
        uint32_t *pal = (uint32_t *)c->pic->data[1];
        int first, entries;

        first   = bytestream2_get_byte(&c->gb);
        entries = bytestream2_get_byte(&c->gb) + 1;

        /* Keep the write inside the 256-entry palette ... */
        if (first + entries > 256)
            return AVERROR_INVALIDDATA;
        /* ... and make sure the unchecked reads below have data. */
        if (bytestream2_get_bytes_left(&c->gb) < 3 * entries)
            return AVERROR_INVALIDDATA;

        pal += first;
        for (i = 0; i < entries; i++) {
            unsigned r, g, b;

            /* NOTE(review): the components are expanded as if they were
             * 6-bit values but are not masked to 6 bits first. */
            r = bytestream2_get_byteu(&c->gb);
            r = r << 2 | r >> 4;
            g = bytestream2_get_byteu(&c->gb);
            g = g << 2 | g >> 4;
            b = bytestream2_get_byteu(&c->gb);
            b = b << 2 | b >> 4;
            *pal++ = (0xFFU << 24) | (r << 16) | (g << 8) | b;
        }
        c->pic->palette_has_changed = 1;
    }

    switch (mode) {
    case 0:
        /* Block-based motion compensation using 4x4 blocks with either
         * horizontal or vertical vectors; might incorporate VQ as well. */
        ret = decode_0(c, pkt->data, code);
        if (ret < 0)
            return ret;
        break;
    case 1:
        /* Uncompressed data: (width * height) bytes are copied straight
         * from the packet into the current page. */
        dst = c->frame[c->current_frame];
        // possibly chunk length data
        bytestream2_skip(&c->gb, 2);
        if (bytestream2_get_bytes_left(&c->gb) < c->video_size)
            return AVERROR_INVALIDDATA;
        bytestream2_get_bufferu(&c->gb, dst, c->video_size);
        break;
    case 2:
        /* Copy reference page: the next byte names the page to copy from
         * (0..3); copying a page onto itself is skipped. */
        frame = bytestream2_get_byte(&c->gb);
        if (frame > 3)
            return AVERROR_INVALIDDATA;
        if (frame != c->current_frame)
            memcpy(c->frame[c->current_frame], c->frame[frame], c->frame_size);
        break;
    case 4:
        /* Run length encoding. */
        dst = c->frame[c->current_frame];
        end = dst + c->video_size;

        bytestream2_skip(&c->gb, 2);

        while (dst < end) {
            int8_t run;
            int count;

            if (bytestream2_get_bytes_left(&c->gb) < 2)
                return AVERROR_INVALIDDATA;

            run   = bytestream2_get_byteu(&c->gb);
            count = FFABS(run) + 1;

            /* A run may not extend past the visible picture area. */
            if (dst + count > end)
                return AVERROR_INVALIDDATA;
            if (run < 0)
                memset(dst, bytestream2_get_byteu(&c->gb), count);
            else
                bytestream2_get_buffer(&c->gb, dst, count);
            dst += count;
        }
        break;
    default:
        /* Modes 3 and above 4 were rejected before the switch. */
        av_assert0(0);
    }

    av_image_copy_plane(c->pic->data[0], c->pic->linesize[0],
                        c->frame[c->current_frame], c->width,
                        c->width, c->height);

    c->current_frame = (c->current_frame + 1) & 3;

    ret = av_frame_ref(data, c->pic);
    if (ret < 0)
        return ret;

    *got_frame = 1;

    return pkt->size;
}
/* Codec registration entry: binds the init/close/decode callbacks defined in
 * this file to AV_CODEC_ID_PAF_VIDEO and sizes priv_data for
 * PAFVideoDecContext. */
AVCodec ff_paf_video_decoder = {
.name = "paf_video",
.long_name = NULL_IF_CONFIG_SMALL("Amazing Studio Packed Animation File Video"),
.type = AVMEDIA_TYPE_VIDEO,
.id = AV_CODEC_ID_PAF_VIDEO,
.priv_data_size = sizeof(PAFVideoDecContext),
.init = paf_video_init,
.close = paf_video_close,
.decode = paf_video_decode,
.capabilities = AV_CODEC_CAP_DR1,
};