1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00
FFmpeg/libavformat/fitsdec.c
Michael Niedermayer 14bbb6bb30 avformat/fitsdec: Better size checks
Fixes: out of array access
Fixes: 26819/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5634559355650048
Fixes: 26820/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5760774955597824
Fixes: 27379/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5129775942991872.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-23 01:05:25 +01:00

236 lines
6.4 KiB
C

/*
* FITS demuxer
* Copyright (c) 2017 Paras Chadha
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/**
* @file
* FITS demuxer.
*/
#include "libavutil/avassert.h"
#include "libavutil/intreadwrite.h"
#include "internal.h"
#include "libavutil/opt.h"
#include "libavcodec/fits.h"
#include "libavutil/bprint.h"
#define FITS_BLOCK_SIZE 2880
typedef struct FITSContext {
const AVClass *class;
AVRational framerate;
int first_image;
int64_t pts;
} FITSContext;
static int fits_probe(const AVProbeData *p)
{
const uint8_t *b = p->buf;
if (!memcmp(b, "SIMPLE = T", 30))
return AVPROBE_SCORE_MAX - 1;
return 0;
}
static int fits_read_header(AVFormatContext *s)
{
AVStream *st;
FITSContext * fits = s->priv_data;
st = avformat_new_stream(s, NULL);
if (!st)
return AVERROR(ENOMEM);
st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
st->codecpar->codec_id = AV_CODEC_ID_FITS;
avpriv_set_pts_info(st, 64, fits->framerate.den, fits->framerate.num);
fits->pts = 0;
fits->first_image = 1;
return 0;
}
/**
* Parses header and checks that the current HDU contains image or not
* It also stores the header in the avbuf and stores the size of data part in data_size
* @param s pointer to AVFormat Context
* @param fits pointer to FITSContext
* @param header pointer to FITSHeader
* @param avbuf pointer to AVBPrint to store the header
* @param data_size to store the size of data part
* @return 1 if image found, 0 if any other extension and AVERROR_INVALIDDATA otherwise
*/
static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *header,
AVBPrint *avbuf, uint64_t *data_size)
{
int i, ret, image = 0;
char buf[FITS_BLOCK_SIZE] = { 0 };
int64_t buf_size = 0, size = 0, t;
do {
ret = avio_read(s->pb, buf, FITS_BLOCK_SIZE);
if (ret < 0) {
return ret;
} else if (ret < FITS_BLOCK_SIZE) {
return AVERROR_INVALIDDATA;
}
av_bprint_append_data(avbuf, buf, FITS_BLOCK_SIZE);
ret = 0;
buf_size = 0;
while(!ret && buf_size < FITS_BLOCK_SIZE) {
ret = avpriv_fits_header_parse_line(s, header, buf + buf_size, NULL);
buf_size += 80;
}
} while (!ret);
if (ret < 0)
return ret;
image = fits->first_image || header->image_extension;
fits->first_image = 0;
if (header->groups) {
image = 0;
if (header->naxis > 1)
size = 1;
} else if (header->naxis) {
size = header->naxisn[0];
} else {
image = 0;
}
for (i = 1; i < header->naxis; i++) {
if(size && header->naxisn[i] > UINT64_MAX / size)
return AVERROR_INVALIDDATA;
size *= header->naxisn[i];
}
if(header->pcount > UINT64_MAX - size)
return AVERROR_INVALIDDATA;
size += header->pcount;
t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount);
if(size && t > INT64_MAX / size)
return AVERROR_INVALIDDATA;
size *= t;
if (!size) {
image = 0;
} else {
if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size)
return AVERROR_INVALIDDATA;
size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE;
}
*data_size = size;
return image;
}
static int fits_read_packet(AVFormatContext *s, AVPacket *pkt)
{
int64_t pos, ret;
uint64_t size;
FITSContext *fits = s->priv_data;
FITSHeader header;
AVBPrint avbuf;
char *buf;
if (fits->first_image) {
avpriv_fits_header_init(&header, STATE_SIMPLE);
} else {
avpriv_fits_header_init(&header, STATE_XTENSION);
}
av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED);
while ((ret = is_image(s, fits, &header, &avbuf, &size)) == 0) {
av_bprint_finalize(&avbuf, NULL);
pos = avio_skip(s->pb, size);
if (pos < 0)
return pos;
av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED);
avpriv_fits_header_init(&header, STATE_XTENSION);
}
if (ret < 0)
goto fail;
if (!av_bprint_is_complete(&avbuf)) {
ret = AVERROR(ENOMEM);
goto fail;
}
av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX);
if (avbuf.len + size > INT_MAX - 80) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
// Header is sent with the first line removed...
ret = av_new_packet(pkt, avbuf.len - 80 + size);
if (ret < 0)
goto fail;
pkt->stream_index = 0;
pkt->flags |= AV_PKT_FLAG_KEY;
ret = av_bprint_finalize(&avbuf, &buf);
if (ret < 0) {
return ret;
}
memcpy(pkt->data, buf + 80, avbuf.len - 80);
pkt->size = avbuf.len - 80;
av_freep(&buf);
ret = avio_read(s->pb, pkt->data + pkt->size, size);
if (ret < 0) {
return ret;
}
pkt->size += ret;
pkt->pts = fits->pts;
fits->pts++;
return 0;
fail:
av_bprint_finalize(&avbuf, NULL);
return ret;
}
static const AVOption fits_options[] = {
{ "framerate", "set the framerate", offsetof(FITSContext, framerate), AV_OPT_TYPE_VIDEO_RATE, {.str = "1"}, 0, INT_MAX, AV_OPT_FLAG_DECODING_PARAM},
{ NULL },
};
static const AVClass fits_demuxer_class = {
.class_name = "FITS demuxer",
.item_name = av_default_item_name,
.option = fits_options,
.version = LIBAVUTIL_VERSION_INT,
};
AVInputFormat ff_fits_demuxer = {
.name = "fits",
.long_name = NULL_IF_CONFIG_SMALL("Flexible Image Transport System"),
.priv_data_size = sizeof(FITSContext),
.read_probe = fits_probe,
.read_header = fits_read_header,
.read_packet = fits_read_packet,
.priv_class = &fits_demuxer_class,
.raw_codec_id = AV_CODEC_ID_FITS,
};