Diffstat (limited to 'libavcodec/smacker.c')
-rw-r--r-- | libavcodec/smacker.c | 141 |
1 files changed, 94 insertions, 47 deletions
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index a27997f361..c070150f7d 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -2,20 +2,20 @@ * Smacker decoder * Copyright (c) 2006 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -97,10 +97,14 @@ enum SmkBlockTypes { */ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length) { + if(length > 32 || length > 3*SMKTREE_BITS) { + av_log(NULL, AV_LOG_ERROR, "length too long\n"); + return AVERROR_INVALIDDATA; + } if(!get_bits1(gb)){ //Leaf if(hc->current >= 256){ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); - return -1; + return AVERROR_INVALIDDATA; } if(length){ hc->bits[hc->current] = prefix; 
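Review bot: The new bound at the top of smacker_decode_tree has no comment saying where `3*SMKTREE_BITS` comes from, and the `length > 32` half is redundant whenever SMKTREE_BITS is 10 or less (its value is not visible here). The trees built by this function are later read with `get_vlc2(gb, ..., SMKTREE_BITS, 3)`, so a code longer than three table levels could never be decoded anyway; I would state that above the check, e.g. `/* get_vlc2() is called with max_depth 3, so codes longer than 3*SMKTREE_BITS are undecodable; 32 is the width of prefix */`. The message `"length too long\n"` would also be easier to triage if it printed the offending length. The function body continues outside the hunk.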
@@ -131,14 +135,14 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx { if (hc->current + 1 >= hc->length) { av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); - return -1; + return AVERROR_INVALIDDATA; } if(!get_bits1(gb)){ //Leaf int val, i1, i2; i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; if (i1 < 0 || i2 < 0) - return -1; + return AVERROR_INVALIDDATA; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { ctx->last[0] = hc->current; @@ -170,7 +174,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx } /** - * Store large tree as Libav's vlc codes + * Store large tree as FFmpeg's vlc codes */ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int **recodes, int *last, int size) { @@ -184,7 +188,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow av_log(smk->avctx, AV_LOG_ERROR, "size too large\n"); - return -1; + return AVERROR_INVALIDDATA; } tmp1.length = 256; 
@@ -202,38 +206,45 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int tmp2.values = av_mallocz(256 * sizeof(int)); if(get_bits1(gb)) { - smacker_decode_tree(gb, &tmp1, 0, 0); + res = smacker_decode_tree(gb, &tmp1, 0, 0); + if (res < 0) + return res; skip_bits1(gb); - res = init_vlc(&vlc[0], SMKTREE_BITS, tmp1.length, - tmp1.lengths, sizeof(int), sizeof(int), - tmp1.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); - if(res < 0) { - av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); - return -1; + if(tmp1.current > 1) { + res = init_vlc(&vlc[0], SMKTREE_BITS, tmp1.length, + tmp1.lengths, sizeof(int), sizeof(int), + tmp1.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); + if(res < 0) { + av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); + return AVERROR_INVALIDDATA; + } } - } else { + } + if (!vlc[0].table) { av_log(smk->avctx, AV_LOG_ERROR, "Skipping low bytes tree\n"); } if(get_bits1(gb)){ - smacker_decode_tree(gb, &tmp2, 0, 0); + res = smacker_decode_tree(gb, &tmp2, 0, 0); + if (res < 0) + return res; skip_bits1(gb); - res = init_vlc(&vlc[1], SMKTREE_BITS, tmp2.length, - tmp2.lengths, sizeof(int), sizeof(int), - tmp2.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); - if(res < 0) { - av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); - return -1; + if(tmp2.current > 1) { + res = init_vlc(&vlc[1], SMKTREE_BITS, tmp2.length, + tmp2.lengths, sizeof(int), sizeof(int), + tmp2.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); + if(res < 0) { + av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); + return AVERROR_INVALIDDATA; + } } - } else { + } + if (!vlc[1].table) { av_log(smk->avctx, AV_LOG_ERROR, "Skipping high bytes tree\n"); } - escapes[0] = get_bits(gb, 8); - escapes[0] |= get_bits(gb, 8) << 8; - escapes[1] = get_bits(gb, 8); - escapes[1] |= get_bits(gb, 8) << 8; - escapes[2] = get_bits(gb, 8); - escapes[2] |= get_bits(gb, 8) << 8; + escapes[0] = get_bits(gb, 16); 
+ escapes[1] = get_bits(gb, 16); + escapes[2] = get_bits(gb, 16); last[0] = last[1] = last[2] = -1; @@ -257,6 +268,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; + if(huff.current > huff.length){ + ctx.last[0] = ctx.last[1] = ctx.last[2] = 1; + av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n"); + return AVERROR_INVALIDDATA; + } *recodes = huff.values; @@ -292,7 +308,7 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size)) - return -1; + return AVERROR_INVALIDDATA; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); @@ -301,7 +317,7 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size)) - return -1; + return AVERROR_INVALIDDATA; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); @@ -310,7 +326,7 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size)) - return -1; + return AVERROR_INVALIDDATA; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); @@ -319,7 +335,7 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size)) - return -1; + return AVERROR_INVALIDDATA; } return 0; 
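Review bot: The added `if (res < 0) return res;` after each smacker_decode_tree call in smacker_decode_header_tree returns without releasing the scratch buffers allocated just above (`tmp2.values = av_mallocz(256 * sizeof(int));` is visible in the context; the other tmp1/tmp2 arrays are presumably allocated the same way before the hunk), so every rejected header tree leaks them. The `return AVERROR_INVALIDDATA` paths after init_vlc and the new "bigtree damaged" return at `huff.current > huff.length` do the same, and for the second tree they also leave `vlc[0]` built. I would record the error and jump to one cleanup label that frees the buffers and VLC tables, e.g. `if (res < 0) { err = res; goto error; }`, assuming the function's normal exit (outside this hunk) already does that freeing. The same early-return pattern is added in smka_decode_frame, where `h[i].lengths` and `h[i].values` are allocated right before `if (res < 0) return res;` and the new "invalid vlc" and `get_bits_left` returns sit inside the per-packet sample loops, so the leak there can accumulate on malformed input. The av_mallocz results shown in the context are also used without a NULL check.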
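Review bot: The four call sites in decode_header_trees still test `if (smacker_decode_header_tree(...))` and return a fixed AVERROR_INVALIDDATA, which discards the code the callee now returns. Every callee path visible in this commit returns AVERROR_INVALIDDATA, so nothing is lost today, but propagating the value keeps the cause intact if an allocation-failure path is added later, e.g. `ret = smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); if (ret < 0) return ret;` (this needs a local `ret`, which I cannot see declared in the hunk). The same applies to the MCLR, FULL and TYPE call sites in the following hunks and to `if (decode_header_trees(c))` in decode_init.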
@@ -363,12 +379,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int flags; if (avpkt->size <= 769) - return 0; + return AVERROR_INVALIDDATA; - if ((ret = ff_reget_buffer(avctx, &smk->pic)) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + if ((ret = ff_reget_buffer(avctx, &smk->pic)) < 0) return ret; - } /* make the palette available on the way out */ pal = (uint32_t*)smk->pic.data[1]; @@ -382,7 +396,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, smk->pic.pict_type = AV_PICTURE_TYPE_P; for(i = 0; i < 256; i++) - *pal++ = bytestream2_get_be24u(&gb2); + *pal++ = 0xFFU << 24 | bytestream2_get_be24u(&gb2); last_reset(smk->mmap_tbl, smk->mmap_last); last_reset(smk->mclr_tbl, smk->mclr_last); @@ -523,11 +537,11 @@ static av_cold int decode_init(AVCodecContext *avctx) /* decode huffman trees from extradata */ if(avctx->extradata_size < 16){ av_log(avctx, AV_LOG_ERROR, "Extradata missing!\n"); - return -1; + return AVERROR(EINVAL); } if (decode_header_trees(c)) - return -1; + return AVERROR_INVALIDDATA; return 0; } @@ -593,6 +607,11 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, unp_size = AV_RL32(buf); + if (unp_size > (1U<<24)) { + av_log(avctx, AV_LOG_ERROR, "packet is too big\n"); + return AVERROR_INVALIDDATA; + } + init_get_bits(&gb, buf + 4, (buf_size - 4) * 8); if(!get_bits1(&gb)){ @@ -613,10 +632,8 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - } samples = (int16_t *)frame->data[0]; samples8 = frame->data[0]; 
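Review bot: The size guard `if (avpkt->size <= 769)` in decode_frame is now an error path, but 769 remains an unexplained literal. The next hunk reads 256 palette entries with the unchecked `bytestream2_get_be24u`, so this comparison appears to be what keeps those 768 bytes in bounds; a comment such as `/* 1 flags byte + 256 * 3 palette bytes, read below without bounds checks */` would make that dependency explicit (the flags read is outside the hunk, so the leading 1 is my inference). The new return is also silent; a one-line av_log would help distinguish it from the other AVERROR_INVALIDDATA exits.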
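Review bot: The log text `"packet is too big\n"` in smka_decode_frame does not match what the check tests: `unp_size` comes from `AV_RL32(buf)`, i.e. the unpacked size declared inside the packet, not the packet size. Something like `av_log(avctx, AV_LOG_ERROR, "declared unpacked size is too large\n");` would point whoever triages the log at the right field. The `1U<<24` cap is also a bare constant; a named macro or a short comment saying why that limit was chosen would help, since `unp_size` goes on to set `frame->nb_samples` and the bounds of both sample loops.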
@@ -629,7 +646,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, h[i].lengths = av_mallocz(256 * sizeof(int)); h[i].values = av_mallocz(256 * sizeof(int)); skip_bits1(&gb); - smacker_decode_tree(&gb, &h[i], 0, 0); + res = smacker_decode_tree(&gb, &h[i], 0, 0); + if (res < 0) + return res; skip_bits1(&gb); if(h[i].current > 1) { res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, @@ -637,7 +656,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, h[i].bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); if(res < 0) { av_log(avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); - return -1; + return AVERROR_INVALIDDATA; } } } @@ -647,16 +666,26 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, for(i = 0; i <= stereo; i++) *samples++ = pred[i]; for(; i < unp_size / 2; i++) { + if(get_bits_left(&gb)<0) + return AVERROR_INVALIDDATA; if(i & stereo) { if(vlc[2].table) res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val = h[2].values[res]; if(vlc[3].table) res = get_vlc2(&gb, vlc[3].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val |= h[3].values[res] << 8; pred[1] += sign_extend(val, 16); *samples++ = av_clip_int16(pred[1]); @@ -665,11 +694,19 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val = h[0].values[res]; if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val |= h[1].values[res] << 8; pred[0] += sign_extend(val, 16); *samples++ = av_clip_int16(pred[0]); 
@@ -681,11 +718,17 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; for(; i < unp_size; i++) { + if(get_bits_left(&gb)<0) + return AVERROR_INVALIDDATA; if(i & stereo){ if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } pred[1] += sign_extend(h[1].values[res], 8); *samples8++ = av_clip_uint8(pred[1]); } else { @@ -693,6 +736,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } pred[0] += sign_extend(h[0].values[res], 8); *samples8++ = av_clip_uint8(pred[0]); } |