From 29112db8c0f65886e69cbbd6f4e5c44d2d14d238 Mon Sep 17 00:00:00 2001
From: Aneesh Dogra <lionaneesh@gmail.com>
Date: Tue, 10 Jan 2012 23:38:03 +0530
Subject: bethsoftvideo: Use bytestream2 functions to prevent buffer overreads.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
---
 libavcodec/bethsoftvideo.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

(limited to 'libavcodec/bethsoftvideo.c')

diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c
index f4020d6ee5..fa0457cc66 100644
--- a/libavcodec/bethsoftvideo.c
+++ b/libavcodec/bethsoftvideo.c
@@ -34,6 +34,7 @@
 
 typedef struct BethsoftvidContext {
     AVFrame frame;
+    GetByteContext g;
 } BethsoftvidContext;
 
 static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
@@ -46,18 +47,18 @@ static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static int set_palette(AVFrame * frame, const uint8_t * palette_buffer, int buf_size)
+static int set_palette(BethsoftvidContext *ctx)
 {
-    uint32_t * palette = (uint32_t *)frame->data[1];
+    uint32_t *palette = (uint32_t *)ctx->frame.data[1];
     int a;
 
-    if (buf_size < 256*3)
+    if (bytestream2_get_bytes_left(&ctx->g) < 256*3)
         return AVERROR_INVALIDDATA;
 
     for(a = 0; a < 256; a++){
-        palette[a] = AV_RB24(&palette_buffer[a * 3]) * 4;
+        palette[a] = bytestream2_get_be24u(&ctx->g) * 4;
     }
-    frame->palette_has_changed = 1;
+    ctx->frame.palette_has_changed = 1;
     return 256*3;
 }
 
@@ -65,8 +66,6 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
                               void *data, int *data_size,
                               AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    int buf_size = avpkt->size;
     BethsoftvidContext * vid = avctx->priv_data;
     char block_type;
     uint8_t * dst;
@@ -80,29 +79,32 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
         av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
         return -1;
     }
+
+    bytestream2_init(&vid->g, avpkt->data, avpkt->size);
     dst = vid->frame.data[0];
     frame_end = vid->frame.data[0] + vid->frame.linesize[0] * avctx->height;
 
-    switch(block_type = *buf++){
-        case PALETTE_BLOCK:
-            return set_palette(&vid->frame, buf, buf_size);
+    switch(block_type = bytestream2_get_byte(&vid->g)){
+        case PALETTE_BLOCK: {
+            return set_palette(vid);
+        }
         case VIDEO_YOFF_P_FRAME:
-            yoffset = bytestream_get_le16(&buf);
+            yoffset = bytestream2_get_le16(&vid->g);
             if(yoffset >= avctx->height)
                 return -1;
             dst += vid->frame.linesize[0] * yoffset;
     }
 
     // main code
-    while((code = *buf++)){
+    while((code = bytestream2_get_byte(&vid->g))){
         int length = code & 0x7f;
 
         // copy any bytes starting at the current position, and ending at the frame width
         while(length > remaining){
             if(code < 0x80)
-                bytestream_get_buffer(&buf, dst, remaining);
+                bytestream2_get_buffer(&vid->g, dst, remaining);
             else if(block_type == VIDEO_I_FRAME)
-                memset(dst, buf[0], remaining);
+                memset(dst, bytestream2_peek_byte(&vid->g), remaining);
             length -= remaining;      // decrement the number of bytes to be copied
             dst += remaining + wrap_to_next_line;    // skip over extra bytes at end of frame
             remaining = avctx->width;
@@ -112,9 +114,9 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
 
         // copy any remaining bytes after / if line overflows
         if(code < 0x80)
-            bytestream_get_buffer(&buf, dst, length);
+            bytestream2_get_buffer(&vid->g, dst, length);
         else if(block_type == VIDEO_I_FRAME)
-            memset(dst, *buf++, length);
+            memset(dst, bytestream2_get_byte(&vid->g), length);
         remaining -= length;
         dst += length;
     }
@@ -123,7 +125,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
     *data_size = sizeof(AVFrame);
     *(AVFrame*)data = vid->frame;
 
-    return buf_size;
+    return avpkt->size;
 }
 
 static av_cold int bethsoftvid_decode_end(AVCodecContext *avctx)
-- 
cgit v1.2.3