From b348c852aa8312d361123df0fa20e16feff7c2f1 Mon Sep 17 00:00:00 2001 From: Laurentiu Ion Date: Fri, 6 Jan 2012 20:42:00 +0200 Subject: flicvideo: fix invalid reads Prevent invalid reads using bytestream2 functions. Fixes bug #126. Signed-off-by: Justin Ruggles --- libavcodec/flicvideo.c | 166 +++++++++++++++++++++++-------------------------- 1 file changed, 77 insertions(+), 89 deletions(-) (limited to 'libavcodec/flicvideo.c') diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 8e8a813258..b7bbfb4f5d 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -41,6 +41,8 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "bytestream.h" +#include "mathops.h" #define FLI_256_COLOR 4 #define FLI_DELTA 7 @@ -132,7 +134,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, { FlicDecodeContext *s = avctx->priv_data; - int stream_ptr = 0; + GetByteContext g2; int stream_ptr_after_color_chunk; int pixel_ptr; int palette_ptr; @@ -163,6 +165,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, unsigned char *pixels; unsigned int pixel_limit; + bytestream2_init(&g2, buf, buf_size); + s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; if (avctx->reget_buffer(avctx, &s->frame) < 0) { 
@@ -172,25 +176,22 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; - - frame_size = AV_RL32(&buf[stream_ptr]); - stream_ptr += 6; /* skip the magic number */ - num_chunks = AV_RL16(&buf[stream_ptr]); - stream_ptr += 10; /* skip padding */ + frame_size = bytestream2_get_le32(&g2); + bytestream2_skip(&g2, 2); /* skip the magic number */ + num_chunks = bytestream2_get_le16(&g2); + bytestream2_skip(&g2, 8); /* skip padding */ frame_size -= 16; /* iterate through the chunks */ while ((frame_size > 0) && (num_chunks > 0)) { - chunk_size = AV_RL32(&buf[stream_ptr]); - stream_ptr += 4; - chunk_type = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + chunk_size = bytestream2_get_le32(&g2); + chunk_type = bytestream2_get_le16(&g2); switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: - stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6; + stream_ptr_after_color_chunk = bytestream2_tell(&g2) + chunk_size - 6; /* check special case: If this file is from the Magic Carpet * game and uses 6-bit colors even though it reports 256-color @@ -201,15 +202,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, else color_shift = 2; /* set up the palette */ - color_packets = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + color_packets = bytestream2_get_le16(&g2); palette_ptr = 0; for (i = 0; i < color_packets; i++) { /* first byte is how many colors to skip */ - palette_ptr += buf[stream_ptr++]; + palette_ptr += bytestream2_get_byte(&g2); /* next byte indicates how many entries to change */ - color_changes = buf[stream_ptr++]; + color_changes = bytestream2_get_byte(&g2); /* if there are 0 color changes, there are actually 256 */ if (color_changes == 0) 
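Review bot: The chunk header read (`chunk_size = bytestream2_get_le32(&g2);` / `chunk_type = bytestream2_get_le16(&g2);`) is still not validated against the bytes actually present, so a truncated or malformed frame no longer reads out of bounds but silently decodes the zero bytes bytestream2 returns past the end, and a chunk_size below 6 turns the `chunk_size - 6` used by the later skip cases into a huge unsigned value (chunk_size being unsigned is inferred from the comparisons in the FLI_COPY hunks). Right after reading chunk_type, a check such as `if (chunk_size < 6 || chunk_size - 6 > bytestream2_get_bytes_left(&g2)) { av_log(avctx, AV_LOG_ERROR, "invalid chunk size\n"); break; }` stops the loop at the first bad header instead of letting the remaining chunks parse garbage and relying on the final "final chunk ptr" log. The identical header code in flic_decode_frame_15_16BPP (hunk @@ -471,19 +468,17 @@) needs the same treatment. The while loop and its frame_size/num_chunks bookkeeping continue outside this hunk.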
@@ -222,9 +222,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if ((unsigned)palette_ptr >= 256) palette_ptr = 0; - r = buf[stream_ptr++] << color_shift; - g = buf[stream_ptr++] << color_shift; - b = buf[stream_ptr++] << color_shift; + r = bytestream2_get_byte(&g2) << color_shift; + g = bytestream2_get_byte(&g2) << color_shift; + b = bytestream2_get_byte(&g2) << color_shift; entry = (r << 16) | (g << 8) | b; if (s->palette[palette_ptr] != entry) s->new_palette = 1; @@ -233,20 +233,19 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } /* color chunks sometimes have weird 16-bit alignment issues; - * therefore, take the hardline approach and set the stream_ptr + * therefore, take the hardline approach and skip * to the value calculated w.r.t. the size specified by the color * chunk header */ - stream_ptr = stream_ptr_after_color_chunk; + if (stream_ptr_after_color_chunk - bytestream2_tell(&g2) > 0) + bytestream2_skip(&g2, stream_ptr_after_color_chunk - bytestream2_tell(&g2)); break; case FLI_DELTA: y_ptr = 0; - compressed_lines = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { - line_packets = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; 
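Review bot: The replacement for `stream_ptr = stream_ptr_after_color_chunk;` only ever moves forward, so when the palette packets consume more bytes than the chunk header declared (current position already past stream_ptr_after_color_chunk) the old code rewound to the declared chunk end while the new code stays where it is and every following chunk header is parsed from a shifted offset. That is a silent change from the previous resync behaviour; if this revision of bytestream.h provides bytestream2_seek, `bytestream2_seek(&g2, stream_ptr_after_color_chunk, SEEK_SET);` preserves the old semantics and still clamps to the buffer, otherwise at least log the overrun so a resulting garbage decode can be traced. Note also that stream_ptr_after_color_chunk is an int computed from an unsigned chunk_size, so an oversized chunk_size can wrap it negative and make the `> 0` test skip nothing; validating chunk_size at the header read avoids that. The FLI_COLOR case begins in the previous hunk.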
@@ -265,14 +264,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ - pixel_skip = buf[stream_ptr++]; + pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; - byte_run = (signed char)(buf[stream_ptr++]); + byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run < 0) { byte_run = -byte_run; - palette_idx1 = buf[stream_ptr++]; - palette_idx2 = buf[stream_ptr++]; + palette_idx1 = bytestream2_get_byte(&g2); + palette_idx2 = bytestream2_get_byte(&g2); CHECK_PIXEL_PTR(byte_run * 2); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { pixels[pixel_ptr++] = palette_idx1; @@ -281,8 +280,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } else { CHECK_PIXEL_PTR(byte_run * 2); for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { - palette_idx1 = buf[stream_ptr++]; - pixels[pixel_ptr++] = palette_idx1; + pixels[pixel_ptr++] = bytestream2_get_byte(&g2); } } } 
@@ -294,34 +292,31 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ - starting_line = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + starting_line = bytestream2_get_le16(&g2); y_ptr = 0; y_ptr += starting_line * s->frame.linesize[0]; - compressed_lines = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { pixel_ptr = y_ptr; CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; - line_packets = buf[stream_ptr++]; + line_packets = bytestream2_get_byte(&g2); if (line_packets > 0) { for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ - pixel_skip = buf[stream_ptr++]; + pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; - byte_run = (signed char)(buf[stream_ptr++]); + byte_run = sign_extend(bytestream2_get_byte(&g2),8); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { - palette_idx1 = buf[stream_ptr++]; - pixels[pixel_ptr++] = palette_idx1; + pixels[pixel_ptr++] = bytestream2_get_byte(&g2); } } else if (byte_run < 0) { byte_run = -byte_run; - palette_idx1 = buf[stream_ptr++]; + palette_idx1 = bytestream2_get_byte(&g2); CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { pixels[pixel_ptr++] = palette_idx1; @@ -349,12 +344,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixel_ptr = y_ptr; /* disregard the line packets; instead, iterate through all * pixels on a row */ - stream_ptr++; + bytestream2_skip(&g2, 1); pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { - byte_run = (signed char)(buf[stream_ptr++]); + byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { - palette_idx1 = buf[stream_ptr++]; + palette_idx1 = bytestream2_get_byte(&g2); CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { pixels[pixel_ptr++] = palette_idx1; 
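Review bot: `byte_run = sign_extend(bytestream2_get_byte(&g2),8);` in the FLI_LC case is the one call site in this patch without a space after the comma; every other new sign_extend call is written `sign_extend(bytestream2_get_byte(&g2), 8)` and the file's existing style separates arguments with a space. Worth fixing before merge so the idiom is consistent and greppable. The FLI_LC case continues beyond the end of this hunk.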
@@ -367,8 +362,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { - palette_idx1 = buf[stream_ptr++]; - pixels[pixel_ptr++] = palette_idx1; + pixels[pixel_ptr++] = bytestream2_get_byte(&g2); pixel_countdown--; if (pixel_countdown < 0) av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d) at line %d\n", @@ -386,20 +380,19 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if (chunk_size - 6 > s->avctx->width * s->avctx->height) { av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ "bigger than image, skipping chunk\n", chunk_size - 6); - stream_ptr += chunk_size - 6; + bytestream2_skip(&g2, chunk_size - 6); } else { for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; y_ptr += s->frame.linesize[0]) { - memcpy(&pixels[y_ptr], &buf[stream_ptr], - s->avctx->width); - stream_ptr += s->avctx->width; + bytestream2_get_buffer(&g2, &pixels[y_ptr], + s->avctx->width); } } break; case FLI_MINI: /* some sort of a thumbnail? disregard this chunk... */ - stream_ptr += chunk_size - 6; + bytestream2_skip(&g2, chunk_size - 6); break; default: @@ -413,9 +406,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, /* by the end of the chunk, the stream ptr should equal the frame * size (minus 1, possibly); if it doesn't, issue a warning */ - if ((stream_ptr != buf_size) && (stream_ptr != buf_size - 1)) + if ((bytestream2_get_bytes_left(&g2) != 0) && + (bytestream2_get_bytes_left(&g2) != 1)) av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \ - "and final chunk ptr = %d\n", buf_size, stream_ptr); + "and final chunk ptr = %d\n", buf_size, + buf_size - bytestream2_get_bytes_left(&g2)); /* make the palette available on the way out */ memcpy(s->frame.data[1], s->palette, AVPALETTE_SIZE); 
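Review bot: The FLI_COPY guard above the row loop only rejects a chunk that is larger than the image; a chunk shorter than width*height, or a frame truncated mid-chunk, now runs `bytestream2_get_buffer` with a short count and its return value is ignored, so the tail of the affected rows keeps whatever the reused frame buffer held and the only symptom is the "final chunk ptr" log at the end of the function. Adding `} else if (bytestream2_get_bytes_left(&g2) < s->avctx->width * s->avctx->height) {` with the same error log as the oversized case (and a break), or checking that each `bytestream2_get_buffer` call returned `s->avctx->width`, makes the short case explicit. The 15/16BPP FLI_COPY (hunks @@ -652,7 +641,7 @@ and @@ -661,18 +650,17 @@) has the same gap, with `bytestream2_get_le16` returning zeros past the end.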
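Review bot: The message argument `buf_size - bytestream2_get_bytes_left(&g2)` computes the same value that the corresponding line in flic_decode_frame_15_16BPP (hunk @@ -686,9 +674,9 @@) obtains from `bytestream2_tell(&g2)`; using `bytestream2_tell(&g2)` here as well keeps the two functions parallel and reads as what it is, the current position. The condition also calls bytestream2_get_bytes_left twice; a local `int left = bytestream2_get_bytes_left(&g2);` would serve both the test and the message. Now that reads are bounded, reaching this branch means the declared chunk sizes and the packet did not agree, so it may be worth deciding whether the frame should still be returned rather than only logged; that is a behaviour choice to confirm with the maintainers.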
@@ -438,7 +433,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, /* Format is the pixel format, the packets are processed the same. */ FlicDecodeContext *s = avctx->priv_data; - int stream_ptr = 0; + GetByteContext g2; int pixel_ptr; unsigned char palette_idx1; @@ -461,6 +456,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, int pixel; unsigned int pixel_limit; + bytestream2_init(&g2, buf, buf_size); + s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; if (avctx->reget_buffer(avctx, &s->frame) < 0) { @@ -471,19 +468,17 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; - frame_size = AV_RL32(&buf[stream_ptr]); - stream_ptr += 6; /* skip the magic number */ - num_chunks = AV_RL16(&buf[stream_ptr]); - stream_ptr += 10; /* skip padding */ + frame_size = bytestream2_get_le32(&g2); + bytestream2_skip(&g2, 2); /* skip the magic number */ + num_chunks = bytestream2_get_le16(&g2); + bytestream2_skip(&g2, 8); /* skip padding */ frame_size -= 16; /* iterate through the chunks */ while ((frame_size > 0) && (num_chunks > 0)) { - chunk_size = AV_RL32(&buf[stream_ptr]); - stream_ptr += 4; - chunk_type = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + chunk_size = bytestream2_get_le32(&g2); + chunk_type = bytestream2_get_le16(&g2); switch (chunk_type) { case FLI_256_COLOR: 
@@ -492,17 +487,15 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, * include one of these chunks in their first frame. * Why I do not know, it seems rather extraneous. */ /* av_log(avctx, AV_LOG_ERROR, "Unexpected Palette chunk %d in non-paletised FLC\n",chunk_type);*/ - stream_ptr = stream_ptr + chunk_size - 6; + bytestream2_skip(&g2, chunk_size - 6); break; case FLI_DELTA: case FLI_DTA_LC: y_ptr = 0; - compressed_lines = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { - line_packets = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; y_ptr += line_packets * s->frame.linesize[0]; @@ -513,14 +506,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ - pixel_skip = buf[stream_ptr++]; + pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */ pixel_countdown -= pixel_skip; - byte_run = (signed char)(buf[stream_ptr++]); + byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run < 0) { byte_run = -byte_run; - pixel = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + pixel = bytestream2_get_le16(&g2); CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown -= 2) { *((signed short*)(&pixels[pixel_ptr])) = pixel; @@ -529,8 +521,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, } else { CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { - *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2); pixel_ptr += 2; } } 
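Review bot: `line_packets = bytestream2_get_le16(&g2);` assigns an unsigned 16-bit value, so the `if (line_packets < 0)` test on the next line can never be true and the line-skip branch in the FLI_DELTA/FLI_DTA_LC case is dead, exactly as it was with AV_RL16. Since this patch already introduces sign_extend for the byte_run reads, `line_packets = sign_extend(bytestream2_get_le16(&g2), 16);` would make that branch reachable if the opcode is indeed a negative 16-bit count (the 8BPP path tests the same opcode via its 0xC000 mask); that is a behaviour change to confirm against a sample rather than a mechanical fix. Note too that `bytestream2_skip(&g2, chunk_size - 6);` in the palette case relies on bytestream2_skip clamping when chunk_size is below 6, which validating chunk_size at the header read would make unnecessary. The compressed_lines loop continues outside this hunk.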
@@ -543,7 +534,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, case FLI_LC: av_log(avctx, AV_LOG_ERROR, "Unexpected FLI_LC chunk in non-paletised FLC\n"); - stream_ptr = stream_ptr + chunk_size - 6; + bytestream2_skip(&g2, chunk_size - 6); break; case FLI_BLACK: @@ -558,13 +549,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_ptr = y_ptr; /* disregard the line packets; instead, iterate through all * pixels on a row */ - stream_ptr++; + bytestream2_skip(&g2, 1); pixel_countdown = (s->avctx->width * 2); while (pixel_countdown > 0) { - byte_run = (signed char)(buf[stream_ptr++]); + byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { - palette_idx1 = buf[stream_ptr++]; + palette_idx1 = bytestream2_get_byte(&g2); CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { pixels[pixel_ptr++] = palette_idx1; @@ -577,7 +568,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { - palette_idx1 = buf[stream_ptr++]; + palette_idx1 = bytestream2_get_byte(&g2); pixels[pixel_ptr++] = palette_idx1; pixel_countdown--; if (pixel_countdown < 0) @@ -610,14 +601,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_ptr = y_ptr; /* disregard the line packets; instead, iterate through all * pixels on a row */ - stream_ptr++; + bytestream2_skip(&g2, 1); pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */ while (pixel_countdown > 0) { - byte_run = (signed char)(buf[stream_ptr++]); + byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { - pixel = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + pixel = bytestream2_get_le16(&g2); CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = pixel; 
@@ -631,8 +621,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, byte_run = -byte_run; CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++) { - *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]); - stream_ptr += 2; + *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2); pixel_ptr += 2; pixel_countdown--; if (pixel_countdown < 0) @@ -652,7 +641,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (chunk_size - 6 > (unsigned int)(s->avctx->width * s->avctx->height)*2) { av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ "bigger than image, skipping chunk\n", chunk_size - 6); - stream_ptr += chunk_size - 6; + bytestream2_skip(&g2, chunk_size - 6); } else { for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; @@ -661,18 +650,17 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; pixel_ptr = 0; while (pixel_countdown > 0) { - *((signed short*)(&pixels[y_ptr + pixel_ptr])) = AV_RL16(&buf[stream_ptr+pixel_ptr]); + *((signed short*)(&pixels[y_ptr + pixel_ptr])) = bytestream2_get_le16(&g2); pixel_ptr += 2; pixel_countdown--; } - stream_ptr += s->avctx->width*2; } } break; case FLI_MINI: /* some sort of a thumbnail? disregard this chunk... */ - stream_ptr += chunk_size - 6; + bytestream2_skip(&g2, chunk_size - 6); break; default: @@ -686,9 +674,9 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, /* by the end of the chunk, the stream ptr should equal the frame * size (minus 1, possibly); if it doesn't, issue a warning */ - if ((stream_ptr != buf_size) && (stream_ptr != buf_size - 1)) + if ((bytestream2_get_bytes_left(&g2) != 0) && (bytestream2_get_bytes_left(&g2) != 1)) av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \ - "and final chunk ptr = %d\n", buf_size, stream_ptr); + "and final chunk ptr = %d\n", buf_size, bytestream2_tell(&g2)); *data_size=sizeof(AVFrame); -- cgit v1.2.3