From 7b588bb691644e1b3c168b99accf74248a24e3cf Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 3 Aug 2014 10:14:48 +0200 Subject: svq1: do not modify the input packet The input data must remain constant, make a copy instead. This is in theory a performance hit, but since I failed to find any samples using this feature, this should not matter in practice. Also, check the size of the header, avoiding invalid reads on truncated data. CC:libav-stable@libav.org --- libavcodec/svq1dec.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'libavcodec/svq1dec.c') diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 000487b197..14ff41cc18 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -60,6 +60,10 @@ typedef struct SVQ1Context { HpelDSPContext hdsp; GetBitContext gb; AVFrame *prev; + + uint8_t *pkt_swapped; + int pkt_swapped_allocated; + int width; int height; int frame_code; @@ -626,7 +630,24 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, /* swap some header bytes (why?) */ if (s->frame_code != 0x20) { - uint32_t *src = (uint32_t *)(buf + 4); + uint32_t *src; + + if (buf_size < 9 * 4) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + + av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, + buf_size); + if (!s->pkt_swapped) + return AVERROR(ENOMEM); + + memcpy(s->pkt_swapped, buf, buf_size); + buf = s->pkt_swapped; + init_get_bits(&s->gb, buf, buf_size * 8); + skip_bits(&s->gb, 22); + + src = (uint32_t *)(s->pkt_swapped + 4); for (i = 0; i < 4; i++) src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i]; @@ -796,6 +817,7 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx) SVQ1Context *s = avctx->priv_data; av_frame_free(&s->prev); + av_freep(&s->pkt_swapped); return 0; } -- cgit v1.2.3