bethsoftvideo: Use bytestream2 functions to prevent buffer overreads.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
This commit is contained in:
Aneesh Dogra
committed by
Ronald S. Bultje
Ronald S. Bultje
parent
84e5159e25
commit
29112db8c0
@@ -34,6 +34,7 @@
|
|||||||
|
|
||||||
typedef struct BethsoftvidContext {
|
typedef struct BethsoftvidContext {
|
||||||
AVFrame frame;
|
AVFrame frame;
|
||||||
|
GetByteContext g;
|
||||||
} BethsoftvidContext;
|
} BethsoftvidContext;
|
||||||
|
|
||||||
static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
|
static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
|
||||||
@@ -46,18 +47,18 @@ static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int set_palette(AVFrame * frame, const uint8_t * palette_buffer, int buf_size)
|
static int set_palette(BethsoftvidContext *ctx)
|
||||||
{
|
{
|
||||||
uint32_t * palette = (uint32_t *)frame->data[1];
|
uint32_t *palette = (uint32_t *)ctx->frame.data[1];
|
||||||
int a;
|
int a;
|
||||||
|
|
||||||
if (buf_size < 256*3)
|
if (bytestream2_get_bytes_left(&ctx->g) < 256*3)
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
|
|
||||||
for(a = 0; a < 256; a++){
|
for(a = 0; a < 256; a++){
|
||||||
palette[a] = AV_RB24(&palette_buffer[a * 3]) * 4;
|
palette[a] = bytestream2_get_be24u(&ctx->g) * 4;
|
||||||
}
|
}
|
||||||
frame->palette_has_changed = 1;
|
ctx->frame.palette_has_changed = 1;
|
||||||
return 256*3;
|
return 256*3;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -65,8 +66,6 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
|
|||||||
void *data, int *data_size,
|
void *data, int *data_size,
|
||||||
AVPacket *avpkt)
|
AVPacket *avpkt)
|
||||||
{
|
{
|
||||||
const uint8_t *buf = avpkt->data;
|
|
||||||
int buf_size = avpkt->size;
|
|
||||||
BethsoftvidContext * vid = avctx->priv_data;
|
BethsoftvidContext * vid = avctx->priv_data;
|
||||||
char block_type;
|
char block_type;
|
||||||
uint8_t * dst;
|
uint8_t * dst;
|
||||||
@@ -80,29 +79,32 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
|
|||||||
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
|
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bytestream2_init(&vid->g, avpkt->data, avpkt->size);
|
||||||
dst = vid->frame.data[0];
|
dst = vid->frame.data[0];
|
||||||
frame_end = vid->frame.data[0] + vid->frame.linesize[0] * avctx->height;
|
frame_end = vid->frame.data[0] + vid->frame.linesize[0] * avctx->height;
|
||||||
|
|
||||||
switch(block_type = *buf++){
|
switch(block_type = bytestream2_get_byte(&vid->g)){
|
||||||
case PALETTE_BLOCK:
|
case PALETTE_BLOCK: {
|
||||||
return set_palette(&vid->frame, buf, buf_size);
|
return set_palette(vid);
|
||||||
|
}
|
||||||
case VIDEO_YOFF_P_FRAME:
|
case VIDEO_YOFF_P_FRAME:
|
||||||
yoffset = bytestream_get_le16(&buf);
|
yoffset = bytestream2_get_le16(&vid->g);
|
||||||
if(yoffset >= avctx->height)
|
if(yoffset >= avctx->height)
|
||||||
return -1;
|
return -1;
|
||||||
dst += vid->frame.linesize[0] * yoffset;
|
dst += vid->frame.linesize[0] * yoffset;
|
||||||
}
|
}
|
||||||
|
|
||||||
// main code
|
// main code
|
||||||
while((code = *buf++)){
|
while((code = bytestream2_get_byte(&vid->g))){
|
||||||
int length = code & 0x7f;
|
int length = code & 0x7f;
|
||||||
|
|
||||||
// copy any bytes starting at the current position, and ending at the frame width
|
// copy any bytes starting at the current position, and ending at the frame width
|
||||||
while(length > remaining){
|
while(length > remaining){
|
||||||
if(code < 0x80)
|
if(code < 0x80)
|
||||||
bytestream_get_buffer(&buf, dst, remaining);
|
bytestream2_get_buffer(&vid->g, dst, remaining);
|
||||||
else if(block_type == VIDEO_I_FRAME)
|
else if(block_type == VIDEO_I_FRAME)
|
||||||
memset(dst, buf[0], remaining);
|
memset(dst, bytestream2_peek_byte(&vid->g), remaining);
|
||||||
length -= remaining; // decrement the number of bytes to be copied
|
length -= remaining; // decrement the number of bytes to be copied
|
||||||
dst += remaining + wrap_to_next_line; // skip over extra bytes at end of frame
|
dst += remaining + wrap_to_next_line; // skip over extra bytes at end of frame
|
||||||
remaining = avctx->width;
|
remaining = avctx->width;
|
||||||
@@ -112,9 +114,9 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
|
|||||||
|
|
||||||
// copy any remaining bytes after / if line overflows
|
// copy any remaining bytes after / if line overflows
|
||||||
if(code < 0x80)
|
if(code < 0x80)
|
||||||
bytestream_get_buffer(&buf, dst, length);
|
bytestream2_get_buffer(&vid->g, dst, length);
|
||||||
else if(block_type == VIDEO_I_FRAME)
|
else if(block_type == VIDEO_I_FRAME)
|
||||||
memset(dst, *buf++, length);
|
memset(dst, bytestream2_get_byte(&vid->g), length);
|
||||||
remaining -= length;
|
remaining -= length;
|
||||||
dst += length;
|
dst += length;
|
||||||
}
|
}
|
||||||
@@ -123,7 +125,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
|
|||||||
*data_size = sizeof(AVFrame);
|
*data_size = sizeof(AVFrame);
|
||||||
*(AVFrame*)data = vid->frame;
|
*(AVFrame*)data = vid->frame;
|
||||||
|
|
||||||
return buf_size;
|
return avpkt->size;
|
||||||
}
|
}
|
||||||
|
|
||||||
static av_cold int bethsoftvid_decode_end(AVCodecContext *avctx)
|
static av_cold int bethsoftvid_decode_end(AVCodecContext *avctx)
|
||||||
|
|||||||
Reference in New Issue
Block a user