generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge commit 'a0a90b1a1116250a2494021da810cc5da89ea36f' into release/0.10

Browse Source 
* commit 'a0a90b1a1116250a2494021da810cc5da89ea36f':
  tiffdec: use bytestream2 to simplify overread/overwrite protection

Conflicts:
	libavcodec/tiff.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2014-06-03 02:27:34 +02:00
parent b827189c6f a0a90b1a11
commit c437ab3c4e
1 changed files with 117 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

246
libavcodec/tiff.c
View File

@@ -25,6 +25,7 @@
*/
#include "avcodec.h"
#include "bytestream.h"
#if CONFIG_ZLIB
#include <zlib.h>
#endif
@@ -38,6 +39,7 @@
typedef struct TiffContext {
AVCodecContext *avctx;
AVFrame picture;
GetByteContext gb;
int width, height;
unsigned int bpp, bppcount;
@@ -52,30 +54,27 @@ typedef struct TiffContext {
int strips, rps, sstype;
int sot;
const uint8_t* stripdata;
const uint8_t* stripsizes;
int stripsize, stripoff;
int stripsizesoff, stripsize, stripoff, strippos;
LZWState *lzw;
} TiffContext;
static unsigned tget_short(const uint8_t **p, int le) {
unsigned v = le ? AV_RL16(*p) : AV_RB16(*p);
*p += 2;
return v;
static unsigned tget_short(GetByteContext *gb, int le)
{
return le ? bytestream2_get_le16(gb) : bytestream2_get_be16(gb);
}
static unsigned tget_long(const uint8_t **p, int le) {
unsigned v = le ? AV_RL32(*p) : AV_RB32(*p);
*p += 4;
return v;
static unsigned tget_long(GetByteContext *gb, int le)
{
return le ? bytestream2_get_le32(gb) : bytestream2_get_be32(gb);
}
static unsigned tget(const uint8_t **p, int type, int le) {
static unsigned tget(GetByteContext *gb, int type, int le)
{
switch(type){
case TIFF_BYTE : return *(*p)++;
case TIFF_SHORT: return tget_short(p, le);
case TIFF_LONG : return tget_long (p, le);
default : return UINT_MAX;
case TIFF_BYTE: return bytestream2_get_byte(gb);
case TIFF_SHORT: return tget_short(gb, le);
case TIFF_LONG: return tget_long(gb, le);
default: return UINT_MAX;
}
}
@@ -143,8 +142,8 @@ static void av_always_inline horizontal_fill(unsigned int bpp, uint8_t* dst,
}
static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uint8_t *src, int size, int lines){
PutByteContext pb;
int c, line, pixels, code;
const uint8_t *ssrc = src;
int width = ((s->width * s->bpp) + 7) >> 3;
#if CONFIG_ZLIB
uint8_t *zbuf; unsigned long outlen;
@@ -178,6 +177,16 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
av_log(s->avctx, AV_LOG_ERROR, "Error initializing LZW decoder\n");
return -1;
}
for (line = 0; line < lines; line++) {
pixels = ff_lzw_decode(s->lzw, dst, width);
if (pixels < width) {
av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n",
pixels, width);
return AVERROR_INVALIDDATA;
}
dst += stride;
}
return 0;
}
if(s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3 || s->compr == TIFF_G4){
int i, ret = 0;
@@ -214,65 +223,40 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
av_free(src2);
return ret;
}
bytestream2_init(&s->gb, src, size);
bytestream2_init_writer(&pb, dst, stride * lines);
for(line = 0; line < lines; line++){
if(src - ssrc > size){
av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n");
return -1;
}
if (bytestream2_get_bytes_left(&s->gb) == 0 || bytestream2_get_eof(&pb))
break;
bytestream2_seek_p(&pb, stride * line, SEEK_SET);
switch(s->compr){
case TIFF_RAW:
if (ssrc + size - src < width)
return AVERROR_INVALIDDATA;
if (!s->fill_order) {
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8),
dst, 1, src, 0, width, 0);
bytestream2_copy_buffer(&pb, &s->gb, width);
} else {
int i;
for (i = 0; i < width; i++)
dst[i] = av_reverse[src[i]];
bytestream2_put_byte(&pb, av_reverse[bytestream2_get_byte(&s->gb)]);
}
src += width;
break;
case TIFF_PACKBITS:
for(pixels = 0; pixels < width;){
if (ssrc + size - src < 2)
return AVERROR_INVALIDDATA;
code = (int8_t)*src++;
code = (int8_t)bytestream2_get_byte(&s->gb);
if(code >= 0){
code++;
if (pixels + code > width ||
ssrc + size - src < code) {
av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n");
return -1;
}
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8),
dst, 1, src, 0, code, pixels);
src += code;
bytestream2_copy_buffer(&pb, &s->gb, code);
pixels += code;
}else if(code != -128){ // -127..-1
code = (-code) + 1;
if(pixels + code > width){
av_log(s->avctx, AV_LOG_ERROR, "Run went out of bounds\n");
return -1;
}
c = *src++;
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8),
dst, 0, NULL, c, code, pixels);
c = bytestream2_get_byte(&s->gb);
bytestream2_set_buffer(&pb, c, code);
pixels += code;
}
}
break;
case TIFF_LZW:
pixels = ff_lzw_decode(s->lzw, dst, width);
if(pixels < width){
av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n", pixels, width);
return -1;
}
if (s->bpp < 8 && s->avctx->pix_fmt == PIX_FMT_PAL8)
horizontal_fill(s->bpp, dst, 1, dst, 0, width, 0);
break;
}
dst += stride;
}
return 0;
}
@@ -341,19 +325,19 @@ static int init_image(TiffContext *s)
return 0;
}
static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf)
static int tiff_decode_tag(TiffContext *s)
{
unsigned tag, type, count, off, value = 0;
int i, j;
int i, start;
uint32_t *pal;
const uint8_t *rp, *gp, *bp;
if (end_buf - buf < 12)
if (bytestream2_get_bytes_left(&s->gb) < 12)
return -1;
tag = tget_short(&buf, s->le);
type = tget_short(&buf, s->le);
count = tget_long(&buf, s->le);
off = tget_long(&buf, s->le);
tag = tget_short(&s->gb, s->le);
type = tget_short(&s->gb, s->le);
count = tget_long(&s->gb, s->le);
off = tget_long(&s->gb, s->le);
start = bytestream2_tell(&s->gb);
if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
@@ -364,34 +348,26 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
switch(type){
case TIFF_BYTE:
case TIFF_SHORT:
buf -= 4;
value = tget(&buf, type, s->le);
buf = NULL;
bytestream2_seek(&s->gb, -4, SEEK_CUR);
value = tget(&s->gb, type, s->le);
break;
case TIFF_LONG:
value = off;
buf = NULL;
break;
case TIFF_STRING:
if(count <= 4){
buf -= 4;
bytestream2_seek(&s->gb, -4, SEEK_CUR);
break;
}
default:
value = UINT_MAX;
buf = start + off;
bytestream2_seek(&s->gb, off, SEEK_SET);
}
} else {
if (count <= 4 && type_sizes[type] * count <= 4) {
buf -= 4;
} else {
buf = start + off;
}
}
if(buf && (buf < start || buf > end_buf)){
av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n");
return -1;
if (count <= 4 && type_sizes[type] * count <= 4)
bytestream2_seek(&s->gb, -4, SEEK_CUR);
else
bytestream2_seek(&s->gb, off, SEEK_SET);
}
switch(tag){
@@ -416,7 +392,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
case TIFF_SHORT:
case TIFF_LONG:
s->bpp = 0;
for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le);
for (i = 0; i < count; i++)
s->bpp += tget(&s->gb, type, s->le);
break;
default:
s->bpp = -1;
@@ -474,32 +451,24 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
break;
case TIFF_STRIP_OFFS:
if(count == 1){
s->stripdata = NULL;
s->strippos = 0;
s->stripoff = value;
}else
s->stripdata = start + off;
s->strippos = off;
s->strips = count;
if(s->strips == 1) s->rps = s->height;
s->sot = type;
if(s->stripdata > end_buf){
av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n");
return -1;
}
break;
case TIFF_STRIP_SIZE:
if(count == 1){
s->stripsizes = NULL;
s->stripsizesoff = 0;
s->stripsize = value;
s->strips = 1;
}else{
s->stripsizes = start + off;
s->stripsizesoff = off;
}
s->strips = count;
s->sstype = type;
if(s->stripsizes > end_buf){
av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n");
return -1;
}
break;
case TIFF_TILE_BYTE_COUNTS:
case TIFF_TILE_LENGTH:
@@ -534,24 +503,27 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
}
s->fill_order = value - 1;
break;
case TIFF_PAL:
case TIFF_PAL: {
GetByteContext pal_gb[3];
pal = (uint32_t *) s->palette;
off = type_sizes[type];
if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3)
if (count / 3 > 256 ||
bytestream2_get_bytes_left(&s->gb) < count / 3 * off * 3)
return -1;
rp = buf;
gp = buf + count / 3 * off;
bp = buf + count / 3 * off * 2;
pal_gb[0] = pal_gb[1] = pal_gb[2] = s->gb;
bytestream2_skip(&pal_gb[1], count / 3 * off);
bytestream2_skip(&pal_gb[2], count / 3 * off * 2);
off = (type_sizes[type] - 1) << 3;
for(i = 0; i < count / 3; i++){
j = 0xff << 24;
j |= (tget(&rp, type, s->le) >> off) << 16;
j |= (tget(&gp, type, s->le) >> off) << 8;
j |= tget(&bp, type, s->le) >> off;
pal[i] = j;
uint32_t p = 0xFF000000;
p |= (tget(&pal_gb[0], type, s->le) >> off) << 16;
p |= (tget(&pal_gb[1], type, s->le) >> off) << 8;
p |= tget(&pal_gb[2], type, s->le) >> off;
pal[i] = p;
}
s->palette_is_set = 1;
break;
}
case TIFF_PLANAR:
if(value == 2){
av_log(s->avctx, AV_LOG_ERROR, "Planar format is not supported\n");
@@ -569,6 +541,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
default:
av_log(s->avctx, AV_LOG_DEBUG, "Unknown or unsupported tag %d/0X%0X\n", tag, tag);
}
bytestream2_seek(&s->gb, start, SEEK_SET);
return 0;
}
@@ -576,23 +549,24 @@ static int decode_frame(AVCodecContext *avctx,
void *data, int *data_size,
AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
TiffContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p= (AVFrame*)&s->picture;
const uint8_t *orig_buf = buf, *end_buf = buf + buf_size;
unsigned off;
int id, le, ret;
int i, j, entries;
int stride;
unsigned soff, ssize;
uint8_t *dst;
GetByteContext stripsizes;
GetByteContext stripdata;
bytestream2_init(&s->gb, avpkt->data, avpkt->size);
//parse image header
if (end_buf - buf < 8)
if (avpkt->size < 8)
return AVERROR_INVALIDDATA;
id = AV_RL16(buf); buf += 2;
id = bytestream2_get_le16(&s->gb);
if(id == 0x4949) le = 1;
else if(id == 0x4D4D) le = 0;
else{
@@ -605,26 +579,25 @@ static int decode_frame(AVCodecContext *avctx,
s->fill_order = 0;
// As TIFF 6.0 specification puts it "An arbitrary but carefully chosen number
// that further identifies the file as a TIFF file"
if(tget_short(&buf, le) != 42){
if (tget_short(&s->gb, le) != 42) {
av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
return -1;
}
// Reset these pointers so we can tell if they were set this frame
s->stripsizes = s->stripdata = NULL;
// Reset these offsets so we can tell if they were set this frame
s->stripsizesoff = s->strippos = 0;
/* parse image file directory */
off = tget_long(&buf, le);
if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
off = tget_long(&s->gb, le);
if (off >= UINT_MAX - 14 || avpkt->size < off + 14) {
av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
return AVERROR_INVALIDDATA;
}
buf = orig_buf + off;
entries = tget_short(&buf, le);
bytestream2_seek(&s->gb, off, SEEK_SET);
entries = tget_short(&s->gb, le);
for(i = 0; i < entries; i++){
if(tiff_decode_tag(s, orig_buf, buf, end_buf) < 0)
if (tiff_decode_tag(s) < 0)
return -1;
buf += 12;
}
if(!s->stripdata && !s->stripoff){
if (!s->strippos && !s->stripoff) {
av_log(avctx, AV_LOG_ERROR, "Image data is missing\n");
return -1;
}
@@ -634,30 +607,41 @@ static int decode_frame(AVCodecContext *avctx,
if(s->strips == 1 && !s->stripsize){
av_log(avctx, AV_LOG_WARNING, "Image data size missing\n");
s->stripsize = buf_size - s->stripoff;
s->stripsize = avpkt->size - s->stripoff;
}
stride = p->linesize[0];
dst = p->data[0];
for(i = 0; i < s->height; i += s->rps){
if(s->stripsizes) {
if (s->stripsizes >= end_buf)
if (s->stripsizesoff) {
if (s->stripsizesoff >= avpkt->size)
return AVERROR_INVALIDDATA;
ssize = tget(&s->stripsizes, s->sstype, s->le);
} else
bytestream2_init(&stripsizes, avpkt->data + s->stripsizesoff,
avpkt->size - s->stripsizesoff);
}
if (s->strippos) {
if (s->strippos >= avpkt->size)
return AVERROR_INVALIDDATA;
bytestream2_init(&stripdata, avpkt->data + s->strippos,
avpkt->size - s->strippos);
}
for(i = 0; i < s->height; i += s->rps){
if (s->stripsizesoff)
ssize = tget(&stripsizes, s->sstype, le);
else
ssize = s->stripsize;
if(s->stripdata){
if (s->stripdata >= end_buf)
return AVERROR_INVALIDDATA;
soff = tget(&s->stripdata, s->sot, s->le);
}else
if (s->strippos)
soff = tget(&stripdata, s->sot, le);
else
soff = s->stripoff;
if (soff > buf_size || ssize > buf_size - soff) {
if (soff > avpkt->size || ssize > avpkt->size - soff) {
av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n");
return -1;
}
if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
if (tiff_unpack_strip(s, dst, stride, avpkt->data + soff, ssize,
FFMIN(s->rps, s->height - i)) < 0)
break;
dst += s->rps * stride;
}
@@ -699,7 +683,7 @@ static int decode_frame(AVCodecContext *avctx,
*picture= *(AVFrame*)&s->picture;
*data_size = sizeof(AVPicture);
return buf_size;
return avpkt->size;
}
static av_cold int tiff_init(AVCodecContext *avctx){