generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

truemotion2: convert packet header reading to bytestream2.

Browse Source 
Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Ronald S. Bultje 2012-03-28 11:53:13 -07:00 committed by Reinhard Tartler
parent d6372e80fe
commit e711ccee4d
1 changed files with 31 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
libavcodec/truemotion2.c
View File

@ -25,6 +25,7 @@
*/ */
#include "avcodec.h" #include "avcodec.h"
#include "bytestream.h"
#include "get_bits.h" #include "get_bits.h"
#include "dsputil.h" #include "dsputil.h"
@ -248,13 +249,14 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) {
static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size) static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size)
{ {
int i; int i;
int cur = 0;
int skip = 0; int skip = 0;
int len, toks; int len, toks, pos;
TM2Codes codes; TM2Codes codes;
GetByteContext gb;
/* get stream length in dwords */ /* get stream length in dwords */
len = AV_RB32(buf); buf += 4; cur += 4; bytestream2_init(&gb, buf, buf_size);
len = bytestream2_get_be32(&gb);
skip = len * 4 + 4; skip = len * 4 + 4;
if(len == 0) if(len == 0)
@ -265,36 +267,37 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
return -1; return -1;
} }
toks = AV_RB32(buf); buf += 4; cur += 4; toks = bytestream2_get_be32(&gb);
if(toks & 1) { if(toks & 1) {
len = AV_RB32(buf); buf += 4; cur += 4; len = bytestream2_get_be32(&gb);
if(len == TM2_ESCAPE) { if(len == TM2_ESCAPE) {
len = AV_RB32(buf); buf += 4; cur += 4; len = bytestream2_get_be32(&gb);
} }
if(len > 0) { if(len > 0) {
if (skip <= cur) pos = bytestream2_tell(&gb);
if (skip <= pos)
return -1; return -1;
init_get_bits(&ctx->gb, buf, (skip - cur) * 8); init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
if(tm2_read_deltas(ctx, stream_id) == -1) if(tm2_read_deltas(ctx, stream_id) == -1)
return -1; return -1;
buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2);
cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2;
} }
} }
/* skip unused fields */ /* skip unused fields */
if(AV_RB32(buf) == TM2_ESCAPE) { len = bytestream2_get_be32(&gb);
buf += 4; cur += 4; /* some unknown length - could be escaped too */ if(len == TM2_ESCAPE) { /* some unknown length - could be escaped too */
bytestream2_skip(&gb, 8); /* unused by decoder */
} else {
bytestream2_skip(&gb, 4); /* unused by decoder */
} }
buf += 4; cur += 4;
buf += 4; cur += 4; /* unused by decoder */
if (skip <= cur) pos = bytestream2_tell(&gb);
if (skip <= pos)
return -1; return -1;
init_get_bits(&ctx->gb, buf, (skip - cur) * 8); init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
if(tm2_build_huff_table(ctx, &codes) == -1) if(tm2_build_huff_table(ctx, &codes) == -1)
return -1; return -1;
buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2);
cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2;
toks >>= 1; toks >>= 1;
/* check if we have sane number of tokens */ /* check if we have sane number of tokens */
@ -305,11 +308,12 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
} }
ctx->tokens[stream_id] = av_realloc(ctx->tokens[stream_id], toks * sizeof(int)); ctx->tokens[stream_id] = av_realloc(ctx->tokens[stream_id], toks * sizeof(int));
ctx->tok_lens[stream_id] = toks; ctx->tok_lens[stream_id] = toks;
len = AV_RB32(buf); buf += 4; cur += 4; len = bytestream2_get_be32(&gb);
if(len > 0) { if(len > 0) {
if (skip <= cur) pos = bytestream2_tell(&gb);
if (skip <= pos)
return -1; return -1;
init_get_bits(&ctx->gb, buf, (skip - cur) * 8); init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
for(i = 0; i < toks; i++) { for(i = 0; i < toks; i++) {
if (get_bits_left(&ctx->gb) <= 0) { if (get_bits_left(&ctx->gb) <= 0) {
av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks); av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks);
@ -762,7 +766,7 @@ static int decode_frame(AVCodecContext *avctx,
AVPacket *avpkt) AVPacket *avpkt)
{ {
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size; int buf_size = avpkt->size & ~3;
TM2Context * const l = avctx->priv_data; TM2Context * const l = avctx->priv_data;
AVFrame * const p= (AVFrame*)&l->pic; AVFrame * const p= (AVFrame*)&l->pic;
int i, skip, t; int i, skip, t;
@ -790,7 +794,11 @@ static int decode_frame(AVCodecContext *avctx,
} }
for(i = 0; i < TM2_NUM_STREAMS; i++){ for(i = 0; i < TM2_NUM_STREAMS; i++){
t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size); if (skip >= buf_size) {
av_free(swbuf);
return AVERROR_INVALIDDATA;
}
t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip);
if(t == -1){ if(t == -1){
av_free(swbuf); av_free(swbuf);
return -1; return -1;