generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Check for out of bound reads in the flic decoder.

Browse Source 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f024b8820)
This commit is contained in:
Laurent Aimar
2011-09-27 22:05:15 +02:00
committed by Michael Niedermayer
parent 03a4b489f1
commit fa816e01f4
1 changed files with 29 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
libavcodec/flicvideo.c
View File

@@ -132,7 +132,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
FlicDecodeContext *s = avctx->priv_data; FlicDecodeContext *s = avctx->priv_data;
int stream_ptr = 0; int stream_ptr = 0;
int stream_ptr_after_color_chunk;
int pixel_ptr; int pixel_ptr;
int palette_ptr; int palette_ptr;
unsigned char palette_idx1; unsigned char palette_idx1;
@@ -172,7 +171,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixels = s->frame.data[0]; pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0]; pixel_limit = s->avctx->height * s->frame.linesize[0];
if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE))
return AVERROR_INVALIDDATA;
frame_size = AV_RL32(&buf[stream_ptr]); frame_size = AV_RL32(&buf[stream_ptr]);
if (frame_size > buf_size)
frame_size = buf_size;
stream_ptr += 6; /* skip the magic number */ stream_ptr += 6; /* skip the magic number */
num_chunks = AV_RL16(&buf[stream_ptr]); num_chunks = AV_RL16(&buf[stream_ptr]);
stream_ptr += 10; /* skip padding */ stream_ptr += 10; /* skip padding */
@@ -180,13 +183,16 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
frame_size -= 16; frame_size -= 16;
/* iterate through the chunks */ /* iterate through the chunks */
while ((frame_size > 0) && (num_chunks > 0)) { while ((frame_size >= 6) && (num_chunks > 0)) {
int stream_ptr_after_chunk;
chunk_size = AV_RL32(&buf[stream_ptr]); chunk_size = AV_RL32(&buf[stream_ptr]);
if (chunk_size > frame_size) { if (chunk_size > frame_size) {
av_log(avctx, AV_LOG_WARNING, av_log(avctx, AV_LOG_WARNING,
"Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
chunk_size = frame_size; chunk_size = frame_size;
} }
stream_ptr_after_chunk = stream_ptr + chunk_size;
stream_ptr += 4; stream_ptr += 4;
chunk_type = AV_RL16(&buf[stream_ptr]); chunk_type = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
@@ -194,8 +200,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
switch (chunk_type) { switch (chunk_type) {
case FLI_256_COLOR: case FLI_256_COLOR:
case FLI_COLOR: case FLI_COLOR:
stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6;
/* check special case: If this file is from the Magic Carpet /* check special case: If this file is from the Magic Carpet
* game and uses 6-bit colors even though it reports 256-color * game and uses 6-bit colors even though it reports 256-color
* chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during
@@ -219,6 +223,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
if (color_changes == 0) if (color_changes == 0)
color_changes = 256; color_changes = 256;
if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
break;
for (j = 0; j < color_changes; j++) { for (j = 0; j < color_changes; j++) {
unsigned int entry; unsigned int entry;
@@ -235,13 +242,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
s->palette[palette_ptr++] = entry; s->palette[palette_ptr++] = entry;
} }
} }
/* color chunks sometimes have weird 16-bit alignment issues;
* therefore, take the hardline approach and set the stream_ptr
* to the value calculated w.r.t. the size specified by the color
* chunk header */
stream_ptr = stream_ptr_after_color_chunk;
break; break;
case FLI_DELTA: case FLI_DELTA:
@@ -249,6 +249,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
compressed_lines = AV_RL16(&buf[stream_ptr]); compressed_lines = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
while (compressed_lines > 0) { while (compressed_lines > 0) {
if (stream_ptr + 2 > stream_ptr_after_chunk)
break;
line_packets = AV_RL16(&buf[stream_ptr]); line_packets = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
if ((line_packets & 0xC000) == 0xC000) { if ((line_packets & 0xC000) == 0xC000) {
@@ -268,6 +270,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
CHECK_PIXEL_PTR(0); CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) { for (i = 0; i < line_packets; i++) {
if (stream_ptr + 2 > stream_ptr_after_chunk)
break;
/* account for the skip bytes */ /* account for the skip bytes */
pixel_skip = buf[stream_ptr++]; pixel_skip = buf[stream_ptr++];
pixel_ptr += pixel_skip; pixel_ptr += pixel_skip;
@@ -284,6 +288,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
} }
} else { } else {
CHECK_PIXEL_PTR(byte_run * 2); CHECK_PIXEL_PTR(byte_run * 2);
if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk)
break;
for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1; pixels[pixel_ptr++] = palette_idx1;
@@ -310,6 +316,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
CHECK_PIXEL_PTR(0); CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
line_packets = buf[stream_ptr++]; line_packets = buf[stream_ptr++];
if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk)
break;
if (line_packets > 0) { if (line_packets > 0) {
for (i = 0; i < line_packets; i++) { for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */ /* account for the skip bytes */
@@ -319,6 +327,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
byte_run = (signed char)(buf[stream_ptr++]); byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) { if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(byte_run);
if (stream_ptr + byte_run > stream_ptr_after_chunk)
break;
for (j = 0; j < byte_run; j++, pixel_countdown--) { for (j = 0; j < byte_run; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1; pixels[pixel_ptr++] = palette_idx1;
@@ -356,6 +366,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
stream_ptr++; stream_ptr++;
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) { while (pixel_countdown > 0) {
if (stream_ptr + 1 > stream_ptr_after_chunk)
break;
byte_run = (signed char)(buf[stream_ptr++]); byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) { if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
@@ -370,6 +382,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
} else { /* copy bytes if byte_run < 0 */ } else { /* copy bytes if byte_run < 0 */
byte_run = -byte_run; byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(byte_run);
if (stream_ptr + byte_run > stream_ptr_after_chunk)
break;
for (j = 0; j < byte_run; j++) { for (j = 0; j < byte_run; j++) {
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1; pixels[pixel_ptr++] = palette_idx1;
@@ -387,10 +401,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
case FLI_COPY: case FLI_COPY:
/* copy the chunk (uncompressed frame) */ /* copy the chunk (uncompressed frame) */
if (chunk_size - 6 > s->avctx->width * s->avctx->height) { if (chunk_size - 6 != s->avctx->width * s->avctx->height) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
"bigger than image, skipping chunk\n", chunk_size - 6); "has incorrect size, skipping chunk\n", chunk_size - 6);
stream_ptr += chunk_size - 6;
} else { } else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
y_ptr += s->frame.linesize[0]) { y_ptr += s->frame.linesize[0]) {
@@ -403,7 +416,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
case FLI_MINI: case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */ /* some sort of a thumbnail? disregard this chunk... */
stream_ptr += chunk_size - 6;
break; break;
default: default:
@@ -411,6 +423,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
break; break;
} }
stream_ptr = stream_ptr_after_chunk;
frame_size -= chunk_size; frame_size -= chunk_size;
num_chunks--; num_chunks--;
} }