Message ID | 20200530043300.19951-2-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | a8867850185a14e580dfeed2b39e8aae5e306e7c |
Series | [FFmpeg-devel,1/2] avcodec/anm: Check extradata length before allocating frame | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
On Sat, May 30, 2020 at 06:33:00AM +0200, Andreas Rheinhardt wrote: > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > libavcodec/anm.c | 39 +++++++++++++++++++-------------------- > 1 file changed, 19 insertions(+), 20 deletions(-) > > diff --git a/libavcodec/anm.c b/libavcodec/anm.c > index e9b19d880d..134640ee36 100644 > --- a/libavcodec/anm.c > +++ b/libavcodec/anm.c > @@ -31,13 +31,12 @@ > typedef struct AnmContext { > AVFrame *frame; > int palette[AVPALETTE_COUNT]; > - GetByteContext gb; > - int x; ///< x coordinate position > } AnmContext; > > static av_cold int decode_init(AVCodecContext *avctx) > { > AnmContext *s = avctx->priv_data; > + GetByteContext gb; > int i; > > if (avctx->extradata_size < 16 * 8 + 4 * 256) > @@ -49,10 +48,10 @@ static av_cold int decode_init(AVCodecContext *avctx) > if (!s->frame) > return AVERROR(ENOMEM); > > - bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); > - bytestream2_skipu(&s->gb, 16 * 8); > + bytestream2_init(&gb, avctx->extradata, avctx->extradata_size); > + bytestream2_skipu(&gb, 16 * 8); > for (i = 0; i < 256; i++) > - s->palette[i] = (0xFFU << 24) | bytestream2_get_le32u(&s->gb); > + s->palette[i] = (0xFFU << 24) | bytestream2_get_le32u(&gb); > > return 0; > } > @@ -115,7 +114,8 @@ static int decode_frame(AVCodecContext *avctx, > AnmContext *s = avctx->priv_data; > const int buf_size = avpkt->size; > uint8_t *dst, *dst_end; > - int count, ret; > + GetByteContext gb; > + int count, ret, x = 0; > > if (buf_size < 7) > return AVERROR_INVALIDDATA; 
> @@ -125,37 +125,36 @@ static int decode_frame(AVCodecContext *avctx, > dst = s->frame->data[0]; > dst_end = s->frame->data[0] + s->frame->linesize[0]*avctx->height; > > - bytestream2_init(&s->gb, avpkt->data, buf_size); > + bytestream2_init(&gb, avpkt->data, buf_size); > > - if (bytestream2_get_byte(&s->gb) != 0x42) { > + if (bytestream2_get_byte(&gb) != 0x42) { > avpriv_request_sample(avctx, "Unknown record type"); > return AVERROR_INVALIDDATA; > } > - if (bytestream2_get_byte(&s->gb)) { > + if (bytestream2_get_byte(&gb)) { > avpriv_request_sample(avctx, "Padding bytes"); > return AVERROR_PATCHWELCOME; > } > - bytestream2_skip(&s->gb, 2); > + bytestream2_skip(&gb, 2); > > - s->x = 0; > do { > /* if statements are ordered by probability */ > #define OP(gb, pixel, count) \ > - op(&dst, dst_end, (gb), (pixel), (count), &s->x, avctx->width, s->frame->linesize[0]) > + op(&dst, dst_end, (gb), (pixel), (count), &x, avctx->width, s->frame->linesize[0]) > > - int type = bytestream2_get_byte(&s->gb); > + int type = bytestream2_get_byte(&gb); > count = type & 0x7F; > type >>= 7; > if (count) { > - if (OP(type ? NULL : &s->gb, -1, count)) break; > + if (OP(type ? NULL : &gb, -1, count)) break; > } else if (!type) { > int pixel; > - count = bytestream2_get_byte(&s->gb); /* count==0 gives nop */ > - pixel = bytestream2_get_byte(&s->gb); > + count = bytestream2_get_byte(&gb); /* count==0 gives nop */ > + pixel = bytestream2_get_byte(&gb); > if (OP(NULL, pixel, count)) break; > } else { > int pixel; > - type = bytestream2_get_le16(&s->gb); > + type = bytestream2_get_le16(&gb); > count = type & 0x3FFF; > type >>= 14; > if (!count) { 
> @@ -167,11 +166,11 @@ static int decode_frame(AVCodecContext *avctx, > } > continue; > } > - pixel = type == 3 ? bytestream2_get_byte(&s->gb) : -1; > + pixel = type == 3 ? bytestream2_get_byte(&gb) : -1; > if (type == 1) count += 0x4000; > - if (OP(type == 2 ? &s->gb : NULL, pixel, count)) break; > + if (OP(type == 2 ? &gb : NULL, pixel, count)) break; > } > - } while (bytestream2_get_bytes_left(&s->gb) > 0); > + } while (bytestream2_get_bytes_left(&gb) > 0); > > memcpy(s->frame->data[1], s->palette, AVPALETTE_SIZE); > > -- > 2.20.1 ok. -- Peter (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
diff --git a/libavcodec/anm.c b/libavcodec/anm.c
index e9b19d880d..134640ee36 100644
--- a/libavcodec/anm.c
+++ b/libavcodec/anm.c
@@ -31,13 +31,12 @@
 typedef struct AnmContext {
 AVFrame *frame;
 int palette[AVPALETTE_COUNT];
- GetByteContext gb;
- int x; ///< x coordinate position
 } AnmContext;
 
 static av_cold int decode_init(AVCodecContext *avctx)
 {
 AnmContext *s = avctx->priv_data;
+ GetByteContext gb;
 int i;
 
 if (avctx->extradata_size < 16 * 8 + 4 * 256)
@@ -49,10 +48,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
 if (!s->frame)
 return AVERROR(ENOMEM);
 
- bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size);
- bytestream2_skipu(&s->gb, 16 * 8);
+ bytestream2_init(&gb, avctx->extradata, avctx->extradata_size);
+ bytestream2_skipu(&gb, 16 * 8);
 for (i = 0; i < 256; i++)
- s->palette[i] = (0xFFU << 24) | bytestream2_get_le32u(&s->gb);
+ s->palette[i] = (0xFFU << 24) | bytestream2_get_le32u(&gb);
 
 return 0;
 }
@@ -115,7 +114,8 @@ static int decode_frame(AVCodecContext *avctx,
 AnmContext *s = avctx->priv_data;
 const int buf_size = avpkt->size;
 uint8_t *dst, *dst_end;
- int count, ret;
+ GetByteContext gb;
+ int count, ret, x = 0;
 
 if (buf_size < 7)
 return AVERROR_INVALIDDATA;
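Review bot: The `bytestream2_skipu()` and `bytestream2_get_le32u()` calls in the `-49,10` hunk are the unchecked variants, so their safety rests entirely on the `avctx->extradata_size < 16 * 8 + 4 * 256` guard visible at the end of the previous hunk, and nothing next to the reads says so. The guard, the skip length and the loop bound are three separate literals that must stay in agreement with `int palette[AVPALETTE_COUNT]`. I would add `/* unchecked reads below: extradata_size >= 16 * 8 + 4 * 256 was verified at the top of decode_init() */` above the init call and write the loop as `for (i = 0; i < AVPALETTE_COUNT; i++)`. The body of decode_init starts in the previous hunk.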
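Review bot: In the `-115,7` hunk `x` is declared and initialised in the same statement as the uninitialised `count` and `ret`, and the `///< x coordinate position` description it carried as a struct field is lost. A line of its own keeps the initialiser easy to spot and restores the documentation: `int x = 0; /* x coordinate position, handed to op() through the OP macro */`. The reset used to sit directly before the loop, so the comment also helps a reader who looks for it there. The body of decode_frame continues outside this hunk.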
@@ -125,37 +125,36 @@ static int decode_frame(AVCodecContext *avctx,
 dst = s->frame->data[0];
 dst_end = s->frame->data[0] + s->frame->linesize[0]*avctx->height;
 
- bytestream2_init(&s->gb, avpkt->data, buf_size);
+ bytestream2_init(&gb, avpkt->data, buf_size);
 
- if (bytestream2_get_byte(&s->gb) != 0x42) {
+ if (bytestream2_get_byte(&gb) != 0x42) {
 avpriv_request_sample(avctx, "Unknown record type");
 return AVERROR_INVALIDDATA;
 }
- if (bytestream2_get_byte(&s->gb)) {
+ if (bytestream2_get_byte(&gb)) {
 avpriv_request_sample(avctx, "Padding bytes");
 return AVERROR_PATCHWELCOME;
 }
- bytestream2_skip(&s->gb, 2);
+ bytestream2_skip(&gb, 2);
 
- s->x = 0;
 do {
 /* if statements are ordered by probability */
 #define OP(gb, pixel, count) \
- op(&dst, dst_end, (gb), (pixel), (count), &s->x, avctx->width, s->frame->linesize[0])
+ op(&dst, dst_end, (gb), (pixel), (count), &x, avctx->width, s->frame->linesize[0])
 
- int type = bytestream2_get_byte(&s->gb);
+ int type = bytestream2_get_byte(&gb);
 count = type & 0x7F;
 type >>= 7;
 if (count) {
- if (OP(type ? NULL : &s->gb, -1, count)) break;
+ if (OP(type ? NULL : &gb, -1, count)) break;
 } else if (!type) {
 int pixel;
- count = bytestream2_get_byte(&s->gb); /* count==0 gives nop */
- pixel = bytestream2_get_byte(&s->gb);
+ count = bytestream2_get_byte(&gb); /* count==0 gives nop */
+ pixel = bytestream2_get_byte(&gb);
 if (OP(NULL, pixel, count)) break;
 } else {
 int pixel;
- type = bytestream2_get_le16(&s->gb);
+ type = bytestream2_get_le16(&gb);
 count = type & 0x3FFF;
 type >>= 14;
 if (!count) {
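Review bot: A packet that ends in the middle of an opcode is not reported by this loop. The checked `bytestream2_get_byte()` / `bytestream2_get_le16()` readers return 0 once `gb` is exhausted, so the missing operand bytes are decoded as zeros, and the only end-of-data test is `bytestream2_get_bytes_left(&gb) > 0` at the bottom of the `do` body. That keeps the reads in bounds, but the reliance is implicit; the write side depends on `op()` honouring `dst_end`, which is defined outside this hunk. I would document it at the top of the loop with `/* checked readers return 0 past the end of the packet; truncated opcodes decode as nops */`. Whether truncation should instead return `AVERROR_INVALIDDATA` is for the maintainer to decide. The loop body continues past the end of this hunk.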
@@ -167,11 +166,11 @@ static int decode_frame(AVCodecContext *avctx,
 }
 continue;
 }
- pixel = type == 3 ? bytestream2_get_byte(&s->gb) : -1;
+ pixel = type == 3 ? bytestream2_get_byte(&gb) : -1;
 if (type == 1) count += 0x4000;
- if (OP(type == 2 ? &s->gb : NULL, pixel, count)) break;
+ if (OP(type == 2 ? &gb : NULL, pixel, count)) break;
 }
- } while (bytestream2_get_bytes_left(&s->gb) > 0);
+ } while (bytestream2_get_bytes_left(&gb) > 0);
 
 memcpy(s->frame->data[1], s->palette, AVPALETTE_SIZE);
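Review bot: `OP` is still defined once the loop has ended, since no `#undef` appears between the `} while (...)` line and the `memcpy()`. The macro is introduced inside the `do` body in the previous hunk, and after this change it expands to the function-local `x` as well as `dst` and `dst_end`, so any use outside decode_frame would pick up unrelated names or fail to compile. Unless an `#undef` follows later in the function, outside this hunk, I would add `#undef OP` directly after the `while` line. The macro parameter `gb` now has the same spelling as the new local `gb`; renaming the parameter (for example to `gbp`) would make the `OP(type == 2 ? &gb : NULL, ...)` calls easier to read.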
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavcodec/anm.c | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-)