Commit 61cd19b8 authored by Luca Barbato's avatar Luca Barbato

vmnc: Port to bytestream2

Fix some buffer overreads.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent a66aa0da
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include "libavutil/intreadwrite.h" #include "libavutil/intreadwrite.h"
#include "avcodec.h" #include "avcodec.h"
#include "internal.h" #include "internal.h"
#include "bytestream.h"
enum EncTypes { enum EncTypes {
MAGIC_WMVd = 0x574D5664, MAGIC_WMVd = 0x574D5664,
...@@ -63,6 +64,7 @@ typedef struct VmncContext { ...@@ -63,6 +64,7 @@ typedef struct VmncContext {
int bigendian; int bigendian;
uint8_t pal[768]; uint8_t pal[768];
int width, height; int width, height;
GetByteContext gb;
/* cursor data */ /* cursor data */
int cur_w, cur_h; int cur_w, cur_h;
...@@ -73,26 +75,25 @@ typedef struct VmncContext { ...@@ -73,26 +75,25 @@ typedef struct VmncContext {
} VmncContext; } VmncContext;
/* read pixel value from stream */ /* read pixel value from stream */
static av_always_inline int vmnc_get_pixel(const uint8_t *buf, int bpp, int be) static av_always_inline int vmnc_get_pixel(GetByteContext *gb, int bpp, int be)
{ {
switch (bpp * 2 + be) { switch (bpp * 2 + be) {
case 2: case 2:
case 3: case 3:
return *buf; return bytestream2_get_byte(gb);
case 4: case 4:
return AV_RL16(buf); return bytestream2_get_le16(gb);
case 5: case 5:
return AV_RB16(buf); return bytestream2_get_be16(gb);
case 8: case 8:
return AV_RL32(buf); return bytestream2_get_le32(gb);
case 9: case 9:
return AV_RB32(buf); return bytestream2_get_be32(gb);
default: default: return 0;
return 0;
} }
} }
static void load_cursor(VmncContext *c, const uint8_t *src) static void load_cursor(VmncContext *c)
{ {
int i, j, p; int i, j, p;
const int bpp = c->bpp2; const int bpp = c->bpp2;
...@@ -102,8 +103,7 @@ static void load_cursor(VmncContext *c, const uint8_t *src) ...@@ -102,8 +103,7 @@ static void load_cursor(VmncContext *c, const uint8_t *src)
for (j = 0; j < c->cur_h; j++) { for (j = 0; j < c->cur_h; j++) {
for (i = 0; i < c->cur_w; i++) { for (i = 0; i < c->cur_w; i++) {
p = vmnc_get_pixel(src, bpp, c->bigendian); p = vmnc_get_pixel(&c->gb, bpp, c->bigendian);
src += bpp;
if (bpp == 1) if (bpp == 1)
*dst8++ = p; *dst8++ = p;
if (bpp == 2) if (bpp == 2)
...@@ -117,8 +117,7 @@ static void load_cursor(VmncContext *c, const uint8_t *src) ...@@ -117,8 +117,7 @@ static void load_cursor(VmncContext *c, const uint8_t *src)
dst32 = (uint32_t*)c->curmask; dst32 = (uint32_t*)c->curmask;
for (j = 0; j < c->cur_h; j++) { for (j = 0; j < c->cur_h; j++) {
for (i = 0; i < c->cur_w; i++) { for (i = 0; i < c->cur_w; i++) {
p = vmnc_get_pixel(src, bpp, c->bigendian); p = vmnc_get_pixel(&c->gb, bpp, c->bigendian);
src += bpp;
if (bpp == 1) if (bpp == 1)
*dst8++ = p; *dst8++ = p;
if (bpp == 2) if (bpp == 2)
...@@ -220,14 +219,13 @@ static av_always_inline void paint_rect(uint8_t *dst, int dx, int dy, ...@@ -220,14 +219,13 @@ static av_always_inline void paint_rect(uint8_t *dst, int dx, int dy,
} }
static av_always_inline void paint_raw(uint8_t *dst, int w, int h, static av_always_inline void paint_raw(uint8_t *dst, int w, int h,
const uint8_t *src, int bpp, GetByteContext *gb, int bpp,
int be, int stride) int be, int stride)
{ {
int i, j, p; int i, j, p;
for (j = 0; j < h; j++) { for (j = 0; j < h; j++) {
for (i = 0; i < w; i++) { for (i = 0; i < w; i++) {
p = vmnc_get_pixel(src, bpp, be); p = vmnc_get_pixel(gb, bpp, be);
src += bpp;
switch (bpp) { switch (bpp) {
case 1: case 1:
dst[i] = p; dst[i] = p;
...@@ -244,15 +242,14 @@ static av_always_inline void paint_raw(uint8_t *dst, int w, int h, ...@@ -244,15 +242,14 @@ static av_always_inline void paint_raw(uint8_t *dst, int w, int h,
} }
} }
static int decode_hextile(VmncContext *c, uint8_t *dst, const uint8_t *src, static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
int ssize, int w, int h, int stride) int w, int h, int stride)
{ {
int i, j, k; int i, j, k;
int bg = 0, fg = 0, rects, color, flags, xy, wh; int bg = 0, fg = 0, rects, color, flags, xy, wh;
const int bpp = c->bpp2; const int bpp = c->bpp2;
uint8_t *dst2; uint8_t *dst2;
int bw = 16, bh = 16; int bw = 16, bh = 16;
const uint8_t *ssrc = src;
for (j = 0; j < h; j += 16) { for (j = 0; j < h; j += 16) {
dst2 = dst; dst2 = dst;
...@@ -260,55 +257,48 @@ static int decode_hextile(VmncContext *c, uint8_t *dst, const uint8_t *src, ...@@ -260,55 +257,48 @@ static int decode_hextile(VmncContext *c, uint8_t *dst, const uint8_t *src,
if (j + 16 > h) if (j + 16 > h)
bh = h - j; bh = h - j;
for (i = 0; i < w; i += 16, dst2 += 16 * bpp) { for (i = 0; i < w; i += 16, dst2 += 16 * bpp) {
if (src - ssrc >= ssize) { if (bytestream2_get_bytes_left(gb) <= 0) {
av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
return -1; return -1;
} }
if (i + 16 > w) if (i + 16 > w)
bw = w - i; bw = w - i;
flags = *src++; flags = bytestream2_get_byte(gb);
if (flags & HT_RAW) { if (flags & HT_RAW) {
if (src - ssrc > ssize - bw * bh * bpp) { if (bytestream2_get_bytes_left(gb) < bw * bh * bpp) {
av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
return -1; return -1;
} }
paint_raw(dst2, bw, bh, src, bpp, c->bigendian, stride); paint_raw(dst2, bw, bh, gb, bpp, c->bigendian, stride);
src += bw * bh * bpp;
} else { } else {
if (flags & HT_BKG) { if (flags & HT_BKG)
bg = vmnc_get_pixel(src, bpp, c->bigendian); bg = vmnc_get_pixel(gb, bpp, c->bigendian);
src += bpp; if (flags & HT_FG)
} fg = vmnc_get_pixel(gb, bpp, c->bigendian);
if (flags & HT_FG) {
fg = vmnc_get_pixel(src, bpp, c->bigendian);
src += bpp;
}
rects = 0; rects = 0;
if (flags & HT_SUB) if (flags & HT_SUB)
rects = *src++; rects = bytestream2_get_byte(gb);
color = !!(flags & HT_CLR); color = !!(flags & HT_CLR);
paint_rect(dst2, 0, 0, bw, bh, bg, bpp, stride); paint_rect(dst2, 0, 0, bw, bh, bg, bpp, stride);
if (src - ssrc > ssize - rects * (color * bpp + 2)) { if (bytestream2_get_bytes_left(gb) < rects * (color * bpp + 2)) {
av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
return -1; return -1;
} }
for (k = 0; k < rects; k++) { for (k = 0; k < rects; k++) {
if (color) { if (color)
fg = vmnc_get_pixel(src, bpp, c->bigendian); fg = vmnc_get_pixel(gb, bpp, c->bigendian);
src += bpp; xy = bytestream2_get_byte(gb);
} wh = bytestream2_get_byte(gb);
xy = *src++; paint_rect(dst2, xy >> 4, xy & 0xF,
wh = *src++; (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
paint_rect(dst2, xy >> 4, xy & 0xF, (wh >> 4) + 1,
(wh & 0xF) + 1, fg, bpp, stride);
} }
} }
} }
dst += stride * 16; dst += stride * 16;
} }
return src - ssrc; return 0;
} }
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
...@@ -317,8 +307,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -317,8 +307,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size; int buf_size = avpkt->size;
VmncContext * const c = avctx->priv_data; VmncContext * const c = avctx->priv_data;
GetByteContext *gb = &c->gb;
uint8_t *outptr; uint8_t *outptr;
const uint8_t *src = buf;
int dx, dy, w, h, depth, enc, chunks, res, size_left, ret; int dx, dy, w, h, depth, enc, chunks, res, size_left, ret;
if ((ret = ff_reget_buffer(avctx, &c->pic)) < 0) { if ((ret = ff_reget_buffer(avctx, &c->pic)) < 0) {
...@@ -326,6 +316,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -326,6 +316,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
return ret; return ret;
} }
bytestream2_init(gb, buf, buf_size);
c->pic.key_frame = 0; c->pic.key_frame = 0;
c->pic.pict_type = AV_PICTURE_TYPE_P; c->pic.pict_type = AV_PICTURE_TYPE_P;
...@@ -357,22 +349,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -357,22 +349,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
} }
} }
} }
src += 2; bytestream2_skip(gb, 2);
chunks = AV_RB16(src); chunks = bytestream2_get_be16(gb);
src += 2;
while (chunks--) { while (chunks--) {
dx = AV_RB16(src); dx = bytestream2_get_be16(gb);
src += 2; dy = bytestream2_get_be16(gb);
dy = AV_RB16(src); w = bytestream2_get_be16(gb);
src += 2; h = bytestream2_get_be16(gb);
w = AV_RB16(src); enc = bytestream2_get_be32(gb);
src += 2;
h = AV_RB16(src);
src += 2;
enc = AV_RB32(src);
src += 4;
outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0]; outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
size_left = buf_size - (src - buf); size_left = bytestream2_get_bytes_left(gb);
switch (enc) { switch (enc) {
case MAGIC_WMVd: // cursor case MAGIC_WMVd: // cursor
if (size_left < 2 + w * h * c->bpp2 * 2) { if (size_left < 2 + w * h * c->bpp2 * 2) {
...@@ -381,7 +367,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -381,7 +367,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
2 + w * h * c->bpp2 * 2, size_left); 2 + w * h * c->bpp2 * 2, size_left);
return -1; return -1;
} }
src += 2; bytestream2_skip(gb, 2);
c->cur_w = w; c->cur_w = w;
c->cur_h = h; c->cur_h = h;
c->cur_hx = dx; c->cur_hx = dx;
...@@ -396,44 +382,43 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -396,44 +382,43 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2); c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2);
c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2); c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2);
c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2); c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2);
load_cursor(c, src); load_cursor(c);
src += w * h * c->bpp2 * 2;
break; break;
case MAGIC_WMVe: // unknown case MAGIC_WMVe: // unknown
src += 2; bytestream2_skip(gb, 2);
break; break;
case MAGIC_WMVf: // update cursor position case MAGIC_WMVf: // update cursor position
c->cur_x = dx - c->cur_hx; c->cur_x = dx - c->cur_hx;
c->cur_y = dy - c->cur_hy; c->cur_y = dy - c->cur_hy;
break; break;
case MAGIC_WMVg: // unknown case MAGIC_WMVg: // unknown
src += 10; bytestream2_skip(gb, 10);
break; break;
case MAGIC_WMVh: // unknown case MAGIC_WMVh: // unknown
src += 4; bytestream2_skip(gb, 4);
break; break;
case MAGIC_WMVi: // ServerInitialization struct case MAGIC_WMVi: // ServerInitialization struct
c->pic.key_frame = 1; c->pic.key_frame = 1;
c->pic.pict_type = AV_PICTURE_TYPE_I; c->pic.pict_type = AV_PICTURE_TYPE_I;
depth = *src++; depth = bytestream2_get_byte(gb);
if (depth != c->bpp) { if (depth != c->bpp) {
av_log(avctx, AV_LOG_INFO, av_log(avctx, AV_LOG_INFO,
"Depth mismatch. Container %i bpp, " "Depth mismatch. Container %i bpp, "
"Frame data: %i bpp\n", "Frame data: %i bpp\n",
c->bpp, depth); c->bpp, depth);
} }
src++; bytestream2_skip(gb, 1);
c->bigendian = *src++; c->bigendian = bytestream2_get_byte(gb);
if (c->bigendian & (~1)) { if (c->bigendian & (~1)) {
av_log(avctx, AV_LOG_INFO, av_log(avctx, AV_LOG_INFO,
"Invalid header: bigendian flag = %i\n", c->bigendian); "Invalid header: bigendian flag = %i\n", c->bigendian);
return -1; return -1;
} }
// skip the rest of pixel format data //skip the rest of pixel format data
src += 13; bytestream2_skip(gb, 13);
break; break;
case MAGIC_WMVj: // unknown case MAGIC_WMVj: // unknown
src += 2; bytestream2_skip(gb, 2);
break; break;
case 0x00000000: // raw rectangle data case 0x00000000: // raw rectangle data
if ((dx + w > c->width) || (dy + h > c->height)) { if ((dx + w > c->width) || (dy + h > c->height)) {
...@@ -448,9 +433,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -448,9 +433,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
w * h * c->bpp2, size_left); w * h * c->bpp2, size_left);
return -1; return -1;
} }
paint_raw(outptr, w, h, src, c->bpp2, c->bigendian, paint_raw(outptr, w, h, gb, c->bpp2, c->bigendian,
c->pic.linesize[0]); c->pic.linesize[0]);
src += w * h * c->bpp2;
break; break;
case 0x00000005: // HexTile encoded rectangle case 0x00000005: // HexTile encoded rectangle
if ((dx + w > c->width) || (dy + h > c->height)) { if ((dx + w > c->width) || (dy + h > c->height)) {
...@@ -459,11 +443,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ...@@ -459,11 +443,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
w, h, dx, dy, c->width, c->height); w, h, dx, dy, c->width, c->height);
return -1; return -1;
} }
res = decode_hextile(c, outptr, src, size_left, w, h, res = decode_hextile(c, outptr, gb, w, h, c->pic.linesize[0]);
c->pic.linesize[0]);
if (res < 0) if (res < 0)
return -1; return -1;
src += res;
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, "Unsupported block type 0x%08X\n", enc); av_log(avctx, AV_LOG_ERROR, "Unsupported block type 0x%08X\n", enc);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment