cdgraphics: switch to bytestream2

Fixes possible invalid memory accesses on corrupted data. CC:libav-stable@libav.org Bug-ID: CVE-2013-3674

cdgraphics: switch to bytestream2
Fixes possible invalid memory accesses on corrupted data. CC:libav-stable@libav.org Bug-ID: CVE-2013-3674
a1599f3f · Anton Khirnov · ed6d9ce9 · a1599f3f
Commit a1599f3f authored Aug 06, 2014 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 9 deletions

cdgraphics.c libavcodec/cdgraphics.c +7 -9

No files found.
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -261,7 +261,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
                            void *data, int *got_frame, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    GetByteContext gb;
    int buf_size       = avpkt->size;
    int ret;
    uint8_t command, inst;
@@ -269,10 +269,8 @@ static int cdg_decode_frame(AVCodecContext *avctx,
    AVFrame *frame = data;
    CDGraphicsContext *cc = avctx->priv_data;
-    if (buf_size < CDG_MINIMUM_PKT_SIZE) {
+    bytestream2_init(&gb, avpkt->data, avpkt->size);
-        av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
-        return AVERROR(EINVAL);
-    }
    ret = ff_reget_buffer(avctx, cc->frame);
    if (ret) {
@@ -282,11 +280,11 @@ static int cdg_decode_frame(AVCodecContext *avctx,
    if (!avctx->frame_number)
        memset(cc->frame->data[0], 0, cc->frame->linesize[0] * avctx->height);
-    command = bytestream_get_byte(&buf);
+    command = bytestream2_get_byte(&gb);
-    inst    = bytestream_get_byte(&buf);
+    inst    = bytestream2_get_byte(&gb);
    inst    &= CDG_MASK;
-    buf += 2;  /// skipping 2 unneeded bytes
+    bytestream2_skip(&gb, 2);
-    bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+    bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
    if ((command & CDG_MASK) == CDG_COMMAND) {
        switch (inst) {