Commit ad3161ec authored by Gaurav Narula, committed by Janne Grunau

kvmc: fix invalid reads

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
parent 355d917c
...@@ -57,17 +57,21 @@ typedef struct BitBuf { ...@@ -57,17 +57,21 @@ typedef struct BitBuf {
#define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++; #define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++;
#define kmvc_getbit(bb, src, res) {\ #define kmvc_getbit(bb, src, src_end, res) {\
res = 0; \ res = 0; \
if (bb.bitbuf & (1 << bb.bits)) res = 1; \ if (bb.bitbuf & (1 << bb.bits)) res = 1; \
bb.bits--; \ bb.bits--; \
if(bb.bits == -1) { \ if(bb.bits == -1) { \
if (src >= src_end) { \
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
return AVERROR_INVALIDDATA; \
} \
bb.bitbuf = *src++; \ bb.bitbuf = *src++; \
bb.bits = 7; \ bb.bits = 7; \
} \ } \
} }
static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h) static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
{ {
BitBuf bb; BitBuf bb;
int res, val; int res, val;
...@@ -75,13 +79,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -75,13 +79,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
int bx, by; int bx, by;
int l0x, l1x, l0y, l1y; int l0x, l1x, l0y, l1y;
int mx, my; int mx, my;
const uint8_t *src_end = src + src_size;
kmvc_init_getbits(bb, src); kmvc_init_getbits(bb, src);
for (by = 0; by < h; by += 8) for (by = 0; by < h; by += 8)
for (bx = 0; bx < w; bx += 8) { for (bx = 0; bx < w; bx += 8) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 8x8 block if (!res) { // fill whole 8x8 block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
for (i = 0; i < 64; i++) for (i = 0; i < 64; i++)
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
...@@ -89,14 +98,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -89,14 +98,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
for (i = 0; i < 4; i++) { for (i = 0; i < 4; i++) {
l0x = bx + (i & 1) * 4; l0x = bx + (i & 1) * 4;
l0y = by + (i & 2) * 2; l0y = by + (i & 2) * 2;
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 4x4 block if (!res) { // fill whole 4x4 block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
for (j = 0; j < 16; j++) for (j = 0; j < 16; j++)
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
} else { // copy block from already decoded place } else { // copy block from already decoded place
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
mx = val & 0xF; mx = val & 0xF;
my = val >> 4; my = val >> 4;
...@@ -108,16 +125,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -108,16 +125,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
for (j = 0; j < 4; j++) { for (j = 0; j < 4; j++) {
l1x = l0x + (j & 1) * 2; l1x = l0x + (j & 1) * 2;
l1y = l0y + (j & 2); l1y = l0y + (j & 2);
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 2x2 block if (!res) { // fill whole 2x2 block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x, l1y) = val;
BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val;
BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x, l1y + 1) = val;
BLK(ctx->cur, l1x + 1, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val;
} else { // copy block from already decoded place } else { // copy block from already decoded place
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
mx = val & 0xF; mx = val & 0xF;
my = val >> 4; my = val >> 4;
...@@ -140,9 +165,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -140,9 +165,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
} }
} }
} }
return 0;
} }
static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h) static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
{ {
BitBuf bb; BitBuf bb;
int res, val; int res, val;
...@@ -150,15 +177,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -150,15 +177,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
int bx, by; int bx, by;
int l0x, l1x, l0y, l1y; int l0x, l1x, l0y, l1y;
int mx, my; int mx, my;
const uint8_t *src_end = src + src_size;
kmvc_init_getbits(bb, src); kmvc_init_getbits(bb, src);
for (by = 0; by < h; by += 8) for (by = 0; by < h; by += 8)
for (bx = 0; bx < w; bx += 8) { for (bx = 0; bx < w; bx += 8) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 8x8 block if (!res) { // fill whole 8x8 block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
for (i = 0; i < 64; i++) for (i = 0; i < 64; i++)
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
...@@ -171,14 +203,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -171,14 +203,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
for (i = 0; i < 4; i++) { for (i = 0; i < 4; i++) {
l0x = bx + (i & 1) * 4; l0x = bx + (i & 1) * 4;
l0y = by + (i & 2) * 2; l0y = by + (i & 2) * 2;
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 4x4 block if (!res) { // fill whole 4x4 block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
for (j = 0; j < 16; j++) for (j = 0; j < 16; j++)
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
} else { // copy block } else { // copy block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
mx = (val & 0xF) - 8; mx = (val & 0xF) - 8;
my = (val >> 4) - 8; my = (val >> 4) - 8;
...@@ -190,16 +230,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -190,16 +230,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
for (j = 0; j < 4; j++) { for (j = 0; j < 4; j++) {
l1x = l0x + (j & 1) * 2; l1x = l0x + (j & 1) * 2;
l1y = l0y + (j & 2); l1y = l0y + (j & 2);
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, res); kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 2x2 block if (!res) { // fill whole 2x2 block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x, l1y) = val;
BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val;
BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x, l1y + 1) = val;
BLK(ctx->cur, l1x + 1, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val;
} else { // copy block } else { // copy block
if (src >= src_end) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++; val = *src++;
mx = (val & 0xF) - 8; mx = (val & 0xF) - 8;
my = (val >> 4) - 8; my = (val >> 4) - 8;
...@@ -222,6 +270,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, ...@@ -222,6 +270,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
} }
} }
} }
return 0;
} }
static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
...@@ -299,10 +349,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -299,10 +349,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
memcpy(ctx->cur, ctx->prev, 320 * 200); memcpy(ctx->cur, ctx->prev, 320 * 200);
break; break;
case 3: case 3:
kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height); kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
break; break;
case 4: case 4:
kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height); kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD); av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
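Review bot: The new int return of kmvc_decode_intra_8x8 and kmvc_decode_inter_8x8 is discarded at both call sites in the last hunk (`case 3:` and `case 4:`), so a "Data overrun" is logged and the decoder bails out, but decode_frame still continues and emits the partially decoded frame as if the packet were valid; change the calls to `if (kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height) < 0) return AVERROR_INVALIDDATA;` and the same for the inter call. In both decoders the first byte is still fetched unchecked by `kmvc_init_getbits(bb, src)` immediately after `src_end` is computed, so a packet with no payload after the header reads one byte past the buffer; guarding it with `if (src >= src_end) { av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); return AVERROR_INVALIDDATA; }` before the init would close that gap. If decode_frame has already advanced buf past the header and palette bytes before these calls (that code is outside the hunk), passing the original buf_size makes src_end overshoot the real packet end by the same number of bytes, so the remaining length rather than the full packet size should be passed. As a point of style, the ten identical four-line `if (src >= src_end)` blocks would read better as one small macro or static inline helper next to kmvc_getbit, and a macro that contains a `return` and silently depends on a `ctx` in scope deserves a comment saying so. The bodies of all three functions begin and end outside the visible hunks.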