Skip to content

F
ffmpeg.wasm-core
Commit da2e774f authored by Laurentiu Ion's avatar Laurentiu Ion Committed by Ronald S. Bultje
Browse files
Options

kmvc: Use bytestream2 functions to prevent buffer overreads. 

Signed-off-by: 's avatarRonald S. Bultje <rsbultje@gmail.com>
parent a67b8c86
Hide whitespace changes
Inline Side-by-side
Showing with 58 additions and 92 deletions
libavcodec/kmvc.c
View file @ da2e774f
...@@ -46,6 +46,7 @@ typedef struct KmvcContext { ...@@ -46,6 +46,7 @@ typedef struct KmvcContext {
uint32_t pal[256]; uint32_t pal[256];
uint8_t *cur, *prev; uint8_t *cur, *prev;
uint8_t *frm0, *frm1; uint8_t *frm0, *frm1;
GetByteContext g;
} KmvcContext; } KmvcContext;
typedef struct BitBuf { typedef struct BitBuf {
...@@ -55,23 +56,19 @@ typedef struct BitBuf { ...@@ -55,23 +56,19 @@ typedef struct BitBuf {
#define BLK(data, x, y) data[(x) + (y) * 320] #define BLK(data, x, y) data[(x) + (y) * 320]
#define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++; #define kmvc_init_getbits(bb, g) bb.bits = 7; bb.bitbuf = bytestream2_get_byte(g);
#define kmvc_getbit(bb, src, src_end, res) {\ #define kmvc_getbit(bb, g, res) {\
res = 0; \ res = 0; \
if (bb.bitbuf & (1 << bb.bits)) res = 1; \ if (bb.bitbuf & (1 << bb.bits)) res = 1; \
bb.bits--; \ bb.bits--; \
if(bb.bits == -1) { \ if(bb.bits == -1) { \
if (src >= src_end) { \ bb.bitbuf = bytestream2_get_byte(g); \
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
return AVERROR_INVALIDDATA; \
} \
bb.bitbuf = *src++; \
bb.bits = 7; \ bb.bits = 7; \
} \ } \
} }
static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h)
{ {
BitBuf bb; BitBuf bb;
int res, val; int res, val;
...@@ -79,42 +76,33 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -79,42 +76,33 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src
int bx, by; int bx, by;
int l0x, l1x, l0y, l1y; int l0x, l1x, l0y, l1y;
int mx, my; int mx, my;
const uint8_t *src_end = src + src_size;
kmvc_init_getbits(bb, src); kmvc_init_getbits(bb, &ctx->g);
for (by = 0; by < h; by += 8) for (by = 0; by < h; by += 8)
for (bx = 0; bx < w; bx += 8) { for (bx = 0; bx < w; bx += 8) {
kmvc_getbit(bb, src, src_end, res); if (!bytestream2_get_bytes_left(&ctx->g)) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
kmvc_getbit(bb, &ctx->g, res);
if (!res) { // fill whole 8x8 block if (!res) { // fill whole 8x8 block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
for (i = 0; i < 64; i++) for (i = 0; i < 64; i++)
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
} else { // handle four 4x4 subblocks } else { // handle four 4x4 subblocks
for (i = 0; i < 4; i++) { for (i = 0; i < 4; i++) {
l0x = bx + (i & 1) * 4; l0x = bx + (i & 1) * 4;
l0y = by + (i & 2) * 2; l0y = by + (i & 2) * 2;
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { // fill whole 4x4 block if (!res) { // fill whole 4x4 block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
for (j = 0; j < 16; j++) for (j = 0; j < 16; j++)
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
} else { // copy block from already decoded place } else { // copy block from already decoded place
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
mx = val & 0xF; mx = val & 0xF;
my = val >> 4; my = val >> 4;
for (j = 0; j < 16; j++) for (j = 0; j < 16; j++)
...@@ -125,25 +113,17 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -125,25 +113,17 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src
for (j = 0; j < 4; j++) { for (j = 0; j < 4; j++) {
l1x = l0x + (j & 1) * 2; l1x = l0x + (j & 1) * 2;
l1y = l0y + (j & 2); l1y = l0y + (j & 2);
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { // fill whole 2x2 block if (!res) { // fill whole 2x2 block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x, l1y) = val;
BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val;
BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x, l1y + 1) = val;
BLK(ctx->cur, l1x + 1, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val;
} else { // copy block from already decoded place } else { // copy block from already decoded place
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
mx = val & 0xF; mx = val & 0xF;
my = val >> 4; my = val >> 4;
BLK(ctx->cur, l1x, l1y) = BLK(ctx->cur, l1x - mx, l1y - my); BLK(ctx->cur, l1x, l1y) = BLK(ctx->cur, l1x - mx, l1y - my);
...@@ -155,10 +135,10 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -155,10 +135,10 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src
BLK(ctx->cur, l1x + 1 - mx, l1y + 1 - my); BLK(ctx->cur, l1x + 1 - mx, l1y + 1 - my);
} }
} else { // read values for block } else { // read values for block
BLK(ctx->cur, l1x, l1y) = *src++; BLK(ctx->cur, l1x, l1y) = bytestream2_get_byte(&ctx->g);
BLK(ctx->cur, l1x + 1, l1y) = *src++; BLK(ctx->cur, l1x + 1, l1y) = bytestream2_get_byte(&ctx->g);
BLK(ctx->cur, l1x, l1y + 1) = *src++; BLK(ctx->cur, l1x, l1y + 1) = bytestream2_get_byte(&ctx->g);
BLK(ctx->cur, l1x + 1, l1y + 1) = *src++; BLK(ctx->cur, l1x + 1, l1y + 1) = bytestream2_get_byte(&ctx->g);
} }
} }
} }
...@@ -169,7 +149,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -169,7 +149,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src
return 0; return 0;
} }
static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h)
{ {
BitBuf bb; BitBuf bb;
int res, val; int res, val;
...@@ -177,21 +157,20 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -177,21 +157,20 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src
int bx, by; int bx, by;
int l0x, l1x, l0y, l1y; int l0x, l1x, l0y, l1y;
int mx, my; int mx, my;
const uint8_t *src_end = src + src_size;
kmvc_init_getbits(bb, src); kmvc_init_getbits(bb, &ctx->g);
for (by = 0; by < h; by += 8) for (by = 0; by < h; by += 8)
for (bx = 0; bx < w; bx += 8) { for (bx = 0; bx < w; bx += 8) {
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { // fill whole 8x8 block if (!res) { // fill whole 8x8 block
if (src >= src_end) { if (!bytestream2_get_bytes_left(&ctx->g)) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
val = *src++; val = bytestream2_get_byte(&ctx->g);
for (i = 0; i < 64; i++) for (i = 0; i < 64; i++)
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
} else { // copy block from previous frame } else { // copy block from previous frame
...@@ -200,26 +179,22 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -200,26 +179,22 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src
BLK(ctx->prev, bx + (i & 0x7), by + (i >> 3)); BLK(ctx->prev, bx + (i & 0x7), by + (i >> 3));
} }
} else { // handle four 4x4 subblocks } else { // handle four 4x4 subblocks
if (!bytestream2_get_bytes_left(&ctx->g)) {
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
for (i = 0; i < 4; i++) { for (i = 0; i < 4; i++) {
l0x = bx + (i & 1) * 4; l0x = bx + (i & 1) * 4;
l0y = by + (i & 2) * 2; l0y = by + (i & 2) * 2;
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { // fill whole 4x4 block if (!res) { // fill whole 4x4 block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
for (j = 0; j < 16; j++) for (j = 0; j < 16; j++)
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
} else { // copy block } else { // copy block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
mx = (val & 0xF) - 8; mx = (val & 0xF) - 8;
my = (val >> 4) - 8; my = (val >> 4) - 8;
for (j = 0; j < 16; j++) for (j = 0; j < 16; j++)
...@@ -230,25 +205,17 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -230,25 +205,17 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src
for (j = 0; j < 4; j++) { for (j = 0; j < 4; j++) {
l1x = l0x + (j & 1) * 2; l1x = l0x + (j & 1) * 2;
l1y = l0y + (j & 2); l1y = l0y + (j & 2);
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { if (!res) {
kmvc_getbit(bb, src, src_end, res); kmvc_getbit(bb, &ctx->g, res);
if (!res) { // fill whole 2x2 block if (!res) { // fill whole 2x2 block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x, l1y) = val;
BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val;
BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x, l1y + 1) = val;
BLK(ctx->cur, l1x + 1, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val;
} else { // copy block } else { // copy block
if (src >= src_end) { val = bytestream2_get_byte(&ctx->g);
av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
return AVERROR_INVALIDDATA;
}
val = *src++;
mx = (val & 0xF) - 8; mx = (val & 0xF) - 8;
my = (val >> 4) - 8; my = (val >> 4) - 8;
BLK(ctx->cur, l1x, l1y) = BLK(ctx->prev, l1x + mx, l1y + my); BLK(ctx->cur, l1x, l1y) = BLK(ctx->prev, l1x + mx, l1y + my);
...@@ -260,10 +227,10 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -260,10 +227,10 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src
BLK(ctx->prev, l1x + 1 + mx, l1y + 1 + my); BLK(ctx->prev, l1x + 1 + mx, l1y + 1 + my);
} }
} else { // read values for block } else { // read values for block
BLK(ctx->cur, l1x, l1y) = *src++; BLK(ctx->cur, l1x, l1y) = bytestream2_get_byte(&ctx->g);
BLK(ctx->cur, l1x + 1, l1y) = *src++; BLK(ctx->cur, l1x + 1, l1y) = bytestream2_get_byte(&ctx->g);
BLK(ctx->cur, l1x, l1y + 1) = *src++; BLK(ctx->cur, l1x, l1y + 1) = bytestream2_get_byte(&ctx->g);
BLK(ctx->cur, l1x + 1, l1y + 1) = *src++; BLK(ctx->cur, l1x + 1, l1y + 1) = bytestream2_get_byte(&ctx->g);
} }
} }
} }
...@@ -276,8 +243,6 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src ...@@ -276,8 +243,6 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src
static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
{ {
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
KmvcContext *const ctx = avctx->priv_data; KmvcContext *const ctx = avctx->priv_data;
uint8_t *out, *src; uint8_t *out, *src;
int i; int i;
...@@ -285,6 +250,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -285,6 +250,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
int blocksize; int blocksize;
const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
bytestream2_init(&ctx->g, avpkt->data, avpkt->size);
if (ctx->pic.data[0]) if (ctx->pic.data[0])
avctx->release_buffer(avctx, &ctx->pic); avctx->release_buffer(avctx, &ctx->pic);
...@@ -295,16 +261,16 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -295,16 +261,16 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
return -1; return -1;
} }
header = *buf++; header = bytestream2_get_byte(&ctx->g);
/* blocksize 127 is really palette change event */ /* blocksize 127 is really palette change event */
if (buf[0] == 127) { if (bytestream2_peek_byte(&ctx->g) == 127) {
buf += 3; bytestream2_skip(&ctx->g, 3);
for (i = 0; i < 127; i++) { for (i = 0; i < 127; i++) {
ctx->pal[i + (header & 0x81)] = AV_RB24(buf); ctx->pal[i + (header & 0x81)] = bytestream2_get_be24(&ctx->g);
buf += 4; bytestream2_skip(&ctx->g, 1);
} }
buf -= 127 * 4 + 3; bytestream2_seek(&ctx->g, -127 * 4 - 3, SEEK_CUR);
} }
if (header & KMVC_KEYFRAME) { if (header & KMVC_KEYFRAME) {
...@@ -319,7 +285,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -319,7 +285,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
ctx->pic.palette_has_changed = 1; ctx->pic.palette_has_changed = 1;
// palette starts from index 1 and has 127 entries // palette starts from index 1 and has 127 entries
for (i = 1; i <= ctx->palsize; i++) { for (i = 1; i <= ctx->palsize; i++) {
ctx->pal[i] = bytestream_get_be24(&buf); ctx->pal[i] = bytestream2_get_be24(&ctx->g);
} }
} }
...@@ -336,7 +302,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -336,7 +302,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
/* make the palette available on the way out */ /* make the palette available on the way out */
memcpy(ctx->pic.data[1], ctx->pal, 1024); memcpy(ctx->pic.data[1], ctx->pal, 1024);
blocksize = *buf++; blocksize = bytestream2_get_byte(&ctx->g);
if (blocksize != 8 && blocksize != 127) { if (blocksize != 8 && blocksize != 127) {
av_log(avctx, AV_LOG_ERROR, "Block size = %i\n", blocksize); av_log(avctx, AV_LOG_ERROR, "Block size = %i\n", blocksize);
...@@ -349,10 +315,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -349,10 +315,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
memcpy(ctx->cur, ctx->prev, 320 * 200); memcpy(ctx->cur, ctx->prev, 320 * 200);
break; break;
case 3: case 3:
kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height); kmvc_decode_intra_8x8(ctx, avctx->width, avctx->height);
break; break;
case 4: case 4:
kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height); kmvc_decode_inter_8x8(ctx, avctx->width, avctx->height);
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD); av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
...@@ -380,7 +346,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ...@@ -380,7 +346,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
*(AVFrame *) data = ctx->pic; *(AVFrame *) data = ctx->pic;
/* always report that the buffer was completely consumed */ /* always report that the buffer was completely consumed */
return buf_size; return avpkt->size;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment