[FFmpeg-devel] [PATCH] pcx: covert to bytestream2 API
Paul B Mahol
onemda at gmail.com
Wed Oct 10 20:11:54 CEST 2012
Protects againts overreads in input buffer.
Signed-off-by: Paul B Mahol <onemda at gmail.com>
---
libavcodec/pcx.c | 77 ++++++++++++++++++++++++++++----------------------------
1 file changed, 39 insertions(+), 38 deletions(-)
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 6baca27..ef7ed29 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -40,67 +40,67 @@ static av_cold int pcx_init(AVCodecContext *avctx) {
return 0;
}
-/**
- * @return advanced src pointer
- */
-static const uint8_t *pcx_rle_decode(const uint8_t *src, uint8_t *dst,
- unsigned int bytes_per_scanline, int compressed) {
+static void pcx_rle_decode(GetByteContext *gb, uint8_t *dst,
+ unsigned int bytes_per_scanline, int compressed)
+{
unsigned int i = 0;
unsigned char run, value;
if (compressed) {
while (i<bytes_per_scanline) {
run = 1;
- value = *src++;
+ value = bytestream2_get_byte(gb);
if (value >= 0xc0) {
run = value & 0x3f;
- value = *src++;
+ value = bytestream2_get_byte(gb);
}
while (i<bytes_per_scanline && run--)
dst[i++] = value;
}
} else {
- memcpy(dst, src, bytes_per_scanline);
- src += bytes_per_scanline;
+ bytestream2_get_buffer(gb, dst, bytes_per_scanline);
}
-
- return src;
}
-static void pcx_palette(const uint8_t **src, uint32_t *dst, unsigned int pallen) {
+static void pcx_palette(GetByteContext *gb, uint32_t *dst, unsigned int pallen)
+{
unsigned int i;
for (i=0; i<pallen; i++)
- *dst++ = 0xFF000000 | bytestream_get_be24(src);
+ *dst++ = 0xFF000000 | bytestream2_get_be24(gb);
if (pallen < 256)
memset(dst, 0, (256 - pallen) * sizeof(*dst));
}
static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
- const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
PCXContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
+ GetByteContext gb;
int compressed, xmin, ymin, xmax, ymax;
unsigned int w, h, bits_per_pixel, bytes_per_line, nplanes, stride, y, x,
bytes_per_scanline;
uint8_t *ptr;
- uint8_t const *bufstart = buf;
uint8_t *scanline;
int ret = -1;
- if (buf[0] != 0x0a || buf[1] > 5) {
+ if (avpkt->size < 128)
+ return AVERROR_INVALIDDATA;
+
+ bytestream2_init(&gb, avpkt->data, avpkt->size);
+
+ if (bytestream2_get_byteu(&gb) != 0x0a || bytestream2_get_byteu(&gb) > 5) {
av_log(avctx, AV_LOG_ERROR, "this is not PCX encoded data\n");
return AVERROR_INVALIDDATA;
}
- compressed = buf[2];
- xmin = AV_RL16(buf+ 4);
- ymin = AV_RL16(buf+ 6);
- xmax = AV_RL16(buf+ 8);
- ymax = AV_RL16(buf+10);
+ compressed = bytestream2_get_byteu(&gb);
+ bits_per_pixel = bytestream2_get_byteu(&gb);
+ xmin = bytestream2_get_le16u(&gb);
+ ymin = bytestream2_get_le16u(&gb);
+ xmax = bytestream2_get_le16u(&gb);
+ ymax = bytestream2_get_le16u(&gb);
if (xmax < xmin || ymax < ymin) {
av_log(avctx, AV_LOG_ERROR, "invalid image dimensions\n");
@@ -110,9 +110,9 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
w = xmax - xmin + 1;
h = ymax - ymin + 1;
- bits_per_pixel = buf[3];
- bytes_per_line = AV_RL16(buf+66);
- nplanes = buf[65];
+ bytestream2_skipu(&gb, 53);
+ nplanes = bytestream2_get_byteu(&gb);
+ bytes_per_line = bytestream2_get_le16u(&gb);
bytes_per_scanline = nplanes * bytes_per_line;
if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8) {
@@ -138,7 +138,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
return AVERROR_INVALIDDATA;
}
- buf += 128;
+ bytestream2_skipu(&gb, 60);
if (p->data[0])
avctx->release_buffer(avctx, p);
@@ -163,7 +163,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if (nplanes == 3 && bits_per_pixel == 8) {
for (y=0; y<h; y++) {
- buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+ pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed);
for (x=0; x<w; x++) {
ptr[3*x ] = scanline[x ];
@@ -175,18 +175,18 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
}
} else if (nplanes == 1 && bits_per_pixel == 8) {
- const uint8_t *palstart = bufstart + buf_size - 769;
+ int palstart = avpkt->size - 769;
for (y=0; y<h; y++, ptr+=stride) {
- buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+ pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed);
memcpy(ptr, scanline, w);
}
- if (buf != palstart) {
+ if (bytestream2_tell(&gb) != palstart) {
av_log(avctx, AV_LOG_WARNING, "image data possibly corrupted\n");
- buf = palstart;
+ bytestream2_seek(&gb, palstart, SEEK_SET);
}
- if (*buf++ != 12) {
+ if (bytestream2_get_byte(&gb) != 12) {
av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n");
ret = AVERROR_INVALIDDATA;
goto end;
@@ -198,7 +198,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
for (y=0; y<h; y++) {
init_get_bits(&s, scanline, bytes_per_scanline<<3);
- buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+ pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed);
for (x=0; x<w; x++)
ptr[x] = get_bits(&s, bits_per_pixel);
@@ -209,7 +209,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
int i;
for (y=0; y<h; y++) {
- buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+ pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed);
for (x=0; x<w; x++) {
int m = 0x80 >> (x&7), v = 0;
@@ -223,20 +223,21 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
}
}
+ ret = bytestream2_tell(&gb);
if (nplanes == 1 && bits_per_pixel == 8) {
- pcx_palette(&buf, (uint32_t *) p->data[1], 256);
+ pcx_palette(&gb, (uint32_t *) p->data[1], 256);
+ ret += 256 * 3;
} else if (bits_per_pixel * nplanes == 1) {
AV_WN32A(p->data[1] , 0xFF000000);
AV_WN32A(p->data[1]+4, 0xFFFFFFFF);
} else if (bits_per_pixel < 8) {
- const uint8_t *palette = bufstart+16;
- pcx_palette(&palette, (uint32_t *) p->data[1], 16);
+ bytestream2_seek(&gb, 16, SEEK_SET);
+ pcx_palette(&gb, (uint32_t *) p->data[1], 16);
}
*picture = s->picture;
*data_size = sizeof(AVFrame);
- ret = buf - bufstart;
end:
av_free(scanline);
return ret;
--
1.7.11.4
More information about the ffmpeg-devel
mailing list