[FFmpeg-devel] [PATCH 2/2] lavf/swfdec: support DefineBitsLossless{, 2} tag.
Michael Niedermayer
michaelni at gmx.at
Wed Oct 17 02:37:59 CEST 2012
On Tue, Oct 16, 2012 at 09:15:40PM +0200, Clément Bœsch wrote:
> On Sun, Oct 14, 2012 at 04:22:22AM +0200, Michael Niedermayer wrote:
> > On Fri, Oct 12, 2012 at 11:21:05PM +0200, Clément Bœsch wrote:
> > > ---
> > > libavformat/swfdec.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > 1 file changed, 114 insertions(+)
> > >
> > > diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
> > > index 48a2156..3fe31d4 100644
> > > --- a/libavformat/swfdec.c
> > > +++ b/libavformat/swfdec.c
> > > @@ -20,6 +20,7 @@
> > > * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> > > */
> > >
> > > +#include "libavutil/avassert.h"
> > > #include "libavutil/intreadwrite.h"
> > > #include "swf.h"
> > >
> > > @@ -253,6 +254,119 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
> > > return pkt->size;
> > > }
> > > }
> > > + } else if (tag == TAG_DEFINEBITSLOSSLESS || tag == TAG_DEFINEBITSLOSSLESS2) {
> > > +#if CONFIG_ZLIB
> > > + long out_len;
> > > + uint8_t *buf, *zbuf, *pal;
> > > + uint32_t colormap[AVPALETTE_COUNT] = {0};
> > > + const int alpha_bmp = tag == TAG_DEFINEBITSLOSSLESS2;
> > > + const int colormapbpp = 3 + alpha_bmp;
> > > + int linesize, colormapsize = 0;
> > > +
> > > + const int ch_id = avio_rl16(pb);
> > > + const int bmp_fmt = avio_r8(pb);
> > > + const int width = avio_rl16(pb);
> > > + const int height = avio_rl16(pb);
> > > +
> > > + len -= 2+1+2+2;
> > > +
> > > + switch (bmp_fmt) {
> > > + case 3: // PAL-8
> > > + linesize = width;
> > > + colormapsize = avio_r8(pb) + 1;
> > > + len--;
> > > + break;
> > > + case 4: // RGB15
> > > + linesize = width * 2;
> > > + break;
> > > + case 5: // RGB24 (0RGB)
> > > + linesize = width * 4;
> > > + break;
> > > + default:
> > > + av_log(s, AV_LOG_ERROR, "invalid bitmap format %d, skipped\n", bmp_fmt);
> > > + goto bitmap_end_skip;
> > > + }
> > > +
> > > + linesize = FFALIGN(linesize, 4);
> >
> > > + out_len = colormapsize * colormapbpp + linesize * height;
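Review bot: on the out_len line, linesize * height is evaluated in int before the result is stored, so declaring out_len as long does not widen the multiplication. width and height both come from avio_rl16(), so for bmp_fmt 5 linesize can reach 65535 * 4 and the product with height exceeds INT_MAX. Reject zero or oversized width/height before this line, or do the arithmetic in a 64-bit type and fail the tag when the result does not fit the buffer size you are about to allocate.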
> >
> > this can overflow
> >
> > also len can be negative here maybe, if so it maybe should be checked
> >
> > also width/height could be 0
> >
>
> Added some checks. Hopefully it will be enough, see attached.
should be ok
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If a bugfix only changes things apparently unrelated to the bug with no
further explanation, that is a good sign that the bugfix is wrong.