From 09b23786b3986502ee88d4907356979127169bdd Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Aug 2016 10:18:39 +0200 Subject: [PATCH] pcx: use the bytestream2 API for reading from input Fixes possible invalid reads. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/pcx.c | 73 +++++++++++++++++++----------------------------- 1 file changed, 29 insertions(+), 44 deletions(-) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 2191ad15036..a2d49b454d9 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -33,41 +33,37 @@ /** * @return advanced src pointer */ -static const uint8_t *pcx_rle_decode(const uint8_t *src, - const uint8_t *end, - uint8_t *dst, - unsigned int bytes_per_scanline, - int compressed) +static void pcx_rle_decode(GetByteContext *gb, + uint8_t *dst, + unsigned int bytes_per_scanline, + int compressed) { unsigned int i = 0; unsigned char run, value; if (compressed) { - while (i < bytes_per_scanline && src < end) { + while (i < bytes_per_scanline && bytestream2_get_bytes_left(gb)) { run = 1; - value = *src++; - if (value >= 0xc0 && src < end) { + value = bytestream2_get_byte(gb); + if (value >= 0xc0 && bytestream2_get_bytes_left(gb)) { run = value & 0x3f; - value = *src++; + value = bytestream2_get_byte(gb); } while (i < bytes_per_scanline && run--) dst[i++] = value; } } else { - memcpy(dst, src, bytes_per_scanline); - src += bytes_per_scanline; + bytestream2_get_buffer(gb, dst, bytes_per_scanline); } - - return src; } -static void pcx_palette(const uint8_t **src, uint32_t *dst, +static void pcx_palette(GetByteContext *gb, uint32_t *dst, unsigned int pallen) { unsigned int i; for (i = 0; i < pallen; i++) - *dst++ = bytestream_get_be24(src); + *dst++ = bytestream2_get_be24(gb); if (pallen < 256) memset(dst, 0, (256 - pallen) * sizeof(*dst)); } @@ -78,12 +74,11 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AVFrame *const p = data; + GetByteContext gb; int compressed, xmin, ymin, xmax, ymax; unsigned int w, h, bits_per_pixel, bytes_per_line, nplanes, stride, y, x, bytes_per_scanline; uint8_t *ptr; - const uint8_t *buf_end = buf + buf_size; - const uint8_t *bufstart = buf; uint8_t *scanline; int ret = -1; @@ -140,7 +135,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_INVALIDDATA; } - buf += 128; + bytestream2_init(&gb, buf + PCX_HEADER_SIZE, buf_size - PCX_HEADER_SIZE); if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; @@ -161,8 +156,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (nplanes == 3 && bits_per_pixel == 8) { for (y = 0; y < h; y++) { - buf = pcx_rle_decode(buf, buf_end, - scanline, bytes_per_scanline, compressed); + pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed); for (x = 0; x < w; x++) { ptr[3 * x] = scanline[x]; @@ -173,26 +167,12 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ptr += stride; } } else if (nplanes == 1 && bits_per_pixel == 8) { - const uint8_t *palstart = bufstart + buf_size - 769; - - if (buf_size < 769) { - av_log(avctx, AV_LOG_ERROR, "File is too short\n"); - ret = avctx->err_recognition & AV_EF_EXPLODE ? - AVERROR_INVALIDDATA : buf_size; - goto end; - } - for (y = 0; y < h; y++, ptr += stride) { - buf = pcx_rle_decode(buf, buf_end, - scanline, bytes_per_scanline, compressed); + pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed); memcpy(ptr, scanline, w); } - if (buf != palstart) { - av_log(avctx, AV_LOG_WARNING, "image data possibly corrupted\n"); - buf = palstart; - } - if (*buf++ != 12) { + if (bytestream2_get_byte(&gb) != 12) { av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n"); ret = avctx->err_recognition & AV_EF_EXPLODE ? AVERROR_INVALIDDATA : buf_size; @@ -204,8 +184,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (y = 0; y < h; y++) { init_get_bits(&s, scanline, bytes_per_scanline << 3); - buf = pcx_rle_decode(buf, buf_end, - scanline, bytes_per_scanline, compressed); + pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed); for (x = 0; x < w; x++) ptr[x] = get_bits(&s, bits_per_pixel); @@ -215,8 +194,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int i; for (y = 0; y < h; y++) { - buf = pcx_rle_decode(buf, buf_end, - scanline, bytes_per_scanline, compressed); + pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed); for (x = 0; x < w; x++) { int m = 0x80 >> (x & 7), v = 0; @@ -231,15 +209,22 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (nplanes == 1 && bits_per_pixel == 8) { - pcx_palette(&buf, (uint32_t *)p->data[1], 256); + if (bytestream2_get_bytes_left(&gb) < 768) { + av_log(avctx, AV_LOG_ERROR, "Palette truncated\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } + + pcx_palette(&gb, (uint32_t *)p->data[1], 256); } else if (bits_per_pixel < 8) { - const uint8_t *palette = bufstart + 16; - pcx_palette(&palette, (uint32_t *)p->data[1], 16); + GetByteContext gb1; + bytestream2_init(&gb1, avpkt->data + 16, 48); + pcx_palette(&gb1, (uint32_t *)p->data[1], 16); } *got_frame = 1; - ret = buf - bufstart; + ret = bytestream2_tell(&gb); end: av_free(scanline); return ret; -- 2.39.5