From 8cfb44cd2ec76306f0c4fbfd030b411f77298074 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Mon, 4 Jul 2022 12:18:23 +0200
Subject: [PATCH] avcodec/mscc: Don't modify input packet

This packet may not be writable, hence we must not write to it.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/mscc.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c
index ac67ec9c47..3666b881a1 100644
--- a/libavcodec/mscc.c
+++ b/libavcodec/mscc.c
@@ -134,7 +134,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
 {
     MSCCContext *s = avctx->priv_data;
     z_stream *const zstream = &s->zstream.zstream;
-    uint8_t *buf = avpkt->data;
+    const uint8_t *buf = avpkt->data;
     int buf_size = avpkt->size;
     GetByteContext gb;
     PutByteContext pb;
@@ -146,12 +146,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
     if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
         return ret;
 
-    if (avctx->codec_id == AV_CODEC_ID_MSCC) {
-        avpkt->data[2] ^= avpkt->data[0];
-        buf += 2;
-        buf_size -= 2;
-    }
-
     if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
         size_t size;
         const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
@@ -172,12 +166,25 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
         av_log(avctx, AV_LOG_ERROR, "Inflate reset error: %d\n", ret);
         return AVERROR_UNKNOWN;
     }
-    zstream->next_in   = buf;
-    zstream->avail_in  = buf_size;
     zstream->next_out  = s->decomp_buf;
     zstream->avail_out = s->decomp_size;
+    if (avctx->codec_id == AV_CODEC_ID_MSCC) {
+        const uint8_t start = avpkt->data[2] ^ avpkt->data[0];
+
+        zstream->next_in  = &start;
+        zstream->avail_in = 1;
+        ret = inflate(zstream, Z_NO_FLUSH);
+        if (ret != Z_OK || zstream->avail_in != 0)
+            goto inflate_error;
+
+        buf      += 3;
+        buf_size -= 3;
+    }
+    zstream->next_in   = buf;
+    zstream->avail_in  = buf_size;
     ret = inflate(zstream, Z_FINISH);
     if (ret != Z_STREAM_END) {
+inflate_error:
         av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret);
         return AVERROR_UNKNOWN;
     }