RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/movtextdec: Redo TextSampleModifierBox size checks 

The current checks just check whether the boxes fit into the remaining
size of the packet instead of whether they actually fit into the box
size. This has been changed; part of this change is to pass the size of
the box (minus the box header) as parameter instead of a pointer to
the AVPacket by which the box parsing function is supposed to
recalculate whether enough data is available.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This commit is contained in:
Andreas Rheinhardt 2021-12-08 16:03:03 +01:00
parent efd7b35d06
commit e1044e55e4
1 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
libavcodec/movtextdec.c
View File

@ -103,7 +103,6 @@ typedef struct {
uint8_t box_flags; uint8_t box_flags;
uint16_t style_entries, ftab_entries; uint16_t style_entries, ftab_entries;
uint64_t tracksize; uint64_t tracksize;
int size_var;
int readorder; int readorder;
int frame_width; int frame_width;
int frame_height; int frame_height;
@ -112,7 +111,7 @@ typedef struct {
typedef struct { typedef struct {
uint32_t type; uint32_t type;
unsigned base_size; unsigned base_size;
int (*decode)(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt); int (*decode)(const uint8_t *tsmb, MovTextContext *m, uint64_t size);
} Box; } Box;
static void mov_text_cleanup(MovTextContext *m) static void mov_text_cleanup(MovTextContext *m)
@ -241,14 +240,14 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
return 0; return 0;
} }
static int decode_twrp(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) static int decode_twrp(const uint8_t *tsmb, MovTextContext *m, uint64_t size)
{ {
m->box_flags |= TWRP_BOX; m->box_flags |= TWRP_BOX;
m->w.wrap_flag = bytestream_get_byte(&tsmb); m->w.wrap_flag = bytestream_get_byte(&tsmb);
return 0; return 0;
} }
static int decode_hlit(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) static int decode_hlit(const uint8_t *tsmb, MovTextContext *m, uint64_t size)
{ {
m->box_flags |= HLIT_BOX; m->box_flags |= HLIT_BOX;
m->h.hlit_start = bytestream_get_be16(&tsmb); m->h.hlit_start = bytestream_get_be16(&tsmb);
@ -256,7 +255,7 @@ static int decode_hlit(const uint8_t *tsmb, MovTextContext *m, const AVPacket *a
return 0; return 0;
} }
static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, uint64_t size)
{ {
m->box_flags |= HCLR_BOX; m->box_flags |= HCLR_BOX;
bytestream_get_buffer(&tsmb, m->c.hlit_color, 4); bytestream_get_buffer(&tsmb, m->c.hlit_color, 4);
@ -271,14 +270,14 @@ static int styles_equivalent(const StyleBox *a, const StyleBox *b)
#undef CMP #undef CMP
} }
static int decode_styl(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, uint64_t size)
{ {
int i; int i;
int style_entries = bytestream_get_be16(&tsmb); int style_entries = bytestream_get_be16(&tsmb);
StyleBox *tmp; StyleBox *tmp;
// A single style record is of length 12 bytes. // A single style record is of length 12 bytes.
if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) if (2 + style_entries * 12 > size)
return -1; return -1;
tmp = av_realloc_array(m->s, style_entries, sizeof(*m->s)); tmp = av_realloc_array(m->s, style_entries, sizeof(*m->s));
@ -519,6 +518,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
av_bprint_init(&buf, 0, AV_BPRINT_SIZE_UNLIMITED); av_bprint_init(&buf, 0, AV_BPRINT_SIZE_UNLIMITED);
if (text_length + 2 != avpkt->size) { if (text_length + 2 != avpkt->size) {
while (m->tracksize + 8 <= avpkt->size) { while (m->tracksize + 8 <= avpkt->size) {
int size_var;
// A box is a minimum of 8 bytes. // A box is a minimum of 8 bytes.
tsmb = ptr + m->tracksize - 2; tsmb = ptr + m->tracksize - 2;
tsmb_size = AV_RB32(tsmb); tsmb_size = AV_RB32(tsmb);
@ -531,12 +531,12 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
break; break;
tsmb_size = AV_RB64(tsmb); tsmb_size = AV_RB64(tsmb);
tsmb += 8; tsmb += 8;
m->size_var = 16; size_var = 16;
} else } else
m->size_var = 8; size_var = 8;
//size_var is equal to 8 or 16 depending on the size of box //size_var is equal to 8 or 16 depending on the size of box
if (tsmb_size < m->size_var) { if (tsmb_size < size_var) {
av_log(avctx, AV_LOG_ERROR, "tsmb_size invalid\n"); av_log(avctx, AV_LOG_ERROR, "tsmb_size invalid\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
@ -544,16 +544,18 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
if (tsmb_size > avpkt->size - m->tracksize) if (tsmb_size > avpkt->size - m->tracksize)
break; break;
m->tracksize += tsmb_size;
tsmb_size -= size_var;
for (i = 0; i < box_count; i++) { for (i = 0; i < box_count; i++) {
if (tsmb_type == box_types[i].type) { if (tsmb_type == box_types[i].type) {
if (m->tracksize + m->size_var + box_types[i].base_size > avpkt->size) if (tsmb_size < box_types[i].base_size)
break; break;
ret_tsmb = box_types[i].decode(tsmb, m, avpkt); ret_tsmb = box_types[i].decode(tsmb, m, tsmb_size);
if (ret_tsmb == -1) if (ret_tsmb == -1)
break; break;
} }
} }
m->tracksize = m->tracksize + tsmb_size;
} }
text_to_ass(&buf, ptr, end, avctx); text_to_ass(&buf, ptr, end, avctx);
mov_text_cleanup(m); mov_text_cleanup(m);