mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2025-01-06 23:31:13 +00:00
utvideo: port header reading to bytestream2.
Fixes crash during slice size reading if slice_end goes negative. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
This commit is contained in:
parent
d5ed5e7d0c
commit
ec0ed97b04
@ -358,13 +358,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
|
|||||||
{
|
{
|
||||||
const uint8_t *buf = avpkt->data;
|
const uint8_t *buf = avpkt->data;
|
||||||
int buf_size = avpkt->size;
|
int buf_size = avpkt->size;
|
||||||
const uint8_t *buf_end = buf + buf_size;
|
|
||||||
UtvideoContext *c = avctx->priv_data;
|
UtvideoContext *c = avctx->priv_data;
|
||||||
const uint8_t *ptr;
|
|
||||||
int i, j;
|
int i, j;
|
||||||
const uint8_t *plane_start[5];
|
const uint8_t *plane_start[5];
|
||||||
int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size;
|
int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size;
|
||||||
int ret;
|
int ret;
|
||||||
|
GetByteContext gb;
|
||||||
|
|
||||||
if (c->pic.data[0])
|
if (c->pic.data[0])
|
||||||
ff_thread_release_buffer(avctx, &c->pic);
|
ff_thread_release_buffer(avctx, &c->pic);
|
||||||
@ -379,20 +378,21 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
|
|||||||
ff_thread_finish_setup(avctx);
|
ff_thread_finish_setup(avctx);
|
||||||
|
|
||||||
/* parse plane structure to retrieve frame flags and validate slice offsets */
|
/* parse plane structure to retrieve frame flags and validate slice offsets */
|
||||||
ptr = buf;
|
bytestream2_init(&gb, buf, buf_size);
|
||||||
for (i = 0; i < c->planes; i++) {
|
for (i = 0; i < c->planes; i++) {
|
||||||
plane_start[i] = ptr;
|
plane_start[i] = gb.buffer;
|
||||||
if (buf_end - ptr < 256 + 4 * c->slices) {
|
if (bytestream2_get_bytes_left(&gb) < 256 + 4 * c->slices) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Insufficient data for a plane\n");
|
av_log(avctx, AV_LOG_ERROR, "Insufficient data for a plane\n");
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
ptr += 256;
|
bytestream2_skipu(&gb, 256);
|
||||||
slice_start = 0;
|
slice_start = 0;
|
||||||
slice_end = 0;
|
slice_end = 0;
|
||||||
for (j = 0; j < c->slices; j++) {
|
for (j = 0; j < c->slices; j++) {
|
||||||
slice_end = bytestream_get_le32(&ptr);
|
slice_end = bytestream2_get_le32u(&gb);
|
||||||
slice_size = slice_end - slice_start;
|
slice_size = slice_end - slice_start;
|
||||||
if (slice_size < 0) {
|
if (slice_end <= 0 || slice_size <= 0 ||
|
||||||
|
bytestream2_get_bytes_left(&gb) < slice_end) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
|
av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
@ -400,18 +400,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
|
|||||||
max_slice_size = FFMAX(max_slice_size, slice_size);
|
max_slice_size = FFMAX(max_slice_size, slice_size);
|
||||||
}
|
}
|
||||||
plane_size = slice_end;
|
plane_size = slice_end;
|
||||||
if (buf_end - ptr < plane_size) {
|
bytestream2_skipu(&gb, plane_size);
|
||||||
av_log(avctx, AV_LOG_ERROR, "Plane size is bigger than available data\n");
|
|
||||||
return AVERROR_INVALIDDATA;
|
|
||||||
}
|
|
||||||
ptr += plane_size;
|
|
||||||
}
|
}
|
||||||
plane_start[c->planes] = ptr;
|
plane_start[c->planes] = gb.buffer;
|
||||||
if (buf_end - ptr < c->frame_info_size) {
|
if (bytestream2_get_bytes_left(&gb) < c->frame_info_size) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Not enough data for frame information\n");
|
av_log(avctx, AV_LOG_ERROR, "Not enough data for frame information\n");
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
c->frame_info = AV_RL32(ptr);
|
c->frame_info = bytestream2_get_le32u(&gb);
|
||||||
av_log(avctx, AV_LOG_DEBUG, "frame information flags %X\n", c->frame_info);
|
av_log(avctx, AV_LOG_DEBUG, "frame information flags %X\n", c->frame_info);
|
||||||
|
|
||||||
c->frame_pred = (c->frame_info >> 8) & 3;
|
c->frame_pred = (c->frame_info >> 8) & 3;
|
||||||
|
Loading…
Reference in New Issue
Block a user