ffmpeg/libavcodec/sunrast.c
Michael Niedermayer f8a2a65078
avcodec/sunrast: Fix maplength check
Fixes: out of bounds read

Found-by: Ibrahim Mohamed <ielsayed@meta.com>
Reviewed-by; Ibrahim Mohamed <ielsayed@meta.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-12-24 23:43:45 +01:00

231 lines
7.2 KiB
C

/*
* Sun Rasterfile (.sun/.ras/im{1,8,24}/.sunras) image decoder
* Copyright (c) 2007, 2008 Ivo van Poorten
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "libavutil/avassert.h"
#include "libavutil/common.h"
#include "libavutil/intreadwrite.h"
#include "avcodec.h"
#include "codec_internal.h"
#include "decode.h"
#include "sunrast.h"
static int sunrast_decode_frame(AVCodecContext *avctx, AVFrame *p,
int *got_frame, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
const uint8_t *buf_end = avpkt->data + avpkt->size;
unsigned int w, h, depth, type, maptype, maplength, x, y, len, alen;
ptrdiff_t stride;
uint8_t *ptr, *ptr2 = NULL;
const uint8_t *bufstart = buf;
int ret;
if (avpkt->size < 32)
return AVERROR_INVALIDDATA;
if (AV_RB32(buf) != RAS_MAGIC) {
av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n");
return AVERROR_INVALIDDATA;
}
w = AV_RB32(buf + 4);
h = AV_RB32(buf + 8);
depth = AV_RB32(buf + 12);
type = AV_RB32(buf + 20);
maptype = AV_RB32(buf + 24);
maplength = AV_RB32(buf + 28);
buf += 32;
if (type == RT_EXPERIMENTAL) {
avpriv_request_sample(avctx, "TIFF/IFF/EXPERIMENTAL (compression) type");
return AVERROR_PATCHWELCOME;
}
if (type > RT_FORMAT_IFF) {
av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
return AVERROR_INVALIDDATA;
}
if (maptype == RMT_RAW) {
avpriv_request_sample(avctx, "Unknown colormap type");
return AVERROR_PATCHWELCOME;
}
if (maptype > RMT_RAW) {
av_log(avctx, AV_LOG_ERROR, "invalid colormap type\n");
return AVERROR_INVALIDDATA;
}
if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
return AVERROR_PATCHWELCOME;
}
if (maplength > 768) {
av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n");
return AVERROR_INVALIDDATA;
}
// This also checks depth to be valid
switch (depth) {
case 1:
avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE;
break;
case 4:
avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_NONE;
break;
case 8:
avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_GRAY8;
break;
case 24:
avctx->pix_fmt = (type == RT_FORMAT_RGB) ? AV_PIX_FMT_RGB24 : AV_PIX_FMT_BGR24;
break;
case 32:
avctx->pix_fmt = (type == RT_FORMAT_RGB) ? AV_PIX_FMT_0RGB : AV_PIX_FMT_0BGR;
break;
default:
av_log(avctx, AV_LOG_ERROR, "invalid depth\n");
return AVERROR_INVALIDDATA;
}
// This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int
ret = ff_set_dimensions(avctx, w, h);
if (ret < 0)
return ret;
// ensured by ff_set_dimensions()
av_assert0(w <= (INT32_MAX - 7) / depth);
/* scanlines are aligned on 16 bit boundaries */
len = (depth * w + 7) >> 3;
alen = len + (len & 1);
// ensured by ff_set_dimensions()
av_assert0(h <= INT32_MAX / (3 * len));
// maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check
if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256)
return AVERROR_INVALIDDATA;
if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
return ret;
p->pict_type = AV_PICTURE_TYPE_I;
if (depth > 8 && maplength) {
av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n");
} else if (maplength) {
unsigned int len = maplength / 3;
if (maplength % 3) {
av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n");
return AVERROR_INVALIDDATA;
}
ptr = p->data[1];
for (x = 0; x < len; x++, ptr += 4)
*(uint32_t *)ptr = (0xFFU<<24) + (buf[x]<<16) + (buf[len+x]<<8) + buf[len+len+x];
}
buf += maplength;
if (maplength && depth < 8) {
ptr = ptr2 = av_malloc_array((w + 15), h);
if (!ptr)
return AVERROR(ENOMEM);
stride = (w + 15 >> 3) * depth;
} else {
ptr = p->data[0];
stride = p->linesize[0];
}
if (type == RT_BYTE_ENCODED) {
int value, run;
uint8_t *end = ptr + (ptrdiff_t)h * stride;
x = 0;
while (ptr != end && buf < buf_end) {
run = 1;
if (buf_end - buf < 1)
return AVERROR_INVALIDDATA;
if ((value = *buf++) == RLE_TRIGGER) {
run = *buf++ + 1;
if (run != 1)
value = *buf++;
}
while (run--) {
if (x < len)
ptr[x] = value;
if (++x >= alen) {
x = 0;
ptr += stride;
if (ptr == end)
break;
}
}
}
} else {
for (y = 0; y < h; y++) {
if (buf_end - buf < alen)
break;
memcpy(ptr, buf, len);
ptr += stride;
buf += alen;
}
}
if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && depth < 8) {
uint8_t *ptr_free = ptr2;
ptr = p->data[0];
for (y=0; y<h; y++) {
for (x = 0; x < (w + 7 >> 3) * depth; x++) {
if (depth == 1) {
ptr[8*x] = ptr2[x] >> 7;
ptr[8*x+1] = ptr2[x] >> 6 & 1;
ptr[8*x+2] = ptr2[x] >> 5 & 1;
ptr[8*x+3] = ptr2[x] >> 4 & 1;
ptr[8*x+4] = ptr2[x] >> 3 & 1;
ptr[8*x+5] = ptr2[x] >> 2 & 1;
ptr[8*x+6] = ptr2[x] >> 1 & 1;
ptr[8*x+7] = ptr2[x] & 1;
} else {
ptr[2*x] = ptr2[x] >> 4;
ptr[2*x+1] = ptr2[x] & 0xF;
}
}
ptr += p->linesize[0];
ptr2 += (w + 15 >> 3) * depth;
}
av_freep(&ptr_free);
}
*got_frame = 1;
return buf - bufstart;
}
const FFCodec ff_sunrast_decoder = {
.p.name = "sunrast",
CODEC_LONG_NAME("Sun Rasterfile image"),
.p.type = AVMEDIA_TYPE_VIDEO,
.p.id = AV_CODEC_ID_SUNRAST,
.p.capabilities = AV_CODEC_CAP_DR1,
FF_CODEC_DECODE_CB(sunrast_decode_frame),
};