ffmpeg/libavcodec/wnv1.c
Michael Niedermayer 7f50c25124 avcodec/wnv1: More strict buffer size check
This requires at least 25% of a picture to allocate and decode it

Fixes: Timeout
Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-28 03:20:09 +02:00

160 lines
4.6 KiB
C

/*
* Winnov WNV1 codec
* Copyright (c) 2005 Konstantin Shishkov
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/**
* @file
* Winnov WNV1 codec.
*/
#include "avcodec.h"
#include "get_bits.h"
#include "internal.h"
#include "mathops.h"
typedef struct WNV1Context {
int shift;
GetBitContext gb;
} WNV1Context;
static const uint16_t code_tab[16][2] = {
{ 0x1FD, 9 }, { 0xFD, 8 }, { 0x7D, 7 }, { 0x3D, 6 }, { 0x1D, 5 }, { 0x0D, 4 }, { 0x005, 3 },
{ 0x000, 1 },
{ 0x004, 3 }, { 0x0C, 4 }, { 0x1C, 5 }, { 0x3C, 6 }, { 0x7C, 7 }, { 0xFC, 8 }, { 0x1FC, 9 }, { 0xFF, 8 }
};
#define CODE_VLC_BITS 9
static VLC code_vlc;
/* returns modified base_value */
static inline int wnv1_get_code(WNV1Context *w, int base_value)
{
int v = get_vlc2(&w->gb, code_vlc.table, CODE_VLC_BITS, 1);
if (v == 15)
return ff_reverse[get_bits(&w->gb, 8 - w->shift)];
else
return base_value + ((v - 7U) << w->shift);
}
static int decode_frame(AVCodecContext *avctx,
void *data, int *got_frame,
AVPacket *avpkt)
{
WNV1Context * const l = avctx->priv_data;
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
AVFrame * const p = data;
unsigned char *Y,*U,*V;
int i, j, ret;
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
if (buf_size < 8 + avctx->height * (avctx->width/2)/8) {
av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
return AVERROR_INVALIDDATA;
}
rbuf = av_malloc(buf_size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!rbuf) {
av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
return AVERROR(ENOMEM);
}
memset(rbuf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
if ((ret = ff_get_buffer(avctx, p, 0)) < 0) {
av_free(rbuf);
return ret;
}
p->key_frame = 1;
for (i = 8; i < buf_size; i++)
rbuf[i] = ff_reverse[buf[i]];
if ((ret = init_get_bits8(&l->gb, rbuf + 8, buf_size - 8)) < 0)
return ret;
if (buf[2] >> 4 == 6)
l->shift = 2;
else {
l->shift = 8 - (buf[2] >> 4);
if (l->shift > 4) {
avpriv_request_sample(avctx,
"Unknown WNV1 frame header value %i",
buf[2] >> 4);
l->shift = 4;
}
if (l->shift < 1) {
avpriv_request_sample(avctx,
"Unknown WNV1 frame header value %i",
buf[2] >> 4);
l->shift = 1;
}
}
Y = p->data[0];
U = p->data[1];
V = p->data[2];
for (j = 0; j < avctx->height; j++) {
for (i = 0; i < avctx->width / 2; i++) {
Y[i * 2] = wnv1_get_code(l, prev_y);
prev_u = U[i] = wnv1_get_code(l, prev_u);
prev_y = Y[(i * 2) + 1] = wnv1_get_code(l, Y[i * 2]);
prev_v = V[i] = wnv1_get_code(l, prev_v);
}
Y += p->linesize[0];
U += p->linesize[1];
V += p->linesize[2];
}
*got_frame = 1;
av_free(rbuf);
return buf_size;
}
static av_cold int decode_init(AVCodecContext *avctx)
{
static VLC_TYPE code_table[1 << CODE_VLC_BITS][2];
avctx->pix_fmt = AV_PIX_FMT_YUV422P;
code_vlc.table = code_table;
code_vlc.table_allocated = 1 << CODE_VLC_BITS;
init_vlc(&code_vlc, CODE_VLC_BITS, 16,
&code_tab[0][1], 4, 2,
&code_tab[0][0], 4, 2, INIT_VLC_USE_NEW_STATIC);
return 0;
}
AVCodec ff_wnv1_decoder = {
.name = "wnv1",
.long_name = NULL_IF_CONFIG_SMALL("Winnov WNV1"),
.type = AVMEDIA_TYPE_VIDEO,
.id = AV_CODEC_ID_WNV1,
.priv_data_size = sizeof(WNV1Context),
.init = decode_init,
.decode = decode_frame,
.capabilities = AV_CODEC_CAP_DR1,
};