authorAnton Khirnov <anton@khirnov.net>2014-07-20 12:06:47 +0000
committerDiego Biurrun <diego@biurrun.de>2014-07-30 11:35:41 -0700
commite8ff7972064631afbdf240ec6bfd9dec30cf2ce8 (patch)
tree52eea0655dffeebab91664ac376e5ebae9bf19c9
parent3ecbd911ff9177097820e5d00401c9bf29e5d167 (diff)
downloadffmpeg-e8ff7972064631afbdf240ec6bfd9dec30cf2ce8.tar.gz
eamad: use the bytestream2 API instead of AV_RL
This is safer and possibly fixes invalid reads on truncated data. (cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c) CC:libav-stable@libav.org Conflicts: libavcodec/eamad.c (cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47) Signed-off-by: Diego Biurrun <diego@biurrun.de>
-rw-r--r--libavcodec/eamad.c37
1 files changed, 20 insertions, 17 deletions
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index bb4c7babde..405cc2a6ac 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -29,6 +29,7 @@
*/
#include "avcodec.h"
+#include "bytestream.h"
#include "get_bits.h"
#include "dsputil.h"
#include "aandcttab.h"
@@ -224,29 +225,31 @@ static int decode_frame(AVCodecContext *avctx,
{
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
- const uint8_t *buf_end = buf+buf_size;
MadContext *s = avctx->priv_data;
+ GetByteContext gb;
int width, height;
int chunk_type;
int inter;
- if (buf_size < 17) {
- av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
- *got_frame = 0;
- return -1;
- }
+ bytestream2_init(&gb, buf, buf_size);
- chunk_type = AV_RL32(&buf[0]);
+ chunk_type = bytestream2_get_le32(&gb);
inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
- buf += 8;
+ bytestream2_skip(&gb, 10);
av_reduce(&avctx->time_base.num, &avctx->time_base.den,
- AV_RL16(&buf[6]), 1000, 1<<30);
+ bytestream2_get_le16(&gb), 1000, 1<<30);
+
+ width = bytestream2_get_le16(&gb);
+ height = bytestream2_get_le16(&gb);
+ bytestream2_skip(&gb, 1);
+ calc_quant_matrix(s, bytestream2_get_byte(&gb));
+ bytestream2_skip(&gb, 2);
- width = AV_RL16(&buf[8]);
- height = AV_RL16(&buf[10]);
- calc_quant_matrix(s, buf[13]);
- buf += 16;
+ if (bytestream2_get_bytes_left(&gb) < 2) {
+ av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
+ return AVERROR_INVALIDDATA;
+ }
if (avctx->width != width || avctx->height != height) {
if (av_image_check_size(width, height, 0, avctx) < 0)
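Review bot: The only length check in this hunk runs after the header fields have already been applied, so a truncated packet still overwrites `avctx->time_base` and calls `calc_quant_matrix()` with the zero values the bytestream2 readers return when they run out of data. The visible reads and skips add up to 24 bytes, so the same rejection can be made before any decoder state is touched, directly after `bytestream2_init()`: `if (bytestream2_get_bytes_left(&gb) < 26) { av_log(avctx, AV_LOG_ERROR, "Input data too small\n"); return AVERROR_INVALIDDATA; }`. The removed code also cleared `*got_frame` on this path; whether the caller pre-initialises it is not visible here and is worth confirming. The body of decode_frame continues outside the hunk.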
@@ -280,12 +283,12 @@ static int decode_frame(AVCodecContext *avctx,
}
av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size,
- buf_end - buf);
+ bytestream2_get_bytes_left(&gb));
if (!s->bitstream_buf)
return AVERROR(ENOMEM);
- s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
- init_get_bits(&s->gb, s->bitstream_buf, 8*(buf_end-buf));
-
+ s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+ bytestream2_get_bytes_left(&gb) / 2);
+ init_get_bits(&s->gb, s->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
decode_mb(s, inter);
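Review bot: When the remaining payload has an odd length, `bswap16_buf()` copies only `bytestream2_get_bytes_left(&gb) / 2` 16-bit words, but `init_get_bits()` is told the buffer holds `8 * bytestream2_get_bytes_left(&gb)` bits, so the final byte the bit reader can consume is never written from this packet. Because `s->bitstream_buf` is reused across calls, that byte may hold data from an earlier frame unless the allocator zeroes it, which is not visible here. Sizing the reader to what was actually copied avoids this: `init_get_bits(&s->gb, s->bitstream_buf, 16 * (bytestream2_get_bytes_left(&gb) / 2));`. A short comment above the `bswap16_buf()` call explaining that `buf + bytestream2_tell(&gb)` is the first byte after the 24-byte header would also help, since the code mixes the raw pointer with the GetByteContext.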