author | Anton Khirnov <anton@khirnov.net> | 2014-08-06 10:46:50 +0000 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2014-08-06 18:41:42 +0000 |
commit | 5bf5a35fb5d452ea4b30cd7b853d92df6705d250 (patch) | |
tree | c1b015c0ec44a5a17969d116f2260b088b9da095 /libavcodec | |
parent | 6598aaea1ad2cf82d40abb191ac26a5e4e5147ba (diff) | |
download | ffmpeg-5bf5a35fb5d452ea4b30cd7b853d92df6705d250.tar.gz |
cdgraphics: switch to bytestream2
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/cdgraphics.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index b8a6fb845b..752003f434 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -261,7 +261,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
 void *data, int *got_frame, AVPacket *avpkt)
 {
- const uint8_t *buf = avpkt->data;
+ GetByteContext gb;
 int buf_size = avpkt->size;
 int ret;
 uint8_t command, inst;
@@ -269,10 +269,8 @@ static int cdg_decode_frame(AVCodecContext *avctx,
 AVFrame *frame = data;
 CDGraphicsContext *cc = avctx->priv_data;
- if (buf_size < CDG_MINIMUM_PKT_SIZE) {
- av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
- return AVERROR(EINVAL);
- }
+ bytestream2_init(&gb, avpkt->data, avpkt->size);
+
 ret = ff_reget_buffer(avctx, cc->frame);
 if (ret) {
@@ -282,11 +280,11 @@ static int cdg_decode_frame(AVCodecContext *avctx,
 if (!avctx->frame_number)
 memset(cc->frame->data[0], 0, cc->frame->linesize[0] * avctx->height);
- command = bytestream_get_byte(&buf);
- inst = bytestream_get_byte(&buf);
+ command = bytestream2_get_byte(&gb);
+ inst = bytestream2_get_byte(&gb);
 inst &= CDG_MASK;
- buf += 2; /// skipping 2 unneeded bytes
- bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+ bytestream2_skip(&gb, 2);
+ bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
 if ((command & CDG_MASK) == CDG_COMMAND) {
 switch (inst) {
 |
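Review bot: With the `buf_size < CDG_MINIMUM_PKT_SIZE` rejection removed in the second hunk, a truncated packet is now decoded instead of refused, and nothing in the new code reports the short read. `bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data))` in the third hunk copies only the bytes that remain and its return value is discarded, so if `cdg_data` is an uninitialized local (its declaration is outside the hunks) its tail keeps stale stack contents that the command handlers then interpret. I would keep the lower bound right after `bytestream2_init`, e.g. `if (bytestream2_get_bytes_left(&gb) < CDG_MINIMUM_PKT_SIZE) return AVERROR(EINVAL);`, or at least zero `cdg_data` before the copy. The body of cdg_decode_frame continues past the last hunk.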
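Review bot: `bytestream2_skip(&gb, 2);` in the third hunk no longer says why two bytes are skipped; the line it replaces carried `/// skipping 2 unneeded bytes`, and that remark is worth keeping, e.g. `bytestream2_skip(&gb, 2); // skip 2 unneeded bytes`. Separately, `int buf_size = avpkt->size;` stays as context in the first hunk although both of its visible uses are removed by this change; if nothing further down the function reads it, the declaration can be dropped as well.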