diff options
Diffstat (limited to 'libavcodec/dfa.c')
-rw-r--r-- | libavcodec/dfa.c | 62 |
1 files changed, 34 insertions, 28 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 9664b47d4f..2f8e4f122d 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -49,7 +49,7 @@ static int decode_copy(GetByteContext *gb, uint8_t *frame, int width, int height const int size = width * height; if (bytestream2_get_buffer(gb, frame, size) != size) - return -1; + return AVERROR_INVALIDDATA; return 0; } @@ -66,23 +66,23 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height if (segments == 0 && offset == frame_end - frame) return 0; // skip frame if (frame_end - frame <= offset) - return -1; + return AVERROR_INVALIDDATA; frame += offset; while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) - return -1; + return AVERROR_INVALIDDATA; av_memcpy_backptr(frame, offset, count); frame += count; } else { @@ -105,19 +105,19 @@ static int decode_dsw1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) - return -1; + return AVERROR_INVALIDDATA; // can't use av_memcpy_backptr() since it can overwrite following pixels for (v = 0; v < count; v++) frame[v] = frame[v - offset]; @@ -144,19 +144,19 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < width + 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count*2 + width) - return -1; + return AVERROR_INVALIDDATA; for (i = 0; i < count; i++) { frame[0] = frame[1] = frame[width] = frame[width + 1] = frame[-offset]; @@ -166,6 +166,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height } else if (bitbuf & (mask << 1)) { frame += bytestream2_get_le16(gb) * 2; } else { + if (frame_end - frame < width + 2) + return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; @@ -186,32 +188,32 @@ static int decode_bdlt(GetByteContext *gb, uint8_t *frame, int width, int height count = bytestream2_get_le16(gb); if (count >= height) - return -1; + return AVERROR_INVALIDDATA; frame += width * count; lines = bytestream2_get_le16(gb); if (count + lines > height) - return -1; + return AVERROR_INVALIDDATA; while (lines--) { if (bytestream2_get_bytes_left(gb) < 1) - return -1; + return AVERROR_INVALIDDATA; line_ptr = frame; frame += width; segments = bytestream2_get_byteu(gb); while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) - return -1; + return AVERROR_INVALIDDATA; line_ptr += bytestream2_get_byte(gb); count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { if (frame - line_ptr < count) - return -1; + return AVERROR_INVALIDDATA; if (bytestream2_get_buffer(gb, line_ptr, count) != count) - return -1; + return AVERROR_INVALIDDATA; } else { count = -count; if (frame - line_ptr < count) - return -1; + return AVERROR_INVALIDDATA; memset(line_ptr, bytestream2_get_byte(gb), count); } line_ptr += count; @@ -226,20 +228,23 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_end = frame + width * height; uint8_t *line_ptr; int count, i, v, lines, segments; + int y = 0; lines = bytestream2_get_le16(gb); if (lines > height) - return -1; + return AVERROR_INVALIDDATA; while (lines--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { + unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); - if (frame_end - frame <= delta) - return -1; + if (frame_end - frame <= delta || y + lines + skip_lines > height) + return AVERROR_INVALIDDATA; frame += delta; + y += skip_lines; segments = bytestream2_get_le16(gb); } if (frame_end <= frame) @@ -250,21 +255,22 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height } line_ptr = frame; frame += width; + y++; while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) - return -1; + return AVERROR_INVALIDDATA; line_ptr += bytestream2_get_byte(gb); count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { if (frame - line_ptr < count * 2) - return -1; + return AVERROR_INVALIDDATA; if (bytestream2_get_buffer(gb, line_ptr, count * 2) != count * 2) - return -1; + return AVERROR_INVALIDDATA; line_ptr += count * 2; } else { count = -count; if (frame - line_ptr < count * 2) - return -1; + return AVERROR_INVALIDDATA; v = bytestream2_get_le16(gb); for (i = 0; i < count; i++) bytestream_put_le16(&line_ptr, v); @@ -277,7 +283,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height static int decode_unk6(GetByteContext *gb, uint8_t *frame, int width, int height) { - return -1; + return AVERROR_PATCHWELCOME; } static int decode_blck(GetByteContext *gb, uint8_t *frame, int width, int height) @@ -336,7 +342,7 @@ static int dfa_decode_frame(AVCodecContext *avctx, if (decoder[chunk_type - 2](&gb, s->frame_buf, avctx->width, avctx->height)) { av_log(avctx, AV_LOG_ERROR, "Error decoding %s chunk\n", chunk_name[chunk_type - 2]); - return -1; + return AVERROR_INVALIDDATA; } } else { av_log(avctx, AV_LOG_WARNING, "Ignoring unknown chunk type %d\n", |