diff options
Diffstat (limited to 'libavcodec/flicvideo.c')
| -rw-r--r-- | libavcodec/flicvideo.c | 126 |
1 files changed, 96 insertions, 30 deletions
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 3d43e5e827..27584cb23b 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -2,20 +2,20 @@ * FLI/FLC Animation Video Decoder * Copyright (C) 2003, 2004 the ffmpeg project * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -64,7 +64,7 @@ #define CHECK_PIXEL_PTR(n) \ if (pixel_ptr + n > pixel_limit) { \ - av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr >= pixel_limit (%d >= %d)\n", \ + av_log (s->avctx, AV_LOG_ERROR, "Invalid pixel_ptr = %d > pixel_limit = %d\n", \ pixel_ptr + n, pixel_limit); \ return AVERROR_INVALIDDATA; \ } \ @@ -84,22 +84,40 @@ static av_cold int flic_decode_init(AVCodecContext *avctx) unsigned char *fli_header = (unsigned char *)avctx->extradata; int depth; - if (avctx->extradata_size != 12 && - avctx->extradata_size != 128) { - av_log(avctx, AV_LOG_ERROR, "Expected extradata of 12 or 128 bytes\n"); + if (avctx->extradata_size != 0 && + avctx->extradata_size != 12 && + avctx->extradata_size != 128 && + avctx->extradata_size != 256 && + avctx->extradata_size != 904 && + avctx->extradata_size != 1024) { + av_log(avctx, AV_LOG_ERROR, "Unexpected extradata size %d\n", avctx->extradata_size); return AVERROR_INVALIDDATA; } s->avctx = avctx; - s->fli_type = AV_RL16(&fli_header[4]); /* Might be overridden if a Magic Carpet FLC */ - - depth = 0; if (s->avctx->extradata_size == 12) { /* special case for magic carpet FLIs */ s->fli_type = FLC_MAGIC_CARPET_SYNTHETIC_TYPE_CODE; depth = 8; + } else if (avctx->extradata_size == 1024) { + uint8_t *ptr = avctx->extradata; + int i; + + for (i = 0; i < 256; i++) { + s->palette[i] = AV_RL32(ptr); + ptr += 4; + } + depth = 8; + /* FLI in MOV, see e.g. FFmpeg trac issue #626 */ + } else if (avctx->extradata_size == 0 || + avctx->extradata_size == 256 || + /* see FFmpeg ticket #1234 */ + avctx->extradata_size == 904) { + s->fli_type = FLI_TYPE_CODE; + depth = 8; } else { + s->fli_type = AV_RL16(&fli_header[4]); depth = AV_RL16(&fli_header[12]); } @@ -136,7 +154,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, FlicDecodeContext *s = avctx->priv_data; GetByteContext g2; - int stream_ptr_after_color_chunk; int pixel_ptr; int palette_ptr; unsigned char palette_idx1; @@ -175,7 +192,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; + if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE)) + return AVERROR_INVALIDDATA; frame_size = bytestream2_get_le32(&g2); + if (frame_size > buf_size) + frame_size = buf_size; bytestream2_skip(&g2, 2); /* skip the magic number */ num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ @@ -183,15 +204,21 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, frame_size -= 16; /* iterate through the chunks */ - while ((frame_size > 0) && (num_chunks > 0)) { + while ((frame_size >= 6) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = bytestream2_get_le32(&g2); + if (chunk_size > frame_size) { + av_log(avctx, AV_LOG_WARNING, + "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); + chunk_size = frame_size; + } + stream_ptr_after_chunk = bytestream2_tell(&g2) - 4 + chunk_size; + chunk_type = bytestream2_get_le16(&g2); switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: - stream_ptr_after_color_chunk = bytestream2_tell(&g2) + chunk_size - 6; - /* check special case: If this file is from the Magic Carpet * game and uses 6-bit colors even though it reports 256-color * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during @@ -214,6 +241,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if (color_changes == 0) color_changes = 256; + if (bytestream2_tell(&g2) + color_changes * 3 > stream_ptr_after_chunk) + break; + for (j = 0; j < color_changes; j++) { unsigned int entry; @@ -224,26 +254,22 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, r = bytestream2_get_byte(&g2) << color_shift; g = bytestream2_get_byte(&g2) << color_shift; b = bytestream2_get_byte(&g2) << color_shift; - entry = (r << 16) | (g << 8) | b; + entry = 0xFFU << 24 | r << 16 | g << 8 | b; + if (color_shift == 2) + entry |= entry >> 6 & 0x30303; if (s->palette[palette_ptr] != entry) s->new_palette = 1; s->palette[palette_ptr++] = entry; } } - - /* color chunks sometimes have weird 16-bit alignment issues; - * therefore, take the hardline approach and skip - * to the value calculated w.r.t. the size specified by the color - * chunk header */ - if (stream_ptr_after_color_chunk - bytestream2_tell(&g2) > 0) - bytestream2_skip(&g2, stream_ptr_after_color_chunk - bytestream2_tell(&g2)); - break; case FLI_DELTA: y_ptr = 0; compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode @@ -262,6 +288,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; /* account for the skip bytes */ pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += pixel_skip; @@ -278,6 +306,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } } else { CHECK_PIXEL_PTR(byte_run * 2); + if (bytestream2_tell(&g2) + byte_run * 2 > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { pixels[pixel_ptr++] = bytestream2_get_byte(&g2); } @@ -300,16 +330,22 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixel_ptr = y_ptr; CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; line_packets = bytestream2_get_byte(&g2); if (line_packets > 0) { for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; byte_run = sign_extend(bytestream2_get_byte(&g2),8); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); + if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++, pixel_countdown--) { pixels[pixel_ptr++] = bytestream2_get_byte(&g2); } @@ -346,6 +382,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, bytestream2_skip(&g2, 1); pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (!byte_run) { av_log(avctx, AV_LOG_ERROR, "Invalid byte run value.\n"); @@ -365,6 +403,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); + if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++) { pixels[pixel_ptr++] = bytestream2_get_byte(&g2); pixel_countdown--; @@ -381,9 +421,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_COPY: /* copy the chunk (uncompressed frame) */ - if (chunk_size - 6 > s->avctx->width * s->avctx->height) { + if (chunk_size - 6 != s->avctx->width * s->avctx->height) { av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ - "bigger than image, skipping chunk\n", chunk_size - 6); + "has incorrect size, skipping chunk\n", chunk_size - 6); bytestream2_skip(&g2, chunk_size - 6); } else { for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; @@ -396,7 +436,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_MINI: /* some sort of a thumbnail? disregard this chunk... */ - bytestream2_skip(&g2, chunk_size - 6); break; default: @@ -404,14 +443,16 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; } + if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0) + bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2)); + frame_size -= chunk_size; num_chunks--; } /* by the end of the chunk, the stream ptr should equal the frame - * size (minus 1, possibly); if it doesn't, issue a warning */ - if ((bytestream2_get_bytes_left(&g2) != 0) && - (bytestream2_get_bytes_left(&g2) != 1)) + * size (minus 1 or 2, possibly); if it doesn't, issue a warning */ + if (bytestream2_get_bytes_left(&g2) > 2) av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \ "and final chunk ptr = %d\n", buf_size, buf_size - bytestream2_get_bytes_left(&g2)); @@ -476,14 +517,25 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, 2); /* skip the magic number */ num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size > buf_size) + frame_size = buf_size; frame_size -= 16; /* iterate through the chunks */ while ((frame_size > 0) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = bytestream2_get_le32(&g2); + if (chunk_size > frame_size) { + av_log(avctx, AV_LOG_WARNING, + "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); + chunk_size = frame_size; + } + stream_ptr_after_chunk = bytestream2_tell(&g2) - 4 + chunk_size; + chunk_type = bytestream2_get_le16(&g2); + switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: @@ -501,6 +553,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, y_ptr = 0; compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; @@ -512,6 +566,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */ pixel_countdown -= pixel_skip; @@ -525,6 +581,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_ptr += 2; } } else { + if (bytestream2_tell(&g2) + 2*byte_run > stream_ptr_after_chunk) + break; CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2); @@ -559,6 +617,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = (s->avctx->width * 2); while (pixel_countdown > 0) { + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { palette_idx1 = bytestream2_get_byte(&g2); @@ -572,6 +632,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, } } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; + if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk) + break; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { palette_idx1 = bytestream2_get_byte(&g2); @@ -611,6 +673,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */ while (pixel_countdown > 0) { + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { pixel = bytestream2_get_le16(&g2); @@ -625,6 +689,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, } } else { /* copy pixels if byte_run < 0 */ byte_run = -byte_run; + if (bytestream2_tell(&g2) + 2 * byte_run > stream_ptr_after_chunk) + break; CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2); |