[libav-devel] [PATCH] 4xm: Fixes Invalid Reads

Sun, 18 Dec 2011 11:22:31 -0800 

Add checks for over reading in the Bytestream API.
---
 libavcodec/4xm.c        |   20 ++++++--------------
 libavcodec/bytestream.h |   34 +++++++++++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 21bde52..c2ff45c 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -132,7 +132,6 @@ typedef struct FourXContext{
     AVFrame current_picture, last_picture;
     GetBitContext pre_gb;          ///< ac/dc prefix
     GetBitContext gb;
-    const uint8_t *bytestream;
     const uint16_t *wordstream;
     int mv[256];
     VLC pre_vlc;
@@ -142,6 +141,7 @@ typedef struct FourXContext{
     unsigned int bitstream_buffer_size;
     int version;
     CFrameBuffer cfrm[CFRAME_BUFFER_COUNT];
+    GetByteContext g;
 } FourXContext;
 
 
@@ -328,7 +328,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, 
uint16_t *src, int lo
     assert(code>=0 && code<=6);
 
     if(code == 0){
-        src += f->mv[ *f->bytestream++ ];
+        src += f->mv[ bytestream2_get_byte(&f->g) ];
         if(start > src || src > end){
             av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
             return;
@@ -345,7 +345,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, 
uint16_t *src, int lo
     }else if(code == 3 && f->version<2){
         mcdc(dst, src, log2w, h, stride, 1, 0);
     }else if(code == 4){
-        src += f->mv[ *f->bytestream++ ];
+        src += f->mv[ bytestream2_get_byte(&f->g) ];
         if(start > src || src > end){
             av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
             return;
@@ -371,7 +371,7 @@ static int decode_p_frame(FourXContext *f, const uint8_t 
*buf, int length){
     uint16_t *src= (uint16_t*)f->last_picture.data[0];
     uint16_t *dst= (uint16_t*)f->current_picture.data[0];
     const int stride= f->current_picture.linesize[0]>>1;
-    unsigned int bitstream_size, bytestream_size, wordstream_size, extra;
+    unsigned int bitstream_size, bytestream_size, wordstream_size, extra, 
bytestream_offset;
 
     if(f->version>1){
         extra=20;
@@ -403,7 +403,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t 
*buf, int length){
     init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);
 
     f->wordstream= (const uint16_t*)(buf + extra + bitstream_size);
-    f->bytestream= buf + extra + bitstream_size + wordstream_size;
+    bytestream_offset = extra + bitstream_size + wordstream_size;
+    bytestream2_init(&f->g, buf + bytestream_offset , length - 
bytestream_offset );
 
     init_mv(f);
 
@@ -415,15 +416,6 @@ static int decode_p_frame(FourXContext *f, const uint8_t 
*buf, int length){
         dst += 8*stride;
     }
 
-    if(   bitstream_size != (get_bits_count(&f->gb)+31)/32*4
-       || (((const char*)f->wordstream - (const char*)buf + 2)&~2) != extra + 
bitstream_size + wordstream_size
-       || (((const char*)f->bytestream - (const char*)buf + 3)&~3) != extra + 
bitstream_size + wordstream_size + bytestream_size)
-        av_log(f->avctx, AV_LOG_ERROR, " %d %td %td bytes left\n",
-            bitstream_size - (get_bits_count(&f->gb)+31)/32*4,
-            -(((const char*)f->bytestream - (const char*)buf + 3)&~3) + (extra 
+ bitstream_size + wordstream_size + bytestream_size),
-            -(((const char*)f->wordstream - (const char*)buf + 2)&~2) + (extra 
+ bitstream_size + wordstream_size)
-        );
-
     return 0;
 }
 
diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h
index 98f0087..4da9306 100644
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -26,6 +26,10 @@
 #include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 
+typedef struct {
+    const uint8_t *buffer, *buffer_end;
+} GetByteContext;
+
 #define DEF_T(type, name, bytes, read, write)                             \
 static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
     (*b) += bytes;\
@@ -34,6 +38,12 @@ static av_always_inline type bytestream_get_ ## name(const 
uint8_t **b){\
 static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type 
value){\
     write(*b, value);\
     (*b) += bytes;\
+}\
+static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\
+{\
+    if (g->buffer_end - g->buffer < bytes)\
+        return 0;\
+    return bytestream_get_ ## name(&g->buffer);\
 }
 
 #define DEF(name, bytes, read, write) \
@@ -54,6 +64,29 @@ DEF  (byte, 1, AV_RB8 , AV_WB8 )
 #undef DEF
 #undef DEF64
 #undef DEF_T
+static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t 
*buf, int buf_size)
+{
+    g->buffer =  buf;
+    g->buffer_end = buf + buf_size;
+}
+
+static av_always_inline int bytestream2_peek_byte(GetByteContext *g)
+{
+    return *g->buffer;
+}
+
+static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext 
*g)
+{
+    return g->buffer_end - g->buffer;
+}
+
+static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g 
, uint8_t *dst, unsigned int size)
+{
+    int size2 = FFMIN(g->buffer_end - g->buffer, size);
+    memcpy(dst, g->buffer, size2);
+    g->buffer += size2;
+    return size2;
+}
 
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, 
uint8_t *dst, unsigned int size)
 {
@@ -61,7 +94,6 @@ static av_always_inline unsigned int 
bytestream_get_buffer(const uint8_t **b, ui
     (*b) += size;
     return size;
 }
-
 static av_always_inline void bytestream_put_buffer(uint8_t **b, const uint8_t 
*src, unsigned int size)
 {
     memcpy(*b, src, size);
-- 
1.7.4.1

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to