Based on work by Michael Niedermayer and Laurent Aimar. Fixes infinite loop for fuzzed sample from bug 92.
Signed-off-by: Paul B Mahol <[email protected]> --- libavcodec/flicvideo.c | 61 ++++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 56 insertions(+), 5 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index b7bbfb4..3059789 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -135,7 +135,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, FlicDecodeContext *s = avctx->priv_data; GetByteContext g2; - int stream_ptr_after_color_chunk; int pixel_ptr; int palette_ptr; unsigned char palette_idx1; @@ -185,14 +184,20 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, /* iterate through the chunks */ while ((frame_size > 0) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = bytestream2_get_le32(&g2); + if (chunk_size > frame_size) { + av_log(avctx, AV_LOG_WARNING, + "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); + chunk_size = frame_size; + } + stream_ptr_after_chunk = bytestream2_tell(&g2) - 4 + chunk_size; + chunk_type = bytestream2_get_le16(&g2); switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: - stream_ptr_after_color_chunk = bytestream2_tell(&g2) + chunk_size - 6; - /* check special case: If this file is from the Magic Carpet * game and uses 6-bit colors even though it reports 256-color * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during @@ -215,6 +220,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if (color_changes == 0) color_changes = 256; + if (bytestream2_tell(&g2) + color_changes * 3 > stream_ptr_after_chunk) + break; + for (j = 0; j < color_changes; j++) { unsigned int entry; @@ -236,8 +244,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, * therefore, take the hardline approach and skip * to the value calculated w.r.t. the size specified by the color * chunk header */ - if (stream_ptr_after_color_chunk - bytestream2_tell(&g2) > 0) - bytestream2_skip(&g2, stream_ptr_after_color_chunk - bytestream2_tell(&g2)); + if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0) + bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2)); break; @@ -245,6 +253,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, y_ptr = 0; compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode @@ -263,6 +273,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; /* account for the skip bytes */ pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += pixel_skip; @@ -279,6 +291,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } } else { CHECK_PIXEL_PTR(byte_run * 2); + if (bytestream2_tell(&g2) + byte_run * 2 > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { pixels[pixel_ptr++] = bytestream2_get_byte(&g2); } @@ -301,16 +315,22 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixel_ptr = y_ptr; CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; line_packets = bytestream2_get_byte(&g2); if (line_packets > 0) { for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += pixel_skip; pixel_countdown -= pixel_skip; byte_run = sign_extend(bytestream2_get_byte(&g2),8); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); + if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++, pixel_countdown--) { pixels[pixel_ptr++] = bytestream2_get_byte(&g2); } @@ -347,6 +367,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, bytestream2_skip(&g2, 1); pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { palette_idx1 = bytestream2_get_byte(&g2); @@ -361,6 +383,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); + if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++) { pixels[pixel_ptr++] = bytestream2_get_byte(&g2); pixel_countdown--; @@ -400,6 +424,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; } + if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0) + bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2)); + frame_size -= chunk_size; num_chunks--; } @@ -472,12 +499,22 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, 2); /* skip the magic number */ num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size > buf_size) + frame_size = buf_size; frame_size -= 16; /* iterate through the chunks */ while ((frame_size > 0) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = bytestream2_get_le32(&g2); + if (chunk_size > frame_size) { + av_log(avctx, AV_LOG_WARNING, + "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); + chunk_size = frame_size; + } + stream_ptr_after_chunk = bytestream2_tell(&g2) - 4 + chunk_size; + chunk_type = bytestream2_get_le16(&g2); switch (chunk_type) { @@ -495,6 +532,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, y_ptr = 0; compressed_lines = bytestream2_get_le16(&g2); while (compressed_lines > 0) { + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; @@ -506,6 +545,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ + if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) + break; pixel_skip = bytestream2_get_byte(&g2); pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */ pixel_countdown -= pixel_skip; @@ -519,6 +560,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_ptr += 2; } } else { + if (bytestream2_tell(&g2) + 2*byte_run > stream_ptr_after_chunk) + break; CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2); @@ -553,6 +596,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = (s->avctx->width * 2); while (pixel_countdown > 0) { + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { palette_idx1 = bytestream2_get_byte(&g2); @@ -566,6 +611,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, } } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; + if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk) + break; CHECK_PIXEL_PTR(byte_run); for (j = 0; j < byte_run; j++) { palette_idx1 = bytestream2_get_byte(&g2); @@ -605,6 +652,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */ while (pixel_countdown > 0) { + if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) + break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); if (byte_run > 0) { pixel = bytestream2_get_le16(&g2); @@ -619,6 +668,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, } } else { /* copy pixels if byte_run < 0 */ byte_run = -byte_run; + if (bytestream2_tell(&g2) + 2 * byte_run > stream_ptr_after_chunk) + break; CHECK_PIXEL_PTR(2 * byte_run); for (j = 0; j < byte_run; j++) { *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2); -- 1.7.7 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
