

Viewing changes to src/libffmpeg/libavcodec/cinepak.c

  • Committer: Bazaar Package Importer
  • Author(s): Martin Pitt
  • Date: 2005-12-15 13:13:45 UTC
  • mfrom: (0.1.2 upstream)
  • Revision ID: james.westby@ubuntu.com-20051215131345-8n4osv1j7fy9c1s1
* SECURITY UPDATE: Fix arbitrary code execution with crafted PNG images in
  embedded ffmpeg copy.
* src/libffmpeg/libavcodec/utils.c, avcodec_default_get_buffer(): Apply
  upstream patch to fix buffer overflow on decoding of small PIX_FMT_PAL8
  PNG files.
* References:
  CVE-2005-4048
  http://mplayerhq.hu/pipermail/ffmpeg-devel/2005-November/005333.html
  http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/ffmpeg/libavcodec/
  utils.c.diff?r1=1.161&r2=1.162&cvsroot=FFMpeg




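--- a/src/libffmpeg/libavcodec/cinepak.c
+++ b/src/libffmpeg/libavcodec/cinepak.c
@@ -35,7 +35,6 @@
 #include "avcodec.h"
 #include "dsputil.h"
 
-#define PALETTE_COUNT 256
 
 typedef struct {
     uint8_t  y0, y1, y2, y3;
@@ -63,7 +62,6 @@
 
     int width, height;
 
-    unsigned char palette[PALETTE_COUNT * 4];
     int palette_video;
     cvid_strip_t strips[MAX_STRIPS];
 
@@ -177,28 +175,28 @@
                         s->frame.data[2][iv[0]] = codebook->v;
                     }
 
-                    s->frame.data[0][iy[0] + 2] = codebook->y0;
-                    s->frame.data[0][iy[0] + 3] = codebook->y0;
-                    s->frame.data[0][iy[1] + 2] = codebook->y0;
-                    s->frame.data[0][iy[1] + 3] = codebook->y0;
+                    s->frame.data[0][iy[0] + 2] = codebook->y1;
+                    s->frame.data[0][iy[0] + 3] = codebook->y1;
+                    s->frame.data[0][iy[1] + 2] = codebook->y1;
+                    s->frame.data[0][iy[1] + 3] = codebook->y1;
                     if (!s->palette_video) {
                         s->frame.data[1][iu[0] + 1] = codebook->u;
                         s->frame.data[2][iv[0] + 1] = codebook->v;
                     }
 
-                    s->frame.data[0][iy[2] + 0] = codebook->y0;
-                    s->frame.data[0][iy[2] + 1] = codebook->y0;
-                    s->frame.data[0][iy[3] + 0] = codebook->y0;
-                    s->frame.data[0][iy[3] + 1] = codebook->y0;
+                    s->frame.data[0][iy[2] + 0] = codebook->y2;
+                    s->frame.data[0][iy[2] + 1] = codebook->y2;
+                    s->frame.data[0][iy[3] + 0] = codebook->y2;
+                    s->frame.data[0][iy[3] + 1] = codebook->y2;
                     if (!s->palette_video) {
                         s->frame.data[1][iu[1]] = codebook->u;
                         s->frame.data[2][iv[1]] = codebook->v;
                     }
 
-                    s->frame.data[0][iy[2] + 2] = codebook->y0;
-                    s->frame.data[0][iy[2] + 3] = codebook->y0;
-                    s->frame.data[0][iy[3] + 2] = codebook->y0;
-                    s->frame.data[0][iy[3] + 3] = codebook->y0;
+                    s->frame.data[0][iy[2] + 2] = codebook->y3;
+                    s->frame.data[0][iy[2] + 3] = codebook->y3;
+                    s->frame.data[0][iy[3] + 2] = codebook->y3;
+                    s->frame.data[0][iy[3] + 3] = codebook->y3;
                     if (!s->palette_video) {
                         s->frame.data[1][iu[1] + 1] = codebook->u;
                         s->frame.data[2][iv[1] + 1] = codebook->v;
@@ -276,6 +274,9 @@
     while ((data + 4) <= eod) {
         chunk_id   = BE_16 (&data[0]);
         chunk_size = BE_16 (&data[2]) - 4;
+        if(chunk_size < 0)
+            return -1;
+
         data      += 4;
         chunk_size = ((data + chunk_size) > eod) ? (eod - data) : chunk_size;
 
@@ -315,13 +316,22 @@
     uint8_t      *eod = (s->data + s->size);
     int           i, result, strip_size, frame_flags, num_strips;
     int           y0 = 0;
+    int           encoded_buf_size;
+    /* if true, Cinepak data is from a Sega FILM/CPK file */
+    int           sega_film_data = 0;
 
     if (s->size < 10)
         return -1;
 
     frame_flags = s->data[0];
     num_strips  = BE_16 (&s->data[8]);
-    s->data    += 10;
+    encoded_buf_size = BE_16 (&s->data[2]);
+    if (encoded_buf_size != s->size)
+        sega_film_data = 1;
+    if (sega_film_data)
+        s->data    += 12;
+    else
+        s->data    += 10;
 
     if (num_strips > MAX_STRIPS)
         num_strips = MAX_STRIPS;
@@ -361,22 +371,20 @@
 static int cinepak_decode_init(AVCodecContext *avctx)
 {
     CinepakContext *s = (CinepakContext *)avctx->priv_data;
-/*
-    int i;
-    unsigned char r, g, b;
-    unsigned char *raw_palette;
-    unsigned int *palette32;
-*/
 
     s->avctx = avctx;
     s->width = (avctx->width + 3) & ~3;
     s->height = (avctx->height + 3) & ~3;
 
-// check for paletted data
-s->palette_video = 0;
-
-
-    avctx->pix_fmt = PIX_FMT_YUV420P;
+    // check for paletted data
+    if ((avctx->palctrl == NULL) || (avctx->bits_per_sample == 40)) {
+        s->palette_video = 0;
+        avctx->pix_fmt = PIX_FMT_YUV420P;
+    } else {
+        s->palette_video = 1;
+        avctx->pix_fmt = PIX_FMT_PAL8;
+    }
+
     avctx->has_b_frames = 0;
     dsputil_init(&s->dsp, avctx);
 
@@ -404,6 +412,15 @@
 
     cinepak_decode(s);
 
+    if (s->palette_video) {
+        memcpy (s->frame.data[1], avctx->palctrl->palette, AVPALETTE_SIZE);
+        if (avctx->palctrl->palette_changed) {
+            s->frame.palette_has_changed = 1;
+            avctx->palctrl->palette_changed = 0;
+        } else
+            s->frame.palette_has_changed = 0;
+    }
+
     *data_size = sizeof(AVFrame);
     *(AVFrame*)data = s->frame;
 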
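Review bot: The new Sega FILM branch in cinepak_decode advances `s->data` by 12 bytes, but the only length guard above it is still `if (s->size < 10)`, so a 10- or 11-byte buffer whose size field does not match `s->size` leaves `s->data` past `eod` before any strip is parsed. Whether that is caught depends on the strip loop that follows, which is outside the hunk (the function's body continues past it), and forming a pointer beyond the end of the buffer is already undefined behaviour even if a later compare rejects it. Keeping the bound next to the skip avoids relying on that: `if (sega_film_data) { if (s->size < 12) return -1; s->data += 12; } else s->data += 10;`. The new reads of `s->data[2]` and the existing `s->data[8]` are covered by the 10-byte check, so only the skip needs the extra guard.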