[FFmpeg-devel] [PATCH 2/2] lavf/swfdec: support DefineBitsLossless{, 2} tag.

Michael Niedermayer michaelni at gmx.at
Wed Oct 17 02:37:59 CEST 2012


On Tue, Oct 16, 2012 at 09:15:40PM +0200, Clément Bœsch wrote:
> On Sun, Oct 14, 2012 at 04:22:22AM +0200, Michael Niedermayer wrote:
> > On Fri, Oct 12, 2012 at 11:21:05PM +0200, Clément Bœsch wrote:
> > > ---
> > >  libavformat/swfdec.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > >  1 file changed, 114 insertions(+)
> > > 
> > > diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
> > > index 48a2156..3fe31d4 100644
> > > --- a/libavformat/swfdec.c
> > > +++ b/libavformat/swfdec.c
> > > @@ -20,6 +20,7 @@
> > >   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> > >   */
> > >  
> > > +#include "libavutil/avassert.h"
> > >  #include "libavutil/intreadwrite.h"
> > >  #include "swf.h"
> > >  
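Review bot: the new `#include "libavutil/avassert.h"` has no matching av_assert0/av_assert1/av_assert2 call anywhere in the hunks shown here; if the use is in the part of the 114-line patch that is not quoted, fine, otherwise the include is dead and should be dropped.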
> > > @@ -253,6 +254,119 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
> > >                      return pkt->size;
> > >                  }
> > >              }
> > > +        } else if (tag == TAG_DEFINEBITSLOSSLESS || tag == TAG_DEFINEBITSLOSSLESS2) {
> > > +#if CONFIG_ZLIB
> > > +            long out_len;
> > > +            uint8_t *buf, *zbuf, *pal;
> > > +            uint32_t colormap[AVPALETTE_COUNT] = {0};
> > > +            const int alpha_bmp = tag == TAG_DEFINEBITSLOSSLESS2;
> > > +            const int colormapbpp = 3 + alpha_bmp;
> > > +            int linesize, colormapsize = 0;
> > > +
> > > +            const int ch_id   = avio_rl16(pb);
> > > +            const int bmp_fmt = avio_r8(pb);
> > > +            const int width   = avio_rl16(pb);
> > > +            const int height  = avio_rl16(pb);
> > > +
> > > +            len -= 2+1+2+2;
> > > +
> > > +            switch (bmp_fmt) {
> > > +            case 3: // PAL-8
> > > +                linesize = width;
> > > +                colormapsize = avio_r8(pb) + 1;
> > > +                len--;
> > > +                break;
> > > +            case 4: // RGB15
> > > +                linesize = width * 2;
> > > +                break;
> > > +            case 5: // RGB24 (0RGB)
> > > +                linesize = width * 4;
> > > +                break;
> > > +            default:
> > > +                av_log(s, AV_LOG_ERROR, "invalid bitmap format %d, skipped\n", bmp_fmt);
> > > +                goto bitmap_end_skip;
> > > +            }
> > > +
> > > +            linesize = FFALIGN(linesize, 4);
> > 
> > > +            out_len = colormapsize * colormapbpp + linesize * height;
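Review bot: `out_len = colormapsize * colormapbpp + linesize * height;` is evaluated entirely in int before it is widened to long, and with width and height each read by avio_rl16 (up to 65535) and linesize up to width * 4, the product linesize * height reaches about 1.7e10 and overflows; declaring `long out_len;` does not help, since long is 32 bits on 32-bit targets and on Windows. Compute it as `(int64_t)linesize * height`, reject width == 0 or height == 0, and bound width * height (av_image_check_size() does exactly that) before anything is allocated. Separately, `len -= 2+1+2+2;` and the PAL-8 `len--;` can drive len negative for a short tag, and the PAL-8 `avio_r8(pb)` for the colormap size is read regardless of how much of the tag is left, so check `len < 0` (and that at least one byte remains before that read) before len is used as the compressed size.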
> > 
> > this can overflow
> > 
> > also len can be negative here maybe; if so, it maybe should be checked
> > 
> > also width/height could be 0
> > 
> 
> Added some checks. Hopefully it will be enough; see attached.

should be ok

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If a bugfix only changes things apparently unrelated to the bug with no
further explanation, that is a good sign that the bugfix is wrong.
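The three review points above (the int overflow in out_len, len going negative on a short tag, and zero width or height), worked through as an added example that is not part of Clément's patch or of FFmpeg. It parses the same DefineBitsLossless{,2} header fields the patch reads, but computes every size in int64_t (long is only 32 bits on Windows and on 32-bit targets, so it would not help) and checks len before each read instead of decrementing it blindly. The BMP_* error codes, the MAX_PIXELS bound (a stand-in for av_image_check_size()) and the SAMPLE_* tag bodies are all assumptions constructed for the example:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example error codes; the real decoder would return AVERROR values. */
enum {
    BMP_OK          =  0,
    BMP_ERR_SHORT   = -1,   /* tag shorter than its fixed header       */
    BMP_ERR_FMT     = -2,   /* BitmapFormat not 3, 4 or 5              */
    BMP_ERR_DIM     = -3,   /* zero width or height                    */
    BMP_ERR_TOO_BIG = -4,   /* image too large to allocate safely      */
};

/* Assumed sanity bound on width*height (av_image_check_size() plays this role in lavu). */
#define MAX_PIXELS (1LL << 28)

typedef struct {
    int     ch_id, bmp_fmt, width, height;
    int     colormapsize;   /* palette entries, PAL-8 only                    */
    int     colormapbpp;    /* 3 for DefineBitsLossless, 4 for DefineBitsLossless2 */
    int     linesize;       /* bytes per row, padded to 4 as in the patch     */
    int64_t out_len;        /* expected size of the inflated bitmap data      */
    int64_t zdata_len;      /* zlib bytes left in the tag after the header    */
} swf_lossless_hdr;

static unsigned rl16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Parse the header at the start of a `len`-byte tag body. Sizes are computed in
 * int64_t so nothing wraps, and len is checked before every read. */
static int parse_lossless_header(const uint8_t *tag, int64_t len, int alpha,
                                 swf_lossless_hdr *h)
{
    int64_t linesize;

    memset(h, 0, sizeof(*h));
    if (len < 2 + 1 + 2 + 2)                 /* ch_id, fmt, width, height */
        return BMP_ERR_SHORT;
    h->ch_id       = rl16(tag);
    h->bmp_fmt     = tag[2];
    h->width       = rl16(tag + 3);
    h->height      = rl16(tag + 5);
    h->colormapbpp = 3 + alpha;
    len -= 2 + 1 + 2 + 2;

    switch (h->bmp_fmt) {
    case 3:                                  /* PAL-8: one more byte, palette size - 1 */
        if (len < 1)
            return BMP_ERR_SHORT;
        h->colormapsize = tag[7] + 1;
        len--;
        linesize = h->width;
        break;
    case 4: linesize = (int64_t)h->width * 2; break;   /* RGB15            */
    case 5: linesize = (int64_t)h->width * 4; break;   /* 0RGB/ARGB, 32bpp */
    default: return BMP_ERR_FMT;
    }

    if (h->width == 0 || h->height == 0)
        return BMP_ERR_DIM;
    if ((int64_t)h->width * h->height > MAX_PIXELS)
        return BMP_ERR_TOO_BIG;

    linesize     = (linesize + 3) & ~(int64_t)3;        /* FFALIGN(linesize, 4) */
    h->linesize  = (int)linesize;
    h->out_len   = (int64_t)h->colormapsize * h->colormapbpp + linesize * h->height;
    h->zdata_len = len;
    return BMP_OK;
}

/* Safe out_len on success, the negative error code otherwise. */
static int64_t lossless_out_len(const uint8_t *tag, int64_t len, int alpha)
{
    swf_lossless_hdr h;
    int ret = parse_lossless_header(tag, len, alpha, &h);
    return ret < 0 ? ret : h.out_len;
}

/* What 32-bit `linesize * height` yields for the same input, done in uint32_t so the
 * wrap-around is well defined (the patch's signed int version is undefined behaviour). */
static uint32_t wrapped_linesize_times_height(unsigned width, unsigned height, unsigned bpp)
{
    uint32_t linesize = (width * bpp + 3u) & ~3u;
    return linesize * height;
}

/* Constructed sample tag bodies; not taken from any real SWF file. */
static const uint8_t SAMPLE_PAL8[] = { 0x01,0x00, 0x03, 0x04,0x00, 0x02,0x00, 0x01, 0xAA,0xBB,0xCC };
static const uint8_t SAMPLE_ARGB[] = { 0x02,0x00, 0x05, 0x03,0x00, 0x01,0x00, 0x78,0x9C };
static const uint8_t SAMPLE_HUGE[] = { 0x03,0x00, 0x05, 0xFF,0xFF, 0xFF,0xFF };
static const uint8_t SAMPLE_ZERO[] = { 0x04,0x00, 0x05, 0x00,0x00, 0x01,0x00 };
static const uint8_t SAMPLE_BADF[] = { 0x05,0x00, 0x07, 0x01,0x00, 0x01,0x00 };

int main(void)
{
    printf("PAL-8 4x2, 2 entries  : %lld\n", (long long)lossless_out_len(SAMPLE_PAL8, sizeof(SAMPLE_PAL8), 0));
    printf("PAL-8 cut at 7 bytes  : %lld\n", (long long)lossless_out_len(SAMPLE_PAL8, 7, 0));
    printf("65535x65535 fmt 5     : %lld (32-bit wrap: %u)\n",
           (long long)lossless_out_len(SAMPLE_HUGE, sizeof(SAMPLE_HUGE), 1),
           (unsigned)wrapped_linesize_times_height(65535, 65535, 4));
    printf("0x1 fmt 5             : %lld\n", (long long)lossless_out_len(SAMPLE_ZERO, sizeof(SAMPLE_ZERO), 1));
    return 0;
}
```

The 65535x65535 case is the one Michael is pointing at: in 32-bit arithmetic linesize * height wraps to 4294443012 (a negative int), which a malloc would happily accept, while the int64_t path rejects the tag before any allocation.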