[FFmpeg-devel] [PATCH] Moving netgem dvbsubdec fixes in (Part 1)
Reimar Döffinger
Reimar.Doeffinger
Sat Apr 11 22:24:27 CEST 2009
On Sat, Apr 11, 2009 at 03:03:41PM -0400, Reynaldo H. Verdejo Pinochet wrote:
> As on subject. There is some more context here:
>
> https://roundup.ffmpeg.org/roundup/ffmpeg/issue536
>
> I'd be applying this on Monday if OK.
I really don't think this should be applied in one batch.
> Index: libavcodec/dvbsubdec.c
> ===================================================================
> --- libavcodec/dvbsubdec.c (revision 18443)
> +++ libavcodec/dvbsubdec.c (working copy)
> @@ -439,27 +439,31 @@
> int run_length;
> int pixels_read = 0;
>
> - init_get_bits(&gb, *srcbuf, buf_size << 8);
> + init_get_bits(&gb, *srcbuf, buf_size << 3);
>
> - while (get_bits_count(&gb) < (buf_size << 8) && pixels_read < dbuf_len) {
> + while (get_bits_count(&gb) < (buf_size << 3)) {
The 8 -> 3 is obviously ok, but the pixels_read < dbuf_len should stay
> bits = get_bits(&gb, 2);
>
> if (bits) {
> - if (non_mod != 1 || bits != 1) {
> - if (map_table)
> - *destbuf++ = map_table[bits];
> - else
> - *destbuf++ = bits;
> + if (pixels_read < dbuf_len) {
> + if (non_mod != 1 || bits != 1) {
> + if (map_table)
> + *destbuf++ = map_table[bits];
> + else
> + *destbuf++ = bits;
> + }
> + pixels_read++;
> }
> - pixels_read++;
Pointless if you just leave the while condition as-is.
> } else {
> bits = get_bits1(&gb);
> if (bits == 1) {
> run_length = get_bits(&gb, 3) + 3;
> bits = get_bits(&gb, 2);
>
> - if (non_mod == 1 && bits == 1)
> - pixels_read += run_length;
> + if (non_mod == 1 && bits == 1) {
> + if (pixels_read < dbuf_len - run_length)
> + pixels_read += run_length;
> + }
The same. You can still clamp pixels_read if you want the function to
never return more than dbuf_len
> else {
> if (map_table)
> bits = map_table[bits];
> @@ -476,8 +480,10 @@
> run_length = get_bits(&gb, 4) + 12;
> bits = get_bits(&gb, 2);
>
> - if (non_mod == 1 && bits == 1)
> - pixels_read += run_length;
> + if (non_mod == 1 && bits == 1) {
> + if (pixels_read < dbuf_len - run_length)
> + pixels_read += run_length;
> + }
> else {
> if (map_table)
> bits = map_table[bits];
The same.
> @@ -490,8 +496,10 @@
> run_length = get_bits(&gb, 8) + 29;
> bits = get_bits(&gb, 2);
>
> - if (non_mod == 1 && bits == 1)
> - pixels_read += run_length;
> + if (non_mod == 1 && bits == 1) {
> + if (pixels_read < dbuf_len - run_length)
> + pixels_read += run_length;
> + }
> else {
> if (map_table)
> bits = map_table[bits];
The same.
> @@ -501,34 +509,32 @@
> }
> }
> } else if (bits == 1) {
> - pixels_read += 2;
> if (map_table)
> bits = map_table[0];
> else
> bits = 0;
> - if (pixels_read <= dbuf_len) {
> + if (pixels_read <= dbuf_len -1) {
> *destbuf++ = bits;
> *destbuf++ = bits;
> + pixels_read += 2;
> }
Huh? Looks to me like that introduces a buffer overflow...
> } else {
> - (*srcbuf) += (get_bits_count(&gb) + 7) >> 3;
> - return pixels_read;
> + break;
No idea, but certainly must be a separate patch
> }
> } else {
> if (map_table)
> bits = map_table[0];
> else
> bits = 0;
> - *destbuf++ = bits;
> - pixels_read++;
> + if (pixels_read < dbuf_len) {
> + *destbuf++ = bits;
> + pixels_read++;
> + }
Pointless as above.
> - if (get_bits(&gb, 6))
> - av_log(0, AV_LOG_ERROR, "DVBSub error: line overflow\n");
> -
Certainly unrelated.
More information about the ffmpeg-devel
mailing list