ffmpeg | branch: release/1.1 | Anton Khirnov <an...@khirnov.net> | Sun Aug 3 10:14:48 2014 +0200| [af9b62654d5aa023a96906215365532d18541a09] | committer: Anton Khirnov
svq1: do not modify the input packet The input data must remain constant, make a copy instead. This is in theory a performance hit, but since I failed to find any samples using this feature, this should not matter in practice. Also, check the size of the header, avoiding invalid reads on truncated data. CC:libav-sta...@libav.org (cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf) Signed-off-by: Anton Khirnov <an...@khirnov.net> Conflicts: libavcodec/svq1dec.c > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=af9b62654d5aa023a96906215365532d18541a09 --- libavcodec/svq1dec.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 82f9301..75eb6b2 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -61,6 +61,10 @@ typedef struct SVQ1Context { DSPContext dsp; GetBitContext gb; AVFrame *cur, *prev; + + uint8_t *pkt_swapped; + int pkt_swapped_allocated; + int width; int height; int frame_code; @@ -630,7 +634,24 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, /* swap some header bytes (why?) */ if (s->frame_code != 0x20) { - uint32_t *src = (uint32_t *)(buf + 4); + uint32_t *src; + + if (buf_size < 9 * 4) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + + av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, + buf_size); + if (!s->pkt_swapped) + return AVERROR(ENOMEM); + + memcpy(s->pkt_swapped, buf, buf_size); + buf = s->pkt_swapped; + init_get_bits(&s->gb, buf, buf_size * 8); + skip_bits(&s->gb, 22); + + src = (uint32_t *)(s->pkt_swapped + 4); for (i = 0; i < 4; i++) src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i]; 
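Review bot: `pkt_swapped_allocated` is added to SVQ1Context as `int`, but the decode hunk passes its address to av_fast_malloc, whose size parameter is `unsigned int *`. Declaring it `unsigned int pkt_swapped_allocated;` removes the pointer-sign mismatch. A one-line comment on the two fields, such as `/* private copy of the packet, used when the header bytes have to be swapped */`, would also record why the decoder keeps its own buffer. The struct definition starts and ends outside the hunk.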
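Review bot: In the svq1_decode_frame hunk, `av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, buf_size)` passes the buffer pointer by value, but av_fast_malloc expects the address of the pointer because it frees and reassigns `*ptr`. While `s->pkt_swapped` is still NULL (presumably the case on the first packet, if the private context is zero-initialised), the call would dereference NULL, and the `if (!s->pkt_swapped)` check that follows never sees a new allocation. The copy is also requested with exactly `buf_size` bytes, whereas the bit reader set up by `init_get_bits` normally relies on zeroed padding after the input, so a truncated or crafted packet could be read past the end of the copy. Both points are covered by `av_fast_padded_malloc(&s->pkt_swapped, &s->pkt_swapped_allocated, buf_size);`. The body of svq1_decode_frame starts and ends outside the hunk.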
@@ -803,6 +824,7 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx) avctx->release_buffer(avctx, s->prev); avcodec_free_frame(&s->cur); avcodec_free_frame(&s->prev); + av_freep(&s->pkt_swapped); return 0; } _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog