Mercurial > libavcodec.hg
annotate lzw.c @ 12530:63edd10ad4bc libavcodec tip
Try to fix crashes introduced by r25218
r25218 made assumptions about the existence of past reference frames that
weren't necessarily true.
| author | darkshikari |
|---|---|
| date | Tue, 28 Sep 2010 09:06:22 +0000 |
| parents | 25e9cb2b9477 |
| children |
| rev | line source |
|---|---|
| 4080 | 1 /* |
| 2 * LZW decoder | |
|
8629
04423b2f6e0b
cosmetics: Remove pointless period after copyright statement non-sentences.
diego
parents:
7266
diff
changeset
|
3 * Copyright (c) 2003 Fabrice Bellard |
|
04423b2f6e0b
cosmetics: Remove pointless period after copyright statement non-sentences.
diego
parents:
7266
diff
changeset
|
4 * Copyright (c) 2006 Konstantin Shishkov |
| 4080 | 5 * |
| 6 * This file is part of FFmpeg. | |
| 7 * | |
| 8 * FFmpeg is free software; you can redistribute it and/or | |
| 9 * modify it under the terms of the GNU Lesser General Public | |
| 10 * License as published by the Free Software Foundation; either | |
| 11 * version 2.1 of the License, or (at your option) any later version. | |
| 12 * | |
| 13 * FFmpeg is distributed in the hope that it will be useful, | |
| 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 16 * Lesser General Public License for more details. | |
| 17 * | |
| 18 * You should have received a copy of the GNU Lesser General Public | |
| 19 * License along with FFmpeg; if not, write to the Free Software | |
| 20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
| 21 */ | |
| 22 | |
| 23 /** | |
|
11644
7dd2a45249a9
Remove explicit filename from Doxygen @file commands.
diego
parents:
8718
diff
changeset
|
24 * @file |
| 4080 | 25 * @brief LZW decoding routines |
| 26 * @author Fabrice Bellard | |
| 27 * Modified for use in TIFF by Konstantin Shishkov | |
| 28 */ | |
| 29 | |
| 30 #include "avcodec.h" | |
| 31 #include "lzw.h" | |
| 32 | |
| 33 #define LZW_MAXBITS 12 | |
| 34 #define LZW_SIZTABLE (1<<LZW_MAXBITS) | |
| 35 | |
| 36 static const uint16_t mask[17] = | |
| 37 { | |
| 38 0x0000, 0x0001, 0x0003, 0x0007, | |
| 39 0x000F, 0x001F, 0x003F, 0x007F, | |
| 40 0x00FF, 0x01FF, 0x03FF, 0x07FF, | |
| 41 0x0FFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF | |
| 42 }; | |
| 43 | |
| 44 struct LZWState { | |
| 6218 | 45 const uint8_t *pbuf, *ebuf; |
| 4080 | 46 int bbits; |
| 47 unsigned int bbuf; | |
| 48 | |
| 49 int mode; ///< Decoder mode | |
| 50 int cursize; ///< The current code size | |
| 51 int curmask; | |
| 52 int codesize; | |
| 53 int clear_code; | |
| 54 int end_code; | |
| 55 int newcodes; ///< First available code | |
| 56 int top_slot; ///< Highest code for current size | |
| 4725 | 57 int extra_slot; |
| 4080 | 58 int slot; ///< Last read code |
| 59 int fc, oc; | |
| 60 uint8_t *sp; | |
| 61 uint8_t stack[LZW_SIZTABLE]; | |
| 62 uint8_t suffix[LZW_SIZTABLE]; | |
| 63 uint16_t prefix[LZW_SIZTABLE]; | |
| 64 int bs; ///< current buffer size for GIF | |
| 65 }; | |
| 66 | |
| 67 /* get one code from stream */ | |
| 68 static int lzw_get_code(struct LZWState * s) | |
| 69 { | |
| 4727 | 70 int c; |
| 4080 | 71 |
| 72 if(s->mode == FF_LZW_GIF) { | |
| 73 while (s->bbits < s->cursize) { | |
| 74 if (!s->bs) { | |
| 4727 | 75 s->bs = *s->pbuf++; |
| 4080 | 76 } |
| 77 s->bbuf |= (*s->pbuf++) << s->bbits; | |
| 78 s->bbits += 8; | |
| 79 s->bs--; | |
| 80 } | |
| 4736 | 81 c = s->bbuf; |
| 4716 | 82 s->bbuf >>= s->cursize; |
| 4080 | 83 } else { // TIFF |
| 84 while (s->bbits < s->cursize) { | |
| 85 s->bbuf = (s->bbuf << 8) | (*s->pbuf++); | |
| 86 s->bbits += 8; | |
| 87 } | |
| 4736 | 88 c = s->bbuf >> (s->bbits - s->cursize); |
| 4080 | 89 } |
| 90 s->bbits -= s->cursize; | |
| 4736 | 91 return c & s->curmask; |
| 4080 | 92 } |
| 93 | |
| 6218 | 94 const uint8_t* ff_lzw_cur_ptr(LZWState *p) |
| 4080 | 95 { |
| 96 return ((struct LZWState*)p)->pbuf; | |
| 97 } | |
| 98 | |
| 99 void ff_lzw_decode_tail(LZWState *p) | |
| 100 { | |
| 101 struct LZWState *s = (struct LZWState *)p; | |
|
4728
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
102 |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
103 if(s->mode == FF_LZW_GIF) { |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
104 while(s->pbuf < s->ebuf && s->bs>0){ |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
105 s->pbuf += s->bs; |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
106 s->bs = *s->pbuf++; |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
107 } |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
108 }else |
|
5db8e9e8f71d
move eob_reached logic into ff_lzw_decode_tail() which simplifies the code, avoids some checks in the innermost loop and also gets rid of the controversal break while hopefully retaining the last byte in a valid bytestream, invalid bytestreams still can have very significant overread
michael
parents:
4727
diff
changeset
|
109 s->pbuf= s->ebuf; |
| 4080 | 110 } |
| 111 | |
|
6517
48759bfbd073
Apply 'cold' attribute to init/uninit functions in libavcodec
zuxy
parents:
6218
diff
changeset
|
112 av_cold void ff_lzw_decode_open(LZWState **p) |
| 4080 | 113 { |
| 114 *p = av_mallocz(sizeof(struct LZWState)); | |
| 115 } | |
| 116 | |
|
6517
48759bfbd073
Apply 'cold' attribute to init/uninit functions in libavcodec
zuxy
parents:
6218
diff
changeset
|
117 av_cold void ff_lzw_decode_close(LZWState **p) |
| 4080 | 118 { |
| 119 av_freep(p); | |
| 120 } | |
| 121 | |
| 122 /** | |
| 123 * Initialize LZW decoder | |
|
12056
25e9cb2b9477
Fix misspelled parameter names in Doxygen documentation.
diego
parents:
11644
diff
changeset
|
124 * @param p LZW context |
| 4080 | 125 * @param csize initial code size in bits |
| 126 * @param buf input data | |
| 127 * @param buf_size input data size | |
| 128 * @param mode decoder working mode - either GIF or TIFF | |
| 129 */ | |
| 6218 | 130 int ff_lzw_decode_init(LZWState *p, int csize, const uint8_t *buf, int buf_size, int mode) |
| 4080 | 131 { |
| 132 struct LZWState *s = (struct LZWState *)p; | |
| 133 | |
|
7266
451bc2b25bcb
check that csize in ff_lzw_decode_init is < LZW_MAXBITS, <= is not enough and
reimar
parents:
6517
diff
changeset
|
134 if(csize < 1 || csize >= LZW_MAXBITS) |
| 4080 | 135 return -1; |
| 136 /* read buffer */ | |
| 137 s->pbuf = buf; | |
| 138 s->ebuf = s->pbuf + buf_size; | |
| 139 s->bbuf = 0; | |
| 140 s->bbits = 0; | |
| 141 s->bs = 0; | |
| 142 | |
| 143 /* decoder */ | |
| 144 s->codesize = csize; | |
| 145 s->cursize = s->codesize + 1; | |
| 146 s->curmask = mask[s->cursize]; | |
| 147 s->top_slot = 1 << s->cursize; | |
| 148 s->clear_code = 1 << s->codesize; | |
| 149 s->end_code = s->clear_code + 1; | |
| 150 s->slot = s->newcodes = s->clear_code + 2; | |
| 4732 | 151 s->oc = s->fc = -1; |
| 4080 | 152 s->sp = s->stack; |
| 153 | |
| 154 s->mode = mode; | |
| 4735 | 155 s->extra_slot = s->mode == FF_LZW_TIFF; |
| 4080 | 156 return 0; |
| 157 } | |
| 158 | |
| 159 /** | |
| 160 * Decode given number of bytes | |
| 161 * NOTE: the algorithm here is inspired from the LZW GIF decoder | |
| 162 * written by Steven A. Bennett in 1987. | |
| 163 * | |
|
12056
25e9cb2b9477
Fix misspelled parameter names in Doxygen documentation.
diego
parents:
11644
diff
changeset
|
164 * @param p LZW context |
| 4080 | 165 * @param buf output buffer |
| 166 * @param len number of bytes to decode | |
| 167 * @return number of bytes decoded | |
| 168 */ | |
| 169 int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ | |
| 170 int l, c, code, oc, fc; | |
| 171 uint8_t *sp; | |
| 172 struct LZWState *s = (struct LZWState *)p; | |
| 173 | |
| 174 if (s->end_code < 0) | |
| 175 return 0; | |
| 176 | |
| 177 l = len; | |
| 178 sp = s->sp; | |
| 179 oc = s->oc; | |
| 180 fc = s->fc; | |
| 181 | |
| 182 for (;;) { | |
| 4726 | 183 while (sp > s->stack) { |
| 184 *buf++ = *(--sp); | |
| 185 if ((--l) == 0) | |
| 186 goto the_end; | |
| 187 } | |
| 4080 | 188 c = lzw_get_code(s); |
| 189 if (c == s->end_code) { | |
| 190 break; | |
| 191 } else if (c == s->clear_code) { | |
| 192 s->cursize = s->codesize + 1; | |
| 193 s->curmask = mask[s->cursize]; | |
| 194 s->slot = s->newcodes; | |
| 195 s->top_slot = 1 << s->cursize; | |
| 4732 | 196 fc= oc= -1; |
| 4080 | 197 } else { |
| 198 code = c; | |
|
4733
507d08212e36
check input validity, this prevents a few variables from reachin odd values which might have lead to out of array writes and thus might have been exploitable
michael
parents:
4732
diff
changeset
|
199 if (code == s->slot && fc>=0) { |
| 4080 | 200 *sp++ = fc; |
| 201 code = oc; | |
|
4733
507d08212e36
check input validity, this prevents a few variables from reachin odd values which might have lead to out of array writes and thus might have been exploitable
michael
parents:
4732
diff
changeset
|
202 }else if(code >= s->slot) |
|
507d08212e36
check input validity, this prevents a few variables from reachin odd values which might have lead to out of array writes and thus might have been exploitable
michael
parents:
4732
diff
changeset
|
203 break; |
| 4080 | 204 while (code >= s->newcodes) { |
| 205 *sp++ = s->suffix[code]; | |
| 206 code = s->prefix[code]; | |
| 207 } | |
| 208 *sp++ = code; | |
| 4732 | 209 if (s->slot < s->top_slot && oc>=0) { |
| 210 s->suffix[s->slot] = code; | |
| 4080 | 211 s->prefix[s->slot++] = oc; |
| 212 } | |
| 4732 | 213 fc = code; |
| 214 oc = c; | |
| 4725 | 215 if (s->slot >= s->top_slot - s->extra_slot) { |
| 4080 | 216 if (s->cursize < LZW_MAXBITS) { |
| 217 s->top_slot <<= 1; | |
| 218 s->curmask = mask[++s->cursize]; | |
| 219 } | |
| 220 } | |
| 221 } | |
| 222 } | |
|
4733
507d08212e36
check input validity, this prevents a few variables from reachin odd values which might have lead to out of array writes and thus might have been exploitable
michael
parents:
4732
diff
changeset
|
223 s->end_code = -1; |
| 4080 | 224 the_end: |
| 225 s->sp = sp; | |
| 226 s->oc = oc; | |
| 227 s->fc = fc; | |
| 228 return len - l; | |
| 229 } |