Mercurial > libavcodec.hg
view v210x.c @ 10229:bd1c4a438c7f libavcodec
Check codec_id and codec_type in avcodec_open(), based on 43_codec_type_mismatch.patch from chrome
This is said to be able to lead to a stack based buffer overflow.
author | michael |
---|---|
date | Tue, 22 Sep 2009 22:44:56 +0000 |
parents | 2f804e0a17fc |
children | 2bb3882075b6 |
line wrap: on
line source
/* * Copyright (C) 2009 Michael Niedermayer <michaelni@gmx.at> * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include "avcodec.h" #include "libavutil/bswap.h" static av_cold int decode_init(AVCodecContext *avctx) { if(avctx->width & 1){ av_log(avctx, AV_LOG_ERROR, "v210x needs even width\n"); return -1; } if(avcodec_check_dimensions(avctx, avctx->width, avctx->height) < 0) return -1; avctx->pix_fmt = PIX_FMT_YUV422P16; avctx->bits_per_raw_sample= 10; avctx->coded_frame= avcodec_alloc_frame(); return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { int y=0; int width= avctx->width; AVFrame *pic= avctx->coded_frame; const uint32_t *src= (const uint32_t *)avpkt->data; uint16_t *ydst, *udst, *vdst, *yend; if(pic->data[0]) avctx->release_buffer(avctx, pic); if(avpkt->size < avctx->width * avctx->height * 8 / 3){ av_log(avctx, AV_LOG_ERROR, "Packet too small\n"); return -1; } if(avpkt->size > avctx->width * avctx->height * 8 / 3){ av_log(avctx, AV_LOG_ERROR, "Probably padded data, need sample!\n"); } pic->reference= 0; if(avctx->get_buffer(avctx, pic) < 0) return -1; ydst= (uint16_t *)pic->data[0]; udst= (uint16_t *)pic->data[1]; vdst= (uint16_t *)pic->data[2]; yend= ydst + width; pic->pict_type= FF_I_TYPE; pic->key_frame= 1; for(;;){ uint32_t v= be2me_32(*src++); *udst++= (v>>16) & 0xFFC0; *ydst++= (v>>6 ) & 0xFFC0; *vdst++= (v<<4 ) & 0xFFC0; v= be2me_32(*src++); *ydst++= (v>>16) & 0xFFC0; if(ydst >= yend){ ydst+= pic->linesize[0]/2 - width; udst+= pic->linesize[1]/2 - width/2; vdst+= pic->linesize[2]/2 - width/2; yend= ydst + width; if(++y >= avctx->height) break; } *udst++= (v>>6 ) & 0xFFC0; *ydst++= (v<<4 ) & 0xFFC0; v= be2me_32(*src++); *vdst++= (v>>16) & 0xFFC0; *ydst++= (v>>6 ) & 0xFFC0; if(ydst >= yend){ ydst+= pic->linesize[0]/2 - width; udst+= pic->linesize[1]/2 - width/2; vdst+= pic->linesize[2]/2 - width/2; yend= ydst + width; if(++y >= avctx->height) break; } *udst++= (v<<4 ) & 0xFFC0; v= be2me_32(*src++); *ydst++= (v>>16) & 0xFFC0; *vdst++= (v>>6 ) & 0xFFC0; *ydst++= (v<<4 ) & 0xFFC0; if(ydst >= yend){ ydst+= pic->linesize[0]/2 - width; udst+= pic->linesize[1]/2 - width/2; vdst+= pic->linesize[2]/2 - width/2; yend= ydst + width; if(++y >= avctx->height) break; } } *data_size=sizeof(AVFrame); *(AVFrame*)data= *avctx->coded_frame; return avpkt->size; } AVCodec v210x_decoder = { "v210x", CODEC_TYPE_VIDEO, CODEC_ID_V210X, 0, decode_init, NULL, NULL, decode_frame, CODEC_CAP_DR1, };