# HG changeset patch # User michael # Date 1215974844 0 # Node ID c1762e7b1ff307210559606675354d7733eb9fa8 # Parent 270e9f324405a1206f7ef0e9dd1a49d0d8790a5d Remove gif demuxer, the code contains a gif decoder and lzw decoder neither belongs in a demuxer, furthermore the code might be exploitable. Fixes issue530 diff -r 270e9f324405 -r c1762e7b1ff3 allformats.c --- a/allformats.c Sat Jul 12 22:17:13 2008 +0000 +++ b/allformats.c Sun Jul 13 18:47:24 2008 +0000 @@ -82,7 +82,7 @@ REGISTER_MUXDEMUX (FLV, flv); REGISTER_DEMUXER (FOURXM, fourxm); REGISTER_MUXER (FRAMECRC, framecrc); - REGISTER_MUXDEMUX (GIF, gif); + REGISTER_MUXER (GIF, gif); REGISTER_DEMUXER (GSM, gsm); REGISTER_MUXDEMUX (GXF, gxf); REGISTER_MUXDEMUX (H261, h261); diff -r 270e9f324405 -r c1762e7b1ff3 gifdec.c --- a/gifdec.c Sat Jul 12 22:17:13 2008 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,590 +0,0 @@ -/* - * GIF demuxer - * Copyright (c) 2003 Fabrice Bellard. - * - * This file is part of FFmpeg. - * - * FFmpeg is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * FFmpeg is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with FFmpeg; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - */ -#include "avformat.h" - -//#define DEBUG - -#define MAXBITS 12 -#define SIZTABLE (1<buf_size < 24 || - memcmp(pd->buf, gif89a_sig, 6) != 0) - return 0; - p_end = pd->buf + pd->buf_size; - p = pd->buf + 6; - bits_per_pixel = (p[4] & 0x07) + 1; - has_global_palette = (p[4] & 0x80); - p += 7; - if (has_global_palette) - p += (1 << bits_per_pixel) * 3; - for(;;) { - if (p >= p_end) - return 0; - if (*p != '!') - break; - p++; - if (p >= p_end) - return 0; - ext_code = *p++; - if (p >= p_end) - return 0; - ext_len = *p++; - if (ext_code == 0xf9) { - if (p >= p_end) - return 0; - /* if GCE extension found with gce_disposal != 0: it is - likely to be an animation */ - gce_flags = *p++; - gce_disposal = (gce_flags >> 2) & 0x7; - if (gce_disposal != 0) - return AVPROBE_SCORE_MAX; - else - return 0; - } - for(;;) { - if (ext_len == 0) - break; - p += ext_len; - if (p >= p_end) - return 0; - ext_len = *p++; - } - } - return 0; -} - -static void GLZWDecodeInit(GifState * s, int csize) -{ - /* read buffer */ - s->eob_reached = 0; - s->pbuf = s->buf; - s->ebuf = s->buf; - s->bbuf = 0; - s->bbits = 0; - - /* decoder */ - s->codesize = csize; - s->cursize = s->codesize + 1; - s->curmask = mask[s->cursize]; - s->top_slot = 1 << s->cursize; - s->clear_code = 1 << s->codesize; - s->end_code = s->clear_code + 1; - s->slot = s->newcodes = s->clear_code + 2; - s->oc = s->fc = 0; - s->sp = s->stack; -} - -/* XXX: optimize */ -static inline int GetCode(GifState * s) -{ - int c, sizbuf; - uint8_t *ptr; - - while (s->bbits < s->cursize) { - ptr = s->pbuf; - if (ptr >= s->ebuf) { - if (!s->eob_reached) { - sizbuf = get_byte(s->f); - s->ebuf = s->buf + sizbuf; - s->pbuf = s->buf; - if (sizbuf > 0) { - get_buffer(s->f, s->buf, sizbuf); - } else { - s->eob_reached = 1; - } - } - ptr = s->pbuf; - } - s->bbuf |= ptr[0] << s->bbits; - ptr++; - s->pbuf = ptr; - s->bbits += 8; - } - c = s->bbuf & s->curmask; - s->bbuf >>= s->cursize; - s->bbits -= s->cursize; - return c; -} - -/* NOTE: the algorithm here is inspired from the LZW GIF decoder - written by Steven A. Bennett in 1987. */ -/* return the number of byte decoded */ -static int GLZWDecode(GifState * s, uint8_t * buf, int len) -{ - int l, c, code, oc, fc; - uint8_t *sp; - - if (s->end_code < 0) - return 0; - - l = len; - sp = s->sp; - oc = s->oc; - fc = s->fc; - - while (sp > s->stack) { - *buf++ = *(--sp); - if ((--l) == 0) - goto the_end; - } - - for (;;) { - c = GetCode(s); - if (c == s->end_code) { - s->end_code = -1; - break; - } else if (c == s->clear_code) { - s->cursize = s->codesize + 1; - s->curmask = mask[s->cursize]; - s->slot = s->newcodes; - s->top_slot = 1 << s->cursize; - while ((c = GetCode(s)) == s->clear_code); - if (c == s->end_code) { - s->end_code = -1; - break; - } - /* test error */ - if (c >= s->slot) - c = 0; - fc = oc = c; - *buf++ = c; - if ((--l) == 0) - break; - } else { - code = c; - if (code >= s->slot) { - *sp++ = fc; - code = oc; - } - while (code >= s->newcodes) { - *sp++ = s->suffix[code]; - code = s->prefix[code]; - } - *sp++ = code; - if (s->slot < s->top_slot) { - s->suffix[s->slot] = fc = code; - s->prefix[s->slot++] = oc; - oc = c; - } - if (s->slot >= s->top_slot) { - if (s->cursize < MAXBITS) { - s->top_slot <<= 1; - s->curmask = mask[++s->cursize]; - } - } - while (sp > s->stack) { - *buf++ = *(--sp); - if ((--l) == 0) - goto the_end; - } - } - } - the_end: - s->sp = sp; - s->oc = oc; - s->fc = fc; - return len - l; -} - -static int gif_read_image(GifState *s) -{ - ByteIOContext *f = s->f; - int left, top, width, height, bits_per_pixel, code_size, flags; - int is_interleaved, has_local_palette, y, x, pass, y1, linesize, n, i; - uint8_t *ptr, *line, *d, *spal, *palette, *sptr, *ptr1; - - left = get_le16(f); - top = get_le16(f); - width = get_le16(f); - height = get_le16(f); - flags = get_byte(f); - is_interleaved = flags & 0x40; - has_local_palette = flags & 0x80; - bits_per_pixel = (flags & 0x07) + 1; -#ifdef DEBUG - printf("gif: image x=%d y=%d w=%d h=%d\n", left, top, width, height); -#endif - - if (has_local_palette) { - get_buffer(f, s->local_palette, 3 * (1 << bits_per_pixel)); - palette = s->local_palette; - } else { - palette = s->global_palette; - bits_per_pixel = s->bits_per_pixel; - } - - /* verify that all the image is inside the screen dimensions */ - if (left + width > s->screen_width || - top + height > s->screen_height) - return AVERROR(EINVAL); - - /* build the palette */ - if (s->pix_fmt == PIX_FMT_RGB24) { - line = av_malloc(width); - if (!line) - return AVERROR(ENOMEM); - } else { - n = (1 << bits_per_pixel); - spal = palette; - for(i = 0; i < n; i++) { - s->image_palette[i] = (0xff << 24) | - (spal[0] << 16) | (spal[1] << 8) | (spal[2]); - spal += 3; - } - for(; i < 256; i++) - s->image_palette[i] = (0xff << 24); - /* handle transparency */ - if (s->transparent_color_index >= 0) - s->image_palette[s->transparent_color_index] = 0; - line = NULL; - } - - /* now get the image data */ - s->f = f; - code_size = get_byte(f); - GLZWDecodeInit(s, code_size); - - /* read all the image */ - linesize = s->image_linesize; - ptr1 = s->image_buf + top * linesize + (left * 3); - ptr = ptr1; - pass = 0; - y1 = 0; - for (y = 0; y < height; y++) { - if (s->pix_fmt == PIX_FMT_RGB24) { - /* transcode to RGB24 */ - GLZWDecode(s, line, width); - d = ptr; - sptr = line; - for(x = 0; x < width; x++) { - spal = palette + sptr[0] * 3; - d[0] = spal[0]; - d[1] = spal[1]; - d[2] = spal[2]; - d += 3; - sptr++; - } - } else { - GLZWDecode(s, ptr, width); - } - if (is_interleaved) { - switch(pass) { - default: - case 0: - case 1: - y1 += 8; - ptr += linesize * 8; - if (y1 >= height) { - y1 = pass == 0 ? 4 : 2; - ptr = ptr1 + linesize * y1; - pass++; - } - break; - case 2: - y1 += 4; - ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } - break; - case 3: - y1 += 2; - ptr += linesize * 2; - break; - } - } else { - ptr += linesize; - } - } - av_free(line); - - /* read the garbage data until end marker is found */ - while (!s->eob_reached) - GetCode(s); - return 0; -} - -static int gif_read_extension(GifState *s) -{ - ByteIOContext *f = s->f; - int ext_code, ext_len, i, gce_flags, gce_transparent_index; - - /* extension */ - ext_code = get_byte(f); - ext_len = get_byte(f); -#ifdef DEBUG - printf("gif: ext_code=0x%x len=%d\n", ext_code, ext_len); -#endif - switch(ext_code) { - case 0xf9: - if (ext_len != 4) - goto discard_ext; - s->transparent_color_index = -1; - gce_flags = get_byte(f); - s->gce_delay = get_le16(f); - gce_transparent_index = get_byte(f); - if (gce_flags & 0x01) - s->transparent_color_index = gce_transparent_index; - else - s->transparent_color_index = -1; - s->gce_disposal = (gce_flags >> 2) & 0x7; -#ifdef DEBUG - printf("gif: gce_flags=%x delay=%d tcolor=%d disposal=%d\n", - gce_flags, s->gce_delay, - s->transparent_color_index, s->gce_disposal); -#endif - ext_len = get_byte(f); - break; - } - - /* NOTE: many extension blocks can come after */ - discard_ext: - while (ext_len != 0) { - for (i = 0; i < ext_len; i++) - get_byte(f); - ext_len = get_byte(f); -#ifdef DEBUG - printf("gif: ext_len1=%d\n", ext_len); -#endif - } - return 0; -} - -static int gif_read_header1(GifState *s) -{ - ByteIOContext *f = s->f; - uint8_t sig[6]; - int ret, v, n; - int has_global_palette; - - /* read gif signature */ - ret = get_buffer(f, sig, 6); - if (ret != 6) - return -1; - if (memcmp(sig, gif87a_sig, 6) != 0 && - memcmp(sig, gif89a_sig, 6) != 0) - return -1; - - /* read screen header */ - s->transparent_color_index = -1; - s->screen_width = get_le16(f); - s->screen_height = get_le16(f); - if( (unsigned)s->screen_width > 32767 - || (unsigned)s->screen_height > 32767){ - av_log(NULL, AV_LOG_ERROR, "picture size too large\n"); - return -1; - } - - v = get_byte(f); - s->color_resolution = ((v & 0x70) >> 4) + 1; - has_global_palette = (v & 0x80); - s->bits_per_pixel = (v & 0x07) + 1; - s->background_color_index = get_byte(f); - get_byte(f); /* ignored */ -#ifdef DEBUG - printf("gif: screen_w=%d screen_h=%d bpp=%d global_palette=%d\n", - s->screen_width, s->screen_height, s->bits_per_pixel, - has_global_palette); -#endif - if (has_global_palette) { - n = 1 << s->bits_per_pixel; - get_buffer(f, s->global_palette, n * 3); - } - return 0; -} - -static int gif_parse_next_image(GifState *s) -{ - ByteIOContext *f = s->f; - int ret, code; - - for (;;) { - code = url_fgetc(f); -#ifdef DEBUG - printf("gif: code=%02x '%c'\n", code, code); -#endif - switch (code) { - case ',': - if (gif_read_image(s) < 0) - return AVERROR(EIO); - ret = 0; - goto the_end; - case ';': - /* end of image */ - ret = AVERROR(EIO); - goto the_end; - case '!': - if (gif_read_extension(s) < 0) - return AVERROR(EIO); - break; - case EOF: - default: - /* error or errneous EOF */ - ret = AVERROR(EIO); - goto the_end; - } - } - the_end: - return ret; -} - -static int gif_read_header(AVFormatContext * s1, - AVFormatParameters * ap) -{ - GifState *s = s1->priv_data; - ByteIOContext *f = s1->pb; - AVStream *st; - - s->f = f; - if (gif_read_header1(s) < 0) - return -1; - - /* allocate image buffer */ - s->image_linesize = s->screen_width * 3; - s->image_buf = av_malloc(s->screen_height * s->image_linesize); - if (!s->image_buf) - return AVERROR(ENOMEM); - s->pix_fmt = PIX_FMT_RGB24; - /* now we are ready: build format streams */ - st = av_new_stream(s1, 0); - if (!st) - return -1; - - st->codec->codec_type = CODEC_TYPE_VIDEO; - st->codec->codec_id = CODEC_ID_RAWVIDEO; - st->codec->time_base.den = 5; - st->codec->time_base.num = 1; - /* XXX: check if screen size is always valid */ - st->codec->width = s->screen_width; - st->codec->height = s->screen_height; - st->codec->pix_fmt = PIX_FMT_RGB24; - return 0; -} - -static int gif_read_packet(AVFormatContext * s1, - AVPacket * pkt) -{ - GifState *s = s1->priv_data; - int ret; - - ret = gif_parse_next_image(s); - if (ret < 0) - return ret; - - /* XXX: avoid copying */ - if (av_new_packet(pkt, s->screen_width * s->screen_height * 3)) { - return AVERROR(EIO); - } - pkt->stream_index = 0; - memcpy(pkt->data, s->image_buf, s->screen_width * s->screen_height * 3); - return 0; -} - -static int gif_read_close(AVFormatContext *s1) -{ - GifState *s = s1->priv_data; - av_free(s->image_buf); - return 0; -} - -AVInputFormat gif_demuxer = -{ - "gif", - NULL_IF_CONFIG_SMALL("GIF format"), - sizeof(GifState), - gif_video_probe, - gif_read_header, - gif_read_packet, - gif_read_close, -};