bfi: Use bytestream2 functions to prevent buffer overreads.
1 /*
2 * Brute Force & Ignorance (BFI) video decoder
3 * Copyright (c) 2008 Sisir Koppaka
4 *
5 * This file is part of Libav.
6 *
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 /**
23 * @file
24 * @brief Brute Force & Ignorance (.bfi) video decoder
25 * @author Sisir Koppaka ( sisir.koppaka at gmail dot com )
26 * @see http://wiki.multimedia.cx/index.php?title=BFI
27 */
28
29 #include "libavutil/common.h"
30 #include "avcodec.h"
31 #include "bytestream.h"
32
/** Private decoder state, stored in AVCodecContext.priv_data. */
typedef struct BFIContext {
    /* Back-pointer to the codec context; not referenced by the code visible here. */
    AVCodecContext *avctx;
    /* Output frame handed back to the caller after each decode. */
    AVFrame frame;
    /* Tightly packed width * height picture buffer, allocated in
     * bfi_decode_init(). Its contents persist between packets, so a frame
     * can leave regions of the previous picture untouched. */
    uint8_t *dst;
} BFIContext;
38
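/**
 * Initialise the decoder: select PAL8 output and allocate the zeroed
 * width * height picture buffer that bfi_decode_frame() decodes into.
 *
 * @param avctx codec context; priv_data holds the BFIContext
 * @return 0 on success, AVERROR(ENOMEM) if the buffer cannot be allocated
 */
static av_cold int bfi_decode_init(AVCodecContext *avctx)
{
    BFIContext *bfi = avctx->priv_data;

    avctx->pix_fmt = PIX_FMT_PAL8;

    /* NOTE(review): width * height is an int multiplication; presumably the
     * dimensions were validated before init is called -- confirm. */
    bfi->dst = av_mallocz(avctx->width * avctx->height);

    /* bfi_decode_frame() writes through this pointer, so a failed
     * allocation has to be reported here instead of returning success. */
    if (!bfi->dst)
        return AVERROR(ENOMEM);

    return 0;
}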
46
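/**
 * Decode one BFI packet into a PAL8 frame.
 *
 * The packet is a sequence of chains. Each chain starts with a byte whose
 * top two bits select the chain type and whose low six bits carry a length
 * (0 means an extended length follows). Chains are applied to the persistent
 * picture buffer bfi->dst, which is then copied row by row into the output
 * frame.
 *
 * All packet reads go through the bounds-checked bytestream2 readers, so a
 * truncated packet cannot cause reads past avpkt->data + avpkt->size. Writes
 * are bounded by the explicit checks against frame_end and bfi->dst below.
 *
 * @param avctx     codec context; priv_data holds the BFIContext
 * @param data      receives a copy of the decoded AVFrame
 * @param data_size set to sizeof(AVFrame) on success
 * @param avpkt     input packet
 * @return avpkt->size on success, -1 on error
 */
static int bfi_decode_frame(AVCodecContext *avctx, void *data,
                            int *data_size, AVPacket *avpkt)
{
    GetByteContext g;
    int buf_size    = avpkt->size;
    BFIContext *bfi = avctx->priv_data;
    uint8_t *dst    = bfi->dst;
    uint8_t *src, *dst_offset, colour1, colour2;
    uint8_t *frame_end;
    uint32_t *pal;
    int i, j, height = avctx->height;

    /* bfi->dst is allocated in bfi_decode_init(); every chain below writes
     * through it, so refuse to decode if that allocation did not succeed. */
    if (!bfi->dst) {
        av_log(avctx, AV_LOG_ERROR, "Frame buffer was not allocated.\n");
        return -1;
    }

    /* NOTE(review): frame_end uses the current avctx dimensions while
     * bfi->dst was sized in bfi_decode_init() -- presumably the dimensions
     * cannot change in between; confirm. */
    frame_end = bfi->dst + avctx->width * avctx->height;

    if (bfi->frame.data[0])
        avctx->release_buffer(avctx, &bfi->frame);

    bfi->frame.reference = 1;

    if (avctx->get_buffer(avctx, &bfi->frame) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return -1;
    }

    bytestream2_init(&g, avpkt->data, buf_size);

    /* Set frame parameters and palette, if necessary */
    if (!avctx->frame_number) {
        bfi->frame.pict_type = AV_PICTURE_TYPE_I;
        bfi->frame.key_frame = 1;
        /* Setting the palette: 3 bytes per entry, so 768 bytes is the most
         * that fits 256 entries. */
        if (avctx->extradata_size > 768) {
            av_log(avctx, AV_LOG_ERROR, "Palette is too large.\n");
            return -1;
        }
        pal = (uint32_t *)bfi->frame.data[1];
        for (i = 0; i < avctx->extradata_size / 3; i++) {
            int shift = 16;
            *pal = 0;
            /* Each component is widened as (v << 2) | (v >> 4); a component
             * above 63 would carry into the neighbouring channel through
             * the addition. */
            for (j = 0; j < 3; j++, shift -= 8)
                *pal +=
                    ((avctx->extradata[i * 3 + j] << 2) |
                     (avctx->extradata[i * 3 + j] >> 4)) << shift;
            pal++;
        }
        bfi->frame.palette_has_changed = 1;
    } else {
        bfi->frame.pict_type = AV_PICTURE_TYPE_P;
        bfi->frame.key_frame = 0;
    }

    bytestream2_skip(&g, 4); // Unpacked size, not required.

    while (dst != frame_end) {
        /* Shift that converts a chain's length field into output bytes. */
        static const uint8_t lentab[4] = { 0, 2, 0, 1 };
        unsigned int byte   = bytestream2_get_byte(&g), av_uninit(offset);
        unsigned int code   = byte >> 6;
        unsigned int length = byte & ~0xC0;

        if (!bytestream2_get_bytes_left(&g)) {
            av_log(avctx, AV_LOG_ERROR,
                   "Input resolution larger than actual frame.\n");
            return -1;
        }

        /* Get length and offset(if required) */
        if (length == 0) {
            if (code == 1) {
                length = bytestream2_get_byte(&g);
                offset = bytestream2_get_le16(&g);
            } else {
                length = bytestream2_get_le16(&g);
                if (code == 2 && length == 0)
                    break;
            }
        } else {
            if (code == 1)
                offset = bytestream2_get_byte(&g);
        }

        /* Do boundary check. Compare sizes rather than forming
         * dst + size, which would be an out-of-range pointer (undefined
         * behaviour) for exactly the inputs this check has to reject. */
        if ((length << lentab[code]) > (size_t)(frame_end - dst))
            break;

        switch (code) {

        case 0:                 // Normal Chain
            if (length >= bytestream2_get_bytes_left(&g)) {
                av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
                return -1;
            }
            bytestream2_get_buffer(&g, dst, length);
            dst += length;
            break;

        case 1:                 // Back Chain
            length *= 4;        // Convert dwords to bytes.
            /* Reject a back-reference that starts before the picture
             * buffer; test the distance before forming the pointer so no
             * out-of-range pointer is ever computed. */
            if (offset > (size_t)(dst - bfi->dst))
                break;
            dst_offset = dst - offset;
            /* Byte-wise copy: source and destination may overlap. */
            while (length--)
                *dst++ = *dst_offset++;
            break;

        case 2:                 // Skip Chain
            dst += length;
            break;

        case 3:                 // Fill Chain
            colour1 = bytestream2_get_byte(&g);
            colour2 = bytestream2_get_byte(&g);
            while (length--) {
                *dst++ = colour1;
                *dst++ = colour2;
            }
            break;

        }
    }

    /* Copy the packed picture into the output frame, honouring its stride. */
    src = bfi->dst;
    dst = bfi->frame.data[0];
    while (height--) {
        memcpy(dst, src, avctx->width);
        src += avctx->width;
        dst += bfi->frame.linesize[0];
    }
    *data_size       = sizeof(AVFrame);
    *(AVFrame *)data = bfi->frame;
    return buf_size;
}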
176
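/**
 * Release the decoder's resources: the output frame, if one is currently
 * held, and the picture buffer.
 *
 * @param avctx codec context; priv_data holds the BFIContext
 * @return always 0
 */
static av_cold int bfi_decode_close(AVCodecContext *avctx)
{
    BFIContext *bfi = avctx->priv_data;

    if (bfi->frame.data[0])
        avctx->release_buffer(avctx, &bfi->frame);

    /* av_freep() also clears the pointer, so the context is not left
     * holding a dangling reference to the freed picture buffer. */
    av_freep(&bfi->dst);
    return 0;
}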
185
/* Codec table entry that exposes the BFI video decoder. */
AVCodec ff_bfi_decoder = {
    /* Identification */
    .name           = "bfi",
    .long_name      = NULL_IF_CONFIG_SMALL("Brute Force & Ignorance"),
    .type           = AVMEDIA_TYPE_VIDEO,
    .id             = CODEC_ID_BFI,
    .capabilities   = CODEC_CAP_DR1,
    /* Size of the BFIContext reached through AVCodecContext.priv_data */
    .priv_data_size = sizeof(BFIContext),
    /* Entry points */
    .init           = bfi_decode_init,
    .decode         = bfi_decode_frame,
    .close          = bfi_decode_close,
};