sgidec: fix buffer size check in expand_rle_row()
[libav.git] / libavcodec / sgidec.c
1 /*
2 * SGI image decoder
3 * Todd Kirby <doubleshot@pacbell.net>
4 *
5 * This file is part of Libav.
6 *
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "libavutil/imgutils.h"
23 #include "avcodec.h"
24 #include "bytestream.h"
25 #include "internal.h"
26 #include "sgi.h"
27
28 typedef struct SgiState {
29 AVCodecContext *avctx;
30 unsigned int width;
31 unsigned int height;
32 unsigned int depth;
33 unsigned int bytes_per_channel;
34 int linesize;
35 GetByteContext g;
36 } SgiState;
37
38 /**
39 * Expand an RLE row into a channel.
40 * @param s the current image state
41 * @param out_buf Points to one line after the output buffer.
42 * @param len length of out_buf in bytes
43 * @param pixelstride pixel stride of input buffer
44 * @return size of output in bytes, -1 if buffer overflows
45 */
46 static int expand_rle_row(SgiState *s, uint8_t *out_buf,
47 int len, int pixelstride)
48 {
49 unsigned char pixel, count;
50 unsigned char *orig = out_buf;
51
52 while (1) {
53 if (bytestream2_get_bytes_left(&s->g) < 1)
54 return AVERROR_INVALIDDATA;
55 pixel = bytestream2_get_byteu(&s->g);
56 if (!(count = (pixel & 0x7f))) {
57 return (out_buf - orig) / pixelstride;
58 }
59
60 /* Check for buffer overflow. */
61 if (pixelstride * (count - 1) >= len) {
62 av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
63 return AVERROR_INVALIDDATA;
64 }
65
66 if (pixel & 0x80) {
67 while (count--) {
68 *out_buf = bytestream2_get_byte(&s->g);
69 out_buf += pixelstride;
70 }
71 } else {
72 pixel = bytestream2_get_byte(&s->g);
73
74 while (count--) {
75 *out_buf = pixel;
76 out_buf += pixelstride;
77 }
78 }
79 }
80 }
81
82 /**
83 * Read a run length encoded SGI image.
84 * @param out_buf output buffer
85 * @param s the current image state
86 * @return 0 if no error, else return error number.
87 */
88 static int read_rle_sgi(uint8_t *out_buf, SgiState *s)
89 {
90 uint8_t *dest_row;
91 unsigned int len = s->height * s->depth * 4;
92 GetByteContext g_table = s->g;
93 unsigned int y, z;
94 unsigned int start_offset;
95
96 /* size of RLE offset and length tables */
97 if (len * 2 > bytestream2_get_bytes_left(&s->g)) {
98 return AVERROR_INVALIDDATA;
99 }
100
101 for (z = 0; z < s->depth; z++) {
102 dest_row = out_buf;
103 for (y = 0; y < s->height; y++) {
104 dest_row -= s->linesize;
105 start_offset = bytestream2_get_be32(&g_table);
106 bytestream2_seek(&s->g, start_offset, SEEK_SET);
107 if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z,
108 s->depth) != s->width) {
109 return AVERROR_INVALIDDATA;
110 }
111 }
112 }
113 return 0;
114 }
115
116 /**
117 * Read an uncompressed SGI image.
118 * @param out_buf output buffer
119 * @param out_end end ofoutput buffer
120 * @param s the current image state
121 * @return 0 if read success, otherwise return -1.
122 */
123 static int read_uncompressed_sgi(unsigned char* out_buf, uint8_t* out_end,
124 SgiState *s)
125 {
126 int x, y, z;
127 unsigned int offset = s->height * s->width * s->bytes_per_channel;
128 GetByteContext gp[4];
129
130 /* Test buffer size. */
131 if (offset * s->depth > bytestream2_get_bytes_left(&s->g))
132 return AVERROR_INVALIDDATA;
133
134 /* Create a reader for each plane */
135 for (z = 0; z < s->depth; z++) {
136 gp[z] = s->g;
137 bytestream2_skip(&gp[z], z * offset);
138 }
139
140 for (y = s->height - 1; y >= 0; y--) {
141 out_end = out_buf + (y * s->linesize);
142 if (s->bytes_per_channel == 1) {
143 for (x = s->width; x > 0; x--)
144 for (z = 0; z < s->depth; z++)
145 *out_end++ = bytestream2_get_byteu(&gp[z]);
146 } else {
147 uint16_t *out16 = (uint16_t *)out_end;
148 for (x = s->width; x > 0; x--)
149 for (z = 0; z < s->depth; z++)
150 *out16++ = bytestream2_get_ne16u(&gp[z]);
151 }
152 }
153 return 0;
154 }
155
156 static int decode_frame(AVCodecContext *avctx,
157 void *data, int *got_frame,
158 AVPacket *avpkt)
159 {
160 SgiState *s = avctx->priv_data;
161 AVFrame *p = data;
162 unsigned int dimension, rle;
163 int ret = 0;
164 uint8_t *out_buf, *out_end;
165
166 bytestream2_init(&s->g, avpkt->data, avpkt->size);
167 if (bytestream2_get_bytes_left(&s->g) < SGI_HEADER_SIZE) {
168 av_log(avctx, AV_LOG_ERROR, "buf_size too small (%d)\n", avpkt->size);
169 return AVERROR_INVALIDDATA;
170 }
171
172 /* Test for SGI magic. */
173 if (bytestream2_get_be16(&s->g) != SGI_MAGIC) {
174 av_log(avctx, AV_LOG_ERROR, "bad magic number\n");
175 return AVERROR_INVALIDDATA;
176 }
177
178 rle = bytestream2_get_byte(&s->g);
179 s->bytes_per_channel = bytestream2_get_byte(&s->g);
180 dimension = bytestream2_get_be16(&s->g);
181 s->width = bytestream2_get_be16(&s->g);
182 s->height = bytestream2_get_be16(&s->g);
183 s->depth = bytestream2_get_be16(&s->g);
184
185 if (s->bytes_per_channel != 1 && (s->bytes_per_channel != 2 || rle)) {
186 av_log(avctx, AV_LOG_ERROR, "wrong channel number\n");
187 return -1;
188 }
189
190 /* Check for supported image dimensions. */
191 if (dimension != 2 && dimension != 3) {
192 av_log(avctx, AV_LOG_ERROR, "wrong dimension number\n");
193 return -1;
194 }
195
196 if (s->depth == SGI_GRAYSCALE) {
197 avctx->pix_fmt = s->bytes_per_channel == 2 ? AV_PIX_FMT_GRAY16BE : AV_PIX_FMT_GRAY8;
198 } else if (s->depth == SGI_RGB) {
199 avctx->pix_fmt = s->bytes_per_channel == 2 ? AV_PIX_FMT_RGB48BE : AV_PIX_FMT_RGB24;
200 } else if (s->depth == SGI_RGBA && s->bytes_per_channel == 1) {
201 avctx->pix_fmt = AV_PIX_FMT_RGBA;
202 } else {
203 av_log(avctx, AV_LOG_ERROR, "wrong picture format\n");
204 return -1;
205 }
206
207 ret = ff_set_dimensions(avctx, s->width, s->height);
208 if (ret < 0)
209 return ret;
210
211 if (ff_get_buffer(avctx, p, 0) < 0) {
212 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed.\n");
213 return -1;
214 }
215
216 p->pict_type = AV_PICTURE_TYPE_I;
217 p->key_frame = 1;
218 out_buf = p->data[0];
219
220 out_end = out_buf + p->linesize[0] * s->height;
221
222 s->linesize = p->linesize[0];
223
224 /* Skip header. */
225 bytestream2_seek(&s->g, SGI_HEADER_SIZE, SEEK_SET);
226 if (rle) {
227 ret = read_rle_sgi(out_end, s);
228 } else {
229 ret = read_uncompressed_sgi(out_buf, out_end, s);
230 }
231
232 if (ret == 0) {
233 *got_frame = 1;
234 return avpkt->size;
235 } else {
236 return ret;
237 }
238 }
239
240 static av_cold int sgi_decode_init(AVCodecContext *avctx)
241 {
242 SgiState *s = avctx->priv_data;
243
244 s->avctx = avctx;
245
246 return 0;
247 }
248
249 AVCodec ff_sgi_decoder = {
250 .name = "sgi",
251 .long_name = NULL_IF_CONFIG_SMALL("SGI image"),
252 .type = AVMEDIA_TYPE_VIDEO,
253 .id = AV_CODEC_ID_SGI,
254 .priv_data_size = sizeof(SgiState),
255 .decode = decode_frame,
256 .init = sgi_decode_init,
257 .capabilities = CODEC_CAP_DR1,
258 };