{
FlicDecodeContext *s = avctx->priv_data;
- int stream_ptr = 0;
+ GetByteContext g2;
- int stream_ptr_after_color_chunk;
int pixel_ptr;
int palette_ptr;
unsigned char palette_idx1;
unsigned char *pixels;
unsigned int pixel_limit;
- s->frame.reference = 1;
+ bytestream2_init(&g2, buf, buf_size);
+
+ s->frame.reference = 3;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
-
+ if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE))
+ return AVERROR_INVALIDDATA;
- frame_size = AV_RL32(&buf[stream_ptr]);
+ frame_size = bytestream2_get_le32(&g2);
+ if (frame_size > buf_size)
+ frame_size = buf_size;
- stream_ptr += 6; /* skip the magic number */
- num_chunks = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 10; /* skip padding */
+ bytestream2_skip(&g2, 2); /* skip the magic number */
+ num_chunks = bytestream2_get_le16(&g2);
+ bytestream2_skip(&g2, 8); /* skip padding */
frame_size -= 16;
/* iterate through the chunks */
- while ((frame_size > 0) && (num_chunks > 0)) {
+ while ((frame_size >= 6) && (num_chunks > 0)) {
+ int stream_ptr_after_chunk;
- chunk_size = AV_RL32(&buf[stream_ptr]);
+ chunk_size = bytestream2_get_le32(&g2);
+ if (chunk_size > frame_size) {
+ av_log(avctx, AV_LOG_WARNING,
+ "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
+ chunk_size = frame_size;
+ }
- stream_ptr_after_chunk = stream_ptr + chunk_size;
++ stream_ptr_after_chunk = bytestream2_tell(&g2) - 4 + chunk_size;
+
- stream_ptr += 4;
- chunk_type = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ chunk_type = bytestream2_get_le16(&g2);
switch (chunk_type) {
case FLI_256_COLOR:
if (color_changes == 0)
color_changes = 256;
- if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + color_changes * 3 > stream_ptr_after_chunk)
+ break;
+
for (j = 0; j < color_changes; j++) {
unsigned int entry;
if ((unsigned)palette_ptr >= 256)
palette_ptr = 0;
- r = buf[stream_ptr++] << color_shift;
- g = buf[stream_ptr++] << color_shift;
- b = buf[stream_ptr++] << color_shift;
+ r = bytestream2_get_byte(&g2) << color_shift;
+ g = bytestream2_get_byte(&g2) << color_shift;
+ b = bytestream2_get_byte(&g2) << color_shift;
- entry = (r << 16) | (g << 8) | b;
+ entry = 0xFF << 24 | r << 16 | g << 8 | b;
+ if (color_shift == 2)
+ entry |= entry >> 6 & 0x30303;
if (s->palette[palette_ptr] != entry)
s->new_palette = 1;
s->palette[palette_ptr++] = entry;
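Review bot: `0xFF << 24` in the new `entry` assignment shifts a signed int constant into the sign bit, which is undefined behaviour in C; `0xFFU << 24` sets the same alpha byte without relying on the compiler. The next line, `entry |= entry >> 6 & 0x30303;`, is correct by precedence but is easier to audit as `entry |= (entry >> 6) & 0x30303;`. A short comment would help there, for example `/* color_shift == 2: copy each channel's top two bits into its zeroed low bits */`. The palette loop's closing lines fall outside the lines shown.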
case FLI_DELTA:
y_ptr = 0;
- compressed_lines = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
- if (stream_ptr + 2 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
+ break;
- line_packets = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ line_packets = bytestream2_get_le16(&g2);
if ((line_packets & 0xC000) == 0xC000) {
// line skip opcode
line_packets = -line_packets;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
- if (stream_ptr + 2 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
+ break;
/* account for the skip bytes */
- pixel_skip = buf[stream_ptr++];
+ pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run < 0) {
byte_run = -byte_run;
- palette_idx1 = buf[stream_ptr++];
- palette_idx2 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
+ palette_idx2 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run * 2);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
pixels[pixel_ptr++] = palette_idx1;
}
} else {
CHECK_PIXEL_PTR(byte_run * 2);
- if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + byte_run * 2 > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
- palette_idx1 = buf[stream_ptr++];
- pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
}
}
}
pixel_ptr = y_ptr;
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
- if (stream_ptr + 1 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk)
+ break;
- line_packets = buf[stream_ptr++];
+ line_packets = bytestream2_get_byte(&g2);
if (line_packets > 0) {
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
- if (stream_ptr + 2 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk)
+ break;
- pixel_skip = buf[stream_ptr++];
+ pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2),8);
if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run);
- if (stream_ptr + byte_run > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run; j++, pixel_countdown--) {
- palette_idx1 = buf[stream_ptr++];
- pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
}
} else if (byte_run < 0) {
byte_run = -byte_run;
pixel_ptr = y_ptr;
/* disregard the line packets; instead, iterate through all
* pixels on a row */
- stream_ptr++;
+ bytestream2_skip(&g2, 1);
pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) {
- if (stream_ptr + 1 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk)
+ break;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
pixels[pixel_ptr++] = palette_idx1;
} else { /* copy bytes if byte_run < 0 */
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
- if (stream_ptr + byte_run > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run; j++) {
- palette_idx1 = buf[stream_ptr++];
- pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = bytestream2_get_byte(&g2);
pixel_countdown--;
if (pixel_countdown < 0)
av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d) at line %d\n",
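Review bot: The guard at the top of the `for (i = 0; i < line_packets; i++)` loop now tests `bytestream2_tell(&g2) + 1`, where the removed line tested `+ 2`, yet the body still reads two bytes (`pixel_skip`, then `byte_run`) before the next check. With one byte left in the chunk, the run length is read from past the chunk boundary, so data belonging to the following chunk drives the copy. Unless the change is deliberate, keep the two-byte bound, `if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)`, as the FLI_DELTA packet loop earlier in this function does. The surrounding case body is only partly visible here.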
case FLI_COPY:
/* copy the chunk (uncompressed frame) */
- if (chunk_size - 6 > s->avctx->width * s->avctx->height) {
+ if (chunk_size - 6 != s->avctx->width * s->avctx->height) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
- "bigger than image, skipping chunk\n", chunk_size - 6);
+ "has incorrect size, skipping chunk\n", chunk_size - 6);
+ bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
y_ptr += s->frame.linesize[0]) {
break;
}
- stream_ptr = stream_ptr_after_chunk;
++ if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0)
++ bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+
frame_size -= chunk_size;
num_chunks--;
}
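Review bot: The sizes read from the stream are capped from above but not from below. After the clamp to `frame_size`, a stored `chunk_size` under 6 (the header bytes already consumed) leaves `stream_ptr_after_chunk` behind the read position and makes `chunk_size - 6` in the FLI_COPY branch wrap if the variable is unsigned, as the `%u` in the new warning suggests. `frame_size -= 16` has the same problem when the stored frame size is under 16. I would add `if (frame_size < 16) return AVERROR_INVALIDDATA;` before the subtraction and `if (chunk_size < 6) break;` right after the clamp. The 15/16-bit decoder further down repeats both patterns, shows no `buf_size < 16` check in the visible lines, and its loop still tests `frame_size > 0` rather than `>= 6`; the declarations are outside the lines shown, so the types are assumed.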
int pixel;
unsigned int pixel_limit;
- s->frame.reference = 1;
+ bytestream2_init(&g2, buf, buf_size);
+
+ s->frame.reference = 3;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
- frame_size = AV_RL32(&buf[stream_ptr]);
- stream_ptr += 6; /* skip the magic number */
- num_chunks = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 10; /* skip padding */
+ frame_size = bytestream2_get_le32(&g2);
+ bytestream2_skip(&g2, 2); /* skip the magic number */
+ num_chunks = bytestream2_get_le16(&g2);
+ bytestream2_skip(&g2, 8); /* skip padding */
+ if (frame_size > buf_size)
+ frame_size = buf_size;
frame_size -= 16;
/* iterate through the chunks */
while ((frame_size > 0) && (num_chunks > 0)) {
- chunk_size = AV_RL32(&buf[stream_ptr]);
+ int stream_ptr_after_chunk;
- stream_ptr_after_chunk = stream_ptr + chunk_size;
+ chunk_size = bytestream2_get_le32(&g2);
+ if (chunk_size > frame_size) {
+ av_log(avctx, AV_LOG_WARNING,
+ "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
+ chunk_size = frame_size;
+ }
- stream_ptr += 4;
- chunk_type = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
++ stream_ptr_after_chunk = bytestream2_tell(&g2) - 4 + chunk_size;
+
+ chunk_type = bytestream2_get_le16(&g2);
+
switch (chunk_type) {
case FLI_256_COLOR:
case FLI_COLOR:
case FLI_DELTA:
case FLI_DTA_LC:
y_ptr = 0;
- compressed_lines = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ compressed_lines = bytestream2_get_le16(&g2);
while (compressed_lines > 0) {
- if (stream_ptr + 2 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
+ break;
- line_packets = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ line_packets = bytestream2_get_le16(&g2);
if (line_packets < 0) {
line_packets = -line_packets;
y_ptr += line_packets * s->frame.linesize[0];
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
- if (stream_ptr + 2 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
+ break;
- pixel_skip = buf[stream_ptr++];
+ pixel_skip = bytestream2_get_byte(&g2);
pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */
pixel_countdown -= pixel_skip;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run < 0) {
byte_run = -byte_run;
- pixel = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ pixel = bytestream2_get_le16(&g2);
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
*((signed short*)(&pixels[pixel_ptr])) = pixel;
pixel_ptr += 2;
}
} else {
- if (stream_ptr + 2*byte_run > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 2*byte_run > stream_ptr_after_chunk)
+ break;
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) {
- *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
}
}
pixel_countdown = (s->avctx->width * 2);
while (pixel_countdown > 0) {
- if (stream_ptr + 1 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk)
+ break;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
pixels[pixel_ptr++] = palette_idx1;
}
} else { /* copy bytes if byte_run < 0 */
byte_run = -byte_run;
- if (stream_ptr + byte_run > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + byte_run > stream_ptr_after_chunk)
+ break;
CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++) {
- palette_idx1 = buf[stream_ptr++];
+ palette_idx1 = bytestream2_get_byte(&g2);
pixels[pixel_ptr++] = palette_idx1;
pixel_countdown--;
if (pixel_countdown < 0)
pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */
while (pixel_countdown > 0) {
- if (stream_ptr + 1 > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk)
+ break;
- byte_run = (signed char)(buf[stream_ptr++]);
+ byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
if (byte_run > 0) {
- pixel = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ pixel = bytestream2_get_le16(&g2);
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) {
*((signed short*)(&pixels[pixel_ptr])) = pixel;
}
} else { /* copy pixels if byte_run < 0 */
byte_run = -byte_run;
- if (stream_ptr + 2 * byte_run > stream_ptr_after_chunk)
++ if (bytestream2_tell(&g2) + 2 * byte_run > stream_ptr_after_chunk)
+ break;
CHECK_PIXEL_PTR(2 * byte_run);
for (j = 0; j < byte_run; j++) {
- *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
- stream_ptr += 2;
+ *((signed short*)(&pixels[pixel_ptr])) = bytestream2_get_le16(&g2);
pixel_ptr += 2;
pixel_countdown--;
if (pixel_countdown < 0)