From 1443ea93d935784370f41d85e224718484b0e32c Mon Sep 17 00:00:00 2001
From: Aneesh Dogra <lionaneesh@gmail.com>
Date: Tue, 20 Dec 2011 03:54:50 +0530
Subject: [PATCH] 4xm: Use bytestream2 functions to prevent overreads

Fixes Bug 110.

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
---
 libavcodec/4xm.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 0ae10d5905..ba8bb4a652 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -132,8 +132,8 @@ typedef struct FourXContext{
     AVFrame current_picture, last_picture;
     GetBitContext pre_gb;          ///< ac/dc prefix
     GetBitContext gb;
-    const uint8_t *bytestream;
-    const uint16_t *wordstream;
+    GetByteContext g;
+    GetByteContext g2;
     int mv[256];
     VLC pre_vlc;
     int last_dc;
@@ -328,7 +328,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
     assert(code>=0 && code<=6);
 
     if(code == 0){
-        src += f->mv[ *f->bytestream++ ];
+        src += f->mv[bytestream2_get_byte(&f->g)];
         if(start > src || src > end){
             av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
             return;
@@ -345,21 +345,21 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
     }else if(code == 3 && f->version<2){
         mcdc(dst, src, log2w, h, stride, 1, 0);
     }else if(code == 4){
-        src += f->mv[ *f->bytestream++ ];
+        src += f->mv[bytestream2_get_byte(&f->g)];
         if(start > src || src > end){
             av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
             return;
         }
-        mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++));
+        mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
     }else if(code == 5){
-        mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++));
+        mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
     }else if(code == 6){
         if(log2w){
-            dst[0] = av_le2ne16(*f->wordstream++);
-            dst[1] = av_le2ne16(*f->wordstream++);
+            dst[0] = bytestream2_get_le16(&f->g2);
+            dst[1] = bytestream2_get_le16(&f->g2);
         }else{
-            dst[0     ] = av_le2ne16(*f->wordstream++);
-            dst[stride] = av_le2ne16(*f->wordstream++);
+            dst[0     ] = bytestream2_get_le16(&f->g2);
+            dst[stride] = bytestream2_get_le16(&f->g2);
         }
     }
 }
@@ -371,7 +371,7 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
     uint16_t *src= (uint16_t*)f->last_picture.data[0];
     uint16_t *dst= (uint16_t*)f->current_picture.data[0];
     const int stride= f->current_picture.linesize[0]>>1;
-    unsigned int bitstream_size, bytestream_size, wordstream_size, extra;
+    unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
 
     if(f->version>1){
         extra=20;
@@ -402,8 +402,10 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
     memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
     init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);
 
-    f->wordstream= (const uint16_t*)(buf + extra + bitstream_size);
-    f->bytestream= buf + extra + bitstream_size + wordstream_size;
+    wordstream_offset = extra + bitstream_size;
+    bytestream_offset = extra + bitstream_size + wordstream_size;
+    bytestream2_init(&f->g2, buf + wordstream_offset, length - wordstream_offset);
+    bytestream2_init(&f->g,  buf + bytestream_offset, length - bytestream_offset);
 
     init_mv(f);