diff options
| author | Martin Storsjö <martin@martin.st> | 2013-09-29 00:53:58 +0300 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2014-01-07 09:43:57 +0100 |
| commit | 993977032a0adb47eb70e7fef6ce0d5370027e83 (patch) | |
| tree | a54e9ccea32ccb4070731bcee85e85c1d6877742 | |
| parent | 5a40e4c64d909006b401419f9ab9cc96ce0b7337 (diff) | |
| download | ffmpeg-993977032a0adb47eb70e7fef6ce0d5370027e83.tar.gz | |
xan: Use bytestream2 to limit reading to within the buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 145de32896b37a508f11bcf11dfcc94487301716)
| -rw-r--r-- | libavcodec/xan.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 4c4721ada2..3078e0a977 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -283,8 +283,8 @@ static int xan_wc3_decode_frame(XanContext *s) { /* pointers to segments inside the compressed chunk */ const unsigned char *huffman_segment; - const unsigned char *size_segment; - const unsigned char *vector_segment; + GetByteContext size_segment; + GetByteContext vector_segment; const unsigned char *imagedata_segment; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; @@ -304,8 +304,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; huffman_segment = s->buf + huffman_offset; - size_segment = s->buf + size_offset; - vector_segment = s->buf + vector_offset; + bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset); + bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, @@ -357,19 +357,17 @@ static int xan_wc3_decode_frame(XanContext *s) { case 9: case 19: - size = *size_segment++; + size = bytestream2_get_byte(&size_segment); break; case 10: case 20: - size = AV_RB16(&size_segment[0]); - size_segment += 2; + size = bytestream2_get_be16(&size_segment); break; case 11: case 21: - size = AV_RB24(size_segment); - size_segment += 3; + size = bytestream2_get_be24(&size_segment); break; } @@ -391,9 +389,9 @@ static int xan_wc3_decode_frame(XanContext *s) { } } else { /* run-based motion compensation from last frame */ - motion_x = sign_extend(*vector_segment >> 4, 4); - motion_y = sign_extend(*vector_segment & 0xF, 4); - vector_segment++; + uint8_t vector = bytestream2_get_byte(&vector_segment); + motion_x = sign_extend(vector >> 4, 4); + motion_y = sign_extend(vector & 0xF, 4); /* copy a run of pixels from the previous frame */ xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y); |