diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-23 03:00:12 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-12-23 03:25:51 +0100 |
| commit | d1c28e35300130f0ee28a3e5bbeb2cea403fad57 (patch) | |
| tree | a18d0b0989962e2e2cab201fbf6128ae8332d8a4 /libavcodec/kmvc.c | |
| parent | 9f50dafe9025555f11e66e3b09cf3db2cd53cfb2 (diff) | |
| parent | 4e8d6218c3cb8b9feffb70f8a53859540b975b36 (diff) | |
| download | ffmpeg-d1c28e35300130f0ee28a3e5bbeb2cea403fad57.tar.gz | |
Merge remote-tracking branch 'qatar/master'
* qatar/master:
build: fix standalone compilation of OMA muxer
build: fix standalone compilation of Microsoft XMV demuxer
build: fix standalone compilation of Core Audio Format demuxer
kvmc: fix invalid reads
4xm: Add a check in decode_i_frame to prevent buffer overreads
adpcm: fix IMA SMJPEG decoding
options: set minimum for "threads" to zero
bsd: use number of logical CPUs as automatic thread count
windows: use number of CPUs as automatic thread count
linux: use number of CPUs as automatic thread count
pthreads: reset active_thread_type when slice thread_init returrns early
v410dec: include correct headers
Drop ALT_ prefix from BITSTREAM_READER_LE name.
lavfi: always build vsrc_buffer.
ra144enc: zero the reflection coeffs if the filter is unstable
sws: readd PAL8 to isPacked()
mov: Don't stick the QuickTime field ordering atom in extradata.
truespeech: fix invalid reads in truespeech_apply_twopoint_filter()
Conflicts:
configure
libavcodec/4xm.c
libavcodec/avcodec.h
libavfilter/Makefile
libavfilter/allfilters.c
libavformat/Makefile
libswscale/swscale_internal.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/kmvc.c')
| -rw-r--r-- | libavcodec/kmvc.c | 82 |
1 files changed, 66 insertions, 16 deletions
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 8663c9524a..19f9677649 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -57,17 +57,21 @@ typedef struct BitBuf { #define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++; -#define kmvc_getbit(bb, src, res) {\ +#define kmvc_getbit(bb, src, src_end, res) {\ res = 0; \ if (bb.bitbuf & (1 << bb.bits)) res = 1; \ bb.bits--; \ if(bb.bits == -1) { \ + if (src >= src_end) { \ + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \ + return AVERROR_INVALIDDATA; \ + } \ bb.bitbuf = *src++; \ bb.bits = 7; \ } \ } -static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h) +static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) { BitBuf bb; int res, val; @@ -75,13 +79,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int bx, by; int l0x, l1x, l0y, l1y; int mx, my; + const uint8_t *src_end = src + src_size; kmvc_init_getbits(bb, src); for (by = 0; by < h; by += 8) for (bx = 0; bx < w; bx += 8) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 8x8 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (i = 0; i < 64; i++) BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; @@ -89,14 +98,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (i = 0; i < 4; i++) { l0x = bx + (i & 1) * 4; l0y = by + (i & 2) * 2; - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 4x4 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; } else { // copy block from already decoded place + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = val & 0xF; my = val >> 4; @@ -108,16 +125,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (j = 0; j < 4; j++) { l1x = l0x + (j & 1) * 2; l1y = l0y + (j & 2); - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 2x2 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val; } else { // copy block from already decoded place + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = val & 0xF; my = val >> 4; @@ -140,9 +165,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, } } } + + return 0; } -static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h) +static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) { BitBuf bb; int res, val; @@ -150,15 +177,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int bx, by; int l0x, l1x, l0y, l1y; int mx, my; + const uint8_t *src_end = src + src_size; kmvc_init_getbits(bb, src); for (by = 0; by < h; by += 8) for (bx = 0; bx < w; bx += 8) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 8x8 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (i = 0; i < 64; i++) BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; @@ -171,14 +203,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (i = 0; i < 4; i++) { l0x = bx + (i & 1) * 4; l0y = by + (i & 2) * 2; - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 4x4 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; } else { // copy block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = (val & 0xF) - 8; my = (val >> 4) - 8; @@ -190,16 +230,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (j = 0; j < 4; j++) { l1x = l0x + (j & 1) * 2; l1y = l0y + (j & 2); - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 2x2 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val; } else { // copy block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = (val & 0xF) - 8; my = (val >> 4) - 8; @@ -222,6 +270,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, } } } + + return 0; } static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) @@ -299,10 +349,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa memcpy(ctx->cur, ctx->prev, 320 * 200); break; case 3: - kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height); + kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height); break; case 4: - kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height); + kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height); break; default: av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD); |