diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-30 06:03:30 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-30 06:05:39 +0200 |
commit | 2b7c0c9fe10c2c702a3f2741d0f29b284f78d1ea (patch) | |
tree | ea8b7dfd1302e2288ab05a6297aa22058c7ee954 /libavcodec/truemotion2.c | |
parent | d3d5e84f33496f7c6ed704d53998db97a69f02e8 (diff) | |
parent | a05c41acd1e2dc0b7f6d82fa5ecbf7b8b5514ebc (diff) | |
download | ffmpeg-2b7c0c9fe10c2c702a3f2741d0f29b284f78d1ea.tar.gz |
Merge remote-tracking branch 'qatar/master'
* qatar/master:
mp3dec: perform I/S and M/S only when frame mode is joint stereo.
id3v2: add another mimetype for JPEG image
lzw: prevent buffer overreads.
WMAL: Remove inaccurate and unnecessary doxy
h264: fix cabac-on-stack after safe cabac reader.
truemotion2: convert packet header reading to bytestream2.
Conflicts:
libavcodec/lzw.c
libavcodec/truemotion2.c
libavformat/id3v2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/truemotion2.c')
-rw-r--r-- | libavcodec/truemotion2.c | 54 |
1 files changed, 31 insertions, 23 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 28c712a0e4..38c01c100d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -25,6 +25,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #include "get_bits.h" #include "dsputil.h" @@ -251,18 +252,19 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) { static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size) { int i; - int cur = 0; int skip = 0; - int len, toks; + int len, toks, pos; TM2Codes codes; + GetByteContext gb; if (buf_size < 4) { av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n"); - return -1; + return AVERROR_INVALIDDATA; } /* get stream length in dwords */ - len = AV_RB32(buf); buf += 4; cur += 4; + bytestream2_init(&gb, buf, buf_size); + len = bytestream2_get_be32(&gb); skip = len * 4 + 4; if(len == 0) @@ -273,36 +275,37 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i return -1; } - toks = AV_RB32(buf); buf += 4; cur += 4; + toks = bytestream2_get_be32(&gb); if(toks & 1) { - len = AV_RB32(buf); buf += 4; cur += 4; + len = bytestream2_get_be32(&gb); if(len == TM2_ESCAPE) { - len = AV_RB32(buf); buf += 4; cur += 4; + len = bytestream2_get_be32(&gb); } if(len > 0) { - if (skip <= cur) + pos = bytestream2_tell(&gb); + if (skip <= pos) return -1; - init_get_bits(&ctx->gb, buf, (skip - cur) * 8); + init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); if(tm2_read_deltas(ctx, stream_id) == -1) return -1; - buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; - cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; + bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2); } } /* skip unused fields */ - if(AV_RB32(buf) == TM2_ESCAPE) { - buf += 4; cur += 4; /* some unknown length - could be escaped too */ + len = bytestream2_get_be32(&gb); + if(len == TM2_ESCAPE) { /* some unknown length - could be escaped too */ + bytestream2_skip(&gb, 8); /* unused by decoder */ + } else { + bytestream2_skip(&gb, 4); /* unused by decoder */ } - buf += 4; cur += 4; - buf += 4; cur += 4; /* unused by decoder */ - if (skip <= cur) + pos = bytestream2_tell(&gb); + if (skip <= pos) return -1; - init_get_bits(&ctx->gb, buf, (skip - cur) * 8); + init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); if(tm2_build_huff_table(ctx, &codes) == -1) return -1; - buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; - cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; + bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2); toks >>= 1; /* check if we have sane number of tokens */ @@ -313,11 +316,12 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i } ctx->tokens[stream_id] = av_realloc(ctx->tokens[stream_id], toks * sizeof(int)); ctx->tok_lens[stream_id] = toks; - len = AV_RB32(buf); buf += 4; cur += 4; + len = bytestream2_get_be32(&gb); if(len > 0) { - if (skip <= cur) + pos = bytestream2_tell(&gb); + if (skip <= pos) return -1; - init_get_bits(&ctx->gb, buf, (skip - cur) * 8); + init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); for(i = 0; i < toks; i++) { if (get_bits_left(&ctx->gb) <= 0) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks); @@ -780,7 +784,7 @@ static int decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + int buf_size = avpkt->size & ~3; TM2Context * const l = avctx->priv_data; AVFrame * const p = &l->pic; int i, skip, t; @@ -805,6 +809,10 @@ static int decode_frame(AVCodecContext *avctx, } for(i = 0; i < TM2_NUM_STREAMS; i++){ + if (skip >= buf_size) { + av_log(avctx, AV_LOG_ERROR, "no space for tm2_read_stream\n"); + return AVERROR_INVALIDDATA; + } t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip); if(t == -1){ return -1; |