aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/vqavideo.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-05-02 22:49:14 +0200
committerMichael Niedermayer <michaelni@gmx.at>2012-05-03 00:20:54 +0200
commit15e9aee544f0ff2b556cff1fa87e4c348b861991 (patch)
tree58078a2dfb33ae858a57d4aeac0964bfd4f847a5 /libavcodec/vqavideo.c
parent265a628f162168f188f9756a06727a4ec41a183d (diff)
parente8050f313e7e3e1893155f878475872c4cc3a6e7 (diff)
downloadffmpeg-15e9aee544f0ff2b556cff1fa87e4c348b861991.tar.gz
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10
* qatar/release/0.8: (24 commits) apedec: check bits <= 32. truemotion: forbid invalid VLC bitsizes and token values. mov: don't overwrite existing indexes. truemotion2: handle out-of-frame motion vectors through edge extension. lzw: prevent buffer overreads. truemotion2: convert packet header reading to bytestream2. lagarith: fix buffer overreads. raw: forward avpicture_fill() error code in raw_decode(). vc1: Do not read from array if index is invalid. utvideo: port header reading to bytestream2. bytestream: add more unchecked variants for bytestream2 API bytestream: K&R formatting cosmetics bytestream: Add bytestream2 writing API. aac: Reset PS parameters on header decode failure. mov: Do not read past the end of the ctts_data table. xwma: Validate channels and bits_per_coded_sample. asf: reset side data elements on packet copy. vqa: check palette chunk size before reading data. vqavideo: port to bytestream2 API wmavoice: fix stack overread. ... Conflicts: cmdutils.c cmdutils.h libavcodec/lagarith.c libavcodec/truemotion2.c libavcodec/vqavideo.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/vqavideo.c')
-rw-r--r--libavcodec/vqavideo.c203
1 files changed, 100 insertions, 103 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index ae99c6d9c1..08d419dd73 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -70,10 +70,10 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/imgutils.h"
#include "avcodec.h"
+#include "bytestream.h"
#define PALETTE_COUNT 256
#define VQA_HEADER_SIZE 0x2A
-#define CHUNK_PREAMBLE_SIZE 8
/* allocate the maximum vector space, regardless of the file version:
* (0xFF00 codebook vectors + 0x100 solid pixel vectors) * (4x4 pixels/block) */
@@ -94,9 +94,7 @@ typedef struct VqaContext {
AVCodecContext *avctx;
AVFrame frame;
-
- const unsigned char *buf;
- int size;
+ GetByteContext gb;
uint32_t palette[PALETTE_COUNT];
@@ -123,7 +121,6 @@ typedef struct VqaContext {
static av_cold int vqa_decode_init(AVCodecContext *avctx)
{
VqaContext *s = avctx->priv_data;
- unsigned char *vqa_header;
int i, j, codebook_index;
s->avctx = avctx;
@@ -136,21 +133,20 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
}
/* load up the VQA parameters from the header */
- vqa_header = (unsigned char *)s->avctx->extradata;
- s->vqa_version = vqa_header[0];
+ s->vqa_version = s->avctx->extradata[0];
if (s->vqa_version < 1 || s->vqa_version > 3) {
av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version);
return -1;
}
- s->width = AV_RL16(&vqa_header[6]);
- s->height = AV_RL16(&vqa_header[8]);
+ s->width = AV_RL16(&s->avctx->extradata[6]);
+ s->height = AV_RL16(&s->avctx->extradata[8]);
if(av_image_check_size(s->width, s->height, 0, avctx)){
s->width= s->height= 0;
return -1;
}
- s->vector_width = vqa_header[10];
- s->vector_height = vqa_header[11];
- s->partial_count = s->partial_countdown = vqa_header[13];
+ s->vector_width = s->avctx->extradata[10];
+ s->vector_height = s->avctx->extradata[11];
+ s->partial_count = s->partial_countdown = s->avctx->extradata[13];
/* the vector dimensions have to meet very stringent requirements */
if ((s->vector_width != 4) ||
@@ -194,90 +190,88 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: next op would overflow dest_index\n"); \
av_log(NULL, AV_LOG_ERROR, " VQA video: current dest_index = %d, count = %d, dest_size = %d\n", \
dest_index, count, dest_size); \
- return; \
+ return AVERROR_INVALIDDATA; \
+ }
+
+#define CHECK_COPY(idx) \
+ if (idx < 0 || idx + count > dest_size) { \
+ av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: next op would overflow dest_index\n"); \
+ av_log(NULL, AV_LOG_ERROR, " VQA video: current src_pos = %d, count = %d, dest_size = %d\n", \
+ src_pos, count, dest_size); \
+ return AVERROR_INVALIDDATA; \
}
-static void decode_format80(const unsigned char *src, int src_size,
+
+static int decode_format80(GetByteContext *gb, int src_size,
unsigned char *dest, int dest_size, int check_size) {
- int src_index = 0;
int dest_index = 0;
- int count;
+ int count, opcode, start;
int src_pos;
unsigned char color;
int i;
- while (src_index < src_size) {
-
- av_dlog(NULL, " opcode %02X: ", src[src_index]);
+ start = bytestream2_tell(gb);
+ while (bytestream2_tell(gb) - start < src_size) {
+ opcode = bytestream2_get_byte(gb);
+ av_dlog(NULL, " opcode %02X: ", opcode);
/* 0x80 means that frame is finished */
- if (src[src_index] == 0x80)
- return;
+ if (opcode == 0x80)
+ return 0;
if (dest_index >= dest_size) {
av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: dest_index (%d) exceeded dest_size (%d)\n",
dest_index, dest_size);
- return;
+ return AVERROR_INVALIDDATA;
}
- if (src[src_index] == 0xFF) {
+ if (opcode == 0xFF) {
- src_index++;
- count = AV_RL16(&src[src_index]);
- src_index += 2;
- src_pos = AV_RL16(&src[src_index]);
- src_index += 2;
+ count = bytestream2_get_le16(gb);
+ src_pos = bytestream2_get_le16(gb);
av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
- if (src_pos + count > dest_size)
- return;
+ CHECK_COPY(src_pos);
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
- } else if (src[src_index] == 0xFE) {
+ } else if (opcode == 0xFE) {
- src_index++;
- count = AV_RL16(&src[src_index]);
- src_index += 2;
- color = src[src_index++];
+ count = bytestream2_get_le16(gb);
+ color = bytestream2_get_byte(gb);
av_dlog(NULL, "(2) set %X bytes to %02X\n", count, color);
CHECK_COUNT();
memset(&dest[dest_index], color, count);
dest_index += count;
- } else if ((src[src_index] & 0xC0) == 0xC0) {
+ } else if ((opcode & 0xC0) == 0xC0) {
- count = (src[src_index++] & 0x3F) + 3;
- src_pos = AV_RL16(&src[src_index]);
- src_index += 2;
+ count = (opcode & 0x3F) + 3;
+ src_pos = bytestream2_get_le16(gb);
av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
- if (src_pos + count > dest_size)
- return;
+ CHECK_COPY(src_pos);
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
- } else if (src[src_index] > 0x80) {
+ } else if (opcode > 0x80) {
- count = src[src_index++] & 0x3F;
+ count = opcode & 0x3F;
av_dlog(NULL, "(4) copy %X bytes from source to dest\n", count);
CHECK_COUNT();
- memcpy(&dest[dest_index], &src[src_index], count);
- src_index += count;
+ bytestream2_get_buffer(gb, &dest[dest_index], count);
dest_index += count;
} else {
- count = ((src[src_index] & 0x70) >> 4) + 3;
- src_pos = AV_RB16(&src[src_index]) & 0x0FFF;
- src_index += 2;
+ count = ((opcode & 0x70) >> 4) + 3;
+ src_pos = bytestream2_get_byte(gb) | ((opcode & 0x0F) << 8);
av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
CHECK_COUNT();
- if (dest_index < src_pos)
- return;
+ CHECK_COPY(dest_index - src_pos);
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[dest_index - src_pos + i];
dest_index += count;
@@ -292,9 +286,11 @@ static void decode_format80(const unsigned char *src, int src_size,
if (dest_index < dest_size)
av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: decode finished with dest_index (%d) < dest_size (%d)\n",
dest_index, dest_size);
+
+ return 0; // let's display what we decoded anyway
}
-static void vqa_decode_chunk(VqaContext *s)
+static int vqa_decode_chunk(VqaContext *s)
{
unsigned int chunk_type;
unsigned int chunk_size;
@@ -303,6 +299,7 @@ static void vqa_decode_chunk(VqaContext *s)
int i;
unsigned char r, g, b;
int index_shift;
+ int res;
int cbf0_chunk = -1;
int cbfz_chunk = -1;
@@ -322,17 +319,11 @@ static void vqa_decode_chunk(VqaContext *s)
int hibytes = s->decode_buffer_size / 2;
/* first, traverse through the frame and find the subchunks */
- while (index + CHUNK_PREAMBLE_SIZE <= s->size) {
- unsigned next_index;
+ while (bytestream2_get_bytes_left(&s->gb) >= 8) {
- chunk_type = AV_RB32(&s->buf[index]);
- chunk_size = AV_RB32(&s->buf[index + 4]);
- byte_skip = chunk_size & 0x01;
- next_index = index + CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip;
- if (next_index > s->size) {
- av_log(s->avctx, AV_LOG_ERROR, "Dropping incomplete chunk\n");
- break;
- }
+ chunk_type = bytestream2_get_be32u(&s->gb);
+ index = bytestream2_tell(&s->gb);
+ chunk_size = bytestream2_get_be32u(&s->gb);
switch (chunk_type) {
@@ -373,7 +364,9 @@ static void vqa_decode_chunk(VqaContext *s)
chunk_type);
break;
}
- index = next_index;
+
+ byte_skip = chunk_size & 0x01;
+ bytestream2_skip(&s->gb, chunk_size + byte_skip);
}
/* next, deal with the palette */
@@ -381,7 +374,7 @@ static void vqa_decode_chunk(VqaContext *s)
/* a chunk should not have both chunk types */
av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found both CPL0 and CPLZ chunks\n");
- return;
+ return AVERROR_INVALIDDATA;
}
/* decompress the palette chunk */
@@ -394,19 +387,19 @@ static void vqa_decode_chunk(VqaContext *s)
/* convert the RGB palette into the machine's endian format */
if (cpl0_chunk != -1) {
- chunk_size = AV_RB32(&s->buf[cpl0_chunk + 4]);
+ bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET);
+ chunk_size = bytestream2_get_be32(&s->gb);
/* sanity check the palette size */
- if (chunk_size / 3 > 256) {
+ if (chunk_size / 3 > 256 || chunk_size > bytestream2_get_bytes_left(&s->gb)) {
av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found a palette chunk with %d colors\n",
chunk_size / 3);
- return;
+ return AVERROR_INVALIDDATA;
}
- cpl0_chunk += CHUNK_PREAMBLE_SIZE;
for (i = 0; i < chunk_size / 3; i++) {
/* scale by 4 to transform 6-bit palette -> 8-bit */
- r = s->buf[cpl0_chunk++] * 4;
- g = s->buf[cpl0_chunk++] * 4;
- b = s->buf[cpl0_chunk++] * 4;
+ r = bytestream2_get_byteu(&s->gb) * 4;
+ g = bytestream2_get_byteu(&s->gb) * 4;
+ b = bytestream2_get_byteu(&s->gb) * 4;
s->palette[i] = 0xFF << 24 | r << 16 | g << 8 | b;
s->palette[i] |= s->palette[i] >> 6 & 0x30303;
}
@@ -417,31 +410,32 @@ static void vqa_decode_chunk(VqaContext *s)
/* a chunk should not have both chunk types */
av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found both CBF0 and CBFZ chunks\n");
- return;
+ return AVERROR_INVALIDDATA;
}
/* decompress the full codebook chunk */
if (cbfz_chunk != -1) {
- chunk_size = AV_RB32(&s->buf[cbfz_chunk + 4]);
- cbfz_chunk += CHUNK_PREAMBLE_SIZE;
- decode_format80(&s->buf[cbfz_chunk], chunk_size,
- s->codebook, s->codebook_size, 0);
+ bytestream2_seek(&s->gb, cbfz_chunk, SEEK_SET);
+ chunk_size = bytestream2_get_be32(&s->gb);
+ if ((res = decode_format80(&s->gb, chunk_size, s->codebook,
+ s->codebook_size, 0)) < 0)
+ return res;
}
/* copy a full codebook */
if (cbf0_chunk != -1) {
- chunk_size = AV_RB32(&s->buf[cbf0_chunk + 4]);
+ bytestream2_seek(&s->gb, cbf0_chunk, SEEK_SET);
+ chunk_size = bytestream2_get_be32(&s->gb);
/* sanity check the full codebook size */
if (chunk_size > MAX_CODEBOOK_SIZE) {
av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: CBF0 chunk too large (0x%X bytes)\n",
chunk_size);
- return;
+ return AVERROR_INVALIDDATA;
}
- cbf0_chunk += CHUNK_PREAMBLE_SIZE;
- memcpy(s->codebook, &s->buf[cbf0_chunk], chunk_size);
+ bytestream2_get_buffer(&s->gb, s->codebook, chunk_size);
}
/* decode the frame */
@@ -449,13 +443,14 @@ static void vqa_decode_chunk(VqaContext *s)
/* something is wrong if there is no VPTZ chunk */
av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: no VPTZ chunk found\n");
- return;
+ return AVERROR_INVALIDDATA;
}
- chunk_size = AV_RB32(&s->buf[vptz_chunk + 4]);
- vptz_chunk += CHUNK_PREAMBLE_SIZE;
- decode_format80(&s->buf[vptz_chunk], chunk_size,
- s->decode_buffer, s->decode_buffer_size, 1);
+ bytestream2_seek(&s->gb, vptz_chunk, SEEK_SET);
+ chunk_size = bytestream2_get_be32(&s->gb);
+ if ((res = decode_format80(&s->gb, chunk_size,
+ s->decode_buffer, s->decode_buffer_size, 1)) < 0)
+ return res;
/* render the final PAL8 frame */
if (s->vector_height == 4)
@@ -519,17 +514,17 @@ static void vqa_decode_chunk(VqaContext *s)
if ((cbp0_chunk != -1) && (cbpz_chunk != -1)) {
/* a chunk should not have both chunk types */
av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found both CBP0 and CBPZ chunks\n");
- return;
+ return AVERROR_INVALIDDATA;
}
if (cbp0_chunk != -1) {
- chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]);
- cbp0_chunk += CHUNK_PREAMBLE_SIZE;
+ bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
+ chunk_size = bytestream2_get_be32(&s->gb);
/* accumulate partial codebook */
- memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
- &s->buf[cbp0_chunk], chunk_size);
+ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
+ chunk_size);
s->next_codebook_buffer_index += chunk_size;
s->partial_countdown--;
@@ -547,39 +542,39 @@ static void vqa_decode_chunk(VqaContext *s)
if (cbpz_chunk != -1) {
- chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]);
- cbpz_chunk += CHUNK_PREAMBLE_SIZE;
+ bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
+ chunk_size = bytestream2_get_be32(&s->gb);
/* accumulate partial codebook */
- memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
- &s->buf[cbpz_chunk], chunk_size);
+ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
+ chunk_size);
s->next_codebook_buffer_index += chunk_size;
s->partial_countdown--;
if (s->partial_countdown == 0) {
+ GetByteContext gb;
+ bytestream2_init(&gb, s->next_codebook_buffer, s->next_codebook_buffer_index);
/* decompress codebook */
- decode_format80(s->next_codebook_buffer,
- s->next_codebook_buffer_index,
- s->codebook, s->codebook_size, 0);
+ if ((res = decode_format80(&gb, s->next_codebook_buffer_index,
+ s->codebook, s->codebook_size, 0)) < 0)
+ return res;
/* reset accounting */
s->next_codebook_buffer_index = 0;
s->partial_countdown = s->partial_count;
}
}
+
+ return 0;
}
static int vqa_decode_frame(AVCodecContext *avctx,
void *data, int *data_size,
AVPacket *avpkt)
{
- const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
VqaContext *s = avctx->priv_data;
-
- s->buf = buf;
- s->size = buf_size;
+ int res;
if (s->frame.data[0])
avctx->release_buffer(avctx, &s->frame);
@@ -589,7 +584,9 @@ static int vqa_decode_frame(AVCodecContext *avctx,
return -1;
}
- vqa_decode_chunk(s);
+ bytestream2_init(&s->gb, avpkt->data, avpkt->size);
+ if ((res = vqa_decode_chunk(s)) < 0)
+ return res;
/* make the palette available on the way out */
memcpy(s->frame.data[1], s->palette, PALETTE_COUNT * 4);
@@ -599,7 +596,7 @@ static int vqa_decode_frame(AVCodecContext *avctx,
*(AVFrame*)data = s->frame;
/* report that the buffer was completely consumed */
- return buf_size;
+ return avpkt->size;
}
static av_cold int vqa_decode_end(AVCodecContext *avctx)
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-08 00:29:32 +0000