diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-25 01:24:17 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-12-25 01:24:40 +0100 |
| commit | 57eb787ed3fabe4eb996aa2aad3fd4b10fa5c878 (patch) | |
| tree | 83fbdf6483bb7cb3da8fc9759af3318c60b259c6 /libavcodec/xan.c | |
| parent | 603a282f8ff1a84677fc0279b6d83e4a23729675 (diff) | |
| parent | dbe7e209df03c18eabdc29f87b73bbc4e3430d20 (diff) | |
| download | ffmpeg-57eb787ed3fabe4eb996aa2aad3fd4b10fa5c878.tar.gz | |
Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6: (58 commits)
Bump version number for 0.6.4 release.
qdm2: check output buffer size before decoding
Fix qdm2 decoder packet handling to match the api
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
vp6: Fix illegal read.
vp6: Fix illegal read.
vp6: Reset the internal state when aborting key frames header parsing
vp6: Check for huffman tree build errors
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
vmd: fix segfaults on corruped streams
rv34: Check for invalid slice offsets
rv34: Fix potential overreads
rv34: Avoid NULL dereference on corrupted bitstream
rv10: Reject slices that does not have the same type as the first one
...
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/xan.c')
| -rw-r--r-- | libavcodec/xan.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 3f6aa8cee5..9f20b7f280 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -88,17 +88,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_huffman_decode(unsigned char *dest, const unsigned char *src, - int dest_len) +static int xan_huffman_decode(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char byte = *src++; unsigned char ival = byte + 0x16; const unsigned char * ptr = src + byte*2; + int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; GetBitContext gb; - init_get_bits(&gb, ptr, 0); // FIXME: no src size available + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { val = src[val - 0x17 + get_bits1(&gb) * byte]; @@ -263,7 +264,8 @@ static void xan_wc3_decode_frame(XanContext *s) { vector_segment = s->buf + AV_RL16(&s->buf[4]); imagedata_segment = s->buf + AV_RL16(&s->buf[6]); - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size); + xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - (huffman_segment - s->buf) ); if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); |