Merge branch 'release/0.8' into release/0.7

* release/0.8: (154 commits) vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling Check for huffman tree building error in vp6 decoder. Release old pictures after a resolution change in vp5/6 decoder Check for missing reference in vp5/6 decoder. Check for invalid slices offsets in RV30/40 decoder. Check output buffer size in nellymoser decoder. Hack around gcc 4.6 breaking asm using call. Fix dxva2 decoding for some H264 samples. mp3demux: pass on error code on packet read. Check for invalid slice offsets in real decoder. rmdec: Reject invalid deinterleaving parameters Use deinterleavers for demangling audio packets in RealMedia. rv10: Reject slices that does not have the same type as the first one rmdec: use the deinterleaving mode and not the codec when creating audio packets. MAINTAINERS: add my GPG fingerprint. (cherry picked from commit 7882dc10f871bf25a848fe62a152f63814f9c7d1) Support 3IVD in isom, produced by 3ivx DivX Doctor. mpegpsdec: fix reading first mpegps packet (cherry picked from commit b2f230e23dd61112ac090b0c059d87b5f6bcb307) Avoid NULL dereference on corrupted bitstream with real decoder. Reject slices that does not have the same type than the first one in RV10/RV20 decoder. check all svq3_get_ue_golomb() returns. ... Conflicts: Doxyfile RELEASE VERSION libavcodec/rv34.c libavformat/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2011-09-22 01:41:55 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2011-09-22 01:48:45 +0200
commit: a99a35c8ea633a252d3a52a21691478f1f8c1763 (patch)
tree: e38f9dd8ff73ba17809e7475c08e41ffb5e99f78 /libavcodec/xan.c
parent: a582b028a416a29e60b4748b2ae4221ada11c2b8 (diff)
parent: 056e9efc8e06faed3516b610d8a74484f24ac07f (diff)
download: ffmpeg-a99a35c8ea633a252d3a52a21691478f1f8c1763.tar.gz
1 files changed, 33 insertions, 11 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index f5d1812aec..357593bf2d 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -97,17 +97,21 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static int xan_huffman_decode(unsigned char *dest, const unsigned char *src,
-    int dest_len)
+static int xan_huffman_decode(unsigned char *dest, int dest_len,
+                              const unsigned char *src, int src_len)
 {
     unsigned char byte = *src++;
     unsigned char ival = byte + 0x16;
     const unsigned char * ptr = src + byte*2;
+    int ptr_len = src_len - 1 - byte*2;
     unsigned char val = ival;
     unsigned char *dest_end = dest + dest_len;
     GetBitContext gb;
 
-    init_get_bits(&gb, ptr, 0); // FIXME: no src size available
+    if (ptr_len < 0)
+        return AVERROR_INVALIDDATA;
+
+    init_get_bits(&gb, ptr, ptr_len * 8);
 
     while ( val != 0x16 ) {
         val = src[val - 0x17 + get_bits1(&gb) * byte];
@@ -246,7 +250,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s,
     }
 }
 
-static void xan_wc3_decode_frame(XanContext *s) {
+static int xan_wc3_decode_frame(XanContext *s) {
 
     int width = s->avctx->width;
     int height = s->avctx->height;
@@ -266,13 +270,30 @@ static void xan_wc3_decode_frame(XanContext *s) {
     const unsigned char *size_segment;
     const unsigned char *vector_segment;
     const unsigned char *imagedata_segment;
+    int huffman_offset, size_offset, vector_offset, imagedata_offset;
+
+    if (s->size < 8)
+        return AVERROR_INVALIDDATA;
+
+    huffman_offset    = AV_RL16(&s->buf[0]);
+    size_offset       = AV_RL16(&s->buf[2]);
+    vector_offset     = AV_RL16(&s->buf[4]);
+    imagedata_offset  = AV_RL16(&s->buf[6]);
 
-    huffman_segment =   s->buf + AV_RL16(&s->buf[0]);
-    size_segment =      s->buf + AV_RL16(&s->buf[2]);
-    vector_segment =    s->buf + AV_RL16(&s->buf[4]);
-    imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
+    if (huffman_offset   >= s->size ||
+        size_offset      >= s->size ||
+        vector_offset    >= s->size ||
+        imagedata_offset >= s->size)
+        return AVERROR_INVALIDDATA;
 
-    xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size);
+    huffman_segment   = s->buf + huffman_offset;
+    size_segment      = s->buf + size_offset;
+    vector_segment    = s->buf + vector_offset;
+    imagedata_segment = s->buf + imagedata_offset;
+
+    if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+                           huffman_segment, s->size - huffman_offset) < 0)
+        return AVERROR_INVALIDDATA;
 
     if (imagedata_segment[0] == 2)
         xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);
@@ -358,6 +379,7 @@ static void xan_wc3_decode_frame(XanContext *s) {
         y += (x + size) / width;
         x  = (x + size) % width;
     }
+    return 0;
 }
 
 #if RUNTIME_GAMMA
@@ -519,7 +541,8 @@ static int xan_decode_frame(AVCodecContext *avctx,
     s->buf = buf;
     s->size = buf_size;
 
-    xan_wc3_decode_frame(s);
+    if (xan_wc3_decode_frame(s) < 0)
+        return AVERROR_INVALIDDATA;
 
     /* release the last frame if it is allocated */
     if (s->last_frame.data[0])
@@ -564,4 +587,3 @@ AVCodec ff_xan_wc3_decoder = {
     CODEC_CAP_DR1,
     .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III / Xan"),
 };
-
author	Michael Niedermayer <michaelni@gmx.at>	2011-09-22 01:41:55 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2011-09-22 01:48:45 +0200
commit	a99a35c8ea633a252d3a52a21691478f1f8c1763 (patch)
tree	e38f9dd8ff73ba17809e7475c08e41ffb5e99f78 /libavcodec/xan.c
parent	a582b028a416a29e60b4748b2ae4221ada11c2b8 (diff)
parent	056e9efc8e06faed3516b610d8a74484f24ac07f (diff)
download	ffmpeg-a99a35c8ea633a252d3a52a21691478f1f8c1763.tar.gz