diff options
Diffstat (limited to 'libavcodec/truemotion2.c')
-rw-r--r-- | libavcodec/truemotion2.c | 55 |
1 files changed, 36 insertions, 19 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f17415b34c..5d7a3a443a 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -2,20 +2,20 @@ * Duck/ON2 TrueMotion 2 Decoder * Copyright (c) 2005 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -45,6 +45,9 @@ typedef struct TM2Context{ GetBitContext gb; DSPContext dsp; + uint8_t *buffer; + int buffer_size; + /* TM2 streams */ int *tokens[TM2_NUM_STREAMS]; int tok_lens[TM2_NUM_STREAMS]; @@ -67,7 +70,7 @@ typedef struct TM2Context{ * Huffman codes for each of streams */ typedef struct TM2Codes{ - VLC vlc; ///< table for Libav bitstream reader + VLC vlc; ///< table for FFmpeg bitstream reader int bits; int *recode; ///< table for converting from code indexes to values int length; @@ -256,6 +259,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i TM2Codes codes; GetByteContext gb; + if (buf_size < 4) { + av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n"); + return AVERROR_INVALIDDATA; + } + /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); @@ -264,7 +272,7 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i if(len == 0) return 4; - if (len >= INT_MAX/4-1 || len < 0 || len > buf_size) { + if (len >= INT_MAX/4-1 || len < 0 || skip > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return -1; } @@ -348,8 +356,13 @@ static inline int GET_TOK(TM2Context *ctx,int type) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); return 0; } - if(type <= TM2_MOT) + if(type <= TM2_MOT) { + if (ctx->tokens[type][ctx->tok_ptrs[type]] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "token %d is too large\n", ctx->tokens[type][ctx->tok_ptrs[type]]); + return 0; + } return ctx->deltas[type][ctx->tokens[type][ctx->tok_ptrs[type]++]]; + } return ctx->tokens[type][ctx->tok_ptrs[type]++]; } @@ -654,6 +667,11 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b mx = av_clip(mx, -(bx * 4 + 4), ctx->avctx->width - bx * 4); my = av_clip(my, -(by * 4 + 4), ctx->avctx->height - by * 4); + if (4*bx+mx<0 || 4*by+my<0 || 4*bx+mx+4 > ctx->avctx->width || 4*by+my+4 > ctx->avctx->height) { + av_log(0,0, "MV out of picture\n"); + return; + } + Yo += my * oYstride + mx; Uo += (my >> 1) * oUstride + (mx >> 1); Vo += (my >> 1) * oVstride + (mx >> 1); @@ -819,37 +837,34 @@ static int decode_frame(AVCodecContext *avctx, TM2Context * const l = avctx->priv_data; AVFrame * const p = &l->pic; int i, skip, t; - uint8_t *swbuf; - swbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); - if(!swbuf){ + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); + if(!l->buffer){ av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); return -1; } - p->reference = 1; + p->reference = 3; p->buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; if(avctx->reget_buffer(avctx, p) < 0){ av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - av_free(swbuf); return -1; } - l->dsp.bswap_buf((uint32_t*)swbuf, (const uint32_t*)buf, buf_size >> 2); - skip = tm2_read_header(l, swbuf); + l->dsp.bswap_buf((uint32_t*)l->buffer, (const uint32_t*)buf, buf_size >> 2); + skip = tm2_read_header(l, l->buffer); if(skip == -1){ - av_free(swbuf); return -1; } for(i = 0; i < TM2_NUM_STREAMS; i++){ if (skip >= buf_size) { - av_free(swbuf); + av_log(avctx, AV_LOG_ERROR, "no space for tm2_read_stream\n"); return AVERROR_INVALIDDATA; } - t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip); + + t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip); if(t < 0){ - av_free(swbuf); return t; } skip += t; @@ -863,7 +878,6 @@ static int decode_frame(AVCodecContext *avctx, l->cur = !l->cur; *data_size = sizeof(AVFrame); *(AVFrame*)data = l->pic; - av_free(swbuf); return buf_size; } @@ -880,6 +894,7 @@ static av_cold int decode_init(AVCodecContext *avctx){ l->avctx = avctx; l->pic.data[0]=NULL; avctx->pix_fmt = PIX_FMT_BGR24; + avcodec_get_frame_defaults(&l->pic); ff_dsputil_init(&l->dsp, avctx); @@ -944,6 +959,8 @@ static av_cold int decode_end(AVCodecContext *avctx){ av_free(l->U2_base); av_free(l->V2_base); } + av_freep(&l->buffer); + l->buffer_size = 0; if (pic->data[0]) avctx->release_buffer(avctx, pic); |