Browse code
Merge remote-tracking branch 'qatar/master'
* qatar/master:
mp3dec: perform I/S and M/S only when frame mode is joint stereo.
id3v2: add another mimetype for JPEG image
lzw: prevent buffer overreads.
WMAL: Remove inaccurate and unnecessary doxy
h264: fix cabac-on-stack after safe cabac reader.
truemotion2: convert packet header reading to bytestream2.
Conflicts:
libavcodec/lzw.c
libavcodec/truemotion2.c
libavformat/id3v2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/03/30 13:03:30Showing 5 changed files
- libavcodec/lzw.c
- libavcodec/mpegaudiodec.c
- libavcodec/truemotion2.c
- libavcodec/wmalosslessdec.c
- libavformat/id3v2.c
| ... | ... |
@@ -101,9 +101,14 @@ void ff_lzw_decode_tail(LZWState *p) |
| 101 | 101 |
struct LZWState *s = (struct LZWState *)p; |
| 102 | 102 |
|
| 103 | 103 |
if(s->mode == FF_LZW_GIF) {
|
| 104 |
- while(s->pbuf + s->bs < s->ebuf && s->bs>0){
|
|
| 105 |
- s->pbuf += s->bs; |
|
| 106 |
- s->bs = *s->pbuf++; |
|
| 104 |
+ while (s->bs > 0) {
|
|
| 105 |
+ if (s->pbuf + s->bs >= s->ebuf) {
|
|
| 106 |
+ s->pbuf = s->ebuf; |
|
| 107 |
+ break; |
|
| 108 |
+ } else {
|
|
| 109 |
+ s->pbuf += s->bs; |
|
| 110 |
+ s->bs = *s->pbuf++; |
|
| 111 |
+ } |
|
| 107 | 112 |
} |
| 108 | 113 |
}else |
| 109 | 114 |
s->pbuf= s->ebuf; |
| ... | ... |
@@ -1532,7 +1532,7 @@ static int mp_decode_layer3(MPADecodeContext *s) |
| 1532 | 1532 |
huffman_decode(s, g, exponents, bits_pos + g->part2_3_length); |
| 1533 | 1533 |
} /* ch */ |
| 1534 | 1534 |
|
| 1535 |
- if (s->nb_channels == 2) |
|
| 1535 |
+ if (s->mode == MPA_JSTEREO) |
|
| 1536 | 1536 |
compute_stereo(s, &s->granules[0][gr], &s->granules[1][gr]); |
| 1537 | 1537 |
|
| 1538 | 1538 |
for (ch = 0; ch < s->nb_channels; ch++) {
|
| ... | ... |
@@ -25,6 +25,7 @@ |
| 25 | 25 |
*/ |
| 26 | 26 |
|
| 27 | 27 |
#include "avcodec.h" |
| 28 |
+#include "bytestream.h" |
|
| 28 | 29 |
#include "get_bits.h" |
| 29 | 30 |
#include "dsputil.h" |
| 30 | 31 |
|
| ... | ... |
@@ -251,18 +252,19 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) {
|
| 251 | 251 |
static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size) |
| 252 | 252 |
{
|
| 253 | 253 |
int i; |
| 254 |
- int cur = 0; |
|
| 255 | 254 |
int skip = 0; |
| 256 |
- int len, toks; |
|
| 255 |
+ int len, toks, pos; |
|
| 257 | 256 |
TM2Codes codes; |
| 257 |
+ GetByteContext gb; |
|
| 258 | 258 |
|
| 259 | 259 |
if (buf_size < 4) {
|
| 260 | 260 |
av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n"); |
| 261 |
- return -1; |
|
| 261 |
+ return AVERROR_INVALIDDATA; |
|
| 262 | 262 |
} |
| 263 | 263 |
|
| 264 | 264 |
/* get stream length in dwords */ |
| 265 |
- len = AV_RB32(buf); buf += 4; cur += 4; |
|
| 265 |
+ bytestream2_init(&gb, buf, buf_size); |
|
| 266 |
+ len = bytestream2_get_be32(&gb); |
|
| 266 | 267 |
skip = len * 4 + 4; |
| 267 | 268 |
|
| 268 | 269 |
if(len == 0) |
| ... | ... |
@@ -273,36 +275,37 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i |
| 273 | 273 |
return -1; |
| 274 | 274 |
} |
| 275 | 275 |
|
| 276 |
- toks = AV_RB32(buf); buf += 4; cur += 4; |
|
| 276 |
+ toks = bytestream2_get_be32(&gb); |
|
| 277 | 277 |
if(toks & 1) {
|
| 278 |
- len = AV_RB32(buf); buf += 4; cur += 4; |
|
| 278 |
+ len = bytestream2_get_be32(&gb); |
|
| 279 | 279 |
if(len == TM2_ESCAPE) {
|
| 280 |
- len = AV_RB32(buf); buf += 4; cur += 4; |
|
| 280 |
+ len = bytestream2_get_be32(&gb); |
|
| 281 | 281 |
} |
| 282 | 282 |
if(len > 0) {
|
| 283 |
- if (skip <= cur) |
|
| 283 |
+ pos = bytestream2_tell(&gb); |
|
| 284 |
+ if (skip <= pos) |
|
| 284 | 285 |
return -1; |
| 285 |
- init_get_bits(&ctx->gb, buf, (skip - cur) * 8); |
|
| 286 |
+ init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); |
|
| 286 | 287 |
if(tm2_read_deltas(ctx, stream_id) == -1) |
| 287 | 288 |
return -1; |
| 288 |
- buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; |
|
| 289 |
- cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; |
|
| 289 |
+ bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2); |
|
| 290 | 290 |
} |
| 291 | 291 |
} |
| 292 | 292 |
/* skip unused fields */ |
| 293 |
- if(AV_RB32(buf) == TM2_ESCAPE) {
|
|
| 294 |
- buf += 4; cur += 4; /* some unknown length - could be escaped too */ |
|
| 293 |
+ len = bytestream2_get_be32(&gb); |
|
| 294 |
+ if(len == TM2_ESCAPE) { /* some unknown length - could be escaped too */
|
|
| 295 |
+ bytestream2_skip(&gb, 8); /* unused by decoder */ |
|
| 296 |
+ } else {
|
|
| 297 |
+ bytestream2_skip(&gb, 4); /* unused by decoder */ |
|
| 295 | 298 |
} |
| 296 |
- buf += 4; cur += 4; |
|
| 297 |
- buf += 4; cur += 4; /* unused by decoder */ |
|
| 298 | 299 |
|
| 299 |
- if (skip <= cur) |
|
| 300 |
+ pos = bytestream2_tell(&gb); |
|
| 301 |
+ if (skip <= pos) |
|
| 300 | 302 |
return -1; |
| 301 |
- init_get_bits(&ctx->gb, buf, (skip - cur) * 8); |
|
| 303 |
+ init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); |
|
| 302 | 304 |
if(tm2_build_huff_table(ctx, &codes) == -1) |
| 303 | 305 |
return -1; |
| 304 |
- buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; |
|
| 305 |
- cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; |
|
| 306 |
+ bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2); |
|
| 306 | 307 |
|
| 307 | 308 |
toks >>= 1; |
| 308 | 309 |
/* check if we have sane number of tokens */ |
| ... | ... |
@@ -313,11 +316,12 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i |
| 313 | 313 |
} |
| 314 | 314 |
ctx->tokens[stream_id] = av_realloc(ctx->tokens[stream_id], toks * sizeof(int)); |
| 315 | 315 |
ctx->tok_lens[stream_id] = toks; |
| 316 |
- len = AV_RB32(buf); buf += 4; cur += 4; |
|
| 316 |
+ len = bytestream2_get_be32(&gb); |
|
| 317 | 317 |
if(len > 0) {
|
| 318 |
- if (skip <= cur) |
|
| 318 |
+ pos = bytestream2_tell(&gb); |
|
| 319 |
+ if (skip <= pos) |
|
| 319 | 320 |
return -1; |
| 320 |
- init_get_bits(&ctx->gb, buf, (skip - cur) * 8); |
|
| 321 |
+ init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); |
|
| 321 | 322 |
for(i = 0; i < toks; i++) {
|
| 322 | 323 |
if (get_bits_left(&ctx->gb) <= 0) {
|
| 323 | 324 |
av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks); |
| ... | ... |
@@ -780,7 +784,7 @@ static int decode_frame(AVCodecContext *avctx, |
| 780 | 780 |
AVPacket *avpkt) |
| 781 | 781 |
{
|
| 782 | 782 |
const uint8_t *buf = avpkt->data; |
| 783 |
- int buf_size = avpkt->size; |
|
| 783 |
+ int buf_size = avpkt->size & ~3; |
|
| 784 | 784 |
TM2Context * const l = avctx->priv_data; |
| 785 | 785 |
AVFrame * const p = &l->pic; |
| 786 | 786 |
int i, skip, t; |
| ... | ... |
@@ -805,6 +809,10 @@ static int decode_frame(AVCodecContext *avctx, |
| 805 | 805 |
} |
| 806 | 806 |
|
| 807 | 807 |
for(i = 0; i < TM2_NUM_STREAMS; i++){
|
| 808 |
+ if (skip >= buf_size) {
|
|
| 809 |
+ av_log(avctx, AV_LOG_ERROR, "no space for tm2_read_stream\n"); |
|
| 810 |
+ return AVERROR_INVALIDDATA; |
|
| 811 |
+ } |
|
| 808 | 812 |
t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip); |
| 809 | 813 |
if(t == -1){
|
| 810 | 814 |
return -1; |
| ... | ... |
@@ -1153,14 +1153,6 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, |
| 1153 | 1153 |
skip_bits(&s->gb, s->frame_offset); |
| 1154 | 1154 |
} |
| 1155 | 1155 |
|
| 1156 |
-/** |
|
| 1157 |
- * @brief Decode a single WMA packet. |
|
| 1158 |
- * @param avctx codec context |
|
| 1159 |
- * @param data the output buffer |
|
| 1160 |
- * @param data_size number of bytes that were written to the output buffer |
|
| 1161 |
- * @param avpkt input packet |
|
| 1162 |
- * @return number of bytes that were read from the input buffer |
|
| 1163 |
- */ |
|
| 1164 | 1156 |
static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, |
| 1165 | 1157 |
AVPacket* avpkt) |
| 1166 | 1158 |
{
|
| ... | ... |
@@ -127,7 +127,7 @@ const char *ff_id3v2_picture_types[21] = {
|
| 127 | 127 |
const CodecMime ff_id3v2_mime_tags[] = {
|
| 128 | 128 |
{"image/gif" , CODEC_ID_GIF},
|
| 129 | 129 |
{"image/jpeg", CODEC_ID_MJPEG},
|
| 130 |
- {"image/jpg" , CODEC_ID_MJPEG},
|
|
| 130 |
+ {"image/jpg", CODEC_ID_MJPEG},
|
|
| 131 | 131 |
{"image/png" , CODEC_ID_PNG},
|
| 132 | 132 |
{"image/tiff", CODEC_ID_TIFF},
|
| 133 | 133 |
{"", CODEC_ID_NONE},
|