Browse code
Merge commit '4ff5167ee7fdee6d35c1bb2558172329ae6ec770' into release/0.10
* commit '4ff5167ee7fdee6d35c1bb2558172329ae6ec770':
wmapro: make sure there is room to store the current packet
lavc: move put_bits_left in put_bits.h
4xm: do not overread the source buffer in decode_p_block
4xm: check bitstream_size boundary before using it
4xm: reject frames not compatible with the declared version
4xm: use the correct logging context
4xm: check the return value of read_huffman_tables().
4xm: don't rely on get_buffer() initializing the frame.
vmdav: convert to bytestream2
smacker: check frame size validity
smacker: pad the extradata allocation
smacker: check the return value of smacker_decode_tree
smacker: fix an off by one in huff.length computation
Prepare for 0.8.8 Release
tiff: do not overread the source buffer
apetag: use int64_t for filesize
wavpack: return meaningful errors
Conflicts:
RELEASE
libavcodec/4xm.c
libavcodec/vmdav.c
libavformat/smacker.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2013/07/29 10:55:03Showing 10 changed files
- libavcodec/4xm.c
- libavcodec/dv.c
- libavcodec/put_bits.h
- libavcodec/smacker.c
- libavcodec/tiff.c
- libavcodec/vmdav.c
- libavcodec/wavpack.c
- libavcodec/wmaprodec.c
- libavformat/apetag.c
- libavformat/smacker.c
| ... | ... |
@@ -25,6 +25,7 @@ |
| 25 | 25 |
*/ |
| 26 | 26 |
|
| 27 | 27 |
#include "libavutil/intreadwrite.h" |
| 28 |
+#include "libavutil/avassert.h" |
|
| 28 | 29 |
#include "avcodec.h" |
| 29 | 30 |
#include "dsputil.h" |
| 30 | 31 |
#include "get_bits.h" |
| ... | ... |
@@ -347,6 +348,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo |
| 347 | 347 |
decode_p_block(f, dst , src , log2w, log2h, stride); |
| 348 | 348 |
decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride); |
| 349 | 349 |
}else if(code == 3 && f->version<2){
|
| 350 |
+ if (start > src || src > end) {
|
|
| 351 |
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); |
|
| 352 |
+ return; |
|
| 353 |
+ } |
|
| 350 | 354 |
mcdc(dst, src, log2w, h, stride, 1, 0); |
| 351 | 355 |
}else if(code == 4){
|
| 352 | 356 |
if (f->g.buffer_end - f->g.buffer < 1){
|
| ... | ... |
@@ -368,6 +373,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo |
| 368 | 368 |
av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); |
| 369 | 369 |
return; |
| 370 | 370 |
} |
| 371 |
+ if (start > src || src > end) {
|
|
| 372 |
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); |
|
| 373 |
+ return; |
|
| 374 |
+ } |
|
| 371 | 375 |
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); |
| 372 | 376 |
}else if(code == 6){
|
| 373 | 377 |
if (f->g2.buffer_end - f->g2.buffer < 2){
|
| ... | ... |
@@ -665,8 +674,8 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
|
| 665 | 665 |
color[0]= bytestream2_get_le16u(&g3); |
| 666 | 666 |
color[1]= bytestream2_get_le16u(&g3); |
| 667 | 667 |
|
| 668 |
- if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); |
|
| 669 |
- if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); |
|
| 668 |
+ if(color[0]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n"); |
|
| 669 |
+ if(color[1]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n"); |
|
| 670 | 670 |
|
| 671 | 671 |
color[2]= mix(color[0], color[1]); |
| 672 | 672 |
color[3]= mix(color[1], color[0]); |
| ... | ... |
@@ -694,7 +703,10 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
|
| 694 | 694 |
unsigned int prestream_size; |
| 695 | 695 |
const uint8_t *prestream; |
| 696 | 696 |
|
| 697 |
- if (bitstream_size > (1<<26) || length < bitstream_size + 12) {
|
|
| 697 |
+ if (bitstream_size > (1 << 26)) |
|
| 698 |
+ return AVERROR_INVALIDDATA; |
|
| 699 |
+ |
|
| 700 |
+ if (length < bitstream_size + 12) {
|
|
| 698 | 701 |
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); |
| 699 | 702 |
return AVERROR_INVALIDDATA; |
| 700 | 703 |
} |
| ... | ... |
@@ -702,15 +714,19 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
|
| 702 | 702 |
prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); |
| 703 | 703 |
prestream = buf + bitstream_size + 12; |
| 704 | 704 |
|
| 705 |
- if (prestream_size > (1<<26) || |
|
| 706 |
- prestream_size != length - (bitstream_size + 12)){
|
|
| 705 |
+ if(prestream_size + bitstream_size + 12 != length |
|
| 706 |
+ || prestream_size > (1<<26)){
|
|
| 707 | 707 |
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); |
| 708 | 708 |
return -1; |
| 709 | 709 |
} |
| 710 | 710 |
|
| 711 |
- prestream= read_huffman_tables(f, prestream, buf + length - prestream); |
|
| 712 |
- if (!prestream) |
|
| 713 |
- return -1; |
|
| 711 |
+ prestream = read_huffman_tables(f, prestream, prestream_size); |
|
| 712 |
+ if (!prestream) {
|
|
| 713 |
+ av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); |
|
| 714 |
+ return AVERROR_INVALIDDATA; |
|
| 715 |
+ } |
|
| 716 |
+ |
|
| 717 |
+ av_assert0(prestream <= buf + length); |
|
| 714 | 718 |
|
| 715 | 719 |
init_get_bits(&f->gb, buf + 4, 8*bitstream_size); |
| 716 | 720 |
|
| ... | ... |
@@ -805,6 +821,9 @@ static int decode_frame(AVCodecContext *avctx, |
| 805 | 805 |
av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number); |
| 806 | 806 |
} |
| 807 | 807 |
|
| 808 |
+ if (f->version <= 1) |
|
| 809 |
+ return AVERROR_INVALIDDATA; |
|
| 810 |
+ |
|
| 808 | 811 |
cfrm->size= cfrm->id= 0; |
| 809 | 812 |
frame_4cc= AV_RL32("pfrm");
|
| 810 | 813 |
}else |
| ... | ... |
@@ -848,6 +867,7 @@ static int decode_frame(AVCodecContext *avctx, |
| 848 | 848 |
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); |
| 849 | 849 |
return -1; |
| 850 | 850 |
} |
| 851 |
+ memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0])); |
|
| 851 | 852 |
} |
| 852 | 853 |
|
| 853 | 854 |
p->pict_type= AV_PICTURE_TYPE_P; |
| ... | ... |
@@ -372,11 +372,6 @@ typedef struct BlockInfo {
|
| 372 | 372 |
static const int vs_total_ac_bits = (100 * 4 + 68*2) * 5; |
| 373 | 373 |
static const int mb_area_start[5] = { 1, 6, 21, 43, 64 };
|
| 374 | 374 |
|
| 375 |
-static inline int put_bits_left(PutBitContext* s) |
|
| 376 |
-{
|
|
| 377 |
- return (s->buf_end - s->buf) * 8 - put_bits_count(s); |
|
| 378 |
-} |
|
| 379 |
- |
|
| 380 | 375 |
/* decode AC coefficients */ |
| 381 | 376 |
static void dv_decode_ac(GetBitContext *gb, BlockInfo *mb, DCTELEM *block) |
| 382 | 377 |
{
|
| ... | ... |
@@ -73,6 +73,14 @@ static inline int put_bits_count(PutBitContext *s) |
| 73 | 73 |
} |
| 74 | 74 |
|
| 75 | 75 |
/** |
| 76 |
+ * @return the number of bits available in the bitstream. |
|
| 77 |
+ */ |
|
| 78 |
+static inline int put_bits_left(PutBitContext* s) |
|
| 79 |
+{
|
|
| 80 |
+ return (s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left; |
|
| 81 |
+} |
|
| 82 |
+ |
|
| 83 |
+/** |
|
| 76 | 84 |
* Pad the end of the output stream with zeros. |
| 77 | 85 |
*/ |
| 78 | 86 |
static inline void flush_put_bits(PutBitContext *s) |
| ... | ... |
@@ -252,7 +252,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int |
| 252 | 252 |
ctx.recode2 = tmp2.values; |
| 253 | 253 |
ctx.last = last; |
| 254 | 254 |
|
| 255 |
- huff.length = ((size + 3) >> 2) + 3; |
|
| 255 |
+ huff.length = ((size + 3) >> 2) + 4; |
|
| 256 | 256 |
huff.maxlength = 0; |
| 257 | 257 |
huff.current = 0; |
| 258 | 258 |
huff.values = av_mallocz(huff.length * sizeof(int)); |
| ... | ... |
@@ -654,7 +654,16 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, |
| 654 | 654 |
h[i].lengths = av_mallocz(256 * sizeof(int)); |
| 655 | 655 |
h[i].values = av_mallocz(256 * sizeof(int)); |
| 656 | 656 |
skip_bits1(&gb); |
| 657 |
- smacker_decode_tree(&gb, &h[i], 0, 0); |
|
| 657 |
+ if (smacker_decode_tree(&gb, &h[i], 0, 0) < 0) {
|
|
| 658 |
+ for (; i >= 0; i--) {
|
|
| 659 |
+ if (vlc[i].table) |
|
| 660 |
+ ff_free_vlc(&vlc[i]); |
|
| 661 |
+ av_free(h[i].bits); |
|
| 662 |
+ av_free(h[i].lengths); |
|
| 663 |
+ av_free(h[i].values); |
|
| 664 |
+ } |
|
| 665 |
+ return AVERROR_INVALIDDATA; |
|
| 666 |
+ } |
|
| 658 | 667 |
skip_bits1(&gb); |
| 659 | 668 |
if(h[i].current > 1) {
|
| 660 | 669 |
res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, |
| ... | ... |
@@ -235,10 +235,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin |
| 235 | 235 |
break; |
| 236 | 236 |
case TIFF_PACKBITS: |
| 237 | 237 |
for(pixels = 0; pixels < width;){
|
| 238 |
+ if (ssrc + size - src < 2) |
|
| 239 |
+ return AVERROR_INVALIDDATA; |
|
| 238 | 240 |
code = (int8_t)*src++; |
| 239 | 241 |
if(code >= 0){
|
| 240 | 242 |
code++; |
| 241 |
- if(pixels + code > width){
|
|
| 243 |
+ if (pixels + code > width || |
|
| 244 |
+ ssrc + size - src < code) {
|
|
| 242 | 245 |
av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); |
| 243 | 246 |
return -1; |
| 244 | 247 |
} |
| ... | ... |
@@ -48,6 +48,7 @@ |
| 48 | 48 |
|
| 49 | 49 |
#define VMD_HEADER_SIZE 0x330 |
| 50 | 50 |
#define PALETTE_COUNT 256 |
| 51 |
+#include "bytestream.h" |
|
| 51 | 52 |
|
| 52 | 53 |
/* |
| 53 | 54 |
* Video Decoder |
| ... | ... |
@@ -75,8 +76,6 @@ typedef struct VmdVideoContext {
|
| 75 | 75 |
static void lz_unpack(const unsigned char *src, int src_len, |
| 76 | 76 |
unsigned char *dest, int dest_len) |
| 77 | 77 |
{
|
| 78 |
- const unsigned char *s; |
|
| 79 |
- const unsigned char *s_end; |
|
| 80 | 78 |
unsigned char *d; |
| 81 | 79 |
unsigned char *d_end; |
| 82 | 80 |
unsigned char queue[QUEUE_SIZE]; |
| ... | ... |
@@ -87,19 +86,17 @@ static void lz_unpack(const unsigned char *src, int src_len, |
| 87 | 87 |
unsigned int speclen; |
| 88 | 88 |
unsigned char tag; |
| 89 | 89 |
unsigned int i, j; |
| 90 |
+ GetByteContext gb; |
|
| 90 | 91 |
|
| 91 |
- s = src; |
|
| 92 |
- s_end = src + src_len; |
|
| 92 |
+ bytestream2_init(&gb, src, src_len); |
|
| 93 | 93 |
d = dest; |
| 94 | 94 |
d_end = d + dest_len; |
| 95 |
- |
|
| 96 |
- if (s_end - s < 8) |
|
| 97 |
- return; |
|
| 98 |
- dataleft = AV_RL32(s); |
|
| 99 |
- s += 4; |
|
| 95 |
+ dataleft = bytestream2_get_le32(&gb); |
|
| 100 | 96 |
memset(queue, 0x20, QUEUE_SIZE); |
| 101 |
- if (AV_RL32(s) == 0x56781234) {
|
|
| 102 |
- s += 4; |
|
| 97 |
+ if (bytestream2_get_bytes_left(&gb) < 4) |
|
| 98 |
+ return; |
|
| 99 |
+ if (bytestream2_peek_le32(&gb) == 0x56781234) {
|
|
| 100 |
+ bytestream2_get_le32(&gb); |
|
| 103 | 101 |
qpos = 0x111; |
| 104 | 102 |
speclen = 0xF + 3; |
| 105 | 103 |
} else {
|
| ... | ... |
@@ -107,13 +104,13 @@ static void lz_unpack(const unsigned char *src, int src_len, |
| 107 | 107 |
speclen = 100; /* no speclen */ |
| 108 | 108 |
} |
| 109 | 109 |
|
| 110 |
- while (s_end - s > 0 && dataleft > 0) {
|
|
| 111 |
- tag = *s++; |
|
| 110 |
+ while (dataleft > 0 && bytestream2_get_bytes_left(&gb) > 0) {
|
|
| 111 |
+ tag = bytestream2_get_byteu(&gb); |
|
| 112 | 112 |
if ((tag == 0xFF) && (dataleft > 8)) {
|
| 113 |
- if (d_end - d < 8 || s_end - s < 8) |
|
| 113 |
+ if (d_end - d < 8 || bytestream2_get_bytes_left(&gb) < 8) |
|
| 114 | 114 |
return; |
| 115 | 115 |
for (i = 0; i < 8; i++) {
|
| 116 |
- queue[qpos++] = *d++ = *s++; |
|
| 116 |
+ queue[qpos++] = *d++ = bytestream2_get_byteu(&gb); |
|
| 117 | 117 |
qpos &= QUEUE_MASK; |
| 118 | 118 |
} |
| 119 | 119 |
dataleft -= 8; |
| ... | ... |
@@ -122,21 +119,17 @@ static void lz_unpack(const unsigned char *src, int src_len, |
| 122 | 122 |
if (dataleft == 0) |
| 123 | 123 |
break; |
| 124 | 124 |
if (tag & 0x01) {
|
| 125 |
- if (d_end - d < 1 || s_end - s < 1) |
|
| 125 |
+ if (d_end - d < 1 || bytestream2_get_bytes_left(&gb) < 1) |
|
| 126 | 126 |
return; |
| 127 |
- queue[qpos++] = *d++ = *s++; |
|
| 127 |
+ queue[qpos++] = *d++ = bytestream2_get_byte(&gb); |
|
| 128 | 128 |
qpos &= QUEUE_MASK; |
| 129 | 129 |
dataleft--; |
| 130 | 130 |
} else {
|
| 131 |
- if (s_end - s < 2) |
|
| 132 |
- return; |
|
| 133 |
- chainofs = *s++; |
|
| 134 |
- chainofs |= ((*s & 0xF0) << 4); |
|
| 135 |
- chainlen = (*s++ & 0x0F) + 3; |
|
| 131 |
+ chainofs = bytestream2_get_byte(&gb); |
|
| 132 |
+ chainofs |= ((bytestream2_peek_byte(&gb) & 0xF0) << 4); |
|
| 133 |
+ chainlen = (bytestream2_get_byte(&gb) & 0x0F) + 3; |
|
| 136 | 134 |
if (chainlen == speclen) {
|
| 137 |
- if (s_end - s < 1) |
|
| 138 |
- return; |
|
| 139 |
- chainlen = *s++ + 0xF + 3; |
|
| 135 |
+ chainlen = bytestream2_get_byte(&gb) + 0xF + 3; |
|
| 140 | 136 |
} |
| 141 | 137 |
if (d_end - d < chainlen) |
| 142 | 138 |
return; |
| ... | ... |
@@ -152,51 +145,47 @@ static void lz_unpack(const unsigned char *src, int src_len, |
| 152 | 152 |
} |
| 153 | 153 |
} |
| 154 | 154 |
} |
| 155 |
- |
|
| 156 |
-static int rle_unpack(const unsigned char *src, int src_len, int src_count, |
|
| 157 |
- unsigned char *dest, int dest_len) |
|
| 155 |
+static int rle_unpack(const unsigned char *src, unsigned char *dest, |
|
| 156 |
+ int src_count, int src_size, int dest_len) |
|
| 158 | 157 |
{
|
| 159 |
- const unsigned char *ps; |
|
| 160 |
- const unsigned char *ps_end; |
|
| 161 | 158 |
unsigned char *pd; |
| 162 | 159 |
int i, l; |
| 163 | 160 |
unsigned char *dest_end = dest + dest_len; |
| 161 |
+ GetByteContext gb; |
|
| 164 | 162 |
|
| 165 |
- ps = src; |
|
| 166 |
- ps_end = src + src_len; |
|
| 163 |
+ bytestream2_init(&gb, src, src_size); |
|
| 167 | 164 |
pd = dest; |
| 168 | 165 |
if (src_count & 1) {
|
| 169 |
- if (ps_end - ps < 1) |
|
| 166 |
+ if (bytestream2_get_bytes_left(&gb) < 1) |
|
| 170 | 167 |
return 0; |
| 171 |
- *pd++ = *ps++; |
|
| 168 |
+ *pd++ = bytestream2_get_byteu(&gb); |
|
| 172 | 169 |
} |
| 173 | 170 |
|
| 174 | 171 |
src_count >>= 1; |
| 175 | 172 |
i = 0; |
| 176 | 173 |
do {
|
| 177 |
- if (ps_end - ps < 1) |
|
| 174 |
+ if (bytestream2_get_bytes_left(&gb) < 1) |
|
| 178 | 175 |
break; |
| 179 |
- l = *ps++; |
|
| 176 |
+ l = bytestream2_get_byteu(&gb); |
|
| 180 | 177 |
if (l & 0x80) {
|
| 181 | 178 |
l = (l & 0x7F) * 2; |
| 182 |
- if (dest_end - pd < l || ps_end - ps < l) |
|
| 183 |
- return ps - src; |
|
| 184 |
- memcpy(pd, ps, l); |
|
| 185 |
- ps += l; |
|
| 179 |
+ if (dest_end - pd < l || bytestream2_get_bytes_left(&gb) < l) |
|
| 180 |
+ return bytestream2_tell(&gb); |
|
| 181 |
+ bytestream2_get_buffer(&gb, pd, l); |
|
| 186 | 182 |
pd += l; |
| 187 | 183 |
} else {
|
| 188 |
- if (dest_end - pd < i || ps_end - ps < 2) |
|
| 189 |
- return ps - src; |
|
| 184 |
+ if (dest_end - pd < i || bytestream2_get_bytes_left(&gb) < 2) |
|
| 185 |
+ return bytestream2_tell(&gb); |
|
| 190 | 186 |
for (i = 0; i < l; i++) {
|
| 191 |
- *pd++ = ps[0]; |
|
| 192 |
- *pd++ = ps[1]; |
|
| 187 |
+ *pd++ = bytestream2_get_byteu(&gb); |
|
| 188 |
+ *pd++ = bytestream2_get_byteu(&gb); |
|
| 193 | 189 |
} |
| 194 |
- ps += 2; |
|
| 190 |
+ bytestream2_skip(&gb, 2); |
|
| 195 | 191 |
} |
| 196 | 192 |
i += l; |
| 197 | 193 |
} while (i < src_count); |
| 198 | 194 |
|
| 199 |
- return ps - src; |
|
| 195 |
+ return bytestream2_tell(&gb); |
|
| 200 | 196 |
} |
| 201 | 197 |
|
| 202 | 198 |
static void vmd_decode(VmdVideoContext *s) |
| ... | ... |
@@ -205,12 +194,8 @@ static void vmd_decode(VmdVideoContext *s) |
| 205 | 205 |
unsigned int *palette32; |
| 206 | 206 |
unsigned char r, g, b; |
| 207 | 207 |
|
| 208 |
- /* point to the start of the encoded data */ |
|
| 209 |
- const unsigned char *p = s->buf + 16; |
|
| 210 |
- const unsigned char *p_end = s->buf + s->size; |
|
| 208 |
+ GetByteContext gb; |
|
| 211 | 209 |
|
| 212 |
- const unsigned char *pb; |
|
| 213 |
- const unsigned char *pb_end; |
|
| 214 | 210 |
unsigned char meth; |
| 215 | 211 |
unsigned char *dp; /* pointer to current frame */ |
| 216 | 212 |
unsigned char *pp; /* pointer to previous frame */ |
| ... | ... |
@@ -255,29 +240,31 @@ static void vmd_decode(VmdVideoContext *s) |
| 255 | 255 |
} |
| 256 | 256 |
|
| 257 | 257 |
/* check if there is a new palette */ |
| 258 |
+ bytestream2_init(&gb, s->buf + 16, s->size - 16); |
|
| 258 | 259 |
if (s->buf[15] & 0x02) {
|
| 259 |
- if (p_end - p < 2 + 3 * PALETTE_COUNT) |
|
| 260 |
- return; |
|
| 261 |
- p += 2; |
|
| 260 |
+ bytestream2_skip(&gb, 2); |
|
| 262 | 261 |
palette32 = (unsigned int *)s->palette; |
| 263 |
- for (i = 0; i < PALETTE_COUNT; i++) {
|
|
| 264 |
- r = *p++ * 4; |
|
| 265 |
- g = *p++ * 4; |
|
| 266 |
- b = *p++ * 4; |
|
| 267 |
- palette32[i] = 0xFF << 24 | r << 16 | g << 8 | b; |
|
| 268 |
- palette32[i] |= palette32[i] >> 6 & 0x30303; |
|
| 262 |
+ if (bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3) {
|
|
| 263 |
+ for (i = 0; i < PALETTE_COUNT; i++) {
|
|
| 264 |
+ r = bytestream2_get_byteu(&gb) * 4; |
|
| 265 |
+ g = bytestream2_get_byteu(&gb) * 4; |
|
| 266 |
+ b = bytestream2_get_byteu(&gb) * 4; |
|
| 267 |
+ palette32[i] = 0xFFU << 24 | (r << 16) | (g << 8) | (b); |
|
| 268 |
+ palette32[i] |= palette32[i] >> 6 & 0x30303; |
|
| 269 |
+ } |
|
| 269 | 270 |
} |
| 270 | 271 |
} |
| 271 |
- if (p < p_end) {
|
|
| 272 |
+ if (s->size > 0) {
|
|
| 272 | 273 |
/* originally UnpackFrame in VAG's code */ |
| 273 |
- pb = p; |
|
| 274 |
- pb_end = p_end; |
|
| 275 |
- meth = *pb++; |
|
| 274 |
+ bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer); |
|
| 275 |
+ if (bytestream2_get_bytes_left(&gb) < 1) |
|
| 276 |
+ return; |
|
| 277 |
+ meth = bytestream2_get_byteu(&gb); |
|
| 276 | 278 |
if (meth & 0x80) {
|
| 277 |
- lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); |
|
| 279 |
+ lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), |
|
| 280 |
+ s->unpack_buffer, s->unpack_buffer_size); |
|
| 278 | 281 |
meth &= 0x7F; |
| 279 |
- pb = s->unpack_buffer; |
|
| 280 |
- pb_end = s->unpack_buffer + s->unpack_buffer_size; |
|
| 282 |
+ bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size); |
|
| 281 | 283 |
} |
| 282 | 284 |
|
| 283 | 285 |
dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; |
| ... | ... |
@@ -287,15 +274,12 @@ static void vmd_decode(VmdVideoContext *s) |
| 287 | 287 |
for (i = 0; i < frame_height; i++) {
|
| 288 | 288 |
ofs = 0; |
| 289 | 289 |
do {
|
| 290 |
- if (pb_end - pb < 1) |
|
| 291 |
- return; |
|
| 292 |
- len = *pb++; |
|
| 290 |
+ len = bytestream2_get_byte(&gb); |
|
| 293 | 291 |
if (len & 0x80) {
|
| 294 | 292 |
len = (len & 0x7F) + 1; |
| 295 |
- if (ofs + len > frame_width || pb_end - pb < len) |
|
| 293 |
+ if (ofs + len > frame_width || bytestream2_get_bytes_left(&gb) < len) |
|
| 296 | 294 |
return; |
| 297 |
- memcpy(&dp[ofs], pb, len); |
|
| 298 |
- pb += len; |
|
| 295 |
+ bytestream2_get_buffer(&gb, &dp[ofs], len); |
|
| 299 | 296 |
ofs += len; |
| 300 | 297 |
} else {
|
| 301 | 298 |
/* interframe pixel copy */ |
| ... | ... |
@@ -317,10 +301,7 @@ static void vmd_decode(VmdVideoContext *s) |
| 317 | 317 |
|
| 318 | 318 |
case 2: |
| 319 | 319 |
for (i = 0; i < frame_height; i++) {
|
| 320 |
- if (pb_end -pb < frame_width) |
|
| 321 |
- return; |
|
| 322 |
- memcpy(dp, pb, frame_width); |
|
| 323 |
- pb += frame_width; |
|
| 320 |
+ bytestream2_get_buffer(&gb, dp, frame_width); |
|
| 324 | 321 |
dp += s->frame.linesize[0]; |
| 325 | 322 |
pp += s->prev_frame.linesize[0]; |
| 326 | 323 |
} |
| ... | ... |
@@ -330,22 +311,16 @@ static void vmd_decode(VmdVideoContext *s) |
| 330 | 330 |
for (i = 0; i < frame_height; i++) {
|
| 331 | 331 |
ofs = 0; |
| 332 | 332 |
do {
|
| 333 |
- if (pb_end - pb < 1) |
|
| 334 |
- return; |
|
| 335 |
- len = *pb++; |
|
| 333 |
+ len = bytestream2_get_byte(&gb); |
|
| 336 | 334 |
if (len & 0x80) {
|
| 337 | 335 |
len = (len & 0x7F) + 1; |
| 338 |
- if (pb_end - pb < 1) |
|
| 339 |
- return; |
|
| 340 |
- if (*pb++ == 0xFF) |
|
| 341 |
- len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs); |
|
| 342 |
- else {
|
|
| 343 |
- if (pb_end - pb < len) |
|
| 344 |
- return; |
|
| 345 |
- memcpy(&dp[ofs], pb, len); |
|
| 346 |
- } |
|
| 347 |
- pb += len; |
|
| 348 |
- ofs += len; |
|
| 336 |
+ if (bytestream2_get_byte(&gb) == 0xFF) |
|
| 337 |
+ len = rle_unpack(gb.buffer, &dp[ofs], |
|
| 338 |
+ len, bytestream2_get_bytes_left(&gb), |
|
| 339 |
+ frame_width - ofs); |
|
| 340 |
+ else |
|
| 341 |
+ bytestream2_get_buffer(&gb, &dp[ofs], len); |
|
| 342 |
+ bytestream2_skip(&gb, len); |
|
| 349 | 343 |
} else {
|
| 350 | 344 |
/* interframe pixel copy */ |
| 351 | 345 |
if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) |
| ... | ... |
@@ -773,13 +773,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
| 773 | 773 |
|
| 774 | 774 |
if (block_no >= wc->fdec_num && wv_alloc_frame_context(wc) < 0) {
|
| 775 | 775 |
av_log(avctx, AV_LOG_ERROR, "Error creating frame decode context\n"); |
| 776 |
- return -1; |
|
| 776 |
+ return AVERROR_INVALIDDATA; |
|
| 777 | 777 |
} |
| 778 | 778 |
|
| 779 | 779 |
s = wc->fdec[block_no]; |
| 780 | 780 |
if (!s) {
|
| 781 | 781 |
av_log(avctx, AV_LOG_ERROR, "Context for block %d is not present\n", block_no); |
| 782 |
- return -1; |
|
| 782 |
+ return AVERROR_INVALIDDATA; |
|
| 783 | 783 |
} |
| 784 | 784 |
|
| 785 | 785 |
memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr)); |
| ... | ... |
@@ -1022,7 +1022,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
| 1022 | 1022 |
case WP_ID_CHANINFO: |
| 1023 | 1023 |
if (size <= 1) {
|
| 1024 | 1024 |
av_log(avctx, AV_LOG_ERROR, "Insufficient channel information\n"); |
| 1025 |
- return -1; |
|
| 1025 |
+ return AVERROR_INVALIDDATA; |
|
| 1026 | 1026 |
} |
| 1027 | 1027 |
chan = *buf++; |
| 1028 | 1028 |
switch (size - 2) {
|
| ... | ... |
@@ -1041,10 +1041,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
| 1041 | 1041 |
chmask = avctx->channel_layout; |
| 1042 | 1042 |
} |
| 1043 | 1043 |
if (chan != avctx->channels) {
|
| 1044 |
- av_log(avctx, AV_LOG_ERROR, "Block reports total %d channels, " |
|
| 1045 |
- "decoder believes it's %d channels\n", chan, |
|
| 1046 |
- avctx->channels); |
|
| 1047 |
- return -1; |
|
| 1044 |
+ av_log(avctx, AV_LOG_ERROR, |
|
| 1045 |
+ "Block reports total %d channels, " |
|
| 1046 |
+ "decoder believes it's %d channels\n", |
|
| 1047 |
+ chan, avctx->channels); |
|
| 1048 |
+ return AVERROR_INVALIDDATA; |
|
| 1048 | 1049 |
} |
| 1049 | 1050 |
if (!avctx->channel_layout) |
| 1050 | 1051 |
avctx->channel_layout = chmask; |
| ... | ... |
@@ -1059,31 +1060,31 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
| 1059 | 1059 |
|
| 1060 | 1060 |
if (!got_terms) {
|
| 1061 | 1061 |
av_log(avctx, AV_LOG_ERROR, "No block with decorrelation terms\n"); |
| 1062 |
- return -1; |
|
| 1062 |
+ return AVERROR_INVALIDDATA; |
|
| 1063 | 1063 |
} |
| 1064 | 1064 |
if (!got_weights) {
|
| 1065 | 1065 |
av_log(avctx, AV_LOG_ERROR, "No block with decorrelation weights\n"); |
| 1066 |
- return -1; |
|
| 1066 |
+ return AVERROR_INVALIDDATA; |
|
| 1067 | 1067 |
} |
| 1068 | 1068 |
if (!got_samples) {
|
| 1069 | 1069 |
av_log(avctx, AV_LOG_ERROR, "No block with decorrelation samples\n"); |
| 1070 |
- return -1; |
|
| 1070 |
+ return AVERROR_INVALIDDATA; |
|
| 1071 | 1071 |
} |
| 1072 | 1072 |
if (!got_entropy) {
|
| 1073 | 1073 |
av_log(avctx, AV_LOG_ERROR, "No block with entropy info\n"); |
| 1074 |
- return -1; |
|
| 1074 |
+ return AVERROR_INVALIDDATA; |
|
| 1075 | 1075 |
} |
| 1076 | 1076 |
if (s->hybrid && !got_hybrid) {
|
| 1077 | 1077 |
av_log(avctx, AV_LOG_ERROR, "Hybrid config not found\n"); |
| 1078 |
- return -1; |
|
| 1078 |
+ return AVERROR_INVALIDDATA; |
|
| 1079 | 1079 |
} |
| 1080 | 1080 |
if (!got_bs) {
|
| 1081 | 1081 |
av_log(avctx, AV_LOG_ERROR, "Packed samples not found\n"); |
| 1082 |
- return -1; |
|
| 1082 |
+ return AVERROR_INVALIDDATA; |
|
| 1083 | 1083 |
} |
| 1084 | 1084 |
if (!got_float && avctx->sample_fmt == AV_SAMPLE_FMT_FLT) {
|
| 1085 | 1085 |
av_log(avctx, AV_LOG_ERROR, "Float information not found\n"); |
| 1086 |
- return -1; |
|
| 1086 |
+ return AVERROR_INVALIDDATA; |
|
| 1087 | 1087 |
} |
| 1088 | 1088 |
if (s->got_extra_bits && avctx->sample_fmt != AV_SAMPLE_FMT_FLT) {
|
| 1089 | 1089 |
const int size = get_bits_left(&s->gb_extra_bits); |
| ... | ... |
@@ -1103,7 +1104,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
| 1103 | 1103 |
samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); |
| 1104 | 1104 |
|
| 1105 | 1105 |
if (samplecount < 0) |
| 1106 |
- return -1; |
|
| 1106 |
+ return samplecount; |
|
| 1107 | 1107 |
|
| 1108 | 1108 |
samplecount >>= 1; |
| 1109 | 1109 |
} else {
|
| ... | ... |
@@ -1117,7 +1118,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
| 1117 | 1117 |
samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); |
| 1118 | 1118 |
|
| 1119 | 1119 |
if (samplecount < 0) |
| 1120 |
- return -1; |
|
| 1120 |
+ return samplecount; |
|
| 1121 | 1121 |
|
| 1122 | 1122 |
if (s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16) {
|
| 1123 | 1123 |
int16_t *dst = (int16_t*)samples + 1; |
| ... | ... |
@@ -1194,7 +1195,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, |
| 1194 | 1194 |
if (s->samples <= 0) {
|
| 1195 | 1195 |
av_log(avctx, AV_LOG_ERROR, "Invalid number of samples: %d\n", |
| 1196 | 1196 |
s->samples); |
| 1197 |
- return AVERROR(EINVAL); |
|
| 1197 |
+ return AVERROR_INVALIDDATA; |
|
| 1198 | 1198 |
} |
| 1199 | 1199 |
|
| 1200 | 1200 |
if (frame_flags & 0x80) {
|
| ... | ... |
@@ -1228,13 +1229,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, |
| 1228 | 1228 |
av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d " |
| 1229 | 1229 |
"vs. %d bytes left)\n", s->block, frame_size, buf_size); |
| 1230 | 1230 |
wavpack_decode_flush(avctx); |
| 1231 |
- return -1; |
|
| 1231 |
+ return AVERROR_INVALIDDATA; |
|
| 1232 | 1232 |
} |
| 1233 | 1233 |
if ((samplecount = wavpack_decode_block(avctx, s->block, |
| 1234 | 1234 |
s->frame.data[0], got_frame_ptr, |
| 1235 | 1235 |
buf, frame_size)) < 0) {
|
| 1236 | 1236 |
wavpack_decode_flush(avctx); |
| 1237 |
- return -1; |
|
| 1237 |
+ return samplecount; |
|
| 1238 | 1238 |
} |
| 1239 | 1239 |
s->block++; |
| 1240 | 1240 |
buf += frame_size; buf_size -= frame_size; |
| ... | ... |
@@ -1466,6 +1466,14 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, |
| 1466 | 1466 |
return; |
| 1467 | 1467 |
} |
| 1468 | 1468 |
|
| 1469 |
+ if (len > put_bits_left(&s->pb)) {
|
|
| 1470 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
| 1471 |
+ "Cannot append %d bits, only %d bits available.\n", |
|
| 1472 |
+ len, put_bits_left(&s->pb)); |
|
| 1473 |
+ s->packet_loss = 1; |
|
| 1474 |
+ return; |
|
| 1475 |
+ } |
|
| 1476 |
+ |
|
| 1469 | 1477 |
s->num_saved_bits += len; |
| 1470 | 1478 |
if (!append) {
|
| 1471 | 1479 |
avpriv_copy_bits(&s->pb, gb->buffer + (get_bits_count(gb) >> 3), |
| ... | ... |
@@ -65,7 +65,7 @@ static int ape_tag_read_field(AVFormatContext *s) |
| 65 | 65 |
void ff_ape_parse_tag(AVFormatContext *s) |
| 66 | 66 |
{
|
| 67 | 67 |
AVIOContext *pb = s->pb; |
| 68 |
- int file_size = avio_size(pb); |
|
| 68 |
+ int64_t file_size = avio_size(pb); |
|
| 69 | 69 |
uint32_t val, fields, tag_bytes; |
| 70 | 70 |
uint8_t buf[8]; |
| 71 | 71 |
int i; |
| ... | ... |
@@ -203,7 +203,8 @@ static int smacker_read_header(AVFormatContext *s, AVFormatParameters *ap) |
| 203 | 203 |
|
| 204 | 204 |
|
| 205 | 205 |
/* load trees to extradata, they will be unpacked by decoder */ |
| 206 |
- st->codec->extradata = av_malloc(smk->treesize + 16); |
|
| 206 |
+ st->codec->extradata = av_mallocz(smk->treesize + 16 + |
|
| 207 |
+ FF_INPUT_BUFFER_PADDING_SIZE); |
|
| 207 | 208 |
st->codec->extradata_size = smk->treesize + 16; |
| 208 | 209 |
if(!st->codec->extradata){
|
| 209 | 210 |
av_log(s, AV_LOG_ERROR, "Cannot allocate %i bytes of extradata\n", smk->treesize + 16); |
| ... | ... |
@@ -298,12 +299,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) |
| 298 | 298 |
/* if audio chunks are present, put them to stack and retrieve later */ |
| 299 | 299 |
for(i = 0; i < 7; i++) {
|
| 300 | 300 |
if(flags & 1) {
|
| 301 |
- unsigned int size; |
|
| 301 |
+ uint32_t size; |
|
| 302 | 302 |
uint8_t *tmpbuf; |
| 303 | 303 |
|
| 304 | 304 |
size = avio_rl32(s->pb) - 4; |
| 305 |
- if(size + 4L > frame_size) |
|
| 305 |
+ if (!size || size + 4L > frame_size) {
|
|
| 306 |
+ av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); |
|
| 306 | 307 |
return AVERROR_INVALIDDATA; |
| 308 |
+ } |
|
| 307 | 309 |
frame_size -= size; |
| 308 | 310 |
frame_size -= 4; |
| 309 | 311 |
smk->curstream++; |