* commit '4ff5167ee7fdee6d35c1bb2558172329ae6ec770':
wmapro: make sure there is room to store the current packet
lavc: move put_bits_left in put_bits.h
4xm: do not overread the source buffer in decode_p_block
4xm: check bitstream_size boundary before using it
4xm: reject frames not compatible with the declared version
4xm: use the correct logging context
4xm: check the return value of read_huffman_tables().
4xm: don't rely on get_buffer() initializing the frame.
vmdav: convert to bytestream2
smacker: check frame size validity
smacker: pad the extradata allocation
smacker: check the return value of smacker_decode_tree
smacker: fix an off by one in huff.length computation
Prepare for 0.8.8 Release
tiff: do not overread the source buffer
apetag: use int64_t for filesize
wavpack: return meaningful errors
Conflicts:
RELEASE
libavcodec/4xm.c
libavcodec/vmdav.c
libavformat/smacker.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -25,6 +25,7 @@ |
25 | 25 |
*/ |
26 | 26 |
|
27 | 27 |
#include "libavutil/intreadwrite.h" |
28 |
+#include "libavutil/avassert.h" |
|
28 | 29 |
#include "avcodec.h" |
29 | 30 |
#include "dsputil.h" |
30 | 31 |
#include "get_bits.h" |
... | ... |
@@ -347,6 +348,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo |
347 | 347 |
decode_p_block(f, dst , src , log2w, log2h, stride); |
348 | 348 |
decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride); |
349 | 349 |
}else if(code == 3 && f->version<2){ |
350 |
+ if (start > src || src > end) { |
|
351 |
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); |
|
352 |
+ return; |
|
353 |
+ } |
|
350 | 354 |
mcdc(dst, src, log2w, h, stride, 1, 0); |
351 | 355 |
}else if(code == 4){ |
352 | 356 |
if (f->g.buffer_end - f->g.buffer < 1){ |
... | ... |
@@ -368,6 +373,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo |
368 | 368 |
av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); |
369 | 369 |
return; |
370 | 370 |
} |
371 |
+ if (start > src || src > end) { |
|
372 |
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); |
|
373 |
+ return; |
|
374 |
+ } |
|
371 | 375 |
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); |
372 | 376 |
}else if(code == 6){ |
373 | 377 |
if (f->g2.buffer_end - f->g2.buffer < 2){ |
... | ... |
@@ -665,8 +674,8 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ |
665 | 665 |
color[0]= bytestream2_get_le16u(&g3); |
666 | 666 |
color[1]= bytestream2_get_le16u(&g3); |
667 | 667 |
|
668 |
- if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); |
|
669 |
- if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); |
|
668 |
+ if(color[0]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n"); |
|
669 |
+ if(color[1]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n"); |
|
670 | 670 |
|
671 | 671 |
color[2]= mix(color[0], color[1]); |
672 | 672 |
color[3]= mix(color[1], color[0]); |
... | ... |
@@ -694,7 +703,10 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ |
694 | 694 |
unsigned int prestream_size; |
695 | 695 |
const uint8_t *prestream; |
696 | 696 |
|
697 |
- if (bitstream_size > (1<<26) || length < bitstream_size + 12) { |
|
697 |
+ if (bitstream_size > (1 << 26)) |
|
698 |
+ return AVERROR_INVALIDDATA; |
|
699 |
+ |
|
700 |
+ if (length < bitstream_size + 12) { |
|
698 | 701 |
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); |
699 | 702 |
return AVERROR_INVALIDDATA; |
700 | 703 |
} |
... | ... |
@@ -702,15 +714,19 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ |
702 | 702 |
prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); |
703 | 703 |
prestream = buf + bitstream_size + 12; |
704 | 704 |
|
705 |
- if (prestream_size > (1<<26) || |
|
706 |
- prestream_size != length - (bitstream_size + 12)){ |
|
705 |
+ if(prestream_size + bitstream_size + 12 != length |
|
706 |
+ || prestream_size > (1<<26)){ |
|
707 | 707 |
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); |
708 | 708 |
return -1; |
709 | 709 |
} |
710 | 710 |
|
711 |
- prestream= read_huffman_tables(f, prestream, buf + length - prestream); |
|
712 |
- if (!prestream) |
|
713 |
- return -1; |
|
711 |
+ prestream = read_huffman_tables(f, prestream, prestream_size); |
|
712 |
+ if (!prestream) { |
|
713 |
+ av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); |
|
714 |
+ return AVERROR_INVALIDDATA; |
|
715 |
+ } |
|
716 |
+ |
|
717 |
+ av_assert0(prestream <= buf + length); |
|
714 | 718 |
|
715 | 719 |
init_get_bits(&f->gb, buf + 4, 8*bitstream_size); |
716 | 720 |
|
... | ... |
@@ -805,6 +821,9 @@ static int decode_frame(AVCodecContext *avctx, |
805 | 805 |
av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number); |
806 | 806 |
} |
807 | 807 |
|
808 |
+ if (f->version <= 1) |
|
809 |
+ return AVERROR_INVALIDDATA; |
|
810 |
+ |
|
808 | 811 |
cfrm->size= cfrm->id= 0; |
809 | 812 |
frame_4cc= AV_RL32("pfrm"); |
810 | 813 |
}else |
... | ... |
@@ -848,6 +867,7 @@ static int decode_frame(AVCodecContext *avctx, |
848 | 848 |
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); |
849 | 849 |
return -1; |
850 | 850 |
} |
851 |
+ memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0])); |
|
851 | 852 |
} |
852 | 853 |
|
853 | 854 |
p->pict_type= AV_PICTURE_TYPE_P; |
... | ... |
@@ -372,11 +372,6 @@ typedef struct BlockInfo { |
372 | 372 |
static const int vs_total_ac_bits = (100 * 4 + 68*2) * 5; |
373 | 373 |
static const int mb_area_start[5] = { 1, 6, 21, 43, 64 }; |
374 | 374 |
|
375 |
-static inline int put_bits_left(PutBitContext* s) |
|
376 |
-{ |
|
377 |
- return (s->buf_end - s->buf) * 8 - put_bits_count(s); |
|
378 |
-} |
|
379 |
- |
|
380 | 375 |
/* decode AC coefficients */ |
381 | 376 |
static void dv_decode_ac(GetBitContext *gb, BlockInfo *mb, DCTELEM *block) |
382 | 377 |
{ |
... | ... |
@@ -73,6 +73,14 @@ static inline int put_bits_count(PutBitContext *s) |
73 | 73 |
} |
74 | 74 |
|
75 | 75 |
/** |
76 |
+ * @return the number of bits available in the bitstream. |
|
77 |
+ */ |
|
78 |
+static inline int put_bits_left(PutBitContext* s) |
|
79 |
+{ |
|
80 |
+ return (s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left; |
|
81 |
+} |
|
82 |
+ |
|
83 |
+/** |
|
76 | 84 |
* Pad the end of the output stream with zeros. |
77 | 85 |
*/ |
78 | 86 |
static inline void flush_put_bits(PutBitContext *s) |
... | ... |
@@ -252,7 +252,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int |
252 | 252 |
ctx.recode2 = tmp2.values; |
253 | 253 |
ctx.last = last; |
254 | 254 |
|
255 |
- huff.length = ((size + 3) >> 2) + 3; |
|
255 |
+ huff.length = ((size + 3) >> 2) + 4; |
|
256 | 256 |
huff.maxlength = 0; |
257 | 257 |
huff.current = 0; |
258 | 258 |
huff.values = av_mallocz(huff.length * sizeof(int)); |
... | ... |
@@ -654,7 +654,16 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, |
654 | 654 |
h[i].lengths = av_mallocz(256 * sizeof(int)); |
655 | 655 |
h[i].values = av_mallocz(256 * sizeof(int)); |
656 | 656 |
skip_bits1(&gb); |
657 |
- smacker_decode_tree(&gb, &h[i], 0, 0); |
|
657 |
+ if (smacker_decode_tree(&gb, &h[i], 0, 0) < 0) { |
|
658 |
+ for (; i >= 0; i--) { |
|
659 |
+ if (vlc[i].table) |
|
660 |
+ ff_free_vlc(&vlc[i]); |
|
661 |
+ av_free(h[i].bits); |
|
662 |
+ av_free(h[i].lengths); |
|
663 |
+ av_free(h[i].values); |
|
664 |
+ } |
|
665 |
+ return AVERROR_INVALIDDATA; |
|
666 |
+ } |
|
658 | 667 |
skip_bits1(&gb); |
659 | 668 |
if(h[i].current > 1) { |
660 | 669 |
res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, |
... | ... |
@@ -235,10 +235,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin |
235 | 235 |
break; |
236 | 236 |
case TIFF_PACKBITS: |
237 | 237 |
for(pixels = 0; pixels < width;){ |
238 |
+ if (ssrc + size - src < 2) |
|
239 |
+ return AVERROR_INVALIDDATA; |
|
238 | 240 |
code = (int8_t)*src++; |
239 | 241 |
if(code >= 0){ |
240 | 242 |
code++; |
241 |
- if(pixels + code > width){ |
|
243 |
+ if (pixels + code > width || |
|
244 |
+ ssrc + size - src < code) { |
|
242 | 245 |
av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); |
243 | 246 |
return -1; |
244 | 247 |
} |
... | ... |
@@ -48,6 +48,7 @@ |
48 | 48 |
|
49 | 49 |
#define VMD_HEADER_SIZE 0x330 |
50 | 50 |
#define PALETTE_COUNT 256 |
51 |
+#include "bytestream.h" |
|
51 | 52 |
|
52 | 53 |
/* |
53 | 54 |
* Video Decoder |
... | ... |
@@ -75,8 +76,6 @@ typedef struct VmdVideoContext { |
75 | 75 |
static void lz_unpack(const unsigned char *src, int src_len, |
76 | 76 |
unsigned char *dest, int dest_len) |
77 | 77 |
{ |
78 |
- const unsigned char *s; |
|
79 |
- const unsigned char *s_end; |
|
80 | 78 |
unsigned char *d; |
81 | 79 |
unsigned char *d_end; |
82 | 80 |
unsigned char queue[QUEUE_SIZE]; |
... | ... |
@@ -87,19 +86,17 @@ static void lz_unpack(const unsigned char *src, int src_len, |
87 | 87 |
unsigned int speclen; |
88 | 88 |
unsigned char tag; |
89 | 89 |
unsigned int i, j; |
90 |
+ GetByteContext gb; |
|
90 | 91 |
|
91 |
- s = src; |
|
92 |
- s_end = src + src_len; |
|
92 |
+ bytestream2_init(&gb, src, src_len); |
|
93 | 93 |
d = dest; |
94 | 94 |
d_end = d + dest_len; |
95 |
- |
|
96 |
- if (s_end - s < 8) |
|
97 |
- return; |
|
98 |
- dataleft = AV_RL32(s); |
|
99 |
- s += 4; |
|
95 |
+ dataleft = bytestream2_get_le32(&gb); |
|
100 | 96 |
memset(queue, 0x20, QUEUE_SIZE); |
101 |
- if (AV_RL32(s) == 0x56781234) { |
|
102 |
- s += 4; |
|
97 |
+ if (bytestream2_get_bytes_left(&gb) < 4) |
|
98 |
+ return; |
|
99 |
+ if (bytestream2_peek_le32(&gb) == 0x56781234) { |
|
100 |
+ bytestream2_get_le32(&gb); |
|
103 | 101 |
qpos = 0x111; |
104 | 102 |
speclen = 0xF + 3; |
105 | 103 |
} else { |
... | ... |
@@ -107,13 +104,13 @@ static void lz_unpack(const unsigned char *src, int src_len, |
107 | 107 |
speclen = 100; /* no speclen */ |
108 | 108 |
} |
109 | 109 |
|
110 |
- while (s_end - s > 0 && dataleft > 0) { |
|
111 |
- tag = *s++; |
|
110 |
+ while (dataleft > 0 && bytestream2_get_bytes_left(&gb) > 0) { |
|
111 |
+ tag = bytestream2_get_byteu(&gb); |
|
112 | 112 |
if ((tag == 0xFF) && (dataleft > 8)) { |
113 |
- if (d_end - d < 8 || s_end - s < 8) |
|
113 |
+ if (d_end - d < 8 || bytestream2_get_bytes_left(&gb) < 8) |
|
114 | 114 |
return; |
115 | 115 |
for (i = 0; i < 8; i++) { |
116 |
- queue[qpos++] = *d++ = *s++; |
|
116 |
+ queue[qpos++] = *d++ = bytestream2_get_byteu(&gb); |
|
117 | 117 |
qpos &= QUEUE_MASK; |
118 | 118 |
} |
119 | 119 |
dataleft -= 8; |
... | ... |
@@ -122,21 +119,17 @@ static void lz_unpack(const unsigned char *src, int src_len, |
122 | 122 |
if (dataleft == 0) |
123 | 123 |
break; |
124 | 124 |
if (tag & 0x01) { |
125 |
- if (d_end - d < 1 || s_end - s < 1) |
|
125 |
+ if (d_end - d < 1 || bytestream2_get_bytes_left(&gb) < 1) |
|
126 | 126 |
return; |
127 |
- queue[qpos++] = *d++ = *s++; |
|
127 |
+ queue[qpos++] = *d++ = bytestream2_get_byte(&gb); |
|
128 | 128 |
qpos &= QUEUE_MASK; |
129 | 129 |
dataleft--; |
130 | 130 |
} else { |
131 |
- if (s_end - s < 2) |
|
132 |
- return; |
|
133 |
- chainofs = *s++; |
|
134 |
- chainofs |= ((*s & 0xF0) << 4); |
|
135 |
- chainlen = (*s++ & 0x0F) + 3; |
|
131 |
+ chainofs = bytestream2_get_byte(&gb); |
|
132 |
+ chainofs |= ((bytestream2_peek_byte(&gb) & 0xF0) << 4); |
|
133 |
+ chainlen = (bytestream2_get_byte(&gb) & 0x0F) + 3; |
|
136 | 134 |
if (chainlen == speclen) { |
137 |
- if (s_end - s < 1) |
|
138 |
- return; |
|
139 |
- chainlen = *s++ + 0xF + 3; |
|
135 |
+ chainlen = bytestream2_get_byte(&gb) + 0xF + 3; |
|
140 | 136 |
} |
141 | 137 |
if (d_end - d < chainlen) |
142 | 138 |
return; |
... | ... |
@@ -152,51 +145,47 @@ static void lz_unpack(const unsigned char *src, int src_len, |
152 | 152 |
} |
153 | 153 |
} |
154 | 154 |
} |
155 |
- |
|
156 |
-static int rle_unpack(const unsigned char *src, int src_len, int src_count, |
|
157 |
- unsigned char *dest, int dest_len) |
|
155 |
+static int rle_unpack(const unsigned char *src, unsigned char *dest, |
|
156 |
+ int src_count, int src_size, int dest_len) |
|
158 | 157 |
{ |
159 |
- const unsigned char *ps; |
|
160 |
- const unsigned char *ps_end; |
|
161 | 158 |
unsigned char *pd; |
162 | 159 |
int i, l; |
163 | 160 |
unsigned char *dest_end = dest + dest_len; |
161 |
+ GetByteContext gb; |
|
164 | 162 |
|
165 |
- ps = src; |
|
166 |
- ps_end = src + src_len; |
|
163 |
+ bytestream2_init(&gb, src, src_size); |
|
167 | 164 |
pd = dest; |
168 | 165 |
if (src_count & 1) { |
169 |
- if (ps_end - ps < 1) |
|
166 |
+ if (bytestream2_get_bytes_left(&gb) < 1) |
|
170 | 167 |
return 0; |
171 |
- *pd++ = *ps++; |
|
168 |
+ *pd++ = bytestream2_get_byteu(&gb); |
|
172 | 169 |
} |
173 | 170 |
|
174 | 171 |
src_count >>= 1; |
175 | 172 |
i = 0; |
176 | 173 |
do { |
177 |
- if (ps_end - ps < 1) |
|
174 |
+ if (bytestream2_get_bytes_left(&gb) < 1) |
|
178 | 175 |
break; |
179 |
- l = *ps++; |
|
176 |
+ l = bytestream2_get_byteu(&gb); |
|
180 | 177 |
if (l & 0x80) { |
181 | 178 |
l = (l & 0x7F) * 2; |
182 |
- if (dest_end - pd < l || ps_end - ps < l) |
|
183 |
- return ps - src; |
|
184 |
- memcpy(pd, ps, l); |
|
185 |
- ps += l; |
|
179 |
+ if (dest_end - pd < l || bytestream2_get_bytes_left(&gb) < l) |
|
180 |
+ return bytestream2_tell(&gb); |
|
181 |
+ bytestream2_get_buffer(&gb, pd, l); |
|
186 | 182 |
pd += l; |
187 | 183 |
} else { |
188 |
- if (dest_end - pd < i || ps_end - ps < 2) |
|
189 |
- return ps - src; |
|
184 |
+ if (dest_end - pd < i || bytestream2_get_bytes_left(&gb) < 2) |
|
185 |
+ return bytestream2_tell(&gb); |
|
190 | 186 |
for (i = 0; i < l; i++) { |
191 |
- *pd++ = ps[0]; |
|
192 |
- *pd++ = ps[1]; |
|
187 |
+ *pd++ = bytestream2_get_byteu(&gb); |
|
188 |
+ *pd++ = bytestream2_get_byteu(&gb); |
|
193 | 189 |
} |
194 |
- ps += 2; |
|
190 |
+ bytestream2_skip(&gb, 2); |
|
195 | 191 |
} |
196 | 192 |
i += l; |
197 | 193 |
} while (i < src_count); |
198 | 194 |
|
199 |
- return ps - src; |
|
195 |
+ return bytestream2_tell(&gb); |
|
200 | 196 |
} |
201 | 197 |
|
202 | 198 |
static void vmd_decode(VmdVideoContext *s) |
... | ... |
@@ -205,12 +194,8 @@ static void vmd_decode(VmdVideoContext *s) |
205 | 205 |
unsigned int *palette32; |
206 | 206 |
unsigned char r, g, b; |
207 | 207 |
|
208 |
- /* point to the start of the encoded data */ |
|
209 |
- const unsigned char *p = s->buf + 16; |
|
210 |
- const unsigned char *p_end = s->buf + s->size; |
|
208 |
+ GetByteContext gb; |
|
211 | 209 |
|
212 |
- const unsigned char *pb; |
|
213 |
- const unsigned char *pb_end; |
|
214 | 210 |
unsigned char meth; |
215 | 211 |
unsigned char *dp; /* pointer to current frame */ |
216 | 212 |
unsigned char *pp; /* pointer to previous frame */ |
... | ... |
@@ -255,29 +240,31 @@ static void vmd_decode(VmdVideoContext *s) |
255 | 255 |
} |
256 | 256 |
|
257 | 257 |
/* check if there is a new palette */ |
258 |
+ bytestream2_init(&gb, s->buf + 16, s->size - 16); |
|
258 | 259 |
if (s->buf[15] & 0x02) { |
259 |
- if (p_end - p < 2 + 3 * PALETTE_COUNT) |
|
260 |
- return; |
|
261 |
- p += 2; |
|
260 |
+ bytestream2_skip(&gb, 2); |
|
262 | 261 |
palette32 = (unsigned int *)s->palette; |
263 |
- for (i = 0; i < PALETTE_COUNT; i++) { |
|
264 |
- r = *p++ * 4; |
|
265 |
- g = *p++ * 4; |
|
266 |
- b = *p++ * 4; |
|
267 |
- palette32[i] = 0xFF << 24 | r << 16 | g << 8 | b; |
|
268 |
- palette32[i] |= palette32[i] >> 6 & 0x30303; |
|
262 |
+ if (bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3) { |
|
263 |
+ for (i = 0; i < PALETTE_COUNT; i++) { |
|
264 |
+ r = bytestream2_get_byteu(&gb) * 4; |
|
265 |
+ g = bytestream2_get_byteu(&gb) * 4; |
|
266 |
+ b = bytestream2_get_byteu(&gb) * 4; |
|
267 |
+ palette32[i] = 0xFFU << 24 | (r << 16) | (g << 8) | (b); |
|
268 |
+ palette32[i] |= palette32[i] >> 6 & 0x30303; |
|
269 |
+ } |
|
269 | 270 |
} |
270 | 271 |
} |
271 |
- if (p < p_end) { |
|
272 |
+ if (s->size > 0) { |
|
272 | 273 |
/* originally UnpackFrame in VAG's code */ |
273 |
- pb = p; |
|
274 |
- pb_end = p_end; |
|
275 |
- meth = *pb++; |
|
274 |
+ bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer); |
|
275 |
+ if (bytestream2_get_bytes_left(&gb) < 1) |
|
276 |
+ return; |
|
277 |
+ meth = bytestream2_get_byteu(&gb); |
|
276 | 278 |
if (meth & 0x80) { |
277 |
- lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); |
|
279 |
+ lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), |
|
280 |
+ s->unpack_buffer, s->unpack_buffer_size); |
|
278 | 281 |
meth &= 0x7F; |
279 |
- pb = s->unpack_buffer; |
|
280 |
- pb_end = s->unpack_buffer + s->unpack_buffer_size; |
|
282 |
+ bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size); |
|
281 | 283 |
} |
282 | 284 |
|
283 | 285 |
dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; |
... | ... |
@@ -287,15 +274,12 @@ static void vmd_decode(VmdVideoContext *s) |
287 | 287 |
for (i = 0; i < frame_height; i++) { |
288 | 288 |
ofs = 0; |
289 | 289 |
do { |
290 |
- if (pb_end - pb < 1) |
|
291 |
- return; |
|
292 |
- len = *pb++; |
|
290 |
+ len = bytestream2_get_byte(&gb); |
|
293 | 291 |
if (len & 0x80) { |
294 | 292 |
len = (len & 0x7F) + 1; |
295 |
- if (ofs + len > frame_width || pb_end - pb < len) |
|
293 |
+ if (ofs + len > frame_width || bytestream2_get_bytes_left(&gb) < len) |
|
296 | 294 |
return; |
297 |
- memcpy(&dp[ofs], pb, len); |
|
298 |
- pb += len; |
|
295 |
+ bytestream2_get_buffer(&gb, &dp[ofs], len); |
|
299 | 296 |
ofs += len; |
300 | 297 |
} else { |
301 | 298 |
/* interframe pixel copy */ |
... | ... |
@@ -317,10 +301,7 @@ static void vmd_decode(VmdVideoContext *s) |
317 | 317 |
|
318 | 318 |
case 2: |
319 | 319 |
for (i = 0; i < frame_height; i++) { |
320 |
- if (pb_end -pb < frame_width) |
|
321 |
- return; |
|
322 |
- memcpy(dp, pb, frame_width); |
|
323 |
- pb += frame_width; |
|
320 |
+ bytestream2_get_buffer(&gb, dp, frame_width); |
|
324 | 321 |
dp += s->frame.linesize[0]; |
325 | 322 |
pp += s->prev_frame.linesize[0]; |
326 | 323 |
} |
... | ... |
@@ -330,22 +311,16 @@ static void vmd_decode(VmdVideoContext *s) |
330 | 330 |
for (i = 0; i < frame_height; i++) { |
331 | 331 |
ofs = 0; |
332 | 332 |
do { |
333 |
- if (pb_end - pb < 1) |
|
334 |
- return; |
|
335 |
- len = *pb++; |
|
333 |
+ len = bytestream2_get_byte(&gb); |
|
336 | 334 |
if (len & 0x80) { |
337 | 335 |
len = (len & 0x7F) + 1; |
338 |
- if (pb_end - pb < 1) |
|
339 |
- return; |
|
340 |
- if (*pb++ == 0xFF) |
|
341 |
- len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs); |
|
342 |
- else { |
|
343 |
- if (pb_end - pb < len) |
|
344 |
- return; |
|
345 |
- memcpy(&dp[ofs], pb, len); |
|
346 |
- } |
|
347 |
- pb += len; |
|
348 |
- ofs += len; |
|
336 |
+ if (bytestream2_get_byte(&gb) == 0xFF) |
|
337 |
+ len = rle_unpack(gb.buffer, &dp[ofs], |
|
338 |
+ len, bytestream2_get_bytes_left(&gb), |
|
339 |
+ frame_width - ofs); |
|
340 |
+ else |
|
341 |
+ bytestream2_get_buffer(&gb, &dp[ofs], len); |
|
342 |
+ bytestream2_skip(&gb, len); |
|
349 | 343 |
} else { |
350 | 344 |
/* interframe pixel copy */ |
351 | 345 |
if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) |
... | ... |
@@ -773,13 +773,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
773 | 773 |
|
774 | 774 |
if (block_no >= wc->fdec_num && wv_alloc_frame_context(wc) < 0) { |
775 | 775 |
av_log(avctx, AV_LOG_ERROR, "Error creating frame decode context\n"); |
776 |
- return -1; |
|
776 |
+ return AVERROR_INVALIDDATA; |
|
777 | 777 |
} |
778 | 778 |
|
779 | 779 |
s = wc->fdec[block_no]; |
780 | 780 |
if (!s) { |
781 | 781 |
av_log(avctx, AV_LOG_ERROR, "Context for block %d is not present\n", block_no); |
782 |
- return -1; |
|
782 |
+ return AVERROR_INVALIDDATA; |
|
783 | 783 |
} |
784 | 784 |
|
785 | 785 |
memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr)); |
... | ... |
@@ -1022,7 +1022,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
1022 | 1022 |
case WP_ID_CHANINFO: |
1023 | 1023 |
if (size <= 1) { |
1024 | 1024 |
av_log(avctx, AV_LOG_ERROR, "Insufficient channel information\n"); |
1025 |
- return -1; |
|
1025 |
+ return AVERROR_INVALIDDATA; |
|
1026 | 1026 |
} |
1027 | 1027 |
chan = *buf++; |
1028 | 1028 |
switch (size - 2) { |
... | ... |
@@ -1041,10 +1041,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
1041 | 1041 |
chmask = avctx->channel_layout; |
1042 | 1042 |
} |
1043 | 1043 |
if (chan != avctx->channels) { |
1044 |
- av_log(avctx, AV_LOG_ERROR, "Block reports total %d channels, " |
|
1045 |
- "decoder believes it's %d channels\n", chan, |
|
1046 |
- avctx->channels); |
|
1047 |
- return -1; |
|
1044 |
+ av_log(avctx, AV_LOG_ERROR, |
|
1045 |
+ "Block reports total %d channels, " |
|
1046 |
+ "decoder believes it's %d channels\n", |
|
1047 |
+ chan, avctx->channels); |
|
1048 |
+ return AVERROR_INVALIDDATA; |
|
1048 | 1049 |
} |
1049 | 1050 |
if (!avctx->channel_layout) |
1050 | 1051 |
avctx->channel_layout = chmask; |
... | ... |
@@ -1059,31 +1060,31 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
1059 | 1059 |
|
1060 | 1060 |
if (!got_terms) { |
1061 | 1061 |
av_log(avctx, AV_LOG_ERROR, "No block with decorrelation terms\n"); |
1062 |
- return -1; |
|
1062 |
+ return AVERROR_INVALIDDATA; |
|
1063 | 1063 |
} |
1064 | 1064 |
if (!got_weights) { |
1065 | 1065 |
av_log(avctx, AV_LOG_ERROR, "No block with decorrelation weights\n"); |
1066 |
- return -1; |
|
1066 |
+ return AVERROR_INVALIDDATA; |
|
1067 | 1067 |
} |
1068 | 1068 |
if (!got_samples) { |
1069 | 1069 |
av_log(avctx, AV_LOG_ERROR, "No block with decorrelation samples\n"); |
1070 |
- return -1; |
|
1070 |
+ return AVERROR_INVALIDDATA; |
|
1071 | 1071 |
} |
1072 | 1072 |
if (!got_entropy) { |
1073 | 1073 |
av_log(avctx, AV_LOG_ERROR, "No block with entropy info\n"); |
1074 |
- return -1; |
|
1074 |
+ return AVERROR_INVALIDDATA; |
|
1075 | 1075 |
} |
1076 | 1076 |
if (s->hybrid && !got_hybrid) { |
1077 | 1077 |
av_log(avctx, AV_LOG_ERROR, "Hybrid config not found\n"); |
1078 |
- return -1; |
|
1078 |
+ return AVERROR_INVALIDDATA; |
|
1079 | 1079 |
} |
1080 | 1080 |
if (!got_bs) { |
1081 | 1081 |
av_log(avctx, AV_LOG_ERROR, "Packed samples not found\n"); |
1082 |
- return -1; |
|
1082 |
+ return AVERROR_INVALIDDATA; |
|
1083 | 1083 |
} |
1084 | 1084 |
if (!got_float && avctx->sample_fmt == AV_SAMPLE_FMT_FLT) { |
1085 | 1085 |
av_log(avctx, AV_LOG_ERROR, "Float information not found\n"); |
1086 |
- return -1; |
|
1086 |
+ return AVERROR_INVALIDDATA; |
|
1087 | 1087 |
} |
1088 | 1088 |
if (s->got_extra_bits && avctx->sample_fmt != AV_SAMPLE_FMT_FLT) { |
1089 | 1089 |
const int size = get_bits_left(&s->gb_extra_bits); |
... | ... |
@@ -1103,7 +1104,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
1103 | 1103 |
samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); |
1104 | 1104 |
|
1105 | 1105 |
if (samplecount < 0) |
1106 |
- return -1; |
|
1106 |
+ return samplecount; |
|
1107 | 1107 |
|
1108 | 1108 |
samplecount >>= 1; |
1109 | 1109 |
} else { |
... | ... |
@@ -1117,7 +1118,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, |
1117 | 1117 |
samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); |
1118 | 1118 |
|
1119 | 1119 |
if (samplecount < 0) |
1120 |
- return -1; |
|
1120 |
+ return samplecount; |
|
1121 | 1121 |
|
1122 | 1122 |
if (s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16) { |
1123 | 1123 |
int16_t *dst = (int16_t*)samples + 1; |
... | ... |
@@ -1194,7 +1195,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, |
1194 | 1194 |
if (s->samples <= 0) { |
1195 | 1195 |
av_log(avctx, AV_LOG_ERROR, "Invalid number of samples: %d\n", |
1196 | 1196 |
s->samples); |
1197 |
- return AVERROR(EINVAL); |
|
1197 |
+ return AVERROR_INVALIDDATA; |
|
1198 | 1198 |
} |
1199 | 1199 |
|
1200 | 1200 |
if (frame_flags & 0x80) { |
... | ... |
@@ -1228,13 +1229,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, |
1228 | 1228 |
av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d " |
1229 | 1229 |
"vs. %d bytes left)\n", s->block, frame_size, buf_size); |
1230 | 1230 |
wavpack_decode_flush(avctx); |
1231 |
- return -1; |
|
1231 |
+ return AVERROR_INVALIDDATA; |
|
1232 | 1232 |
} |
1233 | 1233 |
if ((samplecount = wavpack_decode_block(avctx, s->block, |
1234 | 1234 |
s->frame.data[0], got_frame_ptr, |
1235 | 1235 |
buf, frame_size)) < 0) { |
1236 | 1236 |
wavpack_decode_flush(avctx); |
1237 |
- return -1; |
|
1237 |
+ return samplecount; |
|
1238 | 1238 |
} |
1239 | 1239 |
s->block++; |
1240 | 1240 |
buf += frame_size; buf_size -= frame_size; |
... | ... |
@@ -1466,6 +1466,14 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, |
1466 | 1466 |
return; |
1467 | 1467 |
} |
1468 | 1468 |
|
1469 |
+ if (len > put_bits_left(&s->pb)) { |
|
1470 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
1471 |
+ "Cannot append %d bits, only %d bits available.\n", |
|
1472 |
+ len, put_bits_left(&s->pb)); |
|
1473 |
+ s->packet_loss = 1; |
|
1474 |
+ return; |
|
1475 |
+ } |
|
1476 |
+ |
|
1469 | 1477 |
s->num_saved_bits += len; |
1470 | 1478 |
if (!append) { |
1471 | 1479 |
avpriv_copy_bits(&s->pb, gb->buffer + (get_bits_count(gb) >> 3), |
... | ... |
@@ -65,7 +65,7 @@ static int ape_tag_read_field(AVFormatContext *s) |
65 | 65 |
void ff_ape_parse_tag(AVFormatContext *s) |
66 | 66 |
{ |
67 | 67 |
AVIOContext *pb = s->pb; |
68 |
- int file_size = avio_size(pb); |
|
68 |
+ int64_t file_size = avio_size(pb); |
|
69 | 69 |
uint32_t val, fields, tag_bytes; |
70 | 70 |
uint8_t buf[8]; |
71 | 71 |
int i; |
... | ... |
@@ -203,7 +203,8 @@ static int smacker_read_header(AVFormatContext *s, AVFormatParameters *ap) |
203 | 203 |
|
204 | 204 |
|
205 | 205 |
/* load trees to extradata, they will be unpacked by decoder */ |
206 |
- st->codec->extradata = av_malloc(smk->treesize + 16); |
|
206 |
+ st->codec->extradata = av_mallocz(smk->treesize + 16 + |
|
207 |
+ FF_INPUT_BUFFER_PADDING_SIZE); |
|
207 | 208 |
st->codec->extradata_size = smk->treesize + 16; |
208 | 209 |
if(!st->codec->extradata){ |
209 | 210 |
av_log(s, AV_LOG_ERROR, "Cannot allocate %i bytes of extradata\n", smk->treesize + 16); |
... | ... |
@@ -298,12 +299,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) |
298 | 298 |
/* if audio chunks are present, put them to stack and retrieve later */ |
299 | 299 |
for(i = 0; i < 7; i++) { |
300 | 300 |
if(flags & 1) { |
301 |
- unsigned int size; |
|
301 |
+ uint32_t size; |
|
302 | 302 |
uint8_t *tmpbuf; |
303 | 303 |
|
304 | 304 |
size = avio_rl32(s->pb) - 4; |
305 |
- if(size + 4L > frame_size) |
|
305 |
+ if (!size || size + 4L > frame_size) { |
|
306 |
+ av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); |
|
306 | 307 |
return AVERROR_INVALIDDATA; |
308 |
+ } |
|
307 | 309 |
frame_size -= size; |
308 | 310 |
frame_size -= 4; |
309 | 311 |
smk->curstream++; |