Diffstat (limited to 'libavcodec/eamad.c')
-rw-r--r--libavcodec/eamad.c55
1 files changed, 35 insertions, 20 deletions
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index c7183896d6..7fef1c8127 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -2,20 +2,20 @@
* Electronic Arts Madcow Video Decoder
* Copyright (c) 2007-2009 Peter Ross
*
- * This file is part of Libav.
+ * This file is part of FFmpeg.
*
- * Libav is free software; you can redistribute it and/or
+ * FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
- * Libav is distributed in the hope that it will be useful,
+ * FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
- * License along with Libav; if not, write to the Free Software
+ * License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
@@ -94,15 +94,21 @@ static inline void comp_block(MadContext *t, AVFrame *frame,
int j, int mv_x, int mv_y, int add)
{
if (j < 4) {
+ unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame->linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+ if (offset >= (t->avctx->height - 7) * t->last_frame->linesize[0] - 7)
+ return;
comp(frame->data[0] + (mb_y*16 + ((j&2)<<2))*frame->linesize[0] + mb_x*16 + ((j&1)<<3),
frame->linesize[0],
- t->last_frame->data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame->linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x,
+ t->last_frame->data[0] + offset,
t->last_frame->linesize[0], add);
} else if (!(t->avctx->flags & CODEC_FLAG_GRAY)) {
int index = j - 3;
+ unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame->linesize[index] + mb_x * 8 + (mv_x/2);
+ if (offset >= (t->avctx->height/2 - 7) * t->last_frame->linesize[index] - 7)
+ return;
comp(frame->data[index] + (mb_y*8)*frame->linesize[index] + mb_x * 8,
frame->linesize[index],
- t->last_frame->data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame->linesize[index] + mb_x * 8 + (mv_x/2),
+ t->last_frame->data[index] + offset,
t->last_frame->linesize[index], add);
}
}
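Review bot: The guard added in both branches of comp_block bounds a flattened byte offset, and the assumptions that make it sufficient are not stated at the check. It relies on a negative offset wrapping to a large `unsigned` value, on `linesize` being positive, and on `(height - 7) * linesize - 7` being positive, which only the `width < 16 || height < 16` rejection added in decode_frame guarantees. It also does not constrain the column, so a vector that crosses the left or right edge passes the test and reads from the neighbouring row, which stays inside the plane but is not the intended pixels. The `- 7` terms suggest comp() reads an 8x8 block (its body is not in the hunk), so I would add above each check a comment such as `/* 8x8 read: last byte touched is offset + 7*linesize + 7; negative offsets wrap to large unsigned values and are rejected */`.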
@@ -122,7 +128,7 @@ static inline void idct_put(MadContext *t, AVFrame *frame, int16_t *block,
}
}
-static inline void decode_block_intra(MadContext *s, int16_t * block)
+static inline int decode_block_intra(MadContext *s, int16_t * block)
{
int level, i, j, run;
RLTable *rl = &ff_rl_mpeg1;
@@ -148,7 +154,7 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
if (i > 63) {
av_log(s->avctx, AV_LOG_ERROR,
"ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
- return;
+ return -1;
}
j = scantable[i];
level = (level*quant_matrix[j]) >> 4;
@@ -167,7 +173,7 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
if (i > 63) {
av_log(s->avctx, AV_LOG_ERROR,
"ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
- return;
+ return -1;
}
j = scantable[i];
if (level < 0) {
@@ -185,6 +191,7 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
}
CLOSE_READER(re, &s->gb);
}
+ return 0;
}
static int decode_motion(GetBitContext *gb)
@@ -198,10 +205,10 @@ static int decode_motion(GetBitContext *gb)
return value;
}
-static void decode_mb(MadContext *s, AVFrame *frame, int inter)
+static int decode_mb(MadContext *s, AVFrame *frame, int inter)
{
int mv_map = 0;
- int mv_x, mv_y;
+ int av_uninit(mv_x), av_uninit(mv_y);
int j;
if (inter) {
@@ -210,21 +217,22 @@ static void decode_mb(MadContext *s, AVFrame *frame, int inter)
mv_map = v ? get_bits(&s->gb, 6) : 63;
mv_x = decode_motion(&s->gb);
mv_y = decode_motion(&s->gb);
- } else {
- mv_map = 0;
}
}
for (j=0; j<6; j++) {
if (mv_map & (1<<j)) { // mv_x and mv_y are guarded by mv_map
int add = 2*decode_motion(&s->gb);
- comp_block(s, frame, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
+ if (s->last_frame->data[0])
+ comp_block(s, frame, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
} else {
s->bdsp.clear_block(s->block);
- decode_block_intra(s, s->block);
+ if(decode_block_intra(s, s->block) < 0)
+ return -1;
idct_put(s, frame, s->block, s->mb_x, s->mb_y, j);
}
}
+ return 0;
}
static void calc_quant_matrix(MadContext *s, int qscale)
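Review bot: When `s->last_frame->data[0]` is NULL the inter block is skipped without anything being written to `frame`, and the early returns added to comp_block have the same effect. Whether the buffer returned by ff_get_buffer is cleared is not visible here; if it comes from a reused pool, the skipped regions would carry whatever an earlier frame left there into the output picture. Consider giving the block a defined fill, or treating the condition as an error like the `decode_block_intra` failure, and document the guard with something like `/* no reference: the motion delta is still read to keep the bitstream in sync, the block is left untouched */`. decode_mb starts in the previous hunk.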
@@ -269,16 +277,21 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
}
+ if (width < 16 || height < 16) {
+ av_log(avctx, AV_LOG_ERROR, "Dimensions too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if (avctx->width != width || avctx->height != height) {
av_frame_unref(s->last_frame);
+ if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb))
+ return AVERROR_INVALIDDATA;
if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
return ret;
}
- if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) {
- av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+ if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
return ret;
- }
if (inter && !s->last_frame->data[0]) {
av_log(avctx, AV_LOG_WARNING, "Missing reference frame.\n");
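Review bot: `(width * height)/2048*7` is evaluated in `int` before `ff_set_dimensions` has validated the dimensions, so a large pair can overflow the signed product, which is undefined behaviour and makes the size test unreliable. How `width` and `height` are parsed is above the hunk; if each can hold a 16-bit value the product can exceed INT_MAX. Widening one operand keeps the test meaningful: `if ((width * (int64_t)height) / 2048 * 7 > bytestream2_get_bytes_left(&gb))`. The check also runs after `av_frame_unref(s->last_frame)` and returns without a log message, so a rejected packet silently drops the reference frame while the context keeps its old dimensions. decode_frame starts and ends outside the hunk.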
@@ -299,11 +312,13 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR(ENOMEM);
s->bbdsp.bswap16_buf(s->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
bytestream2_get_bytes_left(&gb) / 2);
+ memset((uint8_t*)s->bitstream_buf + bytestream2_get_bytes_left(&gb), 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&s->gb, s->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
- decode_mb(s, frame, inter);
+ if(decode_mb(s, frame, inter) < 0)
+ return AVERROR_INVALIDDATA;
*got_frame = 1;
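Review bot: With an odd number of remaining bytes, the last input byte of `s->bitstream_buf` is never initialised: `bswap16_buf` writes `bytes_left / 2` 16-bit words, the new `memset` starts at `bytes_left`, and `init_get_bits` is told the buffer holds `8 * bytes_left` bits. The allocation is above the hunk, so whether that byte is zeroed there cannot be seen from here. Rounding the length down once and using it for the padding and the bit reader closes the gap: `int len = bytestream2_get_bytes_left(&gb) & ~1;`, then `memset((uint8_t*)s->bitstream_buf + len, 0, FF_INPUT_BUFFER_PADDING_SIZE);` and `init_get_bits(&s->gb, s->bitstream_buf, 8 * len);`. decode_frame starts and ends outside the hunk.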
@@ -320,7 +335,7 @@ static av_cold int decode_end(AVCodecContext *avctx)
{
MadContext *t = avctx->priv_data;
av_frame_free(&t->last_frame);
- av_free(t->bitstream_buf);
+ av_freep(&t->bitstream_buf);
return 0;
}