diff options
Diffstat (limited to 'libavcodec/kmvc.c')
| -rw-r--r-- | libavcodec/kmvc.c | 47 |
1 files changed, 33 insertions, 14 deletions
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index d9fbbb0d71..edfafa0401 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -2,20 +2,20 @@ * KMVC decoder * Copyright (c) 2006 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -107,6 +107,10 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; + if ((l0x-mx) + 320*(l0y-my) < 0 || (l0x-mx) + 320*(l0y-my) > 316*196) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); + return AVERROR_INVALIDDATA; + } for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = BLK(ctx->cur, l0x + (j & 3) - mx, l0y + (j >> 2) - my); @@ -128,6 +132,10 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; + if ((l1x-mx) + 320*(l1y-my) < 0 || (l1x-mx) + 320*(l1y-my) > 318*198) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); + return AVERROR_INVALIDDATA; + } BLK(ctx->cur, l1x, l1y) = BLK(ctx->cur, l1x - mx, l1y - my); BLK(ctx->cur, l1x + 1, l1y) = BLK(ctx->cur, l1x + 1 - mx, l1y - my); @@ -199,6 +207,10 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; + if ((l0x+mx) + 320*(l0y+my) < 0 || (l0x+mx) + 320*(l0y+my) > 318*198) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); + return AVERROR_INVALIDDATA; + } for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = BLK(ctx->prev, l0x + (j & 3) + mx, l0y + (j >> 2) + my); @@ -220,6 +232,10 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; + if ((l1x+mx) + 320*(l1y+my) < 0 || (l1x+mx) + 320*(l1y+my) > 318*198) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); + return AVERROR_INVALIDDATA; + } BLK(ctx->cur, l1x, l1y) = BLK(ctx->prev, l1x + mx, l1y + my); BLK(ctx->cur, l1x + 1, l1y) = BLK(ctx->prev, l1x + 1 + mx, l1y + my); @@ -252,16 +268,17 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, int header; int blocksize; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int ret; bytestream2_init(&ctx->g, avpkt->data, avpkt->size); if (ctx->pic.data[0]) avctx->release_buffer(avctx, &ctx->pic); - ctx->pic.reference = 1; + ctx->pic.reference = 3; ctx->pic.buffer_hints = FF_BUFFER_HINTS_VALID; - if (ff_get_buffer(avctx, &ctx->pic) < 0) { + if ((ret = ff_get_buffer(avctx, &ctx->pic)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return ret; } header = bytestream2_get_byte(&ctx->g); @@ -270,7 +287,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, if (bytestream2_peek_byte(&ctx->g) == 127) { bytestream2_skip(&ctx->g, 3); for (i = 0; i < 127; i++) { - ctx->pal[i + (header & 0x81)] = bytestream2_get_be24(&ctx->g); + ctx->pal[i + (header & 0x81)] = 0xFFU << 24 | bytestream2_get_be24(&ctx->g); bytestream2_skip(&ctx->g, 1); } bytestream2_seek(&ctx->g, -127 * 4 - 3, SEEK_CUR); @@ -288,7 +305,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, ctx->pic.palette_has_changed = 1; // palette starts from index 1 and has 127 entries for (i = 1; i <= ctx->palsize; i++) { - ctx->pal[i] = bytestream2_get_be24(&ctx->g); + ctx->pal[i] = 0xFFU << 24 | bytestream2_get_be24(&ctx->g); } } @@ -309,7 +326,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, if (blocksize != 8 && blocksize != 127) { av_log(avctx, AV_LOG_ERROR, "Block size = %i\n", blocksize); - return -1; + return AVERROR_INVALIDDATA; } memset(ctx->cur, 0, 320 * 200); switch (header & KMVC_METHOD) { @@ -325,7 +342,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, break; default: av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD); - return -1; + return AVERROR_INVALIDDATA; } out = ctx->pic.data[0]; @@ -366,7 +383,7 @@ static av_cold int decode_init(AVCodecContext * avctx) if (avctx->width > 320 || avctx->height > 200) { av_log(avctx, AV_LOG_ERROR, "KMVC supports frames <= 320x200\n"); - return -1; + return AVERROR_INVALIDDATA; } c->frm0 = av_mallocz(320 * 200); @@ -375,7 +392,7 @@ static av_cold int decode_init(AVCodecContext * avctx) c->prev = c->frm1; for (i = 0; i < 256; i++) { - c->pal[i] = i * 0x10101; + c->pal[i] = 0xFFU << 24 | i * 0x10101; } if (avctx->extradata_size < 12) { @@ -384,7 +401,8 @@ static av_cold int decode_init(AVCodecContext * avctx) c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); - if (c->palsize >= MAX_PALSIZE) { + if (c->palsize >= (unsigned)MAX_PALSIZE) { + c->palsize = 127; av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); return AVERROR_INVALIDDATA; } @@ -399,6 +417,7 @@ static av_cold int decode_init(AVCodecContext * avctx) c->setpal = 1; } + avcodec_get_frame_defaults(&c->pic); avctx->pix_fmt = AV_PIX_FMT_PAL8; return 0; |