Diffstat (limited to 'libavcodec/lagarith.c')
-rw-r--r-- | libavcodec/lagarith.c | 63 |
1 files changed, 38 insertions, 25 deletions
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 665bd963b9..9178f9294a 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -2,20 +2,20 @@ * Lagarith lossless decoder * Copyright (c) 2009 Nathan Caldwell <saintdev (at) gmail.com> * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -30,6 +30,7 @@ #include "mathops.h" #include "dsputil.h" #include "lagarithrac.h" +#include "thread.h" enum LagarithFrameType { FRAME_RAW = 1, /**< uncompressed */ @@ -198,7 +199,7 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) /* Comment from reference source: * if (b & 0x80 == 0) { // order of operations is 'wrong'; it has been left this way * // since the compression change is negligable and fixing it - * // breaks backwards compatibilty + * // breaks backwards compatibility * b =- (signed int)b; * b &= 0xFF; * } else { 
@@ -360,6 +361,10 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); + if(end - dst < count) { + av_log(l->avctx, AV_LOG_ERROR, "too many zeros remaining\n"); + return AVERROR_INVALIDDATA; + } memset(dst, 0, count); l->zeros_rem -= count; dst += count; @@ -369,7 +374,7 @@ output_zeros: i = 0; while (!zero_run && dst + i < end) { i++; - if (src + i >= src_end) + if (i+2 >= src_end - src) return AVERROR_INVALIDDATA; zero_run = !(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2)); @@ -389,7 +394,7 @@ output_zeros: dst += i; } } - return src_start - src; + return src - src_start; } @@ -402,7 +407,7 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst, int read = 0; uint32_t length; uint32_t offset = 1; - int esc_count = src[0]; + int esc_count; GetBitContext gb; lag_rac rac; const uint8_t *src_end = src + src_size; @@ -410,8 +415,14 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst, rac.avctx = l->avctx; l->zeros = 0; + if(src_size < 2) + return AVERROR_INVALIDDATA; + + esc_count = src[0]; if (esc_count < 4) { length = width * height; + if(src_size < 5) + return AVERROR_INVALIDDATA; if (esc_count && AV_RL32(src + 1) < length) { length = AV_RL32(src + 1); offset += 4; @@ -494,7 +505,7 @@ static int lag_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + unsigned int buf_size = avpkt->size; LagarithContext *l = avctx->priv_data; AVFrame *const p = &l->picture; uint8_t frametype = 0; @@ -506,7 +517,7 @@ static int lag_decode_frame(AVCodecContext *avctx, AVFrame *picture = data; if (p->data[0]) - avctx->release_buffer(avctx, p); + ff_thread_release_buffer(avctx, p); p->reference = 0; p->key_frame = 1; 
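Review bot: The two size guards added in the `@@ -410,8 +415,14 @@` hunk of lag_decode_arith_plane use bare constants with no explanation, and `if(src_size < 5)` also rejects input with `esc_count == 0`, for which the following `esc_count && AV_RL32(src + 1) < length` never reads the 4-byte length. If the stricter rejection is intended, a comment such as `/* 1 byte esc_count + 4 byte little-endian length */` above the check would record it; otherwise `if (esc_count && src_size < 5)` keeps the guard tied to the read it protects. The declaration of `src_size` and the rest of the function are outside the hunk, so its signedness should be confirmed against these comparisons. The file otherwise writes `if (`, not `if(`.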
@@ -520,7 +531,7 @@ static int lag_decode_frame(AVCodecContext *avctx, case FRAME_SOLID_RGBA: avctx->pix_fmt = PIX_FMT_RGB32; - if (avctx->get_buffer(avctx, p) < 0) { + if (ff_thread_get_buffer(avctx, p) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } @@ -542,7 +553,7 @@ static int lag_decode_frame(AVCodecContext *avctx, if (frametype == FRAME_ARITH_RGB24 || frametype == FRAME_U_RGB24) avctx->pix_fmt = PIX_FMT_RGB24; - if (avctx->get_buffer(avctx, p) < 0) { + if (ff_thread_get_buffer(avctx, p) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } @@ -553,7 +564,7 @@ static int lag_decode_frame(AVCodecContext *avctx, if (!l->rgb_planes) { l->rgb_stride = FFALIGN(avctx->width, 16); - l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes + 1); + l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes + 16); if (!l->rgb_planes) { av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); return AVERROR(ENOMEM); @@ -561,14 +572,13 @@ static int lag_decode_frame(AVCodecContext *avctx, } for (i = 0; i < planes; i++) srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; - if (offset_ry >= buf_size || - offset_gu >= buf_size || - offset_bv >= buf_size || - (planes == 4 && offs[3] >= buf_size)) { - av_log(avctx, AV_LOG_ERROR, - "Invalid frame offsets\n"); - return AVERROR_INVALIDDATA; - } + for (i = 0; i < planes; i++) + if (buf_size <= offs[i]) { + av_log(avctx, AV_LOG_ERROR, + "Invalid frame offsets\n"); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < planes; i++) lag_decode_arith_plane(l, srcs[i], avctx->width, avctx->height, @@ -602,7 +612,7 @@ static int lag_decode_frame(AVCodecContext *avctx, case FRAME_ARITH_YUY2: avctx->pix_fmt = PIX_FMT_YUV422P; - if (avctx->get_buffer(avctx, p) < 0) { + if (ff_thread_get_buffer(avctx, p) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } 
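Review bot: In the `@@ -520,7 +531,7 @@` hunk the result of `ff_thread_get_buffer()` is only tested for `< 0` and then replaced by `return -1`, so the caller loses the real error code, and the log text still says `get_buffer() failed`. Storing and returning the value, e.g. `if ((ret = ff_thread_get_buffer(avctx, p)) < 0) {` followed by `return ret;`, would propagate it; this assumes a suitable `ret` local in lag_decode_frame, whose declarations are only partly visible here. The same pattern repeats in the `@@ -542,7 +553,7 @@`, `@@ -602,7 +612,7 @@` and `@@ -628,10 +638,13 @@` hunks.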
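Review bot: The padding in `av_malloc(l->rgb_stride * avctx->height * planes + 16)` (hunk `@@ -553,7 +564,7 @@`) grows from 1 to 16 bytes with no comment naming the access that needs the slack. A line such as `/* +16: padding for accesses past the last row -- name the routine that needs it */` would stop a later cleanup from shrinking it again. The size expression is plain `int` arithmetic and nothing in the hunk bounds the product of stride, height and planes; presumably the frame dimensions are validated before this point, which is worth confirming.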
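Review bot: In the `@@ -561,14 +572,13 @@` hunk the loop `for (i = 0; i < planes; i++) lag_decode_arith_plane(...)` discards the return value, so the `AVERROR_INVALIDDATA` returns this commit adds inside lag_decode_arith_plane do not stop the frame from being output here. Checking the result, for example `if ((ret = lag_decode_arith_plane(...)) < 0) return ret;`, would make the new guards effective at this call site; the call's argument list continues past the hunk and a `ret` local is assumed. The new offset loop also nests a four-line `if` body in an unbraced `for`, which deserves braces.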
@@ -628,10 +638,13 @@ static int lag_decode_frame(AVCodecContext *avctx, case FRAME_ARITH_YV12: avctx->pix_fmt = PIX_FMT_YUV420P; - if (avctx->get_buffer(avctx, p) < 0) { + if (ff_thread_get_buffer(avctx, p) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } + if (buf_size <= offset_ry || buf_size <= offset_gu || buf_size <= offset_bv) { + return AVERROR_INVALIDDATA; + } if (offset_ry >= buf_size || offset_gu >= buf_size || @@ -678,7 +691,7 @@ static av_cold int lag_decode_end(AVCodecContext *avctx) LagarithContext *l = avctx->priv_data; if (l->picture.data[0]) - avctx->release_buffer(avctx, &l->picture); + ff_thread_release_buffer(avctx, &l->picture); av_freep(&l->rgb_planes); return 0; @@ -692,6 +705,6 @@ AVCodec ff_lagarith_decoder = { .init = lag_decode_init, .close = lag_decode_end, .decode = lag_decode_frame, - .capabilities = CODEC_CAP_DR1, + .capabilities = CODEC_CAP_DR1 | CODEC_CAP_FRAME_THREADS, .long_name = NULL_IF_CONFIG_SMALL("Lagarith lossless"), }; |
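Review bot: The check added in the `@@ -628,10 +638,13 @@` hunk, `if (buf_size <= offset_ry || buf_size <= offset_gu || buf_size <= offset_bv)`, tests the same condition as the existing `if (offset_ry >= buf_size || offset_gu >= buf_size || ...` that follows it, which makes that second block unreachable. The new one also returns without an `av_log`, unlike the RGB path, which logs `"Invalid frame offsets\n"`. Dropping the added block, or dropping the old one and adding `av_log(avctx, AV_LOG_ERROR, "Invalid frame offsets\n");` to the new one, leaves a single logged check; the rest of the older block is outside the hunk.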
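Review bot: The `@@ -692,6 +705,6 @@` hunk sets `CODEC_CAP_FRAME_THREADS`, but the visible part of the `ff_lagarith_decoder` initializer has no per-thread init hook, and the decoder keeps state in LagarithContext (`l->avctx`, `l->zeros_rem`, `l->rgb_planes`, `l->picture` all appear in these hunks). If thread contexts are created by copying the private data, each copy's `l->avctx` would presumably still point at the first thread's context. Confirm how the copies are initialised and record it next to the flag, for example `/* frame threads: no state is shared between LagarithContext copies */`. The initializer starts above the hunk, so a hook may be set there.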