diff options
Diffstat (limited to 'libavcodec/motionpixels.c')
-rw-r--r-- | libavcodec/motionpixels.c | 54 |
1 files changed, 37 insertions, 17 deletions
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 6c1efadd56..089909a4d8 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -2,20 +2,20 @@ * Motion Pixels Video Decoder * Copyright (c) 2008 Gregory Montoir (cyx@users.sourceforge.net) * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -69,6 +69,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) int w4 = (avctx->width + 3) & ~3; int h4 = (avctx->height + 3) & ~3; + if(avctx->extradata_size < 2){ + av_log(avctx, AV_LOG_ERROR, "extradata too small\n"); + return AVERROR_INVALIDDATA; + } + motionpixels_tableinit(); mp->avctx = avctx; ff_dsputil_init(&mp->dsp, avctx); @@ -76,6 +81,12 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1; mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel)); mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel)); + if (!mp->changes_map || !mp->vpt || !mp->hpt) { + av_freep(&mp->changes_map); + av_freep(&mp->vpt); + av_freep(&mp->hpt); + return AVERROR(ENOMEM); + } avctx->pix_fmt = AV_PIX_FMT_RGB555; mp->frame = av_frame_alloc(); @@ -116,38 +127,48 @@ static void mp_read_changes_map(MotionPixelsContext *mp, GetBitContext *gb, int } } -static void mp_get_code(MotionPixelsContext *mp, GetBitContext *gb, int size, int code) +static int mp_get_code(MotionPixelsContext *mp, GetBitContext *gb, int size, int code) { while (get_bits1(gb)) { ++size; if (size > mp->max_codes_bits) { av_log(mp->avctx, AV_LOG_ERROR, "invalid code size %d/%d\n", size, mp->max_codes_bits); - return; + return AVERROR_INVALIDDATA; } code <<= 1; - mp_get_code(mp, gb, size, code + 1); + if (mp_get_code(mp, gb, size, code + 1) < 0) + return AVERROR_INVALIDDATA; } if (mp->current_codes_count >= MAX_HUFF_CODES) { av_log(mp->avctx, AV_LOG_ERROR, "too many codes\n"); - return; + return AVERROR_INVALIDDATA; } + mp->codes[mp->current_codes_count ].code = code; mp->codes[mp->current_codes_count++].size = size; + return 0; } -static void mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) +static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) { if (mp->codes_count == 1) { mp->codes[0].delta = get_bits(gb, 4); } else { int i; + int ret; mp->max_codes_bits = get_bits(gb, 4); for (i = 0; i < mp->codes_count; ++i) mp->codes[i].delta = get_bits(gb, 4); mp->current_codes_count = 0; - mp_get_code(mp, gb, 0, 0); + if ((ret = mp_get_code(mp, gb, 0, 0)) < 0) + return ret; + if (mp->current_codes_count < mp->codes_count) { + av_log(mp->avctx, AV_LOG_ERROR, "too few codes\n"); + return AVERROR_INVALIDDATA; + } } + return 0; } static int mp_gradient(MotionPixelsContext *mp, int component, int v) @@ -180,7 +201,6 @@ static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) int i; i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1); - i = FFMIN(i, FF_ARRAY_ELEMS(mp->codes) - 1); return mp->codes[i].delta; } @@ -236,6 +256,8 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) YuvPixel p; int y, y0; + av_assert1(mp->changes_map[0]); + for (y = 0; y < mp->avctx->height; ++y) { if (mp->changes_map[y * mp->avctx->width] != 0) { memset(mp->gradient_scale, 1, sizeof(mp->gradient_scale)); @@ -268,19 +290,16 @@ static int mp_decode_frame(AVCodecContext *avctx, GetBitContext gb; int i, count1, count2, sz, ret; - if ((ret = ff_reget_buffer(avctx, mp->frame)) < 0) { - av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); + if ((ret = ff_reget_buffer(avctx, mp->frame)) < 0) return ret; - } /* le32 bitstream msb first */ - av_fast_malloc(&mp->bswapbuf, &mp->bswapbuf_size, buf_size + FF_INPUT_BUFFER_PADDING_SIZE); + av_fast_padded_malloc(&mp->bswapbuf, &mp->bswapbuf_size, buf_size); if (!mp->bswapbuf) return AVERROR(ENOMEM); mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4); if (buf_size & 3) memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3); - memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&gb, mp->bswapbuf, buf_size * 8); memset(mp->changes_map, 0, avctx->width * avctx->height); @@ -299,7 +318,8 @@ static int mp_decode_frame(AVCodecContext *avctx, *(uint16_t *)mp->frame->data[0] = get_bits(&gb, 15); mp->changes_map[0] = 1; } - mp_read_codes_table(mp, &gb); + if (mp_read_codes_table(mp, &gb) < 0) + goto end; sz = get_bits(&gb, 18); if (avctx->extradata[0] != 5) |