Diffstat (limited to 'libavcodec/qdm2.c')
-rw-r--r-- | libavcodec/qdm2.c | 92 |
1 files changed, 66 insertions, 26 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 269a051f69..c8727c6b1c 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -5,20 +5,20 @@ * Copyright (c) 2005 Alex Beregszaszi * Copyright (c) 2005 Roberto Togni * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -171,7 +171,7 @@ typedef struct { /// I/O data const uint8_t *compressed_data; int compressed_size; - float output_buffer[QDM2_MAX_FRAME_SIZE * 2]; + float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2]; /// Synthesis filter MPADSPContext mpadsp; @@ -345,7 +345,14 @@ static int qdm2_get_vlc (GetBitContext *gb, VLC *vlc, int flag, int depth) /* stage-3, optional */ if (flag) { - int tmp = vlc_stage3_values[value]; + int tmp; + + if (value >= 60) { + av_log(NULL, AV_LOG_ERROR, "value %d in qdm2_get_vlc too large\n", value); + return 0; + } + + tmp= vlc_stage3_values[value]; if ((value & ~3) > 0) tmp += get_bits (gb, (value >> 2)); 
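Review bot: The new bound in the stage-3 branch of qdm2_get_vlc hard-codes `60` and tests only the upper side, so it goes stale if vlc_stage3_values is ever resized. If `value` is a signed int (the `%d` in the message suggests so, but its declaration is outside the hunk), a negative value would still index the table. Assuming the table is a true array in this translation unit, deriving the limit from it covers both cases: `if ((unsigned)value >= FF_ARRAY_ELEMS(vlc_stage3_values)) {`. Returning 0 on this path is also indistinguishable from a legitimately decoded 0, so callers cannot tell corrupt input from valid data; if that is deliberate, a comment at the `return 0;` should say so.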
@@ -755,7 +762,7 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra * @param sb_min lower subband processed (sb_min included) * @param sb_max higher subband processed (sb_max excluded) */ -static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) +static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) { int sb, j, k, n, ch, run, channels; int joined_stereo, zero_encoding, chs; @@ -769,7 +776,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l for (sb=sb_min; sb < sb_max; sb++) build_sb_samples_from_noise (q, sb); - return; + return 0; } for (sb = sb_min; sb < sb_max; sb++) { @@ -789,6 +796,11 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l for (j = 0; j < 16; j++) sign_bits[j] = get_bits1 (gb); + if (q->coding_method[0][sb][0] <= 0) { + av_log(NULL, AV_LOG_ERROR, "coding method invalid\n"); + return AVERROR_INVALIDDATA; + } + for (j = 0; j < 64; j++) if (q->coding_method[1][sb][j] > q->coding_method[0][sb][j]) q->coding_method[0][sb][j] = q->coding_method[1][sb][j]; @@ -875,10 +887,11 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l case 30: if (get_bits_left(gb) >= 4) { unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1); - if (index < FF_ARRAY_ELEMS(type30_dequant)) { - samples[0] = type30_dequant[index]; - } else - samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); + if (index >= FF_ARRAY_ELEMS(type30_dequant)) { + av_log(NULL, AV_LOG_ERROR, "index %d out of type30_dequant array\n", index); + return AVERROR_INVALIDDATA; + } + samples[0] = type30_dequant[index]; } else samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); 
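Review bot: synthfilt_build_sb_samples now returns AVERROR_INVALIDDATA, but no call site in this diff is changed to check the result. The call visible as context in the `@@ -1142,7 +1166,7 @@` hunk, `synthfilt_build_sb_samples(q, &gb, length, 8, QDM2_SB_USED(q->sub_sampling));` in process_subpacket_12, still discards it. The same holds for init_quantized_coeffs_elem0 (`@@ -944,23 +959,26 @@`) and process_subpacket_9 (`@@ -1043,7 +1062,7 @@`): both are static, both change from void to int, and none of their callers appear in the patch. As written, a corrupt packet stops the helper early, but decoding presumably continues on partially filled sample and coefficient arrays. Each caller should propagate the code, e.g. `if ((ret = synthfilt_build_sb_samples(q, &gb, length, sb_min, sb_max)) < 0) return ret;`, which in turn requires the void process_subpacket_* wrappers to return int.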
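Review bot: In the type-30 branch `index` is declared `unsigned` but logged with `%d`, a signedness mismatch that `-Wformat-signedness` reports; the type-34 branch in the `@@ -894,11 +907,12 @@` hunk has the same pattern. Use `%u` in both, e.g. `av_log(NULL, AV_LOG_ERROR, "index %u out of type30_dequant array\n", index);`. Both messages also pass NULL as the logging context, so the line cannot be attributed to a decoder instance. If QDM2Context can reach the AVCodecContext (not visible in this diff), passing it would be preferable.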
@@ -894,11 +907,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_first = 0; } else { unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); - if (index < FF_ARRAY_ELEMS(type34_delta)) { - samples[0] = type34_delta[index] / type34_div + type34_predictor; - type34_predictor = samples[0]; - } else - samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); + if (index >= FF_ARRAY_ELEMS(type34_delta)) { + av_log(NULL, AV_LOG_ERROR, "index %d out of type34_delta array\n", index); + return AVERROR_INVALIDDATA; + } + samples[0] = type34_delta[index] / type34_div + type34_predictor; + type34_predictor = samples[0]; } } else { samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); @@ -933,6 +947,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } // j loop } // channel loop } // subband loop + return 0; } @@ -944,23 +959,26 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l * @param quantized_coeffs pointer to quantized_coeffs[ch][0] * @param gb bitreader context */ -static void init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext *gb) +static int init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext *gb) { int i, k, run, level, diff; if (get_bits_left(gb) < 16) - return; + return -1; level = qdm2_get_vlc(gb, &vlc_tab_level, 0, 2); quantized_coeffs[0] = level; for (i = 0; i < 7; ) { if (get_bits_left(gb) < 16) - break; + return -1; run = qdm2_get_vlc(gb, &vlc_tab_run, 0, 1) + 1; + if (i + run >= 8) + return -1; + if (get_bits_left(gb) < 16) - break; + return -1; diff = qdm2_get_se_vlc(&vlc_tab_diff, gb, 2); for (k = 1; k <= run; k++) @@ -969,6 +987,7 @@ static void init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext level += diff; i += run; } + return 0; } 
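Review bot: The failure paths added to init_quantized_coeffs_elem0 return a bare `-1`, whereas synthfilt_build_sb_samples in the same commit returns AVERROR_INVALIDDATA. The check in process_subpacket_9 (`@@ -1061,6 +1080,9 @@`) and the new guard in qdm2_decode (`@@ -1863,6 +1900,9 @@`) use `-1` as well. If these values ever reach the libavcodec caller, -1 will read as an unrelated errno-style code rather than "invalid data", so `return AVERROR_INVALIDDATA;` on all of them would keep the file consistent. Note also that `quantized_coeffs[0] = level;` has already been written when the later checks fail, so the doc comment above the function should state that the array is left partially updated on error.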
@@ -1043,7 +1062,7 @@ static void init_tone_level_dequantization (QDM2Context *q, GetBitContext *gb) * @param q context * @param node pointer to node with packet */ -static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) +static int process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) { GetBitContext gb; int i, j, k, n, ch, run, level, diff; @@ -1061,6 +1080,9 @@ static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) run = qdm2_get_vlc(&gb, &vlc_tab_run, 0, 1) + 1; diff = qdm2_get_se_vlc(&vlc_tab_diff, &gb, 2); + if (j + run >= 8) + return -1; + for (k = 1; k <= run; k++) q->quantized_coeffs[ch][i][j + k] = (level + ((k*diff) / run)); @@ -1072,6 +1094,8 @@ static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) for (ch = 0; ch < q->nb_channels; ch++) for (i = 0; i < 8; i++) q->quantized_coeffs[ch][0][i] = 0; + + return 0; } @@ -1142,7 +1166,7 @@ static void process_subpacket_12 (QDM2Context *q, QDM2SubPNode *node) synthfilt_build_sb_samples(q, &gb, length, 8, QDM2_SB_USED(q->sub_sampling)); } -/* +/** * Process new subpackets for synthesis filter * * @param q context @@ -1176,7 +1200,7 @@ static void process_synthesis_subpackets (QDM2Context *q, QDM2SubPNode *list) } -/* +/** * Decode superblock, fill packet lists. * * @param q context @@ -1234,6 +1258,11 @@ static void qdm2_decode_super_block (QDM2Context *q) for (i = 0; packet_bytes > 0; i++) { int j; + if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) { + SAMPLES_NEEDED_2("too many packet bytes"); + return; + } + q->sub_packet_list_A[i].next = NULL; if (i > 0) { 
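Review bot: The `return -1` added inside the run loop of process_subpacket_9 exits before the trailing loop shown in the following hunk, `q->quantized_coeffs[ch][0][i] = 0;`, so on corrupt input that clearing is skipped and the rows written so far stay in place. The pre-patch code always ran the clearing loop, and the caller (not in this diff) gives no sign of checking the new return value. Either jump to the clearing code before returning the error, or document the contract above the function, for example `@return 0 on success, negative on invalid data; quantized_coeffs is then partially updated and must not be used`. Unlike init_quantized_coeffs_elem0, no get_bits_left() test is visible before the two VLC reads in this hunk, though one may exist outside it.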
@@ -1332,9 +1361,14 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * local_int_10 = 1 << (q->group_order - duration - 1); offset = 1; - while (1) { + while (get_bits_left(gb)>0) { if (q->superblocktype_2_3) { while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) { + if (get_bits_left(gb)<0) { + if(local_int_4 < q->group_size) + av_log(NULL, AV_LOG_ERROR, "overread in qdm2_fft_decode_tones()\n"); + return; + } offset = 1; if (n == 0) { local_int_4 += local_int_10; @@ -1762,8 +1796,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); extradata += 4; - if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) + if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); return AVERROR_INVALIDDATA; + } avctx->channel_layout = avctx->channels == 2 ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; @@ -1790,6 +1826,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > QDM2_MAX_FRAME_SIZE) return AVERROR_INVALIDDATA; @@ -1863,6 +1900,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) int ch, i; const int frame_size = (q->frame_size * q->channels); + if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2) + return -1; + /* select input buffer */ q->compressed_data = in; q->compressed_size = q->checksum_size; |
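Review bot: The over-read test added inside the inner loop of qdm2_fft_decode_tones runs only after `qdm2_get_vlc()` has already consumed bits, and it fires on `get_bits_left(gb)<0`, so with exactly zero bits left the loop performs one more read before anything is detected. This reports the over-read rather than preventing it, and is safe only if the bit reader tolerates reads into the padding after the packet. A comment at the check would make that dependency explicit, for example `/* detected after the fact: relies on the padded input buffer absorbing the over-read */`. Only the `superblocktype_2_3` branch is visible here; the rest of the loop body is outside the hunk and may need the same guard if it reads in a loop.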
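Review bot: The `/2` in the guard added at the top of qdm2_decode is unexplained. With output_buffer sized `QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2` in the struct hunk of this commit, the limit works out to QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS. A one-line comment would save the next reader the arithmetic, for example `/* frame_size * channels may occupy at most half of output_buffer */`. The function continues outside the hunk, so the reason only half is usable cannot be confirmed from here.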