Diffstat (limited to 'ffmpeg/libavcodec/4xm.c')
| -rw-r--r-- | ffmpeg/libavcodec/4xm.c | 200 |
1 files changed, 116 insertions, 84 deletions
diff --git a/ffmpeg/libavcodec/4xm.c b/ffmpeg/libavcodec/4xm.c index cd22aa4..eb07cc3 100644 --- a/ffmpeg/libavcodec/4xm.c +++ b/ffmpeg/libavcodec/4xm.c @@ -24,6 +24,7 @@ * 4XM codec. */ +#include "libavutil/avassert.h" #include "libavutil/frame.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -32,7 +33,6 @@ #include "get_bits.h" #include "internal.h" -#include "libavutil/avassert.h" #define BLOCK_TYPE_VLC_BITS 5 #define ACDC_VLC_BITS 9 @@ -329,12 +329,12 @@ static inline void mcdc(uint16_t *dst, const uint16_t *src, int log2w, } break; default: - av_assert2(0); + av_assert0(0); } } -static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, - int log2w, int log2h, int stride) +static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, + int log2w, int log2h, int stride) { const int index = size2index[log2h][log2w]; const int h = 1 << log2h; 
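Review bot: `av_assert0(0)` in the `default:` arm of mcdc() is compiled into every build, so an unexpected `log2w` now terminates the whole process instead of failing one frame. mcdc() returns void and its body starts outside this hunk, so whether malformed input can drive `log2w` outside the handled cases cannot be confirmed from here. If it can, the value should be rejected in decode_p_block(), which this commit changes to return int, with `return AVERROR_INVALIDDATA;` before mcdc() is called. The same consideration applies to the `av_assert0` calls added in the two decode_p_block hunks that follow and to `av_assert0(avctx->width % 16 == 0 && avctx->height % 16 == 0)` in decode_frame. If these are true invariants, each deserves a comment naming the check that guarantees it.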
@@ -343,57 +343,30 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, BLOCK_TYPE_VLC_BITS, 1); uint16_t *start = (uint16_t *)f->last_picture->data[0]; uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w); + int ret; + int scale = 1; + unsigned dc = 0; - av_assert2(code >= 0 && code <= 6); + av_assert0(code >= 0 && code <= 6 && log2w >= 0); - if (code == 0) { - if (bytestream2_get_bytes_left(&f->g) < 1) { - av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); - return; - } - src += f->mv[bytestream2_get_byteu(&f->g)]; - if (start > src || src > end) { - av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); - return; - } - mcdc(dst, src, log2w, h, stride, 1, 0); - } else if (code == 1) { + if (code == 1) { log2h--; - decode_p_block(f, dst, src, log2w, log2h, stride); - decode_p_block(f, dst + (stride << log2h), - src + (stride << log2h), log2w, log2h, stride); + if ((ret = decode_p_block(f, dst, src, log2w, log2h, stride)) < 0) + return ret; + return decode_p_block(f, dst + (stride << log2h), + src + (stride << log2h), + log2w, log2h, stride); } else if (code == 2) { log2w--; - decode_p_block(f, dst , src, log2w, log2h, stride); - decode_p_block(f, dst + (1 << log2w), - src + (1 << log2w), log2w, log2h, stride); - } else if (code == 3 && f->version < 2) { - mcdc(dst, src, log2w, h, stride, 1, 0); - } else if (code == 4) { - if (bytestream2_get_bytes_left(&f->g) < 1) { - av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); - return; - } - src += f->mv[bytestream2_get_byteu(&f->g)]; - if (start > src || src > end) { - av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); - return; - } - if (bytestream2_get_bytes_left(&f->g2) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); - return; - } - mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16u(&f->g2)); - } else if (code == 5) { - if (bytestream2_get_bytes_left(&f->g2) < 2) { - av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); - return; - } - 
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16u(&f->g2)); + if ((ret = decode_p_block(f, dst , src, log2w, log2h, stride)) < 0) + return ret; + return decode_p_block(f, dst + (1 << log2w), + src + (1 << log2w), + log2w, log2h, stride); } else if (code == 6) { if (bytestream2_get_bytes_left(&f->g2) < 4) { av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); - return; + return AVERROR_INVALIDDATA; } if (log2w) { dst[0] = bytestream2_get_le16u(&f->g2); @@ -402,7 +375,43 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, dst[0] = bytestream2_get_le16u(&f->g2); dst[stride] = bytestream2_get_le16u(&f->g2); } + return 0; + } + + if ((code&3)==0 && bytestream2_get_bytes_left(&f->g) < 1) { + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); + return AVERROR_INVALIDDATA; + } + + if (code == 0) { + src += f->mv[bytestream2_get_byte(&f->g)]; + } else if (code == 3 && f->version >= 2) { + return 0; + } else if (code == 4) { + src += f->mv[bytestream2_get_byte(&f->g)]; + if (bytestream2_get_bytes_left(&f->g2) < 2){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); + return AVERROR_INVALIDDATA; + } + dc = bytestream2_get_le16(&f->g2); + } else if (code == 5) { + if (bytestream2_get_bytes_left(&f->g2) < 2){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); + return AVERROR_INVALIDDATA; + } + av_assert0(start <= src && src <= end); + scale = 0; + dc = bytestream2_get_le16(&f->g2); } + + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return AVERROR_INVALIDDATA; + } + + mcdc(dst, src, log2w, h, stride, scale, dc); + + return 0; } static int decode_p_frame(FourXContext *f, AVFrame *frame, 
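Review bot: The `log2w >= 0` condition added to `av_assert0` runs after `size2index[log2h][log2w]` has already been read in the declarations at the top of decode_p_block (just above this hunk), so a negative value would index the table before the assertion sees it. `log2h` is decremented in the `code == 1` arm the same way `log2w` is in `code == 2`, yet it is not tested at all. Whether the VLC tables permit a split code at the smallest block size is not visible here. If they do, test both values ahead of the lookup with `if (log2w < 0 || log2h < 0) return AVERROR_INVALIDDATA;`. That requires `index` to be assigned after the test rather than in its initializer.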
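Review bot: In the `code == 0` and `code == 4` arms, `src += f->mv[bytestream2_get_byte(&f->g)]` forms the candidate pointer before `start > src || src > end` validates it, and C only defines pointer arithmetic that stays inside the array object or one past its end. That comparison is what keeps mcdc() inside `last_picture`. It would be sturdier to hold the displacement as an integer offset from `start`, compare it with `0` and `end - start`, and form `src` only once it passes. Separately, `av_assert0(start <= src && src <= end)` in the `code == 5` arm tests the condition that the shared check below already turns into `AVERROR_INVALIDDATA`, so it adds an abort path without adding coverage.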
@@ -411,16 +420,28 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame, int x, y; const int width = f->avctx->width; const int height = f->avctx->height; - uint16_t *src = (uint16_t *)f->last_picture->data[0]; uint16_t *dst = (uint16_t *)frame->data[0]; const int stride = frame->linesize[0] >> 1; + uint16_t *src; unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset; + int ret; + + if (!f->last_picture->data[0]) { + if ((ret = ff_get_buffer(f->avctx, f->last_picture, + AV_GET_BUFFER_FLAG_REF)) < 0) { + return ret; + } + for (y=0; y<f->avctx->height; y++) + memset(f->last_picture->data[0] + y*f->last_picture->linesize[0], 0, 2*f->avctx->width); + } + + src = (uint16_t *)f->last_picture->data[0]; if (f->version > 1) { extra = 20; if (length < extra) - return -1; + return AVERROR_INVALIDDATA; bitstream_size = AV_RL32(buf + 8); wordstream_size = AV_RL32(buf + 12); bytestream_size = AV_RL32(buf + 16); @@ -440,14 +461,12 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame, return AVERROR_INVALIDDATA; } - av_fast_malloc(&f->bitstream_buffer, &f->bitstream_buffer_size, - bitstream_size + FF_INPUT_BUFFER_PADDING_SIZE); + av_fast_padded_malloc(&f->bitstream_buffer, &f->bitstream_buffer_size, + bitstream_size); if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size / 4); - memset((uint8_t*)f->bitstream_buffer + bitstream_size, - 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->gb, f->bitstream_buffer, 8 * bitstream_size); wordstream_offset = extra + bitstream_size; @@ -461,7 +480,8 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame, for (y = 0; y < height; y += 8) { for (x = 0; x < width; x += 8) - decode_p_block(f, dst + x, src + x, 3, 3, stride); + if ((ret = decode_p_block(f, dst + x, src + x, 3, 3, stride)) < 0) + return ret; src += 8 * stride; dst += 8 * stride; } 
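Review bot: `f->dsp.bswap_buf(..., bitstream_size / 4)` writes only whole 32-bit words, while `init_get_bits(&f->gb, f->bitstream_buffer, 8 * bitstream_size)` exposes every byte. When `bitstream_size` is not a multiple of 4, the last one to three bytes are never written. The padding that av_fast_padded_malloc zeroes begins at `bitstream_size`, as the removed `memset` did, so that tail holds whatever the buffer contained before and can be stale or uninitialised heap data. If no check outside this hunk already rejects such sizes, handle the tail explicitly, for example `if (bitstream_size & 3) return AVERROR_INVALIDDATA;` ahead of the allocation. The `prestream_size` path in decode_i_frame has the same shape.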
@@ -484,8 +504,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) /* DC coef */ val = get_vlc2(&f->pre_gb, f->pre_vlc.table, ACDC_VLC_BITS, 3); - if (val >> 4) + if (val >> 4) { av_log(f->avctx, AV_LOG_ERROR, "error dc run != 0\n"); + return AVERROR_INVALIDDATA; + } if (val) val = get_xbits(&f->gb, val); @@ -503,7 +525,12 @@ static int decode_i_block(FourXContext *f, int16_t *block) if (code == 0xf0) { i += 16; } else { - level = get_xbits(&f->gb, code & 0xf); + if (code & 0xf) { + level = get_xbits(&f->gb, code & 0xf); + } else { + av_log(f->avctx, AV_LOG_ERROR, "0 coeff\n"); + return AVERROR_INVALIDDATA; + } i += code >> 4; if (i >= 64) { av_log(f->avctx, AV_LOG_ERROR, "run %d oveflow\n", i); @@ -582,7 +609,8 @@ static int decode_i_mb(FourXContext *f) } static const uint8_t *read_huffman_tables(FourXContext *f, - const uint8_t * const buf, int buf_size) + const uint8_t * const buf, + int buf_size) { int frequency[512] = { 0 }; uint8_t flag[512]; @@ -605,6 +633,7 @@ static const uint8_t *read_huffman_tables(FourXContext *f, av_log(f->avctx, AV_LOG_ERROR, "invalid data in read_huffman_tables\n"); return NULL; } + for (i = start; i <= end; i++) frequency[i] = *ptr++; start = *ptr++; @@ -711,9 +740,9 @@ static int decode_i2_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, color[1] = bytestream2_get_le16u(&g3); if (color[0] & 0x8000) - av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); + av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n"); if (color[1] & 0x8000) - av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); + av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n"); color[2] = mix(color[0], color[1]); color[3] = mix(color[1], color[0]); 
@@ -742,7 +771,10 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i unsigned int prestream_size; const uint8_t *prestream; - if (bitstream_size > (1<<26) || length < bitstream_size + 12) { + if (bitstream_size > (1 << 26)) + return AVERROR_INVALIDDATA; + + if (length < bitstream_size + 12) { av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); return AVERROR_INVALIDDATA; } @@ -751,14 +783,13 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i prestream = buf + bitstream_size + 12; if (prestream_size + bitstream_size + 12 != length - || bitstream_size > (1 << 26) || prestream_size > (1 << 26)) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); return AVERROR_INVALIDDATA; } - prestream = read_huffman_tables(f, prestream, buf + length - prestream); + prestream = read_huffman_tables(f, prestream, prestream_size); if (!prestream) { av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); return AVERROR_INVALIDDATA; @@ -770,14 +801,12 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i prestream_size = length + buf - prestream; - av_fast_malloc(&f->bitstream_buffer, &f->bitstream_buffer_size, - prestream_size + FF_INPUT_BUFFER_PADDING_SIZE); + av_fast_padded_malloc(&f->bitstream_buffer, &f->bitstream_buffer_size, + prestream_size); if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size / 4); - memset((uint8_t*)f->bitstream_buffer + prestream_size, - 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->pre_gb, f->bitstream_buffer, 8 * prestream_size); f->last_dc = 0 * 128 * 8 * 8; 
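Review bot: The new `bitstream_size > (1 << 26)` test returns `AVERROR_INVALIDDATA` without a message, while the `length` test right after it logs "packet size too small". A line such as `av_log(f->avctx, AV_LOG_ERROR, "bitstream size %u too large\n", bitstream_size);` would keep rejected packets diagnosable. decode_i_frame's declarations are above this hunk, so confirm the type of `bitstream_size` against the `%u` before adding it.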
@@ -806,27 +835,35 @@ static int decode_frame(AVCodecContext *avctx, void *data, AVFrame *picture = data; int i, frame_4cc, frame_size, ret; - if (buf_size < 12) + if (buf_size < 20) return AVERROR_INVALIDDATA; - frame_4cc = AV_RL32(buf); - if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20) + + av_assert0(avctx->width % 16 == 0 && avctx->height % 16 == 0); + + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); + return AVERROR_INVALIDDATA; + } + + frame_4cc = AV_RL32(buf); if (frame_4cc == AV_RL32("cfrm")) { int free_index = -1; + int id, whole_size; const int data_size = buf_size - 20; - const int id = AV_RL32(buf + 12); - const int whole_size = AV_RL32(buf + 16); CFrameBuffer *cfrm; - if (data_size < 0 || whole_size < 0) { - av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); + if (f->version <= 1) { + av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version); return AVERROR_INVALIDDATA; } - if (f->version <= 1) { - av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version); + id = AV_RL32(buf + 12); + whole_size = AV_RL32(buf + 16); + + if (data_size < 0 || whole_size < 0) { + av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); return AVERROR_INVALIDDATA; } @@ -870,6 +907,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number); + if (f->version <= 1) + return AVERROR_INVALIDDATA; + cfrm->size = cfrm->id = 0; frame_4cc = AV_RL32("pfrm"); } else 
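Review bot: `AV_RL32(buf + 4) + 8` is evaluated in 32-bit unsigned arithmetic, so a length field within 8 of the maximum wraps to a small number and `buf_size < AV_RL32(buf + 4) + 8` lets it through. The `<` test also accepts packets that carry more bytes than the header declares. Since `buf_size >= 20` is already established above, `if (AV_RL32(buf + 4) > buf_size - 8)` performs the comparison without the wrap. How the field is used after this point is outside the hunk, so the effect of an oversized value is not confirmed.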
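Review bot: The added `if (f->version <= 1) return AVERROR_INVALIDDATA;` appears to sit inside the `cfrm` branch, which already returns for `f->version <= 1` right after its declarations in the previous hunk, so on the visible lines it cannot trigger. If code between the two hunks can change `f->version` or reach this point another way, a comment should say so; otherwise the check can be dropped. It also returns without an `av_log`, unlike the earlier test, which logs "cfrm in version %d".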
@@ -900,14 +940,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, return ret; } } else if (frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")) { - if (!f->last_picture->data[0]) { - if ((ret = ff_get_buffer(avctx, f->last_picture, - AV_GET_BUFFER_FLAG_REF)) < 0) - return ret; - for (i=0; i<avctx->height; i++) - memset(f->last_picture->data[0] + i*f->last_picture->linesize[0], 0, 2*avctx->width); - } - f->current_picture->pict_type = AV_PICTURE_TYPE_P; if ((ret = decode_p_frame(f, f->current_picture, buf, frame_size)) < 0) { av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n"); @@ -984,6 +1016,7 @@ static av_cold int decode_end(AVCodecContext *avctx) AVCodec ff_fourxm_decoder = { .name = "4xm", + .long_name = NULL_IF_CONFIG_SMALL("4X Movie"), .type = AVMEDIA_TYPE_VIDEO, .id = AV_CODEC_ID_4XM, .priv_data_size = sizeof(FourXContext), @@ -991,5 +1024,4 @@ AVCodec ff_fourxm_decoder = { .close = decode_end, .decode = decode_frame, .capabilities = CODEC_CAP_DR1, - .long_name = NULL_IF_CONFIG_SMALL("4X Movie"), }; |
