Diffstat (limited to 'ffmpeg/libavcodec/h264_cavlc.c')
| -rw-r--r-- | ffmpeg/libavcodec/h264_cavlc.c | 44 |
1 files changed, 27 insertions, 17 deletions
diff --git a/ffmpeg/libavcodec/h264_cavlc.c b/ffmpeg/libavcodec/h264_cavlc.c index 63f8d78..a06203b 100644 --- a/ffmpeg/libavcodec/h264_cavlc.c +++ b/ffmpeg/libavcodec/h264_cavlc.c @@ -549,9 +549,15 @@ static int decode_residual(H264Context *h, GetBitContext *gb, int16_t *block, in if(prefix<15){ level_code = (prefix<<suffix_length) + get_bits(gb, suffix_length); }else{ - level_code = (15<<suffix_length) + get_bits(gb, prefix-3); - if(prefix>=16) + level_code = 15<<suffix_length; + if (prefix>=16) { + if(prefix > 25+3){ + av_log(h->avctx, AV_LOG_ERROR, "Invalid level prefix\n"); + return AVERROR_INVALIDDATA; + } level_code += (1<<(prefix-3))-4096; + } + level_code += get_bits(gb, prefix-3); } mask= -(level_code&1); level_code= (((2+level_code)>>1) ^ mask) - mask; @@ -706,7 +712,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){ down the code */ if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(h->mb_skip_run==-1) - h->mb_skip_run= get_ue_golomb(&h->gb); + h->mb_skip_run= get_ue_golomb_long(&h->gb); if (h->mb_skip_run--) { if(FRAME_MBAFF(h) && (h->mb_y&1) == 0){ @@ -767,6 +773,10 @@ decode_intra_mb: // We assume these blocks are very rare so we do not optimize it. h->intra_pcm_ptr = align_get_bits(&h->gb); + if (get_bits_left(&h->gb) < mb_size) { + av_log(h->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n"); + return AVERROR_INVALIDDATA; + } skip_bits_long(&h->gb, mb_size); // In deblocking, the quantizer is 0 @@ -860,7 +870,7 @@ decode_intra_mb: } for(list=0; list<h->list_count; list++){ - int ref_count= IS_REF0(mb_type) ? 1 : local_ref_count[list]; + int ref_count = IS_REF0(mb_type) ? 1 : local_ref_count[list]; for(i=0; i<4; i++){ if(IS_DIRECT(h->sub_mb_type[i])) continue; if(IS_DIR(h->sub_mb_type[i], 0, list)){ 
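Review bot: In the `prefix>=16` branch of decode_residual, the new bound `25+3` is an unexplained magic number, so a reader cannot tell which limit it protects. It appears to keep `prefix-3` within the number of bits `get_bits()` can read in one call, and the shift `1<<(prefix-3)` inside int range; that is worth confirming and stating next to the check, e.g. `/* prefix-3 bits are read with get_bits() below, which is limited to 25 bits */`. The callers visible further down this diff test `decode_residual(...) < 0` and return `-1`, so the new `AVERROR_INVALIDDATA` is not propagated, which is harmless but inconsistent. The function body starts and ends outside the hunk.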
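Review bot: After the switch to `get_ue_golomb_long()`, `h->mb_skip_run` can take a much larger bitstream-controlled value, and nothing in this hunk bounds it before `if (h->mb_skip_run--)`. If the field is a signed int (its declaration is not shown), values above INT_MAX become negative when stored and may collide with the `-1` "not yet read" sentinel. Reading into an unsigned local, rejecting values larger than the picture's macroblock count, and only then storing the result would close this; the sketch below assumes `h->mb_num` holds that count. ff_h264_decode_mb_cavlc starts and ends outside the hunk.

```c
if(h->mb_skip_run==-1) {
    unsigned mb_skip_run = get_ue_golomb_long(&h->gb);
    /* assumes h->mb_num is the number of macroblocks in the picture */
    if (mb_skip_run > h->mb_num) {
        av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);
        return AVERROR_INVALIDDATA;
    }
    h->mb_skip_run = mb_skip_run;
}
// … unchanged: if (h->mb_skip_run--) { … skip handling …
```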
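Review bot: The new intra PCM length check compares `get_bits_left(&h->gb)`, a signed bit count that can be negative after an overread, with `mb_size`, whose declaration lies outside this hunk. If `mb_size` turns out to be unsigned, a negative remainder is converted to a large unsigned value and the check passes without enough data. Confirm that `mb_size` is a signed count of bits, or make the guard explicit with `if (get_bits_left(&h->gb) < 0 || get_bits_left(&h->gb) < mb_size) {`.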
@@ -942,11 +952,11 @@ decode_intra_mb: if(IS_DIR(mb_type, 0, list)){ if(local_ref_count[list]==1){ val= 0; - }else if(local_ref_count[list]==2){ + } else if(local_ref_count[list]==2){ val= get_bits1(&h->gb)^1; }else{ val= get_ue_golomb_31(&h->gb); - if(val >= local_ref_count[list]){ + if (val >= local_ref_count[list]){ av_log(h->avctx, AV_LOG_ERROR, "ref %u overflow\n", val); return -1; } @@ -970,13 +980,13 @@ decode_intra_mb: for(i=0; i<2; i++){ unsigned int val; if(IS_DIR(mb_type, i, list)){ - if(local_ref_count[list] == 1){ + if(local_ref_count[list] == 1) { val= 0; - }else if(local_ref_count[list] == 2){ + } else if(local_ref_count[list] == 2) { val= get_bits1(&h->gb)^1; }else{ val= get_ue_golomb_31(&h->gb); - if(val >= local_ref_count[list]){ + if (val >= local_ref_count[list]){ av_log(h->avctx, AV_LOG_ERROR, "ref %u overflow\n", val); return -1; } @@ -1009,11 +1019,11 @@ decode_intra_mb: if(IS_DIR(mb_type, i, list)){ //FIXME optimize if(local_ref_count[list]==1){ val= 0; - }else if(local_ref_count[list]==2){ + } else if(local_ref_count[list]==2){ val= get_bits1(&h->gb)^1; }else{ val= get_ue_golomb_31(&h->gb); - if(val >= local_ref_count[list]){ + if (val >= local_ref_count[list]){ av_log(h->avctx, AV_LOG_ERROR, "ref %u overflow\n", val); return -1; } @@ -1112,7 +1122,7 @@ decode_intra_mb: return -1; } h->cbp_table[mb_xy] |= ret << 12; - if(CHROMA444){ + if (CHROMA444(h)) { if( decode_luma_residual(h, gb, scan, scan8x8, pixel_shift, mb_type, cbp, 1) < 0 ){ return -1; } @@ -1126,7 +1136,7 @@ decode_intra_mb: for(chroma_idx=0; chroma_idx<2; chroma_idx++) if (decode_residual(h, gb, h->mb + ((256 + 16*16*chroma_idx) << pixel_shift), CHROMA_DC_BLOCK_INDEX+chroma_idx, - CHROMA422 ? chroma422_dc_scan : chroma_dc_scan, + CHROMA422(h) ? chroma422_dc_scan : chroma_dc_scan, NULL, 4*num_c8x8) < 0) { return -1; } 
@@ -1136,12 +1146,12 @@ decode_intra_mb: for(chroma_idx=0; chroma_idx<2; chroma_idx++){ const uint32_t *qmul = h->dequant4_coeff[chroma_idx+1+(IS_INTRA( mb_type ) ? 0:3)][h->chroma_qp[chroma_idx]]; int16_t *mb = h->mb + (16*(16 + 16*chroma_idx) << pixel_shift); - for (i8x8=0; i8x8<num_c8x8; i8x8++) { - for (i4x4=0; i4x4<4; i4x4++) { - const int index= 16 + 16*chroma_idx + 8*i8x8 + i4x4; + for (i8x8 = 0; i8x8<num_c8x8; i8x8++) { + for (i4x4 = 0; i4x4 < 4; i4x4++) { + const int index = 16 + 16*chroma_idx + 8*i8x8 + i4x4; if (decode_residual(h, gb, mb, index, scan + 1, qmul, 15) < 0) return -1; - mb += 16<<pixel_shift; + mb += 16 << pixel_shift; } } } |
