diff options
| author | Aneesh Dogra <lionaneesh@gmail.com> | 2011-12-20 03:54:50 +0530 |
|---|---|---|
| committer | Justin Ruggles <justin.ruggles@gmail.com> | 2011-12-20 13:17:09 -0500 |
| commit | 1443ea93d935784370f41d85e224718484b0e32c (patch) | |
| tree | 203b9b4b832aeb1951b307f308216641901c4448 /libavcodec/4xm.c | |
| parent | fd22616c593156a35b4fe6acbd3668b0802f5f84 (diff) | |
| download | ffmpeg-streaming-1443ea93d935784370f41d85e224718484b0e32c.zip ffmpeg-streaming-1443ea93d935784370f41d85e224718484b0e32c.tar.gz | |
4xm: Use bytestream2 functions to prevent overreads
Fixes Bug 110.
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Diffstat (limited to 'libavcodec/4xm.c')
| -rw-r--r-- | libavcodec/4xm.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 0ae10d5..ba8bb4a 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -132,8 +132,8 @@ typedef struct FourXContext{ AVFrame current_picture, last_picture; GetBitContext pre_gb; ///< ac/dc prefix GetBitContext gb; - const uint8_t *bytestream; - const uint16_t *wordstream; + GetByteContext g; + GetByteContext g2; int mv[256]; VLC pre_vlc; int last_dc; @@ -328,7 +328,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo assert(code>=0 && code<=6); if(code == 0){ - src += f->mv[ *f->bytestream++ ]; + src += f->mv[bytestream2_get_byte(&f->g)]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; @@ -345,21 +345,21 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo }else if(code == 3 && f->version<2){ mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ - src += f->mv[ *f->bytestream++ ]; + src += f->mv[bytestream2_get_byte(&f->g)]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; } - mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++)); + mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); }else if(code == 5){ - mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++)); + mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); }else if(code == 6){ if(log2w){ - dst[0] = av_le2ne16(*f->wordstream++); - dst[1] = av_le2ne16(*f->wordstream++); + dst[0] = bytestream2_get_le16(&f->g2); + dst[1] = bytestream2_get_le16(&f->g2); }else{ - dst[0 ] = av_le2ne16(*f->wordstream++); - dst[stride] = av_le2ne16(*f->wordstream++); + dst[0 ] = bytestream2_get_le16(&f->g2); + dst[stride] = bytestream2_get_le16(&f->g2); } } } @@ -371,7 +371,7 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ uint16_t *src= (uint16_t*)f->last_picture.data[0]; uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; - unsigned int bitstream_size, bytestream_size, wordstream_size, extra; + unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset; if(f->version>1){ extra=20; @@ -402,8 +402,10 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); - f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); - f->bytestream= buf + extra + bitstream_size + wordstream_size; + wordstream_offset = extra + bitstream_size; + bytestream_offset = extra + bitstream_size + wordstream_size; + bytestream2_init(&f->g2, buf + wordstream_offset, length - wordstream_offset); + bytestream2_init(&f->g, buf + bytestream_offset, length - bytestream_offset); init_mv(f); |
