diff options
Diffstat (limited to 'libavcodec/motionpixels.c')
-rw-r--r-- | libavcodec/motionpixels.c | 50 |
1 files changed, 36 insertions, 14 deletions
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 6a7dd23..f8aa08b 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -2,20 +2,20 @@ * Motion Pixels Video Decoder * Copyright (c) 2008 Gregory Montoir (cyx@users.sourceforge.net) * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -56,6 +56,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) int w4 = (avctx->width + 3) & ~3; int h4 = (avctx->height + 3) & ~3; + if(avctx->extradata_size < 2){ + av_log(avctx, AV_LOG_ERROR, "extradata too small\n"); + return AVERROR_INVALIDDATA; + } + motionpixels_tableinit(); mp->avctx = avctx; ff_dsputil_init(&mp->dsp, avctx); @@ -63,6 +68,12 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1; mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel)); mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel)); + if (!mp->changes_map || !mp->vpt || !mp->hpt) { + av_freep(&mp->changes_map); + av_freep(&mp->vpt); + av_freep(&mp->hpt); + return AVERROR(ENOMEM); + } avctx->pix_fmt = AV_PIX_FMT_RGB555; avcodec_get_frame_defaults(&mp->frame); return 0; @@ -97,38 +108,48 @@ static void mp_read_changes_map(MotionPixelsContext *mp, GetBitContext *gb, int } } -static void mp_get_code(MotionPixelsContext *mp, GetBitContext *gb, int size, int code) +static int mp_get_code(MotionPixelsContext *mp, GetBitContext *gb, int size, int code) { while (get_bits1(gb)) { ++size; if (size > mp->max_codes_bits) { av_log(mp->avctx, AV_LOG_ERROR, "invalid code size %d/%d\n", size, mp->max_codes_bits); - return; + return AVERROR_INVALIDDATA; } code <<= 1; - mp_get_code(mp, gb, size, code + 1); + if (mp_get_code(mp, gb, size, code + 1) < 0) + return AVERROR_INVALIDDATA; } if (mp->current_codes_count >= MAX_HUFF_CODES) { av_log(mp->avctx, AV_LOG_ERROR, "too many codes\n"); - return; + return AVERROR_INVALIDDATA; } + mp->codes[mp->current_codes_count ].code = code; mp->codes[mp->current_codes_count++].size = size; + return 0; } -static void mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) +static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) { if (mp->codes_count == 1) { mp->codes[0].delta = get_bits(gb, 4); } else { int i; + int ret; mp->max_codes_bits = get_bits(gb, 4); for (i = 0; i < mp->codes_count; ++i) mp->codes[i].delta = get_bits(gb, 4); mp->current_codes_count = 0; - mp_get_code(mp, gb, 0, 0); + if ((ret = mp_get_code(mp, gb, 0, 0)) < 0) + return ret; + if (mp->current_codes_count < mp->codes_count) { + av_log(mp->avctx, AV_LOG_ERROR, "too few codes\n"); + return AVERROR_INVALIDDATA; + } } + return 0; } static int mp_gradient(MotionPixelsContext *mp, int component, int v) @@ -216,6 +237,8 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) YuvPixel p; int y, y0; + av_assert1(mp->changes_map[0]); + for (y = 0; y < mp->avctx->height; ++y) { if (mp->changes_map[y * mp->avctx->width] != 0) { memset(mp->gradient_scale, 1, sizeof(mp->gradient_scale)); @@ -248,10 +271,8 @@ static int mp_decode_frame(AVCodecContext *avctx, GetBitContext gb; int i, count1, count2, sz, ret; - if ((ret = ff_reget_buffer(avctx, &mp->frame)) < 0) { - av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); + if ((ret = ff_reget_buffer(avctx, &mp->frame)) < 0) return ret; - } /* le32 bitstream msb first */ av_fast_malloc(&mp->bswapbuf, &mp->bswapbuf_size, buf_size + FF_INPUT_BUFFER_PADDING_SIZE); @@ -279,7 +300,8 @@ static int mp_decode_frame(AVCodecContext *avctx, *(uint16_t *)mp->frame.data[0] = get_bits(&gb, 15); mp->changes_map[0] = 1; } - mp_read_codes_table(mp, &gb); + if (mp_read_codes_table(mp, &gb) < 0) + goto end; sz = get_bits(&gb, 18); if (avctx->extradata[0] != 5) |