diff options
Diffstat (limited to 'libavcodec/qdm2.c')
| -rw-r--r-- | libavcodec/qdm2.c | 67 |
1 files changed, 49 insertions, 18 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 54782a2..c38282f 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -5,20 +5,20 @@ * Copyright (c) 2005 Alex Beregszaszi * Copyright (c) 2005 Roberto Togni * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -169,7 +169,7 @@ typedef struct { /// I/O data const uint8_t *compressed_data; int compressed_size; - float output_buffer[QDM2_MAX_FRAME_SIZE * 2]; + float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2]; /// Synthesis filter MPADSPContext mpadsp; @@ -343,7 +343,14 @@ static int qdm2_get_vlc (GetBitContext *gb, VLC *vlc, int flag, int depth) /* stage-3, optional */ if (flag) { - int tmp = vlc_stage3_values[value]; + int tmp; + + if (value >= 60) { + av_log(0, AV_LOG_ERROR, "value %d in qdm2_get_vlc too large\n", value); + return 0; + } + + tmp= vlc_stage3_values[value]; if ((value & ~3) > 0) tmp += get_bits (gb, (value >> 2)); @@ -761,7 +768,7 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra * @param sb_min lower subband processed (sb_min included) * @param sb_max higher subband processed (sb_max excluded) */ -static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) +static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) { int sb, j, k, n, ch, run, channels; int joined_stereo, zero_encoding, chs; @@ -775,7 +782,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l for (sb=sb_min; sb < sb_max; sb++) build_sb_samples_from_noise (q, sb); - return; + return 0; } for (sb = sb_min; sb < sb_max; sb++) { @@ -879,9 +886,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l break; case 30: - if (get_bits_left(gb) >= 4) - samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)]; - else + if (get_bits_left(gb) >= 4) { + unsigned v = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1); + if (v >= FF_ARRAY_ELEMS(type30_dequant)) + return AVERROR_INVALIDDATA; + samples[0] = type30_dequant[v]; + } else samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); run = 1; @@ -895,7 +905,10 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_predictor = samples[0]; type34_first = 0; } else { - samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor; + unsigned v = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); + if (v >= FF_ARRAY_ELEMS(type34_delta)) + return AVERROR_INVALIDDATA; + samples[0] = type34_delta[v] / type34_div + type34_predictor; type34_predictor = samples[0]; } } else { @@ -931,6 +944,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } // j loop } // channel loop } // subband loop + return 0; } @@ -942,23 +956,26 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l * @param quantized_coeffs pointer to quantized_coeffs[ch][0] * @param gb bitreader context */ -static void init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext *gb) +static int init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext *gb) { int i, k, run, level, diff; if (get_bits_left(gb) < 16) - return; + return -1; level = qdm2_get_vlc(gb, &vlc_tab_level, 0, 2); quantized_coeffs[0] = level; for (i = 0; i < 7; ) { if (get_bits_left(gb) < 16) - break; + return -1; run = qdm2_get_vlc(gb, &vlc_tab_run, 0, 1) + 1; + if (i + run >= 8) + return -1; + if (get_bits_left(gb) < 16) - break; + return -1; diff = qdm2_get_se_vlc(&vlc_tab_diff, gb, 2); for (k = 1; k <= run; k++) @@ -967,6 +984,7 @@ static void init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext level += diff; i += run; } + return 0; } @@ -1041,7 +1059,7 @@ static void init_tone_level_dequantization (QDM2Context *q, GetBitContext *gb) * @param q context * @param node pointer to node with packet */ -static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) +static int process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) { GetBitContext gb; int i, j, k, n, ch, run, level, diff; @@ -1059,6 +1077,9 @@ static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) run = qdm2_get_vlc(&gb, &vlc_tab_run, 0, 1) + 1; diff = qdm2_get_se_vlc(&vlc_tab_diff, &gb, 2); + if (j + run >= 8) + return -1; + for (k = 1; k <= run; k++) q->quantized_coeffs[ch][i][j + k] = (level + ((k*diff) / run)); @@ -1070,6 +1091,8 @@ static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) for (ch = 0; ch < q->nb_channels; ch++) for (i = 0; i < 8; i++) q->quantized_coeffs[ch][0][i] = 0; + + return 0; } @@ -1332,9 +1355,13 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * local_int_10 = 1 << (q->group_order - duration - 1); offset = 1; - while (1) { + while (get_bits_left(gb)>0) { if (q->superblocktype_2_3) { while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) { + if (get_bits_left(gb)<0) { + av_log(0, AV_LOG_ERROR, "overread in qdm2_fft_decode_tones()\n"); + return; + } offset = 1; if (n == 0) { local_int_4 += local_int_10; @@ -1833,6 +1860,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > QDM2_MAX_FRAME_SIZE) return AVERROR_INVALIDDATA; @@ -1907,6 +1935,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) int ch, i; const int frame_size = (q->frame_size * q->channels); + if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2) + return -1; + /* select input buffer */ q->compressed_data = in; q->compressed_size = q->checksum_size; |
