Mercurial > libavcodec.hg
annotate ac3dec.c @ 4362:0271b214458b libavcodec
harden h264 decoding to prevent some crashes when input data is corrupted.
Patch by Frank %eucloid A gmail P com%
date: Jan 18, 2007 6:48 PM
subject: Re: [Ffmpeg-devel] h264, protection against corrupted data (second try patch)
AND
date: Jan 17, 2007 8:22 PM
subject: [Ffmpeg-devel] h264, protection against corrupted data
this also fixes a possible security issue (the sps and pps ids where not checked,
then used as index into an array of sps/pps structs which was then filled with data from the bitstream)
author | gpoirier |
---|---|
date | Fri, 19 Jan 2007 09:37:04 +0000 |
parents | c8c591fe26f8 |
children |
rev | line source |
---|---|
0 | 1 /* |
2 * AC3 decoder | |
429 | 3 * Copyright (c) 2001 Fabrice Bellard. |
0 | 4 * |
3947
c8c591fe26f8
Change license headers to say 'FFmpeg' instead of 'this program/this library'
diego
parents:
3036
diff
changeset
|
5 * This file is part of FFmpeg. |
c8c591fe26f8
Change license headers to say 'FFmpeg' instead of 'this program/this library'
diego
parents:
3036
diff
changeset
|
6 * |
c8c591fe26f8
Change license headers to say 'FFmpeg' instead of 'this program/this library'
diego
parents:
3036
diff
changeset
|
7 * FFmpeg is free software; you can redistribute it and/or |
429 | 8 * modify it under the terms of the GNU Lesser General Public |
9 * License as published by the Free Software Foundation; either | |
3947
c8c591fe26f8
Change license headers to say 'FFmpeg' instead of 'this program/this library'
diego
parents:
3036
diff
changeset
|
10 * version 2.1 of the License, or (at your option) any later version. |
0 | 11 * |
3947
c8c591fe26f8
Change license headers to say 'FFmpeg' instead of 'this program/this library'
diego
parents:
3036
diff
changeset
|
12 * FFmpeg is distributed in the hope that it will be useful, |
0 | 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of |
429 | 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
15 * Lesser General Public License for more details. | |
0 | 16 * |
429 | 17 * You should have received a copy of the GNU Lesser General Public |
3947
c8c591fe26f8
Change license headers to say 'FFmpeg' instead of 'this program/this library'
diego
parents:
3036
diff
changeset
|
18 * License along with FFmpeg; if not, write to the Free Software |
3036
0b546eab515d
Update licensing information: The FSF changed postal address.
diego
parents:
2979
diff
changeset
|
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
0 | 20 */ |
1106 | 21 |
22 /** | |
23 * @file ac3dec.c | |
24 * AC3 decoder. | |
25 */ | |
26 | |
27 //#define DEBUG | |
28 | |
0 | 29 #include "avcodec.h" |
30 #include "libac3/ac3.h" | |
31 | |
32 /* currently, I use libac3 which is Copyright (C) Aaron Holtzman and | |
33 released under the GPL license. I may reimplement it someday... */ | |
34 typedef struct AC3DecodeState { | |
1064 | 35 uint8_t inbuf[4096]; /* input buffer */ |
36 uint8_t *inbuf_ptr; | |
0 | 37 int frame_size; |
38 int flags; | |
314 | 39 int channels; |
0 | 40 ac3_state_t state; |
41 } AC3DecodeState; | |
42 | |
43 static int ac3_decode_init(AVCodecContext *avctx) | |
44 { | |
45 AC3DecodeState *s = avctx->priv_data; | |
46 | |
47 ac3_init (); | |
48 s->inbuf_ptr = s->inbuf; | |
49 s->frame_size = 0; | |
50 return 0; | |
51 } | |
52 | |
53 stream_samples_t samples; | |
54 | |
55 /**** the following two functions comes from ac3dec */ | |
56 static inline int blah (int32_t i) | |
57 { | |
58 if (i > 0x43c07fff) | |
2979 | 59 return 32767; |
0 | 60 else if (i < 0x43bf8000) |
2979 | 61 return -32768; |
0 | 62 else |
2979 | 63 return i - 0x43c00000; |
0 | 64 } |
65 | |
1064 | 66 static inline void float_to_int (float * _f, int16_t * s16, int nchannels) |
0 | 67 { |
314 | 68 int i, j, c; |
2979 | 69 int32_t * f = (int32_t *) _f; // XXX assumes IEEE float format |
0 | 70 |
314 | 71 j = 0; |
72 nchannels *= 256; | |
0 | 73 for (i = 0; i < 256; i++) { |
2979 | 74 for (c = 0; c < nchannels; c += 256) |
75 s16[j++] = blah (f[i + c]); | |
0 | 76 } |
77 } | |
78 | |
79 /**** end */ | |
80 | |
81 #define HEADER_SIZE 7 | |
82 | |
2967 | 83 static int ac3_decode_frame(AVCodecContext *avctx, |
0 | 84 void *data, int *data_size, |
1064 | 85 uint8_t *buf, int buf_size) |
0 | 86 { |
87 AC3DecodeState *s = avctx->priv_data; | |
1064 | 88 uint8_t *buf_ptr; |
0 | 89 int flags, i, len; |
90 int sample_rate, bit_rate; | |
91 short *out_samples = data; | |
92 float level; | |
323 | 93 static const int ac3_channels[8] = { |
2979 | 94 2, 1, 2, 3, 3, 4, 4, 5 |
314 | 95 }; |
0 | 96 |
97 buf_ptr = buf; | |
98 while (buf_size > 0) { | |
99 len = s->inbuf_ptr - s->inbuf; | |
100 if (s->frame_size == 0) { | |
101 /* no header seen : find one. We need at least 7 bytes to parse it */ | |
102 len = HEADER_SIZE - len; | |
103 if (len > buf_size) | |
104 len = buf_size; | |
105 memcpy(s->inbuf_ptr, buf_ptr, len); | |
106 buf_ptr += len; | |
107 s->inbuf_ptr += len; | |
108 buf_size -= len; | |
109 if ((s->inbuf_ptr - s->inbuf) == HEADER_SIZE) { | |
110 len = ac3_syncinfo (s->inbuf, &s->flags, &sample_rate, &bit_rate); | |
111 if (len == 0) { | |
112 /* no sync found : move by one byte (inefficient, but simple!) */ | |
113 memcpy(s->inbuf, s->inbuf + 1, HEADER_SIZE - 1); | |
114 s->inbuf_ptr--; | |
115 } else { | |
2979 | 116 s->frame_size = len; |
0 | 117 /* update codec info */ |
118 avctx->sample_rate = sample_rate; | |
314 | 119 s->channels = ac3_channels[s->flags & 7]; |
318
21697f35a9ca
- Fixed AC3 decoding for 5:1 AC3 streams. Now when calling av_audio_decode for
pulento
parents:
314
diff
changeset
|
120 if (s->flags & AC3_LFE) |
2979 | 121 s->channels++; |
122 if (avctx->channels == 0) | |
123 /* No specific number of channel requested */ | |
124 avctx->channels = s->channels; | |
125 else if (s->channels < avctx->channels) { | |
2846
40765c51a7a9
Compilation fixes part 1 patch by (Arvind R. and Burkhard Plaum, plaum, ipf uni-stuttgart de)
michael
parents:
2028
diff
changeset
|
126 av_log( avctx, AV_LOG_INFO, "ac3dec: AC3 Source channels are less than specified: output to %d channels.. (frmsize: %d)\n", s->channels, len); |
2979 | 127 avctx->channels = s->channels; |
128 } | |
129 avctx->bit_rate = bit_rate; | |
0 | 130 } |
131 } | |
132 } else if (len < s->frame_size) { | |
133 len = s->frame_size - len; | |
134 if (len > buf_size) | |
135 len = buf_size; | |
323 | 136 |
0 | 137 memcpy(s->inbuf_ptr, buf_ptr, len); |
138 buf_ptr += len; | |
139 s->inbuf_ptr += len; | |
140 buf_size -= len; | |
141 } else { | |
318
21697f35a9ca
- Fixed AC3 decoding for 5:1 AC3 streams. Now when calling av_audio_decode for
pulento
parents:
314
diff
changeset
|
142 flags = s->flags; |
0 | 143 if (avctx->channels == 1) |
144 flags = AC3_MONO; | |
318
21697f35a9ca
- Fixed AC3 decoding for 5:1 AC3 streams. Now when calling av_audio_decode for
pulento
parents:
314
diff
changeset
|
145 else if (avctx->channels == 2) |
0 | 146 flags = AC3_STEREO; |
318
21697f35a9ca
- Fixed AC3 decoding for 5:1 AC3 streams. Now when calling av_audio_decode for
pulento
parents:
314
diff
changeset
|
147 else |
21697f35a9ca
- Fixed AC3 decoding for 5:1 AC3 streams. Now when calling av_audio_decode for
pulento
parents:
314
diff
changeset
|
148 flags |= AC3_ADJUST_LEVEL; |
0 | 149 level = 1; |
150 if (ac3_frame (&s->state, s->inbuf, &flags, &level, 384)) { | |
151 fail: | |
152 s->inbuf_ptr = s->inbuf; | |
153 s->frame_size = 0; | |
154 continue; | |
155 } | |
156 for (i = 0; i < 6; i++) { | |
157 if (ac3_block (&s->state)) | |
158 goto fail; | |
318
21697f35a9ca
- Fixed AC3 decoding for 5:1 AC3 streams. Now when calling av_audio_decode for
pulento
parents:
314
diff
changeset
|
159 float_to_int (*samples, out_samples + i * 256 * avctx->channels, avctx->channels); |
0 | 160 } |
161 s->inbuf_ptr = s->inbuf; | |
162 s->frame_size = 0; | |
1064 | 163 *data_size = 6 * avctx->channels * 256 * sizeof(int16_t); |
0 | 164 break; |
165 } | |
166 } | |
167 return buf_ptr - buf; | |
168 } | |
169 | |
170 static int ac3_decode_end(AVCodecContext *s) | |
171 { | |
172 return 0; | |
173 } | |
174 | |
175 AVCodec ac3_decoder = { | |
176 "ac3", | |
177 CODEC_TYPE_AUDIO, | |
178 CODEC_ID_AC3, | |
179 sizeof(AC3DecodeState), | |
180 ac3_decode_init, | |
181 NULL, | |
182 ac3_decode_end, | |
183 ac3_decode_frame, | |
184 }; |