Mercurial > libavcodec.hg
comparison qpeg.c @ 2823:6bf98adb22a1 libavcodec
security fixes
* check for writing to lines -1,-2,...
* check for motion compensation (copying from and to valid place)
patch by (Kostya: kostya shishkov, gmail com)
| author | michael |
|---|---|
| date | Sat, 13 Aug 2005 09:12:09 +0000 |
| parents | 00d9abc5f76f |
| children | ef2149182f1c |
comparison
equal
deleted
inserted
replaced
| 2822:fdedaa2e6da4 | 2823:6bf98adb22a1 |
|---|---|
| 38 int i; | 38 int i; |
| 39 int code; | 39 int code; |
| 40 int c0, c1; | 40 int c0, c1; |
| 41 int run, copy; | 41 int run, copy; |
| 42 int filled = 0; | 42 int filled = 0; |
| 43 | 43 int rows_to_go; |
| 44 | |
| 45 rows_to_go = height; | |
| 44 height--; | 46 height--; |
| 45 dst = dst + height * stride; | 47 dst = dst + height * stride; |
| 46 | 48 |
| 47 while(size > 0) { | 49 while((size > 0) && (rows_to_go > 0)) { |
| 48 code = *src++; | 50 code = *src++; |
| 49 size--; | 51 size--; |
| 50 run = copy = 0; | 52 run = copy = 0; |
| 51 if(code == 0xFC) /* end-of-picture code */ | 53 if(code == 0xFC) /* end-of-picture code */ |
| 52 break; | 54 break; |
| 83 for(i = 0; i < run; i++) { | 85 for(i = 0; i < run; i++) { |
| 84 dst[filled++] = p; | 86 dst[filled++] = p; |
| 85 if (filled >= width) { | 87 if (filled >= width) { |
| 86 filled = 0; | 88 filled = 0; |
| 87 dst -= stride; | 89 dst -= stride; |
| 90 rows_to_go--; | |
| 91 if(rows_to_go <= 0) | |
| 92 break; | |
| 88 } | 93 } |
| 89 } | 94 } |
| 90 } else { | 95 } else { |
| 96 size -= copy; | |
| 91 for(i = 0; i < copy; i++) { | 97 for(i = 0; i < copy; i++) { |
| 92 dst[filled++] = *src++; | 98 dst[filled++] = *src++; |
| 93 if (filled >= width) { | 99 if (filled >= width) { |
| 94 filled = 0; | 100 filled = 0; |
| 95 dst -= stride; | 101 dst -= stride; |
| 96 } | 102 rows_to_go--; |
| 97 } | 103 if(rows_to_go <= 0) |
| 98 size -= copy; | 104 break; |
| 105 } | |
| 106 } | |
| 99 } | 107 } |
| 100 } | 108 } |
| 101 } | 109 } |
| 102 | 110 |
| 103 static int qpeg_table_h[16] = | 111 static int qpeg_table_h[16] = |
| 111 int delta, uint8_t *ctable, uint8_t *refdata) | 119 int delta, uint8_t *ctable, uint8_t *refdata) |
| 112 { | 120 { |
| 113 int i, j; | 121 int i, j; |
| 114 int code; | 122 int code; |
| 115 int filled = 0; | 123 int filled = 0; |
| 124 int orig_height; | |
| 116 uint8_t *blkdata; | 125 uint8_t *blkdata; |
| 117 | 126 |
| 118 /* copy prev frame */ | 127 /* copy prev frame */ |
| 119 for(i = 0; i < height; i++) | 128 for(i = 0; i < height; i++) |
| 120 memcpy(refdata + (i * width), dst + (i * stride), width); | 129 memcpy(refdata + (i * width), dst + (i * stride), width); |
| 121 | 130 |
| 131 orig_height = height; | |
| 122 blkdata = src - 0x86; | 132 blkdata = src - 0x86; |
| 123 height--; | 133 height--; |
| 124 dst = dst + height * stride; | 134 dst = dst + height * stride; |
| 125 | 135 |
| 126 while(size > 0) { | 136 while((size > 0) && (height >= 0)) { |
| 127 code = *src++; | 137 code = *src++; |
| 128 size--; | 138 size--; |
| 129 | 139 |
| 130 if(delta) { | 140 if(delta) { |
| 131 /* motion compensation */ | 141 /* motion compensation */ |
| 153 val = corr & 0xF; | 163 val = corr & 0xF; |
| 154 if(val > 7) | 164 if(val > 7) |
| 155 val -= 16; | 165 val -= 16; |
| 156 me_y = val; | 166 me_y = val; |
| 157 | 167 |
| 158 /* do motion compensation */ | 168 /* check motion vector */ |
| 159 me_plane = refdata + (filled + me_x) + (height - me_y) * width; | 169 if ((me_x + filled < 0) || (me_x + me_w + filled > width) || |
| 160 for(j = 0; j < me_h; j++) { | 170 (height - me_y - me_h < 0) || (height - me_y > orig_height) || |
| 161 for(i = 0; i < me_w; i++) | 171 (filled + me_w > width) || (height - me_h < 0)) |
| 162 dst[filled + i - (j * stride)] = me_plane[i - (j * width)]; | 172 av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", |
| 173 me_x, me_y, me_w, me_h, filled, height); | |
| 174 else { | |
| 175 /* do motion compensation */ | |
| 176 me_plane = refdata + (filled + me_x) + (height - me_y) * width; | |
| 177 for(j = 0; j < me_h; j++) { | |
| 178 for(i = 0; i < me_w; i++) | |
| 179 dst[filled + i - (j * stride)] = me_plane[i - (j * width)]; | |
| 180 } | |
| 163 } | 181 } |
| 164 } | 182 } |
| 165 code = *src++; | 183 code = *src++; |
| 166 size--; | 184 size--; |
| 167 } | 185 } |
| 210 filled += skip; | 228 filled += skip; |
| 211 while( filled >= width) { | 229 while( filled >= width) { |
| 212 filled -= width; | 230 filled -= width; |
| 213 dst -= stride; | 231 dst -= stride; |
| 214 height--; | 232 height--; |
| 233 if(height < 0) | |
| 234 break; | |
| 215 } | 235 } |
| 216 } else { | 236 } else { |
| 217 /* zero code treated as one-pixel skip */ | 237 /* zero code treated as one-pixel skip */ |
| 218 if(code) | 238 if(code) |
| 219 dst[filled++] = ctable[code & 0x7F]; | 239 dst[filled++] = ctable[code & 0x7F]; |