Mercurial > libavcodec.hg
comparison vp3.c @ 11636:a9e758788a12 libavcodec
vp3: More buffer length checks
.5% slower to fix some crashes on invalid streams
| author | conrad |
|---|---|
| date | Fri, 16 Apr 2010 12:21:44 +0000 |
| parents | 0c2b399b2e27 |
| children | f7281af560fe |
comparison
equal
deleted
inserted
replaced
| 11635:0c2b399b2e27 | 11636:a9e758788a12 |
|---|---|
| 377 | 377 |
| 378 } else { | 378 } else { |
| 379 | 379 |
| 380 /* unpack the list of partially-coded superblocks */ | 380 /* unpack the list of partially-coded superblocks */ |
| 381 bit = get_bits1(gb); | 381 bit = get_bits1(gb); |
| 382 while (current_superblock < s->superblock_count) { | 382 while (current_superblock < s->superblock_count && get_bits_left(gb) > 0) { |
| 383 current_run = get_vlc2(gb, | 383 current_run = get_vlc2(gb, |
| 384 s->superblock_run_length_vlc.table, 6, 2) + 1; | 384 s->superblock_run_length_vlc.table, 6, 2) + 1; |
| 385 if (current_run == 34) | 385 if (current_run == 34) |
| 386 current_run += get_bits(gb, 12); | 386 current_run += get_bits(gb, 12); |
| 387 | 387 |
| 407 if (num_partial_superblocks < s->superblock_count) { | 407 if (num_partial_superblocks < s->superblock_count) { |
| 408 int superblocks_decoded = 0; | 408 int superblocks_decoded = 0; |
| 409 | 409 |
| 410 current_superblock = 0; | 410 current_superblock = 0; |
| 411 bit = get_bits1(gb); | 411 bit = get_bits1(gb); |
| 412 while (superblocks_decoded < s->superblock_count - num_partial_superblocks) { | 412 while (superblocks_decoded < s->superblock_count - num_partial_superblocks |
| 413 && get_bits_left(gb) > 0) { | |
| 413 current_run = get_vlc2(gb, | 414 current_run = get_vlc2(gb, |
| 414 s->superblock_run_length_vlc.table, 6, 2) + 1; | 415 s->superblock_run_length_vlc.table, 6, 2) + 1; |
| 415 if (current_run == 34) | 416 if (current_run == 34) |
| 416 current_run += get_bits(gb, 12); | 417 current_run += get_bits(gb, 12); |
| 417 | 418 |
| 456 for (plane = 0; plane < 3; plane++) { | 457 for (plane = 0; plane < 3; plane++) { |
| 457 int sb_start = superblock_starts[plane]; | 458 int sb_start = superblock_starts[plane]; |
| 458 int sb_end = sb_start + (plane ? s->c_superblock_count : s->y_superblock_count); | 459 int sb_end = sb_start + (plane ? s->c_superblock_count : s->y_superblock_count); |
| 459 int num_coded_frags = 0; | 460 int num_coded_frags = 0; |
| 460 | 461 |
| 461 for (i = sb_start; i < sb_end; i++) { | 462 for (i = sb_start; i < sb_end && get_bits_left(gb) > 0; i++) { |
| 462 | 463 |
| 463 /* iterate through all 16 fragments in a superblock */ | 464 /* iterate through all 16 fragments in a superblock */ |
| 464 for (j = 0; j < 16; j++) { | 465 for (j = 0; j < 16; j++) { |
| 465 | 466 |
| 466 /* if the fragment is in bounds, check its coding status */ | 467 /* if the fragment is in bounds, check its coding status */ |
| 540 | 541 |
| 541 /* iterate through all of the macroblocks that contain 1 or more | 542 /* iterate through all of the macroblocks that contain 1 or more |
| 542 * coded fragments */ | 543 * coded fragments */ |
| 543 for (sb_y = 0; sb_y < s->y_superblock_height; sb_y++) { | 544 for (sb_y = 0; sb_y < s->y_superblock_height; sb_y++) { |
| 544 for (sb_x = 0; sb_x < s->y_superblock_width; sb_x++) { | 545 for (sb_x = 0; sb_x < s->y_superblock_width; sb_x++) { |
| 546 if (get_bits_left(gb) <= 0) | |
| 547 return -1; | |
| 545 | 548 |
| 546 for (j = 0; j < 4; j++) { | 549 for (j = 0; j < 4; j++) { |
| 547 int mb_x = 2*sb_x + (j>>1); | 550 int mb_x = 2*sb_x + (j>>1); |
| 548 int mb_y = 2*sb_y + (((j>>1)+j)&1); | 551 int mb_y = 2*sb_y + (((j>>1)+j)&1); |
| 549 current_macroblock = mb_y * s->macroblock_width + mb_x; | 552 current_macroblock = mb_y * s->macroblock_width + mb_x; |
| 634 | 637 |
| 635 /* iterate through all of the macroblocks that contain 1 or more | 638 /* iterate through all of the macroblocks that contain 1 or more |
| 636 * coded fragments */ | 639 * coded fragments */ |
| 637 for (sb_y = 0; sb_y < s->y_superblock_height; sb_y++) { | 640 for (sb_y = 0; sb_y < s->y_superblock_height; sb_y++) { |
| 638 for (sb_x = 0; sb_x < s->y_superblock_width; sb_x++) { | 641 for (sb_x = 0; sb_x < s->y_superblock_width; sb_x++) { |
| 642 if (get_bits_left(gb) <= 0) | |
| 643 return -1; | |
| 639 | 644 |
| 640 for (j = 0; j < 4; j++) { | 645 for (j = 0; j < 4; j++) { |
| 641 int mb_x = 2*sb_x + (j>>1); | 646 int mb_x = 2*sb_x + (j>>1); |
| 642 int mb_y = 2*sb_y + (((j>>1)+j)&1); | 647 int mb_y = 2*sb_y + (((j>>1)+j)&1); |
| 643 current_macroblock = mb_y * s->macroblock_width + mb_x; | 648 current_macroblock = mb_y * s->macroblock_width + mb_x; |
| 818 | 823 |
| 819 if (run_length == MAXIMUM_LONG_BIT_RUN) | 824 if (run_length == MAXIMUM_LONG_BIT_RUN) |
| 820 bit = get_bits1(gb); | 825 bit = get_bits1(gb); |
| 821 else | 826 else |
| 822 bit ^= 1; | 827 bit ^= 1; |
| 823 } while (blocks_decoded < num_blocks); | 828 } while (blocks_decoded < num_blocks && get_bits_left(gb) > 0); |
| 824 | 829 |
| 825 num_blocks -= num_blocks_at_qpi; | 830 num_blocks -= num_blocks_at_qpi; |
| 826 } | 831 } |
| 827 | 832 |
| 828 return 0; | 833 return 0; |