Merge commit '905988fe1a8accbc1ab93120aa4cd29252b81cce' into release/0.10
[ffmpeg.git] / libavcodec / eamad.c
index 40fdb37..02f7eb1 100644 (file)
@@ -29,6 +29,7 @@
  */
 
 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "aandcttab.h"
@@ -143,6 +144,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 level = (level*quant_matrix[j]) >> 4;
                 level = (level-1)|1;
@@ -157,6 +163,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                 run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
 
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -168,10 +179,6 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                     level = (level-1)|1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             block[j] = level;
         }
@@ -246,32 +253,34 @@ static int decode_frame(AVCodecContext *avctx,
 {
     const uint8_t *buf = avpkt->data;
     int buf_size       = avpkt->size;
-    const uint8_t *buf_end = buf+buf_size;
     MadContext *t     = avctx->priv_data;
+    GetByteContext gb;
     MpegEncContext *s = &t->s;
     int chunk_type;
     int inter;
 
-    if (buf_size < 17) {
-        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
-        *data_size = 0;
-        return -1;
-    }
+    bytestream2_init(&gb, buf, buf_size);
 
-    chunk_type = AV_RL32(&buf[0]);
+    chunk_type = bytestream2_get_le32(&gb);
     inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
-    buf += 8;
+    bytestream2_skip(&gb, 10);
 
     av_reduce(&avctx->time_base.num, &avctx->time_base.den,
-              AV_RL16(&buf[6]), 1000, 1<<30);
+              bytestream2_get_le16(&gb), 1000, 1<<30);
+
+    s->width  = bytestream2_get_le16(&gb);
+    s->height = bytestream2_get_le16(&gb);
+    bytestream2_skip(&gb, 1);
+    calc_intra_matrix(t, bytestream2_get_byte(&gb));
+    bytestream2_skip(&gb, 2);
 
-    s->width  = AV_RL16(&buf[8]);
-    s->height = AV_RL16(&buf[10]);
-    calc_intra_matrix(t, buf[13]);
-    buf += 16;
+    if (bytestream2_get_bytes_left(&gb) < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     if (avctx->width != s->width || avctx->height != s->height) {
-        if((s->width * s->height)/2048*7 > buf_end-buf)
+        if((s->width * s->height)/2048*7 > bytestream2_get_bytes_left(&gb))
             return -1;
         if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
             return -1;
@@ -290,13 +299,14 @@ static int decode_frame(AVCodecContext *avctx,
         }
     }
 
-    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size, (buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE);
+    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size,
+                   bytestream2_get_bytes_left(&gb) + FF_INPUT_BUFFER_PADDING_SIZE);
     if (!t->bitstream_buf)
         return AVERROR(ENOMEM);
-    bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
-    memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
-    init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
-
+    bswap16_buf(t->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+                bytestream2_get_bytes_left(&gb) / 2);
+    memset((uint8_t*)t->bitstream_buf + bytestream2_get_bytes_left(&gb), 0, FF_INPUT_BUFFER_PADDING_SIZE);
+    init_get_bits(&s->gb, t->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
     for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
         for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
             if(decode_mb(t, inter) < 0)