xan: Use bytestream2 to limit reading to within the buffer
authorMartin Storsjö <martin@martin.st>
Sat, 28 Sep 2013 21:53:58 +0000 (00:53 +0300)
committerLuca Barbato <lu_zero@gentoo.org>
Tue, 7 Jan 2014 08:43:57 +0000 (09:43 +0100)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 145de32896b37a508f11bcf11dfcc94487301716)

libavcodec/xan.c

index 4c4721a..3078e0a 100644 (file)
@@ -283,8 +283,8 @@ static int xan_wc3_decode_frame(XanContext *s) {
 
     /* pointers to segments inside the compressed chunk */
     const unsigned char *huffman_segment;
-    const unsigned char *size_segment;
-    const unsigned char *vector_segment;
+    GetByteContext       size_segment;
+    GetByteContext       vector_segment;
     const unsigned char *imagedata_segment;
     int huffman_offset, size_offset, vector_offset, imagedata_offset,
         imagedata_size;
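Review bot: The comment `/* pointers to segments inside the compressed chunk */` above these declarations is now stale, because `size_segment` and `vector_segment` are `GetByteContext` readers rather than pointers. Something like `/* segments inside the compressed chunk; size and vector are bounds-checked readers */` would tell the next reader which segments are length-limited and which are still raw pointers. The body of xan_wc3_decode_frame continues outside this hunk.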
@@ -304,8 +304,8 @@ static int xan_wc3_decode_frame(XanContext *s) {
         return AVERROR_INVALIDDATA;
 
     huffman_segment   = s->buf + huffman_offset;
-    size_segment      = s->buf + size_offset;
-    vector_segment    = s->buf + vector_offset;
+    bytestream2_init(&size_segment,   s->buf + size_offset,   s->size - size_offset);
+    bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
     imagedata_segment = s->buf + imagedata_offset;
 
     if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
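Review bot: `huffman_segment` and `imagedata_segment` are still assigned as raw pointers here, so only two of the four segments get a length-limited reader. Whatever bounds the other two must live outside this hunk, presumably the length passed to `xan_huffman_decode` and the `imagedata_size` declared in the first hunk. The lengths `s->size - size_offset` and `s->size - vector_offset` are also only non-negative if the check ending in `return AVERROR_INVALIDDATA;` just above rejects offsets beyond `s->size`, and that condition is not visible here. Either convert the remaining segments to `GetByteContext` in the same way, or add a short comment at this spot saying where each segment's bound is enforced.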
@@ -357,19 +357,17 @@ static int xan_wc3_decode_frame(XanContext *s) {
 
         case 9:
         case 19:
-            size = *size_segment++;
+            size = bytestream2_get_byte(&size_segment);
             break;
 
         case 10:
         case 20:
-            size = AV_RB16(&size_segment[0]);
-            size_segment += 2;
+            size = bytestream2_get_be16(&size_segment);
             break;
 
         case 11:
         case 21:
-            size = AV_RB24(size_segment);
-            size_segment += 3;
+            size = bytestream2_get_be24(&size_segment);
             break;
         }
 
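Review bot: A truncated size segment is not reported as an error in cases 9/19, 10/20 and 11/21. As far as I know the checked `bytestream2_get_*` readers return 0 once the buffer is exhausted, so `size` silently becomes 0 and decoding carries on with fabricated values. The same applies to `bytestream2_get_byte(&vector_segment)` in the last hunk, where an exhausted reader would give a (0,0) motion vector. Consider checking before each read, e.g. `if (bytestream2_get_bytes_left(&size_segment) < 1) return AVERROR_INVALIDDATA;` (with 2 and 3 for the 16- and 24-bit cases), or route it through the function's existing error path if cleanup is needed. The switch and the enclosing loop start outside this hunk.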
@@ -391,9 +389,9 @@ static int xan_wc3_decode_frame(XanContext *s) {
             }
         } else {
             /* run-based motion compensation from last frame */
-            motion_x = sign_extend(*vector_segment >> 4,  4);
-            motion_y = sign_extend(*vector_segment & 0xF, 4);
-            vector_segment++;
+            uint8_t vector = bytestream2_get_byte(&vector_segment);
+            motion_x = sign_extend(vector >> 4,  4);
+            motion_y = sign_extend(vector & 0xF, 4);
 
             /* copy a run of pixels from the previous frame */
             xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y);