Merge commit 'c85e5f13f6ac9c4c90125e7671d89009e57f9df9' into release/1.1
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 4 Feb 2014 05:05:36 +0000 (06:05 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 4 Feb 2014 05:05:36 +0000 (06:05 +0100)
* commit 'c85e5f13f6ac9c4c90125e7671d89009e57f9df9':
  cavs: Check for negative cbp
  avi: DV in AVI must be considered single stream
  vmnc: Check the cursor dimensions
  vmnc: Port to bytestream2

Conflicts:
libavcodec/cavsdec.c
libavcodec/vmnc.c
libavformat/avidec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/cavsdec.c
libavcodec/vmnc.c
libavformat/avidec.c

@@@ -604,8 -602,8 +604,9 @@@ static inline int decode_residual_inter
  
      /* get coded block pattern */
      int cbp = get_ue_golomb(&h->gb);
-     if (cbp > 63U) {
-         av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp\n");
++
+     if (cbp > 63 || cbp < 0) {
+         av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
          return -1;
      }
      h->cbp = cbp_tab[cbp][1];
@@@ -294,19 -286,12 +286,17 @@@ static int decode_hextile(VmncContext *
                      return -1;
                  }
                  for (k = 0; k < rects; k++) {
-                     if (color) {
-                         fg = vmnc_get_pixel(src, bpp, c->bigendian);
-                         src += bpp;
-                     }
-                     xy = *src++;
-                     wh = *src++;
+                     if (color)
+                         fg = vmnc_get_pixel(gb, bpp, c->bigendian);
+                     xy = bytestream2_get_byte(gb);
+                     wh = bytestream2_get_byte(gb);
 +                    if (   (xy >> 4) + (wh >> 4) + 1 > w - i
 +                        || (xy & 0xF) + (wh & 0xF)+1 > h - j) {
 +                        av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n");
 +                        return AVERROR_INVALIDDATA;
 +                    }
-                     paint_rect(dst2, xy >> 4, xy & 0xF, (wh >> 4) + 1,
-                                (wh & 0xF) + 1, fg, bpp, stride);
+                     paint_rect(dst2, xy >> 4, xy & 0xF,
+                                (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
                  }
              }
          }
@@@ -321,11 -314,11 +319,11 @@@ static int decode_frame(AVCodecContext 
      const uint8_t *buf = avpkt->data;
      int buf_size       = avpkt->size;
      VmncContext * const c = avctx->priv_data;
+     GetByteContext *gb = &c->gb;
      uint8_t *outptr;
-     const uint8_t *src = buf;
      int dx, dy, w, h, depth, enc, chunks, res, size_left;
  
 -    c->pic.reference = 1;
 +    c->pic.reference = 3;
      c->pic.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
      if(avctx->reget_buffer(avctx, &c->pic) < 0){
          av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
              }
          }
      }
-     src += 2;
-     chunks = AV_RB16(src);
-     src += 2;
-     while(chunks--) {
-         if(buf_size - (src - buf) < 12) {
+     bytestream2_skip(gb, 2);
+     chunks = bytestream2_get_be16(gb);
+     while (chunks--) {
++        if (bytestream2_get_bytes_left(gb) < 12) {
 +            av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n");
 +            return -1;
 +        }
-         dx  = AV_RB16(src);
-         src += 2;
-         dy  = AV_RB16(src);
-         src += 2;
-         w   = AV_RB16(src);
-         src += 2;
-         h   = AV_RB16(src);
-         src += 2;
-         enc = AV_RB32(src);
-         src += 4;
+         dx  = bytestream2_get_be16(gb);
+         dy  = bytestream2_get_be16(gb);
+         w   = bytestream2_get_be16(gb);
+         h   = bytestream2_get_be16(gb);
+         enc = bytestream2_get_be32(gb);
          outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
-         size_left = buf_size - (src - buf);
+         size_left = bytestream2_get_bytes_left(gb);
          switch (enc) {
          case MAGIC_WMVd: // cursor
 -            if (size_left < 2 + w * h * c->bpp2 * 2) {
 +            if (w*(int64_t)h*c->bpp2 > INT_MAX/2 - 2) {
 +                av_log(avctx, AV_LOG_ERROR, "dimensions too large\n");
 +                return AVERROR_INVALIDDATA;
 +            }
 +            if(size_left < 2 + w * h * c->bpp2 * 2) {
                  av_log(avctx, AV_LOG_ERROR,
                         "Premature end of data! (need %i got %i)\n",
                         2 + w * h * c->bpp2 * 2, size_left);
@@@ -1458,9 -1288,15 +1458,15 @@@ static int avi_read_seek(AVFormatContex
      AVIContext *avi = s->priv_data;
      AVStream *st;
      int i, index;
 -    int64_t pos;
 +    int64_t pos, pos_min;
      AVIStream *ast;
  
+     /* Does not matter which stream is requested dv in avi has the
+      * stream information in the first video stream.
+      */
+     if (avi->dv_demux)
+         stream_index = 0;
      if (!avi->index_loaded) {
          /* we only load the index on demand */
          avi_load_index(s);
          /* One and only one real stream for DV in AVI, and it has video  */
          /* offsets. Calling with other stream indexes should have failed */
          /* the av_index_search_timestamp call above.                     */
-         av_assert0(stream_index == 0);
 +        if(avio_seek(s->pb, pos, SEEK_SET) < 0)
 +            return -1;
  
          /* Feed the DV video stream version of the timestamp to the */
          /* DV demux so it can synthesize correct timestamps.        */