From 1098f5c0495c61a98d4ff6b8e24c17974d4bace5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 12 Mar 2016 17:46:36 +0100 Subject: [PATCH] svq3: Use a separate buffer for decoding the slices The AVPacket.data should be considered read-only. --- libavcodec/svq3.c | 55 +++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 80bc46abdb..90b20af72f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -75,10 +75,12 @@ typedef struct SVQ3Context { H264Picture *cur_pic; H264Picture *next_pic; H264Picture *last_pic; + GetBitContext gb; + uint8_t *slice_buf; + int slice_size; int halfpel_flag; int thirdpel_flag; int unknown_flag; - int next_slice_index; uint32_t watermark_key; int adaptive_quant; int next_p_frame_damaged; @@ -780,37 +782,43 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) int i, header; unsigned slice_id; - header = get_bits(&h->gb, 8); + header = get_bits(&s->gb, 8); if (((header & 0x9F) != 1 && (header & 0x9F) != 2) || (header & 0x60) == 0) { /* TODO: what? */ av_log(avctx, AV_LOG_ERROR, "unsupported slice header (%02X)\n", header); return -1; } else { + int slice_bits, slice_bytes, slice_length; int length = header >> 5 & 3; - s->next_slice_index = get_bits_count(&h->gb) + - 8 * show_bits(&h->gb, 8 * length) + - 8 * length; + slice_length = show_bits(&s->gb, 8 * length); + slice_bits = slice_length * 8; + slice_bytes = slice_length + length - 1; - if (s->next_slice_index > h->gb.size_in_bits) { + if (slice_bytes > get_bits_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); return -1; } - h->gb.size_in_bits = s->next_slice_index - 8 * (length - 1); - skip_bits(&h->gb, 8); + skip_bits(&s->gb, 8); + + av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE); + if (!s->slice_buf) + return AVERROR(ENOMEM); + + memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes); + + init_get_bits(&h->gb, s->slice_buf, slice_bits); if (s->watermark_key) { - uint32_t header = AV_RL32(&h->gb.buffer[(get_bits_count(&h->gb) >> 3) + 1]); - AV_WL32(&h->gb.buffer[(get_bits_count(&h->gb) >> 3) + 1], - header ^ s->watermark_key); + uint32_t header = AV_RL32(&h->gb.buffer[1]); + AV_WL32(&h->gb.buffer[1], header ^ s->watermark_key); } if (length > 0) { - memcpy((uint8_t *) &h->gb.buffer[get_bits_count(&h->gb) >> 3], - &h->gb.buffer[h->gb.size_in_bits >> 3], length - 1); + memcpy(s->slice_buf, &s->slice_buf[slice_length], length - 1); } - skip_bits_long(&h->gb, 0); + skip_bits_long(&s->gb, slice_bytes * 8); } if ((slice_id = svq3_get_ue_golomb(&h->gb)) >= 3) { @@ -1153,7 +1161,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, return 0; } - init_get_bits(&h->gb, buf, 8 * buf_size); + ret = init_get_bits(&s->gb, buf, 8 * buf_size); + if (ret < 0) + return ret; sl->mb_x = sl->mb_y = sl->mb_xy = 0; @@ -1269,15 +1279,13 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, unsigned mb_type; sl->mb_xy = sl->mb_x + sl->mb_y * h->mb_stride; - if ((get_bits_count(&h->gb) + 7) >= h->gb.size_in_bits && - ((get_bits_count(&h->gb) & 7) == 0 || - show_bits(&h->gb, -get_bits_count(&h->gb) & 7) == 0)) { - skip_bits(&h->gb, s->next_slice_index - get_bits_count(&h->gb)); - h->gb.size_in_bits = 8 * buf_size; - - if (svq3_decode_slice_header(avctx)) - return -1; + if ((get_bits_left(&h->gb)) <= 7) { + if (((get_bits_count(&h->gb) & 7) == 0 || + show_bits(&h->gb, get_bits_left(&h->gb) & 7) == 0)) { + if (svq3_decode_slice_header(avctx)) + return -1; + } /* TODO: support s->mb_skip_run */ } @@ -1341,6 +1349,7 @@ static av_cold int svq3_decode_end(AVCodecContext *avctx) av_freep(&s->cur_pic); av_freep(&s->next_pic); av_freep(&s->last_pic); + av_freep(&s->slice_buf); memset(&h->cur_pic, 0, sizeof(h->cur_pic));