mirror of https://git.ffmpeg.org/ffmpeg.git
indeo: reject negative array indexes
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
This commit is contained in:
parent
6dfacd7ab1
commit
6a10142faa
|
@ -44,6 +44,20 @@ static VLC ivi_blk_vlc_tabs[8]; ///< static block Huffman tables
|
||||||
typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf,
|
typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf,
|
||||||
uint32_t pitch, int mc_type);
|
uint32_t pitch, int mc_type);
|
||||||
|
|
||||||
|
static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf,
|
||||||
|
int offs, int mv_x, int mv_y, uint32_t pitch,
|
||||||
|
int mc_type)
|
||||||
|
{
|
||||||
|
int ref_offs = offs + mv_y * pitch + mv_x;
|
||||||
|
|
||||||
|
if (offs < 0 || ref_offs < 0 || !ref_buf)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
|
||||||
|
mc(buf + offs, ref_buf + ref_offs, pitch, mc_type);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Reverse "nbits" bits of the value "val" and return the result
|
* Reverse "nbits" bits of the value "val" and return the result
|
||||||
* in the least significant bits.
|
* in the least significant bits.
|
||||||
|
@ -444,7 +458,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
|
||||||
|
|
||||||
/* de-zigzag and dequantize */
|
/* de-zigzag and dequantize */
|
||||||
scan_pos += run;
|
scan_pos += run;
|
||||||
if (scan_pos >= num_coeffs)
|
if (scan_pos >= num_coeffs || scan_pos < 0)
|
||||||
break;
|
break;
|
||||||
pos = band->scan[scan_pos];
|
pos = band->scan[scan_pos];
|
||||||
|
|
||||||
|
@ -459,7 +473,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
|
||||||
col_flags[pos & col_mask] |= !!val;
|
col_flags[pos & col_mask] |= !!val;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (scan_pos >= num_coeffs && sym != rvmap->eob_sym)
|
if (scan_pos < 0 || scan_pos >= num_coeffs && sym != rvmap->eob_sym)
|
||||||
return AVERROR_INVALIDDATA; /* corrupt block data */
|
return AVERROR_INVALIDDATA; /* corrupt block data */
|
||||||
|
|
||||||
/* undoing DC coeff prediction for intra-blocks */
|
/* undoing DC coeff prediction for intra-blocks */
|
||||||
|
@ -475,9 +489,8 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
|
||||||
|
|
||||||
/* apply motion compensation */
|
/* apply motion compensation */
|
||||||
if (!is_intra)
|
if (!is_intra)
|
||||||
mc(band->buf + offs,
|
return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y,
|
||||||
band->ref_buf + offs + mv_y * band->pitch + mv_x,
|
band->pitch, mc_type);
|
||||||
band->pitch, mc_type);
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -579,10 +592,12 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
|
||||||
if (band->dc_transform)
|
if (band->dc_transform)
|
||||||
band->dc_transform(&prev_dc, band->buf + buf_offs,
|
band->dc_transform(&prev_dc, band->buf + buf_offs,
|
||||||
band->pitch, blk_size);
|
band->pitch, blk_size);
|
||||||
} else
|
} else {
|
||||||
mc_no_delta_func(band->buf + buf_offs,
|
ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf,
|
||||||
band->ref_buf + buf_offs + mv_y * band->pitch + mv_x,
|
buf_offs, mv_x, mv_y, band->pitch, mc_type);
|
||||||
band->pitch, mc_type);
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
cbp >>= 1;
|
cbp >>= 1;
|
||||||
|
@ -607,7 +622,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
|
||||||
IVITile *tile, int32_t mv_scale)
|
IVITile *tile, int32_t mv_scale)
|
||||||
{
|
{
|
||||||
int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
|
int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
|
||||||
int offs, mb_offset, row_offset;
|
int offs, mb_offset, row_offset, ret;
|
||||||
IVIMbInfo *mb, *ref_mb;
|
IVIMbInfo *mb, *ref_mb;
|
||||||
const int16_t *src;
|
const int16_t *src;
|
||||||
int16_t *dst;
|
int16_t *dst;
|
||||||
|
@ -685,9 +700,10 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
|
||||||
for (blk = 0; blk < num_blocks; blk++) {
|
for (blk = 0; blk < num_blocks; blk++) {
|
||||||
/* adjust block position in the buffer according with its number */
|
/* adjust block position in the buffer according with its number */
|
||||||
offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch);
|
offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch);
|
||||||
mc_no_delta_func(band->buf + offs,
|
ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf,
|
||||||
band->ref_buf + offs + mv_y * band->pitch + mv_x,
|
offs, mv_x, mv_y, band->pitch, mc_type);
|
||||||
band->pitch, mc_type);
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
|
Loading…
Reference in New Issue