Merge remote-tracking branch 'qatar/master'

* qatar/master:
  cook: expand dither_tab[], and make sure indexes into it don't overflow.
  xxan: reindent xan_unpack_luma().
  xxan: protect against chroma LUT overreads.
  xxan: convert to bytestream2 API.
  xxan: don't read before start of buffer in av_memcpy_backptr().
  vp8: convert mbedge loopfilter x86 assembly to use named arguments.
  vp8: convert inner loopfilter x86 assembly to use named arguments.

Conflicts:
	libavcodec/xxan.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer 2012-03-11 01:12:52 +01:00
commit c3c2db49a7
4 changed files with 465 additions and 513 deletions


@ -514,7 +514,11 @@ static inline void expand_category(COOKContext *q, int *category,
{ {
int i; int i;
for (i = 0; i < q->num_vectors; i++) for (i = 0; i < q->num_vectors; i++)
++category[category_index[i]]; {
int idx = category_index[i];
if (++category[idx] >= FF_ARRAY_ELEMS(dither_tab))
--category[idx];
}
} }
/** /**
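Review bot: The saturation added in the loop of expand_category ties the upper bound of `category[idx]` to `FF_ARRAY_ELEMS(dither_tab)`, but nothing in the hunk says that dither_tab is the table this value later indexes, so the invariant is easy to break when either side changes. I would add `/* category[] indexes dither_tab[]; saturate at its last entry */` above the `if` and drop the increment-then-undo form in favour of `if (category[idx] + 1 < FF_ARRAY_ELEMS(dither_tab)) category[idx]++;`. The comparison mixes the `int` element with the `size_t` from the macro, so a negative category converts to a large unsigned value and is left unchanged in either form. `idx` comes straight from `category_index[i]` and is not range-checked in the visible lines, and any other table indexed by category[] that is shorter than dither_tab would not be covered by this bound; both depend on code outside the hunk, as does the function's signature.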


@ -36,8 +36,8 @@ static const int expbits_tab[8] = {
52,47,43,37,29,22,16,0, 52,47,43,37,29,22,16,0,
}; };
static const float dither_tab[8] = { static const float dither_tab[9] = {
0.0, 0.0, 0.0, 0.0, 0.0, 0.176777, 0.25, 0.707107, 0.0, 0.0, 0.0, 0.0, 0.0, 0.176777, 0.25, 0.707107, 1.0
}; };
static const float quant_centroid_tab[7][14] = { static const float quant_centroid_tab[7][14] = {

File diff suppressed because it is too large Load Diff


@ -35,6 +35,7 @@ typedef struct XanContext {
uint8_t *y_buffer; uint8_t *y_buffer;
uint8_t *scratch_buffer; uint8_t *scratch_buffer;
int buffer_size; int buffer_size;
GetByteContext gb;
} XanContext; } XanContext;
static av_cold int xan_decode_init(AVCodecContext *avctx) static av_cold int xan_decode_init(AVCodecContext *avctx)
@ -58,82 +59,83 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
return 0; return 0;
} }
static int xan_unpack_luma(const uint8_t *src, const int src_size, static int xan_unpack_luma(XanContext *s,
uint8_t *dst, const int dst_size) uint8_t *dst, const int dst_size)
{ {
int tree_size, eof; int tree_size, eof;
const uint8_t *tree; int bits, mask;
int bits, mask; int tree_root, node;
int tree_root, node; const uint8_t *dst_end = dst + dst_size;
const uint8_t *dst_end = dst + dst_size; GetByteContext tree = s->gb;
const uint8_t *src_end = src + src_size; int start_off = bytestream2_tell(&tree);
tree_size = *src++; tree_size = bytestream2_get_byte(&s->gb);
eof = *src++; eof = bytestream2_get_byte(&s->gb);
tree = src - eof * 2 - 2; tree_root = eof + tree_size;
tree_root = eof + tree_size; bytestream2_skip(&s->gb, tree_size * 2);
src += tree_size * 2;
node = tree_root; node = tree_root;
bits = *src++; bits = bytestream2_get_byte(&s->gb);
mask = 0x80; mask = 0x80;
for (;;) { for (;;) {
int bit = !!(bits & mask); int bit = !!(bits & mask);
mask >>= 1; mask >>= 1;
node = tree[node*2 + bit]; bytestream2_seek(&tree, start_off + node*2 + bit - eof * 2, SEEK_SET);
if (node == eof) node = bytestream2_get_byte(&tree);
break; if (node == eof)
if (node < eof) { break;
*dst++ = node; if (node < eof) {
if (dst > dst_end) *dst++ = node;
break; if (dst > dst_end)
node = tree_root; break;
} node = tree_root;
if (!mask) { }
bits = *src++; if (!mask) {
if (src > src_end) if (bytestream2_get_bytes_left(&s->gb) <= 0)
break; break;
mask = 0x80; bits = bytestream2_get_byteu(&s->gb);
} mask = 0x80;
} }
return dst != dst_end; }
return dst != dst_end ? AVERROR_INVALIDDATA : 0;
} }
/* almost the same as in xan_wc3 decoder */ /* almost the same as in xan_wc3 decoder */
static int xan_unpack(uint8_t *dest, const int dest_len, static int xan_unpack(XanContext *s,
const uint8_t *src, const int src_len) uint8_t *dest, const int dest_len)
{ {
uint8_t opcode; uint8_t opcode;
int size; int size;
uint8_t *orig_dest = dest; uint8_t *orig_dest = dest;
const uint8_t *src_end = src + src_len;
const uint8_t *dest_end = dest + dest_len; const uint8_t *dest_end = dest + dest_len;
while (dest < dest_end) { while (dest < dest_end) {
opcode = *src++; if (bytestream2_get_bytes_left(&s->gb) <= 0)
return AVERROR_INVALIDDATA;
opcode = bytestream2_get_byteu(&s->gb);
if (opcode < 0xe0) { if (opcode < 0xe0) {
int size2, back; int size2, back;
if ((opcode & 0x80) == 0) { if ((opcode & 0x80) == 0) {
size = opcode & 3; size = opcode & 3;
back = ((opcode & 0x60) << 3) + *src++ + 1; back = ((opcode & 0x60) << 3) + bytestream2_get_byte(&s->gb) + 1;
size2 = ((opcode & 0x1c) >> 2) + 3; size2 = ((opcode & 0x1c) >> 2) + 3;
} else if ((opcode & 0x40) == 0) { } else if ((opcode & 0x40) == 0) {
size = *src >> 6; size = bytestream2_peek_byte(&s->gb) >> 6;
back = (bytestream_get_be16(&src) & 0x3fff) + 1; back = (bytestream2_get_be16(&s->gb) & 0x3fff) + 1;
size2 = (opcode & 0x3f) + 4; size2 = (opcode & 0x3f) + 4;
} else { } else {
size = opcode & 3; size = opcode & 3;
back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1; back = ((opcode & 0x10) << 12) + bytestream2_get_be16(&s->gb) + 1;
size2 = ((opcode & 0x0c) << 6) + *src++ + 5; size2 = ((opcode & 0x0c) << 6) + bytestream2_get_byte(&s->gb) + 5;
if (size + size2 > dest_end - dest) if (size + size2 > dest_end - dest)
break; break;
} }
if (src + size > src_end || if (dest + size + size2 > dest_end ||
dest + size + size2 > dest_end || dest - orig_dest + size < back)
dest + size - orig_dest < back )
return -1; return -1;
bytestream_get_buffer(&src, dest, size); bytestream2_get_buffer(&s->gb, dest, size);
dest += size; dest += size;
av_memcpy_backptr(dest, back, size2); av_memcpy_backptr(dest, back, size2);
dest += size2; dest += size2;
@ -141,9 +143,9 @@ static int xan_unpack(uint8_t *dest, const int dest_len,
int finish = opcode >= 0xfc; int finish = opcode >= 0xfc;
size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4; size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4;
if (src + size > src_end || dest + size > dest_end) if (dest_end - dest < size)
return -1; return -1;
bytestream_get_buffer(&src, dest, size); bytestream2_get_buffer(&s->gb, dest, size);
dest += size; dest += size;
if (finish) if (finish)
break; break;
@ -152,40 +154,37 @@ static int xan_unpack(uint8_t *dest, const int dest_len,
return dest - orig_dest; return dest - orig_dest;
} }
static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off)
{ {
const uint8_t *buf = avpkt->data;
XanContext *s = avctx->priv_data; XanContext *s = avctx->priv_data;
uint8_t *U, *V; uint8_t *U, *V;
unsigned chroma_off;
int val, uval, vval; int val, uval, vval;
int i, j; int i, j;
const uint8_t *src, *src_end; const uint8_t *src, *src_end;
const uint8_t *table; const uint8_t *table;
int table_size; int mode, offset, dec_size, table_size;
int mode, offset, dec_size;
chroma_off = AV_RL32(buf + 4);
if (!chroma_off) if (!chroma_off)
return 0; return 0;
if (chroma_off + 10 >= avpkt->size) { if (chroma_off + 4 >= bytestream2_get_bytes_left(&s->gb)) {
av_log(avctx, AV_LOG_ERROR, "Invalid chroma block position\n"); av_log(avctx, AV_LOG_ERROR, "Invalid chroma block position\n");
return -1; return -1;
} }
src = avpkt->data + 4 + chroma_off; bytestream2_seek(&s->gb, chroma_off + 4, SEEK_SET);
table = src + 2; mode = bytestream2_get_le16(&s->gb);
table_size = avpkt->data + avpkt->size - table; table = s->gb.buffer;
mode = bytestream_get_le16(&src); table_size = bytestream2_get_le16(&s->gb);
offset = bytestream_get_le16(&src) * 2; offset = table_size * 2;
table_size += 1;
if (src - avpkt->data >= avpkt->size - offset) { if (offset >= bytestream2_get_bytes_left(&s->gb)) {
av_log(avctx, AV_LOG_ERROR, "Invalid chroma block offset\n"); av_log(avctx, AV_LOG_ERROR, "Invalid chroma block offset\n");
return -1; return -1;
} }
bytestream2_skip(&s->gb, offset);
memset(s->scratch_buffer, 0, s->buffer_size); memset(s->scratch_buffer, 0, s->buffer_size);
dec_size = xan_unpack(s->scratch_buffer, s->buffer_size, src + offset, dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
avpkt->size - offset - (src - avpkt->data));
if (dec_size < 0) { if (dec_size < 0) {
av_log(avctx, AV_LOG_ERROR, "Chroma unpacking failed\n"); av_log(avctx, AV_LOG_ERROR, "Chroma unpacking failed\n");
return -1; return -1;
@ -202,7 +201,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
return 0; return 0;
val = *src++; val = *src++;
if (val) { if (val) {
if (val << 1 >= table_size) if (val >= table_size)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
val = AV_RL16(table + (val << 1)); val = AV_RL16(table + (val << 1));
uval = (val >> 3) & 0xF8; uval = (val >> 3) & 0xF8;
@ -224,7 +223,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
return 0; return 0;
val = *src++; val = *src++;
if (val) { if (val) {
if (val << 1 >= table_size) if (val >= table_size)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
val = AV_RL16(table + (val << 1)); val = AV_RL16(table + (val << 1));
uval = (val >> 3) & 0xF8; uval = (val >> 3) & 0xF8;
@ -243,32 +242,27 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
return 0; return 0;
} }
static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) static int xan_decode_frame_type0(AVCodecContext *avctx)
{ {
const uint8_t *buf = avpkt->data;
XanContext *s = avctx->priv_data; XanContext *s = avctx->priv_data;
uint8_t *ybuf, *prev_buf, *src = s->scratch_buffer; uint8_t *ybuf, *prev_buf, *src = s->scratch_buffer;
unsigned chroma_off, corr_off; unsigned chroma_off, corr_off;
int cur, last, size; int cur, last;
int i, j; int i, j;
int ret; int ret;
corr_off = AV_RL32(buf + 8); chroma_off = bytestream2_get_le32(&s->gb);
chroma_off = AV_RL32(buf + 4); corr_off = bytestream2_get_le32(&s->gb);
if ((ret = xan_decode_chroma(avctx, avpkt)) != 0) if ((ret = xan_decode_chroma(avctx, chroma_off)) != 0)
return ret; return ret;
size = avpkt->size - 4; if (corr_off >= (s->gb.buffer_end - s->gb.buffer_start)) {
if (corr_off >= avpkt->size) {
av_log(avctx, AV_LOG_WARNING, "Ignoring invalid correction block position\n"); av_log(avctx, AV_LOG_WARNING, "Ignoring invalid correction block position\n");
corr_off = 0; corr_off = 0;
} }
if (corr_off) bytestream2_seek(&s->gb, 12, SEEK_SET);
size = corr_off; ret = xan_unpack_luma(s, src, s->buffer_size >> 1);
if (chroma_off)
size = FFMIN(size, chroma_off);
ret = xan_unpack_luma(buf + 12, size, src, s->buffer_size >> 1);
if (ret) { if (ret) {
av_log(avctx, AV_LOG_ERROR, "Luma decoding failed\n"); av_log(avctx, AV_LOG_ERROR, "Luma decoding failed\n");
return ret; return ret;
@ -304,12 +298,11 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt)
if (corr_off) { if (corr_off) {
int corr_end, dec_size; int corr_end, dec_size;
corr_end = avpkt->size; corr_end = (s->gb.buffer_end - s->gb.buffer_start);
if (chroma_off > corr_off) if (chroma_off > corr_off)
corr_end = chroma_off; corr_end = chroma_off;
dec_size = xan_unpack(s->scratch_buffer, s->buffer_size, bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
avpkt->data + 8 + corr_off, dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
corr_end - corr_off);
if (dec_size < 0) if (dec_size < 0)
dec_size = 0; dec_size = 0;
else else
@ -331,19 +324,19 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt)
return 0; return 0;
} }
static int xan_decode_frame_type1(AVCodecContext *avctx, AVPacket *avpkt) static int xan_decode_frame_type1(AVCodecContext *avctx)
{ {
const uint8_t *buf = avpkt->data;
XanContext *s = avctx->priv_data; XanContext *s = avctx->priv_data;
uint8_t *ybuf, *src = s->scratch_buffer; uint8_t *ybuf, *src = s->scratch_buffer;
int cur, last; int cur, last;
int i, j; int i, j;
int ret; int ret;
if ((ret = xan_decode_chroma(avctx, avpkt)) != 0) if ((ret = xan_decode_chroma(avctx, bytestream2_get_le32(&s->gb))) != 0)
return ret; return ret;
ret = xan_unpack_luma(buf + 16, avpkt->size - 16, src, bytestream2_seek(&s->gb, 16, SEEK_SET);
ret = xan_unpack_luma(s, src,
s->buffer_size >> 1); s->buffer_size >> 1);
if (ret) { if (ret) {
av_log(avctx, AV_LOG_ERROR, "Luma decoding failed\n"); av_log(avctx, AV_LOG_ERROR, "Luma decoding failed\n");
@ -393,13 +386,14 @@ static int xan_decode_frame(AVCodecContext *avctx,
return ret; return ret;
} }
ftype = AV_RL32(avpkt->data); bytestream2_init(&s->gb, avpkt->data, avpkt->size);
ftype = bytestream2_get_le32(&s->gb);
switch (ftype) { switch (ftype) {
case 0: case 0:
ret = xan_decode_frame_type0(avctx, avpkt); ret = xan_decode_frame_type0(avctx);
break; break;
case 1: case 1:
ret = xan_decode_frame_type1(avctx, avpkt); ret = xan_decode_frame_type1(avctx);
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, "Unknown frame type %d\n", ftype); av_log(avctx, AV_LOG_ERROR, "Unknown frame type %d\n", ftype);
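Review bot: In xan_unpack, dropping the `src + size > src_end` test leaves truncated input undetected on both copy paths: `bytestream2_get_buffer()` copies only the bytes that remain and returns that count, the two calls ignore it, and `dest` still advances by `size` over bytes that were never written. Checking the result, `if (bytestream2_get_buffer(&s->gb, dest, size) != size) return AVERROR_INVALIDDATA;`, keeps the old failure behaviour; the chroma path clears scratch_buffer first, but no memset is visible before the correction-block call in xan_decode_frame_type0, so stale bytes could be consumed there. The back-reference test still forms `dest + size + size2` before comparing, while the literal branch was rewritten to `dest_end - dest < size`; `size + size2 > dest_end - dest` would match it and avoid building a pointer past the buffer. In xan_decode_chroma, `chroma_off + 4` is unsigned and taken from the packet, so it can wrap to a small value before both the comparison and the seek; the bytestream2 reader presumably keeps the access in bounds, but the block is then decoded from the wrong position, and an explicit upper bound on `chroma_off` before the addition would reject it.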