Compare commits
27 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
8e101086eb | ||
|
|
f13de3c653 | ||
|
|
1eb7872238 | ||
|
|
15df4428d2 | ||
|
|
ec0124203c | ||
|
|
6b01bcebb9 | ||
|
|
efd453d82d | ||
|
|
7209c2b13f | ||
|
|
7ee536e87a | ||
|
|
665421f3b1 | ||
|
|
3eb6983dbc | ||
|
|
e75056bc54 | ||
|
|
8755a7890e | ||
|
|
d0688fdd31 | ||
|
|
0e05292a6c | ||
|
|
23f228a0d0 | ||
|
|
110aff4b24 | ||
|
|
4a1c3df592 | ||
|
|
185abfb218 | ||
|
|
280590e338 | ||
|
|
9767ea7aa7 | ||
|
|
771ceb19f2 | ||
|
|
7739947671 | ||
|
|
8abf1d882e | ||
|
|
1a53095406 | ||
|
|
60eebf5c12 | ||
|
|
30ee6c1995 |
26
Changelog
26
Changelog
@@ -2,6 +2,32 @@ Entries are sorted chronologically from oldest to youngest within each release,
|
||||
releases are sorted from youngest to oldest.
|
||||
|
||||
|
||||
version 0.5.7:
|
||||
- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895)
|
||||
- vorbisdec: Fix decoding bug with channel handling.
|
||||
- matroskadec: Fix a bug where a pointer was cached to an array that might
|
||||
later move due to a realloc(). (CVE-2011-3893)
|
||||
- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893)
|
||||
- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892)
|
||||
- vp3: fix streams with non-zero last coefficient.
|
||||
|
||||
|
||||
version 0.5.6:
|
||||
- svq1dec: call avcodec_set_dimensions() after dimensions changed. (NGS00148, CVE-2011-4579)
|
||||
- vmd: fix segfaults on corruped streams (CVE-2011-4364)
|
||||
- commits related to CVE-2011-4353:
|
||||
- vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
|
||||
- Plug some memory leaks in the VP6 decoder
|
||||
- vp6: Reset the internal state when aborting key frames header parsing
|
||||
- vp6: Fix illegal read.
|
||||
- vp6: Fix illegal read.
|
||||
- Fix out of bound reads in the QDM2 decoder.
|
||||
- commits related to CVE-2011-4351:
|
||||
- Check for out of bound writes in the QDM2 decoder.
|
||||
- qdm2: check output buffer size before decoding
|
||||
- Fix qdm2 decoder packet handling to match the api
|
||||
|
||||
|
||||
version 0.5.5:
|
||||
|
||||
- Fix memory (re)allocation in matroskadec.c (MSVR11-011/CVE-2011-3504)
|
||||
|
||||
34
RELEASE
34
RELEASE
@@ -163,3 +163,37 @@ General notes
|
||||
This maintenance-only release addresses several security issues that
|
||||
were brought to our attention.
|
||||
|
||||
|
||||
|
||||
* 0.5.7 Dec 25, 2011
|
||||
|
||||
General notes
|
||||
-------------
|
||||
|
||||
This maintenance-only release addresses several security issues that
|
||||
were brought to our attention. In details, it features fixes for the
|
||||
QDM2 decoder (CVE-2011-4351), DoS in the VP5/VP6 decoders
|
||||
(CVE-2011-4353), and a buffer overflow in the Sierra VMD decoder
|
||||
CVE-2011-4364, and a safety fix in the SVQ1 decoder (CVE-2011-4579).
|
||||
CVE-2011-4352, a bug in the VP3 decoder, is not known to affect this
|
||||
release.
|
||||
|
||||
Distributors and system integrators are encouraged to update and share
|
||||
their patches against this branch.
|
||||
|
||||
|
||||
|
||||
* 0.5.8 Jan 12, 2012
|
||||
|
||||
General notes
|
||||
-------------
|
||||
|
||||
This mostly maintenance-only release that addresses a number a number of
|
||||
bugs such as security and compilation issues that have been brought to
|
||||
our attention. Among other (rather minor) fixes, this release features
|
||||
fixes for the VP3 decoder (CVE-2011-3892), vorbis decoder, and matroska
|
||||
demuxer (CVE-2011-3893 and CVE-2011-3895).
|
||||
|
||||
Distributors and system integrators are encouraged
|
||||
to update and share their patches against this branch. For a full list
|
||||
of changes please see the Changelog file.
|
||||
|
||||
@@ -454,6 +454,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
|
||||
|
||||
for (k=0; k<coded_components; k++) {
|
||||
sfIndx = get_bits(gb,6);
|
||||
if(component_count>=64)
|
||||
return AVERROR_INVALIDDATA;
|
||||
pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
|
||||
max_coded_values = 1024 - pComponent[component_count].pos;
|
||||
coded_values = coded_values_per_component + 1;
|
||||
|
||||
@@ -1378,6 +1378,8 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext *
|
||||
return;
|
||||
|
||||
local_int_14 = (offset >> local_int_8);
|
||||
if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table))
|
||||
return;
|
||||
|
||||
if (q->nb_channels > 1) {
|
||||
channel = get_bits1(gb);
|
||||
@@ -1912,7 +1914,7 @@ static av_cold int qdm2_decode_close(AVCodecContext *avctx)
|
||||
}
|
||||
|
||||
|
||||
static void qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
|
||||
static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
|
||||
{
|
||||
int ch, i;
|
||||
const int frame_size = (q->frame_size * q->channels);
|
||||
@@ -1951,7 +1953,7 @@ static void qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
|
||||
|
||||
if (!q->has_errors && q->sub_packet_list_C[0].packet != NULL) {
|
||||
SAMPLES_NEEDED_2("has errors, and C list is not empty")
|
||||
return;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1972,6 +1974,8 @@ static void qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
|
||||
|
||||
out[i] = value;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -1980,25 +1984,33 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
|
||||
const uint8_t *buf, int buf_size)
|
||||
{
|
||||
QDM2Context *s = avctx->priv_data;
|
||||
int16_t *out = data;
|
||||
int i, out_size;
|
||||
|
||||
if(!buf)
|
||||
return 0;
|
||||
if(buf_size < s->checksum_size)
|
||||
return -1;
|
||||
|
||||
*data_size = s->channels * s->frame_size * sizeof(int16_t);
|
||||
out_size = 16 * s->channels * s->frame_size *
|
||||
av_get_bits_per_sample_format(avctx->sample_fmt)/8;
|
||||
if (*data_size < out_size) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
|
||||
return AVERROR(EINVAL);
|
||||
}
|
||||
|
||||
av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
|
||||
buf_size, buf, s->checksum_size, data, *data_size);
|
||||
|
||||
qdm2_decode(s, buf, data);
|
||||
|
||||
// reading only when next superblock found
|
||||
if (s->sub_packet == 0) {
|
||||
return s->checksum_size;
|
||||
for (i = 0; i < 16; i++) {
|
||||
if (qdm2_decode(s, buf, out) < 0)
|
||||
return -1;
|
||||
out += s->channels * s->frame_size;
|
||||
}
|
||||
|
||||
return 0;
|
||||
*data_size = out_size;
|
||||
|
||||
return buf_size;
|
||||
}
|
||||
|
||||
AVCodec qdm2_decoder =
|
||||
|
||||
@@ -73,9 +73,11 @@ typedef struct VmdVideoContext {
|
||||
#define QUEUE_SIZE 0x1000
|
||||
#define QUEUE_MASK 0x0FFF
|
||||
|
||||
static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len)
|
||||
static void lz_unpack(const unsigned char *src, int src_len,
|
||||
unsigned char *dest, int dest_len)
|
||||
{
|
||||
const unsigned char *s;
|
||||
unsigned int s_len;
|
||||
unsigned char *d;
|
||||
unsigned char *d_end;
|
||||
unsigned char queue[QUEUE_SIZE];
|
||||
@@ -88,13 +90,16 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
|
||||
unsigned int i, j;
|
||||
|
||||
s = src;
|
||||
s_len = src_len;
|
||||
d = dest;
|
||||
d_end = d + dest_len;
|
||||
dataleft = AV_RL32(s);
|
||||
s += 4;
|
||||
s += 4; s_len -= 4;
|
||||
memset(queue, 0x20, QUEUE_SIZE);
|
||||
if (s_len < 4)
|
||||
return;
|
||||
if (AV_RL32(s) == 0x56781234) {
|
||||
s += 4;
|
||||
s += 4; s_len -= 4;
|
||||
qpos = 0x111;
|
||||
speclen = 0xF + 3;
|
||||
} else {
|
||||
@@ -102,32 +107,41 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
|
||||
speclen = 100; /* no speclen */
|
||||
}
|
||||
|
||||
while (dataleft > 0) {
|
||||
tag = *s++;
|
||||
while (dataleft > 0 && s_len > 0) {
|
||||
tag = *s++; s_len--;
|
||||
if ((tag == 0xFF) && (dataleft > 8)) {
|
||||
if (d + 8 > d_end)
|
||||
if (d + 8 > d_end || s_len < 8)
|
||||
return;
|
||||
for (i = 0; i < 8; i++) {
|
||||
queue[qpos++] = *d++ = *s++;
|
||||
qpos &= QUEUE_MASK;
|
||||
}
|
||||
s_len -= 8;
|
||||
dataleft -= 8;
|
||||
} else {
|
||||
for (i = 0; i < 8; i++) {
|
||||
if (dataleft == 0)
|
||||
break;
|
||||
if (tag & 0x01) {
|
||||
if (d + 1 > d_end)
|
||||
if (d + 1 > d_end || s_len < 1)
|
||||
return;
|
||||
queue[qpos++] = *d++ = *s++;
|
||||
qpos &= QUEUE_MASK;
|
||||
dataleft--;
|
||||
s_len--;
|
||||
} else {
|
||||
if (s_len < 2)
|
||||
return;
|
||||
chainofs = *s++;
|
||||
chainofs |= ((*s & 0xF0) << 4);
|
||||
chainlen = (*s++ & 0x0F) + 3;
|
||||
if (chainlen == speclen)
|
||||
s_len -= 2;
|
||||
if (chainlen == speclen) {
|
||||
if (s_len < 1)
|
||||
return;
|
||||
chainlen = *s++ + 0xF + 3;
|
||||
s_len--;
|
||||
}
|
||||
if (d + chainlen > d_end)
|
||||
return;
|
||||
for (j = 0; j < chainlen; j++) {
|
||||
@@ -144,7 +158,7 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
|
||||
}
|
||||
|
||||
static int rle_unpack(const unsigned char *src, unsigned char *dest,
|
||||
int src_len, int dest_len)
|
||||
int src_count, int src_size, int dest_len)
|
||||
{
|
||||
const unsigned char *ps;
|
||||
unsigned char *pd;
|
||||
@@ -153,31 +167,40 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
|
||||
|
||||
ps = src;
|
||||
pd = dest;
|
||||
if (src_len & 1)
|
||||
if (src_count & 1) {
|
||||
if (src_size < 1)
|
||||
return 0;
|
||||
*pd++ = *ps++;
|
||||
src_size--;
|
||||
}
|
||||
|
||||
src_len >>= 1;
|
||||
src_count >>= 1;
|
||||
i = 0;
|
||||
do {
|
||||
if (src_size < 1)
|
||||
break;
|
||||
l = *ps++;
|
||||
src_size--;
|
||||
if (l & 0x80) {
|
||||
l = (l & 0x7F) * 2;
|
||||
if (pd + l > dest_end)
|
||||
if (pd + l > dest_end || src_size < l)
|
||||
return ps - src;
|
||||
memcpy(pd, ps, l);
|
||||
ps += l;
|
||||
src_size -= l;
|
||||
pd += l;
|
||||
} else {
|
||||
if (pd + i > dest_end)
|
||||
if (pd + i > dest_end || src_size < 2)
|
||||
return ps - src;
|
||||
for (i = 0; i < l; i++) {
|
||||
*pd++ = ps[0];
|
||||
*pd++ = ps[1];
|
||||
}
|
||||
ps += 2;
|
||||
src_size -= 2;
|
||||
}
|
||||
i += l;
|
||||
} while (i < src_len);
|
||||
} while (i < src_count);
|
||||
|
||||
return ps - src;
|
||||
}
|
||||
@@ -192,6 +215,7 @@ static void vmd_decode(VmdVideoContext *s)
|
||||
const unsigned char *p = s->buf + 16;
|
||||
|
||||
const unsigned char *pb;
|
||||
unsigned int pb_size;
|
||||
unsigned char meth;
|
||||
unsigned char *dp; /* pointer to current frame */
|
||||
unsigned char *pp; /* pointer to previous frame */
|
||||
@@ -228,8 +252,9 @@ static void vmd_decode(VmdVideoContext *s)
|
||||
|
||||
/* if only a certain region will be updated, copy the entire previous
|
||||
* frame before the decode */
|
||||
if (frame_x || frame_y || (frame_width != s->avctx->width) ||
|
||||
(frame_height != s->avctx->height)) {
|
||||
if (s->prev_frame.data[0] &&
|
||||
(frame_x || frame_y || (frame_width != s->avctx->width) ||
|
||||
(frame_height != s->avctx->height))) {
|
||||
|
||||
memcpy(s->frame.data[0], s->prev_frame.data[0],
|
||||
s->avctx->height * s->frame.linesize[0]);
|
||||
@@ -247,14 +272,19 @@ static void vmd_decode(VmdVideoContext *s)
|
||||
}
|
||||
s->size -= (256 * 3 + 2);
|
||||
}
|
||||
if (s->size >= 0) {
|
||||
if (s->size > 0) {
|
||||
/* originally UnpackFrame in VAG's code */
|
||||
pb = p;
|
||||
meth = *pb++;
|
||||
pb_size = s->buf + s->size - pb;
|
||||
if (pb_size < 1)
|
||||
return;
|
||||
meth = *pb++; pb_size--;
|
||||
if (meth & 0x80) {
|
||||
lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size);
|
||||
lz_unpack(pb, pb_size,
|
||||
s->unpack_buffer, s->unpack_buffer_size);
|
||||
meth &= 0x7F;
|
||||
pb = s->unpack_buffer;
|
||||
pb_size = s->unpack_buffer_size;
|
||||
}
|
||||
|
||||
dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x];
|
||||
@@ -265,17 +295,21 @@ static void vmd_decode(VmdVideoContext *s)
|
||||
for (i = 0; i < frame_height; i++) {
|
||||
ofs = 0;
|
||||
do {
|
||||
if (pb_size < 1)
|
||||
return;
|
||||
len = *pb++;
|
||||
pb_size--;
|
||||
if (len & 0x80) {
|
||||
len = (len & 0x7F) + 1;
|
||||
if (ofs + len > frame_width)
|
||||
if (ofs + len > frame_width || pb_size < len)
|
||||
return;
|
||||
memcpy(&dp[ofs], pb, len);
|
||||
pb += len;
|
||||
pb_size -= len;
|
||||
ofs += len;
|
||||
} else {
|
||||
/* interframe pixel copy */
|
||||
if (ofs + len + 1 > frame_width)
|
||||
if (ofs + len + 1 > frame_width || !s->prev_frame.data[0])
|
||||
return;
|
||||
memcpy(&dp[ofs], &pp[ofs], len + 1);
|
||||
ofs += len + 1;
|
||||
@@ -293,8 +327,11 @@ static void vmd_decode(VmdVideoContext *s)
|
||||
|
||||
case 2:
|
||||
for (i = 0; i < frame_height; i++) {
|
||||
if (pb_size < frame_width)
|
||||
return;
|
||||
memcpy(dp, pb, frame_width);
|
||||
pb += frame_width;
|
||||
pb_size -= frame_width;
|
||||
dp += s->frame.linesize[0];
|
||||
pp += s->prev_frame.linesize[0];
|
||||
}
|
||||
@@ -304,18 +341,27 @@ static void vmd_decode(VmdVideoContext *s)
|
||||
for (i = 0; i < frame_height; i++) {
|
||||
ofs = 0;
|
||||
do {
|
||||
if (pb_size < 1)
|
||||
return;
|
||||
len = *pb++;
|
||||
pb_size--;
|
||||
if (len & 0x80) {
|
||||
len = (len & 0x7F) + 1;
|
||||
if (pb_size < 1)
|
||||
return;
|
||||
if (*pb++ == 0xFF)
|
||||
len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
|
||||
else
|
||||
len = rle_unpack(pb, &dp[ofs], len, pb_size, frame_width - ofs);
|
||||
else {
|
||||
if (pb_size < len)
|
||||
return;
|
||||
memcpy(&dp[ofs], pb, len);
|
||||
}
|
||||
pb += len;
|
||||
pb_size -= 1 + len;
|
||||
ofs += len;
|
||||
} else {
|
||||
/* interframe pixel copy */
|
||||
if (ofs + len + 1 > frame_width)
|
||||
if (ofs + len + 1 > frame_width || !s->prev_frame.data[0])
|
||||
return;
|
||||
memcpy(&dp[ofs], &pp[ofs], len + 1);
|
||||
ofs += len + 1;
|
||||
|
||||
@@ -146,13 +146,13 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) {
|
||||
}
|
||||
}
|
||||
|
||||
static void render_line(int x0, int y0, int x1, int y1, float * buf) {
|
||||
static void render_line(int x0, uint8_t y0, int x1, int y1, float * buf) {
|
||||
int dy = y1 - y0;
|
||||
int adx = x1 - x0;
|
||||
int base = dy / adx;
|
||||
int ady = FFABS(dy) - FFABS(base) * adx;
|
||||
int x = x0;
|
||||
int y = y0;
|
||||
uint8_t y = y0;
|
||||
int err = 0;
|
||||
int sy = dy<0 ? -1 : 1;
|
||||
buf[x] = ff_vorbis_floor1_inverse_db_table[y];
|
||||
@@ -168,7 +168,8 @@ static void render_line(int x0, int y0, int x1, int y1, float * buf) {
|
||||
}
|
||||
|
||||
void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint_fast16_t * y_list, int * flag, int multiplier, float * out, int samples) {
|
||||
int lx, ly, i;
|
||||
int lx, i;
|
||||
uint8_t ly;
|
||||
lx = 0;
|
||||
ly = y_list[0] * multiplier;
|
||||
for (i = 1; i < values; i++) {
|
||||
|
||||
@@ -654,7 +654,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
|
||||
res_setup->partition_size=get_bits(gb, 24)+1;
|
||||
/* Validations to prevent a buffer overflow later. */
|
||||
if (res_setup->begin>res_setup->end
|
||||
|| res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
|
||||
|| res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2
|
||||
|| (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
|
||||
return 1;
|
||||
@@ -1293,7 +1293,7 @@ static int vorbis_floor1_decode(vorbis_context *vc, vorbis_floor_data *vfu, floa
|
||||
|
||||
// Read and decode residue
|
||||
|
||||
static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, int vr_type) {
|
||||
static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, unsigned ch_left, int vr_type) {
|
||||
GetBitContext *gb=&vc->gb;
|
||||
uint_fast8_t c_p_c=vc->codebooks[vr->classbook].dimensions;
|
||||
uint_fast16_t n_to_read=vr->end-vr->begin;
|
||||
@@ -1303,6 +1303,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, v
|
||||
uint_fast8_t ch_used;
|
||||
uint_fast8_t i,j,l;
|
||||
uint_fast16_t k;
|
||||
unsigned max_output = (ch - 1) * vlen;
|
||||
|
||||
if (vr_type==2) {
|
||||
for(j=1;j<ch;++j) {
|
||||
@@ -1310,8 +1311,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, v
|
||||
}
|
||||
if (do_not_decode[0]) return 0;
|
||||
ch_used=1;
|
||||
max_output += vr->end / ch;
|
||||
} else {
|
||||
ch_used=ch;
|
||||
max_output += vr->end;
|
||||
}
|
||||
|
||||
if (max_output > ch_left * vlen) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
AV_DEBUG(" residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
|
||||
@@ -1435,14 +1443,14 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, v
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen)
|
||||
static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, unsigned ch_left)
|
||||
{
|
||||
if (vr->type==2)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2);
|
||||
else if (vr->type==1)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1);
|
||||
else if (vr->type==0)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
|
||||
else if (vr->type == 1)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
|
||||
else if (vr->type == 0)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
|
||||
else {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
|
||||
return 1;
|
||||
@@ -1505,6 +1513,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
|
||||
uint_fast8_t res_num=0;
|
||||
int_fast16_t retlen=0;
|
||||
float fadd_bias = vc->add_bias;
|
||||
unsigned ch_left = vc->audio_channels;
|
||||
unsigned vlen;
|
||||
|
||||
if (get_bits1(gb)) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
|
||||
@@ -1527,12 +1537,13 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
|
||||
|
||||
blockflag=vc->modes[mode_number].blockflag;
|
||||
blocksize=vc->blocksize[blockflag];
|
||||
vlen = blocksize / 2;
|
||||
if (blockflag) {
|
||||
skip_bits(gb, 2); // previous_window, next_window
|
||||
}
|
||||
|
||||
memset(ch_res_ptr, 0, sizeof(float)*vc->audio_channels*blocksize/2); //FIXME can this be removed ?
|
||||
memset(ch_floor_ptr, 0, sizeof(float)*vc->audio_channels*blocksize/2); //FIXME can this be removed ?
|
||||
memset(ch_res_ptr, 0, sizeof(float)*vc->audio_channels*vlen); //FIXME can this be removed ?
|
||||
memset(ch_floor_ptr, 0, sizeof(float)*vc->audio_channels*vlen); //FIXME can this be removed ?
|
||||
|
||||
// Decode floor
|
||||
|
||||
@@ -1552,7 +1563,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
|
||||
return -1;
|
||||
}
|
||||
no_residue[i] = ret;
|
||||
ch_floor_ptr += blocksize / 2;
|
||||
ch_floor_ptr += vlen;
|
||||
}
|
||||
|
||||
// Nonzero vector propagate
|
||||
@@ -1569,6 +1580,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
|
||||
for(i=0;i<mapping->submaps;++i) {
|
||||
vorbis_residue *residue;
|
||||
uint_fast8_t ch=0;
|
||||
int ret;
|
||||
|
||||
for(j=0;j<vc->audio_channels;++j) {
|
||||
if ((mapping->submaps==1) || (i==mapping->mux[j])) {
|
||||
@@ -1583,9 +1595,18 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
|
||||
}
|
||||
}
|
||||
residue=&vc->residues[mapping->submap_residue[i]];
|
||||
vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
|
||||
if (ch_left < ch) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
|
||||
return -1;
|
||||
}
|
||||
if (ch) {
|
||||
ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
}
|
||||
|
||||
ch_res_ptr+=ch*blocksize/2;
|
||||
ch_res_ptr += ch * vlen;
|
||||
ch_left -= ch;
|
||||
}
|
||||
|
||||
// Inverse coupling
|
||||
|
||||
@@ -1011,12 +1011,12 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
|
||||
/* decode a VLC into a token */
|
||||
token = get_vlc2(gb, table->table, 5, 3);
|
||||
/* use the token to get a zero run, a coefficient, and an eob run */
|
||||
if (token <= 6) {
|
||||
if ((unsigned) token <= 6U) {
|
||||
eob_run = eob_run_base[token];
|
||||
if (eob_run_get_bits[token])
|
||||
eob_run += get_bits(gb, eob_run_get_bits[token]);
|
||||
coeff = zero_run = 0;
|
||||
} else {
|
||||
} else if (token >= 0) {
|
||||
bits_to_get = coeff_get_bits[token];
|
||||
if (!bits_to_get)
|
||||
coeff = coeff_tables[token][0];
|
||||
@@ -1026,6 +1026,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
|
||||
zero_run = zero_run_base[token];
|
||||
if (zero_run_get_bits[token])
|
||||
zero_run += get_bits(gb, zero_run_get_bits[token]);
|
||||
} else {
|
||||
av_log(s->avctx, AV_LOG_ERROR,
|
||||
"Invalid token %d\n", token);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1071,6 +1075,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
|
||||
/* unpack the C plane DC coefficients */
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
|
||||
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
|
||||
/* fetch the AC table indexes */
|
||||
ac_y_table = get_bits(gb, 4);
|
||||
@@ -1080,36 +1086,52 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
|
||||
for (i = 1; i <= 5; i++) {
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_1[ac_y_table], i,
|
||||
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_1[ac_c_table], i,
|
||||
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
}
|
||||
|
||||
/* unpack the group 2 AC coefficients (coeffs 6-14) */
|
||||
for (i = 6; i <= 14; i++) {
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_2[ac_y_table], i,
|
||||
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_2[ac_c_table], i,
|
||||
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
}
|
||||
|
||||
/* unpack the group 3 AC coefficients (coeffs 15-27) */
|
||||
for (i = 15; i <= 27; i++) {
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_3[ac_y_table], i,
|
||||
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_3[ac_c_table], i,
|
||||
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
}
|
||||
|
||||
/* unpack the group 4 AC coefficients (coeffs 28-63) */
|
||||
for (i = 28; i <= 63; i++) {
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_4[ac_y_table], i,
|
||||
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
|
||||
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_4[ac_c_table], i,
|
||||
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
|
||||
if (residual_eob_run < 0)
|
||||
return residual_eob_run;
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
@@ -695,6 +695,7 @@ av_cold void vp56_init(AVCodecContext *avctx, int flip, int has_alpha)
|
||||
av_cold int vp56_free(AVCodecContext *avctx)
|
||||
{
|
||||
VP56Context *s = avctx->priv_data;
|
||||
int pt;
|
||||
|
||||
av_free(s->above_blocks);
|
||||
av_free(s->macroblocks);
|
||||
@@ -705,5 +706,15 @@ av_cold int vp56_free(AVCodecContext *avctx)
|
||||
avctx->release_buffer(avctx, s->framep[VP56_FRAME_GOLDEN2]);
|
||||
if (s->framep[VP56_FRAME_PREVIOUS]->data[0])
|
||||
avctx->release_buffer(avctx, s->framep[VP56_FRAME_PREVIOUS]);
|
||||
|
||||
for (pt=0; pt < 2; pt++) {
|
||||
int ct, cg;
|
||||
free_vlc(&s->dccv_vlc[pt]);
|
||||
free_vlc(&s->runv_vlc[pt]);
|
||||
for (ct=0; ct<3; ct++)
|
||||
for (cg = 0; cg < 6; cg++)
|
||||
free_vlc(&s->ract_vlc[pt][ct][cg]);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -136,8 +136,11 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
|
||||
if (coeff_offset) {
|
||||
buf += coeff_offset;
|
||||
buf_size -= coeff_offset;
|
||||
if (buf_size < 0)
|
||||
if (buf_size < 0) {
|
||||
if (s->framep[VP56_FRAME_CURRENT]->key_frame)
|
||||
avcodec_set_dimensions(s->avctx, 0, 0);
|
||||
return 0;
|
||||
}
|
||||
if (s->use_huffman) {
|
||||
s->parse_coeff = vp6_parse_coeff_huffman;
|
||||
init_get_bits(&s->gb, buf, buf_size<<3);
|
||||
@@ -212,8 +215,8 @@ static int vp6_huff_cmp(const void *va, const void *vb)
|
||||
return (a->count - b->count)*16 + (b->sym - a->sym);
|
||||
}
|
||||
|
||||
static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[],
|
||||
const uint8_t *map, unsigned size, VLC *vlc)
|
||||
static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[],
|
||||
const uint8_t *map, unsigned size, VLC *vlc)
|
||||
{
|
||||
Node nodes[2*size], *tmp = &nodes[size];
|
||||
int a, b, i;
|
||||
@@ -227,9 +230,10 @@ static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[],
|
||||
nodes[map[2*i+1]].count = b + !b;
|
||||
}
|
||||
|
||||
/* then build the huffman tree accodring to probabilities */
|
||||
ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp,
|
||||
FF_HUFFMAN_FLAG_HNODE_FIRST);
|
||||
free_vlc(vlc);
|
||||
/* then build the huffman tree according to probabilities */
|
||||
return ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp,
|
||||
FF_HUFFMAN_FLAG_HNODE_FIRST);
|
||||
}
|
||||
|
||||
static void vp6_parse_coeff_models(VP56Context *s)
|
||||
@@ -365,7 +369,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s)
|
||||
if (b > 3) pt = 1;
|
||||
vlc_coeff = &s->dccv_vlc[pt];
|
||||
|
||||
for (coeff_idx=0; coeff_idx<64; ) {
|
||||
for (coeff_idx = 0;;) {
|
||||
int run = 1;
|
||||
if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) {
|
||||
s->nb_null[coeff_idx][pt]--;
|
||||
@@ -400,6 +404,8 @@ static void vp6_parse_coeff_huffman(VP56Context *s)
|
||||
}
|
||||
}
|
||||
coeff_idx+=run;
|
||||
if (coeff_idx >= 64)
|
||||
break;
|
||||
cg = FFMIN(vp6_coeff_groups[coeff_idx], 3);
|
||||
vlc_coeff = &s->ract_vlc[pt][ct][cg];
|
||||
}
|
||||
|
||||
@@ -1063,13 +1063,13 @@ static void matroska_convert_tags(AVFormatContext *s)
|
||||
static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
|
||||
{
|
||||
EbmlList *seekhead_list = &matroska->seekhead;
|
||||
MatroskaSeekhead *seekhead = seekhead_list->elem;
|
||||
uint32_t level_up = matroska->level_up;
|
||||
int64_t before_pos = url_ftell(matroska->ctx->pb);
|
||||
MatroskaLevel level;
|
||||
int i;
|
||||
|
||||
for (i=0; i<seekhead_list->nb_elem; i++) {
|
||||
MatroskaSeekhead *seekhead = seekhead_list->elem;
|
||||
int64_t offset = seekhead[i].pos + matroska->segment_start;
|
||||
|
||||
if (seekhead[i].pos <= before_pos
|
||||
|
||||
Reference in New Issue
Block a user