[SCM] libav/experimental: svq1: do not modify the input packet
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sun Aug 10 16:04:14 UTC 2014
The following commit has been merged in the experimental branch:
commit 7b588bb691644e1b3c168b99accf74248a24e3cf
Author: Anton Khirnov <anton at khirnov.net>
Date: Sun Aug 3 10:14:48 2014 +0200
svq1: do not modify the input packet
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable at libav.org
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index 000487b..14ff41c 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -60,6 +60,10 @@ typedef struct SVQ1Context {
HpelDSPContext hdsp;
GetBitContext gb;
AVFrame *prev;
+
+ uint8_t *pkt_swapped;
+ int pkt_swapped_allocated;
+
int width;
int height;
int frame_code;
@@ -626,7 +630,24 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
/* swap some header bytes (why?) */
if (s->frame_code != 0x20) {
- uint32_t *src = (uint32_t *)(buf + 4);
+ uint32_t *src;
+
+ if (buf_size < 9 * 4) {
+ av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated,
+ buf_size);
+ if (!s->pkt_swapped)
+ return AVERROR(ENOMEM);
+
+ memcpy(s->pkt_swapped, buf, buf_size);
+ buf = s->pkt_swapped;
+ init_get_bits(&s->gb, buf, buf_size * 8);
+ skip_bits(&s->gb, 22);
+
+ src = (uint32_t *)(s->pkt_swapped + 4);
for (i = 0; i < 4; i++)
src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i];
@@ -796,6 +817,7 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx)
SVQ1Context *s = avctx->priv_data;
av_frame_free(&s->prev);
+ av_freep(&s->pkt_swapped);
return 0;
}
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list