Fix memset(0) based buffer overflow.

[ffmpeg] / libavcodec / alac.c

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index c69b07c01052c20ec7b008fc7d813777163638a1..9fbba9544ac0a8cca24dcdfdc7075f43cb4d90c4 100644 (file)
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -55,6 +55,7 @@
 #include "avcodec.h"
 #include "bitstream.h"
 #include "bytestream.h"
+#include "unary.h"
 
 #define ALAC_EXTRADATA_SIZE 36
 #define MAX_CHANNELS 2
@@ -67,7 +68,6 @@ typedef struct {
      * set this to 1 */
     int context_initialized;
 
-    int samplesize;
     int numchannels;
     int bytespersample;
 
@@ -78,16 +78,10 @@ typedef struct {
 
     /* stuff from setinfo */
     uint32_t setinfo_max_samples_per_frame; /* 0x1000 = 4096 */    /* max samples per frame? */
-    uint8_t setinfo_7a; /* 0x00 */
     uint8_t setinfo_sample_size; /* 0x10 */
     uint8_t setinfo_rice_historymult; /* 0x28 */
     uint8_t setinfo_rice_initialhistory; /* 0x0a */
     uint8_t setinfo_rice_kmodifier; /* 0x0e */
-    uint8_t setinfo_7f; /* 0x02 */
-    uint16_t setinfo_80; /* 0x00ff */
-    uint32_t setinfo_82; /* 0x000020e7 */ /* max sample size?? */
-    uint32_t setinfo_86; /* 0x00069fe4 */ /* bit rate (average)?? */
-    uint32_t setinfo_8a_rate; /* 0x0000ac44 */
     /* end setinfo stuff */
 
 } ALACContext;
@@ -106,7 +100,7 @@ static void allocate_buffers(ALACContext *alac)
 
 static int alac_set_info(ALACContext *alac)
 {
-    unsigned char *ptr = alac->avctx->extradata;
+    const unsigned char *ptr = alac->avctx->extradata;
 
     ptr += 4; /* size */
     ptr += 4; /* alac */
@@ -119,29 +113,47 @@ static int alac_set_info(ALACContext *alac)
 
     /* buffer size / 2 ? */
     alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr);
-    alac->setinfo_7a                    = *ptr++;
+    ptr++;                          /* ??? */
     alac->setinfo_sample_size           = *ptr++;
     alac->setinfo_rice_historymult      = *ptr++;
     alac->setinfo_rice_initialhistory   = *ptr++;
     alac->setinfo_rice_kmodifier        = *ptr++;
-    /* channels? */
-    alac->setinfo_7f                    = *ptr++;
-    alac->setinfo_80                    = bytestream_get_be16(&ptr);
-    /* max coded frame size */
-    alac->setinfo_82                    = bytestream_get_be32(&ptr);
-    /* bitrate ? */
-    alac->setinfo_86                    = bytestream_get_be32(&ptr);
-    /* samplerate */
-    alac->setinfo_8a_rate               = bytestream_get_be32(&ptr);
+    ptr++;                         /* channels? */
+    bytestream_get_be16(&ptr);      /* ??? */
+    bytestream_get_be32(&ptr);      /* max coded frame size */
+    bytestream_get_be32(&ptr);      /* bitrate ? */
+    bytestream_get_be32(&ptr);      /* samplerate */
 
     allocate_buffers(alac);
 
     return 0;
 }
 
-static inline int count_leading_zeros(int32_t input)
-{
-    return 31-av_log2(input);
+static inline int decode_scalar(GetBitContext *gb, int k, int limit, int readsamplesize){
+    /* read x - number of 1s before 0 represent the rice */
+    int x = get_unary_0_9(gb);
+
+    if (x > 8) { /* RICE THRESHOLD */
+        /* use alternative encoding */
+        x = get_bits(gb, readsamplesize);
+    } else {
+        if (k >= limit)
+            k = limit;
+
+        if (k != 1) {
+            int extrabits = show_bits(gb, k);
+
+            /* multiply x by 2^k - 1, as part of their strange algorithm */
+            x = (x << k) - x;
+
+            if (extrabits > 1) {
+                x += extrabits - 1;
+                skip_bits(gb, k);
+            } else
+                skip_bits(gb, k - 1);
+        }
+    }
+    return x;
 }
 
 static void bastardized_rice_decompress(ALACContext *alac,
@@ -159,53 +171,16 @@ static void bastardized_rice_decompress(ALACContext *alac,
     int sign_modifier = 0;
 
     for (output_count = 0; output_count < output_size; output_count++) {
-        int32_t x = 0;
+        int32_t x;
         int32_t x_modified;
         int32_t final_val;
 
-        /* read x - number of 1s before 0 represent the rice */
-        while (x <= 8 && get_bits1(&alac->gb)) {
-            x++;
-        }
-
-
-        if (x > 8) { /* RICE THRESHOLD */
-            /* use alternative encoding */
-            int32_t value;
-
-            value = get_bits(&alac->gb, readsamplesize);
-
-            /* mask value to readsamplesize size */
-            if (readsamplesize != 32)
-                value &= (0xffffffff >> (32 - readsamplesize));
-
-            x = value;
-        } else {
-            /* standard rice encoding */
-            int extrabits;
-            int k; /* size of extra bits */
-
-            /* read k, that is bits as is */
-            k = 31 - rice_kmodifier - count_leading_zeros((history >> 9) + 3);
-
-            if (k < 0)
-                k += rice_kmodifier;
-            else
-                k = rice_kmodifier;
-
-            if (k != 1) {
-                extrabits = show_bits(&alac->gb, k);
+        /* standard rice encoding */
+        int k; /* size of extra bits */
 
-                /* multiply x by 2^k - 1, as part of their strange algorithm */
-                x = (x << k) - x;
-
-                if (extrabits > 1) {
-                    x += extrabits - 1;
-                    get_bits(&alac->gb, k);
-                } else
-                    get_bits(&alac->gb, k - 1);
-            }
-        }
+        /* read k, that is bits as is */
+        k = av_log2((history >> 9) + 3);
+        x= decode_scalar(&alac->gb, k, rice_kmodifier, readsamplesize);
 
         x_modified = sign_modifier + x;
         final_val = (x_modified + 1) / 2;
@@ -224,39 +199,20 @@ static void bastardized_rice_decompress(ALACContext *alac,
 
         /* special case: there may be compressed blocks of 0 */
         if ((history < 128) && (output_count+1 < output_size)) {
-            int block_size;
+            int k;
+            unsigned int block_size;
 
             sign_modifier = 1;
 
-            x = 0;
-            while (x <= 8 && get_bits1(&alac->gb)) {
-                x++;
-            }
+            k = 7 - av_log2(history) + ((history + 16) >> 6 /* / 64 */);
 
-            if (x > 8) {
-                block_size = get_bits(&alac->gb, 16);
-                block_size &= 0xffff;
-            } else {
-                int k;
-                int extrabits;
-
-                k = count_leading_zeros(history) + ((history + 16) >> 6 /* / 64 */) - 24;
-
-                extrabits = show_bits(&alac->gb, k);
-
-                block_size = (((1 << k) - 1) & rice_kmodifier_mask) * x
-                           + extrabits - 1;
-
-                if (extrabits < 2) {
-                    x = 1 - extrabits;
-                    block_size += x;
-                    get_bits(&alac->gb, k - 1);
-                } else {
-                    get_bits(&alac->gb, k);
-                }
-            }
+            block_size= decode_scalar(&alac->gb, k, rice_kmodifier, 16);
 
             if (block_size > 0) {
+                if(block_size >= output_size - output_count){
+                    av_log(alac->avctx, AV_LOG_ERROR, "invalid zero block size of %d %d %d\n", block_size, output_size, output_count);
+                    block_size= output_size - output_count - 1;
+                }
                 memset(&output_buffer[output_count+1], 0, block_size * 4);
                 output_count += block_size;
             }
@@ -269,12 +225,15 @@ static void bastardized_rice_decompress(ALACContext *alac,
     }
 }
 
-#define SIGN_EXTENDED32(val, bits) ((val << (32 - bits)) >> (32 - bits))
+static inline int32_t extend_sign32(int32_t val, int bits)
+{
+    return (val << (32 - bits)) >> (32 - bits);
+}
 
-#define SIGN_ONLY(v) \
-                     ((v < 0) ? (-1) : \
-                                ((v > 0) ? (1) : \
-                                           (0)))
+static inline int sign_only(int v)
+{
+    return v ? FFSIGN(v) : 0;
+}
 
 static void predictor_decompress_fir_adapt(int32_t *error_buffer,
                                            int32_t *buffer_out,
@@ -310,7 +269,7 @@ static void predictor_decompress_fir_adapt(int32_t *error_buffer,
             prev_value = buffer_out[i];
             error_value = error_buffer[i+1];
             buffer_out[i+1] =
-                SIGN_EXTENDED32((prev_value + error_value), readsamplesize);
+                extend_sign32((prev_value + error_value), readsamplesize);
         }
         return;
     }
@@ -321,21 +280,21 @@ static void predictor_decompress_fir_adapt(int32_t *error_buffer,
             int32_t val;
 
             val = buffer_out[i] + error_buffer[i+1];
-            val = SIGN_EXTENDED32(val, readsamplesize);
+            val = extend_sign32(val, readsamplesize);
             buffer_out[i+1] = val;
         }
 
 #if 0
     /* 4 and 8 are very common cases (the only ones i've seen). these
-     * should be unrolled and optimised
+     * should be unrolled and optimized
      */
     if (predictor_coef_num == 4) {
-        /* FIXME: optimised general case */
+        /* FIXME: optimized general case */
         return;
     }
 
     if (predictor_coef_table == 8) {
-        /* FIXME: optimised general case */
+        /* FIXME: optimized general case */
         return;
     }
 #endif
@@ -356,7 +315,7 @@ static void predictor_decompress_fir_adapt(int32_t *error_buffer,
             outval = (1 << (predictor_quantitization-1)) + sum;
             outval = outval >> predictor_quantitization;
             outval = outval + buffer_out[0] + error_val;
-            outval = SIGN_EXTENDED32(outval, readsamplesize);
+            outval = extend_sign32(outval, readsamplesize);
 
             buffer_out[predictor_coef_num+1] = outval;
 
@@ -365,7 +324,7 @@ static void predictor_decompress_fir_adapt(int32_t *error_buffer,
 
                 while (predictor_num >= 0 && error_val > 0) {
                     int val = buffer_out[0] - buffer_out[predictor_coef_num - predictor_num];
-                    int sign = SIGN_ONLY(val);
+                    int sign = sign_only(val);
 
                     predictor_coef_table[predictor_num] -= sign;
 
@@ -381,7 +340,7 @@ static void predictor_decompress_fir_adapt(int32_t *error_buffer,
 
                 while (predictor_num >= 0 && error_val < 0) {
                     int val = buffer_out[0] - buffer_out[predictor_coef_num - predictor_num];
-                    int sign = - SIGN_ONLY(val);
+                    int sign = - sign_only(val);
 
                     predictor_coef_table[predictor_num] -= sign;
 
@@ -441,7 +400,7 @@ static void reconstruct_stereo_16(int32_t *buffer[MAX_CHANNELS],
 
 static int alac_decode_frame(AVCodecContext *avctx,
                              void *outbuffer, int *outputsize,
-                             uint8_t *inbuffer, int input_buffer_size)
+                             const uint8_t *inbuffer, int input_buffer_size)
 {
     ALACContext *alac = avctx->priv_data;
 
@@ -484,17 +443,17 @@ static int alac_decode_frame(AVCodecContext *avctx,
     /* 2^result = something to do with output waiting.
      * perhaps matters if we read > 1 frame in a pass?
      */
-    get_bits(&alac->gb, 4);
+    skip_bits(&alac->gb, 4);
 
-    get_bits(&alac->gb, 12); /* unknown, skip 12 bits */
+    skip_bits(&alac->gb, 12); /* unknown, skip 12 bits */
 
     /* the output sample size is stored soon */
-    hassize = get_bits(&alac->gb, 1);
+    hassize = get_bits1(&alac->gb);
 
     wasted_bytes = get_bits(&alac->gb, 2); /* unknown ? */
 
     /* whether the frame is compressed */
-    isnotcompressed = get_bits(&alac->gb, 1);
+    isnotcompressed = get_bits1(&alac->gb);
 
     if (hassize) {
         /* now read the number of samples as a 32bit integer */
@@ -570,7 +529,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
                     int32_t audiobits;
 
                     audiobits = get_bits(&alac->gb, alac->setinfo_sample_size);
-                    audiobits = SIGN_EXTENDED32(audiobits, readsamplesize);
+                    audiobits = extend_sign32(audiobits, readsamplesize);
 
                     alac->outputsamples_buffer[chan][i] = audiobits;
                 }
@@ -594,16 +553,18 @@ static int alac_decode_frame(AVCodecContext *avctx,
         interlacing_shift = 0;
         interlacing_leftweight = 0;
     }
+    if (get_bits(&alac->gb, 3) != 7)
+        av_log(avctx, AV_LOG_ERROR, "Error : Wrong End Of Frame\n");
 
     switch(alac->setinfo_sample_size) {
     case 16:
         if (channels == 2) {
             reconstruct_stereo_16(alac->outputsamples_buffer,
-                           (int16_t*)outbuffer,
-                           alac->numchannels,
-                           outputsamples,
-                           interlacing_shift,
-                           interlacing_leftweight);
+                                  (int16_t*)outbuffer,
+                                  alac->numchannels,
+                                  outputsamples,
+                                  interlacing_shift,
+                                  interlacing_leftweight);
         } else {
             int i;
             for (i = 0; i < outputsamples; i++) {
@@ -614,6 +575,8 @@ static int alac_decode_frame(AVCodecContext *avctx,
         break;
     case 20:
     case 24:
+        // It is not clear if there exist any encoder that creates 24 bit ALAC
+        // files. iTunes convert 24 bit raw files to 16 bit before encoding.
     case 32:
         av_log(avctx, AV_LOG_ERROR, "FIXME: unimplemented sample size %i\n", alac->setinfo_sample_size);
         break;
@@ -621,23 +584,25 @@ static int alac_decode_frame(AVCodecContext *avctx,
         break;
     }
 
+    if (input_buffer_size * 8 - get_bits_count(&alac->gb) > 8)
+        av_log(avctx, AV_LOG_ERROR, "Error : %d bits left\n", input_buffer_size * 8 - get_bits_count(&alac->gb));
+
     return input_buffer_size;
 }
 
-static int alac_decode_init(AVCodecContext * avctx)
+static av_cold int alac_decode_init(AVCodecContext * avctx)
 {
     ALACContext *alac = avctx->priv_data;
     alac->avctx = avctx;
     alac->context_initialized = 0;
 
-    alac->samplesize = alac->avctx->bits_per_sample;
     alac->numchannels = alac->avctx->channels;
-    alac->bytespersample = (alac->samplesize / 8) * alac->numchannels;
+    alac->bytespersample = (avctx->bits_per_sample / 8) * alac->numchannels;
 
     return 0;
 }
 
-static int alac_decode_close(AVCodecContext *avctx)
+static av_cold int alac_decode_close(AVCodecContext *avctx)
 {
     ALACContext *alac = avctx->priv_data;
 
@@ -659,4 +624,5 @@ AVCodec alac_decoder = {
     NULL,
     alac_decode_close,
     alac_decode_frame,
+    .long_name = "ALAC (Apple Lossless Audio Codec)",
 };