Merge remote-tracking branch 'shariman/wmall'

[ffmpeg] / libavcodec / bink.c

diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index e13731269387353d796b5f319d6c9a84644b1d7e..6df7a3237b945bbe7264036d723614676dc180d5 100644 (file)
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -247,7 +247,7 @@ static void read_tree(GetBitContext *gb, Tree *tree)
             tree->syms[i] = get_bits(gb, 4);
             tmp1[tree->syms[i]] = 1;
         }
-        for (i = 0; i < 16; i++)
+        for (i = 0; i < 16 && len < 16 - 1; i++)
             if (!tmp1[i])
                 tree->syms[++len] = i;
     } else {
@@ -344,14 +344,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
         memset(b->cur_dec, v, t);
         b->cur_dec += t;
     } else {
-        do {
+        while (b->cur_dec < dec_end) {
             v = GET_HUFF(gb, b->tree);
             if (v) {
                 sign = -get_bits1(gb);
                 v = (v ^ sign) - sign;
             }
             *b->cur_dec++ = v;
-        } while (b->cur_dec < dec_end);
+        }
     }
     return 0;
 }
@@ -375,7 +375,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
         memset(b->cur_dec, v, t);
         b->cur_dec += t;
     } else {
-        do {
+        while (b->cur_dec < dec_end) {
             v = GET_HUFF(gb, b->tree);
             if (v < 12) {
                 last = v;
@@ -383,10 +383,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
             } else {
                 int run = bink_rlelens[v - 12];
 
+                if (dec_end - b->cur_dec < run)
+                    return -1;
                 memset(b->cur_dec, last, run);
                 b->cur_dec += run;
             }
-        } while (b->cur_dec < dec_end);
+        }
     }
     return 0;
 }
@@ -456,7 +458,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
                     int start_bits, int has_sign)
 {
     int i, j, len, len2, bsize, sign, v, v2;
-    int16_t *dst = (int16_t*)b->cur_dec;
+    int16_t *dst     = (int16_t*)b->cur_dec;
+    int16_t *dst_end = (int16_t*)b->data_end;
 
     CHECK_READ_VAL(gb, b, len);
     v = get_bits(gb, start_bits - has_sign);
@@ -464,10 +467,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
         sign = -get_bits1(gb);
         v = (v ^ sign) - sign;
     }
+    if (dst_end - dst < 1)
+        return -1;
     *dst++ = v;
     len--;
     for (i = 0; i < len; i += 8) {
         len2 = FFMIN(len - i, 8);
+        if (dst_end - dst < len2)
+            return -1;
         bsize = get_bits(gb, 4);
         if (bsize) {
             for (j = 0; j < len2; j++) {
@@ -535,6 +542,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num)
     int i, len;
 
     CHECK_READ_VAL(gb, b, len);
+    if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
+        return -1;
     if (bits <= 8) {
         if (!issigned) {
             for (i = 0; i < len; i++)
@@ -586,7 +595,7 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
 {
     int coef_list[128];
     int mode_list[128];
-    int i, t, mask, bits, ccoef, mode, sign;
+    int i, t, bits, ccoef, mode, sign;
     int list_start = 64, list_end = 64, list_pos;
     int coef_count = 0;
     int coef_idx[64];
@@ -600,8 +609,7 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
     coef_list[list_end] = 2;  mode_list[list_end++] = 3;
     coef_list[list_end] = 3;  mode_list[list_end++] = 3;
 
-    bits = get_bits(gb, 4) - 1;
-    for (mask = 1 << bits; bits >= 0; mask >>= 1, bits--) {
+    for (bits = get_bits(gb, 4) - 1; bits >= 0; bits--) {
         list_pos = list_start;
         while (list_pos < list_end) {
             if (!(mode_list[list_pos] | coef_list[list_pos]) || !get_bits1(gb)) {
@@ -627,7 +635,7 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
                         if (!bits) {
                             t = 1 - (get_bits1(gb) << 1);
                         } else {
-                            t = get_bits(gb, bits) | mask;
+                            t = get_bits(gb, bits) | 1 << bits;
                             sign = -get_bits1(gb);
                             t = (t ^ sign) - sign;
                         }
@@ -648,7 +656,7 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
                 if (!bits) {
                     t = 1 - (get_bits1(gb) << 1);
                 } else {
-                    t = get_bits(gb, bits) | mask;
+                    t = get_bits(gb, bits) | 1 << bits;
                     sign = -get_bits1(gb);
                     t = (t ^ sign) - sign;
                 }
@@ -950,8 +958,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
     for (i = 0; i < BINK_NB_SRC; i++)
         read_bundle(gb, c, i);
 
-    ref_start = c->last.data[plane_idx];
-    ref_end   = c->last.data[plane_idx]
+    ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx]
+                                        : c->pic.data[plane_idx];
+    ref_end   = ref_start
                 + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8;
 
     for (i = 0; i < 64; i++)
@@ -980,7 +989,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
         if (by == bh)
             break;
         dst  = c->pic.data[plane_idx]  + 8*by*stride;
-        prev = c->last.data[plane_idx] + 8*by*stride;
+        prev = (c->last.data[plane_idx] ? c->last.data[plane_idx]
+                                        : c->pic.data[plane_idx]) + 8*by*stride;
         for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
             blk = get_value(c, BINK_SRC_BLOCK_TYPES);
             // 16x16 block type on odd line means part of the already decoded block, so skip it