* @param gb context for reading bits
* @param tree pointer for storing tree data
*/
-static void read_tree(GetBitContext *gb, Tree *tree)
+static int read_tree(GetBitContext *gb, Tree *tree)
{
uint8_t tmp1[16] = { 0 }, tmp2[16], *in = tmp1, *out = tmp2;
int i, t, len;
+ if (get_bits_left(gb) < 4)
+ return AVERROR_INVALIDDATA;
+
tree->vlc_num = get_bits(gb, 4);
if (!tree->vlc_num) {
for (i = 0; i < 16; i++)
tree->syms[i] = i;
- return;
+ return 0;
}
if (get_bits1(gb)) {
len = get_bits(gb, 3);
}
memcpy(tree->syms, in, 16);
}
+ return 0;
}
/**
* @param c decoder context
* @param bundle_num number of the bundle to initialize
*/
-static void read_bundle(GetBitContext *gb, BinkContext *c, int bundle_num)
+static int read_bundle(GetBitContext *gb, BinkContext *c, int bundle_num)
{
int i;
if (bundle_num == BINK_SRC_COLORS) {
- for (i = 0; i < 16; i++)
- read_tree(gb, &c->col_high[i]);
+ for (i = 0; i < 16; i++) {
+ int ret = read_tree(gb, &c->col_high[i]);
+ if (ret < 0)
+ return ret;
+ }
c->col_lastval = 0;
}
- if (bundle_num != BINK_SRC_INTRA_DC && bundle_num != BINK_SRC_INTER_DC)
- read_tree(gb, &c->bundle[bundle_num].tree);
+ if (bundle_num != BINK_SRC_INTRA_DC && bundle_num != BINK_SRC_INTER_DC) {
+ int ret = read_tree(gb, &c->bundle[bundle_num].tree);
+ if (ret < 0)
+ return ret;
+ }
c->bundle[bundle_num].cur_dec =
c->bundle[bundle_num].cur_ptr = c->bundle[bundle_num].data;
+
+ return 0;
}
/**
av_log(avctx, AV_LOG_ERROR, "Run value went out of bounds\n");
return AVERROR_INVALIDDATA;
}
+ if (get_bits_left(gb) < 1)
+ return AVERROR_INVALIDDATA;
if (get_bits1(gb)) {
v = get_bits(gb, 4);
memset(b->cur_dec, v, t);
av_log(avctx, AV_LOG_ERROR, "Too many motion values\n");
return AVERROR_INVALIDDATA;
}
+ if (get_bits_left(gb) < 1)
+ return AVERROR_INVALIDDATA;
if (get_bits1(gb)) {
v = get_bits(gb, 4);
if (v) {
av_log(avctx, AV_LOG_ERROR, "Too many block type values\n");
return AVERROR_INVALIDDATA;
}
+ if (get_bits_left(gb) < 1)
+ return AVERROR_INVALIDDATA;
if (get_bits1(gb)) {
v = get_bits(gb, 4);
memset(b->cur_dec, v, t);
return AVERROR_INVALIDDATA;
}
while (b->cur_dec < dec_end) {
+ if (get_bits_left(gb) < 2)
+ return AVERROR_INVALIDDATA;
v = GET_HUFF(gb, b->tree);
v |= GET_HUFF(gb, b->tree) << 4;
*b->cur_dec++ = v;
av_log(c->avctx, AV_LOG_ERROR, "Too many color values\n");
return AVERROR_INVALIDDATA;
}
+ if (get_bits_left(gb) < 1)
+ return AVERROR_INVALIDDATA;
if (get_bits1(gb)) {
c->col_lastval = GET_HUFF(gb, c->col_high[c->col_lastval]);
v = GET_HUFF(gb, b->tree);
b->cur_dec += t;
} else {
while (b->cur_dec < dec_end) {
+ if (get_bits_left(gb) < 2)
+ return AVERROR_INVALIDDATA;
c->col_lastval = GET_HUFF(gb, c->col_high[c->col_lastval]);
v = GET_HUFF(gb, b->tree);
v = (c->col_lastval << 4) | v;
int16_t *dst_end = (int16_t*)b->data_end;
CHECK_READ_VAL(gb, b, len);
+ if (get_bits_left(gb) < start_bits - has_sign)
+ return AVERROR_INVALIDDATA;
v = get_bits(gb, start_bits - has_sign);
if (v && has_sign) {
sign = -get_bits1(gb);
int coef_count = 0;
int quant_idx;
+ if (get_bits_left(gb) < 4)
+ return AVERROR_INVALIDDATA;
+
coef_list[list_end] = 4; mode_list[list_end++] = 0;
coef_list[list_end] = 24; mode_list[list_end++] = 0;
coef_list[list_end] = 44; mode_list[list_end++] = 0;
return quant_idx;
}
-static void unquantize_dct_coeffs(int32_t block[64], const int32_t quant[64],
+static void unquantize_dct_coeffs(int32_t block[64], const uint32_t quant[64],
int coef_count, int coef_idx[64],
const uint8_t *scan)
{
int i;
- block[0] = (block[0] * quant[0]) >> 11;
+ block[0] = (int)(block[0] * quant[0]) >> 11;
for (i = 0; i < coef_count; i++) {
int idx = coef_idx[i];
- block[scan[idx]] = (block[scan[idx]] * quant[idx]) >> 11;
+ block[scan[idx]] = (int)(block[scan[idx]] * quant[idx]) >> 11;
}
}
}
init_lengths(c, FFMAX(width, 8), bw);
- for (i = 0; i < BINK_NB_SRC; i++)
- read_bundle(gb, c, i);
+ for (i = 0; i < BINK_NB_SRC; i++) {
+ ret = read_bundle(gb, c, i);
+ if (ret < 0)
+ return ret;
+ }
ref_start = c->last->data[plane_idx] ? c->last->data[plane_idx]
: frame->data[plane_idx];
if ((ret = read_runs(c->avctx, gb, &c->bundle[BINK_SRC_RUN])) < 0)
return ret;
- if (by == bh)
- break;
dst = frame->data[plane_idx] + 8*by*stride;
prev = (c->last->data[plane_idx] ? c->last->data[plane_idx]
: frame->data[plane_idx]) + 8*by*stride;
blk = get_value(c, BINK_SRC_SUB_BLOCK_TYPES);
switch (blk) {
case RUN_BLOCK:
+ if (get_bits_left(gb) < 4)
+ return AVERROR_INVALIDDATA;
scan = bink_patterns[get_bits(gb, 4)];
i = 0;
do {
if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
return ret;
} else {
- if ((ret = ff_reget_buffer(avctx, c->last)) < 0)
+ if ((ret = ff_reget_buffer(avctx, c->last, 0)) < 0)
return ret;
if ((ret = av_frame_ref(frame, c->last)) < 0)
return ret;
}
c->avctx = avctx;
+ if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+ return ret;
+
c->last = av_frame_alloc();
if (!c->last)
return AVERROR(ENOMEM);
- if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
- return ret;
-
avctx->pix_fmt = c->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
avctx->color_range = c->version == 'k' ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG;