const uint8_t *next_cell_data;
const uint8_t *last_byte;
const int8_t *mc_vectors;
+ unsigned num_vectors; ///< number of motion vectors in mc_vectors
int16_t width, height;
uint32_t frame_num; ///< current frame number (zero-based)
/* setup output and reference pointers */
offset_dst = (cell->ypos << 2) * plane->pitch + (cell->xpos << 2);
dst = plane->pixels[ctx->buf_sel] + offset_dst;
+ if(cell->mv_ptr){
mv_y = cell->mv_ptr[0];
mv_x = cell->mv_ptr[1];
+ }else
+ mv_x= mv_y= 0;
offset = offset_dst + mv_y * plane->pitch + mv_x;
src = plane->pixels[ctx->buf_sel ^ 1] + offset;
ref_cell->width -= curr_cell.width;
}
- while (1) { /* loop until return */
+ while (get_bits_left(&ctx->gb) >= 2) { /* loop until return */
RESYNC_BITSTREAM;
switch (code = get_bits(&ctx->gb, 2)) {
case H_SPLIT:
av_log(avctx, AV_LOG_ERROR, "SkipCell procedure not implemented yet!\n");
CHECK_CELL
+ if (!curr_cell.mv_ptr)
+ return AVERROR_INVALIDDATA;
copy_cell(ctx, plane, &curr_cell);
return 0;
}
break;
case INTER_DATA:
if (!curr_cell.tree) { /* MC tree INTER code */
+ unsigned mv_idx;
/* get motion vector index and setup the pointer to the mv set */
if (!ctx->need_resync)
ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
- curr_cell.mv_ptr = &ctx->mc_vectors[*(ctx->next_cell_data++) << 1];
+ if(ctx->mc_vectors)
+ mv_idx = *(ctx->next_cell_data++) << 1;
+ if (mv_idx >= ctx->num_vectors) {
+ av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
+ return AVERROR_INVALIDDATA;
+ }
+ curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx];
curr_cell.tree = 1; /* enter the VQ tree */
UPDATE_BITPOS(8);
} else { /* VQ tree DATA code */
}
}//while
- return 0;
+ return AVERROR_INVALIDDATA;
}
int32_t strip_width)
{
Cell curr_cell;
- int num_vectors;
+ unsigned num_vectors;
/* each plane data starts with mc_vector_count field, */
/* an optional array of motion vectors followed by the vq data */
num_vectors = bytestream_get_le32(&data);
+ if (num_vectors > 256) {
+ av_log(ctx->avctx, AV_LOG_ERROR,
+ "Read invalid number of motion vectors %d\n", num_vectors);
+ return AVERROR_INVALIDDATA;
+ }
+ if (num_vectors * 2 >= data_size)
+ return AVERROR_INVALIDDATA;
+
+ ctx->num_vectors = num_vectors;
ctx->mc_vectors = num_vectors ? data : 0;
/* init the bitreader */
- init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);
+ init_get_bits(&ctx->gb, &data[num_vectors * 2], (data_size - num_vectors * 2) << 3);
ctx->skip_bits = 0;
ctx->need_resync = 0;
ctx->height = height;
free_frame_buffers(ctx);
- allocate_frame_buffers(ctx, avctx);
+ if(allocate_frame_buffers(ctx, avctx) < 0)
+ return AVERROR_INVALIDDATA;
avcodec_set_dimensions(avctx, width, height);
}
dsputil_init(&ctx->dsp, avctx);
- allocate_frame_buffers(ctx, avctx);
-
- return 0;
+ return allocate_frame_buffers(ctx, avctx);
}