lavc: Rewrite VAAPI decode infrastructure

[ffmpeg] / libavcodec / interplayacm.c

diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
index 0fd350167a82050966ba9788da815b0235d53322..c897e72bb629f651b89a040e9d3f20787e9deca7 100644 (file)
--- a/libavcodec/interplayacm.c
+++ b/libavcodec/interplayacm.c
@@ -62,6 +62,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
     if (avctx->extradata_size < 14)
         return AVERROR_INVALIDDATA;
 
+    if (avctx->channels <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
+    }
+
     s->level = AV_RL16(avctx->extradata + 12) & 0xf;
     s->rows  = AV_RL16(avctx->extradata + 12) >>  4;
     s->cols  = 1 << s->level;
@@ -72,7 +77,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     s->block   = av_calloc(s->block_len, sizeof(int));
     s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
     s->ampbuf  = av_calloc(0x10000, sizeof(int));
-    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
+    s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream));
     if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream)
         return AVERROR(ENOMEM);
 
@@ -326,6 +331,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 3) + (x3 * 9) */
         b = get_bits(gb, 5);
+        if (b > 26) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_3x3[b] & 0x0F) - 1;
         n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
@@ -351,6 +360,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 5) + (x3 * 25) */
         b = get_bits(gb, 7);
+        if (b > 124) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_3x5[b] & 0x0F) - 2;
         n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
@@ -375,6 +388,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 11) */
         b = get_bits(gb, 7);
+        if (b > 120) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_2x11[b] & 0x0F) - 5;
         n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;