X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Frv34.c;h=295a633f383d65972680105bdd24d8bcf5adde86;hb=8d61eef917f736ebd4bc23c36d1b0cb3934e7dd6;hp=8223e92df35dba614f9a73369271100b278ecd4d;hpb=b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89;p=ffmpeg

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 8223e92df35..295a633f383 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -171,82 +171,6 @@ static av_cold void rv34_init_tables(void)
 
 /** @} */ // vlc group
 
-
-/**
- * @name RV30/40 inverse transform functions
- * @{
- */
-
-static av_always_inline void rv34_row_transform(int temp[16], DCTELEM *block)
-{
-    int i;
-
-    for(i = 0; i < 4; i++){
-        const int z0 = 13*(block[i+8*0] +    block[i+8*2]);
-        const int z1 = 13*(block[i+8*0] -    block[i+8*2]);
-        const int z2 =  7* block[i+8*1] - 17*block[i+8*3];
-        const int z3 = 17* block[i+8*1] +  7*block[i+8*3];
-
-        temp[4*i+0] = z0 + z3;
-        temp[4*i+1] = z1 + z2;
-        temp[4*i+2] = z1 - z2;
-        temp[4*i+3] = z0 - z3;
-    }
-}
-
-/**
- * Real Video 3.0/4.0 inverse transform
- * Code is almost the same as in SVQ3, only scaling is different.
- */
-static void rv34_inv_transform(DCTELEM *block){
-    int temp[16];
-    int i;
-
-    rv34_row_transform(temp, block);
-
-    for(i = 0; i < 4; i++){
-        const int z0 = 13*(temp[4*0+i] +    temp[4*2+i]) + 0x200;
-        const int z1 = 13*(temp[4*0+i] -    temp[4*2+i]) + 0x200;
-        const int z2 =  7* temp[4*1+i] - 17*temp[4*3+i];
-        const int z3 = 17* temp[4*1+i] +  7*temp[4*3+i];
-
-        block[i*8+0] = (z0 + z3) >> 10;
-        block[i*8+1] = (z1 + z2) >> 10;
-        block[i*8+2] = (z1 - z2) >> 10;
-        block[i*8+3] = (z0 - z3) >> 10;
-    }
-
-}
-
-/**
- * RealVideo 3.0/4.0 inverse transform for DC block
- *
- * Code is almost the same as rv34_inv_transform()
- * but final coefficients are multiplied by 1.5 and have no rounding.
- */
-static void rv34_inv_transform_noround(DCTELEM *block){
-    int temp[16];
-    int i;
-
-    rv34_row_transform(temp, block);
-
-    for(i = 0; i < 4; i++){
-        const int z0 = 13*(temp[4*0+i] +    temp[4*2+i]);
-        const int z1 = 13*(temp[4*0+i] -    temp[4*2+i]);
-        const int z2 =  7* temp[4*1+i] - 17*temp[4*3+i];
-        const int z3 = 17* temp[4*1+i] +  7*temp[4*3+i];
-
-        block[i*8+0] = ((z0 + z3) * 3) >> 11;
-        block[i*8+1] = ((z1 + z2) * 3) >> 11;
-        block[i*8+2] = ((z1 - z2) * 3) >> 11;
-        block[i*8+3] = ((z0 - z3) * 3) >> 11;
-    }
-
-}
-
-/** @} */ // transform
-
-
 /**
  * @name RV30/40 4x4 block decoding functions
  * @{
@@ -1009,7 +933,7 @@ static void rv34_pred_4x4_block(RV34DecContext *r, uint8_t *dst, int stride, int
         if(itype == VERT_LEFT_PRED) itype = VERT_LEFT_PRED_RV40_NODOWN;
     }
     if(!right && up){
-        topleft = dst[-stride + 3] * 0x01010101;
+        topleft = dst[-stride + 3] * 0x01010101u;
         prev = (uint8_t*)&topleft;
     }
     r->h.pred4x4[itype](dst, prev, stride);
@@ -1188,7 +1112,7 @@ static int rv34_decode_macroblock(RV34DecContext *r, int8_t *intra_types)
     GetBitContext *gb = &s->gb;
     int cbp, cbp2;
     int i, blknum, blkoff;
-    DCTELEM block16[64];
+    LOCAL_ALIGNED_16(DCTELEM, block16, [64]);
     int luma_dc_quant;
     int dist;
     int mb_pos = s->mb_x + s->mb_y * s->mb_stride;
@@ -1223,10 +1147,10 @@ static int rv34_decode_macroblock(RV34DecContext *r, int8_t *intra_types)
 
     luma_dc_quant = r->block_type == RV34_MB_P_MIX16x16 ? r->luma_dc_quant_p[s->qscale] : r->luma_dc_quant_i[s->qscale];
     if(r->is16){
-        memset(block16, 0, sizeof(block16));
+        memset(block16, 0, 64 * sizeof(*block16));
         rv34_decode_block(block16, gb, r->cur_vlcs, 3, 0);
         rv34_dequant4x4_16x16(block16, rv34_qscale_tab[luma_dc_quant],rv34_qscale_tab[s->qscale]);
-        rv34_inv_transform_noround(block16);
+        r->rdsp.rv34_inv_transform_tab[1](block16);
     }
 
     for(i = 0; i < 16; i++, cbp >>= 1){
@@ -1238,7 +1162,7 @@ static int rv34_decode_macroblock(RV34DecContext *r, int8_t *intra_types)
         rv34_dequant4x4(s->block[blknum] + blkoff, rv34_qscale_tab[s->qscale],rv34_qscale_tab[s->qscale]);
         if(r->is16) //FIXME: optimize
             s->block[blknum][blkoff] = block16[(i & 3) | ((i & 0xC) << 1)];
-        rv34_inv_transform(s->block[blknum] + blkoff);
+        r->rdsp.rv34_inv_transform_tab[0](s->block[blknum] + blkoff);
     }
     if(r->block_type == RV34_MB_P_MIX16x16)
         r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 1);
@@ -1248,7 +1172,7 @@ static int rv34_decode_macroblock(RV34DecContext *r, int8_t *intra_types)
         blkoff = ((i & 1) << 2) + ((i & 2) << 4);
         rv34_decode_block(s->block[blknum] + blkoff, gb, r->cur_vlcs, r->chroma_vlc, 1);
         rv34_dequant4x4(s->block[blknum] + blkoff, rv34_qscale_tab[rv34_chroma_quant[1][s->qscale]],rv34_qscale_tab[rv34_chroma_quant[0][s->qscale]]);
-        rv34_inv_transform(s->block[blknum] + blkoff);
+        r->rdsp.rv34_inv_transform_tab[0](s->block[blknum] + blkoff);
     }
     if (IS_INTRA(s->current_picture_ptr->f.mb_type[mb_pos]))
         rv34_output_macroblock(r, intra_types, cbp2, r->is16);
@@ -1419,7 +1343,7 @@ av_cold int ff_rv34_decode_init(AVCodecContext *avctx)
     if (MPV_common_init(s) < 0)
         return -1;
 
-    ff_h264_pred_init(&r->h, CODEC_ID_RV40, 8);
+    ff_h264_pred_init(&r->h, CODEC_ID_RV40, 8, 1);
 
 #if CONFIG_RV30_DECODER
     if (avctx->codec_id == CODEC_ID_RV30)
@@ -1488,8 +1412,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         slice_count = avctx->slice_count;
 
     //parse first slice header to check whether this frame can be decoded
-    if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){
-        av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+    if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
+       get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+        av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
         return -1;
     }
     init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
@@ -1512,13 +1437,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         else
             size = get_slice_offset(avctx, slices_hdr, i+1) - offset;
 
-        if(offset > buf_size){
-            av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+        if(offset < 0 || offset > buf_size){
+            av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
             break;
         }
 
         r->si.end = s->mb_width * s->mb_height;
         if(i+1 < slice_count){
+            if (get_slice_offset(avctx, slices_hdr, i+1) < 0 ||
+                get_slice_offset(avctx, slices_hdr, i+1) > buf_size) {
+                av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
+                break;
+            }
             init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
             if(r->parse_slice_header(r, &r->s.gb, &si) < 0){
                 if(i+2 < slice_count)
@@ -1528,6 +1458,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
             }else
                 r->si.end = si.start;
         }
+        if (size < 0 || size > buf_size - offset) {
+            av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n");
+            break;
+        }
         last = rv34_decode_slice(r, r->si.end, buf + offset, size);
         s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start;
         if(last)