X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fwmv2dec.c;h=c500e3e7797d6a9058ab9b546489a0559a968d61;hb=a247ac640df3da573cd661065bf53f37863e2b46;hp=4f97d9227ce1e032d9951e8eb23180ad6b95fedb;hpb=03210fe138f3b3bd7f5272fe29aca810cf517329;p=ffmpeg diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 4f97d9227ce..c500e3e7797 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -33,6 +33,7 @@ static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; + int coded_mb_count = 0; MpegEncContext *const s = &w->s; uint32_t *const mb_type = s->current_picture_ptr->mb_type; @@ -83,6 +84,14 @@ static int parse_mb_skip(Wmv2Context *w) } break; } + + for (mb_y = 0; mb_y < s->mb_height; mb_y++) + for (mb_x = 0; mb_x < s->mb_width; mb_x++) + coded_mb_count += !IS_SKIP(mb_type[mb_y * s->mb_stride + mb_x]); + + if (coded_mb_count > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; + return 0; } @@ -181,6 +190,14 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } s->dc_table_index = get_bits1(&s->gb); + + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; } s->inter_intra_pred = 0; s->no_rounding = 1; @@ -222,6 +239,9 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) s->rl_chroma_table_index = s->rl_table_index; } + if (get_bits_left(&s->gb) < 2) + return AVERROR_INVALIDDATA; + s->dc_table_index = get_bits1(&s->gb); s->mv_table_index = get_bits1(&s->gb); 
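Review bot: The bound added at the end of parse_mb_skip, `if (coded_mb_count > get_bits_left(&s->gb))`, carries no comment saying what it assumes, so a later reader cannot tell a format guarantee from a heuristic. Presumably it relies on the same one-bit-per-macroblock minimum that the comment in the ff_wmv2_decode_secondary_picture_header hunk states. I would put `/* each non-skipped macroblock needs at least one bit; reject a skip map that promises more than the remaining data can hold */` above the counting loop. The two nested `for` statements are unbraced around the `coded_mb_count +=` line, and braces on both would make the nesting explicit. The switch that fills `mb_type` lies outside this hunk.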
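Review bot: The size check added after `s->dc_table_index = get_bits1(&s->gb);` recomputes the macroblock count as `(s->width+15)/16 * ((s->height+15)/16)`, while the check added to parse_mb_skip iterates over `s->mb_width` and `s->mb_height`. If those fields are already set when this header is parsed (not visible in the hunk), writing `s->mb_width * s->mb_height` here would keep both bounds on the same quantity. The `8LL` widens only the left-hand side; the right-hand product is still evaluated in `int`, which is safe only while the dimensions are bounded elsewhere. The comment's opening sentence says "at minimum" and "at least" together; `// a valid frame needs at least one bit per macroblock` reads more clearly.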
@@ -258,22 +278,16 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) return 0; } -static inline int wmv2_decode_motion(Wmv2Context *w, int *mx_ptr, int *my_ptr) +static inline void wmv2_decode_motion(Wmv2Context *w, int *mx_ptr, int *my_ptr) { MpegEncContext *const s = &w->s; - int ret; - ret = ff_msmpeg4_decode_motion(s, mx_ptr, my_ptr); - - if (ret < 0) - return ret; + ff_msmpeg4_decode_motion(s, mx_ptr, my_ptr); if ((((*mx_ptr) | (*my_ptr)) & 1) && s->mspel) w->hshift = get_bits1(&s->gb); else w->hshift = 0; - - return 0; } static int16_t *wmv2_pred_motion(Wmv2Context *w, int *px, int *py) @@ -389,8 +403,6 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); - if (code < 0) - return AVERROR_INVALIDDATA; s->mb_intra = (~code & 0x40) >> 6; cbp = code & 0x3f; @@ -399,11 +411,6 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) if (get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); - if (code < 0) { - av_log(s->avctx, AV_LOG_ERROR, - "II-cbp illegal at %d %d\n", s->mb_x, s->mb_y); - return AVERROR_INVALIDDATA; - } /* predict coded block pattern */ cbp = 0; for (i = 0; i < 6; i++) { @@ -436,8 +443,7 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->per_block_abt = 0; } - if ((ret = wmv2_decode_motion(w, &mx, &my)) < 0) - return ret; + wmv2_decode_motion(w, &mx, &my); s->mv_dir = MV_DIR_FORWARD; s->mv_type = MV_TYPE_16X16; @@ -507,7 +513,7 @@ static av_cold int wmv2_decode_end(AVCodecContext *avctx) return ff_h263_decode_end(avctx); } -AVCodec ff_wmv2_decoder = { +const AVCodec ff_wmv2_decoder = { .name = "wmv2", .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 8"), .type = AVMEDIA_TYPE_VIDEO, 
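Review bot: wmv2_decode_motion now discards whatever `ff_msmpeg4_decode_motion(s, mx_ptr, my_ptr)` reports, and nothing on the new side says why that is safe. Presumably the callee was changed so that it cannot fail, in a companion change outside this file. If it can still return an error, a failed decode would fall through to the `((*mx_ptr) | (*my_ptr)) & 1` test and on to the caller's motion-vector setup. A one-line comment such as `/* ff_msmpeg4_decode_motion() cannot fail: <reason> */` above the call would record the invariant. The call-site change in ff_wmv2_decode_mb (hunk at -436,8) rests on the same assumption.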
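Review bot: With `if (code < 0) return AVERROR_INVALIDDATA;` removed in the hunk at -389,8, the result of `get_vlc2()` goes straight into `s->mb_intra = (~code & 0x40) >> 6;` and `cbp = code & 0x3f;`. A negative code would then be read as an inter macroblock with all six blocks coded instead of being rejected. That is correct only if the `ff_mb_non_intra_vlc` tables leave no code unassigned, which cannot be confirmed from these lines. The same holds for the `ff_msmp4_mb_i_vlc` lookup in the hunk at -399,11, where the "II-cbp illegal" log was dropped as well. I would state the invariant beside each lookup, e.g. `/* table is complete, get_vlc2() cannot return a negative code */`, or keep it checkable in debug builds with `av_assert2(code >= 0);` if avassert.h is available to this file.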
@@ -517,6 +523,7 @@ AVCodec ff_wmv2_decoder = { .close = wmv2_decode_end, .decode = ff_h263_decode_frame, .capabilities = AV_CODEC_CAP_DRAW_HORIZ_BAND | AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, };
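Review bot: Setting `.caps_internal = FF_CODEC_CAP_INIT_CLEANUP` makes `.close` (wmv2_decode_end) run when init fails partway as well, so every release it performs has to tolerate members that were never allocated. Only the `return ff_h263_decode_end(avctx);` tail of wmv2_decode_end is visible on this page, so that cannot be verified here. A short comment above the initializer, e.g. `/* close must be safe after a partial init (FF_CODEC_CAP_INIT_CLEANUP) */`, would keep the requirement in view for whoever next adds an allocation to the init path.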