Merge remote-tracking branch 'qatar/master'

* qatar/master: (29 commits) cabac: Move code only used within the CABAC test program into the test program. vp56: Drop unnecessary cabac.h #include. h264-test: Initialize AVCodecContext.av_class. build: Skip compiling network.h and rtsp.h if networking is not enabled. cosmetics: drop some pointless parentheses Disable annoying warning without changing behavior faq: Solutions for common problems with sample paths when running FATE. avcodec: attempt to clarify the CODEC_CAP_DELAY documentation avcodec: fix avcodec_encode_audio() documentation. FATE: xmv-demux test; exercise the XMV demuxer without decoding the perceptual codecs inside. vqf: recognize more metadata chunks FATE test: BMV demuxer and associated video and audio decoders. FATE: indeo4 video decoder test. FATE: update xxan-wc4 test to a sample with more code coverage. Change the recent h264_mp4toannexb bitstream filter test to output to an elementary stream rather than a program stream. g722enc: validate AVCodecContext.trellis g722enc: set frame_size, and also handle an odd number of input samples g722enc: split encoding into separate functions for trellis vs. no trellis mpegaudiodec: Use clearer pointer math tta: Fix returned error code at EOF ... Conflicts: libavcodec/h264.c libavcodec/indeo3.c libavcodec/interplayvideo.c libavcodec/ivi_common.c libavcodec/libxvidff.c libavcodec/mpegvideo.c libavcodec/ppc/mpegvideo_altivec.c libavcodec/tta.c libavcodec/utils.c libavfilter/vsrc_buffer.c libavformat/Makefile tests/fate/indeo.mak tests/ref/acodec/g722 Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-01-08 01:29:15 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-08 03:34:22 +0100
commit: 757473831c3e1cc231fb985bcaed622d66fd6b2e (patch)
tree: d3c83c1e3726c24b91bf9970b06fd1a83921fff0 /libavcodec/indeo3.c
parent: a407baba85c2999707868e975c98b5a9de50f46d (diff)
parent: badb195d139f15dc189dd3f78930c9cbfce89c24 (diff)
1 files changed, 18 insertions, 6 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 83c97bb96d..ce84d72f8b 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -89,6 +89,7 @@ typedef struct Indeo3DecodeContext {
     const uint8_t   *next_cell_data;
     const uint8_t   *last_byte;
     const int8_t    *mc_vectors;
+    unsigned        num_vectors;    ///< number of motion vectors in mc_vectors
 
     int16_t         width, height;
     uint32_t        frame_num;      ///< current frame number (zero-based)
@@ -767,11 +768,17 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
             break;
         case INTER_DATA:
             if (!curr_cell.tree) { /* MC tree INTER code */
+                unsigned mv_idx;
                 /* get motion vector index and setup the pointer to the mv set */
                 if (!ctx->need_resync)
                     ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
                 if(ctx->mc_vectors)
-                    curr_cell.mv_ptr = &ctx->mc_vectors[*(ctx->next_cell_data++) << 1];
+                    mv_idx = *(ctx->next_cell_data++) << 1;
+                if (mv_idx >= ctx->num_vectors) {
+                    av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
+                    return AVERROR_INVALIDDATA;
+                }
+                curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx];
                 curr_cell.tree   = 1; /* enter the VQ tree */
                 UPDATE_BITPOS(8);
             } else { /* VQ tree DATA code */
@@ -801,19 +808,24 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                         int32_t strip_width)
 {
     Cell            curr_cell;
-    uint32_t        num_vectors;
+    unsigned        num_vectors;
 
     /* each plane data starts with mc_vector_count field, */
     /* an optional array of motion vectors followed by the vq data */
     num_vectors = bytestream_get_le32(&data);
-    if(num_vectors >= data_size/2)
+    if (num_vectors > 256) {
+        av_log(ctx->avctx, AV_LOG_ERROR,
+               "Read invalid number of motion vectors %d\n", num_vectors);
         return AVERROR_INVALIDDATA;
+    }
+    if (num_vectors * 2 >= data_size)
+        return AVERROR_INVALIDDATA;
+
+    ctx->num_vectors = num_vectors;
     ctx->mc_vectors  = num_vectors ? data : 0;
-    data     += num_vectors * 2;
-    data_size-= num_vectors * 2;
 
     /* init the bitreader */
-    init_get_bits(&ctx->gb, data, data_size << 3);
+    init_get_bits(&ctx->gb, &data[num_vectors * 2], (data_size - num_vectors * 2) << 3);
     ctx->skip_bits   = 0;
     ctx->need_resync = 0;
author	Michael Niedermayer <michaelni@gmx.at>	2012-01-08 01:29:15 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-08 03:34:22 +0100
commit	757473831c3e1cc231fb985bcaed622d66fd6b2e (patch)
tree	d3c83c1e3726c24b91bf9970b06fd1a83921fff0 /libavcodec/indeo3.c
parent	a407baba85c2999707868e975c98b5a9de50f46d (diff)
parent	badb195d139f15dc189dd3f78930c9cbfce89c24 (diff)