From da2e774fd6841da7cede8c8ef30337449329727c Mon Sep 17 00:00:00 2001 From: Laurentiu Ion Date: Tue, 10 Jan 2012 03:21:17 +0200 Subject: kmvc: Use bytestream2 functions to prevent buffer overreads. Signed-off-by: Ronald S. Bultje --- libavcodec/kmvc.c | 150 +++++++++++++++++++++--------------------------------- 1 file changed, 58 insertions(+), 92 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 6c55863e7d..2b54b84e99 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -46,6 +46,7 @@ typedef struct KmvcContext { uint32_t pal[256]; uint8_t *cur, *prev; uint8_t *frm0, *frm1; + GetByteContext g; } KmvcContext; typedef struct BitBuf { @@ -55,23 +56,19 @@ typedef struct BitBuf { #define BLK(data, x, y) data[(x) + (y) * 320] -#define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++; +#define kmvc_init_getbits(bb, g) bb.bits = 7; bb.bitbuf = bytestream2_get_byte(g); -#define kmvc_getbit(bb, src, src_end, res) {\ +#define kmvc_getbit(bb, g, res) {\ res = 0; \ if (bb.bitbuf & (1 << bb.bits)) res = 1; \ bb.bits--; \ if(bb.bits == -1) { \ - if (src >= src_end) { \ - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \ - return AVERROR_INVALIDDATA; \ - } \ - bb.bitbuf = *src++; \ + bb.bitbuf = bytestream2_get_byte(g); \ bb.bits = 7; \ } \ } -static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) +static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) { BitBuf bb; int res, val; @@ -79,42 +76,33 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src int bx, by; int l0x, l1x, l0y, l1y; int mx, my; - const uint8_t *src_end = src + src_size; - kmvc_init_getbits(bb, src); + kmvc_init_getbits(bb, &ctx->g); for (by = 0; by < h; by += 8) for (bx = 0; bx < w; bx += 8) { - kmvc_getbit(bb, src, src_end, res); + if (!bytestream2_get_bytes_left(&ctx->g)) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } + kmvc_getbit(bb, &ctx->g, res); if (!res) { // fill whole 8x8 block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); for (i = 0; i < 64; i++) BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; } else { // handle four 4x4 subblocks for (i = 0; i < 4; i++) { l0x = bx + (i & 1) * 4; l0y = by + (i & 2) * 2; - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { // fill whole 4x4 block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; } else { // copy block from already decoded place - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; for (j = 0; j < 16; j++) @@ -125,25 +113,17 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src for (j = 0; j < 4; j++) { l1x = l0x + (j & 1) * 2; l1y = l0y + (j & 2); - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { // fill whole 2x2 block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val; } else { // copy block from already decoded place - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; BLK(ctx->cur, l1x, l1y) = BLK(ctx->cur, l1x - mx, l1y - my); @@ -155,10 +135,10 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src BLK(ctx->cur, l1x + 1 - mx, l1y + 1 - my); } } else { // read values for block - BLK(ctx->cur, l1x, l1y) = *src++; - BLK(ctx->cur, l1x + 1, l1y) = *src++; - BLK(ctx->cur, l1x, l1y + 1) = *src++; - BLK(ctx->cur, l1x + 1, l1y + 1) = *src++; + BLK(ctx->cur, l1x, l1y) = bytestream2_get_byte(&ctx->g); + BLK(ctx->cur, l1x + 1, l1y) = bytestream2_get_byte(&ctx->g); + BLK(ctx->cur, l1x, l1y + 1) = bytestream2_get_byte(&ctx->g); + BLK(ctx->cur, l1x + 1, l1y + 1) = bytestream2_get_byte(&ctx->g); } } } @@ -169,7 +149,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src return 0; } -static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) +static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) { BitBuf bb; int res, val; @@ -177,21 +157,20 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src int bx, by; int l0x, l1x, l0y, l1y; int mx, my; - const uint8_t *src_end = src + src_size; - kmvc_init_getbits(bb, src); + kmvc_init_getbits(bb, &ctx->g); for (by = 0; by < h; by += 8) for (bx = 0; bx < w; bx += 8) { - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { // fill whole 8x8 block - if (src >= src_end) { + if (!bytestream2_get_bytes_left(&ctx->g)) { av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); return AVERROR_INVALIDDATA; } - val = *src++; + val = bytestream2_get_byte(&ctx->g); for (i = 0; i < 64; i++) BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; } else { // copy block from previous frame @@ -200,26 +179,22 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src BLK(ctx->prev, bx + (i & 0x7), by + (i >> 3)); } } else { // handle four 4x4 subblocks + if (!bytestream2_get_bytes_left(&ctx->g)) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } for (i = 0; i < 4; i++) { l0x = bx + (i & 1) * 4; l0y = by + (i & 2) * 2; - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { // fill whole 4x4 block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; } else { // copy block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; for (j = 0; j < 16; j++) @@ -230,25 +205,17 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src for (j = 0; j < 4; j++) { l1x = l0x + (j & 1) * 2; l1y = l0y + (j & 2); - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { - kmvc_getbit(bb, src, src_end, res); + kmvc_getbit(bb, &ctx->g, res); if (!res) { // fill whole 2x2 block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val; } else { // copy block - if (src >= src_end) { - av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); - return AVERROR_INVALIDDATA; - } - val = *src++; + val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; BLK(ctx->cur, l1x, l1y) = BLK(ctx->prev, l1x + mx, l1y + my); @@ -260,10 +227,10 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src BLK(ctx->prev, l1x + 1 + mx, l1y + 1 + my); } } else { // read values for block - BLK(ctx->cur, l1x, l1y) = *src++; - BLK(ctx->cur, l1x + 1, l1y) = *src++; - BLK(ctx->cur, l1x, l1y + 1) = *src++; - BLK(ctx->cur, l1x + 1, l1y + 1) = *src++; + BLK(ctx->cur, l1x, l1y) = bytestream2_get_byte(&ctx->g); + BLK(ctx->cur, l1x + 1, l1y) = bytestream2_get_byte(&ctx->g); + BLK(ctx->cur, l1x, l1y + 1) = bytestream2_get_byte(&ctx->g); + BLK(ctx->cur, l1x + 1, l1y + 1) = bytestream2_get_byte(&ctx->g); } } } @@ -276,8 +243,6 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; KmvcContext *const ctx = avctx->priv_data; uint8_t *out, *src; int i; @@ -285,6 +250,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa int blocksize; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + bytestream2_init(&ctx->g, avpkt->data, avpkt->size); if (ctx->pic.data[0]) avctx->release_buffer(avctx, &ctx->pic); @@ -295,16 +261,16 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa return -1; } - header = *buf++; + header = bytestream2_get_byte(&ctx->g); /* blocksize 127 is really palette change event */ - if (buf[0] == 127) { - buf += 3; + if (bytestream2_peek_byte(&ctx->g) == 127) { + bytestream2_skip(&ctx->g, 3); for (i = 0; i < 127; i++) { - ctx->pal[i + (header & 0x81)] = AV_RB24(buf); - buf += 4; + ctx->pal[i + (header & 0x81)] = bytestream2_get_be24(&ctx->g); + bytestream2_skip(&ctx->g, 1); } - buf -= 127 * 4 + 3; + bytestream2_seek(&ctx->g, -127 * 4 - 3, SEEK_CUR); } if (header & KMVC_KEYFRAME) { @@ -319,7 +285,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa ctx->pic.palette_has_changed = 1; // palette starts from index 1 and has 127 entries for (i = 1; i <= ctx->palsize; i++) { - ctx->pal[i] = bytestream_get_be24(&buf); + ctx->pal[i] = bytestream2_get_be24(&ctx->g); } } @@ -336,7 +302,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa /* make the palette available on the way out */ memcpy(ctx->pic.data[1], ctx->pal, 1024); - blocksize = *buf++; + blocksize = bytestream2_get_byte(&ctx->g); if (blocksize != 8 && blocksize != 127) { av_log(avctx, AV_LOG_ERROR, "Block size = %i\n", blocksize); @@ -349,10 +315,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa memcpy(ctx->cur, ctx->prev, 320 * 200); break; case 3: - kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height); + kmvc_decode_intra_8x8(ctx, avctx->width, avctx->height); break; case 4: - kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height); + kmvc_decode_inter_8x8(ctx, avctx->width, avctx->height); break; default: av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD); @@ -380,7 +346,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa *(AVFrame *) data = ctx->pic; /* always report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } -- cgit v1.2.3 From 353a2d2164c09740e42f33014c4773b93e96a0d2 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 9 Jan 2012 23:37:24 +0000 Subject: bmpdec: support for rgb444 with bitfields compression Do not display garbage for invalid/unsupported bitfields values. Signed-off-by: Ronald S. Bultje --- libavcodec/bmp.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index f438d10613..1f725f5369 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -162,8 +162,18 @@ static int bmp_decode_frame(AVCodecContext *avctx, case 16: if(comp == BMP_RGB) avctx->pix_fmt = PIX_FMT_RGB555; - if(comp == BMP_BITFIELDS) - avctx->pix_fmt = rgb[1] == 0x07E0 ? PIX_FMT_RGB565 : PIX_FMT_RGB555; + else if (comp == BMP_BITFIELDS) { + if (rgb[0] == 0xF800 && rgb[1] == 0x07E0 && rgb[2] == 0x001F) + avctx->pix_fmt = PIX_FMT_RGB565; + else if (rgb[0] == 0x7C00 && rgb[1] == 0x03E0 && rgb[2] == 0x001F) + avctx->pix_fmt = PIX_FMT_RGB555; + else if (rgb[0] == 0x0F00 && rgb[1] == 0x00F0 && rgb[2] == 0x000F) + avctx->pix_fmt = PIX_FMT_RGB444; + else { + av_log(avctx, AV_LOG_ERROR, "Unknown bitfields %0X %0X %0X\n", rgb[0], rgb[1], rgb[2]); + return AVERROR(EINVAL); + } + } break; case 8: if(hsize - ihsize - 14 > 0) -- cgit v1.2.3 From e652cc9606068189cb512a36f0335a5cf2ecf287 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 9 Jan 2012 02:06:59 +0100 Subject: rv34: use get_bits_left() It is not necessary to store the bit stream length in a RV34DecContext field. --- libavcodec/rv34.c | 3 +-- libavcodec/rv34.h | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 91d678876a..f9f8677385 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1186,7 +1186,7 @@ static int check_slice_end(RV34DecContext *r, MpegEncContext *s) return 1; if(r->s.mb_skip_run > 1) return 0; - bits = r->bits - get_bits_count(&s->gb); + bits = get_bits_left(&s->gb); if(bits < 0 || (bits < 8 && !show_bits(&s->gb, bits))) return 1; return 0; @@ -1266,7 +1266,6 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int r->si.end = end; s->qscale = r->si.quant; - r->bits = buf_size*8; s->mb_num_left = r->si.end - r->si.start; r->s.mb_skip_run = 0; diff --git a/libavcodec/rv34.h b/libavcodec/rv34.h index 12607fb806..3f3b879306 100644 --- a/libavcodec/rv34.h +++ b/libavcodec/rv34.h @@ -92,7 +92,6 @@ typedef struct RV34DecContext{ const uint8_t *luma_dc_quant_p;///< luma subblock DC quantizer for interframes RV34VLC *cur_vlcs; ///< VLC set used for current frame decoding - int bits; ///< slice size in bits H264PredContext h; ///< functions for 4x4 and 16x16 intra block prediction SliceInfo si; ///< current slice information -- cgit v1.2.3 From 84e5159e25d2fd35bdceef4678c199e27d1b88ce Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 10 Jan 2012 16:06:02 +0000 Subject: bmpenc: support for PIX_FMT_RGB444 Signed-off-by: Ronald S. Bultje --- libavcodec/bmpenc.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/bmpenc.c b/libavcodec/bmpenc.c index 9cd7adb390..ca2951ab37 100644 --- a/libavcodec/bmpenc.c +++ b/libavcodec/bmpenc.c @@ -27,6 +27,7 @@ static const uint32_t monoblack_pal[] = { 0x000000, 0xFFFFFF }; static const uint32_t rgb565_masks[] = { 0xF800, 0x07E0, 0x001F }; +static const uint32_t rgb444_masks[] = { 0x0F00, 0x00F0, 0x000F }; static av_cold int bmp_encode_init(AVCodecContext *avctx){ BMPContext *s = avctx->priv_data; @@ -39,9 +40,8 @@ static av_cold int bmp_encode_init(AVCodecContext *avctx){ avctx->bits_per_coded_sample = 24; break; case PIX_FMT_RGB555: - avctx->bits_per_coded_sample = 16; - break; case PIX_FMT_RGB565: + case PIX_FMT_RGB444: avctx->bits_per_coded_sample = 16; break; case PIX_FMT_RGB8: @@ -77,6 +77,11 @@ static int bmp_encode_frame(AVCodecContext *avctx, unsigned char *buf, int buf_s p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; switch (avctx->pix_fmt) { + case PIX_FMT_RGB444: + compression = BMP_BITFIELDS; + pal = rgb444_masks; // abuse pal to hold color masks + pal_entries = 3; + break; case PIX_FMT_RGB565: compression = BMP_BITFIELDS; pal = rgb565_masks; // abuse pal to hold color masks @@ -158,7 +163,7 @@ AVCodec ff_bmp_encoder = { .encode = bmp_encode_frame, .pix_fmts = (const enum PixelFormat[]){ PIX_FMT_BGR24, - PIX_FMT_RGB555, PIX_FMT_RGB565, + PIX_FMT_RGB555, PIX_FMT_RGB444, PIX_FMT_RGB565, PIX_FMT_RGB8, PIX_FMT_BGR8, PIX_FMT_RGB4_BYTE, PIX_FMT_BGR4_BYTE, PIX_FMT_GRAY8, PIX_FMT_PAL8, PIX_FMT_MONOBLACK, PIX_FMT_NONE}, -- cgit v1.2.3 From 29112db8c0f65886e69cbbd6f4e5c44d2d14d238 Mon Sep 17 00:00:00 2001 From: Aneesh Dogra Date: Tue, 10 Jan 2012 23:38:03 +0530 Subject: bethsoftvideo: Use bytestream2 functions to prevent buffer overreads. Signed-off-by: Ronald S. Bultje --- libavcodec/bethsoftvideo.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c index f4020d6ee5..fa0457cc66 100644 --- a/libavcodec/bethsoftvideo.c +++ b/libavcodec/bethsoftvideo.c @@ -34,6 +34,7 @@ typedef struct BethsoftvidContext { AVFrame frame; + GetByteContext g; } BethsoftvidContext; static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx) @@ -46,18 +47,18 @@ static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx) return 0; } -static int set_palette(AVFrame * frame, const uint8_t * palette_buffer, int buf_size) +static int set_palette(BethsoftvidContext *ctx) { - uint32_t * palette = (uint32_t *)frame->data[1]; + uint32_t *palette = (uint32_t *)ctx->frame.data[1]; int a; - if (buf_size < 256*3) + if (bytestream2_get_bytes_left(&ctx->g) < 256*3) return AVERROR_INVALIDDATA; for(a = 0; a < 256; a++){ - palette[a] = AV_RB24(&palette_buffer[a * 3]) * 4; + palette[a] = bytestream2_get_be24u(&ctx->g) * 4; } - frame->palette_has_changed = 1; + ctx->frame.palette_has_changed = 1; return 256*3; } @@ -65,8 +66,6 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; BethsoftvidContext * vid = avctx->priv_data; char block_type; uint8_t * dst; @@ -80,29 +79,32 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } + + bytestream2_init(&vid->g, avpkt->data, avpkt->size); dst = vid->frame.data[0]; frame_end = vid->frame.data[0] + vid->frame.linesize[0] * avctx->height; - switch(block_type = *buf++){ - case PALETTE_BLOCK: - return set_palette(&vid->frame, buf, buf_size); + switch(block_type = bytestream2_get_byte(&vid->g)){ + case PALETTE_BLOCK: { + return set_palette(vid); + } case VIDEO_YOFF_P_FRAME: - yoffset = bytestream_get_le16(&buf); + yoffset = bytestream2_get_le16(&vid->g); if(yoffset >= avctx->height) return -1; dst += vid->frame.linesize[0] * yoffset; } // main code - while((code = *buf++)){ + while((code = bytestream2_get_byte(&vid->g))){ int length = code & 0x7f; // copy any bytes starting at the current position, and ending at the frame width while(length > remaining){ if(code < 0x80) - bytestream_get_buffer(&buf, dst, remaining); + bytestream2_get_buffer(&vid->g, dst, remaining); else if(block_type == VIDEO_I_FRAME) - memset(dst, buf[0], remaining); + memset(dst, bytestream2_peek_byte(&vid->g), remaining); length -= remaining; // decrement the number of bytes to be copied dst += remaining + wrap_to_next_line; // skip over extra bytes at end of frame remaining = avctx->width; @@ -112,9 +114,9 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, // copy any remaining bytes after / if line overflows if(code < 0x80) - bytestream_get_buffer(&buf, dst, length); + bytestream2_get_buffer(&vid->g, dst, length); else if(block_type == VIDEO_I_FRAME) - memset(dst, *buf++, length); + memset(dst, bytestream2_get_byte(&vid->g), length); remaining -= length; dst += length; } @@ -123,7 +125,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, *data_size = sizeof(AVFrame); *(AVFrame*)data = vid->frame; - return buf_size; + return avpkt->size; } static av_cold int bethsoftvid_decode_end(AVCodecContext *avctx) -- cgit v1.2.3 From 17ce52912f59a74ecc265e062578fb1181456e18 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 10 Jan 2012 13:07:09 -0800 Subject: aacsbr: prevent out of bounds memcpy(). Fixes Libav Bug 195. This doesn't make the code handle sample rate or upsample/downsample change properly but this is still a good sanity check. Based on change by Michael Niedermayer. Signed-off-by: Alex Converse --- libavcodec/aacsbr.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 81b0b4c001..0bfcabb06b 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1181,14 +1181,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, { int i, n; const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; + const int step = 128 >> div; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < step) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); - *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); + *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step; } else { - *v_off -= 128 >> div; + *v_off -= step; } v = v0 + *v_off; if (div) { -- cgit v1.2.3 From 3ab770001817e0f52114a9876819f07fcd8ed93a Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Tue, 10 Jan 2012 15:08:20 +0100 Subject: mpegvideo: claim ownership of referenced pictures Under certain conditions pictures could be released before they were returned with frame-threading. Broken mv computation in the upcoming rv34 frame-threading patch was caused by this. To prevent contexts from running out of available pictures the loop releasing "unused" pictures has to be run for B frames too. --- libavcodec/mpegvideo.c | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index e4c45886dc..f711d36aec 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1170,25 +1170,26 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) s->codec_id == CODEC_ID_SVQ3); /* mark & release old frames */ - if (s->pict_type != AV_PICTURE_TYPE_B && s->last_picture_ptr && - s->last_picture_ptr != s->next_picture_ptr && - s->last_picture_ptr->f.data[0]) { - if (s->out_format != FMT_H264 || s->codec_id == CODEC_ID_SVQ3) { + if (s->out_format != FMT_H264 || s->codec_id == CODEC_ID_SVQ3) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->last_picture_ptr && + s->last_picture_ptr != s->next_picture_ptr && + s->last_picture_ptr->f.data[0]) { if (s->last_picture_ptr->owner2 == s) free_frame_buffer(s, s->last_picture_ptr); + } - /* release forgotten pictures */ - /* if (mpeg124/h263) */ - if (!s->encoding) { - for (i = 0; i < s->picture_count; i++) { - if (s->picture[i].owner2 == s && s->picture[i].f.data[0] && - &s->picture[i] != s->next_picture_ptr && - s->picture[i].f.reference) { - if (!(avctx->active_thread_type & FF_THREAD_FRAME)) - av_log(avctx, AV_LOG_ERROR, - "releasing zombie picture\n"); - free_frame_buffer(s, &s->picture[i]); - } + /* release forgotten pictures */ + /* if (mpeg124/h263) */ + if (!s->encoding) { + for (i = 0; i < s->picture_count; i++) { + if (s->picture[i].owner2 == s && s->picture[i].f.data[0] && + &s->picture[i] != s->last_picture_ptr && + &s->picture[i] != s->next_picture_ptr && + s->picture[i].f.reference) { + if (!(avctx->active_thread_type & FF_THREAD_FRAME)) + av_log(avctx, AV_LOG_ERROR, + "releasing zombie picture\n"); + free_frame_buffer(s, &s->picture[i]); } } } @@ -1295,6 +1296,14 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) if (s->next_picture_ptr) ff_copy_picture(&s->next_picture, s->next_picture_ptr); + if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_FRAME) && + (s->out_format != FMT_H264 || s->codec_id == CODEC_ID_SVQ3)) { + if (s->next_picture_ptr) + s->next_picture_ptr->owner2 = s; + if (s->last_picture_ptr) + s->last_picture_ptr->owner2 = s; + } + assert(s->pict_type == AV_PICTURE_TYPE_I || (s->last_picture_ptr && s->last_picture_ptr->f.data[0])); -- cgit v1.2.3 From 9472d37d8e137df1e78e973b8b0e0d5607a799d5 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 9 Sep 2011 14:26:32 +0200 Subject: rv34: frame-level multi-threading Statistics for bourne.rmvb -an -f null 1 thread: 37.12s user 0.03s system 99% cpu 37.174 total 2 threads: 47.63s user 0.24s system 185% cpu 25.807 total 4 threads: 41.21s user 0.30s system 327% cpu 12.674 total --- libavcodec/rv30.c | 4 ++- libavcodec/rv34.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ libavcodec/rv34.h | 2 ++ libavcodec/rv40.c | 4 ++- 4 files changed, 98 insertions(+), 2 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 26708db4fa..4828e982b7 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -275,8 +275,10 @@ AVCodec ff_rv30_decoder = { .init = rv30_decode_init, .close = ff_rv34_decode_end, .decode = ff_rv34_decode_frame, - .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DELAY, + .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DELAY | CODEC_CAP_FRAME_THREADS, .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("RealVideo 3.0"), .pix_fmts = ff_pixfmt_list_420, + .init_thread_copy = ONLY_IF_THREADS_ENABLED(ff_rv34_decode_init_thread_copy), + .update_thread_context = ONLY_IF_THREADS_ENABLED(ff_rv34_decode_update_thread_context), }; diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index f9f8677385..ec826fd074 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -24,12 +24,16 @@ * RV30/40 decoder common data */ +#include "libavutil/internal.h" + #include "avcodec.h" #include "dsputil.h" #include "mpegvideo.h" #include "golomb.h" +#include "internal.h" #include "mathops.h" #include "rectangle.h" +#include "thread.h" #include "rv34vlc.h" #include "rv34data.h" @@ -669,6 +673,14 @@ static inline void rv34_mc(RV34DecContext *r, const int block_type, if(uvmx == 6 && uvmy == 6) uvmx = uvmy = 4; } + + if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + /* wait for the referenced mb row to be finished */ + int mb_row = FFMIN(s->mb_height - 1, s->mb_y + ((yoff + my + 21) >> 4)); + AVFrame *f = dir ? &s->next_picture_ptr->f : &s->last_picture_ptr->f; + ff_thread_await_progress(f, mb_row, 0); + } + dxy = ly*4 + lx; srcY = dir ? s->next_picture_ptr->f.data[0] : s->last_picture_ptr->f.data[0]; srcU = dir ? s->next_picture_ptr->f.data[1] : s->last_picture_ptr->f.data[1]; @@ -824,6 +836,10 @@ static int rv34_decode_mv(RV34DecContext *r, int block_type) } case RV34_MB_B_DIRECT: //surprisingly, it uses motion scheme from next reference frame + /* wait for the current mb row to be finished */ + if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) + ff_thread_await_progress(&s->next_picture_ptr->f, s->mb_y - 1, 0); + next_bt = s->next_picture_ptr->f.mb_type[s->mb_x + s->mb_y * s->mb_stride]; if(IS_INTRA(next_bt) || IS_SKIP(next_bt)){ ZERO8x2(s->current_picture_ptr->f.motion_val[0][s->mb_x * 2 + s->mb_y * 2 * s->b8_stride], s->b8_stride); @@ -1255,6 +1271,7 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int } } s->mb_x = s->mb_y = 0; + ff_thread_finish_setup(s->avctx); } else { int slice_type = r->si.type ? r->si.type : AV_PICTURE_TYPE_I; @@ -1299,6 +1316,11 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int if(r->loop_filter && s->mb_y >= 2) r->loop_filter(r, s->mb_y - 2); + + if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) + ff_thread_report_progress(&s->current_picture_ptr->f, + s->mb_y - 2, 0); + } if(s->mb_x == s->resync_mb_x) s->first_slice_line=0; @@ -1364,6 +1386,71 @@ av_cold int ff_rv34_decode_init(AVCodecContext *avctx) return 0; } +int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) +{ + RV34DecContext *r = avctx->priv_data; + + r->s.avctx = avctx; + + if (avctx->internal->is_copy) { + r->cbp_chroma = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->cbp_chroma)); + r->cbp_luma = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->cbp_luma)); + r->deblock_coefs = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->deblock_coefs)); + r->intra_types_hist = av_malloc(r->intra_types_stride * 4 * 2 * + sizeof(*r->intra_types_hist)); + r->mb_type = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->mb_type)); + + if (!(r->cbp_chroma && r->cbp_luma && r->deblock_coefs && + r->intra_types_hist && r->mb_type)) { + av_freep(&r->cbp_chroma); + av_freep(&r->cbp_luma); + av_freep(&r->deblock_coefs); + av_freep(&r->intra_types_hist); + av_freep(&r->mb_type); + r->intra_types = NULL; + return AVERROR(ENOMEM); + } + + r->intra_types = r->intra_types_hist + r->intra_types_stride * 4; + r->tmp_b_block_base = NULL; + + memset(r->mb_type, 0, r->s.mb_stride * r->s.mb_height * + sizeof(*r->mb_type)); + + MPV_common_init(&r->s); + } + return 0; +} + +int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecContext *src) +{ + RV34DecContext *r = dst->priv_data, *r1 = src->priv_data; + MpegEncContext * const s = &r->s, * const s1 = &r1->s; + int err; + + if (dst == src || !s1->context_initialized) + return 0; + + if ((err = ff_mpeg_update_thread_context(dst, src))) + return err; + + r->cur_pts = r1->cur_pts; + r->last_pts = r1->last_pts; + r->next_pts = r1->next_pts; + + memset(&r->si, 0, sizeof(r->si)); + + /* necessary since it is it the condition checked for in decode_slice + * to call MPV_frame_start. cmp. comment at the end of decode_frame */ + s->current_picture_ptr = NULL; + + return 0; +} + static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) { if(avctx->slice_count) return avctx->slice_offset[n]; @@ -1465,6 +1552,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); + if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) + ff_thread_report_progress(&s->current_picture_ptr->f, + s->mb_height - 1, 0); ff_er_frame_end(s); MPV_frame_end(s); if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { diff --git a/libavcodec/rv34.h b/libavcodec/rv34.h index 3f3b879306..d86b009705 100644 --- a/libavcodec/rv34.h +++ b/libavcodec/rv34.h @@ -133,5 +133,7 @@ int ff_rv34_get_start_offset(GetBitContext *gb, int blocks); int ff_rv34_decode_init(AVCodecContext *avctx); int ff_rv34_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt); int ff_rv34_decode_end(AVCodecContext *avctx); +int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx); +int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecContext *src); #endif /* AVCODEC_RV34_H */ diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index bde63e19a5..c55a07a7d0 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -563,8 +563,10 @@ AVCodec ff_rv40_decoder = { .init = rv40_decode_init, .close = ff_rv34_decode_end, .decode = ff_rv34_decode_frame, - .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DELAY, + .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DELAY | CODEC_CAP_FRAME_THREADS, .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("RealVideo 4.0"), .pix_fmts = ff_pixfmt_list_420, + .init_thread_copy = ONLY_IF_THREADS_ENABLED(ff_rv34_decode_init_thread_copy), + .update_thread_context = ONLY_IF_THREADS_ENABLED(ff_rv34_decode_update_thread_context), }; -- cgit v1.2.3