mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-13 21:28:01 +02:00
xan: Use bytestream2 to limit reading to within the buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
parent
9fb0de86b4
commit
30db94dc39
@ -287,8 +287,8 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
|
|||||||
|
|
||||||
/* pointers to segments inside the compressed chunk */
|
/* pointers to segments inside the compressed chunk */
|
||||||
const unsigned char *huffman_segment;
|
const unsigned char *huffman_segment;
|
||||||
const unsigned char *size_segment;
|
GetByteContext size_segment;
|
||||||
const unsigned char *vector_segment;
|
GetByteContext vector_segment;
|
||||||
const unsigned char *imagedata_segment;
|
const unsigned char *imagedata_segment;
|
||||||
int huffman_offset, size_offset, vector_offset, imagedata_offset,
|
int huffman_offset, size_offset, vector_offset, imagedata_offset,
|
||||||
imagedata_size;
|
imagedata_size;
|
||||||
@ -308,8 +308,8 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
|
|||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
|
|
||||||
huffman_segment = s->buf + huffman_offset;
|
huffman_segment = s->buf + huffman_offset;
|
||||||
size_segment = s->buf + size_offset;
|
bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset);
|
||||||
vector_segment = s->buf + vector_offset;
|
bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
|
||||||
imagedata_segment = s->buf + imagedata_offset;
|
imagedata_segment = s->buf + imagedata_offset;
|
||||||
|
|
||||||
if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
|
if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
|
||||||
@ -361,19 +361,17 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
|
|||||||
|
|
||||||
case 9:
|
case 9:
|
||||||
case 19:
|
case 19:
|
||||||
size = *size_segment++;
|
size = bytestream2_get_byte(&size_segment);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 10:
|
case 10:
|
||||||
case 20:
|
case 20:
|
||||||
size = AV_RB16(&size_segment[0]);
|
size = bytestream2_get_be16(&size_segment);
|
||||||
size_segment += 2;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 11:
|
case 11:
|
||||||
case 21:
|
case 21:
|
||||||
size = AV_RB24(size_segment);
|
size = bytestream2_get_be24(&size_segment);
|
||||||
size_segment += 3;
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -395,9 +393,9 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* run-based motion compensation from last frame */
|
/* run-based motion compensation from last frame */
|
||||||
motion_x = sign_extend(*vector_segment >> 4, 4);
|
uint8_t vector = bytestream2_get_byte(&vector_segment);
|
||||||
motion_y = sign_extend(*vector_segment & 0xF, 4);
|
motion_x = sign_extend(vector >> 4, 4);
|
||||||
vector_segment++;
|
motion_y = sign_extend(vector & 0xF, 4);
|
||||||
|
|
||||||
/* copy a run of pixels from the previous frame */
|
/* copy a run of pixels from the previous frame */
|
||||||
xan_wc3_copy_pixel_run(s, frame, x, y, size, motion_x, motion_y);
|
xan_wc3_copy_pixel_run(s, frame, x, y, size, motion_x, motion_y);
|
||||||
|
Loading…
Reference in New Issue
Block a user