From 7f596368a404363d72b1be6d16c51420a71bc523 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jun 2015 02:09:31 +0200 Subject: [PATCH] bink: Factorize bink put_pixel And make sure to check INTER_BLOCK as had been fixed by Michael Niedermayer. Reported-By: Andreas Cadhalpun CC: libav-stable@libav.org --- libavcodec/bink.c | 55 ++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 24 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index e34585b8a5..58a5ac6c89 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -944,15 +944,32 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, return 0; } +static int bink_put_pixels(BinkContext *c, + uint8_t *dst, uint8_t *prev, int stride, + uint8_t *ref_start, + uint8_t *ref_end) +{ + int xoff = get_value(c, BINK_SRC_X_OFF); + int yoff = get_value(c, BINK_SRC_Y_OFF); + uint8_t *ref = prev + xoff + yoff * stride; + if (ref < ref_start || ref > ref_end) { + av_log(c->avctx, AV_LOG_ERROR, "Copy out of bounds @%d, %d\n", + xoff, yoff); + return AVERROR_INVALIDDATA; + } + c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); + + return 0; +} + static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, int plane_idx, int is_chroma) { int blk, ret; int i, j, bx, by; - uint8_t *dst, *prev, *ref, *ref_start, *ref_end; + uint8_t *dst, *prev, *ref_start, *ref_end; int v, col[2]; const uint8_t *scan; - int xoff, yoff; LOCAL_ALIGNED_16(int16_t, block, [64]); LOCAL_ALIGNED_16(uint8_t, ublock, [64]); LOCAL_ALIGNED_16(int32_t, dctblock, [64]); @@ -1074,15 +1091,10 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, prev += 8; break; case MOTION_BLOCK: - xoff = get_value(c, BINK_SRC_X_OFF); - yoff = get_value(c, BINK_SRC_Y_OFF); - ref = prev + xoff + yoff * stride; - if (ref < ref_start || ref > ref_end) { - av_log(c->avctx, AV_LOG_ERROR, "Copy out of bounds @%d, %d\n", - bx*8 + xoff, by*8 + yoff); - return AVERROR_INVALIDDATA; - } - c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); + ret = bink_put_pixels(c, dst, prev, stride, + ref_start, ref_end); + if (ret < 0) + return ret; break; case RUN_BLOCK: scan = bink_patterns[get_bits(gb, 4)]; @@ -1108,15 +1120,10 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, dst[coordmap[*scan++]] = get_value(c, BINK_SRC_COLORS); break; case RESIDUE_BLOCK: - xoff = get_value(c, BINK_SRC_X_OFF); - yoff = get_value(c, BINK_SRC_Y_OFF); - ref = prev + xoff + yoff * stride; - if (ref < ref_start || ref > ref_end) { - av_log(c->avctx, AV_LOG_ERROR, "Copy out of bounds @%d, %d\n", - bx*8 + xoff, by*8 + yoff); - return AVERROR_INVALIDDATA; - } - c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); + ret = bink_put_pixels(c, dst, prev, stride, + ref_start, ref_end); + if (ret < 0) + return ret; c->bdsp.clear_block(block); v = get_bits(gb, 7); read_residue(gb, block, v); @@ -1133,10 +1140,10 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, c->bdsp.fill_block_tab[1](dst, v, stride, 8); break; case INTER_BLOCK: - xoff = get_value(c, BINK_SRC_X_OFF); - yoff = get_value(c, BINK_SRC_Y_OFF); - ref = prev + xoff + yoff * stride; - c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); + ret = bink_put_pixels(c, dst, prev, stride, + ref_start, ref_end); + if (ret < 0) + return ret; memset(dctblock, 0, sizeof(*dctblock) * 64); dctblock[0] = get_value(c, BINK_SRC_INTER_DC); read_dct_coeffs(gb, dctblock, bink_scan, bink_inter_quant, -1);