diff options
Diffstat (limited to 'libavcodec/smacker.c')
| -rw-r--r-- | libavcodec/smacker.c | 273 |
1 files changed, 159 insertions, 114 deletions
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 7deccffa54..2077dde4a1 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -2,20 +2,20 @@ * Smacker decoder * Copyright (c) 2006 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -35,14 +35,14 @@ #define BITSTREAM_READER_LE #include "avcodec.h" -#include "bitstream.h" #include "bytestream.h" +#include "get_bits.h" #include "internal.h" #include "mathops.h" -#include "vlc.h" #define SMKTREE_BITS 9 #define SMK_NODE 0x80000000 + #define SMKTREE_DECODE_MAX_RECURSION 32 typedef struct SmackVContext { @@ -94,16 +94,15 @@ enum SmkBlockTypes { /** * Decode local frame tree */ -static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc, - uint32_t prefix, int length) +static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length) { - if (length > SMKTREE_DECODE_MAX_RECURSION) { + if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) { av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n"); return AVERROR_INVALIDDATA; } - if (!bitstream_read_bit(bc)) { // Leaf - if(hc->current >= 256){ + if(!get_bits1(gb)){ //Leaf + if(hc->current >= hc->length){ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; } @@ -114,7 +113,7 @@ static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc, hc->bits[hc->current] = 0; hc->lengths[hc->current] = 0; } - hc->values[hc->current] = bitstream_read(bc, 8); + hc->values[hc->current] = get_bits(gb, 8); hc->current++; if(hc->maxlength < length) hc->maxlength = length; @@ -122,27 +121,30 @@ static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc, } else { //Node int r; length++; - r = smacker_decode_tree(bc, hc, prefix, length); + r = smacker_decode_tree(gb, hc, prefix, length); if(r) return r; - return smacker_decode_tree(bc, hc, prefix | (1 << (length - 1)), length); + return smacker_decode_tree(gb, hc, prefix | (1 << (length - 1)), length); } } /** * Decode header tree */ -static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc, - DBCtx *ctx) +static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length) { + if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion. + av_log(NULL, AV_LOG_ERROR, "length too long\n"); + return AVERROR_INVALIDDATA; + } if (hc->current + 1 >= hc->length) { av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; } - if (!bitstream_read_bit(bc)) { // Leaf + if(!get_bits1(gb)){ //Leaf int val, i1, i2; - i1 = ctx->v1->table ? bitstream_read_vlc(bc, ctx->v1->table, SMKTREE_BITS, 3) : 0; - i2 = ctx->v2->table ? bitstream_read_vlc(bc, ctx->v2->table, SMKTREE_BITS, 3) : 0; + i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; + i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; if (i1 < 0 || i2 < 0) return AVERROR_INVALIDDATA; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); @@ -163,12 +165,12 @@ static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc, int r = 0, r_new, t; t = hc->current++; - r = smacker_decode_bigtree(bc, hc, ctx); + r = smacker_decode_bigtree(gb, hc, ctx, length + 1); if(r < 0) return r; hc->values[t] = SMK_NODE | r; r++; - r_new = smacker_decode_bigtree(bc, hc, ctx); + r_new = smacker_decode_bigtree(gb, hc, ctx, length + 1); if (r_new < 0) return r_new; return r + r_new; @@ -176,10 +178,9 @@ static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc, } /** - * Store large tree as Libav's vlc codes + * Store large tree as FFmpeg's vlc codes */ -static int smacker_decode_header_tree(SmackVContext *smk, BitstreamContext *bc, - int **recodes, int *last, int size) +static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int **recodes, int *last, int size) { int res; HuffContext huff; @@ -213,41 +214,52 @@ static int smacker_decode_header_tree(SmackVContext *smk, BitstreamContext *bc, goto error; } - if (bitstream_read_bit(bc)) { - smacker_decode_tree(bc, &tmp1, 0, 0); - bitstream_skip(bc, 1); - res = init_vlc(&vlc[0], SMKTREE_BITS, tmp1.length, - tmp1.lengths, sizeof(int), sizeof(int), - tmp1.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); - if(res < 0) { - av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); + if(get_bits1(gb)) { + res = smacker_decode_tree(gb, &tmp1, 0, 0); + if (res < 0) { err = res; goto error; } - } else { + skip_bits1(gb); + if(tmp1.current > 1) { + res = init_vlc(&vlc[0], SMKTREE_BITS, tmp1.length, + tmp1.lengths, sizeof(int), sizeof(int), + tmp1.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); + if(res < 0) { + av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); + err = res; + goto error; + } + } + } + if (!vlc[0].table) { av_log(smk->avctx, AV_LOG_ERROR, "Skipping low bytes tree\n"); } - if (bitstream_read_bit(bc)) { - smacker_decode_tree(bc, &tmp2, 0, 0); - bitstream_skip(bc, 1); - res = init_vlc(&vlc[1], SMKTREE_BITS, tmp2.length, - tmp2.lengths, sizeof(int), sizeof(int), - tmp2.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); - if(res < 0) { - av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); + if(get_bits1(gb)){ + res = smacker_decode_tree(gb, &tmp2, 0, 0); + if (res < 0) { err = res; goto error; } - } else { + skip_bits1(gb); + if(tmp2.current > 1) { + res = init_vlc(&vlc[1], SMKTREE_BITS, tmp2.length, + tmp2.lengths, sizeof(int), sizeof(int), + tmp2.bits, sizeof(uint32_t), sizeof(uint32_t), INIT_VLC_LE); + if(res < 0) { + av_log(smk->avctx, AV_LOG_ERROR, "Cannot build VLC table\n"); + err = res; + goto error; + } + } + } + if (!vlc[1].table) { av_log(smk->avctx, AV_LOG_ERROR, "Skipping high bytes tree\n"); } - escapes[0] = bitstream_read(bc, 8); - escapes[0] |= bitstream_read(bc, 8) << 8; - escapes[1] = bitstream_read(bc, 8); - escapes[1] |= bitstream_read(bc, 8) << 8; - escapes[2] = bitstream_read(bc, 8); - escapes[2] |= bitstream_read(bc, 8) << 8; + escapes[0] = get_bits(gb, 16); + escapes[1] = get_bits(gb, 16); + escapes[2] = get_bits(gb, 16); last[0] = last[1] = last[2] = -1; @@ -263,15 +275,16 @@ static int smacker_decode_header_tree(SmackVContext *smk, BitstreamContext *bc, huff.length = ((size + 3) >> 2) + 4; huff.maxlength = 0; huff.current = 0; - huff.values = av_mallocz(huff.length * sizeof(int)); + huff.values = av_mallocz_array(huff.length, sizeof(int)); if (!huff.values) { err = AVERROR(ENOMEM); goto error; } - if ((res = smacker_decode_bigtree(bc, &huff, &ctx)) < 0) + res = smacker_decode_bigtree(gb, &huff, &ctx, 0); + if (res < 0) err = res; - bitstream_skip(bc, 1); + skip_bits1(gb); if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; @@ -300,7 +313,7 @@ error: } static int decode_header_trees(SmackVContext *smk) { - BitstreamContext bc; + GetBitContext gb; int mmap_size, mclr_size, full_size, type_size, ret; mmap_size = AV_RL32(smk->avctx->extradata); @@ -308,9 +321,11 @@ static int decode_header_trees(SmackVContext *smk) { full_size = AV_RL32(smk->avctx->extradata + 8); type_size = AV_RL32(smk->avctx->extradata + 12); - bitstream_init8(&bc, smk->avctx->extradata + 16, smk->avctx->extradata_size - 16); + ret = init_get_bits8(&gb, smk->avctx->extradata + 16, smk->avctx->extradata_size - 16); + if (ret < 0) + return ret; - if (!bitstream_read_bit(&bc)) { + if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MMAP tree\n"); smk->mmap_tbl = av_malloc(sizeof(int) * 2); if (!smk->mmap_tbl) @@ -318,10 +333,11 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_tbl[0] = 0; smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { - if ((ret = smacker_decode_header_tree(smk, &bc, &smk->mmap_tbl, smk->mmap_last, mmap_size)) < 0) + ret = smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); + if (ret < 0) return ret; } - if (!bitstream_read_bit(&bc)) { + if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); smk->mclr_tbl = av_malloc(sizeof(int) * 2); if (!smk->mclr_tbl) @@ -329,10 +345,11 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_tbl[0] = 0; smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { - if ((ret = smacker_decode_header_tree(smk, &bc, &smk->mclr_tbl, smk->mclr_last, mclr_size)) < 0) + ret = smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size); + if (ret < 0) return ret; } - if (!bitstream_read_bit(&bc)) { + if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); smk->full_tbl = av_malloc(sizeof(int) * 2); if (!smk->full_tbl) @@ -340,10 +357,11 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_tbl[0] = 0; smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { - if ((ret = smacker_decode_header_tree(smk, &bc, &smk->full_tbl, smk->full_last, full_size)) < 0) + ret = smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size); + if (ret < 0) return ret; } - if (!bitstream_read_bit(&bc)) { + if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); smk->type_tbl = av_malloc(sizeof(int) * 2); if (!smk->type_tbl) @@ -351,7 +369,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_tbl[0] = 0; smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { - if ((ret = smacker_decode_header_tree(smk, &bc, &smk->type_tbl, smk->type_last, type_size)) < 0) + ret = smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size); + if (ret < 0) return ret; } @@ -363,14 +382,12 @@ static av_always_inline void last_reset(int *recode, int *last) { } /* get code and update history */ -static av_always_inline int smk_get_code(BitstreamContext *bc, int *recode, - int *last) -{ +static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *last) { register int *table = recode; int v; while(*table & SMK_NODE) { - if (bitstream_read_bit(bc)) + if(get_bits1(gb)) table += (*table) & (~SMK_NODE); table++; } @@ -391,19 +408,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *out; uint32_t *pal; GetByteContext gb2; - BitstreamContext bc; + GetBitContext gb; int blocks, blk, bw, bh; int i, ret; int stride; int flags; if (avpkt->size <= 769) - return 0; + return AVERROR_INVALIDDATA; - if ((ret = ff_reget_buffer(avctx, smk->pic)) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + if ((ret = ff_reget_buffer(avctx, smk->pic)) < 0) return ret; - } /* make the palette available on the way out */ pal = (uint32_t*)smk->pic->data[1]; @@ -411,39 +426,39 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, flags = bytestream2_get_byteu(&gb2); smk->pic->palette_has_changed = flags & 1; smk->pic->key_frame = !!(flags & 2); - if(smk->pic->key_frame) + if (smk->pic->key_frame) smk->pic->pict_type = AV_PICTURE_TYPE_I; else smk->pic->pict_type = AV_PICTURE_TYPE_P; for(i = 0; i < 256; i++) - *pal++ = bytestream2_get_be24u(&gb2); + *pal++ = 0xFFU << 24 | bytestream2_get_be24u(&gb2); last_reset(smk->mmap_tbl, smk->mmap_last); last_reset(smk->mclr_tbl, smk->mclr_last); last_reset(smk->full_tbl, smk->full_last); last_reset(smk->type_tbl, smk->type_last); - bitstream_init8(&bc, avpkt->data + 769, avpkt->size - 769); + if ((ret = init_get_bits8(&gb, avpkt->data + 769, avpkt->size - 769)) < 0) + return ret; blk = 0; bw = avctx->width >> 2; bh = avctx->height >> 2; blocks = bw * bh; - out = smk->pic->data[0]; stride = smk->pic->linesize[0]; while(blk < blocks) { int type, run, mode; uint16_t pix; - type = smk_get_code(&bc, smk->type_tbl, smk->type_last); + type = smk_get_code(&gb, smk->type_tbl, smk->type_last); run = block_runs[(type >> 2) & 0x3F]; switch(type & 3){ case SMK_BLK_MONO: while(run-- && blk < blocks){ int clr, map; int hi, lo; - clr = smk_get_code(&bc, smk->mclr_tbl, smk->mclr_last); - map = smk_get_code(&bc, smk->mmap_tbl, smk->mmap_last); + clr = smk_get_code(&gb, smk->mclr_tbl, smk->mclr_last); + map = smk_get_code(&gb, smk->mmap_tbl, smk->mmap_last); out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; hi = clr >> 8; lo = clr & 0xFF; @@ -461,44 +476,41 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes - if (bitstream_read_bit(&bc)) - mode = 1; - else if (bitstream_read_bit(&bc)) - mode = 2; + if(get_bits1(&gb)) mode = 1; + else if(get_bits1(&gb)) mode = 2; } while(run-- && blk < blocks){ out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; switch(mode){ case 0: for(i = 0; i < 4; i++) { - pix = smk_get_code(&bc, smk->full_tbl, smk->full_last); + pix = smk_get_code(&gb, smk->full_tbl, smk->full_last); AV_WL16(out+2,pix); - pix = smk_get_code(&bc, smk->full_tbl, smk->full_last); + pix = smk_get_code(&gb, smk->full_tbl, smk->full_last); AV_WL16(out,pix); out += stride; } break; case 1: - pix = smk_get_code(&bc, smk->full_tbl, smk->full_last); + pix = smk_get_code(&gb, smk->full_tbl, smk->full_last); out[0] = out[1] = pix & 0xFF; out[2] = out[3] = pix >> 8; out += stride; out[0] = out[1] = pix & 0xFF; out[2] = out[3] = pix >> 8; out += stride; - pix = smk_get_code(&bc, smk->full_tbl, smk->full_last); + pix = smk_get_code(&gb, smk->full_tbl, smk->full_last); out[0] = out[1] = pix & 0xFF; out[2] = out[3] = pix >> 8; out += stride; out[0] = out[1] = pix & 0xFF; out[2] = out[3] = pix >> 8; - out += stride; break; case 2: for(i = 0; i < 2; i++) { uint16_t pix1, pix2; - pix2 = smk_get_code(&bc, smk->full_tbl, smk->full_last); - pix1 = smk_get_code(&bc, smk->full_tbl, smk->full_last); + pix2 = smk_get_code(&gb, smk->full_tbl, smk->full_last); + pix1 = smk_get_code(&gb, smk->full_tbl, smk->full_last); AV_WL16(out,pix1); AV_WL16(out+2,pix2); out += stride; @@ -573,10 +585,12 @@ static av_cold int decode_init(AVCodecContext *avctx) /* decode huffman trees from extradata */ if(avctx->extradata_size < 16){ av_log(avctx, AV_LOG_ERROR, "Extradata missing!\n"); - return AVERROR_INVALIDDATA; + decode_end(avctx); + return AVERROR(EINVAL); } - if ((ret = decode_header_trees(c))) { + ret = decode_header_trees(c); + if (ret < 0) { decode_end(avctx); return ret; } @@ -585,7 +599,6 @@ static av_cold int decode_init(AVCodecContext *avctx) } - static av_cold int smka_decode_init(AVCodecContext *avctx) { if (avctx->channels < 1 || avctx->channels > 2) { @@ -607,7 +620,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, AVFrame *frame = data; const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; - BitstreamContext bc; + GetBitContext gb; HuffContext h[4] = { { 0 } }; VLC vlc[4] = { { 0 } }; int16_t *samples; @@ -625,35 +638,39 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, unp_size = AV_RL32(buf); - bitstream_init8(&bc, buf + 4, buf_size - 4); + if (unp_size > (1U<<24)) { + av_log(avctx, AV_LOG_ERROR, "packet is too big\n"); + return AVERROR_INVALIDDATA; + } - if (!bitstream_read_bit(&bc)) { + if ((ret = init_get_bits8(&gb, buf + 4, buf_size - 4)) < 0) + return ret; + + if(!get_bits1(&gb)){ av_log(avctx, AV_LOG_INFO, "Sound: no data\n"); *got_frame_ptr = 0; return 1; } - stereo = bitstream_read_bit(&bc); - bits = bitstream_read_bit(&bc); + stereo = get_bits1(&gb); + bits = get_bits1(&gb); if (stereo ^ (avctx->channels != 1)) { av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); return AVERROR_INVALIDDATA; } - if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) { + if (bits == (avctx->sample_fmt == AV_SAMPLE_FMT_U8)) { av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); return AVERROR_INVALIDDATA; } + + /* get output buffer */ + frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); if (unp_size % (avctx->channels * (bits + 1))) { av_log(avctx, AV_LOG_ERROR, "The buffer does not contain an integer number of samples\n"); return AVERROR_INVALIDDATA; } - - /* get output buffer */ - frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - } samples = (int16_t *)frame->data[0]; samples8 = frame->data[0]; @@ -669,12 +686,12 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR(ENOMEM); goto error; } - bitstream_skip(&bc, 1); - if (smacker_decode_tree(&bc, &h[i], 0, 0) < 0) { + skip_bits1(&gb); + if (smacker_decode_tree(&gb, &h[i], 0, 0) < 0) { ret = AVERROR_INVALIDDATA; goto error; } - bitstream_skip(&bc, 1); + skip_bits1(&gb); if(h[i].current > 1) { res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, h[i].lengths, sizeof(int), sizeof(int), @@ -689,33 +706,51 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* this codec relies on wraparound instead of clipping audio */ if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) - pred[i] = sign_extend(av_bswap16(bitstream_read(&bc, 16)), 16); + pred[i] = sign_extend(av_bswap16(get_bits(&gb, 16)), 16); for(i = 0; i <= stereo; i++) *samples++ = pred[i]; for(; i < unp_size / 2; i++) { + if(get_bits_left(&gb)<0) + return AVERROR_INVALIDDATA; if(i & stereo) { if(vlc[2].table) - res = bitstream_read_vlc(&bc, vlc[2].table, SMKTREE_BITS, 3); + res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val = h[2].values[res]; if(vlc[3].table) - res = bitstream_read_vlc(&bc, vlc[3].table, SMKTREE_BITS, 3); + res = get_vlc2(&gb, vlc[3].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val |= h[3].values[res] << 8; pred[1] += sign_extend(val, 16); *samples++ = pred[1]; } else { if(vlc[0].table) - res = bitstream_read_vlc(&bc, vlc[0].table, SMKTREE_BITS, 3); + res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val = h[0].values[res]; if(vlc[1].table) - res = bitstream_read_vlc(&bc, vlc[1].table, SMKTREE_BITS, 3); + res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } val |= h[1].values[res] << 8; pred[0] += sign_extend(val, 16); *samples++ = pred[0]; @@ -723,22 +758,32 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, } } else { //8-bit data for(i = stereo; i >= 0; i--) - pred[i] = bitstream_read(&bc, 8); + pred[i] = get_bits(&gb, 8); for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; for(; i < unp_size; i++) { + if(get_bits_left(&gb)<0) + return AVERROR_INVALIDDATA; if(i & stereo){ if(vlc[1].table) - res = bitstream_read_vlc(&bc, vlc[1].table, SMKTREE_BITS, 3); + res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } pred[1] += sign_extend(h[1].values[res], 8); *samples8++ = pred[1]; } else { if(vlc[0].table) - res = bitstream_read_vlc(&bc, vlc[0].table, SMKTREE_BITS, 3); + res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); else res = 0; + if (res < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid vlc\n"); + return AVERROR_INVALIDDATA; + } pred[0] += sign_extend(h[0].values[res], 8); *samples8++ = pred[0]; } |