← Back to branch summary

~siretart/xine-lib/ubuntu

« back to all changes in this revision

Viewing changes to src/libffmpeg/libavcodec/svq1.c

  • Committer: Bazaar Package Importer
  • Author(s): Martin Pitt
  • Date: 2005-12-15 13:13:45 UTC
  • mfrom: (0.1.2 upstream)
  • Revision ID: james.westby@ubuntu.com-20051215131345-8n4osv1j7fy9c1s1
* SECURITY UPDATE: Fix arbitrary code execution with crafted PNG images in
  embedded ffmpeg copy.
* src/libffmpeg/libavcodec/utils.c, avcodec_default_get_buffer(): Apply
  upstream patch to fix buffer overflow on decoding of small PIX_FMT_PAL8
  PNG files.
* References:
  CVE-2005-4048
  http://mplayerhq.hu/pipermail/ffmpeg-devel/2005-November/005333.html
  http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/ffmpeg/libavcodec/
  utils.c.diff?r1=1.161&r2=1.162&cvsroot=FFMpeg

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/libffmpeg/libavcodec/svq1.c
600
600
  return value;
601
601
}
602
602
 
 
603
#if 0 /* unused, remove? */
603
604
static uint16_t svq1_component_checksum (uint16_t *pixels, int pitch,
604
605
                                         int width, int height, int value) {
605
606
  int x, y;
614
615
 
615
616
  return value;
616
617
}
 
618
#endif
617
619
 
618
620
static void svq1_parse_string (GetBitContext *bitbuf, uint8_t *out) {
619
621
  uint8_t seed;
713
715
  int           result, i, x, y, width, height;
714
716
  AVFrame *pict = data; 
715
717
 
716
 
  if(buf==NULL && buf_size==0){
717
 
      return 0;
718
 
  }
719
 
  
720
718
  /* initialize bit buffer */
721
719
  init_get_bits(&s->gb,buf,buf_size*8);
722
720
 
750
748
  if(s->pict_type==B_TYPE && s->last_picture_ptr==NULL) return buf_size;
751
749
  
752
750
  if(avctx->hurry_up && s->pict_type==B_TYPE) return buf_size;
 
751
  if(  (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type==B_TYPE)
 
752
     ||(avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type!=I_TYPE)
 
753
     || avctx->skip_frame >= AVDISCARD_ALL)
 
754
      return buf_size;                            
753
755
 
754
756
  if(MPV_frame_start(s, avctx) < 0)
755
757
      return -1;
844
846
 
845
847
    init_vlc(&svq1_block_type, 2, 4,
846
848
        &svq1_block_type_vlc[0][1], 2, 1,
847
 
        &svq1_block_type_vlc[0][0], 2, 1);
 
849
        &svq1_block_type_vlc[0][0], 2, 1, 1);
848
850
 
849
851
    init_vlc(&svq1_motion_component, 7, 33,
850
852
        &mvtab[0][1], 2, 1,
851
 
        &mvtab[0][0], 2, 1);
 
853
        &mvtab[0][0], 2, 1, 1);
852
854
 
853
855
    for (i = 0; i < 6; i++) {
854
856
        init_vlc(&svq1_intra_multistage[i], 3, 8,
855
857
            &svq1_intra_multistage_vlc[i][0][1], 2, 1,
856
 
            &svq1_intra_multistage_vlc[i][0][0], 2, 1);
 
858
            &svq1_intra_multistage_vlc[i][0][0], 2, 1, 1);
857
859
        init_vlc(&svq1_inter_multistage[i], 3, 8,
858
860
            &svq1_inter_multistage_vlc[i][0][1], 2, 1,
859
 
            &svq1_inter_multistage_vlc[i][0][0], 2, 1);
 
861
            &svq1_inter_multistage_vlc[i][0][0], 2, 1, 1);
860
862
    }
861
863
 
862
864
    init_vlc(&svq1_intra_mean, 8, 256,
863
865
        &svq1_intra_mean_vlc[0][1], 4, 2,
864
 
        &svq1_intra_mean_vlc[0][0], 4, 2);
 
866
        &svq1_intra_mean_vlc[0][0], 4, 2, 1);
865
867
 
866
868
    init_vlc(&svq1_inter_mean, 9, 512,
867
869
        &svq1_inter_mean_vlc[0][1], 4, 2,
868
 
        &svq1_inter_mean_vlc[0][0], 4, 2);
 
870
        &svq1_inter_mean_vlc[0][0], 4, 2, 1);
869
871
 
870
872
    return 0;
871
873
}
880
882
 
881
883
static void svq1_write_header(SVQ1Context *s, int frame_type)
882
884
{
 
885
    int i;
 
886
 
883
887
    /* frame code */
884
888
    put_bits(&s->pb, 22, 0x20);
885
889
 
898
902
        /* output 5 unknown bits (2 + 2 + 1) */
899
903
        put_bits(&s->pb, 5, 0);
900
904
 
901
 
        /* forget about matching up resolutions, just use the free-form
902
 
         * resolution code (7) for now */
903
 
        put_bits(&s->pb, 3, 7);
904
 
        put_bits(&s->pb, 12, s->frame_width);
905
 
        put_bits(&s->pb, 12, s->frame_height);
906
 
 
 
905
        for (i = 0; i < 7; i++)
 
906
        {
 
907
            if ((svq1_frame_size_table[i].width == s->frame_width) &&
 
908
                (svq1_frame_size_table[i].height == s->frame_height))
 
909
            {
 
910
                put_bits(&s->pb, 3, i);
 
911
                break;
 
912
            }
 
913
        }
 
914
        
 
915
        if (i == 7)
 
916
        {
 
917
            put_bits(&s->pb, 3, 7);
 
918
            put_bits(&s->pb, 12, s->frame_width);
 
919
            put_bits(&s->pb, 12, s->frame_height);
 
920
        }
907
921
    }
908
922
 
909
923
    /* no checksum or extra data (next 2 bits get 0) */
1069
1083
 
1070
1084
#ifdef CONFIG_ENCODERS
1071
1085
 
1072
 
static void svq1_encode_plane(SVQ1Context *s, int plane, unsigned char *src_plane, unsigned char *ref_plane, unsigned char *decoded_plane,
 
1086
static int svq1_encode_plane(SVQ1Context *s, int plane, unsigned char *src_plane, unsigned char *ref_plane, unsigned char *decoded_plane,
1073
1087
    int width, int height, int src_stride, int stride)
1074
1088
{
1075
1089
    int x, y;
1104
1118
        s->m.b8_stride= 2*s->m.mb_width+1;
1105
1119
        s->m.f_code=1;
1106
1120
        s->m.pict_type= s->picture.pict_type;
1107
 
        s->m.qscale= s->picture.quality/FF_QP2LAMBDA;
1108
1121
        s->m.me_method= s->avctx->me_method;
 
1122
        s->m.me.scene_change_score=0;
 
1123
        s->m.flags= s->avctx->flags;
 
1124
//        s->m.out_format = FMT_H263;
 
1125
//        s->m.unrestricted_mv= 1;
 
1126
        
 
1127
        s->m.lambda= s->picture.quality;
 
1128
        s->m.qscale= (s->m.lambda*139 + FF_LAMBDA_SCALE*64) >> (FF_LAMBDA_SHIFT + 7);
 
1129
        s->m.lambda2= (s->m.lambda*s->m.lambda + FF_LAMBDA_SCALE/2) >> FF_LAMBDA_SHIFT;
1109
1130
        
1110
1131
        if(!s->motion_val8[plane]){
1111
 
            s->motion_val8 [plane]= av_mallocz(s->m.b8_stride*block_height*2*2*sizeof(int16_t));
1112
 
            s->motion_val16[plane]= av_mallocz(s->m.mb_stride*block_height*2*sizeof(int16_t));
 
1132
            s->motion_val8 [plane]= av_mallocz((s->m.b8_stride*block_height*2 + 2)*2*sizeof(int16_t));
 
1133
            s->motion_val16[plane]= av_mallocz((s->m.mb_stride*(block_height + 2) + 1)*2*sizeof(int16_t));
1113
1134
        }
1114
 
        
 
1135
 
1115
1136
        s->m.mb_type= s->mb_type;
1116
1137
        
1117
1138
        //dummies, to avoid segfaults
1120
1141
        s->m.current_picture.mc_mb_var= (uint16_t*)s->dummy;
1121
1142
        s->m.current_picture.mb_type= s->dummy;
1122
1143
        
1123
 
        s->m.current_picture.motion_val[0]= s->motion_val8[plane];
1124
 
        s->m.p_mv_table= s->motion_val16[plane];
 
1144
        s->m.current_picture.motion_val[0]= s->motion_val8[plane] + 2;
 
1145
        s->m.p_mv_table= s->motion_val16[plane] + s->m.mb_stride + 1;
1125
1146
        s->m.dsp= s->dsp; //move
1126
1147
        ff_init_me(&s->m);
1127
1148
    
1176
1197
            uint8_t *ref= ref_plane + offset;
1177
1198
            int score[4]={0,0,0,0}, best;
1178
1199
            uint8_t temp[16*stride];
 
1200
            
 
1201
            if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < 3000){ //FIXME check size
 
1202
                av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
 
1203
                return -1;
 
1204
            }
1179
1205
 
1180
1206
            s->m.mb_x= x;
1181
1207
            ff_init_block_index(&s->m);
1268
1294
        }
1269
1295
        s->m.first_slice_line=0;
1270
1296
    }
 
1297
    return 0;
1271
1298
}
1272
1299
 
1273
1300
static int svq1_encode_init(AVCodecContext *avctx)
1287
1314
    s->c_block_height = (s->frame_height / 4 + 15) / 16;
1288
1315
 
1289
1316
    s->avctx= avctx;
 
1317
    s->m.avctx= avctx;
1290
1318
    s->m.me.scratchpad= av_mallocz((avctx->width+64)*2*16*2*sizeof(uint8_t)); 
1291
1319
    s->m.me.map       = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t));
1292
1320
    s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t));
1294
1322
    s->dummy          = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int32_t));
1295
1323
    h263_encode_init(&s->m); //mv_penalty
1296
1324
    
1297
 
av_log(s->avctx, AV_LOG_INFO, " Hey: %d x %d, %d x %d, %d x %d\n",
1298
 
  s->frame_width, s->frame_height,
1299
 
  s->y_block_width, s->y_block_height,
1300
 
  s->c_block_width, s->c_block_height);
1301
 
 
1302
1325
    return 0;
1303
1326
}
1304
1327
 
1333
1356
 
1334
1357
    svq1_write_header(s, p->pict_type);
1335
1358
    for(i=0; i<3; i++){
1336
 
        svq1_encode_plane(s, i,
 
1359
        if(svq1_encode_plane(s, i,
1337
1360
            s->picture.data[i], s->last_picture.data[i], s->current_picture.data[i],
1338
1361
            s->frame_width / (i?4:1), s->frame_height / (i?4:1), 
1339
 
            s->picture.linesize[i], s->current_picture.linesize[i]);
 
1362
            s->picture.linesize[i], s->current_picture.linesize[i]) < 0)
 
1363
                return -1;
1340
1364
    }
1341
1365
 
1342
1366
//    align_put_bits(&s->pb);