Merge remote-tracking branch 'qatar/master'

* qatar/master: bfi: Use bytestream2 functions to prevent buffer overreads. dpcm: Fix invalid writes utvideo: frame multithreading. vorbis: An additional defense in the Vorbis codec. vorbisdec: Fix decoding bug with channel handling Conflicts: libavcodec/dpcm.c Merged-by: Michael Niedermayer <michaelni@gmx.at>

Merge remote-tracking branch 'qatar/master'
9273efac · Michael Niedermayer · b1435626 · ccc27e21 · 9273efac · 9273efac
Commit 9273efac authored 13 years ago by Michael Niedermayer
--- a/libavcodec/bfi.c
+++ b/libavcodec/bfi.c
@@ -49,7 +49,7 @@ static av_cold int bfi_decode_init(AVCodecContext *avctx)
 static int bfi_decode_frame(AVCodecContext *avctx, void *data,
                            int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
+    GetByteContext g;
    int buf_size = avpkt->size;
    BFIContext *bfi = avctx->priv_data;
    uint8_t *dst = bfi->dst;
@@ -68,6 +68,8 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
        return -1;
    }
+    bytestream2_init(&g, avpkt->data, buf_size);
    /* Set frame parameters and palette, if necessary */
    if (!avctx->frame_number) {
        bfi->frame.pict_type = AV_PICTURE_TYPE_I;
@@ -96,15 +98,15 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
        memcpy(bfi->frame.data[1], bfi->pal, sizeof(bfi->pal));
    }
-    buf += 4; // Unpacked size, not required.
+    bytestream2_skip(&g, 4); // Unpacked size, not required.
    while (dst != frame_end) {
        static const uint8_t lentab[4] = { 0, 2, 0, 1 };
-        unsigned int byte   = *buf++, av_uninit(offset);
+        unsigned int byte   = bytestream2_get_byte(&g), av_uninit(offset);
        unsigned int code   = byte >> 6;
        unsigned int length = byte & ~0xC0;
-        if (buf >= buf_end) {
+        if (!bytestream2_get_bytes_left(&g)) {
            av_log(avctx, AV_LOG_ERROR,
                   "Input resolution larger than actual frame.\n");
            return -1;
@@ -113,16 +115,16 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
        /* Get length and offset(if required) */
        if (length == 0) {
            if (code == 1) {
-                length = bytestream_get_byte(&buf);
+                length = bytestream2_get_byte(&g);
-                offset = bytestream_get_le16(&buf);
+                offset = bytestream2_get_le16(&g);
            } else {
-                length = bytestream_get_le16(&buf);
+                length = bytestream2_get_le16(&g);
                if (code == 2 && length == 0)
                    break;
            }
        } else {
            if (code == 1)
-                offset = bytestream_get_byte(&buf);
+                offset = bytestream2_get_byte(&g);
        }
        /* Do boundary check */
@@ -132,11 +134,11 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
        switch (code) {
        case 0:                //Normal Chain
-            if (length >= buf_end - buf) {
+            if (length >= bytestream2_get_bytes_left(&g)) {
                av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
                return -1;
            }
-            bytestream_get_buffer(&buf, dst, length);
+            bytestream2_get_buffer(&g, dst, length);
            dst += length;
            break;
@@ -154,8 +156,8 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
            break;
        case 3:                //Fill Chain
-            colour1 = bytestream_get_byte(&buf);
+            colour1 = bytestream2_get_byte(&g);
-            colour2 = bytestream_get_byte(&buf);
+            colour2 = bytestream2_get_byte(&g);
            while (length--) {
                *dst++ = colour1;
                *dst++ = colour2;

--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -288,7 +288,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
    }
    case CODEC_ID_SOL_DPCM:
        if (avctx->codec_tag != 3) {
-            uint8_t *output_samples_u8 = output_samples;
+            uint8_t *output_samples_u8 = s->frame.data[0];
            while (buf < buf_end) {
                uint8_t n = *buf++;

--- a/libavcodec/utvideo.c
+++ b/libavcodec/utvideo.c
@@ -31,6 +31,7 @@
 #include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
+#include "thread.h"
 enum {
    PRED_NONE = 0,
@@ -366,15 +367,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    int ret;
    if (c->pic.data[0])
-        avctx->release_buffer(avctx, &c->pic);
+        ff_thread_release_buffer(avctx, &c->pic);
    c->pic.reference = 3;
    c->pic.buffer_hints = FF_BUFFER_HINTS_VALID;
-    if ((ret = avctx->get_buffer(avctx, &c->pic)) < 0) {
+    if ((ret = ff_thread_get_buffer(avctx, &c->pic)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
+    ff_thread_finish_setup(avctx);
    /* parse plane structure to retrieve frame flags and validate slice offsets */
    ptr = buf;
    for (i = 0; i < c->planes; i++) {
@@ -557,7 +560,7 @@ static av_cold int decode_end(AVCodecContext *avctx)
    UtvideoContext * const c = avctx->priv_data;
    if (c->pic.data[0])
-        avctx->release_buffer(avctx, &c->pic);
+        ff_thread_release_buffer(avctx, &c->pic);
    av_freep(&c->slice_bits);
@@ -572,7 +575,7 @@ AVCodec ff_utvideo_decoder = {
    .init           = decode_init,
    .close          = decode_end,
    .decode         = decode_frame,
-    .capabilities   = CODEC_CAP_DR1,
+    .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_FRAME_THREADS,
    .long_name      = NULL_IF_CONFIG_SMALL("Ut Video"),
 };