On 02/22/2013 12:38 PM, Alexandra Khirnova wrote:
> ---
> libavcodec/vmdav.c | 151
> ++++++++++++++++++++--------------------------------
> 1 file changed, 59 insertions(+), 92 deletions(-)
[...]
> - chainofs = *s++;
> - chainofs |= ((*s & 0xF0) << 4);
> - chainlen = (*s++ & 0x0F) + 3;
> - s_len -= 2;
> + chainofs = bytestream2_get_byte(&gb);
> + chainofs |= ((bytestream2_peek_le32(&gb) & 0xF0) << 4);
> + chainlen = (bytestream2_get_byte(&gb) & 0x0F) + 3;
That part looks wrong.
> - if (s_len < 1)
> - return;
> - chainlen = *s++ + 0xF + 3;
> - s_len--;
> + chainlen = bytestream2_get_byte(&gb) + 0xF + 3;
> }
> if (d + chainlen > d_end)
> return;
> @@ -162,49 +152,44 @@ static void lz_unpack(const unsigned char *src, int
> src_len,
> static int rle_unpack(const unsigned char *src, unsigned char *dest,
> int src_count, int src_size, int dest_len)
> {
> - const unsigned char *ps;
> unsigned char *pd;
> int i, l;
> unsigned char *dest_end = dest + dest_len;
> + GetByteContext gb;
>
> - ps = src;
> + bytestream2_init(&gb, src, src_size);
> pd = dest;
> if (src_count & 1) {
> - if (src_size < 1)
> + if (bytestream2_get_bytes_left(&gb) < 1)
> return 0;
> - *pd++ = *ps++;
> - src_size--;
> + *pd++ = bytestream2_get_byte(&gb);
> }
>
> src_count >>= 1;
> i = 0;
> do {
> - if (src_size < 1)
> + if (bytestream2_get_bytes_left(&gb) < 1)
> break;
> - l = *ps++;
> - src_size--;
> + l = bytestream2_get_byte(&gb);
> if (l & 0x80) {
> l = (l & 0x7F) * 2;
> - if (pd + l > dest_end || src_size < l)
> - return ps - src;
> - memcpy(pd, ps, l);
> - ps += l;
> - src_size -= l;
> + if (pd + l > dest_end || bytestream2_get_bytes_left(&gb) < l)
> + return bytestream2_tell(&gb);
> + bytestream2_get_buffer(&gb, pd, l);
> pd += l;
> } else {
> - if (pd + i > dest_end || src_size < 2)
> - return ps - src;
> + if (pd + i > dest_end || bytestream2_get_bytes_left(&gb) < 2)
> + return bytestream2_get_buffer(&gb, pd, l);
Are you sure that return value is correct?
[...]
> @@ -341,23 +315,16 @@ static void vmd_decode(VmdVideoContext *s)
> for (i = 0; i < frame_height; i++) {
> ofs = 0;
> do {
> - if (pb_size < 1)
> - return;
> - len = *pb++;
> - pb_size--;
> + len = bytestream2_get_byte(&gb);
> if (len & 0x80) {
> len = (len & 0x7F) + 1;
> - if (pb_size < 1)
> - return;
> - if (*pb++ == 0xFF)
> - len = rle_unpack(pb, &dp[ofs], len, pb_size,
> frame_width - ofs);
> - else {
> - if (pb_size < len)
> - return;
> - memcpy(&dp[ofs], pb, len);
> - }
> - pb += len;
> - pb_size -= 1 + len;
> + if (bytestream2_get_byteu(&gb) == 0xFF)
I believe that needs to be the checked version.
> + len = rle_unpack(gb.buffer, &dp[ofs],
> + len,
> bytestream2_get_bytes_left(&gb),
> + frame_width - ofs);
> + else
> + memcpy(&dp[ofs], gb.buffer, len);
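Review bot: The literal-copy branch writes `len` bytes (up to 128, from `(len & 0x7F) + 1`) to `&dp[ofs]` without first comparing `ofs + len` against `frame_width`, whereas the RLE branch just above passes `frame_width - ofs` as its destination limit. Nothing in the quoted lines bounds this write, so a length byte read near the end of a row can carry the copy past the row, and on the final rows possibly past the frame buffer. A guard before the copy, for example `if (ofs + len > frame_width) return;`, would bound the destination independently of how the source bytes are read. The quoted hunk stops at this line, so any later check on `ofs` is not visible here, but a check placed after the copy would come too late to prevent the write.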
bytestream2_get_buffer() instead of memcpy()
Thanks,
Justin