Commit f382ee01 authored by tmmm's avatar tmmm

fix image buffer leak on keyframes, add more error condition checks


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@1856 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 7191272f
...@@ -280,8 +280,8 @@ typedef struct Vp3DecodeContext { ...@@ -280,8 +280,8 @@ typedef struct Vp3DecodeContext {
* numbers corresponds to the fragment indices 0..5 which comprise * numbers corresponds to the fragment indices 0..5 which comprise
* the macroblock (4 Y fragments and 2 C fragments). */ * the macroblock (4 Y fragments and 2 C fragments). */
int *macroblock_fragments; int *macroblock_fragments;
/* This is an array of that indicates how a particular /* This is an array that indicates how a particular macroblock
* macroblock is coded. */ * is coded. */
unsigned char *macroblock_coding; unsigned char *macroblock_coding;
int first_coded_y_fragment; int first_coded_y_fragment;
...@@ -1656,6 +1656,16 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, ...@@ -1656,6 +1656,16 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
DCTELEM coeff; DCTELEM coeff;
Vp3Fragment *fragment; Vp3Fragment *fragment;
if ((first_fragment < 0) ||
(first_fragment >= s->fragment_count) ||
(last_fragment < 0) ||
(last_fragment >= s->fragment_count)) {
printf (" vp3:unpack_vlcs(): bad fragment number (%d -> %d ?)\n",
first_fragment, last_fragment);
return 1;
}
for (i = first_fragment; i <= last_fragment; i++) { for (i = first_fragment; i <= last_fragment; i++) {
fragment = &s->all_fragments[s->coded_fragment_list[i]]; fragment = &s->all_fragments[s->coded_fragment_list[i]];
...@@ -2117,6 +2127,11 @@ static void render_fragments(Vp3DecodeContext *s, ...@@ -2117,6 +2127,11 @@ static void render_fragments(Vp3DecodeContext *s,
/* for each fragment in a row... */ /* for each fragment in a row... */
for (x = 0; x < width; x += 8, i++) { for (x = 0; x < width; x += 8, i++) {
if ((i < 0) || (i >= s->fragment_count)) {
printf (" vp3:render_fragments(): bad fragment number (%d)\n", i);
return;
}
/* transform if this block was coded */ /* transform if this block was coded */
if (s->all_fragments[i].coding_method != MODE_COPY) { if (s->all_fragments[i].coding_method != MODE_COPY) {
...@@ -2418,11 +2433,15 @@ static int vp3_decode_frame(AVCodecContext *avctx, ...@@ -2418,11 +2433,15 @@ static int vp3_decode_frame(AVCodecContext *avctx,
counter++; counter++;
if (s->keyframe) { if (s->keyframe) {
if ((s->golden_frame.data[0]) && if (s->last_frame.data[0] == s->golden_frame.data[0]) {
(s->last_frame.data[0] == s->golden_frame.data[0])) if (s->golden_frame.data[0])
avctx->release_buffer(avctx, &s->golden_frame); avctx->release_buffer(avctx, &s->golden_frame);
else if (s->last_frame.data[0]) } else {
avctx->release_buffer(avctx, &s->last_frame); if (s->golden_frame.data[0])
avctx->release_buffer(avctx, &s->golden_frame);
if (s->last_frame.data[0])
avctx->release_buffer(avctx, &s->last_frame);
}
s->golden_frame.reference = 0; s->golden_frame.reference = 0;
if(avctx->get_buffer(avctx, &s->golden_frame) < 0) { if(avctx->get_buffer(avctx, &s->golden_frame) < 0) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment