Commit 7f884640 authored by Michael Niedermayer's avatar Michael Niedermayer

Merge commit 'b7765d00' into release/1.1

* commit 'b7765d00':
  msrledec: check bounds before constructing a possibly invalid pointer,
  qtrle: fix the topmost line for 1bit
  aasc: fix output for msrle compression.

Conflicts:
	tests/ref/fate/aasc
	tests/ref/fate/qtrle-1bit
Merged-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parents 81bcf945 b7765d00
......@@ -1851,7 +1851,7 @@ static int alloc_buffer(FrameBuffer **pool, AVCodecContext *s, FrameBuffer **pbu
/* XXX this shouldn't be needed, but some tests break without this line
* those decoders are buggy and need to be fixed.
* the following tests fail:
* cdgraphics, ansi, aasc, qtrle-1bit
* cdgraphics, ansi
*/
memset(buf->base[0], 128, ret);
......
......@@ -144,8 +144,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
if(p1 == 0) { //Escape code
p2 = bytestream2_get_byte(gb);
if(p2 == 0) { //End-of-line
output = pic->data[0] + (--line) * pic->linesize[0];
if (line < 0) {
if (--line < 0) {
if (bytestream2_get_be16(gb) == 1) { // end-of-picture
return 0;
} else {
......@@ -155,6 +154,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
return AVERROR_INVALIDDATA;
}
}
output = pic->data[0] + line * pic->linesize[0];
pos = 0;
continue;
} else if(p2 == 1) { //End-of-picture
......
......@@ -56,22 +56,16 @@ typedef struct QtrleContext {
static void qtrle_decode_1bpp(QtrleContext *s, int row_ptr, int lines_to_change)
{
int rle_code;
int pixel_ptr = 0;
int pixel_ptr;
int row_inc = s->frame.linesize[0];
unsigned char pi0, pi1; /* 2 8-pixel values */
unsigned char *rgb = s->frame.data[0];
int pixel_limit = s->frame.linesize[0] * s->avctx->height;
int skip;
/* skip & 0x80 appears to mean 'start a new line', which can be interpreted
* as 'go to next line' during the decoding of a frame but is 'go to first
* line' at the beginning. Since we always interpret it as 'go to next line'
* in the decoding loop (which makes code simpler/faster), the first line
* would not be counted, so we count one more.
* See: https://ffmpeg.org/trac/ffmpeg/ticket/226
* In the following decoding loop, row_ptr will be the position of the
* _next_ row. */
lines_to_change++;
row_ptr -= row_inc;
pixel_ptr = row_ptr;
lines_to_change++;
while (lines_to_change) {
skip = bytestream2_get_byte(&s->g);
rle_code = (signed char)bytestream2_get_byte(&s->g);
......@@ -79,8 +73,8 @@ static void qtrle_decode_1bpp(QtrleContext *s, int row_ptr, int lines_to_change)
break;
if(skip & 0x80) {
lines_to_change--;
pixel_ptr = row_ptr + 2 * (skip & 0x7f);
row_ptr += row_inc;
pixel_ptr = row_ptr + 2 * (skip & 0x7f);
} else
pixel_ptr += 2 * skip;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment