[FFmpeg-devel] [PATCH] RV30/40 decoder

Michael Niedermayer michaelni
Sat Dec 1 02:27:44 CET 2007


On Sun, Nov 18, 2007 at 11:11:24AM +0200, Kostya wrote:
> Well, it is roughly the same feature-wise as it was,
> I just don't think I will improve it soon, yet
> it is playable (and maybe will attract samples
> and patches, I'm an optimist).

last part: rv40.c

> +static int rv40_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
> +{
> +    int t, mb_bits;
> +    int w = r->s.width, h = r->s.height;
> +    int mb_size;
> +
> +    memset(si, 0, sizeof(SliceInfo));
> +    if(get_bits1(gb))
> +        return -1;
> +    si->type = get_bits(gb, 2);
> +    if(si->type == 1) si->type = 0;
> +    si->quant = get_bits(gb, 5);
> +    if(get_bits(gb, 2))
> +        return -1;
> +    si->vlc_set = get_bits(gb, 2);
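Review bot: the three `return -1` paths in this region (the reserved bit at the top and the two reserved bits after `si->quant`) give the caller no diagnostic; an av_log() at AV_LOG_ERROR naming the field that failed would make corrupt-stream reports debuggable. Also `si->type = get_bits(gb, 2);` followed by `if(si->type == 1) si->type = 0;` folds 1 into 0 but passes 2 and 3 through unchanged; a comment stating what the four slice type codes mean would make clear that this is intended.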

> +    get_bits1(gb);

skip_bits1();


> +    t = get_bits(gb, 13); /// ???
> +    if(!si->type || !get_bits1(gb))
> +        rv40_parse_picture_size(gb, &w, &h);
> +    si->width  = w;
> +    si->height = h;
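Review bot: `t = get_bits(gb, 13); /// ???` reads 13 bits into `t` that are never used afterwards; replace it with `skip_bits(gb, 13)` and a comment saying the field's meaning is unknown rather than leaving a `///` marker. More importantly, `w` and `h` coming out of rv40_parse_picture_size() are copied into `si->width`/`si->height` with no range check at all; validate them (non-zero, within the bounds the decoder context was allocated for) and return -1 before they are stored, since later code derives `mb_size` and buffer accesses from them.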

looks like seriously inadequate checking of width/height -> exploitable
invalid width/height just cause rv34_decode_slice() to return -1
which is not even checked but even if so the context is already filled
with invalid values and nothing will stop them from being used in 
future frames


> +    mb_size = ((w + 15) >> 4) * ((h + 15) >> 4);
> +    mb_bits = ff_rv34_get_start_offset(gb, mb_size);
> +    si->start = get_bits(gb, mb_bits);
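Review bot: `mb_size` is computed from the per-slice `w`/`h` rather than the context's dimensions, and `si->start` is read with `mb_bits` bits but never compared against `mb_size`; add `if(si->start >= mb_size) return -1;` so a slice cannot claim to start outside the picture, and make sure the `w`/`h` feeding `mb_size` have been validated first or the multiplication can overflow for large values.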

> +    si->header_size = get_bits_count(gb);

the header size field is never read so it as well as the code writing
to it can be removed

the loop filter could also be simplified but I don't really suggest that due
to "//XXX these are probably not correct", it should be correct first ...

[...]

> +#define RV34_STRONG_FILTER(src, step, start, last, sub) \

RV34 in RV40 ?



[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact
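The review point above, that invalid width/height values are written into the context before anything checks them, is illustrated here with an added example. It is not code from Kostya's patch or from FFmpeg: the bit reader is a stand-in for GetBitContext, the 13-bit size fields, the "new size follows" flag, the MAX_DIM bound and the way the start-offset width is derived are all assumptions made for the example. The point it demonstrates is the validate-then-commit pattern: every field is parsed into a local SliceInfo, checked, and only copied into the decoder context once the whole header has passed, so a rejected header leaves the context exactly as it was.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sanity bound for picture dimensions. An assumed illustrative limit,
 * not a value from the RealVideo specification or from FFmpeg. */
#define MAX_DIM 4096u

/* Minimal MSB-first bit reader (stand-in for FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t len)
{
    br->buf = buf;
    br->size_bits = len * 8;
    br->pos = 0;
}

/* Reads n bits; past the end it returns zero bits but keeps advancing
 * pos so the caller can detect the overrun afterwards. */
static uint32_t br_get(BitReader *br, int n)
{
    uint32_t v = 0;
    while (n-- > 0) {
        uint32_t bit = 0;
        if (br->pos < br->size_bits)
            bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
        br->pos++;
        v = (v << 1) | bit;
    }
    return v;
}

static int br_overrun(const BitReader *br) { return br->pos > br->size_bits; }

typedef struct {
    int type, quant;
    unsigned width, height, start;
} SliceInfo;

typedef struct {
    unsigned width, height;   /* dimensions the frame buffers were allocated for */
    SliceInfo cur;            /* written only after the header validated */
} DecContext;

/* Parses a slice header into a local SliceInfo and commits it to ctx only
 * if every field passed its check. Field order follows the quoted
 * rv40_parse_slice_header() loosely; the 13-bit width/height fields and
 * the "new size follows" flag are assumptions made for this example.
 * Returns 0 on success, -1 on a malformed header; ctx is untouched on -1. */
static int parse_slice_header(DecContext *ctx, BitReader *br)
{
    SliceInfo si;
    unsigned w, h, mb_size;
    int mb_bits = 0;

    memset(&si, 0, sizeof(si));
    if (br_get(br, 1))                      /* reserved bit must be zero */
        return -1;
    si.type  = (int)br_get(br, 2);
    si.quant = (int)br_get(br, 5);

    if (br_get(br, 1)) {                    /* assumed: explicit size follows */
        w = br_get(br, 13);
        h = br_get(br, 13);
    } else {
        w = ctx->width;
        h = ctx->height;
    }
    /* Reject zero or oversized dimensions before they are stored anywhere. */
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return -1;
    /* This toy has no buffer reallocation path, so a size that differs from
     * what the context was set up for is refused rather than carried forward
     * into later frames. */
    if (w != ctx->width || h != ctx->height)
        return -1;

    mb_size = ((w + 15) >> 4) * ((h + 15) >> 4);
    while ((1u << mb_bits) < mb_size)       /* bits needed to address mb_size MBs */
        mb_bits++;
    si.start = br_get(br, mb_bits);
    if (si.start >= mb_size)                /* slice must start inside the picture */
        return -1;
    if (br_overrun(br))                     /* header ran past the buffer */
        return -1;

    si.width  = w;
    si.height = h;
    ctx->cur  = si;                         /* commit only now */
    return 0;
}

/* Convenience wrapper: parse one header from a byte buffer. */
static int try_header(DecContext *ctx, const uint8_t *buf, size_t len)
{
    BitReader br;
    br_init(&br, buf, len);
    return parse_slice_header(ctx, &br);
}

int main(void)
{
    /* Constructed test vectors for a 64x48 context (12 macroblocks, 4 start bits). */
    static const uint8_t ok[]        = { 0x2A, 0x18 };                   /* start = 3 */
    static const uint8_t bad_start[] = { 0x2A, 0x78 };                   /* start = 15 */
    static const uint8_t huge[]      = { 0x2A, 0xFF, 0xFF, 0xFF, 0xFF }; /* w = 8191 */
    DecContext ctx = { 64, 48, { 0, 0, 0, 0, 0 } };

    printf("ok:        %d\n", try_header(&ctx, ok, sizeof ok));
    printf("bad_start: %d (ctx start still %u)\n",
           try_header(&ctx, bad_start, sizeof bad_start), ctx.cur.start);
    printf("huge:      %d (ctx width still %u)\n",
           try_header(&ctx, huge, sizeof huge), ctx.cur.width);
    return 0;
}
```

The two rejected vectors show the property the review asks for: after `bad_start` and `huge` fail, `ctx.cur` still holds the values committed by the earlier good header, so nothing downstream can pick up a start offset past the last macroblock or an 8191-pixel width.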