diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:31:18 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:31:18 +0100 |
| commit | 76c48a78d1c0842d26b8ae926af3610935b0f280 (patch) | |
| tree | 66f9c2fb0840ac526bd0f135ea4cf166e5c84d14 | |
| parent | 6c0c799bd5869b3baccb57012d69490a0b35c62b (diff) | |
| parent | 993977032a0adb47eb70e7fef6ce0d5370027e83 (diff) | |
| download | ffmpeg-76c48a78d1c0842d26b8ae926af3610935b0f280.tar.gz | |
Merge commit '993977032a0adb47eb70e7fef6ce0d5370027e83' into release/0.10
* commit '993977032a0adb47eb70e7fef6ce0d5370027e83':
xan: Use bytestream2 to limit reading to within the buffer
pcx: Consume the whole packet if giving up due to missing palette
pngdec: Stop trying to decode once inflate returns Z_STREAM_END
mov: Make sure the read sample count is nonnegative
bfi: Add some very basic sanity checks for input packet sizes
Conflicts:
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/pcx.c | 1 | ||||
| -rw-r--r-- | libavcodec/pngdec.c | 4 | ||||
| -rw-r--r-- | libavcodec/xan.c | 22 | ||||
| -rw-r--r-- | libavformat/bfi.c | 4 | ||||
| -rw-r--r-- | libavformat/mov.c | 4 |
5 files changed, 23 insertions, 12 deletions
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index b23a0a8d51..7c98bfa4f9 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -195,6 +195,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (*buf++ != 12) { av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n"); + ret = buf_size; goto end; } diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 5a76918e29..1edef54035 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length) s->zstream.avail_out = s->crow_size; s->zstream.next_out = s->crow_buf; } + if (ret == Z_STREAM_END && s->zstream.avail_in > 0) { + av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in); + return 0; + } } return 0; } diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 62bec83490..4afc087c32 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -285,8 +285,8 @@ static int xan_wc3_decode_frame(XanContext *s) { /* pointers to segments inside the compressed chunk */ const unsigned char *huffman_segment; - const unsigned char *size_segment; - const unsigned char *vector_segment; + GetByteContext size_segment; + GetByteContext vector_segment; const unsigned char *imagedata_segment; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; @@ -306,8 +306,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; huffman_segment = s->buf + huffman_offset; - size_segment = s->buf + size_offset; - vector_segment = s->buf + vector_offset; + bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset); + bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, @@ -359,19 +359,17 @@ static int xan_wc3_decode_frame(XanContext *s) { case 9: case 19: - size = *size_segment++; + size = bytestream2_get_byte(&size_segment); break; case 10: case 20: - size = AV_RB16(&size_segment[0]); - size_segment += 2; + size = bytestream2_get_be16(&size_segment); break; case 11: case 21: - size = AV_RB24(size_segment); - size_segment += 3; + size = bytestream2_get_be24(&size_segment); break; } @@ -393,9 +391,9 @@ static int xan_wc3_decode_frame(XanContext *s) { } } else { /* run-based motion compensation from last frame */ - motion_x = sign_extend(*vector_segment >> 4, 4); - motion_y = sign_extend(*vector_segment & 0xF, 4); - vector_segment++; + uint8_t vector = bytestream2_get_byte(&vector_segment); + motion_x = sign_extend(vector >> 4, 4); + motion_y = sign_extend(vector & 0xF, 4); /* copy a run of pixels from the previous frame */ xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y); diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 35a6a51f04..37a15c9b68 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -130,6 +130,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) video_offset = avio_rl32(pb); audio_size = video_offset - audio_offset; bfi->video_size = chunk_size - video_offset; + if (audio_size < 0 || bfi->video_size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); + return AVERROR_INVALIDDATA; + } //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); diff --git a/libavformat/mov.c b/libavformat/mov.c index efa73b7c6d..4cb456744f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1711,6 +1711,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Invalid SampleDelta in STTS %d\n", sample_duration); sample_duration = 1; } + if (sample_count < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count); + return AVERROR_INVALIDDATA; + } sc->stts_data[i].count= sample_count; sc->stts_data[i].duration= sample_duration; |