author | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:02:02 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:02:02 +0100 |
commit | d1c7a7776f6775cf43c3a5025d0544f0470125f4 (patch) | |
tree | 5df137fce84cf350c411a87805da88f7baf7d0d7 | |
parent | 5339a9f000519851d111d747a9c582981be7ee82 (diff) | |
parent | 159993acc7f4e3155510d42c543e09fe972b933c (diff) | |
download | ffmpeg-d1c7a7776f6775cf43c3a5025d0544f0470125f4.tar.gz |
Merge commit '159993acc7f4e3155510d42c543e09fe972b933c' into release/0.10
* commit '159993acc7f4e3155510d42c543e09fe972b933c':
vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
wnv1: Make sure the input packet is large enough
dca: Validate the lfe parameter
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asv1: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
Conflicts:
libavcodec/qpeg.c
libavcodec/wnv1.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/asv1.c | 5 | ||||
-rw-r--r-- | libavcodec/dca.c | 5 | ||||
-rw-r--r-- | libavcodec/ffv1.c | 4 | ||||
-rw-r--r-- | libavcodec/mpegaudiodec.c | 3 | ||||
-rw-r--r-- | libavcodec/qpeg.c | 4 | ||||
-rw-r--r-- | libavcodec/rv10.c | 5 | ||||
-rw-r--r-- | libavcodec/vc1dec.c | 15 | ||||
-rw-r--r-- | libavcodec/wnv1.c | 2 | ||||
-rw-r--r-- | libavformat/idroqdec.c | 7 | ||||
-rw-r--r-- | libavformat/rl2.c | 4 | ||||
-rw-r--r-- | libavformat/segafilm.c | 5 | ||||
-rw-r--r-- | libavformat/wtvdec.c | 7 | ||||
-rw-r--r-- | libavformat/xmv.c | 7 |
13 files changed, 63 insertions, 10 deletions
diff --git a/libavcodec/asv1.c b/libavcodec/asv1.c index 9eeec2675a..d9a5968793 100644 --- a/libavcodec/asv1.c +++ b/libavcodec/asv1.c @@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){ int i; const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2; + if (avctx->extradata_size < 1) { + av_log(avctx, AV_LOG_ERROR, "No extradata provided\n"); + return AVERROR_INVALIDDATA; + } + common_init(avctx); init_vlcs(a); ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab); diff --git a/libavcodec/dca.c b/libavcodec/dca.c index ea40821766..314e04d8ae 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -577,6 +577,11 @@ static int dca_parse_frame_header(DCAContext *s) s->lfe = get_bits(&s->gb, 2); s->predictor_history = get_bits(&s->gb, 1); + if (s->lfe > 2) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe); + return AVERROR_INVALIDDATA; + } + /* TODO: check CRC */ if (s->crc_present) s->header_crc = get_bits(&s->gb, 16); diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index b363c9606b..e2301e6ce3 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){ int i; f->slice_count= f->num_h_slices * f->num_v_slices; + if (f->slice_count <= 0) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n"); + return AVERROR(EINVAL); + } for(i=0; i<f->slice_count; i++){ FFV1Context *fs= av_mallocz(sizeof(*fs)); diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index c6dc025e5f..fd195a1234 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c 
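Review bot: The new guard in init_slice_contexts in ffv1.c rejects a non-positive `f->slice_count` but sets no upper bound, and the product `f->num_h_slices * f->num_v_slices` is computed in plain int before it is tested. Whether both factors are range-checked where they are parsed is not visible in this hunk; if they are not, a large product would drive the allocation loop below past any fixed-size slice table. A capacity bound belongs in the same condition, e.g. `if (f->slice_count <= 0 || f->slice_count > MAX_SLICES) {`, assuming MAX_SLICES is the constant that sizes the slice context array. The loop body continues outside the hunk.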
@@ -1941,7 +1941,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header); - if (ch + m->nb_channels > avctx->channels) { + if (ch + m->nb_channels > avctx->channels || + s->coff[fr] + m->nb_channels > avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec " "channel count\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index adbeff03ae..d85d967a16 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -203,7 +203,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; - if(height < 0) + if (height < 0) break; } } @@ -216,7 +216,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; - if(height < 0) + if (height < 0) break; } } diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 62266dc2d7..84962f65d0 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -442,12 +442,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; static int done=0; - int major_ver, minor_ver, micro_ver; + int major_ver, minor_ver, micro_ver, ret; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; } + if ((ret = av_image_check_size(avctx->coded_width, + avctx->coded_height, 0, avctx)) < 0) + return ret; MPV_decode_defaults(s); diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index cc0632c667..dc97774f2b 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
@@ -5126,8 +5126,19 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v) if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane || !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base || - !v->mb_type_base) - return -1; + !v->mb_type_base) { + av_freep(&v->mv_type_mb_plane); + av_freep(&v->direct_mb_plane); + av_freep(&v->acpred_plane); + av_freep(&v->over_flags_plane); + av_freep(&v->block); + av_freep(&v->cbp_base); + av_freep(&v->ttblk_base); + av_freep(&v->is_intra_base); + av_freep(&v->luma_mv_base); + av_freep(&v->mb_type_base); + return AVERROR(ENOMEM); + } return 0; } diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 6e4742e8e7..39b552fcf2 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -70,7 +70,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if(buf_size<=8) { + if (buf_size<=8) { av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index fffee9d76e..62c017ba6d 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -145,6 +145,8 @@ static int roq_read_packet(AVFormatContext *s, break; case RoQ_QUAD_CODEBOOK: + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; /* packet needs to contain both this codebook and next VQ chunk */ codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE; codebook_size = chunk_size; @@ -187,6 +189,11 @@ static int roq_read_packet(AVFormatContext *s, st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; } case RoQ_QUAD_VQ: + if (chunk_type == RoQ_QUAD_VQ) { + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; + } + /* load up the packet */ if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE)) return AVERROR(EIO); 
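Review bot: The error path in vc1_decode_init_alloc_tables frees only the ten base pointers named in the condition. Any working pointer derived from them earlier in the function (the allocations are above the hunk) keeps its old value after `av_freep` clears the base. If such offset pointers exist, they should be reset here too, or the cleanup should go through the decoder's existing teardown routine so the two lists cannot drift apart. A short comment such as `/* release every table allocated above; av_freep() tolerates the NULL entries */` would also explain why all ten are freed regardless of which allocation failed.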
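Review bot: The second idroqdec.c hunk lands in `case RoQ_QUAD_VQ:`, which the preceding case reaches without a `break`, and nothing in the code says so, so the `chunk_type == RoQ_QUAD_VQ` re-test reads as redundant. Add `/* fallthrough: the preceding chunk types share the packet-loading code below */` before the case label and collapse the nested test into `if (chunk_type == RoQ_QUAD_VQ && roq->video_stream_index < 0)`. Both this check and the one added under `RoQ_QUAD_CODEBOOK` rely on `video_stream_index` starting out negative; that initialisation is outside these hunks and worth confirming.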
diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 78edec5b18..cd4f51a097 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -109,6 +109,10 @@ static av_cold int rl2_read_header(AVFormatContext *s, rate = avio_rl16(pb); channels = avio_rl16(pb); def_sound_size = avio_rl16(pb); + if (!channels || channels > 42) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels); + return AVERROR_INVALIDDATA; + } /** setup video stream */ st = avformat_new_stream(s, NULL); diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 7f7982468d..194a3b60bc 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -113,6 +113,11 @@ static int film_read_header(AVFormatContext *s, return AVERROR(EIO); film->audio_samplerate = AV_RB16(&scratch[24]); film->audio_channels = scratch[21]; + if (!film->audio_channels || film->audio_channels > 2) { + av_log(s, AV_LOG_ERROR, + "Invalid number of channels: %d\n", film->audio_channels); + return AVERROR_INVALIDDATA; + } film->audio_bits = scratch[22]; if (scratch[23] == 2) film->audio_type = CODEC_ID_ADPCM_ADX; diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 3980aca154..fb768d1244 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -258,7 +258,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b dir_length = AV_RL16(buf + 16); file_length = AV_RL64(buf + 24); name_size = 2 * AV_RL32(buf + 32); - if (buf + 48 + name_size > buf_end) { + if (name_size < 0) { + av_log(s, AV_LOG_ERROR, + "bad filename length, remaining directory entries ignored\n"); + break; + } + if (48 + name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; } diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 9c365c8df1..8fbb666b84 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c 
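Review bot: The channel check in rl2_read_header runs unconditionally, right after the header fields are read and before the video stream is set up, so a header with `channels == 0` is now rejected outright. If the format permits files without an audio track (the audio setup is outside this hunk), those files would stop opening, and the check would belong inside the audio-present branch instead. The same question applies to the `!film->audio_channels` test added in film_read_header in segafilm.c. The limit `42` is also unexplained; a named constant or a comment like `/* arbitrary sanity cap on the channel count */` would make clear that it is not a format constant.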
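Review bot: `48 + name_size` in the rewritten wtvfile_open2 bounds check is still arithmetic on a file-controlled value that has only passed the `< 0` test, so, with `name_size` apparently a signed int, a value within 48 of INT_MAX overflows before the comparison happens. Moving the constant to the other side avoids that: `if (name_size > buf_end - buf - 48) {`, provided the enclosing loop (its condition is outside the hunk) guarantees at least 48 bytes remain. The doubling in `2 * AV_RL32(buf + 32)` can also wrap before the sign check sees it, so validating the raw 32-bit count before multiplying would be tighter.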
@@ -48,6 +48,8 @@ XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ XMV_AUDIO_ADPCM51_REARLEFTRIGHT) +#define XMV_BLOCK_ALIGN_SIZE 36 + /** A video packet with an XMV file. */ typedef struct XMVVideoPacket { int stream_index; ///< The decoder stream index for this video packet. @@ -199,7 +201,7 @@ static int xmv_read_header(AVFormatContext *s, packet->bit_rate = packet->bits_per_sample * packet->sample_rate * packet->channels; - packet->block_align = 36 * packet->channels; + packet->block_align = XMV_BLOCK_ALIGN_SIZE * packet->channels; packet->block_samples = 64; packet->codec_id = ff_wav_codec_get_id(packet->compression, packet->bits_per_sample); @@ -215,7 +217,8 @@ static int xmv_read_header(AVFormatContext *s, av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", packet->flags); - if (!packet->channels || !packet->sample_rate) { + if (!packet->channels || !packet->sample_rate || + packet->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", audio_track); ret = AVERROR_INVALIDDATA; |
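Review bot: The new `packet->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE` test in xmv_read_header sits after the values it is meant to protect: in the second hunk `packet->block_align` and `packet->bit_rate` are already computed from the unvalidated `channels` and `sample_rate`. The error return does stop the header from being accepted, but the `bits_per_sample * sample_rate * channels` product is evaluated first and is not bounded by this check; its operand types are not visible here, so whether it can overflow needs confirming. Validating the track parameters before deriving anything from them would make the ordering obvious. The `XMV_BLOCK_ALIGN_SIZE` define would also benefit from a one-line comment saying what the 36 bytes represent.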