author | Michael Niedermayer <michaelni@gmx.at> | 2014-03-10 18:39:02 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-03-10 18:39:02 +0100 |
commit | 5640ea43d7202e6bc6bc032079f66456323d1008 (patch) | |
tree | 88b6869c593b55a917214610557cc087a11fb007 | |
parent | 15efd9a7c0a6ccc59c07c3118a2e075449c91e68 (diff) | |
parent | 2c1d84499bfe06d75e9160b824eeffd9f5587337 (diff) | |
download | ffmpeg-5640ea43d7202e6bc6bc032079f66456323d1008.tar.gz |
Merge commit '2c1d84499bfe06d75e9160b824eeffd9f5587337' into release/0.10
* commit '2c1d84499bfe06d75e9160b824eeffd9f5587337':
lagarith: pad RGB buffer by 1 byte.
truemotion1: check the header size
shorten: pad the internal bitstream buffer
samplefmt: avoid integer overflow in av_samples_get_buffer_size()
h264: Fix a typo from the previous commit
h264: Lower bound check for slice offsets
rpza: limit the number of blocks to the total remaining blocks in the frame
Conflicts:
libavcodec/lagarith.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/h264.c | 37 | ||||
-rw-r--r-- | libavcodec/h264_loopfilter.c | 8 | ||||
-rw-r--r-- | libavcodec/lagarith.c | 2 | ||||
-rw-r--r-- | libavcodec/rpza.c | 3 | ||||
-rw-r--r-- | libavcodec/shorten.c | 2 | ||||
-rw-r--r-- | libavcodec/truemotion1.c | 5 | ||||
-rw-r--r-- | libavutil/samplefmt.c | 5 |
7 files changed, 38 insertions, 24 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9a0b07f0b0..877b0a3a7b 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3231,8 +3231,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } h->deblocking_filter = 1; - h->slice_alpha_c0_offset = 52; - h->slice_beta_offset = 52; + h->slice_alpha_c0_offset = 0; + h->slice_beta_offset = 0; if( h->pps.deblocking_filter_parameters_present ) { tmp= get_ue_golomb_31(&s->gb); if(tmp > 2){ @@ -3243,12 +3243,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(h->deblocking_filter < 2) h->deblocking_filter^= 1; // 1<->0 - if( h->deblocking_filter ) { - h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1; - h->slice_beta_offset += get_se_golomb(&s->gb) << 1; - if( h->slice_alpha_c0_offset > 104U - || h->slice_beta_offset > 104U){ - av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset); + if (h->deblocking_filter) { + h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2; + h->slice_beta_offset = get_se_golomb(&s->gb) * 2; + if (h->slice_alpha_c0_offset > 12 || + h->slice_alpha_c0_offset < -12 || + h->slice_beta_offset > 12 || + h->slice_beta_offset < -12) { + av_log(s->avctx, AV_LOG_ERROR, + "deblocking filter parameters %d %d out of range\n", + h->slice_alpha_c0_offset, h->slice_beta_offset); return -1; } } 
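Review bot: In the h264.c hunk at -3231, `h->slice_alpha_c0_offset` and `h->slice_beta_offset` switch from a 52-biased encoding to plain signed values, and nothing at the assignment records the new convention. The two readers in libavcodec/h264_loopfilter.c are adjusted in this diff (`52 + h->slice_alpha_c0_offset - qp_bd_offset`), but any reader outside the files listed in the diffstat would presumably still assume the old bias, so the release/0.10 tree is worth a grep for both field names. A comment such as `/* stored as 2 * *_offset_div2, unbiased; the loop filter adds 52 */` next to the `= 0` defaults would make the convention explicit. decode_slice_header starts and ends outside the hunk.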
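Review bot: The new bounds in the h264.c hunk at -3243 (`> 12`, `< -12`) are bare literals with no pointer to where they come from. They match the H.264 limit of -6..+6 on slice_alpha_c0_offset_div2 and slice_beta_offset_div2 once the `* 2` is applied, and a one-line comment such as `/* spec: *_offset_div2 in [-6, 6], stored doubled */` above the check would keep a later edit from loosening them. The error message now prints the doubled values rather than the coded syntax elements, which is worth saying in the same comment.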
@@ -3277,14 +3281,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } } } - h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1]) - + 6 * (h->sps.bit_depth_luma - 8); - -#if 0 //FMO - if( h->pps.num_slice_groups > 1 && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5) - slice_group_change_cycle= get_bits(&s->gb, ?); -#endif + h->qp_thresh = 15 - + FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - + FFMAX3(0, + h->pps.chroma_qp_index_offset[0], + h->pps.chroma_qp_index_offset[1]) + + 6 * (h->sps.bit_depth_luma - 8); h0->last_slice_type = slice_type; h->slice_num = ++h0->current_slice; @@ -3345,7 +3347,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1], h->ref_count[0], h->ref_count[1], s->qscale, - h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26, + h->deblocking_filter, + h->slice_alpha_c0_offset, h->slice_beta_offset, h->use_weight, h->use_weight==1 && h->use_weight_chroma ? "c" : "", h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : "" diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index f3a5ff6783..d98b642c35 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h, int top_type= h->top_type; int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); - int a = h->slice_alpha_c0_offset - qp_bd_offset; - int b = h->slice_beta_offset - qp_bd_offset; + int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset; + int b = 52 + h->slice_beta_offset - qp_bd_offset; int mb_type = s->current_picture.f.mb_type[mb_xy]; int qp = s->current_picture.f.qscale_table[mb_xy]; 
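Review bot: The debug line in the h264.c hunk at -3345 now passes `h->slice_alpha_c0_offset, h->slice_beta_offset`, which after this change hold twice the coded *_offset_div2 values, whereas the removed `/2-26` expressions printed the coded values themselves. Debug logs taken before and after the merge therefore disagree for any stream with non-zero offsets. If the old meaning is wanted, pass `h->slice_alpha_c0_offset / 2, h->slice_beta_offset / 2`. The format string is outside the hunk.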
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint av_unused int dir; int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY)); int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); - int a = h->slice_alpha_c0_offset - qp_bd_offset; - int b = h->slice_beta_offset - qp_bd_offset; + int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset; + int b = 52 + h->slice_beta_offset - qp_bd_offset; if (FRAME_MBAFF // and current and left pair do not have the same interlaced type diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 22becdfc37..addd4814ce 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -509,7 +509,7 @@ static int lag_decode_frame(AVCodecContext *avctx, if (!l->rgb_planes) { l->rgb_stride = FFALIGN(avctx->width, 16); - l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4); + l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4 + 1); if (!l->rgb_planes) { av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); return AVERROR(ENOMEM); diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 1de808074e..8dafba72c4 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -38,6 +38,7 @@ #include <stdlib.h> #include <string.h> +#include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s) } } + n_blocks = FFMIN(n_blocks, total_blocks); + switch (opcode & 0xe0) { /* Skip blocks */ diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index fa815e9f15..008a022a97 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
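Review bot: In lag_decode_frame (lagarith.c hunk at -509) the padded buffer is still sized only once, under `if (!l->rgb_planes)`, from the current `avctx->width` and `avctx->height`. Unless the buffer is released elsewhere when the dimensions change, a later and larger frame would reuse the smaller allocation, and the extra byte does not help there; that path is outside the hunk and should be confirmed. The `+ 1` also has no comment naming the read it covers, so a short comment identifying that read would stop a later cleanup from dropping the pad.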
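Review bot: The clamp `n_blocks = FFMIN(n_blocks, total_blocks);` in rpza_decode_stream (rpza.c hunk at -125) accepts an oversized block count silently. An opcode that claims more blocks than remain in the frame marks the stream as malformed, and a warning-level `av_log` when `n_blocks > total_blocks` would make such input visible to whoever triages decoder logs. The clamp also relies on `total_blocks` being non-negative at this point, an invariant that is maintained outside the hunk.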
@@ -431,7 +431,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, void *tmp_ptr; s->max_framesize = 1024; // should hopefully be enough for the first header tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, - s->max_framesize); + s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE); if (!tmp_ptr) { av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); return AVERROR(ENOMEM); diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 4576aa0c8e..ecf27aa8d8 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -320,6 +320,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return -1; } + if (header.header_size + 1 > s->size) { + av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; + } + /* unscramble the header bytes with a XOR operation */ memset(header_buffer, 0, 128); for (i = 1; i < header.header_size; i++) diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c index 1e4e56fd0a..be3bdeb18f 100644 --- a/libavutil/samplefmt.c +++ b/libavutil/samplefmt.c @@ -115,8 +115,11 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, return AVERROR(EINVAL); /* auto-select alignment if not specified */ - if (!align) + if (!align) { + if (nb_samples > INT_MAX - 31) + return AVERROR(EINVAL); align = 32; + } /* check for integer overflow */ if (nb_channels > INT_MAX / align || |
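Review bot: In shorten_decode_frame (shorten.c hunk at -431) the extra FF_INPUT_BUFFER_PADDING_SIZE bytes are allocated but nothing visible here initialises them, and av_fast_realloc does not zero memory. A bitstream reader that runs slightly past the payload would then consume indeterminate bytes instead of zeros. Unless the padding is cleared where the buffer is filled, which is outside the hunk, add `memset((uint8_t *)tmp_ptr + s->max_framesize, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the NULL check.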
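Review bot: The new size check in truemotion1_decode_header (truemotion1.c hunk at -320) does not say why the bound is `header.header_size + 1`. The unscramble loop below starts at `i = 1` and runs to `header.header_size`; its body is outside the hunk, so the `+ 1` presumably covers a read of the byte following index `i`. Once confirmed, a comment such as `/* the unscramble loop reads s->buf[1] .. s->buf[header_size] */` would pin the bound to the access it protects. The check directly above returns `-1` while this one returns `AVERROR_INVALIDDATA`; one convention for both would be tidier.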
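Review bot: The guard `nb_samples > INT_MAX - 31` in av_samples_get_buffer_size (samplefmt.c hunk at -115) hard-codes `31` as the auto-selected alignment minus one, separate from the `align = 32;` that follows. If the default alignment changes, the guard silently stops matching; assigning first and then testing `if (nb_samples > INT_MAX - (align - 1)) return AVERROR(EINVAL);` keeps the two coupled. The guard runs only when `align` is 0, so a caller-supplied alignment depends entirely on the overflow check that begins on the hunk's last line and continues outside it.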