author | Michael Niedermayer <michaelni@gmx.at> | 2012-06-09 21:13:58 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-06-09 21:13:58 +0200 |
commit | 796039ad3807da88a443050fa16da313be3ce250 (patch) | |
tree | a2a6d4e183557321e15d9726c15d569234caa10c | |
parent | a56b07b5dc4fdacbb038a9fc9d51e6b98e6d12d8 (diff) | |
parent | 858c3158b58eafee2fedd9d83651c06aa57ef217 (diff) | |
download | ffmpeg-796039ad3807da88a443050fa16da313be3ce250.tar.gz |
Merge branch 'release/0.8' into release/0.7
* release/0.8:
Update for 0.8.12
mpc8: fix channel checks
h263: disable loop filter with lowres
wmv1: check that the input buffer is large enough
yopdec: check frame oddness to be within supported limits
yopdec: check that palette fits in the packet
8svx: fix crash
binkaudio: check number of channels
indeo5: check quant_mat
truemotion1: Check index, fix out of array read
iff: check if there is extradata
ape: Fix null ptr dereference with files missing a seektable.
4xm: fix division by zero caused by bps<8
jvdec: check videosize
motionpixels: check extradata size
iff_ilbm: fix null ptr deref
yop: check for missing extradata
xan: fix out of array read
cdgraphics: Fix out of array write
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/8svx.c | 2 | ||||
-rw-r--r-- | libavcodec/binkaudio.c | 6 | ||||
-rw-r--r-- | libavcodec/cdgraphics.c | 4 | ||||
-rw-r--r-- | libavcodec/iff.c | 17 | ||||
-rw-r--r-- | libavcodec/indeo5.c | 4 | ||||
-rw-r--r-- | libavcodec/intelh263dec.c | 2 | ||||
-rw-r--r-- | libavcodec/ituh263dec.c | 2 | ||||
-rw-r--r-- | libavcodec/jvdec.c | 4 | ||||
-rw-r--r-- | libavcodec/motionpixels.c | 5 | ||||
-rw-r--r-- | libavcodec/mpc8.c | 3 | ||||
-rw-r--r-- | libavcodec/truemotion1.c | 16 | ||||
-rw-r--r-- | libavcodec/wnv1.c | 5 | ||||
-rw-r--r-- | libavcodec/xan.c | 4 | ||||
-rw-r--r-- | libavcodec/yop.c | 14 | ||||
-rw-r--r-- | libavformat/4xm.c | 5 | ||||
-rw-r--r-- | libavformat/ape.c | 3 |
16 files changed, 86 insertions, 10 deletions
diff --git a/libavcodec/8svx.c b/libavcodec/8svx.c
index 5d94e005a2..336fa70852 100644
--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -44,7 +44,7 @@ typedef struct EightSvxContext {
 /* buffer used to store the whole audio decoded/interleaved chunk,
 * which is sent with the first packet */
 uint8_t *samples;
- size_t samples_size;
+ int64_t samples_size;
 int samples_idx;
 } EightSvxContext;
diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
index 3b65a19261..a93131dcbb 100644
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 frame_len_bits = 11;
 }
- if (avctx->channels > MAX_CHANNELS) {
- av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
- return -1;
+ if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+ return AVERROR_INVALIDDATA;
 }
 if (avctx->extradata && avctx->extradata_size > 0)
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index aae7bbbb1b..3edeefc6d7 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
 av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
 return AVERROR(EINVAL);
 }
+ if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+ av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+ return AVERROR(EINVAL);
+ }
 ret = avctx->reget_buffer(avctx, &cc->frame);
 if (ret) {
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 195ef10ac7..622bd4f020 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
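Review bot: In libavcodec/8svx.c the `samples_size` field changes from `size_t` to `int64_t` without a comment saying why the size has to be signed. The hunk shows only the struct, so the arithmetic this protects is outside it; presumably a subtraction or comparison involving `samples_size` wrapped while the field was unsigned. I would document that on the field, e.g. `/* signed on purpose: used in arithmetic that must not wrap like size_t */`, and confirm that every allocation or copy taking `samples_size` rejects negative and over-large values first.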
@@ -176,7 +176,13 @@ static int extract_header(AVCodecContext *const avctx,
 const uint8_t *buf;
 unsigned buf_size;
 IffContext *s = avctx->priv_data;
- int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+ int palette_size;
+
+ if (avctx->extradata_size < 2) {
+ av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
+ return AVERROR_INVALIDDATA;
+ }
+ palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
 if (avpkt) {
 int image_size;
@@ -192,8 +198,6 @@ static int extract_header(AVCodecContext *const avctx,
 return AVERROR_INVALIDDATA;
 }
 } else {
- if (avctx->extradata_size < 2)
- return AVERROR_INVALIDDATA;
 buf = avctx->extradata;
 buf_size = bytestream_get_be16(&buf);
 if (buf_size <= 1 || palette_size < 0) {
@@ -281,7 +285,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
 int err;
 if (avctx->bits_per_coded_sample <= 8) {
- int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+ int palette_size;
+
+ if (avctx->extradata_size >= 2)
+ palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+ else
+ palette_size = 0;
 avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) || (avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8;
 } else if (avctx->bits_per_coded_sample <= 32) {
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 4c6bfd66d1..eb16726a81 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -219,6 +219,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx)
 }
 if (band->blk_size == 8) {
+ if(quant_mat >= 5){
+ av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+ return -1;
+ }
 band->intra_base = &ivi5_base_quant_8x8_intra[quant_mat][0];
 band->inter_base = &ivi5_base_quant_8x8_inter[quant_mat][0];
 band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];
diff --git a/libavcodec/intelh263dec.c b/libavcodec/intelh263dec.c
index a011a9f597..a2ce68be78 100644
--- a/libavcodec/intelh263dec.c
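Review bot: In iff.c `decode_init` (third hunk), `palette_size` can still come out negative when `extradata_size >= 2` but the 16-bit value read by `AV_RB16` exceeds `extradata_size`, and the unchanged test `(avctx->extradata_size >= 2 && palette_size)` treats any non-zero value, negative included, as "palette present". The `palette_size < 0` rejection visible in `extract_header` lives in another function, and whether it runs before the chosen pixel format matters is not visible here. Writing the test as `avctx->extradata_size >= 2 && palette_size > 0` would make the PAL8/GRAY8 choice independent of that ordering.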
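Review bot: The bound added in indeo5.c `decode_gop_header` hard-codes `5`, so the check and the tables it guards can drift apart. If the `ivi5_*_quant_8x8_*` tables are arrays with that many rows, deriving the limit from one of them, `if (quant_mat < 0 || quant_mat >= FF_ARRAY_ELEMS(ivi5_base_quant_8x8_intra)) {`, keeps them in step and also covers a negative index should `quant_mat` be signed (its declaration is outside the hunk). Returning `AVERROR_INVALIDDATA` rather than `-1` would match the other input checks in this commit. The function body continues beyond the hunk.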
+++ b/libavcodec/intelh263dec.c
@@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s)
 }
 if(get_bits(&s->gb, 2))
 av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
- s->loop_filter = get_bits1(&s->gb);
+ s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;
 if(get_bits1(&s->gb))
 av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
 if(get_bits1(&s->gb))
diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index b1e67231fd..634fd8a32b 100644
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -961,6 +961,8 @@ int h263_decode_picture_header(MpegEncContext *s)
 s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */
 s->loop_filter= get_bits1(&s->gb);
 s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter;
+ if(s->avctx->lowres)
+ s->loop_filter = 0;
 s->h263_slice_structured= get_bits1(&s->gb);
 if (get_bits1(&s->gb) != 0) {
diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c
index 288e53c9d8..238cfffe7d 100644
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx,
 buf += 5;
 if (video_size) {
+ if(video_size < 0) {
+ av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
+ return AVERROR_INVALIDDATA;
+ }
 if (avctx->reget_buffer(avctx, &s->frame) < 0) {
 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
 return -1;
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index aa398c9592..1806e4703d 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx)
 int w4 = (avctx->width + 3) & ~3;
 int h4 = (avctx->height + 3) & ~3;
+ if(avctx->extradata_size < 2){
+ av_log(avctx, AV_LOG_ERROR, "extradata too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 motionpixels_tableinit();
 mp->avctx = avctx;
 dsputil_init(&mp->dsp, avctx);
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index 90bc8c8b96..4adc28ed25 100644
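Review bot: In intelh263dec.c the new line `s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;` uses a multiplication as a mask, which hides the fact that the bit must still be consumed from the stream while the filter is forced off. The same change in ituh263dec.c in this commit is written as an explicit `if`, and the two decoders would read better if they matched. `s->loop_filter = get_bits1(&s->gb) && !s->avctx->lowres;` still reads the bit (the left operand is always evaluated) and could carry the comment `/* loop filter is disabled when decoding with lowres */`.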
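Review bot: In ituh263dec.c `h263_decode_picture_header`, `s->unrestricted_mv` is derived from the bitstream's `loop_filter` on the context line just above, and only afterwards does the new code clear `s->loop_filter` for lowres. If that ordering is deliberate (keep the motion-vector range as signalled, skip only the filtering), it is easy to break by reordering and deserves a comment such as `/* lowres: skip the loop filter but keep unrestricted_mv as signalled */`. If it is not deliberate, the override belongs before the `unrestricted_mv` assignment. The function continues outside the hunk.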
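Review bot: The check added in jvdec.c `decode_frame` rejects only a negative `video_size`; nothing in the hunk compares it with the bytes actually left in the packet. If the code after the hunk does not clamp or validate it against the remaining input, a positive but over-large size would still be read past the buffer. The end-of-packet pointer is not visible here, so the exact expression has to come from the surrounding code, but the upper bound belongs next to this test.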
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
 c->frames = 1 << (get_bits(&gb, 3) * 2);
 avctx->sample_fmt = AV_SAMPLE_FMT_S16;
- avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+ avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+ avctx->channels = channels;
 if(vlc_initialized) return 0;
 av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n");
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index 284dbd8e12..839af44fd5 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -520,6 +520,10 @@ hres,vres,i,i%vres (0 < i < 4)
 }
 #define APPLY_C_PREDICTOR() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
 predictor_pair = s->c_predictor_table[index]; \
 horiz_pred += (predictor_pair >> 1); \
 if (predictor_pair & 1) { \
@@ -537,6 +541,10 @@ hres,vres,i,i%vres (0 < i < 4)
 index++;
 #define APPLY_C_PREDICTOR_24() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
 predictor_pair = s->c_predictor_table[index]; \
 horiz_pred += (predictor_pair >> 1); \
 if (predictor_pair & 1) { \
@@ -555,6 +563,10 @@ hres,vres,i,i%vres (0 < i < 4)
 #define APPLY_Y_PREDICTOR() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
 predictor_pair = s->y_predictor_table[index]; \
 horiz_pred += (predictor_pair >> 1); \
 if (predictor_pair & 1) { \
@@ -572,6 +584,10 @@ hres,vres,i,i%vres (0 < i < 4)
 index++;
 #define APPLY_Y_PREDICTOR_24() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
 predictor_pair = s->y_predictor_table[index]; \
 horiz_pred += (predictor_pair >> 1); \
 if (predictor_pair & 1) { \
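Review bot: The guard added to `APPLY_C_PREDICTOR()` in truemotion1.c repeats the literal `1023` and is copied unchanged into `APPLY_C_PREDICTOR_24()`, `APPLY_Y_PREDICTOR()` and `APPLY_Y_PREDICTOR_24()`, so the limit is tied to the table size only by convention. If the predictor tables are arrays in the decoder context, `if (index >= FF_ARRAY_ELEMS(s->c_predictor_table)) {` (and the `y_` equivalent) states the bound directly; a negative `index` is not covered either way if it is a signed int. The macros now contain a hidden `return;`, which only works in functions returning void and leaves the frame partly decoded without telling the caller, so each macro should say so in a comment, e.g. `/* NOTE: returns from the enclosing function on a bad index */`. The macro bodies continue outside each hunk.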
diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index 197cf7985d..4947ea5598 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx,
 int prev_y = 0, prev_u = 0, prev_v = 0;
 uint8_t *rbuf;
+ if(buf_size<=8) {
+ av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
+ return AVERROR_INVALIDDATA;
+ }
+
 rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
 if(!rbuf){
 av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 17b994bd81..5341e0eb70 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -511,6 +511,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
 int i;
 tag = bytestream_get_le32(&buf);
 size = bytestream_get_be32(&buf);
+ if(size < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size);
+ return AVERROR_INVALIDDATA;
+ }
 size = FFMIN(size, buf_end - buf);
 switch (tag) {
 case PALT_TAG:
diff --git a/libavcodec/yop.c b/libavcodec/yop.c
index 45a3344b9e..bbe78bc0a7 100644
--- a/libavcodec/yop.c
+++ b/libavcodec/yop.c
@@ -90,6 +90,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx)
 return -1;
 }
+ if (!avctx->extradata) {
+ av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 avctx->pix_fmt = PIX_FMT_PAL8;
 avcodec_get_frame_defaults(&s->frame);
@@ -200,6 +205,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 if (s->frame.data[0])
 avctx->release_buffer(avctx, &s->frame);
+ if (avpkt->size < 4 + 3*s->num_pal_colors) {
+ av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size);
+ return AVERROR_INVALIDDATA;
+ }
+
 ret = avctx->get_buffer(avctx, &s->frame);
 if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
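Review bot: The check added to yop.c `yop_decode_init` tests only that `avctx->extradata` is non-NULL and never looks at `avctx->extradata_size`. The reads from extradata are outside the hunk, but if the init code takes fixed bytes from it (palette count, first-colour indices), a present but too-short buffer is still read out of bounds. The motionpixels.c change in this same commit checks the size instead, and the same form fits here: `if (!avctx->extradata || avctx->extradata_size < N) {`, where N is the number of bytes the init code actually reads.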
@@ -215,6 +225,10 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 s->low_nibble = NULL;
 is_odd_frame = avpkt->data[0];
+ if(is_odd_frame>1){
+ av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame);
+ return AVERROR_INVALIDDATA;
+ }
 firstcolor = s->first_color[is_odd_frame];
 palette = (uint32_t *)s->frame.data[1];
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index b4dd3d4416..755a21168c 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -195,6 +195,11 @@ static int fourxm_read_header(AVFormatContext *s,
 ret= -1;
 goto fail;
 }
+ if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){
+ av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n");
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 i += 8 + size;
 /* allocate a new AVStream */
diff --git a/libavformat/ape.c b/libavformat/ape.c
index b0f2394ad8..7e18a403c3 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -274,6 +274,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
 return AVERROR(ENOMEM);
 for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
 ape->seektable[i] = avio_rl32(pb);
+ }else{
+ av_log(s, AV_LOG_ERROR, "Missing seektable\n");
+ return -1;
 }
 ape->frames[0].pos = ape->firstframe; |
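Review bot: The `is_odd_frame > 1` test in yop.c `yop_decode_frame` runs after the frame buffer has been obtained (the `get_buffer` call is visible in the previous hunk), so a malformed packet is rejected only once a buffer is held. The value comes straight from `avpkt->data[0]`, so the test can sit beside the packet-size check that precedes `get_buffer`, keeping all input validation ahead of any allocation. The message "frame is too odd" does not tell a user what was wrong; something like `"invalid odd-frame flag %d\n"` names the field. The function continues outside the hunk.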
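Review bot: The new test in 4xm.c `fourxm_read_header` rejects every `bits` value below 8 for non-ADPCM tracks, yet the message says "bits unspecified" and does not print the value, which makes a rejected file hard to diagnose. Logging it, `av_log(s, AV_LOG_ERROR, "invalid bits per sample %d for non ADPCM\n", fourxm->tracks[current_track].bits);`, costs nothing. Only the lower bound is checked here; whether later code also needs an upper bound or a multiple-of-8 constraint depends on how `bits` is used outside the hunk.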
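Review bot: The new `else` branch in ape.c `ape_read_header` returns a bare `-1`, while the allocation failure just above it returns `AVERROR(ENOMEM)` and the other input checks in this commit return `AVERROR_INVALIDDATA`. `return AVERROR_INVALIDDATA;` would give callers a meaningful code for a file without a seektable. The start of the function is outside the hunk; if it allocates anything (for example the frame array) before this point, confirm that memory is released on this early return, since nothing is freed here.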