author | Michael Niedermayer <michaelni@gmx.at> | 2011-09-07 15:04:56 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-09-07 15:04:56 +0200 |
commit | 21d99be9dc00a03be94bbcc1be0a2ec6a83d9b4e (patch) | |
tree | d0b74bea0b49b6e4e9b6e115ca87f3ca10589584 | |
parent | 7b6b9be8614aa53e79db565c9203b9afaa452d8d (diff) | |
parent | c2a2ad133eb9d42361804a568dee336992349a5e (diff) | |
download | ffmpeg-21d99be9dc00a03be94bbcc1be0a2ec6a83d9b4e.tar.gz |
Merge branch 'release/0.8' into release/0.7
* release/0.8: (21 commits)
rtp: Fix integer underflow that could allow remote code execution.
cavsdec: avoid possible crash with crafted input
vf_scale: apply the same transform to the aspect during init that is applied per frame
Fix memory corruption in case of memory allocation failure in av_probe_input_buffer()
Make all option parsing functions match the function pointer type through which they are called.
mjpegdec; even better RSTn skiping Fixes Ticket426
jpegdec: better rst skiping Fixes Ticket426
mpeg4: fix another packed divx issue. Fixes getting_stuck.avi
mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427
configure: add missing CFLAGS to fix building on the HURD
cavs: fix some crashes with invalid bitstreams
jpegdec: actually search for and parse RSTn
Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690a17f05630eb6f45a73db0f0e806c72)
libavfilter: fix --enable-small
0.8.2
cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check
Fix possible crash when decoding mpeg streams.
Bink: clip AC coefficients during dequantization.
ffmpeg: fix passlogfile regression
Fix several security issues in matroskadec.c (MSVR-11-0080).
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | VERSION | 1 | ||||
-rwxr-xr-x | configure | 1 | ||||
-rw-r--r-- | libavcodec/cavsdec.c | 13 | ||||
-rw-r--r-- | libavfilter/vf_scale.c | 5 | ||||
-rw-r--r-- | libavformat/rtpdec_asf.c | 2 | ||||
-rw-r--r-- | libavformat/utils.c | 8 |
6 files changed, 25 insertions, 5 deletions
@@ -1 +1,2 @@ 0.7.3 + @@ -2537,6 +2537,7 @@ case $target_os in add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_BSD_SOURCE ;; gnu) + add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 ;; qnx) add_cppflags -D_QNX_SOURCE diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 6e83a7d381..906afdb668 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -125,6 +125,8 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, level_code = get_ue_code(gb,r->golomb_order); if(level_code >= ESCAPE_CODE) { run = ((level_code - ESCAPE_CODE) >> 1) + 1; + if(run > 64) + return -1; esc_code = get_ue_code(gb,esc_golomb_order); level = esc_code + (run > r->max_run ? 1 : r->level_add[run]); while(level > r->inc_limit) @@ -164,7 +166,7 @@ static inline int decode_residual_inter(AVSContext *h) { /* get coded block pattern */ int cbp= get_ue_golomb(&h->s.gb); - if(cbp > 63){ + if(cbp > 63U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n"); return -1; } @@ -190,7 +192,8 @@ static inline int decode_residual_inter(AVSContext *h) { static int decode_mb_i(AVSContext *h, int cbp_code) { GetBitContext *gb = &h->s.gb; - int block, pred_mode_uv; + unsigned pred_mode_uv; + int block; uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; @@ -223,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) { /* get coded block pattern */ if(h->pic_type == AV_PICTURE_TYPE_I) cbp_code = get_ue_golomb(gb); - if(cbp_code > 63){ + if(cbp_code > 63U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n"); return -1; } @@ -446,6 +449,8 @@ static inline int check_for_slice(AVSContext *h) { if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) { skip_bits_long(gb,24+align); h->stc = get_bits(gb,8); + if (h->stc >= h->mb_height) + return 0; decode_slice_header(h,gb); return 1; } 
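Review bot: The new `if(run > 64) return -1;` in decode_residual_block rejects the block silently and with a bare constant, while the cbp checks later in this file log through av_log before returning. A comment such as `/* run cannot exceed the 64 coefficients of one block */` (assuming that is where 64 comes from) plus `av_log(h->s.avctx, AV_LOG_ERROR, "run out of range\n");` would make a crafted stream diagnosable. The function body starts and ends outside the hunk.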
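Review bot: `if(cbp > 63U){` in decode_residual_inter rejects a negative cbp only through the implicit int-to-unsigned conversion, which is easy to undo by accident and can trip -Wsign-compare. Writing the range out as `if(cbp < 0 || cbp > 63){`, or adding `/* unsigned compare also rejects negative values */`, states the intent. The same applies to `if(cbp_code > 63U){` in decode_mb_i and to the `unsigned pred_mode_uv;` change, whose comparison lies outside its hunk.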
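Review bot: In check_for_slice the range check runs after `h->stc = get_bits(gb,8);`, so on rejection the context keeps the out-of-range value and the start-code bits stay consumed while the function returns 0. Validating a local first keeps h->stc in range for any later reader: `int stc = get_bits(gb,8);`, `if (stc >= h->mb_height) return 0;`, `h->stc = stc;`. Whether other code reads h->stc after a 0 return is not visible in this hunk, so this is a hardening suggestion rather than a demonstrated fault. A comment noting why stc is compared with mb_height would also help.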
@@ -660,7 +665,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size, buf_end = buf + buf_size; for(;;) { buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc); - if(stc & 0xFFFFFE00) + if((stc & 0xFFFFFE00) || buf_ptr == buf_end) return FFMAX(0, buf_ptr - buf - s->parse_context.last_index); input_size = (buf_end - buf_ptr)*8; switch(stc) { diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index e172a2e586..ba8f9e1e82 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -232,6 +232,11 @@ static int config_props(AVFilterLink *outlink) if (!scale->sws) return AVERROR(EINVAL); + if (inlink->sample_aspect_ratio.num){ + outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio); + } else + outlink->sample_aspect_ratio = inlink->sample_aspect_ratio; + return 0; fail: diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 4f776453d7..384aeb24f3 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int prev_len = out_len; out_len += cur_len; asf->buf = av_realloc(asf->buf, out_len); + if(!asf->buf || FFMIN(cur_len, len - off)<0) + return -1; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); diff --git a/libavformat/utils.c b/libavformat/utils.c index 662b49ae19..3414ce14f0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
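Review bot: The added `|| buf_ptr == buf_end` term in cavs_decode_frame has no comment explaining why reaching the end of the buffer must stop the loop even when stc passes the mask test. Something like `/* no start code left in this packet: stc may hold a partial match, do not dispatch on it */` above the condition would record the reasoning. That reading of ff_find_start_code is inferred from the call here and should be confirmed against its definition. The loop body continues outside the hunk.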
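Review bot: The products `outlink->h * inlink->w` and `outlink->w * inlink->h` in config_props are computed in int before av_mul_q sees them, so large frame dimensions can overflow the AVRational fields. Multiplying two rationals instead keeps each operand within int: `av_mul_q(av_mul_q((AVRational){outlink->h, outlink->w}, (AVRational){inlink->w, inlink->h}), inlink->sample_aspect_ratio)`. Whether the dimensions are bounded earlier in the filter is not visible in this hunk. The `if (...){ ... } else` with one braced and one unbraced arm is also worth making uniform.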
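Review bot: In asfrtp_parse_packet the negative-length test comes after `out_len += cur_len;` and after av_realloc has resized asf->buf with that value, so the lengths are acted on before they are validated. The result of av_realloc is also assigned straight to `asf->buf`, which loses the old buffer on allocation failure; the utils.c hunk of this same commit uses a temporary for exactly that reason. I would compute the copy length once, reject it before touching out_len or the buffer, and realloc through a temporary, as sketched below. The enclosing loop and the declarations of cur_len, len and off are outside the hunk.

```c
int prev_len = out_len;
int copy_len = FFMIN(cur_len, len - off);
void *tmp;

/* reject a negative copy length before growing or writing the buffer */
if (copy_len < 0)
    return -1;
out_len += cur_len;
tmp = av_realloc(asf->buf, out_len);
if (!tmp)
    return -1;
asf->buf = tmp;
memcpy(asf->buf + prev_len, buf + off, copy_len);
// … unchanged: avio_skip(pb, cur_len) …
```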
@@ -596,13 +596,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; + void *buftmp; if (probe_size < offset) { continue; } /* read probe data */ - buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); + buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); + if(!buftmp){ + av_free(buf); + return AVERROR(ENOMEM); + } + buf=buftmp; if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { |
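Review bot: The new lines in av_probe_input_buffer do not follow the spacing of the surrounding code, which writes `if (probe_size < offset) {` with spaces after `if` and before `{`. I would write `if (!buftmp) {` and `buf = buftmp;` to match. A one-line comment such as `/* keep buf valid so it can be freed if the resize fails */` above the av_realloc call would also record why the temporary is needed. The loop and the rest of the function lie outside the hunk.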