diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-08-27 18:20:09 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-08-27 18:29:55 +0200 |
| commit | 0930a562e7f2f7198f654dc268c71871da047c29 (patch) | |
| tree | a1a98b4833d2b79b60f4fce9df46ce04e81e4171 | |
| parent | fd85d031626bf1b6af12b4b5444e53c3bb614e3e (diff) | |
| parent | 0b6adcf76bda8994902f5b6d8e694b0b916ea210 (diff) | |
| download | ffmpeg-0930a562e7f2f7198f654dc268c71871da047c29.tar.gz | |
Merge commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210' into release/1.1
* commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210':
oma: refactor seek function
xl: Make sure the width is valid
8bps: Bound-check the input buffer
4xm: Reject not a multiple of 16 dimension
alsdec: Clean up error paths
alsdec: Fix the clipping range
dsicinav: Clip the source size to the expected maximum
dsicinav: Bound-check the source buffer when needed
dsicinav: K&R formatting cosmetics
lavf: Make sure avg_frame_rate can be calculated without integer overflow
mov: Do not allow updating the time scale after it has been set
mov: Seek back if overreading an individual atom
ac3dec: Don't consume more data than the actual input packet size
indeo: Reject impossible FRAMETYPE_NULL
indeo: Do not reference mismatched tiles
Conflicts:
libavcodec/4xm.c
libavcodec/8bps.c
libavcodec/alsdec.c
libavcodec/dsicinav.c
libavcodec/ivi_common.c
libavcodec/xl.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/8bps.c | 12 | ||||
| -rw-r--r-- | libavcodec/ac3dec.c | 2 | ||||
| -rw-r--r-- | libavcodec/alsdec.c | 155 | ||||
| -rw-r--r-- | libavcodec/dsicinav.c | 106 | ||||
| -rw-r--r-- | libavcodec/ivi_common.c | 10 | ||||
| -rw-r--r-- | libavformat/mov.c | 11 | ||||
| -rw-r--r-- | libavformat/omadec.c | 31 | ||||
| -rw-r--r-- | libavformat/utils.c | 3 |
8 files changed, 192 insertions, 138 deletions
diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index cfeedb108e..bfbb63c178 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; - const unsigned char *lp, *dp; + const unsigned char *lp, *dp, *ep; unsigned char count; unsigned int planes = c->planes; unsigned char *planemap = c->planemap; @@ -79,6 +79,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, return -1; } + ep = encoded + buf_size; + /* Set data pointer after line lengths */ dp = encoded + planes * (height << 1); @@ -90,19 +92,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, for (row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; pixptr_end = pixptr + c->pic.linesize[0]; - if(lp - encoded + row*2 + 1 >= buf_size) - return -1; + if (ep - lp < row * 2 + 2) + return AVERROR_INVALIDDATA; dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2)); /* Decode a row of this plane */ while (dlen > 0) { - if (dp + 1 >= buf + buf_size) + if (ep - dp <= 1) return -1; if ((count = *dp++) <= 127) { count++; dlen -= count + 1; if (pixptr + count * planes > pixptr_end) break; - if (dp + count > buf + buf_size) + if (ep - dp < count) return -1; while (count--) { *pixptr = *dp++; diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index b98ffa9889..ca8d24e084 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1308,7 +1308,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; - return s->frame_size; + return buf_size; } else { av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index d7baa6eccb..7e43478405 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -296,12 +296,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx) avctx->extradata_size * 8, 1); if (config_offset < 0) - return -1; + return AVERROR_INVALIDDATA; skip_bits_long(&gb, config_offset); if (get_bits_left(&gb) < (30 << 3)) - return -1; + return AVERROR_INVALIDDATA; // read the fixed items als_id = get_bits_long(&gb, 32); @@ -336,7 +336,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // check for ALSSpecificConfig struct if (als_id != MKBETAG('A','L','S','\0')) - return -1; + return AVERROR_INVALIDDATA; ctx->cur_frame_length = sconf->frame_length; @@ -351,7 +351,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) int chan_pos_bits = av_ceil_log2(avctx->channels); int bits_needed = avctx->channels * chan_pos_bits + 7; if (get_bits_left(&gb) < bits_needed) - return -1; + return AVERROR_INVALIDDATA; if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos)))) return AVERROR(ENOMEM); @@ -377,7 +377,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // read fixed header and trailer sizes, // if size = 0xFFFFFFFF then there is no data field! if (get_bits_left(&gb) < 64) - return -1; + return AVERROR_INVALIDDATA; header_size = get_bits_long(&gb, 32); trailer_size = get_bits_long(&gb, 32); @@ -391,10 +391,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // skip the header and trailer data if (get_bits_left(&gb) < ht_size) - return -1; + return AVERROR_INVALIDDATA; if (ht_size > INT32_MAX) - return -1; + return AVERROR_PATCHWELCOME; skip_bits_long(&gb, ht_size); @@ -402,7 +402,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // initialize CRC calculation if (sconf->crc_enabled) { if (get_bits_left(&gb) < 32) - return -1; + return AVERROR_INVALIDDATA; if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) { ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); @@ -646,7 +646,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (bd->block_length & (sub_blocks - 1)) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); - return -1; + return AVERROR_INVALIDDATA; } sb_length = bd->block_length >> log2_sub_blocks; @@ -983,14 +983,13 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) *bd->shift_lsbs = 0; // read block type flag and read the samples accordingly if (get_bits1(gb)) { - if ((ret = read_var_block_data(ctx, bd)) < 0) - return ret; + ret = read_var_block_data(ctx, bd); } else { if ((ret = read_const_block_data(ctx, bd)) < 0) return ret; } - return 0; + return ret; } @@ -999,12 +998,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) { unsigned int smp; + int ret = 0; // read block type flag and read the samples accordingly if (*bd->const_block) decode_const_block_data(ctx, bd); - else if (decode_var_block_data(ctx, bd)) - return -1; + else + ret = decode_var_block_data(ctx, bd); // always return 0 + + if (ret < 0) + return ret; // TODO: read RLSLMS extension data @@ -1022,14 +1025,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd) { int ret; - ret = read_block(ctx, bd); - - if (ret) + if ((ret = read_block(ctx, bd)) < 0) return ret; - ret = decode_block(ctx, bd); - - return ret; + return decode_block(ctx, bd); } @@ -1055,6 +1054,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, unsigned int c, const unsigned int *div_blocks, unsigned int *js_blocks) { + int ret; unsigned int b; ALSBlockData bd = { 0 }; @@ -1075,10 +1075,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; - if (read_decode_block(ctx, &bd)) { + if ((ret = read_decode_block(ctx, &bd)) < 0) { // damaged block, write zero for the rest of the frame zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples); - return -1; + return ret; } bd.raw_samples += div_blocks[b]; bd.ra_block = 0; @@ -1097,6 +1097,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, ALSSpecificConfig *sconf = &ctx->sconf; unsigned int offset = 0; unsigned int b; + int ret; ALSBlockData bd[2] = { { 0 } }; bd[0].ra_block = ra_frame; @@ -1138,12 +1139,9 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, bd[0].raw_other = bd[1].raw_samples; bd[1].raw_other = bd[0].raw_samples; - if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) { - // damaged block, write zero for the rest of the frame - zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); - zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); - return -1; - } + if ((ret = read_decode_block(ctx, &bd[0])) < 0 || + (ret = read_decode_block(ctx, &bd[1])) < 0) + goto fail; // reconstruct joint-stereo blocks if (bd[0].js_blocks) { @@ -1169,8 +1167,19 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, sizeof(*ctx->raw_samples[c]) * sconf->max_order); return 0; +fail: + // damaged block, write zero for the rest of the frame + zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); + zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); + return ret; } +static inline int als_weighting(GetBitContext *gb, int k, int off) +{ + int idx = av_clip(decode_rice(gb, k) + off, + 0, FF_ARRAY_ELEMS(mcc_weightings) - 1); + return mcc_weightings[idx]; +} /** Read the channel data. */ @@ -1186,19 +1195,19 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel >= channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel.\n"); - return -1; + return AVERROR_INVALIDDATA; } if (current->master_channel != c) { current->time_diff_flag = get_bits1(gb); - current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; - current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)]; - current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[0] = als_weighting(gb, 1, 16); + current->weighting[1] = als_weighting(gb, 2, 14); + current->weighting[2] = als_weighting(gb, 1, 16); if (current->time_diff_flag) { - current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; - current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; - current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[3] = als_weighting(gb, 1, 16); + current->weighting[4] = als_weighting(gb, 1, 16); + current->weighting[5] = als_weighting(gb, 1, 16); current->time_diff_sign = get_bits1(gb); current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; @@ -1211,7 +1220,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (entries == channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data.\n"); - return -1; + return AVERROR_INVALIDDATA; } align_get_bits(gb); @@ -1243,7 +1252,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (dep == channels) { av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation.\n"); - return -1; + return AVERROR_INVALIDDATA; } bd->const_block = ctx->const_block + c; @@ -1314,8 +1323,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) unsigned int div_blocks[32]; ///< block sizes. unsigned int c; unsigned int js_blocks[2]; - uint32_t bs_info = 0; + int ret; // skip the size of the ra unit if present in the frame if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame) @@ -1346,13 +1355,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) independent_bs = 1; if (independent_bs) { - if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; - + ret = decode_blocks_ind(ctx, ra_frame, c, + div_blocks, js_blocks); + if (ret < 0) + return ret; independent_bs--; } else { - if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; + ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks); + if (ret < 0) + return ret; c++; } @@ -1371,7 +1382,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (c = 0; c < avctx->channels; c++) if (ctx->chan_data[c] < ctx->chan_data_buffer) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data.\n"); - return -1; + return AVERROR_INVALIDDATA; } memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels); @@ -1403,11 +1414,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) return ret; } - for (c = 0; c < avctx->channels; c++) - if (revert_channel_correlation(ctx, &bd, ctx->chan_data, - reverted_channels, offset, c)) - return -1; - + for (c = 0; c < avctx->channels; c++) { + ret = revert_channel_correlation(ctx, &bd, ctx->chan_data, + reverted_channels, offset, c); + if (ret < 0) + return ret; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; bd.shift_lsbs = ctx->shift_lsbs + c; @@ -1612,30 +1624,30 @@ static av_cold int decode_init(AVCodecContext *avctx) { unsigned int c; unsigned int channel_size; - int num_buffers; + int num_buffers, ret; ALSDecContext *ctx = avctx->priv_data; ALSSpecificConfig *sconf = &ctx->sconf; ctx->avctx = avctx; if (!avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n"); - return -1; + return AVERROR_INVALIDDATA; } - if (read_specific_config(ctx)) { + if ((ret = read_specific_config(ctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n"); - decode_end(avctx); - return -1; + goto fail; } - if (check_specific_config(ctx)) { - decode_end(avctx); - return -1; + if ((ret = check_specific_config(ctx)) < 0) { + goto fail; } - if (sconf->bgmc) - ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); - + if (sconf->bgmc) { + ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (ret < 0) + goto fail; + } if (sconf->floating) { avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->bits_per_raw_sample = 32; @@ -1670,7 +1682,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->quant_cof_buffer || !ctx->lpc_cof_buffer || !ctx->lpc_cof_reversed_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign quantized parcor coefficient buffers @@ -1695,8 +1708,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->use_ltp || !ctx->ltp_lag || !ctx->ltp_gain || !ctx->ltp_gain_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1713,8 +1726,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1734,8 +1747,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate previous raw sample buffer if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign raw samples buffers @@ -1752,8 +1765,8 @@ static av_cold int decode_init(AVCodecContext *avctx) av_get_bytes_per_sample(avctx->sample_fmt)); if (!ctx->crc_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } } @@ -1763,6 +1776,10 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->coded_frame = &ctx->frame; return 0; + +fail: + decode_end(avctx); + return ret; } diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 76d4d1fc4d..567b1f83da 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -128,27 +128,30 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx) return 0; } -static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size) +static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, + int size) { while (size--) *dst++ += *src++; } -static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_huffman(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int b, huff_code = 0; unsigned char huff_code_table[15]; - unsigned char *dst_cur = dst; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_cur = dst; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; - memcpy(huff_code_table, src, 15); src += 15; + memcpy(huff_code_table, src, 15); + src += 15; while (src < src_end) { huff_code = *src++; if ((huff_code >> 4) == 15) { - b = huff_code << 4; - huff_code = *src++; + b = huff_code << 4; + huff_code = *src++; *dst_cur++ = b | (huff_code >> 4); } else *dst_cur++ = huff_code_table[huff_code >> 4]; @@ -167,11 +170,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c return dst_cur - dst; } -static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_lzss(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { uint16_t cmd; int i, sz, offset, code; - unsigned char *dst_end = dst + dst_size, *dst_start = dst; + unsigned char *dst_end = dst + dst_size, *dst_start = dst; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -180,13 +184,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char if (code & (1 << i)) { *dst++ = *src++; } else { - cmd = AV_RL16(src); src += 2; + cmd = AV_RL16(src); + src += 2; offset = cmd >> 4; - if ((int) (dst - dst_start) < offset + 1) + if ((int)(dst - dst_start) < offset + 1) return AVERROR_INVALIDDATA; sz = (cmd & 0xF) + 2; - /* don't use memcpy/memmove here as the decoding routine (ab)uses */ - /* buffer overlappings to repeat bytes in the destination */ + /* don't use memcpy/memmove here as the decoding routine + * (ab)uses buffer overlappings to repeat bytes in the + * destination */ sz = FFMIN(sz, dst_end - dst); while (sz--) { *dst = *(dst - offset - 1); @@ -199,10 +205,11 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char return 0; } -static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_rle(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int len, code; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; while (src + 1 < src_end && dst < dst_end) { @@ -216,7 +223,7 @@ static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char av_log(NULL, AV_LOG_ERROR, "RLE overread\n"); return AVERROR_INVALIDDATA; } - memcpy(dst, src, FFMIN(len, dst_end - dst)); + memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src)); src += len; } dst += len; @@ -228,15 +235,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + const uint8_t *buf = avpkt->data; + int buf_size = avpkt->size; CinVideoContext *cin = avctx->priv_data; - int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; + int i, y, palette_type, palette_colors_count, + bitmap_frame_type, bitmap_frame_size, res = 0; - palette_type = buf[0]; - palette_colors_count = AV_RL16(buf+1); - bitmap_frame_type = buf[3]; - buf += 4; + palette_type = buf[0]; + palette_colors_count = AV_RL16(buf + 1); + bitmap_frame_type = buf[3]; + buf += 4; bitmap_frame_size = buf_size - 4; @@ -247,46 +255,50 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (palette_colors_count > 256) return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { - cin->palette[i] = 0xFFU << 24 | bytestream_get_le24(&buf); + cin->palette[i] = 0xFFU << 24 | bytestream_get_le24(&buf); bitmap_frame_size -= 3; } } else { for (i = 0; i < palette_colors_count; ++i) { - cin->palette[buf[0]] = 0xFFU << 24 | AV_RL24(buf+1); + cin->palette[buf[0]] = 0xFFU << 24 | AV_RL24(buf + 1); buf += 4; bitmap_frame_size -= 4; } } - /* note: the decoding routines below assumes that surface.width = surface.pitch */ + bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size); + + /* note: the decoding routines below assumes that + * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 34: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], + cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 37: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 38: res = cin_decode_lzss(buf, bitmap_frame_size, @@ -302,12 +314,12 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (res < 0) return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; } cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; - if ((res = avctx->reget_buffer(avctx, &cin->frame))) { + if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) { av_log(cin->avctx, AV_LOG_ERROR, "failed to allocate a frame\n"); return res; } @@ -316,10 +328,11 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, cin->frame.palette_has_changed = 1; for (y = 0; y < cin->avctx->height; ++y) memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], - cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, - cin->avctx->width); + cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, + cin->avctx->width); - FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]); + FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_table[CIN_PRE_BMP]); *got_frame = 1; *(AVFrame *)data = cin->frame; @@ -358,8 +371,8 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx) static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - CinAudioContext *cin = avctx->priv_data; + const uint8_t *buf = avpkt->data; + CinAudioContext *cin = avctx->priv_data; const uint8_t *buf_end = buf + avpkt->size; int16_t *samples; int delta, ret; @@ -375,13 +388,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, delta = cin->delta; if (cin->initial_decode_frame) { cin->initial_decode_frame = 0; - delta = sign_extend(AV_RL16(buf), 16); - buf += 2; - *samples++ = delta; + delta = sign_extend(AV_RL16(buf), 16); + buf += 2; + *samples++ = delta; } while (buf < buf_end) { - delta += cinaudio_delta16_table[*buf++]; - delta = av_clip_int16(delta); + delta += cinaudio_delta16_table[*buf++]; + delta = av_clip_int16(delta); *samples++ = delta; } cin->delta = delta; @@ -392,7 +405,6 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, return avpkt->size; } - AVCodec ff_dsicinvideo_decoder = { .name = "dsicinvideo", .type = AVMEDIA_TYPE_VIDEO, diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index ab35c59185..60bb9a2533 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -345,6 +345,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile, tile->ref_mbs = 0; if (p || b) { + if (tile->num_MBs != ref_tile->num_MBs) + return AVERROR_INVALIDDATA; tile->ref_mbs = ref_tile->mbs; ref_tile++; } @@ -984,6 +986,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } ctx->buf_invalid[ctx->dst_buf] = 0; + } else { + if (ctx->is_scalable) + return AVERROR_INVALIDDATA; + + for (p = 0; p < 3; p++) { + if (!ctx->planes[p].bands[0].buf) + return AVERROR_INVALIDDATA; + } } if (ctx->buf_invalid[ctx->dst_buf]) return -1; diff --git a/libavformat/mov.c b/libavformat/mov.c index cc1d596ac1..5992c15b05 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -833,6 +833,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + if (sc->time_scale) { + av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n"); + return AVERROR_INVALIDDATA; + } + version = avio_r8(pb); if (version > 1) { av_log_ask_for_sample(c->fc, "unsupported version %d\n", version); @@ -2852,8 +2857,10 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) left = a.size - avio_tell(pb) + start_pos; if (left > 0) /* skip garbage at atom end */ avio_skip(pb, left); - else if(left < 0) { - av_log(c->fc, AV_LOG_DEBUG, "undoing overread of %"PRId64" in '%.4s'\n", -left, (char*)&a.type); + else if (left < 0) { + av_log(c->fc, AV_LOG_WARNING, + "overread end of atom '%.4s' by %"PRId64" bytes\n", + (char*)&a.type, -left); avio_seek(pb, left, SEEK_CUR); } } diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 39ac652811..6d69195426 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -432,23 +432,26 @@ static int oma_read_probe(AVProbeData *p) static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { OMAContext *oc = s->priv_data; - - ff_pcm_read_seek(s, stream_index, timestamp, flags); - - if (oc->encrypted) { - /* readjust IV for CBC */ - int64_t pos = avio_tell(s->pb); - if (pos < oc->content_start) - memset(oc->iv, 0, 8); - else { - if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) { - memset(oc->iv, 0, 8); - return -1; - } - } + int err = ff_pcm_read_seek(s, stream_index, timestamp, flags); + + if (!oc->encrypted) + return err; + + /* readjust IV for CBC */ + if (err || avio_tell(s->pb) < oc->content_start) + goto wipe; + if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0) + goto wipe; + if ((err = avio_read(s->pb, oc->iv, 8)) < 8) { + if (err >= 0) + err = AVERROR_EOF; + goto wipe; } return 0; +wipe: + memset(oc->iv, 0, 8); + return err; } AVInputFormat ff_oma_demuxer = { diff --git a/libavformat/utils.c b/libavformat/utils.c index b1a3417bfc..05b8feb277 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2976,6 +2976,9 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) int best_fps = 0; double best_error = 0.01; + if (st->info->codec_info_duration >= INT64_MAX / st->time_base.num / 2|| + st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den) + continue; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, st->info->codec_info_duration_fields*(int64_t)st->time_base.den, st->info->codec_info_duration*2*(int64_t)st->time_base.num, 60000); |