diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-10-08 01:06:45 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-10-08 01:06:45 +0200 |
| commit | 55aedd679a24055e861c3debe0397b2cd05ef1be (patch) | |
| tree | fe9eb65e1a6b02d3c484ddf732c08f2a5d21ff90 | |
| parent | af26185bdc35bab5183e5016becd048eb50c29a1 (diff) | |
| parent | ce1dacb435460dda1f9d453eaaeac44bd502aca4 (diff) | |
| download | ffmpeg-55aedd679a24055e861c3debe0397b2cd05ef1be.tar.gz | |
Merge commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4' into release/1.1
* commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4':
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asvdec: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
eacmv: Make sure a reference frame exists before referencing it
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
ivi_common: Make sure color planes have been initialized
mov: Don't use a negative duration for setting other fields
Conflicts:
libavcodec/eacmv.c
libavcodec/ffv1.c
libavcodec/mpeg4videodec.c
libavcodec/mpegaudiodec.c
libavcodec/qpeg.c
libavformat/mov.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/asvdec.c | 5 | ||||
| -rw-r--r-- | libavcodec/eacmv.c | 4 | ||||
| -rw-r--r-- | libavcodec/ivi_common.c | 5 | ||||
| -rw-r--r-- | libavcodec/mpeg4videodec.c | 14 | ||||
| -rw-r--r-- | libavcodec/mpegaudiodec.c | 3 | ||||
| -rw-r--r-- | libavcodec/qpeg.c | 4 | ||||
| -rw-r--r-- | libavcodec/rv10.c | 5 | ||||
| -rw-r--r-- | libavcodec/truemotion2.c | 16 | ||||
| -rw-r--r-- | libavformat/idroqdec.c | 7 | ||||
| -rw-r--r-- | libavformat/mov.c | 2 | ||||
| -rw-r--r-- | libavformat/rl2.c | 4 | ||||
| -rw-r--r-- | libavformat/segafilm.c | 5 | ||||
| -rw-r--r-- | libavformat/wtvdec.c | 7 | ||||
| -rw-r--r-- | libavformat/xmv.c | 12 |
14 files changed, 63 insertions, 30 deletions
diff --git a/libavcodec/asvdec.c b/libavcodec/asvdec.c index 7c3b30c8db..5e70d4b32a 100644 --- a/libavcodec/asvdec.c +++ b/libavcodec/asvdec.c @@ -282,6 +282,11 @@ static av_cold int decode_init(AVCodecContext *avctx) const int scale = avctx->codec_id == AV_CODEC_ID_ASV1 ? 1 : 2; int i; + if (avctx->extradata_size < 1) { + av_log(avctx, AV_LOG_ERROR, "No extradata provided\n"); + return AVERROR_INVALIDDATA; + } + ff_asv_common_init(avctx); init_vlcs(a); ff_init_scantable(a->dsp.idct_permutation, &a->scantable, ff_asv_scantab); diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index a129161386..fe32cf6ce6 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -114,8 +114,8 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * int yoffset = ((buf[i] >> 4)) - 7; if (s->last_frame.data[0]) cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 60bb9a2533..d8b5e00a6a 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -969,6 +969,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_PATCHWELCOME; } + if (!ctx->planes[0].bands) { + av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n"); + return AVERROR_INVALIDDATA; + } + ctx->switch_buffers(ctx); //{ START_TIMER; diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index acbc525a38..39f946078d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -160,7 +160,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){ return 0; } -static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) +static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb) { int i; int a= 2<<s->sprite_warping_accuracy; @@ -176,8 +176,8 @@ static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) int h= s->height; int min_ab; - if(w<=0 || h<=0) - return -1; + if (w <= 0 || h <= 0) + return AVERROR_INVALIDDATA; for(i=0; i<s->num_sprite_warping_points; i++){ int length; @@ -415,8 +415,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s) skip_bits(&s->gb, 3); /* intra dc vlc threshold */ //FIXME don't just ignore everything if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){ - if(mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) - return -1; + if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_ERROR, "untested\n"); } @@ -2081,8 +2081,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){ } if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){ - if(mpeg4_decode_sprite_trajectory(s, gb) < 0) - return -1; + if (mpeg4_decode_sprite_trajectory(s, gb) < 0) + return AVERROR_INVALIDDATA; if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n"); if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); } diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index beef38dde3..14a47eb400 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1965,7 +1965,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header); - if (ch + m->nb_channels > avctx->channels || s->coff[fr] + m->nb_channels > avctx->channels) { + if (ch + m->nb_channels > avctx->channels || + s->coff[fr] + m->nb_channels > avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec " "channel count\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 105ac69600..2446060cdb 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -193,7 +193,7 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; - if(height < 0) + if (height < 0) break; } } @@ -209,7 +209,7 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; - if(height < 0) + if (height < 0) break; } } diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 92a5574371..f005bcc33c 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -458,12 +458,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) RVDecContext *rv = avctx->priv_data; MpegEncContext *s = &rv->m; static int done=0; - int major_ver, minor_ver, micro_ver; + int major_ver, minor_ver, micro_ver, ret; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; } + if ((ret = av_image_check_size(avctx->coded_width, + avctx->coded_height, 0, avctx)) < 0) + return ret; ff_MPV_decode_defaults(s); diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 5ba2cf10e7..3b5b09e98e 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -922,14 +922,14 @@ static av_cold int decode_init(AVCodecContext *avctx){ if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index 6f843d7bc9..8cdd72e33a 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -145,6 +145,8 @@ static int roq_read_packet(AVFormatContext *s, break; case RoQ_QUAD_CODEBOOK: + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; /* packet needs to contain both this codebook and next VQ chunk */ codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE; codebook_size = chunk_size; @@ -194,6 +196,11 @@ static int roq_read_packet(AVFormatContext *s, st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; } case RoQ_QUAD_VQ: + if (chunk_type == RoQ_QUAD_VQ) { + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; + } + /* load up the packet */ if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE)) return AVERROR(EIO); diff --git a/libavformat/mov.c b/libavformat/mov.c index 5992c15b05..32add6db03 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3209,7 +3209,7 @@ static int mov_read_header(AVFormatContext *s) for (i = 0; i < s->nb_streams; i++) { AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; - if (st->duration) + if (st->duration > 0) st->codec->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } } diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 800e12edbe..c72b6655d0 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -107,6 +107,10 @@ static av_cold int rl2_read_header(AVFormatContext *s) rate = avio_rl16(pb); channels = avio_rl16(pb); def_sound_size = avio_rl16(pb); + if (!channels || channels > 42) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels); + return AVERROR_INVALIDDATA; + } /** setup video stream */ st = avformat_new_stream(s, NULL); diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 232a93117f..0e6ce0807b 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -112,6 +112,11 @@ static int film_read_header(AVFormatContext *s) return AVERROR(EIO); film->audio_samplerate = AV_RB16(&scratch[24]); film->audio_channels = scratch[21]; + if (!film->audio_channels || film->audio_channels > 2) { + av_log(s, AV_LOG_ERROR, + "Invalid number of channels: %d\n", film->audio_channels); + return AVERROR_INVALIDDATA; + } film->audio_bits = scratch[22]; if (scratch[23] == 2 && film->audio_channels > 0) film->audio_type = AV_CODEC_ID_ADPCM_ADX; diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 3416ed5075..eb1dd3e0f1 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -258,7 +258,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b dir_length = AV_RL16(buf + 16); file_length = AV_RL64(buf + 24); name_size = 2 * AV_RL32(buf + 32); - if (buf + 48 + (int64_t)name_size > buf_end || name_size<0) { + if (name_size < 0) { + av_log(s, AV_LOG_ERROR, + "bad filename length, remaining directory entries ignored\n"); + break; + } + if (48 + (int64_t)name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; } diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 7763337d4e..3a671972cf 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -49,6 +49,8 @@ XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ XMV_AUDIO_ADPCM51_REARLEFTRIGHT) +#define XMV_BLOCK_ALIGN_SIZE 36 + /** A video packet with an XMV file. */ typedef struct XMVVideoPacket { int stream_index; ///< The decoder stream index for this video packet. @@ -196,15 +198,10 @@ static int xmv_read_header(AVFormatContext *s) packet->bits_per_sample = avio_rl16(pb); packet->flags = avio_rl16(pb); - if (!packet->channels) { - av_log(s, AV_LOG_ERROR, "0 channels\n"); - return AVERROR(EINVAL); - } - packet->bit_rate = packet->bits_per_sample * packet->sample_rate * packet->channels; - packet->block_align = 36 * packet->channels; + packet->block_align = XMV_BLOCK_ALIGN_SIZE * packet->channels; packet->block_samples = 64; packet->codec_id = ff_wav_codec_get_id(packet->compression, packet->bits_per_sample); @@ -220,7 +217,8 @@ static int xmv_read_header(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", packet->flags); - if (!packet->channels || !packet->sample_rate) { + if (!packet->channels || !packet->sample_rate || + packet->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", audio_track); ret = AVERROR_INVALIDDATA; |