aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-06-04 12:38:11 +0200
committerMichael Niedermayer <michaelni@gmx.at>2012-06-04 12:38:11 +0200
commit598eb973a7a30510b970bf94bb60a2f6709d3d0d (patch)
tree6b1deac6d45c8c754dd996e39f73071232a0db39
parentb56606e6bc1156f0edf5fca53216481ebde48630 (diff)
parent4451f9ae169534999c64b77cccc5cf2976832660 (diff)
downloadffmpeg-598eb973a7a30510b970bf94bb60a2f6709d3d0d.tar.gz
Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6: (32 commits) Bump version number for 0.6.6 release. tqi: Pass errors from the MB decoder ea: check chunk_size for validity. png: check bit depth for PAL8/Y400A pixel formats. dxva2: define required feature selection macros mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one mingw32: properly check if vfw capture is supported by the system headers configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code. qdm2: clip array indices returned by qdm2_get_vlc(). kmvc: Check palsize. shorten: Use separate pointers for the allocated memory for decoded samples. shorten: check for realloc failure shorten: Fix out of bound writes in fix_bitshift() shorten: Prevent block size from increasing shorten: remove VLA and check for buffer overflow adpcm: ADPCM Electronic Arts has always two channels h264: Add check for invalid chroma_format_idc aacsbr: prevent out of bounds memcpy(). dpcm: ignore extra unpaired bytes in stereo streams. vqavideo: return error if image size is not a multiple of block size ... Conflicts: libavcodec/atrac3.c libavcodec/h264_ps.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat
-rw-r--r--VERSION2
-rwxr-xr-xconfigure13
-rw-r--r--libavcodec/aacsbr.c7
-rw-r--r--libavcodec/adpcm.c10
-rw-r--r--libavcodec/atrac3.c2
-rw-r--r--libavcodec/celp_filters.c4
-rw-r--r--libavcodec/dpcm.c6
-rw-r--r--libavcodec/dxva2_internal.h2
-rw-r--r--libavcodec/eatqi.c10
-rw-r--r--libavcodec/h264_ps.c4
-rw-r--r--libavcodec/kgv1dec.c4
-rw-r--r--libavcodec/kmvc.c7
-rw-r--r--libavcodec/mjpegbdec.c7
-rw-r--r--libavcodec/motionpixels.c6
-rw-r--r--libavcodec/pngdec.c6
-rw-r--r--libavcodec/qdm2.c18
-rw-r--r--libavcodec/shorten.c60
-rw-r--r--libavcodec/vqavideo.c6
-rw-r--r--libavformat/dv.c20
-rw-r--r--libavformat/electronicarts.c7
-rw-r--r--libavformat/nsvdec.c23
-rw-r--r--tests/fate.mak2
-rw-r--r--tests/ref/fate/motionpixels1
23 files changed, 165 insertions, 62 deletions
diff --git a/VERSION b/VERSION
index ef5e445445..05e8a4593f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.6.5
+0.6.6
diff --git a/configure b/configure
index 954398f658..89bd4dc22d 100755
--- a/configure
+++ b/configure
@@ -1412,7 +1412,7 @@ oss_indev_deps_any="soundcard_h sys_soundcard_h"
oss_outdev_deps_any="soundcard_h sys_soundcard_h"
v4l_indev_deps="linux_videodev_h"
v4l2_indev_deps_any="linux_videodev2_h sys_videoio_h"
-vfwcap_indev_deps="capCreateCaptureWindow"
+vfwcap_indev_deps="capCreateCaptureWindow vfwcap_defines"
vfwcap_indev_extralibs="-lavicap32"
x11_grab_device_indev_deps="x11grab XShmCreateImage"
x11_grab_device_indev_extralibs="-lX11 -lXext -lXfixes"
@@ -2230,13 +2230,9 @@ case $target_os in
dlltool="${cross_prefix}dlltool"
enable dos_paths
check_cflags -fno-common
- if ! enabled x86_64; then
- check_cpp_condition _mingw.h "(__MINGW32_MAJOR_VERSION > 3) || (__MINGW32_MAJOR_VERSION == 3 && __MINGW32_MINOR_VERSION >= 15)" ||
+ check_cpp_condition _mingw.h "defined (__MINGW64_VERSION_MAJOR) || (__MINGW32_MAJOR_VERSION > 3) \
+ || (__MINGW32_MAJOR_VERSION == 3 && __MINGW32_MINOR_VERSION >= 15)" ||
die "ERROR: MinGW runtime version must be >= 3.15."
- enabled_any avisynth vfwcap_indev &&
- { check_cpp_condition w32api.h "(__W32API_MAJOR_VERSION > 3) || (__W32API_MAJOR_VERSION == 3 && __W32API_MINOR_VERSION >= 13)" ||
- die "ERROR: avisynth and vfwcap_indev require w32api version 3.13 or later."; }
- fi
;;
cygwin*)
target_os=cygwin
@@ -2689,6 +2685,9 @@ check_header linux/videodev2.h
check_header sys/videoio.h
check_func_headers "windows.h vfw.h" capCreateCaptureWindow "$vfwcap_indev_extralibs"
+# check that WM_CAP_DRIVER_CONNECT is defined to the proper value
+# w32api 3.12 had it defined wrong
+check_cpp_condition vfw.h "WM_CAP_DRIVER_CONNECT > WM_USER" && enable vfwcap_defines
# check for ioctl_meteor.h, ioctl_bt848.h and alternatives
{ check_header dev/bktr/ioctl_meteor.h &&
diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index cac34bb085..a8ce7ce9a2 100644
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1182,14 +1182,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
int i, n;
const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
int scale_and_bias = scale != 1.0f || bias != 0.0f;
+ const int step = 128 >> div;
float *v;
for (i = 0; i < 32; i++) {
- if (*v_off == 0) {
+ if (*v_off < step) {
int saved_samples = (1280 - 128) >> div;
memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
- *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+ *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
} else {
- *v_off -= 128 >> div;
+ *v_off -= step;
}
v = v0 + *v_off;
if (div) {
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 68bd656aa6..2cf2d20f46 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -678,17 +678,23 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
static av_cold int adpcm_decode_init(AVCodecContext * avctx)
{
ADPCMContext *c = avctx->priv_data;
+ unsigned int min_channels = 1;
unsigned int max_channels = 2;
switch(avctx->codec->id) {
+ case CODEC_ID_ADPCM_EA:
+ min_channels = 2;
+ break;
case CODEC_ID_ADPCM_EA_R1:
case CODEC_ID_ADPCM_EA_R2:
case CODEC_ID_ADPCM_EA_R3:
max_channels = 6;
break;
}
- if(avctx->channels > max_channels){
- return -1;
+
+ if (avctx->channels < min_channels || avctx->channels > max_channels) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+ return AVERROR(EINVAL);
}
switch(avctx->codec->id) {
diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index 49f70d2516..8452853d7b 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -393,7 +393,7 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
for (k=0; k<coded_components; k++) {
sfIndx = get_bits(gb,6);
- if(component_count>=64)
+ if (component_count >= 64)
return AVERROR_INVALIDDATA;
pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
max_coded_values = 1024 - pComponent[component_count].pos;
diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c
index 26a62eed14..0f8e071735 100644
--- a/libavcodec/celp_filters.c
+++ b/libavcodec/celp_filters.c
@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
out2 -= val * old_out2;
out3 -= val * old_out3;
- old_out3 = out[-5];
-
for (i = 5; i <= filter_length; i += 2) {
+ old_out3 = out[-i];
val = filter_coeffs[i-1];
out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
FFSWAP(float, old_out0, old_out2);
old_out1 = old_out3;
- old_out3 = out[-i-2];
}
tmp0 = out0;
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 7c5351686e..8cc8fb56a2 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
int in, out = 0;
int predictor[2];
int channel_number = 0;
+ int stereo = s->channels - 1;
short *output_samples = data;
int shift[2];
unsigned char byte;
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
if (!buf_size)
return 0;
+ if (stereo && (buf_size & 1))
+ buf_size--;
+
// almost every DPCM variant expands one byte of data into two
if(*data_size/2 < buf_size)
return -1;
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
}
*data_size = out * sizeof(short);
- return buf_size;
+ return avpkt->size;
}
#define DPCM_DECODER(id, name, long_name_) \
diff --git a/libavcodec/dxva2_internal.h b/libavcodec/dxva2_internal.h
index a9be7a07e7..23d4d87522 100644
--- a/libavcodec/dxva2_internal.h
+++ b/libavcodec/dxva2_internal.h
@@ -23,6 +23,8 @@
#ifndef AVCODEC_DXVA_INTERNAL_H
#define AVCODEC_DXVA_INTERNAL_H
+#define _WIN32_WINNT 0x0600
+#define COBJMACROS
#include "dxva2.h"
#include "avcodec.h"
#include "mpegvideo.h"
diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c
index 7f1901d309..53f21a2c84 100644
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx)
return 0;
}
-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
{
int n;
s->dsp.clear_blocks(block[0]);
for (n=0; n<6; n++)
- ff_mpeg1_decode_block_intra(s, block[n], n);
+ if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+ return -1;
+
+ return 0;
}
static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
@@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx,
for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
{
- tqi_decode_mb(s, t->block);
+ if (tqi_decode_mb(s, t->block) < 0)
+ break;
tqi_idct_put(t, t->block);
}
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 351d52b6c0..f36e38d959 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -300,9 +300,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
if (sps->chroma_format_idc > 3U) {
av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
goto fail;
- }
- if(sps->chroma_format_idc == 3)
+ } else if(sps->chroma_format_idc == 3) {
sps->residual_color_transform_flag = get_bits1(&s->gb);
+ }
sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8;
sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
sps->transform_bypass = get_bits1(&s->gb);
diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
index 5af6b3b2bb..494aa11b0b 100644
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -38,7 +38,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
const uint8_t *buf = avpkt->data;
const uint8_t *buf_end = buf + avpkt->size;
KgvContext * const c = avctx->priv_data;
- int offsets[7];
+ int offsets[8];
uint16_t *out, *prev;
int outcnt = 0, maxcnt;
int w, h, i;
@@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
return -1;
c->prev = prev;
- for (i = 0; i < 7; i++)
+ for (i = 0; i < 8; i++)
offsets[i] = -1;
while (outcnt < maxcnt && buf_end - 2 > buf) {
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
index 3e8dccd363..c8de28b3e5 100644
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
#define KMVC_KEYFRAME 0x80
#define KMVC_PALETTE 0x40
#define KMVC_METHOD 0x0F
+#define MAX_PALSIZE 256
/*
* Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {
int setpal;
int palsize;
- uint32_t pal[256];
+ uint32_t pal[MAX_PALSIZE];
uint8_t *cur, *prev;
uint8_t *frm0, *frm1;
} KmvcContext;
@@ -365,6 +366,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
c->palsize = 127;
} else {
c->palsize = AV_RL16(avctx->extradata + 10);
+ if (c->palsize >= MAX_PALSIZE) {
+ av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+ return AVERROR_INVALIDDATA;
+ }
}
if (avctx->extradata_size == 1036) { // palette in extradata
diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
index b418f5734c..324806e5e2 100644
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -59,6 +59,9 @@ read_header:
s->restart_count = 0;
s->mjpb_skiptosod = 0;
+ if (buf_end - buf_ptr >= 1 << 28)
+ return AVERROR_INVALIDDATA;
+
init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
skip_bits(&hgb, 32); /* reserved zeros */
@@ -109,8 +112,8 @@ read_header:
av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
if (sos_offs)
{
-// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
- init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+ init_get_bits(&s->gb, buf_ptr + sos_offs,
+ 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
s->start_code = SOS;
ff_mjpeg_decode_sos(s);
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index 9bc5e2035d..91f28cfe62 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -188,10 +188,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
p = mp_get_yuv_from_rgb(mp, x - 1, y);
} else {
p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
if ((x & 3) == 0) {
if ((y & 3) == 0) {
p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
} else {
p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -215,9 +218,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
p = mp_get_yuv_from_rgb(mp, 0, y);
} else {
p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
if ((y & 3) == 0) {
p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
}
mp->vpt[y] = p;
mp_set_rgb_from_yuv(mp, 0, y, &p);
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 03859a9913..24b0fd4cc7 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -487,9 +487,11 @@ static int decode_frame(AVCodecContext *avctx,
} else if (s->bit_depth == 1 &&
s->color_type == PNG_COLOR_TYPE_GRAY) {
avctx->pix_fmt = PIX_FMT_MONOBLACK;
- } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+ } else if (s->bit_depth == 8 &&
+ s->color_type == PNG_COLOR_TYPE_PALETTE) {
avctx->pix_fmt = PIX_FMT_PAL8;
- } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
+ } else if (s->bit_depth == 8 &&
+ s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
avctx->pix_fmt = PIX_FMT_Y400A;
} else {
goto fail;
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 839e3fe1bf..946f7d29f7 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -883,9 +883,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
break;
case 30:
- if (BITS_LEFT(length,gb) >= 4)
- samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
- else
+ if (BITS_LEFT(length,gb) >= 4) {
+ unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+ if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+ samples[0] = type30_dequant[index];
+ } else
+ samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
+ } else
samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
run = 1;
@@ -899,8 +903,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
type34_predictor = samples[0];
type34_first = 0;
} else {
- samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
- type34_predictor = samples[0];
+ unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+ if (index < FF_ARRAY_ELEMS(type34_delta)) {
+ samples[0] = type34_delta[index] / type34_div + type34_predictor;
+ type34_predictor = samples[0];
+ } else
+ samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
}
} else {
samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 7e17f18e17..49708ef54c 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -82,7 +82,9 @@ typedef struct ShortenContext {
int channels;
int32_t *decoded[MAX_CHANNELS];
+ int32_t *decoded_base[MAX_CHANNELS];
int32_t *offset[MAX_CHANNELS];
+ int *coeffs;
uint8_t *bitstream;
int bitstream_size;
int bitstream_index;
@@ -112,6 +114,9 @@ static av_cold int shorten_decode_init(AVCodecContext * avctx)
static int allocate_buffers(ShortenContext *s)
{
int i, chan;
+ int *coeffs;
+ void *tmp_ptr;
+
for (chan=0; chan<s->channels; chan++) {
if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
@@ -122,13 +127,26 @@ static int allocate_buffers(ShortenContext *s)
return -1;
}
- s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->offset[chan] = tmp_ptr;
- s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+ sizeof(s->decoded_base[0][0]));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->decoded_base[chan] = tmp_ptr;
for (i=0; i<s->nwrap; i++)
- s->decoded[chan][i] = 0;
- s->decoded[chan] += s->nwrap;
+ s->decoded_base[chan][i] = 0;
+ s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
}
+
+ coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs));
+ if (!coeffs)
+ return AVERROR(ENOMEM);
+ s->coeffs = coeffs;
+
return 0;
}
@@ -147,7 +165,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer)
if (s->bitshift != 0)
for (i = 0; i < s->blocksize; i++)
- buffer[s->nwrap + i] <<= s->bitshift;
+ buffer[i] <<= s->bitshift;
}
@@ -253,7 +271,7 @@ static int16_t * interleave_buffer(int16_t *samples, int nchan, int blocksize, i
static void decode_subframe_lpc(ShortenContext *s, int channel, int residual_size, int pred_order)
{
int sum, i, j;
- int coeffs[pred_order];
+ int *coeffs = s->coeffs;
for (i=0; i<pred_order; i++)
coeffs[i] = get_sr_golomb_shorten(&s->gb, LPCQUANT);
@@ -277,8 +295,15 @@ static int shorten_decode_frame(AVCodecContext *avctx,
int i, input_buf_size = 0;
int16_t *samples = data;
if(s->max_framesize == 0){
+ void *tmp_ptr;
s->max_framesize= 1024; // should hopefully be enough for the first header
- s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize);
+ tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
+ s->max_framesize);
+ if (!tmp_ptr) {
+ av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
+ return AVERROR(ENOMEM);
+ }
+ s->bitstream = tmp_ptr;
}
if(1 && s->max_framesize){//FIXME truncated
@@ -427,6 +452,12 @@ static int shorten_decode_frame(AVCodecContext *avctx,
case FN_QLPC:
{
int pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE);
+ if (pred_order > s->nwrap) {
+ av_log(avctx, AV_LOG_ERROR,
+ "invalid pred_order %d\n",
+ pred_order);
+ return -1;
+ }
for (i=0; i<pred_order; i++)
s->decoded[channel][i - pred_order] -= coffset;
decode_subframe_lpc(s, channel, residual_size, pred_order);
@@ -471,9 +502,15 @@ static int shorten_decode_frame(AVCodecContext *avctx,
case FN_BITSHIFT:
s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
break;
- case FN_BLOCKSIZE:
- s->blocksize = get_uint(s, av_log2(s->blocksize));
+ case FN_BLOCKSIZE: {
+ int blocksize = get_uint(s, av_log2(s->blocksize));
+ if (blocksize > s->blocksize) {
+ av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+ s->blocksize = blocksize;
break;
+ }
case FN_QUIT:
*data_size = 0;
return buf_size;
@@ -510,11 +547,12 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
int i;
for (i = 0; i < s->channels; i++) {
- s->decoded[i] -= s->nwrap;
- av_freep(&s->decoded[i]);
+ s->decoded[i] = NULL;
+ av_freep(&s->decoded_base[i]);
av_freep(&s->offset[i]);
}
av_freep(&s->bitstream);
+ av_freep(&s->coeffs);
return 0;
}
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index a1698394ef..12f4dbcaca 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -162,6 +162,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
return -1;
}
+ if (s->width & (s->vector_width - 1) ||
+ s->height & (s->vector_height - 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+ return AVERROR_INVALIDDATA;
+ }
+
/* allocate codebooks */
s->codebook_size = MAX_CODEBOOK_SIZE;
s->codebook = av_malloc(s->codebook_size);
diff --git a/libavformat/dv.c b/libavformat/dv.c
index b6f9c6ae54..d65d4fffbd 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -125,10 +125,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
/* We work with 720p frames split in half, thus even frames have
* channels 0,1 and odd 2,3. */
ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
- pcm = ppcm[ipcm++];
/* for each DIF channel */
for (chan = 0; chan < sys->n_difchan; chan++) {
+ /* next stereo channel (50Mbps and 100Mbps only) */
+ pcm = ppcm[ipcm++];
+ if (!pcm)
+ break;
+
/* for each DIF segment */
for (i = 0; i < sys->difseg_size; i++) {
frame += 6 * 80; /* skip DIF segment header */
@@ -176,11 +180,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
}
}
-
- /* next stereo channel (50Mbps and 100Mbps only) */
- pcm = ppcm[ipcm++];
- if (!pcm)
- break;
}
return size;
@@ -202,6 +201,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */
+ if (stype > 3) {
+ av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+ c->ach = 0;
+ return 0;
+ }
+
/* note: ach counts PAIRS of channels (i.e. stereo channels) */
ach = ((int[4]){ 1, 0, 2, 4})[stype];
if (ach == 1 && quant && freq == 2)
@@ -335,7 +340,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate;
ppcm[i] = c->audio_buf[i];
}
- dv_extract_audio(buf, ppcm, c->sys);
+ if (c->ach)
+ dv_extract_audio(buf, ppcm, c->sys);
/* We work with 720p frames split in half, thus even frames have
* channels 0,1 and odd 2,3. */
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index 86d7f91e66..5f485290c8 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -457,12 +457,17 @@ static int ea_read_packet(AVFormatContext *s,
while (!packet_read) {
chunk_type = get_le32(pb);
- chunk_size = (ea->big_endian ? get_be32(pb) : get_le32(pb)) - 8;
+ chunk_size = ea->big_endian ? get_be32(pb) : get_le32(pb);
+ if (chunk_size <= 8)
+ return AVERROR_INVALIDDATA;
+ chunk_size -= 8;
switch (chunk_type) {
/* audio data */
case ISNh_TAG:
/* header chunk also contains data; skip over the header portion*/
+ if (chunk_size < 32)
+ return AVERROR_INVALIDDATA;
url_fskip(pb, 32);
chunk_size -= 32;
case ISNd_TAG:
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 44e5097d59..169e95e321 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -319,7 +319,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
char *token, *value;
char quote;
- p = strings = av_mallocz(strings_size + 1);
+ p = strings = av_mallocz((size_t)strings_size + 1);
+ if (!p)
+ return AVERROR(ENOMEM);
endp = strings + strings_size;
get_buffer(pb, strings, strings_size);
while (p < endp) {
@@ -354,6 +356,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t))
return -1;
nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
+ if (!nsv->nsvs_file_offset)
+ return AVERROR(ENOMEM);
for(i=0;i<table_entries_used;i++)
nsv->nsvs_file_offset[i] = get_le32(pb) + size;
@@ -361,6 +365,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
if(table_entries > table_entries_used &&
get_le32(pb) == MKTAG('T','O','C','2')) {
nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t));
+ if (!nsv->nsvs_timestamps)
+ return AVERROR(ENOMEM);
for(i=0;i<table_entries_used;i++) {
nsv->nsvs_timestamps[i] = get_le32(pb);
}
@@ -530,11 +536,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap)
for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) {
if (nsv_resync(s) < 0)
return -1;
- if (nsv->state == NSV_FOUND_NSVF)
+ if (nsv->state == NSV_FOUND_NSVF) {
err = nsv_parse_NSVf_header(s, ap);
+ if (err < 0)
+ return err;
+ }
/* we need the first NSVs also... */
if (nsv->state == NSV_FOUND_NSVS) {
err = nsv_parse_NSVs_header(s, ap);
+ if (err < 0)
+ return err;
break; /* we just want the first one */
}
}
@@ -609,12 +620,12 @@ null_chunk_retry:
}
/* map back streams to v,a */
- if (s->streams[0])
+ if (s->nb_streams > 0)
st[s->streams[0]->id] = s->streams[0];
- if (s->streams[1])
+ if (s->nb_streams > 1)
st[s->streams[1]->id] = s->streams[1];
- if (vsize/* && st[NSV_ST_VIDEO]*/) {
+ if (vsize && st[NSV_ST_VIDEO]) {
nst = st[NSV_ST_VIDEO]->priv_data;
pkt = &nsv->ahead[NSV_ST_VIDEO];
av_get_packet(pb, pkt, vsize);
@@ -629,7 +640,7 @@ null_chunk_retry:
if(st[NSV_ST_VIDEO])
((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
- if (asize/*st[NSV_ST_AUDIO]*/) {
+ if (asize && st[NSV_ST_AUDIO]) {
nst = st[NSV_ST_AUDIO]->priv_data;
pkt = &nsv->ahead[NSV_ST_AUDIO];
/* read raw audio specific header on the first audio chunk... */
diff --git a/tests/fate.mak b/tests/fate.mak
index 933dec6348..c44de42eb2 100644
--- a/tests/fate.mak
+++ b/tests/fate.mak
@@ -503,7 +503,7 @@ fate-maxis-xa: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/maxis-xa/SC2KBUG.XA
FATE_TESTS += fate-mimic
fate-mimic: CMD = $$BUILD_PATH/ffmpeg -idct simple -i $$SAMPLES_PATH/mimic/mimic2-womanloveffmpeg.cam -vsync 0 -f framecrc -
FATE_TESTS += fate-motionpixels
-fate-motionpixels: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -f framecrc -
+fate-motionpixels: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -vframes 111 -f framecrc -
FATE_TESTS += fate-mpc7-demux
fate-mpc7-demux: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/musepack/inside-mp7.mpc -acodec copy -f crc -
FATE_TESTS += fate-mpc8-demux
diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels
index e588ed3e18..fa86f7379f 100644
--- a/tests/ref/fate/motionpixels
+++ b/tests/ref/fate/motionpixels
@@ -109,4 +109,3 @@
0, 648003, 230400, 0xb343f372
0, 654003, 230400, 0xf7f1e588
0, 660003, 230400, 0x9682bdb2
-0, 666003, 230400, 0x538a3db8
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 16:39:52 +0000