author | Michael Niedermayer <michaelni@gmx.at> | 2013-07-29 02:54:53 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-07-29 03:16:38 +0200 |
commit | 7118358a950e20a4439d796f16892b27dad6c754 (patch) | |
tree | 356da393ce8365c6cd9f0187fc2da8876e903e36 | |
parent | be90f0279d0784c396407e152a8d817953381886 (diff) | |
parent | 42fed7f433e6d2167ffd4aae31905b583a53b988 (diff) | |
download | ffmpeg-7118358a950e20a4439d796f16892b27dad6c754.tar.gz |
Merge commit '42fed7f433e6d2167ffd4aae31905b583a53b988' into release/0.10
* commit '42fed7f433e6d2167ffd4aae31905b583a53b988':
wavpack: check packet size early
mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
mjpeg: Validate sampling factors
ljpeg: use the correct number of components in yuv
wavpack: validate samples size parsed in wavpack_decode_block
jpegls: check the scan offset
jpegls: factorize return paths
jpegls: return meaningful errors
mjpegdec: properly report unsupported disabled features
update Changelog
proresdec: support mixed interlaced/non-interlaced content
update Changelog
wav: Always seek to an even offset
id3v2: check for end of file while unescaping tags
indeo3: fix off by one in MV validity check
aac: check the maximum number of channels
update Changelog
oggdec: fix faulty cleanup prototype
Conflicts:
Changelog
libavcodec/jpeglsdec.c
libavcodec/mjpegdec.c
libavformat/id3v2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | Changelog | 23 | ||||
-rw-r--r-- | libavcodec/aacdec.c | 2 | ||||
-rw-r--r-- | libavcodec/indeo3.c | 8 | ||||
-rw-r--r-- | libavcodec/jpeglsdec.c | 23 | ||||
-rw-r--r-- | libavcodec/mjpegdec.c | 25 | ||||
-rw-r--r-- | libavcodec/proresdec_lgpl.c | 2 | ||||
-rw-r--r-- | libavcodec/wavpack.c | 6 | ||||
-rw-r--r-- | libavformat/id3v2.c | 28 | ||||
-rw-r--r-- | libavformat/wav.c | 10 |
9 files changed, 99 insertions, 28 deletions
@@ -3,6 +3,29 @@ releases are sorted from youngest to oldest. version next: + +version 0.10.8 + +- avfiltergraph: check for sws opts being non-NULL before using them +- bmv: check for len being valid in bmv_decode_frame() +- dfa: check for invalid access in decode_wdlt() +- indeo3: check motion vectors +- indeo3: fix data size check +- indeo3: switch parsing the header to bytestream2 +- lavf: make sure stream probe data gets freed. +- oggdec: fix faulty cleanup prototype +- oma: Validate sample rates +- qdm2: check that the FFT size is a power of 2 +- rv10: check that extradata is large enough +- xmv: check audio track parameters validity +- xmv: do not leak memory in the error paths in xmv_read_header() +- aac: check the maximum number of channels +- indeo3: fix off by one in MV validity check, Bug #503 +- id3v2: check for end of file while unescaping tags +- wav: Always seek to an even offset, Bug #500, LP: #1174737 +- proresdec: support mixed interlaced/non-interlaced content + + version 0.10.6: - many bug fixes that where found with Coverity diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index a592c50585..6249619b42 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -192,6 +192,8 @@ static av_cold int che_configure(AACContext *ac, enum ChannelPosition che_pos[4][MAX_ELEM_ID], int type, int id, int *channels) { + if (*channels >= MAX_CHANNELS) + return AVERROR_INVALIDDATA; if (che_pos[type][id]) { if (!ac->che[type][id]) { if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index c19fffd941..86a2dfbd2d 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c 
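Review bot: The new guard at the top of che_configure only guarantees that one output slot is free, so if the body below the hunk can take two slots in a single call (for instance for a channel-pair element), `*channels == MAX_CHANNELS - 1` still passes and the second store could land one past the end. The stores that increment `*channels` are outside this hunk, so this needs confirming there; if it holds, the bound should reserve as many slots as the element type will consume. The check also sits before `if (che_pos[type][id])`, so a call that would not add a channel is rejected as well once the limit is reached. The rejection is silent; an `av_log` at `AV_LOG_ERROR` stating the channel limit would make such streams easier to triage.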
@@ -238,8 +238,8 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; @@ -609,8 +609,8 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 8eb9ec8d36..7814ad6640 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -71,13 +71,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) case 2: case 3: av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n"); - return -1; + return AVERROR(ENOSYS); case 4: av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n"); - return -1; + return AVERROR(ENOSYS); default: av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id); - return -1; + return AVERROR_INVALIDDATA; } // av_log(s->avctx, AV_LOG_DEBUG, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3); 
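Review bot: The corrected bounds test in copy_cell is repeated token for token in decode_cell in the next hunk, so the same off-by-one had to be fixed twice; a small static helper taking `plane`, `cell`, `mv_x` and `mv_y` would keep the two sites from drifting apart again. The existing comment explains the `-1` on the top edge but not why the bottom and right comparisons are now `>`. Assuming those sums are exclusive end coordinates, a line such as `/* bottom/right sums are one past the last referenced row/column, so equality with the plane size is in bounds */` would record the reasoning. Both functions continue outside their hunks.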
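Review bot: The unsupported-feature returns in ff_jpegls_decode_lse use `AVERROR(ENOSYS)`, while the sample-interleaving path that this same commit converts in ff_jpegls_decode_picture (`ilv == 2`) uses `AVERROR_PATCHWELCOME` for the same kind of condition. A caller that separates "malformed input" from "valid but unimplemented" is better served by one code for both; `return AVERROR_PATCHWELCOME;` in the `case 2: case 3:` and `case 4:` arms would match. The switch statement begins outside the hunk.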
@@ -263,7 +263,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor int i, t = 0; uint8_t *zero, *last, *cur; JLSState *state; - int off = 0, stride = 1, width, shift; + int off = 0, stride = 1, width, shift, ret = 0; zero = av_mallocz(s->picture.linesize[0]); last = zero; @@ -289,6 +289,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor // av_log(s->avctx, AV_LOG_DEBUG, "JPEG-LS params: %ix%i NEAR=%i MV=%i T(%i,%i,%i) RESET=%i, LIMIT=%i, qbpp=%i, RANGE=%i\n",s->width,s->height,state->near,state->maxval,state->T1,state->T2,state->T3,state->reset,state->limit,state->qbpp, state->range); // av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); if(ilv == 0) { /* separate planes */ + if (s->cur_scan > s->nb_components) { + ret = AVERROR_INVALIDDATA; + goto end; + } stride = (s->nb_components > 1) ? 3 : 1; off = av_clip(s->cur_scan - 1, 0, stride - 1); width = s->width * stride; @@ -328,11 +332,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor last = cur; cur += s->picture.linesize[0]; } - } else if(ilv == 2) { /* sample interleaving */ + } else if (ilv == 2) { /* sample interleaving */ av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n"); - av_free(state); - av_free(zero); - return -1; + ret = AVERROR_PATCHWELCOME; + goto end; } if(shift){ /* we need to do point transform or normalize samples */ @@ -360,10 +363,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor } } } + +end: av_free(state); av_free(zero); - return 0; + return ret; } diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e4c9574118..dd437ebefd 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
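Review bot: `zero = av_mallocz(s->picture.linesize[0]);` in the context lines is assigned to `last` and used with no NULL check, and the commit introduces the `ret`/`end:` cleanup path without covering that case. A failed allocation should yield `AVERROR(ENOMEM)` before any row is decoded. If `state` is only assigned after this point (not visible in the hunk), the early exit has to be a plain `return AVERROR(ENOMEM);` rather than `goto end`, because `av_free(state)` would otherwise run on an uninitialised pointer. The function body continues outside this hunk.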
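Review bot: The new `s->cur_scan > s->nb_components` rejection returns without logging, unlike the sample-interleaving error path visible further down in the same function, so a stream refused here gives no hint of the reason. Adding `av_log(s->avctx, AV_LOG_ERROR, "Invalid scan index %d\n", s->cur_scan);` before `ret = AVERROR_INVALIDDATA;` would match the neighbouring messages. Note also that `av_clip(s->cur_scan - 1, 0, stride - 1)` on the following context line still silently clamps a scan index of 0 or one above `stride`, which may be worth a comment if that is intended.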
@@ -276,6 +276,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return -1; + if (!s->h_count[i] || !s->v_count[i]) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid sampling factor in component %d %d:%d\n", + i, s->h_count[i], s->v_count[i]); + return AVERROR_INVALIDDATA; + } + av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", i, s->h_count[i], s->v_count[i], s->component_id[i], s->quant_index[i]); @@ -783,10 +790,9 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p } static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, - int point_transform) + int point_transform, int nb_components) { int i, mb_x, mb_y; - const int nb_components=s->nb_components; int bits= (s->bits+7)&~7; int resync_mb_y = 0; int resync_mb_x = 0; @@ -1085,6 +1091,12 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int last_scan = 0; int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]]; + + if (ss < 0 || ss >= 64 || + se < ss || se >= 64 || + Ah < 0 || Al < 0) + return AVERROR_INVALIDDATA; + if (!Al) { s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss); last_scan = !~s->coefs_finished[c]; @@ -1226,7 +1238,8 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, if (ljpeg_decode_rgb_scan(s, nb_components, predictor, point_transform) < 0) return -1; } else { - if (ljpeg_decode_yuv_scan(s, predictor, point_transform) < 0) + if (ljpeg_decode_yuv_scan(s, predictor, point_transform, + nb_components)) return -1; } } @@ -1597,6 +1610,12 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size, else if (start_code == COM) mjpeg_decode_com(s); + if (!CONFIG_JPEGLS_DECODER && + (start_code == SOF48 || start_code == LSE)) { + av_log(avctx, AV_LOG_ERROR, "JPEG-LS support not enabled.\n"); + return AVERROR(ENOSYS); + } + switch (start_code) { case SOI: s->restart_interval = 0; 
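Review bot: The range check added to mjpeg_decode_scan_progressive_ac still admits `se == 63`, and the context line directly after it evaluates `1LL << (se + 1)`, a shift of a 64-bit signed value by 64, which is undefined behaviour; `ss == 63` likewise shifts into the sign bit. These values presumably come from the scan header, so the mask arithmetic should be made unsigned and kept below the type width, e.g. `s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss);`. `Ah` and `Al` are only checked for being non-negative; if either is used as a shift count further down (outside the hunk), an upper bound belongs in this check too. The check also returns without an `av_log`.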
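Review bot: In ff_mjpeg_decode_sos the yuv call now treats any non-zero result as failure while the rgb call two lines above still tests `< 0`, and both replace the callee's error code with `return -1`. Using one convention and propagating the value would keep the more specific codes this commit introduces elsewhere, e.g. with a local `ret`: `if ((ret = ljpeg_decode_yuv_scan(s, predictor, point_transform, nb_components)) < 0) return ret;`. The enclosing function starts and ends outside the hunk.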
diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c index 5fe47755c2..986e69bca7 100644 --- a/libavcodec/proresdec_lgpl.c +++ b/libavcodec/proresdec_lgpl.c @@ -186,6 +186,8 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf, if (ctx->frame_type) { /* if interlaced */ ctx->picture.interlaced_frame = 1; ctx->picture.top_field_first = ctx->frame_type & 1; + } else { + ctx->picture.interlaced_frame = 0; } ctx->alpha_info = buf[17] & 0xf; diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 71eaf70ecc..6e33dcbb6e 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -790,6 +790,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (!wc->mkv_mode) { s->samples = AV_RL32(buf); buf += 4; + if (s->samples != wc->samples) + return AVERROR_INVALIDDATA; + if (!s->samples) { *got_frame_ptr = 0; return 0; @@ -1169,6 +1172,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int frame_size, ret, frame_flags; int samplecount = 0; + if (avpkt->size < 12 + s->multichannel * 4) + return AVERROR_INVALIDDATA; + s->block = 0; s->ch_offset = 0; diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index e4c4fc90b2..dc313b8ccb 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -543,13 +543,15 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t /* check for text tag or supported special meta tag */ } else if (tag[0] == 'T' || (extra_meta && (extra_func = get_extra_meta_func(tag, isv34)))) { if (unsync || tunsync || tcomp) { - int i, j; + int64_t end = avio_tell(s->pb) + tlen; + uint8_t *b; av_fast_malloc(&buffer, &buffer_size, dlen); if (!buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); goto seek; } + b = buffer; #if CONFIG_ZLIB if (tcomp) { int n, err; 
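Review bot: The packet-size guard added to wavpack_decode_frame uses the bare expression `12 + s->multichannel * 4` with nothing saying which header fields it is meant to cover, so a reader cannot check it against the reads that follow outside the hunk. A comment above it naming the fixed fields that make up the 12 bytes and the extra 4 bytes in multichannel mode would make the bound auditable. Both new checks, this one and `s->samples != wc->samples` in wavpack_decode_block, return `AVERROR_INVALIDDATA` without an `av_log`, and the latter runs after `s->samples` has already been overwritten with the rejected value.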
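Review bot: In ff_id3v2_parse the buffer is sized with `dlen` (`av_fast_malloc(&buffer, &buffer_size, dlen)`), but the unescape loop added in the next hunk is bounded only by the input position `end`, which is computed from `tlen`; nothing visible ties the number of bytes stored through `b` to `dlen`. `dlen` is set outside this hunk, so whether it can be smaller than `tlen` (in particular if it can be read from the file) needs checking; if it can, the `*b++` stores run past the allocation. The loop never writes more bytes than it reads, so sizing the buffer for at least `tlen` bytes on the unsync path, or adding `b - buffer < dlen` to the conditions guarding both stores, closes the gap. The function continues outside both hunks.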
@@ -573,19 +575,25 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t av_log(s, AV_LOG_ERROR, "Failed to uncompress tag: %d\n", err); goto seek; } + b += dlen; } #endif - - for (i = 0, j = 0; i < dlen; i++, j++) { - if (!tcomp) - buffer[j] = avio_r8(s->pb); - if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) { - /* Unsynchronised byte, skip it */ - j--; + if (unsync || tunsync) { + if (tcomp) { + av_log_ask_for_sample(s, "tcomp with unsync\n"); + goto seek; } + while (avio_tell(s->pb) < end && !s->pb->eof_reached) { + *b++ = avio_r8(s->pb); + if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 && + !s->pb->eof_reached) { + uint8_t val = avio_r8(s->pb); + *b++ = val ? val : avio_r8(s->pb); + } + } } - ffio_init_context(&pb, buffer, j, 0, NULL, NULL, NULL, NULL); - tlen = j; + ffio_init_context(&pb, buffer, b - buffer, 0, NULL, NULL, NULL, NULL); + tlen = b - buffer; pbx = &pb; // read from sync buffer } else { pbx = s->pb; // read straight from input diff --git a/libavformat/wav.c b/libavformat/wav.c index 2080d8e664..8f0d50c270 100644 --- a/libavformat/wav.c +++ b/libavformat/wav.c @@ -238,6 +238,12 @@ static int64_t next_tag(AVIOContext *pb, uint32_t *tag) return avio_rl32(pb); } +/* RIFF chunks are always on a even offset. */ +static int64_t wav_seek_tag(AVIOContext *s, int64_t offset, int whence) +{ + return avio_seek(s, offset + (offset & 1), whence); +} + /* return the size of the found tag */ static int64_t find_tag(AVIOContext *pb, uint32_t tag1) { @@ -250,7 +256,7 @@ static int64_t find_tag(AVIOContext *pb, uint32_t tag1) size = next_tag(pb, &tag); if (tag == tag1) break; - avio_skip(pb, size); + wav_seek_tag(pb, size, SEEK_CUR); } return size; } 
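Review bot: wav_seek_tag rounds its offset argument, which yields an even file position for `SEEK_SET` but for the `SEEK_CUR` call in find_tag only when the current position is already even; the comment should state that assumption. Suggested wording: `/* RIFF chunks start on an even offset, so round up; with SEEK_CUR the caller must already be at an even position. */`, which also fixes the "a even" typo. The helper names its AVIOContext parameter `s` while the other functions in this hunk call it `pb`, and find_tag ignores the helper's return value, so a failed seek is only noticed on the next read.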
@@ -520,7 +526,7 @@ static int wav_read_header(AVFormatContext *s, /* seek to next tag unless we know that we'll run into EOF */ if ((avio_size(pb) > 0 && next_tag_ofs >= avio_size(pb)) || - avio_seek(pb, next_tag_ofs, SEEK_SET) < 0) { + wav_seek_tag(pb, next_tag_ofs, SEEK_SET) < 0) { break; } } |
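Review bot: The EOF guard in wav_read_header compares the unrounded `next_tag_ofs` with `avio_size(pb)`, but wav_seek_tag may seek one byte further, so an odd `next_tag_ofs` equal to `avio_size(pb) - 1` passes the guard and then seeks to end of file. Rounding once before the test, `next_tag_ofs += next_tag_ofs & 1;`, keeps the check and the seek in agreement. The loop this condition belongs to starts outside the hunk.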