author | Michael Niedermayer <michaelni@gmx.at> | 2014-06-03 02:14:02 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-06-03 02:14:02 +0200 |
commit | 7c520e5cd61a59ef2e243630ae407e274b8d84b9 (patch) | |
tree | 53391fa2c33cb89b7b119f6b73e32dbc9b17f008 | |
parent | d076ee521647d9851c92840ec9eb82d4e0dedac9 (diff) | |
parent | 71b8c8430cf3f7056849257324fc39b423075ba1 (diff) | |
download | ffmpeg-7c520e5cd61a59ef2e243630ae407e274b8d84b9.tar.gz |
Merge commit '71b8c8430cf3f7056849257324fc39b423075ba1' into release/0.10
* commit '71b8c8430cf3f7056849257324fc39b423075ba1':
sgidec: fix buffer size check in expand_rle_row()
adx: check that the offset is not negative
mpegvideo: set reference/pict_type on generated reference frames
Conflicts:
libavcodec/mpegvideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/adx.c | 2 | ||||
-rw-r--r-- | libavcodec/mpegvideo.c | 14 | ||||
-rw-r--r-- | libavcodec/sgidec.c | 22 |
3 files changed, 31 insertions, 7 deletions
diff --git a/libavcodec/adx.c b/libavcodec/adx.c
index 1e5d89c991..41e8e1c8c1 100644
--- a/libavcodec/adx.c
+++ b/libavcodec/adx.c
@@ -47,7 +47,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
 offset = AV_RB16(buf + 2) + 4;
 /* if copyright string is within the provided data, validate it */
- if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6))
+ if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6))
 return AVERROR_INVALIDDATA;
 /* check for encoding=3 block_size=18, sample_size=4 */
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 61dde24019..9bb862af91 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -1237,8 +1237,13 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
 i = ff_find_unused_picture(s, 0);
 if (i < 0)
 return i;
- s->last_picture_ptr= &s->picture[i];
+
+ s->last_picture_ptr = &s->picture[i];
+
+ s->last_picture_ptr->f.reference = 3;
 s->last_picture_ptr->f.key_frame = 0;
+ s->last_picture_ptr->f.pict_type = AV_PICTURE_TYPE_P;
+
 if (ff_alloc_picture(s, s->last_picture_ptr, 0) < 0)
 return -1;
@@ -1259,8 +1264,13 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
 i = ff_find_unused_picture(s, 0);
 if (i < 0)
 return i;
- s->next_picture_ptr= &s->picture[i];
+
+ s->next_picture_ptr = &s->picture[i];
+
+ s->next_picture_ptr->f.reference = 3;
 s->next_picture_ptr->f.key_frame = 0;
+ s->next_picture_ptr->f.pict_type = AV_PICTURE_TYPE_P;
+
 if (ff_alloc_picture(s, s->next_picture_ptr, 0) < 0)
 return -1;
 ff_thread_report_progress((AVFrame *) s->next_picture_ptr,
diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c
index 6a98718131..b6b66bf182 100644
--- a/libavcodec/sgidec.c
+++ b/libavcodec/sgidec.c
@@ -26,6 +26,7 @@
 #include "sgi.h"
 typedef struct SgiState {
+ AVCodecContext *avctx;
 AVFrame picture;
 unsigned int width;
 unsigned int height;
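Review bot: With the added `offset >= 6` term in the adx.c hunk, a header whose computed offset is 4 or 5 skips the `(c)CRI` comparison and is accepted, exactly like a header whose signature lies beyond `bufsize`. The comment above the condition still describes only the second case; I would extend it, e.g. `/* validate the copyright string when it lies fully inside buf; offsets below 6 cannot hold it and are skipped */`, or return `AVERROR_INVALIDDATA` for such offsets if no valid file is expected to use them. The literal 6 is the signature length and now appears three times on that line. avpriv_adx_decode_header continues outside the hunk.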
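Review bot: `f.reference = 3` is an unexplained literal in the first mpegvideo.c hunk and again in the `next_picture_ptr` hunk that follows it. A one-line comment before the assignments, e.g. `/* generated placeholder frame: mark it as a referenced P-frame before allocation */`, would say why these fields must be set ahead of `ff_alloc_picture()`; what the value 3 encodes is not visible here, so word it from the field's definition. Both hunks add the same three assignments, so a small static helper taking the picture pointer would keep the two paths from drifting apart. MPV_frame_start starts and ends outside both hunks.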
@@ -39,12 +40,12 @@ typedef struct SgiState {
 * Expand an RLE row into a channel.
 * @param s the current image state
 * @param out_buf Points to one line after the output buffer.
- * @param out_end end of line in output buffer
+ * @param len length of out_buf in bytes
 * @param pixelstride pixel stride of input buffer
 * @return size of output in bytes, -1 if buffer overflows
 */
 static int expand_rle_row(SgiState *s, uint8_t *out_buf,
- uint8_t *out_end, int pixelstride)
+ int len, int pixelstride)
 {
 unsigned char pixel, count;
 unsigned char *orig = out_buf;
@@ -58,7 +59,10 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf,
 }
 /* Check for buffer overflow. */
- if(out_buf + pixelstride * count >= out_end) return -1;
+ if (pixelstride * (count - 1) >= len) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
+ return AVERROR_INVALIDDATA;
+ }
 if (pixel & 0x80) {
 while (count--) {
@@ -101,7 +105,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s)
 dest_row -= s->linesize;
 start_offset = bytestream2_get_be32(&g_table);
 bytestream2_seek(&s->g, start_offset, SEEK_SET);
- if (expand_rle_row(s, dest_row + z, dest_row + FFABS(s->linesize),
+ if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z,
 s->depth) != s->width) {
 return AVERROR_INVALIDDATA;
 }
@@ -259,6 +263,15 @@ static av_cold int sgi_end(AVCodecContext *avctx)
 return 0;
 }
+static av_cold int sgi_decode_init(AVCodecContext *avctx)
+{
+ SgiState *s = avctx->priv_data;
+
+ s->avctx = avctx;
+
+ return 0;
+}
+
 AVCodec ff_sgi_decoder = {
 .name = "sgi",
 .type = AVMEDIA_TYPE_VIDEO,
@@ -267,6 +280,7 @@ AVCodec ff_sgi_decoder = {
 .init = sgi_init,
 .close = sgi_end,
 .decode = decode_frame,
+ .init = sgi_decode_init,
 .long_name = NULL_IF_CONFIG_SMALL("SGI image"),
 }; |
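Review bot: The `@return` line kept as context in the doc comment still promises `-1 if buffer overflows`, but the overflow path added in the next hunk returns `AVERROR_INVALIDDATA`. Update it together with the parameter rename, e.g. `* @return size of output in bytes, AVERROR_INVALIDDATA if a run does not fit in len`. The new `@param len` line could also state that the length is counted from `out_buf`, since the caller in read_rle_sgi passes `FFABS(s->linesize) - z`.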
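Review bot: The new overflow check in expand_rle_row compares each run against `len`, but nothing visible in this hunk reduces `len` as `out_buf` advances. Unless the loop body outside the hunk does that, the check bounds a single run only, and a row made of several runs can still be written past the end of the line; the removed pointer comparison tracked the cumulative position. I would account for the consumed space right after the check, `len -= pixelstride * count;`, or compute an end pointer once from `out_buf + len` and compare against it. The rest of the loop lies outside the hunk, so this needs confirming against the full function.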
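Review bot: The initializer of `ff_sgi_decoder` in the last hunk now names `.init` twice: `.init = sgi_init,` is kept as context and `.init = sgi_decode_init,` is added after it. In C the later designator wins, so `sgi_init` is no longer called and whatever setup it performs is skipped; this looks like a merge leftover that also makes the `sgi_decode_init` function added in the preceding hunk redundant. Either move `s->avctx = avctx;` into `sgi_init` and drop the new function together with the second `.init` line, or have `sgi_decode_init` call `sgi_init(avctx)` and remove the first designator. Building with `-Woverride-init` reports this kind of duplicate.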