diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-11-04 19:07:21 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-11-04 19:07:21 +0100 |
| commit | 7c72398787316c82cc13d21fe318ec2fb8b991da (patch) | |
| tree | e7ea9cacf5199129c08f09d84bd3263dbde0e52e | |
| parent | 048e28420172ac5c1ae45f492172197dccbc8d00 (diff) | |
| parent | 86d0bf0e96bf917e283d24239ce0eed08351da86 (diff) | |
| download | ffmpeg-7c72398787316c82cc13d21fe318ec2fb8b991da.tar.gz | |
Merge commit '86d0bf0e96bf917e283d24239ce0eed08351da86' into release/0.10
* commit '86d0bf0e96bf917e283d24239ce0eed08351da86':
mov: Seek back if overreading an individual atom
vcr1: add sanity checks
pictordec: pass correct context to avpriv_request_sample
dsicinav: Clip the source size to the expected maximum
alsdec: Clean up error paths
ogg: Fix potential infinite discard loop
nuv: check rtjpeg_decode_frame_yuv420 return value
Conflicts:
libavcodec/pictordec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/alsdec.c | 137 | ||||
| -rw-r--r-- | libavcodec/dsicinav.c | 2 | ||||
| -rw-r--r-- | libavcodec/nuv.c | 5 | ||||
| -rw-r--r-- | libavcodec/vcr1.c | 21 | ||||
| -rw-r--r-- | libavformat/mov.c | 6 | ||||
| -rw-r--r-- | libavformat/oggdec.c | 6 |
6 files changed, 114 insertions, 63 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index d5a805cb63..e908a05398 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -294,12 +294,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx) avctx->extradata_size * 8, 1); if (config_offset < 0) - return -1; + return AVERROR_INVALIDDATA; skip_bits_long(&gb, config_offset); if (get_bits_left(&gb) < (30 << 3)) - return -1; + return AVERROR_INVALIDDATA; // read the fixed items als_id = get_bits_long(&gb, 32); @@ -334,7 +334,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // check for ALSSpecificConfig struct if (als_id != MKBETAG('A','L','S','\0')) - return -1; + return AVERROR_INVALIDDATA; ctx->cur_frame_length = sconf->frame_length; @@ -349,7 +349,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) int chan_pos_bits = av_ceil_log2(avctx->channels); int bits_needed = avctx->channels * chan_pos_bits + 7; if (get_bits_left(&gb) < bits_needed) - return -1; + return AVERROR_INVALIDDATA; if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos)))) return AVERROR(ENOMEM); @@ -367,7 +367,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // read fixed header and trailer sizes, // if size = 0xFFFFFFFF then there is no data field! if (get_bits_left(&gb) < 64) - return -1; + return AVERROR_INVALIDDATA; header_size = get_bits_long(&gb, 32); trailer_size = get_bits_long(&gb, 32); @@ -381,10 +381,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // skip the header and trailer data if (get_bits_left(&gb) < ht_size) - return -1; + return AVERROR_INVALIDDATA; if (ht_size > INT32_MAX) - return -1; + return AVERROR_PATCHWELCOME; skip_bits_long(&gb, ht_size); @@ -392,7 +392,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // initialize CRC calculation if (sconf->crc_enabled) { if (get_bits_left(&gb) < 32) - return -1; + return AVERROR_INVALIDDATA; if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) { ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); @@ -632,7 +632,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (bd->block_length & (sub_blocks - 1)) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); - return -1; + return AVERROR_INVALIDDATA; } sb_length = bd->block_length >> log2_sub_blocks; @@ -963,18 +963,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) */ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) { + int ret = 0; GetBitContext *gb = &ctx->gb; *bd->shift_lsbs = 0; // read block type flag and read the samples accordingly if (get_bits1(gb)) { - if (read_var_block_data(ctx, bd)) - return -1; + ret = read_var_block_data(ctx, bd); } else { read_const_block_data(ctx, bd); } - return 0; + return ret; } @@ -983,12 +983,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) { unsigned int smp; + int ret = 0; // read block type flag and read the samples accordingly if (*bd->const_block) decode_const_block_data(ctx, bd); - else if (decode_var_block_data(ctx, bd)) - return -1; + else + ret = decode_var_block_data(ctx, bd); // always return 0 + + if (ret < 0) + return ret; // TODO: read RLSLMS extension data @@ -1006,14 +1010,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd) { int ret; - ret = read_block(ctx, bd); - - if (ret) + if ((ret = read_block(ctx, bd)) < 0) return ret; - ret = decode_block(ctx, bd); - - return ret; + return decode_block(ctx, bd); } @@ -1039,6 +1039,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, unsigned int c, const unsigned int *div_blocks, unsigned int *js_blocks) { + int ret; unsigned int b; ALSBlockData bd; @@ -1061,10 +1062,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; - if (read_decode_block(ctx, &bd)) { + if ((ret = read_decode_block(ctx, &bd)) < 0) { // damaged block, write zero for the rest of the frame zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples); - return -1; + return ret; } bd.raw_samples += div_blocks[b]; bd.ra_block = 0; @@ -1083,6 +1084,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, ALSSpecificConfig *sconf = &ctx->sconf; unsigned int offset = 0; unsigned int b; + int ret; ALSBlockData bd[2]; memset(bd, 0, 2 * sizeof(ALSBlockData)); @@ -1126,12 +1128,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, bd[0].raw_other = bd[1].raw_samples; bd[1].raw_other = bd[0].raw_samples; - if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) { - // damaged block, write zero for the rest of the frame - zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); - zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); - return -1; - } + if ((ret = read_decode_block(ctx, &bd[0])) < 0 || + (ret = read_decode_block(ctx, &bd[1])) < 0) + goto fail; + // reconstruct joint-stereo blocks if (bd[0].js_blocks) { @@ -1157,6 +1157,11 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, sizeof(*ctx->raw_samples[c]) * sconf->max_order); return 0; +fail: + // damaged block, write zero for the rest of the frame + zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); + zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); + return ret; } static inline int als_weighting(GetBitContext *gb, int k, int off) @@ -1180,7 +1185,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel >= channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n"); - return -1; + return AVERROR_INVALIDDATA; } if (current->master_channel != c) { @@ -1205,7 +1210,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (entries == channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } align_get_bits(gb); @@ -1237,7 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (dep == channels) { av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n"); - return -1; + return AVERROR_INVALIDDATA; } bd->const_block = ctx->const_block + c; @@ -1310,6 +1315,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) unsigned int js_blocks[2]; uint32_t bs_info = 0; + int ret; // skip the size of the ra unit if present in the frame if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame) @@ -1340,13 +1346,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) independent_bs = 1; if (independent_bs) { - if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; - + ret = decode_blocks_ind(ctx, ra_frame, c, + div_blocks, js_blocks); + if (ret < 0) + return ret; independent_bs--; } else { - if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; + ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks); + if (ret < 0) + return ret; c++; } @@ -1365,7 +1373,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (c = 0; c < avctx->channels; c++) if (ctx->chan_data[c] < ctx->chan_data_buffer) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } memset(&bd, 0, sizeof(ALSBlockData)); @@ -1397,11 +1405,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) return -1; } - for (c = 0; c < avctx->channels; c++) - if (revert_channel_correlation(ctx, &bd, ctx->chan_data, - reverted_channels, offset, c)) - return -1; - + for (c = 0; c < avctx->channels; c++) { + ret = revert_channel_correlation(ctx, &bd, ctx->chan_data, + reverted_channels, offset, c); + if (ret < 0) + return ret; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; bd.shift_lsbs = ctx->shift_lsbs + c; @@ -1598,29 +1607,30 @@ static av_cold int decode_init(AVCodecContext *avctx) { unsigned int c; unsigned int channel_size; - int num_buffers; + int num_buffers, ret; ALSDecContext *ctx = avctx->priv_data; ALSSpecificConfig *sconf = &ctx->sconf; ctx->avctx = avctx; if (!avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n"); - return -1; + return AVERROR_INVALIDDATA; } - if (read_specific_config(ctx)) { + if ((ret = read_specific_config(ctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n"); - decode_end(avctx); - return -1; + goto fail; } - if (check_specific_config(ctx)) { - decode_end(avctx); - return -1; + if ((ret = check_specific_config(ctx)) < 0) { + goto fail; } - if (sconf->bgmc) - ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (sconf->bgmc) { + ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (ret < 0) + goto fail; + } if (sconf->floating) { avctx->sample_fmt = AV_SAMPLE_FMT_FLT; @@ -1656,7 +1666,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->quant_cof_buffer || !ctx->lpc_cof_buffer || !ctx->lpc_cof_reversed_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign quantized parcor coefficient buffers @@ -1681,8 +1692,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->use_ltp || !ctx->ltp_lag || !ctx->ltp_gain || !ctx->ltp_gain_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1699,8 +1710,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1721,8 +1732,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate previous raw sample buffer if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign raw samples buffers @@ -1739,8 +1750,8 @@ static av_cold int decode_init(AVCodecContext *avctx) av_get_bytes_per_sample(avctx->sample_fmt)); if (!ctx->crc_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } } @@ -1750,6 +1761,10 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->coded_frame = &ctx->frame; return 0; + +fail: + decode_end(avctx); + return ret; } diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 88187bb35f..456042703d 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -235,6 +235,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, } } + bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size); + /* note: the decoding routines below assumes that surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index ec0f46a5b6..f1ef1fa540 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -146,6 +146,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int keyframe; int size_change = 0; int result; + int ret; enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1', NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3', NUV_BLACK = 'N', NUV_COPY_LAST = 'L'} comptype; @@ -246,7 +247,9 @@ retry: } case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: { - rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size); + ret = rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size); + if (ret < 0) + return ret; break; } case NUV_BLACK: { diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c index 1526215314..ad91199f2f 100644 --- a/libavcodec/vcr1.c +++ b/libavcodec/vcr1.c @@ -69,9 +69,13 @@ static int decode_frame(AVCodecContext *avctx, p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; + if (buf_size < 32) + goto packet_small; + for(i=0; i<16; i++){ a->delta[i]= *(bytestream++); bytestream++; + buf_size--; } for(y=0; y<avctx->height; y++){ @@ -82,8 +86,12 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *cb= &a->picture.data[1][ (y>>2)*a->picture.linesize[1] ]; uint8_t *cr= &a->picture.data[2][ (y>>2)*a->picture.linesize[2] ]; + if (buf_size < 4 + avctx->width) + goto packet_small; + for(i=0; i<4; i++) a->offset[i]= *(bytestream++); + buf_size -= 4; offset= a->offset[0] - a->delta[ bytestream[2]&0xF ]; for(x=0; x<avctx->width; x+=4){ @@ -97,8 +105,12 @@ static int decode_frame(AVCodecContext *avctx, *(cr++) = bytestream[1]; bytestream+= 4; + buf_size -= 4; } }else{ + if (buf_size < avctx->width / 2) + goto packet_small; + offset= a->offset[y&3] - a->delta[ bytestream[2]&0xF ]; for(x=0; x<avctx->width; x+=8){ @@ -112,6 +124,7 @@ static int decode_frame(AVCodecContext *avctx, luma[7]=( offset += a->delta[ bytestream[1]>>4 ]); luma += 8; bytestream+= 4; + buf_size -= 4; } } } @@ -120,6 +133,9 @@ static int decode_frame(AVCodecContext *avctx, *data_size = sizeof(AVPicture); return buf_size; +packet_small: + av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; } #if CONFIG_VCR1_ENCODER @@ -157,6 +173,11 @@ static av_cold int decode_init(AVCodecContext *avctx){ avctx->pix_fmt= PIX_FMT_YUV410P; + if (avctx->width & 7) { + av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width); + return AVERROR_INVALIDDATA; + } + return 0; } diff --git a/libavformat/mov.c b/libavformat/mov.c index 7ac838cf09..efa73b7c6d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -360,6 +360,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) left = a.size - avio_tell(pb) + start_pos; if (left > 0) /* skip garbage at atom end */ avio_skip(pb, left); + else if (left < 0) { + av_log(c->fc, AV_LOG_WARNING, + "overread end of atom '%.4s' by %"PRId64" bytes\n", + (char*)&a.type, -left); + avio_seek(pb, left, SEEK_CUR); + } } total_size += a.size; diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index de239f308c..5e9db4a28d 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -375,7 +375,11 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize, if (!complete && os->segp == os->nsegs){ ogg->curidx = -1; - os->incomplete = 1; + // Do not set incomplete for empty packets. + // Together with the code in ogg_read_page + // that discards all continuation of empty packets + // we would get an infinite loop. + os->incomplete = !!os->psize; } }while (!complete); |