diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-10-08 01:56:25 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-10-08 02:03:40 +0200 |
| commit | 829e43017fa733479a72e6518bb9c1f0da441dc5 (patch) | |
| tree | 3aed439a815c447314574ea29481938ea1f76e97 | |
| parent | 8d14e1d64ee1780f839e05c22fc633b3cf1b8579 (diff) | |
| parent | 494f2d4f9e834db1eaf1a7d0160d497f9802013d (diff) | |
| download | ffmpeg-829e43017fa733479a72e6518bb9c1f0da441dc5.tar.gz | |
Merge commit '494f2d4f9e834db1eaf1a7d0160d497f9802013d' into release/1.1
* commit '494f2d4f9e834db1eaf1a7d0160d497f9802013d':
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
r3d: Add more input value validation
fraps: Make the input buffer size checks more strict
svq3: Avoid a division by zero
rmdec: Validate the fps value
twinvqdec: Check the ibps parameter separately
asfdec: Check the return value of asf_read_stream_properties
mxfdec: set audio timebase to 1/samplerate
Conflicts:
libavcodec/fraps.c
libavcodec/svq3.c
libavformat/mxfdec.c
tests/ref/fate/mxf-demux
tests/ref/seek/lavf-mxf
tests/ref/seek/lavf-mxf_d10
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/fraps.c | 29 | ||||
| -rw-r--r-- | libavcodec/svq3.c | 3 | ||||
| -rw-r--r-- | libavcodec/twinvq.c | 6 | ||||
| -rw-r--r-- | libavcodec/vc1dec.c | 3 | ||||
| -rw-r--r-- | libavformat/asfdec.c | 4 | ||||
| -rw-r--r-- | libavformat/mxfdec.c | 8 | ||||
| -rw-r--r-- | libavformat/r3d.c | 6 | ||||
| -rw-r--r-- | libavformat/rmdec.c | 9 |
8 files changed, 45 insertions, 23 deletions
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index e0fa916481..bfceb38f38 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -145,6 +145,11 @@ static int decode_frame(AVCodecContext *avctx, enum AVPixelFormat pix_fmt; int ret; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } + header = AV_RL32(buf); version = header & 0xff; header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */ @@ -216,7 +221,7 @@ static int decode_frame(AVCodecContext *avctx, return ret; } - switch(version) { + switch (version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ @@ -226,13 +231,13 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - buf32=(const uint32_t*)buf; - for(y=0; y<avctx->height/2; y++){ - luma1=(uint32_t*)&f->data[0][ y*2*f->linesize[0] ]; - luma2=(uint32_t*)&f->data[0][ (y*2+1)*f->linesize[0] ]; - cr=(uint32_t*)&f->data[1][ y*f->linesize[1] ]; - cb=(uint32_t*)&f->data[2][ y*f->linesize[2] ]; - for(x=0; x<avctx->width; x+=8){ + buf32 = (const uint32_t*)buf; + for (y = 0; y < avctx->height / 2; y++) { + luma1 = (uint32_t*)&f->data[0][ y * 2 * f->linesize[0] ]; + luma2 = (uint32_t*)&f->data[0][ (y * 2 + 1) * f->linesize[0] ]; + cr = (uint32_t*)&f->data[1][ y * f->linesize[1] ]; + cb = (uint32_t*)&f->data[2][ y * f->linesize[2] ]; + for(x=0; x<avctx->width; x+=8) { *luma1++ = *buf32++; *luma1++ = *buf32++; *luma2++ = *buf32++; @@ -245,10 +250,10 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ - for(y=0; y<avctx->height; y++) - memcpy(&f->data[0][ (avctx->height - y -1) * f->linesize[0]], - &buf[y*avctx->width*3], - 3*avctx->width); + for (y = 0; y < avctx->height; y++) + memcpy(&f->data[0][ (avctx->height - y - 1) * f->linesize[0]], + &buf[y * avctx->width * 3], + 3 * avctx->width); break; case 2: diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 3484964fb2..0017608351 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -962,7 +962,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) int offset = get_bits_count(&gb) + 7 >> 3; uint8_t *buf; - if (watermark_height <= 0 || (uint64_t)watermark_width*4 > UINT_MAX/watermark_height) + if (watermark_height <= 0 || + (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1; buf = av_malloc(buf_len); diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index b34f159485..6dba7b91be 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -1142,12 +1142,12 @@ static av_cold int twin_decode_init(AVCodecContext *avctx) AV_CH_LAYOUT_STEREO; ibps = avctx->bit_rate / (1000 * avctx->channels); - - if (ibps > 255U) { - av_log(avctx, AV_LOG_ERROR, "unsupported per channel bitrate %dkbps\n", ibps); + if (ibps < 8 || ibps > 48) { + av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps); return AVERROR_INVALIDDATA; } + switch ((isampf << 8) + ibps) { case (8 <<8) + 8: tctx->mtab = &mode_08_08; break; case (11<<8) + 8: tctx->mtab = &mode_11_08; break; diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index f604c2937f..01d09efd62 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -4750,6 +4750,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; + if (!v->s.last_picture.f.data[0]) + return; + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END); s->first_slice_line = 1; for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 2dcdf56adb..1f799bc234 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -718,7 +718,9 @@ static int asf_read_header(AVFormatContext *s) if (ret < 0) return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { - asf_read_stream_properties(s, gsize); + int ret = asf_read_stream_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { asf_read_content_desc(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) { diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 88cfd5d5a2..dc7930eefe 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1562,11 +1562,13 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st->codec->bits_per_coded_sample = descriptor->bits_per_sample; if (descriptor->sample_rate.den > 0) { - avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num); st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den; + avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num); } else { - av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) found for stream #%d, time base forced to 1/48000\n", - descriptor->sample_rate.num, descriptor->sample_rate.den, st->index); + av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) " + "found for stream #%d, time base forced to 1/48000\n", + descriptor->sample_rate.num, descriptor->sample_rate.den, + st->index); avpriv_set_pts_info(st, 64, 1, 48000); } diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 35da81eff1..1c673e3720 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -87,7 +87,7 @@ static int r3d_read_red1(AVFormatContext *s) framerate.num = avio_rb16(s->pb); framerate.den = avio_rb16(s->pb); - if (framerate.num && framerate.den) { + if (framerate.num > 0 && framerate.den > 0) { #if FF_API_R_FRAME_RATE st->r_frame_rate = #endif @@ -285,6 +285,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) dts = avio_rb32(s->pb); st->codec->sample_rate = avio_rb32(s->pb); + if (st->codec->sample_rate <= 0) { + av_log(s, AV_LOG_ERROR, "Bad sample rate\n"); + return AVERROR_INVALIDDATA; + } samples = avio_rb32(s->pb); diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c2d2495e49..37d91ec12f 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -375,8 +375,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0) return ret; - av_reduce(&st->avg_frame_rate.den, &st->avg_frame_rate.num, - 0x10000, fps, (1 << 30) - 1); + if (fps > 0) { + av_reduce(&st->avg_frame_rate.den, &st->avg_frame_rate.num, + 0x10000, fps, (1 << 30) - 1); + } else if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } #if FF_API_R_FRAME_RATE st->r_frame_rate = st->avg_frame_rate; #endif |