author | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:41:41 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:44:32 +0100 |
commit | 93e3ec451caf12ebb22fbf3ecdb7bba41f7835c6 (patch) | |
tree | 59f9dbe216cc6860b8556a3a6b615a131d1e44e7 | |
parent | 76c48a78d1c0842d26b8ae926af3610935b0f280 (diff) | |
parent | 9925f7df0a50387ade8d83cb85b40c53e41e7041 (diff) | |
Merge commit '9925f7df0a50387ade8d83cb85b40c53e41e7041' into release/0.10
* commit '9925f7df0a50387ade8d83cb85b40c53e41e7041':
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
r3d: Add more input value validation
fraps: Make the input buffer size checks more strict
svq3: Avoid a division by zero
rmdec: Validate the fps value
twinvqdec: Check the ibps parameter separately
asfdec: Check the return value of asf_read_stream_properties
mxfdec: set audio timebase to 1/samplerate
pcx: Check the packet size before assuming it fits a palette
rpza: Fix a buffer size check
xxan: Disallow odd width
xan: Only read within the data that actually was initialized
Conflicts:
libavcodec/fraps.c
libavformat/mxfdec.c
tests/ref/seek/lavf_mxf
tests/ref/seek/lavf_mxf_d10
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/fraps.c | 8 | ||||
-rw-r--r-- | libavcodec/pcx.c | 8 | ||||
-rw-r--r-- | libavcodec/rpza.c | 2 | ||||
-rw-r--r-- | libavcodec/svq3.c | 3 | ||||
-rw-r--r-- | libavcodec/twinvq.c | 4 | ||||
-rw-r--r-- | libavcodec/vc1dec.c | 3 | ||||
-rw-r--r-- | libavcodec/xan.c | 12 | ||||
-rw-r--r-- | libavcodec/xxan.c | 5 | ||||
-rw-r--r-- | libavformat/asfdec.c | 4 | ||||
-rw-r--r-- | libavformat/mxfdec.c | 13 | ||||
-rw-r--r-- | libavformat/r3d.c | 4 | ||||
-rw-r--r-- | libavformat/rmdec.c | 9 | ||||
-rw-r--r-- | tests/ref/seek/lavf_mxf | 18 | ||||
-rw-r--r-- | tests/ref/seek/lavf_mxf_d10 | 30 |
14 files changed, 85 insertions, 38 deletions
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index 01677f87d7..c1d520cca5 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -142,6 +142,11 @@ static int decode_frame(AVCodecContext *avctx, const int planes = 3; enum PixelFormat pix_fmt; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } + header = AV_RL32(buf); version = header & 0xff; header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */ @@ -180,7 +185,7 @@ static int decode_frame(AVCodecContext *avctx, } avctx->pix_fmt = pix_fmt; - switch(version) { + switch (version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ @@ -219,6 +224,7 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ + if (avctx->reget_buffer(avctx, f)) { av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 7c98bfa4f9..570bc93aff 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -183,7 +183,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else if (nplanes == 1 && bits_per_pixel == 8) { const uint8_t *palstart = bufstart + buf_size - 769; - for (y=0; y<h; y++, ptr+=stride) { + if (buf_size < 769) { + av_log(avctx, AV_LOG_ERROR, "File is too short\n"); + ret = buf_size; + goto end; + } + + for (y = 0; y < h; y++, ptr += stride) { buf = pcx_rle_decode(buf, buf_end, scanline, bytes_per_scanline, compressed); memcpy(ptr, scanline, w); diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index f291a95ea5..1de808074e 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -202,7 +202,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: - if (s->size - stream_ptr < 16) + if (s->size - stream_ptr < 30) return; ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 6f5a2a91ac..c9fb6c9778 100644 
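Review bot: In libavcodec/fraps.c decode_frame(), the added `buf_size < 4` guard covers only the `AV_RL32(buf)` read. Two lines later `header_size` becomes 8 when bit 30 is set, and a packet of 4 to 7 bytes still passes the guard. Whether a later test compares `buf_size` with `header_size` is outside the hunk; if none does, add `if (buf_size < header_size) return AVERROR_INVALIDDATA;` right after `header_size` is computed. The body of decode_frame() continues outside the hunk.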
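Review bot: In libavcodec/pcx.c pcx_decode_frame(), `palstart = bufstart + buf_size - 769` is still evaluated in the declaration, before the added `buf_size < 769` test runs. For a short packet the pointer is therefore formed before the start of the buffer, which is undefined behaviour in C even if it is never dereferenced. Declare `const uint8_t *palstart;` and assign `palstart = bufstart + buf_size - 769;` after the check. The error path also sets `ret = buf_size`, so the caller is told the packet was consumed rather than given an error code; if that is intended, a one-line comment should say so. The function continues outside the hunk.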
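Review bot: The new bound `30` in the `case 0x00` branch of rpza_decode_stream() is an unexplained magic number, sitting under a comment that says "16 colors". It presumably means 15 further 2-byte colours after the first one has already been read, but the read loop is outside the hunk. Once confirmed, a comment such as `/* 15 more 16-bit colors follow; the first was already consumed */` would stop a later edit from changing it back to 16. The types of `s->size` and `stream_ptr` are not visible here either, and the subtraction only behaves as intended if `stream_ptr` can never exceed `s->size`.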
--- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -905,7 +905,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) int offset = (get_bits_count(&gb)+7)>>3; uint8_t *buf; - if ((uint64_t)watermark_width*4 > UINT_MAX/watermark_height) + if (watermark_height > 0 && + (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1; buf = av_malloc(buf_len); diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 6a0bd4d145..6c958d9df1 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -1137,6 +1137,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx) return -1; } ibps = avctx->bit_rate / (1000 * avctx->channels); + if (ibps < 8 || ibps > 48) { + av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps); + return AVERROR_INVALIDDATA; + } switch ((isampf << 8) + ibps) { case (8 <<8) + 8: tctx->mtab = &mode_08_08; break; diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 4137b704d4..d94cd77899 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -4741,6 +4741,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; + if (!v->s.last_picture.f.data[0]) + return; + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END); s->first_slice_line = 1; for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 4afc087c32..7339e5b209 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -106,6 +106,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; + unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len < 0) @@ -121,13 +122,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val < 0x16) { if (dest >= dest_end) - return 0; + return dest_len; *dest++ = val; val = ival; } } - return 0; + return dest - dest_start; } /** 
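Review bot: In svq3_decode_init(), a zero `watermark_height` now skips the overflow test entirely and falls through to `av_malloc(buf_len)` instead of being rejected. `buf_len` is computed outside the hunk, so what a zero-height watermark does afterwards is not visible, but there is no reason to accept it. Writing the test as `if (watermark_height <= 0 || (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1;` avoids the division by zero and refuses the degenerate input in one condition.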
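Review bot: The reason for the 8..48 range test on `ibps` in twin_decode_init() is not recorded, and it is not obvious from the check alone. The switch key directly below is `(isampf << 8) + ibps`, so an `ibps` of 256 or more (or a negative one) would spill into the `isampf` bits and could match the case label of a different mode table. A comment such as `/* keep ibps inside its 8-bit slot of the switch key below */` would document that. The new path returns `AVERROR_INVALIDDATA` while the check just above it returns `-1`; using one convention in this function would be cleaner. The function continues outside the hunk.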
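Review bot: vc1_decode_skip_blocks() now returns silently when `last_picture` has no data, before the `ff_er_add_slice()` call and without any log message. Nothing records that the skipped frame was left undecoded, and the function is `void`, so the caller cannot tell either. Consider adding `av_log(s->avctx, AV_LOG_ERROR, "Missing reference picture\n");` before the `return`. Since `s` is already `&v->s`, the test also reads more simply as `if (!s->last_picture.f.data[0])`.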
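Review bot: The return value of xan_huffman_decode() is undocumented even though its meaning changes in these two hunks. It used to return 0 on success and now returns the number of bytes written: `dest - dest_start`, or `dest_len` when the output buffer fills. A doc comment on the function stating "returns the number of bytes written to dest, or a negative value on error" would make the contract explicit. The negative case is inferred from the `ptr_len < 0` test, whose body is outside the hunk, and the function itself starts before the hunk.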
@@ -276,7 +277,7 @@ static int xan_wc3_decode_frame(XanContext *s) { unsigned char flag = 0; int size = 0; int motion_x, motion_y; - int x, y; + int x, y, ret; unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; @@ -310,9 +311,10 @@ static int xan_wc3_decode_frame(XanContext *s) { bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; - if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - huffman_offset) < 0) + if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset)) < 0) return AVERROR_INVALIDDATA; + opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, s->buffer2_size, diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index f701861447..350211f128 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -46,6 +46,11 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) avctx->pix_fmt = PIX_FMT_YUV420P; + if (avctx->width & 1) { + av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width); + return AVERROR(EINVAL); + } + s->buffer_size = avctx->width * avctx->height; s->y_buffer = av_malloc(s->buffer_size); if (!s->y_buffer) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 27685ee218..9ae0d43c87 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -618,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) if (ret < 0) return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { - asf_read_stream_properties(s, gsize); + int ret = asf_read_stream_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { asf_read_content_desc(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) { diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f63cff9be8..b7bb4dff19 100644 
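Review bot: In libavformat/asfdec.c asf_read_header(), the result of `asf_read_content_desc(s, gsize)` in the very next branch is still discarded, while the stream-properties call above it is now checked. Whether that helper and the other readers in this chain can fail is not visible in the hunk. If they return an error code, they should get the same `if (ret < 0) return ret;` treatment so a truncated or malformed header stops parsing consistently. The if/else chain continues outside the hunk.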
--- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1397,8 +1397,17 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st->codec->codec_id = container_ul->id; st->codec->channels = descriptor->channels; st->codec->bits_per_coded_sample = descriptor->bits_per_sample; - if (descriptor->sample_rate.den > 0) - st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den; + if (descriptor->sample_rate.den > 0) { + st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den; + avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num); + } else { + av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) " + "found for stream #%d, time base forced to 1/48000\n", + descriptor->sample_rate.num, descriptor->sample_rate.den, + st->index); + avpriv_set_pts_info(st, 64, 1, 48000); + } + /* TODO: implement CODEC_ID_RAWAUDIO */ if (st->codec->codec_id == CODEC_ID_PCM_S16LE) { if (descriptor->bits_per_sample > 16 && descriptor->bits_per_sample <= 24) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 874c361406..ada239f550 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -277,6 +277,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) dts = avio_rb32(s->pb); st->codec->sample_rate = avio_rb32(s->pb); + if (st->codec->sample_rate <= 0) { + av_log(s, AV_LOG_ERROR, "Bad sample rate\n"); + return AVERROR_INVALIDDATA; + } samples = avio_rb32(s->pb); diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 5d1791f79f..dfd229e93e 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
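Review bot: In mxf_parse_structural_metadata(), only `sample_rate.den > 0` is tested, but the new `avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num)` uses the numerator as the time-base denominator. A descriptor with `num` equal to zero or negative therefore requests a time base of den/0 or a negative one. How avpriv_set_pts_info() handles that is outside the hunk. Testing `if (descriptor->sample_rate.den > 0 && descriptor->sample_rate.num > 0)` would send such files to the 1/48000 fallback that the else branch already provides, and would keep `codec->sample_rate` from being set to a non-positive value.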
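Review bot: In libavformat/r3d.c r3d_read_reda(), the value from `avio_rb32(s->pb)` is stored into `st->codec->sample_rate` before it is validated, so on the error return the stream context keeps the rejected rate. Reading into a local first (`int rate = avio_rb32(s->pb);`), checking `rate <= 0`, and only then assigning `st->codec->sample_rate = rate;` keeps invalid data out of the shared context. `samples`, read on the next line, gets no comparable check in this hunk; its use is outside the visible lines.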
@@ -336,8 +336,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0) return ret; - av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num, - 0x10000, fps, (1 << 30) - 1); + if (fps > 0) { + av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num, + 0x10000, fps, (1 << 30) - 1); + } else if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } st->avg_frame_rate = st->r_frame_rate; } diff --git a/tests/ref/seek/lavf_mxf b/tests/ref/seek/lavf_mxf index cc634a8af2..5f2cf5d1b0 100644 --- a/tests/ref/seek/lavf_mxf +++ b/tests/ref/seek/lavf_mxf @@ -7,8 +7,8 @@ ret: 0 st: 0 flags:0 ts: 0.800000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st: 0 flags:1 ts:-0.320000 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 -ret:-1 st: 1 flags:0 ts: 2.560000 -ret: 0 st: 1 flags:1 ts: 1.480000 +ret:-1 st: 1 flags:0 ts: 2.576667 +ret: 0 st: 1 flags:1 ts: 1.470833 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.480000 pos: 211968 size: 24787 @@ -17,9 +17,9 @@ ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 ret:-1 st: 0 flags:0 ts: 2.160000 ret: 0 st: 0 flags:1 ts: 1.040000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 -ret: 0 st: 1 flags:0 ts:-0.040000 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 -ret: 0 st: 1 flags:1 ts: 2.840000 +ret: 0 st: 1 flags:1 ts: 2.835833 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 
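Review bot: In ff_rm_read_mdpr_codecdata(), when `fps` is not positive and `AV_EF_EXPLODE` is not set, the code falls through without any message. `st->avg_frame_rate = st->r_frame_rate` then copies whatever `r_frame_rate` held before. A final `else av_log(s, AV_LOG_WARNING, "Invalid framerate\n");` would make the ignored value visible in logs without changing the lenient behaviour. The function continues outside the hunk.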
@@ -28,9 +28,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 ret: 0 st: 0 flags:1 ts: 2.400000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 -ret:-1 st: 1 flags:0 ts: 1.320000 -ret: 0 st: 1 flags:1 ts: 0.200000 -ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 +ret:-1 st: 1 flags:0 ts: 1.306667 +ret: 0 st: 1 flags:1 ts: 0.200833 +ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 ret: 0 st:-1 flags:1 ts: 1.989173 @@ -39,8 +39,8 @@ ret: 0 st: 0 flags:0 ts: 0.880000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st: 0 flags:1 ts:-0.240000 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 -ret:-1 st: 1 flags:0 ts: 2.680000 -ret: 0 st: 1 flags:1 ts: 1.560000 +ret:-1 st: 1 flags:0 ts: 2.671667 +ret: 0 st: 1 flags:1 ts: 1.565833 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 diff --git a/tests/ref/seek/lavf_mxf_d10 b/tests/ref/seek/lavf_mxf_d10 index 4cfe595415..e091c77633 100644 --- a/tests/ref/seek/lavf_mxf_d10 +++ b/tests/ref/seek/lavf_mxf_d10 
@@ -7,10 +7,10 @@ ret: 0 st: 0 flags:0 ts: 0.800000 ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:4265984 size:150000 ret: 0 st: 0 flags:1 ts:-0.320000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:0 ts: 2.560000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:1 ts: 1.480000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 +ret: 0 st: 1 flags:0 ts: 2.576667 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 1.470833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1923072 size:150000 ret: 0 st:-1 flags:1 ts:-0.740831 @@ -19,10 +19,10 @@ ret: 0 st: 0 flags:0 ts: 2.160000 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 ret: 0 st: 0 flags:1 ts: 1.040000 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:0 ts:-0.040000 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 2.835833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts: 1.730004 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 ret: 0 st:-1 flags:1 ts: 0.624171 
@@ -31,10 +31,10 @@ ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 ret: 0 st: 0 flags:1 ts: 2.400000 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:0 ts: 1.320000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:1 ts: 0.200000 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos:1071104 size:150000 +ret: 0 st: 1 flags:0 ts: 1.306667 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 0.200833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 ret: 0 st:-1 flags:1 ts: 1.989173 @@ -43,10 +43,10 @@ ret: 0 st: 0 flags:0 ts: 0.880000 ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:4691968 size:150000 ret: 0 st: 0 flags:1 ts:-0.240000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:0 ts: 2.680000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 +ret: 0 st: 1 flags:0 ts: 2.671667 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 1.565833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:2562048 size:150000 ret: 0 st:-1 flags:1 ts:-0.645825 |