authorMichael Niedermayer <michaelni@gmx.at>2013-11-04 17:33:44 +0100
committerMichael Niedermayer <michaelni@gmx.at>2013-11-04 17:33:44 +0100
commita5115752cad0fdda77ce07ecb0cbc05988a7f7c7 (patch)
treed85214c5887f570874fa229835584896539f7960
parentcb297f6ae79bf9e31e9981122c4161effdd9b8a1 (diff)
parentcd9b0bb07a66d3299bd62922e9dfa742219abe79 (diff)
downloadffmpeg-a5115752cad0fdda77ce07ecb0cbc05988a7f7c7.tar.gz
Merge commit 'cd9b0bb07a66d3299bd62922e9dfa742219abe79' into release/0.10
* commit 'cd9b0bb07a66d3299bd62922e9dfa742219abe79': 4xm: validate the buffer size before parsing it indeo: Do not reference mismatched tiles indeo: Sanitize ff_ivi_init_planes fail paths Conflicts: libavcodec/4xm.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/4xm.c22
-rw-r--r--libavcodec/indeo4.c1
-rw-r--r--libavcodec/indeo5.c4
-rw-r--r--libavcodec/ivi_common.c7
4 files changed, 24 insertions, 10 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 7dc7b13da0..aa06638bbc 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -403,6 +403,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
if(f->version>1){
+ if (length < 20)
+ return AVERROR_INVALIDDATA;
extra=20;
if (length < extra)
return -1;
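Review bot: The pre-existing `if (length < extra) return -1;` right after the added guard is now dead code, and it was never an equivalent check. `extra` is declared `unsigned int`, so that comparison converts a negative `length` to a large unsigned value and lets it through; the new `length < 20` is a signed comparison and is the one that actually rejects it. I would drop the old check so the two return codes (`-1` vs `AVERROR_INVALIDDATA`) cannot diverge, and add a comment on the new one such as `/* signed compare on purpose: length is int and may be negative */`. The rest of decode_p_frame lies outside the hunk.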
@@ -767,25 +769,29 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame *p, temp;
int i, frame_4cc, frame_size;
- if (buf_size < 12)
+ if (buf_size < 20)
return AVERROR_INVALIDDATA;
- frame_4cc= AV_RL32(buf);
- if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
- av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
+
+ if (buf_size < AV_RL32(buf + 4) + 8) {
+ av_log(f->avctx, AV_LOG_ERROR,
+ "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
}
+ frame_4cc = AV_RL32(buf);
+
if(frame_4cc == AV_RL32("cfrm")){
int free_index=-1;
- const int data_size= buf_size - 20;
- const int id= AV_RL32(buf+12);
- const int whole_size= AV_RL32(buf+16);
+ int id, whole_size;
+ const int data_size = buf_size - 20;
CFrameBuffer *cfrm;
+ id = AV_RL32(buf + 12);
+ whole_size = AV_RL32(buf + 16);
+
if (data_size < 0 || whole_size < 0){
av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
return AVERROR_INVALIDDATA;
}
-
for(i=0; i<CFRAME_BUFFER_COUNT; i++){
if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
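Review bot: In the rewritten size check, `AV_RL32(buf + 4) + 8` is 32-bit unsigned arithmetic, so a declared size close to 0xFFFFFFFF wraps to a small number and the mismatch is not even logged. Moving the constant to the trusted side avoids the wrap: `if (AV_RL32(buf + 4) > buf_size - 8) {` (safe because `buf_size >= 20` has already been established). The branch also only logs and then continues; if that is meant to tolerate truncated files, a comment saying that everything after this point must bound itself by `buf_size` and not by the header field would help. With the new `buf_size < 20` early return, the `data_size < 0` half of the later check can no longer be true. decode_frame continues past the end of the hunk.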
diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 02398c5750..9cbd493b5c 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -211,6 +211,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) {
if (ff_ivi_init_planes(ctx->planes, &pic_conf)) {
av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n");
+ ctx->pic_conf.luma_bands = 0;
return AVERROR(ENOMEM);
}
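Review bot: This failure path still returns `AVERROR(ENOMEM)` unconditionally, although the same commit makes `ff_ivi_init_planes()` return `AVERROR_INVALIDDATA` for a rejected configuration, so a malformed header is now reported as an allocation failure. Propagating the callee's result would keep the two cases distinguishable in logs and triage, e.g. `int ret = ff_ivi_init_planes(ctx->planes, &pic_conf);` followed by `if (ret < 0) { ...; return ret; }`. The added `ctx->pic_conf.luma_bands = 0;` also deserves a short comment; presumably it makes the cached config compare unequal on the next header so the freed planes are rebuilt before use. decode_pic_hdr starts and ends outside the hunk.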
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 7f3b4190be..d27bf41b5c 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -113,7 +113,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
}
/* check if picture layout was changed and reallocate buffers */
- if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) {
+ if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf) || ctx->gop_invalid) {
result = ff_ivi_init_planes(ctx->planes, &pic_conf);
if (result < 0) {
av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n");
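Review bot: The comment above the changed condition no longer matches it: buffers are now also reallocated when `ctx->gop_invalid` is set, not only when the picture layout changed. I would update it to something like `/* reallocate buffers if the picture layout changed or the previous GOP header was rejected (planes may have been freed) */`. The second half of that wording is an inference from the ff_ivi_init_planes change in this commit and should be confirmed. The remainder of the failure branch is outside the hunk.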
@@ -319,9 +319,9 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
ctx->frame_num = get_bits(&ctx->gb, 8);
if (ctx->frame_type == FRAMETYPE_INTRA) {
- ctx->gop_invalid = 1;
if ((ret = decode_gop_header(ctx, avctx)) < 0) {
av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+ ctx->gop_invalid = 1;
return ret;
}
ctx->gop_invalid = 0;
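Review bot: The position of `ctx->gop_invalid = 1;` is now load-bearing and nothing in the code says so. `decode_gop_header()` reads the flag (see the condition changed in the previous hunk), so setting it before the call, as the old code did, would force a plane re-initialisation on every intra frame. A comment on the moved line such as `/* set only on failure: decode_gop_header() tests the previous value to decide whether planes must be rebuilt */` would stop a later cleanup from moving it back. decode_pic_hdr continues outside the hunk.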
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index fa997404d1..ee16b2a28c 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -205,6 +205,10 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
ff_ivi_free_buffers(planes);
+ if (cfg->pic_width < 1 || cfg->pic_height < 1 ||
+ cfg->luma_bands < 1 || cfg->chroma_bands < 1)
+ return AVERROR_INVALIDDATA;
+
/* fill in the descriptor of the luminance plane */
planes[0].width = cfg->pic_width;
planes[0].height = cfg->pic_height;
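Review bot: The new validation runs after `ff_ivi_free_buffers(planes)`, so a rejected `cfg` still tears down the existing planes, and the caller is left with freed buffers while its cached picture config may still describe the old layout. The indeo4 and indeo5 hunks in this commit each compensate in their own way (`luma_bands = 0`, `gop_invalid`), which suggests the contract should be written down on the function: on any error return the planes are freed and the caller must invalidate its stored `IVIPicConfig`. The check also only enforces lower bounds; whether `pic_width` and `pic_height` are capped before they reach the allocations further down is not visible in this hunk and worth confirming.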
@@ -279,6 +283,7 @@ void av_cold ff_ivi_free_buffers(IVIPlaneDesc *planes)
av_freep(&planes[p].bands[b].tiles);
}
av_freep(&planes[p].bands);
+ planes[p].num_bands = 0;
}
}
@@ -307,6 +312,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile,
tile->ref_mbs = 0;
if (p || b) {
+ if (tile->num_MBs != ref_tile->num_MBs)
+ return AVERROR_INVALIDDATA;
tile->ref_mbs = ref_tile->mbs;
ref_tile++;
}
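Review bot: The added guard compares only `num_MBs` of the current and the reference tile, while `ref_tile++` still advances with no bound visible in this hunk. If a reference band can hold fewer tiles than the band being initialised, the guard's own read of `ref_tile->num_MBs` would already be past the end of that array. The loop header and the caller are outside the hunk, so the tile counts may be guaranteed equal elsewhere; if so, a comment stating that invariant next to the check, or an explicit tile-count comparison before the loop, would make it verifiable. It is also worth confirming that every caller of ivi_init_tiles treats the new negative return as fatal for the frame.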