Merge remote-tracking branch 'qatar/release/0.7' into release/0.8

* qatar/release/0.7: Update changelog for 0.7.7 release mpeg12: do not decode extradata more than once. indeo4/5: check empty tile size in decode_mb_info(). dfa: improve boundary checks in decode_dds1() indeo5dec: Make sure we have had a valid gop header. rv34: error out on size changes with frame threading Conflicts: Changelog Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-02-14 14:12:14 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-02-14 14:12:14 +0100
commit: acada70ffbd729516495ee683f70abad124f93d5 (patch)
tree: 3c4626e79bca9730658665863ec93e038a8ad93e
parent: 4f91c45644931064901986bca70a8903c7956564 (diff)
parent: db5b454c3d20f0e2e7fff8f0091e776ae9757725 (diff)
download: ffmpeg-acada70ffbd729516495ee683f70abad124f93d5.tar.gz
6 files changed, 42 insertions, 10 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 64b5c792a5..4ebd1d71c0 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -159,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
             bitbuf = bytestream_get_le16(&src);
             mask = 1;
         }
-        if (src_end - src < 2 || frame_end - frame < 2)
-            return -1;
+
         if (bitbuf & mask) {
             v = bytestream_get_le16(&src);
             offset = (v & 0x1FFF) << 2;
@@ -174,9 +173,12 @@ static int decode_dds1(uint8_t *frame, int width, int height,
                 frame += 2;
             }
         } else if (bitbuf & (mask << 1)) {
-            frame += bytestream_get_le16(&src) * 2;
+            v = bytestream_get_le16(&src)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
         } else {
-            if (frame_end - frame < width + 2)
+            if (frame_end - frame < width + 3)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  *src++;
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 645ac33b16..15fad5872b 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -76,6 +76,8 @@ typedef struct {
     int             is_scalable;
     uint32_t        lock_word;
     IVIPicConfig    pic_conf;
+
+    int gop_invalid;
 } IVI5DecContext;
 
 
@@ -339,8 +341,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx)
     ctx->frame_num = get_bits(&ctx->gb, 8);
 
     if (ctx->frame_type == FRAMETYPE_INTRA) {
-        if (decode_gop_header(ctx, avctx))
-            return -1;
+        ctx->gop_invalid = 1;
+        if (decode_gop_header(ctx, avctx)) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        ctx->gop_invalid = 0;
     }
 
     if (ctx->frame_type != FRAMETYPE_NULL) {
@@ -617,8 +623,10 @@ static int decode_band(IVI5DecContext *ctx, int plane_num,
 
         tile->is_empty = get_bits1(&ctx->gb);
         if (tile->is_empty) {
-            ff_ivi_process_empty_tile(avctx, band, tile,
+            result = ff_ivi_process_empty_tile(avctx, band, tile,
                                       (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3));
+            if (result < 0)
+                break;
         } else {
             tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb);
 
@@ -765,6 +773,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
                "Error while decoding picture header: %d\n", result);
         return -1;
     }
+    if (ctx->gop_invalid)
+        return AVERROR_INVALIDDATA;
 
     if (ctx->gop_flags & IVI5_IS_PROTECTED) {
         av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index d67544c27d..dae8b6aef2 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -495,7 +495,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
     return 0;
 }
 
-void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
+int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                                IVITile *tile, int32_t mv_scale)
 {
     int             x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
@@ -506,6 +506,13 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
     void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch,
                              int mc_type);
 
+    if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) {
+        av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches "
+               "parameters %d in ivi_process_empty_tile()\n",
+               tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size));
+        return AVERROR_INVALIDDATA;
+    }
+
     offs       = tile->ypos * band->pitch + tile->xpos;
     mb         = tile->mbs;
     ref_mb     = tile->ref_mbs;
@@ -586,6 +593,8 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
             dst += band->pitch;
         }
     }
+
+    return 0;
 }
 
 
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index aeeaf53cc4..654ee6f2bc 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -325,7 +325,7 @@ int  ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile);
  *  @param[in]  tile      pointer to the tile descriptor
  *  @param[in]  mv_scale  scaling factor for motion vectors
  */
-void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
+int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                                IVITile *tile, int32_t mv_scale);
 
 /**
diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c
index bd858a59b7..671406746b 100644
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -1151,6 +1151,7 @@ typedef struct Mpeg1Context {
     int save_width, save_height, save_progressive_seq;
     AVRational frame_rate_ext;       ///< MPEG-2 specific framerate modificator
     int sync;                        ///< Did we reach a sync point like a GOP/SEQ/KEYFrame?
+    int extradata_decoded;
 } Mpeg1Context;
 
 static av_cold int mpeg_decode_init(AVCodecContext *avctx)
@@ -2315,8 +2316,10 @@ static int mpeg_decode_frame(AVCodecContext *avctx,
 
     s->slice_count= 0;
 
-    if(avctx->extradata && !avctx->frame_number)
+    if (avctx->extradata && !s->extradata_decoded) {
         decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size);
+        s->extradata_decoded = 1;
+    }
 
     return decode_chunks(avctx, picture, data_size, buf, buf_size);
 }
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 20f363754a..bf6f586289 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1280,6 +1280,14 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int
 
     if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) {
         if(s->width != r->si.width || s->height != r->si.height){
+
+            if (HAVE_THREADS &&
+                (s->avctx->active_thread_type & FF_THREAD_FRAME)) {
+                av_log_missing_feature(s->avctx, "Width/height changing with "
+                                       "frame threading is", 0);
+                return AVERROR_PATCHWELCOME;
+            }
+
             av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height);
             MPV_common_end(s);
             s->width  = r->si.width;
author	Michael Niedermayer <michaelni@gmx.at>	2013-02-14 14:12:14 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-02-14 14:12:14 +0100
commit	acada70ffbd729516495ee683f70abad124f93d5 (patch)
tree	3c4626e79bca9730658665863ec93e038a8ad93e
parent	4f91c45644931064901986bca70a8903c7956564 (diff)
parent	db5b454c3d20f0e2e7fff8f0091e776ae9757725 (diff)
download	ffmpeg-acada70ffbd729516495ee683f70abad124f93d5.tar.gz