Merge commit '44079902c49e526f464bb4eb855665e1af867e91' into release/1.1

* commit '44079902c49e526f464bb4eb855665e1af867e91': mov: Free intermediate arrays in the normal cleanup function segafilm: fix leaks if reading the header fails h264_cavlc: check the size of the intra PCM data. h263: Check init_get_bits return value cavsdec: check ff_get_buffer() return value Conflicts: libavcodec/cavsdec.c libavcodec/h263dec.c libavformat/mov.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-02-04 06:17:49 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-02-04 06:23:46 +0100
commit: e2781db62a406114519d55c31dd534db6d60dd0d (patch)
tree: 177a15668587407f6601758a21ef6fe84c49cf6b
parent: 9ac7d8f85d71f50d01d97f33cf0cc9f7707d62a3 (diff)
parent: 44079902c49e526f464bb4eb855665e1af867e91 (diff)
download: ffmpeg-e2781db62a406114519d55c31dd534db6d60dd0d.tar.gz
5 files changed, 47 insertions, 29 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 6a783f70f3..14a8e9cfbd 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -979,7 +979,8 @@ static int decode_pic(AVSContext *h)
     if (h->cur.f->data[0])
         h->avctx->release_buffer(h->avctx, h->cur.f);
 
-    if ((ret = ff_get_buffer(h->avctx, h->cur.f)) < 0)
+    ret = ff_get_buffer(h->avctx, h->cur.f);
+    if (ret < 0)
         return ret;
 
     if (!h->edge_emu_buffer) {
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 24df411410..a0cb82c624 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -392,7 +392,6 @@ uint64_t time= rdtsc();
             return buf_size;
     }
 
-
 retry:
     if(s->divx_packed && s->bitstream_buffer_size){
         int i;
@@ -407,16 +406,20 @@ retry:
         }
     }
 
-    if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder
-        init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8);
-    }else
-        init_get_bits(&s->gb, buf, buf_size*8);
+    if (s->bitstream_buffer_size && (s->divx_packed || buf_size < 20)) // divx 5.01+/xvid frame reorder
+        ret = init_get_bits8(&s->gb, s->bitstream_buffer,
+                             s->bitstream_buffer_size);
+    else
+        ret = init_get_bits8(&s->gb, buf, buf_size);
+
     s->bitstream_buffer_size=0;
+    if (ret < 0)
+        return ret;
 
-    if (!s->context_initialized) {
-        if ((ret = ff_MPV_common_init(s)) < 0) //we need the idct permutaton for reading a custom matrix
+    if (!s->context_initialized)
+        // we need the idct permutaton for reading a custom matrix
+        if ((ret = ff_MPV_common_init(s)) < 0)
             return ret;
-    }
 
     /* We need to set current_picture_ptr before reading the header,
      * otherwise we cannot store anyting in there */
@@ -436,8 +439,11 @@ retry:
         if(s->avctx->extradata_size && s->picture_number==0){
             GetBitContext gb;
 
-            init_get_bits(&gb, s->avctx->extradata, s->avctx->extradata_size*8);
-            ret = ff_mpeg4_decode_picture_header(s, &gb);
+            ret = init_get_bits8(&gb, s->avctx->extradata,
+                                 s->avctx->extradata_size);
+            if (ret < 0)
+                return ret;
+            ff_mpeg4_decode_picture_header(s, &gb);
         }
         ret = ff_mpeg4_decode_picture_header(s, &s->gb);
     } else if (CONFIG_H263I_DECODER && s->codec_id == AV_CODEC_ID_H263I) {
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 7cbc553cc3..eb3869ff39 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -771,6 +771,10 @@ decode_intra_mb:
 
         // We assume these blocks are very rare so we do not optimize it.
         align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         // The pixels are stored in the same order as levels in h->mb array.
         for(x=0; x < mb_size; x++){
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2e069ead13..1e6e1140a6 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3089,13 +3089,15 @@ static int mov_read_close(AVFormatContext *s)
         av_freep(&sc->drefs);
         if (sc->pb && sc->pb != s->pb)
             avio_close(sc->pb);
+
         sc->pb = NULL;
         av_freep(&sc->chunk_offsets);
-        av_freep(&sc->keyframes);
-        av_freep(&sc->sample_sizes);
-        av_freep(&sc->stps_data);
         av_freep(&sc->stsc_data);
+        av_freep(&sc->sample_sizes);
+        av_freep(&sc->keyframes);
         av_freep(&sc->stts_data);
+        av_freep(&sc->stps_data);
+        av_freep(&sc->rap_group);
     }
 
     if (mov->dv_demux) {
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 0e6ce0807b..506244d185 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -76,13 +76,23 @@ static int film_probe(AVProbeData *p)
     return AVPROBE_SCORE_MAX;
 }
 
+static int film_read_close(AVFormatContext *s)
+{
+    FilmDemuxContext *film = s->priv_data;
+
+    av_freep(&film->sample_table);
+    av_freep(&film->stereo_buffer);
+
+    return 0;
+}
+
 static int film_read_header(AVFormatContext *s)
 {
     FilmDemuxContext *film = s->priv_data;
     AVIOContext *pb = s->pb;
     AVStream *st;
     unsigned char scratch[256];
-    int i;
+    int i, ret;
     unsigned int data_offset;
     unsigned int audio_frame_counter;
 
@@ -214,14 +224,16 @@ static int film_read_header(AVFormatContext *s)
     for (i = 0; i < film->sample_count; i++) {
         /* load the next sample record and transfer it to an internal struct */
         if (avio_read(pb, scratch, 16) != 16) {
-            av_free(film->sample_table);
-            return AVERROR(EIO);
+            ret = AVERROR(EIO);
+            goto fail;
         }
         film->sample_table[i].sample_offset =
             data_offset + AV_RB32(&scratch[0]);
         film->sample_table[i].sample_size = AV_RB32(&scratch[4]);
-        if (film->sample_table[i].sample_size > INT_MAX / 4)
-            return AVERROR_INVALIDDATA;
+        if (film->sample_table[i].sample_size > INT_MAX / 4) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
         if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) {
             film->sample_table[i].stream = film->audio_stream_index;
             film->sample_table[i].pts = audio_frame_counter;
@@ -242,6 +254,9 @@ static int film_read_header(AVFormatContext *s)
     film->current_sample = 0;
 
     return 0;
+fail:
+    film_read_close(s);
+    return ret;
 }
 
 static int film_read_packet(AVFormatContext *s,
@@ -322,16 +337,6 @@ static int film_read_packet(AVFormatContext *s,
     return ret;
 }
 
-static int film_read_close(AVFormatContext *s)
-{
-    FilmDemuxContext *film = s->priv_data;
-
-    av_free(film->sample_table);
-    av_free(film->stereo_buffer);
-
-    return 0;
-}
-
 AVInputFormat ff_segafilm_demuxer = {
     .name           = "film_cpk",
     .long_name      = NULL_IF_CONFIG_SMALL("Sega FILM / CPK"),
author	Michael Niedermayer <michaelni@gmx.at>	2014-02-04 06:17:49 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-02-04 06:23:46 +0100
commit	e2781db62a406114519d55c31dd534db6d60dd0d (patch)
tree	177a15668587407f6601758a21ef6fe84c49cf6b
parent	9ac7d8f85d71f50d01d97f33cf0cc9f7707d62a3 (diff)
parent	44079902c49e526f464bb4eb855665e1af867e91 (diff)
download	ffmpeg-e2781db62a406114519d55c31dd534db6d60dd0d.tar.gz