author | Michael Niedermayer <michaelni@gmx.at> | 2013-02-26 03:04:03 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-02-26 03:09:41 +0100 |
commit | f64e4a8c9a19d086c4de99da76e5eb7b664e60d2 (patch) | |
tree | 56b12010d8efad70da58f59c05018d84e8383256 | |
parent | d92a7870d74e199d143cdf1fa4606cbdef689e2c (diff) | |
parent | dc745b76aa9a7682004c96372a9e77549de1b765 (diff) | |
download | ffmpeg-f64e4a8c9a19d086c4de99da76e5eb7b664e60d2.tar.gz |
Merge remote-tracking branch 'qatar/release/9' into release/1.1
* qatar/release/9:
doc: developer: Allow tabs in the vim configuration for Automake files
doc: filters: Correct BNF FILTER description
Prepare for 9.3 Release
update Changelog
cavs: initialize various context tables to 0
4xm: check the return value of read_huffman_tables().
qtrle: add more checks against pixel_ptr being negative.
mlpdec: do not try to allocate a zero-sized output buffer.
av_memcpy_backptr: avoid an infinite loop for back = 0
flicvideo: avoid an infinite loop in byte run compression
lagarith: avoid infinite loop in lag_rac_refill()
mov: use the format context for logging.
loco: check that there is data left after decoding a plane.
update Changelog
x86: h264: Don't use redzone in AVX h264_deblock on Win64
Conflicts:
Changelog
RELEASE
libavcodec/4xm.c
libavcodec/loco.c
libavcodec/qtrle.c
libavutil/mem.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | Changelog | 58 | ||||
-rw-r--r-- | doc/developer.texi | 4 | ||||
-rw-r--r-- | doc/filters.texi | 2 | ||||
-rw-r--r-- | libavcodec/4xm.c | 6 | ||||
-rw-r--r-- | libavcodec/flicvideo.c | 5 | ||||
-rw-r--r-- | libavcodec/lagarithrac.h | 3 | ||||
-rw-r--r-- | libavcodec/loco.c | 12 | ||||
-rw-r--r-- | libavcodec/mlpdec.c | 5 | ||||
-rw-r--r-- | libavcodec/qtrle.c | 10 | ||||
-rw-r--r-- | libavformat/mov.c | 2 |
10 files changed, 91 insertions, 16 deletions
@@ -2,9 +2,65 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version <next>: +- loco: check that there is data left after decoding a plane. +- mov: use the format context for logging. +- lagarith: avoid infinite loop in lag_rac_refill() with corrupted files +- flicvideo: avoid an infinite loop in byte run compression +- av_memcpy_backptr: avoid an infinite loop for back = 0 +- mlpdec: do not try to allocate a zero-sized output buffer. +- qtrle: add more checks against pixel_ptr being negative. +- 4xm: check the return value of read_huffman_tables(). +- cavs: initialize various context tables, avoids crashes with corrupted files +- x86/H.264: Don't use redzone in AVX h264_deblock on Win64 +- VQA video: check chunk sizes before reading chunks +- RoQ video decoder: check dimensions validity +- QDM2: check array index before use, fix out of array accesses +- mpegvideo: Do REBASE_PICTURE with byte pointers +- SVQ3: unbreak decoding +- libopencore-amrwb: Make AMR-WB ifdeffery more precise +- libopencore-amr: Conditionally compile decoder and encoder bits +- arm: Fall back to runtime cpu feature detection via /proc/cpuinfo +- xxan: properly handle odd heights +- msrledec: check bounds before constructing a possibly invalid pointer, +- qtrle: fix the topmost line for 1bit +- aasc: fix output for msrle compression +- yop: check for input overreads +- yop: check that extradata is large enough +- fraps: fix off-by one bug for version 1 +- vf_delogo: fix copying the input frame +- vf_delogo: fix an uninitialized read +- dnxhdenc: fix invalid reads in dnxhd_mb_var_thread() +- ATRAC3: use correct loop variable in add_tonal_components() +- MLP: store the channel layout for each substream +- MLP decoder: TrueHD: use Libav channel order +- x86: ac3: Fix HAVE_MMXEXT condition to only refer to external assembly +- arm: vp8: Fix the plain-armv6 version of vp8_luma_dc_wht +- lavr: call mix_function_init() 
in ff_audio_mix_set_matrix() +- rtpenc_chain: Use the original AVFormatContext for getting payload type +- rtp: Make sure the output format pointer is set +- rtp: Make sure priv_data is set before reading it +- videodsp_armv5te: remove #if HAVE_ARMV5TE_EXTERNAL +- get_bits: change the failure condition in init_get_bits +- mpegvideo: fix loop condition in draw_line() +- fate: update ref after rv30_loop_filter fix +- RV30: fix masking in rv30_loop_filter() +- libcdio: support recent cdio-paranoia +- Theora: Skip zero-sized headers +- H.264: add 3 pixels below for subpixel filter wait position +- H.264: fix ff_generate_sliding_window_mmcos() prototype +- H.264: don't clobber mmco opcode tables for non-first slice headers +- libx264: use the library specific default rc_initial_buffer_occupancy +- lavc: set the default rc_initial_buffer_occupancy +- lavc: introduce the convenience function init_get_bits8 +- lavc: check for overflow in init_get_bits +- configure: enable pic for shared libs on AArch64 +- zmbv: Reset the decoder on keyframe errors +- VC1 decoder: prevent a crash due missing pred_flag parameter +- matroska: Fix use after free +- VP3: Fix double free in vp3_decode_end() - Fix a crash on windows platforms related to automatic stack alignment in libavresample -- Fix memleaks in the ogg demuxer. Related to CVE-2012-2882 +- Fix memleaks in the Ogg demuxer. Related to CVE-2012-2882 version 1.1: diff --git a/doc/developer.texi b/doc/developer.texi index e75f3b9403..be1b62a3f3 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -190,8 +190,8 @@ set shiftwidth=4 set softtabstop=4 set cindent set cinoptions=(0 -" allow tabs in Makefiles -autocmd FileType make set noexpandtab shiftwidth=8 softtabstop=8 +" Allow tabs in Makefiles. +autocmd FileType make,automake set noexpandtab shiftwidth=8 softtabstop=8 " Trailing whitespace and tabs are forbidden, so highlight them. highlight ForbiddenWhitespace ctermbg=red guibg=red match ForbiddenWhitespace /\s\+$\|\t/ 
diff --git a/doc/filters.texi b/doc/filters.texi index da7e816364..937addf17d 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -179,7 +179,7 @@ Follows a BNF description for the filtergraph syntax: @var{LINKLABEL} ::= "[" @var{NAME} "]" @var{LINKLABELS} ::= @var{LINKLABEL} [@var{LINKLABELS}] @var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted) -@var{FILTER} ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}] +@var{FILTER} ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}] @var{FILTERCHAIN} ::= @var{FILTER} [,@var{FILTERCHAIN}] @var{FILTERGRAPH} ::= [sws_flags=@var{flags};] @var{FILTERCHAIN} [;@var{FILTERGRAPH}] @end example diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index c7e3c68ccf..ee20a529eb 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -749,8 +749,10 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) } prestream = read_huffman_tables(f, prestream, buf + length - prestream); - if (!prestream) - return -1; + if (!prestream) { + av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); + return AVERROR_INVALIDDATA; + } init_get_bits(&f->gb, buf + 4, 8 * bitstream_size); diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index eb70249ef7..e1bb2dd7d3 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -387,6 +387,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if (bytestream2_tell(&g2) + 1 > stream_ptr_after_chunk) break; byte_run = sign_extend(bytestream2_get_byte(&g2), 8); + if (!byte_run) { + av_log(avctx, AV_LOG_ERROR, "Invalid byte run value.\n"); + return AVERROR_INVALIDDATA; + } + if (byte_run > 0) { palette_idx1 = bytestream2_get_byte(&g2); CHECK_PIXEL_PTR(byte_run); diff --git a/libavcodec/lagarithrac.h b/libavcodec/lagarithrac.h index d8d38f2054..9892d11fb3 100644 --- a/libavcodec/lagarithrac.h +++ b/libavcodec/lagarithrac.h 
@@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l) l->range -= range_scaled * l->prob[255]; } + if (!l->range) + l->range = 0x80; + l->low -= range_scaled * l->prob[val]; return val; diff --git a/libavcodec/loco.c b/libavcodec/loco.c index b437aaa214..f53e11cea3 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -181,7 +181,7 @@ static int decode_frame(AVCodecContext *avctx, p->key_frame = 1; #define ADVANCE_BY_DECODED do { \ - if (decoded < 0) goto stop; \ + if (decoded < 0 || decoded >= buf_size) goto buf_too_small; \ buf += decoded; buf_size -= decoded; \ } while(0) switch(l->mode) { @@ -215,7 +215,8 @@ static int decode_frame(AVCodecContext *avctx, decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1) + 2, avctx->width, avctx->height, -p->linesize[0], buf, buf_size, 3); break; - case LOCO_CRGBA: case LOCO_RGBA: + case LOCO_CRGBA: + case LOCO_RGBA: decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1), avctx->width, avctx->height, -p->linesize[0], buf, buf_size, 4); ADVANCE_BY_DECODED; @@ -229,15 +230,18 @@ static int decode_frame(AVCodecContext *avctx, -p->linesize[0], buf, buf_size, 4); break; } -stop: *got_frame = 1; *(AVFrame*)data = l->pic; return buf_size < 0 ? -1 : avpkt->size - buf_size; +buf_too_small: + av_log(avctx, AV_LOG_ERROR, "Input data too small.\n"); + return AVERROR(EINVAL); } -static av_cold int decode_init(AVCodecContext *avctx){ +static av_cold int decode_init(AVCodecContext *avctx) +{ LOCOContext * const l = avctx->priv_data; int version; diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 501f4937b9..28b5502ad0 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c 
@@ -1009,6 +1009,11 @@ static int output_data(MLPDecodeContext *m, unsigned int substr, return AVERROR_INVALIDDATA; } + if (!s->blockpos) { + av_log(avctx, AV_LOG_ERROR, "No samples to output.\n"); + return AVERROR_INVALIDDATA; + } + /* get output buffer */ m->frame.nb_samples = s->blockpos; if ((ret = ff_get_buffer(avctx, &m->frame)) < 0) { diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index f211b76b42..c778ee3e37 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -120,7 +120,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, while (lines_to_change--) { pixel_ptr = row_ptr + (num_pixels * (bytestream2_get_byte(&s->g) - 1)); - CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -175,7 +175,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) while (lines_to_change--) { pixel_ptr = row_ptr + (4 * (bytestream2_get_byte(&s->g) - 1)); - CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -225,7 +225,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change while (lines_to_change--) { pixel_ptr = row_ptr + (bytestream2_get_byte(&s->g) - 1) * 2; - CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -269,7 +269,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change while (lines_to_change--) { pixel_ptr = row_ptr + (bytestream2_get_byte(&s->g) - 1) * 3; - CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { 
@@ -316,7 +316,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change while (lines_to_change--) { pixel_ptr = row_ptr + (bytestream2_get_byte(&s->g) - 1) * 4; - CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { diff --git a/libavformat/mov.c b/libavformat/mov.c index b818a801df..a789750a55 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -835,7 +835,7 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) version = avio_r8(pb); if (version > 1) { - av_log_ask_for_sample(c, "unsupported version %d\n", version); + av_log_ask_for_sample(c->fc, "unsupported version %d\n", version); return AVERROR_PATCHWELCOME; } avio_rb24(pb); /* flags */ |
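Review bot: In the Changelog hunk, the new entries "av_memcpy_backptr: avoid an infinite loop for back = 0" and "cavs: initialize various context tables, avoids crashes with corrupted files" have no matching code change in this diff: the diffstat lists ten files, and neither libavutil/mem.c (named only under Conflicts) nor any cavs source file is among them. Please confirm that both fixes are already present in release/1.1 before the Changelog advertises them, or drop the entries. Two wording nits in the same hunk: the msrledec entry ends with a stray comma, and "prevent a crash due missing pred_flag parameter" should read "due to missing".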
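Review bot: In the flicvideo.c hunk, the new "if (!byte_run)" check in flic_decode_frame_8BPP carries no comment saying why zero is rejected. The commit message gives the reason (a zero run led to an infinite loop in byte run compression), so a one-line comment above the check would keep a later cleanup from removing it as redundant with the "byte_run > 0" branch that follows.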
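Review bot: In the lagarithrac.h hunk, "if (!l->range) l->range = 0x80;" in lag_get_rac() silently repairs a zero range with an unexplained constant. The function returns uint8_t and has no error path, so decoding continues on input the Changelog itself calls corrupted, with no log message and no state the caller can test. Please add a comment stating why 0x80 was chosen and that the purpose is to keep lag_rac_refill() from looping forever, and consider recording an error flag in lag_rac so the frame decoder can reject the data instead of emitting output derived from a patched-up range.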
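Review bot: In the loco.c hunks, the last loco_decode_plane() call in each case is still followed by "break;" rather than ADVANCE_BY_DECODED, so a negative "decoded" from the final plane is never checked and the code falls through to "*got_frame = 1;". Suggest testing "decoded" after the switch and failing the frame there. Two related points in the last hunk: now that the macro rejects "decoded >= buf_size", buf_size can no longer go negative through it, so the "buf_size < 0 ? -1" in the remaining return looks unreachable and still yields a bare -1; and buf_too_small returns AVERROR(EINVAL) while the corrupt-input checks added to 4xm.c, flicvideo.c and mlpdec.c in this same merge return AVERROR_INVALIDDATA, which would be the consistent choice here.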
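Review bot: In the five qtrle.c hunks, the only visible change is the removal of the comment "/* make sure pixel_ptr is positive */" after each CHECK_PIXEL_PTR(0), yet the commit message and Changelog describe this as "add more checks against pixel_ptr being negative". No check is added in these lines, and the diffstat count of 10 for qtrle.c is fully accounted for by the five comment removals. Please either keep the comment, since a call with an offset of 0 is not self-explanatory, or note in the merge message that the checks were already present in release/1.1 and only the comment differs.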