authorMichael Niedermayer <michaelni@gmx.at>2011-09-07 15:04:56 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-09-07 15:04:56 +0200
commit21d99be9dc00a03be94bbcc1be0a2ec6a83d9b4e (patch)
treed0b74bea0b49b6e4e9b6e115ca87f3ca10589584 /libavcodec/cavsdec.c
parent7b6b9be8614aa53e79db565c9203b9afaa452d8d (diff)
parentc2a2ad133eb9d42361804a568dee336992349a5e (diff)
Merge branch 'release/0.8' into release/0.7
* release/0.8: (21 commits) rtp: Fix integer underflow that could allow remote code execution. cavsdec: avoid possible crash with crafted input vf_scale: apply the same transform to the aspect during init that is applied per frame Fix memory corruption in case of memory allocation failure in av_probe_input_buffer() Make all option parsing functions match the function pointer type through which they are called. mjpegdec; even better RSTn skiping Fixes Ticket426 jpegdec: better rst skiping Fixes Ticket426 mpeg4: fix another packed divx issue. Fixes getting_stuck.avi mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427 configure: add missing CFLAGS to fix building on the HURD cavs: fix some crashes with invalid bitstreams jpegdec: actually search for and parse RSTn Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690a17f05630eb6f45a73db0f0e806c72) libavfilter: fix --enable-small 0.8.2 cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check Fix possible crash when decoding mpeg streams. Bink: clip AC coefficients during dequantization. ffmpeg: fix passlogfile regression Fix several security issues in matroskadec.c (MSVR-11-0080). ... Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/cavsdec.c')
-rw-r--r--libavcodec/cavsdec.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 6e83a7d381..906afdb668 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -125,6 +125,8 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
level_code = get_ue_code(gb,r->golomb_order);
if(level_code >= ESCAPE_CODE) {
run = ((level_code - ESCAPE_CODE) >> 1) + 1;
+ if(run > 64)
+ return -1;
esc_code = get_ue_code(gb,esc_golomb_order);
level = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
while(level > r->inc_limit)
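Review bot: The new `run > 64` rejection returns -1 without logging, unlike the cbp checks in this file that call av_log before failing, so a truncated or crafted stream fails silently here; consider `av_log(h->s.avctx, AV_LOG_ERROR, "run %d is too large\n", run);` before the return. The bare 64 also deserves a comment such as `/* a run cannot exceed the 64 coefficients of one block */` (presumably the 8x8 block size; confirm). esc_code, read on the next line, is still added into level with no range check, so if get_ue_code can return large values that sum may overflow, which is worth confirming. decode_residual_block starts and continues outside the hunk.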
@@ -164,7 +166,7 @@ static inline int decode_residual_inter(AVSContext *h) {
/* get coded block pattern */
int cbp= get_ue_golomb(&h->s.gb);
- if(cbp > 63){
+ if(cbp > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
return -1;
}
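Review bot: The `63U` comparison rejects negative cbp values only through the implicit int-to-unsigned conversion, which is easy to miss and easy to undo in a later cleanup. Since cbp is still declared `int` on the line above, writing `if(cbp < 0 || cbp > 63){` or adding `/* unsigned compare also rejects negative golomb results */` would make the intent visible. The same idiom is used for cbp_code in the decode_mb_i hunk further down, and the pred_mode_uv declaration change there looks like it serves the same purpose for a check outside the visible lines. If the value is used as a table index afterwards (not shown here), the lower bound matters as much as the upper one.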
@@ -190,7 +192,8 @@ static inline int decode_residual_inter(AVSContext *h) {
static int decode_mb_i(AVSContext *h, int cbp_code) {
GetBitContext *gb = &h->s.gb;
- int block, pred_mode_uv;
+ unsigned pred_mode_uv;
+ int block;
uint8_t top[18];
uint8_t *left = NULL;
uint8_t *d;
@@ -223,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
/* get coded block pattern */
if(h->pic_type == AV_PICTURE_TYPE_I)
cbp_code = get_ue_golomb(gb);
- if(cbp_code > 63){
+ if(cbp_code > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
return -1;
}
@@ -446,6 +449,8 @@ static inline int check_for_slice(AVSContext *h) {
if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
skip_bits_long(gb,24+align);
h->stc = get_bits(gb,8);
+ if (h->stc >= h->mb_height)
+ return 0;
decode_slice_header(h,gb);
return 1;
}
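Review bot: h->stc is assigned before the new range check, so when the check fails the context keeps the out-of-range value. The function then returns 0, the same result as "no start code here", after skip_bits_long and get_bits have already consumed the bits. If h->stc is read later as a row index (not visible in this hunk), the rejected value is still there; reading into a local first avoids that: `int stc = get_bits(gb,8);`, `if (stc >= h->mb_height) return 0;`, `h->stc = stc;`. A log line or a distinct error return would also let the caller tell a bad slice code from the absence of one. check_for_slice starts and ends outside the hunk.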
@@ -660,7 +665,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
buf_end = buf + buf_size;
for(;;) {
buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
- if(stc & 0xFFFFFE00)
+ if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
input_size = (buf_end - buf_ptr)*8;
switch(stc) {
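Review bot: The added `buf_ptr == buf_end` test has no comment saying why an otherwise valid start code is abandoned; something like `/* start code at the very end of the buffer: no payload left to parse */` above the condition would help. On the following line `(buf_end - buf_ptr)*8` is derived from the caller-supplied buffer size. If input_size is an int (its declaration is outside the hunk), a very large packet could overflow the bit count, which is worth confirming. cavs_decode_frame starts and continues outside the hunk.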