diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2005-01-12 00:16:25 +0000 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2005-01-12 00:16:25 +0000 |
| commit | 0ecca7a49f8e254c12a3a1de048d738bfbb614c6 (patch) | |
| tree | 816c7073739d918ca579171204e6d3caf9977da5 /libavcodec/mpegvideo.c | |
| parent | f14d4e7e21c48967c1a877fa9c4eb9943d2c30f5 (diff) | |
| download | ffmpeg-0ecca7a49f8e254c12a3a1de048d738bfbb614c6.tar.gz | |
various security fixes and precautionary checks
Originally committed as revision 3822 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/mpegvideo.c')
| -rw-r--r-- | libavcodec/mpegvideo.c | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 55c8601b26..ffb7e0f854 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -619,6 +619,9 @@ int MPV_common_init(MpegEncContext *s) return -1; } + if((s->width || s->height) && avcodec_check_dimensions(s->avctx, s->width, s->height)) + return -1; + dsputil_init(&s->dsp, s->avctx); DCT_common_init(s); @@ -742,9 +745,6 @@ int MPV_common_init(MpegEncContext *s) CHECKED_ALLOCZ(s->coded_block_base, y_size); s->coded_block= s->coded_block_base + s->b8_stride + 1; - /* divx501 bitstream reorder buffer */ - CHECKED_ALLOCZ(s->bitstream_buffer, BITSTREAM_BUFFER_SIZE); - /* cbp, ac_pred, pred_dir */ CHECKED_ALLOCZ(s->cbp_table , mb_array_size * sizeof(uint8_t)) CHECKED_ALLOCZ(s->pred_dir_table, mb_array_size * sizeof(uint8_t)) @@ -849,6 +849,8 @@ void MPV_common_end(MpegEncContext *s) av_freep(&s->mbskip_table); av_freep(&s->prev_pict_types); av_freep(&s->bitstream_buffer); + s->allocated_bitstream_buffer_size=0; + av_freep(&s->avctx->stats_out); av_freep(&s->ac_stats); av_freep(&s->error_status_table); @@ -2314,6 +2316,11 @@ int MPV_encode_picture(AVCodecContext *avctx, stuffing_count= ff_vbv_update(s, s->frame_bits); if(stuffing_count){ + if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < stuffing_count + 50){ + av_log(s->avctx, AV_LOG_ERROR, "stuffing too large\n"); + return -1; + } + switch(s->codec_id){ case CODEC_ID_MPEG1VIDEO: case CODEC_ID_MPEG2VIDEO: @@ -4555,16 +4562,16 @@ static int encode_thread(AVCodecContext *c, void *arg){ int mb_x, mb_y, pdif = 0; int i, j; MpegEncContext best_s, backup_s; - uint8_t bit_buf[2][3000]; - uint8_t bit_buf2[2][3000]; - uint8_t bit_buf_tex[2][3000]; + uint8_t bit_buf[2][MAX_MB_BYTES]; + uint8_t bit_buf2[2][MAX_MB_BYTES]; + uint8_t bit_buf_tex[2][MAX_MB_BYTES]; PutBitContext pb[2], pb2[2], tex_pb[2]; //printf("%d->%d\n", s->resync_mb_y, s->end_mb_y); for(i=0; i<2; i++){ - init_put_bits(&pb [i], bit_buf [i], 3000); - init_put_bits(&pb2 [i], bit_buf2 [i], 3000); - init_put_bits(&tex_pb[i], bit_buf_tex[i], 3000); + init_put_bits(&pb [i], bit_buf [i], MAX_MB_BYTES); + init_put_bits(&pb2 [i], bit_buf2 [i], MAX_MB_BYTES); + init_put_bits(&tex_pb[i], bit_buf_tex[i], MAX_MB_BYTES); } s->last_bits= put_bits_count(&s->pb); @@ -4622,6 +4629,18 @@ static int encode_thread(AVCodecContext *c, void *arg){ int dmin= INT_MAX; int dir; + if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < MAX_MB_BYTES){ + av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); + return -1; + } + if(s->data_partitioning){ + if( s->pb2 .buf_end - s->pb2 .buf - (put_bits_count(&s-> pb2)>>3) < MAX_MB_BYTES + || s->tex_pb.buf_end - s->tex_pb.buf - (put_bits_count(&s->tex_pb )>>3) < MAX_MB_BYTES){ + av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); + return -1; + } + } + s->mb_x = mb_x; s->mb_y = mb_y; // moved into loop, can get changed by H.261 ff_update_block_index(s); |