aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/nuv.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-11-09 00:54:58 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-11-09 01:03:40 +0100
commit57bf0d1fe53bd501cd2c060075ee9ba27a770bcd (patch)
tree5039c9b0d0fc2ed9419215d2219eff9c7d4c3aa1 /libavcodec/nuv.c
parent661e0811760844fd03d2f5cfe74c5736bb4b8ecc (diff)
parent3970d4e72809d9c9bf4c463ba1a6ab2650e3252b (diff)
downloadffmpeg-57bf0d1fe53bd501cd2c060075ee9ba27a770bcd.tar.gz
Merge branch 'release/0.7' into oldabi
* release/0.7: (290 commits) nuv: Fix combination of size changes and LZO compression. av_lzo1x_decode: properly handle negative buffer length. Do not call parse_keyframes_index with NULL stream. update versions for 0.7 branch Version numbers for 0.8.6 snow: emu edge support Fixes Ticket592 imc: validate channel count imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263) libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf) configure: fix arch x86_32 mp3enc: avoid truncating id3v1 tags by one byte asfdec: Check packet_replic_size earlier cin audio: validate the channel count binkaudio: add some buffer overread checks. atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872) atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e) vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f) apedec: set s->currentframeblocks after validating nblocks apedec: use unsigned int for 'nblocks' and make sure that it's within int range apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d) ... Conflicts: Changelog Makefile RELEASE configure libavcodec/error_resilience.c libavcodec/mpegvideo.c libavformat/matroskaenc.c tests/ref/lavf/mxf Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/nuv.c')
-rw-r--r--libavcodec/nuv.c38
1 files changed, 26 insertions, 12 deletions
diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 2a60fe47fc..3d73fd225b 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -20,6 +20,7 @@
*/
#include <stdio.h>
#include <stdlib.h>
+#include <limits.h>
#include "libavutil/bswap.h"
#include "libavutil/lzo.h"
@@ -112,19 +113,23 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit
if (quality >= 0)
get_quant_quality(c, quality);
if (width != c->width || height != c->height) {
- if (av_image_check_size(height, width, 0, avctx) < 0)
- return 0;
+ // also reserve space for a possible additional header
+ int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING;
+ if (av_image_check_size(height, width, 0, avctx) < 0 ||
+ buf_size > INT_MAX/8)
+ return -1;
avctx->width = c->width = width;
avctx->height = c->height = height;
- av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2);
+ av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size);
if (!c->decomp_buf) {
av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
- return 0;
+ return AVERROR(ENOMEM);
}
rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq);
+ return 1;
} else if (quality != c->quality)
rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq);
- return 1;
+ return 0;
}
static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
@@ -135,6 +140,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVFrame *picture = data;
int orig_size = buf_size;
int keyframe;
+ int size_change = 0;
int result;
enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1',
NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3',
@@ -172,18 +178,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
default:
keyframe = 1; break;
}
+retry:
// skip rest of the frameheader.
buf = &buf[12];
buf_size -= 12;
if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) {
- int outlen = c->decomp_size, inlen = buf_size;
+ int outlen = c->decomp_size - AV_LZO_OUTPUT_PADDING, inlen = buf_size;
if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen))
av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
buf = c->decomp_buf;
- buf_size = c->decomp_size;
+ buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING;
}
if (c->codec_frameheader) {
- int w, h, q;
+ int w, h, q, res;
if (buf_size < 12) {
av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n");
return -1;
@@ -191,13 +198,20 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
w = AV_RL16(&buf[6]);
h = AV_RL16(&buf[8]);
q = buf[10];
- if (!codec_reinit(avctx, w, h, q))
- return -1;
+ res = codec_reinit(avctx, w, h, q);
+ if (res < 0)
+ return res;
+ if (res) {
+ buf = avpkt->data;
+ buf_size = avpkt->size;
+ size_change = 1;
+ goto retry;
+ }
buf = &buf[12];
buf_size -= 12;
}
- if (keyframe && c->pic.data[0])
+ if ((size_change || keyframe) && c->pic.data[0])
avctx->release_buffer(avctx, &c->pic);
c->pic.reference = 3;
c->pic.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_READABLE |
@@ -259,7 +273,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
if (avctx->extradata_size)
get_quant(avctx, c, avctx->extradata, avctx->extradata_size);
dsputil_init(&c->dsp, avctx);
- if (!codec_reinit(avctx, avctx->width, avctx->height, -1))
+ if (codec_reinit(avctx, avctx->width, avctx->height, -1) < 0)
return 1;
return 0;
}