diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-11-22 01:43:58 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-22 01:43:58 +0100 |
| commit | b55aca6b8b3969e988e24f253b88e22ead80d8ba (patch) | |
| tree | 9b576cdd8f8b312e09c9c5819a2c7bcddfae7dcf /libavcodec/qdm2.c | |
| parent | 57bf0d1fe53bd501cd2c060075ee9ba27a770bcd (diff) | |
| parent | 4e9b2c57326fe254d0251fbf268b3481705b4c65 (diff) | |
| download | ffmpeg-b55aca6b8b3969e988e24f253b88e22ead80d8ba.tar.gz | |
Merge branch 'release/0.7' into oldabi
* release/0.7: (33 commits)
Update for 0.7.8
svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148
vp3dec: Check coefficient index in vp3_dequant() Fixes NGS00145
qdm2dec: fix buffer overflow. Fixes NGS00144
h264: Fix invalid interlaced progressive MB combinations for direct mode prediction. Fixes Ticket312
mpegvideo: dont use ff_mspel_motion() for vc1 Fixes Ticket655
imgutils: Fix illegal read.
ac3probe: Detect Sonic Foundry Soft Encode AC3 as raw AC3. Our ac3 code chain can handle it fine. More ideal would be to write a demuxer that actually extracts what can be from the additional headers and uses it for whatever it can be used for.
mjpeg: support mpo Fixes stereoscopic_photo.mpo
Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info.
lavf: fix multiplication overflow in avformat_find_stream_info()
lavf: fix invalid reads in avformat_find_stream_info()
lavf: add avformat_find_stream_info()
lavc: fix parentheses placement in avcodec_open2().
lavc: introduce avcodec_open2() as a replacement for avcodec_open().
rawdec: use a default sample rate if none is specified. Fixes "ffmpeg -f s16le -i /dev/zero"
rawdec: add check on sample_rate
qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones() This is neccessary but likely not sufficient to prevent out of array reads.
cinepak: check strip_size
wma: Check channel number before init. Fixes Ticket240
...
Conflicts:
RELEASE
doc/APIchanges
libavcodec/avcodec.h
libavcodec/utils.c
libavcodec/version.h
libavdevice/v4l2.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/qdm2.c')
| -rw-r--r-- | libavcodec/qdm2.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index bc9ba95afa..e2eb0eacb8 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -77,6 +77,7 @@ do { \ #define SAMPLES_NEEDED_2(why) \ av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why); +#define QDM2_MAX_FRAME_SIZE 512 typedef int8_t sb_int8_array[2][30][64]; @@ -169,7 +170,7 @@ typedef struct { /// I/O data const uint8_t *compressed_data; int compressed_size; - float output_buffer[1024]; + float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2]; /// Synthesis filter MPADSPContext mpadsp; @@ -1328,7 +1329,7 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * local_int_10 = 1 << (q->group_order - duration - 1); offset = 1; - while (1) { + while (get_bits_left(gb)>0) { if (q->superblocktype_2_3) { while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) { offset = 1; @@ -1823,7 +1824,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block - if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2) + + if (s->frame_size > QDM2_MAX_FRAME_SIZE) return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; @@ -1894,6 +1896,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) int ch, i; const int frame_size = (q->frame_size * q->channels); + if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2) + return -1; + /* select input buffer */ q->compressed_data = in; q->compressed_size = q->checksum_size; |