diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-04-02 01:25:31 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-04-02 01:25:31 +0200 |
| commit | b6cc1c77fd7d6a037c0c0c848c3621c7b1ff33b6 (patch) | |
| tree | c199a1262a7f194a52cb3790790614e4f7f05590 /libavcodec/svq3.c | |
| parent | ceeaf424513fc019228f2cb88ea468940eb61648 (diff) | |
| parent | bc5d86d23d1ad377addf54d65ee665327836075e (diff) | |
| download | ffmpeg-b6cc1c77fd7d6a037c0c0c848c3621c7b1ff33b6.tar.gz | |
Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7: (84 commits)
id3v2: fix skipping extended header in id3v2.4
Update RELEASE file for 0.7.5
lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
kgv1dec: Increase offsets array size so it is large enough.
kgv1: use avctx->get/release_buffer().
kvmc: fix invalid reads
nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
mjpegbdec: Fix overflow in SOS.
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
atrac3: Fix crash in tonal component decoding.
ws_snd1: Fix wrong samples count and crash.
ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4)
ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
h264: stricter reference limit enforcement.
jvdec: unbreak video decoding
xxan: don't read before start of buffer in av_memcpy_backptr().
dsicinvideo: validate buffer offset before copying pixels.
huffyuv: add padding to classic (v1) huffman tables.
...
Conflicts:
RELEASE
libavcodec/atrac3.c
libavcodec/h264.c
libavcodec/h264_parser.c
libavcodec/kgv1dec.c
libavcodec/shorten.c
libavcodec/svq3.c
libavcodec/ws-snd1.c
libavcodec/xxan.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/svq3.c')
| -rw-r--r-- | libavcodec/svq3.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 2deb16ad3c..eb883b4f4f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -811,7 +811,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) MpegEncContext *s = &h->s; int m; unsigned char *extradata; + unsigned char *extradata_end; unsigned int size; + int marker_found = 0; if (ff_h264_decode_init(avctx) < 0) return -1; @@ -832,19 +834,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) /* prowl for the "SEQH" marker in the extradata */ extradata = (unsigned char *)avctx->extradata; - for (m = 0; m < avctx->extradata_size; m++) { - if (!memcmp(extradata, "SEQH", 4)) - break; - extradata++; + extradata_end = avctx->extradata + avctx->extradata_size; + if (extradata) { + for (m = 0; m + 8 < avctx->extradata_size; m++) { + if (!memcmp(extradata, "SEQH", 4)) { + marker_found = 1; + break; + } + extradata++; + } } /* if a match was found, parse the extra data */ - if (extradata && !memcmp(extradata, "SEQH", 4)) { + if (marker_found) { GetBitContext gb; int frame_size_code; size = AV_RB32(&extradata[4]); + if (size > extradata_end - extradata - 8) + return AVERROR_INVALIDDATA; init_get_bits(&gb, extradata + 8, size*8); /* 'frame size code' and optional 'width, height' */ |