authorMichael Niedermayer <michaelni@gmx.at>2011-11-04 20:20:37 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-11-04 20:20:37 +0100
commit3e17543491dd6db043090f9edfc2ad8677fde868 (patch)
tree35fc291c862d3b57c108461dc6beb3f712491dee /libavcodec
parent7275dc28f6eec4168dbef79275b605bc73dbc0e4 (diff)
parent1e1015fd223ff33a88585db13047ce766369c21b (diff)
downloadffmpeg-3e17543491dd6db043090f9edfc2ad8677fde868.tar.gz
Merge branch 'release/0.8' into release/0.7
* release/0.8: (96 commits) Version numbers for 0.8.6 snow: emu edge support Fixes Ticket592 imc: validate channel count imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263) libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf) configure: fix arch x86_32 mp3enc: avoid truncating id3v1 tags by one byte asfdec: Check packet_replic_size earlier cin audio: validate the channel count binkaudio: add some buffer overread checks. atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872) atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e) vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f) apedec: set s->currentframeblocks after validating nblocks apedec: use unsigned int for 'nblocks' and make sure that it's within int range apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d) apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313d11b37772c05a28da20fbc112db478) mpegaudiodec: check output data size based on avctx->frame_size resample: Fix array size resample2: fix potential overflow ... Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/4xm.c2
-rw-r--r--libavcodec/aacdec.c4
-rw-r--r--libavcodec/apedec.c47
-rw-r--r--libavcodec/atrac1.c16
-rw-r--r--libavcodec/binkaudio.c47
-rw-r--r--libavcodec/dca.c3
-rw-r--r--libavcodec/dsicinav.c5
-rw-r--r--libavcodec/dvdata.c8
-rw-r--r--libavcodec/eamad.c16
-rw-r--r--libavcodec/eatgv.c25
-rw-r--r--libavcodec/golomb.h14
-rw-r--r--libavcodec/h264.c15
-rw-r--r--libavcodec/h264.h2
-rw-r--r--libavcodec/h264_direct.c3
-rw-r--r--libavcodec/h264_ps.c4
-rw-r--r--libavcodec/h264pred.c10
-rw-r--r--libavcodec/h264pred_template.c32
-rw-r--r--libavcodec/imc.c12
-rw-r--r--libavcodec/imgconvert.c10
-rw-r--r--libavcodec/libgsm.c11
-rw-r--r--libavcodec/libx264.c4
-rw-r--r--libavcodec/mlpdec.c7
-rw-r--r--libavcodec/motion_est.c4
-rw-r--r--libavcodec/mpc7.c11
-rw-r--r--libavcodec/mpc8.c10
-rw-r--r--libavcodec/mpegaudiodec.c7
-rw-r--r--libavcodec/mpegvideo.c15
-rw-r--r--libavcodec/mpegvideo_enc.c2
-rw-r--r--libavcodec/pthread.c3
-rw-r--r--libavcodec/put_bits.h3
-rw-r--r--libavcodec/qcelpdec.c10
-rw-r--r--libavcodec/qdm2.c11
-rw-r--r--libavcodec/qtrle.c7
-rw-r--r--libavcodec/resample.c4
-rw-r--r--libavcodec/resample2.c11
-rw-r--r--libavcodec/shorten.c26
-rw-r--r--libavcodec/sipr.c17
-rw-r--r--libavcodec/smacker.c17
-rw-r--r--libavcodec/snow.c4
-rw-r--r--libavcodec/truespeech.c5
-rw-r--r--libavcodec/twinvq.c11
-rw-r--r--libavcodec/txd.c22
-rw-r--r--libavcodec/vorbisdec.c12
-rw-r--r--libavcodec/vp3.c59
-rw-r--r--libavcodec/vp6.c4
-rw-r--r--libavcodec/vp8.c36
-rw-r--r--libavcodec/vqavideo.c10
-rw-r--r--libavcodec/wmavoice.c2
-rw-r--r--libavcodec/xxan.c13
49 files changed, 471 insertions, 162 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 7344f4cd1f..3f8061f942 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -279,7 +279,7 @@ static void init_mv(FourXContext *f){
}
#endif
-static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){
+static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){
int i;
dc*= 0x10001;
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 6cc0cec0f0..e9f2cc53e9 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1090,7 +1090,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
GET_VLC(code, re, gb, vlc_tab, 8, 2);
cb_idx = cb_vector_idx[code];
nnz = cb_idx >> 8 & 15;
- bits = SHOW_UBITS(re, gb, nnz) << (32-nnz);
+ bits = nnz ? GET_CACHE(re, gb) : 0;
LAST_SKIP_BITS(re, gb, nnz);
cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx);
} while (len -= 4);
@@ -1130,7 +1130,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
GET_VLC(code, re, gb, vlc_tab, 8, 2);
cb_idx = cb_vector_idx[code];
nnz = cb_idx >> 8 & 15;
- sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12);
+ sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0;
LAST_SKIP_BITS(re, gb, nnz);
cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx);
} while (len -= 2);
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index f036c4a1d7..4d8a9401c1 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -163,6 +163,18 @@ typedef struct APEContext {
// TODO: dsputilize
+static av_cold int ape_decode_close(AVCodecContext * avctx)
+{
+ APEContext *s = avctx->priv_data;
+ int i;
+
+ for (i = 0; i < APE_FILTER_LEVELS; i++)
+ av_freep(&s->filterbuf[i]);
+
+ av_freep(&s->data);
+ return 0;
+}
+
static av_cold int ape_decode_init(AVCodecContext * avctx)
{
APEContext *s = avctx->priv_data;
@@ -195,25 +207,18 @@ static av_cold int ape_decode_init(AVCodecContext * avctx)
for (i = 0; i < APE_FILTER_LEVELS; i++) {
if (!ape_filter_orders[s->fset][i])
break;
- s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4);
+ FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i],
+ (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4,
+ filter_alloc_fail);
}
dsputil_init(&s->dsp, avctx);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
return 0;
-}
-
-static av_cold int ape_decode_close(AVCodecContext * avctx)
-{
- APEContext *s = avctx->priv_data;
- int i;
-
- for (i = 0; i < APE_FILTER_LEVELS; i++)
- av_freep(&s->filterbuf[i]);
-
- av_freep(&s->data);
- return 0;
+filter_alloc_fail:
+ ape_decode_close(avctx);
+ return AVERROR(ENOMEM);
}
/**
@@ -797,7 +802,7 @@ static int ape_decode_frame(AVCodecContext * avctx,
int buf_size = avpkt->size;
APEContext *s = avctx->priv_data;
int16_t *samples = data;
- int nblocks;
+ uint32_t nblocks;
int i, n;
int blockstodecode;
int bytes_used;
@@ -814,12 +819,15 @@ static int ape_decode_frame(AVCodecContext * avctx,
}
if(!s->samples){
- s->data = av_realloc(s->data, (buf_size + 3) & ~3);
+ void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3);
+ if (!tmp_data)
+ return AVERROR(ENOMEM);
+ s->data = tmp_data;
s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2);
s->ptr = s->last_ptr = s->data;
s->data_end = s->data + buf_size;
- nblocks = s->samples = bytestream_get_be32(&s->ptr);
+ nblocks = bytestream_get_be32(&s->ptr);
n = bytestream_get_be32(&s->ptr);
if(n < 0 || n > 3){
av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n");
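Review bot: The two bytestream_get_be32 reads at the end of the hunk consume 8 bytes of s->data, but nothing in the hunk bounds buf_size first, and the realloc only rounds the size up to a multiple of 4; unless an earlier check outside the hunk rejects packets shorter than 8 bytes, a 1–7 byte packet is read past data_end. A guard before the realloc closes it: `if (buf_size < 8) return AVERROR_INVALIDDATA;`. The realloc-into-temporary fix itself is correct — s->data stays valid on failure. ape_decode_frame continues outside the hunk.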
@@ -828,12 +836,13 @@ static int ape_decode_frame(AVCodecContext * avctx,
}
s->ptr += n;
- s->currentframeblocks = nblocks;
buf += 4;
- if (s->samples <= 0) {
+ if (!nblocks || nblocks > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks);
*data_size = 0;
- return buf_size;
+ return AVERROR_INVALIDDATA;
}
+ s->currentframeblocks = s->samples = nblocks;
memset(s->decoded0, 0, sizeof(s->decoded0));
memset(s->decoded1, 0, sizeof(s->decoded1));
diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c
index 1f4c36c141..6897790307 100644
--- a/libavcodec/atrac1.c
+++ b/libavcodec/atrac1.c
@@ -276,7 +276,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
AT1Ctx *q = avctx->priv_data;
- int ch, ret, i;
+ int ch, ret, i, out_size;
GetBitContext gb;
float* samples = data;
@@ -286,6 +286,13 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
return -1;
}
+ out_size = q->channels * AT1_SU_SAMPLES *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
for (ch = 0; ch < q->channels; ch++) {
AT1SUCtx* su = &q->SUs[ch];
@@ -318,7 +325,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
}
}
- *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples);
+ *data_size = out_size;
return avctx->block_align;
}
@@ -329,6 +336,11 @@ static av_cold int atrac1_decode_init(AVCodecContext *avctx)
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+ if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) {
+ av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n",
+ avctx->channels);
+ return AVERROR(EINVAL);
+ }
q->channels = avctx->channels;
/* Init the mdct transforms */
diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
index ff36458c7e..3b65a19261 100644
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -153,11 +153,18 @@ static const uint8_t rle_length_tab[16] = {
2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64
};
+#define GET_BITS_SAFE(out, nbits) do { \
+ if (get_bits_left(gb) < nbits) \
+ return AVERROR_INVALIDDATA; \
+ out = get_bits(gb, nbits); \
+} while (0)
+
/**
* Decode Bink Audio block
* @param[out] out Output buffer (must contain s->block_size elements)
+ * @return 0 on success, negative error code on failure
*/
-static void decode_block(BinkAudioContext *s, short *out, int use_dct)
+static int decode_block(BinkAudioContext *s, short *out, int use_dct)
{
int ch, i, j, k;
float q, quant[25];
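Review bot: GET_BITS_SAFE hides a `return` from the calling function and depends on a local named `gb` being in scope, neither of which is visible at its call sites, so it deserves a comment above the definition: `/* Read nbits into out; on underrun returns AVERROR_INVALIDDATA from the *calling* function. Requires a GetBitContext *gb in scope. */`. The arguments should also be parenthesized — `if (get_bits_left(gb) < (nbits))` and `(out) = get_bits(gb, (nbits));` — so an expression argument does not bind unexpectedly. Since the macro can only be used in functions returning int, that constraint belongs in the same comment.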
@@ -170,13 +177,19 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
for (ch = 0; ch < s->channels; ch++) {
FFTSample *coeffs = s->coeffs_ptr[ch];
if (s->version_b) {
+ if (get_bits_left(gb) < 64)
+ return AVERROR_INVALIDDATA;
coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root;
coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root;
} else {
+ if (get_bits_left(gb) < 58)
+ return AVERROR_INVALIDDATA;
coeffs[0] = get_float(gb) * s->root;
coeffs[1] = get_float(gb) * s->root;
}
+ if (get_bits_left(gb) < s->num_bands * 8)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < s->num_bands; i++) {
/* constant is result of 0.066399999/log10(M_E) */
int value = get_bits(gb, 8);
@@ -191,15 +204,20 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
while (i < s->frame_len) {
if (s->version_b) {
j = i + 16;
- } else if (get_bits1(gb)) {
- j = i + rle_length_tab[get_bits(gb, 4)] * 8;
} else {
- j = i + 8;
+ int v;
+ GET_BITS_SAFE(v, 1);
+ if (v) {
+ GET_BITS_SAFE(v, 4);
+ j = i + rle_length_tab[v] * 8;
+ } else {
+ j = i + 8;
+ }
}
j = FFMIN(j, s->frame_len);
- width = get_bits(gb, 4);
+ GET_BITS_SAFE(width, 4);
if (width == 0) {
memset(coeffs + i, 0, (j - i) * sizeof(*coeffs));
i = j;
@@ -209,9 +227,11 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
while (i < j) {
if (s->bands[k] == i)
q = quant[k++];
- coeff = get_bits(gb, width);
+ GET_BITS_SAFE(coeff, width);
if (coeff) {
- if (get_bits1(gb))
+ int v;
+ GET_BITS_SAFE(v, 1);
+ if (v)
coeffs[i] = -q * coeff;
else
coeffs[i] = q * coeff;
@@ -247,6 +267,8 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
s->overlap_len * s->channels * sizeof(*out));
s->first = 0;
+
+ return 0;
}
static av_cold int decode_end(AVCodecContext *avctx)
@@ -278,12 +300,17 @@ static int decode_frame(AVCodecContext *avctx,
int reported_size;
GetBitContext *gb = &s->gb;
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
init_get_bits(gb, buf, buf_size * 8);
reported_size = get_bits_long(gb, 32);
- while (get_bits_count(gb) / 8 < buf_size &&
- samples + s->block_size <= samples_end) {
- decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT);
+ while (samples + s->block_size <= samples_end) {
+ if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT))
+ break;
samples += s->block_size;
get_bits_align32(gb);
}
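Review bot: The `break` on a decode_block failure discards its error code, so a packet whose first block is already truncated still takes the normal success path with no samples produced; the return statement that follows is outside the hunk, but nothing in the loop records that an error occurred. Consider keeping the code and propagating it when nothing was decoded, e.g. `int ret = decode_block(...); if (ret < 0) { if (samples == start_of_output) return ret; break; }`, where the output start is whatever the function names it above the hunk. The loop also now relies entirely on decode_block's internal get_bits_left checks since the `get_bits_count(gb) / 8 < buf_size` condition was dropped, which is worth a one-line comment on the `while`.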
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index 69df8f4597..24153ebdd2 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -905,7 +905,8 @@ static void qmf_32_subbands(DCAContext * s, int chans,
for (subindex = 0; subindex < 8; subindex++) {
/* Load in one sample from each subband and clear inactive subbands */
for (i = 0; i < sb_act; i++){
- uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30;
+ unsigned sign = (i - 1) & 2;
+ uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30;
AV_WN32A(&s->raXin[i], v);
}
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index faca821c7d..d4dbb35472 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -310,6 +310,11 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx)
CinAudioContext *cin = avctx->priv_data;
cin->avctx = avctx;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
cin->initial_decode_frame = 1;
cin->delta = 0;
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c
index 05993d874f..db6ed2b871 100644
--- a/libavcodec/dvdata.c
+++ b/libavcodec/dvdata.c
@@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = {
const DVprofile* ff_dv_frame_profile(const DVprofile *sys,
const uint8_t* frame, unsigned buf_size)
{
- int i;
+ int i, dsf, stype;
- int dsf = (frame[3] & 0x80) >> 7;
+ if(buf_size < DV_PROFILE_BYTES)
+ return NULL;
- int stype = frame[80*5 + 48 + 3] & 0x1f;
+ dsf = (frame[3] & 0x80) >> 7;
+ stype = frame[80*5 + 48 + 3] & 0x1f;
/* 576i50 25Mbps 4:1:1 is a special case */
if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {
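Review bot: ff_dv_frame_profile now returns NULL for a short buffer, which is a new failure mode for every caller, and the declaration's doc comment (above the hunk) should state it: `@return the matching profile, or NULL if buf_size < DV_PROFILE_BYTES or no profile matches` — whether the no-match path already returned NULL is outside the hunk. Any caller that dereferences the result unconditionally needs a corresponding check. Moving the frame[] reads below the size check is the right order; the reads at offsets 3, 4 and 80*5+48+3 are only safe because DV_PROFILE_BYTES presumably covers them, which is worth confirming against its definition.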
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index d4881ab843..602bbfcf93 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -85,15 +85,21 @@ static inline void comp_block(MadContext *t, int mb_x, int mb_y,
{
MpegEncContext *s = &t->s;
if (j < 4) {
+ unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+ if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7)
+ return;
comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3),
t->frame.linesize[0],
- t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x,
+ t->last_frame.data[0] + offset,
t->last_frame.linesize[0], add);
} else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) {
int index = j - 3;
+ unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2);
+ if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7)
+ return;
comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8,
t->frame.linesize[index],
- t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2),
+ t->last_frame.data[index] + offset,
t->last_frame.linesize[index], add);
}
}
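Review bot: The two new bounds checks encode an 8x8 source block through bare `7`s (`(s->height - 7) * linesize - 7`), and also rely on a negative mv_y wrapping the unsigned `offset` to a value above the bound; neither is stated, so a comment on each check would save the next reader the arithmetic: `/* reject MVs whose 8x8 source block (7 more rows and 7 more columns) would end past last_frame; negative MVs wrap offset above the bound */`. The check assumes a positive linesize — presumably what get_buffer hands out, but worth confirming, since a negative stride would make the bound meaningless. A rejected MV silently leaves the destination block untouched, which is fine for a conceal-on-error policy but should be said.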
@@ -205,7 +211,8 @@ static void decode_mb(MadContext *t, int inter)
for (j=0; j<6; j++) {
if (mv_map & (1<<j)) { // mv_x and mv_y are guarded by mv_map
int add = 2*decode_motion(&s->gb);
- comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
+ if (t->last_frame.data[0])
+ comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
} else {
s->dsp.clear_block(t->block);
decode_block_intra(t, t->block);
@@ -266,6 +273,8 @@ static int decode_frame(AVCodecContext *avctx,
avcodec_set_dimensions(avctx, s->width, s->height);
if (t->frame.data[0])
avctx->release_buffer(avctx, &t->frame);
+ if (t->last_frame.data[0])
+ avctx->release_buffer(avctx, &t->last_frame);
}
t->frame.reference = 1;
@@ -280,6 +289,7 @@ static int decode_frame(AVCodecContext *avctx,
if (!t->bitstream_buf)
return AVERROR(ENOMEM);
bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
+ memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
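Review bot: The memset writes FF_INPUT_BUFFER_PADDING_SIZE bytes beyond the swapped payload, which is only safe if the allocation of t->bitstream_buf just above the hunk requested `(buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE`; that allocation line is outside the hunk, and if it only sized the payload this is a heap overflow rather than a hardening. A comment tying the two together would make the dependency auditable: `/* zero the padding so the bit reader cannot pick up stale bytes; the allocation above includes FF_INPUT_BUFFER_PADDING_SIZE */`. The `(uint8_t*)` cast is needed because bitstream_buf is a uint16_t pointer and the offset is in bytes, which is also worth a word.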
diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c
index 0855f10417..fb88dce5d3 100644
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@@ -74,7 +74,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
else
src += 2;
- if (src+3>src_end)
+ if (src_end - src < 3)
return -1;
size = AV_RB24(src);
src += 3;
@@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
* @return 0 on success, -1 on critical buffer underflow
*/
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
- unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0];
+ unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];
int num_mvs;
int num_blocks_raw;
int num_blocks_packed;
@@ -148,7 +148,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
int mvbits;
const unsigned char *blocks_raw;
- if(buf+12>buf_end)
+ if(buf_end - buf < 12)
return -1;
num_mvs = AV_RL16(&buf[0]);
@@ -171,7 +171,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
/* read motion vectors */
mvbits = (num_mvs*2*10+31) & ~31;
- if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end)
+ if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed)
return -1;
init_get_bits(&gb, buf, mvbits);
@@ -207,12 +207,14 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
int src_stride;
if (vector < num_mvs) {
- src = s->last_frame.data[0] +
- (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
- x*4 + s->mv_codebook[vector][0];
+ unsigned offset =
+ (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
+ x*4 + s->mv_codebook[vector][0];
+
src_stride = s->last_frame.linesize[0];
- if (src+3*src_stride+3>=frame0_end)
+ if (offset >= last_frame_size - (3*src_stride+3))
continue;
+ src = s->last_frame.data[0] + offset;
}else{
int offset = vector - num_mvs;
if (offset<num_blocks_raw)
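Review bot: `last_frame_size - (3*src_stride+3)` is an unsigned subtraction that wraps when the reference frame has fewer than four rows, after which no offset is rejected; a two-part guard closes it: `if (last_frame_size < 3*src_stride + 3 || offset >= last_frame_size - (3*src_stride + 3)) continue;`. The check also assumes last_frame.data[0] is non-NULL and linesize is positive; whether that is verified before this loop is outside the hunk. Switching from pointer comparison to an unsigned offset is the right move, since the old `src+3*src_stride+3` could form an out-of-object pointer before the compare.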
@@ -252,12 +254,15 @@ static int tgv_decode_frame(AVCodecContext *avctx,
const uint8_t *buf_end = buf + buf_size;
int chunk_type;
+ if (buf_end - buf < EA_PREAMBLE_SIZE)
+ return AVERROR_INVALIDDATA;
+
chunk_type = AV_RL32(&buf[0]);
buf += EA_PREAMBLE_SIZE;
if (chunk_type==kVGT_TAG) {
int pal_count, i;
- if(buf+12>buf_end) {
+ if(buf_end - buf < 12) {
av_log(avctx, AV_LOG_WARNING, "truncated header\n");
return -1;
}
@@ -272,7 +277,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
pal_count = AV_RL16(&buf[6]);
buf += 12;
- for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+ for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
s->palette[i] = AV_RB24(buf);
buf += 3;
}
diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
index 90eeb30b54..8dff0322a7 100644
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -75,6 +75,20 @@ static inline int get_ue_golomb(GetBitContext *gb){
}
}
+/**
+ * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1.
+ */
+static inline unsigned get_ue_golomb_long(GetBitContext *gb)
+{
+ unsigned buf, log;
+
+ buf = show_bits_long(gb, 32);
+ log = 31 - av_log2(buf);
+ skip_bits_long(gb, log);
+
+ return get_bits_long(gb, log + 1) - 1;
+}
+
/**
* read unsigned exp golomb code, constraint to a max of 31.
* the return value is undefined if the stored value exceeds 31.
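Review bot: get_ue_golomb_long does not detect an invalid code: if av_log2(0) yields 0 (as libavutil's table-based implementation does), a 32-zero-bit prefix makes `log` 31 and the function returns `get_bits_long(gb, 32) - 1` from whatever follows with no error indication, and bitstream exhaustion is likewise unchecked. The doc comment should say so, mirroring the caveat on the 31-bit variant below: `@note Codes with 32 or more leading zero bits and reads past the end of the buffer are not detected; callers must range-check the result.` Adding `@param gb bit reader positioned at the start of the code` and `@return the decoded value` would bring it in line with the file's other blocks.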
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 47ac9f02c6..ff38bd7db7 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1019,8 +1019,12 @@ static av_cold void common_init(H264Context *h){
s->height = s->avctx->height;
s->codec_id= s->avctx->codec->id;
- ff_h264dsp_init(&h->h264dsp, 8);
- ff_h264_pred_init(&h->hpc, s->codec_id, 8);
+ s->avctx->bits_per_raw_sample = 8;
+
+ ff_h264dsp_init(&h->h264dsp,
+ s->avctx->bits_per_raw_sample);
+ ff_h264_pred_init(&h->hpc, s->codec_id,
+ s->avctx->bits_per_raw_sample);
h->dequant_coeff_pps= -1;
s->unrestricted_mv=1;
@@ -2633,6 +2637,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
free_tables(h, 0);
flush_dpb(s->avctx);
MPV_common_end(s);
+ h->list_count = 0;
}
if (!s->context_initialized) {
if (h != h0) {
@@ -3753,9 +3758,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
switch (hx->nal_unit_type) {
case NAL_SPS:
case NAL_PPS:
+ nals_needed = nal_index;
+ break;
case NAL_IDR_SLICE:
case NAL_SLICE:
- nals_needed = nal_index;
+ init_get_bits(&hx->s.gb, ptr, bit_length);
+ if(!get_ue_golomb(&hx->s.gb))
+ nals_needed = nal_index;
}
continue;
}
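Review bot: The new first_mb_in_slice probe calls get_ue_golomb right after init_get_bits without confirming bit_length is non-zero; if a zero-length NAL can reach this switch (filtering earlier in decode_nal_units is outside the hunk), the read runs on the padding. A minimal guard is `if (bit_length > 0 && !get_ue_golomb(&hx->s.gb))`. The intent — presumably that only a slice with first_mb_in_slice == 0 starts a picture that must be complete before output — is not obvious from the code and deserves a comment on the `init_get_bits` line.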
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index 0a380e03c1..a6f39730ff 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -227,7 +227,7 @@ typedef struct PPS{
int transform_8x8_mode; ///< transform_8x8_mode_flag
uint8_t scaling_matrix4[6][16];
uint8_t scaling_matrix8[6][64];
- uint8_t chroma_qp_table[2][64]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
+ uint8_t chroma_qp_table[2][QP_MAX_NUM+1]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
int chroma_qp_diff;
}PPS;
diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c
index 34a4ff727f..0b19353656 100644
--- a/libavcodec/h264_direct.c
+++ b/libavcodec/h264_direct.c
@@ -89,7 +89,8 @@ static void fill_colmap(H264Context *h, int map[2][16+32], int list, int field,
for(j=start; j<end; j++){
if(4*h->ref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){
int cur_ref= mbafi ? (j-16)^field : j;
- map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
+ if(ref1->mbaff)
+ map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
if(rfield == field || !interl)
map[list][old_ref] = cur_ref;
break;
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 423f54b324..89e2502e0d 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -143,8 +143,8 @@ static inline int decode_hrd_parameters(H264Context *h, SPS *sps){
get_bits(&s->gb, 4); /* bit_rate_scale */
get_bits(&s->gb, 4); /* cpb_size_scale */
for(i=0; i<cpb_count; i++){
- get_ue_golomb(&s->gb); /* bit_rate_value_minus1 */
- get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */
+ get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */
+ get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */
get_bits1(&s->gb); /* cbr_flag */
}
sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1;
diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c
index f6533cf9ba..4917e0d3a0 100644
--- a/libavcodec/h264pred.c
+++ b/libavcodec/h264pred.c
@@ -40,7 +40,7 @@
#undef BIT_DEPTH
static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
- const int lt= src[-1-1*stride];
+ const unsigned lt = src[-1-1*stride];
LOAD_TOP_EDGE
LOAD_TOP_RIGHT_EDGE
uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2,
@@ -55,7 +55,7 @@ static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int st
}
static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
- const int lt= src[-1-1*stride];
+ const unsigned lt = src[-1-1*stride];
LOAD_LEFT_EDGE
AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101);
@@ -292,7 +292,7 @@ static void pred16x16_tm_vp8_c(uint8_t *src, int stride){
static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0;
+ unsigned dc0;
dc0=0;
for(i=0;i<8; i++)
@@ -307,7 +307,7 @@ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){
static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0;
+ unsigned dc0;
dc0=0;
for(i=0;i<8; i++)
@@ -322,7 +322,7 @@ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){
static void pred8x8_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0=0;
+ unsigned dc0 = 0;
for(i=0;i<4; i++){
dc0+= src[-1+i*stride] + src[i-stride];
diff --git a/libavcodec/h264pred_template.c b/libavcodec/h264pred_template.c
index 3cd4463d76..153aabc5f2 100644
--- a/libavcodec/h264pred_template.c
+++ b/libavcodec/h264pred_template.c
@@ -120,28 +120,28 @@ static void FUNCC(pred4x4_129_dc)(uint8_t *_src, const uint8_t *topright, int _s
#define LOAD_TOP_RIGHT_EDGE\
- const int av_unused t4= topright[0];\
- const int av_unused t5= topright[1];\
- const int av_unused t6= topright[2];\
- const int av_unused t7= topright[3];\
+ const unsigned av_unused t4 = topright[0];\
+ const unsigned av_unused t5 = topright[1];\
+ const unsigned av_unused t6 = topright[2];\
+ const unsigned av_unused t7 = topright[3];\
#define LOAD_DOWN_LEFT_EDGE\
- const int av_unused l4= src[-1+4*stride];\
- const int av_unused l5= src[-1+5*stride];\
- const int av_unused l6= src[-1+6*stride];\
- const int av_unused l7= src[-1+7*stride];\
+ const unsigned av_unused l4 = src[-1+4*stride];\
+ const unsigned av_unused l5 = src[-1+5*stride];\
+ const unsigned av_unused l6 = src[-1+6*stride];\
+ const unsigned av_unused l7 = src[-1+7*stride];\
#define LOAD_LEFT_EDGE\
- const int av_unused l0= src[-1+0*stride];\
- const int av_unused l1= src[-1+1*stride];\
- const int av_unused l2= src[-1+2*stride];\
- const int av_unused l3= src[-1+3*stride];\
+ const unsigned av_unused l0 = src[-1+0*stride];\
+ const unsigned av_unused l1 = src[-1+1*stride];\
+ const unsigned av_unused l2 = src[-1+2*stride];\
+ const unsigned av_unused l3 = src[-1+3*stride];\
#define LOAD_TOP_EDGE\
- const int av_unused t0= src[ 0-1*stride];\
- const int av_unused t1= src[ 1-1*stride];\
- const int av_unused t2= src[ 2-1*stride];\
- const int av_unused t3= src[ 3-1*stride];\
+ const unsigned av_unused t0 = src[ 0-1*stride];\
+ const unsigned av_unused t1 = src[ 1-1*stride];\
+ const unsigned av_unused t2 = src[ 2-1*stride];\
+ const unsigned av_unused t3 = src[ 3-1*stride];\
static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){
pixel *src = (pixel*)_src;
diff --git a/libavcodec/imc.c b/libavcodec/imc.c
index f08efe46ec..bc1a6a9f3c 100644
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -104,10 +104,15 @@ static VLC_TYPE vlc_tables[VLC_TABLES_SIZE][2];
static av_cold int imc_decode_init(AVCodecContext * avctx)
{
- int i, j;
+ int i, j, ret;
IMCContext *q = avctx->priv_data;
double r1, r2;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
q->decoder_reset = 1;
for(i = 0; i < BANDS; i++)
@@ -156,7 +161,10 @@ static av_cold int imc_decode_init(AVCodecContext * avctx)
}
q->one_div_log2 = 1/log(2);
- ff_fft_init(&q->fft, 7, 1);
+ if ((ret = ff_fft_init(&q->fft, 7, 1))) {
+ av_log(avctx, AV_LOG_INFO, "FFT init failed\n");
+ return ret;
+ }
dsputil_init(&q->dsp, avctx);
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
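Review bot: `FFT init failed` is logged at AV_LOG_INFO although the function then returns the error; a failure that aborts decoder initialisation should be `av_log(avctx, AV_LOG_ERROR, "FFT init failed\n");` so it is visible at the default log level. Separately, the channel_layout assignment on the last line still special-cases stereo even though the guard added earlier in this diff rejects anything but one channel, so it can become `avctx->channel_layout = AV_CH_LAYOUT_MONO;`. imc_decode_init ends outside the hunk.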
diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c
index 78ac2d83bb..beb3ee11cb 100644
--- a/libavcodec/imgconvert.c
+++ b/libavcodec/imgconvert.c
@@ -499,6 +499,16 @@ int avpicture_layout(const AVPicture* src, enum PixelFormat pix_fmt, int width,
}
}
+ switch (pix_fmt) {
+ case PIX_FMT_RGB8:
+ case PIX_FMT_BGR8:
+ case PIX_FMT_RGB4_BYTE:
+ case PIX_FMT_BGR4_BYTE:
+ case PIX_FMT_GRAY8:
+ // do not include palette for these pseudo-paletted formats
+ return size;
+ }
+
if (desc->flags & PIX_FMT_PAL)
memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4);
diff --git a/libavcodec/libgsm.c b/libavcodec/libgsm.c
index 1f76f82d55..073cf4498d 100644
--- a/libavcodec/libgsm.c
+++ b/libavcodec/libgsm.c
@@ -141,18 +141,25 @@ static int libgsm_decode_frame(AVCodecContext *avctx,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
+ int out_size = avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt);
+
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
*data_size = 0; /* In case of error */
if(buf_size < avctx->block_align) return -1;
switch(avctx->codec_id) {
case CODEC_ID_GSM:
if(gsm_decode(avctx->priv_data,buf,data)) return -1;
- *data_size = GSM_FRAME_SIZE*sizeof(int16_t);
break;
case CODEC_ID_GSM_MS:
if(gsm_decode(avctx->priv_data,buf,data) ||
gsm_decode(avctx->priv_data,buf+33,((int16_t*)data)+GSM_FRAME_SIZE)) return -1;
- *data_size = GSM_FRAME_SIZE*sizeof(int16_t)*2;
}
+
+ *data_size = out_size;
return avctx->block_align;
}
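Review bot: `*data_size = out_size;` is now reached for any codec_id the switch does not match, whereas before an unhandled id left *data_size at 0; the switch should end with `default: return -1;` so an unexpected codec_id cannot report out_size bytes of never-written output. The new guard is also only as strong as avctx->frame_size: the CODEC_ID_GSM_MS path writes 2*GSM_FRAME_SIZE samples, so frame_size must be set to that value at init, which is outside the hunk. A short comment on `out_size` stating that dependency would help.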
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index bf542accdf..6477f3fbe0 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -101,13 +101,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
}
static int X264_frame(AVCodecContext *ctx, uint8_t *buf,
- int bufsize, void *data)
+ int orig_bufsize, void *data)
{
X264Context *x4 = ctx->priv_data;
AVFrame *frame = data;
x264_nal_t *nal;
int nnal, i;
x264_picture_t pic_out;
+ int bufsize;
x264_picture_init( &x4->pic );
x4->pic.img.i_csp = X264_CSP_I420;
@@ -138,6 +139,7 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf,
}
do {
+ bufsize = orig_bufsize;
if (x264_encoder_encode(x4->enc, &nal, &nnal, frame? &x4->pic: NULL, &pic_out) < 0)
return -1;
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index b13d0795cd..baae9a321d 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -950,7 +950,12 @@ static int output_data_internal(MLPDecodeContext *m, unsigned int substr,
int32_t *data_32 = (int32_t*) data;
int16_t *data_16 = (int16_t*) data;
- if (*data_size < (s->max_channel + 1) * s->blockpos * (is32 ? 4 : 2))
+ if (m->avctx->channels != s->max_matrix_channel + 1) {
+ av_log(m->avctx, AV_LOG_ERROR, "channel count mismatch\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ if (*data_size < m->avctx->channels * s->blockpos * (is32 ? 4 : 2))
return -1;
for (i = 0; i < s->blockpos; i++) {
diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index c12ebf4c7c..02e804d88f 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1040,7 +1040,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s,
/* intra / predictive decision */
pix = c->src[0][0];
sum = s->dsp.pix_sum(pix, s->linesize);
- varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500;
+ varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500;
pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8;
@@ -1202,7 +1202,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s,
if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){
intra_score= varc - 500;
}else{
- int mean= (sum+128)>>8;
+ unsigned mean = (sum+128)>>8;
mean*= 0x01010101;
for(i=0; i<16; i++){
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c
index bb21469356..6477edcf28 100644
--- a/libavcodec/mpc7.c
+++ b/libavcodec/mpc7.c
@@ -197,12 +197,19 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
int i, ch;
int mb = -1;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int bits_used, bits_avail;
memset(bands, 0, sizeof(bands));
if(buf_size <= 4){
av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
+ return AVERROR(EINVAL);
+ }
+
+ out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
}
bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
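Review bot: The context line `memset(bands, 0, sizeof(bands));` zeroes only `sizeof(Band *)` bytes — `bands` is declared as a pointer into the context a few lines above — so most of the band state is not cleared between frames; if c->bands is an array of BANDS (+1) elements the intended form is `memset(bands, 0, sizeof(*bands) * (BANDS + 1));`, with the exact count taken from the declaration outside the hunk. This predates the new out_size check but sits in the same function. The out_size check itself is fine: buf[1] is only read after the `buf_size <= 4` rejection.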
@@ -277,7 +284,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
*data_size = 0;
return buf_size;
}
- *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index bca57451ca..90bc8c8b96 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -243,10 +243,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
GetBitContext gb2, *gb = &gb2;
int i, j, k, ch, cnt, res, t;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int maxband, keyframe;
int last[2];
+ out_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
keyframe = c->cur_frame == 0;
if(keyframe){
@@ -404,7 +410,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
c->last_bits_used = get_bits_count(gb);
if(c->cur_frame >= c->frames)
c->cur_frame = 0;
- *data_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ *data_size = out_size;
return c->cur_frame ? c->last_bits_used >> 3 : buf_size;
}
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 9fbae0c316..32dfd23bc1 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1801,8 +1801,8 @@ static int decode_frame(AVCodecContext * avctx,
avctx->bit_rate = s->bit_rate;
avctx->sub_id = s->layer;
- if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
- return -1;
+ if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT))
+ return AVERROR(EINVAL);
*data_size = 0;
if(s->frame_size<=0 || s->frame_size > buf_size){
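Review bot: The new guard is only as strong as `avctx->frame_size`: if that field is still 0 when decode_frame runs (for instance before any header has populated it — not visible here), `*data_size < 0` is never true and the check becomes vacuous, whereas the old `1152*channels` bound was unconditional. If frame_size is guaranteed to be set by this point, a one-line comment saying where would save the next reader the search; if not, keep a fallback such as `FFMAX(avctx->frame_size, 1152)`. The same applies to the identical check added in decode_frame_adu at L913. Note also that the comparison mixes an `int` (`*data_size`) with a `size_t` product, so a negative `*data_size` would pass; an explicit `(size_t)` cast after a `*data_size < 0` check would make the intent clear. decode_frame continues outside the hunk.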
@@ -1870,6 +1870,9 @@ static int decode_frame_adu(AVCodecContext * avctx,
avctx->bit_rate = s->bit_rate;
avctx->sub_id = s->layer;
+ if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT))
+ return AVERROR(EINVAL);
+
s->frame_size = len;
if (avctx->parse_only) {
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index f4743c5000..d56ca825e5 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -2308,12 +2308,15 @@ void ff_draw_horiz_band(MpegEncContext *s, int y, int h){
edge_h= FFMIN(h, s->v_edge_pos - y);
- s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize,
- s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides);
- s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize,
- s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
- s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize,
- s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize,
+ s->linesize, s->h_edge_pos, edge_h,
+ EDGE_WIDTH, EDGE_WIDTH, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize,
+ s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift,
+ EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize,
+ s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift,
+ EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
}
h= FFMIN(h, s->avctx->height - y);
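Review bot: The only behavioural change in this hunk — `edge_h>>hshift` becoming `edge_h>>vshift` for the two chroma planes — is buried inside a reformat of all three draw_edges calls, which makes the fix easy to miss in review and in blame. Keeping the fix as its own minimal diff, or at least calling it out, would be preferable. A short comment on the chroma calls would also help: `/* chroma height scales with the vertical subsampling shift, width with the horizontal one */`. ff_draw_horiz_band continues outside the hunk.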
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
index 3c92aa93f4..b9e141d4cd 100644
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -2007,7 +2007,7 @@ static int mb_var_thread(AVCodecContext *c, void *arg){
int varc;
int sum = s->dsp.pix_sum(pix, s->linesize);
- varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8;
+ varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8;
s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc;
s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c
index 4c0d4210ad..af0048ac5e 100644
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -332,6 +332,9 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
dst->height = src->height;
dst->pix_fmt = src->pix_fmt;
+ dst->coded_width = src->coded_width;
+ dst->coded_height = src->coded_height;
+
dst->has_b_frames = src->has_b_frames;
dst->idct_algo = src->idct_algo;
dst->slice_count = src->slice_count;
diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h
index 79016912d5..ccd2565920 100644
--- a/libavcodec/put_bits.h
+++ b/libavcodec/put_bits.h
@@ -100,7 +100,8 @@ static inline void flush_put_bits(PutBitContext *s)
align_put_bits(s);
#else
#ifndef BITSTREAM_WRITER_LE
- s->bit_buf<<= s->bit_left;
+ if (s->bit_left < 32)
+ s->bit_buf<<= s->bit_left;
#endif
while (s->bit_left < 32) {
/* XXX: should test end of buffer */
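Review bot: The new `if (s->bit_left < 32)` guard has no comment saying why the shift is skipped, and the reason is not obvious from the code. If `bit_buf` is a 32-bit type (not visible in the hunk), shifting it by 32 is undefined behaviour, and when `bit_left == 32` there are no pending bits to move anyway. Suggest: `/* bit_left == 32 means nothing is buffered; shifting by the full width would be undefined */`. flush_put_bits continues outside the hunk.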
diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c
index e83704d801..61c812c85d 100644
--- a/libavcodec/qcelpdec.c
+++ b/libavcodec/qcelpdec.c
@@ -738,11 +738,17 @@ static int qcelp_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
int buf_size = avpkt->size;
QCELPContext *q = avctx->priv_data;
float *outbuffer = data;
- int i;
+ int i, out_size;
float quantized_lspf[10], lpc[10];
float gain[16];
float *formant_mem;
+ out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q)
{
warn_insufficient_frame_quality(avctx, "bitrate cannot be determined.");
@@ -837,7 +843,7 @@ erasure:
memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf));
q->prev_bitrate = q->bitrate;
- *data_size = 160 * sizeof(*outbuffer);
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 1665c8daed..144ce98042 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1958,13 +1958,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
int buf_size = avpkt->size;
QDM2Context *s = avctx->priv_data;
int16_t *out = data;
- int i;
+ int i, out_size;
if(!buf)
return 0;
if(buf_size < s->checksum_size)
return -1;
+ out_size = 16 * s->channels * s->frame_size *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
buf_size, buf, s->checksum_size, data, *data_size);
@@ -1974,7 +1981,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
out += s->channels * s->frame_size;
}
- *data_size = (uint8_t*)out - (uint8_t*)data;
+ *data_size = out_size;
return s->checksum_size;
}
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index a2b6c7f991..8bcbbd3456 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -126,6 +126,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int stream_ptr,
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
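Review bot: The added `CHECK_PIXEL_PTR(0)` and its comment "make sure pixel_ptr is positive" rely on the macro rejecting a negative `pixel_ptr`, but the macro's definition is outside the hunk; if it only tests the upper bound against the pixel limit, a skip byte of 0 (giving `-1 * num_pixels`) would still produce a negative index. Worth confirming the macro checks both directions, and if so stating that in the comment, e.g. `/* skip can be -1 when the byte is 0; reject a pixel_ptr below the row start */`. The same line is added in the 8bpp, 16bpp, 24bpp and 32bpp variants (L1053, L1060, L1067, L1074). Each decode function continues outside its hunk.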
@@ -182,6 +183,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -235,6 +237,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -284,6 +287,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -335,6 +339,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -463,6 +468,8 @@ static int qtrle_decode_frame(AVCodecContext *avctx,
stream_ptr += 4;
height = AV_RB16(&s->buf[stream_ptr]);
stream_ptr += 4;
+ if (height > s->avctx->height - start_line)
+ goto done;
} else {
start_line = 0;
height = s->avctx->height;
diff --git a/libavcodec/resample.c b/libavcodec/resample.c
index 62ece22ca6..d53c7315b1 100644
--- a/libavcodec/resample.c
+++ b/libavcodec/resample.c
@@ -337,9 +337,9 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl
if (s->sample_fmt[1] != AV_SAMPLE_FMT_S16) {
output_bak = output;
- if (!s->buffer_size[1] || s->buffer_size[1] < lenout) {
+ if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) {
av_free(s->buffer[1]);
- s->buffer_size[1] = lenout;
+ s->buffer_size[1] = 2*lenout;
s->buffer[1] = av_malloc(s->buffer_size[1]);
if (!s->buffer[1]) {
av_log(s->resample_context, AV_LOG_ERROR, "Could not allocate buffer\n");
diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c
index b940059d84..5c425587ab 100644
--- a/libavcodec/resample2.c
+++ b/libavcodec/resample2.c
@@ -207,8 +207,10 @@ AVResampleContext *av_resample_init(int out_rate, int in_rate, int filter_size,
memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM));
c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1];
- c->src_incr= out_rate;
- c->ideal_dst_incr= c->dst_incr= in_rate * phase_count;
+ if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2))
+ goto error;
+ c->ideal_dst_incr= c->dst_incr;
+
c->index= -phase_count*((c->filter_length-1)/2);
return c;
@@ -246,10 +248,9 @@ int av_resample(AVResampleContext *c, short *dst, short *src, int *consumed, int
dst[dst_index] = src[index2>>32];
index2 += incr;
}
- frac += dst_index * dst_incr_frac;
index += dst_index * dst_incr;
- index += frac / c->src_incr;
- frac %= c->src_incr;
+ index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr;
+ frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr;
}else{
for(dst_index=0; dst_index < dst_size; dst_index++){
FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask);
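Review bot: The sum `frac + dst_index * (int64_t)dst_incr_frac` is computed twice in the new lines, once for the `/` and once for the `%`; hoisting it into a local keeps the two in sync and makes it obvious that they partition the same value. Suggested replacement for the two new lines: `int64_t fr = frac + dst_index * (int64_t)dst_incr_frac;`, `index += fr / c->src_incr;`, `frac = fr % c->src_incr;`. The widening to `int64_t` is the actual fix here and deserves a one-line comment so it is not "simplified" away later. av_resample continues outside the hunk.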
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 4c1abe8e4c..0b9d420d86 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -113,6 +113,7 @@ static int allocate_buffers(ShortenContext *s)
{
int i, chan;
int *coeffs;
+ void *tmp_ptr;
for (chan=0; chan<s->channels; chan++) {
if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
@@ -124,9 +125,15 @@ static int allocate_buffers(ShortenContext *s)
return -1;
}
- s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->offset[chan] = tmp_ptr;
- s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->decoded[chan] = tmp_ptr;
for (i=0; i<s->nwrap; i++)
s->decoded[chan][i] = 0;
s->decoded[chan] += s->nwrap;
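Review bot: The new `av_realloc(s->decoded[chan], ...)` receives whatever `s->decoded[chan]` holds, and the context line below advances that pointer by `s->nwrap` after every allocation; if allocate_buffers can run more than once (not visible here), the second call passes a pointer that is not the start of an allocation, which realloc does not permit. The ENOMEM handling added here is correct, but it does not cover this case. If repeat calls are possible, keep the allocation start in a separate field and derive the offset pointer from it; otherwise a comment such as `/* allocate_buffers runs once; decoded[] is offset by nwrap below */` would document the assumption. allocate_buffers continues outside the hunk.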
@@ -284,8 +291,15 @@ static int shorten_decode_frame(AVCodecContext *avctx,
int i, input_buf_size = 0;
int16_t *samples = data;
if(s->max_framesize == 0){
+ void *tmp_ptr;
s->max_framesize= 1024; // should hopefully be enough for the first header
- s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize);
+ tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
+ s->max_framesize);
+ if (!tmp_ptr) {
+ av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
+ return AVERROR(ENOMEM);
+ }
+ s->bitstream = tmp_ptr;
}
if(1 && s->max_framesize){//FIXME truncated
@@ -467,6 +481,12 @@ static int shorten_decode_frame(AVCodecContext *avctx,
s->cur_chan++;
if (s->cur_chan == s->channels) {
+ int out_size = s->blocksize * s->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded);
s->cur_chan = 0;
goto frame_done;
diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c
index 9befe8a158..bd7d22388a 100644
--- a/libavcodec/sipr.c
+++ b/libavcodec/sipr.c
@@ -194,14 +194,16 @@ static void decode_parameters(SiprParameters* parms, GetBitContext *pgb,
{
int i, j;
- parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits);
+ if (p->ma_predictor_bits)
+ parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits);
for (i = 0; i < 5; i++)
parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]);
for (i = 0; i < p->subframe_count; i++) {
parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]);
- parms->gp_index[i] = get_bits(pgb, p->gp_index_bits);
+ if (p->gp_index_bits)
+ parms->gp_index[i] = get_bits(pgb, p->gp_index_bits);
for (j = 0; j < p->number_of_fc_indexes; j++)
parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]);
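Review bot: When the new guards skip the read, `parms->ma_pred_switch` and `parms->gp_index[i]` keep whatever value they had before the call; unless the caller zeroes `parms` (not visible here), a mode without these fields would reuse stale values from an earlier frame. Worth confirming, and either zeroing the field in the `else` branch or documenting the contract. The guards also deserve a why-comment, since the reason is the bit reader's contract rather than the format: `/* get_bits() needs n >= 1; modes without this field leave it untouched */`. decode_parameters continues outside the hunk.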
@@ -509,7 +511,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap,
GetBitContext gb;
float *data = datap;
int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE;
- int i;
+ int i, out_size;
ctx->avctx = avctx;
if (avpkt->size < (mode_par->bits_per_frame >> 3)) {
@@ -520,7 +522,11 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap,
*data_size = 0;
return -1;
}
- if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) {
+
+ out_size = mode_par->frames_per_packet * subframe_size *
+ mode_par->subframe_count *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
av_log(avctx, AV_LOG_ERROR,
"Error processing packet: output buffer (%d) too small\n",
*data_size);
@@ -542,8 +548,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap,
data += subframe_size * mode_par->subframe_count;
}
- *data_size = mode_par->frames_per_packet * subframe_size *
- mode_par->subframe_count * sizeof(float);
+ *data_size = out_size;
return mode_par->bits_per_frame >> 3;
}
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index be4bc2336f..0b7a19aa32 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -560,6 +560,10 @@ static av_cold int decode_end(AVCodecContext *avctx)
static av_cold int smka_decode_init(AVCodecContext *avctx)
{
+ if (avctx->channels < 1 || avctx->channels > 2) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n");
+ return AVERROR(EINVAL);
+ }
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16;
return 0;
@@ -583,6 +587,11 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
int bits, stereo;
int pred[2] = {0, 0};
+ if (buf_size <= 4) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
unp_size = AV_RL32(buf);
init_get_bits(&gb, buf + 4, (buf_size - 4) * 8);
@@ -598,6 +607,14 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
return -1;
}
+ if (stereo ^ (avctx->channels != 1)) {
+ av_log(avctx, AV_LOG_ERROR, "channels mismatch\n");
+ return AVERROR(EINVAL);
+ }
+ if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) {
+ av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n");
+ return AVERROR(EINVAL);
+ }
memset(vlc, 0, sizeof(VLC) * 4);
memset(h, 0, sizeof(HuffContext) * 4);
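Review bot: The new sample-format check is one-sided: it rejects 16-bit data (`bits` set) into a U8 output, which is the overflow case, but accepts 8-bit data into an S16 output, which decodes garbage without an error. Rejecting both directions is a one-liner, e.g. `if (!bits != (avctx->sample_fmt == AV_SAMPLE_FMT_U8))`. Likewise `stereo ^ (avctx->channels != 1)` only works if `stereo` is strictly 0 or 1; `!!stereo` or `!stereo != (avctx->channels == 1)` would not depend on that. smka_decode_frame continues outside the hunk.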
diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 43a71904eb..86ab710f80 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -1917,8 +1917,6 @@ static void dwt_quantize(SnowContext *s, Plane *p, DWTELEM *buffer, int width, i
static void halfpel_interpol(SnowContext *s, uint8_t *halfpel[4][4], AVFrame *frame){
int p,x,y;
- assert(!(s->avctx->flags & CODEC_FLAG_EMU_EDGE));
-
for(p=0; p<3; p++){
int is_chroma= !!p;
int w= s->avctx->width >>is_chroma;
@@ -1975,7 +1973,7 @@ static int frame_start(SnowContext *s){
int w= s->avctx->width; //FIXME round up to x16 ?
int h= s->avctx->height;
- if(s->current_picture.data[0]){
+ if(s->current_picture.data[0] && !(s->avctx->flags&CODEC_FLAG_EMU_EDGE)){
s->dsp.draw_edges(s->current_picture.data[0],
s->current_picture.linesize[0], w , h ,
EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM);
diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c
index d903a0119e..b5f74662ba 100644
--- a/libavcodec/truespeech.c
+++ b/libavcodec/truespeech.c
@@ -56,6 +56,11 @@ static av_cold int truespeech_decode_init(AVCodecContext * avctx)
{
// TSContext *c = avctx->priv_data;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Unsupported channel count: %d\n", avctx->channels);
+ return AVERROR(EINVAL);
+ }
+
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
return 0;
}
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index f8e75bb933..7be13bcf0c 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
const ModeTab *mtab = tctx->mtab;
float *out = data;
enum FrameType ftype;
- int window_type;
+ int window_type, out_size;
static const enum FrameType wtype_to_ftype_table[] = {
FT_LONG, FT_LONG, FT_SHORT, FT_LONG,
FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM
@@ -835,6 +835,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
return buf_size;
}
+ out_size = mtab->size * avctx->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
init_get_bits(&gb, buf, buf_size * 8);
skip_bits(&gb, get_bits(&gb, 8));
window_type = get_bits(&gb, WINDOW_TYPE_BITS);
@@ -857,7 +864,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
return buf_size;
}
- *data_size = mtab->size*avctx->channels*4;
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/txd.c b/libavcodec/txd.c
index 0e25458c86..219c337534 100644
--- a/libavcodec/txd.c
+++ b/libavcodec/txd.c
@@ -23,6 +23,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/imgutils.h"
+#include "bytestream.h"
#include "avcodec.h"
#include "s3tc.h"
@@ -42,6 +43,7 @@ static av_cold int txd_init(AVCodecContext *avctx) {
static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
TXDContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
@@ -52,6 +54,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
const uint32_t *palette = (const uint32_t *)(cur + 88);
uint32_t *pal;
+ if (buf_end - cur < 92)
+ return AVERROR_INVALIDDATA;
version = AV_RL32(cur);
d3d_format = AV_RL32(cur+76);
w = AV_RL16(cur+80);
@@ -69,6 +73,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if (depth == 8) {
avctx->pix_fmt = PIX_FMT_PAL8;
+ if (buf_end - cur < 1024)
+ return AVERROR_INVALIDDATA;
cur += 1024;
} else if (depth == 16 || depth == 32)
avctx->pix_fmt = PIX_FMT_RGB32;
@@ -100,6 +106,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
v = AV_RB32(palette+y);
pal[y] = (v>>8) + (v<<24);
}
+ if (buf_end - cur < w * h)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w);
ptr += stride;
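Review bot: The new bound `buf_end - cur < w * h` multiplies two values read with AV_RL16 (up to 65535 each), so `w * h` can overflow `int` unless the dimensions were validated earlier; that validation is not visible in this hunk. Widening the product, `if (buf_end - cur < (int64_t)w * h)`, removes the dependency on that earlier check. txd_decode_frame continues outside the hunk.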
@@ -110,9 +118,13 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
case 0:
if (!flags&1) goto unsupported;
case FF_S3TC_DXT1:
+ if (buf_end - cur < (w/4) * (h/4) * 8)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt1(cur, ptr, w, h, stride);
break;
case FF_S3TC_DXT3:
+ if (buf_end - cur < (w/4) * (h/4) * 16)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt3(cur, ptr, w, h, stride);
break;
default:
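Review bot: The context line `if (!flags&1) goto unsupported;` just above the new DXT1 check parses as `(!flags) & 1`, so it tests whether `flags` is zero rather than whether bit 0 is set; pre-existing, but it decides which of the newly guarded paths runs, and `if (!(flags & 1)) goto unsupported;` is the likely intent. Separately, the new `(w/4) * (h/4) * 8` and `* 16` bounds under-count when `w` or `h` is not a multiple of 4 if ff_decode_dxt1/dxt3 round the block count up (their definitions are not visible); rounding the block counts up here, `((w + 3) / 4) * ((h + 3) / 4)`, would be safe either way. txd_decode_frame continues outside the hunk.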
@@ -122,6 +134,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
switch (d3d_format) {
case 0x15:
case 0x16:
+ if (buf_end - cur < h * w * 4)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w*4);
ptr += stride;
@@ -133,8 +147,12 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
}
}
- for (; mipmap_count > 1; mipmap_count--)
- cur += AV_RL32(cur) + 4;
+ for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
+ uint32_t length = bytestream_get_le32(&cur);
+ if (buf_end - cur < length)
+ break;
+ cur += length;
+ }
*picture = s->picture;
*data_size = sizeof(AVPicture);
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 024c8fd3cf..8f16d3a5a5 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1605,7 +1605,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext,
vorbis_context *vc = avccontext->priv_data ;
GetBitContext *gb = &(vc->gb);
const float *channel_ptrs[255];
- int i, len;
+ int i, len, out_size;
if (!buf_size)
return 0;
@@ -1630,6 +1630,13 @@ static int vorbis_decode_frame(AVCodecContext *avccontext,
av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n",
get_bits_count(gb) / 8, get_bits_count(gb) % 8, len);
+ out_size = len * vc->audio_channels *
+ av_get_bytes_per_sample(avccontext->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if (vc->audio_channels > 8) {
for (i = 0; i < vc->audio_channels; i++)
channel_ptrs[i] = vc->channel_floors + i * len;
@@ -1645,8 +1652,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext,
vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len,
vc->audio_channels);
- *data_size = len * vc->audio_channels *
- av_get_bytes_per_sample(avccontext->sample_fmt);
+ *data_size = out_size;
return buf_size ;
}
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index b9af998bc5..549f494ff6 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -45,6 +45,7 @@
#define FRAGMENT_PIXELS 8
static av_cold int vp3_decode_end(AVCodecContext *avctx);
+static void vp3_decode_flush(AVCodecContext *avctx);
//FIXME split things out into their own arrays
typedef struct Vp3Fragment {
@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
/* decode a VLC into a token */
token = get_vlc2(gb, vlc_table, 11, 3);
/* use the token to get a zero run, a coefficient, and an eob run */
- if (token <= 6) {
+ if ((unsigned) token <= 6U) {
eob_run = eob_run_base[token];
if (eob_run_get_bits[token])
eob_run += get_bits(gb, eob_run_get_bits[token]);
@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
coeff_i += eob_run;
eob_run = 0;
}
- } else {
+ } else if (token >= 0) {
bits_to_get = coeff_get_bits[token];
if (bits_to_get)
bits_to_get = get_bits(gb, bits_to_get);
@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
s->num_coded_frags[plane][i]--;
coeff_i++;
+ } else {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid token %d\n", token);
+ return -1;
}
}
@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
/* unpack the Y plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the Y-plane DC coefficients */
reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
/* unpack the C plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the C-plane DC coefficients */
if (!(s->avctx->flags & CODEC_FLAG_GRAY))
@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
for (i = 1; i <= 63; i++) {
residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
return 0;
@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
int qps_changed = 0, i, err;
+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+
if (!s1->current_frame.data[0]
||s->width != s1->width
- ||s->height!= s1->height)
+ ||s->height!= s1->height) {
+ if (s != s1)
+ copy_fields(s, s1, golden_frame, current_frame);
return -1;
+ }
if (s != s1) {
// init tables if the first frame hasn't been decoded
@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
}
-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
-
// copy previous frame data
copy_fields(s, s1, golden_frame, dsp);
@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
Vp3DecodeContext *s = avctx->priv_data;
int i;
- if (avctx->is_copy && !s->current_frame.data[0])
- return 0;
-
av_free(s->superblock_coding);
av_free(s->all_fragments);
av_free(s->coded_fragment_list[0]);
@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
free_vlc(&s->motion_vector_vlc);
/* release all frames */
- if (s->golden_frame.data[0])
- ff_thread_release_buffer(avctx, &s->golden_frame);
- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
- ff_thread_release_buffer(avctx, &s->last_frame);
- /* no need to release the current_frame since it will always be pointing
- * to the same frame as either the golden or last frame */
+ vp3_decode_flush(avctx);
return 0;
}
@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
ff_thread_release_buffer(avctx, &s->current_frame);
}
+static int vp3_init_thread_copy(AVCodecContext *avctx)
+{
+ Vp3DecodeContext *s = avctx->priv_data;
+
+ s->superblock_coding = NULL;
+ s->all_fragments = NULL;
+ s->coded_fragment_list[0] = NULL;
+ s->dct_tokens_base = NULL;
+ s->superblock_fragments = NULL;
+ s->macroblock_coding = NULL;
+ s->motion_val[0] = NULL;
+ s->motion_val[1] = NULL;
+ s->edge_emu_buffer = NULL;
+
+ return 0;
+}
+
AVCodec ff_theora_decoder = {
"theora",
AVMEDIA_TYPE_VIDEO,
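Review bot: vp3_init_thread_copy nulls a hand-maintained list of pointers so that vp3_decode_end (which, per the earlier hunk, no longer early-returns for copies) does not free the parent's buffers; nothing ties this list to the frees in vp3_decode_end, so adding a field to one and not the other becomes a double free. A header comment stating the invariant would help: `/* Every pointer freed in vp3_decode_end must be cleared here: a thread copy shares the parent's buffers and must never free them. */`. The three frees visible at L1552–L1554 are covered; the rest of vp3_decode_end is outside the hunk and should be cross-checked.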
@@ -2354,6 +2383,7 @@ AVCodec ff_theora_decoder = {
NULL,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("Theora"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
#endif
@@ -2371,5 +2401,6 @@ AVCodec ff_vp3_decoder = {
NULL,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 3721d52192..c66d2e74ff 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -374,7 +374,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s)
if (b > 3) pt = 1;
vlc_coeff = &s->dccv_vlc[pt];
- for (coeff_idx=0; coeff_idx<64; ) {
+ for (coeff_idx = 0;;) {
int run = 1;
if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) {
s->nb_null[coeff_idx][pt]--;
@@ -411,6 +411,8 @@ static void vp6_parse_coeff_huffman(VP56Context *s)
}
}
coeff_idx+=run;
+ if (coeff_idx >= 64)
+ break;
cg = FFMIN(vp6_coeff_groups[coeff_idx], 3);
vlc_coeff = &s->ract_vlc[pt][ct][cg];
}
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index 3e93653085..3217605e58 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -33,6 +33,19 @@
# include "arm/vp8.h"
#endif
+static void free_buffers(VP8Context *s)
+{
+ av_freep(&s->macroblocks_base);
+ av_freep(&s->filter_strength);
+ av_freep(&s->intra4x4_pred_mode_top);
+ av_freep(&s->top_nnz);
+ av_freep(&s->edge_emu_buffer);
+ av_freep(&s->top_border);
+ av_freep(&s->segmentation_map);
+
+ s->macroblocks = NULL;
+}
+
static void vp8_decode_flush(AVCodecContext *avctx)
{
VP8Context *s = avctx->priv_data;
@@ -45,15 +58,7 @@ static void vp8_decode_flush(AVCodecContext *avctx)
}
memset(s->framep, 0, sizeof(s->framep));
- av_freep(&s->macroblocks_base);
- av_freep(&s->filter_strength);
- av_freep(&s->intra4x4_pred_mode_top);
- av_freep(&s->top_nnz);
- av_freep(&s->edge_emu_buffer);
- av_freep(&s->top_border);
- av_freep(&s->segmentation_map);
-
- s->macroblocks = NULL;
+ free_buffers(s);
}
static int update_dimensions(VP8Context *s, int width, int height)
@@ -273,7 +278,7 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size)
if (!s->macroblocks_base || /* first frame */
width != s->avctx->width || height != s->avctx->height) {
- if ((ret = update_dimensions(s, width, height) < 0))
+ if ((ret = update_dimensions(s, width, height)) < 0)
return ret;
}
@@ -487,6 +492,7 @@ void decode_mvs(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y)
AV_ZERO32(&near_mv[0]);
AV_ZERO32(&near_mv[1]);
+ AV_ZERO32(&near_mv[2]);
/* Process MB on top, left and top-left */
#define MV_EDGE_CHECK(n)\
@@ -919,7 +925,8 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb,
int mb_x, int mb_y)
{
AVCodecContext *avctx = s->avctx;
- int x, y, mode, nnz, tr;
+ int x, y, mode, nnz;
+ uint32_t tr;
// for the first row, we need to run xchg_mb_border to init the top edge to 127
// otherwise, skip it if we aren't going to deblock
@@ -948,7 +955,7 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb,
// from the top macroblock
if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) &&
mb_x == s->mb_width-1) {
- tr = tr_right[-1]*0x01010101;
+ tr = tr_right[-1]*0x01010101u;
tr_right = (uint8_t *)&tr;
}
@@ -1749,6 +1756,11 @@ static int vp8_decode_update_thread_context(AVCodecContext *dst, const AVCodecCo
{
VP8Context *s = dst->priv_data, *s_src = src->priv_data;
+ if (s->macroblocks_base &&
+ (s_src->mb_width != s->mb_width || s_src->mb_height != s->mb_height)) {
+ free_buffers(s);
+ }
+
s->prob[0] = s_src->prob[!s_src->update_probabilities];
s->segmentation = s_src->segmentation;
s->lf_delta = s_src->lf_delta;
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index ca4fd94d75..64a68e1ca1 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -138,6 +138,10 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
/* load up the VQA parameters from the header */
vqa_header = (unsigned char *)s->avctx->extradata;
s->vqa_version = vqa_header[0];
+ if (s->vqa_version < 1 || s->vqa_version > 3) {
+ av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version);
+ return -1;
+ }
s->width = AV_RL16(&vqa_header[6]);
s->height = AV_RL16(&vqa_header[8]);
if(av_image_check_size(s->width, s->height, 0, avctx)){
@@ -226,6 +230,8 @@ static void decode_format80(const unsigned char *src, int src_size,
src_index += 2;
av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
@@ -248,6 +254,8 @@ static void decode_format80(const unsigned char *src, int src_size,
src_index += 2;
av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
@@ -268,6 +276,8 @@ static void decode_format80(const unsigned char *src, int src_size,
src_index += 2;
av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
CHECK_COUNT();
+ if (dest_index < src_pos)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[dest_index - src_pos + i];
dest_index += count;
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index c343080b36..22273527af 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1085,7 +1085,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb,
int excl_range = s->aw_pulse_range; // always 16 or 24
uint16_t *use_mask_ptr = &use_mask[idx >> 4];
int first_sh = 16 - (idx & 15);
- *use_mask_ptr++ &= 0xFFFF << first_sh;
+ *use_mask_ptr++ &= 0xFFFFu << first_sh;
excl_range -= first_sh;
if (excl_range >= 16) {
*use_mask_ptr++ = 0;
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 10ec53f467..c93ff43663 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -129,7 +129,9 @@ static int xan_unpack(uint8_t *dest, const int dest_len,
if (size + size2 > dest_end - dest)
break;
}
- if (src + size > src_end || dest + size + size2 > dest_end)
+ if (src + size > src_end ||
+ dest + size + size2 > dest_end ||
+ dest + size - orig_dest < back )
return -1;
bytestream_get_buffer(&src, dest, size);
dest += size;
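Review bot: The new condition mixes two spellings of the same bound: line 1765 compares lengths, `size + size2 > dest_end - dest`, while line 1770 writes `dest + size + size2 > dest_end`, which forms a pointer beyond the end of the buffer before comparing — technically undefined and needlessly different from the check two lines above. Express all three terms as lengths: `if (size > src_end - src ||` / `size + size2 > dest_end - dest ||` / `(dest - orig_dest) + size < back)`. orig_dest and back are declared outside the hunk; I am assuming back is the non-negative back-reference distance decoded earlier in xan_unpack.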
@@ -194,6 +196,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
if (mode) {
for (j = 0; j < avctx->height >> 1; j++) {
for (i = 0; i < avctx->width >> 1; i++) {
+ if (src_end - src < 1)
+ return 0;
val = *src++;
if (val) {
val = AV_RL16(table + (val << 1));
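Review bot: When the chroma data runs out mid-frame, the new guard at line 1779 (and its twin at line 1796) returns 0, so the caller sees success while the remaining U/V rows keep whatever the picture buffer already held; if that silent truncation is intended for damaged packets it deserves a comment such as `/* short packet: keep what was decoded, leave the remaining chroma rows as they are */`, otherwise an error return would let the frame be flagged. `src_end - src < 1` is also an unusual spelling of `src >= src_end`, which reads directly as the end-of-input test it is. The enclosing loops begin before this hunk.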
@@ -202,8 +206,6 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
U[i] = uval | (uval >> 5);
V[i] = vval | (vval >> 5);
}
- if (src == src_end)
- return 0;
}
U += s->pic.linesize[1];
V += s->pic.linesize[2];
@@ -214,6 +216,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
for (j = 0; j < avctx->height >> 2; j++) {
for (i = 0; i < avctx->width >> 1; i += 2) {
+ if (src_end - src < 1)
+ return 0;
val = *src++;
if (val) {
val = AV_RL16(table + (val << 1));
@@ -302,6 +306,9 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt)
corr_end - corr_off);
if (dec_size < 0)
dec_size = 0;
+ else
+ dec_size = FFMIN(dec_size, s->buffer_size/2 - 1);
+
for (i = 0; i < dec_size; i++)
s->y_buffer[i*2+1] = (s->y_buffer[i*2+1] + (s->scratch_buffer[i] << 1)) & 0x3F;
}
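Review bot: The clamp's `- 1` is stricter than the loop needs: with i < dec_size the highest index written is 2*dec_size - 1, which already stays below buffer_size for dec_size = s->buffer_size/2, so the extra `- 1` drops one correction pair without explanation — assuming s->buffer_size is the element count of y_buffer, which this hunk does not show. Either drop it or document the reason, e.g. `/* each correction touches y_buffer[2*i+1]; keep the last index inside buffer_size */`. The clamp also silently discards corrections from an oversized packet rather than reporting it, and scratch_buffer's own bound is not checked here, so it is presumably guaranteed by the decode into it above the hunk.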