aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-12-25 19:57:17 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-12-25 19:57:17 +0100
commitef0c89e969053827b77b734f1bc619f1efb4aad8 (patch)
treeb4cca3048951b5858d3d77637434132d94a482bb /libavcodec
parent0125c10217d37d5706835762b985b8e697d1ca1f (diff)
parent8413f12e1b234e633389c75c403d9aa712c9ef47 (diff)
downloadffmpeg-ef0c89e969053827b77b734f1bc619f1efb4aad8.tar.gz
Merge branch 'release/0.8' into release/0.7
* release/0.8: (22 commits) Update Changelog for 0.7.3 release 4xm: Add a check in decode_i_frame to prevent buffer overreads wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits. Update RELEASE file for 0.7.3 swscale: #include "libavutil/mathematics.h" vp3dec: Check coefficient index in vp3_dequant() svq1dec: call avcodec_set_dimensions() after dimensions changed. mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report) h264: Use mismatching frame numbers in fields swscale: Readd #define _SVID_SOURCE vp6: Fix illegal read. vp6: Fix illegal read. vp6: Reset the internal state when aborting key frames header parsing vp6: Check for huffman tree build errors vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling imgutils: Fix illegal read. qdm2: check output buffer size before decoding Fix out of bound reads in the QDM2 decoder. Check for out of bound writes in the QDM2 decoder. vmd: fix segfaults on corruped streams ... Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/4xm.c11
-rw-r--r--libavcodec/vp3.c10
-rw-r--r--libavcodec/wma.c3
3 files changed, 18 insertions, 6 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 3f8061f942..bbddef4876 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -694,10 +694,13 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
unsigned int prestream_size;
const uint8_t *prestream;
- if (bitstream_size > (1<<26) || length < bitstream_size + 12)
- return -1;
- prestream_size = 4*AV_RL32(buf + bitstream_size + 4);
- prestream = buf + bitstream_size + 12;
+ if (length < bitstream_size + 12) {
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
if (prestream_size > (1<<26) ||
prestream_size != length - (bitstream_size + 12)){
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 2f07af8c4b..3abc78b85a 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1514,7 +1514,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
/* invert DCT and place (or add) in final output */
if (s->all_fragments[i].coding_method == MODE_INTRA) {
- vp3_dequant(s, s->all_fragments + i, plane, 0, block);
+ int index;
+ index = vp3_dequant(s, s->all_fragments + i, plane, 0, block);
+ if (index > 63)
+ continue;
if(s->avctx->idct_algo!=FF_IDCT_VP3)
block[0] += 128<<3;
s->dsp.idct_put(
@@ -1522,7 +1525,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
stride,
block);
} else {
- if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
+ int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block);
+ if (index > 63)
+ continue;
+ if (index > 0) {
s->dsp.idct_add(
output_plane + first_pixel,
stride,
diff --git a/libavcodec/wma.c b/libavcodec/wma.c
index 67599b7eab..8f464619c2 100644
--- a/libavcodec/wma.c
+++ b/libavcodec/wma.c
@@ -137,6 +137,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2)
/* compute MDCT block size */
s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0);
+ s->next_block_len_bits = s->frame_len_bits;
+ s->prev_block_len_bits = s->frame_len_bits;
+ s->block_len_bits = s->frame_len_bits;
s->frame_len = 1 << s->frame_len_bits;
if (s->use_variable_block_len) {