diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-25 19:57:17 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-12-25 19:57:17 +0100 |
commit | ef0c89e969053827b77b734f1bc619f1efb4aad8 (patch) | |
tree | b4cca3048951b5858d3d77637434132d94a482bb /libavcodec | |
parent | 0125c10217d37d5706835762b985b8e697d1ca1f (diff) | |
parent | 8413f12e1b234e633389c75c403d9aa712c9ef47 (diff) | |
download | ffmpeg-ef0c89e969053827b77b734f1bc619f1efb4aad8.tar.gz |
Merge branch 'release/0.8' into release/0.7
* release/0.8: (22 commits)
Update Changelog for 0.7.3 release
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
Update RELEASE file for 0.7.3
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report)
h264: Use mismatching frame numbers in fields
swscale: Readd #define _SVID_SOURCE
vp6: Fix illegal read.
vp6: Fix illegal read.
vp6: Reset the internal state when aborting key frames header parsing
vp6: Check for huffman tree build errors
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
imgutils: Fix illegal read.
qdm2: check output buffer size before decoding
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
vmd: fix segfaults on corruped streams
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/4xm.c | 11 | ||||
-rw-r--r-- | libavcodec/vp3.c | 10 | ||||
-rw-r--r-- | libavcodec/wma.c | 3 |
3 files changed, 18 insertions, 6 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 3f8061f942..bbddef4876 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -694,10 +694,13 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ unsigned int prestream_size; const uint8_t *prestream; - if (bitstream_size > (1<<26) || length < bitstream_size + 12) - return -1; - prestream_size = 4*AV_RL32(buf + bitstream_size + 4); - prestream = buf + bitstream_size + 12; + if (length < bitstream_size + 12) { + av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); + return AVERROR_INVALIDDATA; + } + + prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; if (prestream_size > (1<<26) || prestream_size != length - (bitstream_size + 12)){ diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 2f07af8c4b..3abc78b85a 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1514,7 +1514,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - vp3_dequant(s, s->all_fragments + i, plane, 0, block); + int index; + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); + if (index > 63) + continue; if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( @@ -1522,7 +1525,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) stride, block); } else { - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); + if (index > 63) + continue; + if (index > 0) { s->dsp.idct_add( output_plane + first_pixel, stride, diff --git a/libavcodec/wma.c b/libavcodec/wma.c index 67599b7eab..8f464619c2 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -137,6 +137,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) /* compute MDCT block size */ s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0); + s->next_block_len_bits = s->frame_len_bits; + s->prev_block_len_bits = s->frame_len_bits; + s->block_len_bits = s->frame_len_bits; s->frame_len = 1 << s->frame_len_bits; if (s->use_variable_block_len) { |