author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-09 01:22:31 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-09 01:22:31 +0100 |
commit | a8cedbebf163ad376abc4703b3156c44d0858404 (patch) | |
tree | 7198ad7a96b58d3ea53b2208601b707da2db3c00 /libavcodec | |
parent | a4524930d9299dbb8fafe165105d83bf7b6d3b89 (diff) | |
parent | ea1d64ab1066145ba919b79a2080f3091d562217 (diff) | |
Merge remote-tracking branch 'qatar/master'
* qatar/master:
ttadec: unbreak playback of matroska files
vorbisdec: avoid invalid memory access
Fix uninitialized reads on malformed ogg files.
huffyuv: add padding to classic (v1) huffman tables.
png: convert to bytestream2 API.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
avs: fix infinite loop on end-of-stream.
tiffdec: Prevent illegal memory access caused by recycled pointers.
rtpenc: Fix the AVRational used for av_rescale_q_rnd
wma: fix off-by-one in array bounds check.
Conflicts:
libavcodec/huffyuv.c
libavcodec/pngdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/cavsdec.c | 1 | ||||
-rw-r--r-- | libavcodec/dca.c | 1 | ||||
-rw-r--r-- | libavcodec/huffyuv.c | 10 | ||||
-rw-r--r-- | libavcodec/pngdec.c | 72 | ||||
-rw-r--r-- | libavcodec/tiff.c | 2 | ||||
-rw-r--r-- | libavcodec/tta.c | 3 | ||||
-rw-r--r-- | libavcodec/vorbisdec.c | 3 |
7 files changed, 46 insertions, 46 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index b06bd53c00..6e5539c2d7 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -657,6 +657,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
 if (!s->low_delay && h->DPB[0].f.data[0]) {
 *data_size = sizeof(AVPicture);
 *picture = h->DPB[0].f;
+ memset(&h->DPB[0], 0, sizeof(h->DPB[0]));
 }
 return 0;
 }
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index a37341af0c..d9fafbad01 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -29,6 +29,7 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
 #include "dsputil.h"
diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
index ff52eaac73..81144a1c42 100644
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -82,14 +82,16 @@ typedef struct HYuvContext{
 DSPContext dsp;
 }HYuvContext;
-static const unsigned char classic_shift_luma[] = {
+#define classic_shift_luma_table_size 42
+static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
 34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
 16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
 69,68, 0,
 0,0,0,0,0,0,0,0,
 };
-static const unsigned char classic_shift_chroma[] = {
+#define classic_shift_chroma_table_size 59
+static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
 66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
 56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
 214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0,
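Review bot: The added `memset(&h->DPB[0], 0, sizeof(h->DPB[0]));` in cavs_decode_frame clears the whole DPB slot, data pointers included, right after the frame is copied to `*picture`, and nothing in the hunk shows that buffer being handed back to the codec context. If DPB[0] owned the buffer, its reference is dropped here and is presumably only reclaimed when the codec is closed; this should be confirmed against the flush and close paths, which are outside the hunk. The line also needs a why-comment, for example `/* frame has been output; clear the slot so the next call does not return it again */`. The body of cavs_decode_frame starts outside the hunk.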
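Review bot: `classic_shift_luma_table_size 42` and `classic_shift_chroma_table_size 59` are hand-counted constants with nothing tying them to the initializers, so a later edit to either table can silently change how many bits `init_get_bits` is given in read_old_huffman_tables (the following huffyuv hunk). By my count the visible luma initializer holds 42 values followed by a `0` and eight more zeros, so the old `sizeof(classic_shift_luma)-8` covered 43 bytes where the new constant covers 42; if dropping that byte is intended it should be stated. A comment on each define such as `/* payload bytes only; the zeros that follow are terminator and read padding */` would record it. The chroma initializer continues past the end of the hunk.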
@@ -396,10 +398,10 @@ static int read_old_huffman_tables(HYuvContext *s){
 GetBitContext gb;
 int i;
- init_get_bits(&gb, classic_shift_luma, (sizeof(classic_shift_luma)-8)*8);
+ init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
 if(read_len_table(s->len[0], &gb)<0)
 return -1;
- init_get_bits(&gb, classic_shift_chroma, (sizeof(classic_shift_chroma)-8)*8);
+ init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
 if(read_len_table(s->len[1], &gb)<0)
 return -1;
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 55df8b0a57..398c48b419 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -38,9 +38,7 @@
 typedef struct PNGDecContext {
 PNGDSPContext dsp;
- const uint8_t *bytestream;
- const uint8_t *bytestream_start;
- const uint8_t *bytestream_end;
+ GetByteContext gb;
 AVFrame picture1, picture2;
 AVFrame *current_picture, *last_picture;
@@ -360,12 +358,9 @@ static void png_handle_row(PNGDecContext *s)
 static int png_decode_idat(PNGDecContext *s, int length)
 {
 int ret;
- s->zstream.avail_in = length;
- s->zstream.next_in = s->bytestream;
- s->bytestream += length;
-
- if(s->bytestream > s->bytestream_end)
- return -1;
+ s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
+ s->zstream.next_in = s->gb.buffer;
+ bytestream2_skip(&s->gb, length);
 /* decode one line if possible */
 while (s->zstream.avail_in > 0) {
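Review bot: In png_decode_idat the old `return -1` for a chunk that runs past the buffer is replaced by a silent clamp, `FFMIN(length, bytestream2_get_bytes_left(&s->gb))`, so a short IDAT is now inflated as far as it goes with no error or log from this function. The clamp looks reachable: the chunk loop in decode_frame (a later pngdec hunk) compares `length` with the bytes left before the 4-byte tag is consumed, so a final chunk may overstate its size by up to four bytes and still get here. If tolerating that is intended, add a comment such as `/* clamp to the bytes actually present; a truncated IDAT is decoded as far as possible */`; otherwise keep the failure with `if (length > bytestream2_get_bytes_left(&s->gb)) return -1;` ahead of the assignment. The function body continues past the hunk.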
@@ -401,17 +396,15 @@ static int decode_frame(AVCodecContext *avctx,
 avctx->coded_frame= s->current_picture;
 p = s->current_picture;
- s->bytestream_start=
- s->bytestream= buf;
- s->bytestream_end= buf + buf_size;
-
 /* check signature */
- if (memcmp(s->bytestream, ff_pngsig, 8) != 0 &&
- memcmp(s->bytestream, ff_mngsig, 8) != 0) {
+ if (buf_size < 8 ||
+ memcmp(buf, ff_pngsig, 8) != 0 &&
+ memcmp(buf, ff_mngsig, 8) != 0) {
 av_log(avctx, AV_LOG_ERROR, "Missing png signature\n");
 return -1;
 }
- s->bytestream+= 8;
+
+ bytestream2_init(&s->gb, buf + 8, buf_size - 8);
 s->y= s->state=0;
 // memset(s, 0, sizeof(PNGDecContext));
@@ -423,14 +416,13 @@ static int decode_frame(AVCodecContext *avctx,
 if (ret != Z_OK)
 return -1;
 for(;;) {
- int tag32;
- if (s->bytestream >= s->bytestream_end)
+ if (bytestream2_get_bytes_left(&s->gb) <= 0)
 goto fail;
- length = bytestream_get_be32(&s->bytestream);
- if (length > 0x7fffffff || length > s->bytestream_end - s->bytestream)
+
+ length = bytestream2_get_be32(&s->gb);
+ if (length > 0x7fffffff || length > bytestream2_get_bytes_left(&s->gb))
 goto fail;
- tag32 = bytestream_get_be32(&s->bytestream);
- tag = av_bswap32(tag32);
+ tag = bytestream2_get_le32(&s->gb);
 if (avctx->debug & FF_DEBUG_STARTCODE)
 av_log(avctx, AV_LOG_DEBUG, "png: tag=%c%c%c%c length=%u\n",
 (tag & 0xff),
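Review bot: The new signature test `buf_size < 8 || memcmp(...) != 0 && memcmp(...) != 0` mixes `||` and `&&` without grouping. It evaluates as intended because `&&` binds tighter, but compilers warn about it under -Wparentheses, and since `buf_size < 8` is the guard that keeps both `memcmp` calls inside the packet the expression should leave no room for misreading. Suggested form: `if (buf_size < 8 || (memcmp(buf, ff_pngsig, 8) != 0 && memcmp(buf, ff_mngsig, 8) != 0)) {`. decode_frame starts and ends outside the hunk.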
@@ -441,18 +433,18 @@ static int decode_frame(AVCodecContext *avctx,
 case MKTAG('I', 'H', 'D', 'R'):
 if (length != 13)
 goto fail;
- s->width = bytestream_get_be32(&s->bytestream);
- s->height = bytestream_get_be32(&s->bytestream);
+ s->width = bytestream2_get_be32(&s->gb);
+ s->height = bytestream2_get_be32(&s->gb);
 if(av_image_check_size(s->width, s->height, 0, avctx)){
 s->width= s->height= 0;
 goto fail;
 }
- s->bit_depth = *s->bytestream++;
- s->color_type = *s->bytestream++;
- s->compression_type = *s->bytestream++;
- s->filter_type = *s->bytestream++;
- s->interlace_type = *s->bytestream++;
- s->bytestream += 4; /* crc */
+ s->bit_depth = bytestream2_get_byte(&s->gb);
+ s->color_type = bytestream2_get_byte(&s->gb);
+ s->compression_type = bytestream2_get_byte(&s->gb);
+ s->filter_type = bytestream2_get_byte(&s->gb);
+ s->interlace_type = bytestream2_get_byte(&s->gb);
+ bytestream2_skip(&s->gb, 4); /* crc */
 s->state |= PNG_IHDR;
 if (avctx->debug & FF_DEBUG_PICT_INFO)
 av_log(avctx, AV_LOG_DEBUG, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n",
@@ -555,7 +547,7 @@ static int decode_frame(AVCodecContext *avctx,
 s->state |= PNG_IDAT;
 if (png_decode_idat(s, length) < 0)
 goto fail;
- s->bytestream += 4; /* crc */
+ bytestream2_skip(&s->gb, 4); /* crc */
 break;
 case MKTAG('P', 'L', 'T', 'E'):
 {
@@ -566,16 +558,16 @@ static int decode_frame(AVCodecContext *avctx,
 /* read the palette */
 n = length / 3;
 for(i=0;i<n;i++) {
- r = *s->bytestream++;
- g = *s->bytestream++;
- b = *s->bytestream++;
+ r = bytestream2_get_byte(&s->gb);
+ g = bytestream2_get_byte(&s->gb);
+ b = bytestream2_get_byte(&s->gb);
 s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
 }
 for(;i<256;i++) {
 s->palette[i] = (0xff << 24);
 }
 s->state |= PNG_PLTE;
- s->bytestream += 4; /* crc */
+ bytestream2_skip(&s->gb, 4); /* crc */
 }
 break;
 case MKTAG('t', 'R', 'N', 'S'):
@@ -588,21 +580,21 @@ static int decode_frame(AVCodecContext *avctx,
 !(s->state & PNG_PLTE))
 goto skip_tag;
 for(i=0;i<length;i++) {
- v = *s->bytestream++;
+ v = bytestream2_get_byte(&s->gb);
 s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
 }
- s->bytestream += 4; /* crc */
+ bytestream2_skip(&s->gb, 4); /* crc */
 }
 break;
 case MKTAG('I', 'E', 'N', 'D'):
 if (!(s->state & PNG_ALLIMAGE))
 goto fail;
- s->bytestream += 4; /* crc */
+ bytestream2_skip(&s->gb, 4); /* crc */
 goto exit_loop;
 default:
 /* skip tag */
 skip_tag:
- s->bytestream += length + 4;
+ bytestream2_skip(&s->gb, length + 4);
 break;
 }
 }
@@ -686,7 +678,7 @@ static int decode_frame(AVCodecContext *avctx,
 *picture= *s->current_picture;
 *data_size = sizeof(AVFrame);
- ret = s->bytestream - s->bytestream_start;
+ ret = bytestream2_tell(&s->gb);
 the_end:
 inflateEnd(&s->zstream);
 av_free(crow_buf_base);
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 5adf5a3b55..28bae611c1 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -606,6 +606,8 @@ static int decode_frame(AVCodecContext *avctx,
 av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
 return -1;
 }
+ // Reset these pointers so we can tell if they were set this frame
+ s->stripsizes = s->stripdata = NULL;
 /* parse image file directory */
 off = tget_long(&buf, le);
 if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 4dc879cd09..b463946724 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -218,8 +218,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
 {
 if (avctx->err_recognition & AV_EF_CRCCHECK) {
 s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
- if (tta_check_crc(s, avctx->extradata, 18))
- return AVERROR_INVALIDDATA;
+ tta_check_crc(s, avctx->extradata, 18);
 }
 /* signature */
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 702c0d0429..08a2c48df9 100644
--- a/libavcodec/vorbisdec.c
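Review bot: `ret = bytestream2_tell(&s->gb);` no longer counts the 8 signature bytes. The reader is set up with `bytestream2_init(&s->gb, buf + 8, buf_size - 8)` in the earlier decode_frame hunk, whereas the removed expression measured from `bytestream_start`, which was `buf`. Assuming bytestream2_tell reports the offset from the pointer given to bytestream2_init, decode_frame now returns 8 fewer consumed bytes than before, which matters to any caller that advances its input by the return value. Either use `ret = bytestream2_tell(&s->gb) + 8;` here, or initialise the reader on `buf` and step over the signature with `bytestream2_skip(&s->gb, 8);`. decode_frame continues outside the hunk.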
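Review bot: The result of `tta_check_crc(s, avctx->extradata, 18);` is now discarded, so with AV_EF_CRCCHECK set a header that fails its CRC is still accepted and tta_decode_init goes on to parse it. If that is deliberate (the commit title says it unbreaks Matroska playback), record it at the call with a comment such as `/* CRC mismatch is reported but not fatal here */`, and confirm that tta_check_crc itself logs the mismatch, since its body is not in this hunk. A stricter alternative is to fail only when the caller asked for it: `if (tta_check_crc(s, avctx->extradata, 18) && (avctx->err_recognition & AV_EF_EXPLODE)) return AVERROR_INVALIDDATA;`. The function body extends beyond the hunk.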
+++ b/libavcodec/vorbisdec.c
@@ -1593,6 +1593,9 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
 ch_left -= ch;
 }
+ if (ch_left > 0)
+ return AVERROR_INVALIDDATA;
+
 // Inverse coupling
 for (i = mapping->coupling_steps - 1; i >= 0; --i) { //warning: i has to be signed |
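Review bot: The new `if (ch_left > 0) return AVERROR_INVALIDDATA;` rejects the packet without logging anything, while other rejection paths visible in this commit (the PNG signature check, the TIFF header check) log before failing. A malformed-stream rejection is much easier to triage from a crash or fuzzing report when it leaves a message, so an `av_log` call at `AV_LOG_ERROR` should precede the return; its wording should be checked against the loop that decrements `ch_left`, which is outside the hunk. A short comment such as `/* channels left over after the residue loop mean the mapping is inconsistent */` would also explain the guard, assuming that is what `ch_left` tracks.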