diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-05-05 21:18:48 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-05-06 00:25:39 +0200 |
| commit | 581a83082967ffd0bcb92c42085b009eb6551165 (patch) | |
| tree | c3aca77b9493009f64aea75d74c1c67638626c52 /libavcodec | |
| parent | 1ee1e9e43ff35c3d3f0e36c6f3f2e604179d2c73 (diff) | |
| parent | 43e5fda45cf540a052d6f78248a3bf99f87095a8 (diff) | |
| download | ffmpeg-581a83082967ffd0bcb92c42085b009eb6551165.tar.gz | |
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10
* qatar/release/0.8:
Update Changelog for the 0.8.2 Release
Prepare for 0.8.2 Release
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
ttadec: CRC checking
tta: use skip_bits_long()
Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/celp_filters.c | 4 | ||||
| -rw-r--r-- | libavcodec/h263dec.c | 12 | ||||
| -rw-r--r-- | libavcodec/h264.c | 4 | ||||
| -rw-r--r-- | libavcodec/h264_ps.c | 3 | ||||
| -rw-r--r-- | libavcodec/mjpegdec.c | 5 | ||||
| -rw-r--r-- | libavcodec/motionpixels.c | 6 | ||||
| -rw-r--r-- | libavcodec/tta.c | 51 | ||||
| -rw-r--r-- | libavcodec/vqavideo.c | 10 |
8 files changed, 68 insertions, 27 deletions
diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index 1535060c9d..04ede491ac 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, out2 -= val * old_out2; out3 -= val * old_out3; - old_out3 = out[-5]; - for (i = 5; i <= filter_length; i += 2) { + old_out3 = out[-i]; val = filter_coeffs[i-1]; out0 -= val * old_out3; @@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, FFSWAP(float, old_out0, old_out2); old_out1 = old_out3; - old_out3 = out[-i-2]; } tmp0 = out0; diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 6db3d39777..b41ba7ab19 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -444,6 +444,13 @@ retry: if (ret < 0){ av_log(s->avctx, AV_LOG_ERROR, "header damaged\n"); return -1; + } else if ((s->width != avctx->coded_width || + s->height != avctx->coded_height || + (s->width + 15) >> 4 != s->mb_width || + (s->height + 15) >> 4 != s->mb_height) && + (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } avctx->has_b_frames= !s->low_delay; @@ -584,11 +591,6 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat - if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { - av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); - return -1; // width / height changed during parallelized decoding - } - s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d010b5570d..18cb18ffa7 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2706,9 +2706,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ || s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { - if(h != h0 || (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) { av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); - return -1; // width / height changed during parallelized decoding + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } free_tables(h, 0); flush_dpb(s->avctx); diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 229be1be8d..0ef591ccfa 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -515,6 +515,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){ if(pps_id >= MAX_PPS_COUNT) { av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); return -1; + } else if (h->sps.bit_depth_luma > 10) { + av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma); + return AVERROR_PATCHWELCOME; } pps= av_mallocz(sizeof(PPS)); diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a81b1222b7..92676102cb 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -316,9 +316,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->first_picture = 0; } - if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) - return 0; - + if (!(s->interlaced && (s->bottom_field == !s->interlace_polarity))) { /* XXX: not complete test ! */ pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | (s->h_count[1] << 20) | (s->v_count[1] << 16) | @@ -431,6 +429,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (len != (8 + (3 * nb_components))) av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len); + } /* totally blank picture as progressive JPEG will only add details to it */ if (s->progressive) { diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index f23a8799b1..508a0aa26e 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -191,10 +191,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y) p = mp_get_yuv_from_rgb(mp, x - 1, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((x & 3) == 0) { if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p; } else { p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v; @@ -218,9 +221,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) p = mp_get_yuv_from_rgb(mp, 0, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); } mp->vpt[y] = p; mp_set_rgb_from_yuv(mp, 0, y, &p); diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 3e2e46b89d..455810774d 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -32,6 +32,7 @@ #include <limits.h> #include "avcodec.h" #include "get_bits.h" +#include "libavutil/crc.h" #define FORMAT_SIMPLE 1 #define FORMAT_ENCRYPTED 2 @@ -58,8 +59,10 @@ typedef struct TTAContext { AVCodecContext *avctx; AVFrame frame; GetBitContext gb; + const AVCRC *crc_table; - int format, channels, bps, data_length; + int format, channels, bps; + unsigned data_length; int frame_length, last_frame_length, total_frames; int32_t *decode_buffer; @@ -198,10 +201,23 @@ static const int64_t tta_channel_layouts[7] = { AV_CH_LAYOUT_7POINT1_WIDE }; +static int tta_check_crc(TTAContext *s, const uint8_t *buf, int buf_size) +{ + uint32_t crc, CRC; + + CRC = AV_RL32(buf + buf_size); + crc = av_crc(s->crc_table, 0xFFFFFFFFU, buf, buf_size); + if (CRC != (crc ^ 0xFFFFFFFFU)) { + av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); + return AVERROR_INVALIDDATA; + } + + return 0; +} + static av_cold int tta_decode_init(AVCodecContext * avctx) { TTAContext *s = avctx->priv_data; - int i; s->avctx = avctx; @@ -212,8 +228,14 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8); if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { + if (avctx->err_recognition & AV_EF_CRCCHECK) { + s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); + if (tta_check_crc(s, avctx->extradata, 18)) + return AVERROR_INVALIDDATA; + } + /* signature */ - skip_bits(&s->gb, 32); + skip_bits_long(&s->gb, 32); s->format = get_bits(&s->gb, 16); if (s->format > 2) { @@ -231,7 +253,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) s->bps = (avctx->bits_per_coded_sample + 7) / 8; avctx->sample_rate = get_bits_long(&s->gb, 32); s->data_length = get_bits_long(&s->gb, 32); - skip_bits(&s->gb, 32); // CRC32 of header + skip_bits_long(&s->gb, 32); // CRC32 of header if (s->channels == 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of channels\n"); @@ -258,7 +280,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) } // prevent overflow - if (avctx->sample_rate > 0x7FFFFF) { + if (avctx->sample_rate > 0x7FFFFFu) { av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n"); return AVERROR(EINVAL); } @@ -275,9 +297,15 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) s->data_length, s->frame_length, s->last_frame_length, s->total_frames); // FIXME: seek table - for (i = 0; i < s->total_frames; i++) - skip_bits(&s->gb, 32); - skip_bits(&s->gb, 32); // CRC32 of seektable + if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 || + avctx->extradata_size - 26 < s->total_frames * 4) + av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n"); + else if (avctx->err_recognition & AV_EF_CRCCHECK) { + if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4)) + return AVERROR_INVALIDDATA; + } + skip_bits_long(&s->gb, 32 * s->total_frames); + skip_bits_long(&s->gb, 32); // CRC32 of seektable if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){ av_log(avctx, AV_LOG_ERROR, "frame_length too large\n"); @@ -313,6 +341,11 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, int cur_chan = 0, framelen = s->frame_length; int32_t *p; + if (avctx->err_recognition & AV_EF_CRCCHECK) { + if (buf_size < 4 || tta_check_crc(s, buf, buf_size - 4)) + return AVERROR_INVALIDDATA; + } + init_get_bits(&s->gb, buf, buf_size*8); // FIXME: seeking @@ -416,7 +449,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, if (get_bits_left(&s->gb) < 32) return -1; - skip_bits(&s->gb, 32); // frame crc + skip_bits_long(&s->gb, 32); // frame crc // convert to output buffer switch(s->bps) { diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index d5182ed853..3ffac08170 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -155,16 +155,16 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width % s->vector_width || s->height % s->vector_height) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); s->next_codebook_buffer = av_malloc(s->codebook_size); - if (s->width % s->vector_width || s->height % s->vector_height) { - av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n"); - return AVERROR_INVALIDDATA; - } - /* initialize the solid-color vectors */ if (s->vector_height == 4) { codebook_index = 0xFF00 * 16; |