Merge commit '159993acc7f4e3155510d42c543e09fe972b933c' into release/0.10

* commit '159993acc7f4e3155510d42c543e09fe972b933c': vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors wnv1: Make sure the input packet is large enough dca: Validate the lfe parameter rl2: Avoid a division by zero wtv: Add more sanity checks for a length read from the file segafilm: Validate the number of audio channels qpeg: Add checks for running out of rows in qpeg_decode_inter mpegaudiodec: Validate that the number of channels fits at the given offset asv1: Verify the amount of extradata idroqdec: Make sure a video stream has been allocated before returning packets rv10: Validate the dimensions set from the container xmv: Add more sanity checks for parameters read from the bitstream ffv1: Make sure at least one slice context is initialized truemotion2: Use av_freep properly in an error path Conflicts: libavcodec/qpeg.c libavcodec/wnv1.c libavformat/wtv.c libavformat/xmv.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-01-16 22:02:02 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-01-16 22:02:02 +0100
commit: d1c7a7776f6775cf43c3a5025d0544f0470125f4 (patch)
tree: 5df137fce84cf350c411a87805da88f7baf7d0d7 /libavcodec
parent: 5339a9f000519851d111d747a9c582981be7ee82 (diff)
parent: 159993acc7f4e3155510d42c543e09fe972b933c (diff)
download: ffmpeg-d1c7a7776f6775cf43c3a5025d0544f0470125f4.tar.gz
8 files changed, 36 insertions, 7 deletions
diff --git a/libavcodec/asv1.c b/libavcodec/asv1.c
index 9eeec2675a..d9a5968793 100644
--- a/libavcodec/asv1.c
+++ b/libavcodec/asv1.c
@@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){
     int i;
     const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2;
 
+    if (avctx->extradata_size < 1) {
+        av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     common_init(avctx);
     init_vlcs(a);
     ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab);
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index ea40821766..314e04d8ae 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -577,6 +577,11 @@ static int dca_parse_frame_header(DCAContext *s)
     s->lfe               = get_bits(&s->gb, 2);
     s->predictor_history = get_bits(&s->gb, 1);
 
+    if (s->lfe > 2) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+        return AVERROR_INVALIDDATA;
+    }
+
     /* TODO: check CRC */
     if (s->crc_present)
         s->header_crc    = get_bits(&s->gb, 16);
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index b363c9606b..e2301e6ce3 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){
     int i;
 
     f->slice_count= f->num_h_slices * f->num_v_slices;
+    if (f->slice_count <= 0) {
+        av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
+        return AVERROR(EINVAL);
+    }
 
     for(i=0; i<f->slice_count; i++){
         FFV1Context *fs= av_mallocz(sizeof(*fs));
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index c6dc025e5f..fd195a1234 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1941,7 +1941,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
 
         avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
 
-        if (ch + m->nb_channels > avctx->channels) {
+        if (ch + m->nb_channels > avctx->channels ||
+            s->coff[fr] + m->nb_channels > avctx->channels) {
             av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
                                         "channel count\n");
             return AVERROR_INVALIDDATA;
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index adbeff03ae..d85d967a16 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -203,7 +203,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                     filled = 0;
                     dst -= stride;
                     height--;
-                    if(height < 0)
+                    if (height < 0)
                         break;
                 }
             }
@@ -216,7 +216,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                     filled = 0;
                     dst -= stride;
                     height--;
-                    if(height < 0)
+                    if (height < 0)
                         break;
                 }
             }
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 62266dc2d7..84962f65d0 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -442,12 +442,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
 {
     MpegEncContext *s = avctx->priv_data;
     static int done=0;
-    int major_ver, minor_ver, micro_ver;
+    int major_ver, minor_ver, micro_ver, ret;
 
     if (avctx->extradata_size < 8) {
         av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
         return -1;
     }
+    if ((ret = av_image_check_size(avctx->coded_width,
+                                   avctx->coded_height, 0, avctx)) < 0)
+        return ret;
 
     MPV_decode_defaults(s);
 
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index cc0632c667..dc97774f2b 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -5126,8 +5126,19 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v)
 
     if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
         !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
-        !v->mb_type_base)
-            return -1;
+        !v->mb_type_base) {
+        av_freep(&v->mv_type_mb_plane);
+        av_freep(&v->direct_mb_plane);
+        av_freep(&v->acpred_plane);
+        av_freep(&v->over_flags_plane);
+        av_freep(&v->block);
+        av_freep(&v->cbp_base);
+        av_freep(&v->ttblk_base);
+        av_freep(&v->is_intra_base);
+        av_freep(&v->luma_mv_base);
+        av_freep(&v->mb_type_base);
+        return AVERROR(ENOMEM);
+    }
 
     return 0;
 }
diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index 6e4742e8e7..39b552fcf2 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -70,7 +70,7 @@ static int decode_frame(AVCodecContext *avctx,
     int prev_y = 0, prev_u = 0, prev_v = 0;
     uint8_t *rbuf;
 
-    if(buf_size<=8) {
+    if (buf_size<=8) {
         av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
         return AVERROR_INVALIDDATA;
     }
author	Michael Niedermayer <michaelni@gmx.at>	2014-01-16 22:02:02 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-01-16 22:02:02 +0100
commit	d1c7a7776f6775cf43c3a5025d0544f0470125f4 (patch)
tree	5df137fce84cf350c411a87805da88f7baf7d0d7 /libavcodec
parent	5339a9f000519851d111d747a9c582981be7ee82 (diff)
parent	159993acc7f4e3155510d42c543e09fe972b933c (diff)
download	ffmpeg-d1c7a7776f6775cf43c3a5025d0544f0470125f4.tar.gz