authorMichael Niedermayer <michaelni@gmx.at>2014-01-16 21:53:50 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-01-16 21:53:50 +0100
commit5339a9f000519851d111d747a9c582981be7ee82 (patch)
tree263715bdda7df2c5cad55d74d98a4d80b6779773 /libavformat
parentbd953f94044eec49142d3d61993682f8b2186613 (diff)
parentb19eafa2b930ee40abfde6d1f026b7fa5591c4dc (diff)
downloadffmpeg-5339a9f000519851d111d747a9c582981be7ee82.tar.gz
Merge commit 'b19eafa2b930ee40abfde6d1f026b7fa5591c4dc' into release/0.10
* commit 'b19eafa2b930ee40abfde6d1f026b7fa5591c4dc': eacmv: Make sure a reference frame exists before referencing it mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory ivi_common: Make sure color planes have been initialized oggparseogm: Convert to use bytestream2 rv34: Check the return value from ff_rv34_decode_init matroskadec: Verify realaudio codec parameters mace: Make sure that the channel count is set to a valid value svq3: Check for any negative return value from ff_h264_check_intra_pred_mode vp3: Check the framerate for validity cavsdec: Make sure a sequence header has been decoded before decoding pictures sierravmd: Do sanity checking of frame sizes omadec: Properly check lengths before incrementing the position mpc8: Make sure the first stream exists before parsing the seek table Conflicts: libavcodec/eacmv.c libavcodec/mpeg4videodec.c libavformat/omadec.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/matroskadec.c4
-rw-r--r--libavformat/mpc8.c5
-rw-r--r--libavformat/oggparseogm.c52
-rw-r--r--libavformat/omadec.c6
-rw-r--r--libavformat/sierravmd.c22
5 files changed, 56 insertions, 33 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 5e52f86e81..45bafe5ec4 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1536,6 +1536,10 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap)
track->audio.sub_packet_h = avio_rb16(&b);
track->audio.frame_size = avio_rb16(&b);
track->audio.sub_packet_size = avio_rb16(&b);
+ if (flavor <= 0 || track->audio.coded_framesize <= 0 ||
+ track->audio.sub_packet_h <= 0 || track->audio.frame_size <= 0 ||
+ track->audio.sub_packet_size <= 0)
+ return AVERROR_INVALIDDATA;
track->audio.buf = av_malloc(track->audio.frame_size * track->audio.sub_packet_h);
if (codec_id == CODEC_ID_RA_288) {
st->codec->block_align = track->audio.coded_framesize;
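Review bot: The added guard rejects non-positive values but does not bound the product passed to `av_malloc` on the following line. `frame_size` and `sub_packet_h` are both filled from `avio_rb16`, so `track->audio.frame_size * track->audio.sub_packet_h` can approach 2^32 and, if these fields are plain `int` (their declarations are outside the hunk), overflow before the allocation is sized. A check such as `if (track->audio.frame_size > INT_MAX / track->audio.sub_packet_h) return AVERROR_INVALIDDATA;` would close that gap, and the visible lines do not test the `av_malloc` result for NULL either. matroska_read_header starts and ends outside the hunk, so whether the new early return leaks earlier allocations cannot be judged from here.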
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 4117d03e5a..a3fc1be894 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -137,6 +137,11 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
int i, t, seekd;
GetBitContext gb;
+ if (s->nb_streams == 0) {
+ av_log(s, AV_LOG_ERROR, "No stream added before parsing seek table\n");
+ return;
+ }
+
avio_seek(s->pb, off, SEEK_SET);
mpc8_get_chunk_header(s->pb, &tag, &size);
if(tag != TAG_SEEKTABLE){
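Review bot: The new early return in mpc8_parse_seektable carries no comment saying which later access it protects. Judging by the log text and the commit title, the code further down presumably uses the first stream, but that use lies outside the hunk. A short comment above the check, for example `/* seek entries are added to the first stream, so it must exist (confirm against the code below) */`, would stop the guard from being dropped as apparently dead code. Since the function returns void, the error log is the only signal the caller gets that the seek table was skipped.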
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index 0a8a7c6bd4..c761bbd7db 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -37,62 +37,64 @@ ogm_header(AVFormatContext *s, int idx)
struct ogg *ogg = s->priv_data;
struct ogg_stream *os = ogg->streams + idx;
AVStream *st = s->streams[idx];
- const uint8_t *p = os->buf + os->pstart;
+ GetByteContext p;
uint64_t time_unit;
uint64_t spu;
- if(!(*p & 1))
+ bytestream2_init(&p, os->buf + os->pstart, os->psize);
+ if (!(bytestream2_peek_byte(&p) & 1))
return 0;
- if(*p == 1) {
- p++;
+ if (bytestream2_peek_byte(&p) == 1) {
+ bytestream2_skip(&p, 1);
- if(*p == 'v'){
+ if (bytestream2_peek_byte(&p) == 'v'){
int tag;
st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
- p += 8;
- tag = bytestream_get_le32(&p);
+ bytestream2_skip(&p, 8);
+ tag = bytestream2_get_le32(&p);
st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
st->codec->codec_tag = tag;
- } else if (*p == 't') {
+ } else if (bytestream2_peek_byte(&p) == 't') {
st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codec->codec_id = CODEC_ID_TEXT;
- p += 12;
+ bytestream2_skip(&p, 12);
} else {
- uint8_t acid[5];
+ uint8_t acid[5] = { 0 };
int cid;
st->codec->codec_type = AVMEDIA_TYPE_AUDIO;
- p += 8;
- bytestream_get_buffer(&p, acid, 4);
+ bytestream2_skip(&p, 8);
+ bytestream2_get_buffer(&p, acid, 4);
acid[4] = 0;
cid = strtol(acid, NULL, 16);
st->codec->codec_id = ff_codec_get_id(ff_codec_wav_tags, cid);
st->need_parsing = AVSTREAM_PARSE_FULL;
}
- p += 4; /* useless size field */
+ bytestream2_skip(&p, 4); /* useless size field */
- time_unit = bytestream_get_le64(&p);
- spu = bytestream_get_le64(&p);
- p += 4; /* default_len */
- p += 8; /* buffersize + bits_per_sample */
+ time_unit = bytestream2_get_le64(&p);
+ spu = bytestream2_get_le64(&p);
+ bytestream2_skip(&p, 4); /* default_len */
+ bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */
if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO){
- st->codec->width = bytestream_get_le32(&p);
- st->codec->height = bytestream_get_le32(&p);
+ st->codec->width = bytestream2_get_le32(&p);
+ st->codec->height = bytestream2_get_le32(&p);
st->codec->time_base.den = spu * 10000000;
st->codec->time_base.num = time_unit;
avpriv_set_pts_info(st, 64, st->codec->time_base.num, st->codec->time_base.den);
} else {
- st->codec->channels = bytestream_get_le16(&p);
- p += 2; /* block_align */
- st->codec->bit_rate = bytestream_get_le32(&p) * 8;
+ st->codec->channels = bytestream2_get_le16(&p);
+ bytestream2_skip(&p, 2); /* block_align */
+ st->codec->bit_rate = bytestream2_get_le32(&p) * 8;
st->codec->sample_rate = spu * 10000000 / time_unit;
avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate);
}
- } else if (*p == 3) {
- if (os->psize > 8)
- ff_vorbis_comment(s, &st->metadata, p+7, os->psize-8);
+ } else if (bytestream2_peek_byte(&p) == 3) {
+ bytestream2_skip(&p, 7);
+ if (bytestream2_get_bytes_left(&p) > 1)
+ ff_vorbis_comment(s, &st->metadata, p.buffer, bytestream2_get_bytes_left(&p) - 1);
}
return 1;
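Review bot: `st->codec->sample_rate = spu * 10000000 / time_unit;` still divides by a value taken straight from the packet, and the conversion makes a zero more likely. The checked `bytestream2_get_le64` reader returns 0 once the buffer runs out, so a truncated header now yields `time_unit == 0` and `spu == 0` instead of reading past the end. Rejecting that right after the two reads, e.g. `if (!time_unit || !spu) return AVERROR_INVALIDDATA;`, would avoid the division by zero in the audio branch and a zero `time_base` in the video branch. How ogm_header's callers treat a negative return is not visible here, so the exact return value needs confirming. The function's closing brace is outside the hunk.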
diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 1df2244607..93c661e615 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -173,7 +173,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
if(taglen + (((uint64_t)datalen)<<4) + 44 > size)
return -1;
- pos += 44 + taglen;
+ pos += 44;
+ if (size - pos < taglen)
+ return -1;
+
+ pos += taglen;
if (datalen << 4 > size - pos)
return -1;
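Review bot: The new test `if (size - pos < taglen)` is only meaningful when `pos <= size` after `pos += 44`, and nothing in the visible lines establishes that. The earlier check compares `taglen + (datalen << 4) + 44` with `size` but does not include `pos`. With `size` unsigned, a `pos` beyond `size` would make the subtraction wrap to a large value and let the check pass. Writing it as `if (pos > size || size - pos < taglen) return -1;` removes the dependency on bounds checks outside the hunk. The initial value and type of `pos` are set earlier in nprobe and are not shown.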
diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c
index 6fb7d8a700..560ffe6792 100644
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -89,7 +89,7 @@ static int vmd_read_header(AVFormatContext *s,
unsigned char *raw_frame_table;
int raw_frame_table_size;
int64_t current_offset;
- int i, j;
+ int i, j, ret;
unsigned int total_frames;
int64_t current_audio_pts = 0;
unsigned char chunk[BYTES_PER_FRAME_RECORD];
@@ -170,15 +170,13 @@ static int vmd_read_header(AVFormatContext *s,
raw_frame_table = av_malloc(raw_frame_table_size);
vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame));
if (!raw_frame_table || !vmd->frame_table) {
- av_free(raw_frame_table);
- av_free(vmd->frame_table);
- return AVERROR(ENOMEM);
+ ret = AVERROR(ENOMEM);
+ goto error;
}
if (avio_read(pb, raw_frame_table, raw_frame_table_size) !=
raw_frame_table_size) {
- av_free(raw_frame_table);
- av_free(vmd->frame_table);
- return AVERROR(EIO);
+ ret = AVERROR(EIO);
+ goto error;
}
total_frames = 0;
@@ -194,6 +192,11 @@ static int vmd_read_header(AVFormatContext *s,
avio_read(pb, chunk, BYTES_PER_FRAME_RECORD);
type = chunk[0];
size = AV_RL32(&chunk[2]);
+ if (size > INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Invalid frame size\n");
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
if(!size && type != 1)
continue;
switch(type) {
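Review bot: The `avio_read(pb, chunk, BYTES_PER_FRAME_RECORD)` call just above the new size check ignores its return value, so on a short read `type` and `size` are parsed from whatever `chunk` already held. Now that the function has an `error` label, the read can be checked in the same style as the frame-table read: `if (avio_read(pb, chunk, BYTES_PER_FRAME_RECORD) != BYTES_PER_FRAME_RECORD) { ret = AVERROR(EIO); goto error; }`. The surrounding loop and the declaration of `size` are outside the hunk.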
@@ -230,6 +233,11 @@ static int vmd_read_header(AVFormatContext *s,
vmd->frame_count = total_frames;
return 0;
+
+error:
+ av_free(raw_frame_table);
+ av_free(vmd->frame_table);
+ return ret;
}
static int vmd_read_packet(AVFormatContext *s,
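Review bot: At the `error:` label, `av_free(vmd->frame_table)` releases the table but leaves the stale pointer in the demuxer context. If the close callback or any later path frees or reads `vmd->frame_table` after a failed header read (not visible in this hunk), that becomes a double free or use-after-free. Using `av_freep(&vmd->frame_table);` there resets the field to NULL. The local `raw_frame_table` can stay with `av_free`, since it goes out of scope on return.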