aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2013-02-18 00:56:01 +0100
committerMichael Niedermayer <michaelni@gmx.at>2013-02-18 00:56:01 +0100
commit7378101d41020ee9f4643740ebf1b9142afca557 (patch)
treed23ff231538f8385182a4138a2d874fbc72fa378 /libavformat
parentda5f4e4d19917bce4b9213ff3d433ddf30e22fe5 (diff)
parent377fabc9e687a3c73fdb235f773f6e9151378ca5 (diff)
downloadffmpeg-7378101d41020ee9f4643740ebf1b9142afca557.tar.gz
Merge branch 'release/0.8' into release/0.7
* release/0.8: (92 commits) Update for 0.8.13 pngdec/filter: dont access out of array elements at the end aacdec: check channel count vqavideo: check chunk sizes before reading chunks eamad: fix out of array accesses roqvideodec: check dimensions validity qdm2: check array index before use, fix out of array accesses alsdec: check block length huffyuvdec: Skip len==0 cases huffyuvdec: Check init_vlc() return codes. Update changelog for 0.7.7 release mpeg12: do not decode extradata more than once. indeo4/5: check empty tile size in decode_mb_info(). dfa: improve boundary checks in decode_dds1() indeo5dec: Make sure we have had a valid gop header. rv34: error out on size changes with frame threading rtmp: fix buffer overflows in ff_amf_tag_contents() rtmp: fix multiple broken overflow checks Revert "h264: allow cropping to AVCodecContext.width/height" h264: check ref_count validity for num_ref_idx_active_override_flag ... Conflicts: Doxyfile RELEASE VERSION libavcodec/rv34.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/avidec.c4
-rw-r--r--libavformat/oggdec.c56
-rw-r--r--libavformat/rtmppkt.c21
-rw-r--r--libavformat/rtsp.c8
-rw-r--r--libavformat/utils.c7
-rw-r--r--libavformat/yuv4mpeg.c27
6 files changed, 73 insertions, 50 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index a06ed546d8..1a1db244b5 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1028,7 +1028,7 @@ resync:
}
ast->frame_offset += get_duration(ast, pkt->size);
}
- ast->remaining -= size;
+ ast->remaining -= err;
if(!ast->remaining){
avi->stream_index= -1;
ast->packet_size= 0;
@@ -1040,7 +1040,7 @@ resync:
}
ast->seek_pos= 0;
- return size;
+ return 0;
}
memset(d, -1, sizeof(int)*8);
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 6ae4d804ce..88b297f481 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s)
for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i;
- os->buf = av_malloc (os->bufsize);
- memset (os->buf, 0, os->bufsize);
+ os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (os->buf, ost->streams[i].buf, os->bufpos);
}
@@ -161,13 +160,18 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
AVStream *st;
struct ogg_stream *os;
- ogg->streams = av_realloc (ogg->streams,
- ogg->nstreams * sizeof (*ogg->streams));
+ os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams));
+
+ if (!os)
+ return AVERROR(ENOMEM);
+
+ ogg->streams = os;
+
memset (ogg->streams + idx, 0, sizeof (*ogg->streams));
os = ogg->streams + idx;
os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE;
- os->buf = av_malloc(os->bufsize);
+ os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1;
if (new_avstream) {
@@ -184,7 +188,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
static int ogg_new_buf(struct ogg *ogg, int idx)
{
struct ogg_stream *os = ogg->streams + idx;
- uint8_t *nb = av_malloc(os->bufsize);
+ uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart;
if(os->buf){
memcpy(nb, os->buf + os->pstart, size);
@@ -295,7 +299,9 @@ static int ogg_read_page(AVFormatContext *s, int *str)
}
if (os->bufsize - os->bufpos < size){
- uint8_t *nb = av_malloc (os->bufsize *= 2);
+ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (!nb)
+ return AVERROR(ENOMEM);
memcpy (nb, os->buf, os->bufpos);
av_free (os->buf);
os->buf = nb;
@@ -309,6 +315,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
os->granule = gp;
os->flags = flags;
+ memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str)
*str = idx;
@@ -504,14 +511,28 @@ static int ogg_get_length(AVFormatContext *s)
return 0;
}
-static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap)
+static int ogg_read_close(AVFormatContext *s)
{
struct ogg *ogg = s->priv_data;
- int ret, i;
+ int i;
+
+ for (i = 0; i < ogg->nstreams; i++) {
+ av_free(ogg->streams[i].buf);
+ av_free(ogg->streams[i].private);
+ }
+ av_free(ogg->streams);
+ return 0;
+}
+
+static int ogg_read_header(AVFormatContext *s)
+{
+ struct ogg *ogg = s->priv_data;
+ int i, ret;
ogg->curidx = -1;
//linear headers seek from start
- ret = ogg_get_headers (s);
- if (ret < 0){
+ ret = ogg_get_headers(s);
+ if (ret < 0) {
+ ogg_read_close(s);
return ret;
}
@@ -596,19 +617,6 @@ retry:
return psize;
}
-static int ogg_read_close(AVFormatContext *s)
-{
- struct ogg *ogg = s->priv_data;
- int i;
-
- for (i = 0; i < ogg->nstreams; i++){
- av_free (ogg->streams[i].buf);
- av_free (ogg->streams[i].private);
- }
- av_free (ogg->streams);
- return 0;
-}
-
static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index,
int64_t *pos_arg, int64_t pos_limit)
{
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index 4b6d549f74..c65cfc1439 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -278,11 +278,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
data++;
break;
}
- if (data + size >= data_end || data + size < data)
+ if (size < 0 || size >= data_end - data)
return -1;
data += size;
t = ff_amf_tag_size(data, data_end);
- if (t < 0 || data + t >= data_end)
+ if (t < 0 || t >= data_end - data)
return -1;
data += t;
}
@@ -311,7 +311,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
int size = bytestream_get_be16(&data);
if (!size)
break;
- if (data + size >= data_end || data + size < data)
+ if (size < 0 || size >= data_end - data)
return -1;
data += size;
if (size == namelen && !memcmp(data-size, name, namelen)) {
@@ -332,7 +332,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
return 0;
}
len = ff_amf_tag_size(data, data_end);
- if (len < 0 || data + len >= data_end || data + len < data)
+ if (len < 0 || len >= data_end - data)
return -1;
data += len;
}
@@ -362,7 +362,7 @@ static const char* rtmp_packet_type(int type)
static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end)
{
- int size;
+ unsigned int size;
char buf[1024];
if (data >= data_end)
@@ -381,7 +381,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
} else {
size = bytestream_get_be32(&data);
}
- size = FFMIN(size, 1023);
+ size = FFMIN(size, sizeof(buf) - 1);
memcpy(buf, data, size);
buf[size] = 0;
av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf);
@@ -394,22 +394,21 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
case AMF_DATA_TYPE_OBJECT:
av_log(ctx, AV_LOG_DEBUG, " {\n");
for (;;) {
- int size = bytestream_get_be16(&data);
int t;
- memcpy(buf, data, size);
- buf[size] = 0;
+ size = bytestream_get_be16(&data);
+ av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1));
if (!size) {
av_log(ctx, AV_LOG_DEBUG, " }\n");
data++;
break;
}
- if (data + size >= data_end || data + size < data)
+ if (size >= data_end - data)
return;
data += size;
av_log(ctx, AV_LOG_DEBUG, " %s: ", buf);
ff_amf_tag_contents(ctx, data, data_end);
t = ff_amf_tag_size(data, data_end);
- if (t < 0 || data + t >= data_end)
+ if (t < 0 || t >= data_end - data)
return;
data += t;
}
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 07f7217b6e..f8525ea539 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1641,6 +1641,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt)
rt->cur_transport_priv = NULL;
}
+redo:
if (rt->transport == RTSP_TRANSPORT_RTP) {
int i;
int64_t first_queue_time = 0;
@@ -1656,12 +1657,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt)
first_queue_st = rt->rtsp_streams[i];
}
}
- if (first_queue_time)
+ if (first_queue_time) {
wait_end = first_queue_time + s->max_delay;
+ } else {
+ wait_end = 0;
+ first_queue_st = NULL;
+ }
}
/* read next RTP packet */
- redo:
if (!rt->recvbuf) {
rt->recvbuf = av_malloc(RECVBUF_SIZE);
if (!rt->recvbuf)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index d11b1365a2..79381ab485 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -722,7 +722,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma
}
s->duration = s->start_time = AV_NOPTS_VALUE;
- av_strlcpy(s->filename, filename, sizeof(s->filename));
+ av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename));
/* allocate private data */
if (s->iformat->priv_data_size > 0) {
@@ -917,7 +917,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st,
*pnum = st->codec->time_base.num;
*pden = st->codec->time_base.den;
if (pc && pc->repeat_pict) {
- *pnum = (*pnum) * (1 + pc->repeat_pict);
+ if (*pnum > INT_MAX / (1 + pc->repeat_pict))
+ *pden /= 1 + pc->repeat_pict;
+ else
+ *pnum *= 1 + pc->repeat_pict;
}
//If this codec can be interlaced or progressive then we need a parser to compute duration of a packet
//Thus if we have no parser in such case leave duration undefined.
diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c
index 90b222d1d4..2fd8c2c5d2 100644
--- a/libavformat/yuv4mpeg.c
+++ b/libavformat/yuv4mpeg.c
@@ -155,9 +155,8 @@ static int yuv4_write_header(AVFormatContext *s)
return AVERROR(EIO);
if (s->streams[0]->codec->codec_id != CODEC_ID_RAWVIDEO) {
- av_log(s, AV_LOG_ERROR,
- "A non-rawvideo stream was selected, but yuv4mpeg only handles rawvideo streams\n");
- return AVERROR(EINVAL);
+ av_log(s, AV_LOG_ERROR, "ERROR: Only rawvideo supported.\n");
+ return AVERROR_INVALIDDATA;
}
if (s->streams[0]->codec->pix_fmt == PIX_FMT_YUV411P) {
@@ -353,7 +352,7 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt)
{
int i;
char header[MAX_FRAME_HEADER+1];
- int packet_size, width, height;
+ int packet_size, width, height, ret;
AVStream *st = s->streams[0];
struct frame_attributes *s1 = s->priv_data;
@@ -364,18 +363,28 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt)
break;
}
}
- if (i == MAX_FRAME_HEADER) return -1;
- if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) return -1;
+ if (s->pb->error)
+ return s->pb->error;
+ else if (s->pb->eof_reached)
+ return AVERROR_EOF;
+ else if (i == MAX_FRAME_HEADER)
+ return AVERROR_INVALIDDATA;
+
+ if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC)))
+ return AVERROR_INVALIDDATA;
width = st->codec->width;
height = st->codec->height;
packet_size = avpicture_get_size(st->codec->pix_fmt, width, height);
if (packet_size < 0)
- return -1;
+ return packet_size;
- if (av_get_packet(s->pb, pkt, packet_size) != packet_size)
- return AVERROR(EIO);
+ ret = av_get_packet(s->pb, pkt, packet_size);
+ if (ret < 0)
+ return ret;
+ else if (ret != packet_size)
+ return s->pb->eof_reached ? AVERROR_EOF : AVERROR(EIO);
if (s->streams[0]->codec->coded_frame) {
s->streams[0]->codec->coded_frame->interlaced_frame = s1->interlaced_frame;
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-16 19:15:14 +0000