aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-11-04 20:20:37 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-11-04 20:20:37 +0100
commit3e17543491dd6db043090f9edfc2ad8677fde868 (patch)
tree35fc291c862d3b57c108461dc6beb3f712491dee /libavformat
parent7275dc28f6eec4168dbef79275b605bc73dbc0e4 (diff)
parent1e1015fd223ff33a88585db13047ce766369c21b (diff)
downloadffmpeg-3e17543491dd6db043090f9edfc2ad8677fde868.tar.gz
Merge branch 'release/0.8' into release/0.7
* release/0.8: (96 commits) Version numbers for 0.8.6 snow: emu edge support Fixes Ticket592 imc: validate channel count imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263) libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf) configure: fix arch x86_32 mp3enc: avoid truncating id3v1 tags by one byte asfdec: Check packet_replic_size earlier cin audio: validate the channel count binkaudio: add some buffer overread checks. atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872) atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e) vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f) apedec: set s->currentframeblocks after validating nblocks apedec: use unsigned int for 'nblocks' and make sure that it's within int range apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d) apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313d11b37772c05a28da20fbc112db478) mpegaudiodec: check output data size based on avctx->frame_size resample: Fix array size resample2: fix potential overflow ... Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/asfdec.c8
-rw-r--r--libavformat/aviobuf.c7
-rw-r--r--libavformat/matroskadec.c2
-rw-r--r--libavformat/mov.c23
-rw-r--r--libavformat/mp3enc.c11
-rw-r--r--libavformat/mpegts.c18
-rw-r--r--libavformat/mpegtsenc.c2
-rw-r--r--libavformat/mxfdec.c24
-rw-r--r--libavformat/riff.c1
-rw-r--r--libavformat/rtpdec.c14
-rw-r--r--libavformat/tta.c4
-rw-r--r--libavformat/utils.c4
-rw-r--r--libavformat/westwood.c4
13 files changed, 74 insertions, 48 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 7ee00277b1..0fb04c43eb 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -809,6 +809,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
//printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
+ if (rsize+asf->packet_replic_size > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
+ return -1;
+ }
if (asf->packet_replic_size >= 8) {
asf->packet_obj_size = avio_rl32(pb);
if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
@@ -843,10 +847,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
return -1;
}
- if (rsize > asf->packet_size_left) {
- av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
- return -1;
- }
if (asf->packet_flags & 0x01) {
DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
if (rsize > asf->packet_size_left) {
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 0d13a9f02c..626261ab24 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -780,13 +780,14 @@ int avio_get_str(AVIOContext *s, int maxlen, char *buf, int buflen)
{
int i;
+ if (buflen <= 0)
+ return AVERROR(EINVAL);
// reserve 1 byte for terminating 0
buflen = FFMIN(buflen - 1, maxlen);
for (i = 0; i < buflen; i++)
if (!(buf[i] = avio_r8(s)))
return i + 1;
- if (buflen)
- buf[i] = 0;
+ buf[i] = 0;
for (; i < maxlen; i++)
if (!avio_r8(s))
return i + 1;
@@ -798,6 +799,8 @@ int avio_get_str(AVIOContext *s, int maxlen, char *buf, int buflen)
{\
char* q = buf;\
int ret = 0;\
+ if (buflen <= 0) \
+ return AVERROR(EINVAL); \
while (ret + 1 < maxlen) {\
uint8_t tmp;\
uint32_t ch;\
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 14b1c1f120..ffc189825e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1811,7 +1811,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
lace_size[n] = lace_size[n - 1] + snum;
total += lace_size[n];
}
- lace_size[n] = size - total;
+ lace_size[laces - 1] = size - total;
break;
}
}
diff --git a/libavformat/mov.c b/libavformat/mov.c
index b083a4985f..8fd9b320a3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2403,14 +2403,21 @@ static void mov_read_chapters(AVFormatContext *s)
// The samples could theoretically be in any encoding if there's an encd
// atom following, but in practice are only utf-8 or utf-16, distinguished
// instead by the presence of a BOM
- ch = avio_rb16(sc->pb);
- if (ch == 0xfeff)
- avio_get_str16be(sc->pb, len, title, title_len);
- else if (ch == 0xfffe)
- avio_get_str16le(sc->pb, len, title, title_len);
- else {
- AV_WB16(title, ch);
- get_strz(sc->pb, title + 2, len - 1);
+ if (!len) {
+ title[0] = 0;
+ } else {
+ ch = avio_rb16(sc->pb);
+ if (ch == 0xfeff)
+ avio_get_str16be(sc->pb, len, title, title_len);
+ else if (ch == 0xfffe)
+ avio_get_str16le(sc->pb, len, title, title_len);
+ else {
+ AV_WB16(title, ch);
+ if (len == 1 || len == 2)
+ title[len] = 0;
+ else
+ get_strz(sc->pb, title + 2, len - 1);
+ }
}
ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);
diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c
index 50342bb950..76d1813172 100644
--- a/libavformat/mp3enc.c
+++ b/libavformat/mp3enc.c
@@ -51,11 +51,12 @@ static int id3v1_create_tag(AVFormatContext *s, uint8_t *buf)
buf[0] = 'T';
buf[1] = 'A';
buf[2] = 'G';
- count += id3v1_set_string(s, "TIT2", buf + 3, 30); //title
- count += id3v1_set_string(s, "TPE1", buf + 33, 30); //author|artist
- count += id3v1_set_string(s, "TALB", buf + 63, 30); //album
- count += id3v1_set_string(s, "TDRL", buf + 93, 4); //date
- count += id3v1_set_string(s, "comment", buf + 97, 30);
+ /* we knowingly overspecify each tag length by one byte to compensate for the mandatory null byte added by av_strlcpy */
+ count += id3v1_set_string(s, "TIT2", buf + 3, 30 + 1); //title
+ count += id3v1_set_string(s, "TPE1", buf + 33, 30 + 1); //author|artist
+ count += id3v1_set_string(s, "TALB", buf + 63, 30 + 1); //album
+ count += id3v1_set_string(s, "TDRL", buf + 93, 4 + 1); //date
+ count += id3v1_set_string(s, "comment", buf + 97, 30 + 1);
if ((tag = av_dict_get(s->metadata, "TRCK", NULL, 0))) { //track
buf[125] = 0;
buf[126] = atoi(tag->value);
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index d3c9e78ed4..e5c21ccbf3 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1088,7 +1088,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
// stop parsing after pmt, we found header
if (!ts->stream->nb_streams)
- ts->stop_parse = 1;
+ ts->stop_parse = 2;
for(;;) {
st = 0;
@@ -1408,11 +1408,15 @@ static int handle_packets(MpegTSContext *ts, int nb_packets)
ts->stop_parse = 0;
packet_num = 0;
for(;;) {
- if (ts->stop_parse>0)
- break;
packet_num++;
- if (nb_packets != 0 && packet_num >= nb_packets)
+ if (nb_packets != 0 && packet_num >= nb_packets ||
+ ts->stop_parse > 1) {
+ ret = AVERROR(EAGAIN);
+ break;
+ }
+ if (ts->stop_parse > 0)
break;
+
ret = read_packet(s, packet, ts->raw_packet_size);
if (ret != 0)
return ret;
@@ -1863,10 +1867,8 @@ int ff_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt,
len1 = len;
ts->pkt = pkt;
- ts->stop_parse = 0;
for(;;) {
- if (ts->stop_parse>0)
- break;
+ ts->stop_parse = 0;
if (len < TS_PACKET_SIZE)
return -1;
if (buf[0] != 0x47) {
@@ -1876,6 +1878,8 @@ int ff_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt,
handle_packet(ts, buf);
buf += TS_PACKET_SIZE;
len -= TS_PACKET_SIZE;
+ if (ts->stop_parse == 1)
+ break;
}
}
return len1 - len;
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 7e9647257f..32dedfbae6 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -84,7 +84,7 @@ static const AVOption options[] = {
{ "mpegts_service_id", "Set service_id field.",
offsetof(MpegTSWrite, service_id), FF_OPT_TYPE_INT, {.dbl = 0x0001 }, 0x0001, 0xffff, AV_OPT_FLAG_ENCODING_PARAM},
{ "mpegts_pmt_start_pid", "Set the first pid of the PMT.",
- offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x1000, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM},
+ offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x0010, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM},
{ "mpegts_start_pid", "Set the first pid.",
offsetof(MpegTSWrite, start_pid), FF_OPT_TYPE_INT, {.dbl = 0x0100 }, 0x0100, 0x0f00, AV_OPT_FLAG_ENCODING_PARAM},
{ NULL },
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index a69944d8d2..953d3b0002 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -223,12 +223,13 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt,
if (length > 61444) /* worst case PAL 1920 samples 8 channels */
return -1;
- av_new_packet(pkt, length);
- avio_read(pb, pkt->data, length);
+ length = av_get_packet(pb, pkt, length);
+ if (length < 0)
+ return length;
data_ptr = pkt->data;
end_ptr = pkt->data + length;
buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */
- for (; buf_ptr < end_ptr; ) {
+ for (; buf_ptr + st->codec->channels*4 < end_ptr; ) {
for (i = 0; i < st->codec->channels; i++) {
uint32_t sample = bytestream_get_le32(&buf_ptr);
if (st->codec->bits_per_coded_sample == 24)
@@ -238,7 +239,7 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt,
}
buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M
}
- pkt->size = data_ptr - pkt->data;
+ av_shrink_packet(pkt, data_ptr - pkt->data);
return 0;
}
@@ -290,12 +291,16 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv
if (memcmp(tmpbuf, checkv, 16))
av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n");
size -= 32;
- av_get_packet(pb, pkt, size);
+ size = av_get_packet(pb, pkt, size);
+ if (size < 0)
+ return size;
+ else if (size < plaintext_size)
+ return AVERROR_INVALIDDATA;
size -= plaintext_size;
if (mxf->aesc)
av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size],
&pkt->data[plaintext_size], size >> 4, ivec, 1);
- pkt->size = orig_size;
+ av_shrink_packet(pkt, orig_size);
pkt->stream_index = index;
avio_skip(pb, end - avio_tell(pb));
return 0;
@@ -332,8 +337,11 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt)
av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n");
return -1;
}
- } else
- av_get_packet(s->pb, pkt, klv.length);
+ } else {
+ int ret = av_get_packet(s->pb, pkt, klv.length);
+ if (ret < 0)
+ return ret;
+ }
pkt->stream_index = index;
pkt->pos = klv.offset;
return 0;
diff --git a/libavformat/riff.c b/libavformat/riff.c
index 1ccd9091be..a834084b71 100644
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -287,6 +287,7 @@ const AVCodecTag ff_codec_wav_tags[] = {
{ CODEC_ID_ADPCM_YAMAHA, 0x0020 },
{ CODEC_ID_TRUESPEECH, 0x0022 },
{ CODEC_ID_GSM_MS, 0x0031 },
+ { CODEC_ID_AMR_NB, 0x0038 }, /* rogue format number */
{ CODEC_ID_ADPCM_G726, 0x0045 },
{ CODEC_ID_MP2, 0x0050 },
{ CODEC_ID_MP3, 0x0055 },
diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c
index 9fc30d7b66..130a78d0d1 100644
--- a/libavformat/rtpdec.c
+++ b/libavformat/rtpdec.c
@@ -111,14 +111,15 @@ RTPDynamicProtocolHandler *ff_rtp_handler_find_by_id(int id,
static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len)
{
int payload_len;
- while (len >= 2) {
+ while (len >= 4) {
+ payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4);
+
switch (buf[1]) {
case RTCP_SR:
- if (len < 16) {
+ if (payload_len < 20) {
av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n");
return AVERROR_INVALIDDATA;
}
- payload_len = (AV_RB16(buf + 2) + 1) * 4;
s->last_rtcp_ntp_time = AV_RB64(buf + 8);
s->last_rtcp_timestamp = AV_RB32(buf + 16);
@@ -129,14 +130,13 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l
s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp;
}
- buf += payload_len;
- len -= payload_len;
break;
case RTCP_BYE:
return -RTCP_BYE;
- default:
- return -1;
}
+
+ buf += payload_len;
+ len -= payload_len;
}
return -1;
}
diff --git a/libavformat/tta.c b/libavformat/tta.c
index c37039d0da..9df9763c74 100644
--- a/libavformat/tta.c
+++ b/libavformat/tta.c
@@ -107,6 +107,10 @@ static int tta_read_header(AVFormatContext *s, AVFormatParameters *ap)
return -1;
}
st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE);
+ if (!st->codec->extradata) {
+ st->codec->extradata_size = 0;
+ return AVERROR(ENOMEM);
+ }
avio_seek(s->pb, start_offset, SEEK_SET);
avio_read(s->pb, st->codec->extradata, st->codec->extradata_size);
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 591a121ec2..96ceae9a63 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2465,9 +2465,9 @@ int av_find_stream_info(AVFormatContext *ic)
}
{
int64_t last = st->info->last_dts;
- int64_t duration= pkt->dts - last;
- if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){
+ if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){
+ int64_t duration= pkt->dts - last;
double dur= duration * av_q2d(st->time_base);
// if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO)
diff --git a/libavformat/westwood.c b/libavformat/westwood.c
index 818fe2d8d3..dd6ddef905 100644
--- a/libavformat/westwood.c
+++ b/libavformat/westwood.c
@@ -277,10 +277,8 @@ static int wsvqa_read_header(AVFormatContext *s,
/* there are 0 or more chunks before the FINF chunk; iterate until
* FINF has been skipped and the file will be ready to be demuxed */
do {
- if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) {
- av_free(st->codec->extradata);
+ if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE)
return AVERROR(EIO);
- }
chunk_tag = AV_RB32(&scratch[0]);
chunk_size = AV_RB32(&scratch[4]);
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-12 04:22:15 +0000