Merge commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4' into release/1.1

* commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4': rl2: Avoid a division by zero wtv: Add more sanity checks for a length read from the file segafilm: Validate the number of audio channels qpeg: Add checks for running out of rows in qpeg_decode_inter mpegaudiodec: Validate that the number of channels fits at the given offset asvdec: Verify the amount of extradata idroqdec: Make sure a video stream has been allocated before returning packets rv10: Validate the dimensions set from the container xmv: Add more sanity checks for parameters read from the bitstream ffv1: Make sure at least one slice context is initialized truemotion2: Use av_freep properly in an error path eacmv: Make sure a reference frame exists before referencing it mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory ivi_common: Make sure color planes have been initialized mov: Don't use a negative duration for setting other fields Conflicts: libavcodec/eacmv.c libavcodec/ffv1.c libavcodec/mpeg4videodec.c libavcodec/mpegaudiodec.c libavcodec/qpeg.c libavformat/mov.c libavformat/wtv.c libavformat/xmv.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-10-08 01:06:45 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-10-08 01:06:45 +0200
commit: 55aedd679a24055e861c3debe0397b2cd05ef1be (patch)
tree: fe9eb65e1a6b02d3c484ddf732c08f2a5d21ff90 /libavformat
parent: af26185bdc35bab5183e5016becd048eb50c29a1 (diff)
parent: ce1dacb435460dda1f9d453eaaeac44bd502aca4 (diff)
download: ffmpeg-55aedd679a24055e861c3debe0397b2cd05ef1be.tar.gz
6 files changed, 28 insertions, 9 deletions
diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c
index 6f843d7bc9..8cdd72e33a 100644
--- a/libavformat/idroqdec.c
+++ b/libavformat/idroqdec.c
@@ -145,6 +145,8 @@ static int roq_read_packet(AVFormatContext *s,
             break;
 
         case RoQ_QUAD_CODEBOOK:
+            if (roq->video_stream_index < 0)
+                return AVERROR_INVALIDDATA;
             /* packet needs to contain both this codebook and next VQ chunk */
             codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE;
             codebook_size = chunk_size;
@@ -194,6 +196,11 @@ static int roq_read_packet(AVFormatContext *s,
                 st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample;
             }
         case RoQ_QUAD_VQ:
+            if (chunk_type == RoQ_QUAD_VQ) {
+                if (roq->video_stream_index < 0)
+                    return AVERROR_INVALIDDATA;
+            }
+
             /* load up the packet */
             if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE))
                 return AVERROR(EIO);
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 5992c15b05..32add6db03 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3209,7 +3209,7 @@ static int mov_read_header(AVFormatContext *s)
         for (i = 0; i < s->nb_streams; i++) {
             AVStream *st = s->streams[i];
             MOVStreamContext *sc = st->priv_data;
-            if (st->duration)
+            if (st->duration > 0)
                 st->codec->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration;
         }
     }
diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 800e12edbe..c72b6655d0 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -107,6 +107,10 @@ static av_cold int rl2_read_header(AVFormatContext *s)
     rate = avio_rl16(pb);
     channels = avio_rl16(pb);
     def_sound_size = avio_rl16(pb);
+    if (!channels || channels > 42) {
+        av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels);
+        return AVERROR_INVALIDDATA;
+    }
 
     /** setup video stream */
     st = avformat_new_stream(s, NULL);
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 232a93117f..0e6ce0807b 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -112,6 +112,11 @@ static int film_read_header(AVFormatContext *s)
             return AVERROR(EIO);
         film->audio_samplerate = AV_RB16(&scratch[24]);
         film->audio_channels = scratch[21];
+        if (!film->audio_channels || film->audio_channels > 2) {
+            av_log(s, AV_LOG_ERROR,
+                   "Invalid number of channels: %d\n", film->audio_channels);
+            return AVERROR_INVALIDDATA;
+        }
         film->audio_bits = scratch[22];
         if (scratch[23] == 2 && film->audio_channels > 0)
             film->audio_type = AV_CODEC_ID_ADPCM_ADX;
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 3416ed5075..eb1dd3e0f1 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -258,7 +258,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
         dir_length  = AV_RL16(buf + 16);
         file_length = AV_RL64(buf + 24);
         name_size   = 2 * AV_RL32(buf + 32);
-        if (buf + 48 + (int64_t)name_size > buf_end || name_size<0) {
+        if (name_size < 0) {
+            av_log(s, AV_LOG_ERROR,
+                   "bad filename length, remaining directory entries ignored\n");
+            break;
+        }
+        if (48 + (int64_t)name_size > buf_end - buf) {
             av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
             break;
         }
diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index 7763337d4e..3a671972cf 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -49,6 +49,8 @@
                            XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \
                            XMV_AUDIO_ADPCM51_REARLEFTRIGHT)
 
+#define XMV_BLOCK_ALIGN_SIZE 36
+
 /** A video packet with an XMV file. */
 typedef struct XMVVideoPacket {
     int stream_index; ///< The decoder stream index for this video packet.
@@ -196,15 +198,10 @@ static int xmv_read_header(AVFormatContext *s)
         packet->bits_per_sample = avio_rl16(pb);
         packet->flags           = avio_rl16(pb);
 
-        if (!packet->channels) {
-            av_log(s, AV_LOG_ERROR, "0 channels\n");
-            return AVERROR(EINVAL);
-        }
-
         packet->bit_rate      = packet->bits_per_sample *
                                 packet->sample_rate *
                                 packet->channels;
-        packet->block_align   = 36 * packet->channels;
+        packet->block_align   = XMV_BLOCK_ALIGN_SIZE * packet->channels;
         packet->block_samples = 64;
         packet->codec_id      = ff_wav_codec_get_id(packet->compression,
                                                     packet->bits_per_sample);
@@ -220,7 +217,8 @@ static int xmv_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
                                       "(0x%04X)\n", packet->flags);
 
-        if (!packet->channels || !packet->sample_rate) {
+        if (!packet->channels || !packet->sample_rate ||
+             packet->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) {
             av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
                    audio_track);
             ret = AVERROR_INVALIDDATA;
author	Michael Niedermayer <michaelni@gmx.at>	2013-10-08 01:06:45 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-10-08 01:06:45 +0200
commit	55aedd679a24055e861c3debe0397b2cd05ef1be (patch)
tree	fe9eb65e1a6b02d3c484ddf732c08f2a5d21ff90 /libavformat
parent	af26185bdc35bab5183e5016becd048eb50c29a1 (diff)
parent	ce1dacb435460dda1f9d453eaaeac44bd502aca4 (diff)
download	ffmpeg-55aedd679a24055e861c3debe0397b2cd05ef1be.tar.gz