diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-10-08 01:41:20 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-10-08 01:41:20 +0200 |
| commit | 8d14e1d64ee1780f839e05c22fc633b3cf1b8579 (patch) | |
| tree | 9a2259418c83ee5f4397f0fc921b52e45f817269 /libavformat | |
| parent | 5da68aff96ff77b0f82d80f250e23c2f3696938b (diff) | |
| parent | 7e350b7ddd19af856b55634233d609e29baab646 (diff) | |
| download | ffmpeg-8d14e1d64ee1780f839e05c22fc633b3cf1b8579.tar.gz | |
Merge commit '7e350b7ddd19af856b55634233d609e29baab646' into release/1.1
* commit '7e350b7ddd19af856b55634233d609e29baab646':
pcx: Check the packet size before assuming it fits a palette
rpza: Fix a buffer size check
xxan: Disallow odd width
xan: Only read within the data that actually was initialized
xan: Use bytestream2 to limit reading to within the buffer
pcx: Consume the whole packet if giving up due to missing palette
pngdec: Stop trying to decode once inflate returns Z_STREAM_END
mov: Make sure the read sample count is nonnegative
bfi: Add some very basic sanity checks for input packet sizes
bfi: Avoid divisions by zero
electronicarts: Add more sanity checking for the number of channels
riffdec: Add sanity checks for the sample rate
Conflicts:
libavcodec/pcx.c
libavcodec/xan.c
libavformat/mov.c
libavformat/riff.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/bfi.c | 11 | ||||
| -rw-r--r-- | libavformat/electronicarts.c | 5 | ||||
| -rw-r--r-- | libavformat/mov.c | 4 | ||||
| -rw-r--r-- | libavformat/riff.c | 5 |
4 files changed, 20 insertions, 5 deletions
diff --git a/libavformat/bfi.c b/libavformat/bfi.c index a28e09a4f1..212a6119da 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -134,6 +134,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) video_offset = avio_rl32(pb); audio_size = video_offset - audio_offset; bfi->video_size = chunk_size - video_offset; + if (audio_size < 0 || bfi->video_size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); + return AVERROR_INVALIDDATA; + } //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); @@ -142,9 +146,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) pkt->pts = bfi->audio_frame; bfi->audio_frame += ret; - } - - else { + } else if (bfi->video_size > 0) { //Tossing a video packet at the video decoder. ret = av_get_packet(pb, pkt, bfi->video_size); @@ -156,6 +158,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) /* One less frame to read. A cursory decrement. */ bfi->nframes--; + } else { + /* Empty video packet */ + ret = AVERROR(EAGAIN); } bfi->avflag = !bfi->avflag; diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index bc7ea140d5..4484355e94 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -453,8 +453,9 @@ static int ea_read_header(AVFormatContext *s) } if (ea->audio_codec) { - if (ea->num_channels <= 0) { - av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); + if (ea->num_channels <= 0 || ea->num_channels > 2) { + av_log(s, AV_LOG_WARNING, + "Unsupported number of channels: %d\n", ea->num_channels); ea->audio_codec = 0; return 1; } diff --git a/libavformat/mov.c b/libavformat/mov.c index 32add6db03..db4ff274ce 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1821,6 +1821,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Invalid SampleDelta in STTS %d\n", sample_duration); sample_duration = 1; } + if (sample_count < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count); + return AVERROR_INVALIDDATA; + } sc->stts_data[i].count= sample_count; sc->stts_data[i].duration= sample_duration; diff --git a/libavformat/riff.c b/libavformat/riff.c index b417e2e594..02bf1e5962 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -736,6 +736,11 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) if (size > 0) avio_skip(pb, size); } + if (codec->sample_rate <= 0) { + av_log(NULL, AV_LOG_ERROR, + "Invalid sample rate: %d\n", codec->sample_rate); + return AVERROR_INVALIDDATA; + } if (codec->codec_id == AV_CODEC_ID_AAC_LATM) { /* channels and sample_rate values are those prior to applying SBR and/or PS */ codec->channels = 0; |