author | Michael Niedermayer <michaelni@gmx.at> | 2012-06-04 13:12:41 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-06-04 13:12:41 +0200 |
commit | a56b07b5dc4fdacbb038a9fc9d51e6b98e6d12d8 (patch) | |
tree | 76f242090d28d996194ceab728be37801cdf9bb9 /libavformat | |
parent | e05fd37e028aae55abe9725a18bea9c83e63bcfa (diff) | |
parent | 64bc5f3bf75f6f009b66ba113da4afd1e7625d22 (diff) | |
download | ffmpeg-a56b07b5dc4fdacbb038a9fc9d51e6b98e6d12d8.tar.gz |
Merge branch 'release/0.8' into release/0.7
* release/0.8:
Update RELEASE file for 0.7.6
Update changelog for 0.7.6 release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
x86: fix build with gcc 4.7
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
aacsbr: prevent out of bounds memcpy().
rtpdec_asf: Fix integer underflow that could allow remote code execution
dpcm: ignore extra unpaired bytes in stereo streams.
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
adpcm: ADPCM Electronic Arts has always two channels
h263dec: Disallow width/height changing with frame threads.
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
Update for 0.8.11
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/electronicarts.c | 7 | ||||
-rw-r--r-- | libavformat/rtpdec_asf.c | 12 |
2 files changed, 13 insertions, 6 deletions
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index 0b882aac87..8e44fadb55 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -470,12 +470,17 @@ static int ea_read_packet(AVFormatContext *s,
 while (!packet_read) {
 chunk_type = avio_rl32(pb);
- chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+ chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+ if (chunk_size <= 8)
+ return AVERROR_INVALIDDATA;
+ chunk_size -= 8;
 switch (chunk_type) {
 /* audio data */
 case ISNh_TAG:
 /* header chunk also contains data; skip over the header portion*/
+ if (chunk_size < 32)
+ return AVERROR_INVALIDDATA;
 avio_skip(pb, 32);
 chunk_size -= 32;
 case ISNd_TAG:
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 643ea7a5a0..d97e8ee918 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,14 +233,16 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
 int cur_len = start_off + len_off - off;
 int prev_len = out_len;
- void *newbuf;
+ void *newmem;
+
 out_len += cur_len;
- if(FFMIN(cur_len, len - off)<0)
+
+ if (FFMIN(cur_len, len - off) < 0)
 return -1;
- newbuf = av_realloc(asf->buf, out_len);
- if(!newbuf)
+ newmem = av_realloc(asf->buf, out_len);
+ if (!newmem)
 return -1;
- asf->buf= newbuf;
+ asf->buf = newmem;
 memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off));
 avio_skip(pb, cur_len); |
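Review bot: The new guard `if (chunk_size <= 8)` in ea_read_packet also rejects a chunk whose size field is exactly 8, even though `chunk_size -= 8` would leave 0 there and not wrap. If header-only chunks can occur in valid files, `if (chunk_size < 8)` is the bound that blocks only the underflow. The declaration of `chunk_size` is outside the hunk: if it is signed, very large size fields are caught here as negatives, but if it is unsigned they pass this check and depend on whatever bounds the later read, so that should be confirmed. The fallthrough from `case ISNh_TAG:` into `case ISNd_TAG:` after `chunk_size -= 32;` looks intentional and deserves a `/* fall through */` comment. The loop body continues outside the hunk.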
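Review bot: In asfrtp_parse_packet, `out_len += cur_len;` still runs before the `FFMIN(cur_len, len - off) < 0` check, so a packet-derived `cur_len` is added to the running total before it is validated, and nothing visible in the hunk bounds the sum. Computing the copy length once and rejecting it first, `int copy_len = FFMIN(cur_len, len - off); if (copy_len < 0) return -1;`, ahead of `out_len += cur_len;` would validate before mutating state and keep the check and the `memcpy` length from drifting apart. When `len - off` is smaller than `cur_len`, the buffer grows by `cur_len` but only the smaller count is copied, so the tail of the reallocated region appears to stay uninitialized. It should be zeroed, or `out_len` should advance by the copied length if the format allows. The enclosing block starts and ends outside the hunk, so the types of `out_len` and `len` should be confirmed there.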