authorMichael Niedermayer <michaelni@gmx.at>2012-06-04 13:12:41 +0200
committerMichael Niedermayer <michaelni@gmx.at>2012-06-04 13:12:41 +0200
commita56b07b5dc4fdacbb038a9fc9d51e6b98e6d12d8 (patch)
tree76f242090d28d996194ceab728be37801cdf9bb9 /libavformat
parente05fd37e028aae55abe9725a18bea9c83e63bcfa (diff)
parent64bc5f3bf75f6f009b66ba113da4afd1e7625d22 (diff)
Merge branch 'release/0.8' into release/0.7
* release/0.8: Update RELEASE file for 0.7.6 Update changelog for 0.7.6 release ea: check chunk_size for validity. png: check bit depth for PAL8/Y400A pixel formats. x86: fix build with gcc 4.7 qdm2: clip array indices returned by qdm2_get_vlc(). kmvc: Check palsize. aacsbr: prevent out of bounds memcpy(). rtpdec_asf: Fix integer underflow that could allow remote code execution dpcm: ignore extra unpaired bytes in stereo streams. tqi: Pass errors from the MB decoder h264: Add check for invalid chroma_format_idc adpcm: ADPCM Electronic Arts has always two channels h263dec: Disallow width/height changing with frame threads. vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. Update for 0.8.11 Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/electronicarts.c7
-rw-r--r--libavformat/rtpdec_asf.c12
2 files changed, 13 insertions, 6 deletions
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index 0b882aac87..8e44fadb55 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -470,12 +470,17 @@ static int ea_read_packet(AVFormatContext *s,
while (!packet_read) {
chunk_type = avio_rl32(pb);
- chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+ chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+ if (chunk_size <= 8)
+ return AVERROR_INVALIDDATA;
+ chunk_size -= 8;
switch (chunk_type) {
/* audio data */
case ISNh_TAG:
/* header chunk also contains data; skip over the header portion*/
+ if (chunk_size < 32)
+ return AVERROR_INVALIDDATA;
avio_skip(pb, 32);
chunk_size -= 32;
case ISNd_TAG:
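Review bot: The new guard `if (chunk_size <= 8)` also rejects a chunk whose size field is exactly 8, although only values below 8 make the following `chunk_size -= 8` wrap or go negative; `if (chunk_size < 8)` would be enough to stop that. It is also inconsistent with the ISNh case, where `if (chunk_size < 32)` accepts a chunk that has zero bytes left once the 32 header bytes are skipped and control falls into `case ISNd_TAG:`. The declaration of chunk_size and the rest of the switch are outside the hunk, so whether a zero-length payload is handled safely further down cannot be confirmed from here; the two bounds should be chosen together. A short comment above the check, e.g. `/* size field presumably counts the 8-byte type+size header; reject anything smaller */`, would record why 8 is subtracted.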
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 643ea7a5a0..d97e8ee918 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,14 +233,16 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
int cur_len = start_off + len_off - off;
int prev_len = out_len;
- void *newbuf;
+ void *newmem;
+
out_len += cur_len;
- if(FFMIN(cur_len, len - off)<0)
+
+ if (FFMIN(cur_len, len - off) < 0)
return -1;
- newbuf = av_realloc(asf->buf, out_len);
- if(!newbuf)
+ newmem = av_realloc(asf->buf, out_len);
+ if (!newmem)
return -1;
- asf->buf= newbuf;
+ asf->buf = newmem;
memcpy(asf->buf + prev_len, buf + off,
FFMIN(cur_len, len - off));
avio_skip(pb, cur_len);
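Review bot: The buffer is grown by the full `cur_len` (`out_len += cur_len` then `av_realloc(asf->buf, out_len)`), but the `memcpy` copies only `FFMIN(cur_len, len - off)` bytes, so when the packet holds less data than the declared length the tail of `asf->buf` is left as uninitialised heap memory. How that buffer is consumed is outside the hunk, but if it is later parsed as ASF data those bytes should be either zeroed or excluded from `out_len`. The sign check also runs after `out_len` has already been modified and evaluates the same `FFMIN` twice; computing it once up front, `int copy_len = FFMIN(cur_len, len - off);` followed by `if (copy_len < 0) return -1;` before `out_len += cur_len;`, makes the validation order obvious. The visible change in this hunk is only the `newbuf` to `newmem` rename and spacing, so these points concern code the merge carries through unchanged; the enclosing loop starts and ends outside the hunk.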