From d55f7a174d49c0b2e87254c075013a7008ddf798 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 16:49:43 +0200 Subject: [PATCH 01/15] indeo: Do not reference mismatched tiles Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f9e5261cab067be7278f73d515bc9b601eb56202) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 80d35725be..36293a12cb 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -343,6 +343,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile, tile->ref_mbs = 0; if (p || b) { + if (tile->num_MBs != ref_tile->num_MBs) + return AVERROR_INVALIDDATA; tile->ref_mbs = ref_tile->mbs; ref_tile++; } From 505415b98599777f8951d3d86821f542e661e581 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 18:16:56 +0200 Subject: [PATCH 02/15] indeo: Reject impossible FRAMETYPE_NULL A frame marked FRAMETYPE_NULL cannot be scalable and requires a previous frame successfully decoded. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5b2a29552ca09edd4646b6aa1828b32912b7ab36) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 36293a12cb..2a737547a5 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -953,6 +953,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } } + } else { + if (ctx->is_scalable) + return AVERROR_INVALIDDATA; + + for (p = 0; p < 3; p++) { + if (!ctx->planes[p].bands[0].buf) + return AVERROR_INVALIDDATA; + } } //STOP_TIMER("decode_planes"); } From 9680f84a31fa97272777e43a9234eb20d6da5930 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 11:28:46 +0300 Subject: [PATCH 03/15] ac3dec: Don't consume more data than the actual input packet size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was handled properly in the normal return case at the end of the function, but not in this special case. Returning a value larger than the input packet size can cause problems for certain library users. Returning the actual input buffer size unconditionally, since it is not guaranteed that frame_size is set to a sensible value at this point. Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8f24c12be7a3b3ea105e67bba9a867fe210a2333) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 6fb7b0b3ab..4f32c2d166 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1308,7 +1308,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; - return s->frame_size; + return buf_size; } else { av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } From 256d61538336973c91c0c0c11c16b30522e12e00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 15:59:50 +0300 Subject: [PATCH 04/15] mov: Seek back if overreading an individual atom MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5b4eb243bce10a3e8345401a353749e0414c54ca) Signed-off-by: Luca Barbato --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7fe0548daa..52b73a98e8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2601,6 +2601,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) left = a.size - avio_tell(pb) + start_pos; if (left > 0) /* skip garbage at atom end */ avio_skip(pb, left); + else if (left < 0) { + av_log(c->fc, AV_LOG_WARNING, + "overread end of atom '%.4s' by %"PRId64" bytes\n", + (char*)&a.type, -left); + avio_seek(pb, left, SEEK_CUR); + } } total_size += a.size; From 7e9debb083d95db6601224ac13a4e7419528d03b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 17:13:54 +0300 Subject: [PATCH 05/15] mov: Do not allow updating the time scale after it has been set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The time scale is set in mdhd, and later validated in the enclosing trak atom once all of its children have been parsed. A loose mdhd atom outside of a trak atom could update the time scale of the last stream without any validation. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 31931520df35a6f9606fe8293c8a39e2d1fabedf) Signed-off-by: Luca Barbato --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 52b73a98e8..f6529340a3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -716,6 +716,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + if (sc->time_scale) { + av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n"); + return AVERROR_INVALIDDATA; + } + version = avio_r8(pb); if (version > 1) { av_log_ask_for_sample(c->fc, "unsupported version %d\n", version); From dc556d8bf71d7cf463fb14234707e827f790818c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 16:44:20 +0300 Subject: [PATCH 06/15] lavf: Make sure avg_frame_rate can be calculated without integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If either of the deltas is too large for the multiplications to succeed, don't use this for setting the avg frame rate. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e740929a071ab032ffa382e89da69c6ec7cf882c) Signed-off-by: Luca Barbato --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 085ae835ab..e1511ee215 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2493,6 +2493,9 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) int best_fps = 0; double best_error = 0.01; + if (delta_dts >= INT64_MAX / st->time_base.num || + delta_packets >= INT64_MAX / st->time_base.den) + continue; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, delta_packets*(int64_t)st->time_base.den, delta_dts*(int64_t)st->time_base.num, 60000); From 47cb05d78340dcbd7ae571b53ab646583716cd16 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:05:44 +0200 Subject: [PATCH 07/15] dsicinav: K&R formatting cosmetics (cherry picked from commit fcae3ff124ee97c9265e3b93f3d41238b2aee9bd) Signed-off-by: Luca Barbato Conflicts: libavcodec/dsicinav.c --- libavcodec/dsicinav.c | 113 +++++++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 51 deletions(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 39b6a4cabb..df81c58c8e 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -109,27 +109,30 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx) return 0; } -static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size) +static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, + int size) { while (size--) *dst++ += *src++; } -static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_huffman(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int b, huff_code = 0; unsigned char huff_code_table[15]; - unsigned char *dst_cur = dst; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_cur = dst; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; - memcpy(huff_code_table, src, 15); src += 15; + memcpy(huff_code_table, src, 15); + src += 15; while (src < src_end) { huff_code = *src++; if ((huff_code >> 4) == 15) { - b = huff_code << 4; - huff_code = *src++; + b = huff_code << 4; + huff_code = *src++; *dst_cur++ = b | (huff_code >> 4); } else *dst_cur++ = huff_code_table[huff_code >> 4]; @@ -148,11 +151,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c return dst_cur - dst; } -static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_lzss(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { uint16_t cmd; int i, sz, offset, code; - unsigned char *dst_end = dst + dst_size, *dst_start = dst; + unsigned char *dst_end = dst + dst_size, *dst_start = dst; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -161,13 +165,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char if (code & (1 << i)) { *dst++ = *src++; } else { - cmd = AV_RL16(src); src += 2; + cmd = AV_RL16(src); + src += 2; offset = cmd >> 4; - if ((int) (dst - dst_start) < offset + 1) + if ((int)(dst - dst_start) < offset + 1) return AVERROR_INVALIDDATA; sz = (cmd & 0xF) + 2; - /* don't use memcpy/memmove here as the decoding routine (ab)uses */ - /* buffer overlappings to repeat bytes in the destination */ + /* don't use memcpy/memmove here as the decoding routine + * (ab)uses buffer overlappings to repeat bytes in the + * destination */ sz = FFMIN(sz, dst_end - dst); while (sz--) { *dst = *(dst - offset - 1); @@ -180,10 +186,11 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char return 0; } -static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static void cin_decode_rle(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int len, code; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -204,15 +211,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + const uint8_t *buf = avpkt->data; + int buf_size = avpkt->size; CinVideoContext *cin = avctx->priv_data; - int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; + int i, y, palette_type, palette_colors_count, + bitmap_frame_type, bitmap_frame_size, res = 0; - palette_type = buf[0]; - palette_colors_count = AV_RL16(buf+1); - bitmap_frame_type = buf[3]; - buf += 4; + palette_type = buf[0]; + palette_colors_count = AV_RL16(buf + 1); + bitmap_frame_type = buf[3]; + buf += 4; bitmap_frame_size = buf_size - 4; @@ -223,46 +231,48 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (palette_colors_count > 256) return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { - cin->palette[i] = bytestream_get_le24(&buf); + cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; } } else { for (i = 0; i < palette_colors_count; ++i) { - cin->palette[buf[0]] = AV_RL24(buf+1); - buf += 4; - bitmap_frame_size -= 4; + cin->palette[buf[0]] = AV_RL24(buf + 1); + buf += 4; + bitmap_frame_size -= 4; } } - /* note: the decoding routines below assumes that surface.width = surface.pitch */ + /* note: the decoding routines below assumes that + * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 34: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], + cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 37: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 38: res = cin_decode_lzss(buf, bitmap_frame_size, @@ -278,24 +288,26 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (res < 0) return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; } cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; - if (avctx->reget_buffer(avctx, &cin->frame)) { - av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); - return -1; + if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) { + av_log(cin->avctx, AV_LOG_ERROR, + "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); + return res; } memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); cin->frame.palette_has_changed = 1; for (y = 0; y < cin->avctx->height; ++y) memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], - cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, - cin->avctx->width); + cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, + cin->avctx->width); - FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]); + FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_table[CIN_PRE_BMP]); *got_frame = 1; *(AVFrame *)data = cin->frame; @@ -336,8 +348,8 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx) static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - CinAudioContext *cin = avctx->priv_data; + const uint8_t *buf = avpkt->data; + CinAudioContext *cin = avctx->priv_data; const uint8_t *buf_end = buf + avpkt->size; int16_t *samples; int delta, ret; @@ -353,13 +365,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, delta = cin->delta; if (cin->initial_decode_frame) { cin->initial_decode_frame = 0; - delta = sign_extend(AV_RL16(buf), 16); - buf += 2; - *samples++ = delta; + delta = sign_extend(AV_RL16(buf), 16); + buf += 2; + *samples++ = delta; } while (buf < buf_end) { - delta += cinaudio_delta16_table[*buf++]; - delta = av_clip_int16(delta); + delta += cinaudio_delta16_table[*buf++]; + delta = av_clip_int16(delta); *samples++ = delta; } cin->delta = delta; @@ -370,7 +382,6 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, return avpkt->size; } - AVCodec ff_dsicinvideo_decoder = { .name = "dsicinvideo", .type = AVMEDIA_TYPE_VIDEO, From 95275723aee38ee841706e667d09ca9f325e634b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:09:40 +0200 Subject: [PATCH 08/15] dsicinav: Bound-check the source buffer when needed Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dd0bfc3a6a310e3e3674ce7742672d689a9a0e93) Signed-off-by: Luca Barbato --- libavcodec/dsicinav.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index df81c58c8e..7f5c1daa23 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -196,11 +196,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, while (src < src_end && dst < dst_end) { code = *src++; if (code & 0x80) { + if (src >= src_end) + break; len = code - 0x7F; memset(dst, *src++, FFMIN(len, dst_end - dst)); } else { len = code + 1; - memcpy(dst, src, FFMIN(len, dst_end - dst)); + memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src)); src += len; } dst += len; From 068bc633f2999d81c87177acc637e11726e31926 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:34:21 +0200 Subject: [PATCH 09/15] dsicinav: Clip the source size to the expected maximum A packet larger than cin->bitmap_size does not make sense. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd8189932147a524fe43532b46baa35e8be92a1b) Signed-off-by: Luca Barbato --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 7f5c1daa23..772fb8d51c 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -244,6 +244,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, } } + bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size); + /* note: the decoding routines below assumes that * surface.width = surface.pitch */ switch (bitmap_frame_type) { From dcbfba3bb60df59668ed14397b7c8780b77a6d90 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 23:02:25 +0200 Subject: [PATCH 10/15] alsdec: Fix the clipping range mcc_weightings is only 32 elements. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 70ecc175c7b513a153ac87d1c5d219556ca55070) Signed-off-by: Luca Barbato --- libavcodec/alsdec.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index ff2a735bdf..c71b0ddafd 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1156,6 +1156,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, return 0; } +static inline int als_weighting(GetBitContext *gb, int k, int off) +{ + int idx = av_clip(decode_rice(gb, k) + off, + 0, FF_ARRAY_ELEMS(mcc_weightings) - 1); + return mcc_weightings[idx]; +} /** Read the channel data. */ @@ -1176,14 +1182,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel != c) { current->time_diff_flag = get_bits1(gb); - current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 32)]; - current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[0] = als_weighting(gb, 1, 16); + current->weighting[1] = als_weighting(gb, 2, 14); + current->weighting[2] = als_weighting(gb, 1, 16); if (current->time_diff_flag) { - current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[3] = als_weighting(gb, 1, 16); + current->weighting[4] = als_weighting(gb, 1, 16); + current->weighting[5] = als_weighting(gb, 1, 16); current->time_diff_sign = get_bits1(gb); current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; From a5bdec1c75bab2c35b03d46b4b15ea00d3172e3c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 23:38:02 +0200 Subject: [PATCH 11/15] alsdec: Clean up error paths Fix at least a memory leak. CC: libav-stable@libav.org (cherry picked from commit ca488ad480360dfafcb5766f7bfbb567a0638979) Signed-off-by: Luca Barbato --- libavcodec/alsdec.c | 138 ++++++++++++++++++++++++-------------------- 1 file changed, 75 insertions(+), 63 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c71b0ddafd..f1d01a2569 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -295,12 +295,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx) avctx->extradata_size * 8, 1); if (config_offset < 0) - return -1; + return AVERROR_INVALIDDATA; skip_bits_long(&gb, config_offset); if (get_bits_left(&gb) < (30 << 3)) - return -1; + return AVERROR_INVALIDDATA; // read the fixed items als_id = get_bits_long(&gb, 32); @@ -335,7 +335,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // check for ALSSpecificConfig struct if (als_id != MKBETAG('A','L','S','\0')) - return -1; + return AVERROR_INVALIDDATA; ctx->cur_frame_length = sconf->frame_length; @@ -350,7 +350,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) int chan_pos_bits = av_ceil_log2(avctx->channels); int bits_needed = avctx->channels * chan_pos_bits + 7; if (get_bits_left(&gb) < bits_needed) - return -1; + return AVERROR_INVALIDDATA; if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos)))) return AVERROR(ENOMEM); @@ -368,7 +368,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // read fixed header and trailer sizes, // if size = 0xFFFFFFFF then there is no data field! if (get_bits_left(&gb) < 64) - return -1; + return AVERROR_INVALIDDATA; header_size = get_bits_long(&gb, 32); trailer_size = get_bits_long(&gb, 32); @@ -382,10 +382,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // skip the header and trailer data if (get_bits_left(&gb) < ht_size) - return -1; + return AVERROR_INVALIDDATA; if (ht_size > INT32_MAX) - return -1; + return AVERROR_PATCHWELCOME; skip_bits_long(&gb, ht_size); @@ -393,7 +393,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // initialize CRC calculation if (sconf->crc_enabled) { if (get_bits_left(&gb) < 32) - return -1; + return AVERROR_INVALIDDATA; if (avctx->err_recognition & AV_EF_CRCCHECK) { ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); @@ -633,7 +633,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (bd->block_length & (sub_blocks - 1)) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); - return -1; + return AVERROR_INVALIDDATA; } sb_length = bd->block_length >> log2_sub_blocks; @@ -964,18 +964,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) */ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) { + int ret = 0; GetBitContext *gb = &ctx->gb; *bd->shift_lsbs = 0; // read block type flag and read the samples accordingly if (get_bits1(gb)) { - if (read_var_block_data(ctx, bd)) - return -1; + ret = read_var_block_data(ctx, bd); } else { read_const_block_data(ctx, bd); } - return 0; + return ret; } @@ -984,12 +984,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) { unsigned int smp; + int ret = 0; // read block type flag and read the samples accordingly if (*bd->const_block) decode_const_block_data(ctx, bd); - else if (decode_var_block_data(ctx, bd)) - return -1; + else + ret = decode_var_block_data(ctx, bd); // always return 0 + + if (ret < 0) + return ret; // TODO: read RLSLMS extension data @@ -1007,14 +1011,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd) { int ret; - ret = read_block(ctx, bd); - - if (ret) + if ((ret = read_block(ctx, bd)) < 0) return ret; - ret = decode_block(ctx, bd); - - return ret; + return decode_block(ctx, bd); } @@ -1040,6 +1040,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, unsigned int c, const unsigned int *div_blocks, unsigned int *js_blocks) { + int ret; unsigned int b; ALSBlockData bd = { 0 }; @@ -1060,10 +1061,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; - if (read_decode_block(ctx, &bd)) { + if ((ret = read_decode_block(ctx, &bd)) < 0) { // damaged block, write zero for the rest of the frame zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples); - return -1; + return ret; } bd.raw_samples += div_blocks[b]; bd.ra_block = 0; @@ -1082,6 +1083,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, ALSSpecificConfig *sconf = &ctx->sconf; unsigned int offset = 0; unsigned int b; + int ret; ALSBlockData bd[2] = { { 0 } }; bd[0].ra_block = ra_frame; @@ -1123,12 +1125,9 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, bd[0].raw_other = bd[1].raw_samples; bd[1].raw_other = bd[0].raw_samples; - if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) { - // damaged block, write zero for the rest of the frame - zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); - zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); - return -1; - } + if ((ret = read_decode_block(ctx, &bd[0])) < 0 || + (ret = read_decode_block(ctx, &bd[1])) < 0) + goto fail; // reconstruct joint-stereo blocks if (bd[0].js_blocks) { @@ -1154,6 +1153,11 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, sizeof(*ctx->raw_samples[c]) * sconf->max_order); return 0; +fail: + // damaged block, write zero for the rest of the frame + zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); + zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); + return ret; } static inline int als_weighting(GetBitContext *gb, int k, int off) @@ -1177,7 +1181,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel >= channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n"); - return -1; + return AVERROR_INVALIDDATA; } if (current->master_channel != c) { @@ -1202,7 +1206,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (entries == channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } align_get_bits(gb); @@ -1234,7 +1238,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (dep == channels) { av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n"); - return -1; + return AVERROR_INVALIDDATA; } bd->const_block = ctx->const_block + c; @@ -1305,8 +1309,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) unsigned int div_blocks[32]; ///< block sizes. unsigned int c; unsigned int js_blocks[2]; - uint32_t bs_info = 0; + int ret; // skip the size of the ra unit if present in the frame if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame) @@ -1337,13 +1341,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) independent_bs = 1; if (independent_bs) { - if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; - + ret = decode_blocks_ind(ctx, ra_frame, c, + div_blocks, js_blocks); + if (ret < 0) + return ret; independent_bs--; } else { - if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; + ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks); + if (ret < 0) + return ret; c++; } @@ -1362,7 +1368,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (c = 0; c < avctx->channels; c++) if (ctx->chan_data[c] < ctx->chan_data_buffer) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels); @@ -1394,11 +1400,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) return ret; } - for (c = 0; c < avctx->channels; c++) - if (revert_channel_correlation(ctx, &bd, ctx->chan_data, - reverted_channels, offset, c)) - return -1; - + for (c = 0; c < avctx->channels; c++) { + ret = revert_channel_correlation(ctx, &bd, ctx->chan_data, + reverted_channels, offset, c); + if (ret < 0) + return ret; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; bd.shift_lsbs = ctx->shift_lsbs + c; @@ -1596,30 +1603,30 @@ static av_cold int decode_init(AVCodecContext *avctx) { unsigned int c; unsigned int channel_size; - int num_buffers; + int num_buffers, ret; ALSDecContext *ctx = avctx->priv_data; ALSSpecificConfig *sconf = &ctx->sconf; ctx->avctx = avctx; if (!avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n"); - return -1; + return AVERROR_INVALIDDATA; } - if (read_specific_config(ctx)) { + if ((ret = read_specific_config(ctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n"); - decode_end(avctx); - return -1; + goto fail; } - if (check_specific_config(ctx)) { - decode_end(avctx); - return -1; + if ((ret = check_specific_config(ctx)) < 0) { + goto fail; } - if (sconf->bgmc) - ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); - + if (sconf->bgmc) { + ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (ret < 0) + goto fail; + } if (sconf->floating) { avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->bits_per_raw_sample = 32; @@ -1654,7 +1661,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->quant_cof_buffer || !ctx->lpc_cof_buffer || !ctx->lpc_cof_reversed_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign quantized parcor coefficient buffers @@ -1679,8 +1687,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->use_ltp || !ctx->ltp_lag || !ctx->ltp_gain || !ctx->ltp_gain_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1697,8 +1705,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1718,8 +1726,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate previous raw sample buffer if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign raw samples buffers @@ -1736,8 +1744,8 @@ static av_cold int decode_init(AVCodecContext *avctx) av_get_bytes_per_sample(avctx->sample_fmt)); if (!ctx->crc_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } } @@ -1747,6 +1755,10 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->coded_frame = &ctx->frame; return 0; + +fail: + decode_end(avctx); + return ret; } From f8602ef7176d45521ea82176c9342e9298e119a8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Jul 2013 12:44:19 +0200 Subject: [PATCH 12/15] 4xm: Reject not a multiple of 16 dimension Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2f034f255c49050e894ab9b88087c09ebe249f3f) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 99e0e2e4da..cc0361dd2e 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -810,6 +810,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, if (buf_size < 20) return AVERROR_INVALIDDATA; + if (avctx->width % 16 || avctx->height % 16) { + av_log(avctx, AV_LOG_ERROR, + "Dimensions non-multiple of 16 are invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); From e6cf47ee9e36f249f63e7dee5f99ad8b5386eaa4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Jul 2013 23:26:05 +0200 Subject: [PATCH 13/15] 8bps: Bound-check the input buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd7b4da0f4627bb6c4a7c2575da83fe6b261a21c) Signed-off-by: Luca Barbato Conflicts: libavcodec/8bps.c --- libavcodec/8bps.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 8f0692c4ba..3d81810fe4 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; - const unsigned char *lp, *dp; + const unsigned char *lp, *dp, *ep; unsigned char count; unsigned int px_inc; unsigned int planes = c->planes; @@ -80,6 +80,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, return -1; } + ep = encoded + buf_size; + /* Set data pointer after line lengths */ dp = encoded + planes * (height << 1); @@ -97,17 +99,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, for (row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; pixptr_end = pixptr + c->pic.linesize[0]; + if (ep - lp < row * 2 + 2) + return AVERROR_INVALIDDATA; dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2)); /* Decode a row of this plane */ while (dlen > 0) { - if (dp + 1 >= buf + buf_size) + if (ep - dp <= 1) return -1; if ((count = *dp++) <= 127) { count++; dlen -= count + 1; if (pixptr + count * px_inc > pixptr_end) break; - if (dp + count > buf + buf_size) + if (ep - dp < count) return -1; while (count--) { *pixptr = *dp++; From 116aa30db4ae28f0b67cb2861ea534bfb840f3bc Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 28 Jul 2013 18:24:15 +0200 Subject: [PATCH 14/15] xl: Make sure the width is valid CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/xl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/xl.c b/libavcodec/xl.c index 1cadeab561..240339ea8b 100644 --- a/libavcodec/xl.c +++ b/libavcodec/xl.c @@ -71,6 +71,11 @@ static int decode_frame(AVCodecContext *avctx, stride = avctx->width - 4; + if (avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < avctx->width * avctx->height) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); return AVERROR_INVALIDDATA; From 0b6adcf76bda8994902f5b6d8e694b0b916ea210 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 4 May 2013 07:40:09 +0200 Subject: [PATCH 15/15] oma: refactor seek function Properly propagate seek errors from avio and the generic pcm seek. (cherry picked from commit 4f03a77e52596cbe9ec179666ddb3e0345a8133a) Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index cd255c1704..db599f5dbd 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -427,23 +427,26 @@ static int oma_read_probe(AVProbeData *p) static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { OMAContext *oc = s->priv_data; + int err = ff_pcm_read_seek(s, stream_index, timestamp, flags); - ff_pcm_read_seek(s, stream_index, timestamp, flags); + if (!oc->encrypted) + return err; - if (oc->encrypted) { - /* readjust IV for CBC */ - int64_t pos = avio_tell(s->pb); - if (pos < oc->content_start) - memset(oc->iv, 0, 8); - else { - if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) { - memset(oc->iv, 0, 8); - return -1; - } - } + /* readjust IV for CBC */ + if (err || avio_tell(s->pb) < oc->content_start) + goto wipe; + if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0) + goto wipe; + if ((err = avio_read(s->pb, oc->iv, 8)) < 8) { + if (err >= 0) + err = AVERROR_EOF; + goto wipe; } return 0; +wipe: + memset(oc->iv, 0, 8); + return err; } AVInputFormat ff_oma_demuxer = {