generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210' into release/1.1

Browse Source 
* commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210':
  oma: refactor seek function
  xl: Make sure the width is valid
  8bps: Bound-check the input buffer
  4xm: Reject not a multiple of 16 dimension
  alsdec: Clean up error paths
  alsdec: Fix the clipping range
  dsicinav: Clip the source size to the expected maximum
  dsicinav: Bound-check the source buffer when needed
  dsicinav: K&R formatting cosmetics
  lavf: Make sure avg_frame_rate can be calculated without integer overflow
  mov: Do not allow updating the time scale after it has been set
  mov: Seek back if overreading an individual atom
  ac3dec: Don't consume more data than the actual input packet size
  indeo: Reject impossible FRAMETYPE_NULL
  indeo: Do not reference mismatched tiles

Conflicts:
	libavcodec/4xm.c
	libavcodec/8bps.c
	libavcodec/alsdec.c
	libavcodec/dsicinav.c
	libavcodec/ivi_common.c
	libavcodec/xl.c
	libavformat/mov.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2013-08-27 18:20:09 +02:00
parent fd85d03162 0b6adcf76b
commit 0930a562e7
8 changed files with 190 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/8bps.c
View File

@@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
unsigned char *pixptr, *pixptr_end; unsigned char *pixptr, *pixptr_end;
unsigned int height = avctx->height; // Real image height unsigned int height = avctx->height; // Real image height
unsigned int dlen, p, row; unsigned int dlen, p, row;
const unsigned char *lp, *dp; const unsigned char *lp, *dp, *ep;
unsigned char count; unsigned char count;
unsigned int planes = c->planes; unsigned int planes = c->planes;
unsigned char *planemap = c->planemap; unsigned char *planemap = c->planemap;
@@ -79,6 +79,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
return -1; return -1;
} }
ep = encoded + buf_size;
/* Set data pointer after line lengths */ /* Set data pointer after line lengths */
dp = encoded + planes * (height << 1); dp = encoded + planes * (height << 1);
@@ -90,19 +92,19 @@ static int decode_frame(AVCodecContext *avctx, void *data,
for (row = 0; row < height; row++) { for (row = 0; row < height; row++) {
pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
pixptr_end = pixptr + c->pic.linesize[0]; pixptr_end = pixptr + c->pic.linesize[0];
if(lp - encoded + row*2 + 1 >= buf_size) if (ep - lp < row * 2 + 2)
return -1; return AVERROR_INVALIDDATA;
dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2)); dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2));
/* Decode a row of this plane */ /* Decode a row of this plane */
while (dlen > 0) { while (dlen > 0) {
if (dp + 1 >= buf + buf_size) if (ep - dp <= 1)
return -1; return -1;
if ((count = *dp++) <= 127) { if ((count = *dp++) <= 127) {
count++; count++;
dlen -= count + 1; dlen -= count + 1;
if (pixptr + count * planes > pixptr_end) if (pixptr + count * planes > pixptr_end)
break; break;
if (dp + count > buf + buf_size) if (ep - dp < count)
return -1; return -1;
while (count--) { while (count--) {
*pixptr = *dp++; *pixptr = *dp++;

2
libavcodec/ac3dec.c
View File

@@ -1308,7 +1308,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
"skipping frame\n"); "skipping frame\n");
*got_frame_ptr = 0; *got_frame_ptr = 0;
return s->frame_size; return buf_size;
} else { } else {
av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
} }

155
libavcodec/alsdec.c
View File

@@ -296,12 +296,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
avctx->extradata_size * 8, 1); avctx->extradata_size * 8, 1);
if (config_offset < 0) if (config_offset < 0)
return -1; return AVERROR_INVALIDDATA;
skip_bits_long(&gb, config_offset); skip_bits_long(&gb, config_offset);
if (get_bits_left(&gb) < (30 << 3)) if (get_bits_left(&gb) < (30 << 3))
return -1; return AVERROR_INVALIDDATA;
// read the fixed items // read the fixed items
als_id = get_bits_long(&gb, 32); als_id = get_bits_long(&gb, 32);
@@ -336,7 +336,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// check for ALSSpecificConfig struct // check for ALSSpecificConfig struct
if (als_id != MKBETAG('A','L','S','\0')) if (als_id != MKBETAG('A','L','S','\0'))
return -1; return AVERROR_INVALIDDATA;
ctx->cur_frame_length = sconf->frame_length; ctx->cur_frame_length = sconf->frame_length;
@@ -351,7 +351,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
int chan_pos_bits = av_ceil_log2(avctx->channels); int chan_pos_bits = av_ceil_log2(avctx->channels);
int bits_needed = avctx->channels * chan_pos_bits + 7; int bits_needed = avctx->channels * chan_pos_bits + 7;
if (get_bits_left(&gb) < bits_needed) if (get_bits_left(&gb) < bits_needed)
return -1; return AVERROR_INVALIDDATA;
if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos)))) if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos))))
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
@@ -377,7 +377,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// read fixed header and trailer sizes, // read fixed header and trailer sizes,
// if size = 0xFFFFFFFF then there is no data field! // if size = 0xFFFFFFFF then there is no data field!
if (get_bits_left(&gb) < 64) if (get_bits_left(&gb) < 64)
return -1; return AVERROR_INVALIDDATA;
header_size = get_bits_long(&gb, 32); header_size = get_bits_long(&gb, 32);
trailer_size = get_bits_long(&gb, 32); trailer_size = get_bits_long(&gb, 32);
@@ -391,10 +391,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// skip the header and trailer data // skip the header and trailer data
if (get_bits_left(&gb) < ht_size) if (get_bits_left(&gb) < ht_size)
return -1; return AVERROR_INVALIDDATA;
if (ht_size > INT32_MAX) if (ht_size > INT32_MAX)
return -1; return AVERROR_PATCHWELCOME;
skip_bits_long(&gb, ht_size); skip_bits_long(&gb, ht_size);
@@ -402,7 +402,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// initialize CRC calculation // initialize CRC calculation
if (sconf->crc_enabled) { if (sconf->crc_enabled) {
if (get_bits_left(&gb) < 32) if (get_bits_left(&gb) < 32)
return -1; return AVERROR_INVALIDDATA;
if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) { if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) {
ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
@@ -646,7 +646,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
if (bd->block_length & (sub_blocks - 1)) { if (bd->block_length & (sub_blocks - 1)) {
av_log(avctx, AV_LOG_WARNING, av_log(avctx, AV_LOG_WARNING,
"Block length is not evenly divisible by the number of subblocks.\n"); "Block length is not evenly divisible by the number of subblocks.\n");
return -1; return AVERROR_INVALIDDATA;
} }
sb_length = bd->block_length >> log2_sub_blocks; sb_length = bd->block_length >> log2_sub_blocks;
@@ -983,14 +983,13 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
*bd->shift_lsbs = 0; *bd->shift_lsbs = 0;
// read block type flag and read the samples accordingly // read block type flag and read the samples accordingly
if (get_bits1(gb)) { if (get_bits1(gb)) {
if ((ret = read_var_block_data(ctx, bd)) < 0) ret = read_var_block_data(ctx, bd);
return ret;
} else { } else {
if ((ret = read_const_block_data(ctx, bd)) < 0) if ((ret = read_const_block_data(ctx, bd)) < 0)
return ret; return ret;
} }
return 0; return ret;
} }
@@ -999,12 +998,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)
{ {
unsigned int smp; unsigned int smp;
int ret = 0;
// read block type flag and read the samples accordingly // read block type flag and read the samples accordingly
if (*bd->const_block) if (*bd->const_block)
decode_const_block_data(ctx, bd); decode_const_block_data(ctx, bd);
else if (decode_var_block_data(ctx, bd)) else
return -1; ret = decode_var_block_data(ctx, bd); // always return 0
if (ret < 0)
return ret;
// TODO: read RLSLMS extension data // TODO: read RLSLMS extension data
@@ -1022,14 +1025,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd)
{ {
int ret; int ret;
ret = read_block(ctx, bd); if ((ret = read_block(ctx, bd)) < 0)
if (ret)
return ret; return ret;
ret = decode_block(ctx, bd); return decode_block(ctx, bd);
return ret;
} }
@@ -1055,6 +1054,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
unsigned int c, const unsigned int *div_blocks, unsigned int c, const unsigned int *div_blocks,
unsigned int *js_blocks) unsigned int *js_blocks)
{ {
int ret;
unsigned int b; unsigned int b;
ALSBlockData bd = { 0 }; ALSBlockData bd = { 0 };
@@ -1075,10 +1075,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
for (b = 0; b < ctx->num_blocks; b++) { for (b = 0; b < ctx->num_blocks; b++) {
bd.block_length = div_blocks[b]; bd.block_length = div_blocks[b];
if (read_decode_block(ctx, &bd)) { if ((ret = read_decode_block(ctx, &bd)) < 0) {
// damaged block, write zero for the rest of the frame // damaged block, write zero for the rest of the frame
zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples); zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples);
return -1; return ret;
} }
bd.raw_samples += div_blocks[b]; bd.raw_samples += div_blocks[b];
bd.ra_block = 0; bd.ra_block = 0;
@@ -1097,6 +1097,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
ALSSpecificConfig *sconf = &ctx->sconf; ALSSpecificConfig *sconf = &ctx->sconf;
unsigned int offset = 0; unsigned int offset = 0;
unsigned int b; unsigned int b;
int ret;
ALSBlockData bd[2] = { { 0 } }; ALSBlockData bd[2] = { { 0 } };
bd[0].ra_block = ra_frame; bd[0].ra_block = ra_frame;
@@ -1138,12 +1139,9 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
bd[0].raw_other = bd[1].raw_samples; bd[0].raw_other = bd[1].raw_samples;
bd[1].raw_other = bd[0].raw_samples; bd[1].raw_other = bd[0].raw_samples;
if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) { if ((ret = read_decode_block(ctx, &bd[0])) < 0 ||
// damaged block, write zero for the rest of the frame (ret = read_decode_block(ctx, &bd[1])) < 0)
zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); goto fail;
zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
return -1;
}
// reconstruct joint-stereo blocks // reconstruct joint-stereo blocks
if (bd[0].js_blocks) { if (bd[0].js_blocks) {
@@ -1169,8 +1167,19 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
sizeof(*ctx->raw_samples[c]) * sconf->max_order); sizeof(*ctx->raw_samples[c]) * sconf->max_order);
return 0; return 0;
fail:
// damaged block, write zero for the rest of the frame
zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
return ret;
} }
static inline int als_weighting(GetBitContext *gb, int k, int off)
{
int idx = av_clip(decode_rice(gb, k) + off,
0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
return mcc_weightings[idx];
}
/** Read the channel data. /** Read the channel data.
*/ */
@@ -1186,19 +1195,19 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
if (current->master_channel >= channels) { if (current->master_channel >= channels) {
av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel.\n"); av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel.\n");
return -1; return AVERROR_INVALIDDATA;
} }
if (current->master_channel != c) { if (current->master_channel != c) {
current->time_diff_flag = get_bits1(gb); current->time_diff_flag = get_bits1(gb);
current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; current->weighting[0] = als_weighting(gb, 1, 16);
current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)]; current->weighting[1] = als_weighting(gb, 2, 14);
current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; current->weighting[2] = als_weighting(gb, 1, 16);
if (current->time_diff_flag) { if (current->time_diff_flag) {
current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; current->weighting[3] = als_weighting(gb, 1, 16);
current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; current->weighting[4] = als_weighting(gb, 1, 16);
current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; current->weighting[5] = als_weighting(gb, 1, 16);
current->time_diff_sign = get_bits1(gb); current->time_diff_sign = get_bits1(gb);
current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
@@ -1211,7 +1220,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
if (entries == channels) { if (entries == channels) {
av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data.\n"); av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data.\n");
return -1; return AVERROR_INVALIDDATA;
} }
align_get_bits(gb); align_get_bits(gb);
@@ -1243,7 +1252,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
if (dep == channels) { if (dep == channels) {
av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation.\n"); av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation.\n");
return -1; return AVERROR_INVALIDDATA;
} }
bd->const_block = ctx->const_block + c; bd->const_block = ctx->const_block + c;
@@ -1314,8 +1323,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
unsigned int div_blocks[32]; ///< block sizes. unsigned int div_blocks[32]; ///< block sizes.
unsigned int c; unsigned int c;
unsigned int js_blocks[2]; unsigned int js_blocks[2];
uint32_t bs_info = 0; uint32_t bs_info = 0;
int ret;
// skip the size of the ra unit if present in the frame // skip the size of the ra unit if present in the frame
if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame) if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame)
@@ -1346,13 +1355,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
independent_bs = 1; independent_bs = 1;
if (independent_bs) { if (independent_bs) {
if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks)) ret = decode_blocks_ind(ctx, ra_frame, c,
return -1; div_blocks, js_blocks);
if (ret < 0)
return ret;
independent_bs--; independent_bs--;
} else { } else {
if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks)) ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks);
return -1; if (ret < 0)
return ret;
c++; c++;
} }
@@ -1371,7 +1382,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
for (c = 0; c < avctx->channels; c++) for (c = 0; c < avctx->channels; c++)
if (ctx->chan_data[c] < ctx->chan_data_buffer) { if (ctx->chan_data[c] < ctx->chan_data_buffer) {
av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data.\n"); av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data.\n");
return -1; return AVERROR_INVALIDDATA;
} }
memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels); memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels);
@@ -1403,11 +1414,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
return ret; return ret;
} }
for (c = 0; c < avctx->channels; c++) for (c = 0; c < avctx->channels; c++) {
if (revert_channel_correlation(ctx, &bd, ctx->chan_data, ret = revert_channel_correlation(ctx, &bd, ctx->chan_data,
reverted_channels, offset, c)) reverted_channels, offset, c);
return -1; if (ret < 0)
return ret;
}
for (c = 0; c < avctx->channels; c++) { for (c = 0; c < avctx->channels; c++) {
bd.const_block = ctx->const_block + c; bd.const_block = ctx->const_block + c;
bd.shift_lsbs = ctx->shift_lsbs + c; bd.shift_lsbs = ctx->shift_lsbs + c;
@@ -1612,30 +1624,30 @@ static av_cold int decode_init(AVCodecContext *avctx)
{ {
unsigned int c; unsigned int c;
unsigned int channel_size; unsigned int channel_size;
int num_buffers; int num_buffers, ret;
ALSDecContext *ctx = avctx->priv_data; ALSDecContext *ctx = avctx->priv_data;
ALSSpecificConfig *sconf = &ctx->sconf; ALSSpecificConfig *sconf = &ctx->sconf;
ctx->avctx = avctx; ctx->avctx = avctx;
if (!avctx->extradata) { if (!avctx->extradata) {
av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n"); av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n");
return -1; return AVERROR_INVALIDDATA;
} }
if (read_specific_config(ctx)) { if ((ret = read_specific_config(ctx)) < 0) {
av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n"); av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n");
decode_end(avctx); goto fail;
return -1;
} }
if (check_specific_config(ctx)) { if ((ret = check_specific_config(ctx)) < 0) {
decode_end(avctx); goto fail;
return -1;
} }
if (sconf->bgmc) if (sconf->bgmc) {
ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
if (ret < 0)
goto fail;
}
if (sconf->floating) { if (sconf->floating) {
avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
avctx->bits_per_raw_sample = 32; avctx->bits_per_raw_sample = 32;
@@ -1670,7 +1682,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
!ctx->quant_cof_buffer || !ctx->lpc_cof_buffer || !ctx->quant_cof_buffer || !ctx->lpc_cof_buffer ||
!ctx->lpc_cof_reversed_buffer) { !ctx->lpc_cof_reversed_buffer) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
return AVERROR(ENOMEM); ret = AVERROR(ENOMEM);
goto fail;
} }
// assign quantized parcor coefficient buffers // assign quantized parcor coefficient buffers
@@ -1695,8 +1708,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
!ctx->use_ltp || !ctx->ltp_lag || !ctx->use_ltp || !ctx->ltp_lag ||
!ctx->ltp_gain || !ctx->ltp_gain_buffer) { !ctx->ltp_gain || !ctx->ltp_gain_buffer) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx); ret = AVERROR(ENOMEM);
return AVERROR(ENOMEM); goto fail;
} }
for (c = 0; c < num_buffers; c++) for (c = 0; c < num_buffers; c++)
@@ -1713,8 +1726,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) { if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx); ret = AVERROR(ENOMEM);
return AVERROR(ENOMEM); goto fail;
} }
for (c = 0; c < num_buffers; c++) for (c = 0; c < num_buffers; c++)
@@ -1734,8 +1747,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
// allocate previous raw sample buffer // allocate previous raw sample buffer
if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) { if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx); ret = AVERROR(ENOMEM);
return AVERROR(ENOMEM); goto fail;
} }
// assign raw samples buffers // assign raw samples buffers
@@ -1752,8 +1765,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
av_get_bytes_per_sample(avctx->sample_fmt)); av_get_bytes_per_sample(avctx->sample_fmt));
if (!ctx->crc_buffer) { if (!ctx->crc_buffer) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx); ret = AVERROR(ENOMEM);
return AVERROR(ENOMEM); goto fail;
} }
} }
@@ -1763,6 +1776,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
avctx->coded_frame = &ctx->frame; avctx->coded_frame = &ctx->frame;
return 0; return 0;
fail:
decode_end(avctx);
return ret;
} }

42
libavcodec/dsicinav.c
View File

@@ -128,13 +128,15 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx)
return 0; return 0;
} }
static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size) static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst,
int size)
{ {
while (size--) while (size--)
*dst++ += *src++; *dst++ += *src++;
} }
static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) static int cin_decode_huffman(const unsigned char *src, int src_size,
unsigned char *dst, int dst_size)
{ {
int b, huff_code = 0; int b, huff_code = 0;
unsigned char huff_code_table[15]; unsigned char huff_code_table[15];
@@ -142,7 +144,8 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
unsigned char *dst_end = dst + dst_size; unsigned char *dst_end = dst + dst_size;
const unsigned char *src_end = src + src_size; const unsigned char *src_end = src + src_size;
memcpy(huff_code_table, src, 15); src += 15; memcpy(huff_code_table, src, 15);
src += 15;
while (src < src_end) { while (src < src_end) {
huff_code = *src++; huff_code = *src++;
@@ -167,7 +170,8 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
return dst_cur - dst; return dst_cur - dst;
} }
static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) static int cin_decode_lzss(const unsigned char *src, int src_size,
unsigned char *dst, int dst_size)
{ {
uint16_t cmd; uint16_t cmd;
int i, sz, offset, code; int i, sz, offset, code;
@@ -180,13 +184,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
if (code & (1 << i)) { if (code & (1 << i)) {
*dst++ = *src++; *dst++ = *src++;
} else { } else {
cmd = AV_RL16(src); src += 2; cmd = AV_RL16(src);
src += 2;
offset = cmd >> 4; offset = cmd >> 4;
if ((int)(dst - dst_start) < offset + 1) if ((int)(dst - dst_start) < offset + 1)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
sz = (cmd & 0xF) + 2; sz = (cmd & 0xF) + 2;
/* don't use memcpy/memmove here as the decoding routine (ab)uses */ /* don't use memcpy/memmove here as the decoding routine
/* buffer overlappings to repeat bytes in the destination */ * (ab)uses buffer overlappings to repeat bytes in the
* destination */
sz = FFMIN(sz, dst_end - dst); sz = FFMIN(sz, dst_end - dst);
while (sz--) { while (sz--) {
*dst = *(dst - offset - 1); *dst = *(dst - offset - 1);
@@ -199,7 +205,8 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
return 0; return 0;
} }
static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) static int cin_decode_rle(const unsigned char *src, int src_size,
unsigned char *dst, int dst_size)
{ {
int len, code; int len, code;
unsigned char *dst_end = dst + dst_size; unsigned char *dst_end = dst + dst_size;
@@ -216,7 +223,7 @@ static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char
av_log(NULL, AV_LOG_ERROR, "RLE overread\n"); av_log(NULL, AV_LOG_ERROR, "RLE overread\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
memcpy(dst, src, FFMIN(len, dst_end - dst)); memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
src += len; src += len;
} }
dst += len; dst += len;
@@ -231,7 +238,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size; int buf_size = avpkt->size;
CinVideoContext *cin = avctx->priv_data; CinVideoContext *cin = avctx->priv_data;
int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; int i, y, palette_type, palette_colors_count,
bitmap_frame_type, bitmap_frame_size, res = 0;
palette_type = buf[0]; palette_type = buf[0];
palette_colors_count = AV_RL16(buf + 1); palette_colors_count = AV_RL16(buf + 1);
@@ -258,7 +266,10 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
} }
} }
/* note: the decoding routines below assumes that surface.width = surface.pitch */ bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size);
/* note: the decoding routines below assumes that
* surface.width = surface.pitch */
switch (bitmap_frame_type) { switch (bitmap_frame_type) {
case 9: case 9:
cin_decode_rle(buf, bitmap_frame_size, cin_decode_rle(buf, bitmap_frame_size,
@@ -278,7 +289,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
break; break;
case 36: case 36:
bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); cin->bitmap_table[CIN_INT_BMP],
cin->bitmap_size);
cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
@@ -307,7 +319,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
} }
cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if ((res = avctx->reget_buffer(avctx, &cin->frame))) { if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) {
av_log(cin->avctx, AV_LOG_ERROR, "failed to allocate a frame\n"); av_log(cin->avctx, AV_LOG_ERROR, "failed to allocate a frame\n");
return res; return res;
} }
@@ -319,7 +331,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
cin->avctx->width); cin->avctx->width);
FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]); FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP],
cin->bitmap_table[CIN_PRE_BMP]);
*got_frame = 1; *got_frame = 1;
*(AVFrame *)data = cin->frame; *(AVFrame *)data = cin->frame;
@@ -392,7 +405,6 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
return avpkt->size; return avpkt->size;
} }
AVCodec ff_dsicinvideo_decoder = { AVCodec ff_dsicinvideo_decoder = {
.name = "dsicinvideo", .name = "dsicinvideo",
.type = AVMEDIA_TYPE_VIDEO, .type = AVMEDIA_TYPE_VIDEO,

10
libavcodec/ivi_common.c
View File

@@ -345,6 +345,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile,
tile->ref_mbs = 0; tile->ref_mbs = 0;
if (p || b) { if (p || b) {
if (tile->num_MBs != ref_tile->num_MBs)
return AVERROR_INVALIDDATA;
tile->ref_mbs = ref_tile->mbs; tile->ref_mbs = ref_tile->mbs;
ref_tile++; ref_tile++;
} }
@@ -984,6 +986,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
} }
} }
ctx->buf_invalid[ctx->dst_buf] = 0; ctx->buf_invalid[ctx->dst_buf] = 0;
} else {
if (ctx->is_scalable)
return AVERROR_INVALIDDATA;
for (p = 0; p < 3; p++) {
if (!ctx->planes[p].bands[0].buf)
return AVERROR_INVALIDDATA;
}
} }
if (ctx->buf_invalid[ctx->dst_buf]) if (ctx->buf_invalid[ctx->dst_buf])
return -1; return -1;

9
libavformat/mov.c
View File

@@ -833,6 +833,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = c->fc->streams[c->fc->nb_streams-1]; st = c->fc->streams[c->fc->nb_streams-1];
sc = st->priv_data; sc = st->priv_data;
if (sc->time_scale) {
av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n");
return AVERROR_INVALIDDATA;
}
version = avio_r8(pb); version = avio_r8(pb);
if (version > 1) { if (version > 1) {
av_log_ask_for_sample(c->fc, "unsupported version %d\n", version); av_log_ask_for_sample(c->fc, "unsupported version %d\n", version);
@@ -2853,7 +2858,9 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (left > 0) /* skip garbage at atom end */ if (left > 0) /* skip garbage at atom end */
avio_skip(pb, left); avio_skip(pb, left);
else if (left < 0) { else if (left < 0) {
av_log(c->fc, AV_LOG_DEBUG, "undoing overread of %"PRId64" in '%.4s'\n", -left, (char*)&a.type); av_log(c->fc, AV_LOG_WARNING,
"overread end of atom '%.4s' by %"PRId64" bytes\n",
(char*)&a.type, -left);
avio_seek(pb, left, SEEK_CUR); avio_seek(pb, left, SEEK_CUR);
} }
} }

25
libavformat/omadec.c
View File

@@ -432,23 +432,26 @@ static int oma_read_probe(AVProbeData *p)
static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags)
{ {
OMAContext *oc = s->priv_data; OMAContext *oc = s->priv_data;
int err = ff_pcm_read_seek(s, stream_index, timestamp, flags);
ff_pcm_read_seek(s, stream_index, timestamp, flags); if (!oc->encrypted)
return err;
if (oc->encrypted) {
/* readjust IV for CBC */ /* readjust IV for CBC */
int64_t pos = avio_tell(s->pb); if (err || avio_tell(s->pb) < oc->content_start)
if (pos < oc->content_start) goto wipe;
memset(oc->iv, 0, 8); if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0)
else { goto wipe;
if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) { if ((err = avio_read(s->pb, oc->iv, 8)) < 8) {
memset(oc->iv, 0, 8); if (err >= 0)
return -1; err = AVERROR_EOF;
} goto wipe;
}
} }
return 0; return 0;
wipe:
memset(oc->iv, 0, 8);
return err;
} }
AVInputFormat ff_oma_demuxer = { AVInputFormat ff_oma_demuxer = {

3
libavformat/utils.c
View File

@@ -2976,6 +2976,9 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
int best_fps = 0; int best_fps = 0;
double best_error = 0.01; double best_error = 0.01;
if (st->info->codec_info_duration >= INT64_MAX / st->time_base.num / 2||
st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den)
continue;
av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
st->info->codec_info_duration_fields*(int64_t)st->time_base.den, st->info->codec_info_duration_fields*(int64_t)st->time_base.den,
st->info->codec_info_duration*2*(int64_t)st->time_base.num, 60000); st->info->codec_info_duration*2*(int64_t)st->time_base.num, 60000);