generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210' into release/1.1

Browse Source 
* commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210':
  oma: refactor seek function
  xl: Make sure the width is valid
  8bps: Bound-check the input buffer
  4xm: Reject not a multiple of 16 dimension
  alsdec: Clean up error paths
  alsdec: Fix the clipping range
  dsicinav: Clip the source size to the expected maximum
  dsicinav: Bound-check the source buffer when needed
  dsicinav: K&R formatting cosmetics
  lavf: Make sure avg_frame_rate can be calculated without integer overflow
  mov: Do not allow updating the time scale after it has been set
  mov: Seek back if overreading an individual atom
  ac3dec: Don't consume more data than the actual input packet size
  indeo: Reject impossible FRAMETYPE_NULL
  indeo: Do not reference mismatched tiles

Conflicts:
	libavcodec/4xm.c
	libavcodec/8bps.c
	libavcodec/alsdec.c
	libavcodec/dsicinav.c
	libavcodec/ivi_common.c
	libavcodec/xl.c
	libavformat/mov.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2013-08-27 18:20:09 +02:00
parent fd85d03162 0b6adcf76b
commit 0930a562e7
8 changed files with 190 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/8bps.c
View File

@@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
unsigned char *pixptr, *pixptr_end;
unsigned int height = avctx->height; // Real image height
unsigned int dlen, p, row;
const unsigned char *lp, *dp;
const unsigned char *lp, *dp, *ep;
unsigned char count;
unsigned int planes = c->planes;
unsigned char *planemap = c->planemap;
@@ -79,6 +79,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
return -1;
}
ep = encoded + buf_size;
/* Set data pointer after line lengths */
dp = encoded + planes * (height << 1);
@@ -90,19 +92,19 @@ static int decode_frame(AVCodecContext *avctx, void *data,
for (row = 0; row < height; row++) {
pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
pixptr_end = pixptr + c->pic.linesize[0];
if(lp - encoded + row*2 + 1 >= buf_size)
return -1;
if (ep - lp < row * 2 + 2)
return AVERROR_INVALIDDATA;
dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2));
/* Decode a row of this plane */
while (dlen > 0) {
if (dp + 1 >= buf + buf_size)
if (ep - dp <= 1)
return -1;
if ((count = *dp++) <= 127) {
count++;
dlen -= count + 1;
if (pixptr + count * planes > pixptr_end)
break;
if (dp + count > buf + buf_size)
if (ep - dp < count)
return -1;
while (count--) {
*pixptr = *dp++;

2
libavcodec/ac3dec.c
View File

@@ -1308,7 +1308,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
"skipping frame\n");
*got_frame_ptr = 0;
return s->frame_size;
return buf_size;
} else {
av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
}

155
libavcodec/alsdec.c
View File

@@ -296,12 +296,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
avctx->extradata_size * 8, 1);
if (config_offset < 0)
return -1;
return AVERROR_INVALIDDATA;
skip_bits_long(&gb, config_offset);
if (get_bits_left(&gb) < (30 << 3))
return -1;
return AVERROR_INVALIDDATA;
// read the fixed items
als_id = get_bits_long(&gb, 32);
@@ -336,7 +336,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// check for ALSSpecificConfig struct
if (als_id != MKBETAG('A','L','S','\0'))
return -1;
return AVERROR_INVALIDDATA;
ctx->cur_frame_length = sconf->frame_length;
@@ -351,7 +351,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
int chan_pos_bits = av_ceil_log2(avctx->channels);
int bits_needed = avctx->channels * chan_pos_bits + 7;
if (get_bits_left(&gb) < bits_needed)
return -1;
return AVERROR_INVALIDDATA;
if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos))))
return AVERROR(ENOMEM);
@@ -377,7 +377,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// read fixed header and trailer sizes,
// if size = 0xFFFFFFFF then there is no data field!
if (get_bits_left(&gb) < 64)
return -1;
return AVERROR_INVALIDDATA;
header_size = get_bits_long(&gb, 32);
trailer_size = get_bits_long(&gb, 32);
@@ -391,10 +391,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// skip the header and trailer data
if (get_bits_left(&gb) < ht_size)
return -1;
return AVERROR_INVALIDDATA;
if (ht_size > INT32_MAX)
return -1;
return AVERROR_PATCHWELCOME;
skip_bits_long(&gb, ht_size);
@@ -402,7 +402,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
// initialize CRC calculation
if (sconf->crc_enabled) {
if (get_bits_left(&gb) < 32)
return -1;
return AVERROR_INVALIDDATA;
if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) {
ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
@@ -646,7 +646,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
if (bd->block_length & (sub_blocks - 1)) {
av_log(avctx, AV_LOG_WARNING,
"Block length is not evenly divisible by the number of subblocks.\n");
return -1;
return AVERROR_INVALIDDATA;
}
sb_length = bd->block_length >> log2_sub_blocks;
@@ -983,14 +983,13 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
*bd->shift_lsbs = 0;
// read block type flag and read the samples accordingly
if (get_bits1(gb)) {
if ((ret = read_var_block_data(ctx, bd)) < 0)
return ret;
ret = read_var_block_data(ctx, bd);
} else {
if ((ret = read_const_block_data(ctx, bd)) < 0)
return ret;
}
return 0;
return ret;
}
@@ -999,12 +998,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)
{
unsigned int smp;
int ret = 0;
// read block type flag and read the samples accordingly
if (*bd->const_block)
decode_const_block_data(ctx, bd);
else if (decode_var_block_data(ctx, bd))
return -1;
else
ret = decode_var_block_data(ctx, bd); // always return 0
if (ret < 0)
return ret;
// TODO: read RLSLMS extension data
@@ -1022,14 +1025,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd)
{
int ret;
ret = read_block(ctx, bd);
if (ret)
if ((ret = read_block(ctx, bd)) < 0)
return ret;
ret = decode_block(ctx, bd);
return ret;
return decode_block(ctx, bd);
}
@@ -1055,6 +1054,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
unsigned int c, const unsigned int *div_blocks,
unsigned int *js_blocks)
{
int ret;
unsigned int b;
ALSBlockData bd = { 0 };
@@ -1075,10 +1075,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
for (b = 0; b < ctx->num_blocks; b++) {
bd.block_length = div_blocks[b];
if (read_decode_block(ctx, &bd)) {
if ((ret = read_decode_block(ctx, &bd)) < 0) {
// damaged block, write zero for the rest of the frame
zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples);
return -1;
return ret;
}
bd.raw_samples += div_blocks[b];
bd.ra_block = 0;
@@ -1097,6 +1097,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
ALSSpecificConfig *sconf = &ctx->sconf;
unsigned int offset = 0;
unsigned int b;
int ret;
ALSBlockData bd[2] = { { 0 } };
bd[0].ra_block = ra_frame;
@@ -1138,12 +1139,9 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
bd[0].raw_other = bd[1].raw_samples;
bd[1].raw_other = bd[0].raw_samples;
if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) {
// damaged block, write zero for the rest of the frame
zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
return -1;
}
if ((ret = read_decode_block(ctx, &bd[0])) < 0 ||
(ret = read_decode_block(ctx, &bd[1])) < 0)
goto fail;
// reconstruct joint-stereo blocks
if (bd[0].js_blocks) {
@@ -1169,8 +1167,19 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
sizeof(*ctx->raw_samples[c]) * sconf->max_order);
return 0;
fail:
// damaged block, write zero for the rest of the frame
zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
return ret;
}
static inline int als_weighting(GetBitContext *gb, int k, int off)
{
int idx = av_clip(decode_rice(gb, k) + off,
0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
return mcc_weightings[idx];
}
/** Read the channel data.
*/
@@ -1186,19 +1195,19 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
if (current->master_channel >= channels) {
av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel.\n");
return -1;
return AVERROR_INVALIDDATA;
}
if (current->master_channel != c) {
current->time_diff_flag = get_bits1(gb);
current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)];
current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
current->weighting[0] = als_weighting(gb, 1, 16);
current->weighting[1] = als_weighting(gb, 2, 14);
current->weighting[2] = als_weighting(gb, 1, 16);
if (current->time_diff_flag) {
current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
current->weighting[3] = als_weighting(gb, 1, 16);
current->weighting[4] = als_weighting(gb, 1, 16);
current->weighting[5] = als_weighting(gb, 1, 16);
current->time_diff_sign = get_bits1(gb);
current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
@@ -1211,7 +1220,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
if (entries == channels) {
av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data.\n");
return -1;
return AVERROR_INVALIDDATA;
}
align_get_bits(gb);
@@ -1243,7 +1252,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
if (dep == channels) {
av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation.\n");
return -1;
return AVERROR_INVALIDDATA;
}
bd->const_block = ctx->const_block + c;
@@ -1314,8 +1323,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
unsigned int div_blocks[32]; ///< block sizes.
unsigned int c;
unsigned int js_blocks[2];
uint32_t bs_info = 0;
int ret;
// skip the size of the ra unit if present in the frame
if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame)
@@ -1346,13 +1355,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
independent_bs = 1;
if (independent_bs) {
if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks))
return -1;
ret = decode_blocks_ind(ctx, ra_frame, c,
div_blocks, js_blocks);
if (ret < 0)
return ret;
independent_bs--;
} else {
if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks))
return -1;
ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks);
if (ret < 0)
return ret;
c++;
}
@@ -1371,7 +1382,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
for (c = 0; c < avctx->channels; c++)
if (ctx->chan_data[c] < ctx->chan_data_buffer) {
av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data.\n");
return -1;
return AVERROR_INVALIDDATA;
}
memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels);
@@ -1403,11 +1414,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
return ret;
}
for (c = 0; c < avctx->channels; c++)
if (revert_channel_correlation(ctx, &bd, ctx->chan_data,
reverted_channels, offset, c))
return -1;
for (c = 0; c < avctx->channels; c++) {
ret = revert_channel_correlation(ctx, &bd, ctx->chan_data,
reverted_channels, offset, c);
if (ret < 0)
return ret;
}
for (c = 0; c < avctx->channels; c++) {
bd.const_block = ctx->const_block + c;
bd.shift_lsbs = ctx->shift_lsbs + c;
@@ -1612,30 +1624,30 @@ static av_cold int decode_init(AVCodecContext *avctx)
{
unsigned int c;
unsigned int channel_size;
int num_buffers;
int num_buffers, ret;
ALSDecContext *ctx = avctx->priv_data;
ALSSpecificConfig *sconf = &ctx->sconf;
ctx->avctx = avctx;
if (!avctx->extradata) {
av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n");
return -1;
return AVERROR_INVALIDDATA;
}
if (read_specific_config(ctx)) {
if ((ret = read_specific_config(ctx)) < 0) {
av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n");
decode_end(avctx);
return -1;
goto fail;
}
if (check_specific_config(ctx)) {
decode_end(avctx);
return -1;
if ((ret = check_specific_config(ctx)) < 0) {
goto fail;
}
if (sconf->bgmc)
ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
if (sconf->bgmc) {
ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
if (ret < 0)
goto fail;
}
if (sconf->floating) {
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
avctx->bits_per_raw_sample = 32;
@@ -1670,7 +1682,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
!ctx->quant_cof_buffer || !ctx->lpc_cof_buffer ||
!ctx->lpc_cof_reversed_buffer) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
return AVERROR(ENOMEM);
ret = AVERROR(ENOMEM);
goto fail;
}
// assign quantized parcor coefficient buffers
@@ -1695,8 +1708,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
!ctx->use_ltp || !ctx->ltp_lag ||
!ctx->ltp_gain || !ctx->ltp_gain_buffer) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx);
return AVERROR(ENOMEM);
ret = AVERROR(ENOMEM);
goto fail;
}
for (c = 0; c < num_buffers; c++)
@@ -1713,8 +1726,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx);
return AVERROR(ENOMEM);
ret = AVERROR(ENOMEM);
goto fail;
}
for (c = 0; c < num_buffers; c++)
@@ -1734,8 +1747,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
// allocate previous raw sample buffer
if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx);
return AVERROR(ENOMEM);
ret = AVERROR(ENOMEM);
goto fail;
}
// assign raw samples buffers
@@ -1752,8 +1765,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
av_get_bytes_per_sample(avctx->sample_fmt));
if (!ctx->crc_buffer) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
decode_end(avctx);
return AVERROR(ENOMEM);
ret = AVERROR(ENOMEM);
goto fail;
}
}
@@ -1763,6 +1776,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
avctx->coded_frame = &ctx->frame;
return 0;
fail:
decode_end(avctx);
return ret;
}

42
libavcodec/dsicinav.c
View File

@@ -128,13 +128,15 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx)
return 0;
}
static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size)
static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst,
int size)
{
while (size--)
*dst++ += *src++;
}
static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
static int cin_decode_huffman(const unsigned char *src, int src_size,
unsigned char *dst, int dst_size)
{
int b, huff_code = 0;
unsigned char huff_code_table[15];
@@ -142,7 +144,8 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
unsigned char *dst_end = dst + dst_size;
const unsigned char *src_end = src + src_size;
memcpy(huff_code_table, src, 15); src += 15;
memcpy(huff_code_table, src, 15);
src += 15;
while (src < src_end) {
huff_code = *src++;
@@ -167,7 +170,8 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
return dst_cur - dst;
}
static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
static int cin_decode_lzss(const unsigned char *src, int src_size,
unsigned char *dst, int dst_size)
{
uint16_t cmd;
int i, sz, offset, code;
@@ -180,13 +184,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
if (code & (1 << i)) {
*dst++ = *src++;
} else {
cmd = AV_RL16(src); src += 2;
cmd = AV_RL16(src);
src += 2;
offset = cmd >> 4;
if ((int)(dst - dst_start) < offset + 1)
return AVERROR_INVALIDDATA;
sz = (cmd & 0xF) + 2;
/* don't use memcpy/memmove here as the decoding routine (ab)uses */
/* buffer overlappings to repeat bytes in the destination */
/* don't use memcpy/memmove here as the decoding routine
* (ab)uses buffer overlappings to repeat bytes in the
* destination */
sz = FFMIN(sz, dst_end - dst);
while (sz--) {
*dst = *(dst - offset - 1);
@@ -199,7 +205,8 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
return 0;
}
static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
static int cin_decode_rle(const unsigned char *src, int src_size,
unsigned char *dst, int dst_size)
{
int len, code;
unsigned char *dst_end = dst + dst_size;
@@ -216,7 +223,7 @@ static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char
av_log(NULL, AV_LOG_ERROR, "RLE overread\n");
return AVERROR_INVALIDDATA;
}
memcpy(dst, src, FFMIN(len, dst_end - dst));
memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
src += len;
}
dst += len;
@@ -231,7 +238,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
CinVideoContext *cin = avctx->priv_data;
int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;
int i, y, palette_type, palette_colors_count,
bitmap_frame_type, bitmap_frame_size, res = 0;
palette_type = buf[0];
palette_colors_count = AV_RL16(buf + 1);
@@ -258,7 +266,10 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
}
}
/* note: the decoding routines below assumes that surface.width = surface.pitch */
bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size);
/* note: the decoding routines below assumes that
* surface.width = surface.pitch */
switch (bitmap_frame_type) {
case 9:
cin_decode_rle(buf, bitmap_frame_size,
@@ -278,7 +289,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
break;
case 36:
bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
cin->bitmap_table[CIN_INT_BMP],
cin->bitmap_size);
cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
@@ -307,7 +319,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
}
cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if ((res = avctx->reget_buffer(avctx, &cin->frame))) {
if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) {
av_log(cin->avctx, AV_LOG_ERROR, "failed to allocate a frame\n");
return res;
}
@@ -319,7 +331,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
cin->avctx->width);
FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]);
FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP],
cin->bitmap_table[CIN_PRE_BMP]);
*got_frame = 1;
*(AVFrame *)data = cin->frame;
@@ -392,7 +405,6 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
return avpkt->size;
}
AVCodec ff_dsicinvideo_decoder = {
.name = "dsicinvideo",
.type = AVMEDIA_TYPE_VIDEO,

10
libavcodec/ivi_common.c
View File

@@ -345,6 +345,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile,
tile->ref_mbs = 0;
if (p || b) {
if (tile->num_MBs != ref_tile->num_MBs)
return AVERROR_INVALIDDATA;
tile->ref_mbs = ref_tile->mbs;
ref_tile++;
}
@@ -984,6 +986,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
}
}
ctx->buf_invalid[ctx->dst_buf] = 0;
} else {
if (ctx->is_scalable)
return AVERROR_INVALIDDATA;
for (p = 0; p < 3; p++) {
if (!ctx->planes[p].bands[0].buf)
return AVERROR_INVALIDDATA;
}
}
if (ctx->buf_invalid[ctx->dst_buf])
return -1;

9
libavformat/mov.c
View File

@@ -833,6 +833,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = c->fc->streams[c->fc->nb_streams-1];
sc = st->priv_data;
if (sc->time_scale) {
av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n");
return AVERROR_INVALIDDATA;
}
version = avio_r8(pb);
if (version > 1) {
av_log_ask_for_sample(c->fc, "unsupported version %d\n", version);
@@ -2853,7 +2858,9 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (left > 0) /* skip garbage at atom end */
avio_skip(pb, left);
else if (left < 0) {
av_log(c->fc, AV_LOG_DEBUG, "undoing overread of %"PRId64" in '%.4s'\n", -left, (char*)&a.type);
av_log(c->fc, AV_LOG_WARNING,
"overread end of atom '%.4s' by %"PRId64" bytes\n",
(char*)&a.type, -left);
avio_seek(pb, left, SEEK_CUR);
}
}

25
libavformat/omadec.c
View File

@@ -432,23 +432,26 @@ static int oma_read_probe(AVProbeData *p)
static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags)
{
OMAContext *oc = s->priv_data;
int err = ff_pcm_read_seek(s, stream_index, timestamp, flags);
ff_pcm_read_seek(s, stream_index, timestamp, flags);
if (!oc->encrypted)
return err;
if (oc->encrypted) {
/* readjust IV for CBC */
int64_t pos = avio_tell(s->pb);
if (pos < oc->content_start)
memset(oc->iv, 0, 8);
else {
if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) {
memset(oc->iv, 0, 8);
return -1;
}
}
if (err || avio_tell(s->pb) < oc->content_start)
goto wipe;
if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0)
goto wipe;
if ((err = avio_read(s->pb, oc->iv, 8)) < 8) {
if (err >= 0)
err = AVERROR_EOF;
goto wipe;
}
return 0;
wipe:
memset(oc->iv, 0, 8);
return err;
}
AVInputFormat ff_oma_demuxer = {

3
libavformat/utils.c
View File

@@ -2976,6 +2976,9 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
int best_fps = 0;
double best_error = 0.01;
if (st->info->codec_info_duration >= INT64_MAX / st->time_base.num / 2||
st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den)
continue;
av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
st->info->codec_info_duration_fields*(int64_t)st->time_base.den,
st->info->codec_info_duration*2*(int64_t)st->time_base.num, 60000);