Merge commit '54e03863691dcae73260f70108b3731b70773e7c' into release/0.10
* commit '54e03863691dcae73260f70108b3731b70773e7c': vc1: check the source buffer in vc1_mc functions bink: Bound check the quantization matrix. xl: Make sure the width is valid alsdec: Fix the clipping range dsicinav: Bound-check the source buffer when needed mov: Do not allow updating the time scale after it has been set ac3dec: Don't consume more data than the actual input packet size indeo: Reject impossible FRAMETYPE_NULL Conflicts: libavcodec/alsdec.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
commit
210a437e10
@ -1345,7 +1345,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
|
||||
av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
|
||||
"skipping frame\n");
|
||||
*got_frame_ptr = 0;
|
||||
return s->frame_size;
|
||||
return buf_size;
|
||||
} else {
|
||||
av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
|
||||
}
|
||||
|
||||
@ -1159,6 +1159,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int als_weighting(GetBitContext *gb, int k, int off)
|
||||
{
|
||||
int idx = av_clip(decode_rice(gb, k) + off,
|
||||
0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
|
||||
return mcc_weightings[idx];
|
||||
}
|
||||
|
||||
/** Read the channel data.
|
||||
*/
|
||||
@ -1179,14 +1185,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
|
||||
|
||||
if (current->master_channel != c) {
|
||||
current->time_diff_flag = get_bits1(gb);
|
||||
current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
|
||||
current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)];
|
||||
current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
|
||||
current->weighting[0] = als_weighting(gb, 1, 16);
|
||||
current->weighting[1] = als_weighting(gb, 2, 14);
|
||||
current->weighting[2] = als_weighting(gb, 1, 16);
|
||||
|
||||
if (current->time_diff_flag) {
|
||||
current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
|
||||
current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
|
||||
current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
|
||||
current->weighting[3] = als_weighting(gb, 1, 16);
|
||||
current->weighting[4] = als_weighting(gb, 1, 16);
|
||||
current->weighting[5] = als_weighting(gb, 1, 16);
|
||||
|
||||
current->time_diff_sign = get_bits1(gb);
|
||||
current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
|
||||
|
||||
@ -679,6 +679,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
|
||||
quant_idx = q;
|
||||
}
|
||||
|
||||
if (quant_idx >= 16)
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
||||
quant = quant_matrices[quant_idx];
|
||||
|
||||
block[0] = (block[0] * quant[0]) >> 11;
|
||||
|
||||
@ -188,11 +188,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char
|
||||
while (src < src_end && dst < dst_end) {
|
||||
code = *src++;
|
||||
if (code & 0x80) {
|
||||
if (src >= src_end)
|
||||
break;
|
||||
len = code - 0x7F;
|
||||
memset(dst, *src++, FFMIN(len, dst_end - dst));
|
||||
} else {
|
||||
len = code + 1;
|
||||
memcpy(dst, src, FFMIN(len, dst_end - dst));
|
||||
memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
|
||||
src += len;
|
||||
}
|
||||
dst += len;
|
||||
|
||||
@ -822,6 +822,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (ctx->is_scalable)
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
||||
for (p = 0; p < 3; p++) {
|
||||
if (!ctx->planes[p].bands[0].buf)
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
}
|
||||
|
||||
//STOP_TIMER("decode_planes"); }
|
||||
|
||||
@ -395,6 +395,11 @@ static void vc1_mc_1mv(VC1Context *v, int dir)
|
||||
}
|
||||
}
|
||||
|
||||
if (!srcY || !srcU) {
|
||||
av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
src_x = s->mb_x * 16 + (mx >> 2);
|
||||
src_y = s->mb_y * 16 + (my >> 2);
|
||||
uvsrc_x = s->mb_x * 8 + (uvmx >> 2);
|
||||
@ -570,6 +575,11 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir)
|
||||
} else
|
||||
srcY = s->next_picture.f.data[0];
|
||||
|
||||
if (!srcY) {
|
||||
av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
if (v->field_mode) {
|
||||
if (v->cur_field_type != v->ref_field_type[dir])
|
||||
my = my - 2 + 4 * v->cur_field_type;
|
||||
@ -856,6 +866,11 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir)
|
||||
srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x;
|
||||
}
|
||||
|
||||
if (!srcU) {
|
||||
av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
if (v->field_mode) {
|
||||
if (chroma_ref_type) {
|
||||
srcU += s->current_picture_ptr->f.linesize[1];
|
||||
|
||||
@ -69,6 +69,11 @@ static int decode_frame(AVCodecContext *avctx,
|
||||
|
||||
stride = avctx->width - 4;
|
||||
|
||||
if (avctx->width % 4) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
if (buf_size < avctx->width * avctx->height) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
||||
@ -754,6 +754,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
|
||||
st = c->fc->streams[c->fc->nb_streams-1];
|
||||
sc = st->priv_data;
|
||||
|
||||
if (sc->time_scale) {
|
||||
av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
version = avio_r8(pb);
|
||||
if (version > 1) {
|
||||
av_log_ask_for_sample(c, "unsupported version %d\n", version);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user