diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index 83e0d810e6..0e6c549dd5 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -636,10 +636,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
 alac->avctx = avctx;
 /* initialize from the extradata */
- if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) {
- av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n",
- ALAC_EXTRADATA_SIZE);
- return -1;
+ if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) {
+ av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n");
+ return AVERROR_INVALIDDATA;
 }
 if (alac_set_info(alac)) {
 av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n");
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 90876c3778..805dd068fe 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3127,8 +3127,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
 if(num_ref_idx_active_override_flag){
 h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
- if(h->slice_type_nos==AV_PICTURE_TYPE_B)
+ if (h->ref_count[0] < 1)
+ return AVERROR_INVALIDDATA;
+ if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
 h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
+ if (h->ref_count[1] < 1)
+ return AVERROR_INVALIDDATA;
+ }
 }
 if (h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
@@ -4047,6 +4052,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
 hx->inter_gb_ptr= &hx->inter_gb;
 if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning
+ && s->current_picture_ptr
 && s->context_initialized
 && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc)
 && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=AV_PICTURE_TYPE_B)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index ceb4091c6e..0342747204 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
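Review bot: The relaxed size check in alac_decode_init (libavcodec/alac.c) now accepts extradata longer than ALAC_EXTRADATA_SIZE without recording why, and the new log line drops the sizes that made the old message useful for triage. A comment such as `/* larger extradata is tolerated; only the first ALAC_EXTRADATA_SIZE bytes are expected to be parsed */` would state the intent, assuming alac_set_info (not visible here) reads only that fixed prefix. The message could keep the numbers, e.g. `"alac: extradata is too small (%d < %d)\n"` with `avctx->extradata_size, ALAC_EXTRADATA_SIZE`. The function body continues outside the hunk.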
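Review bot: Both new early returns in decode_slice_header (libavcodec/h264.c) leave the rejected value stored in `h->ref_count[]` and log nothing, so any later code that reads the context after the failed slice could still see a zero reference count. Resetting before the return, for example `h->ref_count[0] = h->ref_count[1] = 1;`, and adding an AV_LOG_ERROR line that names the bad field would keep the state sane and make the rejection visible. The declaration of ref_count is outside the hunk, so whether `< 1` can also see negative values or only a wrap to zero is not visible here; the function body continues beyond the hunk.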
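Review bot: The added `s->current_picture_ptr` test in decode_nal_units (libavcodec/h264.c) carries no comment, and when it fails the partitioned slice is skipped silently. A one-line comment above the `if`, such as `/* data partitions can arrive with no current picture set up; do not decode them */`, would explain the guard; that reading is inferred from the neighbouring data_partitioning test and should be confirmed. The condition and the function both continue outside the hunk.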
@@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s)
 for (i = 0; i < ogg->nstreams; i++){
 struct ogg_stream *os = ogg->streams + i;
- os->buf = av_malloc (os->bufsize);
- memset (os->buf, 0, os->bufsize);
+ os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
 memcpy (os->buf, ost->streams[i].buf, os->bufpos);
 }
@@ -161,13 +160,18 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
 AVStream *st;
 struct ogg_stream *os;
- ogg->streams = av_realloc (ogg->streams,
- ogg->nstreams * sizeof (*ogg->streams));
+ os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams));
+
+ if (!os)
+ return AVERROR(ENOMEM);
+
+ ogg->streams = os;
+
 memset (ogg->streams + idx, 0, sizeof (*ogg->streams));
 os = ogg->streams + idx;
 os->serial = serial;
 os->bufsize = DECODER_BUFFER_SIZE;
- os->buf = av_malloc(os->bufsize);
+ os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
 os->header = -1;
 if (new_avstream) {
@@ -185,7 +189,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
 static int ogg_new_buf(struct ogg *ogg, int idx)
 {
 struct ogg_stream *os = ogg->streams + idx;
- uint8_t *nb = av_malloc(os->bufsize);
+ uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
 int size = os->bufpos - os->pstart;
 if(os->buf){
 memcpy(nb, os->buf + os->pstart, size);
@@ -296,7 +300,9 @@ static int ogg_read_page(AVFormatContext *s, int *str)
 }
 if (os->bufsize - os->bufpos < size){
- uint8_t *nb = av_malloc (os->bufsize *= 2);
+ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (!nb)
+ return AVERROR(ENOMEM);
 memcpy (nb, os->buf, os->bufpos);
 av_free (os->buf);
 os->buf = nb;
@@ -310,6 +316,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
 os->granule = gp;
 os->flags = flags;
+ memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
 if (str)
 *str = idx;
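Review bot: The result of `av_mallocz` in ogg_save (libavformat/oggdec.c) goes straight into `memcpy` with no NULL check, so an allocation failure becomes a write through a null pointer. The same unchecked pattern remains in this diff at `os->buf = av_malloc(...)` in ogg_new_stream and at `uint8_t *nb = av_malloc(...)` in ogg_new_buf, where `nb` is the `memcpy` destination. Each site needs a guard such as `if (!os->buf) return AVERROR(ENOMEM);` (or the `nb` equivalent) before the copy; releasing what ogg_save has already allocated happens outside the hunk and has to be handled there. The sum `os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE` is also formed without an overflow check, which matters if bufsize can grow from file-controlled data.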
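Review bot: The new `return AVERROR(ENOMEM)` in ogg_new_stream appears to return after `ogg->nstreams` has already been advanced: the realloc is sized by `ogg->nstreams` while the new slot is `idx`, and the increment itself is outside the hunk. If so, a failed realloc leaves the count one larger than the array, and ogg_read_close, which this commit now calls on header failure, loops `i < ogg->nstreams` and would read `streams[i].buf` past the end. Undo the increment on the failure path, e.g. `ogg->nstreams--;` ahead of the return, once the derivation of idx is confirmed.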
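Review bot: In the buffer-growth branch of ogg_read_page, `os->bufsize` is doubled inside the `av_malloc` argument, so when the new NULL check fires the stream keeps its old buffer but records twice its size. A caller that carries on after ENOMEM would then pass the `os->bufsize - os->bufpos < size` test and copy into the smaller allocation. Allocate from the prospective size and commit it only on success: `uint8_t *nb = av_malloc (os->bufsize * 2 + FF_INPUT_BUFFER_PADDING_SIZE);` followed, after the `if (!nb)` check, by `os->bufsize *= 2;`. The doubling is also unchecked against overflow; the type of bufsize is declared outside the hunk, and the function body extends beyond it.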
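Review bot: The `memset` added near the end of ogg_read_page writes FF_INPUT_BUFFER_PADDING_SIZE bytes at `os->buf + os->bufpos`, which stays in bounds only if every allocation of `os->buf` carries the padding and `bufpos` never exceeds `bufsize`. This diff pads ogg_save, ogg_new_stream, ogg_new_buf and the growth path; any other place that assigns `os->buf` (none is visible here) needs the same treatment. A comment would pin the invariant: `/* os->buf is always allocated with FF_INPUT_BUFFER_PADDING_SIZE spare bytes; keep them zeroed for readers that overread */`.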
@@ -518,15 +525,30 @@ static int ogg_get_length(AVFormatContext *s)
 return 0;
 }
-static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap)
+static int ogg_read_close(AVFormatContext *s)
+{
+ struct ogg *ogg = s->priv_data;
+ int i;
+
+ for (i = 0; i < ogg->nstreams; i++) {
+ av_free(ogg->streams[i].buf);
+ av_free(ogg->streams[i].private);
+ }
+ av_free(ogg->streams);
+ return 0;
+}
+
+static int ogg_read_header(AVFormatContext *s)
 {
 struct ogg *ogg = s->priv_data;
 int ret, i;
 ogg->curidx = -1; //linear headers seek from start
 ret = ogg_get_headers(s);
- if (ret < 0)
+ if (ret < 0) {
+ ogg_read_close(s);
 return ret;
+ }
 for (i = 0; i < ogg->nstreams; i++)
 if (ogg->streams[i].header < 0)
@@ -611,19 +633,6 @@ retry:
 return psize;
 }
-static int ogg_read_close(AVFormatContext *s)
-{
- struct ogg *ogg = s->priv_data;
- int i;
-
- for (i = 0; i < ogg->nstreams; i++){
- av_free (ogg->streams[i].buf);
- av_free (ogg->streams[i].private);
- }
- av_free (ogg->streams);
- return 0;
-}
-
 static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index,
 int64_t *pos_arg, int64_t pos_limit)
 {
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index c2a0d26e5e..9442ddcf88 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1720,6 +1720,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt)
 rt->cur_transport_priv = NULL;
 }
+redo:
 if (rt->transport == RTSP_TRANSPORT_RTP) {
 int i;
 int64_t first_queue_time = 0;
@@ -1735,12 +1736,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt)
 first_queue_st = rt->rtsp_streams[i];
 }
 }
- if (first_queue_time)
+ if (first_queue_time) {
 wait_end = first_queue_time + s->max_delay;
+ } else {
+ wait_end = 0;
+ first_queue_st = NULL;
+ }
 }
 /* read next RTP packet */
- redo:
 if (!rt->recvbuf) {
 rt->recvbuf = av_malloc(RECVBUF_SIZE);
 if (!rt->recvbuf)
diff --git a/libavutil/opt.c b/libavutil/opt.c
index 2f8be3bfba..9f8171541c 100644
--- a/libavutil/opt.c
+++ b/libavutil/opt.c
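Review bot: ogg_read_close, now called from the error path of ogg_read_header (libavformat/oggdec.c), frees `streams[i].buf`, `streams[i].private` and `ogg->streams` but leaves the stale pointers and `ogg->nstreams` in place. If the demuxer's close callback runs again on the same context after a failed read_header (caller behaviour is not visible here), that is a double free. Using `av_freep(&ogg->streams[i].buf);` and `av_freep(&ogg->streams);` and then setting `ogg->nstreams = 0;` makes the function safe to call twice. Only the ogg_get_headers failure is routed through the cleanup; any later error return in ogg_read_header, outside the hunk, should take the same path.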
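Review bot: Moving `redo:` above the RTP queue scan in ff_rtsp_fetch_packet (libavformat/rtsp.c) changes what every `goto redo` repeats, and neither the label nor the new `else` branch in the following hunk says why. A comment above the label, such as `/* recompute the reordering deadline on each retry so wait_end and first_queue_st never carry over from an earlier pass */`, would document it; that intent is inferred from the added resets and should be confirmed. The `goto` sites and the declarations of wait_end and first_queue_st are outside both hunks, so it is worth checking that no retry path relies on the previous values.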
@@ -56,8 +56,10 @@ const AVOption *av_next_option(void *obj, const AVOption *last)
 const AVOption *av_opt_next(void *obj, const AVOption *last)
 {
 AVClass *class = *(AVClass**)obj;
- if (!last && class->option[0].name) return class->option;
- if (last && last[1].name) return ++last;
+ if (!last && class->option && class->option[0].name)
+ return class->option;
+ if (last && last[1].name)
+ return ++last;
 return NULL;
 }
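Review bot: `av_opt_next` (libavutil/opt.c) now tolerates a NULL `class->option`, but `obj` and `class` themselves are still dereferenced unchecked on the first line of the body. An object whose AVClass pointer has not been set would crash at `class->option` before the new test helps. Load `class` only after an `if (!obj) return NULL;` check and include it in the first condition: `if (!last && class && class->option && class->option[0].name)`.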