Merge commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb' into release/1.1

* commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb':
  mvi: Add sanity checking for the audio frame size
  alac: Do bounds checking of lpc_order read from the bitstream
  xwma: Avoid division by zero
  avidec: Make sure a packet is large enough before reading its data
  vqf: Make sure the bitrate is in the valid range
  vqf: Make sure sample_rate is set to a valid value
  electronicarts: Check packet sizes before reading
  lavf: Avoid setting avg_frame_rate if delta_dts is negative
  vc1dec: Undo mpegvideo initialization if unable to allocate tables
  vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
  wnv1: Make sure the input packet is large enough
  dcadec: Validate the lfe parameter

Conflicts:
	libavcodec/dcadec.c
	libavcodec/wnv1.c
	libavformat/avidec.c
	libavformat/electronicarts.c
	libavformat/utils.c
	libavformat/xwma.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer
2013-10-08 01:26:51 +02:00
10 changed files with 61 additions and 17 deletions


@@ -321,6 +321,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index,
rice_history_mult[ch] = get_bits(&alac->gb, 3); rice_history_mult[ch] = get_bits(&alac->gb, 3);
lpc_order[ch] = get_bits(&alac->gb, 5); lpc_order[ch] = get_bits(&alac->gb, 5);
if (lpc_order[ch] >= alac->max_samples_per_frame)
return AVERROR_INVALIDDATA;
/* read the predictor table */ /* read the predictor table */
for (i = lpc_order[ch] - 1; i >= 0; i--) for (i = lpc_order[ch] - 1; i >= 0; i--)
lpc_coefs[ch][i] = get_sbits(&alac->gb, 16); lpc_coefs[ch][i] = get_sbits(&alac->gb, 16);
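Review bot: The new `lpc_order[ch] >= alac->max_samples_per_frame` rejection returns AVERROR_INVALIDDATA without logging anything, while the other checks in this merge report the offending value. Adding `av_log(avctx, AV_LOG_ERROR, "invalid lpc_order %d\n", lpc_order[ch]);` before the return would make a rejected stream diagnosable. A one-line comment saying why the order is compared with the frame length would also help; presumably the predictor consumes lpc_order samples from the frame, but decode_element continues outside this hunk, so that cannot be confirmed from here.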


@@ -738,10 +738,10 @@ static int dca_parse_frame_header(DCAContext *s)
s->lfe = get_bits(&s->gb, 2); s->lfe = get_bits(&s->gb, 2);
s->predictor_history = get_bits(&s->gb, 1); s->predictor_history = get_bits(&s->gb, 1);
if (s->lfe == 3) { if (s->lfe > 2) {
s->lfe = 0; s->lfe = 0;
av_log_ask_for_sample(s->avctx, "LFE is 3\n"); av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
return AVERROR_PATCHWELCOME; return AVERROR_INVALIDDATA;
} }
/* TODO: check CRC */ /* TODO: check CRC */
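Review bot: The error message always prints 0, because `s->lfe = 0;` runs before the `av_log` call that formats `s->lfe`. Log first and reset afterwards: `av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);` followed by `s->lfe = 0;`. Since the field is read with `get_bits(&s->gb, 2)`, `> 2` and `== 3` select the same value, so the condition change itself does not alter which streams are rejected.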


@@ -5141,8 +5141,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v)
if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane || if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
!v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base || !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
!v->mb_type_base) !v->mb_type_base) {
return -1; av_freep(&v->mv_type_mb_plane);
av_freep(&v->direct_mb_plane);
av_freep(&v->acpred_plane);
av_freep(&v->over_flags_plane);
av_freep(&v->block);
av_freep(&v->cbp_base);
av_freep(&v->ttblk_base);
av_freep(&v->is_intra_base);
av_freep(&v->luma_mv_base);
av_freep(&v->mb_type_base);
return AVERROR(ENOMEM);
}
return 0; return 0;
} }
@@ -5514,8 +5525,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
} }
if (!s->context_initialized) { if (!s->context_initialized) {
if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0) if (ff_msmpeg4_decode_init(avctx) < 0)
goto err; goto err;
if (ff_vc1_decode_init_alloc_tables(v) < 0) {
ff_MPV_common_end(s);
goto err;
}
s->low_delay = !avctx->has_b_frames || v->res_sprite; s->low_delay = !avctx->has_b_frames || v->res_sprite;
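Review bot: The ten `av_freep()` calls in the failure branch of ff_vc1_decode_init_alloc_tables repeat by hand the pointer list of the condition above them, so a table later added to one list and not the other will leak on this path again. A comment such as `/* keep in sync with the allocation check above */` would flag that coupling, or the cleanup could live in one helper. Allocations made earlier in the function, and any pointers derived from the `*_base` buffers, are outside the hunk, so it cannot be confirmed from this view that nothing is left allocated or dangling after the error return.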


@@ -71,8 +71,8 @@ static int decode_frame(AVCodecContext *avctx,
int prev_y = 0, prev_u = 0, prev_v = 0; int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf; uint8_t *rbuf;
if(buf_size<=8) { if (buf_size <= 8) {
av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size); av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }


@@ -818,8 +818,10 @@ static int avi_read_header(AVFormatContext *s)
return 0; return 0;
} }
static int read_gab2_sub(AVStream *st, AVPacket *pkt) { static int read_gab2_sub(AVStream *st, AVPacket *pkt)
if (pkt->data && !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) { {
if (pkt->size >= 7 &&
!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
uint8_t desc[256]; uint8_t desc[256];
int score = AVPROBE_SCORE_MAX / 2, ret; int score = AVPROBE_SCORE_MAX / 2, ret;
AVIStream *ast = st->priv_data; AVIStream *ast = st->priv_data;
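Review bot: The literal 7 in `pkt->size >= 7` is unexplained; it appears to cover the five bytes compared by strcmp ("GAB2" plus its terminator) and the 16-bit field read at offset 5. A comment such as `/* 5-byte "GAB2\0" tag + 16-bit type field */` would make that checkable. `memcmp(pkt->data, "GAB2", 5)` would state the bounded comparison directly instead of relying on strcmp stopping at a NUL inside the packet. The body of read_gab2_sub goes on to parse more of the packet outside this hunk, so whether 7 bytes is enough for those later reads cannot be judged from here.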


@@ -545,12 +545,16 @@ static int ea_read_packet(AVFormatContext *s,
case AV_CODEC_ID_ADPCM_EA_R1: case AV_CODEC_ID_ADPCM_EA_R1:
case AV_CODEC_ID_ADPCM_EA_R2: case AV_CODEC_ID_ADPCM_EA_R2:
case AV_CODEC_ID_ADPCM_IMA_EA_EACS: case AV_CODEC_ID_ADPCM_IMA_EA_EACS:
if (pkt->size >= 4)
pkt->duration = AV_RL32(pkt->data);
break;
case AV_CODEC_ID_ADPCM_EA_R3: case AV_CODEC_ID_ADPCM_EA_R3:
if (pkt->size >= 4) if (pkt->size < 4) {
av_log(s, AV_LOG_ERROR, "Packet is too short\n");
av_free_packet(pkt);
return AVERROR_INVALIDDATA;
}
if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3)
pkt->duration = AV_RB32(pkt->data); pkt->duration = AV_RB32(pkt->data);
else
pkt->duration = AV_RL32(pkt->data);
break; break;
case AV_CODEC_ID_ADPCM_IMA_EA_SEAD: case AV_CODEC_ID_ADPCM_IMA_EA_SEAD:
pkt->duration = ret * 2 / ea->num_channels; pkt->duration = ret * 2 / ea->num_channels;
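Review bot: The 32-bit value taken from the start of the packet is stored in `pkt->duration` without a range check, in both the `AV_RB32` and the `AV_RL32` branch. The new `pkt->size < 4` test guarantees the four bytes are present, but the value itself is still whatever the file supplies, and if `pkt->duration` is a signed int (its declaration is not visible here) large values turn negative. Consider validating the value before it is used, for example by rejecting one that converts to a negative duration. ea_read_packet begins and continues outside this hunk.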


@@ -95,6 +95,12 @@ static int read_header(AVFormatContext *s)
mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24;
mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n",
mvi->audio_data_size, frames_count);
return AVERROR_INVALIDDATA;
}
mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
mvi->audio_size_left = mvi->audio_data_size; mvi->audio_size_left = mvi->audio_data_size;
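Review bot: The condition `mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1` relies on `-` binding tighter than `<<` and `<<` tighter than `<=`; it parses as intended but reads ambiguously and typically draws a -Wparentheses warning. Write it as `if (mvi->audio_frame_size <= (1 << (MVI_FRAC_BITS - 1))) {`. The division by `frames_count` on the line above runs before this check, so it depends on a zero test earlier in read_header that is outside the hunk. The `%d` conversions in the log call also assume both arguments are int, which the hunk does not show.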


@@ -2982,7 +2982,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
double best_error = 0.01; double best_error = 0.01;
if (st->info->codec_info_duration >= INT64_MAX / st->time_base.num / 2|| if (st->info->codec_info_duration >= INT64_MAX / st->time_base.num / 2||
st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den) st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den ||
st->info->codec_info_duration < 0)
continue; continue;
av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
st->info->codec_info_duration_fields*(int64_t)st->time_base.den, st->info->codec_info_duration_fields*(int64_t)st->time_base.den,
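Review bot: The added `st->info->codec_info_duration < 0` test has no comment saying how the accumulated duration can become negative; the commit title attributes it to a negative delta_dts, which is not visible at this spot. A comment such as `/* negative when timestamps go backwards: no usable average */` above the condition would keep the check from being removed later as dead code. Testing the sign first would also read more naturally than placing it after the two overflow comparisons, though the result is the same.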


@@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s)
st->codec->sample_rate = 11025; st->codec->sample_rate = 11025;
break; break;
default: default:
if (rate_flag < 8 || rate_flag > 44) {
av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag);
return AVERROR_INVALIDDATA;
}
st->codec->sample_rate = rate_flag*1000; st->codec->sample_rate = rate_flag*1000;
if (st->codec->sample_rate <= 0) { if (st->codec->sample_rate <= 0) {
av_log(s, AV_LOG_ERROR, "sample rate %d is invalid\n", st->codec->sample_rate); av_log(s, AV_LOG_ERROR, "sample rate %d is invalid\n", st->codec->sample_rate);
@@ -182,6 +186,13 @@ static int vqf_read_header(AVFormatContext *s)
break; break;
} }
if (read_bitrate / st->codec->channels < 8 ||
read_bitrate / st->codec->channels > 48) {
av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n",
read_bitrate / st->codec->channels);
return AVERROR_INVALIDDATA;
}
switch (((st->codec->sample_rate/1000) << 8) + switch (((st->codec->sample_rate/1000) << 8) +
read_bitrate/st->codec->channels) { read_bitrate/st->codec->channels) {
case (11<<8) + 8 : case (11<<8) + 8 :
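Review bot: The new bitrate check divides `read_bitrate` by `st->codec->channels` three times, and nothing in the visible hunks shows that `channels` has been checked for zero; if it reaches this point unvalidated from the file header, the check itself divides by zero. Confirm that an earlier test in vqf_read_header (outside this view) rejects `channels <= 0`, or add one before this block. Computing the quotient once, e.g. `int chan_bitrate = read_bitrate / st->codec->channels;`, would also remove the repetition across the condition, the log call and the switch. In the first hunk the `rate_flag < 8 || rate_flag > 44` test makes the following `sample_rate <= 0` test unreachable.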


@@ -201,8 +201,10 @@ static int xwma_read_header(AVFormatContext *s)
/* Estimate the duration from the total number of output bytes. */ /* Estimate the duration from the total number of output bytes. */
const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1]; const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
if(!bytes_per_sample) { if (!bytes_per_sample) {
av_log(s, AV_LOG_ERROR, "bytes_per_sample is 0\n"); av_log(s, AV_LOG_ERROR,
"Invalid bits_per_coded_sample %d for %d channels\n",
st->codec->bits_per_coded_sample, st->codec->channels);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }