Merge commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb' into release/1.1
* commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb': mvi: Add sanity checking for the audio frame size alac: Do bounds checking of lpc_order read from the bitstream xwma: Avoid division by zero avidec: Make sure a packet is large enough before reading its data vqf: Make sure the bitrate is in the valid range vqf: Make sure sample_rate is set to a valid value electronicarts: Check packet sizes before reading lavf: Avoid setting avg_frame_rate if delta_dts is negative vc1dec: Undo mpegvideo initialization if unable to allocate tables vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors wnv1: Make sure the input packet is large enough dcadec: Validate the lfe parameter Conflicts: libavcodec/dcadec.c libavcodec/wnv1.c libavformat/avidec.c libavformat/electronicarts.c libavformat/utils.c libavformat/xwma.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
@@ -321,6 +321,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index,
|
||||
rice_history_mult[ch] = get_bits(&alac->gb, 3);
|
||||
lpc_order[ch] = get_bits(&alac->gb, 5);
|
||||
|
||||
if (lpc_order[ch] >= alac->max_samples_per_frame)
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
||||
/* read the predictor table */
|
||||
for (i = lpc_order[ch] - 1; i >= 0; i--)
|
||||
lpc_coefs[ch][i] = get_sbits(&alac->gb, 16);
|
||||
|
||||
@@ -738,10 +738,10 @@ static int dca_parse_frame_header(DCAContext *s)
|
||||
s->lfe = get_bits(&s->gb, 2);
|
||||
s->predictor_history = get_bits(&s->gb, 1);
|
||||
|
||||
if (s->lfe == 3) {
|
||||
if (s->lfe > 2) {
|
||||
s->lfe = 0;
|
||||
av_log_ask_for_sample(s->avctx, "LFE is 3\n");
|
||||
return AVERROR_PATCHWELCOME;
|
||||
av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
/* TODO: check CRC */
|
||||
|
||||
@@ -5141,8 +5141,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v)
|
||||
|
||||
if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
|
||||
!v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
|
||||
!v->mb_type_base)
|
||||
return -1;
|
||||
!v->mb_type_base) {
|
||||
av_freep(&v->mv_type_mb_plane);
|
||||
av_freep(&v->direct_mb_plane);
|
||||
av_freep(&v->acpred_plane);
|
||||
av_freep(&v->over_flags_plane);
|
||||
av_freep(&v->block);
|
||||
av_freep(&v->cbp_base);
|
||||
av_freep(&v->ttblk_base);
|
||||
av_freep(&v->is_intra_base);
|
||||
av_freep(&v->luma_mv_base);
|
||||
av_freep(&v->mb_type_base);
|
||||
return AVERROR(ENOMEM);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -5514,8 +5525,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
|
||||
}
|
||||
|
||||
if (!s->context_initialized) {
|
||||
if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0)
|
||||
if (ff_msmpeg4_decode_init(avctx) < 0)
|
||||
goto err;
|
||||
if (ff_vc1_decode_init_alloc_tables(v) < 0) {
|
||||
ff_MPV_common_end(s);
|
||||
goto err;
|
||||
}
|
||||
|
||||
s->low_delay = !avctx->has_b_frames || v->res_sprite;
|
||||
|
||||
|
||||
@@ -71,8 +71,8 @@ static int decode_frame(AVCodecContext *avctx,
|
||||
int prev_y = 0, prev_u = 0, prev_v = 0;
|
||||
uint8_t *rbuf;
|
||||
|
||||
if(buf_size<=8) {
|
||||
av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
|
||||
if (buf_size <= 8) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
|
||||
@@ -818,8 +818,10 @@ static int avi_read_header(AVFormatContext *s)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int read_gab2_sub(AVStream *st, AVPacket *pkt) {
|
||||
if (pkt->data && !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) {
|
||||
static int read_gab2_sub(AVStream *st, AVPacket *pkt)
|
||||
{
|
||||
if (pkt->size >= 7 &&
|
||||
!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
|
||||
uint8_t desc[256];
|
||||
int score = AVPROBE_SCORE_MAX / 2, ret;
|
||||
AVIStream *ast = st->priv_data;
|
||||
|
||||
@@ -545,12 +545,16 @@ static int ea_read_packet(AVFormatContext *s,
|
||||
case AV_CODEC_ID_ADPCM_EA_R1:
|
||||
case AV_CODEC_ID_ADPCM_EA_R2:
|
||||
case AV_CODEC_ID_ADPCM_IMA_EA_EACS:
|
||||
if (pkt->size >= 4)
|
||||
pkt->duration = AV_RL32(pkt->data);
|
||||
break;
|
||||
case AV_CODEC_ID_ADPCM_EA_R3:
|
||||
if (pkt->size >= 4)
|
||||
if (pkt->size < 4) {
|
||||
av_log(s, AV_LOG_ERROR, "Packet is too short\n");
|
||||
av_free_packet(pkt);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3)
|
||||
pkt->duration = AV_RB32(pkt->data);
|
||||
else
|
||||
pkt->duration = AV_RL32(pkt->data);
|
||||
break;
|
||||
case AV_CODEC_ID_ADPCM_IMA_EA_SEAD:
|
||||
pkt->duration = ret * 2 / ea->num_channels;
|
||||
|
||||
@@ -95,6 +95,12 @@ static int read_header(AVFormatContext *s)
|
||||
mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24;
|
||||
|
||||
mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
|
||||
if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
|
||||
av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n",
|
||||
mvi->audio_data_size, frames_count);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
|
||||
mvi->audio_size_left = mvi->audio_data_size;
|
||||
|
||||
|
||||
@@ -2982,7 +2982,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
|
||||
double best_error = 0.01;
|
||||
|
||||
if (st->info->codec_info_duration >= INT64_MAX / st->time_base.num / 2||
|
||||
st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den)
|
||||
st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den ||
|
||||
st->info->codec_info_duration < 0)
|
||||
continue;
|
||||
av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
|
||||
st->info->codec_info_duration_fields*(int64_t)st->time_base.den,
|
||||
|
||||
@@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s)
|
||||
st->codec->sample_rate = 11025;
|
||||
break;
|
||||
default:
|
||||
if (rate_flag < 8 || rate_flag > 44) {
|
||||
av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
st->codec->sample_rate = rate_flag*1000;
|
||||
if (st->codec->sample_rate <= 0) {
|
||||
av_log(s, AV_LOG_ERROR, "sample rate %d is invalid\n", st->codec->sample_rate);
|
||||
@@ -182,6 +186,13 @@ static int vqf_read_header(AVFormatContext *s)
|
||||
break;
|
||||
}
|
||||
|
||||
if (read_bitrate / st->codec->channels < 8 ||
|
||||
read_bitrate / st->codec->channels > 48) {
|
||||
av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n",
|
||||
read_bitrate / st->codec->channels);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
switch (((st->codec->sample_rate/1000) << 8) +
|
||||
read_bitrate/st->codec->channels) {
|
||||
case (11<<8) + 8 :
|
||||
|
||||
@@ -201,8 +201,10 @@ static int xwma_read_header(AVFormatContext *s)
|
||||
/* Estimate the duration from the total number of output bytes. */
|
||||
const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
|
||||
|
||||
if(!bytes_per_sample) {
|
||||
av_log(s, AV_LOG_ERROR, "bytes_per_sample is 0\n");
|
||||
if (!bytes_per_sample) {
|
||||
av_log(s, AV_LOG_ERROR,
|
||||
"Invalid bits_per_coded_sample %d for %d channels\n",
|
||||
st->codec->bits_per_coded_sample, st->codec->channels);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user