From 380e3732676828decd54dccaba96db30be78aecf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sun, 29 Sep 2013 00:59:50 +0300
Subject: [PATCH 01/12] xan: Only read within the data that actually was initialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82)
Signed-off-by: Luca Barbato
(cherry picked from commit 09ace619d6ccb2c0a45b5fdead29f926409fa129)
---
 libavcodec/xan.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 3078e0a977..d0def65f20 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
 int ptr_len = src_len - 1 - byte*2;
 unsigned char val = ival;
 unsigned char *dest_end = dest + dest_len;
+ unsigned char *dest_start = dest;
 GetBitContext gb;
 if (ptr_len < 0)
@@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
 if (val < 0x16) {
 if (dest >= dest_end)
- return 0;
+ return dest_len;
 *dest++ = val;
 val = ival;
 }
 }
- return 0;
+ return dest - dest_start;
 }
 /**
@@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) {
 unsigned char flag = 0;
 int size = 0;
 int motion_x, motion_y;
- int x, y;
+ int x, y, ret;
 unsigned char *opcode_buffer = s->buffer1;
 unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
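Review bot: The return contract of xan_huffman_decode changes in this hunk — it now yields the number of bytes written to `dest` (`return dest - dest_start;`, and `return dest_len;` on the full-buffer exit, which is the same quantity since the loop stores exactly one byte per iteration) while the `ptr_len < 0` path, whose body lies outside the hunk, presumably still returns a negative value — but nothing at the definition documents it. Callers that still treat the result as a plain success flag would silently keep the stale `buffer1 + buffer1_size` end pointer, so the contract deserves a doc comment above the function: `/* Decodes the Huffman-coded opcode stream into dest. Returns the number of bytes written (at most dest_len), or a negative value if the input is too short. */` The function header itself is above the first hunk and not visible here.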
@@ -308,9 +309,10 @@ static int xan_wc3_decode_frame(XanContext *s) {
 bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
 imagedata_segment = s->buf + imagedata_offset;
- if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
- huffman_segment, s->size - huffman_offset) < 0)
+ if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+ huffman_segment, s->size - huffman_offset)) < 0)
 return AVERROR_INVALIDDATA;
+ opcode_buffer_end = opcode_buffer + ret;
 if (imagedata_segment[0] == 2) {
 xan_unpack(s->buffer2, s->buffer2_size,
From d3986f4f1baf8397c1f12154387c2c1950125d72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sun, 29 Sep 2013 01:04:05 +0300
Subject: [PATCH 02/12] xxan: Disallow odd width
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Decoded data is always written in pairs within this decoder. This fixes writes out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato
---
 libavcodec/xxan.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 59e1229802..e9c6169ad8 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -46,6 +46,11 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
 avctx->pix_fmt = PIX_FMT_YUV420P;
+ if (avctx->width & 1) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width);
+ return AVERROR(EINVAL);
+ }
+
 s->buffer_size = avctx->width * avctx->height;
 s->y_buffer = av_malloc(s->buffer_size);
 if (!s->y_buffer)
From cb4a101fbe2729f77d636c264b11789d251bfe84 Mon Sep 17 00:00:00 2001
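Review bot: `opcode_buffer_end = opcode_buffer + ret;` can make the end pointer equal to the start, because xan_huffman_decode now returns `dest - dest_start` and that is 0 when no opcode byte was emitted; every later read of `opcode_buffer` in xan_wc3_decode_frame (all outside this hunk) must therefore compare against `opcode_buffer_end` before each access, which I cannot confirm from here. If an empty opcode stream is never meaningful for this codec, rejecting it up front is cheaper than relying on every downstream bound check: `if (!ret) return AVERROR_INVALIDDATA;` right after the assignment. A one-line comment on the assignment would also help the next reader, e.g. `/* only the bytes actually decoded are valid; the rest of buffer1 is stale */`. xan_wc3_decode_frame begins and ends outside the hunk.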
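Review bot: The new odd-width check leaves `s->buffer_size = avctx->width * avctx->height;` on the very next line without any visible bound on `height` or on the product, and whether a generic dimension check (av_image_check_size or similar) has already run for this decoder at init time cannot be seen from the hunk; a zero or huge height would yield an empty or wrapped buffer size here. If no such check precedes this, extend the new guard: `if (avctx->width & 1 || avctx->width <= 0 || avctx->height <= 0)` and keep the same error path. The comment motivating the parity test lives only in the commit message; putting it on the `if`, `/* the decoder always writes two pixels at a time */`, keeps the reason with the code. xan_decode_init continues outside the hunk.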
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sun, 29 Sep 2013 01:24:20 +0300
Subject: [PATCH 03/12] rpza: Fix a buffer size check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato
(cherry picked from commit f06e39fe6b272a11782c023c31eec43bfce3138d)
---
 libavcodec/rpza.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 59c3a7b3a7..c0cea865df 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -202,7 +202,7 @@ static void rpza_decode_stream(RpzaContext *s)
 /* Fill block with 16 colors */
 case 0x00:
- if (s->size - stream_ptr < 16)
+ if (s->size - stream_ptr < 30)
 return;
 block_ptr = row_ptr + pixel_ptr;
 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
From d92c908e235a0632176b1b037860c73bcd2ed97f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sun, 29 Sep 2013 13:02:27 +0300
Subject: [PATCH 04/12] pcx: Check the packet size before assuming it fits a palette
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes reads out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato
Conflicts:
 libavcodec/pcx.c
(cherry picked from commit 7e350b7ddd19af856b55634233d609e29baab646)
---
 libavcodec/pcx.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 0e8201267a..8419e5cd76 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
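Review bot: The constant 30 in `if (s->size - stream_ptr < 30)` is only explained by the commit message (15 of the 16 pixels read two bytes each), so the reason belongs next to the number: `/* 15 more 16-bit colours follow the one already read: 30 bytes */` above the check. The bare `return;` then drops the rest of the frame silently, so a truncated packet looks like a clean decode to the caller; emitting at least an error line before it, e.g. `av_log(s->avctx, AV_LOG_ERROR, "truncated 16-colour block\n");`, keeps the fix from hiding corruption — this assumes the context holds an `avctx` pointer, which the hunk does not show. rpza_decode_stream begins and ends outside the hunk.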
@@ -183,7 +183,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 } else if (nplanes == 1 && bits_per_pixel == 8) {
 const uint8_t *palstart = bufstart + buf_size - 769;
- for (y=0; y
Date: Sat, 28 Sep 2013 16:56:54 +0200
Subject: [PATCH 05/12] mxfdec: set audio timebase to 1/samplerate
Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC). Based on a commit by Matthieu Bouron
Reported-by: Jean-Baptiste Kempf
CC: libav-stable@libav.org
(cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb)
Signed-off-by: Luca Barbato
---
 libavformat/mxfdec.c | 12 +++++++++++-
 tests/ref/seek/lavf_mxf | 16 ++++++++--------
 tests/ref/seek/lavf_mxf_d10 | 16 ++++++++--------
 3 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index cb2ae86e48..c0f71136ad 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -830,7 +830,17 @@ static int mxf_parse_structural_metadata(MXFContext *mxf)
 st->codec->codec_id = container_ul->id;
 st->codec->channels = descriptor->channels;
 st->codec->bits_per_coded_sample = descriptor->bits_per_sample;
- st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den;
+ if (descriptor->sample_rate.den > 0) {
+ st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den;
+ avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num);
+ } else {
+ av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) "
+ "found for stream #%d, time base forced to 1/48000\n",
+ descriptor->sample_rate.num, descriptor->sample_rate.den,
+ st->index);
+ avpriv_set_pts_info(st, 64, 1, 48000);
+ }
+
 /* TODO: implement CODEC_ID_RAWAUDIO */
 if (st->codec->codec_id == CODEC_ID_PCM_S16LE) {
 if (descriptor->bits_per_sample > 16 && descriptor->bits_per_sample <= 24)
diff --git a/tests/ref/seek/lavf_mxf b/tests/ref/seek/lavf_mxf
index 4c1aecc68e..ce0d6ed873 100644
--- a/tests/ref/seek/lavf_mxf
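Review bot: The guard `if (descriptor->sample_rate.den > 0)` validates only the denominator, so a descriptor carrying `sample_rate.num <= 0` still reaches `avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num)` with a zero or negative time base and leaves `st->codec->sample_rate` at 0 or negative — a 1/0 time base is exactly the kind of value that later ends up as a divisor. Extending the condition to `if (descriptor->sample_rate.den > 0 && descriptor->sample_rate.num > 0) {` routes those descriptors through the existing warning-and-48000 fallback, whose message already prints both fields. mxf_parse_structural_metadata begins and ends outside the hunk.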
+++ b/tests/ref/seek/lavf_mxf
@@ -7,9 +7,9 @@ ret: 0 st: 0 flags:0 ts: 0.800000
 ret:-1
 ret: 0 st: 0 flags:1 ts:-0.320000
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801
-ret: 0 st: 1 flags:0 ts: 2.560000
+ret: 0 st: 1 flags:0 ts: 2.576667
 ret:-1
-ret: 0 st: 1 flags:1 ts: 1.480000
+ret: 0 st: 1 flags:1 ts: 1.470833
 ret:-1
 ret: 0 st:-1 flags:0 ts: 0.365002
 ret: 0 st: 0 flags:1 dts: 0.360000 pts: NOPTS pos: 6144 size: 24801
@@ -19,9 +19,9 @@ ret: 0 st: 0 flags:0 ts: 2.160000
 ret:-1
 ret: 0 st: 0 flags:1 ts: 1.040000
 ret:-1
-ret: 0 st: 1 flags:0 ts:-0.040000
+ret: 0 st: 1 flags:0 ts:-0.058333
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801
-ret: 0 st: 1 flags:1 ts: 2.840000
+ret: 0 st: 1 flags:1 ts: 2.835833
 ret:-1
 ret: 0 st:-1 flags:0 ts: 1.730004
 ret:-1
@@ -31,9 +31,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801
 ret: 0 st: 0 flags:1 ts: 2.400000
 ret:-1
-ret: 0 st: 1 flags:0 ts: 1.320000
+ret: 0 st: 1 flags:0 ts: 1.306667
 ret:-1
-ret: 0 st: 1 flags:1 ts: 0.200000
+ret: 0 st: 1 flags:1 ts: 0.200833
 ret: 0 st: 0 flags:1 dts: 0.200000 pts: NOPTS pos: 6144 size: 24801
 ret: 0 st:-1 flags:0 ts:-0.904994
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801
@@ -43,9 +43,9 @@ ret: 0 st: 0 flags:0 ts: 0.880000
 ret:-1
 ret: 0 st: 0 flags:1 ts:-0.240000
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801
-ret: 0 st: 1 flags:0 ts: 2.680000
+ret: 0 st: 1 flags:0 ts: 2.671667
 ret:-1
-ret: 0 st: 1 flags:1 ts: 1.560000
+ret: 0 st: 1 flags:1 ts: 1.565833
 ret:-1
 ret: 0 st:-1 flags:0 ts: 0.460008
 ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 6144 size: 24801
diff --git a/tests/ref/seek/lavf_mxf_d10 b/tests/ref/seek/lavf_mxf_d10
index c05870f402..dba05ce9cb 100644
--- a/tests/ref/seek/lavf_mxf_d10
+++ b/tests/ref/seek/lavf_mxf_d10
@@ -7,9 +7,9 @@ ret: 0 st: 0 flags:0 ts: 0.800000
 ret:-1
 ret: 0 st: 0 flags:1 ts:-0.320000
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
-ret: 0 st: 1 flags:0 ts: 2.560000
+ret: 0 st: 1 flags:0 ts: 2.576667
 ret:-1
-ret: 0 st: 1 flags:1 ts: 1.480000
+ret: 0 st: 1 flags:1 ts: 1.470833
 ret:-1
 ret: 0 st:-1 flags:0 ts: 0.365002
 ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 6144 size:150000
@@ -19,9 +19,9 @@ ret: 0 st: 0 flags:0 ts: 2.160000
 ret:-1
 ret: 0 st: 0 flags:1 ts: 1.040000
 ret:-1
-ret: 0 st: 1 flags:0 ts:-0.040000
+ret: 0 st: 1 flags:0 ts:-0.058333
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
-ret: 0 st: 1 flags:1 ts: 2.840000
+ret: 0 st: 1 flags:1 ts: 2.835833
 ret:-1
 ret: 0 st:-1 flags:0 ts: 1.730004
 ret:-1
@@ -31,9 +31,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
 ret: 0 st: 0 flags:1 ts: 2.400000
 ret:-1
-ret: 0 st: 1 flags:0 ts: 1.320000
+ret: 0 st: 1 flags:0 ts: 1.306667
 ret:-1
-ret: 0 st: 1 flags:1 ts: 0.200000
+ret: 0 st: 1 flags:1 ts: 0.200833
 ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 6144 size:150000
 ret: 0 st:-1 flags:0 ts:-0.904994
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
@@ -43,9 +43,9 @@ ret: 0 st: 0 flags:0 ts: 0.880000
 ret:-1
 ret: 0 st: 0 flags:1 ts:-0.240000
 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
-ret: 0 st: 1 flags:0 ts: 2.680000
+ret: 0 st: 1 flags:0 ts: 2.671667
 ret:-1
-ret: 0 st: 1 flags:1 ts: 1.560000
+ret: 0 st: 1 flags:1 ts: 1.565833
 ret:-1
 ret: 0 st:-1 flags:0 ts: 0.460008
 ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 6144 size:150000
From e972338e3596036d5d1f3ef214c465fa8a4a8504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 23:32:57 +0300
Subject: [PATCH 06/12] asfdec: Check the return value of asf_read_stream_properties
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This makes sure errors in setting stream parameters are passed on to the caller. This avoids successfully opening files while some parameters aren't filled in properly.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad)
Signed-off-by: Luca Barbato
(cherry picked from commit fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d)
---
 libavformat/asfdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 3b487888ba..a6affbbe53 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -622,7 +622,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
 if (ret < 0)
 return ret;
 } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
- asf_read_stream_properties(s, gsize);
+ int ret = asf_read_stream_properties(s, gsize);
+ if (ret < 0)
+ return ret;
 } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
 asf_read_content_desc(s, gsize);
 } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
From 591d5281f5bccd2ee398ca46bf7de507be65036b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Tue, 17 Sep 2013 19:33:48 +0300
Subject: [PATCH 07/12] twinvqdec: Check the ibps parameter separately
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is required, since invalid parameters actually could pass the switch check below.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
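Review bot: `int ret = asf_read_stream_properties(s, gsize);` declares a fresh `ret` inside the else-if branch while the hunk's first context lines (`if (ret < 0) return ret;`) already use a `ret` from an enclosing scope; if that one is function-scoped this shadows it (-Wshadow) for no gain, and plain `ret = asf_read_stream_properties(s, gsize);` would match the branch just above. The neighbouring `asf_read_content_desc(s, gsize);` in the same chain is still called without looking at its result, so the half-initialised-state problem the commit message describes remains possible there if that function can fail — its return type is not visible in this hunk. asf_read_header begins and ends outside the hunk.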
Signed-off-by: Martin Storsjö
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)
(cherry picked from commit 9b9aee27f4e43b4a6b0884f8a6f49eb0289d7c09)
---
 libavcodec/twinvq.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 22be07a5b5..3006e9f108 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -1137,6 +1137,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx)
 return -1;
 }
 ibps = avctx->bit_rate / (1000 * avctx->channels);
+ if (ibps < 8 || ibps > 48) {
+ av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps);
+ return AVERROR_INVALIDDATA;
+ }
 switch ((isampf << 8) + ibps) {
 case (8 <<8) + 8: tctx->mtab = &mode_08_08; break;
From 871baf312791b5bdf00affa34ceb6dbc239cd077 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Mon, 16 Sep 2013 20:58:38 +0300
Subject: [PATCH 08/12] rmdec: Validate the fps value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Abort if it is invalid if strict error checking has been requested.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918)
Signed-off-by: Luca Barbato
Conflicts:
 libavformat/rmdec.c
---
 libavformat/rmdec.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 37e18f02ac..62b0802caa 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
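Review bot: The new range check only runs after `ibps = avctx->bit_rate / (1000 * avctx->channels);` on the line above it, so it is safe only if the check that closes just above the hunk (`return -1; }`) already rejects `avctx->channels == 0`; that check is not visible here, and with a zero channel count the division faults before the new guard is reached, while a very large count overflows `1000 * avctx->channels` (signed int arithmetic). If channels are not bounded there, add `if (avctx->channels <= 0) return AVERROR_INVALIDDATA;` before the division. The 8..48 window would also deserve a one-line comment tying it to the mode tables below, `/* mode_XX_YY tables exist only for 8..48 kbit/s per channel */`, if that is indeed what the switch encodes. twin_decode_init begins and ends outside the hunk.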
@@ -334,8 +334,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb,
 if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0)
 return ret;
- av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num,
- 0x10000, fps, (1 << 30) - 1);
+ if (fps > 0) {
+ av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num,
+ 0x10000, fps, (1 << 30) - 1);
+ } else if (s->error_recognition & AV_EF_EXPLODE) {
+ av_log(s, AV_LOG_ERROR, "Invalid framerate\n");
+ return AVERROR_INVALIDDATA;
+ }
 st->avg_frame_rate = st->r_frame_rate;
 }
From 49c1defee5221cb8b533cc5cf731fb61f0508647 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 19 Sep 2013 15:58:59 +0300
Subject: [PATCH 09/12] svq3: Avoid a division by zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the height is zero, the decompression will probably end up failing due to not fitting into the allocated buffer later anyway, so this doesn't need any more elaborate check.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)
---
 libavcodec/svq3.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 5097af5b5f..601afb6b7f 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -902,7 +902,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
 int offset = (get_bits_count(&gb)+7)>>3;
 uint8_t *buf;
- if ((uint64_t)watermark_width*4 > UINT_MAX/watermark_height)
+ if (watermark_height > 0 &&
+ (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height)
 return -1;
 buf = av_malloc(buf_len);
From fbc52044f3d07f4f059214b314d17fd07bc4e12f Mon Sep 17 00:00:00 2001
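Review bot: When `fps <= 0` and AV_EF_EXPLODE is not set, the new code neither logs nor touches `st->r_frame_rate`, so `st->avg_frame_rate = st->r_frame_rate;` copies whatever the stream was initialised with and the bad header value passes unnoticed; a warning on the lenient path costs nothing and makes the two modes consistent: add `} else {` / `av_log(s, AV_LOG_WARNING, "Invalid framerate\n");` / `}` after the EXPLODE branch. A short comment on the `if (fps > 0)` line, `/* 0 would make the av_reduce() result meaningless */`, would say why the value is gated. ff_rm_read_mdpr_codecdata begins and ends outside the hunk.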
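Review bot: With `watermark_height == 0` the whole condition is now false and control falls straight through to `buf = av_malloc(buf_len);`, relying — as the commit message admits — on a later failure rather than rejecting the value where it is first seen; unless a zero-height watermark is something real streams carry, making the rejection explicit is simpler and does not depend on that later path: `if (watermark_height <= 0 || (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height)`. If watermark_height is an unsigned type the `<= 0` degenerates to `== 0` and is still correct. A comment above the check, `/* reject a zero height and a width*height*4 product that would not fit an unsigned */`, would spell out what the test protects. svq3_decode_init begins and ends outside the hunk.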
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 19 Sep 2013 16:29:23 +0300
Subject: [PATCH 10/12] fraps: Make the input buffer size checks more strict
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
Conflicts:
 libavcodec/fraps.c
---
 libavcodec/fraps.c | 35 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index 4d03057f43..23cfee89ce 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -139,10 +139,17 @@ static int decode_frame(AVCodecContext *avctx,
 uint32_t offs[4];
 int i, j, is_chroma, planes;
 enum PixelFormat pix_fmt;
+ int prev_pic_bit, expected_size;
+
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+ return AVERROR_INVALIDDATA;
+ }
 header = AV_RL32(buf);
 version = header & 0xff;
 header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */
+ prev_pic_bit = header & (1U << 31); /* bit 31 means same as previous pic */
 if (version > 5) {
 av_log(avctx, AV_LOG_ERROR,
@@ -161,16 +168,19 @@ static int decode_frame(AVCodecContext *avctx,
 }
 avctx->pix_fmt = pix_fmt;
- switch(version) {
+ expected_size = header_size;
+
+ switch (version) {
 case 0:
 default:
 /* Fraps v0 is a reordered YUV420 */
- if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
- (buf_size != header_size) ) {
+ if (!prev_pic_bit)
+ expected_size += avctx->width * avctx->height * 3 / 2;
+ if (buf_size != expected_size) {
 av_log(avctx, AV_LOG_ERROR,
 "Invalid frame length %d (should be %d)\n",
- buf_size, avctx->width*avctx->height*3/2+header_size);
- return -1;
+ buf_size, expected_size);
+ return AVERROR_INVALIDDATA;
 }
 if (( (avctx->width % 8) != 0) || ( (avctx->height % 2) != 0 )) {
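Review bot: `if (buf_size < 4)` runs before `header_size` is known, and nothing in these hunks checks `buf_size >= header_size` once bit 30 selects the 8-byte header; versions 0 and 1 are covered indirectly because `buf_size != expected_size` starts from `expected_size = header_size`, but the remaining `case`s of the switch (outside the hunk) would need the same guarantee before reading past the header. One line right after `header_size` is computed gives it to every version: `if (buf_size < header_size) return AVERROR_INVALIDDATA;`. `avctx->width * avctx->height * 3 / 2` is also plain int arithmetic; it only stays in range if the dimensions were bounded at init (av_image_check_size or equivalent), which I cannot see from here. decode_frame begins and ends outside the hunk.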
@@ -187,8 +197,7 @@ static int decode_frame(AVCodecContext *avctx,
 av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
 return -1;
 }
- /* bit 31 means same as previous pic */
- f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
+ f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
 f->key_frame = f->pict_type == AV_PICTURE_TYPE_I;
 if (f->pict_type == AV_PICTURE_TYPE_I) {
@@ -212,12 +221,13 @@ static int decode_frame(AVCodecContext *avctx,
 case 1:
 /* Fraps v1 is an upside-down BGR24 */
- if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
- (buf_size != header_size) ) {
+ if (!prev_pic_bit)
+ expected_size += avctx->width * avctx->height * 3;
+ if (buf_size != expected_size) {
 av_log(avctx, AV_LOG_ERROR,
 "Invalid frame length %d (should be %d)\n",
- buf_size, avctx->width*avctx->height*3+header_size);
- return -1;
+ buf_size, expected_size);
+ return AVERROR_INVALIDDATA;
 }
 f->reference = 1;
@@ -228,8 +238,7 @@ static int decode_frame(AVCodecContext *avctx,
 av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
 return -1;
 }
- /* bit 31 means same as previous pic */
- f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
+ f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
 f->key_frame = f->pict_type == AV_PICTURE_TYPE_I;
 if (f->pict_type == AV_PICTURE_TYPE_I) {
From 29fa517d40ed485a24128d005ee796f0355398e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 19 Sep 2013 17:02:36 +0300
Subject: [PATCH 11/12] r3d: Add more input value validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
Conflicts:
 libavformat/r3d.c
---
 libavformat/r3d.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/r3d.c b/libavformat/r3d.c
index 73e73986ff..877c901748 100644
--- a/libavformat/r3d.c
+++ b/libavformat/r3d.c
@@ -277,6 +277,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom)
 dts = avio_rb32(s->pb);
 st->codec->sample_rate = avio_rb32(s->pb);
+ if (st->codec->sample_rate <= 0) {
+ av_log(s, AV_LOG_ERROR, "Bad sample rate\n");
+ return AVERROR_INVALIDDATA;
+ }
 samples = avio_rb32(s->pb);
From 9925f7df0a50387ade8d83cb85b40c53e41e7041 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 20 Sep 2013 11:32:25 +0300
Subject: [PATCH 12/12] vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64)
Signed-off-by: Luca Barbato
Conflicts:
 libavcodec/vc1dec.c
(cherry picked from commit 494f2d4f9e834db1eaf1a7d0160d497f9802013d)
---
 libavcodec/vc1dec.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 8c28aa9bc2..cf960f6816 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -4741,6 +4741,9 @@ static void vc1_decode_skip_blocks(VC1Context *v)
 {
 MpegEncContext *s = &v->s;
+ if (!v->s.last_picture.f.data[0])
+ return;
+
 ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END);
 s->first_slice_line = 1;
 for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) {
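Review bot: `if (!v->s.last_picture.f.data[0])` spells out `v->s.` although `MpegEncContext *s = &v->s;` is declared on the line directly above; `if (!s->last_picture.f.data[0])` reads the same and matches how the rest of the function addresses the context. The early return also skips the `ff_er_add_slice(...)` call below it, so the error concealer is never told about this slice when the reference is absent; if that is intentional, a comment on the new check should say so, e.g. `/* no last_picture to copy the skipped blocks from: leave the frame untouched */` — I am inferring the copy semantics from the function name, so adjust the wording to what the loop actually does. The silent bail-out may also be worth an `av_log` at debug level so missing references are visible when diagnosing corrupt output. vc1_decode_skip_blocks continues outside the hunk.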