Merge commit '46fd6e4f2ebbcd5a00847cdb05fe416466d06d37' into release/1.1

* commit '46fd6e4f2ebbcd5a00847cdb05fe416466d06d37': aac: check the maximum number of channels update Changelog riff: check for eof if chunk size and code are 0 oggdec: fix faulty cleanup prototype Conflicts: Changelog Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-05-12 14:11:03 +02:00
parent d2b9da2f37 46fd6e4f2e
commit 9767d7513c
3 changed files with 34 additions and 1 deletions
--- a/27
+++ b/27
@@ -2,6 +2,33 @@ Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

 version <next>:
+
+Most of the following fixes resulted from test samples that the Google
+Security Team has kindly made available to us:
+
+- af_channelmap: sanity check input channel indices in all cases
+- avfiltergraph: check for sws opts being non-NULL before using them
+- bmv: check for len being valid in bmv_decode_frame()
+- configure: Enable hwaccels without external dependencies by default
+- dfa: check for invalid access in decode_wdlt()
+- id3v2: pad the APIC packets as required by lavc
+- indeo3: check motion vectors
+- indeo3: fix data size check
+- indeo3: switch parsing the header to bytestream2
+- lavf: make sure stream probe data gets freed
+- matroska: Update the available size after lace parsing
+- matroska: fix a corner case in ebml-lace parsing
+- matroska: pass the lace size to the matroska_parse_rm_audio
+- mp3dec: fallback to generic seeking when a TOC is not present
+- oggdec: fix faulty cleanup prototype
+- oma: Validate sample rates
+- qdm2: check that the FFT size is a power of 2
+- riff: check for eof if chunk size and code are 0 to prevent an infinite loop
+- rv10: check that extradata is large enough
+- svq1dec: check that the reference frame has the same dimensions as the current one
+- svq1dec: clip motion vectors to the frame size
+- xmv: check audio track parameters validity
+- xmv: do not leak memory in the error paths in xmv_read_header()
 - atrac3: avoid oversized shifting in decode_bytes()
 - eamad: allocate a dummy reference frame when the real one is missing
 - ffv1: fix calculating slice dimensions for version 2
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -147,6 +147,8 @@ static av_cold int che_configure(AACContext *ac,
                                 enum ChannelPosition che_pos,
                                 int type, int id, int *channels)
 {
+    if (*channels >= MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
    if (che_pos) {
        if (!ac->che[type][id]) {
            if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -822,7 +822,7 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size)
                av_log(s, AV_LOG_WARNING, "INFO subchunk truncated\n");
                return AVERROR_INVALIDDATA;
            }
-            break;
+            return AVERROR_EOF;
        }
        if (chunk_size > end || end - chunk_size < cur || chunk_size == UINT_MAX) {
            avio_seek(pb, -9, SEEK_CUR);
@@ -839,6 +839,10 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size)
        if (!chunk_code) {
            if (chunk_size)
                avio_skip(pb, chunk_size);
+            else if (pb->eof_reached) {
+                av_log(s, AV_LOG_WARNING, "truncated file\n");
+                return AVERROR_EOF;
+            }
            continue;
        }