Merge commit '486c45767587151b517bb6fde602d43d178da203' into release/0.10
* commit '486c45767587151b517bb6fde602d43d178da203': mpc8: Check the seek table size parsed from the bitstream zmbvdec: Check the buffer size for uncompressed data ape: Don't allow the seektable to be omitted shorten: Break out of loop looking for fmt chunk if none is found shorten: Use a checked bytestream reader for the wave header smacker: Make sure we don't fill in huffman codes out of range Conflicts: libavcodec/shorten.c libavcodec/smacker.c libavcodec/zmbv.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
@@ -205,34 +205,38 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
|
||||
{
|
||||
int len;
|
||||
short wave_format;
|
||||
const uint8_t *end= header + header_size;
|
||||
GetByteContext gb;
|
||||
|
||||
if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) {
|
||||
bytestream2_init(&gb, header, header_size);
|
||||
|
||||
if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) {
|
||||
av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
header += 4; /* chunk size */
|
||||
bytestream2_skip(&gb, 4); /* chunk size */
|
||||
|
||||
if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) {
|
||||
if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) {
|
||||
av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) {
|
||||
len = bytestream_get_le32(&header);
|
||||
if (len < 0 || end - header - 8 < len)
|
||||
while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) {
|
||||
len = bytestream2_get_le32(&gb);
|
||||
bytestream2_skip(&gb, len);
|
||||
if (bytestream2_get_bytes_left(&gb) < 16) {
|
||||
av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
header += len;
|
||||
}
|
||||
}
|
||||
len = bytestream_get_le32(&header);
|
||||
len = bytestream2_get_le32(&gb);
|
||||
|
||||
if (len < 16) {
|
||||
av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
wave_format = bytestream_get_le16(&header);
|
||||
wave_format = bytestream2_get_le16(&gb);
|
||||
|
||||
switch (wave_format) {
|
||||
case WAVE_FORMAT_PCM:
|
||||
@@ -242,11 +246,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
|
||||
return AVERROR(ENOSYS);
|
||||
}
|
||||
|
||||
header += 2; // skip channels (already got from shorten header)
|
||||
avctx->sample_rate = bytestream_get_le32(&header);
|
||||
header += 4; // skip bit rate (represents original uncompressed bit rate)
|
||||
header += 2; // skip block align (not needed)
|
||||
avctx->bits_per_coded_sample = bytestream_get_le16(&header);
|
||||
bytestream2_skip(&gb, 2); // skip channels (already got from shorten header)
|
||||
avctx->sample_rate = bytestream2_get_le32(&gb);
|
||||
bytestream2_skip(&gb, 4); // skip bit rate (represents original uncompressed bit rate)
|
||||
bytestream2_skip(&gb, 2); // skip block align (not needed)
|
||||
avctx->bits_per_coded_sample = bytestream2_get_le16(&gb);
|
||||
|
||||
if (avctx->bits_per_coded_sample != 16) {
|
||||
av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n");
|
||||
|
||||
@@ -263,10 +263,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
|
||||
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
|
||||
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
|
||||
if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
|
||||
if(huff.current > huff.length){
|
||||
ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
|
||||
av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
|
||||
return -1;
|
||||
if (ctx.last[0] >= huff.length ||
|
||||
ctx.last[1] >= huff.length ||
|
||||
ctx.last[2] >= huff.length) {
|
||||
av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
|
||||
err = AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
*recodes = huff.values;
|
||||
|
||||
@@ -500,10 +500,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (c->comp == 0) { //Uncompressed data
|
||||
memcpy(c->decomp_buf, buf, len);
|
||||
c->decomp_size = 1;
|
||||
} else { // ZLIB-compressed data
|
||||
if (c->comp == 0) { //Uncompressed data
|
||||
if (c->decomp_size < len) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
memcpy(c->decomp_buf, buf, len);
|
||||
} else { // ZLIB-compressed data
|
||||
c->zstream.total_in = c->zstream.total_out = 0;
|
||||
c->zstream.next_in = buf;
|
||||
c->zstream.avail_in = len;
|
||||
|
||||
@@ -255,7 +255,7 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
|
||||
ape->totalframes);
|
||||
return -1;
|
||||
}
|
||||
if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) {
|
||||
if (ape->seektablelength / sizeof(*ape->seektable) < ape->totalframes) {
|
||||
av_log(s, AV_LOG_ERROR,
|
||||
"Number of seek entries is less than number of frames: %zu vs. %"PRIu32"\n",
|
||||
ape->seektablelength / sizeof(*ape->seektable), ape->totalframes);
|
||||
|
||||
@@ -143,6 +143,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
|
||||
av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
|
||||
return;
|
||||
}
|
||||
if (size < 0 || size >= INT_MAX / 2) {
|
||||
av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
|
||||
return;
|
||||
}
|
||||
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
|
||||
return;
|
||||
avio_read(s->pb, buf, size);
|
||||
|
||||
Reference in New Issue
Block a user