diff --git a/Changelog b/Changelog
index 737ff7ac5a..7dc42e2851 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,88 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version : +- 4xm: check that bits per sample is strictly positive +- 4xm: Check that the read track value is non-negative +- 4xm: Reject not a multiple of 16 dimension +- 8bps: Bound-check the input buffer +- aac: Check init_get_bits return value +- aac: return meaningful errors +- ac3: Clean up the error paths +- ac3dec: Don't consume more data than the actual input packet size +- ac3dec: Increment channel pointers only once per channel +- ac3: Do not clash with normal AVERROR +- ac3: Return proper error codes +- adpcm: Write the correct number of samples for ima-dk4 +- alac: Check that the channels fit at the given offset +- alac: Limit max_samples_per_frame +- alsdec: Clean up error paths +- alsdec: Fix the clipping range +- ape demuxer: check for EOF in potentially long loops +- atrac3: Error on impossible encoding/channel combinations +- atrac3: fix error handling +- atrac3: set the getbits context the right buffer_end +- ffmpeg: do not use lavfi direct rendering with -deinterlace +- avidec: Let the inner dv demuxer take care of discarding +- avio: Handle AVERROR_EOF in the same way as the return value 0 +- bink: Bound check the quantization matrix. 
+- dca: Error out on missing DSYNC
+- dca: Respect the current limits in the downmixing capabilities
+- dsicinav: Bound-check the source buffer when needed
+- dsicinav: Clip the source size to the expected maximum
+- dv: Add a guard to not overread the ppcm array
+- dxa: Make sure the reference frame exists
+- h261: check the mtype index
+- iff: Do not read over the source buffer
+- imc: Catch a division by zero
+- indeo4: Check the quantization matrix index
+- indeo4: Do not access missing reference MV
+- indeo4: Validate scantable dimension
+- indeo5: return proper error codes
+- indeo: Bound-check before applying motion compensation
+- indeo: Bound-check before applying transform
+- indeo: Do not reference mismatched tiles
+- indeo: Reject impossible FRAMETYPE_NULL
+- indeo: Sanitize ff_ivi_init_planes fail paths
+- lavf: avoid integer overflow when estimating bitrate
+- lavf: Make sure avg_frame_rate can be calculated without integer overflow
+- matroskadec: Check that .lang was allocated and set before reading it
+- mjpegb: Detect changing number of planes in interlaced video
+- mlpdec: Do not set invalid context in read_restart_header
+- mov: Do not allow updating the time scale after it has been set
+- mov: Seek back if overreading an individual atom
+- mpegvideo: Avoid 32-bit wrapping of linesize multiplications
+- nuv: check ff_rtjpeg_decode_frame_yuv420 return value
+- nuv: Do not ignore lzo decompression failures
+- nuv: Pad the lzo outbuf
+- nuv: Reset the frame on resize
+- nuv: return meaningful error codes.
+- nuv: Use av_fast_realloc
+- ogg: Always alloc the private context in vorbis_header
+- ogg: Fix potential infinite discard loop
+- oma: check geob tag boundary
+- oma: correctly mark and decrypt partial packets
+- oma: refactor seek function
+- pcm: always use codec->id instead of codec_id
+- pcx: Do not overread source buffer in pcx_rle_decode
+- pictordec: break out of both decoding loops when y drops below 0
+- pictordec: pass correct context to avpriv_request_sample
+- qdm2: check and reset dithering index per channel
+- qdm2: Conceal broken samples
+- qdm2: refactor joined stereo support
+- qdm2: use init_static_data
+- rmdec: Use the AVIOContext given as parameter in rm_read_metadata()
+- rtjpeg: Use init_get_bits8
+- rtmp: Do not misuse memcmp
+- rtmp: rename data_size to size
+- segafilm: Error out on impossible packet size
+- vc1: check mb_height validity.
+- vc1: check the source buffer in vc1_mc functions
+- vcr1: add sanity checks
+- vqavideo: check the version
+- westwood_vqa: do not free extradata on error in read_header
+- wmavoice: conceal clearly corrupted blocks
+- wtv: Mark attachment with a negative stream id
+- xl: Make sure the width is valid
 - kmvc: Clip pixel position to valid range
 - kmvc: Use fixed sized arrays in the context
 - indeo: Reject negative array indexes
diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index bb46f0174c..c4cbe48b0c 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -157,6 +157,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 int keyframe;
 int size_change = 0;
 int result;
+ int ret;
 enum {
 NUV_UNCOMPRESSED = '0',
 NUV_RTJPEG = '1',
@@ -273,7 +274,9 @@ retry:
 }
 case NUV_RTJPEG_IN_LZO:
 case NUV_RTJPEG:
- ff_rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+ ret = ff_rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+ if (ret < 0)
+ return ret;
 break;
 case NUV_BLACK:
 memset(c->pic.data[0], 0, c->width * c->height);
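Review bot: The `return ret;` added under `case NUV_RTJPEG:` leaves `decode_frame` from inside the switch, and everything after the switch is outside this hunk, so it should be confirmed that nothing set up earlier in the call (including the `retry:` path) needs undoing before an error return. The first nuv.c hunk adds `int ret;` directly below the existing `int result;`; if `result` is free at this point, reusing it would avoid two status variables in one function. A one-line comment above the check, for example `/* do not continue with a picture the RTJPEG decoder failed to fill */`, would record why the return value is no longer ignored; adjust the wording to what the function actually does after the switch.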
diff --git a/libavformat/dv.c b/libavformat/dv.c index a04735ac25..cf513a83b2 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -113,7 +113,7 @@ static const int dv_audio_frequency[3] = { * 3. Audio is always returned as 16bit linear samples: 12bit nonlinear samples * are converted into 16bit linear ones. */ -static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], +static int dv_extract_audio(uint8_t *frame, uint8_t **ppcm, const DVprofile *sys) { int size, chan, i, j, d, of, smpls, freq, quant, half_ch; @@ -358,7 +358,7 @@ int avpriv_dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, uint8_t* buf, int buf_size, int64_t pos) { int size, i; - uint8_t *ppcm[4] = {0}; + uint8_t *ppcm[5] = { 0 }; if (buf_size < DV_PROFILE_BYTES || !(c->sys = avpriv_dv_frame_profile(c->sys, buf, buf_size)) || diff --git a/libavformat/utils.c b/libavformat/utils.c index 9619d95f5e..1d9130fd7c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2258,15 +2258,18 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) /* if bit_rate is already set, we believe it */ if (ic->bit_rate <= 0) { - int64_t bit_rate = 0; + int bit_rate = 0; for(i=0;inb_streams;i++) { st = ic->streams[i]; if (st->codec->bit_rate > 0) { + if (INT_MAX - st->codec->bit_rate < bit_rate) { + bit_rate = 0; + break; + } bit_rate += st->codec->bit_rate; } } - if (bit_rate <= INT_MAX) - ic->bit_rate = bit_rate; + ic->bit_rate = bit_rate; } /* if duration is already set, we believe it */
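Review bot: The guard against overreading `ppcm` is only implicit: `dv_extract_audio` now takes `uint8_t **ppcm` with no length, and the only protection visible is that `avpriv_dv_produce_packet` (hunk at -358) grows its zero-initialised array to `ppcm[5]`. Presumably the extra slot acts as a NULL terminator for the channel loop, but that loop is outside both hunks, so the requirement should be written down where it can be checked. The comment block above the function could gain an item such as `* 4. ppcm must have one spare entry beyond the last channel buffer; it stays NULL.`, and the bare `5` would read better as a named constant. Since the function is static, any other call site in dv.c that still passes a four-entry array would keep the overread.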
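Review bot: The overflow branch in `estimate_timings_from_bit_rate` has no comment explaining why it is safe or what its result means. The subtraction `INT_MAX - st->codec->bit_rate` cannot itself overflow only because the enclosing `if (st->codec->bit_rate > 0)` has already excluded non-positive values, and on overflow the now-unconditional `ic->bit_rate = bit_rate;` stores 0. I would add `/* bit_rate > 0 here, so the subtraction is safe; on overflow leave the total unknown (0) */` above the new `if`. The code that consumes `ic->bit_rate` lies outside the hunk, so it is worth confirming that it treats 0 as "not set".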