From d6d2617d07fcb25665543a3b7300ef17facaa809 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 20 Oct 2013 22:01:54 +0200
Subject: [PATCH 1/6] avio: Use AVERROR_PROTOCOL_NOT_FOUND

When the protocol is missing ffurl_alloc() should return AVERROR_PROTOCOL_NOT_FOUND instead of AVERROR(ENOENT).
Bug-Id: 577
CC: libav-stable@libav.org
(cherry picked from commit ea71aafd6881d7ce5cffec56feb45488e3ac5221)
Signed-off-by: Reinhard Tartler
---
 libavformat/avio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avio.c b/libavformat/avio.c
index ad39e6fdb0..689d4a1b07 100644
--- a/libavformat/avio.c
+++ b/libavformat/avio.c
@@ -197,7 +197,7 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags,
 return url_alloc_for_protocol (puc, up, filename, flags, int_cb);
 }
 *puc = NULL;
- return AVERROR(ENOENT);
+ return AVERROR_PROTOCOL_NOT_FOUND;
 }
 int ffurl_open(URLContext **puc, const char *filename, int flags,
From e776a1e8f37dbaf8c89ae13dcbcc3b387b782619 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 25 Oct 2013 18:46:53 -0400
Subject: [PATCH 2/6] ac3dec: fix outptr increment.

Fixes corrupt data errors when downmixing in the AC-3 decoder.
Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
CC:libav-stable@libav.org
(cherry picked from commit 6c82c87dbbc0582658968eae46cfebeea90a9c5e)
Signed-off-by: Reinhard Tartler
---
 libavcodec/ac3dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 51ac334775..ce14737141 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1398,7 +1398,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
 for (ch = 0; ch < s->out_channels; ch++)
 output[ch] = s->outptr[channel_map[ch]];
- for (ch = 0; ch < s->channels; ch++)
+ for (ch = 0; ch < s->out_channels; ch++)
 s->outptr[ch] += AC3_BLOCK_SIZE;
 }
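Review bot: In the ac3dec.c hunk the corrected loop advances `s->outptr[ch]` by plain index, while the two context lines above it address the same array through `channel_map[ch]`. The two agree only if channel_map maps 0..out_channels-1 onto itself, which the hunk does not show; if that is the invariant, a comment such as `/* channel_map permutes 0..out_channels-1, so every pointer used above is advanced */` would record it. The context memcpy also copies a literal 1024 bytes where the increment uses AC3_BLOCK_SIZE; presumably the two agree through the sample size, but that relation is not visible here. ac3_decode_frame starts and ends outside the hunk.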
From cdc47c48137fd5eb2e8195a005b6d59480b4d570 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 24 Oct 2013 15:24:25 +0200
Subject: [PATCH 3/6] omadec: check GEOB sizes against buffer size

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: David Goldwich
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov
(cherry picked from commit 1c736bedd9891501960ebac0f7c05eb60225e947)
Signed-off-by: Reinhard Tartler
---
 libavformat/omadec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 040345187b..158e1a6abe 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -234,6 +234,11 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
 av_log(s, AV_LOG_ERROR, "Invalid encryption header\n");
 return -1;
 }
+ if (OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size + 8 > geob->datasize ||
+ OMA_ENC_HEADER_SIZE + 48 > geob->datasize) {
+ av_log(s, AV_LOG_ERROR, "Too little GEOB data\n");
+ return AVERROR_INVALIDDATA;
+ }
 oc->rid = AV_RB32(&gdata[OMA_ENC_HEADER_SIZE + 28]);
 av_log(s, AV_LOG_DEBUG, "RID: %.8x\n", oc->rid);
From 35f9a0896ee6858114831a5a8e951872e4473a75 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 24 Oct 2013 15:24:24 +0200
Subject: [PATCH 4/6] omadec: Fix wrong number of array elements

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: David Goldwich
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov
(cherry picked from commit 97f50e92b5cf3b47a76f75d76ed4340e822030db)
Signed-off-by: Reinhard Tartler
---
 libavformat/omadec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 158e1a6abe..e3b151886e 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
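Review bot: The new GEOB size check in decrypt_init returns AVERROR_INVALIDDATA while the "Invalid encryption header" branch directly above it still returns -1, so malformed input yields two different error codes from the same function. The constants 8 and 48 are also unexplained: only the `OMA_ENC_HEADER_SIZE + 28` read is visible in this hunk, so a reader cannot confirm that the bound covers every later access to gdata. A comment on the check naming which fields the `+ 8` and `+ 48` account for would make that auditable. The k_size, e_size and i_size fields are parsed outside the hunk; if they are 16-bit the sum cannot overflow, which is worth stating in the same comment.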
@@ -263,7 +263,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
 !nprobe(s, gdata, geob->datasize, oc->n_val))
 break;
 }
- if (i >= sizeof(leaf_table)) {
+ if (i >= FF_ARRAY_ELEMS(leaf_table)) {
 av_log(s, AV_LOG_ERROR, "Invalid key\n");
 return -1;
 }
From 51ff11647f8dea26abfc63a533f7144b0502197d Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Fri, 15 Nov 2013 19:06:23 +0100
Subject: [PATCH 5/6] pcx: round up in bits->bytes conversion in a buffer size check

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 430d12196432ded13f011a3bf7690f03c9b2e5d6)
Signed-off-by: Reinhard Tartler
---
 libavcodec/pcx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 223429d35e..4bc9adc744 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -120,7 +120,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 nplanes = buf[65];
 bytes_per_scanline = nplanes * bytes_per_line;
- if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 ||
+ if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 ||
 (!compressed && bytes_per_scanline > buf_size / h)) {
 av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n");
 return -1;
From 7b337b122959b9bf634c31b549892df974f35b40 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Fri, 15 Nov 2013 19:06:23 +0100
Subject: [PATCH 6/6] truemotion1: make sure index does not go out of bounds

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit c918e08b9cc9ce8d06159c51da55ec5ab018039a)
Signed-off-by: Reinhard Tartler
---
 libavcodec/truemotion1.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index c49f9fecbf..63cd05b66c 100644
--- a/libavcodec/truemotion1.c
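Review bot: In the omadec.c hunk the element-count fix is applied only to the post-loop check; the loop that advances `i` over leaf_table begins above the hunk. If its condition also uses `sizeof(leaf_table)`, it would index past the array before this check is reached, so it is worth confirming that the loop header reads `i < FF_ARRAY_ELEMS(leaf_table)`. This branch also still returns -1, whereas the size check added to the same function in patch 3/6 returns AVERROR_INVALIDDATA.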
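Review bot: In the pcx.c hunk, `w * bits_per_pixel * nplanes + 7` is evaluated in int on values taken from the file header, and nothing in the hunk bounds them before the multiplication. nplanes is a raw byte (`buf[65]`); if w and bits_per_pixel are equally unchecked at this point, the product can exceed INT_MAX, which is undefined behaviour and could let the size check pass for a corrupt file. Widening the expression keeps the comparison meaningful, e.g. `if (bytes_per_scanline < ((int64_t)w * bits_per_pixel * nplanes + 7) / 8 ||`. The `buf_size / h` on the next line likewise relies on h being non-zero, which is established (or not) outside the hunk.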
+++ b/libavcodec/truemotion1.c
@@ -512,6 +512,15 @@ hres,vres,i,i%vres (0 < i < 4)
 index = s->index_stream[index_stream_index++] * 4; \
 }
+#define INC_INDEX \
+do { \
+ if (index >= 1023) { \
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n"); \
+ return; \
+ } \
+ index++; \
+} while (0)
+
 #define APPLY_C_PREDICTOR() \
 predictor_pair = s->c_predictor_table[index]; \
 horiz_pred += (predictor_pair >> 1); \
@@ -524,10 +533,10 @@ hres,vres,i,i%vres (0 < i < 4)
 if (predictor_pair & 1) \
 GET_NEXT_INDEX() \
 else \
- index++; \
+ INC_INDEX; \
 } \
 } else \
- index++;
+ INC_INDEX;
 #define APPLY_C_PREDICTOR_24() \
 predictor_pair = s->c_predictor_table[index]; \
@@ -541,10 +550,10 @@ hres,vres,i,i%vres (0 < i < 4)
 if (predictor_pair & 1) \
 GET_NEXT_INDEX() \
 else \
- index++; \
+ INC_INDEX; \
 } \
 } else \
- index++;
+ INC_INDEX;
 #define APPLY_Y_PREDICTOR() \
@@ -559,10 +568,10 @@ hres,vres,i,i%vres (0 < i < 4)
 if (predictor_pair & 1) \
 GET_NEXT_INDEX() \
 else \
- index++; \
+ INC_INDEX; \
 } \
 } else \
- index++;
+ INC_INDEX;
 #define APPLY_Y_PREDICTOR_24() \
 predictor_pair = s->y_predictor_table[index]; \
@@ -576,10 +585,10 @@ hres,vres,i,i%vres (0 < i < 4)
 if (predictor_pair & 1) \
 GET_NEXT_INDEX() \
 else \
- index++; \
+ INC_INDEX; \
 } \
 } else \
- index++;
+ INC_INDEX;
 #define OUTPUT_PIXEL_PAIR() \
 *current_pixel_pair = *vert_pred + horiz_pred; \
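Review bot: INC_INDEX hard-codes 1023 as the limit, so the guard stays correct only while both c_predictor_table and y_predictor_table hold exactly 1024 entries; their declarations are outside the hunks. Deriving the bound from the array, e.g. `if (index >= FF_ARRAY_ELEMS(s->y_predictor_table) - 1) { \`, or from a constant shared with the declarations, would keep the check and the tables in step. The macro also buries a bare `return;` inside every APPLY_*_PREDICTOR expansion, so the enclosing decode function stops mid-frame and, being void as far as the hunk shows, cannot report the invalid data to its caller. A comment on INC_INDEX stating that it may return from the calling function would make that control flow visible. This applies equally to the four APPLY_* hunks that follow the macro definition.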