From c225c620c664c4b66a439485d226d03374cb3d33 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 27 Jul 2013 10:16:35 +0200 Subject: [PATCH 1/8] ac3: Return proper error codes (cherry picked from commit b1f9cdc37ff5d5b391d2cd9af737ab4e5a0fc1c0) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 86726c311f..039062b3d6 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -297,7 +297,7 @@ static int parse_frame_header(AC3DecodeContext *s) return ff_eac3_parse_header(s); } else { av_log(s->avctx, AV_LOG_ERROR, "E-AC-3 support not compiled in\n"); - return -1; + return AVERROR(ENOSYS); } } @@ -822,12 +822,12 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (start_subband >= end_subband) { av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension " "range (%d >= %d)\n", start_subband, end_subband); - return -1; + return AVERROR_INVALIDDATA; } if (dst_start_freq >= src_start_freq) { av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension " "copy start bin (%d >= %d)\n", dst_start_freq, src_start_freq); - return -1; + return AVERROR_INVALIDDATA; } s->spx_dst_start_freq = dst_start_freq; @@ -904,7 +904,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (channel_mode < AC3_CHMODE_STEREO) { av_log(s->avctx, AV_LOG_ERROR, "coupling not allowed in mono or dual-mono\n"); - return -1; + return AVERROR_INVALIDDATA; } /* check for enhanced coupling */ @@ -934,7 +934,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (cpl_start_subband >= cpl_end_subband) { av_log(s->avctx, AV_LOG_ERROR, "invalid coupling range (%d >= %d)\n", cpl_start_subband, cpl_end_subband); - return -1; + return AVERROR_INVALIDDATA; } s->start_freq[CPL_CH] = cpl_start_subband * 12 + 37; s->end_freq[CPL_CH] = cpl_end_subband * 12 + 37; @@ -956,7 +956,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling strategy must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } else { s->cpl_in_use[blk] = s->cpl_in_use[blk-1]; } @@ -986,7 +986,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling coordinates must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } else { /* channel not in coupling */ @@ -1041,7 +1041,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) int bandwidth_code = get_bits(gbc, 6); if (bandwidth_code > 60) { av_log(s->avctx, AV_LOG_ERROR, "bandwidth code = %d > 60\n", bandwidth_code); - return -1; + return AVERROR_INVALIDDATA; } s->end_freq[ch] = bandwidth_code * 3 + 73; } @@ -1064,7 +1064,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->num_exp_groups[ch], s->dexps[ch][0], &s->dexps[ch][s->start_freq[ch]+!!ch])) { av_log(s->avctx, AV_LOG_ERROR, "exponent out-of-range\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ch != CPL_CH && ch != s->lfe_ch) skip_bits(gbc, 2); /* skip gainrng */ @@ -1084,7 +1084,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new bit allocation info must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } @@ -1115,7 +1115,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } } else if (!s->eac3 && !blk) { av_log(s->avctx, AV_LOG_ERROR, "new snr offsets must be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } @@ -1154,7 +1154,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!s->eac3 && !blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling leak info must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } s->first_cpl_leak = 0; } @@ -1166,7 +1166,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->dba_mode[ch] = get_bits(gbc, 2); if (s->dba_mode[ch] == DBA_RESERVED) { av_log(s->avctx, AV_LOG_ERROR, "delta bit allocation strategy reserved\n"); - return -1; + return AVERROR_INVALIDDATA; } bit_alloc_stages[ch] = FFMAX(bit_alloc_stages[ch], 2); } @@ -1207,7 +1207,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->dba_offsets[ch], s->dba_lengths[ch], s->dba_values[ch], s->mask[ch])) { av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n"); - return -1; + return AVERROR_INVALIDDATA; } } if (bit_alloc_stages[ch] > 0) { @@ -1328,7 +1328,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, switch (err) { case AAC_AC3_PARSE_ERROR_SYNC: av_log(avctx, AV_LOG_ERROR, "frame sync error\n"); - return -1; + return AVERROR_INVALIDDATA; case AAC_AC3_PARSE_ERROR_BSID: av_log(avctx, AV_LOG_ERROR, "invalid bitstream id\n"); break; From 5773065a71055b5000717fab68e79647eea3dd6d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 2/8] pictordec: break out of both decoding loops when y drops below 0 Otherwise picmemset can get called with negative y, resulting in an invalid write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695) Signed-off-by: Luca Barbato --- libavcodec/pictordec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index e0bc899946..88add167cf 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx, if (bits_per_plane == 8) { picmemset_8bpp(s, val, run, &x, &y); if (y < 0) - break; + goto finish; } else { picmemset(s, val, run, &x, &y, &plane, bits_per_plane); } @@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx, av_log_ask_for_sample(s, "uncompressed image\n"); return avpkt->size; } +finish: *data_size = sizeof(AVFrame); *(AVFrame*)data = s->frame; From 8d2a86a29055d375eed9c1e93983f42c42fe856d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 3/8] lavf: avoid integer overflow when estimating bitrate Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit df33a58e5311ee9a64a573889b883a80e981af7b) Signed-off-by: Luca Barbato --- libavformat/utils.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 98c3af4e83..e31c5799e7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1953,8 +1953,13 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) bit_rate = 0; for(i=0;inb_streams;i++) { st = ic->streams[i]; - if (st->codec->bit_rate > 0) - bit_rate += st->codec->bit_rate; + if (st->codec->bit_rate > 0) { + if (INT_MAX - st->codec->bit_rate > bit_rate) { + bit_rate = 0; + break; + } + bit_rate += st->codec->bit_rate; + } } ic->bit_rate = bit_rate; } From 23f73fc241da56ba00b76f975bff56d85c8caa58 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 4/8] ape demuxer: check for EOF in potentially long loops Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit 488b2984fece7ad0c2596826fee18e74aa904667) Signed-off-by: Luca Barbato --- libavformat/ape.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index a60626e133..7d4cd39568 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -276,7 +276,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) ape->seektable = av_malloc(ape->seektablelength); if (!ape->seektable) return AVERROR(ENOMEM); - for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) + for (i = 0; + i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; + i++) ape->seektable[i] = avio_rl32(pb); } From 068c8672866858d56ea8747fca5f1e0fcd2d920c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 12:10:50 +0300 Subject: [PATCH 5/8] matroskadec: Check that .lang was allocated and set before reading it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5bcd3ae5b167fb74215520b01d5d810e0c8986ab) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 891eb8380f..03839f89fb 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1079,7 +1079,8 @@ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, int i; for (i=0; i < list->nb_elem; i++) { - const char *lang = strcmp(tags[i].lang, "und") ? tags[i].lang : NULL; + const char *lang = tags[i].lang && strcmp(tags[i].lang, "und") ? + tags[i].lang : NULL; if (!tags[i].name) { av_log(s, AV_LOG_WARNING, "Skipping invalid tag with no TagName.\n"); From 7a9af1da39009167a3dd62204ad2bfd6bbe114b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Mar 2012 22:02:46 +0100 Subject: [PATCH 6/8] mjpegb: Detect changing number of planes in interlaced video MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit af11fa5409cc72fc45ca7f3527400beca10967b9) Signed-off-by: Luca Barbato --- libavcodec/mjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5256a8e04c..a1a67893b6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -245,6 +245,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (nb_components <= 0 || nb_components > MAX_COMPONENTS) return -1; + if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) { + if (nb_components != s->nb_components) { + av_log(s->avctx, AV_LOG_ERROR, + "nb_components changing in interlaced picture\n"); + return AVERROR_INVALIDDATA; + } + } if (s->ls && !(s->bits <= 8 || nb_components == 1)) { av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n"); From 5473d23ece9e42a8003fc880027fe242604ce367 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 4 Sep 2013 01:36:51 +0300 Subject: [PATCH 7/8] mpegvideo: Avoid 32-bit wrapping of linesize multiplications MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure that linesize * start_y doesn't overflow, so that emulated_edge_mc can get back the original value if needed. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a711a2cb473dc95708f371a82c85c97fe789b5c2) Signed-off-by: Luca Barbato --- libavcodec/mpegvideo_common.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index e8daf2ece3..763c3197ff 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -244,7 +244,8 @@ void mpeg_motion_internal(MpegEncContext *s, { uint8_t *ptr_y, *ptr_cb, *ptr_cr; int dxy, uvdxy, mx, my, src_x, src_y, - uvsrc_x, uvsrc_y, v_edge_pos, uvlinesize, linesize; + uvsrc_x, uvsrc_y, v_edge_pos; + ptrdiff_t uvlinesize, linesize; #if 0 if(s->quarter_sample) From b0ca5fef09d1b1268ea0c8f89bf53cd38aaa85e7 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 5 Aug 2013 22:15:24 +0200 Subject: [PATCH 8/8] dv: Add a guard to not overread the ppcm array Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7ee191cab0dc44700f26c5784e2adeb6a779651b) Signed-off-by: Luca Barbato Conflicts: libavformat/dv.c --- libavformat/dv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 65d0f873dc..ac662371e2 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -102,7 +102,7 @@ static const uint8_t* dv_extract_pack(uint8_t* frame, enum dv_pack_type t) * 3. Audio is always returned as 16bit linear samples: 12bit nonlinear samples * are converted into 16bit linear ones. */ -static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], +static int dv_extract_audio(uint8_t *frame, uint8_t **ppcm, const DVprofile *sys) { int size, chan, i, j, d, of, smpls, freq, quant, half_ch; @@ -335,7 +335,7 @@ int avpriv_dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, uint8_t* buf, int buf_size) { int size, i; - uint8_t *ppcm[4] = {0}; + uint8_t *ppcm[5] = { 0 }; if (buf_size < DV_PROFILE_BYTES || !(c->sys = avpriv_dv_frame_profile(c->sys, buf, buf_size)) ||