From 3623589edc7b1257bb45aa9e52c9631e133f22b6 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Wed, 27 Mar 2013 18:18:38 +0100
Subject: [PATCH 1/2] dfa: check for invalid access in decode_wdlt().

This can happen when the number of skipped lines is not consistent with the number of coded lines.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/dfa.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index bbe4ce2888..6619b98301 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -255,6 +255,8 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
             segments = bytestream2_get_le16(gb);
         }
         line_ptr = frame;
+        if (frame_end - frame < width)
+            return AVERROR_INVALIDDATA;
         frame += width;
         y++;
         while (segments--) {

From 8d617b11cfc87b2c6056fee029ac5bc760af874a Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Mar 2013 09:49:38 +0100
Subject: [PATCH 2/2] id3v2: pad the APIC packets as required by lavc.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavformat/id3v2.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 204ea745d4..7bcea21a6b 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -476,9 +476,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, char *tag
         goto fail;
     }
 
-    apic->buf = av_buffer_alloc(taglen);
+    apic->buf = av_buffer_alloc(taglen + FF_INPUT_BUFFER_PADDING_SIZE);
     if (!apic->buf || avio_read(pb, apic->buf->data, taglen) != taglen)
         goto fail;
+    memset(apic->buf->data + taglen, 0, FF_INPUT_BUFFER_PADDING_SIZE);
 
     new_extra->tag = "APIC";
     new_extra->data = apic;
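Review bot: The new guard `if (frame_end - frame < width)` in decode_wdlt says nothing about why frame can already be past the end at this point; only the commit message explains it, so a one-line comment would help, e.g. `/* a preceding run of skipped lines may have moved frame past the last row; reject before writing this line */`. The guard sits after `line_ptr = frame`, which is harmless as far as the hunk shows since line_ptr is not dereferenced before the check. `y++` on the following line remains unbounded; if y is later compared against height or used as an index, it would need a matching check, which cannot be confirmed from this hunk. decode_wdlt's body starts and ends outside the hunk.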
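Review bot: The padding contract now lives in two places with nothing tying them together: read_apic allocates `taglen + FF_INPUT_BUFFER_PADDING_SIZE` and ff_id3v2_parse_apic (second hunk of this patch) recovers the payload length by subtracting the padding from `apic->buf->size`, so a later change to either site silently corrupts the packet size. Suggest a comment above the allocation, `/* padded for lavc; ff_id3v2_parse_apic() subtracts FF_INPUT_BUFFER_PADDING_SIZE to get the payload size */`. The memset is correctly placed after the read check, so a failed allocation or short read never touches the padding. taglen is an int and read_apic starts above the hunk; if it is not bounded earlier in the function, the addition could overflow before av_buffer_alloc, which is worth confirming.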
@@ -735,7 +736,7 @@ int ff_id3v2_parse_apic(AVFormatContext *s, ID3v2ExtraMeta **extra_meta)
     av_init_packet(&st->attached_pic);
     st->attached_pic.buf = apic->buf;
     st->attached_pic.data = apic->buf->data;
-    st->attached_pic.size = apic->buf->size;
+    st->attached_pic.size = apic->buf->size - FF_INPUT_BUFFER_PADDING_SIZE;
     st->attached_pic.stream_index = st->index;
     st->attached_pic.flags |= AV_PKT_FLAG_KEY;