Merge commit '9c713f30e4913a28d93eb37ea5db7f62be4c0ef6' into release/0.8

* commit '9c713f30e4913a28d93eb37ea5db7f62be4c0ef6': parser: fix large overreads dsputil: fix invalid array indexing shorten: use the unsigned type where needed Merged-by: Michael Niedermayer <michaelni@gmx.at>
2025-01-31 11:53:24 +00:00 · 2013-09-22 17:31:56 +02:00 · 2013-09-22 17:31:56 +02:00 · 49d597f058
commit 49d597f058
parent 44ebb2556d 9c713f30e4
3 changed files with 19 additions and 9 deletions
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@ -2836,7 +2836,7 @@ int ff_check_alignment(void){

 av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx)
 {
-    int i;
+    int i, j;

    ff_check_alignment();

@ -3222,11 +3222,15 @@ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx)
    if (ARCH_SH4)        dsputil_init_sh4   (c, avctx);
    if (ARCH_BFIN)       dsputil_init_bfin  (c, avctx);

-    for(i=0; i<64; i++){
-        if(!c->put_2tap_qpel_pixels_tab[0][i])
-            c->put_2tap_qpel_pixels_tab[0][i]= c->put_h264_qpel_pixels_tab[0][i];
-        if(!c->avg_2tap_qpel_pixels_tab[0][i])
-            c->avg_2tap_qpel_pixels_tab[0][i]= c->avg_h264_qpel_pixels_tab[0][i];
+    for (i = 0; i < 4; i++) {
+        for (j = 0; j < 16; j++) {
+            if(!c->put_2tap_qpel_pixels_tab[i][j])
+                c->put_2tap_qpel_pixels_tab[i][j] =
+                    c->put_h264_qpel_pixels_tab[i][j];
+            if(!c->avg_2tap_qpel_pixels_tab[i][j])
+                c->avg_2tap_qpel_pixels_tab[i][j] =
+                    c->avg_h264_qpel_pixels_tab[i][j];
+        }
    }

    c->put_rv30_tpel_pixels_tab[0][0] = c->put_h264_qpel_pixels_tab[0][0];
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@ -260,7 +260,9 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
        if(!new_buffer)
            return AVERROR(ENOMEM);
        pc->buffer = new_buffer;
-        memcpy(&pc->buffer[pc->index], *buf, next + FF_INPUT_BUFFER_PADDING_SIZE );
+        if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
+            memcpy(&pc->buffer[pc->index], *buf,
+                   next + FF_INPUT_BUFFER_PADDING_SIZE);
        pc->index = 0;
        *buf= pc->buffer;
    }
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@ -78,7 +78,7 @@ typedef struct ShortenContext {
    GetBitContext gb;

    int min_framesize, max_framesize;
-    int channels;
+    unsigned channels;

    int32_t *decoded[MAX_CHANNELS];
    int32_t *decoded_base[MAX_CHANNELS];
@ -342,6 +342,10 @@ static int shorten_decode_frame(AVCodecContext *avctx,
        s->internal_ftype = get_uint(s, TYPESIZE);

        s->channels = get_uint(s, CHANSIZE);
+        if (!s->channels) {
+            av_log(s->avctx, AV_LOG_ERROR, "No channels reported\n");
+            return AVERROR_INVALIDDATA;
+        }
        if (s->channels <= 0 || s->channels > MAX_CHANNELS) {
            av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels);
            s->channels = 0;
@ -507,7 +511,7 @@ static int shorten_decode_frame(AVCodecContext *avctx,
                s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
                break;
            case FN_BLOCKSIZE: {
-                int blocksize = get_uint(s, av_log2(s->blocksize));
+                unsigned blocksize = get_uint(s, av_log2(s->blocksize));
                if (blocksize > s->blocksize) {
                    av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
                    return AVERROR_PATCHWELCOME;