RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-02-21 14:26:59 +00:00
Code Issues Projects Releases Wiki Activity

Merge commit '42fed7f433e6d2167ffd4aae31905b583a53b988' into release/0.10

Browse Source 
* commit '42fed7f433e6d2167ffd4aae31905b583a53b988':
  wavpack: check packet size early
  mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
  mjpeg: Validate sampling factors
  ljpeg: use the correct number of components in yuv
  wavpack: validate samples size parsed in wavpack_decode_block
  jpegls: check the scan offset
  jpegls: factorize return paths
  jpegls: return meaningful errors
  mjpegdec: properly report unsupported disabled features
  update Changelog
  proresdec: support mixed interlaced/non-interlaced content
  update Changelog
  wav: Always seek to an even offset
  id3v2: check for end of file while unescaping tags
  indeo3: fix off by one in MV validity check
  aac: check the maximum number of channels
  update Changelog
  oggdec: fix faulty cleanup prototype

Conflicts:
	Changelog
	libavcodec/jpeglsdec.c
	libavcodec/mjpegdec.c
	libavformat/id3v2.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-07-29 02:54:53 +02:00
commit 7118358a95
9 changed files with 99 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Changelog
View File

@ -3,6 +3,29 @@ releases are sorted from youngest to oldest.
version next:
version 0.10.8
- avfiltergraph: check for sws opts being non-NULL before using them
- bmv: check for len being valid in bmv_decode_frame()
- dfa: check for invalid access in decode_wdlt()
- indeo3: check motion vectors
- indeo3: fix data size check
- indeo3: switch parsing the header to bytestream2
- lavf: make sure stream probe data gets freed.
- oggdec: fix faulty cleanup prototype
- oma: Validate sample rates
- qdm2: check that the FFT size is a power of 2
- rv10: check that extradata is large enough
- xmv: check audio track parameters validity
- xmv: do not leak memory in the error paths in xmv_read_header()
- aac: check the maximum number of channels
- indeo3: fix off by one in MV validity check, Bug #503
- id3v2: check for end of file while unescaping tags
- wav: Always seek to an even offset, Bug #500, LP: #1174737
- proresdec: support mixed interlaced/non-interlaced content
version 0.10.6:
- many bug fixes that where found with Coverity

2
libavcodec/aacdec.c
View File

@ -192,6 +192,8 @@ static av_cold int che_configure(AACContext *ac,
enum ChannelPosition che_pos[4][MAX_ELEM_ID],
int type, int id, int *channels)
{
if (*channels >= MAX_CHANNELS)
return AVERROR_INVALIDDATA;
if (che_pos[type][id]) {
if (!ac->che[type][id]) {
if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))

8
libavcodec/indeo3.c
View File

@ -238,8 +238,8 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
/* -1 because there is an extra line on top for prediction */
if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 ||
((cell->ypos + cell->height) << 2) + mv_y >= plane->height ||
((cell->xpos + cell->width) << 2) + mv_x >= plane->width) {
((cell->ypos + cell->height) << 2) + mv_y > plane->height ||
((cell->xpos + cell->width) << 2) + mv_x > plane->width) {
av_log(ctx->avctx, AV_LOG_ERROR,
"Motion vectors point out of the frame.\n");
return AVERROR_INVALIDDATA;
@ -609,8 +609,8 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
/* -1 because there is an extra line on top for prediction */
if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 ||
((cell->ypos + cell->height) << 2) + mv_y >= plane->height ||
((cell->xpos + cell->width) << 2) + mv_x >= plane->width) {
((cell->ypos + cell->height) << 2) + mv_y > plane->height ||
((cell->xpos + cell->width) << 2) + mv_x > plane->width) {
av_log(ctx->avctx, AV_LOG_ERROR,
"Motion vectors point out of the frame.\n");
return AVERROR_INVALIDDATA;

23
libavcodec/jpeglsdec.c
View File

@ -71,13 +71,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
case 2:
case 3:
av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n");
return -1;
return AVERROR(ENOSYS);
case 4:
av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n");
return -1;
return AVERROR(ENOSYS);
default:
av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id);
return -1;
return AVERROR_INVALIDDATA;
}
// av_log(s->avctx, AV_LOG_DEBUG, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3);
@ -263,7 +263,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
int i, t = 0;
uint8_t *zero, *last, *cur;
JLSState *state;
int off = 0, stride = 1, width, shift;
int off = 0, stride = 1, width, shift, ret = 0;
zero = av_mallocz(s->picture.linesize[0]);
last = zero;
@ -289,6 +289,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
// av_log(s->avctx, AV_LOG_DEBUG, "JPEG-LS params: %ix%i NEAR=%i MV=%i T(%i,%i,%i) RESET=%i, LIMIT=%i, qbpp=%i, RANGE=%i\n",s->width,s->height,state->near,state->maxval,state->T1,state->T2,state->T3,state->reset,state->limit,state->qbpp, state->range);
// av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan);
if(ilv == 0) { /* separate planes */
if (s->cur_scan > s->nb_components) {
ret = AVERROR_INVALIDDATA;
goto end;
}
stride = (s->nb_components > 1) ? 3 : 1;
off = av_clip(s->cur_scan - 1, 0, stride - 1);
width = s->width * stride;
@ -328,11 +332,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
last = cur;
cur += s->picture.linesize[0];
}
} else if(ilv == 2) { /* sample interleaving */
} else if (ilv == 2) { /* sample interleaving */
av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n");
av_free(state);
av_free(zero);
return -1;
ret = AVERROR_PATCHWELCOME;
goto end;
}
if(shift){ /* we need to do point transform or normalize samples */
@ -360,10 +363,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
}
}
}
end:
av_free(state);
av_free(zero);
return 0;
return ret;
}

25
libavcodec/mjpegdec.c
View File

@ -276,6 +276,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
s->quant_index[i] = get_bits(&s->gb, 8);
if (s->quant_index[i] >= 4)
return -1;
if (!s->h_count[i] || !s->v_count[i]) {
av_log(s->avctx, AV_LOG_ERROR,
"Invalid sampling factor in component %d %d:%d\n",
i, s->h_count[i], s->v_count[i]);
return AVERROR_INVALIDDATA;
}
av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n",
i, s->h_count[i], s->v_count[i],
s->component_id[i], s->quant_index[i]);
@ -783,10 +790,9 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
}
static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
int point_transform)
int point_transform, int nb_components)
{
int i, mb_x, mb_y;
const int nb_components=s->nb_components;
int bits= (s->bits+7)&~7;
int resync_mb_y = 0;
int resync_mb_x = 0;
@ -1085,6 +1091,12 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
int last_scan = 0;
int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
if (ss < 0 || ss >= 64 ||
se < ss || se >= 64 ||
Ah < 0 || Al < 0)
return AVERROR_INVALIDDATA;
if (!Al) {
s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
last_scan = !~s->coefs_finished[c];
@ -1226,7 +1238,8 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
if (ljpeg_decode_rgb_scan(s, nb_components, predictor, point_transform) < 0)
return -1;
} else {
if (ljpeg_decode_yuv_scan(s, predictor, point_transform) < 0)
if (ljpeg_decode_yuv_scan(s, predictor, point_transform,
nb_components))
return -1;
}
}
@ -1597,6 +1610,12 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
else if (start_code == COM)
mjpeg_decode_com(s);
if (!CONFIG_JPEGLS_DECODER &&
(start_code == SOF48 || start_code == LSE)) {
av_log(avctx, AV_LOG_ERROR, "JPEG-LS support not enabled.\n");
return AVERROR(ENOSYS);
}
switch (start_code) {
case SOI:
s->restart_interval = 0;

2
libavcodec/proresdec_lgpl.c
View File

@ -186,6 +186,8 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
if (ctx->frame_type) { /* if interlaced */
ctx->picture.interlaced_frame = 1;
ctx->picture.top_field_first = ctx->frame_type & 1;
} else {
ctx->picture.interlaced_frame = 0;
}
ctx->alpha_info = buf[17] & 0xf;

6
libavcodec/wavpack.c
View File

@ -790,6 +790,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
if (!wc->mkv_mode) {
s->samples = AV_RL32(buf); buf += 4;
if (s->samples != wc->samples)
return AVERROR_INVALIDDATA;
if (!s->samples) {
*got_frame_ptr = 0;
return 0;
@ -1169,6 +1172,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data,
int frame_size, ret, frame_flags;
int samplecount = 0;
if (avpkt->size < 12 + s->multichannel * 4)
return AVERROR_INVALIDDATA;
s->block = 0;
s->ch_offset = 0;

28
libavformat/id3v2.c
View File

@ -543,13 +543,15 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
/* check for text tag or supported special meta tag */
} else if (tag[0] == 'T' || (extra_meta && (extra_func = get_extra_meta_func(tag, isv34)))) {
if (unsync || tunsync || tcomp) {
int i, j;
int64_t end = avio_tell(s->pb) + tlen;
uint8_t *b;
av_fast_malloc(&buffer, &buffer_size, dlen);
if (!buffer) {
av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen);
goto seek;
}
b = buffer;
#if CONFIG_ZLIB
if (tcomp) {
int n, err;
@ -573,19 +575,25 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
av_log(s, AV_LOG_ERROR, "Failed to uncompress tag: %d\n", err);
goto seek;
}
b += dlen;
}
#endif
for (i = 0, j = 0; i < dlen; i++, j++) {
if (!tcomp)
buffer[j] = avio_r8(s->pb);
if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) {
/* Unsynchronised byte, skip it */
j--;
if (unsync || tunsync) {
if (tcomp) {
av_log_ask_for_sample(s, "tcomp with unsync\n");
goto seek;
}
while (avio_tell(s->pb) < end && !s->pb->eof_reached) {
*b++ = avio_r8(s->pb);
if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 &&
!s->pb->eof_reached) {
uint8_t val = avio_r8(s->pb);
*b++ = val ? val : avio_r8(s->pb);
}
}
ffio_init_context(&pb, buffer, j, 0, NULL, NULL, NULL, NULL);
tlen = j;
}
ffio_init_context(&pb, buffer, b - buffer, 0, NULL, NULL, NULL, NULL);
tlen = b - buffer;
pbx = &pb; // read from sync buffer
} else {
pbx = s->pb; // read straight from input

10
libavformat/wav.c
View File

@ -238,6 +238,12 @@ static int64_t next_tag(AVIOContext *pb, uint32_t *tag)
return avio_rl32(pb);
}
/* RIFF chunks are always on a even offset. */
static int64_t wav_seek_tag(AVIOContext *s, int64_t offset, int whence)
{
return avio_seek(s, offset + (offset & 1), whence);
}
/* return the size of the found tag */
static int64_t find_tag(AVIOContext *pb, uint32_t tag1)
{
@ -250,7 +256,7 @@ static int64_t find_tag(AVIOContext *pb, uint32_t tag1)
size = next_tag(pb, &tag);
if (tag == tag1)
break;
avio_skip(pb, size);
wav_seek_tag(pb, size, SEEK_CUR);
}
return size;
}
@ -520,7 +526,7 @@ static int wav_read_header(AVFormatContext *s,
/* seek to next tag unless we know that we'll run into EOF */
if ((avio_size(pb) > 0 && next_tag_ofs >= avio_size(pb)) ||
avio_seek(pb, next_tag_ofs, SEEK_SET) < 0) {
wav_seek_tag(pb, next_tag_ofs, SEEK_SET) < 0) {
break;
}
}