From a32dbf2aed3bb720a28141e1e84284ade3969a49 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Wed, 6 Jan 2016 21:09:19 +0100
Subject: [PATCH 1/5] asfdec: break if EOF is reached after asf_read_packet_header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
asf_read_payload can unset eof_reached, so check it also before calling that function. This fixes infinite loops.
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Alexandra Hájková
Signed-off-by: Luca Barbato
---
libavformat/asfdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 90a1df4c6a..460df2aeaf 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -1425,6 +1425,8 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
while (!pb->eof_reached) {
if (asf->state == PARSE_PACKET_HEADER) {
asf_read_packet_header(s);
+ if (pb->eof_reached)
+ break;
if (!asf->nb_mult_left)
asf->state = READ_SINGLE;
else
From e4d1621c6e51c623061676439a55dfab89d330f6 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Thu, 7 Jan 2016 10:22:00 +0100
Subject: [PATCH 2/5] asfdec: check avio_skip in asf_read_simple_index
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The loop can be very long, even though the file is very short.
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Alexandra Hájková
Signed-off-by: Luca Barbato
---
libavformat/asfdec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 460df2aeaf..aef61bbdd4 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
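Review bot: The new `break` reads as redundant with the `while (!pb->eof_reached)` condition two lines above it, and nothing at the site records why it is needed; a comment such as `/* asf_read_payload() can clear eof_reached, so stop here before it runs */` would keep a later cleanup from dropping it and reintroducing the loop. Separately, the return value of `asf_read_packet_header(s)` is still discarded, so if that function reports a malformed header through its return value without reaching EOF, the loop stays in PARSE_PACKET_HEADER and re-reads from the same position; checking that return would close the non-truncation case. asf_read_packet continues outside the hunk, so what the function returns after the break is not visible here.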
@@ -970,7 +970,7 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g)
uint64_t interval; // index entry time interval in 100 ns units, usually it's 1s
uint32_t pkt_num, nb_entries;
int32_t prev_pkt_num = -1;
- int i;
+ int i, ret;
uint64_t size = avio_rl64(pb);
// simple index objects should be ordered by stream number, this loop tries to find
@@ -992,7 +992,11 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g)
nb_entries = avio_rl32(pb);
for (i = 0; i < nb_entries; i++) {
pkt_num = avio_rl32(pb);
- avio_skip(pb, 2);
+ ret = avio_skip(pb, 2);
+ if (ret < 0) {
+ av_log(s, AV_LOG_ERROR, "Skipping failed in asf_read_simple_index.\n");
+ return ret;
+ }
if (prev_pkt_num != pkt_num) {
av_add_index_entry(st, asf->first_packet_offset + asf->packet_size * pkt_num,
av_rescale(interval, i, 10000),
From bf50607ab76157ba251a01f5baa5cf67b23b2ee9 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Wed, 6 Jan 2016 20:59:58 +0100
Subject: [PATCH 3/5] asfdec: check for too small size in asf_read_unknown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes infinite loops due to seeking back.
Signed-off-by: Alexandra Hájková
Signed-off-by: Luca Barbato
---
libavformat/asfdec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index aef61bbdd4..cbab9a2dd6 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -190,8 +190,13 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
if ((ret = detect_unknown_subobject(s, asf->unknown_offset, asf->unknown_size)) < 0)
return ret;
- } else
+ } else {
+ if (size < 24) {
+ av_log(s, AV_LOG_ERROR, "Too small size %"PRIu64" (< 24).\n", size);
+ return AVERROR_INVALIDDATA;
+ }
avio_skip(pb, size - 24);
+ }
return 0;
}
From 2e6ba1993ef41af4a224e854077e4ba4d30f246b Mon Sep 17 00:00:00 2001
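Review bot: `nb_entries` is a uint32_t taken straight from the file and is never bounded, so on a short file the `for` loop in the second hunk can still run up to 4G iterations whenever `avio_skip` does not fail — which on a seekable input it may not, since a 2-byte forward seek past EOF is not necessarily an error — and because `i` is an `int` compared against an unsigned count, counting past INT_MAX is signed overflow. Checking `pb->eof_reached` at the top of each iteration, `if (pb->eof_reached) return AVERROR_EOF;`, bounds the work by the file length; validating `nb_entries` against the object `size` read in the first hunk (each entry is the 4 bytes read plus the 2 skipped) would reject an impossible count before any reading. Note also that `pkt_num = avio_rl32(pb)` is unchecked, so past EOF it silently yields 0 and feeds index entries. The rest of asf_read_simple_index lies outside the hunk.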
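Review bot: The new guard in asf_read_unknown rejects `size < 24` but still passes `size - 24`, a uint64_t, to `avio_skip`, whose offset is int64_t; a size above INT64_MAX converts to a negative offset and seeks backwards, which is the loop this commit sets out to close. The return of `avio_skip` is also ignored here while patch 2 of this series checks it in asf_read_simple_index; folding the upper bound into the guard and writing `if ((ret = avio_skip(pb, size - 24)) < 0) return ret;` (`ret` is already in scope from the `detect_unknown_subobject` call) makes the two sites consistent. The literal 24 presumably is the object header already consumed — 16-byte GUID plus the 8-byte size field — and a comment saying so, `/* 24 = GUID (16) + size field (8), already read by the caller */`, would explain both the check and the skip; the head of the function is outside the hunk, so this should be confirmed there.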
From: Andreas Cadhalpun
Date: Thu, 7 Jan 2016 10:02:53 +0100
Subject: [PATCH 4/5] asfdec: make sure packet_size is non-zero before seeking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes infinite loops due to seeking back.
Signed-off-by: Alexandra Hájková
Signed-off-by: Luca Barbato
---
libavformat/asfdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index cbab9a2dd6..85d32668f8 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -1291,6 +1291,10 @@ static int asf_read_payload(AVFormatContext *s, AVPacket *pkt)
}
if (!asf_pkt) {
if (asf->packet_offset + asf->packet_size <= asf->data_offset + asf->data_size) {
+ if (!asf->packet_size) {
+ av_log(s, AV_LOG_ERROR, "Invalid packet size 0.\n");
+ return AVERROR_INVALIDDATA;
+ }
avio_seek(pb, asf->packet_offset + asf->packet_size, SEEK_SET);
av_log(s, AV_LOG_WARNING, "Skipping the stream with the invalid stream index %d.\n", asf->stream_index);
From 5781bfae0cf4271278a8bea176d615cb5c222335 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 3 Feb 2016 15:57:39 +0100
Subject: [PATCH 5/5] flacenc: Load default prediction_order parameters if none is selected
Signed-off-by: Michael Niedermayer
Signed-off-by: Vittorio Giovara
---
libavcodec/flacenc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c
index 81c3bb698a..d05a0c673c 100644
--- a/libavcodec/flacenc.c
+++ b/libavcodec/flacenc.c
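Review bot: The zero check protects only this one seek site, and the `avio_seek` on the line after the new block is still unchecked, so a failed seek leaves the position where it was and the caller can keep coming back through the same branch on a different error path; `if (avio_seek(pb, asf->packet_offset + asf->packet_size, SEEK_SET) < 0) return AVERROR_INVALIDDATA;` closes that. `packet_size` is presumably parsed once from the file header, and rejecting a zero value there would cover every consumer rather than this branch alone — worth confirming in the header parser, which is outside the hunk. A one-line comment on the new check, `/* packet_size == 0 would seek to packet_offset again and never advance */`, would record why a plain range test on the line above is not enough. asf_read_payload continues outside the hunk.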
@@ -305,8 +305,10 @@ static av_cold int flac_encode_init(AVCodecContext *avctx)
FF_LPC_TYPE_LEVINSON, FF_LPC_TYPE_LEVINSON, FF_LPC_TYPE_LEVINSON, FF_LPC_TYPE_LEVINSON})[level];
- s->options.min_prediction_order = ((int[]){ 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1})[level];
- s->options.max_prediction_order = ((int[]){ 3, 4, 4, 6, 8, 8, 8, 8, 12, 12, 12, 32, 32})[level];
+ if (s->options.min_prediction_order < 0)
+ s->options.min_prediction_order = ((int[]){ 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1})[level];
+ if (s->options.max_prediction_order < 0)
+ s->options.max_prediction_order = ((int[]){ 3, 4, 4, 6, 8, 8, 8, 8, 12, 12, 12, 32, 32})[level];
if (s->options.prediction_order_method < 0)
s->options.prediction_order_method = ((int[]){ ORDER_METHOD_EST, ORDER_METHOD_EST, ORDER_METHOD_EST,