Merge commit '159993acc7f4e3155510d42c543e09fe972b933c' into release/0.10

* commit '159993acc7f4e3155510d42c543e09fe972b933c':
  vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
  wnv1: Make sure the input packet is large enough
  dca: Validate the lfe parameter
  rl2: Avoid a division by zero
  wtv: Add more sanity checks for a length read from the file
  segafilm: Validate the number of audio channels
  qpeg: Add checks for running out of rows in qpeg_decode_inter
  mpegaudiodec: Validate that the number of channels fits at the given offset
  asv1: Verify the amount of extradata
  idroqdec: Make sure a video stream has been allocated before returning packets
  rv10: Validate the dimensions set from the container
  xmv: Add more sanity checks for parameters read from the bitstream
  ffv1: Make sure at least one slice context is initialized
  truemotion2: Use av_freep properly in an error path

Conflicts:
	libavcodec/qpeg.c
	libavcodec/wnv1.c
	libavformat/wtv.c
	libavformat/xmv.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer 2014-01-16 22:02:02 +01:00
commit d1c7a7776f
13 changed files with 63 additions and 10 deletions

@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){
int i;
const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2;
if (avctx->extradata_size < 1) {
av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
return AVERROR_INVALIDDATA;
}
common_init(avctx);
init_vlcs(a);
ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab);

@ -577,6 +577,11 @@ static int dca_parse_frame_header(DCAContext *s)
s->lfe = get_bits(&s->gb, 2);
s->predictor_history = get_bits(&s->gb, 1);
if (s->lfe > 2) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
return AVERROR_INVALIDDATA;
}
/* TODO: check CRC */
if (s->crc_present)
s->header_crc = get_bits(&s->gb, 16);
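Review bot: The bound in `if (s->lfe > 2)` is a bare literal on a field read with `get_bits(&s->gb, 2)`, so the only value it can ever reject is 3, and nothing in the code says so. A short comment would make the intent visible, e.g. `/* 2-bit field: 3 is not a defined LFE mode */`. The CRC handling directly below still carries `/* TODO: check CRC */`, so header integrity continues to rest on per-field range checks like this one. dca_parse_frame_header continues outside the hunk.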

@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){
int i;
f->slice_count= f->num_h_slices * f->num_v_slices;
if (f->slice_count <= 0) {
av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
return AVERROR(EINVAL);
}
for(i=0; i<f->slice_count; i++){
FFV1Context *fs= av_mallocz(sizeof(*fs));
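Review bot: The `f->slice_count <= 0` test runs after `f->num_h_slices * f->num_v_slices` has already been evaluated, so it catches a zero or negative factor but cannot be relied on to catch a product that overflowed (signed overflow is undefined if these are `int`, which the hunk does not show). If the two factors are not already range-checked where they are parsed, bound them individually before multiplying. The error code also differs from the sibling checks in this commit: for a value that presumably comes from the stream, `return AVERROR_INVALIDDATA;` would be consistent, whereas `AVERROR(EINVAL)` reads as a caller error. The allocation loop continues outside the hunk.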

@ -1941,7 +1941,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
if (ch + m->nb_channels > avctx->channels) {
if (ch + m->nb_channels > avctx->channels ||
s->coff[fr] + m->nb_channels > avctx->channels) {
av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
"channel count\n");
return AVERROR_INVALIDDATA;
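Review bot: The added clause `s->coff[fr] + m->nb_channels > avctx->channels` shares the message "frame channel count exceeds codec channel count" with the first clause, so a log reader cannot tell whether the running channel total or the per-frame output offset was out of range. Logging `ch`, `s->coff[fr]` and `m->nb_channels` in that message would make triage of malformed streams easier. The bound on `fr` used to index `s->coff` is not visible in this hunk; confirm it is enforced by the enclosing loop in decode_frame_mp3on4.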

@ -203,7 +203,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
filled = 0;
dst -= stride;
height--;
if(height < 0)
if (height < 0)
break;
}
}
@ -216,7 +216,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
filled = 0;
dst -= stride;
height--;
if(height < 0)
if (height < 0)
break;
}
}

@ -442,12 +442,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
{
MpegEncContext *s = avctx->priv_data;
static int done=0;
int major_ver, minor_ver, micro_ver;
int major_ver, minor_ver, micro_ver, ret;
if (avctx->extradata_size < 8) {
av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
return -1;
}
if ((ret = av_image_check_size(avctx->coded_width,
avctx->coded_height, 0, avctx)) < 0)
return ret;
MPV_decode_defaults(s);
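Review bot: The two early exits at the top of rv10_decode_init now disagree on error convention: the extradata check still does `return -1;` while the new dimension check propagates the value returned by `av_image_check_size()`. Changing the first to `return AVERROR_INVALIDDATA;` would give callers a meaningful code on both paths. Placing the size check ahead of `MPV_decode_defaults(s)` means nothing needs unwinding when it fails; a one-line comment such as `/* dimensions come from the container: reject them before they are used */` would record why it sits here. The function body continues outside the hunk.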

@ -5126,8 +5126,19 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v)
if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
!v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
!v->mb_type_base)
return -1;
!v->mb_type_base) {
av_freep(&v->mv_type_mb_plane);
av_freep(&v->direct_mb_plane);
av_freep(&v->acpred_plane);
av_freep(&v->over_flags_plane);
av_freep(&v->block);
av_freep(&v->cbp_base);
av_freep(&v->ttblk_base);
av_freep(&v->is_intra_base);
av_freep(&v->luma_mv_base);
av_freep(&v->mb_type_base);
return AVERROR(ENOMEM);
}
return 0;
}
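Review bot: The cleanup list repeats by hand the ten pointers tested in the condition, so the two can drift apart; any buffer allocated earlier in this function but absent from the condition (the allocations are above the hunk) would be neither checked nor released here, and that should be confirmed. Using `av_freep()` on each member also clears the pointer, which keeps a later close path from freeing it a second time. The return value changes from `-1` to `AVERROR(ENOMEM)`, so callers that compare against `-1` rather than `< 0` need checking. A comment above the frees such as `/* at least one allocation failed: release all so close sees NULL */` would document the intent.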

@ -70,7 +70,7 @@ static int decode_frame(AVCodecContext *avctx,
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
if(buf_size<=8) {
if (buf_size<=8) {
av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
return AVERROR_INVALIDDATA;
}

@ -145,6 +145,8 @@ static int roq_read_packet(AVFormatContext *s,
break;
case RoQ_QUAD_CODEBOOK:
if (roq->video_stream_index < 0)
return AVERROR_INVALIDDATA;
/* packet needs to contain both this codebook and next VQ chunk */
codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE;
codebook_size = chunk_size;
@ -187,6 +189,11 @@ static int roq_read_packet(AVFormatContext *s,
st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample;
}
case RoQ_QUAD_VQ:
if (chunk_type == RoQ_QUAD_VQ) {
if (roq->video_stream_index < 0)
return AVERROR_INVALIDDATA;
}
/* load up the packet */
if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE))
return AVERROR(EIO);
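Review bot: The `chunk_type == RoQ_QUAD_VQ` re-test inside `case RoQ_QUAD_VQ:` only makes sense because the preceding case appears to fall through into this label (the closing brace just above it shows no `break` in the hunk), and nothing in the code says so. A comment like `/* audio chunks fall through to here; only video chunks need a video stream */` would stop a later cleanup from removing the guard. The nested test can also be written as one condition: `if (chunk_type == RoQ_QUAD_VQ && roq->video_stream_index < 0)`. Both hunks sit inside roq_read_packet, whose switch starts and ends outside them.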

@ -109,6 +109,10 @@ static av_cold int rl2_read_header(AVFormatContext *s,
rate = avio_rl16(pb);
channels = avio_rl16(pb);
def_sound_size = avio_rl16(pb);
if (!channels || channels > 42) {
av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels);
return AVERROR_INVALIDDATA;
}
/** setup video stream */
st = avformat_new_stream(s, NULL);
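Review bot: The upper bound in `if (!channels || channels > 42)` is an unexplained literal; the zero test is what the commit title (division by zero) calls for, but the reason for 42 cannot be recovered from the code. A comment on the check would cover both halves, e.g. `/* 0 would divide by zero later; 42 is an arbitrary sanity cap */`. The check also rejects zero regardless of whether the file has a sound track; whether a video-only file stores 0 in this field is not visible here and should be confirmed against the rest of rl2_read_header, which continues outside the hunk.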

@ -113,6 +113,11 @@ static int film_read_header(AVFormatContext *s,
return AVERROR(EIO);
film->audio_samplerate = AV_RB16(&scratch[24]);
film->audio_channels = scratch[21];
if (!film->audio_channels || film->audio_channels > 2) {
av_log(s, AV_LOG_ERROR,
"Invalid number of channels: %d\n", film->audio_channels);
return AVERROR_INVALIDDATA;
}
film->audio_bits = scratch[22];
if (scratch[23] == 2)
film->audio_type = CODEC_ID_ADPCM_ADX;
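Review bot: The new check rejects `film->audio_channels == 0` unconditionally, before the code below it decides the audio type; if this header format uses a zero channel count to mean "no audio track", such files would now fail to open, so confirm against the branches that follow `film->audio_type` (outside the hunk). If zero is legitimate, the check should keep only the upper bound: `if (film->audio_channels > 2) {`. If it is not, a comment stating that every file reaching this branch carries audio would settle the question for the next reader.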

@ -258,7 +258,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
dir_length = AV_RL16(buf + 16);
file_length = AV_RL64(buf + 24);
name_size = 2 * AV_RL32(buf + 32);
if (buf + 48 + name_size > buf_end) {
if (name_size < 0) {
av_log(s, AV_LOG_ERROR,
"bad filename length, remaining directory entries ignored\n");
break;
}
if (48 + name_size > buf_end - buf) {
av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
break;
}
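Review bot: `48 + name_size` in the rewritten bounds test can itself overflow when `name_size` is close to `INT_MAX`, since it is derived from `2 * AV_RL32(buf + 32)`, a file-controlled 32-bit value (this assumes `name_size` is a signed `int`, as the `< 0` test implies). Keeping the arithmetic on the trusted side avoids that: `if (name_size > buf_end - buf - 48) {`, which is safe provided the enclosing loop guarantees at least 48 bytes remain (its condition is outside the hunk). The doubling also happens before the sign test, so a stored length whose doubled value wraps to a small positive number passes both checks; validating the raw `AV_RL32` value before multiplying would close that gap.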

@ -48,6 +48,8 @@
XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \
XMV_AUDIO_ADPCM51_REARLEFTRIGHT)
#define XMV_BLOCK_ALIGN_SIZE 36
/** A video packet with an XMV file. */
typedef struct XMVVideoPacket {
int stream_index; ///< The decoder stream index for this video packet.
@ -199,7 +201,7 @@ static int xmv_read_header(AVFormatContext *s,
packet->bit_rate = packet->bits_per_sample *
packet->sample_rate *
packet->channels;
packet->block_align = 36 * packet->channels;
packet->block_align = XMV_BLOCK_ALIGN_SIZE * packet->channels;
packet->block_samples = 64;
packet->codec_id = ff_wav_codec_get_id(packet->compression,
packet->bits_per_sample);
@ -215,7 +217,8 @@ static int xmv_read_header(AVFormatContext *s,
av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
"(0x%04X)\n", packet->flags);
if (!packet->channels || !packet->sample_rate) {
if (!packet->channels || !packet->sample_rate ||
packet->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) {
av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
audio_track);
ret = AVERROR_INVALIDDATA;
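Review bot: The new bound `packet->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE` is tested only after `packet->block_align` and `packet->bit_rate` have been computed from the same unvalidated fields in the earlier hunk, so correctness depends on the error path never using those values. The `bit_rate` product also includes `packet->sample_rate`, which this check does not bound; whether it can overflow depends on the field types, which are not shown. Moving the validation above the derived-field assignments would make the ordering obvious. `XMV_BLOCK_ALIGN_SIZE` would benefit from a one-line comment stating what the 36 measures, presumably the per-channel block size in bytes.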