Commit 796039ad authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files

Merge branch 'release/0.8' into release/0.7


* release/0.8:
  Update for 0.8.12
  mpc8: fix channel checks
  h263: disable loop filter with lowres
  wmv1: check that the input buffer is large enough
  yopdec: check frame oddness to be within supported limits
  yopdec: check that palette fits in the packet
  8svx: fix crash
  binkaudio: check number of channels
  indeo5: check quant_mat
  truemotion1: Check index, fix out of array read
  iff: check if there is extradata
  ape: Fix null ptr dereference with files missing a seekatable.
  4xm: fix division by zero caused by bps<8
  jvdec: check videosize
  motionpixels: check extradata size
  iff_ilbm: fix null ptr deref
  yop: check for missing extradata
  xan: fix out of array read
  cdgraphics: Fix out of array write

Conflicts:
	Doxyfile
	RELEASE
	VERSION
Merged-by: default avatarMichael Niedermayer <michaelni@gmx.at>
parents a56b07b5 858c3158
No related merge requests found
Showing with 86 additions and 10 deletions
+86 -10
......@@ -44,7 +44,7 @@ typedef struct EightSvxContext {
/* buffer used to store the whole audio decoded/interleaved chunk,
* which is sent with the first packet */
uint8_t *samples;
size_t samples_size;
int64_t samples_size;
int samples_idx;
} EightSvxContext;
......
......@@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
frame_len_bits = 11;
}
if (avctx->channels > MAX_CHANNELS) {
av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
return -1;
if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
return AVERROR_INVALIDDATA;
}
if (avctx->extradata && avctx->extradata_size > 0)
......
......@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
return AVERROR(EINVAL);
}
if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
return AVERROR(EINVAL);
}
ret = avctx->reget_buffer(avctx, &cc->frame);
if (ret) {
......
......@@ -176,7 +176,13 @@ static int extract_header(AVCodecContext *const avctx,
const uint8_t *buf;
unsigned buf_size;
IffContext *s = avctx->priv_data;
int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
int palette_size;
if (avctx->extradata_size < 2) {
av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
return AVERROR_INVALIDDATA;
}
palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
if (avpkt) {
int image_size;
......@@ -192,8 +198,6 @@ static int extract_header(AVCodecContext *const avctx,
return AVERROR_INVALIDDATA;
}
} else {
if (avctx->extradata_size < 2)
return AVERROR_INVALIDDATA;
buf = avctx->extradata;
buf_size = bytestream_get_be16(&buf);
if (buf_size <= 1 || palette_size < 0) {
......@@ -281,7 +285,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
int err;
if (avctx->bits_per_coded_sample <= 8) {
int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
int palette_size;
if (avctx->extradata_size >= 2)
palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
else
palette_size = 0;
avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) ||
(avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8;
} else if (avctx->bits_per_coded_sample <= 32) {
......
......@@ -219,6 +219,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx)
}
if (band->blk_size == 8) {
if(quant_mat >= 5){
av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
return -1;
}
band->intra_base = &ivi5_base_quant_8x8_intra[quant_mat][0];
band->inter_base = &ivi5_base_quant_8x8_inter[quant_mat][0];
band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];
......
......@@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s)
}
if(get_bits(&s->gb, 2))
av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
s->loop_filter = get_bits1(&s->gb);
s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;
if(get_bits1(&s->gb))
av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
if(get_bits1(&s->gb))
......
......@@ -961,6 +961,8 @@ int h263_decode_picture_header(MpegEncContext *s)
s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */
s->loop_filter= get_bits1(&s->gb);
s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter;
if(s->avctx->lowres)
s->loop_filter = 0;
s->h263_slice_structured= get_bits1(&s->gb);
if (get_bits1(&s->gb) != 0) {
......
......@@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx,
buf += 5;
if (video_size) {
if(video_size < 0) {
av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
return AVERROR_INVALIDDATA;
}
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return -1;
......
......@@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx)
int w4 = (avctx->width + 3) & ~3;
int h4 = (avctx->height + 3) & ~3;
if(avctx->extradata_size < 2){
av_log(avctx, AV_LOG_ERROR, "extradata too small\n");
return AVERROR_INVALIDDATA;
}
motionpixels_tableinit();
mp->avctx = avctx;
dsputil_init(&mp->dsp, avctx);
......
......@@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
c->frames = 1 << (get_bits(&gb, 3) * 2);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
avctx->channels = channels;
if(vlc_initialized) return 0;
av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n");
......
......@@ -520,6 +520,10 @@ hres,vres,i,i%vres (0 < i < 4)
}
#define APPLY_C_PREDICTOR() \
if(index > 1023){\
av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
return; \
}\
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
......@@ -537,6 +541,10 @@ hres,vres,i,i%vres (0 < i < 4)
index++;
#define APPLY_C_PREDICTOR_24() \
if(index > 1023){\
av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
return; \
}\
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
......@@ -555,6 +563,10 @@ hres,vres,i,i%vres (0 < i < 4)
#define APPLY_Y_PREDICTOR() \
if(index > 1023){\
av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
return; \
}\
predictor_pair = s->y_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
......@@ -572,6 +584,10 @@ hres,vres,i,i%vres (0 < i < 4)
index++;
#define APPLY_Y_PREDICTOR_24() \
if(index > 1023){\
av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
return; \
}\
predictor_pair = s->y_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
......
......@@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx,
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
if(buf_size<=8) {
av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
return AVERROR_INVALIDDATA;
}
rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(!rbuf){
av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
......
......@@ -511,6 +511,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
int i;
tag = bytestream_get_le32(&buf);
size = bytestream_get_be32(&buf);
if(size < 0) {
av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size);
return AVERROR_INVALIDDATA;
}
size = FFMIN(size, buf_end - buf);
switch (tag) {
case PALT_TAG:
......
......@@ -90,6 +90,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx)
return -1;
}
if (!avctx->extradata) {
av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
return AVERROR_INVALIDDATA;
}
avctx->pix_fmt = PIX_FMT_PAL8;
avcodec_get_frame_defaults(&s->frame);
......@@ -200,6 +205,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if (s->frame.data[0])
avctx->release_buffer(avctx, &s->frame);
if (avpkt->size < 4 + 3*s->num_pal_colors) {
av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size);
return AVERROR_INVALIDDATA;
}
ret = avctx->get_buffer(avctx, &s->frame);
if (ret < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
......@@ -215,6 +225,10 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
s->low_nibble = NULL;
is_odd_frame = avpkt->data[0];
if(is_odd_frame>1){
av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame);
return AVERROR_INVALIDDATA;
}
firstcolor = s->first_color[is_odd_frame];
palette = (uint32_t *)s->frame.data[1];
......
......@@ -195,6 +195,11 @@ static int fourxm_read_header(AVFormatContext *s,
ret= -1;
goto fail;
}
if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){
av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n");
ret = AVERROR_INVALIDDATA;
goto fail;
}
i += 8 + size;
/* allocate a new AVStream */
......
......@@ -274,6 +274,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
return AVERROR(ENOMEM);
for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
ape->seektable[i] = avio_rl32(pb);
}else{
av_log(s, AV_LOG_ERROR, "Missing seektable\n");
return -1;
}
ape->frames[0].pos = ape->firstframe;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment