Merge branch 'release/0.8' into release/0.7
* release/0.8: (96 commits)
Version numbers for 0.8.6
snow: emu edge support Fixes Ticket592
imc: validate channel count
imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263)
libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf)
configure: fix arch x86_32
mp3enc: avoid truncating id3v1 tags by one byte
asfdec: Check packet_replic_size earlier
cin audio: validate the channel count
binkaudio: add some buffer overread checks.
atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872)
atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e)
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
apedec: set s->currentframeblocks after validating nblocks
apedec: use unsigned int for 'nblocks' and make sure that it's within int range
apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d)
apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313d11b37772c05a28da20fbc112db478)
mpegaudiodec: check output data size based on avctx->frame_size
resample: Fix array size
resample2: fix potential overflow
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
diff --git a/MAINTAINERS b/MAINTAINERS
index fb28a4e..8409cd1 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -19,7 +19,7 @@
ffmpeg.c Michael Niedermayer
ffplay:
- ffplay.c Michael Niedermayer
+ ffplay.c Marton Balint
ffprobe:
ffprobe.c Stefano Sabatini
diff --git a/configure b/configure
index 576daf0..822c500 100755
--- a/configure
+++ b/configure
@@ -2203,7 +2203,7 @@
arch="sparc"
subarch="sparc64"
;;
- i[3-6]86|i86pc|BePC|x86pc|x86_64|amd64)
+ i[3-6]86|i86pc|BePC|x86pc|x86_64|x86_32|amd64)
arch="x86"
;;
esac
@@ -3164,7 +3164,7 @@
enabled asm || { arch=c; disable $ARCH_LIST $ARCH_EXT_LIST; }
-if test $target_os == "haiku"; then
+if test $target_os = "haiku"; then
disable memalign
disable posix_memalign
fi
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 7344f4c..3f8061f 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -279,7 +279,7 @@
}
#endif
-static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){
+static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){
int i;
dc*= 0x10001;
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 6cc0cec..e9f2cc5 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1090,7 +1090,7 @@
GET_VLC(code, re, gb, vlc_tab, 8, 2);
cb_idx = cb_vector_idx[code];
nnz = cb_idx >> 8 & 15;
- bits = SHOW_UBITS(re, gb, nnz) << (32-nnz);
+ bits = nnz ? GET_CACHE(re, gb) : 0;
LAST_SKIP_BITS(re, gb, nnz);
cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx);
} while (len -= 4);
@@ -1130,7 +1130,7 @@
GET_VLC(code, re, gb, vlc_tab, 8, 2);
cb_idx = cb_vector_idx[code];
nnz = cb_idx >> 8 & 15;
- sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12);
+ sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0;
LAST_SKIP_BITS(re, gb, nnz);
cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx);
} while (len -= 2);
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index f036c4a..4d8a940 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -163,6 +163,18 @@
// TODO: dsputilize
+static av_cold int ape_decode_close(AVCodecContext * avctx)
+{
+ APEContext *s = avctx->priv_data;
+ int i;
+
+ for (i = 0; i < APE_FILTER_LEVELS; i++)
+ av_freep(&s->filterbuf[i]);
+
+ av_freep(&s->data);
+ return 0;
+}
+
static av_cold int ape_decode_init(AVCodecContext * avctx)
{
APEContext *s = avctx->priv_data;
@@ -195,25 +207,18 @@
for (i = 0; i < APE_FILTER_LEVELS; i++) {
if (!ape_filter_orders[s->fset][i])
break;
- s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4);
+ FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i],
+ (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4,
+ filter_alloc_fail);
}
dsputil_init(&s->dsp, avctx);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
return 0;
-}
-
-static av_cold int ape_decode_close(AVCodecContext * avctx)
-{
- APEContext *s = avctx->priv_data;
- int i;
-
- for (i = 0; i < APE_FILTER_LEVELS; i++)
- av_freep(&s->filterbuf[i]);
-
- av_freep(&s->data);
- return 0;
+filter_alloc_fail:
+ ape_decode_close(avctx);
+ return AVERROR(ENOMEM);
}
/**
@@ -797,7 +802,7 @@
int buf_size = avpkt->size;
APEContext *s = avctx->priv_data;
int16_t *samples = data;
- int nblocks;
+ uint32_t nblocks;
int i, n;
int blockstodecode;
int bytes_used;
@@ -814,12 +819,15 @@
}
if(!s->samples){
- s->data = av_realloc(s->data, (buf_size + 3) & ~3);
+ void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3);
+ if (!tmp_data)
+ return AVERROR(ENOMEM);
+ s->data = tmp_data;
s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2);
s->ptr = s->last_ptr = s->data;
s->data_end = s->data + buf_size;
- nblocks = s->samples = bytestream_get_be32(&s->ptr);
+ nblocks = bytestream_get_be32(&s->ptr);
n = bytestream_get_be32(&s->ptr);
if(n < 0 || n > 3){
av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n");
@@ -828,12 +836,13 @@
}
s->ptr += n;
- s->currentframeblocks = nblocks;
buf += 4;
- if (s->samples <= 0) {
+ if (!nblocks || nblocks > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks);
*data_size = 0;
- return buf_size;
+ return AVERROR_INVALIDDATA;
}
+ s->currentframeblocks = s->samples = nblocks;
memset(s->decoded0, 0, sizeof(s->decoded0));
memset(s->decoded1, 0, sizeof(s->decoded1));
diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c
index 1f4c36c..6897790 100644
--- a/libavcodec/atrac1.c
+++ b/libavcodec/atrac1.c
@@ -276,7 +276,7 @@
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
AT1Ctx *q = avctx->priv_data;
- int ch, ret, i;
+ int ch, ret, i, out_size;
GetBitContext gb;
float* samples = data;
@@ -286,6 +286,13 @@
return -1;
}
+ out_size = q->channels * AT1_SU_SAMPLES *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
for (ch = 0; ch < q->channels; ch++) {
AT1SUCtx* su = &q->SUs[ch];
@@ -318,7 +325,7 @@
}
}
- *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples);
+ *data_size = out_size;
return avctx->block_align;
}
@@ -329,6 +336,11 @@
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+ if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) {
+ av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n",
+ avctx->channels);
+ return AVERROR(EINVAL);
+ }
q->channels = avctx->channels;
/* Init the mdct transforms */
diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
index ff36458..3b65a19 100644
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -153,11 +153,18 @@
2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64
};
+#define GET_BITS_SAFE(out, nbits) do { \
+ if (get_bits_left(gb) < nbits) \
+ return AVERROR_INVALIDDATA; \
+ out = get_bits(gb, nbits); \
+} while (0)
+
/**
* Decode Bink Audio block
* @param[out] out Output buffer (must contain s->block_size elements)
+ * @return 0 on success, negative error code on failure
*/
-static void decode_block(BinkAudioContext *s, short *out, int use_dct)
+static int decode_block(BinkAudioContext *s, short *out, int use_dct)
{
int ch, i, j, k;
float q, quant[25];
@@ -170,13 +177,19 @@
for (ch = 0; ch < s->channels; ch++) {
FFTSample *coeffs = s->coeffs_ptr[ch];
if (s->version_b) {
+ if (get_bits_left(gb) < 64)
+ return AVERROR_INVALIDDATA;
coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root;
coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root;
} else {
+ if (get_bits_left(gb) < 58)
+ return AVERROR_INVALIDDATA;
coeffs[0] = get_float(gb) * s->root;
coeffs[1] = get_float(gb) * s->root;
}
+ if (get_bits_left(gb) < s->num_bands * 8)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < s->num_bands; i++) {
/* constant is result of 0.066399999/log10(M_E) */
int value = get_bits(gb, 8);
@@ -191,15 +204,20 @@
while (i < s->frame_len) {
if (s->version_b) {
j = i + 16;
- } else if (get_bits1(gb)) {
- j = i + rle_length_tab[get_bits(gb, 4)] * 8;
} else {
- j = i + 8;
+ int v;
+ GET_BITS_SAFE(v, 1);
+ if (v) {
+ GET_BITS_SAFE(v, 4);
+ j = i + rle_length_tab[v] * 8;
+ } else {
+ j = i + 8;
+ }
}
j = FFMIN(j, s->frame_len);
- width = get_bits(gb, 4);
+ GET_BITS_SAFE(width, 4);
if (width == 0) {
memset(coeffs + i, 0, (j - i) * sizeof(*coeffs));
i = j;
@@ -209,9 +227,11 @@
while (i < j) {
if (s->bands[k] == i)
q = quant[k++];
- coeff = get_bits(gb, width);
+ GET_BITS_SAFE(coeff, width);
if (coeff) {
- if (get_bits1(gb))
+ int v;
+ GET_BITS_SAFE(v, 1);
+ if (v)
coeffs[i] = -q * coeff;
else
coeffs[i] = q * coeff;
@@ -247,6 +267,8 @@
s->overlap_len * s->channels * sizeof(*out));
s->first = 0;
+
+ return 0;
}
static av_cold int decode_end(AVCodecContext *avctx)
@@ -278,12 +300,17 @@
int reported_size;
GetBitContext *gb = &s->gb;
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
init_get_bits(gb, buf, buf_size * 8);
reported_size = get_bits_long(gb, 32);
- while (get_bits_count(gb) / 8 < buf_size &&
- samples + s->block_size <= samples_end) {
- decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT);
+ while (samples + s->block_size <= samples_end) {
+ if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT))
+ break;
samples += s->block_size;
get_bits_align32(gb);
}
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index 69df8f4..24153eb 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -905,7 +905,8 @@
for (subindex = 0; subindex < 8; subindex++) {
/* Load in one sample from each subband and clear inactive subbands */
for (i = 0; i < sb_act; i++){
- uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30;
+ unsigned sign = (i - 1) & 2;
+ uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30;
AV_WN32A(&s->raXin[i], v);
}
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index faca821..d4dbb35 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -310,6 +310,11 @@
CinAudioContext *cin = avctx->priv_data;
cin->avctx = avctx;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
cin->initial_decode_frame = 1;
cin->delta = 0;
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c
index 05993d8..db6ed2b87 100644
--- a/libavcodec/dvdata.c
+++ b/libavcodec/dvdata.c
@@ -248,11 +248,13 @@
const DVprofile* ff_dv_frame_profile(const DVprofile *sys,
const uint8_t* frame, unsigned buf_size)
{
- int i;
+ int i, dsf, stype;
- int dsf = (frame[3] & 0x80) >> 7;
+ if(buf_size < DV_PROFILE_BYTES)
+ return NULL;
- int stype = frame[80*5 + 48 + 3] & 0x1f;
+ dsf = (frame[3] & 0x80) >> 7;
+ stype = frame[80*5 + 48 + 3] & 0x1f;
/* 576i50 25Mbps 4:1:1 is a special case */
if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index d4881ab..602bbfc 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -85,15 +85,21 @@
{
MpegEncContext *s = &t->s;
if (j < 4) {
+ unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+ if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7)
+ return;
comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3),
t->frame.linesize[0],
- t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x,
+ t->last_frame.data[0] + offset,
t->last_frame.linesize[0], add);
} else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) {
int index = j - 3;
+ unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2);
+ if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7)
+ return;
comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8,
t->frame.linesize[index],
- t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2),
+ t->last_frame.data[index] + offset,
t->last_frame.linesize[index], add);
}
}
@@ -205,7 +211,8 @@
for (j=0; j<6; j++) {
if (mv_map & (1<<j)) { // mv_x and mv_y are guarded by mv_map
int add = 2*decode_motion(&s->gb);
- comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
+ if (t->last_frame.data[0])
+ comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
} else {
s->dsp.clear_block(t->block);
decode_block_intra(t, t->block);
@@ -266,6 +273,8 @@
avcodec_set_dimensions(avctx, s->width, s->height);
if (t->frame.data[0])
avctx->release_buffer(avctx, &t->frame);
+ if (t->last_frame.data[0])
+ avctx->release_buffer(avctx, &t->last_frame);
}
t->frame.reference = 1;
@@ -280,6 +289,7 @@
if (!t->bitstream_buf)
return AVERROR(ENOMEM);
bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
+ memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c
index 0855f10..fb88dce 100644
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@@ -74,7 +74,7 @@
else
src += 2;
- if (src+3>src_end)
+ if (src_end - src < 3)
return -1;
size = AV_RB24(src);
src += 3;
@@ -138,7 +138,7 @@
* @return 0 on success, -1 on critical buffer underflow
*/
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
- unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0];
+ unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];
int num_mvs;
int num_blocks_raw;
int num_blocks_packed;
@@ -148,7 +148,7 @@
int mvbits;
const unsigned char *blocks_raw;
- if(buf+12>buf_end)
+ if(buf_end - buf < 12)
return -1;
num_mvs = AV_RL16(&buf[0]);
@@ -171,7 +171,7 @@
/* read motion vectors */
mvbits = (num_mvs*2*10+31) & ~31;
- if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end)
+ if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed)
return -1;
init_get_bits(&gb, buf, mvbits);
@@ -207,12 +207,14 @@
int src_stride;
if (vector < num_mvs) {
- src = s->last_frame.data[0] +
- (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
- x*4 + s->mv_codebook[vector][0];
+ unsigned offset =
+ (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
+ x*4 + s->mv_codebook[vector][0];
+
src_stride = s->last_frame.linesize[0];
- if (src+3*src_stride+3>=frame0_end)
+ if (offset >= last_frame_size - (3*src_stride+3))
continue;
+ src = s->last_frame.data[0] + offset;
}else{
int offset = vector - num_mvs;
if (offset<num_blocks_raw)
@@ -252,12 +254,15 @@
const uint8_t *buf_end = buf + buf_size;
int chunk_type;
+ if (buf_end - buf < EA_PREAMBLE_SIZE)
+ return AVERROR_INVALIDDATA;
+
chunk_type = AV_RL32(&buf[0]);
buf += EA_PREAMBLE_SIZE;
if (chunk_type==kVGT_TAG) {
int pal_count, i;
- if(buf+12>buf_end) {
+ if(buf_end - buf < 12) {
av_log(avctx, AV_LOG_WARNING, "truncated header\n");
return -1;
}
@@ -272,7 +277,7 @@
pal_count = AV_RL16(&buf[6]);
buf += 12;
- for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+ for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
s->palette[i] = AV_RB24(buf);
buf += 3;
}
diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
index 90eeb30..8dff032 100644
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -75,6 +75,20 @@
}
}
+/**
+ * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1.
+ */
+static inline unsigned get_ue_golomb_long(GetBitContext *gb)
+{
+ unsigned buf, log;
+
+ buf = show_bits_long(gb, 32);
+ log = 31 - av_log2(buf);
+ skip_bits_long(gb, log);
+
+ return get_bits_long(gb, log + 1) - 1;
+}
+
/**
* read unsigned exp golomb code, constraint to a max of 31.
* the return value is undefined if the stored value exceeds 31.
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 47ac9f0..ff38bd7 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1019,8 +1019,12 @@
s->height = s->avctx->height;
s->codec_id= s->avctx->codec->id;
- ff_h264dsp_init(&h->h264dsp, 8);
- ff_h264_pred_init(&h->hpc, s->codec_id, 8);
+ s->avctx->bits_per_raw_sample = 8;
+
+ ff_h264dsp_init(&h->h264dsp,
+ s->avctx->bits_per_raw_sample);
+ ff_h264_pred_init(&h->hpc, s->codec_id,
+ s->avctx->bits_per_raw_sample);
h->dequant_coeff_pps= -1;
s->unrestricted_mv=1;
@@ -2633,6 +2637,7 @@
free_tables(h, 0);
flush_dpb(s->avctx);
MPV_common_end(s);
+ h->list_count = 0;
}
if (!s->context_initialized) {
if (h != h0) {
@@ -3753,9 +3758,13 @@
switch (hx->nal_unit_type) {
case NAL_SPS:
case NAL_PPS:
+ nals_needed = nal_index;
+ break;
case NAL_IDR_SLICE:
case NAL_SLICE:
- nals_needed = nal_index;
+ init_get_bits(&hx->s.gb, ptr, bit_length);
+ if(!get_ue_golomb(&hx->s.gb))
+ nals_needed = nal_index;
}
continue;
}
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index 0a380e0..a6f3973 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -227,7 +227,7 @@
int transform_8x8_mode; ///< transform_8x8_mode_flag
uint8_t scaling_matrix4[6][16];
uint8_t scaling_matrix8[6][64];
- uint8_t chroma_qp_table[2][64]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
+ uint8_t chroma_qp_table[2][QP_MAX_NUM+1]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
int chroma_qp_diff;
}PPS;
diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c
index 34a4ff7..0b19353 100644
--- a/libavcodec/h264_direct.c
+++ b/libavcodec/h264_direct.c
@@ -89,7 +89,8 @@
for(j=start; j<end; j++){
if(4*h->ref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){
int cur_ref= mbafi ? (j-16)^field : j;
- map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
+ if(ref1->mbaff)
+ map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
if(rfield == field || !interl)
map[list][old_ref] = cur_ref;
break;
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 423f54b..89e2502 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -143,8 +143,8 @@
get_bits(&s->gb, 4); /* bit_rate_scale */
get_bits(&s->gb, 4); /* cpb_size_scale */
for(i=0; i<cpb_count; i++){
- get_ue_golomb(&s->gb); /* bit_rate_value_minus1 */
- get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */
+ get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */
+ get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */
get_bits1(&s->gb); /* cbr_flag */
}
sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1;
diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c
index f6533cf9..4917e0d 100644
--- a/libavcodec/h264pred.c
+++ b/libavcodec/h264pred.c
@@ -40,7 +40,7 @@
#undef BIT_DEPTH
static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
- const int lt= src[-1-1*stride];
+ const unsigned lt = src[-1-1*stride];
LOAD_TOP_EDGE
LOAD_TOP_RIGHT_EDGE
uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2,
@@ -55,7 +55,7 @@
}
static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
- const int lt= src[-1-1*stride];
+ const unsigned lt = src[-1-1*stride];
LOAD_LEFT_EDGE
AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101);
@@ -292,7 +292,7 @@
static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0;
+ unsigned dc0;
dc0=0;
for(i=0;i<8; i++)
@@ -307,7 +307,7 @@
static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0;
+ unsigned dc0;
dc0=0;
for(i=0;i<8; i++)
@@ -322,7 +322,7 @@
static void pred8x8_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0=0;
+ unsigned dc0 = 0;
for(i=0;i<4; i++){
dc0+= src[-1+i*stride] + src[i-stride];
diff --git a/libavcodec/h264pred_template.c b/libavcodec/h264pred_template.c
index 3cd4463..153aabc 100644
--- a/libavcodec/h264pred_template.c
+++ b/libavcodec/h264pred_template.c
@@ -120,28 +120,28 @@
#define LOAD_TOP_RIGHT_EDGE\
- const int av_unused t4= topright[0];\
- const int av_unused t5= topright[1];\
- const int av_unused t6= topright[2];\
- const int av_unused t7= topright[3];\
+ const unsigned av_unused t4 = topright[0];\
+ const unsigned av_unused t5 = topright[1];\
+ const unsigned av_unused t6 = topright[2];\
+ const unsigned av_unused t7 = topright[3];\
#define LOAD_DOWN_LEFT_EDGE\
- const int av_unused l4= src[-1+4*stride];\
- const int av_unused l5= src[-1+5*stride];\
- const int av_unused l6= src[-1+6*stride];\
- const int av_unused l7= src[-1+7*stride];\
+ const unsigned av_unused l4 = src[-1+4*stride];\
+ const unsigned av_unused l5 = src[-1+5*stride];\
+ const unsigned av_unused l6 = src[-1+6*stride];\
+ const unsigned av_unused l7 = src[-1+7*stride];\
#define LOAD_LEFT_EDGE\
- const int av_unused l0= src[-1+0*stride];\
- const int av_unused l1= src[-1+1*stride];\
- const int av_unused l2= src[-1+2*stride];\
- const int av_unused l3= src[-1+3*stride];\
+ const unsigned av_unused l0 = src[-1+0*stride];\
+ const unsigned av_unused l1 = src[-1+1*stride];\
+ const unsigned av_unused l2 = src[-1+2*stride];\
+ const unsigned av_unused l3 = src[-1+3*stride];\
#define LOAD_TOP_EDGE\
- const int av_unused t0= src[ 0-1*stride];\
- const int av_unused t1= src[ 1-1*stride];\
- const int av_unused t2= src[ 2-1*stride];\
- const int av_unused t3= src[ 3-1*stride];\
+ const unsigned av_unused t0 = src[ 0-1*stride];\
+ const unsigned av_unused t1 = src[ 1-1*stride];\
+ const unsigned av_unused t2 = src[ 2-1*stride];\
+ const unsigned av_unused t3 = src[ 3-1*stride];\
static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){
pixel *src = (pixel*)_src;
diff --git a/libavcodec/imc.c b/libavcodec/imc.c
index f08efe4..bc1a6a9 100644
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -104,10 +104,15 @@
static av_cold int imc_decode_init(AVCodecContext * avctx)
{
- int i, j;
+ int i, j, ret;
IMCContext *q = avctx->priv_data;
double r1, r2;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
q->decoder_reset = 1;
for(i = 0; i < BANDS; i++)
@@ -156,7 +161,10 @@
}
q->one_div_log2 = 1/log(2);
- ff_fft_init(&q->fft, 7, 1);
+ if ((ret = ff_fft_init(&q->fft, 7, 1))) {
+ av_log(avctx, AV_LOG_INFO, "FFT init failed\n");
+ return ret;
+ }
dsputil_init(&q->dsp, avctx);
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c
index 78ac2d8..beb3ee1 100644
--- a/libavcodec/imgconvert.c
+++ b/libavcodec/imgconvert.c
@@ -499,6 +499,16 @@
}
}
+ switch (pix_fmt) {
+ case PIX_FMT_RGB8:
+ case PIX_FMT_BGR8:
+ case PIX_FMT_RGB4_BYTE:
+ case PIX_FMT_BGR4_BYTE:
+ case PIX_FMT_GRAY8:
+ // do not include palette for these pseudo-paletted formats
+ return size;
+ }
+
if (desc->flags & PIX_FMT_PAL)
memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4);
diff --git a/libavcodec/libgsm.c b/libavcodec/libgsm.c
index 1f76f82..073cf44 100644
--- a/libavcodec/libgsm.c
+++ b/libavcodec/libgsm.c
@@ -141,18 +141,25 @@
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
+ int out_size = avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt);
+
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
*data_size = 0; /* In case of error */
if(buf_size < avctx->block_align) return -1;
switch(avctx->codec_id) {
case CODEC_ID_GSM:
if(gsm_decode(avctx->priv_data,buf,data)) return -1;
- *data_size = GSM_FRAME_SIZE*sizeof(int16_t);
break;
case CODEC_ID_GSM_MS:
if(gsm_decode(avctx->priv_data,buf,data) ||
gsm_decode(avctx->priv_data,buf+33,((int16_t*)data)+GSM_FRAME_SIZE)) return -1;
- *data_size = GSM_FRAME_SIZE*sizeof(int16_t)*2;
}
+
+ *data_size = out_size;
return avctx->block_align;
}
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index bf542ac..6477f3f 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -101,13 +101,14 @@
}
static int X264_frame(AVCodecContext *ctx, uint8_t *buf,
- int bufsize, void *data)
+ int orig_bufsize, void *data)
{
X264Context *x4 = ctx->priv_data;
AVFrame *frame = data;
x264_nal_t *nal;
int nnal, i;
x264_picture_t pic_out;
+ int bufsize;
x264_picture_init( &x4->pic );
x4->pic.img.i_csp = X264_CSP_I420;
@@ -138,6 +139,7 @@
}
do {
+ bufsize = orig_bufsize;
if (x264_encoder_encode(x4->enc, &nal, &nnal, frame? &x4->pic: NULL, &pic_out) < 0)
return -1;
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index b13d079..baae9a3 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -950,7 +950,12 @@
int32_t *data_32 = (int32_t*) data;
int16_t *data_16 = (int16_t*) data;
- if (*data_size < (s->max_channel + 1) * s->blockpos * (is32 ? 4 : 2))
+ if (m->avctx->channels != s->max_matrix_channel + 1) {
+ av_log(m->avctx, AV_LOG_ERROR, "channel count mismatch\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ if (*data_size < m->avctx->channels * s->blockpos * (is32 ? 4 : 2))
return -1;
for (i = 0; i < s->blockpos; i++) {
diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index c12ebf4..02e804d 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1040,7 +1040,7 @@
/* intra / predictive decision */
pix = c->src[0][0];
sum = s->dsp.pix_sum(pix, s->linesize);
- varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500;
+ varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500;
pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8;
@@ -1202,7 +1202,7 @@
if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){
intra_score= varc - 500;
}else{
- int mean= (sum+128)>>8;
+ unsigned mean = (sum+128)>>8;
mean*= 0x01010101;
for(i=0; i<16; i++){
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c
index bb21469..6477edc 100644
--- a/libavcodec/mpc7.c
+++ b/libavcodec/mpc7.c
@@ -197,12 +197,19 @@
int i, ch;
int mb = -1;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int bits_used, bits_avail;
memset(bands, 0, sizeof(bands));
if(buf_size <= 4){
av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
+ return AVERROR(EINVAL);
+ }
+
+ out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
}
bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
@@ -277,7 +284,7 @@
*data_size = 0;
return buf_size;
}
- *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index bca5745..90bc8c8 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -243,10 +243,16 @@
GetBitContext gb2, *gb = &gb2;
int i, j, k, ch, cnt, res, t;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int maxband, keyframe;
int last[2];
+ out_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
keyframe = c->cur_frame == 0;
if(keyframe){
@@ -404,7 +410,7 @@
c->last_bits_used = get_bits_count(gb);
if(c->cur_frame >= c->frames)
c->cur_frame = 0;
- *data_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ *data_size = out_size;
return c->cur_frame ? c->last_bits_used >> 3 : buf_size;
}
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 9fbae0c..32dfd23 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1801,8 +1801,8 @@
avctx->bit_rate = s->bit_rate;
avctx->sub_id = s->layer;
- if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
- return -1;
+ if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT))
+ return AVERROR(EINVAL);
*data_size = 0;
if(s->frame_size<=0 || s->frame_size > buf_size){
@@ -1870,6 +1870,9 @@
avctx->bit_rate = s->bit_rate;
avctx->sub_id = s->layer;
+ if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT))
+ return AVERROR(EINVAL);
+
s->frame_size = len;
if (avctx->parse_only) {
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index f4743c5..d56ca82 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -2308,12 +2308,15 @@
edge_h= FFMIN(h, s->v_edge_pos - y);
- s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize,
- s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides);
- s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize,
- s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
- s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize,
- s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize,
+ s->linesize, s->h_edge_pos, edge_h,
+ EDGE_WIDTH, EDGE_WIDTH, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize,
+ s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift,
+ EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize,
+ s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift,
+ EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
}
h= FFMIN(h, s->avctx->height - y);
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
index 3c92aa93..b9e141d 100644
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -2007,7 +2007,7 @@
int varc;
int sum = s->dsp.pix_sum(pix, s->linesize);
- varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8;
+ varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8;
s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc;
s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c
index 4c0d421..af0048a 100644
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -332,6 +332,9 @@
dst->height = src->height;
dst->pix_fmt = src->pix_fmt;
+ dst->coded_width = src->coded_width;
+ dst->coded_height = src->coded_height;
+
dst->has_b_frames = src->has_b_frames;
dst->idct_algo = src->idct_algo;
dst->slice_count = src->slice_count;
diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h
index 7901691..ccd2565 100644
--- a/libavcodec/put_bits.h
+++ b/libavcodec/put_bits.h
@@ -100,7 +100,8 @@
align_put_bits(s);
#else
#ifndef BITSTREAM_WRITER_LE
- s->bit_buf<<= s->bit_left;
+ if (s->bit_left < 32)
+ s->bit_buf<<= s->bit_left;
#endif
while (s->bit_left < 32) {
/* XXX: should test end of buffer */
diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c
index e83704d..61c812c 100644
--- a/libavcodec/qcelpdec.c
+++ b/libavcodec/qcelpdec.c
@@ -738,11 +738,17 @@
int buf_size = avpkt->size;
QCELPContext *q = avctx->priv_data;
float *outbuffer = data;
- int i;
+ int i, out_size;
float quantized_lspf[10], lpc[10];
float gain[16];
float *formant_mem;
+ out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q)
{
warn_insufficient_frame_quality(avctx, "bitrate cannot be determined.");
@@ -837,7 +843,7 @@
memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf));
q->prev_bitrate = q->bitrate;
- *data_size = 160 * sizeof(*outbuffer);
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 1665c8d..144ce98 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1958,13 +1958,20 @@
int buf_size = avpkt->size;
QDM2Context *s = avctx->priv_data;
int16_t *out = data;
- int i;
+ int i, out_size;
if(!buf)
return 0;
if(buf_size < s->checksum_size)
return -1;
+ out_size = 16 * s->channels * s->frame_size *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
buf_size, buf, s->checksum_size, data, *data_size);
@@ -1974,7 +1981,7 @@
out += s->channels * s->frame_size;
}
- *data_size = (uint8_t*)out - (uint8_t*)data;
+ *data_size = out_size;
return s->checksum_size;
}
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index a2b6c7f..8bcbbd3 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -126,6 +126,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -182,6 +183,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -235,6 +237,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -284,6 +287,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -335,6 +339,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -463,6 +468,8 @@
stream_ptr += 4;
height = AV_RB16(&s->buf[stream_ptr]);
stream_ptr += 4;
+ if (height > s->avctx->height - start_line)
+ goto done;
} else {
start_line = 0;
height = s->avctx->height;
diff --git a/libavcodec/resample.c b/libavcodec/resample.c
index 62ece22..d53c731 100644
--- a/libavcodec/resample.c
+++ b/libavcodec/resample.c
@@ -337,9 +337,9 @@
if (s->sample_fmt[1] != AV_SAMPLE_FMT_S16) {
output_bak = output;
- if (!s->buffer_size[1] || s->buffer_size[1] < lenout) {
+ if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) {
av_free(s->buffer[1]);
- s->buffer_size[1] = lenout;
+ s->buffer_size[1] = 2*lenout;
s->buffer[1] = av_malloc(s->buffer_size[1]);
if (!s->buffer[1]) {
av_log(s->resample_context, AV_LOG_ERROR, "Could not allocate buffer\n");
diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c
index b940059..5c42558 100644
--- a/libavcodec/resample2.c
+++ b/libavcodec/resample2.c
@@ -207,8 +207,10 @@
memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM));
c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1];
- c->src_incr= out_rate;
- c->ideal_dst_incr= c->dst_incr= in_rate * phase_count;
+ if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2))
+ goto error;
+ c->ideal_dst_incr= c->dst_incr;
+
c->index= -phase_count*((c->filter_length-1)/2);
return c;
@@ -246,10 +248,9 @@
dst[dst_index] = src[index2>>32];
index2 += incr;
}
- frac += dst_index * dst_incr_frac;
index += dst_index * dst_incr;
- index += frac / c->src_incr;
- frac %= c->src_incr;
+ index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr;
+ frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr;
}else{
for(dst_index=0; dst_index < dst_size; dst_index++){
FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask);
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 4c1abe8..0b9d420 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -113,6 +113,7 @@
{
int i, chan;
int *coeffs;
+ void *tmp_ptr;
for (chan=0; chan<s->channels; chan++) {
if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
@@ -124,9 +125,15 @@
return -1;
}
- s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->offset[chan] = tmp_ptr;
- s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->decoded[chan] = tmp_ptr;
for (i=0; i<s->nwrap; i++)
s->decoded[chan][i] = 0;
s->decoded[chan] += s->nwrap;
@@ -284,8 +291,15 @@
int i, input_buf_size = 0;
int16_t *samples = data;
if(s->max_framesize == 0){
+ void *tmp_ptr;
s->max_framesize= 1024; // should hopefully be enough for the first header
- s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize);
+ tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
+ s->max_framesize);
+ if (!tmp_ptr) {
+ av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
+ return AVERROR(ENOMEM);
+ }
+ s->bitstream = tmp_ptr;
}
if(1 && s->max_framesize){//FIXME truncated
@@ -467,6 +481,12 @@
s->cur_chan++;
if (s->cur_chan == s->channels) {
+ int out_size = s->blocksize * s->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded);
s->cur_chan = 0;
goto frame_done;
diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c
index 9befe8a..bd7d223 100644
--- a/libavcodec/sipr.c
+++ b/libavcodec/sipr.c
@@ -194,14 +194,16 @@
{
int i, j;
- parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits);
+ if (p->ma_predictor_bits)
+ parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits);
for (i = 0; i < 5; i++)
parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]);
for (i = 0; i < p->subframe_count; i++) {
parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]);
- parms->gp_index[i] = get_bits(pgb, p->gp_index_bits);
+ if (p->gp_index_bits)
+ parms->gp_index[i] = get_bits(pgb, p->gp_index_bits);
for (j = 0; j < p->number_of_fc_indexes; j++)
parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]);
@@ -509,7 +511,7 @@
GetBitContext gb;
float *data = datap;
int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE;
- int i;
+ int i, out_size;
ctx->avctx = avctx;
if (avpkt->size < (mode_par->bits_per_frame >> 3)) {
@@ -520,7 +522,11 @@
*data_size = 0;
return -1;
}
- if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) {
+
+ out_size = mode_par->frames_per_packet * subframe_size *
+ mode_par->subframe_count *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
av_log(avctx, AV_LOG_ERROR,
"Error processing packet: output buffer (%d) too small\n",
*data_size);
@@ -542,8 +548,7 @@
data += subframe_size * mode_par->subframe_count;
}
- *data_size = mode_par->frames_per_packet * subframe_size *
- mode_par->subframe_count * sizeof(float);
+ *data_size = out_size;
return mode_par->bits_per_frame >> 3;
}
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index be4bc23..0b7a19a 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -560,6 +560,10 @@
static av_cold int smka_decode_init(AVCodecContext *avctx)
{
+ if (avctx->channels < 1 || avctx->channels > 2) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n");
+ return AVERROR(EINVAL);
+ }
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16;
return 0;
@@ -583,6 +587,11 @@
int bits, stereo;
int pred[2] = {0, 0};
+ if (buf_size <= 4) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
unp_size = AV_RL32(buf);
init_get_bits(&gb, buf + 4, (buf_size - 4) * 8);
@@ -598,6 +607,14 @@
av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
return -1;
}
+ if (stereo ^ (avctx->channels != 1)) {
+ av_log(avctx, AV_LOG_ERROR, "channels mismatch\n");
+ return AVERROR(EINVAL);
+ }
+ if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) {
+ av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n");
+ return AVERROR(EINVAL);
+ }
memset(vlc, 0, sizeof(VLC) * 4);
memset(h, 0, sizeof(HuffContext) * 4);
diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 43a7190..86ab710 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -1917,8 +1917,6 @@
static void halfpel_interpol(SnowContext *s, uint8_t *halfpel[4][4], AVFrame *frame){
int p,x,y;
- assert(!(s->avctx->flags & CODEC_FLAG_EMU_EDGE));
-
for(p=0; p<3; p++){
int is_chroma= !!p;
int w= s->avctx->width >>is_chroma;
@@ -1975,7 +1973,7 @@
int w= s->avctx->width; //FIXME round up to x16 ?
int h= s->avctx->height;
- if(s->current_picture.data[0]){
+ if(s->current_picture.data[0] && !(s->avctx->flags&CODEC_FLAG_EMU_EDGE)){
s->dsp.draw_edges(s->current_picture.data[0],
s->current_picture.linesize[0], w , h ,
EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM);
diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c
index d903a01..b5f7466 100644
--- a/libavcodec/truespeech.c
+++ b/libavcodec/truespeech.c
@@ -56,6 +56,11 @@
{
// TSContext *c = avctx->priv_data;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Unsupported channel count: %d\n", avctx->channels);
+ return AVERROR(EINVAL);
+ }
+
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
return 0;
}
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index f8e75bb..7be13bc 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -822,7 +822,7 @@
const ModeTab *mtab = tctx->mtab;
float *out = data;
enum FrameType ftype;
- int window_type;
+ int window_type, out_size;
static const enum FrameType wtype_to_ftype_table[] = {
FT_LONG, FT_LONG, FT_SHORT, FT_LONG,
FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM
@@ -835,6 +835,13 @@
return buf_size;
}
+ out_size = mtab->size * avctx->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
init_get_bits(&gb, buf, buf_size * 8);
skip_bits(&gb, get_bits(&gb, 8));
window_type = get_bits(&gb, WINDOW_TYPE_BITS);
@@ -857,7 +864,7 @@
return buf_size;
}
- *data_size = mtab->size*avctx->channels*4;
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/txd.c b/libavcodec/txd.c
index 0e25458..219c337 100644
--- a/libavcodec/txd.c
+++ b/libavcodec/txd.c
@@ -23,6 +23,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/imgutils.h"
+#include "bytestream.h"
#include "avcodec.h"
#include "s3tc.h"
@@ -42,6 +43,7 @@
static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
TXDContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
@@ -52,6 +54,8 @@
const uint32_t *palette = (const uint32_t *)(cur + 88);
uint32_t *pal;
+ if (buf_end - cur < 92)
+ return AVERROR_INVALIDDATA;
version = AV_RL32(cur);
d3d_format = AV_RL32(cur+76);
w = AV_RL16(cur+80);
@@ -69,6 +73,8 @@
if (depth == 8) {
avctx->pix_fmt = PIX_FMT_PAL8;
+ if (buf_end - cur < 1024)
+ return AVERROR_INVALIDDATA;
cur += 1024;
} else if (depth == 16 || depth == 32)
avctx->pix_fmt = PIX_FMT_RGB32;
@@ -100,6 +106,8 @@
v = AV_RB32(palette+y);
pal[y] = (v>>8) + (v<<24);
}
+ if (buf_end - cur < w * h)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w);
ptr += stride;
@@ -110,9 +118,13 @@
case 0:
if (!flags&1) goto unsupported;
case FF_S3TC_DXT1:
+ if (buf_end - cur < (w/4) * (h/4) * 8)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt1(cur, ptr, w, h, stride);
break;
case FF_S3TC_DXT3:
+ if (buf_end - cur < (w/4) * (h/4) * 16)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt3(cur, ptr, w, h, stride);
break;
default:
@@ -122,6 +134,8 @@
switch (d3d_format) {
case 0x15:
case 0x16:
+ if (buf_end - cur < h * w * 4)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w*4);
ptr += stride;
@@ -133,8 +147,12 @@
}
}
- for (; mipmap_count > 1; mipmap_count--)
- cur += AV_RL32(cur) + 4;
+ for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
+ uint32_t length = bytestream_get_le32(&cur);
+ if (buf_end - cur < length)
+ break;
+ cur += length;
+ }
*picture = s->picture;
*data_size = sizeof(AVPicture);
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 024c8fd..8f16d3a 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1605,7 +1605,7 @@
vorbis_context *vc = avccontext->priv_data ;
GetBitContext *gb = &(vc->gb);
const float *channel_ptrs[255];
- int i, len;
+ int i, len, out_size;
if (!buf_size)
return 0;
@@ -1630,6 +1630,13 @@
av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n",
get_bits_count(gb) / 8, get_bits_count(gb) % 8, len);
+ out_size = len * vc->audio_channels *
+ av_get_bytes_per_sample(avccontext->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if (vc->audio_channels > 8) {
for (i = 0; i < vc->audio_channels; i++)
channel_ptrs[i] = vc->channel_floors + i * len;
@@ -1645,8 +1652,7 @@
vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len,
vc->audio_channels);
- *data_size = len * vc->audio_channels *
- av_get_bytes_per_sample(avccontext->sample_fmt);
+ *data_size = out_size;
return buf_size ;
}
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index b9af998..549f494 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -45,6 +45,7 @@
#define FRAGMENT_PIXELS 8
static av_cold int vp3_decode_end(AVCodecContext *avctx);
+static void vp3_decode_flush(AVCodecContext *avctx);
//FIXME split things out into their own arrays
typedef struct Vp3Fragment {
@@ -890,7 +891,7 @@
/* decode a VLC into a token */
token = get_vlc2(gb, vlc_table, 11, 3);
/* use the token to get a zero run, a coefficient, and an eob run */
- if (token <= 6) {
+ if ((unsigned) token <= 6U) {
eob_run = eob_run_base[token];
if (eob_run_get_bits[token])
eob_run += get_bits(gb, eob_run_get_bits[token]);
@@ -908,7 +909,7 @@
coeff_i += eob_run;
eob_run = 0;
}
- } else {
+ } else if (token >= 0) {
bits_to_get = coeff_get_bits[token];
if (bits_to_get)
bits_to_get = get_bits(gb, bits_to_get);
@@ -942,6 +943,10 @@
for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
s->num_coded_frags[plane][i]--;
coeff_i++;
+ } else {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid token %d\n", token);
+ return -1;
}
}
@@ -991,6 +996,8 @@
/* unpack the Y plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the Y-plane DC coefficients */
reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -998,8 +1005,12 @@
/* unpack the C plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the C-plane DC coefficients */
if (!(s->avctx->flags & CODEC_FLAG_GRAY))
@@ -1036,11 +1047,17 @@
for (i = 1; i <= 63; i++) {
residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
return 0;
@@ -1777,10 +1794,15 @@
Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
int qps_changed = 0, i, err;
+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+
if (!s1->current_frame.data[0]
||s->width != s1->width
- ||s->height!= s1->height)
+ ||s->height!= s1->height) {
+ if (s != s1)
+ copy_fields(s, s1, golden_frame, current_frame);
return -1;
+ }
if (s != s1) {
// init tables if the first frame hasn't been decoded
@@ -1796,8 +1818,6 @@
memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
}
-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
-
// copy previous frame data
copy_fields(s, s1, golden_frame, dsp);
@@ -1987,9 +2007,6 @@
Vp3DecodeContext *s = avctx->priv_data;
int i;
- if (avctx->is_copy && !s->current_frame.data[0])
- return 0;
-
av_free(s->superblock_coding);
av_free(s->all_fragments);
av_free(s->coded_fragment_list[0]);
@@ -2016,12 +2033,7 @@
free_vlc(&s->motion_vector_vlc);
/* release all frames */
- if (s->golden_frame.data[0])
- ff_thread_release_buffer(avctx, &s->golden_frame);
- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
- ff_thread_release_buffer(avctx, &s->last_frame);
- /* no need to release the current_frame since it will always be pointing
- * to the same frame as either the golden or last frame */
+ vp3_decode_flush(avctx);
return 0;
}
@@ -2341,6 +2353,23 @@
ff_thread_release_buffer(avctx, &s->current_frame);
}
+static int vp3_init_thread_copy(AVCodecContext *avctx)
+{
+ Vp3DecodeContext *s = avctx->priv_data;
+
+ s->superblock_coding = NULL;
+ s->all_fragments = NULL;
+ s->coded_fragment_list[0] = NULL;
+ s->dct_tokens_base = NULL;
+ s->superblock_fragments = NULL;
+ s->macroblock_coding = NULL;
+ s->motion_val[0] = NULL;
+ s->motion_val[1] = NULL;
+ s->edge_emu_buffer = NULL;
+
+ return 0;
+}
+
AVCodec ff_theora_decoder = {
"theora",
AVMEDIA_TYPE_VIDEO,
@@ -2354,6 +2383,7 @@
NULL,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("Theora"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
#endif
@@ -2371,5 +2401,6 @@
NULL,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 3721d52..c66d2e7 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -374,7 +374,7 @@
if (b > 3) pt = 1;
vlc_coeff = &s->dccv_vlc[pt];
- for (coeff_idx=0; coeff_idx<64; ) {
+ for (coeff_idx = 0;;) {
int run = 1;
if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) {
s->nb_null[coeff_idx][pt]--;
@@ -411,6 +411,8 @@
}
}
coeff_idx+=run;
+ if (coeff_idx >= 64)
+ break;
cg = FFMIN(vp6_coeff_groups[coeff_idx], 3);
vlc_coeff = &s->ract_vlc[pt][ct][cg];
}
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index 3e93653..3217605 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -33,6 +33,19 @@
# include "arm/vp8.h"
#endif
+static void free_buffers(VP8Context *s)
+{
+ av_freep(&s->macroblocks_base);
+ av_freep(&s->filter_strength);
+ av_freep(&s->intra4x4_pred_mode_top);
+ av_freep(&s->top_nnz);
+ av_freep(&s->edge_emu_buffer);
+ av_freep(&s->top_border);
+ av_freep(&s->segmentation_map);
+
+ s->macroblocks = NULL;
+}
+
static void vp8_decode_flush(AVCodecContext *avctx)
{
VP8Context *s = avctx->priv_data;
@@ -45,15 +58,7 @@
}
memset(s->framep, 0, sizeof(s->framep));
- av_freep(&s->macroblocks_base);
- av_freep(&s->filter_strength);
- av_freep(&s->intra4x4_pred_mode_top);
- av_freep(&s->top_nnz);
- av_freep(&s->edge_emu_buffer);
- av_freep(&s->top_border);
- av_freep(&s->segmentation_map);
-
- s->macroblocks = NULL;
+ free_buffers(s);
}
static int update_dimensions(VP8Context *s, int width, int height)
@@ -273,7 +278,7 @@
if (!s->macroblocks_base || /* first frame */
width != s->avctx->width || height != s->avctx->height) {
- if ((ret = update_dimensions(s, width, height) < 0))
+ if ((ret = update_dimensions(s, width, height)) < 0)
return ret;
}
@@ -487,6 +492,7 @@
AV_ZERO32(&near_mv[0]);
AV_ZERO32(&near_mv[1]);
+ AV_ZERO32(&near_mv[2]);
/* Process MB on top, left and top-left */
#define MV_EDGE_CHECK(n)\
@@ -919,7 +925,8 @@
int mb_x, int mb_y)
{
AVCodecContext *avctx = s->avctx;
- int x, y, mode, nnz, tr;
+ int x, y, mode, nnz;
+ uint32_t tr;
// for the first row, we need to run xchg_mb_border to init the top edge to 127
// otherwise, skip it if we aren't going to deblock
@@ -948,7 +955,7 @@
// from the top macroblock
if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) &&
mb_x == s->mb_width-1) {
- tr = tr_right[-1]*0x01010101;
+ tr = tr_right[-1]*0x01010101u;
tr_right = (uint8_t *)&tr;
}
@@ -1749,6 +1756,11 @@
{
VP8Context *s = dst->priv_data, *s_src = src->priv_data;
+ if (s->macroblocks_base &&
+ (s_src->mb_width != s->mb_width || s_src->mb_height != s->mb_height)) {
+ free_buffers(s);
+ }
+
s->prob[0] = s_src->prob[!s_src->update_probabilities];
s->segmentation = s_src->segmentation;
s->lf_delta = s_src->lf_delta;
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index ca4fd94..64a68e1 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -138,6 +138,10 @@
/* load up the VQA parameters from the header */
vqa_header = (unsigned char *)s->avctx->extradata;
s->vqa_version = vqa_header[0];
+ if (s->vqa_version < 1 || s->vqa_version > 3) {
+ av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version);
+ return -1;
+ }
s->width = AV_RL16(&vqa_header[6]);
s->height = AV_RL16(&vqa_header[8]);
if(av_image_check_size(s->width, s->height, 0, avctx)){
@@ -226,6 +230,8 @@
src_index += 2;
av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
@@ -248,6 +254,8 @@
src_index += 2;
av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
@@ -268,6 +276,8 @@
src_index += 2;
av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
CHECK_COUNT();
+ if (dest_index < src_pos)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[dest_index - src_pos + i];
dest_index += count;
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index c343080..2227352 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1085,7 +1085,7 @@
int excl_range = s->aw_pulse_range; // always 16 or 24
uint16_t *use_mask_ptr = &use_mask[idx >> 4];
int first_sh = 16 - (idx & 15);
- *use_mask_ptr++ &= 0xFFFF << first_sh;
+ *use_mask_ptr++ &= 0xFFFFu << first_sh;
excl_range -= first_sh;
if (excl_range >= 16) {
*use_mask_ptr++ = 0;
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 10ec53f..c93ff43 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -129,7 +129,9 @@
if (size + size2 > dest_end - dest)
break;
}
- if (src + size > src_end || dest + size + size2 > dest_end)
+ if (src + size > src_end ||
+ dest + size + size2 > dest_end ||
+ dest + size - orig_dest < back )
return -1;
bytestream_get_buffer(&src, dest, size);
dest += size;
@@ -194,6 +196,8 @@
if (mode) {
for (j = 0; j < avctx->height >> 1; j++) {
for (i = 0; i < avctx->width >> 1; i++) {
+ if (src_end - src < 1)
+ return 0;
val = *src++;
if (val) {
val = AV_RL16(table + (val << 1));
@@ -202,8 +206,6 @@
U[i] = uval | (uval >> 5);
V[i] = vval | (vval >> 5);
}
- if (src == src_end)
- return 0;
}
U += s->pic.linesize[1];
V += s->pic.linesize[2];
@@ -214,6 +216,8 @@
for (j = 0; j < avctx->height >> 2; j++) {
for (i = 0; i < avctx->width >> 1; i += 2) {
+ if (src_end - src < 1)
+ return 0;
val = *src++;
if (val) {
val = AV_RL16(table + (val << 1));
@@ -302,6 +306,9 @@
corr_end - corr_off);
if (dec_size < 0)
dec_size = 0;
+ else
+ dec_size = FFMIN(dec_size, s->buffer_size/2 - 1);
+
for (i = 0; i < dec_size; i++)
s->y_buffer[i*2+1] = (s->y_buffer[i*2+1] + (s->scratch_buffer[i] << 1)) & 0x3F;
}
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 7ee0027..0fb04c4 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -809,6 +809,10 @@
DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
//printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
+ if (rsize+asf->packet_replic_size > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
+ return -1;
+ }
if (asf->packet_replic_size >= 8) {
asf->packet_obj_size = avio_rl32(pb);
if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
@@ -843,10 +847,6 @@
av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
return -1;
}
- if (rsize > asf->packet_size_left) {
- av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
- return -1;
- }
if (asf->packet_flags & 0x01) {
DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
if (rsize > asf->packet_size_left) {
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 0d13a9f..626261a 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -780,13 +780,14 @@
{
int i;
+ if (buflen <= 0)
+ return AVERROR(EINVAL);
// reserve 1 byte for terminating 0
buflen = FFMIN(buflen - 1, maxlen);
for (i = 0; i < buflen; i++)
if (!(buf[i] = avio_r8(s)))
return i + 1;
- if (buflen)
- buf[i] = 0;
+ buf[i] = 0;
for (; i < maxlen; i++)
if (!avio_r8(s))
return i + 1;
@@ -798,6 +799,8 @@
{\
char* q = buf;\
int ret = 0;\
+ if (buflen <= 0) \
+ return AVERROR(EINVAL); \
while (ret + 1 < maxlen) {\
uint8_t tmp;\
uint32_t ch;\
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 14b1c1f..ffc1898 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1811,7 +1811,7 @@
lace_size[n] = lace_size[n - 1] + snum;
total += lace_size[n];
}
- lace_size[n] = size - total;
+ lace_size[laces - 1] = size - total;
break;
}
}
diff --git a/libavformat/mov.c b/libavformat/mov.c
index b083a49..8fd9b32 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2403,14 +2403,21 @@
// The samples could theoretically be in any encoding if there's an encd
// atom following, but in practice are only utf-8 or utf-16, distinguished
// instead by the presence of a BOM
- ch = avio_rb16(sc->pb);
- if (ch == 0xfeff)
- avio_get_str16be(sc->pb, len, title, title_len);
- else if (ch == 0xfffe)
- avio_get_str16le(sc->pb, len, title, title_len);
- else {
- AV_WB16(title, ch);
- get_strz(sc->pb, title + 2, len - 1);
+ if (!len) {
+ title[0] = 0;
+ } else {
+ ch = avio_rb16(sc->pb);
+ if (ch == 0xfeff)
+ avio_get_str16be(sc->pb, len, title, title_len);
+ else if (ch == 0xfffe)
+ avio_get_str16le(sc->pb, len, title, title_len);
+ else {
+ AV_WB16(title, ch);
+ if (len == 1 || len == 2)
+ title[len] = 0;
+ else
+ get_strz(sc->pb, title + 2, len - 1);
+ }
}
ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);
diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c
index 50342bb..76d1813 100644
--- a/libavformat/mp3enc.c
+++ b/libavformat/mp3enc.c
@@ -51,11 +51,12 @@
buf[0] = 'T';
buf[1] = 'A';
buf[2] = 'G';
- count += id3v1_set_string(s, "TIT2", buf + 3, 30); //title
- count += id3v1_set_string(s, "TPE1", buf + 33, 30); //author|artist
- count += id3v1_set_string(s, "TALB", buf + 63, 30); //album
- count += id3v1_set_string(s, "TDRL", buf + 93, 4); //date
- count += id3v1_set_string(s, "comment", buf + 97, 30);
+ /* we knowingly overspecify each tag length by one byte to compensate for the mandatory null byte added by av_strlcpy */
+ count += id3v1_set_string(s, "TIT2", buf + 3, 30 + 1); //title
+ count += id3v1_set_string(s, "TPE1", buf + 33, 30 + 1); //author|artist
+ count += id3v1_set_string(s, "TALB", buf + 63, 30 + 1); //album
+ count += id3v1_set_string(s, "TDRL", buf + 93, 4 + 1); //date
+ count += id3v1_set_string(s, "comment", buf + 97, 30 + 1);
if ((tag = av_dict_get(s->metadata, "TRCK", NULL, 0))) { //track
buf[125] = 0;
buf[126] = atoi(tag->value);
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index d3c9e78..e5c21cc 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1088,7 +1088,7 @@
// stop parsing after pmt, we found header
if (!ts->stream->nb_streams)
- ts->stop_parse = 1;
+ ts->stop_parse = 2;
for(;;) {
st = 0;
@@ -1408,11 +1408,15 @@
ts->stop_parse = 0;
packet_num = 0;
for(;;) {
- if (ts->stop_parse>0)
- break;
packet_num++;
- if (nb_packets != 0 && packet_num >= nb_packets)
+ if (nb_packets != 0 && packet_num >= nb_packets ||
+ ts->stop_parse > 1) {
+ ret = AVERROR(EAGAIN);
break;
+ }
+ if (ts->stop_parse > 0)
+ break;
+
ret = read_packet(s, packet, ts->raw_packet_size);
if (ret != 0)
return ret;
@@ -1863,10 +1867,8 @@
len1 = len;
ts->pkt = pkt;
- ts->stop_parse = 0;
for(;;) {
- if (ts->stop_parse>0)
- break;
+ ts->stop_parse = 0;
if (len < TS_PACKET_SIZE)
return -1;
if (buf[0] != 0x47) {
@@ -1876,6 +1878,8 @@
handle_packet(ts, buf);
buf += TS_PACKET_SIZE;
len -= TS_PACKET_SIZE;
+ if (ts->stop_parse == 1)
+ break;
}
}
return len1 - len;
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 7e96472..32dedfb 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -84,7 +84,7 @@
{ "mpegts_service_id", "Set service_id field.",
offsetof(MpegTSWrite, service_id), FF_OPT_TYPE_INT, {.dbl = 0x0001 }, 0x0001, 0xffff, AV_OPT_FLAG_ENCODING_PARAM},
{ "mpegts_pmt_start_pid", "Set the first pid of the PMT.",
- offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x1000, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM},
+ offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x0010, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM},
{ "mpegts_start_pid", "Set the first pid.",
offsetof(MpegTSWrite, start_pid), FF_OPT_TYPE_INT, {.dbl = 0x0100 }, 0x0100, 0x0f00, AV_OPT_FLAG_ENCODING_PARAM},
{ NULL },
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index a69944d..953d3b0 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -223,12 +223,13 @@
if (length > 61444) /* worst case PAL 1920 samples 8 channels */
return -1;
- av_new_packet(pkt, length);
- avio_read(pb, pkt->data, length);
+ length = av_get_packet(pb, pkt, length);
+ if (length < 0)
+ return length;
data_ptr = pkt->data;
end_ptr = pkt->data + length;
buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */
- for (; buf_ptr < end_ptr; ) {
+ for (; buf_ptr + st->codec->channels*4 < end_ptr; ) {
for (i = 0; i < st->codec->channels; i++) {
uint32_t sample = bytestream_get_le32(&buf_ptr);
if (st->codec->bits_per_coded_sample == 24)
@@ -238,7 +239,7 @@
}
buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M
}
- pkt->size = data_ptr - pkt->data;
+ av_shrink_packet(pkt, data_ptr - pkt->data);
return 0;
}
@@ -290,12 +291,16 @@
if (memcmp(tmpbuf, checkv, 16))
av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n");
size -= 32;
- av_get_packet(pb, pkt, size);
+ size = av_get_packet(pb, pkt, size);
+ if (size < 0)
+ return size;
+ else if (size < plaintext_size)
+ return AVERROR_INVALIDDATA;
size -= plaintext_size;
if (mxf->aesc)
av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size],
&pkt->data[plaintext_size], size >> 4, ivec, 1);
- pkt->size = orig_size;
+ av_shrink_packet(pkt, orig_size);
pkt->stream_index = index;
avio_skip(pb, end - avio_tell(pb));
return 0;
@@ -332,8 +337,11 @@
av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n");
return -1;
}
- } else
- av_get_packet(s->pb, pkt, klv.length);
+ } else {
+ int ret = av_get_packet(s->pb, pkt, klv.length);
+ if (ret < 0)
+ return ret;
+ }
pkt->stream_index = index;
pkt->pos = klv.offset;
return 0;
diff --git a/libavformat/riff.c b/libavformat/riff.c
index 1ccd909..a834084 100644
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -287,6 +287,7 @@
{ CODEC_ID_ADPCM_YAMAHA, 0x0020 },
{ CODEC_ID_TRUESPEECH, 0x0022 },
{ CODEC_ID_GSM_MS, 0x0031 },
+ { CODEC_ID_AMR_NB, 0x0038 }, /* rogue format number */
{ CODEC_ID_ADPCM_G726, 0x0045 },
{ CODEC_ID_MP2, 0x0050 },
{ CODEC_ID_MP3, 0x0055 },
diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c
index 9fc30d7..130a78d 100644
--- a/libavformat/rtpdec.c
+++ b/libavformat/rtpdec.c
@@ -111,14 +111,15 @@
static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len)
{
int payload_len;
- while (len >= 2) {
+ while (len >= 4) {
+ payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4);
+
switch (buf[1]) {
case RTCP_SR:
- if (len < 16) {
+ if (payload_len < 20) {
av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n");
return AVERROR_INVALIDDATA;
}
- payload_len = (AV_RB16(buf + 2) + 1) * 4;
s->last_rtcp_ntp_time = AV_RB64(buf + 8);
s->last_rtcp_timestamp = AV_RB32(buf + 16);
@@ -129,14 +130,13 @@
s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp;
}
- buf += payload_len;
- len -= payload_len;
break;
case RTCP_BYE:
return -RTCP_BYE;
- default:
- return -1;
}
+
+ buf += payload_len;
+ len -= payload_len;
}
return -1;
}
diff --git a/libavformat/tta.c b/libavformat/tta.c
index c37039d..9df9763 100644
--- a/libavformat/tta.c
+++ b/libavformat/tta.c
@@ -107,6 +107,10 @@
return -1;
}
st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE);
+ if (!st->codec->extradata) {
+ st->codec->extradata_size = 0;
+ return AVERROR(ENOMEM);
+ }
avio_seek(s->pb, start_offset, SEEK_SET);
avio_read(s->pb, st->codec->extradata, st->codec->extradata_size);
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 591a121..96ceae9 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2465,9 +2465,9 @@
}
{
int64_t last = st->info->last_dts;
- int64_t duration= pkt->dts - last;
- if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){
+ if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){
+ int64_t duration= pkt->dts - last;
double dur= duration * av_q2d(st->time_base);
// if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO)
diff --git a/libavformat/westwood.c b/libavformat/westwood.c
index 818fe2d..dd6ddef 100644
--- a/libavformat/westwood.c
+++ b/libavformat/westwood.c
@@ -277,10 +277,8 @@
/* there are 0 or more chunks before the FINF chunk; iterate until
* FINF has been skipped and the file will be ready to be demuxed */
do {
- if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) {
- av_free(st->codec->extradata);
+ if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE)
return AVERROR(EIO);
- }
chunk_tag = AV_RB32(&scratch[0]);
chunk_size = AV_RB32(&scratch[4]);
diff --git a/libavutil/arm/intmath.h b/libavutil/arm/intmath.h
index 4130177..1e9d3e8 100644
--- a/libavutil/arm/intmath.h
+++ b/libavutil/arm/intmath.h
@@ -104,7 +104,7 @@
"mvnne %1, #1<<31 \n\t"
"moveq %0, %Q2 \n\t"
"eorne %0, %1, %R2, asr #31 \n\t"
- : "=r"(x), "=&r"(y) : "r"(a));
+ : "=r"(x), "=&r"(y) : "r"(a):"cc");
return x;
}
diff --git a/libavutil/crc.c b/libavutil/crc.c
index c3d74a2..d0e736e 100644
--- a/libavutil/crc.c
+++ b/libavutil/crc.c
@@ -57,7 +57,7 @@
* @return <0 on failure
*/
int av_crc_init(AVCRC *ctx, int le, int bits, uint32_t poly, int ctx_size){
- int i, j;
+ unsigned i, j;
uint32_t c;
if (bits < 8 || bits > 32 || poly >= (1LL<<bits))
diff --git a/libavutil/mem.c b/libavutil/mem.c
index 9c2e120..9916234 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -137,7 +137,9 @@
//FIXME this isn't aligned correctly, though it probably isn't needed
if(!ptr) return av_malloc(size);
diff= ((char*)ptr)[-1];
- return (char*)realloc((char*)ptr - diff, size + diff) + diff;
+ ptr= realloc((char*)ptr - diff, size + diff);
+ if(ptr) ptr = (char*)ptr + diff;
+ return ptr;
#else
return realloc(ptr, size + !size);
#endif
