author | Sebastian Dröge <sebastian@centricular.com> | 2013-11-09 17:00:42 +0100 |
---|---|---|
committer | Sebastian Dröge <sebastian@centricular.com> | 2013-11-09 17:00:42 +0100 |
commit | 6f5ff9b84f6e3ad68f3e777622282d5db6ccc0e0 (patch) | |
tree | 1b956fe5fecdb053bf78525970f32322fe1d8eca /gst-libs/ext/libav/libavcodec | |
parent | 7cb19d4fb99d5bcd2eba76245bc2af9d889b4ff1 (diff) |
Imported Upstream version 1.2.1upstream/1.2.1
Diffstat (limited to 'gst-libs/ext/libav/libavcodec')
31 files changed, 205 insertions, 96 deletions
diff --git a/gst-libs/ext/libav/libavcodec/alac.c b/gst-libs/ext/libav/libavcodec/alac.c index 72e9353..139e352 100644 --- a/gst-libs/ext/libav/libavcodec/alac.c +++ b/gst-libs/ext/libav/libavcodec/alac.c @@ -315,6 +315,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index, rice_history_mult[ch] = get_bits(&alac->gb, 3); lpc_order[ch] = get_bits(&alac->gb, 5); + if (lpc_order[ch] >= alac->max_samples_per_frame) + return AVERROR_INVALIDDATA; + /* read the predictor table */ for (i = lpc_order[ch] - 1; i >= 0; i--) lpc_coefs[ch][i] = get_sbits(&alac->gb, 16); diff --git a/gst-libs/ext/libav/libavcodec/asvdec.c b/gst-libs/ext/libav/libavcodec/asvdec.c index 16722a9..d3579de 100644 --- a/gst-libs/ext/libav/libavcodec/asvdec.c +++ b/gst-libs/ext/libav/libavcodec/asvdec.c @@ -285,6 +285,11 @@ static av_cold int decode_init(AVCodecContext *avctx) const int scale = avctx->codec_id == AV_CODEC_ID_ASV1 ? 1 : 2; int i; + if (avctx->extradata_size < 1) { + av_log(avctx, AV_LOG_ERROR, "No extradata provided\n"); + return AVERROR_INVALIDDATA; + } + ff_asv_common_init(avctx); init_vlcs(a); ff_init_scantable(a->dsp.idct_permutation, &a->scantable, ff_asv_scantab); diff --git a/gst-libs/ext/libav/libavcodec/cavsdec.c b/gst-libs/ext/libav/libavcodec/cavsdec.c index cef6b95..7cfb2ca 100644 --- a/gst-libs/ext/libav/libavcodec/cavsdec.c +++ b/gst-libs/ext/libav/libavcodec/cavsdec.c @@ -931,6 +931,11 @@ static int decode_pic(AVSContext *h) int skip_count = -1; enum cavs_mb mb_type; + if (!h->top_qp) { + av_log(h->avctx, AV_LOG_ERROR, "No sequence header decoded yet\n"); + return AVERROR_INVALIDDATA; + } + skip_bits(&h->gb, 16);//bbv_dwlay if (h->stc == PIC_PB_START_CODE) { h->cur.f->pict_type = get_bits(&h->gb, 2) + AV_PICTURE_TYPE_I; diff --git a/gst-libs/ext/libav/libavcodec/dcadec.c b/gst-libs/ext/libav/libavcodec/dcadec.c index 561c30c..eecdeaa 100644 --- a/gst-libs/ext/libav/libavcodec/dcadec.c +++ b/gst-libs/ext/libav/libavcodec/dcadec.c 
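Review bot: The new bound on `lpc_order[ch]` in alac.c returns `AVERROR_INVALIDDATA` without logging anything, while most of the other checks added in this commit emit an `av_log` error first. A one-line message before the return, e.g. `av_log(avctx, AV_LOG_ERROR, "Invalid LPC order\n");`, would make a rejected stream diagnosable from the log. decode_element starts and ends outside the hunk.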
@@ -582,6 +582,11 @@ static int dca_parse_frame_header(DCAContext *s) s->lfe = get_bits(&s->gb, 2); s->predictor_history = get_bits(&s->gb, 1); + if (s->lfe > 2) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe); + return AVERROR_INVALIDDATA; + } + /* TODO: check CRC */ if (s->crc_present) s->header_crc = get_bits(&s->gb, 16); diff --git a/gst-libs/ext/libav/libavcodec/eacmv.c b/gst-libs/ext/libav/libavcodec/eacmv.c index 0dce066..b7e13b1 100644 --- a/gst-libs/ext/libav/libavcodec/eacmv.c +++ b/gst-libs/ext/libav/libavcodec/eacmv.c @@ -108,9 +108,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } diff --git a/gst-libs/ext/libav/libavcodec/ffv1.c b/gst-libs/ext/libav/libavcodec/ffv1.c index 682d111..f6d9eaf 100644 --- a/gst-libs/ext/libav/libavcodec/ffv1.c +++ b/gst-libs/ext/libav/libavcodec/ffv1.c @@ -194,6 +194,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) int i; f->slice_count = f->num_h_slices * f->num_v_slices; + if (f->slice_count <= 0) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n"); + return AVERROR(EINVAL); + } for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); diff --git a/gst-libs/ext/libav/libavcodec/fraps.c b/gst-libs/ext/libav/libavcodec/fraps.c index 6ac0c61..a691d9e 100644 --- a/gst-libs/ext/libav/libavcodec/fraps.c +++ b/gst-libs/ext/libav/libavcodec/fraps.c 
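Review bot: When `s->last_frame.data[0]` is NULL the inter branch in eacmv.c now skips `cmv_motcomp` without writing the block or reporting anything, so the output for that block is whatever the frame buffer already held. Whether that buffer is cleared on allocation is not visible from this hunk; if it is not, stale or uninitialised memory could end up in the decoded picture. Consider an `else` branch that fills the block with a fixed value or logs the missing reference. cmv_decode_inter starts and ends outside the hunk.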
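Review bot: The `f->slice_count <= 0` test in ffv1.c runs after `f->num_h_slices * f->num_v_slices` has been computed, so it catches a zero or negative product but not one that overflowed and came out positive (signed overflow is undefined behaviour, assuming both factors are `int`). If the factors are not bounded before this function is called, which is not visible here, validate them before multiplying, e.g. `if (f->num_h_slices <= 0 || f->num_v_slices <= 0 || f->num_h_slices > INT_MAX / f->num_v_slices)`. The loop that follows allocates one context per slice, so the count also deserves a sane upper limit.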
@@ -140,10 +140,17 @@ static int decode_frame(AVCodecContext *avctx, uint32_t offs[4]; int i, j, is_chroma, planes; enum AVPixelFormat pix_fmt; + int prev_pic_bit, expected_size; + + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } header = AV_RL32(buf); version = header & 0xff; header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */ + prev_pic_bit = header & (1U << 31); /* bit 31 means same as previous pic */ if (version > 5) { av_log(avctx, AV_LOG_ERROR, @@ -162,16 +169,19 @@ static int decode_frame(AVCodecContext *avctx, } avctx->pix_fmt = pix_fmt; - switch(version) { + expected_size = header_size; + + switch (version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ - if ( (buf_size != avctx->width*avctx->height*3/2+header_size) && - (buf_size != header_size) ) { + if (!prev_pic_bit) + expected_size += avctx->width * avctx->height * 3 / 2; + if (buf_size != expected_size) { av_log(avctx, AV_LOG_ERROR, "Invalid frame length %d (should be %d)\n", - buf_size, avctx->width*avctx->height*3/2+header_size); - return -1; + buf_size, expected_size); + return AVERROR_INVALIDDATA; } if (( (avctx->width % 8) != 0) || ( (avctx->height % 2) != 0 )) { @@ -188,8 +198,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } - /* bit 31 means same as previous pic */ - f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; f->key_frame = f->pict_type == AV_PICTURE_TYPE_I; if (f->pict_type == AV_PICTURE_TYPE_I) { 
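Review bot: `prev_pic_bit = header & (1U << 31);` in fraps.c stores an unsigned value with only the top bit set into an `int`, and that conversion is implementation-defined in C when the value does not fit. The variable is only used as a truth value in the hunks shown (`if (!prev_pic_bit)`, `prev_pic_bit ? ... : ...`), so normalising it removes the dependence: `prev_pic_bit = !!(header & (1U << 31));`. decode_frame begins before and continues after this hunk.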
@@ -213,12 +222,13 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ - if ( (buf_size != avctx->width*avctx->height*3+header_size) && - (buf_size != header_size) ) { + if (!prev_pic_bit) + expected_size += avctx->width * avctx->height * 3; + if (buf_size != expected_size) { av_log(avctx, AV_LOG_ERROR, "Invalid frame length %d (should be %d)\n", - buf_size, avctx->width*avctx->height*3+header_size); - return -1; + buf_size, expected_size); + return AVERROR_INVALIDDATA; } f->reference = 1; @@ -229,8 +239,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } - /* bit 31 means same as previous pic */ - f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; f->key_frame = f->pict_type == AV_PICTURE_TYPE_I; if (f->pict_type == AV_PICTURE_TYPE_I) { diff --git a/gst-libs/ext/libav/libavcodec/h263dec.c b/gst-libs/ext/libav/libavcodec/h263dec.c index fc5f565..db58fd2 100644 --- a/gst-libs/ext/libav/libavcodec/h263dec.c +++ b/gst-libs/ext/libav/libavcodec/h263dec.c @@ -385,8 +385,6 @@ uint64_t time= rdtsc(); } -retry: - if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8); }else @@ -569,17 +567,6 @@ retry: /* FIXME: By the way H263 decoder is evolving it should have */ /* an H263EncContext */ - if (!avctx->coded_width || !avctx->coded_height) { - ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat - - s->parse_context.buffer=0; - ff_MPV_common_end(s); - s->parse_context= pc; - avcodec_set_dimensions(avctx, s->width, s->height); - - goto retry; - } - if (s->width != avctx->coded_width || s->height != avctx->coded_height || s->context_reinit) { 
diff --git a/gst-libs/ext/libav/libavcodec/ivi_common.c b/gst-libs/ext/libav/libavcodec/ivi_common.c index 2a73754..152e9c4 100644 --- a/gst-libs/ext/libav/libavcodec/ivi_common.c +++ b/gst-libs/ext/libav/libavcodec/ivi_common.c @@ -938,6 +938,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_PATCHWELCOME; } + if (!ctx->planes[0].bands) { + av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n"); + return AVERROR_INVALIDDATA; + } + ctx->switch_buffers(ctx); //{ START_TIMER; diff --git a/gst-libs/ext/libav/libavcodec/mace.c b/gst-libs/ext/libav/libavcodec/mace.c index c78a207..5074e4b 100644 --- a/gst-libs/ext/libav/libavcodec/mace.c +++ b/gst-libs/ext/libav/libavcodec/mace.c @@ -229,8 +229,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx) { MACEContext *ctx = avctx->priv_data; - if (avctx->channels > 2) - return -1; + if (avctx->channels > 2 || avctx->channels < 1) + return AVERROR(EINVAL); avctx->sample_fmt = AV_SAMPLE_FMT_S16P; avcodec_get_frame_defaults(&ctx->frame); diff --git a/gst-libs/ext/libav/libavcodec/mpeg4videodec.c b/gst-libs/ext/libav/libavcodec/mpeg4videodec.c index faa9866..7ff290c 100644 --- a/gst-libs/ext/libav/libavcodec/mpeg4videodec.c +++ b/gst-libs/ext/libav/libavcodec/mpeg4videodec.c @@ -152,7 +152,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){ return 0; } -static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) +static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb) { int i; int a= 2<<s->sprite_warping_accuracy; @@ -168,6 +168,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb int h= s->height; int min_ab; + if (w <= 0 || h <= 0) + return AVERROR_INVALIDDATA; + for(i=0; i<s->num_sprite_warping_points; i++){ int length; int x=0, y=0; 
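Review bot: `mpeg4_decode_sprite_trajectory` now returns `int` and rejects `w <= 0 || h <= 0`, but the early return is silent and the lines shown carry no comment stating the new contract. Add a short doc comment above the definition, e.g. `/* Returns 0 on success, a negative AVERROR code if the frame dimensions are not valid. */`, and log the rejection through `av_log(s->avctx, AV_LOG_ERROR, ...)` as the other decoders in this commit do. The function body extends past this hunk; the matching `return 0;` and the two call sites are in later hunks of the same file.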
@@ -340,6 +343,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb } s->real_sprite_warping_points= s->num_sprite_warping_points; } + return 0; } /** @@ -414,7 +418,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s) skip_bits(&s->gb, 3); /* intra dc vlc threshold */ //FIXME don't just ignore everything if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){ - mpeg4_decode_sprite_trajectory(s, &s->gb); + if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_ERROR, "untested\n"); } @@ -2029,7 +2034,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){ } if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){ - mpeg4_decode_sprite_trajectory(s, gb); + if (mpeg4_decode_sprite_trajectory(s, gb) < 0) + return AVERROR_INVALIDDATA; if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n"); if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); } diff --git a/gst-libs/ext/libav/libavcodec/mpegaudiodec.c b/gst-libs/ext/libav/libavcodec/mpegaudiodec.c index fda0280..bd096df 100644 --- a/gst-libs/ext/libav/libavcodec/mpegaudiodec.c +++ b/gst-libs/ext/libav/libavcodec/mpegaudiodec.c @@ -1936,7 +1936,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header); - if (ch + m->nb_channels > avctx->channels) { + if (ch + m->nb_channels > avctx->channels || + s->coff[fr] + m->nb_channels > avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec " "channel count\n"); return AVERROR_INVALIDDATA; diff --git a/gst-libs/ext/libav/libavcodec/mpegvideo.c b/gst-libs/ext/libav/libavcodec/mpegvideo.c index 77e21d2..0274f01 100644 --- a/gst-libs/ext/libav/libavcodec/mpegvideo.c 
+++ b/gst-libs/ext/libav/libavcodec/mpegvideo.c @@ -914,17 +914,17 @@ av_cold int ff_MPV_common_init(MpegEncContext *s) s->flags = s->avctx->flags; s->flags2 = s->avctx->flags2; - if (s->width && s->height) { - /* set chroma shifts */ - av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, - &s->chroma_x_shift, - &s->chroma_y_shift); + /* set chroma shifts */ + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); - /* convert fourcc to upper case */ - s->codec_tag = avpriv_toupper4(s->avctx->codec_tag); + /* convert fourcc to upper case */ + s->codec_tag = avpriv_toupper4(s->avctx->codec_tag); - s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag); + s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag); + if (s->width && s->height) { s->avctx->coded_frame = &s->current_picture.f; if (s->encoding) { diff --git a/gst-libs/ext/libav/libavcodec/pcx.c b/gst-libs/ext/libav/libavcodec/pcx.c index ba3703a..223429d 100644 --- a/gst-libs/ext/libav/libavcodec/pcx.c +++ b/gst-libs/ext/libav/libavcodec/pcx.c @@ -184,7 +184,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } else if (nplanes == 1 && bits_per_pixel == 8) { const uint8_t *palstart = bufstart + buf_size - 769; - for (y=0; y<h; y++, ptr+=stride) { + if (buf_size < 769) { + av_log(avctx, AV_LOG_ERROR, "File is too short\n"); + ret = buf_size; + goto end; + } + + for (y = 0; y < h; y++, ptr += stride) { buf = pcx_rle_decode(buf, buf_end, scanline, bytes_per_scanline, compressed); memcpy(ptr, scanline, w); @@ -196,6 +202,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (*buf++ != 12) { av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n"); + ret = buf_size; goto end; } diff --git a/gst-libs/ext/libav/libavcodec/pngdec.c b/gst-libs/ext/libav/libavcodec/pngdec.c index 9c340ea..6c2df12 100644 --- a/gst-libs/ext/libav/libavcodec/pngdec.c 
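Review bot: In pcx.c, `palstart = bufstart + buf_size - 769` is still evaluated in the declaration before the new `buf_size < 769` test, so for a short packet the pointer arithmetic steps outside the buffer (undefined behaviour) before the guard runs. Declare `palstart` without an initialiser and assign it after the check. Both new error paths (this hunk and the next one, before `goto end`) set `ret = buf_size`, which, if `end:` simply returns `ret`, reports the malformed packet as fully consumed rather than as an error; `ret = AVERROR_INVALIDDATA;` would match the other decoders in this commit. The `end:` label is outside the hunk, so confirm what it returns.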
+++ b/gst-libs/ext/libav/libavcodec/pngdec.c @@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length) s->zstream.avail_out = s->crow_size; s->zstream.next_out = s->crow_buf; } + if (ret == Z_STREAM_END && s->zstream.avail_in > 0) { + av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in); + return 0; + } } return 0; } diff --git a/gst-libs/ext/libav/libavcodec/qpeg.c b/gst-libs/ext/libav/libavcodec/qpeg.c index 4a918e7..75e1223 100644 --- a/gst-libs/ext/libav/libavcodec/qpeg.c +++ b/gst-libs/ext/libav/libavcodec/qpeg.c @@ -190,6 +190,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */ @@ -201,6 +203,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0x80) { /* skip code: 0x80..0xBF */ diff --git a/gst-libs/ext/libav/libavcodec/rpza.c b/gst-libs/ext/libav/libavcodec/rpza.c index 57d4d2d..59b15c6 100644 --- a/gst-libs/ext/libav/libavcodec/rpza.c +++ b/gst-libs/ext/libav/libavcodec/rpza.c @@ -203,7 +203,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: - if (s->size - stream_ptr < 16) + if (s->size - stream_ptr < 30) return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { diff --git a/gst-libs/ext/libav/libavcodec/rv10.c b/gst-libs/ext/libav/libavcodec/rv10.c index 26af29f..04518dd 100644 --- a/gst-libs/ext/libav/libavcodec/rv10.c +++ b/gst-libs/ext/libav/libavcodec/rv10.c 
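Review bot: The new warning in pngdec.c prints `s->zstream.avail_in` with `%d`, but zlib declares `avail_in` as `uInt`, so the specifier should be `%u`. It also passes `NULL` as the logging context, which drops the codec identity from the message; if `PNGDecContext` carries an `avctx` pointer (not visible in this hunk), pass that instead. png_decode_idat starts outside the hunk.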
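Review bot: The bound in rpza.c changes from 16 to 30 with no explanation of where 30 comes from. If the opcode reads fifteen further 16-bit colours after one that has already been consumed (which the "Fill block with 16 colors" comment suggests, but the reads are outside the hunk), say so next to the check with `/* 15 remaining colours, 2 bytes each */`, or write the bound as `15 * 2`. A derived expression makes it much easier to audit the guard against the loop it protects.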
@@ -426,12 +426,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) RVDecContext *rv = avctx->priv_data; MpegEncContext *s = &rv->m; static int done=0; - int major_ver, minor_ver, micro_ver; + int major_ver, minor_ver, micro_ver, ret; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; } + if ((ret = av_image_check_size(avctx->coded_width, + avctx->coded_height, 0, avctx)) < 0) + return ret; ff_MPV_decode_defaults(s); diff --git a/gst-libs/ext/libav/libavcodec/rv30.c b/gst-libs/ext/libav/libavcodec/rv30.c index 3c3579b..b61b75d 100644 --- a/gst-libs/ext/libav/libavcodec/rv30.c +++ b/gst-libs/ext/libav/libavcodec/rv30.c @@ -244,9 +244,11 @@ static void rv30_loop_filter(RV34DecContext *r, int row) static av_cold int rv30_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; + int ret; r->rv30 = 1; - ff_rv34_decode_init(avctx); + if ((ret = ff_rv34_decode_init(avctx)) < 0) + return ret; if(avctx->extradata_size < 2){ av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; diff --git a/gst-libs/ext/libav/libavcodec/rv40.c b/gst-libs/ext/libav/libavcodec/rv40.c index f95622a..d317d07 100644 --- a/gst-libs/ext/libav/libavcodec/rv40.c +++ b/gst-libs/ext/libav/libavcodec/rv40.c @@ -545,9 +545,11 @@ static void rv40_loop_filter(RV34DecContext *r, int row) static av_cold int rv40_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; + int ret; r->rv30 = 0; - ff_rv34_decode_init(avctx); + if ((ret = ff_rv34_decode_init(avctx)) < 0) + return ret; if(!aic_top_vlc.bits) rv40_init_tables(); r->parse_slice_header = rv40_parse_slice_header; diff --git a/gst-libs/ext/libav/libavcodec/shorten.c b/gst-libs/ext/libav/libavcodec/shorten.c index 0b4a473..fda90fe 100644 --- a/gst-libs/ext/libav/libavcodec/shorten.c +++ b/gst-libs/ext/libav/libavcodec/shorten.c 
@@ -206,31 +206,38 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, { int len; short wave_format; + GetByteContext gb; - if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { + bytestream2_init(&gb, header, header_size); + + if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); return AVERROR_INVALIDDATA; } - header += 4; /* chunk size */ + bytestream2_skip(&gb, 4); /* chunk size */ - if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { + if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); return AVERROR_INVALIDDATA; } - while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { - len = bytestream_get_le32(&header); - header += len; + while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) { + len = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, len); + if (bytestream2_get_bytes_left(&gb) < 16) { + av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n"); + return AVERROR_INVALIDDATA; + } } - len = bytestream_get_le32(&header); + len = bytestream2_get_le32(&gb); if (len < 16) { av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n"); return AVERROR_INVALIDDATA; } - wave_format = bytestream_get_le16(&header); + wave_format = bytestream2_get_le16(&gb); switch (wave_format) { case WAVE_FORMAT_PCM: 
@@ -240,11 +247,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, return AVERROR(ENOSYS); } - header += 2; // skip channels (already got from shorten header) - avctx->sample_rate = bytestream_get_le32(&header); - header += 4; // skip bit rate (represents original uncompressed bit rate) - header += 2; // skip block align (not needed) - avctx->bits_per_coded_sample = bytestream_get_le16(&header); + bytestream2_skip(&gb, 2); // skip channels (already got from shorten header) + avctx->sample_rate = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, 4); // skip bit rate (represents original uncompressed bit rate) + bytestream2_skip(&gb, 2); // skip block align (not needed) + avctx->bits_per_coded_sample = bytestream2_get_le16(&gb); if (avctx->bits_per_coded_sample != 16) { av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n"); diff --git a/gst-libs/ext/libav/libavcodec/smacker.c b/gst-libs/ext/libav/libavcodec/smacker.c index a72d7c5..2baf059 100644 --- a/gst-libs/ext/libav/libavcodec/smacker.c +++ b/gst-libs/ext/libav/libavcodec/smacker.c @@ -257,6 +257,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; + if (ctx.last[0] >= huff.length || + ctx.last[1] >= huff.length || + ctx.last[2] >= huff.length) { + av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n"); + err = AVERROR_INVALIDDATA; + } *recodes = huff.values; diff --git a/gst-libs/ext/libav/libavcodec/svq3.c b/gst-libs/ext/libav/libavcodec/svq3.c index 68bf2f7..34cda32 100644 --- a/gst-libs/ext/libav/libavcodec/svq3.c +++ b/gst-libs/ext/libav/libavcodec/svq3.c 
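Review bot: Unlike the other checks in this commit, the new range test in smacker.c only sets `err = AVERROR_INVALIDDATA` and falls through, so `*recodes = huff.values` on the next line still hands the table to the caller on the failure path. If that is deliberate so that cleanup and a final `return err` further down still run (both outside this hunk), add a comment such as `/* no early return: the cleanup below must still run */`. Also confirm that callers stop using the table once the function reports an error.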
@@ -634,9 +634,9 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3 * (dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1) { - av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); - return -1; + if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "ff_h264_check_intra_pred_mode < 0\n"); + return h->intra16x16_pred_mode; } cbp = i_mb_type_info[mb_type - 8].cbp; @@ -956,7 +956,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) int offset = get_bits_count(&gb) + 7 >> 3; uint8_t *buf; - if ((uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) + if (watermark_height > 0 && + (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1; buf = av_malloc(buf_len); diff --git a/gst-libs/ext/libav/libavcodec/truemotion2.c b/gst-libs/ext/libav/libavcodec/truemotion2.c index 2d7a510..7691989 100644 --- a/gst-libs/ext/libav/libavcodec/truemotion2.c +++ b/gst-libs/ext/libav/libavcodec/truemotion2.c @@ -905,14 +905,14 @@ static av_cold int decode_init(AVCodecContext *avctx){ if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; diff --git a/gst-libs/ext/libav/libavcodec/twinvq.c b/gst-libs/ext/libav/libavcodec/twinvq.c index 8989469..f6c897f 100644 --- a/gst-libs/ext/libav/libavcodec/twinvq.c +++ b/gst-libs/ext/libav/libavcodec/twinvq.c 
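Review bot: Adding `watermark_height > 0 &&` in svq3_decode_init avoids the division by zero, but a zero height now skips the overflow test entirely and execution continues to `av_malloc(buf_len)` with an empty watermark geometry. Unless a zero-height watermark is meaningful here, reject it together with the overflow case: `if (watermark_height <= 0 || (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1;`. How `buf_len` is derived from the two dimensions is outside the hunk.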
@@ -1142,6 +1142,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx) AV_CH_LAYOUT_STEREO; ibps = avctx->bit_rate / (1000 * avctx->channels); + if (ibps < 8 || ibps > 48) { + av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps); + return AVERROR_INVALIDDATA; + } switch ((isampf << 8) + ibps) { case (8 <<8) + 8: tctx->mtab = &mode_08_08; break; diff --git a/gst-libs/ext/libav/libavcodec/vc1dec.c b/gst-libs/ext/libav/libavcodec/vc1dec.c index bafd6a2..6b32116 100644 --- a/gst-libs/ext/libav/libavcodec/vc1dec.c +++ b/gst-libs/ext/libav/libavcodec/vc1dec.c @@ -4742,6 +4742,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; + if (!v->s.last_picture.f.data[0]) + return; + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END); s->first_slice_line = 1; for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { @@ -5131,8 +5134,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane || !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base || - !v->mb_type_base) - return -1; + !v->mb_type_base) { + av_freep(&v->mv_type_mb_plane); + av_freep(&v->direct_mb_plane); + av_freep(&v->acpred_plane); + av_freep(&v->over_flags_plane); + av_freep(&v->block); + av_freep(&v->cbp_base); + av_freep(&v->ttblk_base); + av_freep(&v->is_intra_base); + av_freep(&v->luma_mv_base); + av_freep(&v->mb_type_base); + return AVERROR(ENOMEM); + } return 0; } @@ -5484,8 +5498,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, } if (!s->context_initialized) { - if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0) + if (ff_msmpeg4_decode_init(avctx) < 0) goto err; + if (ff_vc1_decode_init_alloc_tables(v) < 0) { + ff_MPV_common_end(s); + goto err; + } s->low_delay = !avctx->has_b_frames || v->res_sprite; 
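Review bot: The new range check on `ibps` in twinvq.c sits after `avctx->bit_rate / (1000 * avctx->channels)`, so it cannot protect the division itself. If `avctx->channels` can be zero or negative at this point (its validation is outside the hunk), the divide faults before the check is reached. Confirm the earlier channel check enforces a lower bound of 1, or add `if (avctx->channels <= 0) return AVERROR_INVALIDDATA;` ahead of the division. twin_decode_init starts and ends outside the hunk.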
@@ -5573,6 +5591,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (avctx->hwaccel->end_frame(avctx) < 0) goto err; } else { + int header_ret = 0; + ff_er_frame_start(s); v->bits = buf_size * 8; @@ -5619,18 +5639,20 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (i) { v->pic_header_flag = 0; if (v->field_mode && i == n_slices1 + 2) { - if (ff_vc1_parse_frame_header_adv(v, &s->gb) < 0) { + if ((header_ret = ff_vc1_parse_frame_header_adv(v, &s->gb)) < 0) { av_log(v->s.avctx, AV_LOG_ERROR, "Field header damaged\n"); continue; } } else if (get_bits1(&s->gb)) { v->pic_header_flag = 1; - if (ff_vc1_parse_frame_header_adv(v, &s->gb) < 0) { + if ((header_ret = ff_vc1_parse_frame_header_adv(v, &s->gb)) < 0) { av_log(v->s.avctx, AV_LOG_ERROR, "Slice header damaged\n"); continue; } } } + if (header_ret < 0) + continue; s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height); if (!v->field_mode || v->second_field) s->end_mb_y = (i == n_slices ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height); diff --git a/gst-libs/ext/libav/libavcodec/vp3.c b/gst-libs/ext/libav/libavcodec/vp3.c index 0340c22..1d68c09 100644 --- a/gst-libs/ext/libav/libavcodec/vp3.c +++ b/gst-libs/ext/libav/libavcodec/vp3.c @@ -2160,6 +2160,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) fps.num = get_bits_long(gb, 32); fps.den = get_bits_long(gb, 32); if (fps.num && fps.den) { + if (fps.num < 0 || fps.den < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } av_reduce(&avctx->time_base.num, &avctx->time_base.den, fps.den, fps.num, 1<<30); } diff --git a/gst-libs/ext/libav/libavcodec/wnv1.c b/gst-libs/ext/libav/libavcodec/wnv1.c index 1636f16..362fafc 100644 --- a/gst-libs/ext/libav/libavcodec/wnv1.c +++ b/gst-libs/ext/libav/libavcodec/wnv1.c 
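Review bot: `header_ret` is declared once at the top of the `else` block (previous hunk) and is never reset, so after one damaged field or slice header the added `if (header_ret < 0) continue;` also skips every later slice that does not parse a header of its own. If that stickiness is intended, state it at the declaration, e.g. `/* stays negative until a later slice header parses successfully */`; if each slice should be judged independently, set `header_ret = 0;` at the top of each iteration. The loop header is outside both hunks.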
@@ -71,6 +71,11 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; + if (buf_size < 8) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } + rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if (!rbuf) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); diff --git a/gst-libs/ext/libav/libavcodec/xan.c b/gst-libs/ext/libav/libavcodec/xan.c index 8c90bb6..369f89b 100644 --- a/gst-libs/ext/libav/libavcodec/xan.c +++ b/gst-libs/ext/libav/libavcodec/xan.c @@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; + unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len < 0) @@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val < 0x16) { if (dest >= dest_end) - return 0; + return dest_len; *dest++ = val; val = ival; } } - return 0; + return dest - dest_start; } /** @@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) { unsigned char flag = 0; int size = 0; int motion_x, motion_y; - int x, y; + int x, y, ret; unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; @@ -283,8 +284,8 @@ static int xan_wc3_decode_frame(XanContext *s) { /* pointers to segments inside the compressed chunk */ const unsigned char *huffman_segment; - const unsigned char *size_segment; - const unsigned char *vector_segment; + GetByteContext size_segment; + GetByteContext vector_segment; const unsigned char *imagedata_segment; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; 
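Review bot: `xan_huffman_decode` used to return 0 on success and now returns the number of bytes written (`dest - dest_start`, or `dest_len` when the output fills up), which the caller in a later hunk uses to set `opcode_buffer_end`. The function's comment should state this contract, e.g. `@return number of bytes written to dest, or a negative value on invalid input`, so the result is not mistaken for a plain status code. A decode that was cut short by a full output buffer is reported the same way as one that ended exactly at `dest_len`; if callers need to tell them apart, note that in the comment as well.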
@@ -304,13 +305,14 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; huffman_segment = s->buf + huffman_offset; - size_segment = s->buf + size_offset; - vector_segment = s->buf + vector_offset; + bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset); + bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; - if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - huffman_offset) < 0) + if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset)) < 0) return AVERROR_INVALIDDATA; + opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, s->buffer2_size, @@ -357,19 +359,17 @@ static int xan_wc3_decode_frame(XanContext *s) { case 9: case 19: - size = *size_segment++; + size = bytestream2_get_byte(&size_segment); break; case 10: case 20: - size = AV_RB16(&size_segment[0]); - size_segment += 2; + size = bytestream2_get_be16(&size_segment); break; case 11: case 21: - size = AV_RB24(size_segment); - size_segment += 3; + size = bytestream2_get_be24(&size_segment); break; } @@ -391,9 +391,9 @@ static int xan_wc3_decode_frame(XanContext *s) { } } else { /* run-based motion compensation from last frame */ - motion_x = sign_extend(*vector_segment >> 4, 4); - motion_y = sign_extend(*vector_segment & 0xF, 4); - vector_segment++; + uint8_t vector = bytestream2_get_byte(&vector_segment); + motion_x = sign_extend(vector >> 4, 4); + motion_y = sign_extend(vector & 0xF, 4); /* copy a run of pixels from the previous frame */ xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y); diff --git a/gst-libs/ext/libav/libavcodec/xxan.c b/gst-libs/ext/libav/libavcodec/xxan.c index 84ffdec..7a0cdc4 100644 --- a/gst-libs/ext/libav/libavcodec/xxan.c +++ b/gst-libs/ext/libav/libavcodec/xxan.c 
@@ -49,6 +49,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", avctx->height); return AVERROR(EINVAL); } + if (avctx->width & 1) { + av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width); + return AVERROR(EINVAL); + } s->buffer_size = avctx->width * avctx->height; s->y_buffer = av_malloc(s->buffer_size); diff --git a/gst-libs/ext/libav/libavcodec/zmbv.c b/gst-libs/ext/libav/libavcodec/zmbv.c index c92e553..c7a90f0 100644 --- a/gst-libs/ext/libav/libavcodec/zmbv.c +++ b/gst-libs/ext/libav/libavcodec/zmbv.c @@ -508,8 +508,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } if (c->comp == 0) { //Uncompressed data + if (c->decomp_size < len) { + av_log(avctx, AV_LOG_ERROR, "Buffer too small\n"); + return AVERROR_INVALIDDATA; + } memcpy(c->decomp_buf, buf, len); - c->decomp_size = 1; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = buf; |