authorSebastian Dröge <sebastian@centricular.com>2013-11-09 17:00:42 +0100
committerSebastian Dröge <sebastian@centricular.com>2013-11-09 17:00:42 +0100
commit6f5ff9b84f6e3ad68f3e777622282d5db6ccc0e0 (patch)
tree1b956fe5fecdb053bf78525970f32322fe1d8eca /gst-libs
parent7cb19d4fb99d5bcd2eba76245bc2af9d889b4ff1 (diff)
Imported Upstream version 1.2.1upstream/1.2.1
Diffstat (limited to 'gst-libs')
-rw-r--r--gst-libs/ext/libav/Changelog75
-rw-r--r--gst-libs/ext/libav/RELEASE2
-rw-r--r--gst-libs/ext/libav/libavcodec/alac.c3
-rw-r--r--gst-libs/ext/libav/libavcodec/asvdec.c5
-rw-r--r--gst-libs/ext/libav/libavcodec/cavsdec.c5
-rw-r--r--gst-libs/ext/libav/libavcodec/dcadec.c5
-rw-r--r--gst-libs/ext/libav/libavcodec/eacmv.c7
-rw-r--r--gst-libs/ext/libav/libavcodec/ffv1.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/fraps.c35
-rw-r--r--gst-libs/ext/libav/libavcodec/h263dec.c13
-rw-r--r--gst-libs/ext/libav/libavcodec/ivi_common.c5
-rw-r--r--gst-libs/ext/libav/libavcodec/mace.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/mpeg4videodec.c12
-rw-r--r--gst-libs/ext/libav/libavcodec/mpegaudiodec.c3
-rw-r--r--gst-libs/ext/libav/libavcodec/mpegvideo.c16
-rw-r--r--gst-libs/ext/libav/libavcodec/pcx.c9
-rw-r--r--gst-libs/ext/libav/libavcodec/pngdec.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/qpeg.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/rpza.c2
-rw-r--r--gst-libs/ext/libav/libavcodec/rv10.c5
-rw-r--r--gst-libs/ext/libav/libavcodec/rv30.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/rv40.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/shorten.c33
-rw-r--r--gst-libs/ext/libav/libavcodec/smacker.c6
-rw-r--r--gst-libs/ext/libav/libavcodec/svq3.c9
-rw-r--r--gst-libs/ext/libav/libavcodec/truemotion2.c16
-rw-r--r--gst-libs/ext/libav/libavcodec/twinvq.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/vc1dec.c32
-rw-r--r--gst-libs/ext/libav/libavcodec/vp3.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/wnv1.c5
-rw-r--r--gst-libs/ext/libav/libavcodec/xan.c34
-rw-r--r--gst-libs/ext/libav/libavcodec/xxan.c4
-rw-r--r--gst-libs/ext/libav/libavcodec/zmbv.c5
-rw-r--r--gst-libs/ext/libav/libavformat/ape.c2
-rw-r--r--gst-libs/ext/libav/libavformat/asfdec.c4
-rw-r--r--gst-libs/ext/libav/libavformat/avidec.c6
-rw-r--r--gst-libs/ext/libav/libavformat/bfi.c11
-rw-r--r--gst-libs/ext/libav/libavformat/dsicin.c2
-rw-r--r--gst-libs/ext/libav/libavformat/electronicarts.c17
-rw-r--r--gst-libs/ext/libav/libavformat/idroqdec.c7
-rw-r--r--gst-libs/ext/libav/libavformat/matroskadec.c4
-rw-r--r--gst-libs/ext/libav/libavformat/mov.c8
-rw-r--r--gst-libs/ext/libav/libavformat/mpc8.c9
-rw-r--r--gst-libs/ext/libav/libavformat/mvi.c6
-rw-r--r--gst-libs/ext/libav/libavformat/mxfdec.c10
-rw-r--r--gst-libs/ext/libav/libavformat/oggparseogm.c52
-rw-r--r--gst-libs/ext/libav/libavformat/omadec.c6
-rw-r--r--gst-libs/ext/libav/libavformat/r3d.c6
-rw-r--r--gst-libs/ext/libav/libavformat/riff.c5
-rw-r--r--gst-libs/ext/libav/libavformat/rl2.c4
-rw-r--r--gst-libs/ext/libav/libavformat/rmdec.c9
-rw-r--r--gst-libs/ext/libav/libavformat/segafilm.c5
-rw-r--r--gst-libs/ext/libav/libavformat/sierravmd.c22
-rw-r--r--gst-libs/ext/libav/libavformat/smacker.c4
-rw-r--r--gst-libs/ext/libav/libavformat/utils.c3
-rw-r--r--gst-libs/ext/libav/libavformat/vocdec.c10
-rw-r--r--gst-libs/ext/libav/libavformat/vqf.c11
-rw-r--r--gst-libs/ext/libav/libavformat/wtv.c7
-rw-r--r--gst-libs/ext/libav/libavformat/xmv.c7
-rw-r--r--gst-libs/ext/libav/libavformat/xwma.c8
-rw-r--r--gst-libs/ext/libav/tests/ref/fate/mxf-demux6
-rw-r--r--gst-libs/ext/libav/tests/ref/seek/lavf-mxf18
-rw-r--r--gst-libs/ext/libav/tests/ref/seek/lavf-mxf_d1030
63 files changed, 490 insertions, 187 deletions
diff --git a/gst-libs/ext/libav/Changelog b/gst-libs/ext/libav/Changelog
index a0b1186..594a6ff 100644
--- a/gst-libs/ext/libav/Changelog
+++ b/gst-libs/ext/libav/Changelog
@@ -1,5 +1,76 @@
-Entries are sorted chronologically from oldest to youngest within each release,
-releases are sorted from youngest to oldest.
+Releases are sorted from youngest to oldest.
+
+version 9.10:
+- alac: Do bounds checking of lpc_order read from the bitstream
+- ape: Don't allow the seektable to be omitted
+- asfdec: Check the return value of asf_read_stream_properties
+- asvdec: Verify the amount of extradata
+- avidec: Make sure a packet is large enough before reading its data
+- bfi: Add some very basic sanity checks for input packet sizes
+- bfi: Avoid divisions by zero
+- cavsdec: Make sure a sequence header has been decoded before decoding pictures
+- dcadec: Validate the lfe parameter
+- dsicin: Add some basic sanity checks for fields read from the file
+- eacmv: Make sure a reference frame exists before referencing it
+- electronicarts: Add more sanity checking for the number of channels
+- electronicarts: Check packet sizes before reading
+- ffv1: Make sure at least one slice context is initialized
+- fraps: Make the input buffer size checks more strict
+- h263dec: Remove a hack that can cause infinite loops
+- idroqdec: Make sure a video stream has been allocated before returning packets
+- ivi_common: Make sure color planes have been initialized
+- lavf: Avoid setting avg_frame_rate if delta_dts is negative
+- mace: Make sure that the channel count is set to a valid value
+- matroskadec: Verify realaudio codec parameters
+- mov: Don't use a negative duration for setting other fields
+- mov: Make sure the read sample count is nonnegative
+- mpc8: Check the seek table size parsed from the bitstream
+- mpc8: Make sure the first stream exists before parsing the seek table
+- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
+- mpegaudiodec: Validate that the number of channels fits at the given offset
+- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
+- mvi: Add sanity checking for the audio frame size
+- mxfdec: set audio timebase to 1/samplerate
+- oggparseogm: Convert to use bytestream2
+- omadec: Properly check lengths before incrementing the position
+- pcx: Check the packet size before assuming it fits a palette
+- pcx: Consume the whole packet if giving up due to missing palette
+- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
+- qpeg: Add checks for running out of rows in qpeg_decode_inter
+- r3d: Add more input value validation
+- riffdec: Add sanity checks for the sample rate
+- rl2: Avoid a division by zero
+- rmdec: Validate the fps value
+- rpza: Fix a buffer size check
+- rv10: Validate the dimensions set from the container
+- rv34: Check the return value from ff_rv34_decode_init
+- segafilm: Validate the number of audio channels
+- shorten: Break out of loop looking for fmt chunk if none is found
+- shorten: Use a checked bytestream reader for the wave header
+- sierravmd: Do sanity checking of frame sizes
+- smacker: Avoid integer overflow when allocating packets
+- smacker: Don't return packets in unallocated streams
+- smacker: Make sure we don't fill in huffman codes out of range
+- svq3: Avoid a division by zero
+- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
+- truemotion2: Use av_freep properly in an error path
+- twinvqdec: Check the ibps parameter separately
+- vc1dec: Don't decode slices when the latest slice header failed to decode
+- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
+- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
+- vc1dec: Undo mpegvideo initialization if unable to allocate tables
+- vocdec: Don't update codec parameters mid-stream
+- vp3: Check the framerate for validity
+- vqf: Make sure sample_rate is set to a valid value
+- vqf: Make sure the bitrate is in the valid range
+- wnv1: Make sure the input packet is large enough
+- wtv: Add more sanity checks for a length read from the file
+- xan: Only read within the data that actually was initialized
+- xan: Use bytestream2 to limit reading to within the buffer
+- xmv: Add more sanity checks for parameters read from the bitstream
+- xwma: Avoid division by zero
+- xxan: Disallow odd width
+- zmbvdec: Check the buffer size for uncompressed data
version 9.9:
- 4xm: check that bits per sample is strictly positive
diff --git a/gst-libs/ext/libav/RELEASE b/gst-libs/ext/libav/RELEASE
index a61a79b..5f3c440 100644
--- a/gst-libs/ext/libav/RELEASE
+++ b/gst-libs/ext/libav/RELEASE
@@ -1 +1 @@
-9.9
+9.10
diff --git a/gst-libs/ext/libav/libavcodec/alac.c b/gst-libs/ext/libav/libavcodec/alac.c
index 72e9353..139e352 100644
--- a/gst-libs/ext/libav/libavcodec/alac.c
+++ b/gst-libs/ext/libav/libavcodec/alac.c
@@ -315,6 +315,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index,
rice_history_mult[ch] = get_bits(&alac->gb, 3);
lpc_order[ch] = get_bits(&alac->gb, 5);
+ if (lpc_order[ch] >= alac->max_samples_per_frame)
+ return AVERROR_INVALIDDATA;
+
/* read the predictor table */
for (i = lpc_order[ch] - 1; i >= 0; i--)
lpc_coefs[ch][i] = get_sbits(&alac->gb, 16);
diff --git a/gst-libs/ext/libav/libavcodec/asvdec.c b/gst-libs/ext/libav/libavcodec/asvdec.c
index 16722a9..d3579de 100644
--- a/gst-libs/ext/libav/libavcodec/asvdec.c
+++ b/gst-libs/ext/libav/libavcodec/asvdec.c
@@ -285,6 +285,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
const int scale = avctx->codec_id == AV_CODEC_ID_ASV1 ? 1 : 2;
int i;
+ if (avctx->extradata_size < 1) {
+ av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
+ return AVERROR_INVALIDDATA;
+ }
+
ff_asv_common_init(avctx);
init_vlcs(a);
ff_init_scantable(a->dsp.idct_permutation, &a->scantable, ff_asv_scantab);
diff --git a/gst-libs/ext/libav/libavcodec/cavsdec.c b/gst-libs/ext/libav/libavcodec/cavsdec.c
index cef6b95..7cfb2ca 100644
--- a/gst-libs/ext/libav/libavcodec/cavsdec.c
+++ b/gst-libs/ext/libav/libavcodec/cavsdec.c
@@ -931,6 +931,11 @@ static int decode_pic(AVSContext *h)
int skip_count = -1;
enum cavs_mb mb_type;
+ if (!h->top_qp) {
+ av_log(h->avctx, AV_LOG_ERROR, "No sequence header decoded yet\n");
+ return AVERROR_INVALIDDATA;
+ }
+
skip_bits(&h->gb, 16);//bbv_dwlay
if (h->stc == PIC_PB_START_CODE) {
h->cur.f->pict_type = get_bits(&h->gb, 2) + AV_PICTURE_TYPE_I;
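Review bot: The guard in decode_pic tests `h->top_qp` as a stand-in for "a sequence header has been decoded", and nothing in the hunk says why that pointer carries that meaning. A short comment above the check would help, for example `/* top_qp is only set up once a sequence header has been parsed */`, assuming that is where it is allocated. If the pointer can be left stale across a later re-initialisation, an explicit flag would be the safer test. decode_pic continues outside the hunk.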
diff --git a/gst-libs/ext/libav/libavcodec/dcadec.c b/gst-libs/ext/libav/libavcodec/dcadec.c
index 561c30c..eecdeaa 100644
--- a/gst-libs/ext/libav/libavcodec/dcadec.c
+++ b/gst-libs/ext/libav/libavcodec/dcadec.c
@@ -582,6 +582,11 @@ static int dca_parse_frame_header(DCAContext *s)
s->lfe = get_bits(&s->gb, 2);
s->predictor_history = get_bits(&s->gb, 1);
+ if (s->lfe > 2) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+ return AVERROR_INVALIDDATA;
+ }
+
/* TODO: check CRC */
if (s->crc_present)
s->header_crc = get_bits(&s->gb, 16);
diff --git a/gst-libs/ext/libav/libavcodec/eacmv.c b/gst-libs/ext/libav/libavcodec/eacmv.c
index 0dce066..b7e13b1 100644
--- a/gst-libs/ext/libav/libavcodec/eacmv.c
+++ b/gst-libs/ext/libav/libavcodec/eacmv.c
@@ -108,9 +108,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
}else{ /* inter using last frame as reference */
int xoffset = (buf[i] & 0xF) - 7;
int yoffset = ((buf[i] >> 4)) - 7;
- cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
- s->last_frame.data[0], s->last_frame.linesize[0],
- x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+ if (s->last_frame.data[0])
+ cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
+ s->last_frame.data[0], s->last_frame.linesize[0],
+ x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
}
i++;
}
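Review bot: When `s->last_frame.data[0]` is NULL the block is now skipped without writing anything to `s->frame`, so the output keeps whatever the buffer already held. If that buffer is not cleared on allocation (not visible here), undecoded memory can reach the caller. Filling the block with a fixed value, or rejecting an inter frame that has no reference, would avoid that. The new `if` also guards a three-line call without braces; `if (s->last_frame.data[0]) {` ... `}` is easier to maintain. The branch that references the second-to-last frame lies outside the hunk and needs the same guard if it lacks one.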
diff --git a/gst-libs/ext/libav/libavcodec/ffv1.c b/gst-libs/ext/libav/libavcodec/ffv1.c
index 682d111..f6d9eaf 100644
--- a/gst-libs/ext/libav/libavcodec/ffv1.c
+++ b/gst-libs/ext/libav/libavcodec/ffv1.c
@@ -194,6 +194,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f)
int i;
f->slice_count = f->num_h_slices * f->num_v_slices;
+ if (f->slice_count <= 0) {
+ av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
+ return AVERROR(EINVAL);
+ }
for (i = 0; i < f->slice_count; i++) {
FFV1Context *fs = av_mallocz(sizeof(*fs));
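Review bot: Only the lower bound of `f->slice_count` is checked in ffv1_init_slice_contexts, and the product `f->num_h_slices * f->num_v_slices` is computed in `int` before the test. If the slice context array has a fixed capacity and the two factors are not range-checked by the header parser (neither is visible in this hunk), a large product could overflow or index past the array. Adding an upper bound against that capacity to the same condition would close the gap. The loop body continues outside the hunk.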
diff --git a/gst-libs/ext/libav/libavcodec/fraps.c b/gst-libs/ext/libav/libavcodec/fraps.c
index 6ac0c61..a691d9e 100644
--- a/gst-libs/ext/libav/libavcodec/fraps.c
+++ b/gst-libs/ext/libav/libavcodec/fraps.c
@@ -140,10 +140,17 @@ static int decode_frame(AVCodecContext *avctx,
uint32_t offs[4];
int i, j, is_chroma, planes;
enum AVPixelFormat pix_fmt;
+ int prev_pic_bit, expected_size;
+
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+ return AVERROR_INVALIDDATA;
+ }
header = AV_RL32(buf);
version = header & 0xff;
header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */
+ prev_pic_bit = header & (1U << 31); /* bit 31 means same as previous pic */
if (version > 5) {
av_log(avctx, AV_LOG_ERROR,
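Review bot: `prev_pic_bit` is an `int` that receives `header & (1U << 31)`, so a set bit is stored as 0x80000000 converted to a signed type, which is implementation-defined. It is only used as a truth test later, so it works on common compilers, but `prev_pic_bit = !!(header & (1U << 31));` keeps it a clean 0/1. The new `buf_size < 4` test covers the `AV_RL32(buf)` read only. For versions not handled by the exact-size checks in the later hunks, a comparison of `buf_size` against `header_size` (which can be 8) is not visible here and should be confirmed.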
@@ -162,16 +169,19 @@ static int decode_frame(AVCodecContext *avctx,
}
avctx->pix_fmt = pix_fmt;
- switch(version) {
+ expected_size = header_size;
+
+ switch (version) {
case 0:
default:
/* Fraps v0 is a reordered YUV420 */
- if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
- (buf_size != header_size) ) {
+ if (!prev_pic_bit)
+ expected_size += avctx->width * avctx->height * 3 / 2;
+ if (buf_size != expected_size) {
av_log(avctx, AV_LOG_ERROR,
"Invalid frame length %d (should be %d)\n",
- buf_size, avctx->width*avctx->height*3/2+header_size);
- return -1;
+ buf_size, expected_size);
+ return AVERROR_INVALIDDATA;
}
if (( (avctx->width % 8) != 0) || ( (avctx->height % 2) != 0 )) {
@@ -188,8 +198,7 @@ static int decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
return -1;
}
- /* bit 31 means same as previous pic */
- f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
+ f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
f->key_frame = f->pict_type == AV_PICTURE_TYPE_I;
if (f->pict_type == AV_PICTURE_TYPE_I) {
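Review bot: The `reget_buffer() failed` path just above the changed line still returns a bare `-1`, while this commit moves the size checks in the same function to `AVERROR_INVALIDDATA`. Returning the helper's own error code would keep decode_frame consistent. The same applies to the identical path in the version 1 branch further down. The call itself is outside the hunk, so the value to propagate has to be taken from there.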
@@ -213,12 +222,13 @@ static int decode_frame(AVCodecContext *avctx,
case 1:
/* Fraps v1 is an upside-down BGR24 */
- if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
- (buf_size != header_size) ) {
+ if (!prev_pic_bit)
+ expected_size += avctx->width * avctx->height * 3;
+ if (buf_size != expected_size) {
av_log(avctx, AV_LOG_ERROR,
"Invalid frame length %d (should be %d)\n",
- buf_size, avctx->width*avctx->height*3+header_size);
- return -1;
+ buf_size, expected_size);
+ return AVERROR_INVALIDDATA;
}
f->reference = 1;
@@ -229,8 +239,7 @@ static int decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
return -1;
}
- /* bit 31 means same as previous pic */
- f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
+ f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
f->key_frame = f->pict_type == AV_PICTURE_TYPE_I;
if (f->pict_type == AV_PICTURE_TYPE_I) {
diff --git a/gst-libs/ext/libav/libavcodec/h263dec.c b/gst-libs/ext/libav/libavcodec/h263dec.c
index fc5f565..db58fd2 100644
--- a/gst-libs/ext/libav/libavcodec/h263dec.c
+++ b/gst-libs/ext/libav/libavcodec/h263dec.c
@@ -385,8 +385,6 @@ uint64_t time= rdtsc();
}
-retry:
-
if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder
init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8);
}else
@@ -569,17 +567,6 @@ retry:
/* FIXME: By the way H263 decoder is evolving it should have */
/* an H263EncContext */
- if (!avctx->coded_width || !avctx->coded_height) {
- ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
-
- s->parse_context.buffer=0;
- ff_MPV_common_end(s);
- s->parse_context= pc;
- avcodec_set_dimensions(avctx, s->width, s->height);
-
- goto retry;
- }
-
if (s->width != avctx->coded_width ||
s->height != avctx->coded_height ||
s->context_reinit) {
diff --git a/gst-libs/ext/libav/libavcodec/ivi_common.c b/gst-libs/ext/libav/libavcodec/ivi_common.c
index 2a73754..152e9c4 100644
--- a/gst-libs/ext/libav/libavcodec/ivi_common.c
+++ b/gst-libs/ext/libav/libavcodec/ivi_common.c
@@ -938,6 +938,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
return AVERROR_PATCHWELCOME;
}
+ if (!ctx->planes[0].bands) {
+ av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n");
+ return AVERROR_INVALIDDATA;
+ }
+
ctx->switch_buffers(ctx);
//{ START_TIMER;
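Review bot: The new guard in ff_ivi_decode_frame inspects only `ctx->planes[0].bands`. If a failed allocation can leave plane 0 set up but a later plane empty (the allocation code is outside this hunk), the decode path would still reach an uninitialised plane. Either check every plane the frame will touch, or document why plane 0 is sufficient with a comment such as `/* all planes are allocated together, so plane 0 stands for all */`.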
diff --git a/gst-libs/ext/libav/libavcodec/mace.c b/gst-libs/ext/libav/libavcodec/mace.c
index c78a207..5074e4b 100644
--- a/gst-libs/ext/libav/libavcodec/mace.c
+++ b/gst-libs/ext/libav/libavcodec/mace.c
@@ -229,8 +229,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx)
{
MACEContext *ctx = avctx->priv_data;
- if (avctx->channels > 2)
- return -1;
+ if (avctx->channels > 2 || avctx->channels < 1)
+ return AVERROR(EINVAL);
avctx->sample_fmt = AV_SAMPLE_FMT_S16P;
avcodec_get_frame_defaults(&ctx->frame);
diff --git a/gst-libs/ext/libav/libavcodec/mpeg4videodec.c b/gst-libs/ext/libav/libavcodec/mpeg4videodec.c
index faa9866..7ff290c 100644
--- a/gst-libs/ext/libav/libavcodec/mpeg4videodec.c
+++ b/gst-libs/ext/libav/libavcodec/mpeg4videodec.c
@@ -152,7 +152,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){
return 0;
}
-static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
+static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb)
{
int i;
int a= 2<<s->sprite_warping_accuracy;
@@ -168,6 +168,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb
int h= s->height;
int min_ab;
+ if (w <= 0 || h <= 0)
+ return AVERROR_INVALIDDATA;
+
for(i=0; i<s->num_sprite_warping_points; i++){
int length;
int x=0, y=0;
@@ -340,6 +343,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb
}
s->real_sprite_warping_points= s->num_sprite_warping_points;
}
+ return 0;
}
/**
@@ -414,7 +418,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s)
skip_bits(&s->gb, 3); /* intra dc vlc threshold */
//FIXME don't just ignore everything
if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){
- mpeg4_decode_sprite_trajectory(s, &s->gb);
+ if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
+ return AVERROR_INVALIDDATA;
av_log(s->avctx, AV_LOG_ERROR, "untested\n");
}
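Review bot: Both new call sites discard the callee's error code: `if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) return AVERROR_INVALIDDATA;` here and the same pattern in decode_vop_header. That is harmless while the function has a single failure return. Propagating the value through a local (`if ((ret = mpeg4_decode_sprite_trajectory(s, &s->gb)) < 0) return ret;`) keeps the callers correct if another error is added. The definition also lacks a comment stating that it now returns 0 or a negative AVERROR code; one line above it would document the new contract.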
@@ -2029,7 +2034,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){
}
if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){
- mpeg4_decode_sprite_trajectory(s, gb);
+ if (mpeg4_decode_sprite_trajectory(s, gb) < 0)
+ return AVERROR_INVALIDDATA;
if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n");
if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
}
diff --git a/gst-libs/ext/libav/libavcodec/mpegaudiodec.c b/gst-libs/ext/libav/libavcodec/mpegaudiodec.c
index fda0280..bd096df 100644
--- a/gst-libs/ext/libav/libavcodec/mpegaudiodec.c
+++ b/gst-libs/ext/libav/libavcodec/mpegaudiodec.c
@@ -1936,7 +1936,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
- if (ch + m->nb_channels > avctx->channels) {
+ if (ch + m->nb_channels > avctx->channels ||
+ s->coff[fr] + m->nb_channels > avctx->channels) {
av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
"channel count\n");
return AVERROR_INVALIDDATA;
diff --git a/gst-libs/ext/libav/libavcodec/mpegvideo.c b/gst-libs/ext/libav/libavcodec/mpegvideo.c
index 77e21d2..0274f01 100644
--- a/gst-libs/ext/libav/libavcodec/mpegvideo.c
+++ b/gst-libs/ext/libav/libavcodec/mpegvideo.c
@@ -914,17 +914,17 @@ av_cold int ff_MPV_common_init(MpegEncContext *s)
s->flags = s->avctx->flags;
s->flags2 = s->avctx->flags2;
- if (s->width && s->height) {
- /* set chroma shifts */
- av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt,
- &s->chroma_x_shift,
- &s->chroma_y_shift);
+ /* set chroma shifts */
+ av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt,
+ &s->chroma_x_shift,
+ &s->chroma_y_shift);
- /* convert fourcc to upper case */
- s->codec_tag = avpriv_toupper4(s->avctx->codec_tag);
+ /* convert fourcc to upper case */
+ s->codec_tag = avpriv_toupper4(s->avctx->codec_tag);
- s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag);
+ s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag);
+ if (s->width && s->height) {
s->avctx->coded_frame = &s->current_picture.f;
if (s->encoding) {
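Review bot: `av_pix_fmt_get_chroma_sub_sample()` is now called unconditionally in ff_MPV_common_init, including when width and height are still 0, and its result is not checked. If the pixel format can be unset at that point (plausible before a header is parsed, though not shown here) and the helper reports failure, `chroma_x_shift` and `chroma_y_shift` keep their previous values. Checking the return value, or setting both shifts to a defined value first, would make the zero-size path deterministic.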
diff --git a/gst-libs/ext/libav/libavcodec/pcx.c b/gst-libs/ext/libav/libavcodec/pcx.c
index ba3703a..223429d 100644
--- a/gst-libs/ext/libav/libavcodec/pcx.c
+++ b/gst-libs/ext/libav/libavcodec/pcx.c
@@ -184,7 +184,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
} else if (nplanes == 1 && bits_per_pixel == 8) {
const uint8_t *palstart = bufstart + buf_size - 769;
- for (y=0; y<h; y++, ptr+=stride) {
+ if (buf_size < 769) {
+ av_log(avctx, AV_LOG_ERROR, "File is too short\n");
+ ret = buf_size;
+ goto end;
+ }
+
+ for (y = 0; y < h; y++, ptr += stride) {
buf = pcx_rle_decode(buf, buf_end,
scanline, bytes_per_scanline, compressed);
memcpy(ptr, scanline, w);
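Review bot: `palstart` is initialised as `bufstart + buf_size - 769` in the declaration that precedes the new `buf_size < 769` test, so for a short packet the pointer is formed before the start of the buffer and only then rejected. Forming such a pointer is undefined behaviour even if it is never dereferenced. Declaring `const uint8_t *palstart;` and assigning it after the check removes that. This path also logs an error and then returns `buf_size`, that is, success with no frame; a one-line comment saying this is deliberate would keep it from being changed into an error return later.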
@@ -196,6 +202,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
}
if (*buf++ != 12) {
av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n");
+ ret = buf_size;
goto end;
}
diff --git a/gst-libs/ext/libav/libavcodec/pngdec.c b/gst-libs/ext/libav/libavcodec/pngdec.c
index 9c340ea..6c2df12 100644
--- a/gst-libs/ext/libav/libavcodec/pngdec.c
+++ b/gst-libs/ext/libav/libavcodec/pngdec.c
@@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length)
s->zstream.avail_out = s->crow_size;
s->zstream.next_out = s->crow_buf;
}
+ if (ret == Z_STREAM_END && s->zstream.avail_in > 0) {
+ av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in);
+ return 0;
+ }
}
return 0;
}
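Review bot: The new warning passes `s->zstream.avail_in`, which zlib declares as an unsigned type, to a `%d` conversion; `%u` matches the argument. It also logs with a NULL context, so the message cannot be attributed to a stream or filtered per codec. If the decoder context holds its AVCodecContext (not visible in this hunk), that should be passed instead. The early `return 0;` is equivalent to the `return 0;` after the loop, so a `break;` would express the same thing with a single exit.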
diff --git a/gst-libs/ext/libav/libavcodec/qpeg.c b/gst-libs/ext/libav/libavcodec/qpeg.c
index 4a918e7..75e1223 100644
--- a/gst-libs/ext/libav/libavcodec/qpeg.c
+++ b/gst-libs/ext/libav/libavcodec/qpeg.c
@@ -190,6 +190,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
filled = 0;
dst -= stride;
height--;
+ if (height < 0)
+ break;
}
}
} else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
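Review bot: The added `if (height < 0) break;` leaves only the inner copy loop. The enclosing decode loop in qpeg_decode_inter is outside the hunk and has to test `height` as well, otherwise the next opcode keeps writing through a `dst` that has already stepped past the last row. Please confirm that condition exists. The same applies to the identical check added in the copy-code branch below. A comment such as `/* ran out of rows: stop before dst leaves the picture */` would also explain why the comparison is `< 0` rather than `<= 0`.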
@@ -201,6 +203,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
filled = 0;
dst -= stride;
height--;
+ if (height < 0)
+ break;
}
}
} else if(code >= 0x80) { /* skip code: 0x80..0xBF */
diff --git a/gst-libs/ext/libav/libavcodec/rpza.c b/gst-libs/ext/libav/libavcodec/rpza.c
index 57d4d2d..59b15c6 100644
--- a/gst-libs/ext/libav/libavcodec/rpza.c
+++ b/gst-libs/ext/libav/libavcodec/rpza.c
@@ -203,7 +203,7 @@ static void rpza_decode_stream(RpzaContext *s)
/* Fill block with 16 colors */
case 0x00:
- if (s->size - stream_ptr < 16)
+ if (s->size - stream_ptr < 30)
return;
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
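Review bot: The bound in the 16-colour case changes from 16 to 30 with no explanation of where 30 comes from. Presumably the block needs 16 two-byte colours of which the first was consumed with the opcode, leaving 15 * 2 bytes, but a reader has to reconstruct that. Writing the derivation into the check, e.g. `if (s->size - stream_ptr < 15 * 2) /* 15 more 16-bit colours */`, would make it verifiable. It is also worth confirming the types of `s->size` and `stream_ptr`, because an unsigned subtraction would wrap if `stream_ptr` ever exceeded `s->size`.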
diff --git a/gst-libs/ext/libav/libavcodec/rv10.c b/gst-libs/ext/libav/libavcodec/rv10.c
index 26af29f..04518dd 100644
--- a/gst-libs/ext/libav/libavcodec/rv10.c
+++ b/gst-libs/ext/libav/libavcodec/rv10.c
@@ -426,12 +426,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
RVDecContext *rv = avctx->priv_data;
MpegEncContext *s = &rv->m;
static int done=0;
- int major_ver, minor_ver, micro_ver;
+ int major_ver, minor_ver, micro_ver, ret;
if (avctx->extradata_size < 8) {
av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
return -1;
}
+ if ((ret = av_image_check_size(avctx->coded_width,
+ avctx->coded_height, 0, avctx)) < 0)
+ return ret;
ff_MPV_decode_defaults(s);
diff --git a/gst-libs/ext/libav/libavcodec/rv30.c b/gst-libs/ext/libav/libavcodec/rv30.c
index 3c3579b..b61b75d 100644
--- a/gst-libs/ext/libav/libavcodec/rv30.c
+++ b/gst-libs/ext/libav/libavcodec/rv30.c
@@ -244,9 +244,11 @@ static void rv30_loop_filter(RV34DecContext *r, int row)
static av_cold int rv30_decode_init(AVCodecContext *avctx)
{
RV34DecContext *r = avctx->priv_data;
+ int ret;
r->rv30 = 1;
- ff_rv34_decode_init(avctx);
+ if ((ret = ff_rv34_decode_init(avctx)) < 0)
+ return ret;
if(avctx->extradata_size < 2){
av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
return -1;
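Review bot: The extradata test that follows the new check in rv30_decode_init still runs after `ff_rv34_decode_init()` has succeeded, and it returns a bare `-1`. If that init allocates decoder state, this path returns without releasing it unless the caller invokes the codec's close function after a failed init, which is not visible here. Moving the `avctx->extradata_size < 2` test ahead of the init call and returning `AVERROR_INVALIDDATA` from it would remove the question.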
diff --git a/gst-libs/ext/libav/libavcodec/rv40.c b/gst-libs/ext/libav/libavcodec/rv40.c
index f95622a..d317d07 100644
--- a/gst-libs/ext/libav/libavcodec/rv40.c
+++ b/gst-libs/ext/libav/libavcodec/rv40.c
@@ -545,9 +545,11 @@ static void rv40_loop_filter(RV34DecContext *r, int row)
static av_cold int rv40_decode_init(AVCodecContext *avctx)
{
RV34DecContext *r = avctx->priv_data;
+ int ret;
r->rv30 = 0;
- ff_rv34_decode_init(avctx);
+ if ((ret = ff_rv34_decode_init(avctx)) < 0)
+ return ret;
if(!aic_top_vlc.bits)
rv40_init_tables();
r->parse_slice_header = rv40_parse_slice_header;
diff --git a/gst-libs/ext/libav/libavcodec/shorten.c b/gst-libs/ext/libav/libavcodec/shorten.c
index 0b4a473..fda90fe 100644
--- a/gst-libs/ext/libav/libavcodec/shorten.c
+++ b/gst-libs/ext/libav/libavcodec/shorten.c
@@ -206,31 +206,38 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
{
int len;
short wave_format;
+ GetByteContext gb;
- if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) {
+ bytestream2_init(&gb, header, header_size);
+
+ if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) {
av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n");
return AVERROR_INVALIDDATA;
}
- header += 4; /* chunk size */
+ bytestream2_skip(&gb, 4); /* chunk size */
- if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) {
+ if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) {
av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n");
return AVERROR_INVALIDDATA;
}
- while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) {
- len = bytestream_get_le32(&header);
- header += len;
+ while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) {
+ len = bytestream2_get_le32(&gb);
+ bytestream2_skip(&gb, len);
+ if (bytestream2_get_bytes_left(&gb) < 16) {
+ av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n");
+ return AVERROR_INVALIDDATA;
+ }
}
- len = bytestream_get_le32(&header);
+ len = bytestream2_get_le32(&gb);
if (len < 16) {
av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n");
return AVERROR_INVALIDDATA;
}
- wave_format = bytestream_get_le16(&header);
+ wave_format = bytestream2_get_le16(&gb);
switch (wave_format) {
case WAVE_FORMAT_PCM:
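Review bot: After the chunk search in decode_wave_header, `len` is compared only with 16 and never with the bytes that remain in `gb`. The checked reader keeps this memory-safe, but a header truncated inside the fmt chunk is then parsed from zero-filled reads instead of being rejected. Extending the test to `if (len < 16 || bytestream2_get_bytes_left(&gb) < 16)` would report it as invalid data. `len` is a signed `int` filled from an unsigned 32-bit read and passed to `bytestream2_skip()`; a comment noting that the skip clamps to the buffer end would help the next reader.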
@@ -240,11 +247,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
return AVERROR(ENOSYS);
}
- header += 2; // skip channels (already got from shorten header)
- avctx->sample_rate = bytestream_get_le32(&header);
- header += 4; // skip bit rate (represents original uncompressed bit rate)
- header += 2; // skip block align (not needed)
- avctx->bits_per_coded_sample = bytestream_get_le16(&header);
+ bytestream2_skip(&gb, 2); // skip channels (already got from shorten header)
+ avctx->sample_rate = bytestream2_get_le32(&gb);
+ bytestream2_skip(&gb, 4); // skip bit rate (represents original uncompressed bit rate)
+ bytestream2_skip(&gb, 2); // skip block align (not needed)
+ avctx->bits_per_coded_sample = bytestream2_get_le16(&gb);
if (avctx->bits_per_coded_sample != 16) {
av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n");
diff --git a/gst-libs/ext/libav/libavcodec/smacker.c b/gst-libs/ext/libav/libavcodec/smacker.c
index a72d7c5..2baf059 100644
--- a/gst-libs/ext/libav/libavcodec/smacker.c
+++ b/gst-libs/ext/libav/libavcodec/smacker.c
@@ -257,6 +257,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+ if (ctx.last[0] >= huff.length ||
+ ctx.last[1] >= huff.length ||
+ ctx.last[2] >= huff.length) {
+ av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
+ err = AVERROR_INVALIDDATA;
+ }
*recodes = huff.values;
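Review bot: The new range check sets `err` but execution continues to `*recodes = huff.values;`, so the caller still receives the table when the escape codes are out of range. Whether that is safe depends on the caller checking the return value before using `*recodes`, and on how the cleanup after this hunk treats `huff.values` on error; neither is visible here. The test also covers only the upper bound. If `ctx.last[]` can hold a negative value other than the -1 handled just above, a `< 0` test belongs in the same condition.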
diff --git a/gst-libs/ext/libav/libavcodec/svq3.c b/gst-libs/ext/libav/libavcodec/svq3.c
index 68bf2f7..34cda32 100644
--- a/gst-libs/ext/libav/libavcodec/svq3.c
+++ b/gst-libs/ext/libav/libavcodec/svq3.c
@@ -634,9 +634,9 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
dir = i_mb_type_info[mb_type - 8].pred_mode;
dir = (dir >> 1) ^ 3 * (dir & 1) ^ 1;
- if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1) {
- av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
- return -1;
+ if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) < 0) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "ff_h264_check_intra_pred_mode < 0\n");
+ return h->intra16x16_pred_mode;
}
cbp = i_mb_type_info[mb_type - 8].cbp;
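Review bot: The negative error code is assigned to `h->intra16x16_pred_mode` before it is tested, so on failure the decoder context keeps an invalid prediction mode. If decoding can continue with the same context after this error, later code may use that value as an index. Storing the result in a local and copying it to the context only when it is non-negative avoids that. The log text `ff_h264_check_intra_pred_mode < 0` also gives the user nothing to act on; `"invalid intra 16x16 prediction mode\n"` would be clearer.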
@@ -956,7 +956,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
int offset = get_bits_count(&gb) + 7 >> 3;
uint8_t *buf;
- if ((uint64_t)watermark_width * 4 > UINT_MAX / watermark_height)
+ if (watermark_height > 0 &&
+ (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height)
return -1;
buf = av_malloc(buf_len);
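Review bot: A `watermark_height` of 0 now bypasses the overflow test and continues to `av_malloc(buf_len)`. `buf_len` is computed outside the hunk, presumably from the same width and height, so this path would request an empty buffer and then use it. Rejecting empty dimensions outright handles both the division and the empty case: `if (!watermark_width || !watermark_height || (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1;`. The bare `return -1` could also become `AVERROR_INVALIDDATA` to match the other checks in this import.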
diff --git a/gst-libs/ext/libav/libavcodec/truemotion2.c b/gst-libs/ext/libav/libavcodec/truemotion2.c
index 2d7a510..7691989 100644
--- a/gst-libs/ext/libav/libavcodec/truemotion2.c
+++ b/gst-libs/ext/libav/libavcodec/truemotion2.c
@@ -905,14 +905,14 @@ static av_cold int decode_init(AVCodecContext *avctx){
if (!l->Y1_base || !l->Y2_base || !l->U1_base ||
!l->V1_base || !l->U2_base || !l->V2_base ||
!l->last || !l->clast) {
- av_freep(l->Y1_base);
- av_freep(l->Y2_base);
- av_freep(l->U1_base);
- av_freep(l->U2_base);
- av_freep(l->V1_base);
- av_freep(l->V2_base);
- av_freep(l->last);
- av_freep(l->clast);
+ av_freep(&l->Y1_base);
+ av_freep(&l->Y2_base);
+ av_freep(&l->U1_base);
+ av_freep(&l->U2_base);
+ av_freep(&l->V1_base);
+ av_freep(&l->V2_base);
+ av_freep(&l->last);
+ av_freep(&l->clast);
return AVERROR(ENOMEM);
}
l->Y1 = l->Y1_base + l->y_stride * 4 + 4;
diff --git a/gst-libs/ext/libav/libavcodec/twinvq.c b/gst-libs/ext/libav/libavcodec/twinvq.c
index 8989469..f6c897f 100644
--- a/gst-libs/ext/libav/libavcodec/twinvq.c
+++ b/gst-libs/ext/libav/libavcodec/twinvq.c
@@ -1142,6 +1142,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx)
AV_CH_LAYOUT_STEREO;
ibps = avctx->bit_rate / (1000 * avctx->channels);
+ if (ibps < 8 || ibps > 48) {
+ av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps);
+ return AVERROR_INVALIDDATA;
+ }
switch ((isampf << 8) + ibps) {
case (8 <<8) + 8: tctx->mtab = &mode_08_08; break;
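Review bot: The new range check has no comment saying why 8..48 is accepted or what it protects. From the hunk, `ibps` is added to `isampf << 8` to form the switch key, so a value outside one byte would alias another mode's key. That reasoning deserves a line such as `/* keep ibps small enough that it cannot collide with isampf in the switch key */`. The division `avctx->bit_rate / (1000 * avctx->channels)` just above relies on `channels` being non-zero, which is presumably validated earlier in twin_decode_init but is not visible here.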
diff --git a/gst-libs/ext/libav/libavcodec/vc1dec.c b/gst-libs/ext/libav/libavcodec/vc1dec.c
index bafd6a2..6b32116 100644
--- a/gst-libs/ext/libav/libavcodec/vc1dec.c
+++ b/gst-libs/ext/libav/libavcodec/vc1dec.c
@@ -4742,6 +4742,9 @@ static void vc1_decode_skip_blocks(VC1Context *v)
{
MpegEncContext *s = &v->s;
+ if (!v->s.last_picture.f.data[0])
+ return;
+
ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END);
s->first_slice_line = 1;
for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) {
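Review bot: The guard in vc1_decode_skip_blocks spells the pointer as `v->s.last_picture.f.data[0]` although the local `s` declared on the line above refers to the same context; `if (!s->last_picture.f.data[0])` matches the rest of the function. More importantly, the function returns void, so the early return leaves the current picture untouched without reporting anything. If the caller then outputs that picture, its content is whatever the buffer held. It is worth confirming that the caller drops or clears the frame in this case.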
@@ -5131,8 +5134,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v)
if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
!v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
- !v->mb_type_base)
- return -1;
+ !v->mb_type_base) {
+ av_freep(&v->mv_type_mb_plane);
+ av_freep(&v->direct_mb_plane);
+ av_freep(&v->acpred_plane);
+ av_freep(&v->over_flags_plane);
+ av_freep(&v->block);
+ av_freep(&v->cbp_base);
+ av_freep(&v->ttblk_base);
+ av_freep(&v->is_intra_base);
+ av_freep(&v->luma_mv_base);
+ av_freep(&v->mb_type_base);
+ return AVERROR(ENOMEM);
+ }
return 0;
}
@@ -5484,8 +5498,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
}
if (!s->context_initialized) {
- if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0)
+ if (ff_msmpeg4_decode_init(avctx) < 0)
goto err;
+ if (ff_vc1_decode_init_alloc_tables(v) < 0) {
+ ff_MPV_common_end(s);
+ goto err;
+ }
s->low_delay = !avctx->has_b_frames || v->res_sprite;
@@ -5573,6 +5591,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
if (avctx->hwaccel->end_frame(avctx) < 0)
goto err;
} else {
+ int header_ret = 0;
+
ff_er_frame_start(s);
v->bits = buf_size * 8;
@@ -5619,18 +5639,20 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
if (i) {
v->pic_header_flag = 0;
if (v->field_mode && i == n_slices1 + 2) {
- if (ff_vc1_parse_frame_header_adv(v, &s->gb) < 0) {
+ if ((header_ret = ff_vc1_parse_frame_header_adv(v, &s->gb)) < 0) {
av_log(v->s.avctx, AV_LOG_ERROR, "Field header damaged\n");
continue;
}
} else if (get_bits1(&s->gb)) {
v->pic_header_flag = 1;
- if (ff_vc1_parse_frame_header_adv(v, &s->gb) < 0) {
+ if ((header_ret = ff_vc1_parse_frame_header_adv(v, &s->gb)) < 0) {
av_log(v->s.avctx, AV_LOG_ERROR, "Slice header damaged\n");
continue;
}
}
}
+ if (header_ret < 0)
+ continue;
s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height);
if (!v->field_mode || v->second_field)
s->end_mb_y = (i == n_slices ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
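Review bot: `header_ret` is declared once at the top of the `else` branch (previous hunk) and is reassigned only when a slice carries a header, so after one damaged header the added `if (header_ret < 0) continue;` also skips every later slice that has no header of its own, until another header parses cleanly. If that is the intent, a comment above the check such as `/* a damaged header also invalidates the header-less slices that follow it */` would make it explicit. If it is not, `header_ret` should be reset at the top of each iteration. The slice loop itself starts outside the hunk, so the declaration being outside the loop is inferred from the hunk offsets and the `continue` statements.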
diff --git a/gst-libs/ext/libav/libavcodec/vp3.c b/gst-libs/ext/libav/libavcodec/vp3.c
index 0340c22..1d68c09 100644
--- a/gst-libs/ext/libav/libavcodec/vp3.c
+++ b/gst-libs/ext/libav/libavcodec/vp3.c
@@ -2160,6 +2160,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
fps.num = get_bits_long(gb, 32);
fps.den = get_bits_long(gb, 32);
if (fps.num && fps.den) {
+ if (fps.num < 0 || fps.den < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid framerate\n");
+ return AVERROR_INVALIDDATA;
+ }
av_reduce(&avctx->time_base.num, &avctx->time_base.den,
fps.den, fps.num, 1<<30);
}
diff --git a/gst-libs/ext/libav/libavcodec/wnv1.c b/gst-libs/ext/libav/libavcodec/wnv1.c
index 1636f16..362fafc 100644
--- a/gst-libs/ext/libav/libavcodec/wnv1.c
+++ b/gst-libs/ext/libav/libavcodec/wnv1.c
@@ -71,6 +71,11 @@ static int decode_frame(AVCodecContext *avctx,
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
+ if (buf_size < 8) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+ return AVERROR_INVALIDDATA;
+ }
+
rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!rbuf) {
av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
diff --git a/gst-libs/ext/libav/libavcodec/xan.c b/gst-libs/ext/libav/libavcodec/xan.c
index 8c90bb6..369f89b 100644
--- a/gst-libs/ext/libav/libavcodec/xan.c
+++ b/gst-libs/ext/libav/libavcodec/xan.c
@@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
int ptr_len = src_len - 1 - byte*2;
unsigned char val = ival;
unsigned char *dest_end = dest + dest_len;
+ unsigned char *dest_start = dest;
GetBitContext gb;
if (ptr_len < 0)
@@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
if (val < 0x16) {
if (dest >= dest_end)
- return 0;
+ return dest_len;
*dest++ = val;
val = ival;
}
}
- return 0;
+ return dest - dest_start;
}
/**
@@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) {
unsigned char flag = 0;
int size = 0;
int motion_x, motion_y;
- int x, y;
+ int x, y, ret;
unsigned char *opcode_buffer = s->buffer1;
unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
@@ -283,8 +284,8 @@ static int xan_wc3_decode_frame(XanContext *s) {
/* pointers to segments inside the compressed chunk */
const unsigned char *huffman_segment;
- const unsigned char *size_segment;
- const unsigned char *vector_segment;
+ GetByteContext size_segment;
+ GetByteContext vector_segment;
const unsigned char *imagedata_segment;
int huffman_offset, size_offset, vector_offset, imagedata_offset,
imagedata_size;
@@ -304,13 +305,14 @@ static int xan_wc3_decode_frame(XanContext *s) {
return AVERROR_INVALIDDATA;
huffman_segment = s->buf + huffman_offset;
- size_segment = s->buf + size_offset;
- vector_segment = s->buf + vector_offset;
+ bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset);
+ bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
imagedata_segment = s->buf + imagedata_offset;
- if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
- huffman_segment, s->size - huffman_offset) < 0)
+ if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+ huffman_segment, s->size - huffman_offset)) < 0)
return AVERROR_INVALIDDATA;
+ opcode_buffer_end = opcode_buffer + ret;
if (imagedata_segment[0] == 2) {
xan_unpack(s->buffer2, s->buffer2_size,
@@ -357,19 +359,17 @@ static int xan_wc3_decode_frame(XanContext *s) {
case 9:
case 19:
- size = *size_segment++;
+ size = bytestream2_get_byte(&size_segment);
break;
case 10:
case 20:
- size = AV_RB16(&size_segment[0]);
- size_segment += 2;
+ size = bytestream2_get_be16(&size_segment);
break;
case 11:
case 21:
- size = AV_RB24(size_segment);
- size_segment += 3;
+ size = bytestream2_get_be24(&size_segment);
break;
}
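Review bot: The checked `bytestream2_get_byte`/`_be16`/`_be24` readers return 0 once the segment is exhausted, so a truncated size segment no longer reads out of bounds but is silently decoded as `size = 0` instead of being reported. Testing the remaining length before each read, e.g. `if (bytestream2_get_bytes_left(&size_segment) < 1) return AVERROR_INVALIDDATA;` (with 2 and 3 for the 16- and 24-bit cases), would reject the damaged frame rather than continue with made-up sizes. The same applies to the `bytestream2_get_byte(&vector_segment)` read in the motion-compensation hunk that follows. The enclosing `switch` starts outside this hunk.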
@@ -391,9 +391,9 @@ static int xan_wc3_decode_frame(XanContext *s) {
}
} else {
/* run-based motion compensation from last frame */
- motion_x = sign_extend(*vector_segment >> 4, 4);
- motion_y = sign_extend(*vector_segment & 0xF, 4);
- vector_segment++;
+ uint8_t vector = bytestream2_get_byte(&vector_segment);
+ motion_x = sign_extend(vector >> 4, 4);
+ motion_y = sign_extend(vector & 0xF, 4);
/* copy a run of pixels from the previous frame */
xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y);
diff --git a/gst-libs/ext/libav/libavcodec/xxan.c b/gst-libs/ext/libav/libavcodec/xxan.c
index 84ffdec..7a0cdc4 100644
--- a/gst-libs/ext/libav/libavcodec/xxan.c
+++ b/gst-libs/ext/libav/libavcodec/xxan.c
@@ -49,6 +49,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", avctx->height);
return AVERROR(EINVAL);
}
+ if (avctx->width & 1) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width);
+ return AVERROR(EINVAL);
+ }
s->buffer_size = avctx->width * avctx->height;
s->y_buffer = av_malloc(s->buffer_size);
diff --git a/gst-libs/ext/libav/libavcodec/zmbv.c b/gst-libs/ext/libav/libavcodec/zmbv.c
index c92e553..c7a90f0 100644
--- a/gst-libs/ext/libav/libavcodec/zmbv.c
+++ b/gst-libs/ext/libav/libavcodec/zmbv.c
@@ -508,8 +508,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
}
if (c->comp == 0) { //Uncompressed data
+ if (c->decomp_size < len) {
+ av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
+ return AVERROR_INVALIDDATA;
+ }
memcpy(c->decomp_buf, buf, len);
- c->decomp_size = 1;
} else { // ZLIB-compressed data
c->zstream.total_in = c->zstream.total_out = 0;
c->zstream.next_in = buf;
diff --git a/gst-libs/ext/libav/libavformat/ape.c b/gst-libs/ext/libav/libavformat/ape.c
index a9c695e..3c25630 100644
--- a/gst-libs/ext/libav/libavformat/ape.c
+++ b/gst-libs/ext/libav/libavformat/ape.c
@@ -255,7 +255,7 @@ static int ape_read_header(AVFormatContext * s)
ape->totalframes);
return -1;
}
- if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) {
+ if (ape->seektablelength / sizeof(*ape->seektable) < ape->totalframes) {
av_log(s, AV_LOG_ERROR,
"Number of seek entries is less than number of frames: %zu vs. %"PRIu32"\n",
ape->seektablelength / sizeof(*ape->seektable), ape->totalframes);
diff --git a/gst-libs/ext/libav/libavformat/asfdec.c b/gst-libs/ext/libav/libavformat/asfdec.c
index c6b322d..e8587af 100644
--- a/gst-libs/ext/libav/libavformat/asfdec.c
+++ b/gst-libs/ext/libav/libavformat/asfdec.c
@@ -714,7 +714,9 @@ static int asf_read_header(AVFormatContext *s)
if (ret < 0)
return ret;
} else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
- asf_read_stream_properties(s, gsize);
+ int ret = asf_read_stream_properties(s, gsize);
+ if (ret < 0)
+ return ret;
} else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
asf_read_content_desc(s, gsize);
} else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
diff --git a/gst-libs/ext/libav/libavformat/avidec.c b/gst-libs/ext/libav/libavformat/avidec.c
index ee341c2..e17d932 100644
--- a/gst-libs/ext/libav/libavformat/avidec.c
+++ b/gst-libs/ext/libav/libavformat/avidec.c
@@ -752,8 +752,10 @@ static int avi_read_header(AVFormatContext *s)
return 0;
}
-static int read_gab2_sub(AVStream *st, AVPacket *pkt) {
- if (!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) {
+static int read_gab2_sub(AVStream *st, AVPacket *pkt)
+{
+ if (pkt->size >= 7 &&
+ !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
uint8_t desc[256];
int score = AVPROBE_SCORE_MAX / 2, ret;
AVIStream *ast = st->priv_data;
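Review bot: `strcmp(pkt->data, "GAB2")` depends on the byte after the tag being NUL and passes a `uint8_t *` where `const char *` is expected. With the new `pkt->size >= 7` guard in place, `!memcmp(pkt->data, "GAB2", 5)` performs the same five-byte comparison with an explicit bound and no pointer-sign warning. A one-line comment that 7 is the tag, its terminator and the 16-bit field read at offset 5 would also explain the constant. The body of `read_gab2_sub` continues outside the hunk.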
diff --git a/gst-libs/ext/libav/libavformat/bfi.c b/gst-libs/ext/libav/libavformat/bfi.c
index e60bbf4..19060e7 100644
--- a/gst-libs/ext/libav/libavformat/bfi.c
+++ b/gst-libs/ext/libav/libavformat/bfi.c
@@ -132,6 +132,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
video_offset = avio_rl32(pb);
audio_size = video_offset - audio_offset;
bfi->video_size = chunk_size - video_offset;
+ if (audio_size < 0 || bfi->video_size < 0) {
+ av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
+ return AVERROR_INVALIDDATA;
+ }
//Tossing an audio packet at the audio decoder.
ret = av_get_packet(pb, pkt, audio_size);
@@ -140,9 +144,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
pkt->pts = bfi->audio_frame;
bfi->audio_frame += ret;
- }
-
- else {
+ } else if (bfi->video_size > 0) {
//Tossing a video packet at the video decoder.
ret = av_get_packet(pb, pkt, bfi->video_size);
@@ -154,6 +156,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
/* One less frame to read. A cursory decrement. */
bfi->nframes--;
+ } else {
+ /* Empty video packet */
+ ret = AVERROR(EAGAIN);
}
bfi->avflag = !bfi->avflag;
diff --git a/gst-libs/ext/libav/libavformat/dsicin.c b/gst-libs/ext/libav/libavformat/dsicin.c
index ecc8c0b..6a7c8b9 100644
--- a/gst-libs/ext/libav/libavformat/dsicin.c
+++ b/gst-libs/ext/libav/libavformat/dsicin.c
@@ -154,6 +154,8 @@ static int cin_read_frame_header(CinDemuxContext *cin, AVIOContext *pb) {
if (avio_rl32(pb) != 0xAA55AA55)
return AVERROR_INVALIDDATA;
+ if (hdr->video_frame_size < 0 || hdr->audio_frame_size < 0)
+ return AVERROR_INVALIDDATA;
return 0;
}
diff --git a/gst-libs/ext/libav/libavformat/electronicarts.c b/gst-libs/ext/libav/libavformat/electronicarts.c
index ae2fda0..b85b4c2 100644
--- a/gst-libs/ext/libav/libavformat/electronicarts.c
+++ b/gst-libs/ext/libav/libavformat/electronicarts.c
@@ -439,8 +439,9 @@ static int ea_read_header(AVFormatContext *s)
}
if (ea->audio_codec) {
- if (ea->num_channels <= 0) {
- av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels);
+ if (ea->num_channels <= 0 || ea->num_channels > 2) {
+ av_log(s, AV_LOG_WARNING,
+ "Unsupported number of channels: %d\n", ea->num_channels);
ea->audio_codec = 0;
return 1;
}
@@ -525,10 +526,16 @@ static int ea_read_packet(AVFormatContext *s,
case AV_CODEC_ID_ADPCM_EA_R1:
case AV_CODEC_ID_ADPCM_EA_R2:
case AV_CODEC_ID_ADPCM_IMA_EA_EACS:
- pkt->duration = AV_RL32(pkt->data);
- break;
case AV_CODEC_ID_ADPCM_EA_R3:
- pkt->duration = AV_RB32(pkt->data);
+ if (pkt->size < 4) {
+ av_log(s, AV_LOG_ERROR, "Packet is too short\n");
+ av_free_packet(pkt);
+ return AVERROR_INVALIDDATA;
+ }
+ if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3)
+ pkt->duration = AV_RB32(pkt->data);
+ else
+ pkt->duration = AV_RL32(pkt->data);
break;
case AV_CODEC_ID_ADPCM_IMA_EA_SEAD:
pkt->duration = ret * 2 / ea->num_channels;
diff --git a/gst-libs/ext/libav/libavformat/idroqdec.c b/gst-libs/ext/libav/libavformat/idroqdec.c
index eeaafec..82eff24 100644
--- a/gst-libs/ext/libav/libavformat/idroqdec.c
+++ b/gst-libs/ext/libav/libavformat/idroqdec.c
@@ -142,6 +142,8 @@ static int roq_read_packet(AVFormatContext *s,
break;
case RoQ_QUAD_CODEBOOK:
+ if (roq->video_stream_index < 0)
+ return AVERROR_INVALIDDATA;
/* packet needs to contain both this codebook and next VQ chunk */
codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE;
codebook_size = chunk_size;
@@ -191,6 +193,11 @@ static int roq_read_packet(AVFormatContext *s,
st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample;
}
case RoQ_QUAD_VQ:
+ if (chunk_type == RoQ_QUAD_VQ) {
+ if (roq->video_stream_index < 0)
+ return AVERROR_INVALIDDATA;
+ }
+
/* load up the packet */
if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE))
return AVERROR(EIO);
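Review bot: The nested guard under `case RoQ_QUAD_VQ:` can be a single condition, `if (chunk_type == RoQ_QUAD_VQ && roq->video_stream_index < 0) return AVERROR_INVALIDDATA;`. It needs the `chunk_type` test only because the preceding case falls through into this one, which nothing in the visible lines marks; a `/* fall through */` comment before `case RoQ_QUAD_VQ:` would make that explicit for readers and for compiler fallthrough warnings.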
diff --git a/gst-libs/ext/libav/libavformat/matroskadec.c b/gst-libs/ext/libav/libavformat/matroskadec.c
index fe4d932..8a0c91b 100644
--- a/gst-libs/ext/libav/libavformat/matroskadec.c
+++ b/gst-libs/ext/libav/libavformat/matroskadec.c
@@ -1580,6 +1580,10 @@ static int matroska_read_header(AVFormatContext *s)
track->audio.sub_packet_h = avio_rb16(&b);
track->audio.frame_size = avio_rb16(&b);
track->audio.sub_packet_size = avio_rb16(&b);
+ if (flavor <= 0 || track->audio.coded_framesize <= 0 ||
+ track->audio.sub_packet_h <= 0 || track->audio.frame_size <= 0 ||
+ track->audio.sub_packet_size <= 0)
+ return AVERROR_INVALIDDATA;
track->audio.buf = av_malloc(track->audio.frame_size * track->audio.sub_packet_h);
if (codec_id == AV_CODEC_ID_RA_288) {
st->codec->block_align = track->audio.coded_framesize;
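Review bot: The new `<= 0` checks leave the allocation size on the next line unbounded. `frame_size` and `sub_packet_h` are each read with `avio_rb16`, so `track->audio.frame_size * track->audio.sub_packet_h` can reach 65535 * 65535, which overflows if the fields are `int` (their declarations are outside the hunk). A bound such as `if (track->audio.sub_packet_h > INT_MAX / track->audio.frame_size) return AVERROR_INVALIDDATA;` before the multiplication would close that. The result of `av_malloc` is not tested in the visible lines either; `if (!track->audio.buf) return AVERROR(ENOMEM);` belongs directly after it unless a check exists further down.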
diff --git a/gst-libs/ext/libav/libavformat/mov.c b/gst-libs/ext/libav/libavformat/mov.c
index f652934..6b89a2d 100644
--- a/gst-libs/ext/libav/libavformat/mov.c
+++ b/gst-libs/ext/libav/libavformat/mov.c
@@ -1659,6 +1659,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
sample_count=avio_rb32(pb);
sample_duration = avio_rb32(pb);
+ if (sample_count < 0) {
+ av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count);
+ return AVERROR_INVALIDDATA;
+ }
sc->stts_data[i].count= sample_count;
sc->stts_data[i].duration= sample_duration;
@@ -2063,7 +2067,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
((double)st->codec->width * sc->height), INT_MAX);
}
- if (st->duration != AV_NOPTS_VALUE)
+ if (st->duration != AV_NOPTS_VALUE && st->duration > 0)
av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
sc->time_scale*st->nb_frames, st->duration, INT_MAX);
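Review bot: In `mov_read_trak` the condition `st->duration != AV_NOPTS_VALUE && st->duration > 0` is redundant, because `AV_NOPTS_VALUE` is the most negative 64-bit value and `st->duration > 0` already excludes it. Writing `if (st->duration > 0)` is equivalent and matches the form this commit uses in the `mov_read_header` hunk below.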
@@ -2805,7 +2809,7 @@ static int mov_read_header(AVFormatContext *s)
for (i = 0; i < s->nb_streams; i++) {
AVStream *st = s->streams[i];
MOVStreamContext *sc = st->priv_data;
- if (st->duration)
+ if (st->duration > 0)
st->codec->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration;
}
}
diff --git a/gst-libs/ext/libav/libavformat/mpc8.c b/gst-libs/ext/libav/libavformat/mpc8.c
index f60a314..c7aa875 100644
--- a/gst-libs/ext/libav/libavformat/mpc8.c
+++ b/gst-libs/ext/libav/libavformat/mpc8.c
@@ -139,12 +139,21 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
int i, t, seekd;
GetBitContext gb;
+ if (s->nb_streams == 0) {
+ av_log(s, AV_LOG_ERROR, "No stream added before parsing seek table\n");
+ return;
+ }
+
avio_seek(s->pb, off, SEEK_SET);
mpc8_get_chunk_header(s->pb, &tag, &size);
if(tag != TAG_SEEKTABLE){
av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
return;
}
+ if (size < 0 || size >= INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+ return;
+ }
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
return;
avio_read(s->pb, buf, size);
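Review bot: The result of `avio_read(s->pb, buf, size)` on the last line is discarded, so a file that declares a seek table longer than the data actually present leaves the tail of `buf` uninitialised before it is parsed (the parsing is outside the hunk). The new size bound does not cover this case. Checking the read, `if (avio_read(s->pb, buf, size) != size) { av_free(buf); return; }`, and clearing the padding with `memset(buf + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` would make the bit reader's input fully defined.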
diff --git a/gst-libs/ext/libav/libavformat/mvi.c b/gst-libs/ext/libav/libavformat/mvi.c
index 10ec8bb..65096f1 100644
--- a/gst-libs/ext/libav/libavformat/mvi.c
+++ b/gst-libs/ext/libav/libavformat/mvi.c
@@ -93,6 +93,12 @@ static int read_header(AVFormatContext *s)
mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24;
mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
+ if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
+ av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n",
+ mvi->audio_data_size, frames_count);
+ return AVERROR_INVALIDDATA;
+ }
+
mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
mvi->audio_size_left = mvi->audio_data_size;
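Review bot: The added comparison `mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1` relies on `-` binding tighter than `<<` and `<<` tighter than `<=`; it parses as intended but is easy to misread and draws a parentheses warning from common compilers. `if (mvi->audio_frame_size <= (1 << (MVI_FRAC_BITS - 1))) {` says the same thing unambiguously. Note also that the division by `frames_count` on the line above runs before this check, so a zero `frames_count` must be rejected earlier; whether it is cannot be seen from the hunk.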
diff --git a/gst-libs/ext/libav/libavformat/mxfdec.c b/gst-libs/ext/libav/libavformat/mxfdec.c
index 18f7b26..d380b36 100644
--- a/gst-libs/ext/libav/libavformat/mxfdec.c
+++ b/gst-libs/ext/libav/libavformat/mxfdec.c
@@ -1527,8 +1527,16 @@ static int mxf_parse_structural_metadata(MXFContext *mxf)
st->codec->channels = descriptor->channels;
st->codec->bits_per_coded_sample = descriptor->bits_per_sample;
- if (descriptor->sample_rate.den > 0)
+ if (descriptor->sample_rate.den > 0) {
st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den;
+ avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num);
+ } else {
+ av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) "
+ "found for stream #%d, time base forced to 1/48000\n",
+ descriptor->sample_rate.num, descriptor->sample_rate.den,
+ st->index);
+ avpriv_set_pts_info(st, 64, 1, 48000);
+ }
/* TODO: implement AV_CODEC_ID_RAWAUDIO */
if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) {
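Review bot: The branch tests only `descriptor->sample_rate.den > 0`, so a zero or negative `sample_rate.num` still reaches `avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num)` as the time-base denominator and leaves `st->codec->sample_rate` at zero or below. Testing both fields, `if (descriptor->sample_rate.num > 0 && descriptor->sample_rate.den > 0) {`, sends that case to the existing fallback with its warning and the forced 1/48000 time base.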
diff --git a/gst-libs/ext/libav/libavformat/oggparseogm.c b/gst-libs/ext/libav/libavformat/oggparseogm.c
index 7b3cda2..56ea557 100644
--- a/gst-libs/ext/libav/libavformat/oggparseogm.c
+++ b/gst-libs/ext/libav/libavformat/oggparseogm.c
@@ -37,60 +37,62 @@ ogm_header(AVFormatContext *s, int idx)
struct ogg *ogg = s->priv_data;
struct ogg_stream *os = ogg->streams + idx;
AVStream *st = s->streams[idx];
- const uint8_t *p = os->buf + os->pstart;
+ GetByteContext p;
uint64_t time_unit;
uint64_t spu;
- if(!(*p & 1))
+ bytestream2_init(&p, os->buf + os->pstart, os->psize);
+ if (!(bytestream2_peek_byte(&p) & 1))
return 0;
- if(*p == 1) {
- p++;
+ if (bytestream2_peek_byte(&p) == 1) {
+ bytestream2_skip(&p, 1);
- if(*p == 'v'){
+ if (bytestream2_peek_byte(&p) == 'v'){
int tag;
st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
- p += 8;
- tag = bytestream_get_le32(&p);
+ bytestream2_skip(&p, 8);
+ tag = bytestream2_get_le32(&p);
st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
st->codec->codec_tag = tag;
- } else if (*p == 't') {
+ } else if (bytestream2_peek_byte(&p) == 't') {
st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codec->codec_id = AV_CODEC_ID_TEXT;
- p += 12;
+ bytestream2_skip(&p, 12);
} else {
- uint8_t acid[5];
+ uint8_t acid[5] = { 0 };
int cid;
st->codec->codec_type = AVMEDIA_TYPE_AUDIO;
- p += 8;
- bytestream_get_buffer(&p, acid, 4);
+ bytestream2_skip(&p, 8);
+ bytestream2_get_buffer(&p, acid, 4);
acid[4] = 0;
cid = strtol(acid, NULL, 16);
st->codec->codec_id = ff_codec_get_id(ff_codec_wav_tags, cid);
st->need_parsing = AVSTREAM_PARSE_FULL;
}
- p += 4; /* useless size field */
+ bytestream2_skip(&p, 4); /* useless size field */
- time_unit = bytestream_get_le64(&p);
- spu = bytestream_get_le64(&p);
- p += 4; /* default_len */
- p += 8; /* buffersize + bits_per_sample */
+ time_unit = bytestream2_get_le64(&p);
+ spu = bytestream2_get_le64(&p);
+ bytestream2_skip(&p, 4); /* default_len */
+ bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */
if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO){
- st->codec->width = bytestream_get_le32(&p);
- st->codec->height = bytestream_get_le32(&p);
+ st->codec->width = bytestream2_get_le32(&p);
+ st->codec->height = bytestream2_get_le32(&p);
avpriv_set_pts_info(st, 64, time_unit, spu * 10000000);
} else {
- st->codec->channels = bytestream_get_le16(&p);
- p += 2; /* block_align */
- st->codec->bit_rate = bytestream_get_le32(&p) * 8;
+ st->codec->channels = bytestream2_get_le16(&p);
+ bytestream2_skip(&p, 2); /* block_align */
+ st->codec->bit_rate = bytestream2_get_le32(&p) * 8;
st->codec->sample_rate = spu * 10000000 / time_unit;
avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate);
}
- } else if (*p == 3) {
- if (os->psize > 8)
- ff_vorbis_comment(s, &st->metadata, p+7, os->psize-8);
+ } else if (bytestream2_peek_byte(&p) == 3) {
+ bytestream2_skip(&p, 7);
+ if (bytestream2_get_bytes_left(&p) > 1)
+ ff_vorbis_comment(s, &st->metadata, p.buffer, bytestream2_get_bytes_left(&p) - 1);
}
return 1;
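Review bot: `time_unit` is taken from the packet without validation, and the checked `bytestream2_get_le64` returns 0 when the packet is too short, so `spu * 10000000 / time_unit` in the audio branch divides by zero on a truncated or malformed header. A check right after the two 64-bit reads, for example `if (!time_unit || !spu)` followed by rejecting the header, would prevent that. The error value should be whatever the caller of `ogm_header` accepts, since the hunk only shows the function returning 0 and 1. The function's opening and closing lines are outside the hunk.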
diff --git a/gst-libs/ext/libav/libavformat/omadec.c b/gst-libs/ext/libav/libavformat/omadec.c
index 8548fb5..0403451 100644
--- a/gst-libs/ext/libav/libavformat/omadec.c
+++ b/gst-libs/ext/libav/libavformat/omadec.c
@@ -170,7 +170,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
taglen = AV_RB32(&enc_header[pos+32]);
datalen = AV_RB32(&enc_header[pos+36]) >> 4;
- pos += 44 + taglen;
+ pos += 44;
+ if (size - pos < taglen)
+ return -1;
+
+ pos += taglen;
if (datalen << 4 > size - pos)
return -1;
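Review bot: The new `size - pos < taglen` test runs after `pos += 44` with no visible guarantee that 44 bytes remain. `size` is `unsigned` in the signature, so if `pos` has passed `size` the subtraction wraps to a large value and the test passes. The two `AV_RB32` reads at `pos+32` and `pos+36` also come before any bound shown here. Unless a check outside the hunk already ensures `pos + 44 <= size`, add `if (pos > size || size - pos < 44) return -1;` ahead of those reads.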
diff --git a/gst-libs/ext/libav/libavformat/r3d.c b/gst-libs/ext/libav/libavformat/r3d.c
index a4cb20a..543043e 100644
--- a/gst-libs/ext/libav/libavformat/r3d.c
+++ b/gst-libs/ext/libav/libavformat/r3d.c
@@ -87,7 +87,7 @@ static int r3d_read_red1(AVFormatContext *s)
framerate.num = avio_rb16(s->pb);
framerate.den = avio_rb16(s->pb);
- if (framerate.num && framerate.den) {
+ if (framerate.num > 0 && framerate.den > 0) {
#if FF_API_R_FRAME_RATE
st->r_frame_rate =
#endif
@@ -286,6 +286,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom)
dts = avio_rb32(s->pb);
st->codec->sample_rate = avio_rb32(s->pb);
+ if (st->codec->sample_rate <= 0) {
+ av_log(s, AV_LOG_ERROR, "Bad sample rate\n");
+ return AVERROR_INVALIDDATA;
+ }
samples = avio_rb32(s->pb);
diff --git a/gst-libs/ext/libav/libavformat/riff.c b/gst-libs/ext/libav/libavformat/riff.c
index e9463c0..09d8dbb 100644
--- a/gst-libs/ext/libav/libavformat/riff.c
+++ b/gst-libs/ext/libav/libavformat/riff.c
@@ -653,6 +653,11 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
if (size > 0)
avio_skip(pb, size);
}
+ if (codec->sample_rate <= 0) {
+ av_log(NULL, AV_LOG_ERROR,
+ "Invalid sample rate: %d\n", codec->sample_rate);
+ return AVERROR_INVALIDDATA;
+ }
codec->codec_id = ff_wav_codec_get_id(id, codec->bits_per_coded_sample);
if (codec->codec_id == AV_CODEC_ID_AAC_LATM) {
/* channels and sample_rate values are those prior to applying SBR and/or PS */
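Review bot: The new error message is logged with `av_log(NULL, ...)`, which drops the context a user needs to tell which stream produced it. The function already receives `AVCodecContext *codec`, so `av_log(codec, AV_LOG_ERROR, "Invalid sample rate: %d\n", codec->sample_rate);` keeps the message attributable without changing the signature. The rest of `ff_get_wav_header` is outside the hunk.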
diff --git a/gst-libs/ext/libav/libavformat/rl2.c b/gst-libs/ext/libav/libavformat/rl2.c
index ac0532f..ab33aab 100644
--- a/gst-libs/ext/libav/libavformat/rl2.c
+++ b/gst-libs/ext/libav/libavformat/rl2.c
@@ -107,6 +107,10 @@ static av_cold int rl2_read_header(AVFormatContext *s)
rate = avio_rl16(pb);
channels = avio_rl16(pb);
def_sound_size = avio_rl16(pb);
+ if (!channels || channels > 42) {
+ av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels);
+ return AVERROR_INVALIDDATA;
+ }
/** setup video stream */
st = avformat_new_stream(s, NULL);
diff --git a/gst-libs/ext/libav/libavformat/rmdec.c b/gst-libs/ext/libav/libavformat/rmdec.c
index 6495bdf..f8362c0 100644
--- a/gst-libs/ext/libav/libavformat/rmdec.c
+++ b/gst-libs/ext/libav/libavformat/rmdec.c
@@ -331,8 +331,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb,
if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0)
return ret;
- av_reduce(&st->avg_frame_rate.den, &st->avg_frame_rate.num,
- 0x10000, fps, (1 << 30) - 1);
+ if (fps > 0) {
+ av_reduce(&st->avg_frame_rate.den, &st->avg_frame_rate.num,
+ 0x10000, fps, (1 << 30) - 1);
+ } else if (s->error_recognition & AV_EF_EXPLODE) {
+ av_log(s, AV_LOG_ERROR, "Invalid framerate\n");
+ return AVERROR_INVALIDDATA;
+ }
#if FF_API_R_FRAME_RATE
st->r_frame_rate = st->avg_frame_rate;
#endif
diff --git a/gst-libs/ext/libav/libavformat/segafilm.c b/gst-libs/ext/libav/libavformat/segafilm.c
index adf2475..5643f33 100644
--- a/gst-libs/ext/libav/libavformat/segafilm.c
+++ b/gst-libs/ext/libav/libavformat/segafilm.c
@@ -111,6 +111,11 @@ static int film_read_header(AVFormatContext *s)
return AVERROR(EIO);
film->audio_samplerate = AV_RB16(&scratch[24]);
film->audio_channels = scratch[21];
+ if (!film->audio_channels || film->audio_channels > 2) {
+ av_log(s, AV_LOG_ERROR,
+ "Invalid number of channels: %d\n", film->audio_channels);
+ return AVERROR_INVALIDDATA;
+ }
film->audio_bits = scratch[22];
if (scratch[23] == 2)
film->audio_type = AV_CODEC_ID_ADPCM_ADX;
diff --git a/gst-libs/ext/libav/libavformat/sierravmd.c b/gst-libs/ext/libav/libavformat/sierravmd.c
index 359282c..a8534be 100644
--- a/gst-libs/ext/libav/libavformat/sierravmd.c
+++ b/gst-libs/ext/libav/libavformat/sierravmd.c
@@ -88,7 +88,7 @@ static int vmd_read_header(AVFormatContext *s)
unsigned char *raw_frame_table;
int raw_frame_table_size;
int64_t current_offset;
- int i, j;
+ int i, j, ret;
unsigned int total_frames;
int64_t current_audio_pts = 0;
unsigned char chunk[BYTES_PER_FRAME_RECORD];
@@ -175,15 +175,13 @@ static int vmd_read_header(AVFormatContext *s)
raw_frame_table = av_malloc(raw_frame_table_size);
vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame));
if (!raw_frame_table || !vmd->frame_table) {
- av_free(raw_frame_table);
- av_free(vmd->frame_table);
- return AVERROR(ENOMEM);
+ ret = AVERROR(ENOMEM);
+ goto error;
}
if (avio_read(pb, raw_frame_table, raw_frame_table_size) !=
raw_frame_table_size) {
- av_free(raw_frame_table);
- av_free(vmd->frame_table);
- return AVERROR(EIO);
+ ret = AVERROR(EIO);
+ goto error;
}
total_frames = 0;
@@ -199,6 +197,11 @@ static int vmd_read_header(AVFormatContext *s)
avio_read(pb, chunk, BYTES_PER_FRAME_RECORD);
type = chunk[0];
size = AV_RL32(&chunk[2]);
+ if (size > INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Invalid frame size\n");
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
if(!size && type != 1)
continue;
switch(type) {
@@ -235,6 +238,11 @@ static int vmd_read_header(AVFormatContext *s)
vmd->frame_count = total_frames;
return 0;
+
+error:
+ av_free(raw_frame_table);
+ av_free(vmd->frame_table);
+ return ret;
}
static int vmd_read_packet(AVFormatContext *s,
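Review bot: The new `error:` path releases `vmd->frame_table` with `av_free`, which leaves a dangling pointer in the demuxer context. If a close callback or any later code frees or reads `vmd->frame_table` after a failed header read (not visible here), that becomes a double free or a use after free. `av_freep(&vmd->frame_table);` clears the pointer as it frees, the same way the allocation-failure paths added elsewhere in this commit do. Only the labelled tail of `vmd_read_header` is in this hunk; whether `raw_frame_table` is released on the success path cannot be seen from it.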
diff --git a/gst-libs/ext/libav/libavformat/smacker.c b/gst-libs/ext/libav/libavformat/smacker.c
index 4a3a2b3..a6a6933 100644
--- a/gst-libs/ext/libav/libavformat/smacker.c
+++ b/gst-libs/ext/libav/libavformat/smacker.c
@@ -327,7 +327,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
}
flags >>= 1;
}
- if (frame_size < 0)
+ if (frame_size < 0 || frame_size >= INT_MAX/2)
return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, frame_size + 769))
return AVERROR(ENOMEM);
@@ -343,6 +343,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
smk->cur_frame++;
smk->nextpos = avio_tell(s->pb);
} else {
+ if (smk->stream_id[smk->curstream] < 0)
+ return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, smk->buf_sizes[smk->curstream]))
return AVERROR(ENOMEM);
memcpy(pkt->data, smk->bufs[smk->curstream], smk->buf_sizes[smk->curstream]);
diff --git a/gst-libs/ext/libav/libavformat/utils.c b/gst-libs/ext/libav/libavformat/utils.c
index 4f73dfe..b0bfea2 100644
--- a/gst-libs/ext/libav/libavformat/utils.c
+++ b/gst-libs/ext/libav/libavformat/utils.c
@@ -2499,7 +2499,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
double best_error = 0.01;
if (delta_dts >= INT64_MAX / st->time_base.num ||
- delta_packets >= INT64_MAX / st->time_base.den)
+ delta_packets >= INT64_MAX / st->time_base.den ||
+ delta_dts < 0)
continue;
av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
delta_packets*(int64_t)st->time_base.den,
diff --git a/gst-libs/ext/libav/libavformat/vocdec.c b/gst-libs/ext/libav/libavformat/vocdec.c
index 4e06513..2fb8440 100644
--- a/gst-libs/ext/libav/libavformat/vocdec.c
+++ b/gst-libs/ext/libav/libavformat/vocdec.c
@@ -91,11 +91,11 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size)
if (sample_rate)
dec->sample_rate = sample_rate;
avpriv_set_pts_info(st, 64, 1, dec->sample_rate);
+ dec->channels = channels;
+ dec->bits_per_coded_sample = av_get_bits_per_sample(dec->codec_id);
} else
avio_skip(pb, 1);
- dec->channels = channels;
tmp_codec = avio_r8(pb);
- dec->bits_per_coded_sample = av_get_bits_per_sample(dec->codec_id);
voc->remaining_size -= 2;
max_size -= 2;
channels = 1;
@@ -117,10 +117,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size)
if (!dec->sample_rate) {
dec->sample_rate = avio_rl32(pb);
avpriv_set_pts_info(st, 64, 1, dec->sample_rate);
+ dec->bits_per_coded_sample = avio_r8(pb);
+ dec->channels = avio_r8(pb);
} else
- avio_skip(pb, 4);
- dec->bits_per_coded_sample = avio_r8(pb);
- dec->channels = avio_r8(pb);
+ avio_skip(pb, 6);
tmp_codec = avio_rl16(pb);
avio_skip(pb, 4);
voc->remaining_size -= 12;
diff --git a/gst-libs/ext/libav/libavformat/vqf.c b/gst-libs/ext/libav/libavformat/vqf.c
index 66ced37..aba6ab1 100644
--- a/gst-libs/ext/libav/libavformat/vqf.c
+++ b/gst-libs/ext/libav/libavformat/vqf.c
@@ -174,10 +174,21 @@ static int vqf_read_header(AVFormatContext *s)
st->codec->sample_rate = 11025;
break;
default:
+ if (rate_flag < 8 || rate_flag > 44) {
+ av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag);
+ return AVERROR_INVALIDDATA;
+ }
st->codec->sample_rate = rate_flag*1000;
break;
}
+ if (read_bitrate / st->codec->channels < 8 ||
+ read_bitrate / st->codec->channels > 48) {
+ av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n",
+ read_bitrate / st->codec->channels);
+ return AVERROR_INVALIDDATA;
+ }
+
switch (((st->codec->sample_rate/1000) << 8) +
read_bitrate/st->codec->channels) {
case (11<<8) + 8 :
diff --git a/gst-libs/ext/libav/libavformat/wtv.c b/gst-libs/ext/libav/libavformat/wtv.c
index 1811e46..7f029ff 100644
--- a/gst-libs/ext/libav/libavformat/wtv.c
+++ b/gst-libs/ext/libav/libavformat/wtv.c
@@ -274,7 +274,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
dir_length = AV_RL16(buf + 16);
file_length = AV_RL64(buf + 24);
name_size = 2 * AV_RL32(buf + 32);
- if (buf + 48 + name_size > buf_end) {
+ if (name_size < 0) {
+ av_log(s, AV_LOG_ERROR,
+ "bad filename length, remaining directory entries ignored\n");
+ break;
+ }
+ if (48 + name_size > buf_end - buf) {
av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
break;
}
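Review bot: In the rewritten bound `48 + name_size > buf_end - buf`, the addition can itself overflow when `name_size` is a large positive `int` (its declaration is outside the hunk, and the value comes from a doubled 32-bit field). Moving the constant to the other side, `if (name_size > buf_end - buf - 48) {`, keeps the comparison free of overflow while rejecting the same entries. The surrounding loop starts outside the hunk.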
diff --git a/gst-libs/ext/libav/libavformat/xmv.c b/gst-libs/ext/libav/libavformat/xmv.c
index d491dec..201dc3a 100644
--- a/gst-libs/ext/libav/libavformat/xmv.c
+++ b/gst-libs/ext/libav/libavformat/xmv.c
@@ -43,6 +43,8 @@
XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \
XMV_AUDIO_ADPCM51_REARLEFTRIGHT)
+#define XMV_BLOCK_ALIGN_SIZE 36
+
typedef struct XMVAudioTrack {
uint16_t compression;
uint16_t channels;
@@ -207,7 +209,7 @@ static int xmv_read_header(AVFormatContext *s)
track->bit_rate = track->bits_per_sample *
track->sample_rate *
track->channels;
- track->block_align = 36 * track->channels;
+ track->block_align = XMV_BLOCK_ALIGN_SIZE * track->channels;
track->block_samples = 64;
track->codec_id = ff_wav_codec_get_id(track->compression,
track->bits_per_sample);
@@ -224,7 +226,8 @@ static int xmv_read_header(AVFormatContext *s)
av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
"(0x%04X)\n", track->flags);
- if (!track->channels || !track->sample_rate) {
+ if (!track->channels || !track->sample_rate ||
+ track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) {
av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
audio_track);
ret = AVERROR_INVALIDDATA;
diff --git a/gst-libs/ext/libav/libavformat/xwma.c b/gst-libs/ext/libav/libavformat/xwma.c
index 46ca0b8..5500db8 100644
--- a/gst-libs/ext/libav/libavformat/xwma.c
+++ b/gst-libs/ext/libav/libavformat/xwma.c
@@ -200,6 +200,14 @@ static int xwma_read_header(AVFormatContext *s)
/* Estimate the duration from the total number of output bytes. */
const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
+
+ if (!bytes_per_sample) {
+ av_log(s, AV_LOG_ERROR,
+ "Invalid bits_per_coded_sample %d for %d channels\n",
+ st->codec->bits_per_coded_sample, st->codec->channels);
+ return AVERROR_INVALIDDATA;
+ }
+
st->duration = total_decoded_bytes / bytes_per_sample;
/* Use the dpds data to build a seek table. We can only do this after
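Review bot: The added `return AVERROR_INVALIDDATA;` leaves xwma_read_header directly while `dpds_table` is still live. If that table is heap-allocated earlier in the function (not visible in this hunk), this error path leaks it for every input whose `bytes_per_sample` works out to zero. Calling `av_free(dpds_table);` before the return, or jumping to whatever cleanup the function already uses, would close that. The check itself is placed correctly ahead of the division `total_decoded_bytes / bytes_per_sample`. The function body starts and ends outside this hunk.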
diff --git a/gst-libs/ext/libav/tests/ref/fate/mxf-demux b/gst-libs/ext/libav/tests/ref/fate/mxf-demux
index e162775..426afae 100644
--- a/gst-libs/ext/libav/tests/ref/fate/mxf-demux
+++ b/gst-libs/ext/libav/tests/ref/fate/mxf-demux
@@ -1,7 +1,7 @@
#tb 0: 1/25
-#tb 1: 1/25
+#tb 1: 1/8000
0, 0, -9223372036854775808, 1, 8468, 0xc0855553
-1, 0, 0, 50, 32000, 0x479155e6
+1, 0, 0, 16000, 32000, 0x479155e6
0, 1, -9223372036854775808, 1, 3814, 0xa10783b4
0, 2, -9223372036854775808, 1, 3747, 0xb7bf6973
0, 3, -9223372036854775808, 1, 3705, 0x5462a600
@@ -52,7 +52,7 @@
0, 48, -9223372036854775808, 1, 3688, 0x1db45852
0, 49, -9223372036854775808, 1, 38412, 0x2ee26a63
0, 50, -9223372036854775808, 1, 8385, 0x0bc20a27
-1, 50, 50, 50, 32000, 0x8f7e5009
+1, 16000, 16000, 16000, 32000, 0x8f7e5009
0, 51, -9223372036854775808, 1, 3733, 0xa3e2a9a0
0, 52, -9223372036854775808, 1, 3773, 0x27769caa
0, 53, -9223372036854775808, 1, 3670, 0xc8335e98
diff --git a/gst-libs/ext/libav/tests/ref/seek/lavf-mxf b/gst-libs/ext/libav/tests/ref/seek/lavf-mxf
index cc634a8..5f2cf5d 100644
--- a/gst-libs/ext/libav/tests/ref/seek/lavf-mxf
+++ b/gst-libs/ext/libav/tests/ref/seek/lavf-mxf
@@ -7,8 +7,8 @@ ret: 0 st: 0 flags:0 ts: 0.800000
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
ret: 0 st: 0 flags:1 ts:-0.320000
ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
-ret:-1 st: 1 flags:0 ts: 2.560000
-ret: 0 st: 1 flags:1 ts: 1.480000
+ret:-1 st: 1 flags:0 ts: 2.576667
+ret: 0 st: 1 flags:1 ts: 1.470833
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
ret: 0 st:-1 flags:0 ts: 0.365002
ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.480000 pos: 211968 size: 24787
@@ -17,9 +17,9 @@ ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
ret:-1 st: 0 flags:0 ts: 2.160000
ret: 0 st: 0 flags:1 ts: 1.040000
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
-ret: 0 st: 1 flags:0 ts:-0.040000
+ret: 0 st: 1 flags:0 ts:-0.058333
ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
-ret: 0 st: 1 flags:1 ts: 2.840000
+ret: 0 st: 1 flags:1 ts: 2.835833
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
ret:-1 st:-1 flags:0 ts: 1.730004
ret: 0 st:-1 flags:1 ts: 0.624171
@@ -28,9 +28,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000
ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
ret: 0 st: 0 flags:1 ts: 2.400000
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
-ret:-1 st: 1 flags:0 ts: 1.320000
-ret: 0 st: 1 flags:1 ts: 0.200000
-ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
+ret:-1 st: 1 flags:0 ts: 1.306667
+ret: 0 st: 1 flags:1 ts: 0.200833
+ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
ret: 0 st:-1 flags:0 ts:-0.904994
ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
ret: 0 st:-1 flags:1 ts: 1.989173
@@ -39,8 +39,8 @@ ret: 0 st: 0 flags:0 ts: 0.880000
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
ret: 0 st: 0 flags:1 ts:-0.240000
ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801
-ret:-1 st: 1 flags:0 ts: 2.680000
-ret: 0 st: 1 flags:1 ts: 1.560000
+ret:-1 st: 1 flags:0 ts: 2.671667
+ret: 0 st: 1 flags:1 ts: 1.565833
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
ret: 0 st:-1 flags:0 ts: 0.460008
ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712
diff --git a/gst-libs/ext/libav/tests/ref/seek/lavf-mxf_d10 b/gst-libs/ext/libav/tests/ref/seek/lavf-mxf_d10
index 4cfe595..e091c77 100644
--- a/gst-libs/ext/libav/tests/ref/seek/lavf-mxf_d10
+++ b/gst-libs/ext/libav/tests/ref/seek/lavf-mxf_d10
@@ -7,10 +7,10 @@ ret: 0 st: 0 flags:0 ts: 0.800000
ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:4265984 size:150000
ret: 0 st: 0 flags:1 ts:-0.320000
ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
-ret: 0 st: 1 flags:0 ts: 2.560000
-ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
-ret: 0 st: 1 flags:1 ts: 1.480000
-ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
+ret: 0 st: 1 flags:0 ts: 2.576667
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
+ret: 0 st: 1 flags:1 ts: 1.470833
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
ret: 0 st:-1 flags:0 ts: 0.365002
ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1923072 size:150000
ret: 0 st:-1 flags:1 ts:-0.740831
@@ -19,10 +19,10 @@ ret: 0 st: 0 flags:0 ts: 2.160000
ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
ret: 0 st: 0 flags:1 ts: 1.040000
ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
-ret: 0 st: 1 flags:0 ts:-0.040000
+ret: 0 st: 1 flags:0 ts:-0.058333
ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
-ret: 0 st: 1 flags:1 ts: 2.840000
-ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
+ret: 0 st: 1 flags:1 ts: 2.835833
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
ret: 0 st:-1 flags:0 ts: 1.730004
ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
ret: 0 st:-1 flags:1 ts: 0.624171
@@ -31,10 +31,10 @@ ret: 0 st: 0 flags:0 ts:-0.480000
ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
ret: 0 st: 0 flags:1 ts: 2.400000
ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
-ret: 0 st: 1 flags:0 ts: 1.320000
-ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
-ret: 0 st: 1 flags:1 ts: 0.200000
-ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos:1071104 size:150000
+ret: 0 st: 1 flags:0 ts: 1.306667
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
+ret: 0 st: 1 flags:1 ts: 0.200833
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
ret: 0 st:-1 flags:0 ts:-0.904994
ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
ret: 0 st:-1 flags:1 ts: 1.989173
@@ -43,10 +43,10 @@ ret: 0 st: 0 flags:0 ts: 0.880000
ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:4691968 size:150000
ret: 0 st: 0 flags:1 ts:-0.240000
ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000
-ret: 0 st: 1 flags:0 ts: 2.680000
-ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
-ret: 0 st: 1 flags:1 ts: 1.560000
-ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000
+ret: 0 st: 1 flags:0 ts: 2.671667
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
+ret: 0 st: 1 flags:1 ts: 1.565833
+ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000
ret: 0 st:-1 flags:0 ts: 0.460008
ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:2562048 size:150000
ret: 0 st:-1 flags:1 ts:-0.645825