virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

Merge remote-tracking branch 'qatar/master'

Browse Source 
* qatar/master:
  Employ FF_ARRAY_ELEMS instead of manually calculating array length.
  Fixed invalid access in wavpack decoder on corrupted bitstream.
  Fixed invalid writes in wavpack decoder on corrupted bitstreams.
  Fixed invalid access in wavpack decoder on corrupted extra bits sub-blocks.
  rtpdec_asf: Fix integer underflow that could allow remote code execution

Conflicts:
	libavformat/rtpdec_asf.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2011-09-08 22:37:31 +02:00
commit 78d7d8fe91
4 changed files with 48 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
libavcodec/wavpack.c
View File

@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
}
}else{
t = get_unary_0_33(gb);
if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1));
if(t >= 2){
if(get_bits_left(gb) < t-1)
goto error;
t = get_bits(gb, t - 1) | (1 << (t-1));
}else{
if(get_bits_left(gb) < 0)
goto error;
}
ctx->zeroes = t;
if(ctx->zeroes){
memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median));
@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
}
}
if(get_bits_count(gb) >= ctx->data_size){
*last = 1;
return 0;
}
if(ctx->zero){
t = 0;
ctx->zero = 0;
}else{
t = get_unary_0_33(gb);
if(get_bits_count(gb) >= ctx->data_size){
*last = 1;
return 0;
}
if(get_bits_left(gb) < 0)
goto error;
if(t == 16) {
t2 = get_unary_0_33(gb);
if(t2 < 2) t += t2;
else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
if(t2 < 2){
if(get_bits_left(gb) < 0)
goto error;
t += t2;
}else{
if(get_bits_left(gb) < t2 - 1)
goto error;
t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
}
}
if(ctx->one){
@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
}
if(!c->error_limit){
ret = base + get_tail(gb, add);
if (get_bits_left(gb) <= 0)
goto error;
}else{
int mid = (base*2 + add + 1) >> 1;
while(add > c->error_limit){
if(get_bits_left(gb) <= 0)
goto error;
if(get_bits1(gb)){
add -= (mid - base);
base = mid;
@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
if(ctx->hybrid_bitrate)
c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level);
return sign ? ~ret : ret;
error:
*last = 1;
return 0;
}
static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S)
@ -385,7 +400,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in
if(s->extra_bits){
S <<= s->extra_bits;
if(s->got_extra_bits){
if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){
S |= get_bits(&s->gb_extra_bits, s->extra_bits);
*crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16);
}
@ -581,6 +596,9 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo
count++;
}while(!last && count < s->max_samples);
if (last)
s->samples_left = 0;
else
s->samples_left -= count;
if(!s->samples_left){
wv_reset_saved_context(s);
@ -659,6 +677,9 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void
count++;
}while(!last && count < s->max_samples);
if (last)
s->samples_left = 0;
else
s->samples_left -= count;
if(!s->samples_left){
wv_reset_saved_context(s);
@ -1114,7 +1135,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
int16_t *dst = (int16_t*)samples + 1;
int16_t *src = (int16_t*)samples;
int cnt = samplecount;
while(cnt--){
while(cnt-- > 0){
*dst = *src;
src += channel_stride;
dst += channel_stride;
@ -1123,7 +1144,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
int32_t *dst = (int32_t*)samples + 1;
int32_t *src = (int32_t*)samples;
int cnt = samplecount;
while(cnt--){
while(cnt-- > 0){
*dst = *src;
src += channel_stride;
dst += channel_stride;
@ -1132,7 +1153,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
float *dst = (float*)samples + 1;
float *src = (float*)samples;
int cnt = samplecount;
while(cnt--){
while(cnt-- > 0){
*dst = *src;
src += channel_stride;
dst += channel_stride;

3
libavformat/avlanguage.c
View File

@ -20,6 +20,7 @@
#include "avlanguage.h"
#include "libavutil/avstring.h"
#include "libavutil/common.h"
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
@ -736,7 +737,7 @@ const char *av_convert_lang_to(const char *lang, enum AVLangCodespace target_cod
{
int i;
const LangEntry *entry = NULL;
const int NB_CODESPACES = sizeof(lang_table_counts)/sizeof(*lang_table_counts);
const int NB_CODESPACES = FF_ARRAY_ELEMS(lang_table_counts);
if (target_codespace >= NB_CODESPACES)
return NULL;

3
libavformat/mxf.c
View File

@ -19,6 +19,7 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "libavutil/common.h"
#include "mxf.h"
/**
@ -81,7 +82,7 @@ static const struct {
{PIX_FMT_PAL8, {'P', 8 }},
};
static const int num_pixel_layouts = sizeof(ff_mxf_pixel_layouts) / sizeof(*ff_mxf_pixel_layouts);
static const int num_pixel_layouts = FF_ARRAY_ELEMS(ff_mxf_pixel_layouts);
int ff_mxf_decode_pixel_layout(const char pixel_layout[16], enum PixelFormat *pix_fmt)
{

8
libavformat/rtpdec_asf.c
View File

@ -233,14 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
int cur_len = start_off + len_off - off;
int prev_len = out_len;
void *newbuf;
void *newmem;
out_len += cur_len;
if (FFMIN(cur_len, len - off) < 0)
return -1;
newbuf = av_realloc(asf->buf, out_len);
if(!newbuf)
newmem = av_realloc(asf->buf, out_len);
if (!newmem)
return -1;
asf->buf= newbuf;
asf->buf = newmem;
memcpy(asf->buf + prev_len, buf + off,
FFMIN(cur_len, len - off));
avio_skip(pb, cur_len);