virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00
Code Issues Releases Activity

Merge remote-tracking branch 'qatar/master'

Browse Source 
* qatar/master:
  ttadec: unbreak playback of matroska files
  vorbisdec: avoid invalid memory access
  Fix uninitialized reads on malformed ogg files.
  huffyuv: add padding to classic (v1) huffman tables.
  png: convert to bytestream2 API.
  dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
  avs: fix infinite loop on end-of-stream.
  tiffdec: Prevent illegal memory access caused by recycled pointers.
  rtpenc: Fix the AVRational used for av_rescale_q_rnd
  wma: fix off-by-one in array bounds check.

Conflicts:
	libavcodec/huffyuv.c
	libavcodec/pngdec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-03-09 01:22:31 +01:00
commit a8cedbebf1
9 changed files with 52 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
libavcodec/cavsdec.c
View File

@ -657,6 +657,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
if (!s->low_delay && h->DPB[0].f.data[0]) { if (!s->low_delay && h->DPB[0].f.data[0]) {
*data_size = sizeof(AVPicture); *data_size = sizeof(AVPicture);
*picture = h->DPB[0].f; *picture = h->DPB[0].f;
memset(&h->DPB[0], 0, sizeof(h->DPB[0]));
} }
return 0; return 0;
} }

1
libavcodec/dca.c
View File

@ -29,6 +29,7 @@
#include "libavutil/common.h" #include "libavutil/common.h"
#include "libavutil/intmath.h" #include "libavutil/intmath.h"
#include "libavutil/intreadwrite.h" #include "libavutil/intreadwrite.h"
#include "libavutil/mathematics.h"
#include "libavutil/audioconvert.h" #include "libavutil/audioconvert.h"
#include "avcodec.h" #include "avcodec.h"
#include "dsputil.h" #include "dsputil.h"

10
libavcodec/huffyuv.c
View File

@ -82,14 +82,16 @@ typedef struct HYuvContext{
DSPContext dsp; DSPContext dsp;
}HYuvContext; }HYuvContext;
static const unsigned char classic_shift_luma[] = { #define classic_shift_luma_table_size 42
static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8, 34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70, 16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
69,68, 0, 69,68, 0,
0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
}; };
static const unsigned char classic_shift_chroma[] = { #define classic_shift_chroma_table_size 59
static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183, 66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119, 56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0, 214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0,
@ -396,10 +398,10 @@ static int read_old_huffman_tables(HYuvContext *s){
GetBitContext gb; GetBitContext gb;
int i; int i;
init_get_bits(&gb, classic_shift_luma, (sizeof(classic_shift_luma)-8)*8); init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
if(read_len_table(s->len[0], &gb)<0) if(read_len_table(s->len[0], &gb)<0)
return -1; return -1;
init_get_bits(&gb, classic_shift_chroma, (sizeof(classic_shift_chroma)-8)*8); init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
if(read_len_table(s->len[1], &gb)<0) if(read_len_table(s->len[1], &gb)<0)
return -1; return -1;

72
libavcodec/pngdec.c
View File

@ -38,9 +38,7 @@
typedef struct PNGDecContext { typedef struct PNGDecContext {
PNGDSPContext dsp; PNGDSPContext dsp;
const uint8_t *bytestream; GetByteContext gb;
const uint8_t *bytestream_start;
const uint8_t *bytestream_end;
AVFrame picture1, picture2; AVFrame picture1, picture2;
AVFrame *current_picture, *last_picture; AVFrame *current_picture, *last_picture;
@ -360,12 +358,9 @@ static void png_handle_row(PNGDecContext *s)
static int png_decode_idat(PNGDecContext *s, int length) static int png_decode_idat(PNGDecContext *s, int length)
{ {
int ret; int ret;
s->zstream.avail_in = length; s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
s->zstream.next_in = s->bytestream; s->zstream.next_in = s->gb.buffer;
s->bytestream += length; bytestream2_skip(&s->gb, length);
if(s->bytestream > s->bytestream_end)
return -1;
/* decode one line if possible */ /* decode one line if possible */
while (s->zstream.avail_in > 0) { while (s->zstream.avail_in > 0) {
@ -401,17 +396,15 @@ static int decode_frame(AVCodecContext *avctx,
avctx->coded_frame= s->current_picture; avctx->coded_frame= s->current_picture;
p = s->current_picture; p = s->current_picture;
s->bytestream_start=
s->bytestream= buf;
s->bytestream_end= buf + buf_size;
/* check signature */ /* check signature */
if (memcmp(s->bytestream, ff_pngsig, 8) != 0 && if (buf_size < 8 ||
memcmp(s->bytestream, ff_mngsig, 8) != 0) { memcmp(buf, ff_pngsig, 8) != 0 &&
memcmp(buf, ff_mngsig, 8) != 0) {
av_log(avctx, AV_LOG_ERROR, "Missing png signature\n"); av_log(avctx, AV_LOG_ERROR, "Missing png signature\n");
return -1; return -1;
} }
s->bytestream+= 8;
bytestream2_init(&s->gb, buf + 8, buf_size - 8);
s->y= s->y=
s->state=0; s->state=0;
// memset(s, 0, sizeof(PNGDecContext)); // memset(s, 0, sizeof(PNGDecContext));
@ -423,14 +416,13 @@ static int decode_frame(AVCodecContext *avctx,
if (ret != Z_OK) if (ret != Z_OK)
return -1; return -1;
for(;;) { for(;;) {
int tag32; if (bytestream2_get_bytes_left(&s->gb) <= 0)
if (s->bytestream >= s->bytestream_end)
goto fail; goto fail;
length = bytestream_get_be32(&s->bytestream);
if (length > 0x7fffffff || length > s->bytestream_end - s->bytestream) length = bytestream2_get_be32(&s->gb);
if (length > 0x7fffffff || length > bytestream2_get_bytes_left(&s->gb))
goto fail; goto fail;
tag32 = bytestream_get_be32(&s->bytestream); tag = bytestream2_get_le32(&s->gb);
tag = av_bswap32(tag32);
if (avctx->debug & FF_DEBUG_STARTCODE) if (avctx->debug & FF_DEBUG_STARTCODE)
av_log(avctx, AV_LOG_DEBUG, "png: tag=%c%c%c%c length=%u\n", av_log(avctx, AV_LOG_DEBUG, "png: tag=%c%c%c%c length=%u\n",
(tag & 0xff), (tag & 0xff),
@ -441,18 +433,18 @@ static int decode_frame(AVCodecContext *avctx,
case MKTAG('I', 'H', 'D', 'R'): case MKTAG('I', 'H', 'D', 'R'):
if (length != 13) if (length != 13)
goto fail; goto fail;
s->width = bytestream_get_be32(&s->bytestream); s->width = bytestream2_get_be32(&s->gb);
s->height = bytestream_get_be32(&s->bytestream); s->height = bytestream2_get_be32(&s->gb);
if(av_image_check_size(s->width, s->height, 0, avctx)){ if(av_image_check_size(s->width, s->height, 0, avctx)){
s->width= s->height= 0; s->width= s->height= 0;
goto fail; goto fail;
} }
s->bit_depth = *s->bytestream++; s->bit_depth = bytestream2_get_byte(&s->gb);
s->color_type = *s->bytestream++; s->color_type = bytestream2_get_byte(&s->gb);
s->compression_type = *s->bytestream++; s->compression_type = bytestream2_get_byte(&s->gb);
s->filter_type = *s->bytestream++; s->filter_type = bytestream2_get_byte(&s->gb);
s->interlace_type = *s->bytestream++; s->interlace_type = bytestream2_get_byte(&s->gb);
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
s->state |= PNG_IHDR; s->state |= PNG_IHDR;
if (avctx->debug & FF_DEBUG_PICT_INFO) if (avctx->debug & FF_DEBUG_PICT_INFO)
av_log(avctx, AV_LOG_DEBUG, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n", av_log(avctx, AV_LOG_DEBUG, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n",
@ -555,7 +547,7 @@ static int decode_frame(AVCodecContext *avctx,
s->state |= PNG_IDAT; s->state |= PNG_IDAT;
if (png_decode_idat(s, length) < 0) if (png_decode_idat(s, length) < 0)
goto fail; goto fail;
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
break; break;
case MKTAG('P', 'L', 'T', 'E'): case MKTAG('P', 'L', 'T', 'E'):
{ {
@ -566,16 +558,16 @@ static int decode_frame(AVCodecContext *avctx,
/* read the palette */ /* read the palette */
n = length / 3; n = length / 3;
for(i=0;i<n;i++) { for(i=0;i<n;i++) {
r = *s->bytestream++; r = bytestream2_get_byte(&s->gb);
g = *s->bytestream++; g = bytestream2_get_byte(&s->gb);
b = *s->bytestream++; b = bytestream2_get_byte(&s->gb);
s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b; s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
} }
for(;i<256;i++) { for(;i<256;i++) {
s->palette[i] = (0xff << 24); s->palette[i] = (0xff << 24);
} }
s->state |= PNG_PLTE; s->state |= PNG_PLTE;
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
} }
break; break;
case MKTAG('t', 'R', 'N', 'S'): case MKTAG('t', 'R', 'N', 'S'):
@ -588,21 +580,21 @@ static int decode_frame(AVCodecContext *avctx,
!(s->state & PNG_PLTE)) !(s->state & PNG_PLTE))
goto skip_tag; goto skip_tag;
for(i=0;i<length;i++) { for(i=0;i<length;i++) {
v = *s->bytestream++; v = bytestream2_get_byte(&s->gb);
s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
} }
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
} }
break; break;
case MKTAG('I', 'E', 'N', 'D'): case MKTAG('I', 'E', 'N', 'D'):
if (!(s->state & PNG_ALLIMAGE)) if (!(s->state & PNG_ALLIMAGE))
goto fail; goto fail;
s->bytestream += 4; /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
goto exit_loop; goto exit_loop;
default: default:
/* skip tag */ /* skip tag */
skip_tag: skip_tag:
s->bytestream += length + 4; bytestream2_skip(&s->gb, length + 4);
break; break;
} }
} }
@ -686,7 +678,7 @@ static int decode_frame(AVCodecContext *avctx,
*picture= *s->current_picture; *picture= *s->current_picture;
*data_size = sizeof(AVFrame); *data_size = sizeof(AVFrame);
ret = s->bytestream - s->bytestream_start; ret = bytestream2_tell(&s->gb);
the_end: the_end:
inflateEnd(&s->zstream); inflateEnd(&s->zstream);
av_free(crow_buf_base); av_free(crow_buf_base);

2
libavcodec/tiff.c
View File

@ -606,6 +606,8 @@ static int decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
return -1; return -1;
} }
// Reset these pointers so we can tell if they were set this frame
s->stripsizes = s->stripdata = NULL;
/* parse image file directory */ /* parse image file directory */
off = tget_long(&buf, le); off = tget_long(&buf, le);
if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {

3
libavcodec/tta.c
View File

@ -218,8 +218,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
{ {
if (avctx->err_recognition & AV_EF_CRCCHECK) { if (avctx->err_recognition & AV_EF_CRCCHECK) {
s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
if (tta_check_crc(s, avctx->extradata, 18)) tta_check_crc(s, avctx->extradata, 18);
return AVERROR_INVALIDDATA;
} }
/* signature */ /* signature */

3
libavcodec/vorbisdec.c
View File

@ -1593,6 +1593,9 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
ch_left -= ch; ch_left -= ch;
} }
if (ch_left > 0)
return AVERROR_INVALIDDATA;
// Inverse coupling // Inverse coupling
for (i = mapping->coupling_steps - 1; i >= 0; --i) { //warning: i has to be signed for (i = mapping->coupling_steps - 1; i >= 0; --i) { //warning: i has to be signed

10
libavformat/oggdec.c
View File

@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s)
for (i = 0; i < ogg->nstreams; i++){ for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i; struct ogg_stream *os = ogg->streams + i;
os->buf = av_malloc (os->bufsize); os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memset (os->buf, 0, os->bufsize);
memcpy (os->buf, ost->streams[i].buf, os->bufpos); memcpy (os->buf, ost->streams[i].buf, os->bufpos);
} }
@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
os = ogg->streams + idx; os = ogg->streams + idx;
os->serial = serial; os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE; os->bufsize = DECODER_BUFFER_SIZE;
os->buf = av_malloc(os->bufsize); os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1; os->header = -1;
if (new_avstream) { if (new_avstream) {
@ -185,7 +184,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
static int ogg_new_buf(struct ogg *ogg, int idx) static int ogg_new_buf(struct ogg *ogg, int idx)
{ {
struct ogg_stream *os = ogg->streams + idx; struct ogg_stream *os = ogg->streams + idx;
uint8_t *nb = av_malloc(os->bufsize); uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart; int size = os->bufpos - os->pstart;
if(os->buf){ if(os->buf){
memcpy(nb, os->buf + os->pstart, size); memcpy(nb, os->buf + os->pstart, size);
@ -299,7 +298,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
} }
if (os->bufsize - os->bufpos < size){ if (os->bufsize - os->bufpos < size){
uint8_t *nb = av_malloc (os->bufsize *= 2); uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (nb, os->buf, os->bufpos); memcpy (nb, os->buf, os->bufpos);
av_free (os->buf); av_free (os->buf);
os->buf = nb; os->buf = nb;
@ -313,6 +312,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
os->granule = gp; os->granule = gp;
os->flags = flags; os->flags = flags;
memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str) if (str)
*str = idx; *str = idx;

2
libavformat/rtpenc.c
View File

@ -138,7 +138,7 @@ static int rtp_write_header(AVFormatContext *s1)
s->max_frames_per_packet = s->max_frames_per_packet =
av_rescale_q_rnd(s1->max_delay, av_rescale_q_rnd(s1->max_delay,
AV_TIME_BASE_Q, AV_TIME_BASE_Q,
(AVRational){ frame_size / st->codec->sample_rate }, (AVRational){ frame_size, st->codec->sample_rate },
AV_ROUND_DOWN); AV_ROUND_DOWN);
} }
} }