Changed |
ffmpeg.spec
Changed |
ffmpeg-0.8.6.tar.bz2/Doxyfile
@@ -31,7 +31,7 @@
# This could be handy for archiving the generated documentation or
# if some version control system is used.
-PROJECT_NUMBER = 0.8.4
+PROJECT_NUMBER = 0.8.6
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
# base path where the generated documentation will be put.
Changed |
ffmpeg-0.8.6.tar.bz2/LICENSE
@@ -41,6 +41,6 @@
those licenses. So to combine the OpenCORE libraries with FFmpeg, the license
version needs to be upgraded by passing --enable-version3 to configure.
-The nonfree external library libfaac can be hooked up in FFmpeg. You need to
-pass --enable-nonfree to configure to enable it. Employ this option with care
-as FFmpeg then becomes nonfree and unredistributable.
+The nonfree external libraries libfaac and libaacplus can be hooked up in FFmpeg.
+You need to pass --enable-nonfree to configure to enable it. Employ this option
+with care as FFmpeg then becomes nonfree and unredistributable.
Changed |
ffmpeg-0.8.6.tar.bz2/MAINTAINERS
@@ -19,7 +19,7 @@
ffmpeg.c Michael Niedermayer
ffplay:
- ffplay.c Michael Niedermayer
+ ffplay.c Marton Balint
ffprobe:
ffprobe.c Stefano Sabatini
Changed |
ffmpeg-0.8.6.tar.bz2/Makefile
@@ -258,9 +258,12 @@
FATE = $(FATE_ACODEC) \
$(FATE_VCODEC) \
$(FATE_LAVF) \
- $(FATE_LAVFI) \
$(FATE_SEEK) \
+FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI)
+
+FATE += $(FATE-yes)
+
$(filter-out %-aref,$(FATE_ACODEC)): $(AREF)
$(filter-out %-vref,$(FATE_VCODEC)): $(VREF)
$(FATE_LAVF): $(REFS)
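Review bot: The `FATE =` list still ends in a dangling continuation at `$(FATE_SEEK) \`, and the new `FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI)` assignment now sits directly behind it. As rendered here no line separates the two; the hunk's line counts suggest a blank context line was dropped by the page, and only that blank line would keep the new assignment from being folded into the value of `FATE`. Dropping the trailing backslash from the last list entry, so that it reads just `$(FATE_SEEK)`, removes the dependency on whitespace.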
@@ -282,7 +285,7 @@
fate-seek: $(FATE_SEEK)
ifdef SAMPLES
-FATE += $(FATE_TESTS)
+FATE += $(FATE_TESTS) $(FATE_TESTS-yes)
fate-rsync:
rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES)
else
Changed |
ffmpeg-0.8.6.tar.bz2/RELEASE
@@ -1 +1 @@
-0.8.4
+0.8.6
Changed |
ffmpeg-0.8.6.tar.bz2/VERSION
@@ -1 +1 @@
-0.8.4
+0.8.6
Changed |
ffmpeg-0.8.6.tar.bz2/configure
@@ -162,6 +162,7 @@
--enable-bzlib enable bzlib [autodetect]
--enable-libcelt enable CELT/Opus decoding via libcelt [no]
--enable-frei0r enable frei0r video filtering
+ --enable-libaacplus enable AAC+ encoding via libaacplus [no]
--enable-libopencore-amrnb enable AMR-NB de/encoding via libopencore-amrnb [no]
--enable-libopencore-amrwb enable AMR-WB decoding via libopencore-amrwb [no]
--enable-libopencv enable video filtering via libopencv [no]
@@ -927,6 +928,8 @@
h264pred
hardcoded_tables
huffman
+ libaacplus
+ libcdio
libcelt
libdc1394
libdirac
@@ -1401,6 +1404,7 @@
h264_parser_select="golomb h264dsp h264pred"
# external libraries
+libaacplus_encoder_deps="libaacplus"
libcelt_decoder_deps="libcelt"
libdirac_decoder_deps="libdirac !libschroedinger"
libdirac_encoder_deps="libdirac"
@@ -1532,7 +1536,7 @@
dep=${v%=*}
tests=${v#*=}
for name in ${tests}; do
- eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'"
+ append ${name}_test_deps ${dep}$suf1 ${dep}$suf2
done
done
}
@@ -1542,6 +1546,9 @@
eval ${1}_le_test_deps="!bigendian"
}
+mxf_d10_test_deps="avfilter"
+seek_lavf_mxf_d10_test_deps="mxf_d10_test"
+
test_deps _encoder _decoder \
adpcm_g726=g726 \
adpcm_ima_qt \
@@ -1604,7 +1611,7 @@
mmf \
mov \
pcm_mulaw=mulaw \
- mxf \
+ mxf="mxf mxf_d10" \
nut \
ogg \
rawvideo=pixfmt \
@@ -2196,7 +2203,7 @@
arch="sparc"
subarch="sparc64"
;;
- i[3-6]86|i86pc|BePC|x86pc|x86_64|amd64)
+ i[3-6]86|i86pc|BePC|x86pc|x86_64|x86_32|amd64)
arch="x86"
;;
esac
@@ -2584,6 +2591,7 @@
die_license_disabled gpl libxvid
die_license_disabled gpl x11grab
+die_license_disabled nonfree libaacplus
die_license_disabled nonfree libfaac
die_license_disabled version3 libopencore_amrnb
@@ -2916,6 +2924,7 @@
enabled avisynth && require2 vfw32 "windows.h vfw.h" AVIFileInit -lavifil32
enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0
enabled frei0r && { check_header frei0r.h || die "ERROR: frei0r.h header not found"; }
+enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus
enabled libdc1394 && require_pkg_config libdc1394-2 dc1394/dc1394.h dc1394_new
enabled libdirac && require_pkg_config dirac \
"libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h" \
@@ -3073,6 +3082,10 @@
fi
check_cflags -fno-math-errno
check_cflags -fno-signed-zeros
+check_cc -mno-red-zone <<EOF && noredzone_flags="-mno-red-zone"
+int x;
+EOF
+
if enabled icc; then
# Just warnings, no remarks
@@ -3151,7 +3164,7 @@
enabled asm || { arch=c; disable $ARCH_LIST $ARCH_EXT_LIST; }
-if test $target_os == "haiku"; then
+if test $target_os = "haiku"; then
disable memalign
disable posix_memalign
fi
@@ -3223,6 +3236,7 @@
echo "libdc1394 support ${libdc1394-no}"
echo "libdirac enabled ${libdirac-no}"
echo "libfaac enabled ${libfaac-no}"
+echo "libaacplus enabled ${libaacplus-no}"
echo "libgsm enabled ${libgsm-no}"
echo "libmp3lame enabled ${libmp3lame-no}"
echo "libnut enabled ${libnut-no}"
@@ -3383,6 +3397,7 @@
SLIB_INSTALL_EXTRA_CMD=${SLIB_INSTALL_EXTRA_CMD}
SLIB_UNINSTALL_EXTRA_CMD=${SLIB_UNINSTALL_EXTRA_CMD}
SAMPLES:=${samples:-\$(FATE_SAMPLES)}
+NOREDZONE_FLAGS=$noredzone_flags
EOF
get_version(){
Changed |
ffmpeg-0.8.6.tar.bz2/doc/filters.texi
@@ -1683,7 +1683,7 @@
Negative values for the amount will blur the input video, while positive
values will sharpen. All parameters are optional and default to the
-equivalent of the string '5:5:1.0:0:0:0.0'.
+equivalent of the string '5:5:1.0:5:5:0.0'.
@table @option
@@ -1701,11 +1701,11 @@
@item chroma_msize_x
Set the chroma matrix horizontal size. It can be an integer between 3
-and 13, default value is 0.
+and 13, default value is 5.
@item chroma_msize_y
Set the chroma matrix vertical size. It can be an integer between 3
-and 13, default value is 0.
+and 13, default value is 5.
@item luma_amount
Set the chroma effect strength. It can be a float number between -2.0
Changed |
ffmpeg-0.8.6.tar.bz2/doc/general.texi
@@ -542,6 +542,8 @@
@multitable @columnfractions .4 .1 .1 .4
@item Name @tab Encoding @tab Decoding @tab Comments
@item 8SVX audio @tab @tab X
+@item AAC+ @tab E @tab X
+ @tab encoding supported through external library libaacplus
@item AAC @tab E @tab X
@tab encoding supported through external library libfaac and libvo-aacenc
@item AC-3 @tab IX @tab X
@@ -1060,7 +1062,7 @@
(@url{http://sourceware.org/cygwinports/}) :
@example
-yasm, libSDL-devel, libdirac-devel, libfaac-devel, libgsm-devel,
+yasm, libSDL-devel, libdirac-devel, libfaac-devel, libaacplus-devel, libgsm-devel,
libmp3lame-devel, libschroedinger1.0-devel, speex-devel, libtheora-devel,
libxvidcore-devel
@end example
Changed |
ffmpeg-0.8.6.tar.bz2/ffmpeg.c
@@ -2379,9 +2379,9 @@
}
}
if(codec->codec_type == AVMEDIA_TYPE_VIDEO){
- /* maximum video buffer size is 6-bytes per pixel, plus DPX header size */
+ /* maximum video buffer size is 6-bytes per pixel, plus DPX header size (1664)*/
int size= codec->width * codec->height;
- bit_buffer_size= FFMAX(bit_buffer_size, 6*size + 1664);
+ bit_buffer_size= FFMAX(bit_buffer_size, 7*size + 10000);
}
}
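Review bot: The comment updated in this hunk still explains the bound as 6 bytes per pixel plus a 1664-byte DPX header, while the line below it now reserves `7*size + 10000`, so the comment no longer says where the numbers come from. The expression is also evaluated in `int`: `size` is `codec->width * codec->height`, and multiplying that by 7 can overflow for large frame dimensions before `FFMAX` ever sees it. I would state the real rationale for the new constants in the comment and widen the arithmetic, e.g. `int64_t size = (int64_t)codec->width * codec->height;`, with a range check before the result is stored in `bit_buffer_size`. The enclosing function starts and ends outside the hunk.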
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/4xm.c
@@ -133,7 +133,9 @@
GetBitContext pre_gb; ///< ac/dc prefix
GetBitContext gb;
const uint8_t *bytestream;
+ const uint8_t *bytestream_end;
const uint16_t *wordstream;
+ const uint16_t *wordstream_end;
int mv[256];
VLC pre_vlc;
int last_dc;
@@ -277,7 +279,7 @@
}
#endif
-static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){
+static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){
int i;
dc*= 0x10001;
@@ -328,6 +330,10 @@
assert(code>=0 && code<=6);
if(code == 0){
+ if (f->bytestream_end - f->bytestream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
+ return;
+ }
src += f->mv[ *f->bytestream++ ];
if(start > src || src > end){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
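Review bot: The new `bytestream overread` check logs and then uses a bare `return;`, so the block decoder reports nothing to its caller and the frame decode carries on after the stream has run dry. Every remaining block is then likely to hit the same check and log the same line, and the frame is presumably still delivered as if it had decoded cleanly. The `wordstream overread` checks added for codes 4, 5 and 6 in the next hunk follow the same pattern. Consider recording the failure (for example an error flag in the context that the frame-level caller tests) or giving the function an `int` return so the frame can be rejected once. The function's signature and its caller are outside the hunk.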
@@ -345,15 +351,31 @@
}else if(code == 3 && f->version<2){
mcdc(dst, src, log2w, h, stride, 1, 0);
}else if(code == 4){
+ if (f->bytestream_end - f->bytestream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
+ return;
+ }
src += f->mv[ *f->bytestream++ ];
if(start > src || src > end){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return;
}
+ if (f->wordstream_end - f->wordstream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+ return;
+ }
mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++));
}else if(code == 5){
+ if (f->wordstream_end - f->wordstream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+ return;
+ }
mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++));
}else if(code == 6){
+ if (f->wordstream_end - f->wordstream < 2){
+ av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+ return;
+ }
if(log2w){
dst[0] = av_le2ne16(*f->wordstream++);
dst[1] = av_le2ne16(*f->wordstream++);
@@ -375,6 +397,8 @@
if(f->version>1){
extra=20;
+ if (length < extra)
+ return -1;
bitstream_size= AV_RL32(buf+8);
wordstream_size= AV_RL32(buf+12);
bytestream_size= AV_RL32(buf+16);
@@ -385,11 +409,10 @@
bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0);
}
- if(bitstream_size+ bytestream_size+ wordstream_size + extra != length
- || bitstream_size > (1<<26)
- || bytestream_size > (1<<26)
- || wordstream_size > (1<<26)
- ){
+ if (bitstream_size > length ||
+ bytestream_size > length - bitstream_size ||
+ wordstream_size > length - bytestream_size - bitstream_size ||
+ extra > length - bytestream_size - bitstream_size - wordstream_size){
av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size,
bitstream_size+ bytestream_size+ wordstream_size - length);
return -1;
@@ -399,10 +422,13 @@
if (!f->bitstream_buffer)
return AVERROR(ENOMEM);
f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4);
+ memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);
f->wordstream= (const uint16_t*)(buf + extra + bitstream_size);
+ f->wordstream_end= f->wordstream + wordstream_size/2;
f->bytestream= buf + extra + bitstream_size + wordstream_size;
+ f->bytestream_end = f->bytestream + bytestream_size;
init_mv(f);
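Review bot: The padding `memset` starts at offset `bitstream_size`, but `bswap_buf` only fills `bitstream_size/4` 32-bit words, so when `bitstream_size` is not a multiple of 4 the last one to three bytes before the padding are never written. `init_get_bits` is still told that `8*bitstream_size` bits are valid, so the tail of the bitstream would be read from uninitialized memory. Either reject sizes that are not a multiple of 4, or copy the remaining tail bytes after the swap so the whole declared length is initialized. The `prestream_size` memset added in the intra-frame hunk further down has the same gap. This also assumes the buffer was allocated with `bitstream_size + FF_INPUT_BUFFER_PADDING_SIZE` bytes, which is not visible here.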
@@ -531,7 +557,7 @@
return 0;
}
-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){
+static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
int frequency[512];
uint8_t flag[512];
int up[512];
@@ -539,6 +565,7 @@
int bits_tab[257];
int start, end;
const uint8_t *ptr= buf;
+ const uint8_t *ptr_end = buf + buf_size;
int j;
memset(frequency, 0, sizeof(frequency));
@@ -549,6 +576,8 @@
for(;;){
int i;
+ if (start <= end && ptr_end - ptr < end - start + 1 + 1)
+ return NULL;
for(i=start; i<=end; i++){
frequency[i]= *ptr++;
}
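Review bot: The guard is skipped entirely whenever `start > end`, so for that input no bound is checked in this iteration. The copy loop does nothing in that case, but if the code after it goes on to read the next `start`/`end` bytes through `*ptr++` (that part is outside the hunk), those reads are unchecked. Clamping the run length instead of gating on it keeps the look-ahead check on every pass: `if (ptr_end - ptr < FFMAX(end - start + 1, 0) + 1) return NULL;`. The initial `start`/`end` reads before the loop are not visible here and need a `buf_size` check too if they lack one.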
@@ -601,9 +630,10 @@
len_tab[j]= len;
}
- init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257,
- len_tab , 1, 1,
- bits_tab, 4, 4, 0);
+ if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257,
+ len_tab , 1, 1,
+ bits_tab, 4, 4, 0))
+ return NULL;
return ptr;
}
@@ -621,10 +651,13 @@
const int height= f->avctx->height;
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
+ const uint8_t *buf_end = buf + length;
for(y=0; y<height; y+=16){
for(x=0; x<width; x+=16){
unsigned int color[4], bits;
+ if (buf_end - buf < 8)
+ return -1;
memset(color, 0, sizeof(color));
//warning following is purely guessed ...
color[0]= bytestream_get_le16(&buf);
@@ -658,18 +691,23 @@
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf);
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
- const uint8_t *prestream= buf + bitstream_size + 12;
-
- if(prestream_size + bitstream_size + 12 != length
- || bitstream_size > (1<<26)
- || prestream_size > (1<<26)){
+ unsigned int prestream_size;
+ const uint8_t *prestream;
+
+ if (bitstream_size > (1<<26) || length < bitstream_size + 12)
+ return -1;
+ prestream_size = 4*AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
+
+ if (prestream_size > (1<<26) ||
+ prestream_size != length - (bitstream_size + 12)){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
return -1;
}
- prestream= read_huffman_tables(f, prestream);
+ prestream= read_huffman_tables(f, prestream, buf + length - prestream);
+ if (!prestream)
+ return -1;
init_get_bits(&f->gb, buf + 4, 8*bitstream_size);
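Review bot: After `prestream= read_huffman_tables(...)` the pointer has moved past the table bytes, but `prestream_size` still holds the size that was validated against the original pointer. The following hunk passes both to `bswap_buf(..., prestream, prestream_size/4)`, which would then read past `buf + length` by however many bytes the tables consumed. Recomputing the size after the call closes that gap: `prestream_size = buf + length - prestream;`. The two new early `return -1` paths also skip the `size mismatch` log, so a frame rejected there leaves no diagnostic.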
@@ -679,6 +717,7 @@
if (!f->bitstream_buffer)
return AVERROR(ENOMEM);
f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4);
+ memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size);
f->last_dc= 0*128*8*8;
@@ -710,6 +749,8 @@
AVFrame *p, temp;
int i, frame_4cc, frame_size;
+ if (buf_size < 12)
+ return AVERROR_INVALIDDATA;
frame_4cc= AV_RL32(buf);
if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
@@ -722,6 +763,11 @@
const int whole_size= AV_RL32(buf+16);
CFrameBuffer *cfrm;
+ if (data_size < 0 || whole_size < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
+ return AVERROR_INVALIDDATA;
+ }
+
for(i=0; i<CFRAME_BUFFER_COUNT; i++){
if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
@@ -738,6 +784,8 @@
}
cfrm= &f->cfrm[i];
+ if (data_size > UINT_MAX - cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_INVALIDDATA;
cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
@@ -781,12 +829,16 @@
if(frame_4cc == AV_RL32("ifr2")){
p->pict_type= AV_PICTURE_TYPE_I;
- if(decode_i2_frame(f, buf-4, frame_size) < 0)
+ if(decode_i2_frame(f, buf-4, frame_size+4) < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n");
return -1;
+ }
}else if(frame_4cc == AV_RL32("ifrm")){
p->pict_type= AV_PICTURE_TYPE_I;
- if(decode_i_frame(f, buf, frame_size) < 0)
+ if(decode_i_frame(f, buf, frame_size) < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "decode i frame failed\n");
return -1;
+ }
}else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){
if(!f->last_picture.data[0]){
f->last_picture.reference= 1;
@@ -797,8 +849,10 @@
}
p->pict_type= AV_PICTURE_TYPE_P;
- if(decode_p_frame(f, buf, frame_size) < 0)
+ if(decode_p_frame(f, buf, frame_size) < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n");
return -1;
+ }
}else if(frame_4cc == AV_RL32("snd_")){
av_log(avctx, AV_LOG_ERROR, "ignoring snd_ chunk length:%d\n", buf_size);
}else{
@@ -831,6 +885,10 @@
av_log(avctx, AV_LOG_ERROR, "extradata wrong or missing\n");
return 1;
}
+ if((avctx->width % 16) || (avctx->height % 16)) {
+ av_log(avctx, AV_LOG_ERROR, "unsupported width/height\n");
+ return AVERROR_INVALIDDATA;
+ }
avcodec_get_frame_defaults(&f->current_picture);
avcodec_get_frame_defaults(&f->last_picture);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/Makefile
@@ -567,6 +567,7 @@
OBJS-$(CONFIG_WTV_DEMUXER) += mpeg4audio.o mpegaudiodata.o
# external codec libraries
+OBJS-$(CONFIG_LIBAACPLUS_ENCODER) += libaacplus.o
OBJS-$(CONFIG_LIBCELT_DECODER) += libcelt_dec.o
OBJS-$(CONFIG_LIBDIRAC_DECODER) += libdiracdec.o
OBJS-$(CONFIG_LIBDIRAC_ENCODER) += libdiracenc.o libdirac_libschro.o
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/aacdec.c
@@ -1090,7 +1090,7 @@
GET_VLC(code, re, gb, vlc_tab, 8, 2);
cb_idx = cb_vector_idx[code];
nnz = cb_idx >> 8 & 15;
- bits = SHOW_UBITS(re, gb, nnz) << (32-nnz);
+ bits = nnz ? GET_CACHE(re, gb) : 0;
LAST_SKIP_BITS(re, gb, nnz);
cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx);
} while (len -= 4);
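Review bot: The new `nnz ? GET_CACHE(re, gb) : 0` guard carries no comment, and the reason for it is not obvious from the line alone. With `nnz == 0` the old expression shifted by `32-nnz`, a shift by the full width of the type, which C leaves undefined. A short remark such as `/* nnz == 0: no sign bits to read, and a 32-bit shift would be undefined */` would stop someone from simplifying it back. The next hunk guards `sign` the same way and deserves the same comment.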
@@ -1130,7 +1130,7 @@
GET_VLC(code, re, gb, vlc_tab, 8, 2);
cb_idx = cb_vector_idx[code];
nnz = cb_idx >> 8 & 15;
- sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12);
+ sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0;
LAST_SKIP_BITS(re, gb, nnz);
cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx);
} while (len -= 2);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/aacsbr.c
@@ -33,6 +33,7 @@
#include "fft.h"
#include "aacps.h"
#include "libavutil/libm.h"
+#include "libavutil/avassert.h"
#include <stdint.h>
#include <float.h>
@@ -1457,6 +1458,7 @@
uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow;
int k;
+ av_assert0(sbr->kx[1] <= table[0]);
for (i = 0; i < ilim; i++)
for (m = table[i]; m < table[i + 1]; m++)
sbr->e_origmapped[e][m - sbr->kx[1]] = ch_data->env_facs[e+1][i];
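Review bot: `av_assert0(sbr->kx[1] <= table[0])` protects the `m - sbr->kx[1]` index below by aborting the whole process. If `kx` and the frequency tables can be influenced by the bitstream (where they are filled in is outside this hunk), a malformed file then takes down the host application instead of producing a decode error. Where the condition is reachable from input I would validate it at the point the tables are built and fail the frame with an error code, keeping the assert only as a backstop. A comment stating the invariant, e.g. `/* e_origmapped is indexed relative to kx[1]; table[0] must not lie below it */`, would help either way.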
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/adpcm.c
@@ -1333,10 +1333,11 @@
buf_size -= 128;
}
break;
- case CODEC_ID_ADPCM_IMA_EA_EACS:
+ case CODEC_ID_ADPCM_IMA_EA_EACS: {
+ unsigned header_size = 4 + (8<<st);
samples_in_chunk = bytestream_get_le32(&src) >> (1-st);
- if (samples_in_chunk > buf_size-4-(8<<st)) {
+ if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
src += buf_size - 4;
break;
}
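Review bot: The size test comes after `bytestream_get_le32(&src)`, so the four count bytes are read before anything in this hunk confirms the packet holds them. Unless an earlier check outside the hunk guarantees `buf_size >= 4`, the `buf_size < header_size` test should move above the read. The failure branch has a related problem: `src += buf_size - 4` moves `src` backwards when `buf_size` is below 4. `header_size` is `unsigned`, so a negative `buf_size` would also compare as a very large value; a comment noting that `buf_size` is expected to be non-negative here would make the mixed-sign comparison easier to trust.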
@@ -1351,6 +1352,7 @@
*samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
}
break;
+ }
case CODEC_ID_ADPCM_IMA_EA_SEAD:
for (; src < buf+buf_size; src++) {
*samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/allcodecs.c
@@ -370,6 +370,7 @@
REGISTER_ENCDEC (XSUB, xsub);
/* external libraries */
+ REGISTER_ENCODER (LIBAACPLUS, libaacplus);
REGISTER_DECODER (LIBCELT, libcelt);
REGISTER_ENCDEC (LIBDIRAC, libdirac);
REGISTER_ENCODER (LIBFAAC, libfaac);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/anm.c
@@ -79,6 +79,8 @@
int striplen = FFMIN(count, remaining);
if (buf) {
striplen = FFMIN(striplen, buf_end - *buf);
+ if (*buf >= buf_end)
+ goto exhausted;
memcpy(*dst, *buf, striplen);
*buf += striplen;
} else if (pixel >= 0)
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/apedec.c
@@ -163,6 +163,18 @@
// TODO: dsputilize
+static av_cold int ape_decode_close(AVCodecContext * avctx)
+{
+ APEContext *s = avctx->priv_data;
+ int i;
+
+ for (i = 0; i < APE_FILTER_LEVELS; i++)
+ av_freep(&s->filterbuf[i]);
+
+ av_freep(&s->data);
+ return 0;
+}
+
static av_cold int ape_decode_init(AVCodecContext * avctx)
{
APEContext *s = avctx->priv_data;
@@ -195,25 +207,18 @@
for (i = 0; i < APE_FILTER_LEVELS; i++) {
if (!ape_filter_orders[s->fset][i])
break;
- s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4);
+ FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i],
+ (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4,
+ filter_alloc_fail);
}
dsputil_init(&s->dsp, avctx);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
return 0;
-}
-
-static av_cold int ape_decode_close(AVCodecContext * avctx)
-{
- APEContext *s = avctx->priv_data;
- int i;
-
- for (i = 0; i < APE_FILTER_LEVELS; i++)
- av_freep(&s->filterbuf[i]);
-
- av_freep(&s->data);
- return 0;
+filter_alloc_fail:
+ ape_decode_close(avctx);
+ return AVERROR(ENOMEM);
}
/**
@@ -797,7 +802,7 @@
int buf_size = avpkt->size;
APEContext *s = avctx->priv_data;
int16_t *samples = data;
- int nblocks;
+ uint32_t nblocks;
int i, n;
int blockstodecode;
int bytes_used;
@@ -814,12 +819,15 @@
}
if(!s->samples){
- s->data = av_realloc(s->data, (buf_size + 3) & ~3);
+ void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3);
+ if (!tmp_data)
+ return AVERROR(ENOMEM);
+ s->data = tmp_data;
s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2);
s->ptr = s->last_ptr = s->data;
s->data_end = s->data + buf_size;
- nblocks = s->samples = bytestream_get_be32(&s->ptr);
+ nblocks = bytestream_get_be32(&s->ptr);
n = bytestream_get_be32(&s->ptr);
if(n < 0 || n > 3){
av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n");
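Review bot: Nothing in this hunk checks that the packet holds the eight bytes consumed by the two `bytestream_get_be32(&s->ptr)` calls. The buffer is sized `(buf_size + 3) & ~3`, so a packet shorter than eight bytes would have both header fields read past the end of the fresh allocation, and `s->ptr += n` then advances further still. If no earlier check exists outside the hunk, add `if (buf_size < 8) return AVERROR_INVALIDDATA;` before the `av_realloc` call.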
@@ -828,12 +836,13 @@
}
s->ptr += n;
- s->currentframeblocks = nblocks;
buf += 4;
- if (s->samples <= 0) {
+ if (!nblocks || nblocks > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks);
*data_size = 0;
- return buf_size;
+ return AVERROR_INVALIDDATA;
}
+ s->currentframeblocks = s->samples = nblocks;
memset(s->decoded0, 0, sizeof(s->decoded0));
memset(s->decoded1, 0, sizeof(s->decoded1));
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/atrac1.c
@@ -276,7 +276,7 @@
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
AT1Ctx *q = avctx->priv_data;
- int ch, ret, i;
+ int ch, ret, i, out_size;
GetBitContext gb;
float* samples = data;
@@ -286,6 +286,13 @@
return -1;
}
+ out_size = q->channels * AT1_SU_SAMPLES *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
for (ch = 0; ch < q->channels; ch++) {
AT1SUCtx* su = &q->SUs[ch];
@@ -318,7 +325,7 @@
}
}
- *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples);
+ *data_size = out_size;
return avctx->block_align;
}
@@ -329,6 +336,11 @@
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+ if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) {
+ av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n",
+ avctx->channels);
+ return AVERROR(EINVAL);
+ }
q->channels = avctx->channels;
/* Init the mdct transforms */
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/avs.c
@@ -47,6 +47,7 @@
void *data, int *data_size, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size;
AvsContext *const avs = avctx->priv_data;
AVFrame *picture = data;
@@ -69,6 +70,8 @@
out = avs->picture.data[0];
stride = avs->picture.linesize[0];
+ if (buf_end - buf < 4)
+ return AVERROR_INVALIDDATA;
sub_type = buf[0];
type = buf[1];
buf += 4;
@@ -79,6 +82,8 @@
first = AV_RL16(buf);
last = first + AV_RL16(buf + 2);
+ if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first))
+ return AVERROR_INVALIDDATA;
buf += 4;
for (i=first; i<last; i++, buf+=3)
pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2);
@@ -114,9 +119,13 @@
return -1;
}
+ if (buf_end - buf < 256 * vect_w * vect_h)
+ return AVERROR_INVALIDDATA;
table = buf + (256 * vect_w * vect_h);
if (sub_type != AVS_I_FRAME) {
int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
+ if (buf_end - table < map_size)
+ return AVERROR_INVALIDDATA;
init_get_bits(&change_map, table, map_size * 8);
table += map_size;
}
@@ -124,6 +133,8 @@
for (y=0; y<198; y+=vect_h) {
for (x=0; x<318; x+=vect_w) {
if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) {
+ if (buf_end - table < 1)
+ return AVERROR_INVALIDDATA;
vect = &buf[*table++ * (vect_w * vect_h)];
for (j=0; j<vect_w; j++) {
out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j];
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/bink.c
@@ -246,7 +246,7 @@
tree->syms[i] = get_bits(gb, 4);
tmp1[tree->syms[i]] = 1;
}
- for (i = 0; i < 16; i++)
+ for (i = 0; i < 16 && len < 16 - 1; i++)
if (!tmp1[i])
tree->syms[++len] = i;
} else {
@@ -343,14 +343,14 @@
memset(b->cur_dec, v, t);
b->cur_dec += t;
} else {
- do {
+ while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree);
if (v) {
sign = -get_bits1(gb);
v = (v ^ sign) - sign;
}
*b->cur_dec++ = v;
- } while (b->cur_dec < dec_end);
+ }
}
return 0;
}
@@ -374,7 +374,7 @@
memset(b->cur_dec, v, t);
b->cur_dec += t;
} else {
- do {
+ while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree);
if (v < 12) {
last = v;
@@ -382,10 +382,12 @@
} else {
int run = bink_rlelens[v - 12];
+ if (dec_end - b->cur_dec < run)
+ return -1;
memset(b->cur_dec, last, run);
b->cur_dec += run;
}
- } while (b->cur_dec < dec_end);
+ }
}
return 0;
}
@@ -456,6 +458,7 @@
{
int i, j, len, len2, bsize, sign, v, v2;
int16_t *dst = (int16_t*)b->cur_dec;
+ int16_t *dst_end =( int16_t*)b->data_end;
CHECK_READ_VAL(gb, b, len);
v = get_bits(gb, start_bits - has_sign);
@@ -463,10 +466,14 @@
sign = -get_bits1(gb);
v = (v ^ sign) - sign;
}
+ if (dst_end - dst < 1)
+ return -1;
*dst++ = v;
len--;
for (i = 0; i < len; i += 8) {
len2 = FFMIN(len - i, 8);
+ if (dst_end - dst < len2)
+ return -1;
bsize = get_bits(gb, 4);
if (bsize) {
for (j = 0; j < len2; j++) {
@@ -534,6 +541,8 @@
int i, len;
CHECK_READ_VAL(gb, b, len);
+ if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
+ return -1;
if (bits <= 8) {
if (!issigned) {
for (i = 0; i < len; i++)
@@ -964,8 +973,9 @@
for (i = 0; i < BINK_NB_SRC; i++)
read_bundle(gb, c, i);
- ref_start = c->last.data[plane_idx];
- ref_end = c->last.data[plane_idx]
+ ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx]
+ : c->pic.data[plane_idx];
+ ref_end = ref_start
+ (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8;
for (i = 0; i < 64; i++)
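Review bot: `ref_start` now falls back to `c->pic.data[plane_idx]` when there is no previous frame, but `ref_end` is still computed with `c->last.linesize[plane_idx]`. In the fallback case that stride belongs to a picture that was never set up, so (assuming it is zero or stale then) the `ref_start`..`ref_end` window no longer describes the buffer that `ref_start` points into. Select the stride with the same condition as the pointer, for instance through a local `ref_stride`, and use it in the `ref_end` expression. The next hunk applies the same pointer fallback to `prev` and should use the matching stride as well.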
@@ -994,7 +1004,8 @@
if (by == bh)
break;
dst = c->pic.data[plane_idx] + 8*by*stride;
- prev = c->last.data[plane_idx] + 8*by*stride;
+ prev = (c->last.data[plane_idx] ? c->last.data[plane_idx]
+ : c->pic.data[plane_idx]) + 8*by*stride;
for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
blk = get_value(c, BINK_SRC_BLOCK_TYPES);
// 16x16 block type on odd line means part of the already decoded block, so skip it
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/binkaudio.c
@@ -153,11 +153,18 @@
2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64
};
+#define GET_BITS_SAFE(out, nbits) do { \
+ if (get_bits_left(gb) < nbits) \
+ return AVERROR_INVALIDDATA; \
+ out = get_bits(gb, nbits); \
+} while (0)
+
/**
* Decode Bink Audio block
* @param[out] out Output buffer (must contain s->block_size elements)
+ * @return 0 on success, negative error code on failure
*/
-static void decode_block(BinkAudioContext *s, short *out, int use_dct)
+static int decode_block(BinkAudioContext *s, short *out, int use_dct)
{
int ch, i, j, k;
float q, quant[25];
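Review bot: `GET_BITS_SAFE` hides a `return` and an implicit reference to a local named `gb` inside a macro, and expands `nbits` without parentheses in the comparison. Neither the early exit nor the dependency on `gb` is visible at the call sites, so a later use in a function that must release resources before returning would leak without any hint. I would parenthesize the argument, `if (get_bits_left(gb) < (nbits))`, and put a comment above the macro saying that it returns `AVERROR_INVALIDDATA` from the enclosing function and needs `gb` in scope. An `#undef GET_BITS_SAFE` after `decode_block()` would keep it from spreading.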
@@ -170,13 +177,19 @@
for (ch = 0; ch < s->channels; ch++) {
FFTSample *coeffs = s->coeffs_ptr[ch];
if (s->version_b) {
+ if (get_bits_left(gb) < 64)
+ return AVERROR_INVALIDDATA;
coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root;
coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root;
} else {
+ if (get_bits_left(gb) < 58)
+ return AVERROR_INVALIDDATA;
coeffs[0] = get_float(gb) * s->root;
coeffs[1] = get_float(gb) * s->root;
}
+ if (get_bits_left(gb) < s->num_bands * 8)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < s->num_bands; i++) {
/* constant is result of 0.066399999/log10(M_E) */
int value = get_bits(gb, 8);
@@ -191,15 +204,20 @@
while (i < s->frame_len) {
if (s->version_b) {
j = i + 16;
- } else if (get_bits1(gb)) {
- j = i + rle_length_tab[get_bits(gb, 4)] * 8;
} else {
- j = i + 8;
+ int v;
+ GET_BITS_SAFE(v, 1);
+ if (v) {
+ GET_BITS_SAFE(v, 4);
+ j = i + rle_length_tab[v] * 8;
+ } else {
+ j = i + 8;
+ }
}
j = FFMIN(j, s->frame_len);
- width = get_bits(gb, 4);
+ GET_BITS_SAFE(width, 4);
if (width == 0) {
memset(coeffs + i, 0, (j - i) * sizeof(*coeffs));
i = j;
@@ -209,9 +227,11 @@
while (i < j) {
if (s->bands[k] == i)
q = quant[k++];
- coeff = get_bits(gb, width);
+ GET_BITS_SAFE(coeff, width);
if (coeff) {
- if (get_bits1(gb))
+ int v;
+ GET_BITS_SAFE(v, 1);
+ if (v)
coeffs[i] = -q * coeff;
else
coeffs[i] = q * coeff;
@@ -247,6 +267,8 @@
s->overlap_len * s->channels * sizeof(*out));
s->first = 0;
+
+ return 0;
}
static av_cold int decode_end(AVCodecContext *avctx)
@@ -278,12 +300,17 @@
int reported_size;
GetBitContext *gb = &s->gb;
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
init_get_bits(gb, buf, buf_size * 8);
reported_size = get_bits_long(gb, 32);
- while (get_bits_count(gb) / 8 < buf_size &&
- samples + s->block_size <= samples_end) {
- decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT);
+ while (samples + s->block_size <= samples_end) {
+ if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT))
+ break;
samples += s->block_size;
get_bits_align32(gb);
}
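Review bot: The result of `decode_block()` is only tested for non-zero and then dropped by `break`, so a packet truncated in the middle of a block ends the loop without a log line and, as far as this hunk shows, without an error reaching the caller. Because the `get_bits_count(gb) / 8 < buf_size` condition was removed, every packet that does not fill the output buffer now also ends by running `decode_block()` into its first failing check, so clean end-of-data and truncation look identical. Keeping an explicit `get_bits_left(gb) > 0` in the loop condition would separate the two cases. A failure inside the loop could then be logged and returned as an error. The enclosing function continues outside the hunk.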
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/bitstream.c
@@ -109,8 +109,8 @@
if(use_static)
abort(); //cant do anything, init_vlc() is used with too little memory
vlc->table_allocated += (1 << vlc->bits);
- vlc->table = av_realloc(vlc->table,
- sizeof(VLC_TYPE) * 2 * vlc->table_allocated);
+ vlc->table = av_realloc_f(vlc->table,
+ vlc->table_allocated, sizeof(VLC_TYPE) * 2);
if (!vlc->table)
return -1;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/dca.c
@@ -898,15 +898,17 @@
else /* Perfect reconstruction */
prCoeff = fir_32bands_perfect;
+ for (i = sb_act; i < 32; i++)
+ s->raXin[i] = 0.0;
+
/* Reconstructed channel sample index */
for (subindex = 0; subindex < 8; subindex++) {
/* Load in one sample from each subband and clear inactive subbands */
for (i = 0; i < sb_act; i++){
- uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30;
+ unsigned sign = (i - 1) & 2;
+ uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30;
AV_WN32A(&s->raXin[i], v);
}
- for (; i < 32; i++)
- s->raXin[i] = 0.0;
s->synth.synth_filter_float(&s->imdct,
s->subband_fir_hist[chans], &s->hist_index[chans],
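Review bot: The context comment inside the loop still reads "Load in one sample from each subband and clear inactive subbands", but the clearing now happens once before the loop, so that comment is stale. Hoisting the zero-fill is also only equivalent if `synth_filter_float` never writes to `s->raXin`, which this hunk does not show. I would trim the loop comment to the load step and add a remark at the new loop, e.g. `/* inactive subbands stay zero for all 8 samples; the synth filter only reads raXin */`, once that has been confirmed.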
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/dsicinav.c
@@ -217,7 +217,11 @@
bitmap_frame_size = buf_size - 4;
/* handle palette */
+ if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0)))
+ return AVERROR_INVALIDDATA;
if (palette_type == 0) {
+ if (palette_colors_count > 256)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < palette_colors_count; ++i) {
cin->palette[i] = bytestream_get_le24(&buf);
bitmap_frame_size -= 3;
@@ -306,6 +310,11 @@
CinAudioContext *cin = avctx->priv_data;
cin->avctx = avctx;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
cin->initial_decode_frame = 1;
cin->delta = 0;
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/dvdata.c
@@ -248,11 +248,13 @@
const DVprofile* ff_dv_frame_profile(const DVprofile *sys,
const uint8_t* frame, unsigned buf_size)
{
- int i;
+ int i, dsf, stype;
- int dsf = (frame[3] & 0x80) >> 7;
+ if(buf_size < DV_PROFILE_BYTES)
+ return NULL;
- int stype = frame[80*5 + 48 + 3] & 0x1f;
+ dsf = (frame[3] & 0x80) >> 7;
+ stype = frame[80*5 + 48 + 3] & 0x1f;
/* 576i50 25Mbps 4:1:1 is a special case */
if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/eacmv.c
@@ -56,7 +56,7 @@
unsigned char *dst = s->frame.data[0];
int i;
- for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) {
+ for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) {
memcpy(dst, buf, s->avctx->width);
dst += s->frame.linesize[0];
buf += s->avctx->width;
@@ -88,7 +88,7 @@
i = 0;
for(y=0; y<s->avctx->height/4; y++)
- for(x=0; x<s->avctx->width/4 && buf+i<buf_end; x++) {
+ for(x=0; x<s->avctx->width/4 && buf_end - buf > i; x++) {
if (buf[i]==0xFF) {
unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4;
if (raw+16<buf_end && *raw==0xFF) { /* intra */
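Review bot: The loop condition is rewritten to the subtraction form, but the line two below it still tests `raw+16<buf_end`, the pointer-addition form this commit replaces everywhere else in the file. Forming `raw+16` beyond the end of the buffer is undefined and can wrap on some targets, which defeats the check that protects the 16-byte intra copy. The equivalent safe form is `buf_end - raw > 16`. Where `raw` is initialized is outside the hunk, so whether it can start beyond `buf_end` should be confirmed as well.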
@@ -110,9 +110,10 @@
}else{ /* inter using last frame as reference */
int xoffset = (buf[i] & 0xF) - 7;
int yoffset = ((buf[i] >> 4)) - 7;
- cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
- s->last_frame.data[0], s->last_frame.linesize[0],
- x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+ if (s->last_frame.data[0])
+ cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
+ s->last_frame.data[0], s->last_frame.linesize[0],
+ x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
}
i++;
}
@@ -122,7 +123,7 @@
{
int pal_start, pal_count, i;
- if(buf+16>=buf_end) {
+ if(buf_end - buf < 16) {
av_log(s->avctx, AV_LOG_WARNING, "truncated header\n");
return;
}
@@ -139,7 +140,7 @@
pal_count = AV_RL16(&buf[14]);
buf += 16;
- for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+ for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
s->palette[i] = AV_RB24(buf);
buf += 3;
}
@@ -157,6 +158,9 @@
CmvContext *s = avctx->priv_data;
const uint8_t *buf_end = buf + buf_size;
+ if (buf_end - buf < EA_PREAMBLE_SIZE)
+ return AVERROR_INVALIDDATA;
+
if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) {
cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end);
return buf_size;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/eamad.c
@@ -85,15 +85,21 @@
{
MpegEncContext *s = &t->s;
if (j < 4) {
+ unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+ if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7)
+ return;
comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3),
t->frame.linesize[0],
- t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x,
+ t->last_frame.data[0] + offset,
t->last_frame.linesize[0], add);
} else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) {
int index = j - 3;
+ unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2);
+ if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7)
+ return;
comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8,
t->frame.linesize[index],
- t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2),
+ t->last_frame.data[index] + offset,
t->last_frame.linesize[index], add);
}
}
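Review bot: Both new bounds tests compute their limit in signed `int` and only then compare it with the `unsigned offset`, so a non-positive limit turns into a huge unsigned value and the guard never fires. That happens for `(s->height - 7)` when the height is 7 or less and for `(s->height/2 - 7)` when it is 15 or less; whether such dimensions can reach comp_block is decided outside this hunk. Checking the sign first closes the gap: `int limit = (s->height - 7) * t->last_frame.linesize[0] - 7;` followed by `if (limit <= 0 || offset >= (unsigned)limit) return;`, and the same for the chroma branch. The test also relies on a negative offset wrapping to a large unsigned value, which deserves a one-line comment.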
@@ -205,7 +211,8 @@
for (j=0; j<6; j++) {
if (mv_map & (1<<j)) { // mv_x and mv_y are guarded by mv_map
int add = 2*decode_motion(&s->gb);
- comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
+ if (t->last_frame.data[0])
+ comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
} else {
s->dsp.clear_block(t->block);
decode_block_intra(t, t->block);
@@ -266,6 +273,8 @@
avcodec_set_dimensions(avctx, s->width, s->height);
if (t->frame.data[0])
avctx->release_buffer(avctx, &t->frame);
+ if (t->last_frame.data[0])
+ avctx->release_buffer(avctx, &t->last_frame);
}
t->frame.reference = 1;
@@ -280,6 +289,7 @@
if (!t->bitstream_buf)
return AVERROR(ENOMEM);
bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
+ memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
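Review bot: The added memset starts at `buf_end-buf`, but `bswap16_buf` writes only `(buf_end-buf)/2` 16-bit words, so for an odd packet length the last byte inside the range given to `init_get_bits` is written by neither call. Unless the buffer is zeroed when it is allocated (outside this hunk), the bit reader can see a stale byte there; `if ((buf_end-buf) & 1) ((uint8_t*)t->bitstream_buf)[buf_end-buf-1] = 0;` would cover it. The memset also assumes the allocation above is at least `(buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE` bytes, which is not visible here.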
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/eatgv.c
@@ -74,7 +74,7 @@
else
src += 2;
- if (src+3>src_end)
+ if (src_end - src < 3)
return -1;
size = AV_RB24(src);
src += 3;
@@ -138,7 +138,7 @@
* @return 0 on success, -1 on critical buffer underflow
*/
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
- unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0];
+ unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];
int num_mvs;
int num_blocks_raw;
int num_blocks_packed;
@@ -148,7 +148,7 @@
int mvbits;
const unsigned char *blocks_raw;
- if(buf+12>buf_end)
+ if(buf_end - buf < 12)
return -1;
num_mvs = AV_RL16(&buf[0]);
@@ -171,7 +171,7 @@
/* read motion vectors */
mvbits = (num_mvs*2*10+31) & ~31;
- if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end)
+ if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed)
return -1;
init_get_bits(&gb, buf, mvbits);
@@ -207,12 +207,14 @@
int src_stride;
if (vector < num_mvs) {
- src = s->last_frame.data[0] +
- (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
- x*4 + s->mv_codebook[vector][0];
+ unsigned offset =
+ (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
+ x*4 + s->mv_codebook[vector][0];
+
src_stride = s->last_frame.linesize[0];
- if (src+3*src_stride+3>=frame0_end)
+ if (offset >= last_frame_size - (3*src_stride+3))
continue;
+ src = s->last_frame.data[0] + offset;
}else{
int offset = vector - num_mvs;
if (offset<num_blocks_raw)
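Review bot: The subtraction in `offset >= last_frame_size - (3*src_stride+3)` is unsigned, so when `last_frame_size` is smaller than `3*src_stride+3` (a frame of three rows or fewer, or a zero size if no previous frame exists) it wraps and the test accepts every offset. Guarding the subtraction keeps the check meaningful: `if (last_frame_size < 3*src_stride+3 || offset >= last_frame_size - (3*src_stride+3)) continue;`. Whether the caller already rejects a missing previous frame is outside this hunk.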
@@ -252,12 +254,15 @@
const uint8_t *buf_end = buf + buf_size;
int chunk_type;
+ if (buf_end - buf < EA_PREAMBLE_SIZE)
+ return AVERROR_INVALIDDATA;
+
chunk_type = AV_RL32(&buf[0]);
buf += EA_PREAMBLE_SIZE;
if (chunk_type==kVGT_TAG) {
int pal_count, i;
- if(buf+12>buf_end) {
+ if(buf_end - buf < 12) {
av_log(avctx, AV_LOG_WARNING, "truncated header\n");
return -1;
}
@@ -272,7 +277,7 @@
pal_count = AV_RL16(&buf[6]);
buf += 12;
- for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+ for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
s->palette[i] = AV_RB24(buf);
buf += 3;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/error_resilience.c
@@ -660,7 +660,7 @@
if(s->codec_id == CODEC_ID_H264){
H264Context *h= (void*)s;
- if(h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0])
+ if (h->list_count <= 0 || h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0])
return 1;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/flacdec.c
@@ -228,9 +228,11 @@
buf += 4;
do {
+ if (buf_end - buf < 4)
+ return 0;
ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
buf += 4;
- if (buf + metadata_size > buf_end) {
+ if (buf_end - buf < metadata_size) {
/* need more data in order to read the complete header */
return 0;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/flicvideo.c
@@ -132,7 +132,6 @@
FlicDecodeContext *s = avctx->priv_data;
int stream_ptr = 0;
- int stream_ptr_after_color_chunk;
int pixel_ptr;
int palette_ptr;
unsigned char palette_idx1;
@@ -172,7 +171,11 @@
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
+ if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE))
+ return AVERROR_INVALIDDATA;
frame_size = AV_RL32(&buf[stream_ptr]);
+ if (frame_size > buf_size)
+ frame_size = buf_size;
stream_ptr += 6; /* skip the magic number */
num_chunks = AV_RL16(&buf[stream_ptr]);
stream_ptr += 10; /* skip padding */
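Review bot: The new clamp bounds `frame_size` from above only; a header value below 16 still reaches `frame_size -= 16` at the top of the next hunk. If `frame_size` is unsigned, as the `%u` in the chunk warning suggests (its declaration is outside the hunk), that subtraction wraps to a very large value and the `chunk_size > frame_size` clamp stops limiting anything. Adding `if (frame_size < 16) return AVERROR_INVALIDDATA;` right after the clamp would close this.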
@@ -180,13 +183,16 @@
frame_size -= 16;
/* iterate through the chunks */
- while ((frame_size > 0) && (num_chunks > 0)) {
+ while ((frame_size >= 6) && (num_chunks > 0)) {
+ int stream_ptr_after_chunk;
chunk_size = AV_RL32(&buf[stream_ptr]);
if (chunk_size > frame_size) {
av_log(avctx, AV_LOG_WARNING,
"Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
chunk_size = frame_size;
}
+ stream_ptr_after_chunk = stream_ptr + chunk_size;
+
stream_ptr += 4;
chunk_type = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
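Review bot: A `chunk_size` smaller than the 6-byte chunk header is not rejected, so `stream_ptr_after_chunk` can lie before the position reached after reading the size and type fields. The end-of-chunk assignment then moves `stream_ptr` backwards and `frame_size` shrinks by less than was consumed (not at all for a zero size), leaving only `num_chunks` to end the loop. I would add `if (chunk_size < 6) break;` after the clamp. The loop body continues in the following hunks.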
@@ -194,8 +200,6 @@
switch (chunk_type) {
case FLI_256_COLOR:
case FLI_COLOR:
- stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6;
-
/* check special case: If this file is from the Magic Carpet
* game and uses 6-bit colors even though it reports 256-color
* chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during
@@ -219,6 +223,9 @@
if (color_changes == 0)
color_changes = 256;
+ if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
+ break;
+
for (j = 0; j < color_changes; j++) {
unsigned int entry;
@@ -235,13 +242,6 @@
s->palette[palette_ptr++] = entry;
}
}
-
- /* color chunks sometimes have weird 16-bit alignment issues;
- * therefore, take the hardline approach and set the stream_ptr
- * to the value calculated w.r.t. the size specified by the color
- * chunk header */
- stream_ptr = stream_ptr_after_color_chunk;
-
break;
case FLI_DELTA:
@@ -249,6 +249,8 @@
compressed_lines = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
while (compressed_lines > 0) {
+ if (stream_ptr + 2 > stream_ptr_after_chunk)
+ break;
line_packets = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
if ((line_packets & 0xC000) == 0xC000) {
@@ -268,6 +270,8 @@
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
+ if (stream_ptr + 2 > stream_ptr_after_chunk)
+ break;
/* account for the skip bytes */
pixel_skip = buf[stream_ptr++];
pixel_ptr += pixel_skip;
@@ -284,6 +288,8 @@
}
} else {
CHECK_PIXEL_PTR(byte_run * 2);
+ if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
@@ -310,6 +316,8 @@
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
line_packets = buf[stream_ptr++];
+ if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk)
+ break;
if (line_packets > 0) {
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
@@ -319,6 +327,8 @@
byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run);
+ if (stream_ptr + byte_run > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
@@ -356,6 +366,8 @@
stream_ptr++;
pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) {
+ if (stream_ptr + 1 > stream_ptr_after_chunk)
+ break;
byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++];
@@ -370,6 +382,8 @@
} else { /* copy bytes if byte_run < 0 */
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
+ if (stream_ptr + byte_run > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run; j++) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
@@ -387,10 +401,9 @@
case FLI_COPY:
/* copy the chunk (uncompressed frame) */
- if (chunk_size - 6 > s->avctx->width * s->avctx->height) {
+ if (chunk_size - 6 != s->avctx->width * s->avctx->height) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
- "bigger than image, skipping chunk\n", chunk_size - 6);
- stream_ptr += chunk_size - 6;
+ "has incorrect size, skipping chunk\n", chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
y_ptr += s->frame.linesize[0]) {
@@ -403,7 +416,6 @@
case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */
- stream_ptr += chunk_size - 6;
break;
default:
@@ -411,6 +423,8 @@
break;
}
+ stream_ptr = stream_ptr_after_chunk;
+
frame_size -= chunk_size;
num_chunks--;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/golomb.h
@@ -75,6 +75,20 @@
}
}
+/**
+ * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1.
+ */
+static inline unsigned get_ue_golomb_long(GetBitContext *gb)
+{
+ unsigned buf, log;
+
+ buf = show_bits_long(gb, 32);
+ log = 31 - av_log2(buf);
+ skip_bits_long(gb, log);
+
+ return get_bits_long(gb, log + 1) - 1;
+}
+
/**
* read unsigned exp golomb code, constraint to a max of 31.
* the return value is undefined if the stored value exceeds 31.
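Review bot: The doc comment of `get_ue_golomb_long` gives the value range but not what happens on malformed input: with more than 31 leading zero bits `log` depends on what `av_log2(0)` returns, and the function has no error return. I would extend the comment with a line such as `* The result is unspecified if the prefix has more than 31 zero bits; callers must range-check the value.` The two call sites in h264_ps.c discard the result, so this matters mainly for future users.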
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264.c
@@ -106,12 +106,9 @@
}
return 0;
-} //FIXME cleanup like ff_h264_check_intra_pred_mode
+} //FIXME cleanup like check_intra_pred_mode
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
+static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
MpegEncContext * const s = &h->s;
static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -131,7 +128,7 @@
if((h->left_samples_available&0x8080) != 0x8080){
mode= left[ mode ];
- if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
+ if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8);
}
if(mode<0){
@@ -143,6 +140,23 @@
return mode;
}
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
+{
+ return check_intra_pred_mode(h, mode, 0);
+}
+
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
+{
+ return check_intra_pred_mode(h, mode, 1);
+}
+
+
const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
int i, si, di;
uint8_t *dst;
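Review bot: The two new wrappers carry the same doc comment word for word, so a reader cannot tell from it why there are two functions. The only difference is the `is_chroma` argument, which enables the MBAFF + constrained_intra_pred remapping in `check_intra_pred_mode`; the chroma wrapper's comment could add `* Chroma variant: also applies the MBAFF + constrained_intra_pred left-edge DC remapping.` The prototypes in h264.h repeat the duplicated text and would want the same line. `check_intra_pred_mode` itself is left without a doc comment after the move.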
@@ -1005,8 +1019,12 @@
s->height = s->avctx->height;
s->codec_id= s->avctx->codec->id;
- ff_h264dsp_init(&h->h264dsp, 8);
- ff_h264_pred_init(&h->hpc, s->codec_id, 8);
+ s->avctx->bits_per_raw_sample = 8;
+
+ ff_h264dsp_init(&h->h264dsp,
+ s->avctx->bits_per_raw_sample);
+ ff_h264_pred_init(&h->hpc, s->codec_id,
+ s->avctx->bits_per_raw_sample);
h->dequant_coeff_pps= -1;
s->unrestricted_mv=1;
@@ -1018,17 +1036,20 @@
memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t));
}
-int ff_h264_decode_extradata(H264Context *h)
+int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
{
AVCodecContext *avctx = h->s.avctx;
- if(avctx->extradata[0] == 1){
+ if(!buf || size <= 0)
+ return -1;
+
+ if(buf[0] == 1){
int i, cnt, nalsize;
- unsigned char *p = avctx->extradata;
+ const unsigned char *p = buf;
h->is_avc = 1;
- if(avctx->extradata_size < 7) {
+ if(size < 7) {
av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
return -1;
}
@@ -1040,6 +1061,8 @@
p += 6;
for (i = 0; i < cnt; i++) {
nalsize = AV_RB16(p) + 2;
+ if(nalsize > size - (p-buf))
+ return -1;
if(decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
return -1;
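Review bot: The new length test runs after `AV_RB16(p)` has already read two bytes, so with fewer than two bytes left the size field itself is read beyond `size`; the PPS loop in the next hunk has the same order, and `cnt = *(p++)` between the loops is unchecked. Testing the remaining length first avoids relying on padding behind `buf`: `if (size - (p-buf) < 2) return -1;` before the `AV_RB16` line. These two returns are also silent, while the neighbouring failures log a message. The function body extends beyond this hunk.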
@@ -1050,6 +1073,8 @@
cnt = *(p++); // Number of pps
for (i = 0; i < cnt; i++) {
nalsize = AV_RB16(p) + 2;
+ if(nalsize > size - (p-buf))
+ return -1;
if (decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
return -1;
@@ -1057,10 +1082,10 @@
p += nalsize;
}
// Now store right nal length size, that will be use to parse all other nals
- h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;
+ h->nal_length_size = (buf[4] & 0x03) + 1;
} else {
h->is_avc = 0;
- if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0)
+ if(decode_nal_units(h, buf, size) < 0)
return -1;
}
return 0;
@@ -1104,7 +1129,7 @@
}
if(avctx->extradata_size > 0 && avctx->extradata &&
- ff_h264_decode_extradata(h))
+ ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size))
return -1;
if(h->sps.bitstream_restriction_flag && s->avctx->has_b_frames < h->sps.num_reorder_frames){
@@ -2612,6 +2637,7 @@
free_tables(h, 0);
flush_dpb(s->avctx);
MPV_common_end(s);
+ h->list_count = 0;
}
if (!s->context_initialized) {
if (h != h0) {
@@ -2872,6 +2898,7 @@
h->ref_count[1]= h->pps.ref_count[1];
if(h->slice_type_nos != AV_PICTURE_TYPE_I){
+ unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
if(h->slice_type_nos == AV_PICTURE_TYPE_B){
h->direct_spatial_mv_pred= get_bits1(&s->gb);
}
@@ -2882,25 +2909,27 @@
if(h->slice_type_nos==AV_PICTURE_TYPE_B)
h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
- if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
- av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0]= h->ref_count[1]= 1;
- return -1;
- }
+ }
+ if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+ av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+ h->ref_count[0]= h->ref_count[1]= 1;
+ return -1;
}
if(h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count= 2;
else
h->list_count= 1;
}else
- h->list_count= 0;
+ h->ref_count[1]= h->ref_count[0]= h->list_count= 0;
if(!default_ref_list_done){
ff_h264_fill_default_ref_list(h);
}
- if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0)
+ if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) {
+ h->ref_count[1]= h->ref_count[0]= 0;
return -1;
+ }
if(h->slice_type_nos!=AV_PICTURE_TYPE_I){
s->last_picture_ptr= &h->ref_list[0][0];
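Review bot: The error paths in this hunk reset the reference state differently: "reference overflow" sets both `ref_count` entries to 1 and leaves `list_count` untouched, while the I-slice branch and the reordering failure set the counts to 0. A count of 1 after a rejected header advertises a reference that may not exist, and consumers such as the new `h->list_count <= 0 || h->ref_count[0] <= 0` test in error_resilience.c key on zero. Using `h->ref_count[1]= h->ref_count[0]= h->list_count= 0;` in the overflow branch would make the three paths agree. The enclosing slice-header function lies outside the hunk, so later use of these fields is not visible here.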
@@ -3729,9 +3758,13 @@
switch (hx->nal_unit_type) {
case NAL_SPS:
case NAL_PPS:
+ nals_needed = nal_index;
+ break;
case NAL_IDR_SLICE:
case NAL_SLICE:
- nals_needed = nal_index;
+ init_get_bits(&hx->s.gb, ptr, bit_length);
+ if(!get_ue_golomb(&hx->s.gb))
+ nals_needed = nal_index;
}
continue;
}
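Review bot: The new slice case re-initialises the bit reader and tests the first Exp-Golomb value without saying what that value is. A comment would help, for example `/* first_mb_in_slice == 0: only the first slice of a picture moves nals_needed */`, assuming that is the field meant. The case also leaves the switch without a `break`, unlike the SPS/PPS case added above it; adding one keeps a later case from inheriting the fall-through.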
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264.h
@@ -101,7 +101,7 @@
*/
#define DELAYED_PIC_REF 4
-#define QP_MAX_NUM (51 + 2*6) // The maximum supported qp
+#define QP_MAX_NUM (51 + 4*6) // The maximum supported qp
/* NAL unit types */
enum {
@@ -227,7 +227,7 @@
int transform_8x8_mode; ///< transform_8x8_mode_flag
uint8_t scaling_matrix4[6][16];
uint8_t scaling_matrix8[6][64];
- uint8_t chroma_qp_table[2][64]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
+ uint8_t chroma_qp_table[2][QP_MAX_NUM+1]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
int chroma_qp_diff;
}PPS;
@@ -584,7 +584,7 @@
}H264Context;
-extern const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1]; ///< One chroma qp table for each supported bit depth (8, 9, 10).
+extern const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1]; ///< One chroma qp table for each possible bit depth (8-12).
/**
* Decode SEI
@@ -658,12 +658,17 @@
/**
* Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
*/
-int ff_h264_check_intra_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
+
+/**
+ * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
void ff_h264_write_back_intra_pred_mode(H264Context *h);
void ff_h264_hl_decode_mb(H264Context *h);
int ff_h264_frame_start(H264Context *h);
-int ff_h264_decode_extradata(H264Context *h);
+int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size);
av_cold int ff_h264_decode_init(AVCodecContext *avctx);
av_cold int ff_h264_decode_end(AVCodecContext *avctx);
av_cold void ff_h264_decode_init_vlc(void);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264_cabac.c
@@ -2003,14 +2003,14 @@
ff_h264_write_back_intra_pred_mode(h);
if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
} else {
- h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode );
+ h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
if( h->intra16x16_pred_mode < 0 ) return -1;
}
if(decode_chroma){
h->chroma_pred_mode_table[mb_xy] =
pred_mode = decode_cabac_mb_chroma_pre_mode( h );
- pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode );
+ pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
if( pred_mode < 0 ) return -1;
h->chroma_pred_mode= pred_mode;
} else {
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264_cavlc.c
@@ -735,12 +735,12 @@
if( ff_h264_check_intra4x4_pred_mode(h) < 0)
return -1;
}else{
- h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode);
+ h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
if(h->intra16x16_pred_mode < 0)
return -1;
}
if(decode_chroma){
- pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb));
+ pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
if(pred_mode < 0)
return -1;
h->chroma_pred_mode= pred_mode;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264_direct.c
@@ -89,7 +89,8 @@
for(j=start; j<end; j++){
if(4*h->ref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){
int cur_ref= mbafi ? (j-16)^field : j;
- map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
+ if(ref1->mbaff)
+ map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
if(rfield == field || !interl)
map[list][old_ref] = cur_ref;
break;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264_parser.c
@@ -251,7 +251,7 @@
h->got_first = 1;
if (avctx->extradata_size) {
h->s.avctx = avctx;
- ff_h264_decode_extradata(h);
+ ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
}
}
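Review bot: The return value of `ff_h264_decode_extradata` is still discarded at this call, and with the new signature it returns -1 for short or malformed extradata. If the parser is meant to carry on regardless, a comment saying so would help; otherwise the failure should at least be logged, e.g. `if (ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size) < 0) av_log(avctx, AV_LOG_WARNING, "invalid extradata\n");`. The enclosing function is outside the hunk.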
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264_ps.c
@@ -70,7 +70,7 @@
QP(37,d), QP(37,d), QP(37,d), QP(38,d), QP(38,d), QP(38,d),\
QP(39,d), QP(39,d), QP(39,d), QP(39,d)
-const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = {
+const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1] = {
{
CHROMA_QP_TABLE_END(8)
},
@@ -83,6 +83,19 @@
6, 7, 8, 9, 10, 11,
CHROMA_QP_TABLE_END(10)
},
+ {
+ 0, 1, 2, 3, 4, 5,
+ 6, 7, 8, 9, 10, 11,
+ 12,13,14,15, 16, 17,
+ CHROMA_QP_TABLE_END(11)
+ },
+ {
+ 0, 1, 2, 3, 4, 5,
+ 6, 7, 8, 9, 10, 11,
+ 12,13,14,15, 16, 17,
+ 18,19,20,21, 22, 23,
+ CHROMA_QP_TABLE_END(12)
+ },
};
static const uint8_t default_scaling4[2][16]={
@@ -130,8 +143,8 @@
get_bits(&s->gb, 4); /* bit_rate_scale */
get_bits(&s->gb, 4); /* cpb_size_scale */
for(i=0; i<cpb_count; i++){
- get_ue_golomb(&s->gb); /* bit_rate_value_minus1 */
- get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */
+ get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */
+ get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */
get_bits1(&s->gb); /* cbr_flag */
}
sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1;
@@ -333,6 +346,11 @@
sps->residual_color_transform_flag = get_bits1(&s->gb);
sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8;
sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
+ if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
+ sps->bit_depth_luma, sps->bit_depth_chroma);
+ goto fail;
+ }
sps->transform_bypass = get_bits1(&s->gb);
decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
}else{
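Review bot: The limit `12U` in the new bit-depth test is a bare literal, although it has to stay in step with the first dimension of `ff_h264_chroma_qp` (now 5 tables, for 8 to 12 bits) and with the `4*6` term of `QP_MAX_NUM` in h264.h. A comment at the test would record that coupling, e.g. `/* 12 bits is the last entry of ff_h264_chroma_qp[] and the depth QP_MAX_NUM is sized for */`. The format string prints both depths with `%d`, which is only right if the fields are signed; their declarations are outside the hunk.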
@@ -365,7 +383,7 @@
}
sps->ref_frame_count= get_ue_golomb_31(&s->gb);
- if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){
+ if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){
av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
goto fail;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264_refs.c
@@ -301,7 +301,7 @@
void ff_h264_fill_mbaff_ref_list(H264Context *h){
int list, i, j;
- for(list=0; list<2; list++){ //FIXME try list_count
+ for(list=0; list<h->list_count; list++){
for(i=0; i<h->ref_count[list]; i++){
Picture *frame = &h->ref_list[list][i];
Picture *field = &h->ref_list[list][16+2*i];
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264pred.c
@@ -40,7 +40,7 @@
#undef BIT_DEPTH
static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
- const int lt= src[-1-1*stride];
+ const unsigned lt = src[-1-1*stride];
LOAD_TOP_EDGE
LOAD_TOP_RIGHT_EDGE
uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2,
@@ -55,7 +55,7 @@
}
static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
- const int lt= src[-1-1*stride];
+ const unsigned lt = src[-1-1*stride];
LOAD_LEFT_EDGE
AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101);
@@ -292,7 +292,7 @@
static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0;
+ unsigned dc0;
dc0=0;
for(i=0;i<8; i++)
@@ -307,7 +307,7 @@
static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0;
+ unsigned dc0;
dc0=0;
for(i=0;i<8; i++)
@@ -322,7 +322,7 @@
static void pred8x8_dc_rv40_c(uint8_t *src, int stride){
int i;
- int dc0=0;
+ unsigned dc0 = 0;
for(i=0;i<4; i++){
dc0+= src[-1+i*stride] + src[i-stride];
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/h264pred_template.c
@@ -120,28 +120,28 @@
#define LOAD_TOP_RIGHT_EDGE\
- const int av_unused t4= topright[0];\
- const int av_unused t5= topright[1];\
- const int av_unused t6= topright[2];\
- const int av_unused t7= topright[3];\
+ const unsigned av_unused t4 = topright[0];\
+ const unsigned av_unused t5 = topright[1];\
+ const unsigned av_unused t6 = topright[2];\
+ const unsigned av_unused t7 = topright[3];\
#define LOAD_DOWN_LEFT_EDGE\
- const int av_unused l4= src[-1+4*stride];\
- const int av_unused l5= src[-1+5*stride];\
- const int av_unused l6= src[-1+6*stride];\
- const int av_unused l7= src[-1+7*stride];\
+ const unsigned av_unused l4 = src[-1+4*stride];\
+ const unsigned av_unused l5 = src[-1+5*stride];\
+ const unsigned av_unused l6 = src[-1+6*stride];\
+ const unsigned av_unused l7 = src[-1+7*stride];\
#define LOAD_LEFT_EDGE\
- const int av_unused l0= src[-1+0*stride];\
- const int av_unused l1= src[-1+1*stride];\
- const int av_unused l2= src[-1+2*stride];\
- const int av_unused l3= src[-1+3*stride];\
+ const unsigned av_unused l0 = src[-1+0*stride];\
+ const unsigned av_unused l1 = src[-1+1*stride];\
+ const unsigned av_unused l2 = src[-1+2*stride];\
+ const unsigned av_unused l3 = src[-1+3*stride];\
#define LOAD_TOP_EDGE\
- const int av_unused t0= src[ 0-1*stride];\
- const int av_unused t1= src[ 1-1*stride];\
- const int av_unused t2= src[ 2-1*stride];\
- const int av_unused t3= src[ 3-1*stride];\
+ const unsigned av_unused t0 = src[ 0-1*stride];\
+ const unsigned av_unused t1 = src[ 1-1*stride];\
+ const unsigned av_unused t2 = src[ 2-1*stride];\
+ const unsigned av_unused t3 = src[ 3-1*stride];\
static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){
pixel *src = (pixel*)_src;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/imc.c
@@ -104,10 +104,15 @@
static av_cold int imc_decode_init(AVCodecContext * avctx)
{
- int i, j;
+ int i, j, ret;
IMCContext *q = avctx->priv_data;
double r1, r2;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
q->decoder_reset = 1;
for(i = 0; i < BANDS; i++)
@@ -156,7 +161,10 @@
}
q->one_div_log2 = 1/log(2);
- ff_fft_init(&q->fft, 7, 1);
+ if ((ret = ff_fft_init(&q->fft, 7, 1))) {
+ av_log(avctx, AV_LOG_INFO, "FFT init failed\n");
+ return ret;
+ }
dsputil_init(&q->dsp, avctx);
avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
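Review bot: The FFT failure is reported with `AV_LOG_INFO` although init is aborted; `av_log(avctx, AV_LOG_ERROR, "FFT init failed\n");` matches how a fatal init error is normally reported. With the `avctx->channels != 1` rejection added in the previous hunk, the `(avctx->channels==2)` test on the last line can no longer be true, so the layout could simply be `AV_CH_LAYOUT_MONO`.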
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/imgconvert.c
@@ -470,6 +470,16 @@
}
}
+ switch (pix_fmt) {
+ case PIX_FMT_RGB8:
+ case PIX_FMT_BGR8:
+ case PIX_FMT_RGB4_BYTE:
+ case PIX_FMT_BGR4_BYTE:
+ case PIX_FMT_GRAY8:
+ // do not include palette for these pseudo-paletted formats
+ return size;
+ }
+
if (desc->flags & PIX_FMT_PAL)
memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/j2k_dwt.c
@@ -321,6 +321,8 @@
int i, j, lev = decomp_levels, maxlen,
b[2][2];
+ if (decomp_levels >= FF_DWT_MAX_DECLVLS)
+ return AVERROR_INVALIDDATA;
s->ndeclevels = decomp_levels;
s->type = type;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/j2kdec.c
@@ -961,18 +961,20 @@
static int jp2_find_codestream(J2kDecoderContext *s)
{
- int32_t atom_size;
+ uint32_t atom_size;
int found_codestream = 0, search_range = 10;
// skip jpeg2k signature atom
s->buf += 12;
- while(!found_codestream && search_range) {
+ while(!found_codestream && search_range && s->buf_end - s->buf >= 8) {
atom_size = AV_RB32(s->buf);
if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) {
found_codestream = 1;
s->buf += 8;
} else {
+ if (s->buf_end - s->buf < atom_size)
+ return 0;
s->buf += atom_size;
search_range--;
}
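Review bot: An `atom_size` below 8 passes the new length test, so `s->buf` advances by less than one atom header (not at all for 0) and the next iteration parses overlapping bytes until `search_range` runs out. Rejecting it in the else branch, `if (atom_size < 8 || s->buf_end - s->buf < atom_size) return 0;`, makes the walk strictly forward. The `s->buf += 12` before the loop relies on the 12-byte check added at the call site in the next hunk.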
@@ -1005,7 +1007,8 @@
return AVERROR(EINVAL);
// check if the image is in jp2 format
- if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) &&
+ if(s->buf_end - s->buf >= 12 &&
+ (AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) &&
(AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) {
if(!jp2_find_codestream(s)) {
av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n");
Added |
ffmpeg-0.8.6.tar.bz2/libavcodec/libaacplus.c
@@ -0,0 +1,136 @@
+/*
+ * Interface to libaacplus for aac+ (sbr+ps) encoding
+ * Copyright (c) 2010 tipok <piratfm@gmail.com>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/**
+ * @file
+ * Interface to libaacplus for aac+ (sbr+ps) encoding.
+ */
+
+#include "avcodec.h"
+#include <aacplus.h>
+
+typedef struct aacPlusAudioContext {
+ aacplusEncHandle aacplus_handle;
+} aacPlusAudioContext;
+
+static av_cold int aacPlus_encode_init(AVCodecContext *avctx)
+{
+ aacPlusAudioContext *s = avctx->priv_data;
+ aacplusEncConfiguration *aacplus_cfg;
+ unsigned long samples_input, max_bytes_output;
+
+ /* number of channels */
+ if (avctx->channels < 1 || avctx->channels > 2) {
+ av_log(avctx, AV_LOG_ERROR, "encoding %d channel(s) is not allowed\n", avctx->channels);
+ return -1;
+ }
+
+ s->aacplus_handle = aacplusEncOpen(avctx->sample_rate,
+ avctx->channels,
+ &samples_input, &max_bytes_output);
+ if(!s->aacplus_handle) {
+ av_log(avctx, AV_LOG_ERROR, "can't open encoder\n");
+ return -1;
+ }
+
+ /* check aacplus version */
+ aacplus_cfg = aacplusEncGetCurrentConfiguration(s->aacplus_handle);
+
+ /* put the options in the configuration struct */
+ if(avctx->profile != FF_PROFILE_AAC_LOW && avctx->profile != FF_PROFILE_UNKNOWN) {
+ av_log(avctx, AV_LOG_ERROR, "invalid AAC profile: %d, only LC supported\n", avctx->profile);
+ aacplusEncClose(s->aacplus_handle);
+ return -1;
+ }
+
+ aacplus_cfg->bitRate = avctx->bit_rate;
+ aacplus_cfg->bandWidth = avctx->cutoff;
+ if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) {
+ aacplus_cfg->outputFormat = 0; //raw aac
+ }
+ aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT;
+ if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) {
+ av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n");
+ return -1;
+ }
+
+ avctx->frame_size = samples_input / avctx->channels;
+
+ avctx->coded_frame= avcodec_alloc_frame();
+ avctx->coded_frame->key_frame= 1;
+
+ /* Set decoder specific info */
+ avctx->extradata_size = 0;
+ if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) {
+
+ unsigned char *buffer = NULL;
+ unsigned long decoder_specific_info_size;
+
+ if (aacplusEncGetDecoderSpecificInfo(s->aacplus_handle, &buffer,
+ &decoder_specific_info_size) == 1) {
+ avctx->extradata = av_malloc(decoder_specific_info_size + FF_INPUT_BUFFER_PADDING_SIZE);
+ avctx->extradata_size = decoder_specific_info_size;
+ memcpy(avctx->extradata, buffer, avctx->extradata_size);
+ }
+#undef free
+ free(buffer);
+#define free please_use_av_free
+ }
+ return 0;
+}
+
+static int aacPlus_encode_frame(AVCodecContext *avctx,
+ unsigned char *frame, int buf_size, void *data)
+{
+ aacPlusAudioContext *s = avctx->priv_data;
+ int bytes_written;
+
+ bytes_written = aacplusEncEncode(s->aacplus_handle,
+ data,
+ avctx->frame_size * avctx->channels,
+ frame,
+ buf_size);
+
+ return bytes_written;
+}
+
+static av_cold int aacPlus_encode_close(AVCodecContext *avctx)
+{
+ aacPlusAudioContext *s = avctx->priv_data;
+
+ av_freep(&avctx->coded_frame);
+ av_freep(&avctx->extradata);
+
+ aacplusEncClose(s->aacplus_handle);
+ return 0;
+}
+
+AVCodec ff_libaacplus_encoder = {
+ "libaacplus",
+ AVMEDIA_TYPE_AUDIO,
+ CODEC_ID_AAC,
+ sizeof(aacPlusAudioContext),
+ aacPlus_encode_init,
+ aacPlus_encode_frame,
+ aacPlus_encode_close,
+ .sample_fmts = (const enum SampleFormat[]){SAMPLE_FMT_S16,SAMPLE_FMT_NONE},
+ .long_name = NULL_IF_CONFIG_SMALL("libaacplus AAC+ (Advanced Audio Codec with SBR+PS)"),
+};
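Review bot: aacPlus_encode_init uses two allocations unchecked: `avcodec_alloc_frame()` is dereferenced on the next line and the `av_malloc()` result is passed straight to `memcpy()`, so an allocation failure becomes a NULL write. The `aacplusEncSetConfiguration` failure returns without `aacplusEncClose`, unlike the profile check above it, which leaks the handle unless the caller runs the close callback after a failed init. The padding bytes behind the extradata are also left uninitialised. The error handling could look like the excerpt below.

```c
    if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) {
        av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n");
        aacplusEncClose(s->aacplus_handle);
        return -1;
    }

    /* … unchanged: frame_size computation … */

    avctx->coded_frame = avcodec_alloc_frame();
    if (!avctx->coded_frame) {
        aacplusEncClose(s->aacplus_handle);
        return AVERROR(ENOMEM);
    }
    avctx->coded_frame->key_frame = 1;

    /* … unchanged: extradata_size reset … */
    if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) {
        int ret = 0;
        /* … unchanged: buffer and decoder_specific_info_size declarations … */

        if (aacplusEncGetDecoderSpecificInfo(s->aacplus_handle, &buffer,
                                             &decoder_specific_info_size) == 1) {
            /* av_mallocz so the padding bytes behind the payload are zero */
            avctx->extradata = av_mallocz(decoder_specific_info_size + FF_INPUT_BUFFER_PADDING_SIZE);
            if (avctx->extradata) {
                avctx->extradata_size = decoder_specific_info_size;
                memcpy(avctx->extradata, buffer, avctx->extradata_size);
            } else {
                ret = AVERROR(ENOMEM);
            }
        }
        /* … unchanged: free(buffer) … */
        if (ret < 0) {
            av_freep(&avctx->coded_frame);
            aacplusEncClose(s->aacplus_handle);
            return ret;
        }
    }
```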
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/libgsm.c
@@ -141,18 +141,25 @@
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
+ int out_size = avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt);
+
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
*data_size = 0; /* In case of error */
if(buf_size < avctx->block_align) return -1;
switch(avctx->codec_id) {
case CODEC_ID_GSM:
if(gsm_decode(avctx->priv_data,buf,data)) return -1;
- *data_size = GSM_FRAME_SIZE*sizeof(int16_t);
break;
case CODEC_ID_GSM_MS:
if(gsm_decode(avctx->priv_data,buf,data) ||
gsm_decode(avctx->priv_data,buf+33,((int16_t*)data)+GSM_FRAME_SIZE)) return -1;
- *data_size = GSM_FRAME_SIZE*sizeof(int16_t)*2;
}
+
+ *data_size = out_size;
return avctx->block_align;
}
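Review bot: The new guard sizes the output from two context fields, `avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt)`, while the writes below it are fixed: GSM_FRAME_SIZE int16_t samples for CODEC_ID_GSM and twice that for CODEC_ID_GSM_MS. The check therefore protects the buffer only if init sets frame_size and sample_fmt to match each codec id, which is not visible in this hunk. A comment stating that, or deriving out_size per case from GSM_FRAME_SIZE and `sizeof(int16_t)` as the removed lines did, would keep check and write in step. The same substitution of sample_fmt for the write type is made in qcelpdec.c, qdm2.c, shorten.c and sipr.c below. The decode function starts outside the hunk.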
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/libvpxenc.c
^
|
@@ -481,8 +481,8 @@
break;
case VPX_CODEC_STATS_PKT: {
struct vpx_fixed_buf *stats = &ctx->twopass_stats;
- stats->buf = av_realloc(stats->buf,
- stats->sz + pkt->data.twopass_stats.sz);
+ stats->buf = av_realloc_f(stats->buf, 1,
+ stats->sz + pkt->data.twopass_stats.sz);
if (!stats->buf) {
av_log(avctx, AV_LOG_ERROR, "Stat buffer realloc failed\n");
return AVERROR(ENOMEM);
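Review bot: After the switch to av_realloc_f the failure branch still returns with `stats->sz` unchanged: av_realloc_f releases the old block when it fails, so `stats->buf` is NULL while `stats->sz` keeps the previous length. If a later path (another stats packet or encoder close, neither visible in this hunk) consults `sz`, it pairs a stale length with a NULL pointer; adding `stats->sz = 0;` before `return AVERROR(ENOMEM);` keeps the two consistent. The sum `stats->sz + pkt->data.twopass_stats.sz` is also formed before the call, so the overflow check inside av_realloc_f does not cover it. The case block continues past the end of the hunk.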
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/libx264.c
^
|
@@ -70,9 +70,14 @@
/* Write the SEI as part of the first frame. */
if (x4->sei_size > 0 && nnal > 0) {
+ if (x4->sei_size > size) {
+ av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
+ return -1;
+ }
memcpy(p, x4->sei, x4->sei_size);
p += x4->sei_size;
x4->sei_size = 0;
+ // why is x4->sei not freed?
}
for (i = 0; i < nnal; i++){
@@ -83,6 +88,11 @@
memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload);
continue;
}
+ if (nals[i].i_payload > (size - (p - buf))) {
+ // return only complete nals which fit in buf
+ av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
+ break;
+ }
memcpy(p, nals[i].p_payload, nals[i].i_payload);
p += nals[i].i_payload;
}
@@ -91,13 +101,14 @@
}
static int X264_frame(AVCodecContext *ctx, uint8_t *buf,
- int bufsize, void *data)
+ int orig_bufsize, void *data)
{
X264Context *x4 = ctx->priv_data;
AVFrame *frame = data;
x264_nal_t *nal;
int nnal, i;
x264_picture_t pic_out;
+ int bufsize;
x264_picture_init( &x4->pic );
x4->pic.img.i_csp = X264_CSP_I420;
@@ -128,6 +139,7 @@
}
do {
+ bufsize = orig_bufsize;
if (x264_encoder_encode(x4->enc, &nal, &nnal, frame? &x4->pic: NULL, &pic_out) < 0)
return -1;
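Review bot: In the NAL loop of the second hunk an oversized NAL is logged at error level and then the loop only `break`s, so the function goes on to return what was copied so far (the return is outside the hunk) and the caller receives a truncated access unit with no error code. The SEI branch in the first hunk handles the same condition with `return -1;`; using `return -1;` in the loop as well makes both paths fail closed. The added `// why is x4->sei not freed?` is a question rather than a comment; either release the buffer there or replace the line with a note saying where it is freed.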
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mlpdec.c
^
|
@@ -950,7 +950,12 @@
int32_t *data_32 = (int32_t*) data;
int16_t *data_16 = (int16_t*) data;
- if (*data_size < (s->max_channel + 1) * s->blockpos * (is32 ? 4 : 2))
+ if (m->avctx->channels != s->max_matrix_channel + 1) {
+ av_log(m->avctx, AV_LOG_ERROR, "channel count mismatch\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ if (*data_size < m->avctx->channels * s->blockpos * (is32 ? 4 : 2))
return -1;
for (i = 0; i < s->blockpos; i++) {
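Review bot: The output-size check kept below the new channel test still fails with a bare `return -1;` and no message, while the test added right above it logs and returns `AVERROR_INVALIDDATA`. Giving it the form the other decoders in this update use, `av_log(m->avctx, AV_LOG_ERROR, "Output buffer is too small\n");` followed by `return AVERROR(EINVAL);`, makes the two failures distinguishable for the caller. The function begins outside the hunk, so whether `*data_size` is reset on these paths cannot be seen here.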
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/motion_est.c
^
|
@@ -1040,7 +1040,7 @@
/* intra / predictive decision */
pix = c->src[0][0];
sum = s->dsp.pix_sum(pix, s->linesize);
- varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500;
+ varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500;
pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8;
@@ -1202,7 +1202,7 @@
if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){
intra_score= varc - 500;
}else{
- int mean= (sum+128)>>8;
+ unsigned mean = (sum+128)>>8;
mean*= 0x01010101;
for(i=0; i<16; i++){
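Review bot: Neither changed line says why the type moved, and the reason is easy to undo by accident: `(unsigned)(sum*sum)` multiplied in signed int and could overflow before the cast, whereas `(unsigned)sum*sum` multiplies in unsigned. A comment on the varc line such as `/* cast before multiplying: sum*sum may not fit in int */`, and `/* unsigned so the 0x01010101 replication cannot overflow int */` on `mean`, would protect both. The same cast change appears in mpegvideo_enc.c further down. Both enclosing functions lie outside the hunks.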
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/motionpixels.c
^
|
@@ -52,14 +52,16 @@
static av_cold int mp_decode_init(AVCodecContext *avctx)
{
MotionPixelsContext *mp = avctx->priv_data;
+ int w4 = (avctx->width + 3) & ~3;
+ int h4 = (avctx->height + 3) & ~3;
motionpixels_tableinit();
mp->avctx = avctx;
dsputil_init(&mp->dsp, avctx);
- mp->changes_map = av_mallocz(avctx->width * avctx->height);
+ mp->changes_map = av_mallocz(avctx->width * h4);
mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1;
mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel));
- mp->hpt = av_mallocz(avctx->height * avctx->width / 16 * sizeof(YuvPixel));
+ mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel));
avctx->pix_fmt = PIX_FMT_RGB555;
avcodec_get_frame_defaults(&mp->frame);
return 0;
@@ -253,6 +255,7 @@
mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4);
if (buf_size & 3)
memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3);
+ memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&gb, mp->bswapbuf, buf_size * 8);
memset(mp->changes_map, 0, avctx->width * avctx->height);
@@ -279,6 +282,8 @@
if (sz == 0)
goto end;
+ if (mp->max_codes_bits <= 0)
+ goto end;
if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0))
goto end;
mp_decode_frame_helper(mp, &gb);
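Review bot: mp_decode_init stores three av_mallocz() results and returns 0 without testing any of them, and the sizes are products of the stream's width and height. Adding `if (!mp->changes_map || !mp->vpt || !mp->hpt) return AVERROR(ENOMEM);` before `return 0;` turns a failed allocation into an init error instead of a NULL dereference on the first frame; this assumes the close callback frees whichever pointers were set, which is not shown. In the second hunk the per-frame `memset(mp->changes_map, 0, avctx->width * avctx->height)` still uses the unrounded height although the map is now `avctx->width * h4` bytes, so the extra rows are cleared only at allocation.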
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mpc7.c
^
|
@@ -197,12 +197,19 @@
int i, ch;
int mb = -1;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int bits_used, bits_avail;
memset(bands, 0, sizeof(bands));
if(buf_size <= 4){
av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
+ return AVERROR(EINVAL);
+ }
+
+ out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
}
bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
@@ -277,7 +284,7 @@
*data_size = 0;
return buf_size;
}
- *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ *data_size = out_size;
return buf_size;
}
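Review bot: The context line `memset(bands, 0, sizeof(bands));` in the first hunk clears only pointer-size bytes, because `bands` is declared two lines above as `Band *bands = c->bands;`, so most of the band state carries over from the previous frame. If `c->bands` is an array member (its declaration is outside the hunk), `memset(c->bands, 0, sizeof(c->bands));` clears all of it. The commit leaves this line untouched while adding the buffer checks next to it. The function continues on both sides of the hunk.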
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mpc8.c
^
|
@@ -127,6 +127,8 @@
skip_bits(&gb, 3);//sample rate
c->maxbands = get_bits(&gb, 5) + 1;
+ if (c->maxbands >= BANDS)
+ return AVERROR_INVALIDDATA;
channels = get_bits(&gb, 4) + 1;
if (channels > 2) {
av_log_missing_feature(avctx, "Multichannel MPC SV8", 1);
@@ -241,10 +243,16 @@
GetBitContext gb2, *gb = &gb2;
int i, j, k, ch, cnt, res, t;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int maxband, keyframe;
int last[2];
+ out_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
keyframe = c->cur_frame == 0;
if(keyframe){
@@ -260,6 +268,8 @@
maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2);
if(maxband > 32) maxband -= 33;
}
+ if(maxband > c->maxbands)
+ return AVERROR_INVALIDDATA;
c->last_max_band = maxband;
/* read subband indexes */
@@ -400,7 +410,7 @@
c->last_bits_used = get_bits_count(gb);
if(c->cur_frame >= c->frames)
c->cur_frame = 0;
- *data_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ *data_size = out_size;
return c->cur_frame ? c->last_bits_used >> 3 : buf_size;
}
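Review bot: Both new rejections, `c->maxbands >= BANDS` in the init hunk and `maxband > c->maxbands` in the decode hunk, return AVERROR_INVALIDDATA without a message, while the neighbouring checks log what was wrong. A line such as `av_log(avctx, AV_LOG_ERROR, "maxbands %d too large\n", c->maxbands);` makes a rejected stream diagnosable. The decode check also has no lower bound: `maxband` is `c->last_max_band` plus a VLC value, and if get_vlc2 can return a negative value for an invalid code (not visible here) a negative `maxband` would be stored in `last_max_band`; `if (maxband < 0 || maxband > c->maxbands)` closes that.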
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mpegaudiodec.c
^
|
@@ -1801,8 +1801,8 @@
avctx->bit_rate = s->bit_rate;
avctx->sub_id = s->layer;
- if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
- return -1;
+ if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT))
+ return AVERROR(EINVAL);
*data_size = 0;
if(s->frame_size<=0 || s->frame_size > buf_size){
@@ -1870,6 +1870,9 @@
avctx->bit_rate = s->bit_rate;
avctx->sub_id = s->layer;
+ if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT))
+ return AVERROR(EINVAL);
+
s->frame_size = len;
if (avctx->parse_only) {
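Review bot: The output bound in both hunks now depends on `avctx->frame_size` instead of the fixed worst case of 1152 samples, so it is only as good as frame_size is current for the frame about to be decoded; the assignment is not visible in either hunk. If frame_size can still hold the value from a previous header, or 0 before the first one, the check passes for a buffer that is too small. A comment naming where frame_size is refreshed would make that dependency explicit. Because the right-hand side is size_t, a negative `*data_size` also passes the comparison; `*data_size < 0 ||` in front of it removes that case.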
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mpegvideo.c
^
|
@@ -366,8 +366,8 @@
int i;
// edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
- FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
- s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21;
+ FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+ s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
//FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail)
@@ -2302,12 +2302,15 @@
edge_h= FFMIN(h, s->v_edge_pos - y);
- s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize,
- s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides);
- s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize,
- s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
- s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize,
- s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize,
+ s->linesize, s->h_edge_pos, edge_h,
+ EDGE_WIDTH, EDGE_WIDTH, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize,
+ s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift,
+ EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
+ s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize,
+ s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift,
+ EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides);
}
h= FFMIN(h, s->avctx->height - y);
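Review bot: The trailing comment on the edge_emu_buffer allocation still reads `(width + edge + align)*interlaced*MBsize*tolerance`, which accounts for four factors, while the expression now has five, `(s->width+64)*2*21*2*2`. Say in the comment what the added `*2` covers, so that the next change to the offset `(s->width+64)*2*21*2` on the following line keeps the two in step. The product is plain int arithmetic on `s->width`; whether the width is bounded before this point is not visible in the hunk.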
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mpegvideo.h
^
|
@@ -123,7 +123,7 @@
int pic_id; /**< h264 pic_num (short -> no wrap version of pic_num,
pic_num & max_pic_num; long -> long_pic_num) */
int long_ref; ///< 1->long term reference 0->short term reference
- int ref_poc[2][2][16]; ///< h264 POCs of the frames used as reference (FIXME need per slice)
+ int ref_poc[2][2][32]; ///< h264 POCs of the frames/fields used as reference (FIXME need per slice)
int ref_count[2][2]; ///< number of entries in ref_poc (FIXME need per slice)
int mbaff; ///< h264 1 -> MBAFF frame 0-> not MBAFF
int field_picture; ///< whether or not the picture was encoded in seperate fields
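Review bot: `ref_poc[2][2][32]` doubles the last dimension with a bare literal, and nothing in this header ties it to the code that fills the array or to `ref_count`. Every writer has to keep its index below 32, and those writers are outside this section. A named constant shared by the declaration and the writers, or at least a comment giving the reason for 32 (the updated text suggests fields as well as frames), would make the bound checkable in review.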
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/mpegvideo_enc.c
^
|
@@ -411,9 +411,10 @@
if ((s->codec_id == CODEC_ID_MPEG4 || s->codec_id == CODEC_ID_H263 ||
s->codec_id == CODEC_ID_H263P) &&
(avctx->sample_aspect_ratio.num > 255 || avctx->sample_aspect_ratio.den > 255)) {
- av_log(avctx, AV_LOG_ERROR, "Invalid pixel aspect ratio %i/%i, limit is 255/255\n",
+ av_log(avctx, AV_LOG_WARNING, "Invalid pixel aspect ratio %i/%i, limit is 255/255 reducing\n",
avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den);
- return -1;
+ av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den,
+ avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255);
}
if((s->flags & (CODEC_FLAG_INTERLACED_DCT|CODEC_FLAG_INTERLACED_ME|CODEC_FLAG_ALT_SCAN))
@@ -2006,7 +2007,7 @@
int varc;
int sum = s->dsp.pix_sum(pix, s->linesize);
- varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8;
+ varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8;
s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc;
s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
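Review bot: In the aspect-ratio hunk the warning is printed before av_reduce() runs and the return value of av_reduce() is ignored, so the log shows only the rejected ratio and never the one that is actually written to the stream. Logging after the call, with the reduced `num/den`, tells the user what the encoder used. The message text also runs two clauses together; `"Invalid pixel aspect ratio %i/%i, limit is 255/255, reducing\n"` reads as intended. The enclosing init function lies outside the hunk.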
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/ppc/asm.S
^
|
@@ -44,10 +44,13 @@
L(\name):
.endm
-.macro movrel rd, sym
+.macro movrel rd, sym, gp
ld \rd, \sym@got(r2)
.endm
+.macro get_got rd
+.endm
+
#else /* ARCH_PPC64 */
#define PTR .int
@@ -65,19 +68,25 @@
\name:
.endm
-.macro movrel rd, sym
+.macro movrel rd, sym, gp
#if CONFIG_PIC
- bcl 20, 31, lab_pic_\@
-lab_pic_\@:
- mflr \rd
- addis \rd, \rd, (\sym - lab_pic_\@)@ha
- addi \rd, \rd, (\sym - lab_pic_\@)@l
+ lwz \rd, \sym@got(\gp)
#else
lis \rd, \sym@ha
la \rd, \sym@l(\rd)
#endif
.endm
+.macro get_got rd
+#if CONFIG_PIC
+ bcl 20, 31, .Lgot\@
+.Lgot\@:
+ mflr \rd
+ addis \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@ha
+ addi \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@l
+#endif
+.endm
+
#endif /* ARCH_PPC64 */
#if HAVE_IBM_ASM
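Review bot: `movrel` now takes a third argument that must hold the GOT pointer produced by `get_got` on 32-bit PIC builds, but neither macro carries a comment saying so, and on PPC64 and non-PIC builds the argument is ignored and `get_got` expands to nothing. A caller that omits `get_got`, or reuses the register between `get_got` and the last `movrel`, still assembles and then loads through an unrelated base. A comment above each definition, e.g. `/* gp: register set by get_got; only used for 32-bit PIC */` and `/* get_got: clobbers LR */`, would document the contract.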
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/ppc/fft_altivec_s.S
^
|
@@ -353,6 +353,7 @@
mflr r0
stp r0, 2*PS(r1)
stpu r1, -(160+16*PS)(r1)
+ get_got r11
addi r6, r1, 16*PS
stvm r6, v20, v21, v22, v23, v24, v25, v26, v27, v28, v29
mfvrsave r0
@@ -360,14 +361,14 @@
li r6, 0xfffffffc
mtvrsave r6
- movrel r6, fft_data
+ movrel r6, fft_data, r11
lvm r6, v14, v15, v16, v17, v18, v19, v20, v21
lvm r6, v22, v23, v24, v25, v26, v27, v28, v29
li r9, 16
- movrel r12, X(ff_cos_tabs)
+ movrel r12, X(ff_cos_tabs), r11
- movrel r6, fft_dispatch_tab\interleave\()_altivec
+ movrel r6, fft_dispatch_tab\interleave\()_altivec, r11
lwz r3, 0(r3)
subi r3, r3, 2
slwi r3, r3, 2+ARCH_PPC64
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/pthread.c
^
|
@@ -332,6 +332,9 @@
dst->height = src->height;
dst->pix_fmt = src->pix_fmt;
+ dst->coded_width = src->coded_width;
+ dst->coded_height = src->coded_height;
+
dst->has_b_frames = src->has_b_frames;
dst->idct_algo = src->idct_algo;
dst->slice_count = src->slice_count;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/ptx.c
^
|
@@ -39,12 +39,15 @@
static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
PTXContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
unsigned int offset, w, h, y, stride, bytes_per_pixel;
uint8_t *ptr;
+ if (buf_end - buf < 14)
+ return AVERROR_INVALIDDATA;
offset = AV_RL16(buf);
w = AV_RL16(buf+8);
h = AV_RL16(buf+10);
@@ -57,6 +60,9 @@
avctx->pix_fmt = PIX_FMT_RGB555;
+
+ if (buf_end - buf < offset)
+ return AVERROR_INVALIDDATA;
if (offset != 0x2c)
av_log_ask_for_sample(avctx, "offset != 0x2c\n");
@@ -80,6 +86,8 @@
stride = p->linesize[0];
for (y=0; y<h; y++) {
+ if (buf_end - buf < w * bytes_per_pixel)
+ break;
#if HAVE_BIGENDIAN
unsigned int x;
for (x=0; x<w*bytes_per_pixel; x+=bytes_per_pixel)
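Review bot: When a row would run past the packet, the check added in the third hunk only `break`s, so the function carries on and, as far as the hunk shows, returns the picture with the remaining rows never written. Those rows then hold whatever the frame buffer contained before, which for a reused buffer is earlier image data. Returning `AVERROR_INVALIDDATA` as the two header checks do, or at least adding `av_log(avctx, AV_LOG_WARNING, "packet too short, picture truncated\n");` before the `break`, makes the truncation visible. The loop body continues outside the hunk.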
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/put_bits.h
^
|
@@ -100,7 +100,8 @@
align_put_bits(s);
#else
#ifndef BITSTREAM_WRITER_LE
- s->bit_buf<<= s->bit_left;
+ if (s->bit_left < 32)
+ s->bit_buf<<= s->bit_left;
#endif
while (s->bit_left < 32) {
/* XXX: should test end of buffer */
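Review bot: The new guard has no comment, and its reason is not obvious from the line: with `bit_left == 32` the old code shifted `bit_buf` by its full width (assuming it is a 32-bit value), which C leaves undefined. `/* a shift by 32 is undefined; nothing to flush in that case */` above the `if` would keep it from being simplified away later. The context line `/* XXX: should test end of buffer */` remains true after this change: in the part visible here the flush loop writes without a bound check.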
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/qcelpdec.c
^
|
@@ -738,11 +738,17 @@
int buf_size = avpkt->size;
QCELPContext *q = avctx->priv_data;
float *outbuffer = data;
- int i;
+ int i, out_size;
float quantized_lspf[10], lpc[10];
float gain[16];
float *formant_mem;
+ out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q)
{
warn_insufficient_frame_quality(avctx, "bitrate cannot be determined.");
@@ -837,7 +843,7 @@
memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf));
q->prev_bitrate = q->bitrate;
- *data_size = 160 * sizeof(*outbuffer);
+ *data_size = out_size;
return buf_size;
}
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/qdm2.c
^
|
@@ -1353,6 +1353,8 @@
return;
local_int_14 = (offset >> local_int_8);
+ if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table))
+ return;
if (q->nb_channels > 1) {
channel = get_bits1(gb);
@@ -1797,6 +1799,8 @@
avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata);
extradata += 4;
+ if (s->channels > MPA_MAX_CHANNELS)
+ return AVERROR_INVALIDDATA;
avctx->sample_rate = AV_RB32(extradata);
extradata += 4;
@@ -1818,6 +1822,8 @@
// something like max decodable tones
s->group_order = av_log2(s->group_size) + 1;
s->frame_size = s->group_size / 16; // 16 iterations per super block
+ if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2)
+ return AVERROR_INVALIDDATA;
s->sub_sampling = s->fft_order - 7;
s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
@@ -1952,13 +1958,20 @@
int buf_size = avpkt->size;
QDM2Context *s = avctx->priv_data;
int16_t *out = data;
- int i;
+ int i, out_size;
if(!buf)
return 0;
if(buf_size < s->checksum_size)
return -1;
+ out_size = 16 * s->channels * s->frame_size *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
buf_size, buf, s->checksum_size, data, *data_size);
@@ -1968,7 +1981,7 @@
out += s->channels * s->frame_size;
}
- *data_size = (uint8_t*)out - (uint8_t*)data;
+ *data_size = out_size;
return s->checksum_size;
}
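Review bot: The channel test added in the init hunk has only an upper bound: `s->channels` is assigned from `AV_RB32(extradata)`, so if the field is a signed int a value with the top bit set becomes negative, and 0 also passes `s->channels > MPA_MAX_CHANNELS`. The size check added to the decode hunk then computes `out_size = 16 * s->channels * s->frame_size * ...` as zero or negative and never rejects the buffer. `if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) return AVERROR_INVALIDDATA;` closes both cases. The field types are declared outside the hunks.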
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/qdrw.c
^
|
@@ -37,6 +37,7 @@
AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size;
QdrawContext * const a = avctx->priv_data;
AVFrame * const p= (AVFrame*)&a->pic;
@@ -59,6 +60,8 @@
outdata = a->pic.data[0];
+ if (buf_end - buf < 0x68 + 4)
+ return AVERROR_INVALIDDATA;
buf += 0x68; /* jump to palette */
colors = AV_RB32(buf);
buf += 4;
@@ -67,6 +70,8 @@
av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors);
return -1;
}
+ if (buf_end - buf < (colors + 1) * 8)
+ return AVERROR_INVALIDDATA;
pal = (uint32_t*)p->data[1];
for (i = 0; i <= colors; i++) {
@@ -89,6 +94,8 @@
}
p->palette_has_changed = 1;
+ if (buf_end - buf < 18)
+ return AVERROR_INVALIDDATA;
buf += 18; /* skip unneeded data */
for (i = 0; i < avctx->height; i++) {
int size, left, code, pix;
@@ -100,6 +107,9 @@
out = outdata;
size = AV_RB16(buf); /* size of packed line */
buf += 2;
+ if (buf_end - buf < size)
+ return AVERROR_INVALIDDATA;
+
left = size;
next = buf + size;
while (left > 0) {
@@ -115,6 +125,8 @@
} else { /* copy */
if ((out + code) > (outdata + a->pic.linesize[0]))
break;
+ if (buf_end - buf < code + 1)
+ return AVERROR_INVALIDDATA;
memcpy(out, buf, code + 1);
out += code + 1;
buf += code + 1;
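Review bot: In the copy branch of the last hunk the output bound and the copy length disagree by one: the context check is `(out + code) > (outdata + a->pic.linesize[0])`, but the memcpy that follows writes `code + 1` bytes, so a run ending exactly at the row limit passes the check and writes one byte beyond it. The input side was fixed with `code + 1`; the output check should use the same length, `if ((out + code + 1) > (outdata + a->pic.linesize[0])) break;`. The read `size = AV_RB16(buf)` at the top of each row is likewise not preceded by a two-byte availability check. The function extends beyond the hunks.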
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/qtrle.c
^
|
@@ -127,6 +127,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -183,6 +184,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -236,6 +238,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -285,6 +288,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -336,6 +340,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -464,6 +469,8 @@
stream_ptr += 4;
height = AV_RB16(&s->buf[stream_ptr]);
stream_ptr += 4;
+ if (height > s->avctx->height - start_line)
+ goto done;
} else {
start_line = 0;
height = s->avctx->height;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/resample.c
^
|
@@ -326,9 +326,9 @@
if (s->sample_fmt[1] != AV_SAMPLE_FMT_S16) {
output_bak = output;
- if (!s->buffer_size[1] || s->buffer_size[1] < lenout) {
+ if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) {
av_free(s->buffer[1]);
- s->buffer_size[1] = lenout;
+ s->buffer_size[1] = 2*lenout;
s->buffer[1] = av_malloc(s->buffer_size[1]);
if (!s->buffer[1]) {
av_log(s->resample_context, AV_LOG_ERROR, "Could not allocate buffer\n");
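Review bot: The failure branch at the end of the hunk is reached with `s->buffer_size[1]` already set to `2*lenout` and `s->buffer[1]` NULL, because the size is assigned before av_malloc() is called. Unless the code after the av_log (outside the hunk) resets it, the next call with the same lenout skips this block and uses the NULL buffer. Assign the size only after the allocation succeeded, or add `s->buffer_size[1] = 0;` in the failure branch. The factor 2 is unexplained; a comment naming what it stands for would let a reader verify it.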
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/resample2.c
^
|
@@ -207,8 +207,10 @@
memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM));
c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1];
- c->src_incr= out_rate;
- c->ideal_dst_incr= c->dst_incr= in_rate * phase_count;
+ if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2))
+ goto error;
+ c->ideal_dst_incr= c->dst_incr;
+
c->index= -phase_count*((c->filter_length-1)/2);
return c;
@@ -246,10 +248,9 @@
dst[dst_index] = src[index2>>32];
index2 += incr;
}
- frac += dst_index * dst_incr_frac;
index += dst_index * dst_incr;
- index += frac / c->src_incr;
- frac %= c->src_incr;
+ index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr;
+ frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr;
}else{
for(dst_index=0; dst_index < dst_size; dst_index++){
FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask);
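Review bot: The second hunk widens the `frac` arithmetic to int64_t but leaves `index += dst_index * dst_incr;` on the line between as it was, so if both operands are int (their declarations are outside the hunk) that product can still wrap for the same inputs. `index += dst_index * (int64_t)dst_incr;` treats it the same way as the lines around it. The widened expression is also written out twice; a local `int64_t f = frac + dst_index * (int64_t)dst_incr_frac;` followed by `index += f / c->src_incr;` and `frac = f % c->src_incr;` keeps the two copies from drifting apart.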
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/shorten.c
^
|
@@ -113,6 +113,7 @@
{
int i, chan;
int *coeffs;
+ void *tmp_ptr;
for (chan=0; chan<s->channels; chan++) {
if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
@@ -124,9 +125,15 @@
return -1;
}
- s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
-
- s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->offset[chan] = tmp_ptr;
+
+ tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->decoded[chan] = tmp_ptr;
for (i=0; i<s->nwrap; i++)
s->decoded[chan][i] = 0;
s->decoded[chan] += s->nwrap;
@@ -155,7 +162,7 @@
if (s->bitshift != 0)
for (i = 0; i < s->blocksize; i++)
- buffer[s->nwrap + i] <<= s->bitshift;
+ buffer[i] <<= s->bitshift;
}
@@ -284,8 +291,15 @@
int i, input_buf_size = 0;
int16_t *samples = data;
if(s->max_framesize == 0){
+ void *tmp_ptr;
s->max_framesize= 1024; // should hopefully be enough for the first header
- s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize);
+ tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
+ s->max_framesize);
+ if (!tmp_ptr) {
+ av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
+ return AVERROR(ENOMEM);
+ }
+ s->bitstream = tmp_ptr;
}
if(1 && s->max_framesize){//FIXME truncated
@@ -467,6 +481,12 @@
s->cur_chan++;
if (s->cur_chan == s->channels) {
+ int out_size = s->blocksize * s->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded);
s->cur_chan = 0;
goto frame_done;
@@ -483,9 +503,15 @@
case FN_BITSHIFT:
s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
break;
- case FN_BLOCKSIZE:
- s->blocksize = get_uint(s, av_log2(s->blocksize));
+ case FN_BLOCKSIZE: {
+ int blocksize = get_uint(s, av_log2(s->blocksize));
+ if (blocksize > s->blocksize) {
+ av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+ s->blocksize = blocksize;
break;
+ }
case FN_QUIT:
*data_size = 0;
return buf_size;
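Review bot: The function patched in the second hunk passes `s->decoded[chan]` to av_realloc() and a few lines later advances the same pointer with `s->decoded[chan] += s->nwrap;`, so on any second call realloc receives a pointer that is no longer the start of the allocation. Whether it can run twice for one context is not visible here; the new rejection of a growing block size in the last hunk suggests the buffers are not meant to be resized. Keeping the allocation base in its own per-channel field and deriving `decoded[chan]` from it, with close freeing the base, removes the hazard. The new tmp_ptr checks return ENOMEM without releasing channels already allocated, which is fine only if close frees them.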
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/sipr.c
^
|
@@ -194,14 +194,16 @@
{
int i, j;
- parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits);
+ if (p->ma_predictor_bits)
+ parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits);
for (i = 0; i < 5; i++)
parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]);
for (i = 0; i < p->subframe_count; i++) {
parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]);
- parms->gp_index[i] = get_bits(pgb, p->gp_index_bits);
+ if (p->gp_index_bits)
+ parms->gp_index[i] = get_bits(pgb, p->gp_index_bits);
for (j = 0; j < p->number_of_fc_indexes; j++)
parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]);
@@ -509,7 +511,7 @@
GetBitContext gb;
float *data = datap;
int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE;
- int i;
+ int i, out_size;
ctx->avctx = avctx;
if (avpkt->size < (mode_par->bits_per_frame >> 3)) {
@@ -520,7 +522,11 @@
*data_size = 0;
return -1;
}
- if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) {
+
+ out_size = mode_par->frames_per_packet * subframe_size *
+ mode_par->subframe_count *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
av_log(avctx, AV_LOG_ERROR,
"Error processing packet: output buffer (%d) too small\n",
*data_size);
@@ -542,8 +548,7 @@
data += subframe_size * mode_par->subframe_count;
}
- *data_size = mode_par->frames_per_packet * subframe_size *
- mode_par->subframe_count * sizeof(float);
+ *data_size = out_size;
return mode_par->bits_per_frame >> 3;
}
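Review bot: With the new guards in the first hunk, `parms->ma_pred_switch` and `parms->gp_index[i]` are simply not assigned when their bit widths are 0, so they keep whatever the structure held before: a previous frame's value or uninitialised memory, depending on how the caller sets up `parms` (not visible here). Adding `else parms->ma_pred_switch = 0;` and `else parms->gp_index[i] = 0;` gives the fields a defined value on that path. The function starts outside the hunk.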
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/smacker.c
^
|
@@ -560,6 +560,10 @@
static av_cold int smka_decode_init(AVCodecContext *avctx)
{
+ if (avctx->channels < 1 || avctx->channels > 2) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n");
+ return AVERROR(EINVAL);
+ }
avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16;
return 0;
@@ -583,6 +587,11 @@
int bits, stereo;
int pred[2] = {0, 0};
+ if (buf_size <= 4) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
unp_size = AV_RL32(buf);
init_get_bits(&gb, buf + 4, (buf_size - 4) * 8);
@@ -598,6 +607,14 @@
av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
return -1;
}
+ if (stereo ^ (avctx->channels != 1)) {
+ av_log(avctx, AV_LOG_ERROR, "channels mismatch\n");
+ return AVERROR(EINVAL);
+ }
+ if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) {
+ av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n");
+ return AVERROR(EINVAL);
+ }
memset(vlc, 0, sizeof(VLC) * 4);
memset(h, 0, sizeof(HuffContext) * 4);
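Review bot: `if (stereo ^ (avctx->channels != 1))` in the last hunk is correct only while `stereo` is exactly 0 or 1; its assignment is outside the hunk, and for any other non-zero value the XOR is non-zero for a valid stereo stream too. `if (!!stereo != (avctx->channels == 2))` states the same test without that dependency, given that init now restricts channels to 1 or 2. The companion test covers one direction only: 16-bit data in a U8 stream is rejected, 8-bit data in an S16 stream is not, which may be intended but deserves a comment. These packet-content failures return `AVERROR(EINVAL)`, whereas other decoders in this update use `AVERROR_INVALIDDATA` for malformed input.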
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/snow.c
^
|
@@ -1917,8 +1917,6 @@
static void halfpel_interpol(SnowContext *s, uint8_t *halfpel[4][4], AVFrame *frame){
int p,x,y;
- assert(!(s->avctx->flags & CODEC_FLAG_EMU_EDGE));
-
for(p=0; p<3; p++){
int is_chroma= !!p;
int w= s->avctx->width >>is_chroma;
@@ -1975,7 +1973,7 @@
int w= s->avctx->width; //FIXME round up to x16 ?
int h= s->avctx->height;
- if(s->current_picture.data[0]){
+ if(s->current_picture.data[0] && !(s->avctx->flags&CODEC_FLAG_EMU_EDGE)){
s->dsp.draw_edges(s->current_picture.data[0],
s->current_picture.linesize[0], w , h ,
EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM);
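Review bot: The assert removed from halfpel_interpol was the only statement of what that function expects from CODEC_FLAG_EMU_EDGE, and the second hunk now skips draw_edges() exactly when the flag is set. Nothing in the diff says why halfpel_interpol is safe on a picture without drawn edges; if it reads beyond the visible area (most of its body is outside the hunk) its result with EMU_EDGE would depend on unpadded memory. A comment at the top of halfpel_interpol stating what it now assumes about the borders would settle the question for the next reader.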
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/sunrast.c
^
|
@@ -46,6 +46,7 @@
static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
int *data_size, AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
SUNRASTContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
@@ -53,6 +54,9 @@
uint8_t *ptr;
const uint8_t *bufstart = buf;
+ if (avpkt->size < 32)
+ return AVERROR_INVALIDDATA;
+
if (AV_RB32(buf) != 0x59a66a95) {
av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n");
return -1;
@@ -64,13 +68,14 @@
type = AV_RB32(buf+20);
maptype = AV_RB32(buf+24);
maplength = AV_RB32(buf+28);
+ buf += 32;
- if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
- av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
+ if (type < RT_OLD || type > RT_FORMAT_IFF) {
+ av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
return -1;
}
- if (type > RT_FORMAT_IFF) {
- av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
+ if (av_image_check_size(w, h, 0, avctx)) {
+ av_log(avctx, AV_LOG_ERROR, "invalid image size\n");
return -1;
}
if (maptype & ~1) {
@@ -78,7 +83,10 @@
return -1;
}
- buf += 32;
+ if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
+ av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
+ return -1;
+ }
switch (depth) {
case 1:
@@ -98,8 +106,6 @@
if (p->data[0])
avctx->release_buffer(avctx, p);
- if (av_image_check_size(w, h, 0, avctx))
- return -1;
if (w != avctx->width || h != avctx->height)
avcodec_set_dimensions(avctx, w, h);
if (avctx->get_buffer(avctx, p) < 0) {
@@ -109,6 +115,9 @@
p->pict_type = AV_PICTURE_TYPE_I;
+ if (buf_end - buf < maplength)
+ return AVERROR_INVALIDDATA;
+
if (depth != 8 && maplength) {
av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n");
@@ -143,8 +152,11 @@
uint8_t *end = ptr + h*stride;
x = 0;
- while (ptr != end) {
+ while (ptr != end && buf < buf_end) {
run = 1;
+ if (buf_end - buf < 1)
+ return AVERROR_INVALIDDATA;
+
if ((value = *buf++) == 0x80) {
run = *buf++ + 1;
if (run != 1)
@@ -163,6 +175,8 @@
}
} else {
for (y=0; y<h; y++) {
+ if (buf_end - buf < len)
+ break;
memcpy(ptr, buf, len);
ptr += stride;
buf += alen;
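Review bot: In the RLE loop the added `buf_end - buf < 1` test repeats the loop condition `buf < buf_end` and covers only the first byte of each code. The escape branch then reads `run = *buf++ + 1` and, judging by the `if (run != 1)` that ends the hunk, a further value byte, with no availability check, so the last code of a short packet can be read past buf_end. Put the test inside the branch instead: `if (buf_end - buf < 1) return AVERROR_INVALIDDATA;` before each of those two reads. The rest of the branch is outside the hunk.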
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/svq3.c
^
|
@@ -612,7 +612,7 @@
dir = i_mb_type_info[mb_type - 8].pred_mode;
dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;
- if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){
+ if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){
av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
return -1;
}
@@ -711,7 +711,7 @@
s->current_picture.mb_type[mb_xy] = mb_type;
if (IS_INTRA(mb_type)) {
- h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8);
+ h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8);
}
return 0;
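Review bot: The second hunk assigns the result of ff_h264_check_intra_chroma_pred_mode() to `h->chroma_pred_mode` and returns 0 without testing it, whereas the first hunk treats -1 from the 16x16 variant as an error. If the chroma variant can also return -1 (its definition is not in this section), the invalid mode is stored and used later; `if (h->chroma_pred_mode < 0) return -1;` after the assignment matches the first hunk. The log text `"check_intra_pred_mode = -1\n"` in the first hunk still names the old function.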
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/tiertexseqv.c
^
|
@@ -35,15 +35,19 @@
} SeqVideoContext;
-static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsigned char *dst, int dst_size)
+static const unsigned char *seq_unpack_rle_block(const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst, int dst_size)
{
int i, len, sz;
GetBitContext gb;
int code_table[64];
- /* get the rle codes (at most 64 bytes) */
- init_get_bits(&gb, src, 64 * 8);
+ /* get the rle codes */
+ init_get_bits(&gb, src, (src_end - src) * 8);
for (i = 0, sz = 0; i < 64 && sz < dst_size; i++) {
+ if (get_bits_left(&gb) < 4)
+ return NULL;
code_table[i] = get_sbits(&gb, 4);
sz += FFABS(code_table[i]);
}
@@ -54,8 +58,12 @@
len = code_table[i];
if (len < 0) {
len = -len;
+ if (src_end - src < 1)
+ return NULL;
memset(dst, *src++, FFMIN(len, dst_size));
} else {
+ if (src_end - src < len)
+ return NULL;
memcpy(dst, src, FFMIN(len, dst_size));
src += len;
}
@@ -65,25 +73,30 @@
return src;
}
-static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst)
+static const unsigned char *seq_decode_op1(SeqVideoContext *seq,
+ const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst)
{
const unsigned char *color_table;
int b, i, len, bits;
GetBitContext gb;
unsigned char block[8 * 8];
+ if (src_end - src < 1)
+ return NULL;
len = *src++;
if (len & 0x80) {
switch (len & 3) {
case 1:
- src = seq_unpack_rle_block(src, block, sizeof(block));
+ src = seq_unpack_rle_block(src, src_end, block, sizeof(block));
for (b = 0; b < 8; b++) {
memcpy(dst, &block[b * 8], 8);
dst += seq->frame.linesize[0];
}
break;
case 2:
- src = seq_unpack_rle_block(src, block, sizeof(block));
+ src = seq_unpack_rle_block(src, src_end, block, sizeof(block));
for (i = 0; i < 8; i++) {
for (b = 0; b < 8; b++)
dst[b * seq->frame.linesize[0]] = block[i * 8 + b];
@@ -92,9 +105,13 @@
break;
}
} else {
+ if (len <= 0)
+ return NULL;
+ bits = ff_log2_tab[len - 1] + 1;
+ if (src_end - src < len + 8 * bits)
+ return NULL;
color_table = src;
src += len;
- bits = ff_log2_tab[len - 1] + 1;
init_get_bits(&gb, src, bits * 8 * 8); src += bits * 8;
for (b = 0; b < 8; b++) {
for (i = 0; i < 8; i++)
@@ -106,10 +123,16 @@
return src;
}
-static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst)
+static const unsigned char *seq_decode_op2(SeqVideoContext *seq,
+ const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst)
{
int i;
+ if (src_end - src < 8 * 8)
+ return NULL;
+
for (i = 0; i < 8; i++) {
memcpy(dst, src, 8);
src += 8;
@@ -119,11 +142,16 @@
return src;
}
-static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst)
+static const unsigned char *seq_decode_op3(SeqVideoContext *seq,
+ const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst)
{
int pos, offset;
do {
+ if (src_end - src < 2)
+ return NULL;
pos = *src++;
offset = ((pos >> 3) & 7) * seq->frame.linesize[0] + (pos & 7);
dst[offset] = *src++;
@@ -132,8 +160,9 @@
return src;
}
-static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size)
+static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size)
{
+ const unsigned char *data_end = data + data_size;
GetBitContext gb;
int flags, i, j, x, y, op;
unsigned char c[3];
@@ -144,6 +173,8 @@
if (flags & 1) {
palette = (uint32_t *)seq->frame.data[1];
+ if (data_end - data < 256 * 3)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < 256; i++) {
for (j = 0; j < 3; j++, data++)
c[j] = (*data << 2) | (*data >> 4);
@@ -153,6 +184,8 @@
}
if (flags & 2) {
+ if (data_end - data < 128)
+ return AVERROR_INVALIDDATA;
init_get_bits(&gb, data, 128 * 8); data += 128;
for (y = 0; y < 128; y += 8)
for (x = 0; x < 256; x += 8) {
@@ -160,17 +193,20 @@
op = get_bits(&gb, 2);
switch (op) {
case 1:
- data = seq_decode_op1(seq, data, dst);
+ data = seq_decode_op1(seq, data, data_end, dst);
break;
case 2:
- data = seq_decode_op2(seq, data, dst);
+ data = seq_decode_op2(seq, data, data_end, dst);
break;
case 3:
- data = seq_decode_op3(seq, data, dst);
+ data = seq_decode_op3(seq, data, data_end, dst);
break;
}
+ if (!data)
+ return AVERROR_INVALIDDATA;
}
}
+ return 0;
}
static av_cold int seqvideo_decode_init(AVCodecContext *avctx)
@@ -202,7 +238,8 @@
return -1;
}
- seqvideo_decode(seq, buf, buf_size);
+ if (seqvideo_decode(seq, buf, buf_size))
+ return AVERROR_INVALIDDATA;
*data_size = sizeof(AVFrame);
*(AVFrame *)data = seq->frame;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/tiff.c
@@ -170,6 +170,8 @@
}
switch(s->compr){
case TIFF_RAW:
+ if (ssrc + size - src < width)
+ return AVERROR_INVALIDDATA;
if (!s->fill_order) {
memcpy(dst, src, width);
} else {
@@ -277,6 +279,8 @@
uint32_t *pal;
const uint8_t *rp, *gp, *bp;
+ if (end_buf - buf < 12)
+ return -1;
tag = tget_short(&buf, s->le);
type = tget_short(&buf, s->le);
count = tget_long(&buf, s->le);
@@ -336,7 +340,7 @@
case TIFF_SHORT:
case TIFF_LONG:
s->bpp = 0;
- for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le);
+ for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le);
break;
default:
s->bpp = -1;
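Review bot: The new loop guard `buf < end_buf` only proves that one byte is left, while this branch handles `TIFF_SHORT` and `TIFF_LONG`, for which tget() presumably reads two or four bytes. A tag placed at the very end of the packet can therefore still be read a few bytes past `end_buf`. Comparing against the element size closes that gap, e.g. `for (i = 0; i < count && end_buf - buf >= type_sizes[type]; i++)`, using the `type_sizes` table the TIFF_PAL hunk already relies on. The same one-byte test appears in the strip loop hunk further down (`s->stripsizes >= end_buf` and `s->stripdata >= end_buf`) and would benefit from the same treatment with `s->sstype` and `s->sot`.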
@@ -450,6 +454,8 @@
case TIFF_PAL:
pal = (uint32_t *) s->palette;
off = type_sizes[type];
+ if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3)
+ return -1;
rp = buf;
gp = buf + count / 3 * off;
bp = buf + count / 3 * off * 2;
@@ -493,12 +499,16 @@
AVFrame *picture = data;
AVFrame * const p= (AVFrame*)&s->picture;
const uint8_t *orig_buf = buf, *end_buf = buf + buf_size;
- int id, le, off, ret;
+ unsigned off;
+ int id, le, ret;
int i, j, entries;
- int stride, soff, ssize;
+ int stride;
+ unsigned soff, ssize;
uint8_t *dst;
//parse image header
+ if (end_buf - buf < 8)
+ return AVERROR_INVALIDDATA;
id = AV_RL16(buf); buf += 2;
if(id == 0x4949) le = 1;
else if(id == 0x4D4D) le = 0;
@@ -518,9 +528,9 @@
}
/* parse image file directory */
off = tget_long(&buf, le);
- if(orig_buf + off + 14 >= end_buf){
+ if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
buf = orig_buf + off;
entries = tget_short(&buf, le);
@@ -544,23 +554,23 @@
stride = p->linesize[0];
dst = p->data[0];
for(i = 0; i < s->height; i += s->rps){
- if(s->stripsizes)
+ if(s->stripsizes) {
+ if (s->stripsizes >= end_buf)
+ return AVERROR_INVALIDDATA;
ssize = tget(&s->stripsizes, s->sstype, s->le);
- else
+ } else
ssize = s->stripsize;
- if (ssize > buf_size) {
- av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
- return -1;
- }
-
if(s->stripdata){
+ if (s->stripdata >= end_buf)
+ return AVERROR_INVALIDDATA;
soff = tget(&s->stripdata, s->sot, s->le);
}else
soff = s->stripoff;
- if (soff < 0) {
- av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff);
- return AVERROR(EINVAL);
+
+ if (soff > buf_size || ssize > buf_size - soff) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n");
+ return -1;
}
if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
break;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/tiffenc.c
@@ -42,6 +42,7 @@
};
typedef struct TiffEncoderContext {
+ AVClass *avclass;
AVCodecContext *avctx;
AVFrame picture;
@@ -216,6 +217,7 @@
uint8_t *yuv_line = NULL;
int shift_h, shift_v;
+ s->avctx = avctx;
s->buf_start = buf;
s->buf = &ptr;
s->buf_size = buf_size;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/truespeech.c
@@ -56,6 +56,11 @@
{
// TSContext *c = avctx->priv_data;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Unsupported channel count: %d\n", avctx->channels);
+ return AVERROR(EINVAL);
+ }
+
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
return 0;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/twinvq.c
@@ -822,7 +822,7 @@
const ModeTab *mtab = tctx->mtab;
float *out = data;
enum FrameType ftype;
- int window_type;
+ int window_type, out_size;
static const enum FrameType wtype_to_ftype_table[] = {
FT_LONG, FT_LONG, FT_SHORT, FT_LONG,
FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM
@@ -835,6 +835,13 @@
return buf_size;
}
+ out_size = mtab->size * avctx->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
init_get_bits(&gb, buf, buf_size * 8);
skip_bits(&gb, get_bits(&gb, 8));
window_type = get_bits(&gb, WINDOW_TYPE_BITS);
@@ -857,7 +864,7 @@
return buf_size;
}
- *data_size = mtab->size*avctx->channels*4;
+ *data_size = out_size;
return buf_size;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/txd.c
@@ -23,6 +23,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/imgutils.h"
+#include "bytestream.h"
#include "avcodec.h"
#include "s3tc.h"
@@ -42,6 +43,7 @@
static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
TXDContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
@@ -52,6 +54,8 @@
const uint32_t *palette = (const uint32_t *)(cur + 88);
uint32_t *pal;
+ if (buf_end - cur < 92)
+ return AVERROR_INVALIDDATA;
version = AV_RL32(cur);
d3d_format = AV_RL32(cur+76);
w = AV_RL16(cur+80);
@@ -69,6 +73,8 @@
if (depth == 8) {
avctx->pix_fmt = PIX_FMT_PAL8;
+ if (buf_end - cur < 1024)
+ return AVERROR_INVALIDDATA;
cur += 1024;
} else if (depth == 16 || depth == 32)
avctx->pix_fmt = PIX_FMT_RGB32;
@@ -100,6 +106,8 @@
v = AV_RB32(palette+y);
pal[y] = (v>>8) + (v<<24);
}
+ if (buf_end - cur < w * h)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w);
ptr += stride;
@@ -110,9 +118,13 @@
case 0:
if (!flags&1) goto unsupported;
case FF_S3TC_DXT1:
+ if (buf_end - cur < (w/4) * (h/4) * 8)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt1(cur, ptr, w, h, stride);
break;
case FF_S3TC_DXT3:
+ if (buf_end - cur < (w/4) * (h/4) * 16)
+ return AVERROR_INVALIDDATA;
ff_decode_dxt3(cur, ptr, w, h, stride);
break;
default:
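Review bot: The context line `if (!flags&1) goto unsupported;` directly above the new DXT1 bound check parses as `(!flags) & 1`, so it only rejects `flags == 0` rather than testing bit 0. Any non-zero `flags` value falls through into the `FF_S3TC_DXT1` path. The added size check keeps that path inside the packet, but the format decision is still not what the line appears to intend; `if (!(flags & 1)) goto unsupported;` states it unambiguously. A `/* fall through */` comment before `case FF_S3TC_DXT1:` would also make the missing `break` visibly deliberate.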
@@ -122,6 +134,8 @@
switch (d3d_format) {
case 0x15:
case 0x16:
+ if (buf_end - cur < h * w * 4)
+ return AVERROR_INVALIDDATA;
for (y=0; y<h; y++) {
memcpy(ptr, cur, w*4);
ptr += stride;
@@ -133,8 +147,12 @@
}
}
- for (; mipmap_count > 1; mipmap_count--)
- cur += AV_RL32(cur) + 4;
+ for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
+ uint32_t length = bytestream_get_le32(&cur);
+ if (buf_end - cur < length)
+ break;
+ cur += length;
+ }
*picture = s->picture;
*data_size = sizeof(AVPicture);
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/utils.c
@@ -785,6 +785,11 @@
avctx->pkt = avpkt;
+ if (!avpkt->data && avpkt->size) {
+ av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n");
+ return AVERROR(EINVAL);
+ }
+
if((avctx->codec->capabilities & CODEC_CAP_DELAY) || avpkt->size){
//FIXME remove the check below _after_ ensuring that all audio check that the available space is enough
if(*frame_size_ptr < AVCODEC_MAX_AUDIO_FRAME_SIZE){
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vaapi_vc1.c
@@ -116,6 +116,18 @@
return 0;
}
+/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */
+static inline int vc1_get_TTFRM(VC1Context *v)
+{
+ switch (v->ttfrm) {
+ case TT_8X8: return 0;
+ case TT_8X4: return 1;
+ case TT_4X8: return 2;
+ case TT_4X4: return 3;
+ }
+ return 0;
+}
+
/** Pack FFmpeg bitplanes into a VABitPlaneBuffer element */
static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride)
{
@@ -239,7 +251,7 @@
pic_param->transform_fields.value = 0; /* reset all bits */
pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform;
pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf;
- pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm;
+ pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v);
pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index;
pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index;
pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vmdav.c
@@ -72,9 +72,11 @@
#define QUEUE_SIZE 0x1000
#define QUEUE_MASK 0x0FFF
-static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len)
+static void lz_unpack(const unsigned char *src, int src_len,
+ unsigned char *dest, int dest_len)
{
const unsigned char *s;
+ const unsigned char *s_end;
unsigned char *d;
unsigned char *d_end;
unsigned char queue[QUEUE_SIZE];
@@ -87,8 +89,12 @@
unsigned int i, j;
s = src;
+ s_end = src + src_len;
d = dest;
d_end = d + dest_len;
+
+ if (s_end - s < 8)
+ return;
dataleft = AV_RL32(s);
s += 4;
memset(queue, 0x20, QUEUE_SIZE);
@@ -101,10 +107,10 @@
speclen = 100; /* no speclen */
}
- while (dataleft > 0) {
+ while (s_end - s > 0 && dataleft > 0) {
tag = *s++;
if ((tag == 0xFF) && (dataleft > 8)) {
- if (d + 8 > d_end)
+ if (d_end - d < 8 || s_end - s < 8)
return;
for (i = 0; i < 8; i++) {
queue[qpos++] = *d++ = *s++;
@@ -116,18 +122,23 @@
if (dataleft == 0)
break;
if (tag & 0x01) {
- if (d + 1 > d_end)
+ if (d_end - d < 1 || s_end - s < 1)
return;
queue[qpos++] = *d++ = *s++;
qpos &= QUEUE_MASK;
dataleft--;
} else {
+ if (s_end - s < 2)
+ return;
chainofs = *s++;
chainofs |= ((*s & 0xF0) << 4);
chainlen = (*s++ & 0x0F) + 3;
- if (chainlen == speclen)
+ if (chainlen == speclen) {
+ if (s_end - s < 1)
+ return;
chainlen = *s++ + 0xF + 3;
- if (d + chainlen > d_end)
+ }
+ if (d_end - d < chainlen)
return;
for (j = 0; j < chainlen; j++) {
*d = queue[chainofs++ & QUEUE_MASK];
@@ -142,32 +153,39 @@
}
}
-static int rle_unpack(const unsigned char *src, unsigned char *dest,
- int src_len, int dest_len)
+static int rle_unpack(const unsigned char *src, int src_len, int src_count,
+ unsigned char *dest, int dest_len)
{
const unsigned char *ps;
+ const unsigned char *ps_end;
unsigned char *pd;
int i, l;
unsigned char *dest_end = dest + dest_len;
ps = src;
+ ps_end = src + src_len;
pd = dest;
- if (src_len & 1)
+ if (src_count & 1) {
+ if (ps_end - ps < 1)
+ return 0;
*pd++ = *ps++;
+ }
- src_len >>= 1;
+ src_count >>= 1;
i = 0;
do {
+ if (ps_end - ps < 1)
+ break;
l = *ps++;
if (l & 0x80) {
l = (l & 0x7F) * 2;
- if (pd + l > dest_end)
+ if (dest_end - pd < l || ps_end - ps < l)
return ps - src;
memcpy(pd, ps, l);
ps += l;
pd += l;
} else {
- if (pd + i > dest_end)
+ if (dest_end - pd < i || ps_end - ps < 2)
return ps - src;
for (i = 0; i < l; i++) {
*pd++ = ps[0];
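Review bot: In rle_unpack's run branch the destination guard still tests `dest_end - pd < i`, but `i` is the running counter, not the size of the write that follows. The loop after it stores `l` pairs (the second store falls in the gap before the next hunk, judging by `ps_end - ps < 2` and the later `ps += 2`), so up to `2 * l` bytes can land past `dest_end` while the check passes. The guard should be `if (dest_end - pd < 2 * l || ps_end - ps < 2)`. The same loop also reuses `i` as its index, which discards the running total before `i += l`; a separate index variable would keep the `while (i < src_count)` termination meaningful.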
@@ -176,7 +194,7 @@
ps += 2;
}
i += l;
- } while (i < src_len);
+ } while (i < src_count);
return ps - src;
}
@@ -189,8 +207,10 @@
/* point to the start of the encoded data */
const unsigned char *p = s->buf + 16;
+ const unsigned char *p_end = s->buf + s->size;
const unsigned char *pb;
+ const unsigned char *pb_end;
unsigned char meth;
unsigned char *dp; /* pointer to current frame */
unsigned char *pp; /* pointer to previous frame */
@@ -204,6 +224,16 @@
frame_y = AV_RL16(&s->buf[8]);
frame_width = AV_RL16(&s->buf[10]) - frame_x + 1;
frame_height = AV_RL16(&s->buf[12]) - frame_y + 1;
+ if (frame_x < 0 || frame_width < 0 ||
+ frame_x >= s->avctx->width ||
+ frame_width > s->avctx->width ||
+ frame_x + frame_width > s->avctx->width)
+ return;
+ if (frame_y < 0 || frame_height < 0 ||
+ frame_y >= s->avctx->height ||
+ frame_height > s->avctx->height ||
+ frame_y + frame_height > s->avctx->height)
+ return;
if ((frame_width == s->avctx->width && frame_height == s->avctx->height) &&
(frame_x || frame_y)) {
@@ -216,8 +246,9 @@
/* if only a certain region will be updated, copy the entire previous
* frame before the decode */
- if (frame_x || frame_y || (frame_width != s->avctx->width) ||
- (frame_height != s->avctx->height)) {
+ if (s->prev_frame.data[0] &&
+ (frame_x || frame_y || (frame_width != s->avctx->width) ||
+ (frame_height != s->avctx->height))) {
memcpy(s->frame.data[0], s->prev_frame.data[0],
s->avctx->height * s->frame.linesize[0]);
@@ -225,6 +256,8 @@
/* check if there is a new palette */
if (s->buf[15] & 0x02) {
+ if (p_end - p < 2 + 3 * PALETTE_COUNT)
+ return;
p += 2;
palette32 = (unsigned int *)s->palette;
for (i = 0; i < PALETTE_COUNT; i++) {
@@ -233,16 +266,17 @@
b = *p++ * 4;
palette32[i] = (r << 16) | (g << 8) | (b);
}
- s->size -= (256 * 3 + 2);
}
- if (s->size >= 0) {
+ if (p < p_end) {
/* originally UnpackFrame in VAG's code */
pb = p;
+ pb_end = p_end;
meth = *pb++;
if (meth & 0x80) {
- lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size);
+ lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size);
meth &= 0x7F;
pb = s->unpack_buffer;
+ pb_end = s->unpack_buffer + s->unpack_buffer_size;
}
dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x];
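Review bot: After the LZ path, `pb_end` is set to `s->unpack_buffer + s->unpack_buffer_size` regardless of how much lz_unpack() actually produced. lz_unpack() is `void` and now returns early on truncated input, so the method loops below can go on parsing bytes that this packet never wrote: data from an earlier frame, or whatever the allocation held if the buffer is not cleared (its allocation is outside this hunk). Having lz_unpack() return the number of bytes written (`d - dest`) and using that for `pb_end` would confine the later reads to decoded data. A short comment on `pb_end` saying it bounds the valid source bytes would document the intent.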
@@ -252,17 +286,19 @@
for (i = 0; i < frame_height; i++) {
ofs = 0;
do {
+ if (pb_end - pb < 1)
+ return;
len = *pb++;
if (len & 0x80) {
len = (len & 0x7F) + 1;
- if (ofs + len > frame_width)
+ if (ofs + len > frame_width || pb_end - pb < len)
return;
memcpy(&dp[ofs], pb, len);
pb += len;
ofs += len;
} else {
/* interframe pixel copy */
- if (ofs + len + 1 > frame_width)
+ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0])
return;
memcpy(&dp[ofs], &pp[ofs], len + 1);
ofs += len + 1;
@@ -280,6 +316,8 @@
case 2:
for (i = 0; i < frame_height; i++) {
+ if (pb_end -pb < frame_width)
+ return;
memcpy(dp, pb, frame_width);
pb += frame_width;
dp += s->frame.linesize[0];
@@ -291,18 +329,25 @@
for (i = 0; i < frame_height; i++) {
ofs = 0;
do {
+ if (pb_end - pb < 1)
+ return;
len = *pb++;
if (len & 0x80) {
len = (len & 0x7F) + 1;
+ if (pb_end - pb < 1)
+ return;
if (*pb++ == 0xFF)
- len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
- else
+ len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs);
+ else {
+ if (pb_end - pb < len)
+ return;
memcpy(&dp[ofs], pb, len);
+ }
pb += len;
ofs += len;
} else {
/* interframe pixel copy */
- if (ofs + len + 1 > frame_width)
+ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0])
return;
memcpy(&dp[ofs], &pp[ofs], len + 1);
ofs += len + 1;
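Review bot: The new `else` branch checks only the source side (`pb_end - pb < len`) before `memcpy(&dp[ofs], pb, len)`; nothing bounds `ofs + len` against `frame_width` here. The equivalent literal copy in the method 1 hunk does test `ofs + len > frame_width`, so on the last rows a crafted length can still write past the intended region in this method. Suggest `if (ofs + len > frame_width || pb_end - pb < len) return;`. Note also that in the `0xFF` case `len` is overwritten with rle_unpack()'s return value, which is a count of source bytes consumed, and is then added to `ofs` as if it were a destination advance.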
@@ -523,7 +568,10 @@
silent_chunks = 0;
if (block_type == BLOCK_TYPE_INITIAL) {
- uint32_t flags = AV_RB32(buf);
+ uint32_t flags;
+ if (buf_size < 4)
+ return -1;
+ flags = AV_RB32(buf);
silent_chunks = av_popcount(flags);
buf += 4;
buf_size -= 4;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vorbisdec.c
@@ -1605,7 +1605,7 @@
vorbis_context *vc = avccontext->priv_data ;
GetBitContext *gb = &(vc->gb);
const float *channel_ptrs[255];
- int i, len;
+ int i, len, out_size;
if (!buf_size)
return 0;
@@ -1630,6 +1630,13 @@
av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n",
get_bits_count(gb) / 8, get_bits_count(gb) % 8, len);
+ out_size = len * vc->audio_channels *
+ av_get_bytes_per_sample(avccontext->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if (vc->audio_channels > 8) {
for (i = 0; i < vc->audio_channels; i++)
channel_ptrs[i] = vc->channel_floors + i * len;
@@ -1645,8 +1652,7 @@
vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len,
vc->audio_channels);
- *data_size = len * vc->audio_channels *
- av_get_bytes_per_sample(avccontext->sample_fmt);
+ *data_size = out_size;
return buf_size ;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vp3.c
@@ -45,6 +45,7 @@
#define FRAGMENT_PIXELS 8
static av_cold int vp3_decode_end(AVCodecContext *avctx);
+static void vp3_decode_flush(AVCodecContext *avctx);
//FIXME split things out into their own arrays
typedef struct Vp3Fragment {
@@ -890,7 +891,7 @@
/* decode a VLC into a token */
token = get_vlc2(gb, vlc_table, 11, 3);
/* use the token to get a zero run, a coefficient, and an eob run */
- if (token <= 6) {
+ if ((unsigned) token <= 6U) {
eob_run = eob_run_base[token];
if (eob_run_get_bits[token])
eob_run += get_bits(gb, eob_run_get_bits[token]);
@@ -908,7 +909,7 @@
coeff_i += eob_run;
eob_run = 0;
}
- } else {
+ } else if (token >= 0) {
bits_to_get = coeff_get_bits[token];
if (bits_to_get)
bits_to_get = get_bits(gb, bits_to_get);
@@ -942,6 +943,10 @@
for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
s->num_coded_frags[plane][i]--;
coeff_i++;
+ } else {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid token %d\n", token);
+ return -1;
}
}
@@ -991,6 +996,8 @@
/* unpack the Y plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the Y-plane DC coefficients */
reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -998,8 +1005,12 @@
/* unpack the C plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the C-plane DC coefficients */
if (!(s->avctx->flags & CODEC_FLAG_GRAY))
@@ -1036,11 +1047,17 @@
for (i = 1; i <= 63; i++) {
residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
return 0;
@@ -1777,10 +1794,15 @@
Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
int qps_changed = 0, i, err;
+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+
if (!s1->current_frame.data[0]
||s->width != s1->width
- ||s->height!= s1->height)
+ ||s->height!= s1->height) {
+ if (s != s1)
+ copy_fields(s, s1, golden_frame, current_frame);
return -1;
+ }
if (s != s1) {
// init tables if the first frame hasn't been decoded
@@ -1796,8 +1818,6 @@
memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
}
-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
-
// copy previous frame data
copy_fields(s, s1, golden_frame, dsp);
@@ -1987,9 +2007,6 @@
Vp3DecodeContext *s = avctx->priv_data;
int i;
- if (avctx->is_copy && !s->current_frame.data[0])
- return 0;
-
av_free(s->superblock_coding);
av_free(s->all_fragments);
av_free(s->coded_fragment_list[0]);
@@ -2016,12 +2033,7 @@
free_vlc(&s->motion_vector_vlc);
/* release all frames */
- if (s->golden_frame.data[0])
- ff_thread_release_buffer(avctx, &s->golden_frame);
- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
- ff_thread_release_buffer(avctx, &s->last_frame);
- /* no need to release the current_frame since it will always be pointing
- * to the same frame as either the golden or last frame */
+ vp3_decode_flush(avctx);
return 0;
}
@@ -2341,6 +2353,23 @@
ff_thread_release_buffer(avctx, &s->current_frame);
}
+static int vp3_init_thread_copy(AVCodecContext *avctx)
+{
+ Vp3DecodeContext *s = avctx->priv_data;
+
+ s->superblock_coding = NULL;
+ s->all_fragments = NULL;
+ s->coded_fragment_list[0] = NULL;
+ s->dct_tokens_base = NULL;
+ s->superblock_fragments = NULL;
+ s->macroblock_coding = NULL;
+ s->motion_val[0] = NULL;
+ s->motion_val[1] = NULL;
+ s->edge_emu_buffer = NULL;
+
+ return 0;
+}
+
AVCodec ff_theora_decoder = {
"theora",
AVMEDIA_TYPE_VIDEO,
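Review bot: vp3_init_thread_copy() has no comment explaining why exactly these nine pointers are cleared. Since the earlier hunks drop the `is_copy` early return from vp3_decode_end(), teardown of a thread copy now depends on this list matching the `av_free()` calls there. A comment such as `/* a thread copy must not own the source context's buffers; keep in sync with the av_free() list in vp3_decode_end() */` would make that coupling explicit. It is also worth confirming how the `free_vlc()` calls in vp3_decode_end() behave on a copy (the lines between its two hunks are not shown): the VLC tables are not reset here, so if a copy's VLC structs alias the source's tables they would be released more than once.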
@@ -2354,6 +2383,7 @@
NULL,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("Theora"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
#endif
@@ -2371,5 +2401,6 @@
NULL,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vp56.c
@@ -465,6 +465,7 @@
s->mb_height = (avctx->coded_height+15) / 16;
if (s->mb_width > 1000 || s->mb_height > 1000) {
+ avcodec_set_dimensions(avctx, 0, 0);
av_log(avctx, AV_LOG_ERROR, "picture too big\n");
return -1;
}
@@ -519,8 +520,10 @@
if (s->frames[i].data[0])
avctx->release_buffer(avctx, &s->frames[i]);
}
- if (is_alpha)
+ if (is_alpha) {
+ avcodec_set_dimensions(avctx, 0, 0);
return -1;
+ }
}
if (!is_alpha) {
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vp6.c
@@ -137,8 +137,11 @@
if (coeff_offset) {
buf += coeff_offset;
buf_size -= coeff_offset;
- if (buf_size < 0)
+ if (buf_size < 0) {
+ if (s->framep[VP56_FRAME_CURRENT]->key_frame)
+ avcodec_set_dimensions(s->avctx, 0, 0);
return 0;
+ }
if (s->use_huffman) {
s->parse_coeff = vp6_parse_coeff_huffman;
init_get_bits(&s->gb, buf, buf_size<<3);
@@ -371,7 +374,7 @@
if (b > 3) pt = 1;
vlc_coeff = &s->dccv_vlc[pt];
- for (coeff_idx=0; coeff_idx<64; ) {
+ for (coeff_idx = 0;;) {
int run = 1;
if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) {
s->nb_null[coeff_idx][pt]--;
@@ -408,6 +411,8 @@
}
}
coeff_idx+=run;
+ if (coeff_idx >= 64)
+ break;
cg = FFMIN(vp6_coeff_groups[coeff_idx], 3);
vlc_coeff = &s->ract_vlc[pt][ct][cg];
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vp8.c
@@ -33,6 +33,19 @@
# include "arm/vp8.h"
#endif
+static void free_buffers(VP8Context *s)
+{
+ av_freep(&s->macroblocks_base);
+ av_freep(&s->filter_strength);
+ av_freep(&s->intra4x4_pred_mode_top);
+ av_freep(&s->top_nnz);
+ av_freep(&s->edge_emu_buffer);
+ av_freep(&s->top_border);
+ av_freep(&s->segmentation_map);
+
+ s->macroblocks = NULL;
+}
+
static void vp8_decode_flush(AVCodecContext *avctx)
{
VP8Context *s = avctx->priv_data;
@@ -45,15 +58,7 @@
}
memset(s->framep, 0, sizeof(s->framep));
- av_freep(&s->macroblocks_base);
- av_freep(&s->filter_strength);
- av_freep(&s->intra4x4_pred_mode_top);
- av_freep(&s->top_nnz);
- av_freep(&s->edge_emu_buffer);
- av_freep(&s->top_border);
- av_freep(&s->segmentation_map);
-
- s->macroblocks = NULL;
+ free_buffers(s);
}
static int update_dimensions(VP8Context *s, int width, int height)
@@ -273,7 +278,7 @@
if (!s->macroblocks_base || /* first frame */
width != s->avctx->width || height != s->avctx->height) {
- if ((ret = update_dimensions(s, width, height) < 0))
+ if ((ret = update_dimensions(s, width, height)) < 0)
return ret;
}
@@ -487,6 +492,7 @@
AV_ZERO32(&near_mv[0]);
AV_ZERO32(&near_mv[1]);
+ AV_ZERO32(&near_mv[2]);
/* Process MB on top, left and top-left */
#define MV_EDGE_CHECK(n)\
@@ -919,7 +925,8 @@
int mb_x, int mb_y)
{
AVCodecContext *avctx = s->avctx;
- int x, y, mode, nnz, tr;
+ int x, y, mode, nnz;
+ uint32_t tr;
// for the first row, we need to run xchg_mb_border to init the top edge to 127
// otherwise, skip it if we aren't going to deblock
@@ -948,7 +955,7 @@
// from the top macroblock
if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) &&
mb_x == s->mb_width-1) {
- tr = tr_right[-1]*0x01010101;
+ tr = tr_right[-1]*0x01010101u;
tr_right = (uint8_t *)&tr;
}
@@ -1749,6 +1756,11 @@
{
VP8Context *s = dst->priv_data, *s_src = src->priv_data;
+ if (s->macroblocks_base &&
+ (s_src->mb_width != s->mb_width || s_src->mb_height != s->mb_height)) {
+ free_buffers(s);
+ }
+
s->prob[0] = s_src->prob[!s_src->update_probabilities];
s->segmentation = s_src->segmentation;
s->lf_delta = s_src->lf_delta;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/vqavideo.c
@@ -138,6 +138,10 @@
/* load up the VQA parameters from the header */
vqa_header = (unsigned char *)s->avctx->extradata;
s->vqa_version = vqa_header[0];
+ if (s->vqa_version < 1 || s->vqa_version > 3) {
+ av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version);
+ return -1;
+ }
s->width = AV_RL16(&vqa_header[6]);
s->height = AV_RL16(&vqa_header[8]);
if(av_image_check_size(s->width, s->height, 0, avctx)){
@@ -226,6 +230,8 @@
src_index += 2;
av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
@@ -248,6 +254,8 @@
src_index += 2;
av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
@@ -268,6 +276,8 @@
src_index += 2;
av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
CHECK_COUNT();
+ if (dest_index < src_pos)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[dest_index - src_pos + i];
dest_index += count;
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/wavpack.c
@@ -1173,6 +1173,15 @@
return samplecount * bpp;
}
+static void wavpack_decode_flush(AVCodecContext *avctx)
+{
+ WavpackContext *s = avctx->priv_data;
+ int i;
+
+ for (i = 0; i < s->fdec_num; i++)
+ wv_reset_saved_context(s->fdec[i]);
+}
+
static int wavpack_decode_frame(AVCodecContext *avctx,
void *data, int *data_size,
AVPacket *avpkt)
@@ -1205,11 +1214,14 @@
if(frame_size < 0 || frame_size > buf_size){
av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d vs. %d bytes left)\n",
s->block, frame_size, buf_size);
+ wavpack_decode_flush(avctx);
return -1;
}
if((samplecount = wavpack_decode_block(avctx, s->block, data,
- data_size, buf, frame_size)) < 0)
+ data_size, buf, frame_size)) < 0) {
+ wavpack_decode_flush(avctx);
return -1;
+ }
s->block++;
buf += frame_size; buf_size -= frame_size;
}
|
[-]
[+]
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/wmaprodec.c
^
|
@@ -309,10 +309,6 @@
s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
3, s->decode_flags);
- /** init previous block len */
- for (i = 0; i < avctx->channels; i++)
- s->channel[i].prev_block_len = s->samples_per_frame;
-
/** subframe info */
log2_max_num_subframes = ((s->decode_flags & 0x38) >> 3);
s->max_num_subframes = 1 << log2_max_num_subframes;
@@ -332,6 +328,18 @@
s->num_channels = avctx->channels;
+ if (s->num_channels < 0) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels);
+ return AVERROR_INVALIDDATA;
+ } else if (s->num_channels > WMAPRO_MAX_CHANNELS) {
+ av_log_ask_for_sample(avctx, "unsupported number of channels\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
+ /** init previous block len */
+ for (i = 0; i < s->num_channels; i++)
+ s->channel[i].prev_block_len = s->samples_per_frame;
+
/** extract lfe channel position */
s->lfe_channel = -1;
@@ -343,14 +351,6 @@
}
}
- if (s->num_channels < 0) {
- av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels);
- return AVERROR_INVALIDDATA;
- } else if (s->num_channels > WMAPRO_MAX_CHANNELS) {
- av_log_ask_for_sample(avctx, "unsupported number of channels\n");
- return AVERROR_PATCHWELCOME;
- }
-
INIT_VLC_STATIC(&sf_vlc, SCALEVLCBITS, HUFF_SCALE_SIZE,
scale_huffbits, 1, 1,
scale_huffcodes, 2, 2, 616);
@@ -1436,7 +1436,7 @@
init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
}
- buflen = (s->num_saved_bits + len + 8) >> 3;
+ buflen = (put_bits_count(&s->pb) + len + 8) >> 3;
if (len <= 0 || buflen > MAX_FRAMESIZE) {
av_log_ask_for_sample(s->avctx, "input buffer too small\n");
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/wmavoice.c
@@ -401,6 +401,10 @@
s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8;
s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8;
pitch_range = s->max_pitch_val - s->min_pitch_val;
+ if (pitch_range <= 0) {
+ av_log(ctx, AV_LOG_ERROR, "Invalid pitch range; broken extradata?\n");
+ return -1;
+ }
s->pitch_nbits = av_ceil_log2(pitch_range);
s->last_pitch_val = 40;
s->last_acb_type = ACB_TYPE_NONE;
@@ -422,6 +426,10 @@
s->block_conv_table[2] = (pitch_range * 44) >> 6;
s->block_conv_table[3] = s->max_pitch_val - 1;
s->block_delta_pitch_hrange = (pitch_range >> 3) & ~0xF;
+ if (s->block_delta_pitch_hrange <= 0) {
+ av_log(ctx, AV_LOG_ERROR, "Invalid delta pitch hrange; broken extradata?\n");
+ return -1;
+ }
s->block_delta_pitch_nbits = 1 + av_ceil_log2(s->block_delta_pitch_hrange);
s->block_pitch_range = s->block_conv_table[2] +
s->block_conv_table[3] + 1 +
@@ -1077,7 +1085,7 @@
int excl_range = s->aw_pulse_range; // always 16 or 24
uint16_t *use_mask_ptr = &use_mask[idx >> 4];
int first_sh = 16 - (idx & 15);
- *use_mask_ptr++ &= 0xFFFF << first_sh;
+ *use_mask_ptr++ &= 0xFFFFu << first_sh;
excl_range -= first_sh;
if (excl_range >= 16) {
*use_mask_ptr++ = 0;
@@ -1880,6 +1888,8 @@
rmn_bits = rmn_bytes = get_bits_left(gb);
if (rmn_bits < nbits)
return;
+ if (nbits > pb->size_in_bits - put_bits_count(pb))
+ return;
rmn_bits &= 7; rmn_bytes >>= 3;
if ((rmn_bits = FFMIN(rmn_bits, nbits)) > 0)
put_bits(pb, rmn_bits, get_bits(gb, rmn_bits));
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/ws-snd1.c
@@ -37,13 +37,16 @@
-9, -8, -6, -5, -4, -3, -2, -1,
0, 1, 2, 3, 4, 5, 6, 8 };
-#define CLIP8(a) if(a>127)a=127;if(a<-128)a=-128;
-
static av_cold int ws_snd_decode_init(AVCodecContext * avctx)
{
// WSSNDContext *c = avctx->priv_data;
- avctx->sample_fmt = AV_SAMPLE_FMT_S16;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "unsupported number of channels\n");
+ return AVERROR(EINVAL);
+ }
+
+ avctx->sample_fmt = AV_SAMPLE_FMT_U8;
return 0;
}
@@ -56,15 +59,19 @@
// WSSNDContext *c = avctx->priv_data;
int in_size, out_size;
- int sample = 0;
+ int sample = 128;
int i;
- short *samples = data;
+ uint8_t *samples = data;
if (!buf_size)
return 0;
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
out_size = AV_RL16(&buf[0]);
- *data_size = out_size * 2;
in_size = AV_RL16(&buf[2]);
buf += 4;
@@ -76,34 +83,54 @@
av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n");
return -1;
}
+
if (in_size == out_size) {
for (i = 0; i < out_size; i++)
- *samples++ = (*buf++ - 0x80) << 8;
+ *samples++ = *buf++;
+ *data_size = out_size;
return buf_size;
}
- while (out_size > 0) {
- int code;
+ while (out_size > 0 && buf - avpkt->data < buf_size) {
+ int code, smp, size;
uint8_t count;
code = (*buf) >> 6;
count = (*buf) & 0x3F;
buf++;
+
+ /* make sure we don't write more than out_size samples */
+ switch (code) {
+ case 0: smp = 4; break;
+ case 1: smp = 2; break;
+ case 2: smp = (count & 0x20) ? 1 : count + 1; break;
+ default: smp = count + 1; break;
+ }
+ if (out_size < smp) {
+ out_size = 0;
+ break;
+ }
+
+ /* make sure we don't read past the input buffer */
+ size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1;
+ if ((buf - avpkt->data) + size > buf_size)
+ break;
+
switch(code) {
case 0: /* ADPCM 2-bit */
for (count++; count > 0; count--) {
code = *buf++;
sample += ws_adpcm_2bit[code & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_2bit[(code >> 2) & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_2bit[(code >> 4) & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_2bit[(code >> 6) & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
out_size -= 4;
}
break;
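Review bot: The output-space precheck undercounts the two ADPCM modes: `smp` is set to 4 for code 0 and 2 for code 1, but the loops that follow run `count + 1` times and store 4 samples (code 0) or 2 samples (code 1, next hunk) per pass. The `out_size < smp` test therefore covers only the first pass, and the loop can store more than the `out_size` samples that were checked. Scaling the estimate by the repeat count closes that gap: `case 0: smp = 4 * (count + 1); break;` and `case 1: smp = 2 * (count + 1); break;`. The input-side `size` computation already uses `count + 1`, so only the output side needs the change; the decode function begins before this hunk.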
@@ -111,11 +138,11 @@
for (count++; count > 0; count--) {
code = *buf++;
sample += ws_adpcm_4bit[code & 0xF];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_4bit[code >> 4];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
out_size -= 2;
}
break;
@@ -125,24 +152,27 @@
t = count;
t <<= 3;
sample += t >> 3;
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
out_size--;
} else { /* copy */
for (count++; count > 0; count--) {
- *samples++ = (*buf++ - 0x80) << 8;
+ *samples++ = *buf++;
out_size--;
}
- sample = buf[-1] - 0x80;
+ sample = buf[-1];
}
break;
default: /* run */
for(count++; count > 0; count--) {
- *samples++ = sample << 8;
+ *samples++ = sample;
out_size--;
}
}
}
+ *data_size = samples - (uint8_t *)data;
+
return buf_size;
}
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/x86/fft_3dn2.c
^
|
@@ -23,7 +23,7 @@
#include "libavcodec/dsputil.h"
#include "fft.h"
-DECLARE_ALIGNED(8, static const int, m1m1)[2] = { 1<<31, 1<<31 };
+DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 };
#ifdef EMULATE_3DNOWEXT
#define PSWAPD(s,d)\
@@ -70,7 +70,7 @@
in1 = input;
in2 = input + n2 - 1;
#ifdef EMULATE_3DNOWEXT
- __asm__ volatile("movd %0, %%mm7" ::"r"(1<<31));
+ __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31));
#endif
for(k = 0; k < n4; k++) {
// FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/x86/fft_sse.c
^
|
@@ -24,8 +24,8 @@
#include "fft.h"
#include "config.h"
-DECLARE_ASM_CONST(16, int, ff_m1m1m1m1)[4] =
- { 1 << 31, 1 << 31, 1 << 31, 1 << 31 };
+DECLARE_ASM_CONST(16, unsigned int, ff_m1m1m1m1)[4] =
+ { 1U << 31, 1U << 31, 1U << 31, 1U << 31 };
void ff_fft_dispatch_sse(FFTComplex *z, int nbits);
void ff_fft_dispatch_interleave_sse(FFTComplex *z, int nbits);
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/xan.c
^
|
@@ -114,7 +114,10 @@
init_get_bits(&gb, ptr, ptr_len * 8);
while ( val != 0x16 ) {
- val = src[val - 0x17 + get_bits1(&gb) * byte];
+ unsigned idx = val - 0x17 + get_bits1(&gb) * byte;
+ if (idx >= 2 * byte)
+ return -1;
+ val = src[idx];
if ( val < 0x16 ) {
if (dest >= dest_end)
@@ -132,13 +135,16 @@
*
* @param dest destination buffer of dest_len, must be padded with at least 130 bytes
*/
-static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_len)
+static void xan_unpack(unsigned char *dest, int dest_len,
+ const unsigned char *src, int src_len)
{
unsigned char opcode;
int size;
+ unsigned char *dest_org = dest;
unsigned char *dest_end = dest + dest_len;
+ const unsigned char *src_end = src + src_len;
- while (dest < dest_end) {
+ while (dest < dest_end && src < src_end) {
opcode = *src++;
if (opcode < 0xe0) {
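Review bot: The doc comment above `xan_unpack` still describes only `dest`, while the signature now also takes `dest_len`, `src` and `src_len`. I would add `@param src_len number of readable bytes at src` and a line saying that the function stops silently on truncated or inconsistent input, leaving the rest of `dest` unwritten. The stated 130-byte padding requirement is also worth re-checking now that each copy is bounds-checked. The comment's opening lines and most of the body are outside this hunk.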
@@ -163,9 +169,11 @@
back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1;
size2 = ((opcode & 0x0c) << 6) + *src++ + 5;
- if (size + size2 > dest_end - dest)
- return;
}
+ if (dest_end - dest < size + size2 ||
+ dest + size - dest_org < back ||
+ src_end - src < size)
+ return;
memcpy(dest, src, size); dest += size; src += size;
av_memcpy_backptr(dest, back, size2);
dest += size2;
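Review bot: The `src < src_end` loop condition covers only the opcode byte; in this branch `bytestream_get_be16(&src)` and `*src++` fetch three more operand bytes before the new combined check runs, so they can be read from beyond `src_end`. Padding on the input packet may make that harmless in practice, but the check should not depend on it: `if (src_end - src < 3) return;` ahead of the `back =` line keeps the reads inside the declared length. The other opcode branches lie outside the hunk and probably need the same guard with their own operand counts.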
@@ -173,6 +181,8 @@
int finish = opcode >= 0xfc;
size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4;
+ if (dest_end - dest < size || src_end - src < size)
+ return;
memcpy(dest, src, size); dest += size; src += size;
if (finish)
return;
@@ -220,15 +230,23 @@
int width = s->avctx->width;
unsigned char *palette_plane, *prev_palette_plane;
+ if ( y + motion_y < 0 || y + motion_y >= s->avctx->height ||
+ x + motion_x < 0 || x + motion_x >= s->avctx->width)
+ return;
+
palette_plane = s->current_frame.data[0];
prev_palette_plane = s->last_frame.data[0];
+ if (!prev_palette_plane)
+ prev_palette_plane = palette_plane;
stride = s->current_frame.linesize[0];
line_inc = stride - width;
curframe_index = y * stride + x;
curframe_x = x;
prevframe_index = (y + motion_y) * stride + x + motion_x;
prevframe_x = x + motion_x;
- while(pixel_count && (curframe_index < s->frame_size)) {
+ while(pixel_count &&
+ curframe_index < s->frame_size &&
+ prevframe_index < s->frame_size) {
int count = FFMIN3(pixel_count, width - curframe_x, width - prevframe_x);
memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count);
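Review bot: With the new fallback `prev_palette_plane = palette_plane`, source and destination of the `memcpy` at the end of this hunk can be the same plane, and for small motion vectors (or the zero-motion call in the frame loop) the two ranges overlap or coincide, which `memcpy` does not permit. `memmove(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count);` is safe in both cases. The new range test checks `x + motion_x` and `y + motion_y` only for the first pixel; the loop body that advances the indices continues outside the hunk, so later rows appear to rely on the `prevframe_index < s->frame_size` test alone.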
@@ -262,6 +280,7 @@
int x, y;
unsigned char *opcode_buffer = s->buffer1;
+ unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
int opcode_buffer_size = s->buffer1_size;
const unsigned char *imagedata_buffer = s->buffer2;
@@ -270,7 +289,7 @@
const unsigned char *size_segment;
const unsigned char *vector_segment;
const unsigned char *imagedata_segment;
- int huffman_offset, size_offset, vector_offset, imagedata_offset;
+ int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size;
if (s->size < 8)
return AVERROR_INVALIDDATA;
@@ -295,14 +314,18 @@
huffman_segment, s->size - huffman_offset) < 0)
return AVERROR_INVALIDDATA;
- if (imagedata_segment[0] == 2)
- xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);
- else
+ if (imagedata_segment[0] == 2) {
+ xan_unpack(s->buffer2, s->buffer2_size,
+ &imagedata_segment[1], s->size - imagedata_offset - 1);
+ imagedata_size = s->buffer2_size;
+ } else {
+ imagedata_size = s->size - imagedata_offset - 1;
imagedata_buffer = &imagedata_segment[1];
+ }
/* use the decoded data segments to build the frame */
x = y = 0;
- while (total_pixels) {
+ while (total_pixels && opcode_buffer < opcode_buffer_end) {
opcode = *opcode_buffer++;
size = 0;
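Review bot: `imagedata_size` is set to `s->buffer2_size` no matter how much `xan_unpack` actually wrote, because the reworked `xan_unpack` is still `void` and returns early on any failed bound check. The pixel-run loop can then accept runs taken from bytes of `buffer2` that this frame never filled, which as far as the hunk shows would be leftover data from an earlier frame. Having `xan_unpack` return the number of bytes produced and assigning that to `imagedata_size` would tie the later `imagedata_size < size` test to real data. That touches the signature changed in the earlier hunk, so it is a follow-up rather than a one-line edit.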
@@ -351,6 +374,8 @@
size_segment += 3;
break;
}
+ if (size > total_pixels)
+ break;
if (opcode < 12) {
flag ^= 1;
@@ -359,8 +384,11 @@
xan_wc3_copy_pixel_run(s, x, y, size, 0, 0);
} else {
/* output a run of pixels from imagedata_buffer */
+ if (imagedata_size < size)
+ break;
xan_wc3_output_pixel_run(s, imagedata_buffer, x, y, size);
imagedata_buffer += size;
+ imagedata_size -= size;
}
} else {
/* run-based motion compensation from last frame */
@@ -527,6 +555,9 @@
}
buf_size = buf_end - buf;
}
+ if (s->palettes_count <= 0)
+ return AVERROR_INVALIDDATA;
+
if ((ret = avctx->get_buffer(avctx, &s->current_frame))) {
av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return ret;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavcodec/xxan.c
^
|
@@ -129,7 +129,9 @@
if (size + size2 > dest_end - dest)
break;
}
- if (src + size > src_end || dest + size + size2 > dest_end)
+ if (src + size > src_end ||
+ dest + size + size2 > dest_end ||
+ dest + size - orig_dest < back )
return -1;
bytestream_get_buffer(&src, dest, size);
dest += size;
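Review bot: The extended condition still forms `src + size` and `dest + size + size2` before comparing, and computing a pointer beyond the end of its buffer is undefined even when the comparison then fails. The line just above already uses the difference form (`size + size2 > dest_end - dest`), as does the matching check in xan.c in this update. Writing the whole test that way keeps it consistent: `if (src_end - src < size || dest_end - dest < size + size2 || dest + size - orig_dest < back)`. The types of `size`, `size2` and `back` are declared outside the hunk.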
@@ -194,6 +196,8 @@
if (mode) {
for (j = 0; j < avctx->height >> 1; j++) {
for (i = 0; i < avctx->width >> 1; i++) {
+ if (src_end - src < 1)
+ return 0;
val = *src++;
if (val) {
val = AV_RL16(table + (val << 1));
@@ -202,8 +206,6 @@
U[i] = uval | (uval >> 5);
V[i] = vval | (vval >> 5);
}
- if (src == src_end)
- return 0;
}
U += s->pic.linesize[1];
V += s->pic.linesize[2];
@@ -214,6 +216,8 @@
for (j = 0; j < avctx->height >> 2; j++) {
for (i = 0; i < avctx->width >> 1; i += 2) {
+ if (src_end - src < 1)
+ return 0;
val = *src++;
if (val) {
val = AV_RL16(table + (val << 1));
@@ -302,6 +306,9 @@
corr_end - corr_off);
if (dec_size < 0)
dec_size = 0;
+ else
+ dec_size = FFMIN(dec_size, s->buffer_size/2 - 1);
+
for (i = 0; i < dec_size; i++)
s->y_buffer[i*2+1] = (s->y_buffer[i*2+1] + (s->scratch_buffer[i] << 1)) & 0x3F;
}
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavfilter/vf_scale.c
^
|
@@ -229,7 +229,7 @@
scale->isws[1] = sws_getContext(inlink ->w, inlink ->h/2, inlink ->format,
outlink->w, outlink->h/2, outlink->format,
scale->flags, NULL, NULL, NULL);
- if (!scale->sws)
+ if (!scale->sws || !scale->isws[0] || !scale->isws[1])
return AVERROR(EINVAL);
if (inlink->sample_aspect_ratio.num){
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavfilter/vf_unsharp.c
^
|
@@ -70,6 +70,7 @@
int32_t res;
int x, y, z;
+ const uint8_t *src2;
if (!fp->amount) {
if (dst_stride == src_stride)
@@ -84,9 +85,12 @@
memset(sc[y], 0, sizeof(sc[y][0]) * (width + 2 * fp->steps_x));
for (y = -fp->steps_y; y < height + fp->steps_y; y++) {
+ if (y < height)
+ src2 = src;
+
memset(sr, 0, sizeof(sr[0]) * (2 * fp->steps_x - 1));
for (x = -fp->steps_x; x < width + fp->steps_x; x++) {
- tmp1 = x <= 0 ? src[0] : x >= width ? src[width-1] : src[x];
+ tmp1 = x <= 0 ? src2[0] : x >= width ? src2[width-1] : src2[x];
for (z = 0; z < fp->steps_x * 2; z += 2) {
tmp2 = sr[z + 0] + tmp1; sr[z + 0] = tmp1;
tmp1 = sr[z + 1] + tmp2; sr[z + 1] = tmp2;
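Review bot: `src2` is declared without an initial value in the previous hunk and assigned here only under `if (y < height)`, so its validity on the first pass depends on the loop starting at `-fp->steps_y` with a positive `height`; nothing in the code says so. A comment at the assignment, for example `/* src2 keeps the last row inside the image so the bottom border rows reuse it instead of reading past the plane */`, plus `const uint8_t *src2 = NULL;` at the declaration, would make the intent checkable. How `src` advances per row is outside the hunk, so the comment wording should be confirmed against that code.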
@@ -125,8 +129,8 @@
static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque)
{
UnsharpContext *unsharp = ctx->priv;
- int lmsize_x = 5, cmsize_x = 0;
- int lmsize_y = 5, cmsize_y = 0;
+ int lmsize_x = 5, cmsize_x = 5;
+ int lmsize_y = 5, cmsize_y = 5;
double lamount = 1.0f, camount = 0.0f;
if (args)
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/4xm.c
^
|
@@ -172,13 +172,16 @@
goto fail;
}
if (current_track + 1 > fourxm->track_count) {
- fourxm->track_count = current_track + 1;
- fourxm->tracks = av_realloc(fourxm->tracks,
- fourxm->track_count * sizeof(AudioTrack));
+ fourxm->tracks = av_realloc_f(fourxm->tracks,
+ sizeof(AudioTrack),
+ current_track + 1);
if (!fourxm->tracks) {
ret= AVERROR(ENOMEM);
goto fail;
}
+ memset(&fourxm->tracks[fourxm->track_count], 0,
+ sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count));
+ fourxm->track_count = current_track + 1;
}
fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]);
fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]);
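Review bot: When `av_realloc_f` fails it has already freed the old array, so the `goto fail` path is entered with `fourxm->tracks == NULL` while `fourxm->track_count` still holds its previous value. If anything on the fail path or in the close function walks `tracks` using `track_count`, that is a null dereference; adding `fourxm->track_count = 0;` next to `ret= AVERROR(ENOMEM);` keeps the pair consistent. The `fail:` label and the origin and range of `current_track` are outside the hunk, so it is also worth confirming that the index read from the header is bounded before it sizes an allocation.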
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/anm.c
^
|
@@ -134,18 +134,17 @@
/* color cycling and palette data */
st->codec->extradata_size = 16*8 + 4*256;
st->codec->extradata = av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
- if (!st->codec->extradata) {
- ret = AVERROR(ENOMEM);
- goto close_and_return;
- }
+ if (!st->codec->extradata)
+ return AVERROR(ENOMEM);
+
ret = avio_read(pb, st->codec->extradata, st->codec->extradata_size);
if (ret < 0)
- goto close_and_return;
+ return ret;
/* read page table */
ret = avio_seek(pb, anm->page_table_offset, SEEK_SET);
if (ret < 0)
- goto close_and_return;
+ return ret;
for (i = 0; i < MAX_PAGES; i++) {
Page *p = &anm->pt[i];
@@ -156,21 +155,15 @@
/* find page of first frame */
anm->page = find_record(anm, 0);
- if (anm->page < 0) {
- ret = anm->page;
- goto close_and_return;
- }
+ if (anm->page < 0)
+ return anm->page;
anm->record = -1;
return 0;
invalid:
av_log_ask_for_sample(s, NULL);
- ret = AVERROR_INVALIDDATA;
-
-close_and_return:
- av_close_input_stream(s);
- return ret;
+ return AVERROR_INVALIDDATA;
}
static int read_packet(AVFormatContext *s,
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/asfdec.c
^
|
@@ -808,6 +808,10 @@
DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
//printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
+ if (rsize+asf->packet_replic_size > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
+ return -1;
+ }
if (asf->packet_replic_size >= 8) {
asf->packet_obj_size = avio_rl32(pb);
if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
@@ -842,10 +846,6 @@
av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
return -1;
}
- if (rsize > asf->packet_size_left) {
- av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
- return -1;
- }
if (asf->packet_flags & 0x01) {
DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
if (rsize > asf->packet_size_left) {
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/avidec.c
^
|
@@ -639,7 +639,7 @@
if(st->codec->codec_tag==0 && st->codec->height > 0 && st->codec->extradata_size < 1U<<30){
st->codec->extradata_size+= 9;
- st->codec->extradata= av_realloc(st->codec->extradata, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
+ st->codec->extradata= av_realloc_f(st->codec->extradata, 1, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(st->codec->extradata)
memcpy(st->codec->extradata + st->codec->extradata_size - 9, "BottomUp", 9);
}
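Review bot: `extradata_size` is bumped by 9 before the allocation, and `av_realloc_f` frees the old block when it fails, so the failure path leaves `extradata == NULL` with a non-zero `extradata_size`. Code that later trusts the size field would then index a null pointer. Adding `else st->codec->extradata_size = 0;` after the `memcpy` branch keeps the pair consistent, which is what the tta.c change in this same update does. The `av_realloc_f` conversions in aviobuf.c (`d->buffer` / `d->allocated_size`) and gxfenc.c (`map_offsets`, `flt_entries` and their counters) have the same shape and deserve the same look.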
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/avienc.c
^
|
@@ -523,6 +523,11 @@
while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count){
AVPacket empty_packet;
+ if(pkt->dts - avist->packet_count > 60000){
+ av_log(s, AV_LOG_ERROR, "Too large number of skiped frames %Ld\n", pkt->dts - avist->packet_count);
+ return AVERROR(EINVAL);
+ }
+
av_init_packet(&empty_packet);
empty_packet.size= 0;
empty_packet.data= NULL;
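Review bot: `%Ld` is not a standard conversion for a 64-bit integer (`L` is the `long double` modifier), so what the new error message prints is platform-dependent, and "skiped" is misspelled. The portable form is `av_log(s, AV_LOG_ERROR, "Too large number of skipped frames %"PRId64"\n", pkt->dts - avist->packet_count);`. The 60000 limit would read better as a named constant with a comment saying what it bounds; the loop appears to emit one empty packet per skipped frame, but its tail is outside the hunk.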
@@ -558,7 +563,7 @@
int cl = idx->entry / AVI_INDEX_CLUSTER_SIZE;
int id = idx->entry % AVI_INDEX_CLUSTER_SIZE;
if (idx->ents_allocated <= idx->entry) {
- idx->cluster = av_realloc(idx->cluster, (cl+1)*sizeof(void*));
+ idx->cluster = av_realloc_f(idx->cluster, sizeof(void*), cl+1);
if (!idx->cluster)
return -1;
idx->cluster[cl] = av_malloc(AVI_INDEX_CLUSTER_SIZE*sizeof(AVIIentry));
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/aviobuf.c
^
|
@@ -778,13 +778,14 @@
{
int i;
+ if (buflen <= 0)
+ return AVERROR(EINVAL);
// reserve 1 byte for terminating 0
buflen = FFMIN(buflen - 1, maxlen);
for (i = 0; i < buflen; i++)
if (!(buf[i] = avio_r8(s)))
return i + 1;
- if (buflen)
- buf[i] = 0;
+ buf[i] = 0;
for (; i < maxlen; i++)
if (!avio_r8(s))
return i + 1;
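Review bot: The new `buflen <= 0` early return leaves the stream position untouched, whereas every other path through this function consumes input up to the terminator or `maxlen`; the same guard is added to the UTF-16 reader macro in the next hunk. A caller that ignores the return value (the chapter-title code in mov.c on this page does) then gets neither data nor a position change. Either document the new result in the function's doc comment, e.g. `@return ... or AVERROR(EINVAL) if buflen is not positive, in which case nothing is read`, or skip `maxlen` bytes before returning. The function header is outside the hunk.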
@@ -796,6 +797,8 @@
{\
char* q = buf;\
int ret = 0;\
+ if (buflen <= 0) \
+ return AVERROR(EINVAL); \
while (ret + 1 < maxlen) {\
uint8_t tmp;\
uint32_t ch;\
@@ -921,7 +924,7 @@
alloc_size = FFMAX(s->buffer_size, new_size);
if (alloc_size > buf_size)
- if (!(buf = av_realloc(buf, alloc_size)))
+ if (!(buf = av_realloc_f(buf, 1, alloc_size)))
return AVERROR(ENOMEM);
if (new_size > buf_size) {
@@ -1090,7 +1093,7 @@
}
if (new_allocated_size > d->allocated_size) {
- d->buffer = av_realloc(d->buffer, new_allocated_size);
+ d->buffer = av_realloc_f(d->buffer, 1, new_allocated_size);
if(d->buffer == NULL)
return AVERROR(ENOMEM);
d->allocated_size = new_allocated_size;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/avs.c
^
|
@@ -163,10 +163,14 @@
sub_type = avio_r8(s->pb);
type = avio_r8(s->pb);
size = avio_rl16(s->pb);
+ if (size < 4)
+ return AVERROR_INVALIDDATA;
avs->remaining_frame_size -= size;
switch (type) {
case AVS_PALETTE:
+ if (size - 4 > sizeof(palette))
+ return AVERROR_INVALIDDATA;
ret = avio_read(s->pb, palette, size - 4);
if (ret < size - 4)
return AVERROR(EIO);
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/gxfenc.c
^
|
@@ -340,8 +340,9 @@
if (!rewrite) {
if (!(gxf->map_offsets_nb % 30)) {
- gxf->map_offsets = av_realloc(gxf->map_offsets,
- (gxf->map_offsets_nb+30)*sizeof(*gxf->map_offsets));
+ gxf->map_offsets = av_realloc_f(gxf->map_offsets,
+ sizeof(*gxf->map_offsets),
+ gxf->map_offsets_nb+30);
if (!gxf->map_offsets) {
av_log(s, AV_LOG_ERROR, "could not realloc map offsets\n");
return -1;
@@ -876,8 +877,9 @@
if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
if (!(gxf->flt_entries_nb % 500)) {
- gxf->flt_entries = av_realloc(gxf->flt_entries,
- (gxf->flt_entries_nb+500)*sizeof(*gxf->flt_entries));
+ gxf->flt_entries = av_realloc_f(gxf->flt_entries,
+ sizeof(*gxf->flt_entries),
+ gxf->flt_entries_nb+500);
if (!gxf->flt_entries) {
av_log(s, AV_LOG_ERROR, "could not reallocate flt entries\n");
return -1;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/matroskadec.c
^
|
@@ -964,6 +964,7 @@
uint8_t* data = *buf;
int isize = *buf_size;
uint8_t* pkt_data = NULL;
+ uint8_t* newpktdata;
int pkt_size = isize;
int result = 0;
int olen;
@@ -993,7 +994,12 @@
zstream.avail_in = isize;
do {
pkt_size *= 3;
- pkt_data = av_realloc(pkt_data, pkt_size);
+ newpktdata = av_realloc(pkt_data, pkt_size);
+ if (!newpktdata) {
+ inflateEnd(&zstream);
+ goto failed;
+ }
+ pkt_data = newpktdata;
zstream.avail_out = pkt_size - zstream.total_out;
zstream.next_out = pkt_data + zstream.total_out;
if (pkt_data) {
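Review bot: `pkt_size` is an `int` that is tripled on every pass with no upper limit, so compressed input that keeps demanding more output drives both the allocation size and the multiplication itself toward `INT_MAX`, and signed overflow there is undefined behaviour. A cap before the multiply, e.g. `if (pkt_size > INT_MAX / 3) { inflateEnd(&zstream); goto failed; }` (or a tighter, documented limit on decompressed size), bounds memory use for malformed files. The bzip2 loop in the next hunk needs the same guard with `BZ2_bzDecompressEnd`. With the new NULL check in place the following `if (pkt_data)` test is always true and can go. The loop's exit condition is outside the hunk.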
@@ -1017,7 +1023,12 @@
bzstream.avail_in = isize;
do {
pkt_size *= 3;
- pkt_data = av_realloc(pkt_data, pkt_size);
+ newpktdata = av_realloc(pkt_data, pkt_size);
+ if (!newpktdata) {
+ BZ2_bzDecompressEnd(&bzstream);
+ goto failed;
+ }
+ pkt_data = newpktdata;
bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
bzstream.next_out = pkt_data + bzstream.total_out_lo32;
if (pkt_data) {
@@ -1800,7 +1811,7 @@
lace_size[n] = lace_size[n - 1] + snum;
total += lace_size[n];
}
- lace_size[n] = size - total;
+ lace_size[laces - 1] = size - total;
break;
}
}
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/matroskaenc.c
^
|
@@ -1209,7 +1209,6 @@
mkv_write_packet,
mkv_write_trailer,
.flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS,
- .codec_tag = (const AVCodecTag* const []){ff_codec_bmp_tags, ff_codec_wav_tags, 0},
.subtitle_codec = CODEC_ID_TEXT,
};
#endif
@@ -1243,6 +1242,5 @@
mkv_write_packet,
mkv_write_trailer,
.flags = AVFMT_GLOBALHEADER,
- .codec_tag = (const AVCodecTag* const []){ff_codec_wav_tags, 0},
};
#endif
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/mov.c
^
|
@@ -755,7 +755,8 @@
}
/* FIXME modify qdm2/svq3/h264 decoders to take full atom as extradata */
-static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom,
+ enum CodecID codec_id)
{
AVStream *st;
uint64_t size;
@@ -764,6 +765,10 @@
if (c->fc->nb_streams < 1) // will happen with jp2 files
return 0;
st= c->fc->streams[c->fc->nb_streams-1];
+
+ if (st->codec->codec_id != codec_id)
+ return 0; /* unexpected codec_id - don't mess with extradata */
+
size= (uint64_t)st->codec->extradata_size + atom.size + 8 + FF_INPUT_BUFFER_PADDING_SIZE;
if(size > INT_MAX || (uint64_t)atom.size > INT_MAX)
return -1;
@@ -779,6 +784,27 @@
return 0;
}
+/* wrapper functions for reading ALAC/AVS/MJPEG/MJPEG2000 extradata atoms only for those codecs */
+static int mov_read_alac(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_ALAC);
+}
+
+static int mov_read_avss(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_AVS);
+}
+
+static int mov_read_fiel(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_MJPEG);
+}
+
+static int mov_read_jp2h(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_JPEG2000);
+}
+
static int mov_read_wave(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
AVStream *st;
@@ -2228,7 +2254,7 @@
}
static const MOVParseTableEntry mov_default_parse_table[] = {
-{ MKTAG('a','v','s','s'), mov_read_extradata },
+{ MKTAG('a','v','s','s'), mov_read_avss },
{ MKTAG('c','h','p','l'), mov_read_chpl },
{ MKTAG('c','o','6','4'), mov_read_stco },
{ MKTAG('c','t','t','s'), mov_read_ctts }, /* composition time to sample */
@@ -2237,12 +2263,12 @@
{ MKTAG('e','d','t','s'), mov_read_default },
{ MKTAG('e','l','s','t'), mov_read_elst },
{ MKTAG('e','n','d','a'), mov_read_enda },
-{ MKTAG('f','i','e','l'), mov_read_extradata },
+{ MKTAG('f','i','e','l'), mov_read_fiel },
{ MKTAG('f','t','y','p'), mov_read_ftyp },
{ MKTAG('g','l','b','l'), mov_read_glbl },
{ MKTAG('h','d','l','r'), mov_read_hdlr },
{ MKTAG('i','l','s','t'), mov_read_ilst },
-{ MKTAG('j','p','2','h'), mov_read_extradata },
+{ MKTAG('j','p','2','h'), mov_read_jp2h },
{ MKTAG('m','d','a','t'), mov_read_mdat },
{ MKTAG('m','d','h','d'), mov_read_mdhd },
{ MKTAG('m','d','i','a'), mov_read_default },
@@ -2253,7 +2279,7 @@
{ MKTAG('m','v','e','x'), mov_read_default },
{ MKTAG('m','v','h','d'), mov_read_mvhd },
{ MKTAG('S','M','I',' '), mov_read_smi }, /* Sorenson extension ??? */
-{ MKTAG('a','l','a','c'), mov_read_extradata }, /* alac specific atom */
+{ MKTAG('a','l','a','c'), mov_read_alac }, /* alac specific atom */
{ MKTAG('a','v','c','C'), mov_read_glbl },
{ MKTAG('p','a','s','p'), mov_read_pasp },
{ MKTAG('s','t','b','l'), mov_read_default },
@@ -2376,14 +2402,21 @@
// The samples could theoretically be in any encoding if there's an encd
// atom following, but in practice are only utf-8 or utf-16, distinguished
// instead by the presence of a BOM
- ch = avio_rb16(sc->pb);
- if (ch == 0xfeff)
- avio_get_str16be(sc->pb, len, title, title_len);
- else if (ch == 0xfffe)
- avio_get_str16le(sc->pb, len, title, title_len);
- else {
- AV_WB16(title, ch);
- get_strz(sc->pb, title + 2, len - 1);
+ if (!len) {
+ title[0] = 0;
+ } else {
+ ch = avio_rb16(sc->pb);
+ if (ch == 0xfeff)
+ avio_get_str16be(sc->pb, len, title, title_len);
+ else if (ch == 0xfffe)
+ avio_get_str16le(sc->pb, len, title, title_len);
+ else {
+ AV_WB16(title, ch);
+ if (len == 1 || len == 2)
+ title[len] = 0;
+ else
+ get_strz(sc->pb, title + 2, len - 1);
+ }
}
ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);
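Review bot: `avio_rb16` runs for every non-zero `len`, so a one-byte sample (`len == 1`) still pulls two bytes from the stream and `AV_WB16` stores both into `title` before `title[len] = 0` cuts it back. Reading a single byte with `avio_r8` in that case would avoid consuming data that belongs to whatever follows the sample. The block also relies on `title` holding at least three bytes and on `title_len` covering `len - 1` bytes after the first two; a comment stating that requirement next to the allocation would help, since the allocation is outside the hunk.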
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/movenc.c
^
|
@@ -1223,7 +1223,8 @@
avio_wb32(pb, 0); /* reserved */
avio_wb32(pb, 0); /* reserved */
- avio_wb32(pb, 0x0); /* reserved (Layer & Alternate group) */
+ avio_wb16(pb, 0); /* layer */
+ avio_wb16(pb, st ? st->codec->codec_type : 0); /* alternate group) */
/* Volume, only for audio */
if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO)
avio_wb16(pb, 0x0100);
@@ -2058,7 +2059,7 @@
}
if (!(trk->entry % MOV_INDEX_CLUSTER_SIZE)) {
- trk->cluster = av_realloc(trk->cluster, (trk->entry + MOV_INDEX_CLUSTER_SIZE) * sizeof(*trk->cluster));
+ trk->cluster = av_realloc_f(trk->cluster, sizeof(*trk->cluster), (trk->entry + MOV_INDEX_CLUSTER_SIZE));
if (!trk->cluster)
return -1;
}
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/mp3enc.c
^
|
@@ -51,11 +51,12 @@
buf[0] = 'T';
buf[1] = 'A';
buf[2] = 'G';
- count += id3v1_set_string(s, "TIT2", buf + 3, 30); //title
- count += id3v1_set_string(s, "TPE1", buf + 33, 30); //author|artist
- count += id3v1_set_string(s, "TALB", buf + 63, 30); //album
- count += id3v1_set_string(s, "TDRL", buf + 93, 4); //date
- count += id3v1_set_string(s, "comment", buf + 97, 30);
+ /* we knowingly overspecify each tag length by one byte to compensate for the mandatory null byte added by av_strlcpy */
+ count += id3v1_set_string(s, "TIT2", buf + 3, 30 + 1); //title
+ count += id3v1_set_string(s, "TPE1", buf + 33, 30 + 1); //author|artist
+ count += id3v1_set_string(s, "TALB", buf + 63, 30 + 1); //album
+ count += id3v1_set_string(s, "TDRL", buf + 93, 4 + 1); //date
+ count += id3v1_set_string(s, "comment", buf + 97, 30 + 1);
if ((tag = av_dict_get(s->metadata, "TRCK", NULL, 0))) { //track
buf[125] = 0;
buf[126] = atoi(tag->value);
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/mpc8.c
^
|
@@ -264,7 +264,7 @@
return AVERROR(EIO);
mpc8_handle_chunk(s, tag, pos, size);
}
- return 0;
+ return AVERROR_EOF;
}
static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags)
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/mpegts.c
^
|
@@ -1083,7 +1083,7 @@
// stop parsing after pmt, we found header
if (!ts->stream->nb_streams)
- ts->stop_parse = 1;
+ ts->stop_parse = 2;
for(;;) {
st = 0;
@@ -1403,11 +1403,15 @@
ts->stop_parse = 0;
packet_num = 0;
for(;;) {
- if (ts->stop_parse>0)
- break;
packet_num++;
- if (nb_packets != 0 && packet_num >= nb_packets)
+ if (nb_packets != 0 && packet_num >= nb_packets ||
+ ts->stop_parse > 1) {
+ ret = AVERROR(EAGAIN);
+ break;
+ }
+ if (ts->stop_parse > 0)
break;
+
ret = read_packet(s, packet, ts->raw_packet_size);
if (ret != 0)
return ret;
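Review bot: `ts->stop_parse` now carries three meanings (0, 1 and 2) that can only be worked out by reading all three hunks. Named constants, or at least a comment at the field such as `/* 0: keep parsing, 1: packet complete, 2: header found, return EAGAIN */`, would make the `> 1`, `> 0` and `== 1` tests reviewable. The new condition also mixes `&&` and `||` without grouping; `if ((nb_packets != 0 && packet_num >= nb_packets) || ts->stop_parse > 1) {` says what is meant and avoids the compiler warning. The meanings in the suggested comment are inferred from these hunks and should be confirmed by the author.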
@@ -1858,10 +1862,8 @@
len1 = len;
ts->pkt = pkt;
- ts->stop_parse = 0;
for(;;) {
- if (ts->stop_parse>0)
- break;
+ ts->stop_parse = 0;
if (len < TS_PACKET_SIZE)
return -1;
if (buf[0] != 0x47) {
@@ -1871,6 +1873,8 @@
handle_packet(ts, buf);
buf += TS_PACKET_SIZE;
len -= TS_PACKET_SIZE;
+ if (ts->stop_parse == 1)
+ break;
}
}
return len1 - len;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/mpegtsenc.c
^
|
@@ -84,7 +84,7 @@
{ "mpegts_service_id", "Set service_id field.",
offsetof(MpegTSWrite, service_id), FF_OPT_TYPE_INT, {.dbl = 0x0001 }, 0x0001, 0xffff, AV_OPT_FLAG_ENCODING_PARAM},
{ "mpegts_pmt_start_pid", "Set the first pid of the PMT.",
- offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x1000, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM},
+ offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x0010, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM},
{ "mpegts_start_pid", "Set the first pid.",
offsetof(MpegTSWrite, start_pid), FF_OPT_TYPE_INT, {.dbl = 0x0100 }, 0x0100, 0x0f00, AV_OPT_FLAG_ENCODING_PARAM},
{ NULL },
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/mxfdec.c
^
|
@@ -223,12 +223,13 @@
if (length > 61444) /* worst case PAL 1920 samples 8 channels */
return -1;
- av_new_packet(pkt, length);
- avio_read(pb, pkt->data, length);
+ length = av_get_packet(pb, pkt, length);
+ if (length < 0)
+ return length;
data_ptr = pkt->data;
end_ptr = pkt->data + length;
buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */
- for (; buf_ptr < end_ptr; ) {
+ for (; buf_ptr + st->codec->channels*4 < end_ptr; ) {
for (i = 0; i < st->codec->channels; i++) {
uint32_t sample = bytestream_get_le32(&buf_ptr);
if (st->codec->bits_per_coded_sample == 24)
@@ -238,7 +239,7 @@
}
buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M
}
- pkt->size = data_ptr - pkt->data;
+ av_shrink_packet(pkt, data_ptr - pkt->data);
return 0;
}
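Review bot: The new loop bound uses `<`, so a final sample group that ends exactly at `end_ptr` is skipped; with 8 channels (`channels*4 == 32`, the full stored frame per the comment below) that drops the last frame of every packet. It also forms `buf_ptr + channels*4` before comparing, which can point beyond the buffer. The difference form fixes both: `for (; end_ptr - buf_ptr >= st->codec->channels * 4; ) {`. Nothing in the hunk bounds `st->codec->channels` to 8, and `32 - st->codec->channels*4` goes negative above that, so a check on the channel count belongs here too if the caller does not already enforce it.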
@@ -290,12 +291,16 @@
if (memcmp(tmpbuf, checkv, 16))
av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n");
size -= 32;
- av_get_packet(pb, pkt, size);
+ size = av_get_packet(pb, pkt, size);
+ if (size < 0)
+ return size;
+ else if (size < plaintext_size)
+ return AVERROR_INVALIDDATA;
size -= plaintext_size;
if (mxf->aesc)
av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size],
&pkt->data[plaintext_size], size >> 4, ivec, 1);
- pkt->size = orig_size;
+ av_shrink_packet(pkt, orig_size);
pkt->stream_index = index;
avio_skip(pb, end - avio_tell(pb));
return 0;
@@ -332,8 +337,11 @@
av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n");
return -1;
}
- } else
- av_get_packet(s->pb, pkt, klv.length);
+ } else {
+ int ret = av_get_packet(s->pb, pkt, klv.length);
+ if (ret < 0)
+ return ret;
+ }
pkt->stream_index = index;
pkt->pos = klv.offset;
return 0;
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/psxstr.c
^
|
@@ -68,6 +68,8 @@
static int str_probe(AVProbeData *p)
{
uint8_t *sector= p->buf;
+ uint8_t *end= sector + p->buf_size;
+ int aud=0, vid=0;
if (p->buf_size < RAW_CD_SECTOR_SIZE)
return 0;
@@ -79,20 +81,52 @@
sector += RIFF_HEADER_SIZE;
}
- /* look for CD sync header (00, 0xFF x 10, 00) */
- if (memcmp(sector,sync_header,sizeof(sync_header)))
- return 0;
-
- if(sector[0x11] >= 32)
- return 0;
- if( (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_VIDEO
- && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_AUDIO
- && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_DATA)
- return 0;
-
+ while (end - sector >= RAW_CD_SECTOR_SIZE) {
+ /* look for CD sync header (00, 0xFF x 10, 00) */
+ if (memcmp(sector,sync_header,sizeof(sync_header)))
+ return 0;
+
+ if (sector[0x11] >= 32)
+ return 0;
+
+ switch (sector[0x12] & CDXA_TYPE_MASK) {
+ case CDXA_TYPE_DATA:
+ case CDXA_TYPE_VIDEO: {
+ int current_sector = AV_RL16(§or[0x1C]);
+ int sector_count = AV_RL16(§or[0x1E]);
+ int frame_size = AV_RL32(§or[0x24]);
+
+ if(!( frame_size>=0
+ && current_sector < sector_count
+ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
+ return 0;
+ }
+
+ /*st->codec->width = AV_RL16(§or[0x28]);
+ st->codec->height = AV_RL16(§or[0x2A]);*/
+
+// if (current_sector == sector_count-1) {
+ vid++;
+// }
+
+ }
+ break;
+ case CDXA_TYPE_AUDIO:
+ if(sector[0x13]&0x2A)
+ return 0;
+ aud++;
+ break;
+ default:
+ if(sector[0x12] & CDXA_TYPE_MASK)
+ return 0;
+ }
+ sector += RAW_CD_SECTOR_SIZE;
+ }
/* MPEG files (like those ripped from VCDs) can also look like this;
* only return half certainty */
- return 50;
+ if(vid+aud > 3) return 50;
+ else if(vid+aud) return 1;
+ else return 0;
}
static int str_read_header(AVFormatContext *s,
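Review bot: The rewritten probe carries two pieces of dead code in its new lines: the commented-out `st->codec->width`/`height` assignments, where no `st` is declared in the visible probe body, and the commented-out `if (current_sector == sector_count-1)` around `vid++`. Both should be deleted or replaced by a sentence saying why every video sector is counted. The trailing comment "only return half certainty" no longer matches the three-way result and could read `/* 50 needs more than three consistent sectors; fewer matches score 1 */`. The reads at `sector[0x24]` are safe only while `RAW_CD_SECTOR_SIZE` exceeds 0x28; its value is not visible here.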
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/riff.c
^
|
@@ -287,6 +287,7 @@
{ CODEC_ID_ADPCM_YAMAHA, 0x0020 },
{ CODEC_ID_TRUESPEECH, 0x0022 },
{ CODEC_ID_GSM_MS, 0x0031 },
+ { CODEC_ID_AMR_NB, 0x0038 }, /* rogue format number */
{ CODEC_ID_ADPCM_G726, 0x0045 },
{ CODEC_ID_MP2, 0x0050 },
{ CODEC_ID_MP3, 0x0055 },
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/rtpdec.c
^
|
@@ -111,14 +111,15 @@
static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len)
{
int payload_len;
- while (len >= 2) {
+ while (len >= 4) {
+ payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4);
+
switch (buf[1]) {
case RTCP_SR:
- if (len < 16) {
+ if (payload_len < 20) {
av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n");
return AVERROR_INVALIDDATA;
}
- payload_len = (AV_RB16(buf + 2) + 1) * 4;
s->last_rtcp_ntp_time = AV_RB64(buf + 8);
s->last_rtcp_timestamp = AV_RB32(buf + 16);
@@ -129,14 +130,13 @@
s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp;
}
- buf += payload_len;
- len -= payload_len;
break;
case RTCP_BYE:
return -RTCP_BYE;
- default:
- return -1;
}
+
+ buf += payload_len;
+ len -= payload_len;
}
return -1;
}
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/tta.c
^
|
@@ -107,6 +107,10 @@
return -1;
}
st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE);
+ if (!st->codec->extradata) {
+ st->codec->extradata_size = 0;
+ return AVERROR(ENOMEM);
+ }
avio_seek(s->pb, start_offset, SEEK_SET);
avio_read(s->pb, st->codec->extradata, st->codec->extradata_size);
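Review bot: The new allocation check is followed by `avio_seek` and `avio_read` calls whose results are still ignored, so a truncated file leaves `extradata` holding zeros from `av_mallocz` (or a partial header) while `extradata_size` claims it is complete. Checking the read closes that: `if (avio_read(s->pb, st->codec->extradata, st->codec->extradata_size) != st->codec->extradata_size) return AVERROR(EIO);`. Whether the caller releases `extradata` on that error path is outside the hunk.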
|
|
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/utils.c
^
|
@@ -2396,9 +2396,9 @@
}
{
int64_t last = st->info->last_dts;
- int64_t duration= pkt->dts - last;
- if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){
+ if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){
+ int64_t duration= pkt->dts - last;
double dur= duration * av_q2d(st->time_base);
// if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO)
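Review bot: Moving the subtraction inside the guarded branch deserves a comment, because the reason is not visible in the new lines: `AV_NOPTS_VALUE` is the most negative `int64_t`, so computing `pkt->dts - last` before the validity checks could overflow a signed integer. A line such as `/* subtract only after both timestamps are known valid and ordered; AV_NOPTS_VALUE would overflow the difference */` above `int64_t duration` would keep a later cleanup from hoisting it again. The enclosing block starts and ends outside the hunk.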
@@ -2659,13 +2659,13 @@
av_free_packet(&st->cur_pkt);
}
av_dict_free(&st->metadata);
- av_free(st->index_entries);
- av_free(st->codec->extradata);
- av_free(st->codec->subtitle_header);
- av_free(st->codec);
- av_free(st->priv_data);
- av_free(st->info);
- av_free(st);
+ av_freep(&st->index_entries);
+ av_freep(&st->codec->extradata);
+ av_freep(&st->codec->subtitle_header);
+ av_freep(&st->codec);
+ av_freep(&st->priv_data);
+ av_freep(&st->info);
+ av_freep(&st);
}
for(i=s->nb_programs-1; i>=0; i--) {
av_dict_free(&s->programs[i]->metadata);
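Review bot: `av_freep(&st)` clears only the local variable `st`; if `st` was loaded from the context's stream array before the hunk (not visible here), that array slot still holds the freed address. If the point of switching to `av_freep()` is that no dangling pointer survives, the owning element should be cleared instead, e.g. `av_freep(&s->streams[i]);` in place of `av_freep(&st);`. The other conversions in this hunk, and the chapter loop in the next one, do clear the real owner field. The loop starts outside the hunk.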
@@ -2676,7 +2676,7 @@
av_freep(&s->priv_data);
while(s->nb_chapters--) {
av_dict_free(&s->chapters[s->nb_chapters]->metadata);
- av_free(s->chapters[s->nb_chapters]);
+ av_freep(&s->chapters[s->nb_chapters]);
}
av_freep(&s->chapters);
av_dict_free(&s->metadata);
@@ -2958,7 +2958,9 @@
ret = AVERROR(EINVAL);
goto fail;
}
- if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)){
+ if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)
+ && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.004*av_q2d(st->sample_aspect_ratio)
+ ){
av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n");
ret = AVERROR(EINVAL);
goto fail;
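Review bot: The tolerance `0.004` in the new condition is an unexplained magic number, and the difference is scaled by `st->sample_aspect_ratio` only, so the outcome depends on which side is taken as the reference. A short comment stating the intended tolerance (0.4 % of the muxer-side ratio) and why exact equality was too strict would help. As far as the visible expression goes, a zero `st->sample_aspect_ratio` makes the right-hand side 0, so the test falls back to the old exact comparison, while a zero denominator makes it non-finite and the test can never fire; both cases are worth a note or an explicit guard. The enclosing function continues outside the hunk.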
@@ -3435,7 +3437,7 @@
int is_output)
{
int i;
- uint8_t *printed = av_mallocz(ic->nb_streams);
+ uint8_t *printed = ic->nb_streams ? av_mallocz(ic->nb_streams) : NULL;
if (ic->nb_streams && !printed)
return;
Changed |
ffmpeg-0.8.6.tar.bz2/libavformat/westwood.c
@@ -277,10 +277,8 @@
/* there are 0 or more chunks before the FINF chunk; iterate until
* FINF has been skipped and the file will be ready to be demuxed */
do {
- if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) {
- av_free(st->codec->extradata);
+ if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE)
return AVERROR(EIO);
- }
chunk_tag = AV_RB32(&scratch[0]);
chunk_size = AV_RB32(&scratch[4]);
Changed |
ffmpeg-0.8.6.tar.bz2/libavutil/arm/intmath.h
@@ -104,7 +104,7 @@
"mvnne %1, #1<<31 \n\t"
"moveq %0, %Q2 \n\t"
"eorne %0, %1, %R2, asr #31 \n\t"
- : "=r"(x), "=&r"(y) : "r"(a));
+ : "=r"(x), "=&r"(y) : "r"(a):"cc");
return x;
}
Changed |
ffmpeg-0.8.6.tar.bz2/libavutil/crc.c
@@ -57,7 +57,7 @@
* @return <0 on failure
*/
int av_crc_init(AVCRC *ctx, int le, int bits, uint32_t poly, int ctx_size){
- int i, j;
+ unsigned i, j;
uint32_t c;
if (bits < 8 || bits > 32 || poly >= (1LL<<bits))
Changed |
ffmpeg-0.8.6.tar.bz2/libavutil/mem.c
@@ -137,12 +137,29 @@
//FIXME this isn't aligned correctly, though it probably isn't needed
if(!ptr) return av_malloc(size);
diff= ((char*)ptr)[-1];
- return (char*)realloc((char*)ptr - diff, size + diff) + diff;
+ ptr= realloc((char*)ptr - diff, size + diff);
+ if(ptr) ptr = (char*)ptr + diff;
+ return ptr;
#else
return realloc(ptr, size + !size);
#endif
}
+void *av_realloc_f(void *ptr, size_t nelem, size_t elsize)
+{
+ size_t size;
+ void *r;
+
+ if (av_size_mult(elsize, nelem, &size)) {
+ av_free(ptr);
+ return NULL;
+ }
+ r = av_realloc(ptr, size);
+ if (!r && size)
+ av_free(ptr);
+ return r;
+}
+
void av_free(void *ptr)
{
#if CONFIG_MEMALIGN_HACK
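Review bot: In `av_realloc_f()` the failure branch `if (!r && size)` skips the free when the computed size is zero, which the header comment ("frees the input block in case of failure") does not mention. A comment next to the test, e.g. `/* size == 0: a NULL result is not treated as a failure, ptr is not freed here */`, would document that case. Because the function frees `ptr` on every other failure, each caller has to overwrite its own pointer with the return value and must not touch the old block afterwards. `av_realloc()` starts outside the hunk, so its own size limit is not visible here.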
@@ -168,6 +185,13 @@
return ptr;
}
+void *av_calloc(size_t nmemb, size_t size)
+{
+ if (size <= 0 || nmemb >= INT_MAX / size)
+ return NULL;
+ return av_mallocz(nmemb * size);
+}
+
char *av_strdup(const char *s)
{
char *ptr= NULL;
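Review bot: `av_calloc()` tests `size <= 0` on a `size_t`, which can only ever mean `size == 0`, and it bounds the product with `INT_MAX / size` while `av_realloc_f()` in the same file uses `av_size_mult()`. Writing the guard as `if (!size || nmemb >= INT_MAX / size)` states what is actually checked, and using one overflow helper for both allocators would keep the two limits from drifting apart. `INT_MAX` also needs `<limits.h>`, whose inclusion is not visible in this hunk.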
Changed |
ffmpeg-0.8.6.tar.bz2/libavutil/mem.h
@@ -27,6 +27,7 @@
#define AVUTIL_MEM_H
#include "attributes.h"
+#include "error.h"
#include "avutil.h"
#if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 1110 || defined(__SUNPRO_C)
@@ -87,6 +88,16 @@
void *av_realloc(void *ptr, size_t size) av_alloc_size(2);
/**
+ * Allocate or reallocate a block of memory.
+ * This function does the same thing as av_realloc, except:
+ * - It takes two arguments and checks the result of the multiplication for
+ * integer overflow.
+ * - It frees the input block in case of failure, thus avoiding the memory
+ * leak with the classic "buf = realloc(buf); if (!buf) return -1;".
+ */
+void *av_realloc_f(void *ptr, size_t nelem, size_t elsize);
+
+/**
* Free a memory block which has been allocated with av_malloc(z)() or
* av_realloc().
* @param ptr Pointer to the memory block which should be freed.
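Review bot: The new doc comment for `av_realloc_f()` has no `@param` or `@return` entries and does not say outright that `ptr` is invalid after a failed call. Adding `@param nelem number of elements`, `@param elsize size of one element in bytes` and `@return pointer to the new block, or NULL on failure, in which case ptr has been freed` would make it explicit that the caller must store the result back into its own pointer. Without that, the pattern `if (!av_realloc_f(buf, n, sz)) goto fail;` followed by a free of `buf` in the cleanup path is an easy double free to write.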
@@ -107,6 +118,18 @@
void *av_mallocz(size_t size) av_malloc_attrib av_alloc_size(1);
/**
+ * Allocate a block of nmemb * size bytes with alignment suitable for all
+ * memory accesses (including vectors if available on the CPU) and
+ * zero all the bytes of the block.
+ * The allocation will fail if nmemb * size is greater than or equal
+ * to INT_MAX.
+ * @param nmemb
+ * @param size
+ * @return Pointer to the allocated block, NULL if it cannot be allocated.
+ */
+void *av_calloc(size_t nmemb, size_t size) av_malloc_attrib;
+
+/**
* Duplicate the string s.
* @param s string to be duplicated
* @return Pointer to a newly allocated string containing a
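Review bot: The `@param nmemb` and `@param size` tags in the `av_calloc()` comment are empty. Fill them in, e.g. `@param nmemb Number of elements` and `@param size Size of a single element in bytes`. The comment should also mention that a `size` of 0 returns NULL, which is what the implementation added in mem.c does.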
@@ -132,4 +155,19 @@
*/
void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem);
+/**
+ * Multiply two size_t values checking for overflow.
+ * @return 0 if success, AVERROR(EINVAL) if overflow.
+ */
+static inline int av_size_mult(size_t a, size_t b, size_t *r)
+{
+ size_t t = a * b;
+ /* Hack inspired from glibc: only try the division if nelem and elsize
+ * are both greater than sqrt(SIZE_MAX). */
+ if ((a | b) >= ((size_t)1 << (sizeof(size_t) * 4)) && a && t / a != b)
+ return AVERROR(EINVAL);
+ *r = t;
+ return 0;
+}
+
#endif /* AVUTIL_MEM_H */
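Review bot: The comment inside `av_size_mult()` does not match the code: it names `nelem` and `elsize` although the parameters are `a` and `b`, and it says the division is tried only when both exceed sqrt(SIZE_MAX), whereas `(a | b) >= ...` is true as soon as either operand has a bit set in the upper half. Suggested wording: `/* Only try the division if a or b is at least 2^(bits/2); below that the product cannot overflow. */`. The doc comment could also state that `*r` is left untouched when `AVERROR(EINVAL)` is returned, so callers do not read it on the error path.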
Changed |
ffmpeg-0.8.6.tar.bz2/libswscale/Makefile
@@ -20,6 +20,8 @@
x86/yuv2rgb_mmx.o
OBJS-$(HAVE_VIS) += sparc/yuv2rgb_vis.o
+$(SUBDIR)x86/swscale_mmx.o: CFLAGS += $(NOREDZONE_FLAGS)
+
TESTPROGS = colorspace swscale
DIRS = bfin mlib ppc sparc x86
Changed |
ffmpeg-0.8.6.tar.bz2/libswscale/ppc/swscale_altivec.c
@@ -251,7 +251,7 @@
vector unsigned char src_v1, src_vF;
vector signed short src_v, filter_v;
vector signed int val_vEven, val_s;
- if ((((int)src + srcPos)% 16) > 12) {
+ if ((((uintptr_t)src + srcPos) % 16) > 12) {
src_v1 = vec_ld(srcPos + 16, src);
}
src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src));
@@ -290,7 +290,7 @@
vector unsigned char src_v1, src_vF;
vector signed short src_v, filter_v;
vector signed int val_v, val_s;
- if ((((int)src + srcPos)% 16) > 8) {
+ if ((((uintptr_t)src + srcPos) % 16) > 8) {
src_v1 = vec_ld(srcPos + 16, src);
}
src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src));
@@ -376,7 +376,7 @@
//vector unsigned char src_v0 = vec_ld(srcPos + j, src);
vector unsigned char src_v1, src_vF;
vector signed short src_v, filter_v1R, filter_v;
- if ((((int)src + srcPos)% 16) > 8) {
+ if ((((uintptr_t)src + srcPos) % 16) > 8) {
src_v1 = vec_ld(srcPos + j + 16, src);
}
src_vF = vec_perm(src_v0, src_v1, permS);
Changed |
ffmpeg-0.8.6.tar.bz2/libswscale/x86/swscale_template.c
@@ -2240,10 +2240,6 @@
#if defined(PIC)
DECLARE_ALIGNED(8, uint64_t, ebxsave);
#endif
- // HACK: gcc 4.6 no longer decrements esp,
- // use this to make it reserve space for the call
- // return address
- void *dummy;
__asm__ volatile(
#if defined(PIC)
@@ -2295,7 +2291,6 @@
#if defined(PIC)
,"m" (ebxsave)
#endif
- ,"m" (dummy)
: "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
#if !defined(PIC)
,"%"REG_b
@@ -2317,10 +2312,6 @@
#if defined(PIC)
DECLARE_ALIGNED(8, uint64_t, ebxsave);
#endif
- // HACK: gcc 4.6 no longer decrements esp,
- // use this to make it reserve space for the call
- // return address
- void *dummy;
__asm__ volatile(
#if defined(PIC)
@@ -2360,7 +2351,6 @@
#if defined(PIC)
,"m" (ebxsave)
#endif
- ,"m" (dummy)
: "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
#if !defined(PIC)
,"%"REG_b
Changed |
ffmpeg-0.8.6.tar.bz2/tests/fate.mak
@@ -128,7 +128,7 @@
fate-id-cin-video: CMD = framecrc -i $(SAMPLES)/idcin/idlog-2MB.cin -pix_fmt rgb24
FATE_TESTS += fate-idroq-video-dpcm
fate-idroq-video-dpcm: CMD = framecrc -i $(SAMPLES)/idroq/idlogo.roq
-FATE_TESTS += fate-idroq-video-encode
+FATE_TESTS-$(CONFIG_AVFILTER) += fate-idroq-video-encode
fate-idroq-video-encode: CMD = md5 -t 0.2 -f image2 -vcodec pgmyuv -i $(SAMPLES)/ffmpeg-synthetic/vsynth1/%02d.pgm -sws_flags +bitexact -vf pad=512:512:80:112 -f RoQ
FATE_TESTS += fate-iff-byterun1
fate-iff-byterun1: CMD = framecrc -i $(SAMPLES)/iff/ASH.LBM -pix_fmt rgb24
Changed |
ffmpeg-0.8.6.tar.bz2/tests/lavf-regression.sh
@@ -66,6 +66,9 @@
if [ -n "$do_mxf" ] ; then
do_lavf mxf "-ar 48000 -bf 2 -timecode_frame_start 264363"
+fi
+
+if [ -n "$do_mxf_d10" ]; then
do_lavf mxf_d10 "-ar 48000 -ac 2 -r 25 -s 720x576 -vf pad=720:608:0:32 -vcodec mpeg2video -intra -flags +ildct+low_delay -dc 10 -flags2 +ivlc+non_linear_q -qscale 1 -ps 1 -qmin 1 -rc_max_vbv_use 1 -rc_min_vbv_use 1 -pix_fmt yuv422p -minrate 30000k -maxrate 30000k -b 30000k -bufsize 1200000 -top 1 -rc_init_occupancy 1200000 -qmax 12 -f mxf_d10"
fi
Changed |
ffmpeg-0.8.6.tar.bz2/tests/ref/acodec/alac
@@ -1,4 +1,4 @@
-c68f649777ab8e7c9a0f1f221451d3ad *./tests/data/acodec/alac.m4a
+b25bcc7ec3f5c19cdfc01a6bbd32edb8 *./tests/data/acodec/alac.m4a
389386 ./tests/data/acodec/alac.m4a
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/alac.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
Changed |
ffmpeg-0.8.6.tar.bz2/tests/ref/acodec/pcm
@@ -6,7 +6,7 @@
529256 ./tests/data/acodec/pcm_mulaw.wav
1c3eeaa8814ebd4916780dff80ed6dc5 *./tests/data/pcm.acodec.out.wav
stddev: 103.38 PSNR: 56.04 MAXDIFF: 644 bytes: 1058400/ 1058400
-b7936d7170e0efefb379349d81aed360 *./tests/data/acodec/pcm_s8.mov
+760f85fb9f4e8aba326fb44ae84c9507 *./tests/data/acodec/pcm_s8.mov
530837 ./tests/data/acodec/pcm_s8.mov
652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav
stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400
@@ -14,7 +14,7 @@
529244 ./tests/data/acodec/pcm_u8.wav
652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav
stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400
-c42b9c04305455250366c84e17c1023f *./tests/data/acodec/pcm_s16be.mov
+a4e18d1ca9ef5b8132a84d43625ddc47 *./tests/data/acodec/pcm_s16be.mov
1060037 ./tests/data/acodec/pcm_s16be.mov
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
@@ -30,7 +30,7 @@
1060638 ./tests/data/acodec/pcm_s16le.mkv
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
-07ffe7ffb78f3648b6524debdde5aec1 *./tests/data/acodec/pcm_s24be.mov
+971d2d2633e41a0326fe2d04a2d0350f *./tests/data/acodec/pcm_s24be.mov
1589237 ./tests/data/acodec/pcm_s24be.mov
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
@@ -38,7 +38,7 @@
1587668 ./tests/data/acodec/pcm_s24le.wav
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
-d7792f0343cd66fda8b50b569e2bcc48 *./tests/data/acodec/pcm_s32be.mov
+fc4f4e3e195bbde037ed31021d229f12 *./tests/data/acodec/pcm_s32be.mov
2118437 ./tests/data/acodec/pcm_s32be.mov
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
Changed |
ffmpeg-0.8.6.tar.bz2/tests/ref/fate/motionpixels
@@ -109,4 +109,4 @@
0, 648003, 230400, 0xb343f372
0, 654003, 230400, 0xf7f1e588
0, 660003, 230400, 0x9682bdb2
-0, 666003, 230400, 0x538a3db8
+0, 666003, 230400, 0x009f4640
Changed |
ffmpeg-0.8.6.tar.bz2/tests/ref/lavf/mov
@@ -1,3 +1,3 @@
-a901cd05609080e8f5c09ca5da7290f0 *./tests/data/lavf/lavf.mov
+2e2529d01dbe42e4dd63580a351898f5 *./tests/data/lavf/lavf.mov
357681 ./tests/data/lavf/lavf.mov
./tests/data/lavf/lavf.mov CRC=0x2f6a9b26
Changed |
ffmpeg-0.8.6.tar.bz2/tests/ref/lavf/mxf
@@ -1,6 +1,3 @@
785e38ddd2466046f30aa36399b8f8fa *./tests/data/lavf/lavf.mxf
525881 ./tests/data/lavf/lavf.mxf
./tests/data/lavf/lavf.mxf CRC=0x4ace0849
-b3174e2db508564c1cce0b5e3c1bc1bd *./tests/data/lavf/lavf.mxf_d10
-5330989 ./tests/data/lavf/lavf.mxf_d10
-./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e
Added |
ffmpeg-0.8.6.tar.bz2/tests/ref/lavf/mxf_d10
@@ -0,0 +1,3 @@
+b3174e2db508564c1cce0b5e3c1bc1bd *./tests/data/lavf/lavf.mxf_d10
+5330989 ./tests/data/lavf/lavf.mxf_d10
+./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e