Changes of Revision 12
| [-] | Changed | ffmpeg.spec |
|
1 2 %define majorswscale 23 %define libswscale libswscale4 %define libnameswscale %{libswscale}%{majorswscale}5 -%define lastrelease 0.8.46 +%define lastrelease 0.8.67 #define svnsnapshot 2011062123008 9 %bcond_without avfilter10 |
||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/Doxyfile ^ |
| @@ -31,7 +31,7 @@ # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.4 +PROJECT_NUMBER = 0.8.6 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/LICENSE ^ |
| @@ -41,6 +41,6 @@ those licenses. So to combine the OpenCORE libraries with FFmpeg, the license version needs to be upgraded by passing --enable-version3 to configure. -The nonfree external library libfaac can be hooked up in FFmpeg. You need to -pass --enable-nonfree to configure to enable it. Employ this option with care -as FFmpeg then becomes nonfree and unredistributable. +The nonfree external libraries libfaac and libaacplus can be hooked up in FFmpeg. +You need to pass --enable-nonfree to configure to enable it. Employ this option +with care as FFmpeg then becomes nonfree and unredistributable. | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/MAINTAINERS ^ |
| @@ -19,7 +19,7 @@ ffmpeg.c Michael Niedermayer ffplay: - ffplay.c Michael Niedermayer + ffplay.c Marton Balint ffprobe: ffprobe.c Stefano Sabatini | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/Makefile ^ |
| @@ -258,9 +258,12 @@ FATE = $(FATE_ACODEC) \ $(FATE_VCODEC) \ $(FATE_LAVF) \ - $(FATE_LAVFI) \ $(FATE_SEEK) \ +FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI) + +FATE += $(FATE-yes) + $(filter-out %-aref,$(FATE_ACODEC)): $(AREF) $(filter-out %-vref,$(FATE_VCODEC)): $(VREF) $(FATE_LAVF): $(REFS) @@ -282,7 +285,7 @@ fate-seek: $(FATE_SEEK) ifdef SAMPLES -FATE += $(FATE_TESTS) +FATE += $(FATE_TESTS) $(FATE_TESTS-yes) fate-rsync: rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES) else | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/RELEASE ^ |
| @@ -1 +1 @@ -0.8.4 +0.8.6 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/VERSION ^ |
| @@ -1 +1 @@ -0.8.4 +0.8.6 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/configure ^ |
| @@ -162,6 +162,7 @@ --enable-bzlib enable bzlib [autodetect] --enable-libcelt enable CELT/Opus decoding via libcelt [no] --enable-frei0r enable frei0r video filtering + --enable-libaacplus enable AAC+ encoding via libaacplus [no] --enable-libopencore-amrnb enable AMR-NB de/encoding via libopencore-amrnb [no] --enable-libopencore-amrwb enable AMR-WB decoding via libopencore-amrwb [no] --enable-libopencv enable video filtering via libopencv [no] @@ -927,6 +928,8 @@ h264pred hardcoded_tables huffman + libaacplus + libcdio libcelt libdc1394 libdirac @@ -1401,6 +1404,7 @@ h264_parser_select="golomb h264dsp h264pred" # external libraries +libaacplus_encoder_deps="libaacplus" libcelt_decoder_deps="libcelt" libdirac_decoder_deps="libdirac !libschroedinger" libdirac_encoder_deps="libdirac" @@ -1532,7 +1536,7 @@ dep=${v%=*} tests=${v#*=} for name in ${tests}; do - eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'" + append ${name}_test_deps ${dep}$suf1 ${dep}$suf2 done done } @@ -1542,6 +1546,9 @@ eval ${1}_le_test_deps="!bigendian" } +mxf_d10_test_deps="avfilter" +seek_lavf_mxf_d10_test_deps="mxf_d10_test" + test_deps _encoder _decoder \ adpcm_g726=g726 \ adpcm_ima_qt \ @@ -1604,7 +1611,7 @@ mmf \ mov \ pcm_mulaw=mulaw \ - mxf \ + mxf="mxf mxf_d10" \ nut \ ogg \ rawvideo=pixfmt \ @@ -2196,7 +2203,7 @@ arch="sparc" subarch="sparc64" ;; - i[3-6]86|i86pc|BePC|x86pc|x86_64|amd64) + i[3-6]86|i86pc|BePC|x86pc|x86_64|x86_32|amd64) arch="x86" ;; esac @@ -2584,6 +2591,7 @@ die_license_disabled gpl libxvid die_license_disabled gpl x11grab +die_license_disabled nonfree libaacplus die_license_disabled nonfree libfaac die_license_disabled version3 libopencore_amrnb @@ -2916,6 +2924,7 @@ enabled avisynth && require2 vfw32 "windows.h vfw.h" AVIFileInit -lavifil32 enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0 enabled frei0r && { check_header frei0r.h || die "ERROR: frei0r.h header not found"; } +enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus enabled libdc1394 && require_pkg_config libdc1394-2 dc1394/dc1394.h dc1394_new enabled libdirac && require_pkg_config dirac \ "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h" \ @@ -3073,6 +3082,10 @@ fi check_cflags -fno-math-errno check_cflags -fno-signed-zeros +check_cc -mno-red-zone <<EOF && noredzone_flags="-mno-red-zone" +int x; +EOF + if enabled icc; then # Just warnings, no remarks @@ -3151,7 +3164,7 @@ enabled asm || { arch=c; disable $ARCH_LIST $ARCH_EXT_LIST; } -if test $target_os == "haiku"; then +if test $target_os = "haiku"; then disable memalign disable posix_memalign fi @@ -3223,6 +3236,7 @@ echo "libdc1394 support ${libdc1394-no}" echo "libdirac enabled ${libdirac-no}" echo "libfaac enabled ${libfaac-no}" +echo "libaacplus enabled ${libaacplus-no}" echo "libgsm enabled ${libgsm-no}" echo "libmp3lame enabled ${libmp3lame-no}" echo "libnut enabled ${libnut-no}" @@ -3383,6 +3397,7 @@ SLIB_INSTALL_EXTRA_CMD=${SLIB_INSTALL_EXTRA_CMD} SLIB_UNINSTALL_EXTRA_CMD=${SLIB_UNINSTALL_EXTRA_CMD} SAMPLES:=${samples:-\$(FATE_SAMPLES)} +NOREDZONE_FLAGS=$noredzone_flags EOF get_version(){ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/doc/filters.texi ^ |
| @@ -1683,7 +1683,7 @@ Negative values for the amount will blur the input video, while positive values will sharpen. All parameters are optional and default to the -equivalent of the string '5:5:1.0:0:0:0.0'. +equivalent of the string '5:5:1.0:5:5:0.0'. @table @option @@ -1701,11 +1701,11 @@ @item chroma_msize_x Set the chroma matrix horizontal size. It can be an integer between 3 -and 13, default value is 0. +and 13, default value is 5. @item chroma_msize_y Set the chroma matrix vertical size. It can be an integer between 3 -and 13, default value is 0. +and 13, default value is 5. @item luma_amount Set the chroma effect strength. It can be a float number between -2.0 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/doc/general.texi ^ |
| @@ -542,6 +542,8 @@ @multitable @columnfractions .4 .1 .1 .4 @item Name @tab Encoding @tab Decoding @tab Comments @item 8SVX audio @tab @tab X +@item AAC+ @tab E @tab X + @tab encoding supported through external library libaacplus @item AAC @tab E @tab X @tab encoding supported through external library libfaac and libvo-aacenc @item AC-3 @tab IX @tab X @@ -1060,7 +1062,7 @@ (@url{http://sourceware.org/cygwinports/}) : @example -yasm, libSDL-devel, libdirac-devel, libfaac-devel, libgsm-devel, +yasm, libSDL-devel, libdirac-devel, libfaac-devel, libaacplus-devel, libgsm-devel, libmp3lame-devel, libschroedinger1.0-devel, speex-devel, libtheora-devel, libxvidcore-devel @end example | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/ffmpeg.c ^ |
| @@ -2379,9 +2379,9 @@ } } if(codec->codec_type == AVMEDIA_TYPE_VIDEO){ - /* maximum video buffer size is 6-bytes per pixel, plus DPX header size */ + /* maximum video buffer size is 6-bytes per pixel, plus DPX header size (1664)*/ int size= codec->width * codec->height; - bit_buffer_size= FFMAX(bit_buffer_size, 6*size + 1664); + bit_buffer_size= FFMAX(bit_buffer_size, 7*size + 10000); } } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/4xm.c ^ |
| @@ -133,7 +133,9 @@ GetBitContext pre_gb; ///< ac/dc prefix GetBitContext gb; const uint8_t *bytestream; + const uint8_t *bytestream_end; const uint16_t *wordstream; + const uint16_t *wordstream_end; int mv[256]; VLC pre_vlc; int last_dc; @@ -277,7 +279,7 @@ } #endif -static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){ +static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){ int i; dc*= 0x10001; @@ -328,6 +330,10 @@ assert(code>=0 && code<=6); if(code == 0){ + if (f->bytestream_end - f->bytestream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); + return; + } src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); @@ -345,15 +351,31 @@ }else if(code == 3 && f->version<2){ mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ + if (f->bytestream_end - f->bytestream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); + return; + } src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; } + if (f->wordstream_end - f->wordstream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); + return; + } mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++)); }else if(code == 5){ + if (f->wordstream_end - f->wordstream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); + return; + } mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++)); }else if(code == 6){ + if (f->wordstream_end - f->wordstream < 2){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); + return; + } if(log2w){ dst[0] = av_le2ne16(*f->wordstream++); dst[1] = av_le2ne16(*f->wordstream++); @@ -375,6 +397,8 @@ if(f->version>1){ extra=20; + if (length < extra) + return -1; bitstream_size= AV_RL32(buf+8); wordstream_size= AV_RL32(buf+12); bytestream_size= AV_RL32(buf+16); @@ -385,11 +409,10 @@ bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0); } - if(bitstream_size+ bytestream_size+ wordstream_size + extra != length - || bitstream_size > (1<<26) - || bytestream_size > (1<<26) - || wordstream_size > (1<<26) - ){ + if (bitstream_size > length || + bytestream_size > length - bitstream_size || + wordstream_size > length - bytestream_size - bitstream_size || + extra > length - bytestream_size - bitstream_size - wordstream_size){ av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size, bitstream_size+ bytestream_size+ wordstream_size - length); return -1; @@ -399,10 +422,13 @@ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4); + memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); + f->wordstream_end= f->wordstream + wordstream_size/2; f->bytestream= buf + extra + bitstream_size + wordstream_size; + f->bytestream_end = f->bytestream + bytestream_size; init_mv(f); @@ -531,7 +557,7 @@ return 0; } -static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){ +static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){ int frequency[512]; uint8_t flag[512]; int up[512]; @@ -539,6 +565,7 @@ int bits_tab[257]; int start, end; const uint8_t *ptr= buf; + const uint8_t *ptr_end = buf + buf_size; int j; memset(frequency, 0, sizeof(frequency)); @@ -549,6 +576,8 @@ for(;;){ int i; + if (start <= end && ptr_end - ptr < end - start + 1 + 1) + return NULL; for(i=start; i<=end; i++){ frequency[i]= *ptr++; } @@ -601,9 +630,10 @@ len_tab[j]= len; } - init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, - len_tab , 1, 1, - bits_tab, 4, 4, 0); + if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, + len_tab , 1, 1, + bits_tab, 4, 4, 0)) + return NULL; return ptr; } @@ -621,10 +651,13 @@ const int height= f->avctx->height; uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; + const uint8_t *buf_end = buf + length; for(y=0; y<height; y+=16){ for(x=0; x<width; x+=16){ unsigned int color[4], bits; + if (buf_end - buf < 8) + return -1; memset(color, 0, sizeof(color)); //warning following is purely guessed ... color[0]= bytestream_get_le16(&buf); @@ -658,18 +691,23 @@ uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; const unsigned int bitstream_size= AV_RL32(buf); - const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); - unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); - const uint8_t *prestream= buf + bitstream_size + 12; - - if(prestream_size + bitstream_size + 12 != length - || bitstream_size > (1<<26) - || prestream_size > (1<<26)){ + unsigned int prestream_size; + const uint8_t *prestream; + + if (bitstream_size > (1<<26) || length < bitstream_size + 12) + return -1; + prestream_size = 4*AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; + + if (prestream_size > (1<<26) || + prestream_size != length - (bitstream_size + 12)){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); return -1; } - prestream= read_huffman_tables(f, prestream); + prestream= read_huffman_tables(f, prestream, buf + length - prestream); + if (!prestream) + return -1; init_get_bits(&f->gb, buf + 4, 8*bitstream_size); @@ -679,6 +717,7 @@ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4); + memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size); f->last_dc= 0*128*8*8; @@ -710,6 +749,8 @@ AVFrame *p, temp; int i, frame_4cc, frame_size; + if (buf_size < 12) + return AVERROR_INVALIDDATA; frame_4cc= AV_RL32(buf); if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4)); @@ -722,6 +763,11 @@ const int whole_size= AV_RL32(buf+16); CFrameBuffer *cfrm; + if (data_size < 0 || whole_size < 0){ + av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); + return AVERROR_INVALIDDATA; + } + for(i=0; i<CFRAME_BUFFER_COUNT; i++){ if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id); @@ -738,6 +784,8 @@ } cfrm= &f->cfrm[i]; + if (data_size > UINT_MAX - cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE); if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL av_log(f->avctx, AV_LOG_ERROR, "realloc falure"); @@ -781,12 +829,16 @@ if(frame_4cc == AV_RL32("ifr2")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i2_frame(f, buf-4, frame_size) < 0) + if(decode_i2_frame(f, buf-4, frame_size+4) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("ifrm")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i_frame(f, buf, frame_size) < 0) + if(decode_i_frame(f, buf, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode i frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){ if(!f->last_picture.data[0]){ f->last_picture.reference= 1; @@ -797,8 +849,10 @@ } p->pict_type= AV_PICTURE_TYPE_P; - if(decode_p_frame(f, buf, frame_size) < 0) + if(decode_p_frame(f, buf, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("snd_")){ av_log(avctx, AV_LOG_ERROR, "ignoring snd_ chunk length:%d\n", buf_size); }else{ @@ -831,6 +885,10 @@ av_log(avctx, AV_LOG_ERROR, "extradata wrong or missing\n"); return 1; } + if((avctx->width % 16) || (avctx->height % 16)) { + av_log(avctx, AV_LOG_ERROR, "unsupported width/height\n"); + return AVERROR_INVALIDDATA; + } avcodec_get_frame_defaults(&f->current_picture); avcodec_get_frame_defaults(&f->last_picture); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/Makefile ^ |
| @@ -567,6 +567,7 @@ OBJS-$(CONFIG_WTV_DEMUXER) += mpeg4audio.o mpegaudiodata.o # external codec libraries +OBJS-$(CONFIG_LIBAACPLUS_ENCODER) += libaacplus.o OBJS-$(CONFIG_LIBCELT_DECODER) += libcelt_dec.o OBJS-$(CONFIG_LIBDIRAC_DECODER) += libdiracdec.o OBJS-$(CONFIG_LIBDIRAC_ENCODER) += libdiracenc.o libdirac_libschro.o | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/aacdec.c ^ |
| @@ -1090,7 +1090,7 @@ GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - bits = SHOW_UBITS(re, gb, nnz) << (32-nnz); + bits = nnz ? GET_CACHE(re, gb) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx); } while (len -= 4); @@ -1130,7 +1130,7 @@ GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12); + sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx); } while (len -= 2); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/aacsbr.c ^ |
| @@ -33,6 +33,7 @@ #include "fft.h" #include "aacps.h" #include "libavutil/libm.h" +#include "libavutil/avassert.h" #include <stdint.h> #include <float.h> @@ -1457,6 +1458,7 @@ uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow; int k; + av_assert0(sbr->kx[1] <= table[0]); for (i = 0; i < ilim; i++) for (m = table[i]; m < table[i + 1]; m++) sbr->e_origmapped[e][m - sbr->kx[1]] = ch_data->env_facs[e+1][i]; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/adpcm.c ^ |
| @@ -1333,10 +1333,11 @@ buf_size -= 128; } break; - case CODEC_ID_ADPCM_IMA_EA_EACS: + case CODEC_ID_ADPCM_IMA_EA_EACS: { + unsigned header_size = 4 + (8<<st); samples_in_chunk = bytestream_get_le32(&src) >> (1-st); - if (samples_in_chunk > buf_size-4-(8<<st)) { + if (buf_size < header_size || samples_in_chunk > buf_size - header_size) { src += buf_size - 4; break; } @@ -1351,6 +1352,7 @@ *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3); } break; + } case CODEC_ID_ADPCM_IMA_EA_SEAD: for (; src < buf+buf_size; src++) { *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/allcodecs.c ^ |
| @@ -370,6 +370,7 @@ REGISTER_ENCDEC (XSUB, xsub); /* external libraries */ + REGISTER_ENCODER (LIBAACPLUS, libaacplus); REGISTER_DECODER (LIBCELT, libcelt); REGISTER_ENCDEC (LIBDIRAC, libdirac); REGISTER_ENCODER (LIBFAAC, libfaac); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/anm.c ^ |
| @@ -79,6 +79,8 @@ int striplen = FFMIN(count, remaining); if (buf) { striplen = FFMIN(striplen, buf_end - *buf); + if (*buf >= buf_end) + goto exhausted; memcpy(*dst, *buf, striplen); *buf += striplen; } else if (pixel >= 0) | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/apedec.c ^ |
| @@ -163,6 +163,18 @@ // TODO: dsputilize +static av_cold int ape_decode_close(AVCodecContext * avctx) +{ + APEContext *s = avctx->priv_data; + int i; + + for (i = 0; i < APE_FILTER_LEVELS; i++) + av_freep(&s->filterbuf[i]); + + av_freep(&s->data); + return 0; +} + static av_cold int ape_decode_init(AVCodecContext * avctx) { APEContext *s = avctx->priv_data; @@ -195,25 +207,18 @@ for (i = 0; i < APE_FILTER_LEVELS; i++) { if (!ape_filter_orders[s->fset][i]) break; - s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4); + FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i], + (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4, + filter_alloc_fail); } dsputil_init(&s->dsp, avctx); avctx->sample_fmt = AV_SAMPLE_FMT_S16; avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; return 0; -} - -static av_cold int ape_decode_close(AVCodecContext * avctx) -{ - APEContext *s = avctx->priv_data; - int i; - - for (i = 0; i < APE_FILTER_LEVELS; i++) - av_freep(&s->filterbuf[i]); - - av_freep(&s->data); - return 0; +filter_alloc_fail: + ape_decode_close(avctx); + return AVERROR(ENOMEM); } /** @@ -797,7 +802,7 @@ int buf_size = avpkt->size; APEContext *s = avctx->priv_data; int16_t *samples = data; - int nblocks; + uint32_t nblocks; int i, n; int blockstodecode; int bytes_used; @@ -814,12 +819,15 @@ } if(!s->samples){ - s->data = av_realloc(s->data, (buf_size + 3) & ~3); + void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3); + if (!tmp_data) + return AVERROR(ENOMEM); + s->data = tmp_data; s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2); s->ptr = s->last_ptr = s->data; s->data_end = s->data + buf_size; - nblocks = s->samples = bytestream_get_be32(&s->ptr); + nblocks = bytestream_get_be32(&s->ptr); n = bytestream_get_be32(&s->ptr); if(n < 0 || n > 3){ av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); @@ -828,12 +836,13 @@ } s->ptr += n; - s->currentframeblocks = nblocks; buf += 4; - if (s->samples <= 0) { + if (!nblocks || nblocks > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks); *data_size = 0; - return buf_size; + return AVERROR_INVALIDDATA; } + s->currentframeblocks = s->samples = nblocks; memset(s->decoded0, 0, sizeof(s->decoded0)); memset(s->decoded1, 0, sizeof(s->decoded1)); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/atrac1.c ^ |
| @@ -276,7 +276,7 @@ const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AT1Ctx *q = avctx->priv_data; - int ch, ret, i; + int ch, ret, i, out_size; GetBitContext gb; float* samples = data; @@ -286,6 +286,13 @@ return -1; } + out_size = q->channels * AT1_SU_SAMPLES * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + for (ch = 0; ch < q->channels; ch++) { AT1SUCtx* su = &q->SUs[ch]; @@ -318,7 +325,7 @@ } } - *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples); + *data_size = out_size; return avctx->block_align; } @@ -329,6 +336,11 @@ avctx->sample_fmt = AV_SAMPLE_FMT_FLT; + if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n", + avctx->channels); + return AVERROR(EINVAL); + } q->channels = avctx->channels; /* Init the mdct transforms */ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/avs.c ^ |
| @@ -47,6 +47,7 @@ void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; AvsContext *const avs = avctx->priv_data; AVFrame *picture = data; @@ -69,6 +70,8 @@ out = avs->picture.data[0]; stride = avs->picture.linesize[0]; + if (buf_end - buf < 4) + return AVERROR_INVALIDDATA; sub_type = buf[0]; type = buf[1]; buf += 4; @@ -79,6 +82,8 @@ first = AV_RL16(buf); last = first + AV_RL16(buf + 2); + if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first)) + return AVERROR_INVALIDDATA; buf += 4; for (i=first; i<last; i++, buf+=3) pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2); @@ -114,9 +119,13 @@ return -1; } + if (buf_end - buf < 256 * vect_w * vect_h) + return AVERROR_INVALIDDATA; table = buf + (256 * vect_w * vect_h); if (sub_type != AVS_I_FRAME) { int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h); + if (buf_end - table < map_size) + return AVERROR_INVALIDDATA; init_get_bits(&change_map, table, map_size * 8); table += map_size; } @@ -124,6 +133,8 @@ for (y=0; y<198; y+=vect_h) { for (x=0; x<318; x+=vect_w) { if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) { + if (buf_end - table < 1) + return AVERROR_INVALIDDATA; vect = &buf[*table++ * (vect_w * vect_h)]; for (j=0; j<vect_w; j++) { out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j]; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/bink.c ^ |
| @@ -246,7 +246,7 @@ tree->syms[i] = get_bits(gb, 4); tmp1[tree->syms[i]] = 1; } - for (i = 0; i < 16; i++) + for (i = 0; i < 16 && len < 16 - 1; i++) if (!tmp1[i]) tree->syms[++len] = i; } else { @@ -343,14 +343,14 @@ memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v) { sign = -get_bits1(gb); v = (v ^ sign) - sign; } *b->cur_dec++ = v; - } while (b->cur_dec < dec_end); + } } return 0; } @@ -374,7 +374,7 @@ memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v < 12) { last = v; @@ -382,10 +382,12 @@ } else { int run = bink_rlelens[v - 12]; + if (dec_end - b->cur_dec < run) + return -1; memset(b->cur_dec, last, run); b->cur_dec += run; } - } while (b->cur_dec < dec_end); + } } return 0; } @@ -456,6 +458,7 @@ { int i, j, len, len2, bsize, sign, v, v2; int16_t *dst = (int16_t*)b->cur_dec; + int16_t *dst_end =( int16_t*)b->data_end; CHECK_READ_VAL(gb, b, len); v = get_bits(gb, start_bits - has_sign); @@ -463,10 +466,14 @@ sign = -get_bits1(gb); v = (v ^ sign) - sign; } + if (dst_end - dst < 1) + return -1; *dst++ = v; len--; for (i = 0; i < len; i += 8) { len2 = FFMIN(len - i, 8); + if (dst_end - dst < len2) + return -1; bsize = get_bits(gb, 4); if (bsize) { for (j = 0; j < len2; j++) { @@ -534,6 +541,8 @@ int i, len; CHECK_READ_VAL(gb, b, len); + if (b->data_end - b->cur_dec < len * (1 + (bits > 8))) + return -1; if (bits <= 8) { if (!issigned) { for (i = 0; i < len; i++) @@ -964,8 +973,9 @@ for (i = 0; i < BINK_NB_SRC; i++) read_bundle(gb, c, i); - ref_start = c->last.data[plane_idx]; - ref_end = c->last.data[plane_idx] + ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]; + ref_end = ref_start + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8; for (i = 0; i < 64; i++) @@ -994,7 +1004,8 @@ if (by == bh) break; dst = c->pic.data[plane_idx] + 8*by*stride; - prev = c->last.data[plane_idx] + 8*by*stride; + prev = (c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]) + 8*by*stride; for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/binkaudio.c ^ |
| @@ -153,11 +153,18 @@ 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64 }; +#define GET_BITS_SAFE(out, nbits) do { \ + if (get_bits_left(gb) < nbits) \ + return AVERROR_INVALIDDATA; \ + out = get_bits(gb, nbits); \ +} while (0) + /** * Decode Bink Audio block * @param[out] out Output buffer (must contain s->block_size elements) + * @return 0 on success, negative error code on failure */ -static void decode_block(BinkAudioContext *s, short *out, int use_dct) +static int decode_block(BinkAudioContext *s, short *out, int use_dct) { int ch, i, j, k; float q, quant[25]; @@ -170,13 +177,19 @@ for (ch = 0; ch < s->channels; ch++) { FFTSample *coeffs = s->coeffs_ptr[ch]; if (s->version_b) { + if (get_bits_left(gb) < 64) + return AVERROR_INVALIDDATA; coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root; coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root; } else { + if (get_bits_left(gb) < 58) + return AVERROR_INVALIDDATA; coeffs[0] = get_float(gb) * s->root; coeffs[1] = get_float(gb) * s->root; } + if (get_bits_left(gb) < s->num_bands * 8) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_bands; i++) { /* constant is result of 0.066399999/log10(M_E) */ int value = get_bits(gb, 8); @@ -191,15 +204,20 @@ while (i < s->frame_len) { if (s->version_b) { j = i + 16; - } else if (get_bits1(gb)) { - j = i + rle_length_tab[get_bits(gb, 4)] * 8; } else { - j = i + 8; + int v; + GET_BITS_SAFE(v, 1); + if (v) { + GET_BITS_SAFE(v, 4); + j = i + rle_length_tab[v] * 8; + } else { + j = i + 8; + } } j = FFMIN(j, s->frame_len); - width = get_bits(gb, 4); + GET_BITS_SAFE(width, 4); if (width == 0) { memset(coeffs + i, 0, (j - i) * sizeof(*coeffs)); i = j; @@ -209,9 +227,11 @@ while (i < j) { if (s->bands[k] == i) q = quant[k++]; - coeff = get_bits(gb, width); + GET_BITS_SAFE(coeff, width); if (coeff) { - if (get_bits1(gb)) + int v; + GET_BITS_SAFE(v, 1); + if (v) coeffs[i] = -q * coeff; else coeffs[i] = q * coeff; @@ -247,6 +267,8 @@ s->overlap_len * s->channels * sizeof(*out)); s->first = 0; + + return 0; } static av_cold int decode_end(AVCodecContext *avctx) @@ -278,12 +300,17 @@ int reported_size; GetBitContext *gb = &s->gb; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + init_get_bits(gb, buf, buf_size * 8); reported_size = get_bits_long(gb, 32); - while (get_bits_count(gb) / 8 < buf_size && - samples + s->block_size <= samples_end) { - decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT); + while (samples + s->block_size <= samples_end) { + if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT)) + break; samples += s->block_size; get_bits_align32(gb); } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/bitstream.c ^ |
| @@ -109,8 +109,8 @@ if(use_static) abort(); //cant do anything, init_vlc() is used with too little memory vlc->table_allocated += (1 << vlc->bits); - vlc->table = av_realloc(vlc->table, - sizeof(VLC_TYPE) * 2 * vlc->table_allocated); + vlc->table = av_realloc_f(vlc->table, + vlc->table_allocated, sizeof(VLC_TYPE) * 2); if (!vlc->table) return -1; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/dca.c ^ |
| @@ -898,15 +898,17 @@ else /* Perfect reconstruction */ prCoeff = fir_32bands_perfect; + for (i = sb_act; i < 32; i++) + s->raXin[i] = 0.0; + /* Reconstructed channel sample index */ for (subindex = 0; subindex < 8; subindex++) { /* Load in one sample from each subband and clear inactive subbands */ for (i = 0; i < sb_act; i++){ - uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30; + unsigned sign = (i - 1) & 2; + uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30; AV_WN32A(&s->raXin[i], v); } - for (; i < 32; i++) - s->raXin[i] = 0.0; s->synth.synth_filter_float(&s->imdct, s->subband_fir_hist[chans], &s->hist_index[chans], | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/dsicinav.c ^ |
| @@ -217,7 +217,11 @@ bitmap_frame_size = buf_size - 4; /* handle palette */ + if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) + return AVERROR_INVALIDDATA; if (palette_type == 0) { + if (palette_colors_count > 256) + return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; @@ -306,6 +310,11 @@ CinAudioContext *cin = avctx->priv_data; cin->avctx = avctx; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Number of channels is not supported\n"); + return AVERROR_PATCHWELCOME; + } + cin->initial_decode_frame = 1; cin->delta = 0; avctx->sample_fmt = AV_SAMPLE_FMT_S16; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/dvdata.c ^ |
| @@ -248,11 +248,13 @@ const DVprofile* ff_dv_frame_profile(const DVprofile *sys, const uint8_t* frame, unsigned buf_size) { - int i; + int i, dsf, stype; - int dsf = (frame[3] & 0x80) >> 7; + if(buf_size < DV_PROFILE_BYTES) + return NULL; - int stype = frame[80*5 + 48 + 3] & 0x1f; + dsf = (frame[3] & 0x80) >> 7; + stype = frame[80*5 + 48 + 3] & 0x1f; /* 576i50 25Mbps 4:1:1 is a special case */ if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) { | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/eacmv.c ^ |
| @@ -56,7 +56,7 @@ unsigned char *dst = s->frame.data[0]; int i; - for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) { + for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) { memcpy(dst, buf, s->avctx->width); dst += s->frame.linesize[0]; buf += s->avctx->width; @@ -88,7 +88,7 @@ i = 0; for(y=0; y<s->avctx->height/4; y++) - for(x=0; x<s->avctx->width/4 && buf+i<buf_end; x++) { + for(x=0; x<s->avctx->width/4 && buf_end - buf > i; x++) { if (buf[i]==0xFF) { unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4; if (raw+16<buf_end && *raw==0xFF) { /* intra */ @@ -110,9 +110,10 @@ }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } @@ -122,7 +123,7 @@ { int pal_start, pal_count, i; - if(buf+16>=buf_end) { + if(buf_end - buf < 16) { av_log(s->avctx, AV_LOG_WARNING, "truncated header\n"); return; } @@ -139,7 +140,7 @@ pal_count = AV_RL16(&buf[14]); buf += 16; - for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) { + for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } @@ -157,6 +158,9 @@ CmvContext *s = avctx->priv_data; const uint8_t *buf_end = buf + buf_size; + if (buf_end - buf < EA_PREAMBLE_SIZE) + return AVERROR_INVALIDDATA; + if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) { cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end); return buf_size; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/eamad.c ^ |
| @@ -85,15 +85,21 @@ { MpegEncContext *s = &t->s; if (j < 4) { + unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x; + if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7) + return; comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3), t->frame.linesize[0], - t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x, + t->last_frame.data[0] + offset, t->last_frame.linesize[0], add); } else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) { int index = j - 3; + unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2); + if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7) + return; comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8, t->frame.linesize[index], - t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2), + t->last_frame.data[index] + offset, t->last_frame.linesize[index], add); } } @@ -205,7 +211,8 @@ for (j=0; j<6; j++) { if (mv_map & (1<<j)) { // mv_x and mv_y are guarded by mv_map int add = 2*decode_motion(&s->gb); - comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add); + if (t->last_frame.data[0]) + comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add); } else { s->dsp.clear_block(t->block); decode_block_intra(t, t->block); @@ -266,6 +273,8 @@ avcodec_set_dimensions(avctx, s->width, s->height); if (t->frame.data[0]) avctx->release_buffer(avctx, &t->frame); + if (t->last_frame.data[0]) + avctx->release_buffer(avctx, &t->last_frame); } t->frame.reference = 1; @@ -280,6 +289,7 @@ if (!t->bitstream_buf) return AVERROR(ENOMEM); bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2); + memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf)); for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++) | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/eatgv.c ^ |
| @@ -74,7 +74,7 @@ else src += 2; - if (src+3>src_end) + if (src_end - src < 3) return -1; size = AV_RB24(src); src += 3; @@ -138,7 +138,7 @@ * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; + unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -148,7 +148,7 @@ int mvbits; const unsigned char *blocks_raw; - if(buf+12>buf_end) + if(buf_end - buf < 12) return -1; num_mvs = AV_RL16(&buf[0]); @@ -171,7 +171,7 @@ /* read motion vectors */ mvbits = (num_mvs*2*10+31) & ~31; - if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end) + if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed) return -1; init_get_bits(&gb, buf, mvbits); @@ -207,12 +207,14 @@ int src_stride; if (vector < num_mvs) { - src = s->last_frame.data[0] + - (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + - x*4 + s->mv_codebook[vector][0]; + unsigned offset = + (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + + x*4 + s->mv_codebook[vector][0]; + src_stride = s->last_frame.linesize[0]; - if (src+3*src_stride+3>=frame0_end) + if (offset >= last_frame_size - (3*src_stride+3)) continue; + src = s->last_frame.data[0] + offset; }else{ int offset = vector - num_mvs; if (offset<num_blocks_raw) @@ -252,12 +254,15 @@ const uint8_t *buf_end = buf + buf_size; int chunk_type; + if (buf_end - buf < EA_PREAMBLE_SIZE) + return AVERROR_INVALIDDATA; + chunk_type = AV_RL32(&buf[0]); buf += EA_PREAMBLE_SIZE; if (chunk_type==kVGT_TAG) { int pal_count, i; - if(buf+12>buf_end) { + if(buf_end - buf < 12) { av_log(avctx, AV_LOG_WARNING, "truncated header\n"); return -1; } @@ -272,7 +277,7 @@ pal_count = AV_RL16(&buf[6]); buf += 12; - for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) { + for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/error_resilience.c ^ |
| @@ -660,7 +660,7 @@ if(s->codec_id == CODEC_ID_H264){ H264Context *h= (void*)s; - if(h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0]) + if (h->list_count <= 0 || h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0]) return 1; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/flacdec.c ^ |
| @@ -228,9 +228,11 @@ buf += 4; do { + if (buf_end - buf < 4) + return 0; ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; - if (buf + metadata_size > buf_end) { + if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ return 0; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/flicvideo.c ^ |
| @@ -132,7 +132,6 @@ FlicDecodeContext *s = avctx->priv_data; int stream_ptr = 0; - int stream_ptr_after_color_chunk; int pixel_ptr; int palette_ptr; unsigned char palette_idx1; @@ -172,7 +171,11 @@ pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; + if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE)) + return AVERROR_INVALIDDATA; frame_size = AV_RL32(&buf[stream_ptr]); + if (frame_size > buf_size) + frame_size = buf_size; stream_ptr += 6; /* skip the magic number */ num_chunks = AV_RL16(&buf[stream_ptr]); stream_ptr += 10; /* skip padding */ @@ -180,13 +183,16 @@ frame_size -= 16; /* iterate through the chunks */ - while ((frame_size > 0) && (num_chunks > 0)) { + while ((frame_size >= 6) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = AV_RL32(&buf[stream_ptr]); if (chunk_size > frame_size) { av_log(avctx, AV_LOG_WARNING, "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); chunk_size = frame_size; } + stream_ptr_after_chunk = stream_ptr + chunk_size; + stream_ptr += 4; chunk_type = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; @@ -194,8 +200,6 @@ switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: - stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6; - /* check special case: If this file is from the Magic Carpet * game and uses 6-bit colors even though it reports 256-color * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during @@ -219,6 +223,9 @@ if (color_changes == 0) color_changes = 256; + if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk) + break; + for (j = 0; j < color_changes; j++) { unsigned int entry; @@ -235,13 +242,6 @@ s->palette[palette_ptr++] = entry; } } - - /* color chunks sometimes have weird 16-bit alignment issues; - * therefore, take the hardline approach and set the stream_ptr - * to the value calculated w.r.t. the size specified by the color - * chunk header */ - stream_ptr = stream_ptr_after_color_chunk; - break; case FLI_DELTA: @@ -249,6 +249,8 @@ compressed_lines = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; while (compressed_lines > 0) { + if (stream_ptr + 2 > stream_ptr_after_chunk) + break; line_packets = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; if ((line_packets & 0xC000) == 0xC000) { @@ -268,6 +270,8 @@ CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { + if (stream_ptr + 2 > stream_ptr_after_chunk) + break; /* account for the skip bytes */ pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; @@ -284,6 +288,8 @@ } } else { CHECK_PIXEL_PTR(byte_run * 2); + if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -310,6 +316,8 @@ CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; line_packets = buf[stream_ptr++]; + if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk) + break; if (line_packets > 0) { for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ @@ -319,6 +327,8 @@ byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); + if (stream_ptr + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -356,6 +366,8 @@ stream_ptr++; pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { + if (stream_ptr + 1 > stream_ptr_after_chunk) + break; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { palette_idx1 = buf[stream_ptr++]; @@ -370,6 +382,8 @@ } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); + if (stream_ptr + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -387,10 +401,9 @@ case FLI_COPY: /* copy the chunk (uncompressed frame) */ - if (chunk_size - 6 > s->avctx->width * s->avctx->height) { + if (chunk_size - 6 != s->avctx->width * s->avctx->height) { av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ - "bigger than image, skipping chunk\n", chunk_size - 6); - stream_ptr += chunk_size - 6; + "has incorrect size, skipping chunk\n", chunk_size - 6); } else { for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; y_ptr += s->frame.linesize[0]) { @@ -403,7 +416,6 @@ case FLI_MINI: /* some sort of a thumbnail? disregard this chunk... */ - stream_ptr += chunk_size - 6; break; default: @@ -411,6 +423,8 @@ break; } + stream_ptr = stream_ptr_after_chunk; + frame_size -= chunk_size; num_chunks--; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/golomb.h ^ |
| @@ -75,6 +75,20 @@ } } +/** + * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1. + */ +static inline unsigned get_ue_golomb_long(GetBitContext *gb) +{ + unsigned buf, log; + + buf = show_bits_long(gb, 32); + log = 31 - av_log2(buf); + skip_bits_long(gb, log); + + return get_bits_long(gb, log + 1) - 1; +} + /** * read unsigned exp golomb code, constraint to a max of 31. * the return value is undefined if the stored value exceeds 31. | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264.c ^ |
| @@ -106,12 +106,9 @@ } return 0; -} //FIXME cleanup like ff_h264_check_intra_pred_mode +} //FIXME cleanup like check_intra_pred_mode -/** - * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. - */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ +static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){ MpegEncContext * const s = &h->s; static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1}; static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8}; @@ -131,7 +128,7 @@ if((h->left_samples_available&0x8080) != 0x8080){ mode= left[ mode ]; - if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred + if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8); } if(mode<0){ @@ -143,6 +140,23 @@ return mode; } +/** + * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode) +{ + return check_intra_pred_mode(h, mode, 0); +} + +/** + * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode) +{ + return check_intra_pred_mode(h, mode, 1); +} + + const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){ int i, si, di; uint8_t *dst; @@ -1005,8 +1019,12 @@ s->height = s->avctx->height; s->codec_id= s->avctx->codec->id; - ff_h264dsp_init(&h->h264dsp, 8); - ff_h264_pred_init(&h->hpc, s->codec_id, 8); + s->avctx->bits_per_raw_sample = 8; + + ff_h264dsp_init(&h->h264dsp, + s->avctx->bits_per_raw_sample); + ff_h264_pred_init(&h->hpc, s->codec_id, + s->avctx->bits_per_raw_sample); h->dequant_coeff_pps= -1; s->unrestricted_mv=1; @@ -1018,17 +1036,20 @@ memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t)); } -int ff_h264_decode_extradata(H264Context *h) +int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) { AVCodecContext *avctx = h->s.avctx; - if(avctx->extradata[0] == 1){ + if(!buf || size <= 0) + return -1; + + if(buf[0] == 1){ int i, cnt, nalsize; - unsigned char *p = avctx->extradata; + const unsigned char *p = buf; h->is_avc = 1; - if(avctx->extradata_size < 7) { + if(size < 7) { av_log(avctx, AV_LOG_ERROR, "avcC too short\n"); return -1; } @@ -1040,6 +1061,8 @@ p += 6; for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if(nalsize > size - (p-buf)) + return -1; if(decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i); return -1; @@ -1050,6 +1073,8 @@ cnt = *(p++); // Number of pps for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if(nalsize > size - (p-buf)) + return -1; if (decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i); return -1; @@ -1057,10 +1082,10 @@ p += nalsize; } // Now store right nal length size, that will be use to parse all other nals - h->nal_length_size = (avctx->extradata[4] & 0x03) + 1; + h->nal_length_size = (buf[4] & 0x03) + 1; } else { h->is_avc = 0; - if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0) + if(decode_nal_units(h, buf, size) < 0) return -1; } return 0; @@ -1104,7 +1129,7 @@ } if(avctx->extradata_size > 0 && avctx->extradata && - ff_h264_decode_extradata(h)) + ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size)) return -1; if(h->sps.bitstream_restriction_flag && s->avctx->has_b_frames < h->sps.num_reorder_frames){ @@ -2612,6 +2637,7 @@ free_tables(h, 0); flush_dpb(s->avctx); MPV_common_end(s); + h->list_count = 0; } if (!s->context_initialized) { if (h != h0) { @@ -2872,6 +2898,7 @@ h->ref_count[1]= h->pps.ref_count[1]; if(h->slice_type_nos != AV_PICTURE_TYPE_I){ + unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1; if(h->slice_type_nos == AV_PICTURE_TYPE_B){ h->direct_spatial_mv_pred= get_bits1(&s->gb); } @@ -2882,25 +2909,27 @@ if(h->slice_type_nos==AV_PICTURE_TYPE_B) h->ref_count[1]= get_ue_golomb(&s->gb) + 1; - if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ - av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0]= h->ref_count[1]= 1; - return -1; - } + } + if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){ + av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); + h->ref_count[0]= h->ref_count[1]= 1; + return -1; } if(h->slice_type_nos == AV_PICTURE_TYPE_B) h->list_count= 2; else h->list_count= 1; }else - h->list_count= 0; + h->ref_count[1]= h->ref_count[0]= h->list_count= 0; if(!default_ref_list_done){ ff_h264_fill_default_ref_list(h); } - if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) + if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) { + h->ref_count[1]= h->ref_count[0]= 0; return -1; + } if(h->slice_type_nos!=AV_PICTURE_TYPE_I){ s->last_picture_ptr= &h->ref_list[0][0]; @@ -3729,9 +3758,13 @@ switch (hx->nal_unit_type) { case NAL_SPS: case NAL_PPS: + nals_needed = nal_index; + break; case NAL_IDR_SLICE: case NAL_SLICE: - nals_needed = nal_index; + init_get_bits(&hx->s.gb, ptr, bit_length); + if(!get_ue_golomb(&hx->s.gb)) + nals_needed = nal_index; } continue; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264.h ^ |
| @@ -101,7 +101,7 @@ */ #define DELAYED_PIC_REF 4 -#define QP_MAX_NUM (51 + 2*6) // The maximum supported qp +#define QP_MAX_NUM (51 + 4*6) // The maximum supported qp /* NAL unit types */ enum { @@ -227,7 +227,7 @@ int transform_8x8_mode; ///< transform_8x8_mode_flag uint8_t scaling_matrix4[6][16]; uint8_t scaling_matrix8[6][64]; - uint8_t chroma_qp_table[2][64]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table + uint8_t chroma_qp_table[2][QP_MAX_NUM+1]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table int chroma_qp_diff; }PPS; @@ -584,7 +584,7 @@ }H264Context; -extern const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1]; ///< One chroma qp table for each supported bit depth (8, 9, 10). +extern const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1]; ///< One chroma qp table for each possible bit depth (8-12). /** * Decode SEI @@ -658,12 +658,17 @@ /** * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode); +int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode); + +/** + * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode); void ff_h264_write_back_intra_pred_mode(H264Context *h); void ff_h264_hl_decode_mb(H264Context *h); int ff_h264_frame_start(H264Context *h); -int ff_h264_decode_extradata(H264Context *h); +int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size); av_cold int ff_h264_decode_init(AVCodecContext *avctx); av_cold int ff_h264_decode_end(AVCodecContext *avctx); av_cold void ff_h264_decode_init_vlc(void); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264_cabac.c ^ |
| @@ -2003,14 +2003,14 @@ ff_h264_write_back_intra_pred_mode(h); if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1; } else { - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode ); + h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode ); if( h->intra16x16_pred_mode < 0 ) return -1; } if(decode_chroma){ h->chroma_pred_mode_table[mb_xy] = pred_mode = decode_cabac_mb_chroma_pre_mode( h ); - pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode ); + pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode ); if( pred_mode < 0 ) return -1; h->chroma_pred_mode= pred_mode; } else { | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264_cavlc.c ^ |
| @@ -735,12 +735,12 @@ if( ff_h264_check_intra4x4_pred_mode(h) < 0) return -1; }else{ - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode); + h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode); if(h->intra16x16_pred_mode < 0) return -1; } if(decode_chroma){ - pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb)); + pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb)); if(pred_mode < 0) return -1; h->chroma_pred_mode= pred_mode; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264_direct.c ^ |
| @@ -89,7 +89,8 @@ for(j=start; j<end; j++){ if(4*h->ref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){ int cur_ref= mbafi ? (j-16)^field : j; - map[list][2*old_ref + (rfield^field) + 16] = cur_ref; + if(ref1->mbaff) + map[list][2*old_ref + (rfield^field) + 16] = cur_ref; if(rfield == field || !interl) map[list][old_ref] = cur_ref; break; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264_parser.c ^ |
| @@ -251,7 +251,7 @@ h->got_first = 1; if (avctx->extradata_size) { h->s.avctx = avctx; - ff_h264_decode_extradata(h); + ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size); } } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264_ps.c ^ |
| @@ -70,7 +70,7 @@ QP(37,d), QP(37,d), QP(37,d), QP(38,d), QP(38,d), QP(38,d),\ QP(39,d), QP(39,d), QP(39,d), QP(39,d) -const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = { +const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1] = { { CHROMA_QP_TABLE_END(8) }, @@ -83,6 +83,19 @@ 6, 7, 8, 9, 10, 11, CHROMA_QP_TABLE_END(10) }, + { + 0, 1, 2, 3, 4, 5, + 6, 7, 8, 9, 10, 11, + 12,13,14,15, 16, 17, + CHROMA_QP_TABLE_END(11) + }, + { + 0, 1, 2, 3, 4, 5, + 6, 7, 8, 9, 10, 11, + 12,13,14,15, 16, 17, + 18,19,20,21, 22, 23, + CHROMA_QP_TABLE_END(12) + }, }; static const uint8_t default_scaling4[2][16]={ @@ -130,8 +143,8 @@ get_bits(&s->gb, 4); /* bit_rate_scale */ get_bits(&s->gb, 4); /* cpb_size_scale */ for(i=0; i<cpb_count; i++){ - get_ue_golomb(&s->gb); /* bit_rate_value_minus1 */ - get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */ + get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */ + get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */ get_bits1(&s->gb); /* cbr_flag */ } sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1; @@ -333,6 +346,11 @@ sps->residual_color_transform_flag = get_bits1(&s->gb); sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; + if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) { + av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", + sps->bit_depth_luma, sps->bit_depth_chroma); + goto fail; + } sps->transform_bypass = get_bits1(&s->gb); decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8); }else{ @@ -365,7 +383,7 @@ } sps->ref_frame_count= get_ue_golomb_31(&s->gb); - if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){ + if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){ av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n"); goto fail; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264_refs.c ^ |
| @@ -301,7 +301,7 @@ void ff_h264_fill_mbaff_ref_list(H264Context *h){ int list, i, j; - for(list=0; list<2; list++){ //FIXME try list_count + for(list=0; list<h->list_count; list++){ for(i=0; i<h->ref_count[list]; i++){ Picture *frame = &h->ref_list[list][i]; Picture *field = &h->ref_list[list][16+2*i]; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264pred.c ^ |
| @@ -40,7 +40,7 @@ #undef BIT_DEPTH static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_TOP_EDGE LOAD_TOP_RIGHT_EDGE uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2, @@ -55,7 +55,7 @@ } static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_LEFT_EDGE AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101); @@ -292,7 +292,7 @@ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -307,7 +307,7 @@ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -322,7 +322,7 @@ static void pred8x8_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0=0; + unsigned dc0 = 0; for(i=0;i<4; i++){ dc0+= src[-1+i*stride] + src[i-stride]; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/h264pred_template.c ^ |
| @@ -120,28 +120,28 @@ #define LOAD_TOP_RIGHT_EDGE\ - const int av_unused t4= topright[0];\ - const int av_unused t5= topright[1];\ - const int av_unused t6= topright[2];\ - const int av_unused t7= topright[3];\ + const unsigned av_unused t4 = topright[0];\ + const unsigned av_unused t5 = topright[1];\ + const unsigned av_unused t6 = topright[2];\ + const unsigned av_unused t7 = topright[3];\ #define LOAD_DOWN_LEFT_EDGE\ - const int av_unused l4= src[-1+4*stride];\ - const int av_unused l5= src[-1+5*stride];\ - const int av_unused l6= src[-1+6*stride];\ - const int av_unused l7= src[-1+7*stride];\ + const unsigned av_unused l4 = src[-1+4*stride];\ + const unsigned av_unused l5 = src[-1+5*stride];\ + const unsigned av_unused l6 = src[-1+6*stride];\ + const unsigned av_unused l7 = src[-1+7*stride];\ #define LOAD_LEFT_EDGE\ - const int av_unused l0= src[-1+0*stride];\ - const int av_unused l1= src[-1+1*stride];\ - const int av_unused l2= src[-1+2*stride];\ - const int av_unused l3= src[-1+3*stride];\ + const unsigned av_unused l0 = src[-1+0*stride];\ + const unsigned av_unused l1 = src[-1+1*stride];\ + const unsigned av_unused l2 = src[-1+2*stride];\ + const unsigned av_unused l3 = src[-1+3*stride];\ #define LOAD_TOP_EDGE\ - const int av_unused t0= src[ 0-1*stride];\ - const int av_unused t1= src[ 1-1*stride];\ - const int av_unused t2= src[ 2-1*stride];\ - const int av_unused t3= src[ 3-1*stride];\ + const unsigned av_unused t0 = src[ 0-1*stride];\ + const unsigned av_unused t1 = src[ 1-1*stride];\ + const unsigned av_unused t2 = src[ 2-1*stride];\ + const unsigned av_unused t3 = src[ 3-1*stride];\ static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){ pixel *src = (pixel*)_src; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/imc.c ^ |
| @@ -104,10 +104,15 @@ static av_cold int imc_decode_init(AVCodecContext * avctx) { - int i, j; + int i, j, ret; IMCContext *q = avctx->priv_data; double r1, r2; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Number of channels is not supported\n"); + return AVERROR_PATCHWELCOME; + } + q->decoder_reset = 1; for(i = 0; i < BANDS; i++) @@ -156,7 +161,10 @@ } q->one_div_log2 = 1/log(2); - ff_fft_init(&q->fft, 7, 1); + if ((ret = ff_fft_init(&q->fft, 7, 1))) { + av_log(avctx, AV_LOG_INFO, "FFT init failed\n"); + return ret; + } dsputil_init(&q->dsp, avctx); avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/imgconvert.c ^ |
| @@ -470,6 +470,16 @@ } } + switch (pix_fmt) { + case PIX_FMT_RGB8: + case PIX_FMT_BGR8: + case PIX_FMT_RGB4_BYTE: + case PIX_FMT_BGR4_BYTE: + case PIX_FMT_GRAY8: + // do not include palette for these pseudo-paletted formats + return size; + } + if (desc->flags & PIX_FMT_PAL) memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/j2k_dwt.c ^ |
| @@ -321,6 +321,8 @@ int i, j, lev = decomp_levels, maxlen, b[2][2]; + if (decomp_levels >= FF_DWT_MAX_DECLVLS) + return AVERROR_INVALIDDATA; s->ndeclevels = decomp_levels; s->type = type; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/j2kdec.c ^ |
| @@ -961,18 +961,20 @@ static int jp2_find_codestream(J2kDecoderContext *s) { - int32_t atom_size; + uint32_t atom_size; int found_codestream = 0, search_range = 10; // skip jpeg2k signature atom s->buf += 12; - while(!found_codestream && search_range) { + while(!found_codestream && search_range && s->buf_end - s->buf >= 8) { atom_size = AV_RB32(s->buf); if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) { found_codestream = 1; s->buf += 8; } else { + if (s->buf_end - s->buf < atom_size) + return 0; s->buf += atom_size; search_range--; } @@ -1005,7 +1007,8 @@ return AVERROR(EINVAL); // check if the image is in jp2 format - if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && + if(s->buf_end - s->buf >= 12 && + (AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && (AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) { if(!jp2_find_codestream(s)) { av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n"); | ||
| [+] | Added | ffmpeg-0.8.6.tar.bz2/libavcodec/libaacplus.c ^ |
| @@ -0,0 +1,136 @@ +/* + * Interface to libaacplus for aac+ (sbr+ps) encoding + * Copyright (c) 2010 tipok <piratfm@gmail.com> + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/** + * @file + * Interface to libaacplus for aac+ (sbr+ps) encoding. + */ + +#include "avcodec.h" +#include <aacplus.h> + +typedef struct aacPlusAudioContext { + aacplusEncHandle aacplus_handle; +} aacPlusAudioContext; + +static av_cold int aacPlus_encode_init(AVCodecContext *avctx) +{ + aacPlusAudioContext *s = avctx->priv_data; + aacplusEncConfiguration *aacplus_cfg; + unsigned long samples_input, max_bytes_output; + + /* number of channels */ + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "encoding %d channel(s) is not allowed\n", avctx->channels); + return -1; + } + + s->aacplus_handle = aacplusEncOpen(avctx->sample_rate, + avctx->channels, + &samples_input, &max_bytes_output); + if(!s->aacplus_handle) { + av_log(avctx, AV_LOG_ERROR, "can't open encoder\n"); + return -1; + } + + /* check aacplus version */ + aacplus_cfg = aacplusEncGetCurrentConfiguration(s->aacplus_handle); + + /* put the options in the configuration struct */ + if(avctx->profile != FF_PROFILE_AAC_LOW && avctx->profile != FF_PROFILE_UNKNOWN) { + av_log(avctx, AV_LOG_ERROR, "invalid AAC profile: %d, only LC supported\n", avctx->profile); + aacplusEncClose(s->aacplus_handle); + return -1; + } + + aacplus_cfg->bitRate = avctx->bit_rate; + aacplus_cfg->bandWidth = avctx->cutoff; + if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { + aacplus_cfg->outputFormat = 0; //raw aac + } + aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT; + if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) { + av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n"); + return -1; + } + + avctx->frame_size = samples_input / avctx->channels; + + avctx->coded_frame= avcodec_alloc_frame(); + avctx->coded_frame->key_frame= 1; + + /* Set decoder specific info */ + avctx->extradata_size = 0; + if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { + + unsigned char *buffer = NULL; + unsigned long decoder_specific_info_size; + + if (aacplusEncGetDecoderSpecificInfo(s->aacplus_handle, &buffer, + &decoder_specific_info_size) == 1) { + avctx->extradata = av_malloc(decoder_specific_info_size + FF_INPUT_BUFFER_PADDING_SIZE); + avctx->extradata_size = decoder_specific_info_size; + memcpy(avctx->extradata, buffer, avctx->extradata_size); + } +#undef free + free(buffer); +#define free please_use_av_free + } + return 0; +} + +static int aacPlus_encode_frame(AVCodecContext *avctx, + unsigned char *frame, int buf_size, void *data) +{ + aacPlusAudioContext *s = avctx->priv_data; + int bytes_written; + + bytes_written = aacplusEncEncode(s->aacplus_handle, + data, + avctx->frame_size * avctx->channels, + frame, + buf_size); + + return bytes_written; +} + +static av_cold int aacPlus_encode_close(AVCodecContext *avctx) +{ + aacPlusAudioContext *s = avctx->priv_data; + + av_freep(&avctx->coded_frame); + av_freep(&avctx->extradata); + + aacplusEncClose(s->aacplus_handle); + return 0; +} + +AVCodec ff_libaacplus_encoder = { + "libaacplus", + AVMEDIA_TYPE_AUDIO, + CODEC_ID_AAC, + sizeof(aacPlusAudioContext), + aacPlus_encode_init, + aacPlus_encode_frame, + aacPlus_encode_close, + .sample_fmts = (const enum SampleFormat[]){SAMPLE_FMT_S16,SAMPLE_FMT_NONE}, + .long_name = NULL_IF_CONFIG_SMALL("libaacplus AAC+ (Advanced Audio Codec with SBR+PS)"), +}; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/libgsm.c ^ |
| @@ -141,18 +141,25 @@ AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; + int out_size = avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt); + + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + *data_size = 0; /* In case of error */ if(buf_size < avctx->block_align) return -1; switch(avctx->codec_id) { case CODEC_ID_GSM: if(gsm_decode(avctx->priv_data,buf,data)) return -1; - *data_size = GSM_FRAME_SIZE*sizeof(int16_t); break; case CODEC_ID_GSM_MS: if(gsm_decode(avctx->priv_data,buf,data) || gsm_decode(avctx->priv_data,buf+33,((int16_t*)data)+GSM_FRAME_SIZE)) return -1; - *data_size = GSM_FRAME_SIZE*sizeof(int16_t)*2; } + + *data_size = out_size; return avctx->block_align; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/libvpxenc.c ^ |
| @@ -481,8 +481,8 @@ break; case VPX_CODEC_STATS_PKT: { struct vpx_fixed_buf *stats = &ctx->twopass_stats; - stats->buf = av_realloc(stats->buf, - stats->sz + pkt->data.twopass_stats.sz); + stats->buf = av_realloc_f(stats->buf, 1, + stats->sz + pkt->data.twopass_stats.sz); if (!stats->buf) { av_log(avctx, AV_LOG_ERROR, "Stat buffer realloc failed\n"); return AVERROR(ENOMEM); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/libx264.c ^ |
| @@ -70,9 +70,14 @@ /* Write the SEI as part of the first frame. */ if (x4->sei_size > 0 && nnal > 0) { + if (x4->sei_size > size) { + av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n"); + return -1; + } memcpy(p, x4->sei, x4->sei_size); p += x4->sei_size; x4->sei_size = 0; + // why is x4->sei not freed? } for (i = 0; i < nnal; i++){ @@ -83,6 +88,11 @@ memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload); continue; } + if (nals[i].i_payload > (size - (p - buf))) { + // return only complete nals which fit in buf + av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n"); + break; + } memcpy(p, nals[i].p_payload, nals[i].i_payload); p += nals[i].i_payload; } @@ -91,13 +101,14 @@ } static int X264_frame(AVCodecContext *ctx, uint8_t *buf, - int bufsize, void *data) + int orig_bufsize, void *data) { X264Context *x4 = ctx->priv_data; AVFrame *frame = data; x264_nal_t *nal; int nnal, i; x264_picture_t pic_out; + int bufsize; x264_picture_init( &x4->pic ); x4->pic.img.i_csp = X264_CSP_I420; @@ -128,6 +139,7 @@ } do { + bufsize = orig_bufsize; if (x264_encoder_encode(x4->enc, &nal, &nnal, frame? &x4->pic: NULL, &pic_out) < 0) return -1; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mlpdec.c ^ |
| @@ -950,7 +950,12 @@ int32_t *data_32 = (int32_t*) data; int16_t *data_16 = (int16_t*) data; - if (*data_size < (s->max_channel + 1) * s->blockpos * (is32 ? 4 : 2)) + if (m->avctx->channels != s->max_matrix_channel + 1) { + av_log(m->avctx, AV_LOG_ERROR, "channel count mismatch\n"); + return AVERROR_INVALIDDATA; + } + + if (*data_size < m->avctx->channels * s->blockpos * (is32 ? 4 : 2)) return -1; for (i = 0; i < s->blockpos; i++) { | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/motion_est.c ^ |
| @@ -1040,7 +1040,7 @@ /* intra / predictive decision */ pix = c->src[0][0]; sum = s->dsp.pix_sum(pix, s->linesize); - varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500; + varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500; pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8; @@ -1202,7 +1202,7 @@ if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){ intra_score= varc - 500; }else{ - int mean= (sum+128)>>8; + unsigned mean = (sum+128)>>8; mean*= 0x01010101; for(i=0; i<16; i++){ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/motionpixels.c ^ |
| @@ -52,14 +52,16 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) { MotionPixelsContext *mp = avctx->priv_data; + int w4 = (avctx->width + 3) & ~3; + int h4 = (avctx->height + 3) & ~3; motionpixels_tableinit(); mp->avctx = avctx; dsputil_init(&mp->dsp, avctx); - mp->changes_map = av_mallocz(avctx->width * avctx->height); + mp->changes_map = av_mallocz(avctx->width * h4); mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1; mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel)); - mp->hpt = av_mallocz(avctx->height * avctx->width / 16 * sizeof(YuvPixel)); + mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel)); avctx->pix_fmt = PIX_FMT_RGB555; avcodec_get_frame_defaults(&mp->frame); return 0; @@ -253,6 +255,7 @@ mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4); if (buf_size & 3) memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3); + memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&gb, mp->bswapbuf, buf_size * 8); memset(mp->changes_map, 0, avctx->width * avctx->height); @@ -279,6 +282,8 @@ if (sz == 0) goto end; + if (mp->max_codes_bits <= 0) + goto end; if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) goto end; mp_decode_frame_helper(mp, &gb); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mpc7.c ^ |
| @@ -197,12 +197,19 @@ int i, ch; int mb = -1; Band *bands = c->bands; - int off; + int off, out_size; int bits_used, bits_avail; memset(bands, 0, sizeof(bands)); if(buf_size <= 4){ av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); + return AVERROR(EINVAL); + } + + out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); } bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); @@ -277,7 +284,7 @@ *data_size = 0; return buf_size; } - *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + *data_size = out_size; return buf_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mpc8.c ^ |
| @@ -127,6 +127,8 @@ skip_bits(&gb, 3);//sample rate c->maxbands = get_bits(&gb, 5) + 1; + if (c->maxbands >= BANDS) + return AVERROR_INVALIDDATA; channels = get_bits(&gb, 4) + 1; if (channels > 2) { av_log_missing_feature(avctx, "Multichannel MPC SV8", 1); @@ -241,10 +243,16 @@ GetBitContext gb2, *gb = &gb2; int i, j, k, ch, cnt, res, t; Band *bands = c->bands; - int off; + int off, out_size; int maxband, keyframe; int last[2]; + out_size = MPC_FRAME_SIZE * 2 * avctx->channels; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + keyframe = c->cur_frame == 0; if(keyframe){ @@ -260,6 +268,8 @@ maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2); if(maxband > 32) maxband -= 33; } + if(maxband > c->maxbands) + return AVERROR_INVALIDDATA; c->last_max_band = maxband; /* read subband indexes */ @@ -400,7 +410,7 @@ c->last_bits_used = get_bits_count(gb); if(c->cur_frame >= c->frames) c->cur_frame = 0; - *data_size = MPC_FRAME_SIZE * 2 * avctx->channels; + *data_size = out_size; return c->cur_frame ? c->last_bits_used >> 3 : buf_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mpegaudiodec.c ^ |
| @@ -1801,8 +1801,8 @@ avctx->bit_rate = s->bit_rate; avctx->sub_id = s->layer; - if(*data_size < 1152*avctx->channels*sizeof(OUT_INT)) - return -1; + if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT)) + return AVERROR(EINVAL); *data_size = 0; if(s->frame_size<=0 || s->frame_size > buf_size){ @@ -1870,6 +1870,9 @@ avctx->bit_rate = s->bit_rate; avctx->sub_id = s->layer; + if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT)) + return AVERROR(EINVAL); + s->frame_size = len; if (avctx->parse_only) { | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mpegvideo.c ^ |
| @@ -366,8 +366,8 @@ int i; // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264) - FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance - s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21; + FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance + s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2; //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer() FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail) @@ -2302,12 +2302,15 @@ edge_h= FFMIN(h, s->v_edge_pos - y); - s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize, - s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides); - s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); - s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize, + s->linesize, s->h_edge_pos, edge_h, + EDGE_WIDTH, EDGE_WIDTH, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); } h= FFMIN(h, s->avctx->height - y); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mpegvideo.h ^ |
| @@ -123,7 +123,7 @@ int pic_id; /**< h264 pic_num (short -> no wrap version of pic_num, pic_num & max_pic_num; long -> long_pic_num) */ int long_ref; ///< 1->long term reference 0->short term reference - int ref_poc[2][2][16]; ///< h264 POCs of the frames used as reference (FIXME need per slice) + int ref_poc[2][2][32]; ///< h264 POCs of the frames/fields used as reference (FIXME need per slice) int ref_count[2][2]; ///< number of entries in ref_poc (FIXME need per slice) int mbaff; ///< h264 1 -> MBAFF frame 0-> not MBAFF int field_picture; ///< whether or not the picture was encoded in seperate fields | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/mpegvideo_enc.c ^ |
| @@ -411,9 +411,10 @@ if ((s->codec_id == CODEC_ID_MPEG4 || s->codec_id == CODEC_ID_H263 || s->codec_id == CODEC_ID_H263P) && (avctx->sample_aspect_ratio.num > 255 || avctx->sample_aspect_ratio.den > 255)) { - av_log(avctx, AV_LOG_ERROR, "Invalid pixel aspect ratio %i/%i, limit is 255/255\n", + av_log(avctx, AV_LOG_WARNING, "Invalid pixel aspect ratio %i/%i, limit is 255/255 reducing\n", avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den); - return -1; + av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den, + avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255); } if((s->flags & (CODEC_FLAG_INTERLACED_DCT|CODEC_FLAG_INTERLACED_ME|CODEC_FLAG_ALT_SCAN)) @@ -2006,7 +2007,7 @@ int varc; int sum = s->dsp.pix_sum(pix, s->linesize); - varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8; + varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8; s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc; s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/ppc/asm.S ^ |
| @@ -44,10 +44,13 @@ L(\name): .endm -.macro movrel rd, sym +.macro movrel rd, sym, gp ld \rd, \sym@got(r2) .endm +.macro get_got rd +.endm + #else /* ARCH_PPC64 */ #define PTR .int @@ -65,19 +68,25 @@ \name: .endm -.macro movrel rd, sym +.macro movrel rd, sym, gp #if CONFIG_PIC - bcl 20, 31, lab_pic_\@ -lab_pic_\@: - mflr \rd - addis \rd, \rd, (\sym - lab_pic_\@)@ha - addi \rd, \rd, (\sym - lab_pic_\@)@l + lwz \rd, \sym@got(\gp) #else lis \rd, \sym@ha la \rd, \sym@l(\rd) #endif .endm +.macro get_got rd +#if CONFIG_PIC + bcl 20, 31, .Lgot\@ +.Lgot\@: + mflr \rd + addis \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@ha + addi \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@l +#endif +.endm + #endif /* ARCH_PPC64 */ #if HAVE_IBM_ASM | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/ppc/fft_altivec_s.S ^ |
| @@ -353,6 +353,7 @@ mflr r0 stp r0, 2*PS(r1) stpu r1, -(160+16*PS)(r1) + get_got r11 addi r6, r1, 16*PS stvm r6, v20, v21, v22, v23, v24, v25, v26, v27, v28, v29 mfvrsave r0 @@ -360,14 +361,14 @@ li r6, 0xfffffffc mtvrsave r6 - movrel r6, fft_data + movrel r6, fft_data, r11 lvm r6, v14, v15, v16, v17, v18, v19, v20, v21 lvm r6, v22, v23, v24, v25, v26, v27, v28, v29 li r9, 16 - movrel r12, X(ff_cos_tabs) + movrel r12, X(ff_cos_tabs), r11 - movrel r6, fft_dispatch_tab\interleave\()_altivec + movrel r6, fft_dispatch_tab\interleave\()_altivec, r11 lwz r3, 0(r3) subi r3, r3, 2 slwi r3, r3, 2+ARCH_PPC64 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/pthread.c ^ |
| @@ -332,6 +332,9 @@ dst->height = src->height; dst->pix_fmt = src->pix_fmt; + dst->coded_width = src->coded_width; + dst->coded_height = src->coded_height; + dst->has_b_frames = src->has_b_frames; dst->idct_algo = src->idct_algo; dst->slice_count = src->slice_count; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/ptx.c ^ |
| @@ -39,12 +39,15 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; PTXContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; unsigned int offset, w, h, y, stride, bytes_per_pixel; uint8_t *ptr; + if (buf_end - buf < 14) + return AVERROR_INVALIDDATA; offset = AV_RL16(buf); w = AV_RL16(buf+8); h = AV_RL16(buf+10); @@ -57,6 +60,9 @@ avctx->pix_fmt = PIX_FMT_RGB555; + + if (buf_end - buf < offset) + return AVERROR_INVALIDDATA; if (offset != 0x2c) av_log_ask_for_sample(avctx, "offset != 0x2c\n"); @@ -80,6 +86,8 @@ stride = p->linesize[0]; for (y=0; y<h; y++) { + if (buf_end - buf < w * bytes_per_pixel) + break; #if HAVE_BIGENDIAN unsigned int x; for (x=0; x<w*bytes_per_pixel; x+=bytes_per_pixel) | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/put_bits.h ^ |
| @@ -100,7 +100,8 @@ align_put_bits(s); #else #ifndef BITSTREAM_WRITER_LE - s->bit_buf<<= s->bit_left; + if (s->bit_left < 32) + s->bit_buf<<= s->bit_left; #endif while (s->bit_left < 32) { /* XXX: should test end of buffer */ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/qcelpdec.c ^ |
| @@ -738,11 +738,17 @@ int buf_size = avpkt->size; QCELPContext *q = avctx->priv_data; float *outbuffer = data; - int i; + int i, out_size; float quantized_lspf[10], lpc[10]; float gain[16]; float *formant_mem; + out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q) { warn_insufficient_frame_quality(avctx, "bitrate cannot be determined."); @@ -837,7 +843,7 @@ memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf)); q->prev_bitrate = q->bitrate; - *data_size = 160 * sizeof(*outbuffer); + *data_size = out_size; return buf_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/qdm2.c ^ |
| @@ -1353,6 +1353,8 @@ return; local_int_14 = (offset >> local_int_8); + if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table)) + return; if (q->nb_channels > 1) { channel = get_bits1(gb); @@ -1797,6 +1799,8 @@ avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); extradata += 4; + if (s->channels > MPA_MAX_CHANNELS) + return AVERROR_INVALIDDATA; avctx->sample_rate = AV_RB32(extradata); extradata += 4; @@ -1818,6 +1822,8 @@ // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2) + return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); @@ -1952,13 +1958,20 @@ int buf_size = avpkt->size; QDM2Context *s = avctx->priv_data; int16_t *out = data; - int i; + int i, out_size; if(!buf) return 0; if(buf_size < s->checksum_size) return -1; + out_size = 16 * s->channels * s->frame_size * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n", buf_size, buf, s->checksum_size, data, *data_size); @@ -1968,7 +1981,7 @@ out += s->channels * s->frame_size; } - *data_size = (uint8_t*)out - (uint8_t*)data; + *data_size = out_size; return s->checksum_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/qdrw.c ^ |
| @@ -37,6 +37,7 @@ AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; QdrawContext * const a = avctx->priv_data; AVFrame * const p= (AVFrame*)&a->pic; @@ -59,6 +60,8 @@ outdata = a->pic.data[0]; + if (buf_end - buf < 0x68 + 4) + return AVERROR_INVALIDDATA; buf += 0x68; /* jump to palette */ colors = AV_RB32(buf); buf += 4; @@ -67,6 +70,8 @@ av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return -1; } + if (buf_end - buf < (colors + 1) * 8) + return AVERROR_INVALIDDATA; pal = (uint32_t*)p->data[1]; for (i = 0; i <= colors; i++) { @@ -89,6 +94,8 @@ } p->palette_has_changed = 1; + if (buf_end - buf < 18) + return AVERROR_INVALIDDATA; buf += 18; /* skip unneeded data */ for (i = 0; i < avctx->height; i++) { int size, left, code, pix; @@ -100,6 +107,9 @@ out = outdata; size = AV_RB16(buf); /* size of packed line */ buf += 2; + if (buf_end - buf < size) + return AVERROR_INVALIDDATA; + left = size; next = buf + size; while (left > 0) { @@ -115,6 +125,8 @@ } else { /* copy */ if ((out + code) > (outdata + a->pic.linesize[0])) break; + if (buf_end - buf < code + 1) + return AVERROR_INVALIDDATA; memcpy(out, buf, code + 1); out += code + 1; buf += code + 1; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/qtrle.c ^ |
| @@ -127,6 +127,7 @@ while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -183,6 +184,7 @@ while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -236,6 +238,7 @@ while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -285,6 +288,7 @@ while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -336,6 +340,7 @@ while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -464,6 +469,8 @@ stream_ptr += 4; height = AV_RB16(&s->buf[stream_ptr]); stream_ptr += 4; + if (height > s->avctx->height - start_line) + goto done; } else { start_line = 0; height = s->avctx->height; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/resample.c ^ |
| @@ -326,9 +326,9 @@ if (s->sample_fmt[1] != AV_SAMPLE_FMT_S16) { output_bak = output; - if (!s->buffer_size[1] || s->buffer_size[1] < lenout) { + if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) { av_free(s->buffer[1]); - s->buffer_size[1] = lenout; + s->buffer_size[1] = 2*lenout; s->buffer[1] = av_malloc(s->buffer_size[1]); if (!s->buffer[1]) { av_log(s->resample_context, AV_LOG_ERROR, "Could not allocate buffer\n"); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/resample2.c ^ |
| @@ -207,8 +207,10 @@ memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM)); c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1]; - c->src_incr= out_rate; - c->ideal_dst_incr= c->dst_incr= in_rate * phase_count; + if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2)) + goto error; + c->ideal_dst_incr= c->dst_incr; + c->index= -phase_count*((c->filter_length-1)/2); return c; @@ -246,10 +248,9 @@ dst[dst_index] = src[index2>>32]; index2 += incr; } - frac += dst_index * dst_incr_frac; index += dst_index * dst_incr; - index += frac / c->src_incr; - frac %= c->src_incr; + index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr; + frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr; }else{ for(dst_index=0; dst_index < dst_size; dst_index++){ FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/shorten.c ^ |
| @@ -113,6 +113,7 @@ { int i, chan; int *coeffs; + void *tmp_ptr; for (chan=0; chan<s->channels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ @@ -124,9 +125,15 @@ return -1; } - s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); - - s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->offset[chan] = tmp_ptr; + + tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->decoded[chan] = tmp_ptr; for (i=0; i<s->nwrap; i++) s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; @@ -155,7 +162,7 @@ if (s->bitshift != 0) for (i = 0; i < s->blocksize; i++) - buffer[s->nwrap + i] <<= s->bitshift; + buffer[i] <<= s->bitshift; } @@ -284,8 +291,15 @@ int i, input_buf_size = 0; int16_t *samples = data; if(s->max_framesize == 0){ + void *tmp_ptr; s->max_framesize= 1024; // should hopefully be enough for the first header - s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); + tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, + s->max_framesize); + if (!tmp_ptr) { + av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); + return AVERROR(ENOMEM); + } + s->bitstream = tmp_ptr; } if(1 && s->max_framesize){//FIXME truncated @@ -467,6 +481,12 @@ s->cur_chan++; if (s->cur_chan == s->channels) { + int out_size = s->blocksize * s->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded); s->cur_chan = 0; goto frame_done; @@ -483,9 +503,15 @@ case FN_BITSHIFT: s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; - case FN_BLOCKSIZE: - s->blocksize = get_uint(s, av_log2(s->blocksize)); + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; + } + s->blocksize = blocksize; break; + } case FN_QUIT: *data_size = 0; return buf_size; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/sipr.c ^ |
| @@ -194,14 +194,16 @@ { int i, j; - parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); + if (p->ma_predictor_bits) + parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); for (i = 0; i < 5; i++) parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]); for (i = 0; i < p->subframe_count; i++) { parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]); - parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); + if (p->gp_index_bits) + parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); for (j = 0; j < p->number_of_fc_indexes; j++) parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]); @@ -509,7 +511,7 @@ GetBitContext gb; float *data = datap; int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE; - int i; + int i, out_size; ctx->avctx = avctx; if (avpkt->size < (mode_par->bits_per_frame >> 3)) { @@ -520,7 +522,11 @@ *data_size = 0; return -1; } - if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) { + + out_size = mode_par->frames_per_packet * subframe_size * + mode_par->subframe_count * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { av_log(avctx, AV_LOG_ERROR, "Error processing packet: output buffer (%d) too small\n", *data_size); @@ -542,8 +548,7 @@ data += subframe_size * mode_par->subframe_count; } - *data_size = mode_par->frames_per_packet * subframe_size * - mode_par->subframe_count * sizeof(float); + *data_size = out_size; return mode_par->bits_per_frame >> 3; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/smacker.c ^ |
| @@ -560,6 +560,10 @@ static av_cold int smka_decode_init(AVCodecContext *avctx) { + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); + return AVERROR(EINVAL); + } avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16; return 0; @@ -583,6 +587,11 @@ int bits, stereo; int pred[2] = {0, 0}; + if (buf_size <= 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + unp_size = AV_RL32(buf); init_get_bits(&gb, buf + 4, (buf_size - 4) * 8); @@ -598,6 +607,14 @@ av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n"); return -1; } + if (stereo ^ (avctx->channels != 1)) { + av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); + return AVERROR(EINVAL); + } + if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) { + av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); + return AVERROR(EINVAL); + } memset(vlc, 0, sizeof(VLC) * 4); memset(h, 0, sizeof(HuffContext) * 4); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/snow.c ^ |
| @@ -1917,8 +1917,6 @@ static void halfpel_interpol(SnowContext *s, uint8_t *halfpel[4][4], AVFrame *frame){ int p,x,y; - assert(!(s->avctx->flags & CODEC_FLAG_EMU_EDGE)); - for(p=0; p<3; p++){ int is_chroma= !!p; int w= s->avctx->width >>is_chroma; @@ -1975,7 +1973,7 @@ int w= s->avctx->width; //FIXME round up to x16 ? int h= s->avctx->height; - if(s->current_picture.data[0]){ + if(s->current_picture.data[0] && !(s->avctx->flags&CODEC_FLAG_EMU_EDGE)){ s->dsp.draw_edges(s->current_picture.data[0], s->current_picture.linesize[0], w , h , EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/sunrast.c ^ |
| @@ -46,6 +46,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; SUNRASTContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -53,6 +54,9 @@ uint8_t *ptr; const uint8_t *bufstart = buf; + if (avpkt->size < 32) + return AVERROR_INVALIDDATA; + if (AV_RB32(buf) != 0x59a66a95) { av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n"); return -1; @@ -64,13 +68,14 @@ type = AV_RB32(buf+20); maptype = AV_RB32(buf+24); maplength = AV_RB32(buf+28); + buf += 32; - if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { - av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); + if (type < RT_OLD || type > RT_FORMAT_IFF) { + av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n"); return -1; } - if (type > RT_FORMAT_IFF) { - av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n"); + if (av_image_check_size(w, h, 0, avctx)) { + av_log(avctx, AV_LOG_ERROR, "invalid image size\n"); return -1; } if (maptype & ~1) { @@ -78,7 +83,10 @@ return -1; } - buf += 32; + if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { + av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); + return -1; + } switch (depth) { case 1: @@ -98,8 +106,6 @@ if (p->data[0]) avctx->release_buffer(avctx, p); - if (av_image_check_size(w, h, 0, avctx)) - return -1; if (w != avctx->width || h != avctx->height) avcodec_set_dimensions(avctx, w, h); if (avctx->get_buffer(avctx, p) < 0) { @@ -109,6 +115,9 @@ p->pict_type = AV_PICTURE_TYPE_I; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if (depth != 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); @@ -143,8 +152,11 @@ uint8_t *end = ptr + h*stride; x = 0; - while (ptr != end) { + while (ptr != end && buf < buf_end) { run = 1; + if (buf_end - buf < 1) + return AVERROR_INVALIDDATA; + if ((value = *buf++) == 0x80) { run = *buf++ + 1; if (run != 1) @@ -163,6 +175,8 @@ } } else { for (y=0; y<h; y++) { + if (buf_end - buf < len) + break; memcpy(ptr, buf, len); ptr += stride; buf += alen; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/svq3.c ^ |
| @@ -612,7 +612,7 @@ dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3*(dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){ + if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){ av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); return -1; } @@ -711,7 +711,7 @@ s->current_picture.mb_type[mb_xy] = mb_type; if (IS_INTRA(mb_type)) { - h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8); + h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8); } return 0; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/tiertexseqv.c ^ |
| @@ -35,15 +35,19 @@ } SeqVideoContext; -static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsigned char *dst, int dst_size) +static const unsigned char *seq_unpack_rle_block(const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst, int dst_size) { int i, len, sz; GetBitContext gb; int code_table[64]; - /* get the rle codes (at most 64 bytes) */ - init_get_bits(&gb, src, 64 * 8); + /* get the rle codes */ + init_get_bits(&gb, src, (src_end - src) * 8); for (i = 0, sz = 0; i < 64 && sz < dst_size; i++) { + if (get_bits_left(&gb) < 4) + return NULL; code_table[i] = get_sbits(&gb, 4); sz += FFABS(code_table[i]); } @@ -54,8 +58,12 @@ len = code_table[i]; if (len < 0) { len = -len; + if (src_end - src < 1) + return NULL; memset(dst, *src++, FFMIN(len, dst_size)); } else { + if (src_end - src < len) + return NULL; memcpy(dst, src, FFMIN(len, dst_size)); src += len; } @@ -65,25 +73,30 @@ return src; } -static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op1(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { const unsigned char *color_table; int b, i, len, bits; GetBitContext gb; unsigned char block[8 * 8]; + if (src_end - src < 1) + return NULL; len = *src++; if (len & 0x80) { switch (len & 3) { case 1: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (b = 0; b < 8; b++) { memcpy(dst, &block[b * 8], 8); dst += seq->frame.linesize[0]; } break; case 2: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (i = 0; i < 8; i++) { for (b = 0; b < 8; b++) dst[b * seq->frame.linesize[0]] = block[i * 8 + b]; @@ -92,9 +105,13 @@ break; } } else { + if (len <= 0) + return NULL; + bits = ff_log2_tab[len - 1] + 1; + if (src_end - src < len + 8 * bits) + return NULL; color_table = src; src += len; - bits = ff_log2_tab[len - 1] + 1; init_get_bits(&gb, src, bits * 8 * 8); src += bits * 8; for (b = 0; b < 8; b++) { for (i = 0; i < 8; i++) @@ -106,10 +123,16 @@ return src; } -static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op2(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int i; + if (src_end - src < 8 * 8) + return NULL; + for (i = 0; i < 8; i++) { memcpy(dst, src, 8); src += 8; @@ -119,11 +142,16 @@ return src; } -static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op3(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int pos, offset; do { + if (src_end - src < 2) + return NULL; pos = *src++; offset = ((pos >> 3) & 7) * seq->frame.linesize[0] + (pos & 7); dst[offset] = *src++; @@ -132,8 +160,9 @@ return src; } -static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) +static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) { + const unsigned char *data_end = data + data_size; GetBitContext gb; int flags, i, j, x, y, op; unsigned char c[3]; @@ -144,6 +173,8 @@ if (flags & 1) { palette = (uint32_t *)seq->frame.data[1]; + if (data_end - data < 256 * 3) + return AVERROR_INVALIDDATA; for (i = 0; i < 256; i++) { for (j = 0; j < 3; j++, data++) c[j] = (*data << 2) | (*data >> 4); @@ -153,6 +184,8 @@ } if (flags & 2) { + if (data_end - data < 128) + return AVERROR_INVALIDDATA; init_get_bits(&gb, data, 128 * 8); data += 128; for (y = 0; y < 128; y += 8) for (x = 0; x < 256; x += 8) { @@ -160,17 +193,20 @@ op = get_bits(&gb, 2); switch (op) { case 1: - data = seq_decode_op1(seq, data, dst); + data = seq_decode_op1(seq, data, data_end, dst); break; case 2: - data = seq_decode_op2(seq, data, dst); + data = seq_decode_op2(seq, data, data_end, dst); break; case 3: - data = seq_decode_op3(seq, data, dst); + data = seq_decode_op3(seq, data, data_end, dst); break; } + if (!data) + return AVERROR_INVALIDDATA; } } + return 0; } static av_cold int seqvideo_decode_init(AVCodecContext *avctx) @@ -202,7 +238,8 @@ return -1; } - seqvideo_decode(seq, buf, buf_size); + if (seqvideo_decode(seq, buf, buf_size)) + return AVERROR_INVALIDDATA; *data_size = sizeof(AVFrame); *(AVFrame *)data = seq->frame; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/tiff.c ^ |
| @@ -170,6 +170,8 @@ } switch(s->compr){ case TIFF_RAW: + if (ssrc + size - src < width) + return AVERROR_INVALIDDATA; if (!s->fill_order) { memcpy(dst, src, width); } else { @@ -277,6 +279,8 @@ uint32_t *pal; const uint8_t *rp, *gp, *bp; + if (end_buf - buf < 12) + return -1; tag = tget_short(&buf, s->le); type = tget_short(&buf, s->le); count = tget_long(&buf, s->le); @@ -336,7 +340,7 @@ case TIFF_SHORT: case TIFF_LONG: s->bpp = 0; - for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le); + for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le); break; default: s->bpp = -1; @@ -450,6 +454,8 @@ case TIFF_PAL: pal = (uint32_t *) s->palette; off = type_sizes[type]; + if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3) + return -1; rp = buf; gp = buf + count / 3 * off; bp = buf + count / 3 * off * 2; @@ -493,12 +499,16 @@ AVFrame *picture = data; AVFrame * const p= (AVFrame*)&s->picture; const uint8_t *orig_buf = buf, *end_buf = buf + buf_size; - int id, le, off, ret; + unsigned off; + int id, le, ret; int i, j, entries; - int stride, soff, ssize; + int stride; + unsigned soff, ssize; uint8_t *dst; //parse image header + if (end_buf - buf < 8) + return AVERROR_INVALIDDATA; id = AV_RL16(buf); buf += 2; if(id == 0x4949) le = 1; else if(id == 0x4D4D) le = 0; @@ -518,9 +528,9 @@ } /* parse image file directory */ off = tget_long(&buf, le); - if(orig_buf + off + 14 >= end_buf){ + if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); - return -1; + return AVERROR_INVALIDDATA; } buf = orig_buf + off; entries = tget_short(&buf, le); @@ -544,23 +554,23 @@ stride = p->linesize[0]; dst = p->data[0]; for(i = 0; i < s->height; i += s->rps){ - if(s->stripsizes) + if(s->stripsizes) { + if (s->stripsizes >= end_buf) + return AVERROR_INVALIDDATA; ssize = tget(&s->stripsizes, s->sstype, s->le); - else + } else ssize = s->stripsize; - if (ssize > buf_size) { - av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n"); - return -1; - } - if(s->stripdata){ + if (s->stripdata >= end_buf) + return AVERROR_INVALIDDATA; soff = tget(&s->stripdata, s->sot, s->le); }else soff = s->stripoff; - if (soff < 0) { - av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff); - return AVERROR(EINVAL); + + if (soff > buf_size || ssize > buf_size - soff) { + av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n"); + return -1; } if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0) break; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/tiffenc.c ^ |
| @@ -42,6 +42,7 @@ }; typedef struct TiffEncoderContext { + AVClass *avclass; AVCodecContext *avctx; AVFrame picture; @@ -216,6 +217,7 @@ uint8_t *yuv_line = NULL; int shift_h, shift_v; + s->avctx = avctx; s->buf_start = buf; s->buf = &ptr; s->buf_size = buf_size; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/truespeech.c ^ |
| @@ -56,6 +56,11 @@ { // TSContext *c = avctx->priv_data; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Unsupported channel count: %d\n", avctx->channels); + return AVERROR(EINVAL); + } + avctx->sample_fmt = AV_SAMPLE_FMT_S16; return 0; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/twinvq.c ^ |
| @@ -822,7 +822,7 @@ const ModeTab *mtab = tctx->mtab; float *out = data; enum FrameType ftype; - int window_type; + int window_type, out_size; static const enum FrameType wtype_to_ftype_table[] = { FT_LONG, FT_LONG, FT_SHORT, FT_LONG, FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM @@ -835,6 +835,13 @@ return buf_size; } + out_size = mtab->size * avctx->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + init_get_bits(&gb, buf, buf_size * 8); skip_bits(&gb, get_bits(&gb, 8)); window_type = get_bits(&gb, WINDOW_TYPE_BITS); @@ -857,7 +864,7 @@ return buf_size; } - *data_size = mtab->size*avctx->channels*4; + *data_size = out_size; return buf_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/txd.c ^ |
| @@ -23,6 +23,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" +#include "bytestream.h" #include "avcodec.h" #include "s3tc.h" @@ -42,6 +43,7 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; TXDContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -52,6 +54,8 @@ const uint32_t *palette = (const uint32_t *)(cur + 88); uint32_t *pal; + if (buf_end - cur < 92) + return AVERROR_INVALIDDATA; version = AV_RL32(cur); d3d_format = AV_RL32(cur+76); w = AV_RL16(cur+80); @@ -69,6 +73,8 @@ if (depth == 8) { avctx->pix_fmt = PIX_FMT_PAL8; + if (buf_end - cur < 1024) + return AVERROR_INVALIDDATA; cur += 1024; } else if (depth == 16 || depth == 32) avctx->pix_fmt = PIX_FMT_RGB32; @@ -100,6 +106,8 @@ v = AV_RB32(palette+y); pal[y] = (v>>8) + (v<<24); } + if (buf_end - cur < w * h) + return AVERROR_INVALIDDATA; for (y=0; y<h; y++) { memcpy(ptr, cur, w); ptr += stride; @@ -110,9 +118,13 @@ case 0: if (!flags&1) goto unsupported; case FF_S3TC_DXT1: + if (buf_end - cur < (w/4) * (h/4) * 8) + return AVERROR_INVALIDDATA; ff_decode_dxt1(cur, ptr, w, h, stride); break; case FF_S3TC_DXT3: + if (buf_end - cur < (w/4) * (h/4) * 16) + return AVERROR_INVALIDDATA; ff_decode_dxt3(cur, ptr, w, h, stride); break; default: @@ -122,6 +134,8 @@ switch (d3d_format) { case 0x15: case 0x16: + if (buf_end - cur < h * w * 4) + return AVERROR_INVALIDDATA; for (y=0; y<h; y++) { memcpy(ptr, cur, w*4); ptr += stride; @@ -133,8 +147,12 @@ } } - for (; mipmap_count > 1; mipmap_count--) - cur += AV_RL32(cur) + 4; + for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) { + uint32_t length = bytestream_get_le32(&cur); + if (buf_end - cur < length) + break; + cur += length; + } *picture = s->picture; *data_size = sizeof(AVPicture); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/utils.c ^ |
| @@ -785,6 +785,11 @@ avctx->pkt = avpkt; + if (!avpkt->data && avpkt->size) { + av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n"); + return AVERROR(EINVAL); + } + if((avctx->codec->capabilities & CODEC_CAP_DELAY) || avpkt->size){ //FIXME remove the check below _after_ ensuring that all audio check that the available space is enough if(*frame_size_ptr < AVCODEC_MAX_AUDIO_FRAME_SIZE){ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vaapi_vc1.c ^ |
| @@ -116,6 +116,18 @@ return 0; } +/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */ +static inline int vc1_get_TTFRM(VC1Context *v) +{ + switch (v->ttfrm) { + case TT_8X8: return 0; + case TT_8X4: return 1; + case TT_4X8: return 2; + case TT_4X4: return 3; + } + return 0; +} + /** Pack FFmpeg bitplanes into a VABitPlaneBuffer element */ static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride) { @@ -239,7 +251,7 @@ pic_param->transform_fields.value = 0; /* reset all bits */ pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform; pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf; - pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm; + pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v); pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index; pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index; pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vmdav.c ^ |
| @@ -72,9 +72,11 @@ #define QUEUE_SIZE 0x1000 #define QUEUE_MASK 0x0FFF -static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len) +static void lz_unpack(const unsigned char *src, int src_len, + unsigned char *dest, int dest_len) { const unsigned char *s; + const unsigned char *s_end; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; @@ -87,8 +89,12 @@ unsigned int i, j; s = src; + s_end = src + src_len; d = dest; d_end = d + dest_len; + + if (s_end - s < 8) + return; dataleft = AV_RL32(s); s += 4; memset(queue, 0x20, QUEUE_SIZE); @@ -101,10 +107,10 @@ speclen = 100; /* no speclen */ } - while (dataleft > 0) { + while (s_end - s > 0 && dataleft > 0) { tag = *s++; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end) + if (d_end - d < 8 || s_end - s < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; @@ -116,18 +122,23 @@ if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end) + if (d_end - d < 1 || s_end - s < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; dataleft--; } else { + if (s_end - s < 2) + return; chainofs = *s++; chainofs |= ((*s & 0xF0) << 4); chainlen = (*s++ & 0x0F) + 3; - if (chainlen == speclen) + if (chainlen == speclen) { + if (s_end - s < 1) + return; chainlen = *s++ + 0xF + 3; - if (d + chainlen > d_end) + } + if (d_end - d < chainlen) return; for (j = 0; j < chainlen; j++) { *d = queue[chainofs++ & QUEUE_MASK]; @@ -142,32 +153,39 @@ } } -static int rle_unpack(const unsigned char *src, unsigned char *dest, - int src_len, int dest_len) +static int rle_unpack(const unsigned char *src, int src_len, int src_count, + unsigned char *dest, int dest_len) { const unsigned char *ps; + const unsigned char *ps_end; unsigned char *pd; int i, l; unsigned char *dest_end = dest + dest_len; ps = src; + ps_end = src + src_len; pd = dest; - if (src_len & 1) + if (src_count & 1) { + if (ps_end - ps < 1) + return 0; *pd++ = *ps++; + } - src_len >>= 1; + src_count >>= 1; i = 0; do { + if (ps_end - ps < 1) + break; l = *ps++; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end) + if (dest_end - pd < l || ps_end - ps < l) return ps - src; memcpy(pd, ps, l); ps += l; pd += l; } else { - if (pd + i > dest_end) + if (dest_end - pd < i || ps_end - ps < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; @@ -176,7 +194,7 @@ ps += 2; } i += l; - } while (i < src_len); + } while (i < src_count); return ps - src; } @@ -189,8 +207,10 @@ /* point to the start of the encoded data */ const unsigned char *p = s->buf + 16; + const unsigned char *p_end = s->buf + s->size; const unsigned char *pb; + const unsigned char *pb_end; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ @@ -204,6 +224,16 @@ frame_y = AV_RL16(&s->buf[8]); frame_width = AV_RL16(&s->buf[10]) - frame_x + 1; frame_height = AV_RL16(&s->buf[12]) - frame_y + 1; + if (frame_x < 0 || frame_width < 0 || + frame_x >= s->avctx->width || + frame_width > s->avctx->width || + frame_x + frame_width > s->avctx->width) + return; + if (frame_y < 0 || frame_height < 0 || + frame_y >= s->avctx->height || + frame_height > s->avctx->height || + frame_y + frame_height > s->avctx->height) + return; if ((frame_width == s->avctx->width && frame_height == s->avctx->height) && (frame_x || frame_y)) { @@ -216,8 +246,9 @@ /* if only a certain region will be updated, copy the entire previous * frame before the decode */ - if (frame_x || frame_y || (frame_width != s->avctx->width) || - (frame_height != s->avctx->height)) { + if (s->prev_frame.data[0] && + (frame_x || frame_y || (frame_width != s->avctx->width) || + (frame_height != s->avctx->height))) { memcpy(s->frame.data[0], s->prev_frame.data[0], s->avctx->height * s->frame.linesize[0]); @@ -225,6 +256,8 @@ /* check if there is a new palette */ if (s->buf[15] & 0x02) { + if (p_end - p < 2 + 3 * PALETTE_COUNT) + return; p += 2; palette32 = (unsigned int *)s->palette; for (i = 0; i < PALETTE_COUNT; i++) { @@ -233,16 +266,17 @@ b = *p++ * 4; palette32[i] = (r << 16) | (g << 8) | (b); } - s->size -= (256 * 3 + 2); } - if (s->size >= 0) { + if (p < p_end) { /* originally UnpackFrame in VAG's code */ pb = p; + pb_end = p_end; meth = *pb++; if (meth & 0x80) { - lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size); + lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; + pb_end = s->unpack_buffer + s->unpack_buffer_size; } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -252,17 +286,19 @@ for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_end - pb < 1) + return; len = *pb++; if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width) + if (ofs + len > frame_width || pb_end - pb < len) return; memcpy(&dp[ofs], pb, len); pb += len; ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; @@ -280,6 +316,8 @@ case 2: for (i = 0; i < frame_height; i++) { + if (pb_end -pb < frame_width) + return; memcpy(dp, pb, frame_width); pb += frame_width; dp += s->frame.linesize[0]; @@ -291,18 +329,25 @@ for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_end - pb < 1) + return; len = *pb++; if (len & 0x80) { len = (len & 0x7F) + 1; + if (pb_end - pb < 1) + return; if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); - else + len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs); + else { + if (pb_end - pb < len) + return; memcpy(&dp[ofs], pb, len); + } pb += len; ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; @@ -523,7 +568,10 @@ silent_chunks = 0; if (block_type == BLOCK_TYPE_INITIAL) { - uint32_t flags = AV_RB32(buf); + uint32_t flags; + if (buf_size < 4) + return -1; + flags = AV_RB32(buf); silent_chunks = av_popcount(flags); buf += 4; buf_size -= 4; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vorbisdec.c ^ |
| @@ -1605,7 +1605,7 @@ vorbis_context *vc = avccontext->priv_data ; GetBitContext *gb = &(vc->gb); const float *channel_ptrs[255]; - int i, len; + int i, len, out_size; if (!buf_size) return 0; @@ -1630,6 +1630,13 @@ av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n", get_bits_count(gb) / 8, get_bits_count(gb) % 8, len); + out_size = len * vc->audio_channels * + av_get_bytes_per_sample(avccontext->sample_fmt); + if (*data_size < out_size) { + av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + if (vc->audio_channels > 8) { for (i = 0; i < vc->audio_channels; i++) channel_ptrs[i] = vc->channel_floors + i * len; @@ -1645,8 +1652,7 @@ vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len, vc->audio_channels); - *data_size = len * vc->audio_channels * - av_get_bytes_per_sample(avccontext->sample_fmt); + *data_size = out_size; return buf_size ; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vp3.c ^ |
| @@ -45,6 +45,7 @@ #define FRAGMENT_PIXELS 8 static av_cold int vp3_decode_end(AVCodecContext *avctx); +static void vp3_decode_flush(AVCodecContext *avctx); //FIXME split things out into their own arrays typedef struct Vp3Fragment { @@ -890,7 +891,7 @@ /* decode a VLC into a token */ token = get_vlc2(gb, vlc_table, 11, 3); /* use the token to get a zero run, a coefficient, and an eob run */ - if (token <= 6) { + if ((unsigned) token <= 6U) { eob_run = eob_run_base[token]; if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); @@ -908,7 +909,7 @@ coeff_i += eob_run; eob_run = 0; } - } else { + } else if (token >= 0) { bits_to_get = coeff_get_bits[token]; if (bits_to_get) bits_to_get = get_bits(gb, bits_to_get); @@ -942,6 +943,10 @@ for (i = coeff_index+1; i <= coeff_index+zero_run; i++) s->num_coded_frags[plane][i]--; coeff_i++; + } else { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid token %d\n", token); + return -1; } } @@ -991,6 +996,8 @@ /* unpack the Y plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -998,8 +1005,12 @@ /* unpack the C plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the C-plane DC coefficients */ if (!(s->avctx->flags & CODEC_FLAG_GRAY)) @@ -1036,11 +1047,17 @@ for (i = 1; i <= 63; i++) { residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; } return 0; @@ -1777,10 +1794,15 @@ Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; int qps_changed = 0, i, err; +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) + if (!s1->current_frame.data[0] ||s->width != s1->width - ||s->height!= s1->height) + ||s->height!= s1->height) { + if (s != s1) + copy_fields(s, s1, golden_frame, current_frame); return -1; + } if (s != s1) { // init tables if the first frame hasn't been decoded @@ -1796,8 +1818,6 @@ memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1])); } -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) - // copy previous frame data copy_fields(s, s1, golden_frame, dsp); @@ -1987,9 +2007,6 @@ Vp3DecodeContext *s = avctx->priv_data; int i; - if (avctx->is_copy && !s->current_frame.data[0]) - return 0; - av_free(s->superblock_coding); av_free(s->all_fragments); av_free(s->coded_fragment_list[0]); @@ -2016,12 +2033,7 @@ free_vlc(&s->motion_vector_vlc); /* release all frames */ - if (s->golden_frame.data[0]) - ff_thread_release_buffer(avctx, &s->golden_frame); - if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY) - ff_thread_release_buffer(avctx, &s->last_frame); - /* no need to release the current_frame since it will always be pointing - * to the same frame as either the golden or last frame */ + vp3_decode_flush(avctx); return 0; } @@ -2341,6 +2353,23 @@ ff_thread_release_buffer(avctx, &s->current_frame); } +static int vp3_init_thread_copy(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + s->superblock_coding = NULL; + s->all_fragments = NULL; + s->coded_fragment_list[0] = NULL; + s->dct_tokens_base = NULL; + s->superblock_fragments = NULL; + s->macroblock_coding = NULL; + s->motion_val[0] = NULL; + s->motion_val[1] = NULL; + s->edge_emu_buffer = NULL; + + return 0; +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2354,6 +2383,7 @@ NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; #endif @@ -2371,5 +2401,6 @@ NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vp56.c ^ |
| @@ -465,6 +465,7 @@ s->mb_height = (avctx->coded_height+15) / 16; if (s->mb_width > 1000 || s->mb_height > 1000) { + avcodec_set_dimensions(avctx, 0, 0); av_log(avctx, AV_LOG_ERROR, "picture too big\n"); return -1; } @@ -519,8 +520,10 @@ if (s->frames[i].data[0]) avctx->release_buffer(avctx, &s->frames[i]); } - if (is_alpha) + if (is_alpha) { + avcodec_set_dimensions(avctx, 0, 0); return -1; + } } if (!is_alpha) { | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vp6.c ^ |
| @@ -137,8 +137,11 @@ if (coeff_offset) { buf += coeff_offset; buf_size -= coeff_offset; - if (buf_size < 0) + if (buf_size < 0) { + if (s->framep[VP56_FRAME_CURRENT]->key_frame) + avcodec_set_dimensions(s->avctx, 0, 0); return 0; + } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); @@ -371,7 +374,7 @@ if (b > 3) pt = 1; vlc_coeff = &s->dccv_vlc[pt]; - for (coeff_idx=0; coeff_idx<64; ) { + for (coeff_idx = 0;;) { int run = 1; if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) { s->nb_null[coeff_idx][pt]--; @@ -408,6 +411,8 @@ } } coeff_idx+=run; + if (coeff_idx >= 64) + break; cg = FFMIN(vp6_coeff_groups[coeff_idx], 3); vlc_coeff = &s->ract_vlc[pt][ct][cg]; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vp8.c ^ |
| @@ -33,6 +33,19 @@ # include "arm/vp8.h" #endif +static void free_buffers(VP8Context *s) +{ + av_freep(&s->macroblocks_base); + av_freep(&s->filter_strength); + av_freep(&s->intra4x4_pred_mode_top); + av_freep(&s->top_nnz); + av_freep(&s->edge_emu_buffer); + av_freep(&s->top_border); + av_freep(&s->segmentation_map); + + s->macroblocks = NULL; +} + static void vp8_decode_flush(AVCodecContext *avctx) { VP8Context *s = avctx->priv_data; @@ -45,15 +58,7 @@ } memset(s->framep, 0, sizeof(s->framep)); - av_freep(&s->macroblocks_base); - av_freep(&s->filter_strength); - av_freep(&s->intra4x4_pred_mode_top); - av_freep(&s->top_nnz); - av_freep(&s->edge_emu_buffer); - av_freep(&s->top_border); - av_freep(&s->segmentation_map); - - s->macroblocks = NULL; + free_buffers(s); } static int update_dimensions(VP8Context *s, int width, int height) @@ -273,7 +278,7 @@ if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height) { - if ((ret = update_dimensions(s, width, height) < 0)) + if ((ret = update_dimensions(s, width, height)) < 0) return ret; } @@ -487,6 +492,7 @@ AV_ZERO32(&near_mv[0]); AV_ZERO32(&near_mv[1]); + AV_ZERO32(&near_mv[2]); /* Process MB on top, left and top-left */ #define MV_EDGE_CHECK(n)\ @@ -919,7 +925,8 @@ int mb_x, int mb_y) { AVCodecContext *avctx = s->avctx; - int x, y, mode, nnz, tr; + int x, y, mode, nnz; + uint32_t tr; // for the first row, we need to run xchg_mb_border to init the top edge to 127 // otherwise, skip it if we aren't going to deblock @@ -948,7 +955,7 @@ // from the top macroblock if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) && mb_x == s->mb_width-1) { - tr = tr_right[-1]*0x01010101; + tr = tr_right[-1]*0x01010101u; tr_right = (uint8_t *)&tr; } @@ -1749,6 +1756,11 @@ { VP8Context *s = dst->priv_data, *s_src = src->priv_data; + if (s->macroblocks_base && + (s_src->mb_width != s->mb_width || s_src->mb_height != s->mb_height)) { + free_buffers(s); + } + s->prob[0] = s_src->prob[!s_src->update_probabilities]; s->segmentation = s_src->segmentation; s->lf_delta = s_src->lf_delta; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/vqavideo.c ^ |
| @@ -138,6 +138,10 @@ /* load up the VQA parameters from the header */ vqa_header = (unsigned char *)s->avctx->extradata; s->vqa_version = vqa_header[0]; + if (s->vqa_version < 1 || s->vqa_version > 3) { + av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version); + return -1; + } s->width = AV_RL16(&vqa_header[6]); s->height = AV_RL16(&vqa_header[8]); if(av_image_check_size(s->width, s->height, 0, avctx)){ @@ -226,6 +230,8 @@ src_index += 2; av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + if (src_pos + count > dest_size) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; @@ -248,6 +254,8 @@ src_index += 2; av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + if (src_pos + count > dest_size) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; @@ -268,6 +276,8 @@ src_index += 2; av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos); CHECK_COUNT(); + if (dest_index < src_pos) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[dest_index - src_pos + i]; dest_index += count; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/wavpack.c ^ |
| @@ -1173,6 +1173,15 @@ return samplecount * bpp; } +static void wavpack_decode_flush(AVCodecContext *avctx) +{ + WavpackContext *s = avctx->priv_data; + int i; + + for (i = 0; i < s->fdec_num; i++) + wv_reset_saved_context(s->fdec[i]); +} + static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) @@ -1205,11 +1214,14 @@ if(frame_size < 0 || frame_size > buf_size){ av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d vs. %d bytes left)\n", s->block, frame_size, buf_size); + wavpack_decode_flush(avctx); return -1; } if((samplecount = wavpack_decode_block(avctx, s->block, data, - data_size, buf, frame_size)) < 0) + data_size, buf, frame_size)) < 0) { + wavpack_decode_flush(avctx); return -1; + } s->block++; buf += frame_size; buf_size -= frame_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/wmaprodec.c ^ |
| @@ -309,10 +309,6 @@ s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); - /** init previous block len */ - for (i = 0; i < avctx->channels; i++) - s->channel[i].prev_block_len = s->samples_per_frame; - /** subframe info */ log2_max_num_subframes = ((s->decode_flags & 0x38) >> 3); s->max_num_subframes = 1 << log2_max_num_subframes; @@ -332,6 +328,18 @@ s->num_channels = avctx->channels; + if (s->num_channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); + return AVERROR_INVALIDDATA; + } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR_PATCHWELCOME; + } + + /** init previous block len */ + for (i = 0; i < s->num_channels; i++) + s->channel[i].prev_block_len = s->samples_per_frame; + /** extract lfe channel position */ s->lfe_channel = -1; @@ -343,14 +351,6 @@ } } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { - av_log_ask_for_sample(avctx, "unsupported number of channels\n"); - return AVERROR_PATCHWELCOME; - } - INIT_VLC_STATIC(&sf_vlc, SCALEVLCBITS, HUFF_SCALE_SIZE, scale_huffbits, 1, 1, scale_huffcodes, 2, 2, 616); @@ -1436,7 +1436,7 @@ init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } - buflen = (s->num_saved_bits + len + 8) >> 3; + buflen = (put_bits_count(&s->pb) + len + 8) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { av_log_ask_for_sample(s->avctx, "input buffer too small\n"); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/wmavoice.c ^ |
| @@ -401,6 +401,10 @@ s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; + if (pitch_range <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid pitch range; broken extradata?\n"); + return -1; + } s->pitch_nbits = av_ceil_log2(pitch_range); s->last_pitch_val = 40; s->last_acb_type = ACB_TYPE_NONE; @@ -422,6 +426,10 @@ s->block_conv_table[2] = (pitch_range * 44) >> 6; s->block_conv_table[3] = s->max_pitch_val - 1; s->block_delta_pitch_hrange = (pitch_range >> 3) & ~0xF; + if (s->block_delta_pitch_hrange <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid delta pitch hrange; broken extradata?\n"); + return -1; + } s->block_delta_pitch_nbits = 1 + av_ceil_log2(s->block_delta_pitch_hrange); s->block_pitch_range = s->block_conv_table[2] + s->block_conv_table[3] + 1 + @@ -1077,7 +1085,7 @@ int excl_range = s->aw_pulse_range; // always 16 or 24 uint16_t *use_mask_ptr = &use_mask[idx >> 4]; int first_sh = 16 - (idx & 15); - *use_mask_ptr++ &= 0xFFFF << first_sh; + *use_mask_ptr++ &= 0xFFFFu << first_sh; excl_range -= first_sh; if (excl_range >= 16) { *use_mask_ptr++ = 0; @@ -1880,6 +1888,8 @@ rmn_bits = rmn_bytes = get_bits_left(gb); if (rmn_bits < nbits) return; + if (nbits > pb->size_in_bits - put_bits_count(pb)) + return; rmn_bits &= 7; rmn_bytes >>= 3; if ((rmn_bits = FFMIN(rmn_bits, nbits)) > 0) put_bits(pb, rmn_bits, get_bits(gb, rmn_bits)); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/ws-snd1.c ^ |
| @@ -37,13 +37,16 @@ -9, -8, -6, -5, -4, -3, -2, -1, 0, 1, 2, 3, 4, 5, 6, 8 }; -#define CLIP8(a) if(a>127)a=127;if(a<-128)a=-128; - static av_cold int ws_snd_decode_init(AVCodecContext * avctx) { // WSSNDContext *c = avctx->priv_data; - avctx->sample_fmt = AV_SAMPLE_FMT_S16; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR(EINVAL); + } + + avctx->sample_fmt = AV_SAMPLE_FMT_U8; return 0; } @@ -56,15 +59,19 @@ // WSSNDContext *c = avctx->priv_data; int in_size, out_size; - int sample = 0; + int sample = 128; int i; - short *samples = data; + uint8_t *samples = data; if (!buf_size) return 0; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + out_size = AV_RL16(&buf[0]); - *data_size = out_size * 2; in_size = AV_RL16(&buf[2]); buf += 4; @@ -76,34 +83,54 @@ av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n"); return -1; } + if (in_size == out_size) { for (i = 0; i < out_size; i++) - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; + *data_size = out_size; return buf_size; } - while (out_size > 0) { - int code; + while (out_size > 0 && buf - avpkt->data < buf_size) { + int code, smp, size; uint8_t count; code = (*buf) >> 6; count = (*buf) & 0x3F; buf++; + + /* make sure we don't write more than out_size samples */ + switch (code) { + case 0: smp = 4; break; + case 1: smp = 2; break; + case 2: smp = (count & 0x20) ? 1 : count + 1; break; + default: smp = count + 1; break; + } + if (out_size < smp) { + out_size = 0; + break; + } + + /* make sure we don't read past the input buffer */ + size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1; + if ((buf - avpkt->data) + size > buf_size) + break; + switch(code) { case 0: /* ADPCM 2-bit */ for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_2bit[code & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 2) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 4) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 6) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 4; } break; @@ -111,11 +138,11 @@ for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_4bit[code & 0xF]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_4bit[code >> 4]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 2; } break; @@ -125,24 +152,27 @@ t = count; t <<= 3; sample += t >> 3; - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size--; } else { /* copy */ for (count++; count > 0; count--) { - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; out_size--; } - sample = buf[-1] - 0x80; + sample = buf[-1]; } break; default: /* run */ for(count++; count > 0; count--) { - *samples++ = sample << 8; + *samples++ = sample; out_size--; } } } + *data_size = samples - (uint8_t *)data; + return buf_size; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/x86/fft_3dn2.c ^ |
| @@ -23,7 +23,7 @@ #include "libavcodec/dsputil.h" #include "fft.h" -DECLARE_ALIGNED(8, static const int, m1m1)[2] = { 1<<31, 1<<31 }; +DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 }; #ifdef EMULATE_3DNOWEXT #define PSWAPD(s,d)\ @@ -70,7 +70,7 @@ in1 = input; in2 = input + n2 - 1; #ifdef EMULATE_3DNOWEXT - __asm__ volatile("movd %0, %%mm7" ::"r"(1<<31)); + __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31)); #endif for(k = 0; k < n4; k++) { // FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/x86/fft_sse.c ^ |
| @@ -24,8 +24,8 @@ #include "fft.h" #include "config.h" -DECLARE_ASM_CONST(16, int, ff_m1m1m1m1)[4] = - { 1 << 31, 1 << 31, 1 << 31, 1 << 31 }; +DECLARE_ASM_CONST(16, unsigned int, ff_m1m1m1m1)[4] = + { 1U << 31, 1U << 31, 1U << 31, 1U << 31 }; void ff_fft_dispatch_sse(FFTComplex *z, int nbits); void ff_fft_dispatch_interleave_sse(FFTComplex *z, int nbits); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/xan.c ^ |
| @@ -114,7 +114,10 @@ init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { - val = src[val - 0x17 + get_bits1(&gb) * byte]; + unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + if (idx >= 2 * byte) + return -1; + val = src[idx]; if ( val < 0x16 ) { if (dest >= dest_end) @@ -132,13 +135,16 @@ * * @param dest destination buffer of dest_len, must be padded with at least 130 bytes */ -static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_len) +static void xan_unpack(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char opcode; int size; + unsigned char *dest_org = dest; unsigned char *dest_end = dest + dest_len; + const unsigned char *src_end = src + src_len; - while (dest < dest_end) { + while (dest < dest_end && src < src_end) { opcode = *src++; if (opcode < 0xe0) { @@ -163,9 +169,11 @@ back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1; size2 = ((opcode & 0x0c) << 6) + *src++ + 5; - if (size + size2 > dest_end - dest) - return; } + if (dest_end - dest < size + size2 || + dest + size - dest_org < back || + src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; av_memcpy_backptr(dest, back, size2); dest += size2; @@ -173,6 +181,8 @@ int finish = opcode >= 0xfc; size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4; + if (dest_end - dest < size || src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; if (finish) return; @@ -220,15 +230,23 @@ int width = s->avctx->width; unsigned char *palette_plane, *prev_palette_plane; + if ( y + motion_y < 0 || y + motion_y >= s->avctx->height || + x + motion_x < 0 || x + motion_x >= s->avctx->width) + return; + palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; + if (!prev_palette_plane) + prev_palette_plane = palette_plane; stride = s->current_frame.linesize[0]; line_inc = stride - width; curframe_index = y * stride + x; curframe_x = x; prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - while(pixel_count && (curframe_index < s->frame_size)) { + while(pixel_count && + curframe_index < s->frame_size && + prevframe_index < s->frame_size) { int count = FFMIN3(pixel_count, width - curframe_x, width - prevframe_x); memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count); @@ -262,6 +280,7 @@ int x, y; unsigned char *opcode_buffer = s->buffer1; + unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; int opcode_buffer_size = s->buffer1_size; const unsigned char *imagedata_buffer = s->buffer2; @@ -270,7 +289,7 @@ const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; - int huffman_offset, size_offset, vector_offset, imagedata_offset; + int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; if (s->size < 8) return AVERROR_INVALIDDATA; @@ -295,14 +314,18 @@ huffman_segment, s->size - huffman_offset) < 0) return AVERROR_INVALIDDATA; - if (imagedata_segment[0] == 2) - xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); - else + if (imagedata_segment[0] == 2) { + xan_unpack(s->buffer2, s->buffer2_size, + &imagedata_segment[1], s->size - imagedata_offset - 1); + imagedata_size = s->buffer2_size; + } else { + imagedata_size = s->size - imagedata_offset - 1; imagedata_buffer = &imagedata_segment[1]; + } /* use the decoded data segments to build the frame */ x = y = 0; - while (total_pixels) { + while (total_pixels && opcode_buffer < opcode_buffer_end) { opcode = *opcode_buffer++; size = 0; @@ -351,6 +374,8 @@ size_segment += 3; break; } + if (size > total_pixels) + break; if (opcode < 12) { flag ^= 1; @@ -359,8 +384,11 @@ xan_wc3_copy_pixel_run(s, x, y, size, 0, 0); } else { /* output a run of pixels from imagedata_buffer */ + if (imagedata_size < size) + break; xan_wc3_output_pixel_run(s, imagedata_buffer, x, y, size); imagedata_buffer += size; + imagedata_size -= size; } } else { /* run-based motion compensation from last frame */ @@ -527,6 +555,9 @@ } buf_size = buf_end - buf; } + if (s->palettes_count <= 0) + return AVERROR_INVALIDDATA; + if ((ret = avctx->get_buffer(avctx, &s->current_frame))) { av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavcodec/xxan.c ^ |
| @@ -129,7 +129,9 @@ if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end) + if (src + size > src_end || + dest + size + size2 > dest_end || + dest + size - orig_dest < back ) return -1; bytestream_get_buffer(&src, dest, size); dest += size; @@ -194,6 +196,8 @@ if (mode) { for (j = 0; j < avctx->height >> 1; j++) { for (i = 0; i < avctx->width >> 1; i++) { + if (src_end - src < 1) + return 0; val = *src++; if (val) { val = AV_RL16(table + (val << 1)); @@ -202,8 +206,6 @@ U[i] = uval | (uval >> 5); V[i] = vval | (vval >> 5); } - if (src == src_end) - return 0; } U += s->pic.linesize[1]; V += s->pic.linesize[2]; @@ -214,6 +216,8 @@ for (j = 0; j < avctx->height >> 2; j++) { for (i = 0; i < avctx->width >> 1; i += 2) { + if (src_end - src < 1) + return 0; val = *src++; if (val) { val = AV_RL16(table + (val << 1)); @@ -302,6 +306,9 @@ corr_end - corr_off); if (dec_size < 0) dec_size = 0; + else + dec_size = FFMIN(dec_size, s->buffer_size/2 - 1); + for (i = 0; i < dec_size; i++) s->y_buffer[i*2+1] = (s->y_buffer[i*2+1] + (s->scratch_buffer[i] << 1)) & 0x3F; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavfilter/vf_scale.c ^ |
| @@ -229,7 +229,7 @@ scale->isws[1] = sws_getContext(inlink ->w, inlink ->h/2, inlink ->format, outlink->w, outlink->h/2, outlink->format, scale->flags, NULL, NULL, NULL); - if (!scale->sws) + if (!scale->sws || !scale->isws[0] || !scale->isws[1]) return AVERROR(EINVAL); if (inlink->sample_aspect_ratio.num){ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavfilter/vf_unsharp.c ^ |
| @@ -70,6 +70,7 @@ int32_t res; int x, y, z; + const uint8_t *src2; if (!fp->amount) { if (dst_stride == src_stride) @@ -84,9 +85,12 @@ memset(sc[y], 0, sizeof(sc[y][0]) * (width + 2 * fp->steps_x)); for (y = -fp->steps_y; y < height + fp->steps_y; y++) { + if (y < height) + src2 = src; + memset(sr, 0, sizeof(sr[0]) * (2 * fp->steps_x - 1)); for (x = -fp->steps_x; x < width + fp->steps_x; x++) { - tmp1 = x <= 0 ? src[0] : x >= width ? src[width-1] : src[x]; + tmp1 = x <= 0 ? src2[0] : x >= width ? src2[width-1] : src2[x]; for (z = 0; z < fp->steps_x * 2; z += 2) { tmp2 = sr[z + 0] + tmp1; sr[z + 0] = tmp1; tmp1 = sr[z + 1] + tmp2; sr[z + 1] = tmp2; @@ -125,8 +129,8 @@ static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque) { UnsharpContext *unsharp = ctx->priv; - int lmsize_x = 5, cmsize_x = 0; - int lmsize_y = 5, cmsize_y = 0; + int lmsize_x = 5, cmsize_x = 5; + int lmsize_y = 5, cmsize_y = 5; double lamount = 1.0f, camount = 0.0f; if (args) | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/4xm.c ^ |
| @@ -172,13 +172,16 @@ goto fail; } if (current_track + 1 > fourxm->track_count) { - fourxm->track_count = current_track + 1; - fourxm->tracks = av_realloc(fourxm->tracks, - fourxm->track_count * sizeof(AudioTrack)); + fourxm->tracks = av_realloc_f(fourxm->tracks, + sizeof(AudioTrack), + current_track + 1); if (!fourxm->tracks) { ret= AVERROR(ENOMEM); goto fail; } + memset(&fourxm->tracks[fourxm->track_count], 0, + sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count)); + fourxm->track_count = current_track + 1; } fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/anm.c ^ |
| @@ -134,18 +134,17 @@ /* color cycling and palette data */ st->codec->extradata_size = 16*8 + 4*256; st->codec->extradata = av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); - if (!st->codec->extradata) { - ret = AVERROR(ENOMEM); - goto close_and_return; - } + if (!st->codec->extradata) + return AVERROR(ENOMEM); + ret = avio_read(pb, st->codec->extradata, st->codec->extradata_size); if (ret < 0) - goto close_and_return; + return ret; /* read page table */ ret = avio_seek(pb, anm->page_table_offset, SEEK_SET); if (ret < 0) - goto close_and_return; + return ret; for (i = 0; i < MAX_PAGES; i++) { Page *p = &anm->pt[i]; @@ -156,21 +155,15 @@ /* find page of first frame */ anm->page = find_record(anm, 0); - if (anm->page < 0) { - ret = anm->page; - goto close_and_return; - } + if (anm->page < 0) + return anm->page; anm->record = -1; return 0; invalid: av_log_ask_for_sample(s, NULL); - ret = AVERROR_INVALIDDATA; - -close_and_return: - av_close_input_stream(s); - return ret; + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/asfdec.c ^ |
| @@ -808,6 +808,10 @@ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0); DO_2BITS(asf->packet_property, asf->packet_replic_size, 0); //printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size); + if (rsize+asf->packet_replic_size > asf->packet_size_left) { + av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size); + return -1; + } if (asf->packet_replic_size >= 8) { asf->packet_obj_size = avio_rl32(pb); if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){ @@ -842,10 +846,6 @@ av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size); return -1; } - if (rsize > asf->packet_size_left) { - av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); - return -1; - } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal if (rsize > asf->packet_size_left) { | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/avidec.c ^ |
| @@ -639,7 +639,7 @@ if(st->codec->codec_tag==0 && st->codec->height > 0 && st->codec->extradata_size < 1U<<30){ st->codec->extradata_size+= 9; - st->codec->extradata= av_realloc(st->codec->extradata, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); + st->codec->extradata= av_realloc_f(st->codec->extradata, 1, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); if(st->codec->extradata) memcpy(st->codec->extradata + st->codec->extradata_size - 9, "BottomUp", 9); } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/avienc.c ^ |
| @@ -523,6 +523,11 @@ while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count){ AVPacket empty_packet; + if(pkt->dts - avist->packet_count > 60000){ + av_log(s, AV_LOG_ERROR, "Too large number of skiped frames %Ld\n", pkt->dts - avist->packet_count); + return AVERROR(EINVAL); + } + av_init_packet(&empty_packet); empty_packet.size= 0; empty_packet.data= NULL; @@ -558,7 +563,7 @@ int cl = idx->entry / AVI_INDEX_CLUSTER_SIZE; int id = idx->entry % AVI_INDEX_CLUSTER_SIZE; if (idx->ents_allocated <= idx->entry) { - idx->cluster = av_realloc(idx->cluster, (cl+1)*sizeof(void*)); + idx->cluster = av_realloc_f(idx->cluster, sizeof(void*), cl+1); if (!idx->cluster) return -1; idx->cluster[cl] = av_malloc(AVI_INDEX_CLUSTER_SIZE*sizeof(AVIIentry)); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/aviobuf.c ^ |
| @@ -778,13 +778,14 @@ { int i; + if (buflen <= 0) + return AVERROR(EINVAL); // reserve 1 byte for terminating 0 buflen = FFMIN(buflen - 1, maxlen); for (i = 0; i < buflen; i++) if (!(buf[i] = avio_r8(s))) return i + 1; - if (buflen) - buf[i] = 0; + buf[i] = 0; for (; i < maxlen; i++) if (!avio_r8(s)) return i + 1; @@ -796,6 +797,8 @@ {\ char* q = buf;\ int ret = 0;\ + if (buflen <= 0) \ + return AVERROR(EINVAL); \ while (ret + 1 < maxlen) {\ uint8_t tmp;\ uint32_t ch;\ @@ -921,7 +924,7 @@ alloc_size = FFMAX(s->buffer_size, new_size); if (alloc_size > buf_size) - if (!(buf = av_realloc(buf, alloc_size))) + if (!(buf = av_realloc_f(buf, 1, alloc_size))) return AVERROR(ENOMEM); if (new_size > buf_size) { @@ -1090,7 +1093,7 @@ } if (new_allocated_size > d->allocated_size) { - d->buffer = av_realloc(d->buffer, new_allocated_size); + d->buffer = av_realloc_f(d->buffer, 1, new_allocated_size); if(d->buffer == NULL) return AVERROR(ENOMEM); d->allocated_size = new_allocated_size; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/avs.c ^ |
| @@ -163,10 +163,14 @@ sub_type = avio_r8(s->pb); type = avio_r8(s->pb); size = avio_rl16(s->pb); + if (size < 4) + return AVERROR_INVALIDDATA; avs->remaining_frame_size -= size; switch (type) { case AVS_PALETTE: + if (size - 4 > sizeof(palette)) + return AVERROR_INVALIDDATA; ret = avio_read(s->pb, palette, size - 4); if (ret < size - 4) return AVERROR(EIO); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/gxfenc.c ^ |
| @@ -340,8 +340,9 @@ if (!rewrite) { if (!(gxf->map_offsets_nb % 30)) { - gxf->map_offsets = av_realloc(gxf->map_offsets, - (gxf->map_offsets_nb+30)*sizeof(*gxf->map_offsets)); + gxf->map_offsets = av_realloc_f(gxf->map_offsets, + sizeof(*gxf->map_offsets), + gxf->map_offsets_nb+30); if (!gxf->map_offsets) { av_log(s, AV_LOG_ERROR, "could not realloc map offsets\n"); return -1; @@ -876,8 +877,9 @@ if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) { if (!(gxf->flt_entries_nb % 500)) { - gxf->flt_entries = av_realloc(gxf->flt_entries, - (gxf->flt_entries_nb+500)*sizeof(*gxf->flt_entries)); + gxf->flt_entries = av_realloc_f(gxf->flt_entries, + sizeof(*gxf->flt_entries), + gxf->flt_entries_nb+500); if (!gxf->flt_entries) { av_log(s, AV_LOG_ERROR, "could not reallocate flt entries\n"); return -1; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/matroskadec.c ^ |
| @@ -964,6 +964,7 @@ uint8_t* data = *buf; int isize = *buf_size; uint8_t* pkt_data = NULL; + uint8_t* newpktdata; int pkt_size = isize; int result = 0; int olen; @@ -993,7 +994,12 @@ zstream.avail_in = isize; do { pkt_size *= 3; - pkt_data = av_realloc(pkt_data, pkt_size); + newpktdata = av_realloc(pkt_data, pkt_size); + if (!newpktdata) { + inflateEnd(&zstream); + goto failed; + } + pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; if (pkt_data) { @@ -1017,7 +1023,12 @@ bzstream.avail_in = isize; do { pkt_size *= 3; - pkt_data = av_realloc(pkt_data, pkt_size); + newpktdata = av_realloc(pkt_data, pkt_size); + if (!newpktdata) { + BZ2_bzDecompressEnd(&bzstream); + goto failed; + } + pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; if (pkt_data) { @@ -1800,7 +1811,7 @@ lace_size[n] = lace_size[n - 1] + snum; total += lace_size[n]; } - lace_size[n] = size - total; + lace_size[laces - 1] = size - total; break; } } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/matroskaenc.c ^ |
| @@ -1209,7 +1209,6 @@ mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS, - .codec_tag = (const AVCodecTag* const []){ff_codec_bmp_tags, ff_codec_wav_tags, 0}, .subtitle_codec = CODEC_ID_TEXT, }; #endif @@ -1243,6 +1242,5 @@ mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER, - .codec_tag = (const AVCodecTag* const []){ff_codec_wav_tags, 0}, }; #endif | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/mov.c ^ |
| @@ -755,7 +755,8 @@ } /* FIXME modify qdm2/svq3/h264 decoders to take full atom as extradata */ -static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) +static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom, + enum CodecID codec_id) { AVStream *st; uint64_t size; @@ -764,6 +765,10 @@ if (c->fc->nb_streams < 1) // will happen with jp2 files return 0; st= c->fc->streams[c->fc->nb_streams-1]; + + if (st->codec->codec_id != codec_id) + return 0; /* unexpected codec_id - don't mess with extradata */ + size= (uint64_t)st->codec->extradata_size + atom.size + 8 + FF_INPUT_BUFFER_PADDING_SIZE; if(size > INT_MAX || (uint64_t)atom.size > INT_MAX) return -1; @@ -779,6 +784,27 @@ return 0; } +/* wrapper functions for reading ALAC/AVS/MJPEG/MJPEG2000 extradata atoms only for those codecs */ +static int mov_read_alac(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_ALAC); +} + +static int mov_read_avss(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_AVS); +} + +static int mov_read_fiel(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_MJPEG); +} + +static int mov_read_jp2h(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_JPEG2000); +} + static int mov_read_wave(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; @@ -2228,7 +2254,7 @@ } static const MOVParseTableEntry mov_default_parse_table[] = { -{ MKTAG('a','v','s','s'), mov_read_extradata }, +{ MKTAG('a','v','s','s'), mov_read_avss }, { MKTAG('c','h','p','l'), mov_read_chpl }, { MKTAG('c','o','6','4'), mov_read_stco }, { MKTAG('c','t','t','s'), mov_read_ctts }, /* composition time to sample */ @@ -2237,12 +2263,12 @@ { MKTAG('e','d','t','s'), mov_read_default }, { MKTAG('e','l','s','t'), mov_read_elst }, { MKTAG('e','n','d','a'), mov_read_enda }, -{ MKTAG('f','i','e','l'), mov_read_extradata }, +{ MKTAG('f','i','e','l'), mov_read_fiel }, { MKTAG('f','t','y','p'), mov_read_ftyp }, { MKTAG('g','l','b','l'), mov_read_glbl }, { MKTAG('h','d','l','r'), mov_read_hdlr }, { MKTAG('i','l','s','t'), mov_read_ilst }, -{ MKTAG('j','p','2','h'), mov_read_extradata }, +{ MKTAG('j','p','2','h'), mov_read_jp2h }, { MKTAG('m','d','a','t'), mov_read_mdat }, { MKTAG('m','d','h','d'), mov_read_mdhd }, { MKTAG('m','d','i','a'), mov_read_default }, @@ -2253,7 +2279,7 @@ { MKTAG('m','v','e','x'), mov_read_default }, { MKTAG('m','v','h','d'), mov_read_mvhd }, { MKTAG('S','M','I',' '), mov_read_smi }, /* Sorenson extension ??? */ -{ MKTAG('a','l','a','c'), mov_read_extradata }, /* alac specific atom */ +{ MKTAG('a','l','a','c'), mov_read_alac }, /* alac specific atom */ { MKTAG('a','v','c','C'), mov_read_glbl }, { MKTAG('p','a','s','p'), mov_read_pasp }, { MKTAG('s','t','b','l'), mov_read_default }, @@ -2376,14 +2402,21 @@ // The samples could theoretically be in any encoding if there's an encd // atom following, but in practice are only utf-8 or utf-16, distinguished // instead by the presence of a BOM - ch = avio_rb16(sc->pb); - if (ch == 0xfeff) - avio_get_str16be(sc->pb, len, title, title_len); - else if (ch == 0xfffe) - avio_get_str16le(sc->pb, len, title, title_len); - else { - AV_WB16(title, ch); - get_strz(sc->pb, title + 2, len - 1); + if (!len) { + title[0] = 0; + } else { + ch = avio_rb16(sc->pb); + if (ch == 0xfeff) + avio_get_str16be(sc->pb, len, title, title_len); + else if (ch == 0xfffe) + avio_get_str16le(sc->pb, len, title, title_len); + else { + AV_WB16(title, ch); + if (len == 1 || len == 2) + title[len] = 0; + else + get_strz(sc->pb, title + 2, len - 1); + } } ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/movenc.c ^ |
| @@ -1223,7 +1223,8 @@ avio_wb32(pb, 0); /* reserved */ avio_wb32(pb, 0); /* reserved */ - avio_wb32(pb, 0x0); /* reserved (Layer & Alternate group) */ + avio_wb16(pb, 0); /* layer */ + avio_wb16(pb, st ? st->codec->codec_type : 0); /* alternate group) */ /* Volume, only for audio */ if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO) avio_wb16(pb, 0x0100); @@ -2058,7 +2059,7 @@ } if (!(trk->entry % MOV_INDEX_CLUSTER_SIZE)) { - trk->cluster = av_realloc(trk->cluster, (trk->entry + MOV_INDEX_CLUSTER_SIZE) * sizeof(*trk->cluster)); + trk->cluster = av_realloc_f(trk->cluster, sizeof(*trk->cluster), (trk->entry + MOV_INDEX_CLUSTER_SIZE)); if (!trk->cluster) return -1; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/mp3enc.c ^ |
| @@ -51,11 +51,12 @@ buf[0] = 'T'; buf[1] = 'A'; buf[2] = 'G'; - count += id3v1_set_string(s, "TIT2", buf + 3, 30); //title - count += id3v1_set_string(s, "TPE1", buf + 33, 30); //author|artist - count += id3v1_set_string(s, "TALB", buf + 63, 30); //album - count += id3v1_set_string(s, "TDRL", buf + 93, 4); //date - count += id3v1_set_string(s, "comment", buf + 97, 30); + /* we knowingly overspecify each tag length by one byte to compensate for the mandatory null byte added by av_strlcpy */ + count += id3v1_set_string(s, "TIT2", buf + 3, 30 + 1); //title + count += id3v1_set_string(s, "TPE1", buf + 33, 30 + 1); //author|artist + count += id3v1_set_string(s, "TALB", buf + 63, 30 + 1); //album + count += id3v1_set_string(s, "TDRL", buf + 93, 4 + 1); //date + count += id3v1_set_string(s, "comment", buf + 97, 30 + 1); if ((tag = av_dict_get(s->metadata, "TRCK", NULL, 0))) { //track buf[125] = 0; buf[126] = atoi(tag->value); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/mpc8.c ^ |
| @@ -264,7 +264,7 @@ return AVERROR(EIO); mpc8_handle_chunk(s, tag, pos, size); } - return 0; + return AVERROR_EOF; } static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/mpegts.c ^ |
| @@ -1083,7 +1083,7 @@ // stop parsing after pmt, we found header if (!ts->stream->nb_streams) - ts->stop_parse = 1; + ts->stop_parse = 2; for(;;) { st = 0; @@ -1403,11 +1403,15 @@ ts->stop_parse = 0; packet_num = 0; for(;;) { - if (ts->stop_parse>0) - break; packet_num++; - if (nb_packets != 0 && packet_num >= nb_packets) + if (nb_packets != 0 && packet_num >= nb_packets || + ts->stop_parse > 1) { + ret = AVERROR(EAGAIN); + break; + } + if (ts->stop_parse > 0) break; + ret = read_packet(s, packet, ts->raw_packet_size); if (ret != 0) return ret; @@ -1858,10 +1862,8 @@ len1 = len; ts->pkt = pkt; - ts->stop_parse = 0; for(;;) { - if (ts->stop_parse>0) - break; + ts->stop_parse = 0; if (len < TS_PACKET_SIZE) return -1; if (buf[0] != 0x47) { @@ -1871,6 +1873,8 @@ handle_packet(ts, buf); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; + if (ts->stop_parse == 1) + break; } } return len1 - len; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/mpegtsenc.c ^ |
| @@ -84,7 +84,7 @@ { "mpegts_service_id", "Set service_id field.", offsetof(MpegTSWrite, service_id), FF_OPT_TYPE_INT, {.dbl = 0x0001 }, 0x0001, 0xffff, AV_OPT_FLAG_ENCODING_PARAM}, { "mpegts_pmt_start_pid", "Set the first pid of the PMT.", - offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x1000, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM}, + offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x0010, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM}, { "mpegts_start_pid", "Set the first pid.", offsetof(MpegTSWrite, start_pid), FF_OPT_TYPE_INT, {.dbl = 0x0100 }, 0x0100, 0x0f00, AV_OPT_FLAG_ENCODING_PARAM}, { NULL }, | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/mxfdec.c ^ |
| @@ -223,12 +223,13 @@ if (length > 61444) /* worst case PAL 1920 samples 8 channels */ return -1; - av_new_packet(pkt, length); - avio_read(pb, pkt->data, length); + length = av_get_packet(pb, pkt, length); + if (length < 0) + return length; data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ - for (; buf_ptr < end_ptr; ) { + for (; buf_ptr + st->codec->channels*4 < end_ptr; ) { for (i = 0; i < st->codec->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); if (st->codec->bits_per_coded_sample == 24) @@ -238,7 +239,7 @@ } buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M } - pkt->size = data_ptr - pkt->data; + av_shrink_packet(pkt, data_ptr - pkt->data); return 0; } @@ -290,12 +291,16 @@ if (memcmp(tmpbuf, checkv, 16)) av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n"); size -= 32; - av_get_packet(pb, pkt, size); + size = av_get_packet(pb, pkt, size); + if (size < 0) + return size; + else if (size < plaintext_size) + return AVERROR_INVALIDDATA; size -= plaintext_size; if (mxf->aesc) av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size], &pkt->data[plaintext_size], size >> 4, ivec, 1); - pkt->size = orig_size; + av_shrink_packet(pkt, orig_size); pkt->stream_index = index; avio_skip(pb, end - avio_tell(pb)); return 0; @@ -332,8 +337,11 @@ av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n"); return -1; } - } else - av_get_packet(s->pb, pkt, klv.length); + } else { + int ret = av_get_packet(s->pb, pkt, klv.length); + if (ret < 0) + return ret; + } pkt->stream_index = index; pkt->pos = klv.offset; return 0; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/psxstr.c ^ |
| @@ -68,6 +68,8 @@ static int str_probe(AVProbeData *p) { uint8_t *sector= p->buf; + uint8_t *end= sector + p->buf_size; + int aud=0, vid=0; if (p->buf_size < RAW_CD_SECTOR_SIZE) return 0; @@ -79,20 +81,52 @@ sector += RIFF_HEADER_SIZE; } - /* look for CD sync header (00, 0xFF x 10, 00) */ - if (memcmp(sector,sync_header,sizeof(sync_header))) - return 0; - - if(sector[0x11] >= 32) - return 0; - if( (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_VIDEO - && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_AUDIO - && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_DATA) - return 0; - + while (end - sector >= RAW_CD_SECTOR_SIZE) { + /* look for CD sync header (00, 0xFF x 10, 00) */ + if (memcmp(sector,sync_header,sizeof(sync_header))) + return 0; + + if (sector[0x11] >= 32) + return 0; + + switch (sector[0x12] & CDXA_TYPE_MASK) { + case CDXA_TYPE_DATA: + case CDXA_TYPE_VIDEO: { + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); + + if(!( frame_size>=0 + && current_sector < sector_count + && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ + return 0; + } + + /*st->codec->width = AV_RL16(§or[0x28]); + st->codec->height = AV_RL16(§or[0x2A]);*/ + +// if (current_sector == sector_count-1) { + vid++; +// } + + } + break; + case CDXA_TYPE_AUDIO: + if(sector[0x13]&0x2A) + return 0; + aud++; + break; + default: + if(sector[0x12] & CDXA_TYPE_MASK) + return 0; + } + sector += RAW_CD_SECTOR_SIZE; + } /* MPEG files (like those ripped from VCDs) can also look like this; * only return half certainty */ - return 50; + if(vid+aud > 3) return 50; + else if(vid+aud) return 1; + else return 0; } static int str_read_header(AVFormatContext *s, | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/riff.c ^ |
| @@ -287,6 +287,7 @@ { CODEC_ID_ADPCM_YAMAHA, 0x0020 }, { CODEC_ID_TRUESPEECH, 0x0022 }, { CODEC_ID_GSM_MS, 0x0031 }, + { CODEC_ID_AMR_NB, 0x0038 }, /* rogue format number */ { CODEC_ID_ADPCM_G726, 0x0045 }, { CODEC_ID_MP2, 0x0050 }, { CODEC_ID_MP3, 0x0055 }, | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/rtpdec.c ^ |
| @@ -111,14 +111,15 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len) { int payload_len; - while (len >= 2) { + while (len >= 4) { + payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4); + switch (buf[1]) { case RTCP_SR: - if (len < 16) { + if (payload_len < 20) { av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n"); return AVERROR_INVALIDDATA; } - payload_len = (AV_RB16(buf + 2) + 1) * 4; s->last_rtcp_ntp_time = AV_RB64(buf + 8); s->last_rtcp_timestamp = AV_RB32(buf + 16); @@ -129,14 +130,13 @@ s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp; } - buf += payload_len; - len -= payload_len; break; case RTCP_BYE: return -RTCP_BYE; - default: - return -1; } + + buf += payload_len; + len -= payload_len; } return -1; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/tta.c ^ |
| @@ -107,6 +107,10 @@ return -1; } st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE); + if (!st->codec->extradata) { + st->codec->extradata_size = 0; + return AVERROR(ENOMEM); + } avio_seek(s->pb, start_offset, SEEK_SET); avio_read(s->pb, st->codec->extradata, st->codec->extradata_size); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/utils.c ^ |
| @@ -2396,9 +2396,9 @@ } { int64_t last = st->info->last_dts; - int64_t duration= pkt->dts - last; - if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){ + if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){ + int64_t duration= pkt->dts - last; double dur= duration * av_q2d(st->time_base); // if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO) @@ -2659,13 +2659,13 @@ av_free_packet(&st->cur_pkt); } av_dict_free(&st->metadata); - av_free(st->index_entries); - av_free(st->codec->extradata); - av_free(st->codec->subtitle_header); - av_free(st->codec); - av_free(st->priv_data); - av_free(st->info); - av_free(st); + av_freep(&st->index_entries); + av_freep(&st->codec->extradata); + av_freep(&st->codec->subtitle_header); + av_freep(&st->codec); + av_freep(&st->priv_data); + av_freep(&st->info); + av_freep(&st); } for(i=s->nb_programs-1; i>=0; i--) { av_dict_free(&s->programs[i]->metadata); @@ -2676,7 +2676,7 @@ av_freep(&s->priv_data); while(s->nb_chapters--) { av_dict_free(&s->chapters[s->nb_chapters]->metadata); - av_free(s->chapters[s->nb_chapters]); + av_freep(&s->chapters[s->nb_chapters]); } av_freep(&s->chapters); av_dict_free(&s->metadata); @@ -2958,7 +2958,9 @@ ret = AVERROR(EINVAL); goto fail; } - if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)){ + if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.004*av_q2d(st->sample_aspect_ratio) + ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); goto fail; @@ -3435,7 +3437,7 @@ int is_output) { int i; - uint8_t *printed = av_mallocz(ic->nb_streams); + uint8_t *printed = ic->nb_streams ? av_mallocz(ic->nb_streams) : NULL; if (ic->nb_streams && !printed) return; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavformat/westwood.c ^ |
| @@ -277,10 +277,8 @@ /* there are 0 or more chunks before the FINF chunk; iterate until * FINF has been skipped and the file will be ready to be demuxed */ do { - if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) { - av_free(st->codec->extradata); + if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) return AVERROR(EIO); - } chunk_tag = AV_RB32(&scratch[0]); chunk_size = AV_RB32(&scratch[4]); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavutil/arm/intmath.h ^ |
| @@ -104,7 +104,7 @@ "mvnne %1, #1<<31 \n\t" "moveq %0, %Q2 \n\t" "eorne %0, %1, %R2, asr #31 \n\t" - : "=r"(x), "=&r"(y) : "r"(a)); + : "=r"(x), "=&r"(y) : "r"(a):"cc"); return x; } | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavutil/crc.c ^ |
| @@ -57,7 +57,7 @@ * @return <0 on failure */ int av_crc_init(AVCRC *ctx, int le, int bits, uint32_t poly, int ctx_size){ - int i, j; + unsigned i, j; uint32_t c; if (bits < 8 || bits > 32 || poly >= (1LL<<bits)) | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavutil/mem.c ^ |
| @@ -137,12 +137,29 @@ //FIXME this isn't aligned correctly, though it probably isn't needed if(!ptr) return av_malloc(size); diff= ((char*)ptr)[-1]; - return (char*)realloc((char*)ptr - diff, size + diff) + diff; + ptr= realloc((char*)ptr - diff, size + diff); + if(ptr) ptr = (char*)ptr + diff; + return ptr; #else return realloc(ptr, size + !size); #endif } +void *av_realloc_f(void *ptr, size_t nelem, size_t elsize) +{ + size_t size; + void *r; + + if (av_size_mult(elsize, nelem, &size)) { + av_free(ptr); + return NULL; + } + r = av_realloc(ptr, size); + if (!r && size) + av_free(ptr); + return r; +} + void av_free(void *ptr) { #if CONFIG_MEMALIGN_HACK @@ -168,6 +185,13 @@ return ptr; } +void *av_calloc(size_t nmemb, size_t size) +{ + if (size <= 0 || nmemb >= INT_MAX / size) + return NULL; + return av_mallocz(nmemb * size); +} + char *av_strdup(const char *s) { char *ptr= NULL; | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libavutil/mem.h ^ |
| @@ -27,6 +27,7 @@ #define AVUTIL_MEM_H #include "attributes.h" +#include "error.h" #include "avutil.h" #if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 1110 || defined(__SUNPRO_C) @@ -87,6 +88,16 @@ void *av_realloc(void *ptr, size_t size) av_alloc_size(2); /** + * Allocate or reallocate a block of memory. + * This function does the same thing as av_realloc, except: + * - It takes two arguments and checks the result of the multiplication for + * integer overflow. + * - It frees the input block in case of failure, thus avoiding the memory + * leak with the classic "buf = realloc(buf); if (!buf) return -1;". + */ +void *av_realloc_f(void *ptr, size_t nelem, size_t elsize); + +/** * Free a memory block which has been allocated with av_malloc(z)() or * av_realloc(). * @param ptr Pointer to the memory block which should be freed. @@ -107,6 +118,18 @@ void *av_mallocz(size_t size) av_malloc_attrib av_alloc_size(1); /** + * Allocate a block of nmemb * size bytes with alignment suitable for all + * memory accesses (including vectors if available on the CPU) and + * zero all the bytes of the block. + * The allocation will fail if nmemb * size is greater than or equal + * to INT_MAX. + * @param nmemb + * @param size + * @return Pointer to the allocated block, NULL if it cannot be allocated. + */ +void *av_calloc(size_t nmemb, size_t size) av_malloc_attrib; + +/** * Duplicate the string s. * @param s string to be duplicated * @return Pointer to a newly allocated string containing a @@ -132,4 +155,19 @@ */ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem); +/** + * Multiply two size_t values checking for overflow. + * @return 0 if success, AVERROR(EINVAL) if overflow. + */ +static inline int av_size_mult(size_t a, size_t b, size_t *r) +{ + size_t t = a * b; + /* Hack inspired from glibc: only try the division if nelem and elsize + * are both greater than sqrt(SIZE_MAX). */ + if ((a | b) >= ((size_t)1 << (sizeof(size_t) * 4)) && a && t / a != b) + return AVERROR(EINVAL); + *r = t; + return 0; +} + #endif /* AVUTIL_MEM_H */ | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libswscale/Makefile ^ |
| @@ -20,6 +20,8 @@ x86/yuv2rgb_mmx.o OBJS-$(HAVE_VIS) += sparc/yuv2rgb_vis.o +$(SUBDIR)x86/swscale_mmx.o: CFLAGS += $(NOREDZONE_FLAGS) + TESTPROGS = colorspace swscale DIRS = bfin mlib ppc sparc x86 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libswscale/ppc/swscale_altivec.c ^ |
| @@ -251,7 +251,7 @@ vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v; vector signed int val_vEven, val_s; - if ((((int)src + srcPos)% 16) > 12) { + if ((((uintptr_t)src + srcPos) % 16) > 12) { src_v1 = vec_ld(srcPos + 16, src); } src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src)); @@ -290,7 +290,7 @@ vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v; vector signed int val_v, val_s; - if ((((int)src + srcPos)% 16) > 8) { + if ((((uintptr_t)src + srcPos) % 16) > 8) { src_v1 = vec_ld(srcPos + 16, src); } src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src)); @@ -376,7 +376,7 @@ //vector unsigned char src_v0 = vec_ld(srcPos + j, src); vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v1R, filter_v; - if ((((int)src + srcPos)% 16) > 8) { + if ((((uintptr_t)src + srcPos) % 16) > 8) { src_v1 = vec_ld(srcPos + j + 16, src); } src_vF = vec_perm(src_v0, src_v1, permS); | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/libswscale/x86/swscale_template.c ^ |
| @@ -2240,10 +2240,6 @@ #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif - // HACK: gcc 4.6 no longer decrements esp, - // use this to make it reserve space for the call - // return address - void *dummy; __asm__ volatile( #if defined(PIC) @@ -2295,7 +2291,6 @@ #if defined(PIC) ,"m" (ebxsave) #endif - ,"m" (dummy) : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) ,"%"REG_b @@ -2317,10 +2312,6 @@ #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif - // HACK: gcc 4.6 no longer decrements esp, - // use this to make it reserve space for the call - // return address - void *dummy; __asm__ volatile( #if defined(PIC) @@ -2360,7 +2351,6 @@ #if defined(PIC) ,"m" (ebxsave) #endif - ,"m" (dummy) : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) ,"%"REG_b | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/fate.mak ^ |
| @@ -128,7 +128,7 @@ fate-id-cin-video: CMD = framecrc -i $(SAMPLES)/idcin/idlog-2MB.cin -pix_fmt rgb24 FATE_TESTS += fate-idroq-video-dpcm fate-idroq-video-dpcm: CMD = framecrc -i $(SAMPLES)/idroq/idlogo.roq -FATE_TESTS += fate-idroq-video-encode +FATE_TESTS-$(CONFIG_AVFILTER) += fate-idroq-video-encode fate-idroq-video-encode: CMD = md5 -t 0.2 -f image2 -vcodec pgmyuv -i $(SAMPLES)/ffmpeg-synthetic/vsynth1/%02d.pgm -sws_flags +bitexact -vf pad=512:512:80:112 -f RoQ FATE_TESTS += fate-iff-byterun1 fate-iff-byterun1: CMD = framecrc -i $(SAMPLES)/iff/ASH.LBM -pix_fmt rgb24 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/lavf-regression.sh ^ |
| @@ -66,6 +66,9 @@ if [ -n "$do_mxf" ] ; then do_lavf mxf "-ar 48000 -bf 2 -timecode_frame_start 264363" +fi + +if [ -n "$do_mxf_d10" ]; then do_lavf mxf_d10 "-ar 48000 -ac 2 -r 25 -s 720x576 -vf pad=720:608:0:32 -vcodec mpeg2video -intra -flags +ildct+low_delay -dc 10 -flags2 +ivlc+non_linear_q -qscale 1 -ps 1 -qmin 1 -rc_max_vbv_use 1 -rc_min_vbv_use 1 -pix_fmt yuv422p -minrate 30000k -maxrate 30000k -b 30000k -bufsize 1200000 -top 1 -rc_init_occupancy 1200000 -qmax 12 -f mxf_d10" fi | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/ref/acodec/alac ^ |
| @@ -1,4 +1,4 @@ -c68f649777ab8e7c9a0f1f221451d3ad *./tests/data/acodec/alac.m4a +b25bcc7ec3f5c19cdfc01a6bbd32edb8 *./tests/data/acodec/alac.m4a 389386 ./tests/data/acodec/alac.m4a 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/alac.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/ref/acodec/pcm ^ |
| @@ -6,7 +6,7 @@ 529256 ./tests/data/acodec/pcm_mulaw.wav 1c3eeaa8814ebd4916780dff80ed6dc5 *./tests/data/pcm.acodec.out.wav stddev: 103.38 PSNR: 56.04 MAXDIFF: 644 bytes: 1058400/ 1058400 -b7936d7170e0efefb379349d81aed360 *./tests/data/acodec/pcm_s8.mov +760f85fb9f4e8aba326fb44ae84c9507 *./tests/data/acodec/pcm_s8.mov 530837 ./tests/data/acodec/pcm_s8.mov 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 @@ -14,7 +14,7 @@ 529244 ./tests/data/acodec/pcm_u8.wav 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 -c42b9c04305455250366c84e17c1023f *./tests/data/acodec/pcm_s16be.mov +a4e18d1ca9ef5b8132a84d43625ddc47 *./tests/data/acodec/pcm_s16be.mov 1060037 ./tests/data/acodec/pcm_s16be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 @@ -30,7 +30,7 @@ 1060638 ./tests/data/acodec/pcm_s16le.mkv 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 -07ffe7ffb78f3648b6524debdde5aec1 *./tests/data/acodec/pcm_s24be.mov +971d2d2633e41a0326fe2d04a2d0350f *./tests/data/acodec/pcm_s24be.mov 1589237 ./tests/data/acodec/pcm_s24be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 @@ -38,7 +38,7 @@ 1587668 ./tests/data/acodec/pcm_s24le.wav 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 -d7792f0343cd66fda8b50b569e2bcc48 *./tests/data/acodec/pcm_s32be.mov +fc4f4e3e195bbde037ed31021d229f12 *./tests/data/acodec/pcm_s32be.mov 2118437 ./tests/data/acodec/pcm_s32be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/ref/fate/motionpixels ^ |
| @@ -109,4 +109,4 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x538a3db8 +0, 666003, 230400, 0x009f4640 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/ref/lavf/mov ^ |
| @@ -1,3 +1,3 @@ -a901cd05609080e8f5c09ca5da7290f0 *./tests/data/lavf/lavf.mov +2e2529d01dbe42e4dd63580a351898f5 *./tests/data/lavf/lavf.mov 357681 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0x2f6a9b26 | ||
| [+] | Changed | ffmpeg-0.8.6.tar.bz2/tests/ref/lavf/mxf ^ |
| @@ -1,6 +1,3 @@ 785e38ddd2466046f30aa36399b8f8fa *./tests/data/lavf/lavf.mxf 525881 ./tests/data/lavf/lavf.mxf ./tests/data/lavf/lavf.mxf CRC=0x4ace0849 -b3174e2db508564c1cce0b5e3c1bc1bd *./tests/data/lavf/lavf.mxf_d10 -5330989 ./tests/data/lavf/lavf.mxf_d10 -./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e | ||
| [+] | Added | ffmpeg-0.8.6.tar.bz2/tests/ref/lavf/mxf_d10 ^ |
| @@ -0,0 +1,3 @@ +b3174e2db508564c1cce0b5e3c1bc1bd *./tests/data/lavf/lavf.mxf_d10 +5330989 ./tests/data/lavf/lavf.mxf_d10 +./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e | ||