Changed |
ffmpeg_oldabi.spec
Added |
baselibs.conf
@@ -0,0 +1,7 @@
+libavcodec52
+libavdevice52
+libavformat52
+libavutil50
+libavfilter1
+libpostproc51
+libswscale0
Changed |
ffmpeg-0.7.13.tar.bz2/Doxyfile
@@ -31,7 +31,7 @@
# This could be handy for archiving the generated documentation or
# if some version control system is used.
-PROJECT_NUMBER = 0.7.8
+PROJECT_NUMBER = 0.7.13
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
# base path where the generated documentation will be put.
Changed |
ffmpeg-0.7.13.tar.bz2/RELEASE
@@ -1 +1 @@
-0.7.8
+0.7.13
Changed |
ffmpeg-0.7.13.tar.bz2/VERSION
@@ -1 +1 @@
-0.7.8
+0.7.13
Changed |
ffmpeg-0.7.13.tar.bz2/doc/filters.texi
@@ -1760,9 +1760,9 @@
@table @option
@item 0
-assume bottom field first
-@item 1
assume top field first
+@item 1
+assume bottom field first
@item -1
enable automatic detection
@end table
Changed |
ffmpeg-0.7.13.tar.bz2/ffserver.c
@@ -518,6 +518,7 @@
tmp = 1;
setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &tmp, sizeof(tmp));
+ my_addr->sin_family = AF_INET;
if (bind (server_fd, (struct sockaddr *) my_addr, sizeof (*my_addr)) < 0) {
char bindmsg[32];
snprintf(bindmsg, sizeof(bindmsg), "bind(port %d)", ntohs(my_addr->sin_port));
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/4xm.c
@@ -694,10 +694,13 @@
unsigned int prestream_size;
const uint8_t *prestream;
- if (bitstream_size > (1<<26) || length < bitstream_size + 12)
- return -1;
- prestream_size = 4*AV_RL32(buf + bitstream_size + 4);
- prestream = buf + bitstream_size + 12;
+ if (length < bitstream_size + 12) {
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
if (prestream_size > (1<<26) ||
prestream_size != length - (bitstream_size + 12)){
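Review bot: Dropping the `bitstream_size > (1<<26)` bound leaves `length < bitstream_size + 12` as the only guard, and that sum can wrap if `bitstream_size` is a 32-bit unsigned value read from the packet (its declaration is outside the hunk, so this needs confirming). A wrapped sum would pass the check and let `AV_RL32(buf + bitstream_size + 4)` read outside the packet. Keeping the cap alongside the new logging, `if (bitstream_size > (1<<26) || length < bitstream_size + 12) {`, or comparing without the addition, `length < 12 || bitstream_size > length - 12`, closes that. The enclosing function starts and ends outside the hunk.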
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/8svx.c
@@ -44,7 +44,7 @@
/* buffer used to store the whole audio decoded/interleaved chunk,
* which is sent with the first packet */
uint8_t *samples;
- size_t samples_size;
+ int64_t samples_size;
int samples_idx;
} EightSvxContext;
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/aacdec.c
@@ -754,19 +754,20 @@
av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
return -1;
}
- while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+ do {
+ sect_len_incr = get_bits(gb, bits);
sect_end += sect_len_incr;
- sect_end += sect_len_incr;
- if (get_bits_left(gb) < 0) {
- av_log(ac->avctx, AV_LOG_ERROR, overread_err);
- return -1;
- }
- if (sect_end > ics->max_sfb) {
- av_log(ac->avctx, AV_LOG_ERROR,
- "Number of bands (%d) exceeds limit (%d).\n",
- sect_end, ics->max_sfb);
- return -1;
- }
+ if (get_bits_left(gb) < 0) {
+ av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+ return -1;
+ }
+ if (sect_end > ics->max_sfb) {
+ av_log(ac->avctx, AV_LOG_ERROR,
+ "Number of bands (%d) exceeds limit (%d).\n",
+ sect_end, ics->max_sfb);
+ return -1;
+ }
+ } while (sect_len_incr == (1 << bits) - 1);
for (; k < sect_end; k++) {
band_type [idx] = sect_band_type;
band_type_run_end[idx++] = sect_end;
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/aacsbr.c
@@ -1183,14 +1183,15 @@
{
int i, n;
const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
+ const int step = 128 >> div;
float *v;
for (i = 0; i < 32; i++) {
- if (*v_off == 0) {
+ if (*v_off < step) {
int saved_samples = (1280 - 128) >> div;
memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
- *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+ *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
} else {
- *v_off -= 128 >> div;
+ *v_off -= step;
}
v = v0 + *v_off;
if (div) {
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/ac3dsp.c
@@ -108,7 +108,7 @@
int snr_offset, int floor,
const uint8_t *bap_tab, uint8_t *bap)
{
- int bin, band;
+ int bin, band, band_end;
/* special case, if snr offset is -960, set all bap's to zero */
if (snr_offset == -960) {
@@ -120,12 +120,14 @@
band = ff_ac3_bin_to_band_tab[start];
do {
int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
- int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+ band_end = ff_ac3_band_start_tab[++band];
+ band_end = FFMIN(band_end, end);
+
for (; bin < band_end; bin++) {
int address = av_clip((psd[bin] - m) >> 5, 0, 63);
bap[bin] = bap_tab[address];
}
- } while (end > ff_ac3_band_start_tab[band++]);
+ } while (end > band_end);
}
static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/adpcm.c
@@ -778,9 +778,13 @@
static av_cold int adpcm_decode_init(AVCodecContext * avctx)
{
ADPCMContext *c = avctx->priv_data;
+ unsigned int min_channels = 1;
unsigned int max_channels = 2;
switch(avctx->codec->id) {
+ case CODEC_ID_ADPCM_EA:
+ min_channels = 2;
+ break;
case CODEC_ID_ADPCM_EA_R1:
case CODEC_ID_ADPCM_EA_R2:
case CODEC_ID_ADPCM_EA_R3:
@@ -788,8 +792,10 @@
max_channels = 6;
break;
}
- if(avctx->channels > max_channels){
- return -1;
+
+ if (avctx->channels < min_channels || avctx->channels > max_channels) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+ return AVERROR(EINVAL);
}
switch(avctx->codec->id) {
@@ -1360,11 +1366,17 @@
}
break;
case CODEC_ID_ADPCM_EA:
- if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
- src += buf_size;
- break;
+ /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+ each coding 28 stereo samples. */
+ if (buf_size < 12) {
+ av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+ return AVERROR(EINVAL);
}
samples_in_chunk = AV_RL32(src);
+ if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+ av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+ return AVERROR(EINVAL);
+ }
src += 4;
current_left_sample = (int16_t)bytestream_get_le16(&src);
previous_left_sample = (int16_t)bytestream_get_le16(&src);
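Review bot: The two new rejections in the `CODEC_ID_ADPCM_EA` case return `AVERROR(EINVAL)` for what is a malformed packet rather than a bad caller argument. Other decoders patched in this same update (4xm.c, binkaudio.c) return `AVERROR_INVALIDDATA` for corrupt input, and using it for both `frame too small` and `invalid frame` would let callers tell damaged streams from API misuse. The enclosing decode function starts and ends outside the hunk.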
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/alsdec.c
@@ -1010,7 +1010,7 @@
{
unsigned int count = 0;
- while (b < b_max)
+ for (; b < b_max; b++)
count += div_blocks[b];
if (count)
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/atrac3.c
@@ -395,6 +395,8 @@
for (k=0; k<coded_components; k++) {
sfIndx = get_bits(gb,6);
+ if (component_count >= 64)
+ return AVERROR_INVALIDDATA;
pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
max_coded_values = 1024 - pComponent[component_count].pos;
coded_values = coded_values_per_component + 1;
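Review bot: The new bound uses the bare literal `64`, and the size of the array behind `pComponent` is not visible in this hunk, so the two can drift apart; a named constant shared with the array declaration would keep them tied. Separately, the function now has an `AVERROR_INVALIDDATA` return path, and its callers are outside the hunk. If any caller stores the return value as a component count or tests only for `-1`, the new error would be kept as a count instead of being handled, so it is worth confirming that callers check `< 0`.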
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/avcodec.h
@@ -544,7 +544,7 @@
/**
* LPC analysis type
*/
-attribute_deprecated enum AVLPCType {
+enum AVLPCType {
AV_LPC_TYPE_DEFAULT = -1, ///< use the codec default LPC type
AV_LPC_TYPE_NONE = 0, ///< do not use LPC prediction or use all zero coefficients
AV_LPC_TYPE_FIXED = 1, ///< fixed LPC coefficients
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/bink.c
@@ -457,8 +457,8 @@
int start_bits, int has_sign)
{
int i, j, len, len2, bsize, sign, v, v2;
- int16_t *dst = (int16_t*)b->cur_dec;
- int16_t *dst_end =( int16_t*)b->data_end;
+ int16_t *dst = (int16_t*)b->cur_dec;
+ int16_t *dst_end = (int16_t*)b->data_end;
CHECK_READ_VAL(gb, b, len);
v = get_bits(gb, start_bits - has_sign);
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/binkaudio.c
@@ -85,9 +85,9 @@
frame_len_bits = 11;
}
- if (avctx->channels > MAX_CHANNELS) {
- av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
- return -1;
+ if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+ return AVERROR_INVALIDDATA;
}
if (avctx->extradata && avctx->extradata_size > 0)
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@
av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
return AVERROR(EINVAL);
}
+ if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+ av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+ return AVERROR(EINVAL);
+ }
ret = avctx->reget_buffer(avctx, &cc->frame);
if (ret) {
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/celp_filters.c
@@ -133,9 +133,8 @@
out2 -= val * old_out2;
out3 -= val * old_out3;
- old_out3 = out[-5];
-
for (i = 5; i <= filter_length; i += 2) {
+ old_out3 = out[-i];
val = filter_coeffs[i-1];
out0 -= val * old_out3;
@@ -154,7 +153,6 @@
FFSWAP(float, old_out0, old_out2);
old_out1 = old_out3;
- old_out3 = out[-i-2];
}
tmp0 = out0;
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/cook.c
@@ -1066,6 +1066,10 @@
q->sample_rate = avctx->sample_rate;
q->nb_channels = avctx->channels;
q->bit_rate = avctx->bit_rate;
+ if (!q->nb_channels) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+ return AVERROR_INVALIDDATA;
+ }
/* Initialize RNG. */
av_lfg_init(&q->random_state, 0);
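Review bot: `if (!q->nb_channels)` rejects only zero, so a negative `avctx->channels` still passes this check; whether later code in the init function (outside the hunk) bounds it is not visible here. The binkaudio change in this same update tests `avctx->channels < 1`, and the equivalent here would be `if (avctx->channels <= 0) {` placed before the assignment. Testing `avctx->channels` rather than `q->nb_channels` also avoids depending on the field's signedness, which this hunk does not show.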
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/cscd.c
@@ -228,7 +228,7 @@
av_log(avctx, AV_LOG_ERROR,
"CamStudio codec error: invalid depth %i bpp\n",
avctx->bits_per_coded_sample);
- return 1;
+ return AVERROR_INVALIDDATA;
}
c->bpp = avctx->bits_per_coded_sample;
avcodec_get_frame_defaults(&c->pic);
@@ -242,7 +242,7 @@
c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
if (!c->decomp_buf) {
av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
- return 1;
+ return AVERROR(ENOMEM);
}
return 0;
}
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/dca.c
@@ -29,6 +29,7 @@
#include "libavutil/common.h"
#include "libavutil/intmath.h"
#include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
#include "libavutil/audioconvert.h"
#include "avcodec.h"
#include "dsputil.h"
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/dpcm.c
@@ -169,6 +169,7 @@
int in, out = 0;
int predictor[2];
int channel_number = 0;
+ int stereo = s->channels - 1;
short *output_samples = data;
int shift[2];
unsigned char byte;
@@ -177,6 +178,9 @@
if (!buf_size)
return 0;
+ if (stereo && (buf_size & 1))
+ buf_size--;
+
// almost every DPCM variant expands one byte of data into two
if(*data_size/2 < buf_size)
return -1;
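Review bot: The odd-size trim runs after the `if (!buf_size) return 0;` guard, so a one-byte stereo packet reaches the rest of the decoder with `buf_size == 0`. The per-codec decode loops are outside the hunk, so whether they tolerate an empty buffer cannot be seen here; moving the trim above the zero check, or re-testing `buf_size` after it, removes the question. Note also that `stereo` from the first hunk is `s->channels - 1`, which is non-zero for any channel count other than 1, and the channel validation is likewise outside these hunks.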
@@ -295,7 +299,7 @@
}
*data_size = out * sizeof(short);
- return buf_size;
+ return avpkt->size;
}
#define DPCM_DECODER(id, name, long_name_) \
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/dsicinav.c
@@ -146,11 +146,11 @@
return dst_cur - dst;
}
-static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
{
uint16_t cmd;
int i, sz, offset, code;
- unsigned char *dst_end = dst + dst_size;
+ unsigned char *dst_end = dst + dst_size, *dst_start = dst;
const unsigned char *src_end = src + src_size;
while (src < src_end && dst < dst_end) {
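Review bot: `cin_decode_lzss` now returns a status but carries no comment stating the contract, while its sibling `cin_decode_rle` further down this file section remains `void`. A short header comment such as `/* Returns 0 on success, AVERROR_INVALIDDATA if a back-reference points before the start of dst. */` would record what the new `dst_start` bookkeeping is for. The function body continues beyond this hunk.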
@@ -161,6 +161,8 @@
} else {
cmd = AV_RL16(src); src += 2;
offset = cmd >> 4;
+ if ((int) (dst - dst_start) < offset + 1)
+ return AVERROR_INVALIDDATA;
sz = (cmd & 0xF) + 2;
/* don't use memcpy/memmove here as the decoding routine (ab)uses */
/* buffer overlappings to repeat bytes in the destination */
@@ -172,6 +174,8 @@
}
}
}
+
+ return 0;
}
static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
@@ -201,13 +205,7 @@
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
CinVideoContext *cin = avctx->priv_data;
- int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size;
-
- cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
- if (avctx->reget_buffer(avctx, &cin->frame)) {
- av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
- return -1;
- }
+ int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;
palette_type = buf[0];
palette_colors_count = AV_RL16(buf+1);
@@ -233,8 +231,6 @@
bitmap_frame_size -= 4;
}
}
- memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
- cin->frame.palette_has_changed = 1;
/* note: the decoding routines below assumes that surface.width = surface.pitch */
switch (bitmap_frame_type) {
@@ -267,17 +263,31 @@
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
break;
case 38:
- cin_decode_lzss(buf, bitmap_frame_size,
- cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+ res = cin_decode_lzss(buf, bitmap_frame_size,
+ cin->bitmap_table[CIN_CUR_BMP],
+ cin->bitmap_size);
+ if (res < 0)
+ return res;
break;
case 39:
- cin_decode_lzss(buf, bitmap_frame_size,
- cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+ res = cin_decode_lzss(buf, bitmap_frame_size,
+ cin->bitmap_table[CIN_CUR_BMP],
+ cin->bitmap_size);
+ if (res < 0)
+ return res;
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
break;
}
+ cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+ if (avctx->reget_buffer(avctx, &cin->frame)) {
+ av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+ return -1;
+ }
+
+ memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
+ cin->frame.palette_has_changed = 1;
for (y = 0; y < cin->avctx->height; ++y)
memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/eatqi.c
@@ -59,12 +59,15 @@
return 0;
}
-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
{
int n;
s->dsp.clear_blocks(block[0]);
for (n=0; n<6; n++)
- ff_mpeg1_decode_block_intra(s, block[n], n);
+ if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+ return -1;
+
+ return 0;
}
static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
@@ -136,7 +139,8 @@
for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
{
- tqi_decode_mb(s, t->block);
+ if (tqi_decode_mb(s, t->block) < 0)
+ break;
tqi_idct_put(t, t->block);
}
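Review bot: The `break` on a failed `tqi_decode_mb()` leaves only the inner `mb_x` loop; the outer `mb_y` loop keeps running, so decoding resumes on the next macroblock row from a bitstream position that has already produced an error. If the intent is to stop decoding the frame, both loops need to be left, for example with a `goto` to a label after the loops or an error flag tested in the outer loop condition. If continuing with the next row is deliberate, a comment saying so would help. The outer `for` has no braces, so adding them with this change would make the nesting easier to read.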
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/flacdec.c
@@ -420,7 +420,16 @@
type = get_bits(&s->gb, 6);
if (get_bits1(&s->gb)) {
+ int left = get_bits_left(&s->gb);
wasted = 1;
+ if ( left < 0 ||
+ (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+ !show_bits_long(&s->gb, s->curr_bps)) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+ s->curr_bps, left);
+ return AVERROR_INVALIDDATA;
+ }
while (!get_bits1(&s->gb))
wasted++;
s->curr_bps -= wasted;
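Review bot: The guard rejects `left < 0` but not `left == 0`, so with no bits remaining the second clause evaluates `show_bits_long(&s->gb, left)` with a width of zero. Whether a zero-width read is well defined depends on the bit reader, which is not shown here; writing `left <= 0 ||` avoids relying on it. Note also that the loop below can leave `s->curr_bps` at 0 when the first set bit is the last of the `curr_bps` bits that were checked, and any handling of that case is outside the hunk.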
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/fraps.c
@@ -135,7 +135,7 @@
uint32_t *luma1,*luma2,*cb,*cr;
uint32_t offs[4];
int i, j, is_chroma, planes;
-
+ enum PixelFormat pix_fmt;
header = AV_RL32(buf);
version = header & 0xff;
@@ -152,12 +152,16 @@
if (header_size == 8)
buf+=4;
+ pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;
+ if (avctx->pix_fmt != pix_fmt && f->data[0]) {
+ avctx->release_buffer(avctx, f);
+ }
+ avctx->pix_fmt = pix_fmt;
+
switch(version) {
case 0:
default:
/* Fraps v0 is a reordered YUV420 */
- avctx->pix_fmt = PIX_FMT_YUVJ420P;
-
if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
(buf_size != header_size) ) {
av_log(avctx, AV_LOG_ERROR,
@@ -205,8 +209,6 @@
case 1:
/* Fraps v1 is an upside-down BGR24 */
- avctx->pix_fmt = PIX_FMT_BGR24;
-
if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
(buf_size != header_size) ) {
av_log(avctx, AV_LOG_ERROR,
@@ -241,7 +243,6 @@
* Fraps v2 is Huffman-coded YUV420 planes
* Fraps v4 is virtually the same
*/
- avctx->pix_fmt = PIX_FMT_YUVJ420P;
planes = 3;
f->reference = 1;
f->buffer_hints = FF_BUFFER_HINTS_VALID |
@@ -286,7 +287,6 @@
case 3:
case 5:
/* Virtually the same as version 4, but is for RGB24 */
- avctx->pix_fmt = PIX_FMT_BGR24;
planes = 3;
f->reference = 1;
f->buffer_hints = FF_BUFFER_HINTS_VALID |
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/golomb.h
@@ -123,7 +123,7 @@
}else{
int ret = 1;
- while (1) {
+ do {
buf >>= 32 - 8;
LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8));
@@ -135,7 +135,7 @@
ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
UPDATE_CACHE(re, gb);
buf = GET_CACHE(re, gb);
- }
+ } while (ret);
CLOSE_READER(re, gb);
return ret - 1;
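Review bot: The added `while (ret)` exit is reached only once the leading 1 of `ret` has been shifted out by `ret = (ret << 4) | ...`, and `ret` is declared `int` in the previous hunk, so termination relies on left-shifting a signed value past its range, which C leaves undefined. Declaring it `unsigned ret = 1;` would give the shift defined wrap-around; the function's return type is outside the hunks, so the conversion on `return ret - 1;` needs confirming. A comment stating when the loop is expected to end on exhausted input would document the intent. Part of the loop body lies between the two hunks and is not visible here.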
@@ -301,7 +301,7 @@
return buf;
}else{
int i;
- for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
+ for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
LAST_SKIP_BITS(re, gb, 1);
UPDATE_CACHE(re, gb);
}
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h263dec.c
@@ -438,6 +438,13 @@
if (ret < 0){
av_log(s->avctx, AV_LOG_ERROR, "header damaged\n");
return -1;
+ } else if ((s->width != avctx->coded_width ||
+ s->height != avctx->coded_height ||
+ (s->width + 15) >> 4 != s->mb_width ||
+ (s->height + 15) >> 4 != s->mb_height) &&
+ (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) {
+ av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+ return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding
}
avctx->has_b_frames= !s->low_delay;
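Review bot: The same rejection of a resolution change under frame threading is added twice with different results: this hunk returns `AVERROR_PATCHWELCOME`, while the hunk at `@@ -579,6 +585,12 @@` returns a bare `-1` for the same condition and the same message. Returning `AVERROR_PATCHWELCOME` in both places would keep callers' error handling uniform. The message text `"Width/height/bit depth/chroma idc changing with threads is"` mentions bit depth and chroma idc, which neither condition tests; `"Width/height changing with threads is"` matches what is actually checked.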
@@ -564,8 +571,7 @@
#if HAVE_MMX
if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
avctx->idct_algo= FF_IDCT_XVIDMMX;
- avctx->coded_width= 0; // force reinit
-// dsputil_init(&s->dsp, avctx);
+ ff_dct_common_init(s);
s->picture_number=0;
}
#endif
@@ -579,6 +585,12 @@
|| s->height != avctx->coded_height) {
/* H.263 could change picture size any time */
ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
+
+ if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+ av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+ return -1; // width / height changed during parallelized decoding
+ }
+
s->parse_context.buffer=0;
MPV_common_end(s);
s->parse_context= pc;
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h264.c
@@ -108,7 +108,10 @@
return 0;
} //FIXME cleanup like check_intra_pred_mode
-static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
MpegEncContext * const s = &h->s;
static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -140,23 +143,6 @@
return mode;
}
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
-{
- return check_intra_pred_mode(h, mode, 0);
-}
-
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
-{
- return check_intra_pred_mode(h, mode, 1);
-}
-
-
const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
int i, si, di;
uint8_t *dst;
@@ -2231,7 +2217,11 @@
}
if(field < 0){
- cur_poc = s->current_picture_ptr->poc;
+ if (s->picture_structure == PICT_FRAME) {
+ cur_poc = s->current_picture_ptr->poc;
+ } else {
+ cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1];
+ }
if( h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF
&& h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){
h->use_weight= 0;
@@ -2630,9 +2620,9 @@
if (s->context_initialized
&& ( s->width != s->avctx->width || s->height != s->avctx->height
|| av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
- if(h != h0) {
+ if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0);
- return -1; // width / height changed during parallelized decoding
+ return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding
}
free_tables(h, 0);
flush_dpb(s->avctx);
@@ -2810,11 +2800,9 @@
s0->first_field = FIELD_PICTURE;
} else {
- if (h->nal_ref_idc &&
- s0->current_picture_ptr->reference &&
- s0->current_picture_ptr->frame_num != h->frame_num) {
+ if (s0->current_picture_ptr->frame_num != h->frame_num) {
/*
- * This and previous field were reference, but had
+ * This and previous field had
* different frame_nums. Consider this field first in
* pair. Throw away previous field except for reference
* purposes.
@@ -2898,7 +2886,8 @@
h->ref_count[1]= h->pps.ref_count[1];
if(h->slice_type_nos != AV_PICTURE_TYPE_I){
- unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
+ unsigned max= s->picture_structure == PICT_FRAME ? 15 : 31;
+
if(h->slice_type_nos == AV_PICTURE_TYPE_B){
h->direct_spatial_mv_pred= get_bits1(&s->gb);
}
@@ -2908,13 +2897,14 @@
h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
if(h->slice_type_nos==AV_PICTURE_TYPE_B)
h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
-
}
- if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+
+ if (h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0]= h->ref_count[1]= 1;
- return -1;
+ h->ref_count[0] = h->ref_count[1] = 1;
+ return AVERROR_INVALIDDATA;
}
+
if(h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count= 2;
else
@@ -3763,7 +3753,7 @@
case NAL_IDR_SLICE:
case NAL_SLICE:
init_get_bits(&hx->s.gb, ptr, bit_length);
- if(!get_ue_golomb(&hx->s.gb))
+ if (!get_ue_golomb(&hx->s.gb))
nals_needed = nal_index;
}
continue;
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h264.h
@@ -658,12 +658,7 @@
/**
* Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
*/
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
-
-/**
- * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);
void ff_h264_write_back_intra_pred_mode(H264Context *h);
void ff_h264_hl_decode_mb(H264Context *h);
@@ -1075,7 +1070,7 @@
AV_ZERO32(h->mv_cache [list][scan8[0] + 4 - 1*8]);
h->ref_cache[list][scan8[0] + 4 - 1*8]= topright_type ? LIST_NOT_USED : PART_NOT_AVAILABLE;
}
- if(h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){
+ if(h->ref_cache[list][scan8[0] + 2 - 1*8] < 0 || h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){
if(USES_LIST(topleft_type, list)){
const int b_xy = h->mb2b_xy [topleft_xy] + 3 + h->b_stride + (h->topleft_partition & 2*h->b_stride);
const int b8_xy= 4*topleft_xy + 1 + (h->topleft_partition & 2);
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h264_cabac.c
@@ -1959,6 +1959,8 @@
}
// The pixels are stored in the same order as levels in h->mb array.
+ if ((int) (h->cabac.bytestream_end - ptr) < mb_size)
+ return -1;
memcpy(h->mb, ptr, mb_size); ptr+=mb_size;
ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr);
@@ -2003,14 +2005,14 @@
ff_h264_write_back_intra_pred_mode(h);
if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
} else {
- h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
+ h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
if( h->intra16x16_pred_mode < 0 ) return -1;
}
if(decode_chroma){
h->chroma_pred_mode_table[mb_xy] =
pred_mode = decode_cabac_mb_chroma_pre_mode( h );
- pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
+ pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
if( pred_mode < 0 ) return -1;
h->chroma_pred_mode= pred_mode;
} else {
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h264_cavlc.c
@@ -238,17 +238,18 @@
}
static av_cold void init_cavlc_level_tab(void){
- int suffix_length, mask;
+ int suffix_length;
unsigned int i;
for(suffix_length=0; suffix_length<7; suffix_length++){
for(i=0; i<(1<<LEVEL_TAB_BITS); i++){
int prefix= LEVEL_TAB_BITS - av_log2(2*i);
- int level_code= (prefix<<suffix_length) + (i>>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<<suffix_length);
- mask= -(level_code&1);
- level_code= (((2+level_code)>>1) ^ mask) - mask;
if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){
+ int level_code = (prefix << suffix_length) +
+ (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length);
+ int mask = -(level_code&1);
+ level_code = (((2 + level_code) >> 1) ^ mask) - mask;
cavlc_level_tab[suffix_length][i][0]= level_code;
cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length;
}else if(prefix + 1 <= LEVEL_TAB_BITS){
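Review bot: The reason `level_code` had to move inside the `if` is not recorded, and the computation is easy to hoist back out by mistake. The shift count `av_log2(i) - suffix_length` is non-negative only when `prefix + 1 + suffix_length <= LEVEL_TAB_BITS` holds, because `prefix` is `LEVEL_TAB_BITS - av_log2(2*i)`; outside that branch the shift would be by a negative amount. A one-line comment above the declaration, e.g. `/* shift count is >= 0 only under this condition */`, would capture that.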
@@ -735,12 +736,12 @@
if( ff_h264_check_intra4x4_pred_mode(h) < 0)
return -1;
}else{
- h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
+ h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
if(h->intra16x16_pred_mode < 0)
return -1;
}
if(decode_chroma){
- pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
+ pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
if(pred_mode < 0)
return -1;
h->chroma_pred_mode= pred_mode;
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h264_parser.c
@@ -251,6 +251,12 @@
h->got_first = 1;
if (avctx->extradata_size) {
h->s.avctx = avctx;
+ // must be done like in decoder, otherwise opening the parser,
+ // letting it create extradata and then closing and opening again
+ // will cause has_b_frames to be always set.
+ // Note that estimate_timings_from_pts does exactly this.
+ if (!avctx->has_b_frames)
+ h->s.low_delay = 1;
ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
}
}
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/h264_ps.c
@@ -342,8 +342,12 @@
if(sps->profile_idc >= 100){ //high profile
sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
- if(sps->chroma_format_idc == 3)
+ if (sps->chroma_format_idc > 3U) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
+ goto fail;
+ } else if(sps->chroma_format_idc == 3) {
sps->residual_color_transform_flag = get_bits1(&s->gb);
+ }
sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8;
sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
@@ -481,10 +485,14 @@
unsigned int pps_id= get_ue_golomb(&s->gb);
PPS *pps;
const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8);
+ int bits_left;
if(pps_id >= MAX_PPS_COUNT) {
av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
return -1;
+ } else if (h->sps.bit_depth_luma > 10) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+ return AVERROR_PATCHWELCOME;
}
pps= av_mallocz(sizeof(PPS));
@@ -557,7 +565,9 @@
memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4));
memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8));
- if(get_bits_count(&s->gb) < bit_length){
+ bits_left = bit_length - get_bits_count(&s->gb);
+ if (bits_left && (bits_left > 8 ||
+ show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) {
pps->transform_8x8_mode= get_bits1(&s->gb);
decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset
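Review bot: `bits_left` can be negative when the reader has already run past `bit_length`, and the new condition `bits_left && (bits_left > 8 || ...)` then calls `show_bits(&s->gb, bits_left)` and evaluates `1 << (bits_left - 1)` with a negative count. The replaced test `get_bits_count(&s->gb) < bit_length` excluded that case. Using `bits_left > 0 &&` as the first operand restores the old behaviour on overread. The enclosing function extends beyond this hunk.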
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/huffyuv.c
@@ -82,13 +82,15 @@
DSPContext dsp;
}HYuvContext;
-static const unsigned char classic_shift_luma[] = {
+#define classic_shift_luma_table_size 42
+static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
69,68, 0
};
-static const unsigned char classic_shift_chroma[] = {
+#define classic_shift_chroma_table_size 59
+static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0
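Review bot: The two `*_table_size` values are hand-counted (42 and 59, i.e. the initialisers without the final `0` entry) and nothing ties them to the initialiser lists. An edit to either table can therefore silently desynchronise the bit length passed to `init_get_bits()` in the `@@ -366,10 +368,10 @@` hunk. A comment on each define, e.g. `/* number of table bytes, excluding the final 0 and the padding */`, would make the invariant explicit. The lowercase macro names also read like variables; `CLASSIC_SHIFT_LUMA_TABLE_SIZE` would follow the usual convention for constants.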
@@ -184,7 +186,7 @@
if(repeat==0)
repeat= get_bits(gb, 8);
//printf("%d %d\n", val, repeat);
- if(i+repeat > 256) {
+ if(i+repeat > 256 || get_bits_left(gb) < 0) {
av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
return -1;
}
@@ -366,10 +368,10 @@
GetBitContext gb;
int i;
- init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+ init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
if(read_len_table(s->len[0], &gb)<0)
return -1;
- init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8);
+ init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
if(read_len_table(s->len[1], &gb)<0)
return -1;
@@ -515,7 +517,7 @@
}
break;
default:
- assert(0);
+ return AVERROR_INVALIDDATA;
}
alloc_temp(s);
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/iff.c
@@ -176,7 +176,13 @@
const uint8_t *buf;
unsigned buf_size;
IffContext *s = avctx->priv_data;
- int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+ int palette_size;
+
+ if (avctx->extradata_size < 2) {
+ av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
+ return AVERROR_INVALIDDATA;
+ }
+ palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
if (avpkt) {
int image_size;
@@ -192,8 +198,6 @@
return AVERROR_INVALIDDATA;
}
} else {
- if (avctx->extradata_size < 2)
- return AVERROR_INVALIDDATA;
buf = avctx->extradata;
buf_size = bytestream_get_be16(&buf);
if (buf_size <= 1 || palette_size < 0) {
@@ -281,7 +285,12 @@
int err;
if (avctx->bits_per_coded_sample <= 8) {
- int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+ int palette_size;
+
+ if (avctx->extradata_size >= 2)
+ palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+ else
+ palette_size = 0;
avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) ||
(avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8;
} else if (avctx->bits_per_coded_sample <= 32) {
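Review bot: `palette_size` is used as a truth value in `(avctx->extradata_size >= 2 && palette_size)`, so a negative result, where `AV_RB16(avctx->extradata)` is larger than `extradata_size`, still selects `PIX_FMT_PAL8`. The decode path in the `@@ -192,8 +198,6 @@` hunk treats `palette_size < 0` as invalid in at least one branch, and init could do the same by testing `palette_size > 0` or by returning `AVERROR_INVALIDDATA` for a negative value. Whether later code in this function, outside the hunk, rejects it is not visible.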
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/indeo5.c
@@ -219,6 +219,10 @@
}
if (band->blk_size == 8) {
+ if(quant_mat >= 5){
+ av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+ return -1;
+ }
band->intra_base = &ivi5_base_quant_8x8_intra[quant_mat][0];
band->inter_base = &ivi5_base_quant_8x8_inter[quant_mat][0];
band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];
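Review bot: The bound `quant_mat >= 5` is a bare literal that has to match the first dimension of the `ivi5_*_quant_8x8_*` tables indexed just below; `FF_ARRAY_ELEMS(ivi5_base_quant_8x8_intra)` would keep the check correct if the tables change. If `quant_mat` is a signed type (its declaration is outside the hunk), a negative value would also pass this test, so an unsigned comparison is safer. The branch for other block sizes is outside the hunk, so whether it indexes its tables with the same value unchecked cannot be seen here.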
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/intelh263dec.c
@@ -77,7 +77,7 @@
}
if(get_bits(&s->gb, 2))
av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
- s->loop_filter = get_bits1(&s->gb);
+ s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;
if(get_bits1(&s->gb))
av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
if(get_bits1(&s->gb))
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/ituh263dec.c
@@ -961,6 +961,8 @@
s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */
s->loop_filter= get_bits1(&s->gb);
s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter;
+ if(s->avctx->lowres)
+ s->loop_filter = 0;
s->h263_slice_structured= get_bits1(&s->gb);
if (get_bits1(&s->gb) != 0) {
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/j2k_dwt.c
@@ -321,7 +321,7 @@
int i, j, lev = decomp_levels, maxlen,
b[2][2];
- if (decomp_levels >= FF_DWT_MAX_DECLVLS)
+ if ((unsigned)decomp_levels >= FF_DWT_MAX_DECLVLS)
return AVERROR_INVALIDDATA;
s->ndeclevels = decomp_levels;
s->type = type;
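Review bot: The `(unsigned)` cast is what rejects a negative `decomp_levels`, but the line does not say so and a later reader may remove it as noise. A one-line comment above the test, `/* the cast also rejects negative values */`, would keep the intent. The function body continues outside the hunk.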
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/j2kdec.c
^
|
@@ -359,7 +359,7 @@
if (q->quantsty == J2K_QSTY_NONE){
n -= 3;
- if (s->buf_end - s->buf < n)
+ if (s->buf_end - s->buf < n || 32*3 < n)
return AVERROR(EINVAL);
for (i = 0; i < n; i++)
q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
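Review bot: `32*3` is an unexplained literal standing in for the capacity of the array the loop fills, so the check and the declaration can drift apart. If `q->expn` is a fixed-size array member (its declaration is outside the hunk), `FF_ARRAY_ELEMS(q->expn) < n` ties the limit to the storage; otherwise a named constant shared with the struct would do. The same applies to the identical test in the `@@ -376` hunk, where the loop body continues past the visible lines.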
@@ -376,7 +376,7 @@
}
} else{
n = (n - 3) >> 1;
- if (s->buf_end - s->buf < n)
+ if (s->buf_end - s->buf < n || 32*3 < n)
return AVERROR(EINVAL);
for (i = 0; i < n; i++){
x = bytestream_get_be16(&s->buf);
@@ -421,6 +421,10 @@
return AVERROR(EINVAL);
s->curtileno = bytestream_get_be16(&s->buf); ///< Isot
+ if((unsigned)s->curtileno >= s->numXtiles * s->numYtiles){
+ s->curtileno=0;
+ return AVERROR(EINVAL);
+ }
s->buf += 4; ///< Psot (ignored)
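Review bot: `s->curtileno` is written with the unvalidated value and only then range-checked, with a reset to 0 on failure. Reading into a local first keeps an out-of-range index from ever being stored in the context: `int tileno = bytestream_get_be16(&s->buf);`, then `if ((unsigned)tileno >= s->numXtiles * s->numYtiles) return AVERROR(EINVAL);`, then `s->curtileno = tileno;`. The product `s->numXtiles * s->numYtiles` is also worth checking for overflow if both factors come from the stream; their types and limits are not visible here.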
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/jvdec.c
^
|
@@ -143,6 +143,10 @@
buf += 5;
if (video_size) {
+ if(video_size < 0) {
+ av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
+ return AVERROR_INVALIDDATA;
+ }
if (avctx->reget_buffer(avctx, &s->frame) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return -1;
@@ -150,7 +154,7 @@
if (video_type == 0 || video_type == 1) {
GetBitContext gb;
- init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8));
+ init_get_bits(&gb, buf, 8 * FFMIN(video_size, buf_end - buf));
for (j = 0; j < avctx->height; j += 8)
for (i = 0; i < avctx->width; i += 8)
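Review bot: `8 * FFMIN(video_size, buf_end - buf)` can still overflow `int` when both operands are large, since the previous hunk only rejects a negative `video_size`. The mjpegbdec.c change in this same update guards the equivalent multiplication with a `1 << 28` limit; the same test on the byte count here, `if (FFMIN(video_size, buf_end - buf) >= 1 << 28) return AVERROR_INVALIDDATA;`, would close it. Whether the packet size is already capped by the caller is not visible in the hunk.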
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/kgv1dec.c
^
|
@@ -30,19 +30,26 @@
typedef struct {
AVCodecContext *avctx;
- AVFrame pic;
- uint16_t *prev, *cur;
+ AVFrame prev, cur;
} KgvContext;
+static void decode_flush(AVCodecContext *avctx)
+{
+ KgvContext * const c = avctx->priv_data;
+
+ if (c->prev.data[0])
+ avctx->release_buffer(avctx, &c->prev);
+}
+
static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
const uint8_t *buf_end = buf + avpkt->size;
KgvContext * const c = avctx->priv_data;
- int offsets[7];
+ int offsets[8];
uint16_t *out, *prev;
int outcnt = 0, maxcnt;
- int w, h, i;
+ int w, h, i, res;
if (avpkt->size < 2)
return -1;
@@ -54,22 +61,25 @@
if (av_image_check_size(w, h, 0, avctx))
return -1;
- if (w != avctx->width || h != avctx->height)
+ if (w != avctx->width || h != avctx->height) {
+ if (c->prev.data[0])
+ avctx->release_buffer(avctx, &c->prev);
avcodec_set_dimensions(avctx, w, h);
+ }
maxcnt = w * h;
- out = av_realloc(c->cur, w * h * 2);
- if (!out)
- return -1;
- c->cur = out;
-
- prev = av_realloc(c->prev, w * h * 2);
- if (!prev)
- return -1;
- c->prev = prev;
+ c->cur.reference = 3;
+ if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
+ return res;
+ out = (uint16_t *) c->cur.data[0];
+ if (c->prev.data[0]) {
+ prev = (uint16_t *) c->prev.data[0];
+ } else {
+ prev = NULL;
+ }
- for (i = 0; i < 7; i++)
+ for (i = 0; i < 8; i++)
offsets[i] = -1;
while (outcnt < maxcnt && buf_end - 2 > buf) {
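Review bot: `out` and `prev` treat `data[0]` of a `get_buffer()` frame as one packed array of `w * h` pixels, whereas the removed code set `linesize[0] = w * 2` on a buffer it owned itself. A frame obtained from `get_buffer()` carries its own `linesize[0]`, which may be larger than `w * 2`; if it is, the rows written through `out[outcnt++]` no longer line up with what the caller reads. Indexing by row with `linesize[0] / 2` as the stride, or decoding into a packed scratch buffer and copying row by row, would remove the assumption. The decode loop continues outside this hunk.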
@@ -80,6 +90,7 @@
out[outcnt++] = code; // rgb555 pixel coded directly
} else {
int count;
+ int inp_off;
uint16_t *inp;
if ((code & 0x6000) == 0x6000) {
@@ -101,7 +112,14 @@
if (maxcnt - start < count)
break;
- inp = prev + start;
+ if (!prev) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Frame reference does not exist\n");
+ break;
+ }
+
+ inp = prev;
+ inp_off = start;
} else {
// copy from earlier in this frame
int offset = (code & 0x1FFF) + 1;
@@ -119,27 +137,28 @@
if (outcnt < offset)
break;
- inp = out + outcnt - offset;
+ inp = out;
+ inp_off = outcnt - offset;
}
if (maxcnt - outcnt < count)
break;
- for (i = 0; i < count; i++)
+ for (i = inp_off; i < count + inp_off; i++) {
out[outcnt++] = inp[i];
+ }
}
}
if (outcnt - maxcnt)
av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt);
- c->pic.data[0] = (uint8_t *)c->cur;
- c->pic.linesize[0] = w * 2;
-
*data_size = sizeof(AVFrame);
- *(AVFrame*)data = c->pic;
+ *(AVFrame*)data = c->cur;
- FFSWAP(uint16_t *, c->cur, c->prev);
+ if (c->prev.data[0])
+ avctx->release_buffer(avctx, &c->prev);
+ FFSWAP(AVFrame, c->cur, c->prev);
return avpkt->size;
}
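Review bot: The frame is handed to the caller even when the loop stopped early, and the pixels from `outcnt` to `maxcnt` in the `get_buffer()` frame are then whatever that buffer held before. The only trace is the `AV_LOG_DEBUG` message. Clearing the tail before output, `if (outcnt < maxcnt) memset(out + outcnt, 0, (maxcnt - outcnt) * sizeof(*out));`, or returning an error for a short frame, would avoid passing stale memory on to the application.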
@@ -150,29 +169,25 @@
c->avctx = avctx;
avctx->pix_fmt = PIX_FMT_RGB555;
- avcodec_get_frame_defaults(&c->pic);
+ avctx->flags |= CODEC_FLAG_EMU_EDGE;
return 0;
}
static av_cold int decode_end(AVCodecContext *avctx)
{
- KgvContext * const c = avctx->priv_data;
-
- av_freep(&c->cur);
- av_freep(&c->prev);
-
+ decode_flush(avctx);
return 0;
}
AVCodec ff_kgv1_decoder = {
- "kgv1",
- AVMEDIA_TYPE_VIDEO,
- CODEC_ID_KGV1,
- sizeof(KgvContext),
- decode_init,
- NULL,
- decode_end,
- decode_frame,
+ .name = "kgv1",
+ .type = AVMEDIA_TYPE_VIDEO,
+ .id = CODEC_ID_KGV1,
+ .priv_data_size = sizeof(KgvContext),
+ .init = decode_init,
+ .close = decode_end,
+ .decode = decode_frame,
+ .flush = decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
};
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/kmvc.c
^
|
@@ -33,6 +33,7 @@
#define KMVC_KEYFRAME 0x80
#define KMVC_PALETTE 0x40
#define KMVC_METHOD 0x0F
+#define MAX_PALSIZE 256
/*
* Decoder context
@@ -43,7 +44,7 @@
int setpal;
int palsize;
- uint32_t pal[256];
+ uint32_t pal[MAX_PALSIZE];
uint8_t *cur, *prev;
uint8_t *frm0, *frm1;
} KmvcContext;
@@ -57,17 +58,21 @@
#define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++;
-#define kmvc_getbit(bb, src, res) {\
+#define kmvc_getbit(bb, src, src_end, res) {\
res = 0; \
if (bb.bitbuf & (1 << bb.bits)) res = 1; \
bb.bits--; \
if(bb.bits == -1) { \
+ if (src >= src_end) { \
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
+ return AVERROR_INVALIDDATA; \
+ } \
bb.bitbuf = *src++; \
bb.bits = 7; \
} \
}
-static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
{
BitBuf bb;
int res, val;
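Review bot: `kmvc_getbit` now contains a `return` and reads `ctx` from the caller's scope, so the macro has control flow and a dependency that its argument list does not show. It is also still a bare `{ ... }` block rather than `do { ... } while (0)`. A comment above the macro stating that it returns `AVERROR_INVALIDDATA` from the enclosing function and needs `ctx` in scope would cover the documentation side. The identical `if (src >= src_end)` blocks added before each `*src++` in the following hunks could share one small checking macro instead of being spelled out every time.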
@@ -75,13 +80,18 @@
int bx, by;
int l0x, l1x, l0y, l1y;
int mx, my;
+ const uint8_t *src_end = src + src_size;
kmvc_init_getbits(bb, src);
for (by = 0; by < h; by += 8)
for (bx = 0; bx < w; bx += 8) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 8x8 block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
for (i = 0; i < 64; i++)
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
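Review bot: `kmvc_init_getbits(bb, src)` still reads `*src++` before any comparison with the new `src_end`, so a call with a `src_size` of 0 reads one byte past the data. A guard ahead of it, `if (src >= src_end) return AVERROR_INVALIDDATA;`, closes that first read; the same applies to `kmvc_decode_inter_8x8` in the `@@ -150` hunk. Whether the caller can pass an empty payload is not visible here.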
@@ -89,14 +99,22 @@
for (i = 0; i < 4; i++) {
l0x = bx + (i & 1) * 4;
l0y = by + (i & 2) * 2;
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 4x4 block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
for (j = 0; j < 16; j++)
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
} else { // copy block from already decoded place
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
mx = val & 0xF;
my = val >> 4;
@@ -108,16 +126,24 @@
for (j = 0; j < 4; j++) {
l1x = l0x + (j & 1) * 2;
l1y = l0y + (j & 2);
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 2x2 block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
BLK(ctx->cur, l1x, l1y) = val;
BLK(ctx->cur, l1x + 1, l1y) = val;
BLK(ctx->cur, l1x, l1y + 1) = val;
BLK(ctx->cur, l1x + 1, l1y + 1) = val;
} else { // copy block from already decoded place
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
mx = val & 0xF;
my = val >> 4;
@@ -140,9 +166,11 @@
}
}
}
+
+ return 0;
}
-static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
{
BitBuf bb;
int res, val;
@@ -150,15 +178,20 @@
int bx, by;
int l0x, l1x, l0y, l1y;
int mx, my;
+ const uint8_t *src_end = src + src_size;
kmvc_init_getbits(bb, src);
for (by = 0; by < h; by += 8)
for (bx = 0; bx < w; bx += 8) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 8x8 block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
for (i = 0; i < 64; i++)
BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -171,14 +204,22 @@
for (i = 0; i < 4; i++) {
l0x = bx + (i & 1) * 4;
l0y = by + (i & 2) * 2;
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 4x4 block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
for (j = 0; j < 16; j++)
BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
} else { // copy block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
mx = (val & 0xF) - 8;
my = (val >> 4) - 8;
@@ -190,16 +231,24 @@
for (j = 0; j < 4; j++) {
l1x = l0x + (j & 1) * 2;
l1y = l0y + (j & 2);
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) {
- kmvc_getbit(bb, src, res);
+ kmvc_getbit(bb, src, src_end, res);
if (!res) { // fill whole 2x2 block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
BLK(ctx->cur, l1x, l1y) = val;
BLK(ctx->cur, l1x + 1, l1y) = val;
BLK(ctx->cur, l1x, l1y + 1) = val;
BLK(ctx->cur, l1x + 1, l1y + 1) = val;
} else { // copy block
+ if (src >= src_end) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+ return AVERROR_INVALIDDATA;
+ }
val = *src++;
mx = (val & 0xF) - 8;
my = (val >> 4) - 8;
@@ -222,6 +271,8 @@
}
}
}
+
+ return 0;
}
static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
@@ -300,10 +351,10 @@
memcpy(ctx->cur, ctx->prev, 320 * 200);
break;
case 3:
- kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height);
+ kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
break;
case 4:
- kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height);
+ kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
break;
default:
av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
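Review bot: The new `int` results of `kmvc_decode_intra_8x8()` and `kmvc_decode_inter_8x8()` are discarded at both call sites, so a "Data overrun" is logged but the frame is still treated as decoded. Propagating the result through a local, `if ((ret = kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height)) < 0) return ret;`, makes the new checks effective. Separately, `buf_size` is passed as the length of `buf`; if `buf` has already been advanced past header or palette bytes earlier in `decode_frame` (outside the hunk) while `buf_size` still holds the packet size, `src_end` lands beyond the real end of the data.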
@@ -365,6 +416,10 @@
c->palsize = 127;
} else {
c->palsize = AV_RL16(avctx->extradata + 10);
+ if (c->palsize >= MAX_PALSIZE) {
+ av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+ return AVERROR_INVALIDDATA;
+ }
}
if (avctx->extradata_size == 1036) { // palette in extradata
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/lcldec.c
^
|
@@ -223,8 +223,29 @@
len = mszh_dlen;
}
break;
- case COMP_MSZH_NOCOMP:
+ case COMP_MSZH_NOCOMP: {
+ int bppx2;
+ switch (c->imgtype) {
+ case IMGTYPE_YUV111:
+ case IMGTYPE_RGB24:
+ bppx2 = 6;
+ break;
+ case IMGTYPE_YUV422:
+ case IMGTYPE_YUV211:
+ bppx2 = 4;
+ break;
+ case IMGTYPE_YUV411:
+ case IMGTYPE_YUV420:
+ bppx2 = 3;
+ break;
+ default:
+ bppx2 = 0; // will error out below
+ break;
+ }
+ if (len < ((width * height * bppx2) >> 1))
+ return AVERROR_INVALIDDATA;
break;
+ }
default:
av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
return -1;
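Review bot: `width * height * bppx2` is evaluated in `int`, so for large dimensions the product can overflow before it is compared with `len`. Unless `width` and `height` are already bounded where they are set (outside the hunk), widening the arithmetic, `if (len < (((int64_t)width * height * bppx2) >> 1))`, keeps the comparison meaningful. The inner `default:` relies on a later check to reject an unknown `imgtype`, as its comment says; returning `AVERROR_INVALIDDATA` right there would not depend on code further down.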
@@ -456,7 +477,7 @@
avcodec_get_frame_defaults(&c->pic);
if (avctx->extradata_size < 8) {
av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
- return 1;
+ return AVERROR_INVALIDDATA;
}
/* Check codec type */
@@ -505,7 +526,7 @@
break;
default:
av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype);
- return 1;
+ return AVERROR_INVALIDDATA;
}
/* Detect compression method */
@@ -522,7 +543,7 @@
break;
default:
av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression);
- return 1;
+ return AVERROR_INVALIDDATA;
}
break;
#if CONFIG_ZLIB_DECODER
@@ -540,7 +561,7 @@
default:
if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) {
av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression);
- return 1;
+ return AVERROR_INVALIDDATA;
}
av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression);
}
@@ -548,14 +569,14 @@
#endif
default:
av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n");
- return 1;
+ return AVERROR_INVALIDDATA;
}
/* Allocate decompression buffer */
if (c->decomp_size) {
if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) {
av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
- return 1;
+ return AVERROR(ENOMEM);
}
}
@@ -581,7 +602,7 @@
if (zret != Z_OK) {
av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret);
av_freep(&c->decomp_buf);
- return 1;
+ return AVERROR_INVALIDDATA;
}
}
#endif
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/libaacplus.c
^
|
@@ -63,9 +63,7 @@
aacplus_cfg->bitRate = avctx->bit_rate;
aacplus_cfg->bandWidth = avctx->cutoff;
- if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) {
- aacplus_cfg->outputFormat = 0; //raw aac
- }
+ aacplus_cfg->outputFormat = !(avctx->flags & CODEC_FLAG_GLOBAL_HEADER);
aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT;
if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) {
av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n");
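Review bot: The rewrite drops the `//raw aac` comment, leaving `outputFormat` assigned from a negated flag test with no hint of what 0 and 1 mean. A comment on the line, `/* 0: raw AAC when a global header is requested, 1 otherwise */`, keeps the information the old code carried. What value 1 selects is not stated anywhere in the hunk and should be taken from the libaacplus header.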
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/mjpegbdec.c
^
|
@@ -59,6 +59,9 @@
s->restart_count = 0;
s->mjpb_skiptosod = 0;
+ if (buf_end - buf_ptr >= 1 << 28)
+ return AVERROR_INVALIDDATA;
+
init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
skip_bits(&hgb, 32); /* reserved zeros */
@@ -66,7 +69,7 @@
if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g'))
{
av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n");
- return 0;
+ return AVERROR_INVALIDDATA;
}
field_size = get_bits_long(&hgb, 32); /* field size */
@@ -109,8 +112,8 @@
av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
if (sos_offs)
{
-// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
- init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+ init_get_bits(&s->gb, buf_ptr + sos_offs,
+ 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
s->start_code = SOS;
ff_mjpeg_decode_sos(s, NULL, NULL);
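Review bot: `sos_offs` is used both in `buf_ptr + sos_offs` and in `buf_end - buf_ptr - sos_offs` without a visible bound, so an offset past the end of the packet makes the second `FFMIN` operand negative and the start pointer out of range. A check before the call, `if (sos_offs >= buf_end - buf_ptr) return AVERROR_INVALIDDATA;`, covers both; `sod_offs` in the `mjpb_skiptosod` line deserves the same look. `field_size` and the pointer difference may also differ in signedness, which would make the `FFMIN` result depend on integer conversions; the declarations are outside the hunk.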
@@ -142,7 +145,7 @@
picture->quality*= FF_QP2LAMBDA;
}
- return buf_ptr - buf;
+ return buf_size;
}
AVCodec ff_mjpegb_decoder = {
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/motion_est.c
^
|
@@ -52,7 +52,7 @@
int src_index, int ref_index,
int size, int h);
-static inline int update_map_generation(MotionEstContext *c)
+static inline unsigned update_map_generation(MotionEstContext *c)
{
c->map_generation+= 1<<(ME_MAP_MV_BITS*2);
if(c->map_generation==0){
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/motion_est_template.c
^
|
@@ -158,9 +158,8 @@
const int b= score_map[(index+(1<<ME_MAP_SHIFT))&(ME_MAP_SIZE-1)]
+ (mv_penalty[bx - pred_x] + mv_penalty[by+2 - pred_y])*c->penalty_factor;
-#if 1
- int key;
- int map_generation= c->map_generation;
+ unsigned key;
+ unsigned map_generation= c->map_generation;
#ifndef NDEBUG
uint32_t *map= c->map;
#endif
@@ -172,7 +171,6 @@
assert(map[(index+1)&(ME_MAP_SIZE-1)] == key);
key= ((my)<<ME_MAP_MV_BITS) + (mx-1) + map_generation;
assert(map[(index-1)&(ME_MAP_SIZE-1)] == key);
-#endif
if(t<=b){
CHECK_HALF_MV(0, 1, mx ,my-1)
if(l<=r){
@@ -280,7 +278,7 @@
const int mx = *mx_ptr;
const int my = *my_ptr;
const int penalty_factor= c->sub_penalty_factor;
- const int map_generation= c->map_generation;
+ const unsigned map_generation = c->map_generation;
const int subpel_quality= c->avctx->me_subpel_quality;
uint32_t *map= c->map;
me_cmp_func cmpf, chroma_cmpf;
@@ -497,7 +495,7 @@
#define CHECK_MV(x,y)\
{\
- const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+ const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
assert((x) >= xmin);\
assert((x) <= xmax);\
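Review bot: Making `key` unsigned fixes the type of the sum, but `((y)<<ME_MAP_MV_BITS)` still shifts the caller's signed operand, and left-shifting a negative value is undefined in C. The asserts against `xmin` and `xmax` suggest negative vectors are possible; if so, converting first, `const unsigned key = ((unsigned)(y)<<ME_MAP_MV_BITS) + (x) + map_generation;`, gives the intended wrap-around. The same expression appears in `CHECK_MV_DIR`, in `SAB_CHECK_MV`, in the `best[1]` key of the `@@ -563` hunk and in the assert keys of the `@@ -172` hunk.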
@@ -525,7 +523,7 @@
#define CHECK_MV_DIR(x,y,new_dir)\
{\
- const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+ const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
/*printf("check_mv_dir %d %d %d\n", x, y, new_dir);*/\
if(map[index]!=key){\
@@ -563,13 +561,13 @@
int next_dir=-1;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
cmpf= s->dsp.me_cmp[size];
chroma_cmpf= s->dsp.me_cmp[size+1];
{ /* ensure that the best point is in the MAP as h/qpel refinement needs it */
- const int key= (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
+ const unsigned key = (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
const int index= ((best[1]<<ME_MAP_SHIFT) + best[0])&(ME_MAP_SIZE-1);
if(map[index]!=key){ //this will be executed only very rarey
score_map[index]= cmp(s, best[0], best[1], 0, 0, size, h, ref_index, src_index, cmpf, chroma_cmpf, flags);
@@ -605,7 +603,7 @@
int dia_size;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
cmpf= s->dsp.me_cmp[size];
chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -646,7 +644,7 @@
me_cmp_func cmpf, chroma_cmpf;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
int x,y,d;
const int dec= dia_size & (dia_size-1);
@@ -680,7 +678,7 @@
me_cmp_func cmpf, chroma_cmpf;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
int x,y,i,d;
int dia_size= c->dia_size&0xFF;
const int dec= dia_size & (dia_size-1);
@@ -718,7 +716,7 @@
me_cmp_func cmpf, chroma_cmpf;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
int x,y,x2,y2, i, j, d;
const int dia_size= c->dia_size&0xFE;
static const int hex[16][2]={{-4,-2}, {-4,-1}, {-4, 0}, {-4, 1}, {-4, 2},
@@ -765,7 +763,7 @@
me_cmp_func cmpf, chroma_cmpf;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
int x,y, d;
const int dia_size= c->dia_size&0xFF;
@@ -794,7 +792,7 @@
#define SAB_CHECK_MV(ax,ay)\
{\
- const int key= ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
+ const unsigned key = ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
const int index= (((ay)<<ME_MAP_SHIFT) + (ax))&(ME_MAP_SIZE-1);\
/*printf("sab check %d %d\n", ax, ay);*/\
if(map[index]!=key){\
@@ -833,7 +831,7 @@
int i, j;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
cmpf= s->dsp.me_cmp[size];
chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -918,7 +916,7 @@
int dia_size;
LOAD_COMMON
LOAD_COMMON2
- int map_generation= c->map_generation;
+ unsigned map_generation = c->map_generation;
cmpf= s->dsp.me_cmp[size];
chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -1010,7 +1008,7 @@
int d; ///< the score (cmp + penalty) of any given mv
int dmin; /*!< the best value of d, i.e. the score
corresponding to the mv stored in best[]. */
- int map_generation;
+ unsigned map_generation;
int penalty_factor;
const int ref_mv_stride= s->mb_stride; //pass as arg FIXME
const int ref_mv_xy= s->mb_x + s->mb_y*ref_mv_stride; //add to last_mv beforepassing FIXME
@@ -1138,7 +1136,7 @@
MotionEstContext * const c= &s->me;
int best[2]={0, 0};
int d, dmin;
- int map_generation;
+ unsigned map_generation;
const int penalty_factor= c->penalty_factor;
const int size=1;
const int h=8;
@@ -1198,7 +1196,7 @@
MotionEstContext * const c= &s->me;
int best[2]={0, 0};
int d, dmin;
- int map_generation;
+ unsigned map_generation;
const int penalty_factor= c->penalty_factor;
const int size=0; //FIXME pass as arg
const int h=8;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/motionpixels.c
^
|
@@ -55,6 +55,11 @@
int w4 = (avctx->width + 3) & ~3;
int h4 = (avctx->height + 3) & ~3;
+ if(avctx->extradata_size < 2){
+ av_log(avctx, AV_LOG_ERROR, "extradata too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
motionpixels_tableinit();
mp->avctx = avctx;
dsputil_init(&mp->dsp, avctx);
@@ -191,10 +196,13 @@
p = mp_get_yuv_from_rgb(mp, x - 1, y);
} else {
p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
if ((x & 3) == 0) {
if ((y & 3) == 0) {
p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
} else {
p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
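Review bot: The clip ranges `0, 31` and `-32, 31` are repeated as literals at six places across this hunk and the `@@ -218` hunk, with no statement of what they protect. A small helper that clips the three components of the pixel, with a comment naming the table or conversion that requires these ranges, would keep the two code paths from drifting apart. Both enclosing functions start outside the hunks.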
@@ -218,9 +226,12 @@
p = mp_get_yuv_from_rgb(mp, 0, y);
} else {
p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
if ((y & 3) == 0) {
p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
}
mp->vpt[y] = p;
mp_set_rgb_from_yuv(mp, 0, y, &p);
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/mpc8.c
^
|
@@ -138,7 +138,8 @@
c->frames = 1 << (get_bits(&gb, 3) * 2);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
- avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+ avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+ avctx->channels = channels;
if(vlc_initialized) return 0;
av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n");
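Review bot: Any `channels` value other than 2 is labelled `AV_CH_LAYOUT_MONO` and then stored in `avctx->channels`, so a stream that declares some other count ends up with a layout that disagrees with the channel count. If `channels` is not already restricted to 1 or 2 where it is read (outside the hunk), and the decoder handles only mono and stereo, reject other values before these lines: `if (channels != 1 && channels != 2) return AVERROR_INVALIDDATA;`.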
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/mpeg12enc.c
^
|
@@ -27,6 +27,7 @@
#include "avcodec.h"
#include "dsputil.h"
+#include "mathops.h"
#include "mpegvideo.h"
#include "mpeg12.h"
@@ -681,8 +682,7 @@
int bit_size = f_or_b_code - 1;
int range = 1 << bit_size;
/* modulo encoding */
- int l= INT_BIT - 5 - bit_size;
- val= (val<<l)>>l;
+ val = sign_extend(val, 5 + bit_size);
if (val >= 0) {
val--;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/mpegvideo.c
^
|
@@ -366,8 +366,8 @@
int i;
// edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
- FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
- s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
+ FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+
//FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail)
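Review bot: `edge_emu_buffer` now points at the start of the allocation, but the size expression keeps its final `*2`, which matched the removed offset of `(s->width+64)*2*21*2` into the middle of the block. Either drop that factor or extend the trailing comment to say what the second half is for. Any user that indexed in front of `edge_emu_buffer` relied on the old headroom and would now write before the allocation; those users are outside this diff and need checking.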
@@ -405,7 +405,7 @@
static void free_duplicate_context(MpegEncContext *s){
if(s==NULL) return;
- av_freep(&s->allocated_edge_emu_buffer); s->edge_emu_buffer= NULL;
+ av_freep(&s->edge_emu_buffer);
av_freep(&s->me.scratchpad);
s->me.temp=
s->rd_scratchpad=
@@ -422,7 +422,6 @@
static void backup_duplicate_context(MpegEncContext *bak, MpegEncContext *src){
#define COPY(a) bak->a= src->a
- COPY(allocated_edge_emu_buffer);
COPY(edge_emu_buffer);
COPY(me.scratchpad);
COPY(me.temp);
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/mpegvideo.h
^
|
@@ -153,7 +153,7 @@
int best_bits;
uint32_t *map; ///< map to avoid duplicate evaluations
uint32_t *score_map; ///< map to store the scores
- int map_generation;
+ unsigned map_generation;
int pre_penalty_factor;
int penalty_factor; /*!< an estimate of the bits required to
code a given mv value, e.g. (1,0) takes
@@ -317,8 +317,7 @@
uint8_t *mbintra_table; ///< used to avoid setting {ac, dc, cbp}-pred stuff to zero on inter MB decoding
uint8_t *cbp_table; ///< used to store cbp, ac_pred for partitioned decoding
uint8_t *pred_dir_table; ///< used to store pred_dir for partitioned decoding
- uint8_t *allocated_edge_emu_buffer;
- uint8_t *edge_emu_buffer; ///< points into the middle of allocated_edge_emu_buffer
+ uint8_t *edge_emu_buffer; ///< temporary buffer for if MVs point to out-of-frame data
uint8_t *rd_scratchpad; ///< scratchpad for rate distortion mb decision
uint8_t *obmc_scratchpad;
uint8_t *b_scratchpad; ///< scratchpad used for writing into write only buffers
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/nellymoserdec.c
^
|
@@ -157,19 +157,26 @@
int buf_size = avpkt->size;
NellyMoserDecodeContext *s = avctx->priv_data;
int data_max = *data_size;
- int blocks, i;
+ int blocks, i, block_size;
int16_t* samples;
- *data_size = 0;
samples = (int16_t*)data;
- if (buf_size < avctx->block_align)
+ if (buf_size < avctx->block_align) {
+ *data_size = 0;
return buf_size;
+ }
if (buf_size % 64) {
av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size);
+ *data_size = 0;
return buf_size;
}
- blocks = buf_size / 64;
+ block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt);
+ blocks = FFMIN(buf_size / 64, *data_size / block_size);
+ if (blocks <= 0) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
/* Normal numbers of blocks for sample rates:
* 8000 Hz - 1
* 11025 Hz - 2
@@ -183,8 +190,8 @@
return i > 0 ? i * NELLY_BLOCK_LEN : -1;
nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
- *data_size += NELLY_SAMPLES*sizeof(int16_t);
}
+ *data_size = blocks * block_size;
return buf_size;
}
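Review bot: With `*data_size = 0` removed from the top of the function and the per-block increment removed from the loop, the early `return i > 0 ? i * NELLY_BLOCK_LEN : -1;` leaves `*data_size` at the caller's input value, that is the full buffer capacity, although only `i` blocks were written. Setting `*data_size = i * block_size;` before that return keeps the reported size equal to what was decoded. In the previous hunk, `*data_size / block_size` divides by zero should `av_get_bytes_per_sample()` return 0 for the configured `sample_fmt`. The condition guarding the early return is outside the hunk.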
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/pngdec.c
^
|
@@ -469,11 +469,12 @@
avctx->pix_fmt = PIX_FMT_RGB48BE;
} else if (s->bit_depth == 1) {
avctx->pix_fmt = PIX_FMT_MONOBLACK;
- } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+ } else if (s->bit_depth == 8 &&
+ s->color_type == PNG_COLOR_TYPE_PALETTE) {
avctx->pix_fmt = PIX_FMT_PAL8;
} else if (s->bit_depth == 8 &&
s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
- avctx->pix_fmt = PIX_FMT_GRAY8A;
+ avctx->pix_fmt = PIX_FMT_Y400A;
} else {
goto fail;
}
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/pngenc.c
^
|
@@ -55,7 +55,7 @@
uint8_t *d;
const uint8_t *s;
- mask = ff_png_pass_mask[pass];
+ mask = (int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass];
switch(bits_per_pixel) {
case 1:
memset(dst, 0, row_size);
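Review bot: The inline compound literal `(int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass]` puts an unnamed seven-entry table inside a statement and indexes it with `pass` without a range check, where the replaced `ff_png_pass_mask[pass]` at least named the table. A `static const uint8_t` array declared at the top of the function, with a comment that it holds the per-pass masks, keeps the values readable. A bound on `pass` before indexing would also be worth adding if the caller does not already guarantee 0 to 6; the caller is outside the hunk.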
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/ptx.c
^
|
@@ -60,7 +60,6 @@
avctx->pix_fmt = PIX_FMT_RGB555;
-
if (buf_end - buf < offset)
return AVERROR_INVALIDDATA;
if (offset != 0x2c)
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/qdm2.c
^
|
@@ -881,9 +881,13 @@
break;
case 30:
- if (BITS_LEFT(length,gb) >= 4)
- samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
- else
+ if (BITS_LEFT(length,gb) >= 4) {
+ unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+ if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+ samples[0] = type30_dequant[index];
+ } else
+ samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
+ } else
samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
run = 1;
@@ -897,8 +901,12 @@
type34_predictor = samples[0];
type34_first = 0;
} else {
- samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
- type34_predictor = samples[0];
+ unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+ if (index < FF_ARRAY_ELEMS(type34_delta)) {
+ samples[0] = type34_delta[index] / type34_div + type34_predictor;
+ type34_predictor = samples[0];
+ } else
+ samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
}
} else {
samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
@@ -1816,6 +1824,10 @@
extradata += 4;
s->checksum_size = AV_RB32(extradata);
+ if (s->checksum_size >= 1U << 28) {
+ av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+ return AVERROR_INVALIDDATA;
+ }
s->fft_order = av_log2(s->fft_size) + 1;
s->fft_frame_size = 2 * s->fft_size; // complex has two floats
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/qtrle.c
^
|
@@ -418,7 +418,7 @@
default:
av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n",
avctx->bits_per_coded_sample);
- break;
+ return AVERROR_INVALIDDATA;
}
avcodec_get_frame_defaults(&s->frame);
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/rawdec.c
^
|
@@ -151,6 +151,9 @@
frame->top_field_first = context->tff;
}
+ if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
+ return -1;
+
//2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
if (context->buffer) {
int i;
@@ -175,9 +178,6 @@
avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
buf += buf_size - context->length;
- if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
- return -1;
-
avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
(avctx->pix_fmt!=PIX_FMT_PAL8 &&
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/rpza.c
^
|
@@ -183,6 +183,8 @@
color4[1] |= ((11 * ta + 21 * tb) >> 5);
color4[2] |= ((21 * ta + 11 * tb) >> 5);
+ if (s->size - stream_ptr < n_blocks * 4)
+ return;
while (n_blocks--) {
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
@@ -200,6 +202,8 @@
/* Fill block with 16 colors */
case 0x00:
+ if (s->size - stream_ptr < 16)
+ return;
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
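Review bot: The guard `s->size - stream_ptr < 16` for the "16 colors" opcode looks too small if each colour is read as a 16-bit value, which the 5-bit channel arithmetic on `color4[]` in the previous hunk suggests; the block would then consume roughly twice as many bytes. The read loop is outside the hunk, so the exact byte count should be taken from it. Both new checks also `return` silently from the middle of a frame; a log message at each would make truncated input visible.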
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/rv10.c
^
|
@@ -672,8 +672,12 @@
if(!avctx->slice_count){
slice_count = (*buf++) + 1;
+ buf_size--;
slices_hdr = buf + 4;
buf += 8 * slice_count;
+ buf_size -= 8 * slice_count;
+ if (buf_size <= 0)
+ return AVERROR_INVALIDDATA;
}else
slice_count = avctx->slice_count;
@@ -712,7 +716,7 @@
s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
}
- return buf_size;
+ return avpkt->size;
}
AVCodec ff_rv10_decoder = {
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/shorten.c
^
|
@@ -81,6 +81,7 @@
int channels;
int32_t *decoded[MAX_CHANNELS];
+ int32_t *decoded_base[MAX_CHANNELS];
int32_t *offset[MAX_CHANNELS];
int *coeffs;
uint8_t *bitstream;
@@ -130,13 +131,14 @@
return AVERROR(ENOMEM);
s->offset[chan] = tmp_ptr;
- tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+ sizeof(s->decoded_base[0][0]));
if (!tmp_ptr)
return AVERROR(ENOMEM);
- s->decoded[chan] = tmp_ptr;
+ s->decoded_base[chan] = tmp_ptr;
for (i=0; i<s->nwrap; i++)
- s->decoded[chan][i] = 0;
- s->decoded[chan] += s->nwrap;
+ s->decoded_base[chan][i] = 0;
+ s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
}
coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs));
@@ -548,8 +550,8 @@
int i;
for (i = 0; i < s->channels; i++) {
- s->decoded[i] -= s->nwrap;
- av_freep(&s->decoded[i]);
+ s->decoded[i] = NULL;
+ av_freep(&s->decoded_base[i]);
av_freep(&s->offset[i]);
}
av_freep(&s->bitstream);
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/smacker.c
^
|
@@ -127,12 +127,12 @@
*/
static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
{
+ if (hc->current + 1 >= hc->length) {
+ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
+ return -1;
+ }
if(!get_bits1(gb)){ //Leaf
int val, i1, i2, b1, b2;
- if(hc->current >= hc->length){
- av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
- return -1;
- }
b1 = get_bits_count(gb);
i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
b1 = get_bits_count(gb) - b1;
@@ -156,7 +156,7 @@
hc->values[hc->current++] = val;
return 1;
} else { //Node
- int r = 0, t;
+ int r = 0, r_new, t;
t = hc->current++;
r = smacker_decode_bigtree(gb, hc, ctx);
@@ -164,8 +164,10 @@
return r;
hc->values[t] = SMK_NODE | r;
r++;
- r += smacker_decode_bigtree(gb, hc, ctx);
- return r;
+ r_new = smacker_decode_bigtree(gb, hc, ctx);
+ if (r_new < 0)
+ return r_new;
+ return r + r_new;
}
}
@@ -180,6 +182,7 @@
VLC vlc[2];
int escapes[3];
DBCtx ctx;
+ int err = 0;
if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
@@ -253,7 +256,8 @@
huff.current = 0;
huff.values = av_mallocz(huff.length * sizeof(int));
- smacker_decode_bigtree(gb, &huff, &ctx);
+ if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
+ err = -1;
skip_bits1(gb);
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
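Review bot: `huff.values = av_mallocz(huff.length * sizeof(int))` is handed to `smacker_decode_bigtree` without a NULL check, and the tree decoder stores through `hc->values[...]`, so an allocation failure turns into a write through a NULL pointer. Test the result before the call and leave through the function's existing cleanup with `AVERROR(ENOMEM)`, since the `tmp1`/`tmp2` buffers freed at the end are already allocated at this point. The new `err = -1` is returned only after the remaining lines have run; a short comment saying that the fall-through is deliberate (so the frees still happen) would help. The function starts and ends outside the hunk.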
@@ -272,7 +276,7 @@
av_free(tmp2.lengths);
av_free(tmp2.values);
- return 0;
+ return err;
}
static int decode_header_trees(SmackVContext *smk) {
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/srtdec.c
^
|
@@ -110,7 +110,7 @@
for (j=sptr-2; j>=0; j--)
if (stack[j].param[i][0]) {
out += snprintf(out, out_end-out,
- stack[j].param[i]);
+ "%s", stack[j].param[i]);
break;
}
} else {
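Review bot: `out += snprintf(out, out_end-out, "%s", ...)` advances `out` by the length that would have been written, so after a truncation `out` is past `out_end` and the next `out_end-out` is negative, which turns into a very large size limit. The same pattern is in the second hunk at `stack[sptr].param[i]` and in the unchanged `snprintf` call that follows it. The added `"%s"` closes the format-string problem, but the bound still needs care: keep the return value in a local and stop appending when it is `>= out_end - out`. The enclosing function starts and ends outside the hunk.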
@@ -146,7 +146,7 @@
for (i=0; i<PARAM_NUMBER; i++)
if (stack[sptr].param[i][0])
out += snprintf(out, out_end-out,
- stack[sptr].param[i]);
+ "%s", stack[sptr].param[i]);
}
} else if (!buffer[1] && strspn(buffer, "bisu") == 1) {
out += snprintf(out, out_end-out,
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/svq3.c
^
|
@@ -612,7 +612,7 @@
dir = i_mb_type_info[mb_type - 8].pred_mode;
dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;
- if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){
+ if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){
av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
return -1;
}
@@ -711,7 +711,7 @@
s->current_picture.mb_type[mb_xy] = mb_type;
if (IS_INTRA(mb_type)) {
- h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8);
+ h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1);
}
return 0;
@@ -811,7 +811,9 @@
MpegEncContext *s = &h->s;
int m;
unsigned char *extradata;
+ unsigned char *extradata_end;
unsigned int size;
+ int marker_found = 0;
if (ff_h264_decode_init(avctx) < 0)
return -1;
@@ -832,19 +834,26 @@
/* prowl for the "SEQH" marker in the extradata */
extradata = (unsigned char *)avctx->extradata;
- for (m = 0; m < avctx->extradata_size; m++) {
- if (!memcmp(extradata, "SEQH", 4))
- break;
- extradata++;
+ extradata_end = avctx->extradata + avctx->extradata_size;
+ if (extradata) {
+ for (m = 0; m + 8 < avctx->extradata_size; m++) {
+ if (!memcmp(extradata, "SEQH", 4)) {
+ marker_found = 1;
+ break;
+ }
+ extradata++;
+ }
}
/* if a match was found, parse the extra data */
- if (extradata && !memcmp(extradata, "SEQH", 4)) {
+ if (marker_found) {
GetBitContext gb;
int frame_size_code;
size = AV_RB32(&extradata[4]);
+ if (size > extradata_end - extradata - 8)
+ return AVERROR_INVALIDDATA;
init_get_bits(&gb, extradata + 8, size*8);
/* 'frame size code' and optional 'width, height' */
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/tiff.c
^
|
@@ -56,24 +56,24 @@
LZWState *lzw;
} TiffContext;
-static int tget_short(const uint8_t **p, int le){
- int v = le ? AV_RL16(*p) : AV_RB16(*p);
+static unsigned tget_short(const uint8_t **p, int le) {
+ unsigned v = le ? AV_RL16(*p) : AV_RB16(*p);
*p += 2;
return v;
}
-static int tget_long(const uint8_t **p, int le){
- int v = le ? AV_RL32(*p) : AV_RB32(*p);
+static unsigned tget_long(const uint8_t **p, int le) {
+ unsigned v = le ? AV_RL32(*p) : AV_RB32(*p);
*p += 4;
return v;
}
-static int tget(const uint8_t **p, int type, int le){
+static unsigned tget(const uint8_t **p, int type, int le) {
switch(type){
case TIFF_BYTE : return *(*p)++;
case TIFF_SHORT: return tget_short(p, le);
case TIFF_LONG : return tget_long (p, le);
- default : return -1;
+ default : return UINT_MAX;
}
}
@@ -274,7 +274,7 @@
static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf)
{
- int tag, type, count, off, value = 0;
+ unsigned tag, type, count, off, value = 0;
int i, j;
uint32_t *pal;
const uint8_t *rp, *gp, *bp;
@@ -286,6 +286,11 @@
count = tget_long(&buf, s->le);
off = tget_long(&buf, s->le);
+ if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+ av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+ return 0;
+ }
+
if(count == 1){
switch(type){
case TIFF_BYTE:
@@ -304,13 +309,15 @@
break;
}
default:
- value = -1;
+ value = UINT_MAX;
+ buf = start + off;
+ }
+ } else {
+ if (count <= 4 && type_sizes[type] * count <= 4) {
+ buf -= 4;
+ } else {
buf = start + off;
}
- }else if(type_sizes[type] * count <= 4){
- buf -= 4;
- }else{
- buf = start + off;
}
if(buf && (buf < start || buf > end_buf)){
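Review bot: `buf = start + off` builds the pointer from a 32-bit offset read from the file before the range test `buf < start || buf > end_buf` on the last line, so an offset beyond the buffer is already out-of-range pointer arithmetic, and a compiler may assume the sum cannot wrap and drop the `buf < start` half. Compare the offset rather than the pointer, `if (off > end_buf - start)`, ahead of both `start + off` assignments. The added `count <= 4 &&` is what keeps `type_sizes[type] * count` from wrapping now that `count` is unsigned; a comment such as `/* count <= 4 first: the product must not overflow */` would stop it being removed as redundant. tiff_decode_tag continues outside the hunk.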
@@ -388,7 +395,7 @@
}
break;
case TIFF_ROWSPERSTRIP:
- if(type == TIFF_LONG && value == -1)
+ if (type == TIFF_LONG && value == UINT_MAX)
value = s->avctx->height;
if(value < 1){
av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n");
@@ -526,6 +533,8 @@
av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
return -1;
}
+ // Reset these pointers so we can tell if they were set this frame
+ s->stripsizes = s->stripdata = NULL;
/* parse image file directory */
off = tget_long(&buf, le);
if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/truemotion1.c
^
|
@@ -520,6 +520,10 @@
}
#define APPLY_C_PREDICTOR() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
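Review bot: The bound `1023` is hard-coded in all four predictor macros (this one, APPLY_C_PREDICTOR_24, APPLY_Y_PREDICTOR and APPLY_Y_PREDICTOR_24) rather than derived from the table it protects, so the check and the table size can drift apart. If `c_predictor_table` and `y_predictor_table` are fixed-size arrays, `if (index >= FF_ARRAY_ELEMS(s->c_predictor_table))` keeps them tied; otherwise use a named constant shared with the allocation. Each macro now also hides a `return;`, which deserves a comment at the definition because the calling function is left mid-frame from inside a macro expansion. The macro bodies continue outside the hunk.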
@@ -537,6 +541,10 @@
index++;
#define APPLY_C_PREDICTOR_24() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
@@ -555,6 +563,10 @@
#define APPLY_Y_PREDICTOR() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->y_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
@@ -572,6 +584,10 @@
index++;
#define APPLY_Y_PREDICTOR_24() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->y_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/truemotion2.c
^
|
@@ -132,7 +132,7 @@
huff.val_bits, huff.max_bits);
return -1;
}
- if((huff.nodes < 0) || (huff.nodes > 0x10000)) {
+ if((huff.nodes <= 0) || (huff.nodes > 0x10000)) {
av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of Huffman tree nodes: %i\n", huff.nodes);
return -1;
}
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vmnc.c
^
|
@@ -484,6 +484,7 @@
break;
default:
av_log(avctx, AV_LOG_ERROR, "Unsupported bitdepth %i\n", c->bpp);
+ return AVERROR_INVALIDDATA;
}
return 0;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vorbis.c
^
|
@@ -150,7 +150,7 @@
}
}
-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, int y, int x1,
intptr_t sy, int ady, int adx,
float *buf)
{
@@ -162,14 +162,14 @@
if (err >= 0) {
err += ady - adx;
y += sy;
- buf[x++] = ff_vorbis_floor1_inverse_db_table[y];
+ buf[x++] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
}
- buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+ buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
}
if (x <= 0) {
if (err + ady >= 0)
y += sy;
- buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+ buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
}
}
@@ -179,14 +179,14 @@
int adx = x1 - x0;
int ady = FFABS(dy);
int sy = dy < 0 ? -1 : 1;
- buf[x0] = ff_vorbis_floor1_inverse_db_table[y0];
+ buf[x0] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y0)];
if (ady*2 <= adx) { // optimized common case
render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
} else {
- int base = dy / adx;
- int x = x0;
- int y = y0;
- int err = -adx;
+ int base = dy / adx;
+ int x = x0;
+ int y = y0;
+ int err = -adx;
ady -= FFABS(base) * adx;
while (++x < x1) {
y += base;
@@ -195,7 +195,7 @@
err -= adx;
y += sy;
}
- buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+ buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
}
}
}
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vorbisdec.c
^
|
@@ -660,7 +660,7 @@
res_setup->partition_size = get_bits(gb, 24) + 1;
/* Validations to prevent a buffer overflow later. */
if (res_setup->begin>res_setup->end ||
- res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
+ res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||
(res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
av_log(vc->avccontext, AV_LOG_ERROR,
"partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
@@ -1232,20 +1232,20 @@
floor1_flag[i] = 1;
if (val >= room) {
if (highroom > lowroom) {
- floor1_Y_final[i] = val - lowroom + predicted;
+ floor1_Y_final[i] = av_clip_uint16(val - lowroom + predicted);
} else {
- floor1_Y_final[i] = predicted - val + highroom - 1;
+ floor1_Y_final[i] = av_clip_uint16(predicted - val + highroom - 1);
}
} else {
if (val & 1) {
- floor1_Y_final[i] = predicted - (val + 1) / 2;
+ floor1_Y_final[i] = av_clip_uint16(predicted - (val + 1) / 2);
} else {
- floor1_Y_final[i] = predicted + val / 2;
+ floor1_Y_final[i] = av_clip_uint16(predicted + val / 2);
}
}
} else {
floor1_flag[i] = 0;
- floor1_Y_final[i] = predicted;
+ floor1_Y_final[i] = av_clip_uint16(predicted);
}
av_dlog(NULL, " Decoded floor(%d) = %u / val %u\n",
@@ -1269,6 +1269,7 @@
uint8_t *do_not_decode,
float *vec,
unsigned vlen,
+ unsigned ch_left,
int vr_type)
{
GetBitContext *gb = &vc->gb;
@@ -1276,6 +1277,7 @@
unsigned ptns_to_read = vr->ptns_to_read;
uint8_t *classifs = vr->classifs;
unsigned pass, ch_used, i, j, k, l;
+ unsigned max_output = (ch - 1) * vlen;
if (vr_type == 2) {
for (j = 1; j < ch; ++j)
@@ -1283,8 +1285,15 @@
if (do_not_decode[0])
return 0;
ch_used = 1;
+ max_output += vr->end / ch;
} else {
ch_used = ch;
+ max_output += vr->end;
+ }
+
+ if (max_output > ch_left * vlen) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
+ return -1;
}
av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
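Review bot: `max_output += vr->end / ch` divides by `ch`, and the initialiser added in the previous hunk, `(ch - 1) * vlen`, wraps for `ch == 0`; only the caller's `if (ch)` guard, added further down in this file, keeps a zero channel count out of this function. State the precondition where it is relied on, either with an early `if (!ch) return 0;` at the top of vorbis_residue_decode_internal or with a comment on the parameter. A comment above the `max_output > ch_left * vlen` test saying that `max_output` is the furthest float the decode can write and `ch_left * vlen` is what remains of the buffer would make the check reviewable on its own. The function body continues outside the hunk.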
@@ -1411,14 +1420,15 @@
static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr,
unsigned ch,
uint8_t *do_not_decode,
- float *vec, unsigned vlen)
+ float *vec, unsigned vlen,
+ unsigned ch_left)
{
if (vr->type == 2)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
else if (vr->type == 1)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
else if (vr->type == 0)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
else {
av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
return -1;
@@ -1466,6 +1476,8 @@
uint8_t res_chan[255];
unsigned res_num = 0;
int retlen = 0;
+ unsigned ch_left = vc->audio_channels;
+ unsigned vlen;
if (get_bits1(gb)) {
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
@@ -1485,11 +1497,12 @@
blockflag = vc->modes[mode_number].blockflag;
blocksize = vc->blocksize[blockflag];
+ vlen = blocksize / 2;
if (blockflag)
skip_bits(gb, 2); // previous_window, next_window
- memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
- memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
+ memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
+ memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
// Decode floor
@@ -1509,7 +1522,7 @@
return -1;
}
no_residue[i] = ret;
- ch_floor_ptr += blocksize / 2;
+ ch_floor_ptr += vlen;
}
// Nonzero vector propagate
@@ -1526,6 +1539,7 @@
for (i = 0; i < mapping->submaps; ++i) {
vorbis_residue *residue;
unsigned ch = 0;
+ int ret;
for (j = 0; j < vc->audio_channels; ++j) {
if ((mapping->submaps == 1) || (i == mapping->mux[j])) {
@@ -1540,9 +1554,18 @@
}
}
residue = &vc->residues[mapping->submap_residue[i]];
- vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
+ if (ch_left < ch) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
+ return -1;
+ }
+ if (ch) {
+ ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
+ if (ret < 0)
+ return ret;
+ }
- ch_res_ptr += ch * blocksize / 2;
+ ch_res_ptr += ch * vlen;
+ ch_left -= ch;
}
// Inverse coupling
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vp3.c
^
|
@@ -1323,6 +1323,8 @@
return i;
}
} while (i < 64);
+ // return value is expected to be a valid level
+ i--;
end:
// the actual DC+prediction is in the fragment structure
block[0] = frag->dc * s->qmat[0][inter][plane][0];
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vp5.c
^
|
@@ -55,6 +55,11 @@
}
rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */
cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */
+ if (!rows || !cols) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
+ cols << 4, rows << 4);
+ return 0;
+ }
vp56_rac_gets(c, 8); /* number of displayed macroblock rows */
vp56_rac_gets(c, 8); /* number of displayed macroblock cols */
vp56_rac_gets(c, 2);
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vp6.c
^
|
@@ -75,6 +75,10 @@
cols = buf[3]; /* number of stored macroblock cols */
/* buf[4] is number of displayed macroblock rows */
/* buf[5] is number of displayed macroblock cols */
+ if (!rows || !cols) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
+ return 0;
+ }
if (!s->macroblocks || /* first frame */
16*cols != s->avctx->coded_width ||
@@ -95,7 +99,7 @@
vrt_shift = 5;
s->sub_version = sub_version;
} else {
- if (!s->sub_version)
+ if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
return 0;
if (separated_coeff || !s->filter_header) {
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/vqavideo.c
^
|
@@ -159,6 +159,12 @@
return -1;
}
+ if (s->width & (s->vector_width - 1) ||
+ s->height & (s->vector_height - 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+ return AVERROR_INVALIDDATA;
+ }
+
/* allocate codebooks */
s->codebook_size = MAX_CODEBOOK_SIZE;
s->codebook = av_malloc(s->codebook_size);
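Review bot: The new test `s->width & (s->vector_width - 1)` is a multiple-of check only when `vector_width` and `vector_height` are non-zero powers of two, and nothing in this hunk shows that they are. If the earlier validation (outside the hunk) does not restrict the vector size that way, reject zero and use `s->width % s->vector_width || s->height % s->vector_height`; if it does, add a comment such as `/* vector dimensions are powers of two, checked above */`. The init function starts and ends outside the hunk.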
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/wma.c
^
|
@@ -85,7 +85,7 @@
} else if (sample_rate <= 22050 ||
(sample_rate <= 32000 && version == 1)) {
frame_len_bits = 10;
- } else if (sample_rate <= 48000) {
+ } else if (sample_rate <= 48000 || version < 3) {
frame_len_bits = 11;
} else if (sample_rate <= 96000) {
frame_len_bits = 12;
@@ -137,6 +137,9 @@
/* compute MDCT block size */
s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0);
+ s->next_block_len_bits = s->frame_len_bits;
+ s->prev_block_len_bits = s->frame_len_bits;
+ s->block_len_bits = s->frame_len_bits;
s->frame_len = 1 << s->frame_len_bits;
if (s->use_variable_block_len) {
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/wmadec.c
^
|
@@ -364,7 +364,7 @@
}
/* NOTE: this offset is the same as MPEG4 AAC ! */
last_exp += code - 60;
- if ((unsigned)last_exp + 60 > FF_ARRAY_ELEMS(pow_tab)) {
+ if ((unsigned)last_exp + 60 >= FF_ARRAY_ELEMS(pow_tab)) {
av_log(s->avctx, AV_LOG_ERROR, "Exponent out of range: %d\n",
last_exp);
return -1;
@@ -882,6 +882,8 @@
/* read each frame starting from bit_offset */
pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
+ if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8)
+ return AVERROR_INVALIDDATA;
init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8);
len = pos & 7;
if (len > 0)
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/wmaenc.c
^
|
@@ -39,6 +39,12 @@
return AVERROR(EINVAL);
}
+ if (avctx->sample_rate > 48000) {
+ av_log(avctx, AV_LOG_ERROR, "sample rate is too high: %d > 48kHz",
+ avctx->sample_rate);
+ return AVERROR(EINVAL);
+ }
+
if(avctx->bit_rate < 24*1000) {
av_log(avctx, AV_LOG_ERROR, "bitrate too low: got %i, need 24000 or higher\n",
avctx->bit_rate);
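Review bot: The new error string `"sample rate is too high: %d > 48kHz"` has no trailing `\n`, unlike the bitrate message right below it, so the next log line will be appended to it. Change it to `"sample rate is too high: %d > 48kHz\n"`. The encoder init function starts and ends outside the hunk.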
@@ -64,6 +70,8 @@
s->use_exp_vlc = flags2 & 0x0001;
s->use_bit_reservoir = flags2 & 0x0002;
s->use_variable_block_len = flags2 & 0x0004;
+ if (avctx->channels == 2)
+ s->ms_stereo = 1;
ff_wma_init(avctx, flags2);
@@ -71,8 +79,12 @@
for(i = 0; i < s->nb_block_sizes; i++)
ff_mdct_init(&s->mdct_ctx[i], s->frame_len_bits - i + 1, 0, 1.0);
- avctx->block_align=
- s->block_align= avctx->bit_rate*(int64_t)s->frame_len / (avctx->sample_rate*8);
+ s->block_align = avctx->bit_rate * (int64_t)s->frame_len /
+ (avctx->sample_rate * 8);
+ s->block_align = FFMIN(s->block_align, MAX_CODED_SUPERFRAME_SIZE);
+ avctx->block_align = s->block_align;
+ avctx->bit_rate = avctx->block_align * 8LL * avctx->sample_rate /
+ s->frame_len;
//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", s->block_align, avctx->bit_rate, s->frame_len, avctx->sample_rate);
avctx->frame_size= s->frame_len;
@@ -181,7 +193,7 @@
}
if (s->nb_channels == 2) {
- put_bits(&s->pb, 1, s->ms_stereo= 1);
+ put_bits(&s->pb, 1, !!s->ms_stereo);
}
for(ch = 0; ch < s->nb_channels; ch++) {
@@ -355,6 +367,11 @@
}
}
+ if (buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE) {
+ av_log(avctx, AV_LOG_ERROR, "output buffer size is too small\n");
+ return AVERROR(EINVAL);
+ }
+
#if 1
total_gain= 128;
for(i=64; i; i>>=1){
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/wnv1.c
^
|
@@ -70,6 +70,11 @@
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
+ if(buf_size<=8) {
+ av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
+ return AVERROR_INVALIDDATA;
+ }
+
rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(!rbuf){
av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/ws-snd1.c
^
|
@@ -100,8 +100,8 @@
/* make sure we don't write more than out_size samples */
switch (code) {
- case 0: smp = 4; break;
- case 1: smp = 2; break;
+ case 0: smp = 4*(count+1); break;
+ case 1: smp = 2*(count+1); break;
case 2: smp = (count & 0x20) ? 1 : count + 1; break;
default: smp = count + 1; break;
}
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/x86/dsputil_yasm.asm
^
|
@@ -474,7 +474,7 @@
shufps xmm0, xmm0, 1
addss xmm0, xmm1
%ifndef ARCH_X86_64
- movd r0m, xmm0
+ movss r0m, xmm0
fld dword r0m
%endif
RET
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/x86/dsputilenc_mmx.c
^
|
@@ -823,6 +823,7 @@
static void diff_bytes_mmx(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
x86_reg i=0;
+ if(w>=16)
__asm__ volatile(
"1: \n\t"
"movq (%2, %0), %%mm0 \n\t"
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/x86/h264_deblock_10bit.asm
^
|
@@ -876,7 +876,7 @@
%if mmsize < 16
add r0, mmsize
add r5, mmsize
- add r4, mmsize/8
+ add r4, mmsize/4
dec r6
jg .loop
REP_RET
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/xan.c
^
|
@@ -511,6 +511,10 @@
int i;
tag = bytestream_get_le32(&buf);
size = bytestream_get_be32(&buf);
+ if(size < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size);
+ return AVERROR_INVALIDDATA;
+ }
size = FFMIN(size, buf_end - buf);
switch (tag) {
case PALT_TAG:
@@ -555,8 +559,10 @@
}
buf_size = buf_end - buf;
}
- if (s->palettes_count <= 0)
+ if (s->palettes_count <= 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "No palette found\n");
return AVERROR_INVALIDDATA;
+ }
if ((ret = avctx->get_buffer(avctx, &s->current_frame))) {
av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavcodec/yop.c
^
|
@@ -90,6 +90,11 @@
return -1;
}
+ if (!avctx->extradata) {
+ av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
+ return AVERROR_INVALIDDATA;
+ }
+
avctx->pix_fmt = PIX_FMT_PAL8;
avcodec_get_frame_defaults(&s->frame);
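Review bot: The added guard rejects a NULL `avctx->extradata` but not a short one; `avctx->extradata_size` is not tested anywhere in this hunk. If the init code that follows reads fixed positions of the extradata (not visible here), extend the condition to `if (!avctx->extradata || avctx->extradata_size < MIN_EXTRADATA_BYTES)`, where `MIN_EXTRADATA_BYTES` is a placeholder for the number of bytes that code reads. The decoder init function starts and ends outside the hunk.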
@@ -200,6 +205,11 @@
if (s->frame.data[0])
avctx->release_buffer(avctx, &s->frame);
+ if (avpkt->size < 4 + 3*s->num_pal_colors) {
+ av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size);
+ return AVERROR_INVALIDDATA;
+ }
+
ret = avctx->get_buffer(avctx, &s->frame);
if (ret < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
@@ -215,6 +225,10 @@
s->low_nibble = NULL;
is_odd_frame = avpkt->data[0];
+ if(is_odd_frame>1){
+ av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame);
+ return AVERROR_INVALIDDATA;
+ }
firstcolor = s->first_color[is_odd_frame];
palette = (uint32_t *)s->frame.data[1];
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavfilter/avfilter.c
^
|
@@ -614,7 +614,7 @@
link->cur_buf->audio->sample_rate = samplesref->audio->sample_rate;
/* Copy actual data into new samples buffer */
- for (i = 0; samplesref->data[i]; i++)
+ for (i = 0; samplesref->data[i] && i < 8; i++)
memcpy(link->cur_buf->data[i], samplesref->data[i], samplesref->linesize[0]);
avfilter_unref_buffer(samplesref);
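Review bot: In `samplesref->data[i] && i < 8` the array element is read before the index is tested, so when all eight pointers are set the loop still evaluates `data[8]`. Put the bound first, `for (i = 0; i < 8 && samplesref->data[i]; i++)`, and prefer `FF_ARRAY_ELEMS(samplesref->data)` over the literal if `data` is a fixed-size array. The copy length is `samplesref->linesize[0]` for every plane; if that is intentional it is worth a comment. The enclosing function starts and ends outside the hunk.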
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavfilter/vf_pad.c
^
|
@@ -157,7 +157,7 @@
var_values[VAR_OUT_H] = var_values[VAR_OH] = NAN;
var_values[VAR_A] = (float) inlink->w / inlink->h;
var_values[VAR_HSUB] = 1<<pad->hsub;
- var_values[VAR_VSUB] = 2<<pad->vsub;
+ var_values[VAR_VSUB] = 1<<pad->vsub;
/* evaluate width and height */
av_expr_parse_and_eval(&res, (expr = pad->w_expr),
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavfilter/vf_scale.c
^
|
@@ -232,9 +232,11 @@
if (!scale->sws || !scale->isws[0] || !scale->isws[1])
return AVERROR(EINVAL);
- if (inlink->sample_aspect_ratio.num){
- outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio);
- } else
+ if (inlink->sample_aspect_ratio.num)
+ outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h*inlink->w,
+ outlink->w*inlink->h},
+ inlink->sample_aspect_ratio);
+ else
outlink->sample_aspect_ratio = inlink->sample_aspect_ratio;
return 0;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavfilter/vf_yadif.c
^
|
@@ -36,8 +36,8 @@
int mode;
/**
- * 0: bottom field first
- * 1: top field first
+ * 0: top field first
+ * 1: bottom field first
* -1: auto-detection
*/
int parity;
@@ -195,9 +195,12 @@
tff = yadif->parity^1;
}
- if (is_second)
+ if (is_second) {
yadif->out = avfilter_get_video_buffer(link, AV_PERM_WRITE | AV_PERM_PRESERVE |
AV_PERM_REUSE, link->w, link->h);
+ avfilter_copy_buffer_ref_props(yadif->out, yadif->cur);
+ yadif->out->video->interlaced = 0;
+ }
if (!yadif->csp)
yadif->csp = &av_pix_fmt_descriptors[link->format];
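Review bot: `yadif->out` is dereferenced by the two added lines straight after `avfilter_get_video_buffer()` with no check of the result. If that call can fail and return NULL, `yadif->out->video->interlaced = 0` is a NULL dereference; test `if (!yadif->out)` and leave the function before copying properties. The enclosing function continues outside the hunk, so the appropriate error path is not visible here.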
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/4xm.c
^
|
@@ -176,7 +176,7 @@
sizeof(AudioTrack),
current_track + 1);
if (!fourxm->tracks) {
- ret= AVERROR(ENOMEM);
+ ret = AVERROR(ENOMEM);
goto fail;
}
memset(&fourxm->tracks[fourxm->track_count], 0,
@@ -195,6 +195,11 @@
ret= -1;
goto fail;
}
+ if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){
+ av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n");
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
i += 8 + size;
/* allocate a new AVStream */
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/ape.c
^
|
@@ -274,6 +274,9 @@
return AVERROR(ENOMEM);
for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
ape->seektable[i] = avio_rl32(pb);
+ }else{
+ av_log(s, AV_LOG_ERROR, "Missing seektable\n");
+ return -1;
}
ape->frames[0].pos = ape->firstframe;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/asfdec.c
^
|
@@ -196,6 +196,8 @@
asf->hdr.flags = avio_rl32(pb);
asf->hdr.min_pktsize = avio_rl32(pb);
asf->hdr.max_pktsize = avio_rl32(pb);
+ if (asf->hdr.min_pktsize >= (1U<<29))
+ return AVERROR_INVALIDDATA;
asf->hdr.max_bitrate = avio_rl32(pb);
s->packet_size = asf->hdr.max_pktsize;
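Review bot: The new bound is applied to `asf->hdr.min_pktsize`, while the value stored in `s->packet_size` two lines later is `asf->hdr.max_pktsize`, which stays unchecked in this hunk. Unless the two fields are forced equal somewhere outside the hunk, bound both, `if (asf->hdr.min_pktsize >= (1U<<29) || asf->hdr.max_pktsize >= (1U<<29))`. The limit `1U<<29` also needs a comment saying which later computation it protects. asf_read_file_properties starts and ends outside the hunk.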
@@ -610,7 +612,9 @@
if (gsize < 24)
return -1;
if (!ff_guidcmp(&g, &ff_asf_file_header)) {
- asf_read_file_properties(s, gsize);
+ int ret = asf_read_file_properties(s, gsize);
+ if (ret < 0)
+ return ret;
} else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
asf_read_stream_properties(s, gsize);
} else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
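Review bot: Only `asf_read_file_properties` has its result checked; the `asf_read_stream_properties(s, gsize)` call in the next branch still discards its return value. If that function can also fail on malformed input, propagate it the same way, `if ((ret = asf_read_stream_properties(s, gsize)) < 0) return ret;`, with `ret` declared once for the loop rather than inside the first branch. The header-parsing loop starts and ends outside the hunk.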
@@ -751,7 +755,7 @@
c= avio_r8(pb);
d= avio_r8(pb);
rsize+=3;
- }else{
+ } else if (!pb->eof_reached) {
avio_seek(pb, -1, SEEK_CUR); //FIXME
}
@@ -783,6 +787,13 @@
asf->packet_segments = 1;
asf->packet_segsizetype = 0x80;
}
+ if (rsize > packet_length - padsize) {
+ asf->packet_size_left = 0;
+ av_log(s, AV_LOG_ERROR,
+ "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+ rsize, packet_length, padsize, avio_tell(pb));
+ return -1;
+ }
asf->packet_size_left = packet_length - padsize - rsize;
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/dv.c
^
|
@@ -119,16 +119,23 @@
if (quant > 1)
return -1; /* unsupported quantization */
+ if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency))
+ return AVERROR_INVALIDDATA;
+
size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */
half_ch = sys->difseg_size / 2;
/* We work with 720p frames split in half, thus even frames have
* channels 0,1 and odd 2,3. */
ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
- pcm = ppcm[ipcm++];
/* for each DIF channel */
for (chan = 0; chan < sys->n_difchan; chan++) {
+ /* next stereo channel (50Mbps and 100Mbps only) */
+ pcm = ppcm[ipcm++];
+ if (!pcm)
+ break;
+
/* for each DIF segment */
for (i = 0; i < sys->difseg_size; i++) {
frame += 6 * 80; /* skip DIF segment header */
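Review bot: `freq` is bounded by `FF_ARRAY_ELEMS(dv_audio_frequency)`, but the array indexed on the next statement is `sys->audio_min_samples[freq]`. That is safe only while both arrays have the same number of entries; if `audio_min_samples` is an array member, bound by it directly with `if (freq >= FF_ARRAY_ELEMS(sys->audio_min_samples))`, or add a comment that the two tables are kept the same length. dv_extract_audio starts before the hunk and its loop body continues past it.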
@@ -176,11 +183,6 @@
frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
}
}
-
- /* next stereo channel (50Mbps and 100Mbps only) */
- pcm = ppcm[ipcm++];
- if (!pcm)
- break;
}
return size;
@@ -202,6 +204,18 @@
stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */
+ if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) {
+ av_log(c->fctx, AV_LOG_ERROR,
+ "Unrecognized audio sample rate index (%d)\n", freq);
+ return 0;
+ }
+
+ if (stype > 3) {
+ av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+ c->ach = 0;
+ return 0;
+ }
+
/* note: ach counts PAIRS of channels (i.e. stereo channels) */
ach = ((int[4]){ 1, 0, 2, 4})[stype];
if (ach == 1 && quant && freq == 2)
@@ -336,7 +350,8 @@
c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate;
ppcm[i] = c->audio_buf[i];
}
- dv_extract_audio(buf, ppcm, c->sys);
+ if (c->ach)
+ dv_extract_audio(buf, ppcm, c->sys);
/* We work with 720p frames split in half, thus even frames have
* channels 0,1 and odd 2,3. */
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/electronicarts.c
^
|
@@ -470,12 +470,17 @@
while (!packet_read) {
chunk_type = avio_rl32(pb);
- chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+ chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+ if (chunk_size <= 8)
+ return AVERROR_INVALIDDATA;
+ chunk_size -= 8;
switch (chunk_type) {
/* audio data */
case ISNh_TAG:
/* header chunk also contains data; skip over the header portion*/
+ if (chunk_size < 32)
+ return AVERROR_INVALIDDATA;
avio_skip(pb, 32);
chunk_size -= 32;
case ISNd_TAG:
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/flvdec.c
^
|
@@ -173,8 +173,8 @@
}
}
- if (timeslen == fileposlen) {
- for(i = 0; i < timeslen; i++)
+ if (!ret && timeslen == fileposlen) {
+ for (i = 0; i < fileposlen; i++)
av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
} else
av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n");
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/id3v2.c
^
|
@@ -224,8 +224,17 @@
unsync = flags & 0x80;
- if (isv34 && flags & 0x40) /* Extended header present, just skip over it */
- avio_skip(s->pb, get_size(s->pb, 4));
+ if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+ int extlen = get_size(s->pb, 4);
+ if (version == 4)
+ extlen -= 4; // in v2.4 the length includes the length field we just read
+
+ if (extlen < 0) {
+ reason = "invalid extended header length";
+ goto error;
+ }
+ avio_skip(s->pb, extlen);
+ }
while (len >= taghdrlen) {
unsigned int tflags = 0;
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/isom.c
^
|
@@ -149,10 +149,13 @@
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '1') }, /* MPEG2 HDV 720p30 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '2') }, /* MPEG2 HDV 1080i60 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '3') }, /* MPEG2 HDV 1080i50 */
+ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '4') }, /* MPEG2 HDV 720p24 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '5') }, /* MPEG2 HDV 720p25 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '8') }, /* MPEG2 HDV 1080p30 */
+ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '9') }, /* MPEG2 HDV 720p60 JVC */
+ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', 'a') }, /* MPEG2 HDV 720p50 */
{ CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'n') }, /* MPEG2 IMX NTSC 525/60 50mb/s produced by FCP */
{ CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'p') }, /* MPEG2 IMX PAL 625/50 50mb/s produced by FCP */
{ CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '4', 'n') }, /* MPEG2 IMX NTSC 525/60 40mb/s produced by FCP */
@@ -183,6 +186,8 @@
{ CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'd') }, /* XDCAM EX 1080p24 VBR */
{ CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'e') }, /* XDCAM EX 1080p25 VBR */
{ CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'f') }, /* XDCAM EX 1080p30 VBR */
+ { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', 'd') }, /* XDCAM HD 540p */
+ { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', '2') }, /* XDCAM HD422 540p */
{ CODEC_ID_MPEG2VIDEO, MKTAG('A', 'V', 'm', 'p') }, /* AVID IMX PAL */
{ CODEC_ID_JPEG2000, MKTAG('m', 'j', 'p', '2') }, /* JPEG 2000 produced by FCP */
@@ -397,7 +402,7 @@
len = ff_mp4_read_descr(fc, pb, &tag);
if (tag == MP4DecSpecificDescrTag) {
av_dlog(fc, "Specific MPEG4 header len=%d\n", len);
- if((uint64_t)len > (1<<30))
+ if (!len || (uint64_t)len > (1<<30))
return -1;
av_free(st->codec->extradata);
st->codec->extradata = av_mallocz(len + FF_INPUT_BUFFER_PADDING_SIZE);
|
|
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/matroskadec.c
^
|
@@ -664,16 +664,19 @@
*/
static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
{
- av_free(*str);
+ char *res;
+
/* EBML strings are usually not 0-terminated, so we allocate one
* byte more, read the string and NULL-terminate it ourselves. */
- if (!(*str = av_malloc(size + 1)))
+ if (!(res = av_malloc(size + 1)))
return AVERROR(ENOMEM);
- if (avio_read(pb, (uint8_t *) *str, size) != size) {
- av_freep(str);
+ if (avio_read(pb, (uint8_t *) res, size) != size) {
+ av_free(res);
return AVERROR(EIO);
}
- (*str)[size] = '\0';
+ (res)[size] = '\0';
+ av_free(*str);
+ *str = res;
return 0;
}
@@ -1169,7 +1172,6 @@
static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
{
EbmlList *seekhead_list = &matroska->seekhead;
- MatroskaSeekhead *seekhead = seekhead_list->elem;
uint32_t level_up = matroska->level_up;
int64_t before_pos = avio_tell(matroska->ctx->pb);
uint32_t saved_id = matroska->current_id;
@@ -1182,6 +1184,7 @@
return;
for (i=0; i<seekhead_list->nb_elem; i++) {
+ MatroskaSeekhead *seekhead = seekhead_list->elem;
int64_t offset = seekhead[i].pos + matroska->segment_start;
if (seekhead[i].pos <= before_pos
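Review bot: The move of `MatroskaSeekhead *seekhead = seekhead_list->elem;` into the loop body has no comment saying why the pointer must be re-read on every pass, so a later cleanup could hoist it back out. Presumably the parsing done further down in the loop can grow the seekhead list and reallocate `elem`, which would leave a pointer taken before the loop dangling; that part of the body is outside this hunk. A one-line comment would record the reason: `/* re-read each pass: parsing below may reallocate seekhead_list->elem */`.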
@@ -1427,7 +1430,7 @@
} else if (codec_id == CODEC_ID_AAC && !track->codec_priv.size) {
int profile = matroska_aac_profile(track->codec_id);
int sri = matroska_aac_sri(track->audio.samplerate);
- extradata = av_malloc(5);
+ extradata = av_mallocz(5 + FF_INPUT_BUFFER_PADDING_SIZE);
if (extradata == NULL)
return AVERROR(ENOMEM);
extradata[0] = (profile << 3) | ((sri&0x0E) >> 1);
@@ -1836,15 +1839,31 @@
if (!track->audio.pkt_cnt) {
if (track->audio.sub_packet_cnt == 0)
track->audio.buf_timecode = timecode;
- if (st->codec->codec_id == CODEC_ID_RA_288)
+ if (st->codec->codec_id == CODEC_ID_RA_288) {
+ if (size < cfs * h / 2) {
+ av_log(matroska->ctx, AV_LOG_ERROR,
+ "Corrupt int4 RM-style audio packet size\n");
+ return AVERROR_INVALIDDATA;
+ }
for (x=0; x<h/2; x++)
memcpy(track->audio.buf+x*2*w+y*cfs,
data+x*cfs, cfs);
- else if (st->codec->codec_id == CODEC_ID_SIPR)
+ } else if (st->codec->codec_id == CODEC_ID_SIPR) {
+ if (size < w) {
+ av_log(matroska->ctx, AV_LOG_ERROR,
+ "Corrupt sipr RM-style audio packet size\n");
+ return AVERROR_INVALIDDATA;
+ }
memcpy(track->audio.buf + y*w, data, w);
- else
+ } else {
+ if (size < sps * w / sps) {
+ av_log(matroska->ctx, AV_LOG_ERROR,
+ "Corrupt generic RM-style audio packet size\n");
+ return AVERROR_INVALIDDATA;
+ }
for (x=0; x<w/sps; x++)
memcpy(track->audio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps);
+ }
if (++track->audio.sub_packet_cnt >= h) {
if (st->codec->codec_id == CODEC_ID_SIPR)
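Review bot: The generic-branch guard `if (size < sps * w / sps)` evaluates as `(sps * w) / sps`, which is just `w` unless the multiplication overflows, and it divides by `sps` before anything visible here rules out zero. The loop below copies `w / sps` chunks of `sps` bytes, so the bound reads more directly as `size < w / sps * sps`, with `sps` checked non-zero first if that is not already guaranteed elsewhere. All three new checks bound only the reads from `data`. The writes into `track->audio.buf` still rely on that buffer having been sized from the same `w`, `h`, `cfs` and `sps` values, which happens outside this hunk and should be confirmed.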
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/mpeg.c
@@ -423,7 +423,7 @@
{
MpegDemuxContext *m = s->priv_data;
AVStream *st;
- int len, startcode, i, es_type;
+ int len, startcode, i, es_type, ret;
int request_probe= 0;
enum CodecID codec_id = CODEC_ID_NONE;
enum AVMediaType type;
@@ -568,8 +568,7 @@
else if (st->codec->bits_per_coded_sample == 28)
return AVERROR(EINVAL);
}
- av_new_packet(pkt, len);
- avio_read(s->pb, pkt->data, pkt->size);
+ ret = av_get_packet(s->pb, pkt, len);
pkt->pts = pts;
pkt->dts = dts;
pkt->pos = dummy_pos;
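Review bot: After `ret = av_get_packet(s->pb, pkt, len);` the code still writes `pkt->pts`, `pkt->dts` and `pkt->pos`, and the next hunk passes `pkt->size` and the timestamps to what appears to be a logging call before `return (ret < 0) ? ret : 0;` finally reports the failure. Returning straight away, as the sol.c change in this update does, keeps a failed packet from being touched at all: `if (ret < 0) return ret;` directly after the call. The enclosing function starts and ends outside both hunks.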
@@ -578,7 +577,7 @@
pkt->stream_index, pkt->pts / 90000.0, pkt->dts / 90000.0,
pkt->size);
- return 0;
+ return (ret < 0) ? ret : 0;
}
static int64_t mpegps_read_dts(AVFormatContext *s, int stream_index,
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/mpegtsenc.c
@@ -23,6 +23,7 @@
#include "libavutil/crc.h"
#include "libavutil/dict.h"
#include "libavutil/opt.h"
+#include "libavutil/avassert.h"
#include "libavcodec/mpegvideo.h"
#include "avformat.h"
#include "internal.h"
@@ -947,19 +948,20 @@
}
}
- if (st->codec->codec_type != AVMEDIA_TYPE_AUDIO) {
+ if (ts_st->payload_index && ts_st->payload_index + size > DEFAULT_PES_PAYLOAD_SIZE) {
+ mpegts_write_pes(s, st, ts_st->payload, ts_st->payload_index,
+ ts_st->payload_pts, ts_st->payload_dts);
+ ts_st->payload_index = 0;
+ }
+
+ if (st->codec->codec_type != AVMEDIA_TYPE_AUDIO || size > DEFAULT_PES_PAYLOAD_SIZE) {
+ av_assert0(!ts_st->payload_index);
// for video and subtitle, write a single pes packet
mpegts_write_pes(s, st, buf, size, pts, dts);
av_free(data);
return 0;
}
- if (ts_st->payload_index + size > DEFAULT_PES_PAYLOAD_SIZE) {
- mpegts_write_pes(s, st, ts_st->payload, ts_st->payload_index,
- ts_st->payload_pts, ts_st->payload_dts);
- ts_st->payload_index = 0;
- }
-
if (!ts_st->payload_index) {
ts_st->payload_pts = pts;
ts_st->payload_dts = dts;
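Review bot: The comment `// for video and subtitle, write a single pes packet` no longer describes its branch, because the condition now also takes audio packets larger than `DEFAULT_PES_PAYLOAD_SIZE`. Suggested wording: `// video, subtitles and oversized audio: write a single pes packet`. The new `av_assert0(!ts_st->payload_index);` depends on the flush block just above having run first, and a failed `av_assert0` aborts the process, so that ordering deserves its own short comment, e.g. `// buffered audio was flushed above`.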
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/nsvdec.c
@@ -308,7 +308,9 @@
char *token, *value;
char quote;
- p = strings = av_mallocz(strings_size + 1);
+ p = strings = av_mallocz((size_t)strings_size + 1);
+ if (!p)
+ return AVERROR(ENOMEM);
endp = strings + strings_size;
avio_read(pb, strings, strings_size);
while (p < endp) {
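Review bot: The result of `avio_read(pb, strings, strings_size);` is still ignored after the new allocation check, so a truncated file is parsed as if the whole string block had arrived. Because the buffer comes from `av_mallocz`, the unread tail is zeros rather than stale heap data, but the parser below still walks `strings_size` bytes that were never in the file. Checking the count and freeing on a short read would close this: `if (avio_read(pb, strings, strings_size) != strings_size) { av_free(strings); return AVERROR(EIO); }`. The type of `strings_size` is declared outside the hunk; if it is signed, a negative value should be rejected before the `(size_t)` cast.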
@@ -343,6 +345,8 @@
if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t))
return -1;
nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
+ if (!nsv->nsvs_file_offset)
+ return AVERROR(ENOMEM);
for(i=0;i<table_entries_used;i++)
nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
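Review bot: `table_entries_used` is bounded only against `UINT_MAX / sizeof(uint32_t)`, so a header can still request an allocation approaching 4 GiB and a read loop of matching length; the `nsvs_timestamps` hunk below has the same exposure. The rmdec.c change in this update compares an index count with the bytes left in the file, and a similar check here would reject counts the file cannot contain, at least where the input size is known. The two new `return AVERROR(ENOMEM);` paths also leave earlier allocations from this function in place; whether the caller's cleanup frees them is not visible in these hunks.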
@@ -350,6 +354,8 @@
if(table_entries > table_entries_used &&
avio_rl32(pb) == MKTAG('T','O','C','2')) {
nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t));
+ if (!nsv->nsvs_timestamps)
+ return AVERROR(ENOMEM);
for(i=0;i<table_entries_used;i++) {
nsv->nsvs_timestamps[i] = avio_rl32(pb);
}
@@ -518,11 +524,16 @@
for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) {
if (nsv_resync(s) < 0)
return -1;
- if (nsv->state == NSV_FOUND_NSVF)
+ if (nsv->state == NSV_FOUND_NSVF) {
err = nsv_parse_NSVf_header(s, ap);
+ if (err < 0)
+ return err;
+ }
/* we need the first NSVs also... */
if (nsv->state == NSV_FOUND_NSVS) {
err = nsv_parse_NSVs_header(s, ap);
+ if (err < 0)
+ return err;
break; /* we just want the first one */
}
}
@@ -597,12 +608,12 @@
}
/* map back streams to v,a */
- if (s->streams[0])
+ if (s->nb_streams > 0)
st[s->streams[0]->id] = s->streams[0];
- if (s->streams[1])
+ if (s->nb_streams > 1)
st[s->streams[1]->id] = s->streams[1];
- if (vsize/* && st[NSV_ST_VIDEO]*/) {
+ if (vsize && st[NSV_ST_VIDEO]) {
nst = st[NSV_ST_VIDEO]->priv_data;
pkt = &nsv->ahead[NSV_ST_VIDEO];
av_get_packet(pb, pkt, vsize);
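Review bot: `av_get_packet(pb, pkt, vsize);` at the end of this hunk still discards its return value, so after a failed read the code carries on filling in fields of a packet that was never populated. The swfdec.c and sol.c changes in this update propagate the error, and the same applies here: `if ((ret = av_get_packet(pb, pkt, vsize)) < 0) return ret;`, using whatever status variable the function already declares (its declarations are outside the hunk). Separately, `st[s->streams[0]->id]` indexes `st` with a stream id. The hunk shows neither the size of `st` nor where `id` is assigned, so confirm the id can only take one of the `NSV_ST_*` values.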
@@ -615,7 +626,7 @@
if(st[NSV_ST_VIDEO])
((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
- if (asize/*st[NSV_ST_AUDIO]*/) {
+ if (asize && st[NSV_ST_AUDIO]) {
nst = st[NSV_ST_AUDIO]->priv_data;
pkt = &nsv->ahead[NSV_ST_AUDIO];
/* read raw audio specific header on the first audio chunk... */
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/rmdec.c
@@ -378,8 +378,19 @@
st = s->streams[n];
break;
}
- if (n == s->nb_streams)
+ if (n == s->nb_streams) {
+ av_log(s, AV_LOG_ERROR,
+ "Invalid stream index %d for index at pos %"PRId64"\n",
+ str_id, avio_tell(pb));
goto skip;
+ } else if ((avio_size(pb) - avio_tell(pb)) / 14 < n_pkts) {
+ av_log(s, AV_LOG_ERROR,
+ "Nr. of packets in packet index for stream index %d "
+ "exceeds filesize (%"PRId64" at %"PRId64" = %d)\n",
+ str_id, avio_size(pb), avio_tell(pb),
+ (avio_size(pb) - avio_tell(pb)) / 14);
+ goto skip;
+ }
for (n = 0; n < n_pkts; n++) {
avio_skip(pb, 2);
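Review bot: The last argument of the new `av_log` call, `(avio_size(pb) - avio_tell(pb)) / 14`, is a 64-bit value but is printed with `%d`, which is a format/argument mismatch. Use `%"PRId64"` for it, as for the two values before it. The same expression in the `else if` condition goes negative when `avio_size()` reports an error, for example on input whose size is unknown, which makes the test true and skips every index. If that is intended, a comment saying so would help.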
@@ -391,9 +402,12 @@
}
skip:
- if (next_off && avio_tell(pb) != next_off &&
- avio_seek(pb, next_off, SEEK_SET) < 0)
+ if (next_off && avio_tell(pb) < next_off &&
+ avio_seek(pb, next_off, SEEK_SET) < 0) {
+ av_log(s, AV_LOG_ERROR,
+ "Non-linear index detected, not supported\n");
return -1;
+ }
} while (next_off);
return 0;
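Review bot: The message `Non-linear index detected, not supported` is logged only when a forward `avio_seek` fails, which is an I/O error and not a non-linear index. With the test changed from `!=` to `<`, a `next_off` that points backwards is now silently ignored and the loop continues from the current position. If backward offsets are the case being rejected, test for it explicitly with `if (next_off && avio_tell(pb) > next_off)` before the seek, and give the seek failure its own message.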
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/rtpdec_asf.c
@@ -233,14 +233,16 @@
int cur_len = start_off + len_off - off;
int prev_len = out_len;
- void *newbuf;
+ void *newmem;
+
out_len += cur_len;
- if(FFMIN(cur_len, len - off)<0)
+
+ if (FFMIN(cur_len, len - off) < 0)
return -1;
- newbuf = av_realloc(asf->buf, out_len);
- if(!newbuf)
+ newmem = av_realloc(asf->buf, out_len);
+ if (!newmem)
return -1;
- asf->buf= newbuf;
+ asf->buf = newmem;
memcpy(asf->buf + prev_len, buf + off,
FFMIN(cur_len, len - off));
avio_skip(pb, cur_len);
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/smacker.c
@@ -261,8 +261,15 @@
sz += (t & 0x7F) + 1;
pal += ((t & 0x7F) + 1) * 3;
} else if(t & 0x40){ /* copy with offset */
- off = avio_r8(s->pb) * 3;
+ off = avio_r8(s->pb);
j = (t & 0x3F) + 1;
+ if (off + j > 0xff) {
+ av_log(s, AV_LOG_ERROR,
+ "Invalid palette update, offset=%d length=%d extends beyond palette size\n",
+ off, j);
+ return AVERROR_INVALIDDATA;
+ }
+ off *= 3;
while(j-- && sz < 256) {
*pal++ = oldpal[off + 0];
*pal++ = oldpal[off + 1];
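Review bot: The new bound `if (off + j > 0xff)` is one stricter than the palette allows. With 256 entries (the loop below stops at `sz < 256`), a copy covering entries `off` to `off + j - 1` is in range whenever `off + j <= 0x100`, so an update ending on the last palette entry is rejected with `AVERROR_INVALIDDATA`. `if (off + j > 0x100)` still keeps the read of `oldpal[off + 2]` in bounds, assuming `oldpal` holds 256 RGB triples; its declaration is outside this hunk.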
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/sol.c
@@ -132,6 +132,8 @@
if (url_feof(s->pb))
return AVERROR(EIO);
ret= av_get_packet(s->pb, pkt, MAX_SIZE);
+ if (ret < 0)
+ return ret;
pkt->stream_index = 0;
/* note: we need to modify the packet size here to handle the last
Changed |
ffmpeg-0.7.13.tar.bz2/libavformat/swfdec.c
@@ -84,7 +84,7 @@
SWFContext *swf = s->priv_data;
AVIOContext *pb = s->pb;
AVStream *vst = NULL, *ast = NULL, *st = 0;
- int tag, len, i, frame, v;
+ int tag, len, i, frame, v, res;
for(;;) {
uint64_t pos = avio_tell(pb);
@@ -147,7 +147,8 @@
st = s->streams[i];
if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) {
frame = avio_rl16(pb);
- av_get_packet(pb, pkt, len-2);
+ if ((res = av_get_packet(pb, pkt, len-2)) < 0)
+ return res;
pkt->pos = pos;
pkt->pts = frame;
pkt->stream_index = st->index;
@@ -160,9 +161,11 @@
if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) {
if (st->codec->codec_id == CODEC_ID_MP3) {
avio_skip(pb, 4);
- av_get_packet(pb, pkt, len-4);
+ if ((res = av_get_packet(pb, pkt, len-4)) < 0)
+ return res;
} else { // ADPCM, PCM
- av_get_packet(pb, pkt, len);
+ if ((res = av_get_packet(pb, pkt, len)) < 0)
+ return res;
}
pkt->pos = pos;
pkt->stream_index = st->index;
@@ -186,7 +189,8 @@
st = vst;
}
avio_rl16(pb); /* BITMAP_ID */
- av_new_packet(pkt, len-2);
+ if ((res = av_new_packet(pkt, len-2)) < 0)
+ return res;
avio_read(pb, pkt->data, 4);
if (AV_RB32(pkt->data) == 0xffd8ffd9 ||
AV_RB32(pkt->data) == 0xffd9ffd8) {
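Review bot: After the new `av_new_packet(pkt, len-2)` check, `avio_read(pb, pkt->data, 4);` still reads four bytes without confirming that `len-2` is at least 4 and without checking how many bytes arrived. `AV_RB32(pkt->data)` can therefore compare bytes that are not part of the tag payload. A length guard before the allocation would cover both the tiny and the negative case, e.g. `if (len < 6) return AVERROR_INVALIDDATA;`, or skipping the tag if that is what the surrounding loop expects; the loop is outside this hunk.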
Changed |
ffmpeg-0.7.13.tar.bz2/libavutil/intfloat_readwrite.c
@@ -30,13 +30,13 @@
#include "intfloat_readwrite.h"
double av_int2dbl(int64_t v){
- if(v+v > 0xFFEULL<<52)
+ if((uint64_t)v+v > 0xFFEULL<<52)
return NAN;
return ldexp(((v&((1LL<<52)-1)) + (1LL<<52)) * (v>>63|1), (v>>52&0x7FF)-1075);
}
float av_int2flt(int32_t v){
- if(v+v > 0xFF000000U)
+ if((uint32_t)v+v > 0xFF000000U)
return NAN;
return ldexp(((v&0x7FFFFF) + (1<<23)) * (v>>31|1), (v>>23&0xFF)-150);
}
Changed |
ffmpeg-0.7.13.tar.bz2/libswscale/utils.c
@@ -44,6 +44,7 @@
#include "libavutil/cpu.h"
#include "libavutil/avutil.h"
#include "libavutil/bswap.h"
+#include "libavutil/mathematics.h"
#include "libavutil/opt.h"
#include "libavutil/pixdesc.h"
@@ -271,7 +272,7 @@
xDstInSrc+= xInc;
}
} else {
- int xDstInSrc;
+ int64_t xDstInSrc;
int sizeFactor;
if (flags&SWS_BICUBIC) sizeFactor= 4;
@@ -290,7 +291,7 @@
if (xInc <= 1<<16) filterSize= 1 + sizeFactor; // upscale
else filterSize= 1 + (sizeFactor*srcW + dstW - 1)/ dstW;
- if (filterSize > srcW-2) filterSize=srcW-2;
+ filterSize = av_clip(filterSize, 1, srcW - 2);
FF_ALLOC_OR_GOTO(NULL, filter, dstW*sizeof(*filter)*filterSize, fail);
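Review bot: `av_clip(filterSize, 1, srcW - 2)` has its bounds inverted when `srcW` is 2 or less: the upper limit is then below the lower one, and for any `filterSize` of 1 or more the call returns `srcW - 2`, i.e. zero or a negative value. That value feeds straight into the `FF_ALLOC_OR_GOTO` size on the next line. Applying the limits in order makes the floor win: `filterSize = FFMIN(filterSize, srcW - 2);` followed by `filterSize = FFMAX(filterSize, 1);`. Whether such small widths are rejected earlier is not visible in this hunk.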
@@ -823,8 +824,8 @@
if (!dstFilter) dstFilter= &dummyFilter;
if (!srcFilter) srcFilter= &dummyFilter;
- c->lumXInc= ((srcW<<16) + (dstW>>1))/dstW;
- c->lumYInc= ((srcH<<16) + (dstH>>1))/dstH;
+ c->lumXInc= (((int64_t)srcW<<16) + (dstW>>1))/dstW;
+ c->lumYInc= (((int64_t)srcH<<16) + (dstH>>1))/dstH;
c->dstFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[dstFormat]);
c->srcFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[srcFormat]);
c->vRounder= 4* 0x0001000100010001ULL;
@@ -886,8 +887,8 @@
else
c->canMMX2BeUsed=0;
- c->chrXInc= ((c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW;
- c->chrYInc= ((c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH;
+ c->chrXInc= (((int64_t)c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW;
+ c->chrYInc= (((int64_t)c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH;
// match pixel 0 of the src to pixel 0 of dst and match pixel n-2 of src to pixel n-2 of dst
// but only for the FAST_BILINEAR mode otherwise do correct scaling
@@ -902,8 +903,8 @@
}
//we don't use the x86 asm scaler if MMX is available
else if (HAVE_MMX && cpu_flags & AV_CPU_FLAG_MMX) {
- c->lumXInc = ((srcW-2)<<16)/(dstW-2) - 20;
- c->chrXInc = ((c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20;
+ c->lumXInc = ((int64_t)(srcW-2)<<16)/(dstW-2) - 20;
+ c->chrXInc = ((int64_t)(c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20;
}
}
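Review bot: The divisors `(dstW-2)` and `(c->chrDstW-2)` are zero for a two-pixel-wide destination, and the `int64_t` cast added here does not change that. The same question applies to the plain `dstW`, `dstH`, `c->chrDstW` and `c->chrDstH` divisions in the two hunks above. If minimum dimensions are enforced before this point (not visible here), a short comment naming that check would do; otherwise the branch needs a guard on `dstW > 2 && c->chrDstW > 2`. The 64-bit quotients are also stored back into `c->lumXInc` and `c->chrXInc`, so if those fields are `int`, very large ratios are truncated on assignment.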
@@ -1007,7 +1008,7 @@
c->vLumBufSize= c->vLumFilterSize;
c->vChrBufSize= c->vChrFilterSize;
for (i=0; i<dstH; i++) {
- int chrI= (int64_t)i*c->chrDstH / dstH;
+ int chrI = (int64_t) i * c->chrDstH / dstH;
int nextSlice= FFMAX(c->vLumFilterPos[i ] + c->vLumFilterSize - 1,
((c->vChrFilterPos[chrI] + c->vChrFilterSize - 1)<<c->chrSrcVSubSample));
Changed |
ffmpeg-0.7.13.tar.bz2/libswscale/x86/swscale_mmx.c
@@ -132,6 +132,44 @@
const int16_t **chrUSrcPtr= (const int16_t **) chrUPixBuf + chrBufIndex + firstChrSrcY - lastInChrBuf + vChrBufSize;
const int16_t **alpSrcPtr= (CONFIG_SWSCALE_ALPHA && alpPixBuf) ? (const int16_t **) alpPixBuf + lumBufIndex + firstLumSrcY - lastInLumBuf + vLumBufSize : NULL;
int i;
+
+ if (firstLumSrcY < 0 || firstLumSrcY + vLumFilterSize > c->srcH) {
+ const int16_t **tmpY = (const int16_t **) lumPixBuf + 2 * vLumBufSize;
+ int neg = -firstLumSrcY, i, end = FFMIN(c->srcH - firstLumSrcY, vLumFilterSize);
+ for (i = 0; i < neg; i++)
+ tmpY[i] = lumSrcPtr[neg];
+ for ( ; i < end; i++)
+ tmpY[i] = lumSrcPtr[i];
+ for ( ; i < vLumFilterSize; i++)
+ tmpY[i] = tmpY[i-1];
+ lumSrcPtr = tmpY;
+
+ if (alpSrcPtr) {
+ const int16_t **tmpA = (const int16_t **) alpPixBuf + 2 * vLumBufSize;
+ for (i = 0; i < neg; i++)
+ tmpA[i] = alpSrcPtr[neg];
+ for ( ; i < end; i++)
+ tmpA[i] = alpSrcPtr[i];
+ for ( ; i < vLumFilterSize; i++)
+ tmpA[i] = tmpA[i - 1];
+ alpSrcPtr = tmpA;
+ }
+ }
+ if (firstChrSrcY < 0 || firstChrSrcY + vChrFilterSize > c->chrSrcH) {
+ const int16_t **tmpU = (const int16_t **) chrUPixBuf + 2 * vChrBufSize;
+ int neg = -firstChrSrcY, i, end = FFMIN(c->chrSrcH - firstChrSrcY, vChrFilterSize);
+ for (i = 0; i < neg; i++) {
+ tmpU[i] = chrUSrcPtr[neg];
+ }
+ for ( ; i < end; i++) {
+ tmpU[i] = chrUSrcPtr[i];
+ }
+ for ( ; i < vChrFilterSize; i++) {
+ tmpU[i] = tmpU[i - 1];
+ }
+ chrUSrcPtr = tmpU;
+ }
+
if (flags & SWS_ACCURATE_RND) {
int s= APCK_SIZE / 8;
for (i=0; i<vLumFilterSize; i+=2) {
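Review bot: The scratch rows `tmpY`, `tmpA` and `tmpU` are carved out at `lumPixBuf + 2 * vLumBufSize`, `alpPixBuf + 2 * vLumBufSize` and `chrUPixBuf + 2 * vChrBufSize`. The block is only in bounds if each pointer array was allocated with room beyond twice the buffer size for a full filter's worth of entries; that allocation is not part of this hunk and should be checked alongside it. The first loop in each group runs to `neg` without regard to the filter size, so `for (i = 0; i < FFMIN(neg, vLumFilterSize); i++)` (and the chroma equivalent) would keep the writes inside the scratch area even for an unexpected `firstLumSrcY`. The inner `int neg = ..., i, end = ...` declarations shadow the function's own `int i`; dropping `i` from them removes the shadow. A comment stating that the block clamps out-of-range source rows to the nearest valid row would help readers of the asm that follows.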
Changed |
ffmpeg-0.7.13.tar.bz2/libswscale/x86/swscale_template.c
@@ -2238,12 +2238,24 @@
void *mmx2FilterCode= c->lumMmx2FilterCode;
int i;
#if defined(PIC)
- DECLARE_ALIGNED(8, uint64_t, ebxsave);
+ uint64_t ebxsave;
+#endif
+#if ARCH_X86_64
+ uint64_t retsave;
#endif
__asm__ volatile(
#if defined(PIC)
"mov %%"REG_b", %5 \n\t"
+#if ARCH_X86_64
+ "mov -8(%%rsp), %%"REG_a" \n\t"
+ "mov %%"REG_a", %6 \n\t"
+#endif
+#else
+#if ARCH_X86_64
+ "mov -8(%%rsp), %%"REG_a" \n\t"
+ "mov %%"REG_a", %5 \n\t"
+#endif
#endif
"pxor %%mm7, %%mm7 \n\t"
"mov %0, %%"REG_c" \n\t"
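Review bot: Nothing in the new asm says why `-8(%%rsp)` is saved into `retsave` and restored afterwards; this hunk and the three that follow repeat the sequence without a comment. Presumably the code reached through `mmx2FilterCode` is entered with a call whose pushed return address overwrites the x86-64 red-zone slot just below the stack pointer. A one-line comment to that effect above the save would keep the sequence from being removed later as dead code. This hunk also turns `DECLARE_ALIGNED(8, uint64_t, ebxsave)` into a plain `uint64_t ebxsave;`, while the second function (the `@@ -2312` hunk) keeps `DECLARE_ALIGNED` for both `ebxsave` and `retsave`; pick one form for both. In the operand lists of the later hunks, `retsave` and `ebxsave` are written by the asm but passed as `"m"` inputs, so the compiler is not told that they change.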
@@ -2285,12 +2297,24 @@
#if defined(PIC)
"mov %5, %%"REG_b" \n\t"
+#if ARCH_X86_64
+ "mov %6, %%"REG_a" \n\t"
+ "mov %%"REG_a", -8(%%rsp) \n\t"
+#endif
+#else
+#if ARCH_X86_64
+ "mov %5, %%"REG_a" \n\t"
+ "mov %%"REG_a", -8(%%rsp) \n\t"
+#endif
#endif
:: "m" (src), "m" (dst), "m" (filter), "m" (filterPos),
"m" (mmx2FilterCode)
#if defined(PIC)
,"m" (ebxsave)
#endif
+#if ARCH_X86_64
+ ,"m"(retsave)
+#endif
: "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
#if !defined(PIC)
,"%"REG_b
@@ -2312,10 +2336,22 @@
#if defined(PIC)
DECLARE_ALIGNED(8, uint64_t, ebxsave);
#endif
+#if ARCH_X86_64
+ DECLARE_ALIGNED(8, uint64_t, retsave);
+#endif
__asm__ volatile(
#if defined(PIC)
"mov %%"REG_b", %7 \n\t"
+#if ARCH_X86_64
+ "mov -8(%%rsp), %%"REG_a" \n\t"
+ "mov %%"REG_a", %8 \n\t"
+#endif
+#else
+#if ARCH_X86_64
+ "mov -8(%%rsp), %%"REG_a" \n\t"
+ "mov %%"REG_a", %7 \n\t"
+#endif
#endif
"pxor %%mm7, %%mm7 \n\t"
"mov %0, %%"REG_c" \n\t"
@@ -2345,12 +2381,24 @@
#if defined(PIC)
"mov %7, %%"REG_b" \n\t"
+#if ARCH_X86_64
+ "mov %8, %%"REG_a" \n\t"
+ "mov %%"REG_a", -8(%%rsp) \n\t"
+#endif
+#else
+#if ARCH_X86_64
+ "mov %7, %%"REG_a" \n\t"
+ "mov %%"REG_a", -8(%%rsp) \n\t"
+#endif
#endif
:: "m" (src1), "m" (dst1), "m" (filter), "m" (filterPos),
"m" (mmx2FilterCode), "m" (src2), "m"(dst2)
#if defined(PIC)
,"m" (ebxsave)
#endif
+#if ARCH_X86_64
+ ,"m"(retsave)
+#endif
: "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
#if !defined(PIC)
,"%"REG_b
Changed |
ffmpeg-0.7.13.tar.bz2/tests/fate.mak
@@ -175,7 +175,7 @@
FATE_TESTS += fate-mimic
fate-mimic: CMD = framecrc -idct simple -i $(SAMPLES)/mimic/mimic2-womanloveffmpeg.cam -vsync 0
FATE_TESTS += fate-motionpixels
-fate-motionpixels: CMD = framecrc -i $(SAMPLES)/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24
+fate-motionpixels: CMD = framecrc -i $(SAMPLES)/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -vframes 111
FATE_TESTS += fate-mpc7-demux
fate-mpc7-demux: CMD = crc -i $(SAMPLES)/musepack/inside-mp7.mpc -acodec copy
FATE_TESTS += fate-mpc8-demux
Changed |
ffmpeg-0.7.13.tar.bz2/tests/ref/acodec/wmav1
@@ -1,4 +1,4 @@
-26a7f6b0f0b7181df8df3fa589f6bf81 *./tests/data/acodec/wmav1.asf
+0260385b8a54df11ad349f9ba8240fd8 *./tests/data/acodec/wmav1.asf
106004 ./tests/data/acodec/wmav1.asf
-stddev:12245.52 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
-stddev: 2095.89 PSNR: 29.90 MAXDIFF:27658 bytes: 1056768/ 1058400
+stddev:12241.90 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
+stddev: 2074.79 PSNR: 29.99 MAXDIFF:27658 bytes: 1056768/ 1058400
Changed |
ffmpeg-0.7.13.tar.bz2/tests/ref/acodec/wmav2
@@ -1,4 +1,4 @@
-7c6c0cb692af01b312ae345723674b5f *./tests/data/acodec/wmav2.asf
+bdb4c312fb109f990be83a70f8ec9bdc *./tests/data/acodec/wmav2.asf
106044 ./tests/data/acodec/wmav2.asf
-stddev:12249.93 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
-stddev: 2089.21 PSNR: 29.93 MAXDIFF:27650 bytes: 1056768/ 1058400
+stddev:12246.35 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
+stddev: 2068.08 PSNR: 30.02 MAXDIFF:27650 bytes: 1056768/ 1058400
Changed |
ffmpeg-0.7.13.tar.bz2/tests/ref/fate/motionpixels
@@ -109,4 +109,3 @@
0, 648003, 230400, 0xb343f372
0, 654003, 230400, 0xf7f1e588
0, 660003, 230400, 0x9682bdb2
-0, 666003, 230400, 0x009f4640
|