[SCM] libav/upstream: Imported Upstream version 0.8.3

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sat Jun 9 11:23:02 UTC 2012


The following commit has been merged in the upstream branch:
commit 7cdba4421fe7f0329eb1b0255eca6d10ab666e9d
Author: Reinhard Tartler <siretart at tauware.de>
Date:   Sat Jun 9 13:22:16 2012 +0200

    Imported Upstream version 0.8.3

diff --git a/Changelog b/Changelog
index 846aa5a..fb9a7a6 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,13 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+
+version 0.8.3:
+
+- Several bugs and crashes have been fixed in the following codecs: PNG,
+  Electronic Arts TQI, H.264 (CVE-2012-0851) and H.263 (CVE-2011-3937)
+
+
 version 0.8.2:
 
 - Several bugs and crashes have been fixed in the following codecs: AAC,
diff --git a/RELEASE b/RELEASE
index 100435b..ee94dd8 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-0.8.2
+0.8.3
diff --git a/VERSION b/VERSION
index 100435b..ee94dd8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.8.2
+0.8.3
diff --git a/cmdutils.c b/cmdutils.c
index e96fa81..7b2ff08 100644
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -55,7 +55,7 @@
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *codec_opts;
 
-static const int this_year = 2011;
+static const int this_year = 2012;
 
 void init_opts(void)
 {
diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c
index aaf704b..66d3819 100644
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -57,12 +57,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
 {
     int n;
     s->dsp.clear_blocks(block[0]);
     for (n=0; n<6; n++)
-        ff_mpeg1_decode_block_intra(s, block[n], n);
+        if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+            return -1;
+
+    return 0;
 }
 
 static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
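Review bot: The new error return of tqi_decode_mb() is only partly acted on: in the tqi_decode_frame hunk that follows, `break` leaves just the inner `mb_x` loop, so the outer `mb_y` loop advances to the next row and keeps calling the decoder on a bitstream already known to be damaged. Leaving both loops at once, for example `goto end;` with an `end:` label placed right after the loop nest, stops at the first bad macroblock. In this hunk it would also be cleaner to pass the callee's code up rather than a flat `-1`, e.g. `int ret = ff_mpeg1_decode_block_intra(s, block[n], n); if (ret < 0) return ret;`, and to brace the `for` body now that it spans two lines. The rest of tqi_decode_frame is outside both hunks, so whether the partially decoded frame is still reported as success cannot be confirmed from here.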
@@ -134,7 +137,8 @@ static int tqi_decode_frame(AVCodecContext *avctx,
     for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
     for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
     {
-        tqi_decode_mb(s, t->block);
+        if (tqi_decode_mb(s, t->block) < 0)
+            break;
         tqi_idct_put(t, t->block);
     }
 
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 7f0934a..1ddca19 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -578,6 +578,11 @@ retry:
         /* H.263 could change picture size any time */
         ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
 
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
         s->parse_context.buffer=0;
         MPV_common_end(s);
         s->parse_context= pc;
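Review bot: The string passed to av_log_missing_feature() in the added block names bit depth and chroma idc, while both comments around it (`H.263 could change picture size any time`, `width / height changed during parallelized decoding`) concern picture size only. Wording such as `"Changing width/height with frame threads is"` would tell the user what was actually refused. The guard presumably exists because MPV_common_end() tears down state that other frame threads may still be using; a one-line comment above the `if` saying so would keep it from being dropped later. The enclosing function and the condition that leads into this block are outside the hunk.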
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index c6623a9..ff6103c 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -332,8 +332,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 
     if(sps->profile_idc >= 100){ //high profile
         sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
-        if(sps->chroma_format_idc == 3)
+        if(sps->chroma_format_idc > 3) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc);
+            return -1;
+        } else if(sps->chroma_format_idc == 3) {
             sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
         sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
         sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
         sps->transform_bypass = get_bits1(&s->gb);
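Review bot: The new `return -1` for `chroma_format_idc > 3` exits directly from the middle of SPS parsing. If `sps` was heap-allocated earlier in ff_h264_decode_seq_parameter_set() (the allocation is outside the hunk), this path skips its release, and a stream that repeats the malformed SPS would leak on every occurrence. The exit should go through the same cleanup path as the function's other post-allocation error exits. The two `bit_depth_*` values just below are likewise taken from `get_ue_golomb()` with no upper bound visible in the hunk; if no later check exists, a range test next to this one would be the natural place for it.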
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 94eb6eb..ac98f70 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -479,9 +479,11 @@ static int decode_frame(AVCodecContext *avctx,
                 } else if (s->bit_depth == 1 &&
                            s->color_type == PNG_COLOR_TYPE_GRAY) {
                     avctx->pix_fmt = PIX_FMT_MONOBLACK;
-                } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+                } else if (s->bit_depth == 8 &&
+                           s->color_type == PNG_COLOR_TYPE_PALETTE) {
                     avctx->pix_fmt = PIX_FMT_PAL8;
-                } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
+                } else if (s->bit_depth == 8 &&
+                           s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
                     avctx->pix_fmt = PIX_FMT_Y400A;
                 } else {
                     goto fail;
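Review bot: With the added `s->bit_depth == 8` conditions, palette and gray+alpha images at any other bit depth now fall into the final `else` and `goto fail` without a message, so a user cannot tell an unsupported but well-formed file from a corrupt one. Rejecting them is the safe choice, presumably because the row layout at those depths would not match `PIX_FMT_PAL8` or `PIX_FMT_Y400A`. The branch should log before bailing out, e.g. `av_log(avctx, AV_LOG_ERROR, "unsupported bit depth %d and color type %d\n", s->bit_depth, s->color_type);` ahead of `goto fail;`. decode_frame and the `fail` label are outside the hunk.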
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 6acb7d8..739971e 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -884,9 +884,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                         break;
 
                     case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+                            if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+                                samples[0] = type30_dequant[index];
+                            } else
+                                samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
+                        } else
                             samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
 
                         run = 1;
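Review bot: The range check of `index` against `FF_ARRAY_ELEMS(type30_dequant)` has no comment saying why a VLC result can exceed the table, and the same holds for the `type34_delta` check in the next hunk. Presumably the VLC table can yield more codes than the dequant table has entries; a why-comment such as `/* VLC index may exceed the dequant table on damaged input; fall back to dithering noise */` above each check would keep a later cleanup from removing it as dead code. On style, the inner `if` is braced while both `else` arms are not. The two arms are identical, but they are better left duplicated than hoisted unless SB_DITHERING_NOISE is known to be free of side effects, which the hunk does not show.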
@@ -900,8 +904,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                                 type34_predictor = samples[0];
                                 type34_first = 0;
                             } else {
-                                samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
-                                type34_predictor = samples[0];
+                                unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+                                if (index < FF_ARRAY_ELEMS(type34_delta)) {
+                                    samples[0] = type34_delta[index] / type34_div + type34_predictor;
+                                    type34_predictor = samples[0];
+                                } else
+                                    samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
                             }
                         } else {
                             samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index 01ba479..0113683 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -474,12 +474,17 @@ static int ea_read_packet(AVFormatContext *s,
 
     while (!packet_read) {
         chunk_type = avio_rl32(pb);
-        chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+        chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+        if (chunk_size <= 8)
+            return AVERROR_INVALIDDATA;
+        chunk_size -= 8;
 
         switch (chunk_type) {
         /* audio data */
         case ISNh_TAG:
             /* header chunk also contains data; skip over the header portion*/
+            if (chunk_size < 32)
+                return AVERROR_INVALIDDATA;
             avio_skip(pb, 32);
             chunk_size -= 32;
         case ISNd_TAG:
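Review bot: The `chunk_size <= 8` test rejects a chunk whose declared size is exactly 8, that is a bare header with an empty payload, along with the undersized ones; if such chunks can occur in valid files, `if (chunk_size < 8)` is the check that matches the subtraction that follows. Both new comparisons also depend on the declared type of `chunk_size`, which is outside the hunk: with a signed type a size of 0x80000000 or more is caught by the first test as a negative value, while with an unsigned type it passes and is bounded only by what the individual cases do with it, so an upper bound against the remaining input is worth considering. The `ISNh_TAG` case still falls through into `ISNd_TAG` unmarked; a `/* fallthrough */` comment after `chunk_size -= 32;` would make that intent explicit.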

-- 
Libav/FFmpeg packaging


