[SCM] libav/squeeze: Imported Upstream version 0.5.8
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Thu May 10 20:27:43 UTC 2012
The following commit has been merged in the squeeze branch:
commit d729d8ae0e65b6311173db88bdd917da41efe3d9
Author: Reinhard Tartler <siretart at tauware.de>
Date: Thu May 10 20:50:57 2012 +0200
Imported Upstream version 0.5.8
diff --git a/Changelog b/Changelog
index 1d9eb79..c5c5d31 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,30 @@ Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 0.5.8:
+
+- id3v2: fix skipping extended header in id3v2.4
+- nsvdec: Several bugfixes related to CVE-2011-3940
+- dv: check stype
+- dv: Fix null pointer dereference due to ach=0
+- dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
+- atrac3: Fix crash in tonal component decoding, fixes CVE-2012-0853
+- mjpegbdec: Fix overflow in SOS, fixes CVE-2011-3947
+- motionpixels: Clip YUV values after applying a gradient.
+- vqavideo: return error if image size is not a multiple of block size,
+ fixes CVE-2012-0947.
+
+
+version 0.5.7:
+- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895)
+- vorbisdec: Fix decoding bug with channel handling.
+- matroskadec: Fix a bug where a pointer was cached to an array that might
+ later move due to a realloc(). (CVE-2011-3893)
+- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893)
+- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892)
+- vp3: fix streams with non-zero last coefficient.
+
+
version 0.5.6:
- svq1dec: call avcodec_set_dimensions() after dimensions changed. (NGS00148, CVE-2011-4579)
- vmd: fix segfaults on corruped streams (CVE-2011-4364)
diff --git a/RELEASE b/RELEASE
index 364a327..7c0086c 100644
--- a/RELEASE
+++ b/RELEASE
@@ -170,3 +170,36 @@ release.
Distributors and system integrators are encouraged to update and share
their patches against this branch.
+
+
+
+* 0.5.7 Jan 11, 2012
+
+General notes
+-------------
+
+This mostly maintenance-only release that addresses a number a number of
+bugs such as security and compilation issues that have been brought to
+our attention. Among other (rather minor) fixes, this release features
+fixes for the VP3 decoder (CVE-2011-3892), vorbis decoder, and matroska
+demuxer (CVE-2011-3893 and CVE-2011-3895).
+
+Distributors and system integrators are encouraged
+to update and share their patches against this branch. For a full list
+of changes please see the Changelog file.
+
+* 0.5.8 May 10, 2012
+
+General notes
+-------------
+
+This maintenance-only release that addresses a number a number of
+security issues that have been brought to our attention. Among other
+(rather minor) fixes, this release features fixes for the DV decoder
+(CVE-2011-3929 and CVE-2011-3936), nsvdec (CVE-2011-3940), Atrac3
+(CVE-2012-0853), mjpegdec (CVE-2011-3947) and the VQA video decoder
+(CVE-2012-0947).
+
+Distributors and system integrators are encouraged
+to update and share their patches against this branch. For a full list
+of changes please see the Changelog file.
diff --git a/VERSION b/VERSION
index b49b253..659914a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.6
+0.5.8
diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index 81d25ec..9205f35 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -454,6 +454,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
for (k=0; k<coded_components; k++) {
sfIndx = get_bits(gb,6);
+ if (component_count >= 64)
+ return AVERROR_INVALIDDATA;
pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
max_coded_values = 1024 - pComponent[component_count].pos;
coded_values = coded_values_per_component + 1;
diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
index 62b29e0..f19a87f 100644
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -49,6 +49,9 @@ read_header:
s->restart_count = 0;
s->mjpb_skiptosod = 0;
+ if (buf_end - buf_ptr >= 1 << 28)
+ return AVERROR_INVALIDDATA;
+
init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
skip_bits(&hgb, 32); /* reserved zeros */
@@ -99,8 +102,8 @@ read_header:
av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
if (sos_offs)
{
-// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
- init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+ init_get_bits(&s->gb, buf_ptr + sos_offs,
+ 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
s->start_code = SOS;
ff_mjpeg_decode_sos(s);
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index f69dcf9..349a02d 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -239,10 +239,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
p = mp_get_yuv_from_rgb(mp, x - 1, y);
} else {
p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
if ((x & 3) == 0) {
if ((y & 3) == 0) {
p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
} else {
p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -266,9 +269,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
p = mp_get_yuv_from_rgb(mp, 0, y);
} else {
p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
if ((y & 3) == 0) {
p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
}
mp->vpt[y] = p;
mp_set_rgb_from_yuv(mp, 0, y, &p);
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index dbc409f..13e7e65 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -146,13 +146,13 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) {
}
}
-static void render_line(int x0, int y0, int x1, int y1, float * buf) {
+static void render_line(int x0, uint8_t y0, int x1, int y1, float * buf) {
int dy = y1 - y0;
int adx = x1 - x0;
int base = dy / adx;
int ady = FFABS(dy) - FFABS(base) * adx;
int x = x0;
- int y = y0;
+ uint8_t y = y0;
int err = 0;
int sy = dy<0 ? -1 : 1;
buf[x] = ff_vorbis_floor1_inverse_db_table[y];
@@ -168,7 +168,8 @@ static void render_line(int x0, int y0, int x1, int y1, float * buf) {
}
void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint_fast16_t * y_list, int * flag, int multiplier, float * out, int samples) {
- int lx, ly, i;
+ int lx, i;
+ uint8_t ly;
lx = 0;
ly = y_list[0] * multiplier;
for (i = 1; i < values; i++) {
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 5b8b056..1321b08 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -654,7 +654,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
res_setup->partition_size=get_bits(gb, 24)+1;
/* Validations to prevent a buffer overflow later. */
if (res_setup->begin>res_setup->end
- || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+ || res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2
|| (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
return 1;
@@ -1293,7 +1293,7 @@ static int vorbis_floor1_decode(vorbis_context *vc, vorbis_floor_data *vfu, floa
// Read and decode residue
-static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, int vr_type) {
+static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, unsigned ch_left, int vr_type) {
GetBitContext *gb=&vc->gb;
uint_fast8_t c_p_c=vc->codebooks[vr->classbook].dimensions;
uint_fast16_t n_to_read=vr->end-vr->begin;
@@ -1303,6 +1303,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, v
uint_fast8_t ch_used;
uint_fast8_t i,j,l;
uint_fast16_t k;
+ unsigned max_output = (ch - 1) * vlen;
if (vr_type==2) {
for(j=1;j<ch;++j) {
@@ -1310,8 +1311,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, v
}
if (do_not_decode[0]) return 0;
ch_used=1;
+ max_output += vr->end / ch;
} else {
ch_used=ch;
+ max_output += vr->end;
+ }
+
+ if (max_output > ch_left * vlen) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
+ return -1;
}
AV_DEBUG(" residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
@@ -1435,14 +1443,14 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, v
return 0;
}
-static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen)
+static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, unsigned ch_left)
{
if (vr->type==2)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2);
- else if (vr->type==1)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1);
- else if (vr->type==0)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
+ else if (vr->type == 1)
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
+ else if (vr->type == 0)
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
else {
av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
return 1;
@@ -1505,6 +1513,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
uint_fast8_t res_num=0;
int_fast16_t retlen=0;
float fadd_bias = vc->add_bias;
+ unsigned ch_left = vc->audio_channels;
+ unsigned vlen;
if (get_bits1(gb)) {
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
@@ -1527,12 +1537,13 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
blockflag=vc->modes[mode_number].blockflag;
blocksize=vc->blocksize[blockflag];
+ vlen = blocksize / 2;
if (blockflag) {
skip_bits(gb, 2); // previous_window, next_window
}
- memset(ch_res_ptr, 0, sizeof(float)*vc->audio_channels*blocksize/2); //FIXME can this be removed ?
- memset(ch_floor_ptr, 0, sizeof(float)*vc->audio_channels*blocksize/2); //FIXME can this be removed ?
+ memset(ch_res_ptr, 0, sizeof(float)*vc->audio_channels*vlen); //FIXME can this be removed ?
+ memset(ch_floor_ptr, 0, sizeof(float)*vc->audio_channels*vlen); //FIXME can this be removed ?
// Decode floor
@@ -1552,7 +1563,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
return -1;
}
no_residue[i] = ret;
- ch_floor_ptr += blocksize / 2;
+ ch_floor_ptr += vlen;
}
// Nonzero vector propagate
@@ -1569,6 +1580,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
for(i=0;i<mapping->submaps;++i) {
vorbis_residue *residue;
uint_fast8_t ch=0;
+ int ret;
for(j=0;j<vc->audio_channels;++j) {
if ((mapping->submaps==1) || (i==mapping->mux[j])) {
@@ -1583,9 +1595,18 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
}
}
residue=&vc->residues[mapping->submap_residue[i]];
- vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
+ if (ch_left < ch) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
+ return -1;
+ }
+ if (ch) {
+ ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
+ if (ret < 0)
+ return ret;
+ }
- ch_res_ptr+=ch*blocksize/2;
+ ch_res_ptr += ch * vlen;
+ ch_left -= ch;
}
// Inverse coupling
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 429c4f9..69248d6 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1011,12 +1011,12 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
/* decode a VLC into a token */
token = get_vlc2(gb, table->table, 5, 3);
/* use the token to get a zero run, a coefficient, and an eob run */
- if (token <= 6) {
+ if ((unsigned) token <= 6U) {
eob_run = eob_run_base[token];
if (eob_run_get_bits[token])
eob_run += get_bits(gb, eob_run_get_bits[token]);
coeff = zero_run = 0;
- } else {
+ } else if (token >= 0) {
bits_to_get = coeff_get_bits[token];
if (!bits_to_get)
coeff = coeff_tables[token][0];
@@ -1026,6 +1026,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
zero_run = zero_run_base[token];
if (zero_run_get_bits[token])
zero_run += get_bits(gb, zero_run_get_bits[token]);
+ } else {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid token %d\n", token);
+ return -1;
}
}
@@ -1071,6 +1075,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
/* unpack the C plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* fetch the AC table indexes */
ac_y_table = get_bits(gb, 4);
@@ -1080,36 +1086,52 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
for (i = 1; i <= 5; i++) {
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_1[ac_y_table], i,
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_1[ac_c_table], i,
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
/* unpack the group 2 AC coefficients (coeffs 6-14) */
for (i = 6; i <= 14; i++) {
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_2[ac_y_table], i,
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_2[ac_c_table], i,
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
/* unpack the group 3 AC coefficients (coeffs 15-27) */
for (i = 15; i <= 27; i++) {
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_3[ac_y_table], i,
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_3[ac_c_table], i,
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
/* unpack the group 4 AC coefficients (coeffs 28-63) */
for (i = 28; i <= 63; i++) {
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_4[ac_y_table], i,
s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_4[ac_c_table], i,
s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
return 0;
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 00df736..f34a631 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -163,6 +163,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
return -1;
}
+ if (s->width & (s->vector_width - 1) ||
+ s->height & (s->vector_height - 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+ return AVERROR_INVALIDDATA;
+ }
+
/* allocate codebooks */
s->codebook_size = MAX_CODEBOOK_SIZE;
s->codebook = av_malloc(s->codebook_size);
diff --git a/libavformat/dv.c b/libavformat/dv.c
index 820c3b5..256dcd4 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -125,10 +125,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
/* We work with 720p frames split in half, thus even frames have
* channels 0,1 and odd 2,3. */
ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
- pcm = ppcm[ipcm++];
/* for each DIF channel */
for (chan = 0; chan < sys->n_difchan; chan++) {
+ /* next stereo channel (50Mbps and 100Mbps only) */
+ pcm = ppcm[ipcm++];
+ if (!pcm)
+ break;
+
/* for each DIF segment */
for (i = 0; i < sys->difseg_size; i++) {
frame += 6 * 80; /* skip DIF segment header */
@@ -176,11 +180,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
}
}
-
- /* next stereo channel (50Mbps and 100Mbps only) */
- pcm = ppcm[ipcm++];
- if (!pcm)
- break;
}
return size;
@@ -202,6 +201,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */
+ if (stype > 3) {
+ av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+ c->ach = 0;
+ return 0;
+ }
+
/* note: ach counts PAIRS of channels (i.e. stereo channels) */
ach = ((int[4]){ 1, 0, 2, 4})[stype];
if (ach == 1 && quant && freq == 2)
@@ -335,7 +340,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate;
ppcm[i] = c->audio_buf[i];
}
- dv_extract_audio(buf, ppcm, c->sys);
+ if (c->ach)
+ dv_extract_audio(buf, ppcm, c->sys);
c->abytes += size;
/* We work with 720p frames split in half, thus even frames have
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index d9ffec3..e16cd1e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1063,13 +1063,13 @@ static void matroska_convert_tags(AVFormatContext *s)
static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
{
EbmlList *seekhead_list = &matroska->seekhead;
- MatroskaSeekhead *seekhead = seekhead_list->elem;
uint32_t level_up = matroska->level_up;
int64_t before_pos = url_ftell(matroska->ctx->pb);
MatroskaLevel level;
int i;
for (i=0; i<seekhead_list->nb_elem; i++) {
+ MatroskaSeekhead *seekhead = seekhead_list->elem;
int64_t offset = seekhead[i].pos + matroska->segment_start;
if (seekhead[i].pos <= before_pos
diff --git a/libavformat/mp3.c b/libavformat/mp3.c
index fa383d6..ca41408 100644
--- a/libavformat/mp3.c
+++ b/libavformat/mp3.c
@@ -246,8 +246,17 @@ static void id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t fl
goto error;
}
- if(isv34 && flags & 0x40) /* Extended header present, just skip over it */
- url_fskip(s->pb, id3v2_get_size(s->pb, 4));
+ if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+ int extlen = id3v2_get_size(s->pb, 4);
+ if (version == 4)
+ extlen -= 4; // in v2.4 the length includes the length field we just read
+
+ if (extlen < 0) {
+ reason = "invalid extended header length";
+ goto error;
+ }
+ url_fskip(s->pb, extlen);
+ }
while(len >= taghdrlen) {
if(isv34) {
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 719337c..25b3d6c 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -317,7 +317,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
char *token, *value;
char quote;
- p = strings = av_mallocz(strings_size + 1);
+ p = strings = av_mallocz((size_t)strings_size + 1);
+ if (!p)
+ return AVERROR(ENOMEM);
endp = strings + strings_size;
get_buffer(pb, strings, strings_size);
while (p < endp) {
@@ -351,6 +353,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
return -1;
nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t));
+ if (!nsv->nsvf_index_data)
+ return AVERROR(ENOMEM);
#warning "FIXME: Byteswap buffer as needed"
get_buffer(pb, (unsigned char *)nsv->nsvf_index_data, table_entries * sizeof(uint32_t));
}
@@ -507,11 +511,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap)
for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) {
if (nsv_resync(s) < 0)
return -1;
- if (nsv->state == NSV_FOUND_NSVF)
+ if (nsv->state == NSV_FOUND_NSVF) {
err = nsv_parse_NSVf_header(s, ap);
+ if (err < 0)
+ return err;
+ }
/* we need the first NSVs also... */
if (nsv->state == NSV_FOUND_NSVS) {
err = nsv_parse_NSVs_header(s, ap);
+ if (err < 0)
+ return err;
break; /* we just want the first one */
}
}
@@ -586,12 +595,12 @@ null_chunk_retry:
}
/* map back streams to v,a */
- if (s->streams[0])
+ if (s->nb_streams > 0)
st[s->streams[0]->id] = s->streams[0];
- if (s->streams[1])
+ if (s->nb_streams > 1)
st[s->streams[1]->id] = s->streams[1];
- if (vsize/* && st[NSV_ST_VIDEO]*/) {
+ if (vsize && st[NSV_ST_VIDEO]) {
nst = st[NSV_ST_VIDEO]->priv_data;
pkt = &nsv->ahead[NSV_ST_VIDEO];
av_get_packet(pb, pkt, vsize);
@@ -606,7 +615,7 @@ null_chunk_retry:
if(st[NSV_ST_VIDEO])
((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
- if (asize/*st[NSV_ST_AUDIO]*/) {
+ if (asize && st[NSV_ST_AUDIO]) {
nst = st[NSV_ST_AUDIO]->priv_data;
pkt = &nsv->ahead[NSV_ST_AUDIO];
/* read raw audio specific header on the first audio chunk... */
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list