[SCM] libav/experimental: Imported Upstream version 9.3
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Mon May 27 20:38:47 UTC 2013
The following commit has been merged in the experimental branch:
commit 424c52a1a1849a7002c6f430634977f33edb5069
Author: Reinhard Tartler <siretart at tauware.de>
Date: Sat Mar 2 14:33:26 2013 +0100
Imported Upstream version 9.3
diff --git a/Changelog b/Changelog
index d20dca9..707bc69 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,13 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 9.3:
+- h264: fix deadlocks with broken/fuzzed files
+- flvdec: make decoder more robust
+- vorbisdec: fix buffer overflow (CVE-2013-0894)
+- ac3dec: validate channel output mode against channel count
+- doc: minor improvements
+
version 9.2:
- loco: check that there is data left after decoding a plane.
- mov: use the format context for logging.
diff --git a/RELEASE b/RELEASE
index 1a2c355..c3cae12 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-9.2
+9.3
diff --git a/VERSION b/VERSION
index 1a2c355..c3cae12 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-9.2
+9.3
diff --git a/doc/developer.texi b/doc/developer.texi
index 682a239..7d39f2d 100644
--- a/doc/developer.texi
+++ b/doc/developer.texi
@@ -221,8 +221,8 @@ set shiftwidth=4
set softtabstop=4
set cindent
set cinoptions=(0
-" allow tabs in Makefiles
-autocmd FileType make set noexpandtab shiftwidth=8 softtabstop=8
+" Allow tabs in Makefiles.
+autocmd FileType make,automake set noexpandtab shiftwidth=8 softtabstop=8
" Trailing whitespace and tabs are forbidden, so highlight them.
highlight ForbiddenWhitespace ctermbg=red guibg=red
match ForbiddenWhitespace /\s\+$\|\t/
diff --git a/doc/filters.texi b/doc/filters.texi
index 34db2f4..1933b17 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -90,7 +90,7 @@ Follows a BNF description for the filtergraph syntax:
@var{LINKLABEL} ::= "[" @var{NAME} "]"
@var{LINKLABELS} ::= @var{LINKLABEL} [@var{LINKLABELS}]
@var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted)
- at var{FILTER} ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}]
+ at var{FILTER} ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}]
@var{FILTERCHAIN} ::= @var{FILTER} [, at var{FILTERCHAIN}]
@var{FILTERGRAPH} ::= [sws_flags=@var{flags};] @var{FILTERCHAIN} [;@var{FILTERGRAPH}]
@end example
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index f15bfa2..0d1ba89 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1336,8 +1336,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
if (!err) {
avctx->sample_rate = s->sample_rate;
avctx->bit_rate = s->bit_rate;
+ }
- /* channel config */
+ /* channel config */
+ if (!err || (s->channels && s->out_channels != s->channels)) {
s->out_channels = s->channels;
s->output_mode = s->channel_mode;
if (s->lfe_on)
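Review bot: The new condition `if (!err || (s->channels && s->out_channels != s->channels))` has no comment saying why channel configuration is now redone for a frame that failed to parse; the `/* channel config */` line above it only labels the block. A comment along the lines of `/* also reconfigure after an error if the stored output channel count no longer matches the parsed one */` would record the intent, though that wording is inferred from the Changelog entry and should be confirmed. The `else if (!s->channels)` branch in the next hunk is now the only path that rejects the frame and deserves the same one-line explanation. ac3_decode_frame starts and ends outside both hunks.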
@@ -1356,18 +1358,18 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
s->fbw_channels == s->out_channels)) {
set_downmix_coeffs(s);
}
- } else if (!s->out_channels) {
- s->out_channels = avctx->channels;
- if (s->out_channels < s->channels)
- s->output_mode = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO;
+ } else if (!s->channels) {
+ av_log(avctx, AV_LOG_ERROR, "unable to determine channel mode\n");
+ return AVERROR_INVALIDDATA;
}
+ avctx->channels = s->out_channels;
+
/* set audio service type based on bitstream mode for AC-3 */
avctx->audio_service_type = s->bitstream_mode;
if (s->bitstream_mode == 0x7 && s->channels > 1)
avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;
/* get output buffer */
- avctx->channels = s->out_channels;
s->frame.nb_samples = s->num_blocks * 256;
if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 848d6a2..54f6186 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3039,14 +3039,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->list_count = 2;
else
h->list_count = 1;
- } else
+ } else {
h->list_count = 0;
+ h->ref_count[0] = h->ref_count[1] = 0;
+ }
+
max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0] = h->ref_count[1] = 1;
+ h->ref_count[0] = h->ref_count[1] = 0;
return AVERROR_INVALIDDATA;
}
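Review bot: The `reference overflow` message logs neither the offending counts nor the limit, which makes a damaged or fuzzed stream hard to triage from logs alone. Printing them, e.g. `"reference overflow %u > %u or %u > %u\n"` with `h->ref_count[0]`, `h->ref_count[1]` and `max_refs`, would help; the declared types are outside the hunk, so match the format specifiers to them. The two resets of `h->ref_count[]` to 0 also have no comment, and a short one such as `/* leave no stale counts behind for code that walks the reference lists */` would explain why 0 replaced 1, assuming that is the reason behind the deadlock fix named in the Changelog. decode_slice_header continues outside the hunk.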
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index aac9019..884cd5b 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -585,16 +585,24 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
floor_setup->decode = vorbis_floor0_decode;
floor_setup->data.t0.order = get_bits(gb, 8);
+ if (!floor_setup->data.t0.order) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor 0 order is 0.\n");
+ return AVERROR_INVALIDDATA;
+ }
floor_setup->data.t0.rate = get_bits(gb, 16);
+ if (!floor_setup->data.t0.rate) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor 0 rate is 0.\n");
+ return AVERROR_INVALIDDATA;
+ }
floor_setup->data.t0.bark_map_size = get_bits(gb, 16);
- floor_setup->data.t0.amplitude_bits = get_bits(gb, 6);
- /* zero would result in a div by zero later *
- * 2^0 - 1 == 0 */
- if (floor_setup->data.t0.amplitude_bits == 0) {
+ if (floor_setup->data.t0.bark_map_size == 0) {
av_log(vc->avccontext, AV_LOG_ERROR,
- "Floor 0 amplitude bits is 0.\n");
+ "Floor 0 bark map size is 0.\n");
return AVERROR_INVALIDDATA;
}
+ floor_setup->data.t0.amplitude_bits = get_bits(gb, 6);
floor_setup->data.t0.amplitude_offset = get_bits(gb, 8);
floor_setup->data.t0.num_books = get_bits(gb, 4) + 1;
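Review bot: The three new zero checks on `order`, `rate` and `bark_map_size` give no reason why zero is invalid, whereas the `amplitude_bits` check they replace had a comment naming the later division by zero. Each check would benefit from a one-line comment saying which later computation or allocation needs the field to be non-zero, for example `/* bark_map_size of 0 is rejected here; later floor 0 setup relies on it being non-zero */`. The uses of these fields are outside the hunk, so the wording needs confirming against them. The third check is written `== 0` while the first two use `!`; one form should be used throughout. vorbis_parse_setup_hdr_floors continues outside the hunk.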
@@ -1048,6 +1056,9 @@ static int vorbis_floor0_decode(vorbis_context *vc,
unsigned amplitude, book_idx;
unsigned blockflag = vc->modes[vc->mode_number].blockflag;
+ if (!vf->amplitude_bits)
+ return 1;
+
amplitude = get_bits(&vc->gb, vf->amplitude_bits);
if (amplitude > 0) {
float last = 0;
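Review bot: The early `return 1;` taken when `vf->amplitude_bits` is 0 is unexplained, and what a return value of 1 means to the caller is not visible in this hunk. A comment such as `/* amplitude_bits may be 0: do not call get_bits() with a zero width, report the floor as unused */` would document both the guard and the return code, assuming 1 is this decoder's "floor unused" result. This runtime guard replaces the setup-time rejection removed in the previous hunk, which should be stated next to it so the two are not later "fixed" independently. vorbis_floor0_decode continues outside the hunk.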
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 7d5ea56..403a9b5 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -201,7 +201,7 @@ static int flv_same_video_codec(AVCodecContext *vcodec, int flags)
return 0;
}
-static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid) {
+static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid, int read) {
AVCodecContext *vcodec = vstream->codec;
switch(flv_codecid) {
case FLV_CODECID_H263 : vcodec->codec_id = AV_CODEC_ID_FLV1 ; break;
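Review bot: The new `read` parameter is undocumented, and wherever `<unistd.h>` is in scope its name shadows the libc `read()` function inside flv_set_video_codec, which `-Wshadow` reports. Renaming it, e.g. `int read_extradata`, and adding a line above the function such as `/* read_extradata: non-zero when called from the packet reader, where the one-byte VP6 header may be consumed from s->pb */` would make the two call modes clear. The later hunks pass 0 from amf_parse_object and 1 from flv_read_packet. The function body continues outside this hunk.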
@@ -211,11 +211,17 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_co
case FLV_CODECID_VP6A :
if(flv_codecid == FLV_CODECID_VP6A)
vcodec->codec_id = AV_CODEC_ID_VP6A;
- if(vcodec->extradata_size != 1) {
- vcodec->extradata_size = 1;
- vcodec->extradata = av_malloc(1);
+ if (read) {
+ if (vcodec->extradata_size != 1) {
+ vcodec->extradata = av_malloc(1);
+ if (vcodec->extradata)
+ vcodec->extradata_size = 1;
+ }
+ if (vcodec->extradata)
+ vcodec->extradata[0] = avio_r8(s->pb);
+ else
+ avio_skip(s->pb, 1);
}
- vcodec->extradata[0] = avio_r8(s->pb);
return 1; // 1 byte body size adjustment for flv_read_packet()
case FLV_CODECID_H264:
vcodec->codec_id = AV_CODEC_ID_H264;
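Review bot: When `extradata_size` is a value other than 1, the new block overwrites `vcodec->extradata` without freeing the previous buffer, and if av_malloc() fails it leaves `extradata == NULL` while the old non-zero `extradata_size` stays in place. A later consumer that trusts the size would then read through a NULL pointer. Resetting first, with `av_freep(&vcodec->extradata); vcodec->extradata_size = 0;` placed just before the `av_malloc(1)`, keeps pointer and size consistent on every path. Separately, libavcodec expects extradata to carry FF_INPUT_BUFFER_PADDING_SIZE bytes of zeroed padding, so the one-byte allocation should be checked against that rule. The switch continues outside the hunk.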
@@ -408,7 +414,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst
st->codec->codec_id = AV_CODEC_ID_TEXT;
} else if (flv->trust_metadata) {
if (!strcmp(key, "videocodecid") && vcodec) {
- flv_set_video_codec(s, vstream, num_val);
+ flv_set_video_codec(s, vstream, num_val, 0);
} else
if (!strcmp(key, "audiocodecid") && acodec) {
flv_set_audio_codec(s, astream, acodec, num_val);
@@ -766,7 +772,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt)
sample_rate = ctx.sample_rate;
}
}else{
- size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK);
+ size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1);
}
if (st->codec->codec_id == AV_CODEC_ID_AAC ||
--
Libav/FFmpeg packaging