[SCM] libav/experimental: Imported Upstream version 9.4
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Mon May 27 20:38:48 UTC 2013
The following commit has been merged in the experimental branch:
commit 7e680b9e49144b3090862e9bd24b579ca09e4692
Author: Reinhard Tartler <siretart at tauware.de>
Date: Sun Mar 24 07:26:19 2013 +0100
Imported Upstream version 9.4
diff --git a/Changelog b/Changelog
index 707bc69..b7f7e94 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,29 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 9.4:
+- atrac3: avoid oversized shifting in decode_bytes()
+- eamad: allocate a dummy reference frame when the real one is missing
+- ffv1: fix calculating slice dimensions for version 2
+- flacdec: simplify bounds checking in flac_probe()
+- h264: check for luma and chroma bit dept being equal (CVE-2013-2277)
+- hqdn3d: Fix out of array read in LOWPASS
+- iff: validate CMAP palette size (CVE-2013-2495)
+- ivi_common: do not call MC for intra frames when dc_transform is unset
+- libmp3lame: use the correct remaining buffer size when flushing
+- lzo: fix overflow checking in copy_backptr()
+- mp3dec: Fix VBR bit rate parsing
+- png: use av_mallocz_array() for the zlib zalloc function
+- roqvideodec: fix a potential infinite loop in roqvideo_decode_frame()
+- shorten: fix various programming mistakes
+- vf_gradfun: fix uninitialized variable use
+- vf_hqdn3d: fix uninitialized variable use
+- vmdaudio: fix invalid reads when packet size is not a multiple of chunk size
+- wmadec: require block_align to be set
+- wmaprodec: require block_align to be set
+- wmaprodec: return an error, not 0, when the input is too small
+- xxan: fix invalid memory access in xan_decode_frame_type0()
+
version 9.3:
- h264: fix deadlocks with broken/fuzzed files
- flvdec: make decoder more robust
@@ -28,7 +51,7 @@ version 9.2:
- libopencore-amr: Conditionally compile decoder and encoder bits
- arm: Fall back to runtime cpu feature detection via /proc/cpuinfo
- xxan: properly handle odd heights
-- msrledec: check bounds before constructing a possibly invalid pointer,
+- msrledec: check bounds before constructing a possibly invalid pointer (CVE-2496)
- qtrle: fix the topmost line for 1bit
- aasc: fix output for msrle compression
- yop: check for input overreads
diff --git a/RELEASE b/RELEASE
index c3cae12..0359f24 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-9.3
+9.4
diff --git a/VERSION b/VERSION
index c3cae12..0359f24 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-9.3
+9.4
diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index a46b0b1..910c15e 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -164,7 +164,10 @@ static int decode_bytes(const uint8_t *input, uint8_t *out, int bytes)
off = (intptr_t)input & 3;
buf = (const uint32_t *)(input - off);
- c = av_be2ne32((0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8))));
+ if (off)
+ c = av_be2ne32((0x537F6103U >> (off * 8)) | (0x537F6103U << (32 - (off * 8))));
+ else
+ c = av_be2ne32(0x537F6103U);
bytes += 3 + off;
for (i = 0; i < bytes / 4; i++)
output[i] = c ^ buf[i];
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index cf44ae9..bb4c7ba 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -264,6 +264,21 @@ static int decode_frame(AVCodecContext *avctx,
}
}
+ if (inter && !s->last_frame.data[0]) {
+ int ret;
+ av_log(avctx, AV_LOG_WARNING, "Missing reference frame.\n");
+ s->last_frame.reference = 1;
+ ret = ff_get_buffer(avctx, &s->last_frame);
+ if (ret < 0)
+ return ret;
+ memset(s->last_frame.data[0], 0, s->last_frame.height *
+ s->last_frame.linesize[0]);
+ memset(s->last_frame.data[1], 0x80, s->last_frame.height / 2 *
+ s->last_frame.linesize[1]);
+ memset(s->last_frame.data[2], 0x80, s->last_frame.height / 2 *
+ s->last_frame.linesize[2]);
+ }
+
av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size,
buf_end - buf);
if (!s->bitstream_buf)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 72f255c..97e2bd5 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -735,8 +735,8 @@ static int read_header(FFV1Context *f)
fs->slice_x /= f->num_h_slices;
fs->slice_y /= f->num_v_slices;
- fs->slice_width /= f->num_h_slices - fs->slice_x;
- fs->slice_height /= f->num_v_slices - fs->slice_y;
+ fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x;
+ fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y;
if ((unsigned)fs->slice_width > f->width ||
(unsigned)fs->slice_height > f->height)
return AVERROR_INVALIDDATA;
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 54f6186..8625b0f 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2421,6 +2421,12 @@ static int h264_set_parameter_from_sps(H264Context *h)
if (s->avctx->has_b_frames < 2)
s->avctx->has_b_frames = !s->low_delay;
+ if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
+ av_log_missing_feature(s->avctx,
+ "Different bit depth between chroma and luma", 1);
+ return AVERROR_PATCHWELCOME;
+ }
+
if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||
h->cur_chroma_format_idc != h->sps.chroma_format_idc) {
if (s->avctx->codec &&
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 76782e5..3bdcbab 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -527,9 +527,10 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile
/* block not coded */
/* for intra blocks apply the dc slant transform */
/* for inter - perform the motion compensation without delta */
- if (is_intra && band->dc_transform) {
- band->dc_transform(&prev_dc, band->buf + buf_offs,
- band->pitch, blk_size);
+ if (is_intra) {
+ if (band->dc_transform)
+ band->dc_transform(&prev_dc, band->buf + buf_offs,
+ band->pitch, blk_size);
} else
mc_no_delta_func(band->buf + buf_offs,
band->ref_buf + buf_offs + mv_y * band->pitch + mv_x,
diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c
index 264a0e2..8746573 100644
--- a/libavcodec/libmp3lame.c
+++ b/libavcodec/libmp3lame.c
@@ -217,7 +217,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
}
} else {
lame_result = lame_encode_flush(s->gfp, s->buffer + s->buffer_index,
- BUFFER_SIZE - s->buffer_index);
+ s->buffer_size - s->buffer_index);
}
if (lame_result < 0) {
if (lame_result == -1) {
diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index c904873..58ea452 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -30,6 +30,7 @@ typedef struct MpegAudioParseContext {
int frame_size;
uint32_t header;
int header_count;
+ int no_bitrate;
} MpegAudioParseContext;
#define MPA_HEADER_SIZE 4
@@ -80,7 +81,10 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
avctx->sample_rate= sr;
avctx->channels = channels;
s1->duration = frame_size;
- avctx->bit_rate = bit_rate;
+ if (s->no_bitrate || !avctx->bit_rate) {
+ s->no_bitrate = 1;
+ avctx->bit_rate += (bit_rate - avctx->bit_rate) / s->header_count;
+ }
}
break;
}
diff --git a/libavcodec/png.c b/libavcodec/png.c
index 70a080e..65d6964 100644
--- a/libavcodec/png.c
+++ b/libavcodec/png.c
@@ -47,9 +47,7 @@ const uint8_t ff_png_pass_mask[NB_PASSES] = {
void *ff_png_zalloc(void *opaque, unsigned int items, unsigned int size)
{
- if(items >= UINT_MAX / size)
- return NULL;
- return av_malloc(items * size);
+ return av_mallocz_array(items, size);
}
void ff_png_zfree(void *opaque, void *ptr)
diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
index 3ee62c0..d156a84 100644
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -43,7 +43,7 @@ static void roqvideo_decode_frame(RoqContext *ri)
roq_qcell *qcell;
int64_t chunk_start;
- while (bytestream2_get_bytes_left(&ri->gb) > 0) {
+ while (bytestream2_get_bytes_left(&ri->gb) >= 8) {
chunk_id = bytestream2_get_le16(&ri->gb);
chunk_size = bytestream2_get_le32(&ri->gb);
chunk_arg = bytestream2_get_le16(&ri->gb);
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 1dc010f..0b4a473 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -84,7 +84,7 @@ typedef struct ShortenContext {
GetBitContext gb;
int min_framesize, max_framesize;
- int channels;
+ unsigned channels;
int32_t *decoded[MAX_CHANNELS];
int32_t *decoded_base[MAX_CHANNELS];
@@ -109,10 +109,10 @@ typedef struct ShortenContext {
int got_quit_command;
} ShortenContext;
-static av_cold int shorten_decode_init(AVCodecContext * avctx)
+static av_cold int shorten_decode_init(AVCodecContext *avctx)
{
ShortenContext *s = avctx->priv_data;
- s->avctx = avctx;
+ s->avctx = avctx;
avctx->sample_fmt = AV_SAMPLE_FMT_S16P;
avcodec_get_frame_defaults(&s->frame);
@@ -127,17 +127,20 @@ static int allocate_buffers(ShortenContext *s)
int *coeffs;
void *tmp_ptr;
- for (chan=0; chan<s->channels; chan++) {
- if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+ for (chan = 0; chan < s->channels; chan++) {
+ if (FFMAX(1, s->nmean) >= UINT_MAX / sizeof(int32_t)) {
av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
- if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
- av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
- return -1;
+ if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) ||
+ s->blocksize + s->nwrap <= (unsigned)s->nwrap) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "s->blocksize + s->nwrap too large\n");
+ return AVERROR_INVALIDDATA;
}
- tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ tmp_ptr =
+ av_realloc(s->offset[chan], sizeof(int32_t) * FFMAX(1, s->nmean));
if (!tmp_ptr)
return AVERROR(ENOMEM);
s->offset[chan] = tmp_ptr;
@@ -147,7 +150,7 @@ static int allocate_buffers(ShortenContext *s)
if (!tmp_ptr)
return AVERROR(ENOMEM);
s->decoded_base[chan] = tmp_ptr;
- for (i=0; i<s->nwrap; i++)
+ for (i = 0; i < s->nwrap; i++)
s->decoded_base[chan][i] = 0;
s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
}
@@ -160,7 +163,6 @@ static int allocate_buffers(ShortenContext *s)
return 0;
}
-
static inline unsigned int get_uint(ShortenContext *s, int k)
{
if (s->version != 0)
@@ -168,7 +170,6 @@ static inline unsigned int get_uint(ShortenContext *s, int k)
return get_ur_golomb_shorten(&s->gb, k);
}
-
static void fix_bitshift(ShortenContext *s, int32_t *buffer)
{
int i;
@@ -178,22 +179,20 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer)
buffer[i] <<= s->bitshift;
}
-
static int init_offset(ShortenContext *s)
{
int32_t mean = 0;
- int chan, i;
+ int chan, i;
int nblock = FFMAX(1, s->nmean);
/* initialise offset */
- switch (s->internal_ftype)
- {
- case TYPE_S16HL:
- case TYPE_S16LH:
- mean = 0;
- break;
- default:
- av_log(s->avctx, AV_LOG_ERROR, "unknown audio type");
- return AVERROR_INVALIDDATA;
+ switch (s->internal_ftype) {
+ case TYPE_S16HL:
+ case TYPE_S16LH:
+ mean = 0;
+ break;
+ default:
+ av_log(s->avctx, AV_LOG_ERROR, "unknown audio type");
+ return AVERROR_INVALIDDATA;
}
for (chan = 0; chan < s->channels; chan++)
@@ -208,38 +207,37 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
int len;
short wave_format;
-
- if (bytestream_get_le32(&header) != MKTAG('R','I','F','F')) {
+ if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) {
av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
- header += 4; /* chunk size */;
+ header += 4; /* chunk size */
- if (bytestream_get_le32(&header) != MKTAG('W','A','V','E')) {
+ if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) {
av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
- while (bytestream_get_le32(&header) != MKTAG('f','m','t',' ')) {
- len = bytestream_get_le32(&header);
+ while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) {
+ len = bytestream_get_le32(&header);
header += len;
}
len = bytestream_get_le32(&header);
if (len < 16) {
av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
wave_format = bytestream_get_le16(&header);
switch (wave_format) {
- case WAVE_FORMAT_PCM:
- break;
- default:
- av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n");
- return -1;
+ case WAVE_FORMAT_PCM:
+ break;
+ default:
+ av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n");
+ return AVERROR(ENOSYS);
}
header += 2; // skip channels (already got from shorten header)
@@ -250,7 +248,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
if (avctx->bits_per_coded_sample != 16) {
av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n");
- return -1;
+ return AVERROR(ENOSYS);
}
len -= 16;
@@ -288,11 +286,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
/* read/validate prediction order */
pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE);
if (pred_order > s->nwrap) {
- av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order);
+ av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n",
+ pred_order);
return AVERROR(EINVAL);
}
/* read LPC coefficients */
- for (i=0; i<pred_order; i++)
+ for (i = 0; i < pred_order; i++)
s->coeffs[i] = get_sr_golomb_shorten(&s->gb, LPCQUANT);
coeffs = s->coeffs;
@@ -300,7 +299,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
} else {
/* fixed LPC coeffs */
pred_order = command;
- coeffs = fixed_coeffs[pred_order-1];
+ coeffs = fixed_coeffs[pred_order - 1];
qshift = 0;
}
@@ -311,11 +310,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
/* decode residual and do LPC prediction */
init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset;
- for (i=0; i < s->blocksize; i++) {
+ for (i = 0; i < s->blocksize; i++) {
sum = init_sum;
- for (j=0; j<pred_order; j++)
- sum += coeffs[j] * s->decoded[channel][i-j-1];
- s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift);
+ for (j = 0; j < pred_order; j++)
+ sum += coeffs[j] * s->decoded[channel][i - j - 1];
+ s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) +
+ (sum >> qshift);
}
/* add offset to current samples */
@@ -333,41 +333,47 @@ static int read_header(ShortenContext *s)
/* shorten signature */
if (get_bits_long(&s->gb, 32) != AV_RB32("ajkg")) {
av_log(s->avctx, AV_LOG_ERROR, "missing shorten magic 'ajkg'\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
- s->lpcqoffset = 0;
- s->blocksize = DEFAULT_BLOCK_SIZE;
- s->nmean = -1;
- s->version = get_bits(&s->gb, 8);
+ s->lpcqoffset = 0;
+ s->blocksize = DEFAULT_BLOCK_SIZE;
+ s->nmean = -1;
+ s->version = get_bits(&s->gb, 8);
s->internal_ftype = get_uint(s, TYPESIZE);
s->channels = get_uint(s, CHANSIZE);
- if (s->channels <= 0 || s->channels > MAX_CHANNELS) {
+ if (!s->channels) {
+ av_log(s->avctx, AV_LOG_ERROR, "No channels reported\n");
+ return AVERROR_INVALIDDATA;
+ }
+ if (s->channels > MAX_CHANNELS) {
av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels);
- return -1;
+ s->channels = 0;
+ return AVERROR_INVALIDDATA;
}
s->avctx->channels = s->channels;
/* get blocksize if version > 0 */
if (s->version > 0) {
- int skip_bytes, blocksize;
+ int skip_bytes;
+ unsigned blocksize;
blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE));
if (!blocksize || blocksize > MAX_BLOCKSIZE) {
- av_log(s->avctx, AV_LOG_ERROR, "invalid or unsupported block size: %d\n",
+ av_log(s->avctx, AV_LOG_ERROR,
+ "invalid or unsupported block size: %d\n",
blocksize);
return AVERROR(EINVAL);
}
s->blocksize = blocksize;
- maxnlpc = get_uint(s, LPCQSIZE);
+ maxnlpc = get_uint(s, LPCQSIZE);
s->nmean = get_uint(s, 0);
skip_bytes = get_uint(s, NSKIPSIZE);
- for (i=0; i<skip_bytes; i++) {
+ for (i = 0; i < skip_bytes; i++)
skip_bits(&s->gb, 8);
- }
}
s->nwrap = FFMAX(NWRAP, maxnlpc);
@@ -381,21 +387,24 @@ static int read_header(ShortenContext *s)
s->lpcqoffset = V2LPCQOFFSET;
if (get_ur_golomb_shorten(&s->gb, FNSIZE) != FN_VERBATIM) {
- av_log(s->avctx, AV_LOG_ERROR, "missing verbatim section at beginning of stream\n");
- return -1;
+ av_log(s->avctx, AV_LOG_ERROR,
+ "missing verbatim section at beginning of stream\n");
+ return AVERROR_INVALIDDATA;
}
s->header_size = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE);
- if (s->header_size >= OUT_BUFFER_SIZE || s->header_size < CANONICAL_HEADER_SIZE) {
- av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", s->header_size);
- return -1;
+ if (s->header_size >= OUT_BUFFER_SIZE ||
+ s->header_size < CANONICAL_HEADER_SIZE) {
+ av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n",
+ s->header_size);
+ return AVERROR_INVALIDDATA;
}
- for (i=0; i<s->header_size; i++)
+ for (i = 0; i < s->header_size; i++)
s->header[i] = (char)get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE);
- if (decode_wave_header(s->avctx, s->header, s->header_size) < 0)
- return -1;
+ if ((ret = decode_wave_header(s->avctx, s->header, s->header_size)) < 0)
+ return ret;
s->cur_chan = 0;
s->bitshift = 0;
@@ -409,15 +418,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
int *got_frame_ptr, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
- ShortenContext *s = avctx->priv_data;
+ int buf_size = avpkt->size;
+ ShortenContext *s = avctx->priv_data;
int i, input_buf_size = 0;
int ret;
/* allocate internal bitstream buffer */
- if(s->max_framesize == 0){
+ if (s->max_framesize == 0) {
void *tmp_ptr;
- s->max_framesize= 1024; // should hopefully be enough for the first header
+ s->max_framesize = 1024; // should hopefully be enough for the first header
tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
s->max_framesize);
if (!tmp_ptr) {
@@ -428,29 +437,32 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
}
/* append current packet data to bitstream buffer */
- if(1 && s->max_framesize){//FIXME truncated
- buf_size= FFMIN(buf_size, s->max_framesize - s->bitstream_size);
- input_buf_size= buf_size;
-
- if(s->bitstream_index + s->bitstream_size + buf_size > s->allocated_bitstream_size){
- memmove(s->bitstream, &s->bitstream[s->bitstream_index], s->bitstream_size);
- s->bitstream_index=0;
+ if (1 && s->max_framesize) { //FIXME truncated
+ buf_size = FFMIN(buf_size, s->max_framesize - s->bitstream_size);
+ input_buf_size = buf_size;
+
+ if (s->bitstream_index + s->bitstream_size + buf_size >
+ s->allocated_bitstream_size) {
+ memmove(s->bitstream, &s->bitstream[s->bitstream_index],
+ s->bitstream_size);
+ s->bitstream_index = 0;
}
if (buf)
- memcpy(&s->bitstream[s->bitstream_index + s->bitstream_size], buf, buf_size);
- buf= &s->bitstream[s->bitstream_index];
- buf_size += s->bitstream_size;
- s->bitstream_size= buf_size;
+ memcpy(&s->bitstream[s->bitstream_index + s->bitstream_size], buf,
+ buf_size);
+ buf = &s->bitstream[s->bitstream_index];
+ buf_size += s->bitstream_size;
+ s->bitstream_size = buf_size;
/* do not decode until buffer has at least max_framesize bytes or
- the end of the file has been reached */
+ * the end of the file has been reached */
if (buf_size < s->max_framesize && avpkt->data) {
*got_frame_ptr = 0;
return input_buf_size;
}
}
/* init and position bitstream reader */
- init_get_bits(&s->gb, buf, buf_size*8);
+ init_get_bits(&s->gb, buf, buf_size * 8);
skip_bits(&s->gb, s->bitindex);
/* process header or next subblock */
@@ -472,7 +484,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
int cmd;
int len;
- if (get_bits_left(&s->gb) < 3+FNSIZE) {
+ if (get_bits_left(&s->gb) < 3 + FNSIZE) {
*got_frame_ptr = 0;
break;
}
@@ -488,32 +500,32 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
if (!is_audio_command[cmd]) {
/* process non-audio command */
switch (cmd) {
- case FN_VERBATIM:
- len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE);
- while (len--) {
- get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE);
- }
- break;
- case FN_BITSHIFT:
- s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
- break;
- case FN_BLOCKSIZE: {
- int blocksize = get_uint(s, av_log2(s->blocksize));
- if (blocksize > s->blocksize) {
- av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
- return AVERROR_PATCHWELCOME;
- }
- if (!blocksize || blocksize > MAX_BLOCKSIZE) {
- av_log(avctx, AV_LOG_ERROR, "invalid or unsupported "
- "block size: %d\n", blocksize);
- return AVERROR(EINVAL);
- }
- s->blocksize = blocksize;
- break;
+ case FN_VERBATIM:
+ len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE);
+ while (len--)
+ get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE);
+ break;
+ case FN_BITSHIFT:
+ s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
+ break;
+ case FN_BLOCKSIZE: {
+ unsigned blocksize = get_uint(s, av_log2(s->blocksize));
+ if (blocksize > s->blocksize) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Increasing block size is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+ if (!blocksize || blocksize > MAX_BLOCKSIZE) {
+ av_log(avctx, AV_LOG_ERROR, "invalid or unsupported "
+ "block size: %d\n", blocksize);
+ return AVERROR(EINVAL);
}
- case FN_QUIT:
- s->got_quit_command = 1;
- break;
+ s->blocksize = blocksize;
+ break;
+ }
+ case FN_QUIT:
+ s->got_quit_command = 1;
+ break;
}
if (cmd == FN_BLOCKSIZE || cmd == FN_QUIT) {
*got_frame_ptr = 0;
@@ -539,7 +551,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
coffset = s->offset[channel][0];
else {
int32_t sum = (s->version < 2) ? 0 : s->nmean / 2;
- for (i=0; i<s->nmean; i++)
+ for (i = 0; i < s->nmean; i++)
sum += s->offset[channel][i];
coffset = sum / s->nmean;
if (s->version >= 2)
@@ -548,21 +560,22 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
/* decode samples for this channel */
if (cmd == FN_ZERO) {
- for (i=0; i<s->blocksize; i++)
+ for (i = 0; i < s->blocksize; i++)
s->decoded[channel][i] = 0;
} else {
- if ((ret = decode_subframe_lpc(s, cmd, channel, residual_size, coffset)) < 0)
+ if ((ret = decode_subframe_lpc(s, cmd, channel,
+ residual_size, coffset)) < 0)
return ret;
}
/* update means with info from the current block */
if (s->nmean > 0) {
int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2;
- for (i=0; i<s->blocksize; i++)
+ for (i = 0; i < s->blocksize; i++)
sum += s->decoded[channel][i];
- for (i=1; i<s->nmean; i++)
- s->offset[channel][i-1] = s->offset[channel][i];
+ for (i = 1; i < s->nmean; i++)
+ s->offset[channel][i - 1] = s->offset[channel][i];
if (s->version < 2)
s->offset[channel][s->nmean - 1] = sum / s->blocksize;
@@ -571,11 +584,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
}
/* copy wrap samples for use with next block */
- for (i=-s->nwrap; i<0; i++)
+ for (i = -s->nwrap; i < 0; i++)
s->decoded[channel][i] = s->decoded[channel][i + s->blocksize];
/* shift samples to add in unused zero bits which were removed
- during encoding */
+ * during encoding */
fix_bitshift(s, s->decoded[channel]);
/* if this is the last channel in the block, output the samples */
@@ -600,13 +613,13 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
*got_frame_ptr = 0;
finish_frame:
- s->bitindex = get_bits_count(&s->gb) - 8*((get_bits_count(&s->gb))/8);
- i= (get_bits_count(&s->gb))/8;
+ s->bitindex = get_bits_count(&s->gb) - 8 * (get_bits_count(&s->gb) / 8);
+ i = get_bits_count(&s->gb) / 8;
if (i > buf_size) {
av_log(s->avctx, AV_LOG_ERROR, "overread: %d\n", i - buf_size);
- s->bitstream_size=0;
- s->bitstream_index=0;
- return -1;
+ s->bitstream_size = 0;
+ s->bitstream_index = 0;
+ return AVERROR_INVALIDDATA;
}
if (s->bitstream_size) {
s->bitstream_index += i;
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index cffc00a..2bb1fc3 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -631,7 +631,7 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data,
/* decode audio chunks */
if (audio_chunks > 0) {
buf_end = buf + buf_size;
- while (buf < buf_end) {
+ while (buf + s->chunk_size <= buf_end) {
if (s->out_bps == 2) {
decode_audio_s16(output_samples_s16, buf, s->chunk_size,
avctx->channels);
diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
index e2803bb..2f4afd3 100644
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -72,6 +72,11 @@ static int wma_decode_init(AVCodecContext * avctx)
int i, flags2;
uint8_t *extradata;
+ if (!avctx->block_align) {
+ av_log(avctx, AV_LOG_ERROR, "block_align is not set\n");
+ return AVERROR(EINVAL);
+ }
+
s->avctx = avctx;
/* extract flag infos */
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index d58278b..efc8fce 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -280,6 +280,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
int log2_max_num_subframes;
int num_possible_block_sizes;
+ if (!avctx->block_align) {
+ av_log(avctx, AV_LOG_ERROR, "block_align is not set\n");
+ return AVERROR(EINVAL);
+ }
+
s->avctx = avctx;
ff_dsputil_init(&s->dsp, avctx);
avpriv_float_dsp_init(&s->fdsp, avctx->flags & CODEC_FLAG_BITEXACT);
@@ -1504,8 +1509,11 @@ static int decode_packet(AVCodecContext *avctx, void *data,
s->packet_done = 0;
/** sanity check for the buffer length */
- if (buf_size < avctx->block_align)
- return 0;
+ if (buf_size < avctx->block_align) {
+ av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n",
+ buf_size, avctx->block_align);
+ return AVERROR_INVALIDDATA;
+ }
s->next_packet_start = buf_size - avctx->block_align;
buf_size = avctx->block_align;
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 231ed90..84ffdec 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -307,7 +307,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx)
int dec_size;
bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
- dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
+ dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2);
if (dec_size < 0)
dec_size = 0;
for (i = 0; i < dec_size; i++)
diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c
index 2c9a976..79e1490 100644
--- a/libavfilter/vf_gradfun.c
+++ b/libavfilter/vf_gradfun.c
@@ -193,6 +193,7 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *in)
direct = 1;
out = in;
} else {
+ direct = 0;
out = ff_get_video_buffer(outlink, AV_PERM_WRITE, outlink->w, outlink->h);
if (!out) {
avfilter_unref_bufferp(&in);
diff --git a/libavfilter/vf_hqdn3d.c b/libavfilter/vf_hqdn3d.c
index 085900f..e2d90d5 100644
--- a/libavfilter/vf_hqdn3d.c
+++ b/libavfilter/vf_hqdn3d.c
@@ -50,10 +50,10 @@ void ff_hqdn3d_row_10_x86(uint8_t *src, uint8_t *dst, uint16_t *line_ant, uint16
void ff_hqdn3d_row_16_x86(uint8_t *src, uint8_t *dst, uint16_t *line_ant, uint16_t *frame_ant, ptrdiff_t w, int16_t *spatial, int16_t *temporal);
#define LUT_BITS (depth==16 ? 8 : 4)
-#define RIGHTSHIFT(a,b) (((a)+(((1<<(b))-1)>>1))>>(b))
-#define LOAD(x) ((depth==8 ? src[x] : AV_RN16A(src+(x)*2)) << (16-depth))
-#define STORE(x,val) (depth==8 ? dst[x] = RIGHTSHIFT(val, 16-depth)\
- : AV_WN16A(dst+(x)*2, RIGHTSHIFT(val, 16-depth)))
+#define LOAD(x) (((depth == 8 ? src[x] : AV_RN16A(src + (x) * 2)) << (16 - depth))\
+ + (((1 << (16 - depth)) - 1) >> 1))
+#define STORE(x,val) (depth == 8 ? dst[x] = (val) >> (16 - depth) : \
+ AV_WN16A(dst + (x) * 2, (val) >> (16 - depth)))
av_always_inline
static uint32_t lowpass(int prev, int cur, int16_t *coef, int depth)
@@ -333,6 +333,7 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *in)
direct = 1;
out = in;
} else {
+ direct = 0;
out = ff_get_video_buffer(outlink, AV_PERM_WRITE, outlink->w, outlink->h);
if (!out) {
avfilter_unref_bufferp(&in);
diff --git a/libavfilter/x86/hqdn3d.asm b/libavfilter/x86/hqdn3d.asm
index dee2c96..02632a1 100644
--- a/libavfilter/x86/hqdn3d.asm
+++ b/libavfilter/x86/hqdn3d.asm
@@ -39,6 +39,7 @@ SECTION .text
%endif
%if %3 != 16
shl %1, 16-%3
+ add %1, (1<<(15-%3))-1
%endif
%endmacro
@@ -86,7 +87,6 @@ ALIGN 16
mov [frameantq+xq*2], t0w
movifnidn dstq, dstmp
%if %1 != 16
- add t0d, (1<<(15-%1))-1
shr t0d, 16-%1 ; could eliminate this by storing from t0h, but only with some contraints on register allocation
%endif
%if %1 == 8
diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c
index f19f95d..fcacf19 100644
--- a/libavformat/flacdec.c
+++ b/libavformat/flacdec.c
@@ -278,11 +278,9 @@ static int flac_read_header(AVFormatContext *s)
static int flac_probe(AVProbeData *p)
{
- uint8_t *bufptr = p->buf;
- uint8_t *end = p->buf + p->buf_size;
-
- if(bufptr > end-4 || memcmp(bufptr, "fLaC", 4)) return 0;
- else return AVPROBE_SCORE_MAX/2;
+ if (p->buf_size < 4 || memcmp(p->buf, "fLaC", 4))
+ return 0;
+ return AVPROBE_SCORE_MAX/2;
}
AVInputFormat ff_flac_demuxer = {
diff --git a/libavformat/iff.c b/libavformat/iff.c
index ab22e11..79f5f16 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s)
break;
case ID_CMAP:
+ if (data_size < 3 || data_size > 768 || data_size % 3) {
+ av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+ data_size);
+ return AVERROR_INVALIDDATA;
+ }
st->codec->extradata_size = data_size;
st->codec->extradata = av_malloc(data_size);
if (!st->codec->extradata)
diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
index 7d0c2fb..48deefd 100644
--- a/libavformat/mp3dec.c
+++ b/libavformat/mp3dec.c
@@ -128,6 +128,7 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base)
const int64_t xing_offtbl[2][2] = {{32, 17}, {17,9}};
MPADecodeHeader c;
int vbrtag_size = 0;
+ int is_cbr;
v = avio_rb32(s->pb);
if(ff_mpa_check_header(v) < 0)
@@ -143,7 +144,8 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base)
/* Check for Xing / Info tag */
avio_skip(s->pb, xing_offtbl[c.lsf == 1][c.nb_channels == 1]);
v = avio_rb32(s->pb);
- if(v == MKBETAG('X', 'i', 'n', 'g') || v == MKBETAG('I', 'n', 'f', 'o')) {
+ is_cbr = v == MKBETAG('I', 'n', 'f', 'o');
+ if (v == MKBETAG('X', 'i', 'n', 'g') || is_cbr) {
v = avio_rb32(s->pb);
if(v & XING_FLAG_FRAMES)
frames = avio_rb32(s->pb);
@@ -176,7 +178,7 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base)
if(frames)
st->duration = av_rescale_q(frames, (AVRational){spf, c.sample_rate},
st->time_base);
- if(size && frames)
+ if (size && frames && !is_cbr)
st->codec->bit_rate = av_rescale(size, 8 * c.sample_rate, frames * (int64_t)spf);
return 0;
diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index eff3cd2..5c5ebc8 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -110,9 +110,8 @@ static inline void copy(LZOContext *c, int cnt)
*/
static inline void copy_backptr(LZOContext *c, int back, int cnt)
{
- register const uint8_t *src = &c->out[-back];
register uint8_t *dst = c->out;
- if (src < c->out_start || src > dst) {
+ if (dst - c->out_start < back) {
c->error |= AV_LZO_INVALID_BACKPTR;
return;
}
diff --git a/tests/Makefile b/tests/Makefile
index 4e4eb89..8b56b4c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -104,7 +104,7 @@ $(FATE_AVCONV) $(FATE_SAMPLES_AVCONV): avconv$(EXESUF)
ifdef SAMPLES
FATE += $(FATE_SAMPLES)
fate-rsync:
- rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES)
+ rsync -vaLW rsync://fate-suite.libav.org/fate-suite-9/ $(SAMPLES)
else
fate-rsync:
@echo "use 'make fate-rsync SAMPLES=/path/to/samples' to sync the fate suite"
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list