Applied FFMPEG patches since 08/2012
Change-Id: Ifab6efef733e78c5691ff092b7e73e6eaaa77003
diff --git a/cmdutils.c b/cmdutils.c
index 9fc4fc6..c20af02 100755
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -50,7 +50,7 @@
AVFormatContext *avformat_opts;
struct SwsContext *sws_opts;
-const int this_year = 2012;
+const int this_year = 2014;
double parse_number_or_die(const char *context, const char *numstr, int type, double min, double max)
{
diff --git a/libavcodec/avs.c b/libavcodec/avs.c
index 3b29c85..e8a55fd 100755
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -145,6 +145,7 @@
static av_cold int avs_decode_init(AVCodecContext * avctx)
{
avctx->pix_fmt = PIX_FMT_PAL8;
+ avcodec_set_dimensions(avctx, 318, 198);
return 0;
}
diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c
index 14c070d..30bae8c 100755
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@@ -217,9 +217,6 @@
if(comp == BMP_RLE4 || comp == BMP_RLE8)
memset(p->data[0], 0, avctx->height * p->linesize[0]);
- if(depth == 4 || depth == 8)
- memset(p->data[1], 0, 1024);
-
if(height > 0){
ptr = p->data[0] + (avctx->height - 1) * p->linesize[0];
linesize = -p->linesize[0];
@@ -229,6 +226,9 @@
}
if(avctx->pix_fmt == PIX_FMT_PAL8){
+
+ memset(p->data[1], 0, 1024);
+
buf = buf0 + 14 + ihsize; //palette location
if((hsize-ihsize-14)>>depth < 4){ // OS/2 bitmap, 3 bytes per palette entry
for(i = 0; i < (1 << depth); i++)
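Review bot: The added `memset(p->data[1], 0, 1024);` clears the palette with a bare 1024; `memset(p->data[1], 0, AVPALETTE_SIZE);` names what is being cleared and keeps the length tied to the palette size. Moving the clear under the PIX_FMT_PAL8 test presumably stops p->data[1] being written for frames that carry no palette plane, which is worth stating in a short comment so the clear is not hoisted back out. The enclosing function starts and ends outside the hunk.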
diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h
index b56f6ce..7ca36f8 100644
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -26,6 +26,10 @@
#include "libavutil/common.h"
#include "libavutil/intreadwrite.h"
+typedef struct {
+ const uint8_t *buffer, *buffer_end;
+} GetByteContext;
+
#define DEF_T(type, name, bytes, read, write) \
static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
(*b) += bytes;\
@@ -34,6 +38,18 @@
static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\
write(*b, value);\
(*b) += bytes;\
+}\
+static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\
+{\
+ if (g->buffer_end - g->buffer < bytes)\
+ return 0;\
+ return bytestream_get_ ## name(&g->buffer);\
+}\
+static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\
+{\
+ if (g->buffer_end - g->buffer < bytes)\
+ return 0;\
+ return read(g->buffer);\
}
#define DEF(name, bytes, read, write) \
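Review bot: The bytestream2_get_* and bytestream2_peek_* readers added to DEF_T return 0 when fewer than `bytes` remain, which a caller cannot tell apart from a genuine zero in the stream. That prevents the over-read, but a decoder that loops on a length or marker field can still spin or mis-parse on truncated input unless it checks the remaining size itself. I would document the contract above the macro: `/* bytestream2_* readers return 0 and do not advance when the buffer is exhausted; use bytestream2_get_bytes_left() to detect truncation */`.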
@@ -55,6 +71,34 @@
#undef DEF64
#undef DEF_T
+static av_always_inline void bytestream2_init(GetByteContext *g,
+ const uint8_t *buf, int buf_size)
+{
+ g->buffer = buf;
+ g->buffer_end = buf + buf_size;
+}
+
+static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g)
+{
+ return g->buffer_end - g->buffer;
+}
+
+static av_always_inline void bytestream2_skip(GetByteContext *g,
+ unsigned int size)
+{
+ g->buffer += FFMIN(g->buffer_end - g->buffer, size);
+}
+
+static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g,
+ uint8_t *dst,
+ unsigned int size)
+{
+ int size2 = FFMIN(g->buffer_end - g->buffer, size);
+ memcpy(dst, g->buffer, size2);
+ g->buffer += size2;
+ return size2;
+}
+
static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size)
{
memcpy(dst, *b, size);
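Review bot: bytestream2_init() takes a signed buf_size and stores `buf + buf_size` unchecked, so a negative size leaves buffer_end before buffer. In that state bytestream2_get_bytes_left() converts the negative difference to a large unsigned value, and the FFMIN in bytestream2_skip() and bytestream2_get_buffer() no longer bounds the advance or the memcpy length. Clamping once at init keeps every later helper inside the buffer: `g->buffer_end = buf + FFMAX(buf_size, 0);`.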
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 25b97bf..26c9cc7 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -599,12 +599,20 @@
static int decode_seq_header(AVSContext *h) {
MpegEncContext *s = &h->s;
int frame_rate_code;
+ int width, height;
h->profile = get_bits(&s->gb,8);
h->level = get_bits(&s->gb,8);
skip_bits1(&s->gb); //progressive sequence
- s->width = get_bits(&s->gb,14);
- s->height = get_bits(&s->gb,14);
+
+ width = get_bits(&s->gb, 14);
+ height = get_bits(&s->gb, 14);
+ if ((s->width || s->height) && (s->width != width || s->height != height)) {
+ av_log(s, AV_LOG_ERROR, "Width/height changing in CAVS is unsupported");
+ return AVERROR_PATCHWELCOME;
+ }
+ s->width = width;
+ s->height = height;
skip_bits(&s->gb,2); //chroma format
skip_bits(&s->gb,3); //sample_precision
h->aspect_ratio = get_bits(&s->gb,4);
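Review bot: The new error message in decode_seq_header has no trailing newline, unlike the other av_log calls in this patch, so it will run into the next log line; it should read `av_log(s, AV_LOG_ERROR, "Width/height changing in CAVS is unsupported\n");`. The call also passes the MpegEncContext pointer `s` as the logging context, and av_log expects an object whose first member is an AVClass pointer; the struct definition is not visible here, so confirm that holds or pass `s->avctx` instead. The function body continues outside the hunk.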
diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
index da41bf8..ba3d88a 100644
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -3499,7 +3499,7 @@
static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
long i;
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
long a = *(long*)(src+i);
long b = *(long*)(dst+i);
*(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
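Review bot: Nothing at the changed loop says why the `(int)` cast in `w-(int)sizeof(long)` is there, so it is easy to drop later as a redundant cast. Without it the subtraction is unsigned, and for w smaller than sizeof(long) the bound wraps to a huge value and the word-wide loop reads and writes past src and dst. I would add `/* signed on purpose: w may be smaller than sizeof(long) */` above the loop here and at the same change in add_bytes_l2_c and in the hunk at -3535.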
@@ -3510,7 +3510,7 @@
static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
long i;
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
long a = *(long*)(src1+i);
long b = *(long*)(src2+i);
*(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -3535,7 +3535,7 @@
}
}else
#endif
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
long a = *(long*)(src1+i);
long b = *(long*)(src2+i);
*(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index ccfcb62..db68a18 100755
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -360,7 +360,7 @@
int run_mode=0;
if(s->ac){
- if(c->bytestream_end - c->bytestream < w*20){
+ if(c->bytestream_end - c->bytestream < w*35){
av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
return -1;
}
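Review bot: The headroom test `c->bytestream_end - c->bytestream < w*35` replaces one unexplained factor with another; nothing in the hunk says where the per-sample worst case of 35 bytes comes from. Since this check is what keeps the range coder from writing past the output buffer, the bound deserves a named constant or a comment giving its derivation, so the next change to the coder knows whether it still holds. The enclosing function starts and ends outside the hunk.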
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index a7ab3ae..cb81271 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -7462,7 +7462,10 @@
break;
}
- if(buf_index+3 >= buf_size) break;
+ if (buf_index + 3 >= buf_size) {
+ buf_index = buf_size;
+ break;
+ }
buf_index+=3;
}
@@ -7556,6 +7559,7 @@
hx->inter_gb_ptr= &hx->inter_gb;
if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning
+ && s->current_picture_ptr
&& s->context_initialized
&& s->hurry_up < 5
&& (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc)
diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
index 242589f..d231431 100755
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -312,12 +312,13 @@
for(i=y=0; y<256; y++){
int len0 = s->len[0][y];
int limit = VLC_BITS - len0;
- if(limit <= 0)
+ if(limit <= 0 || !len0)
continue;
for(u=0; u<256; u++){
int len1 = s->len[p][u];
- if(len1 > limit)
+ if(len1 > limit || !len1)
continue;
+ assert(i < (1 << VLC_BITS));
len[i] = len0 + len1;
bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
symbols[i] = (y<<8) + u;
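Review bot: The added `assert(i < (1 << VLC_BITS));` only guards the writes to len[i], bits[i] and symbols[i] in builds where assertions are enabled; with NDEBUG it compiles to nothing. If the arrays are sized 1 << VLC_BITS (their declarations are outside the hunk) and the length tables come from the bitstream, a release build still relies entirely on the zero-length filtering and the init_vlc check to keep i in range. A runtime bound that skips the entry, for example `if (i >= (1 << VLC_BITS)) continue;`, would hold in every build; the same applies to the second assert in the hunk at -339.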
@@ -339,18 +340,19 @@
for(i=0, g=-16; g<16; g++){
int len0 = s->len[p0][g&255];
int limit0 = VLC_BITS - len0;
- if(limit0 < 2)
+ if(limit0 < 2 || !len0)
continue;
for(b=-16; b<16; b++){
int len1 = s->len[p1][b&255];
int limit1 = limit0 - len1;
- if(limit1 < 1)
+ if(limit1 < 1 || !len1)
continue;
code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
for(r=-16; r<16; r++){
int len2 = s->len[2][r&255];
- if(len2 > limit1)
+ if(len2 > limit1 || !len2)
continue;
+ assert(i < (1 << VLC_BITS));
len[i] = len0 + len1 + len2;
bits[i] = (code << len2) + s->bits[2][r&255];
if(s->decorrelate){
@@ -374,6 +376,7 @@
static int read_huffman_tables(HYuvContext *s, uint8_t *src, int length){
GetBitContext gb;
int i;
+ int ret;
init_get_bits(&gb, src, length*8);
@@ -389,7 +392,8 @@
}
#endif
free_vlc(&s->vlc[i]);
- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
+ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+ return ret;
}
generate_joint_tables(s);
@@ -401,6 +405,7 @@
#if 1
GetBitContext gb;
int i;
+ int ret;
init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
read_len_table(s->len[0], &gb);
@@ -419,7 +424,8 @@
for(i=0; i<3; i++){
free_vlc(&s->vlc[i]);
- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
+ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+ return ret;
}
generate_joint_tables(s);
diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c
index c48e938..f31c8ea 100755
--- a/libavcodec/imgconvert.c
+++ b/libavcodec/imgconvert.c
@@ -966,7 +966,8 @@
/* find exact color match with smallest size */
dst_pix_fmt = -1;
min_dist = 0x7fffffff;
- for(i = 0;i < PIX_FMT_NB; i++) {
+ /* test only the first 64 pixel formats to avoid undefined behavior */
+ for(i = 0; i < 64; i++) {
if (pix_fmt_mask & (1ULL << i)) {
loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask;
if (loss == 0) {
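Review bot: Bounding the loop at 64 removes the oversized shift in `1ULL << i`, but it also stops bounding i by PIX_FMT_NB. If PIX_FMT_NB is below 64 and a caller sets a high bit in pix_fmt_mask, avcodec_get_pix_fmt_loss() is now called with a value that is not a valid pixel format. Keeping both limits covers either case: `for(i = 0; i < FFMIN(PIX_FMT_NB, 64); i++) {`. The enclosing function starts and ends outside the hunk.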
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index fdf4c4c..1eb8c05 100755
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -143,6 +143,8 @@
ret = ret >> 1;
}
+ if(FFABS(ret) > 0xFFFF)
+ return -0x10000;
/* update state */
state->A[Q] += FFABS(ret) - RItype;
ret *= state->twonear;
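Review bot: The early `return -0x10000;` is an in-band sentinel with no comment, and nothing in the hunk shows how callers tell it apart from a decoded value. It also returns before the `state->A[Q]` update below, which looks intended but is not stated. I would add `/* out-of-range residual from a damaged stream: return a value no valid sample can take and leave the state untouched */` above the check, and confirm the callers treat that value as an error.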
diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c
index b353b88..3c8aced 100755
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -1163,6 +1163,7 @@
int save_width, save_height;
AVRational frame_rate_ext; ///< MPEG-2 specific framerate modificator
+ int extradata_decoded;
} Mpeg1Context;
static av_cold int mpeg_decode_init(AVCodecContext *avctx)
@@ -2302,8 +2303,10 @@
s->slice_count= 0;
- if(avctx->extradata && !avctx->frame_number)
+ if (avctx->extradata && !s->extradata_decoded) {
decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size);
+ s->extradata_decoded = 1;
+ }
return decode_chunks(avctx, picture, data_size, buf, buf_size);
}
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 822228e..c1d8d2b 100755
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -177,7 +177,7 @@
else
g->long_end = 4; /* 8000 Hz */
- g->short_start = 2 + (s->sample_rate_index != 8);
+ g->short_start = 3;
} else {
g->long_end = 0;
g->short_start = 0;
diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h
index cf66dc7..6c39ac7 100755
--- a/libavcodec/mpegvideo_common.h
+++ b/libavcodec/mpegvideo_common.h
@@ -727,7 +727,7 @@
0, 0, 0,
ref_picture, pix_op, qpix_op,
s->mv[dir][0][0], s->mv[dir][0][1], 16);
- }else if(!is_mpeg12 && CONFIG_WMV2 && s->mspel){
+ }else if(!is_mpeg12 && CONFIG_WMV2 && s->mspel && s->codec_id == CODEC_ID_WMV2){
ff_mspel_motion(s, dest_y, dest_cb, dest_cr,
ref_picture, pix_op,
s->mv[dir][0][0], s->mv[dir][0][1], 16);
diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 109ef41..64ba3cc 100755
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -182,17 +182,18 @@
}
if (c->codec_frameheader) {
int w, h, q;
- if (buf_size < 12) {
+ if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE ||
+ buf[5] != RTJPEG_FILE_VERSION) {
av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
w = AV_RL16(&buf[6]);
h = AV_RL16(&buf[8]);
q = buf[10];
if (!codec_reinit(avctx, w, h, q))
return -1;
- buf = &buf[12];
- buf_size -= 12;
+ buf = &buf[RTJPEG_HEADER_SIZE];
+ buf_size -= RTJPEG_HEADER_SIZE;
}
if (keyframe && c->pic.data[0])
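Review bot: The header check now returns AVERROR_INVALIDDATA, but the codec_reinit failure two statements later still uses `return -1;`, so callers see two conventions from the same block. Whether that failure means bad dimensions or an allocation error is not visible here; returning a specific AVERROR code there would keep the block consistent. A one-line comment that buf[4] and buf[5] hold the header size and file version would also explain the new comparisons. The enclosing function starts and ends outside the hunk.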
diff --git a/libavcodec/parser.c b/libavcodec/parser.c
index 7f2eaf7..577898f 100755
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -270,8 +270,10 @@
if(next == END_NOT_FOUND){
void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
- if(!new_buffer)
+ if(!new_buffer) {
+ pc->index = 0;
return AVERROR(ENOMEM);
+ }
pc->buffer = new_buffer;
memcpy(&pc->buffer[pc->index], *buf, *buf_size);
pc->index += *buf_size;
@@ -285,8 +287,11 @@
if(pc->index){
void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
- if(!new_buffer)
+ if(!new_buffer) {
+ pc->overread_index =
+ pc->index = 0;
return AVERROR(ENOMEM);
+ }
pc->buffer = new_buffer;
memcpy(&pc->buffer[pc->index], *buf, next + FF_INPUT_BUFFER_PADDING_SIZE );
pc->index = 0;
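Review bot: The chained assignment split over two lines (`pc->overread_index =` followed by `pc->index = 0;`) reads like a statement with a missing right-hand side; `pc->overread_index = pc->index = 0;` on one line is clearer. The failure path in the hunk at -270 resets only pc->index on the same allocation failure. If leaving overread_index alone there is deliberate, a comment saying why would help; otherwise the two paths should reset the same fields.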
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 6775abc..0b132f2 100755
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1262,6 +1262,11 @@
for (i = 0; packet_bytes > 0; i++) {
int j;
+ if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
+ SAMPLES_NEEDED_2("too many packet bytes");
+ return;
+ }
+
q->sub_packet_list_A[i].next = NULL;
if (i > 0) {
diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
index c9daec7..8d59981 100755
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -158,6 +158,12 @@
RoqContext *s = avctx->priv_data;
s->avctx = avctx;
+
+ if (avctx->width%16 || avctx->height%16) {
+ av_log(avctx, AV_LOG_ERROR, "dimensions not being a multiple of 16 are unsupported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
s->width = avctx->width;
s->height = avctx->height;
s->last_frame = &s->frames[0];
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 27ed71f..4a0025b 100755
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -84,7 +84,7 @@
unsigned short *pixels = (unsigned short *)s->frame.data[0];
int row_ptr = 0;
- int pixel_ptr = 0;
+ int pixel_ptr = -4;
int block_ptr;
int pixel_x, pixel_y;
int total_blocks;
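Review bot: Starting pixel_ptr at -4 is only safe if every opcode path runs ADVANCE_BLOCK() before it computes `block_ptr = row_ptr + pixel_ptr`. This patch moves the macro to the top of three paths, but the remaining opcode cases are outside the hunks, so it is not visible that all of them were converted. A comment on the initialiser, `/* one block before the first; ADVANCE_BLOCK() must run before each block is written */`, would record the invariant for later edits.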
@@ -140,6 +140,7 @@
colorA = AV_RB16 (&s->buf[stream_ptr]);
stream_ptr += 2;
while (n_blocks--) {
+ ADVANCE_BLOCK()
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
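Review bot: The added `ADVANCE_BLOCK()` has no trailing semicolon, unlike the other call sites this patch touches. It compiles only if the macro expands to a complete block, and it changes meaning silently if the macro is ever rewritten as a `do { ... } while (0)` statement. Write `ADVANCE_BLOCK();` here for consistency.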
@@ -148,7 +149,6 @@
}
block_ptr += row_inc;
}
- ADVANCE_BLOCK();
}
break;
@@ -185,6 +185,7 @@
color4[2] |= ((21 * ta + 11 * tb) >> 5);
while (n_blocks--) {
+ ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
index = s->buf[stream_ptr++];
@@ -195,12 +196,12 @@
}
block_ptr += row_inc;
}
- ADVANCE_BLOCK();
}
break;
/* Fill block with 16 colors */
case 0x00:
+ ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -214,7 +215,6 @@
}
block_ptr += row_inc;
}
- ADVANCE_BLOCK();
break;
/* Unknown opcode */
diff --git a/libavcodec/rtjpeg.h b/libavcodec/rtjpeg.h
index 02f2058..c12a78c 100755
--- a/libavcodec/rtjpeg.h
+++ b/libavcodec/rtjpeg.h
@@ -25,6 +25,9 @@
#include <stdint.h>
#include "dsputil.h"
+#define RTJPEG_FILE_VERSION 0
+#define RTJPEG_HEADER_SIZE 12
+
typedef struct {
int w, h;
DSPContext *dsp;
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 8f87a62..c091e81 100755
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -82,6 +82,7 @@
int channels;
int32_t *decoded[MAX_CHANNELS];
+ int32_t *decoded_base[MAX_CHANNELS];
int32_t *offset[MAX_CHANNELS];
uint8_t *bitstream;
int bitstream_size;
@@ -112,6 +113,7 @@
static int allocate_buffers(ShortenContext *s)
{
int i, chan;
+ void *tmp_ptr;
for (chan=0; chan<s->channels; chan++) {
if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
@@ -122,12 +124,19 @@
return -1;
}
- s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->offset[chan] = tmp_ptr;
- s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+ sizeof(s->decoded_base[0][0]));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+ s->decoded_base[chan] = tmp_ptr;
for (i=0; i<s->nwrap; i++)
- s->decoded[chan][i] = 0;
- s->decoded[chan] += s->nwrap;
+ s->decoded_base[chan][i] = 0;
+ s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
}
return 0;
}
@@ -275,8 +284,15 @@
int i, input_buf_size = 0;
int16_t *samples = data;
if(s->max_framesize == 0){
+ void *tmp_ptr;
s->max_framesize= 1024; // should hopefully be enough for the first header
- s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize);
+ tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
+ s->max_framesize);
+ if (!tmp_ptr) {
+ av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
+ return AVERROR(ENOMEM);
+ }
+ s->bitstream = tmp_ptr;
}
if(1 && s->max_framesize){//FIXME truncated
@@ -514,8 +530,8 @@
int i;
for (i = 0; i < s->channels; i++) {
- s->decoded[i] -= s->nwrap;
- av_freep(&s->decoded[i]);
+ s->decoded[i] = NULL;
+ av_freep(&s->decoded_base[i]);
av_freep(&s->offset[i]);
}
av_freep(&s->bitstream);
diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c
index 1bc3c82..4d6172f 100644
--- a/libavcodec/tiffenc.c
+++ b/libavcodec/tiffenc.c
@@ -304,6 +304,10 @@
strip_sizes = av_mallocz(sizeof(*strip_sizes) * strips);
strip_offsets = av_mallocz(sizeof(*strip_offsets) * strips);
+ if (!strip_sizes || !strip_offsets) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
bytes_per_row = (((s->width - 1)/s->subsampling[0] + 1) * s->bpp
* s->subsampling[0] * s->subsampling[1] + 7) >> 3;
@@ -311,6 +315,7 @@
yuv_line = av_malloc(bytes_per_row);
if (yuv_line == NULL){
av_log(s->avctx, AV_LOG_ERROR, "Not enough memory\n");
+ ret = AVERROR(ENOMEM);
goto fail;
}
}
@@ -323,6 +328,10 @@
zlen = bytes_per_row * s->rps;
zbuf = av_malloc(zlen);
+ if (!zbuf) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
strip_offsets[0] = ptr - buf;
zn = 0;
for (j = 0; j < s->rps; j++) {
@@ -347,8 +356,13 @@
} else
#endif
{
- if(s->compr == TIFF_LZW)
+ if (s->compr == TIFF_LZW) {
s->lzws = av_malloc(ff_lzw_encode_state_size);
+ if (!s->lzws) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+ }
for (i = 0; i < s->height; i++) {
if (strip_sizes[i / s->rps] == 0) {
if(s->compr == TIFF_LZW){
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 04ed39a..4a56ac9 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -174,7 +174,8 @@
case PIX_FMT_PAL8:
case PIX_FMT_BGR8:
case PIX_FMT_RGB8:
- if(s->codec_id == CODEC_ID_SMC){
+ if(s->codec_id == CODEC_ID_SMC ||
+ s->codec_id == CODEC_ID_CINEPAK) {
w_align=4;
h_align=4;
}
@@ -185,6 +186,12 @@
h_align=4;
}
break;
+ case PIX_FMT_RGB24:
+ if (s->codec_id == CODEC_ID_CINEPAK) {
+ w_align = 4;
+ h_align = 4;
+ }
+ break;
default:
w_align= 1;
h_align= 1;
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 571d787..acd7fe8 100755
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -4356,6 +4356,7 @@
vc1_decode_frame,
CODEC_CAP_DELAY,
NULL,
+ .flush = ff_mpeg_flush,
.long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"),
.pix_fmts = ff_hwaccel_pixfmt_list_420
};
@@ -4371,6 +4372,7 @@
vc1_decode_frame,
CODEC_CAP_DELAY,
NULL,
+ .flush = ff_mpeg_flush,
.long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"),
.pix_fmts = ff_hwaccel_pixfmt_list_420
};
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index c7efaf8..aafd89c 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -275,6 +275,11 @@
}
xy = *src++;
wh = *src++;
+ if ( (xy >> 4) + (wh >> 4) + 1 > w - i
+ || (xy & 0xF) + (wh & 0xF)+1 > h - j) {
+ av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n");
+ return AVERROR_INVALIDDATA;
+ }
paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
}
}
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 1ca8a40..f48dd15 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -516,8 +516,14 @@
s->modelp = &s->models[is_alpha];
res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
- if (!res)
- return -1;
+ if (!res) {
+ int i;
+ for (i = 0; i < 4; i++) {
+ if (s->frames[i].data[0])
+ avctx->release_buffer(avctx, &s->frames[i]);
+ }
+ return res;
+ }
if (res == 2) {
int i;
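Review bot: The failure test is still `if (!res)`, but the vp6.c hunk in this same patch makes parse_header return AVERROR_PATCHWELCOME, a negative value, for interlaced streams. A negative res skips this branch and, unless code below the hunk rejects it, decoding continues with a header that was declared unsupported. Inside the branch `return res;` now returns 0 where the old code returned -1, so a header failure is no longer reported as an error either. I would test `if (res <= 0) {` and end the branch with `return res < 0 ? res : -1;`.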
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index fbfa385..e815ca5 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -61,8 +61,8 @@
return 0;
s->filter_header = buf[1] & 0x06;
if (buf[1] & 1) {
- av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n");
- return 0;
+ av_log(s->avctx, AV_LOG_WARNING, "interlacing not supported\n");
+ return AVERROR_PATCHWELCOME;
}
if (separated_coeff || !s->filter_header) {
coeff_offset = AV_RB16(buf+2) - 2;
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index f34a631..9edee58 100755
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -526,6 +526,11 @@
chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]);
cbp0_chunk += CHUNK_PREAMBLE_SIZE;
+ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size);
+ return;
+ }
+
/* accumulate partial codebook */
memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
&s->buf[cbp0_chunk], chunk_size);
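Review bot: The new check bounds only the destination of the memcpy; the source side, `&s->buf[cbp0_chunk]` for chunk_size bytes, is not compared with the input packet length anywhere in the hunk. chunk_size comes from a 32-bit field in the stream, so a value that fits the codebook buffer can still exceed what remains of the packet and read past it. If chunk_size is a signed int (its declaration is outside the hunk), a value with the top bit set is negative and passes the `>` test as well. The same applies to the cbpz hunk at -549; the function body continues outside both hunks.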
@@ -549,6 +554,11 @@
chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]);
cbpz_chunk += CHUNK_PREAMBLE_SIZE;
+ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size);
+ return;
+ }
+
/* accumulate partial codebook */
memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
&s->buf[cbpz_chunk], chunk_size);
diff --git a/libavcodec/wma.c b/libavcodec/wma.c
index ff01f49..12faf27 100755
--- a/libavcodec/wma.c
+++ b/libavcodec/wma.c
@@ -133,6 +133,10 @@
bps = (float)s->bit_rate / (float)(s->nb_channels * s->sample_rate);
s->byte_offset_bits = av_log2((int)(bps * s->frame_len / 8.0 + 0.5)) + 2;
+ if (s->byte_offset_bits + 3 > MIN_CACHE_BITS) {
+ av_log(avctx, AV_LOG_ERROR, "byte_offset_bits %d is too large\n", s->byte_offset_bits);
+ return AVERROR_PATCHWELCOME;
+ }
/* compute high frequency value and choose if noise coding should
be activated */
diff --git a/libavfilter/formats.c b/libavfilter/formats.c
index 33fec16..79449d4 100755
--- a/libavfilter/formats.c
+++ b/libavfilter/formats.c
@@ -43,6 +43,9 @@
AVFilterFormats *ret;
unsigned i, j, k = 0;
+ if (a == b)
+ return a;
+
ret = av_mallocz(sizeof(AVFilterFormats));
/* merge list of formats */
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index d499978..32249a9 100755
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -922,7 +922,7 @@
ast->frame_offset);
#endif
}
- ast->remaining -= size;
+ ast->remaining -= err;
if(!ast->remaining){
avi->stream_index= -1;
#if 0
@@ -937,7 +937,7 @@
ast->packet_size= 0;
}
- return size;
+ return 0;
}
memset(d, -1, sizeof(int)*8);
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index e026dc2..a71d566 100755
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1604,6 +1604,7 @@
*/
static void matroska_clear_queue(MatroskaDemuxContext *matroska)
{
+ matroska->prev_pkt = NULL;
if (matroska->packets) {
int n;
for (n = 0; n < matroska->num_packets; n++) {
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 24a0c46..daa01af 100755
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -66,8 +66,7 @@
for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i;
- os->buf = av_malloc (os->bufsize);
- memset (os->buf, 0, os->bufsize);
+ os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (os->buf, ost->streams[i].buf, os->bufpos);
}
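Review bot: The result of `av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE)` is passed straight to memcpy without a NULL check, so an allocation failure becomes a write through a null pointer. The hunks at -170 (`os->buf = av_malloc(...)`) and -192 (`uint8_t *nb = av_malloc(...)`) have the same gap, while the hunk at -291 does check its allocation. Each site should test the pointer before use and propagate `AVERROR(ENOMEM)`; the functions' return types are outside these hunks, so the exact form depends on them.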
@@ -170,13 +169,18 @@
AVStream *st;
struct ogg_stream *os;
- ogg->streams = av_realloc (ogg->streams,
- ogg->nstreams * sizeof (*ogg->streams));
+ os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams));
+
+ if (!os)
+ return AVERROR(ENOMEM);
+
+ ogg->streams = os;
+
memset (ogg->streams + idx, 0, sizeof (*ogg->streams));
os = ogg->streams + idx;
os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE;
- os->buf = av_malloc(os->bufsize);
+ os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1;
st = av_new_stream (s, idx);
@@ -192,7 +196,7 @@
ogg_new_buf(struct ogg *ogg, int idx)
{
struct ogg_stream *os = ogg->streams + idx;
- uint8_t *nb = av_malloc(os->bufsize);
+ uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart;
if(os->buf){
memcpy(nb, os->buf + os->pstart, size);
@@ -291,7 +295,9 @@
}
if (os->bufsize - os->bufpos < size){
- uint8_t *nb = av_malloc (os->bufsize *= 2);
+ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (!nb)
+ return AVERROR(ENOMEM);
memcpy (nb, os->buf, os->bufpos);
av_free (os->buf);
os->buf = nb;
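Review bot: `os->bufsize *= 2` is evaluated inside the av_malloc argument, so when the allocation fails and the function returns AVERROR(ENOMEM), bufsize has already doubled while os->buf still has the old size. Any later pass through the `os->bufsize - os->bufpos < size` test would then believe there is room that does not exist. Allocate from the current value with `uint8_t *nb = av_malloc (os->bufsize * 2 + FF_INPUT_BUFFER_PADDING_SIZE);` and apply `os->bufsize *= 2;` only after the NULL check. The doubling itself is also unchecked against overflow.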
@@ -305,6 +311,7 @@
os->granule = gp;
os->flags = flags;
+ memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str)
*str = idx;
diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c
index 8caf0d1..ddad1c6 100755
--- a/libavformat/swfenc.c
+++ b/libavformat/swfenc.c
@@ -496,8 +496,10 @@
put_le32(pb, file_size);
url_fseek(pb, swf->duration_pos, SEEK_SET);
put_le16(pb, swf->video_frame_number);
+ if (swf->vframes_pos) {
url_fseek(pb, swf->vframes_pos, SEEK_SET);
put_le16(pb, swf->video_frame_number);
+ }
url_fseek(pb, file_size, SEEK_SET);
}
return 0;
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 3d2c6a3..ccc144f 100755
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -735,7 +735,10 @@
*pnum = st->codec->time_base.num;
*pden = st->codec->time_base.den;
if (pc && pc->repeat_pict) {
- *pnum = (*pnum) * (1 + pc->repeat_pict);
+ if (*pnum > INT_MAX / (1 + pc->repeat_pict))
+ *pden /= 1 + pc->repeat_pict;
+ else
+ *pnum *= 1 + pc->repeat_pict;
}
}
break;
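Review bot: In the overflow branch `*pden /= 1 + pc->repeat_pict;` is an integer division, so a denominator smaller than the divisor becomes 0 and the caller receives a duration of num/0. The guard `pc->repeat_pict` also admits -1, for which both `INT_MAX / (1 + pc->repeat_pict)` and the division divide by zero. Whether the parser can produce those values is not visible here. If it can, the branch should be skipped for a non-positive repeat_pict or a result that would truncate to zero. The enclosing function starts and ends outside the hunk.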
diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c
index 3fd7927..19e8be7 100755
--- a/libavformat/yuv4mpeg.c
+++ b/libavformat/yuv4mpeg.c
@@ -152,6 +152,11 @@
if (s->nb_streams != 1)
return AVERROR(EIO);
+ if (s->streams[0]->codec->codec_id != CODEC_ID_RAWVIDEO) {
+ av_log(s, AV_LOG_ERROR, "ERROR: Only rawvideo supported.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if (s->streams[0]->codec->pix_fmt == PIX_FMT_YUV411P) {
av_log(s, AV_LOG_ERROR, "Warning: generating rarely used 4:1:1 YUV stream, some mjpegtools might not work.\n");
}
@@ -340,7 +345,7 @@
{
int i;
char header[MAX_FRAME_HEADER+1];
- int packet_size, width, height;
+ int packet_size, width, height, ret;
AVStream *st = s->streams[0];
struct frame_attributes *s1 = s->priv_data;
@@ -351,18 +356,28 @@
break;
}
}
- if (i == MAX_FRAME_HEADER) return -1;
- if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) return -1;
+ if (s->pb->error)
+ return s->pb->error;
+ else if (s->pb->eof_reached)
+ return AVERROR_EOF;
+ else if (i == MAX_FRAME_HEADER)
+ return AVERROR_INVALIDDATA;
+
+ if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC)))
+ return AVERROR_INVALIDDATA;
width = st->codec->width;
height = st->codec->height;
packet_size = avpicture_get_size(st->codec->pix_fmt, width, height);
if (packet_size < 0)
- return -1;
+ return packet_size;
- if (av_get_packet(s->pb, pkt, packet_size) != packet_size)
- return AVERROR(EIO);
+ ret = av_get_packet(s->pb, pkt, packet_size);
+ if (ret < 0)
+ return ret;
+ else if (ret != packet_size)
+ return s->pb->eof_reached ? AVERROR_EOF : AVERROR(EIO);
if (s->streams[0]->codec->coded_frame) {
s->streams[0]->codec->coded_frame->interlaced_frame = s1->interlaced_frame;
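Review bot: The short-read branch returns without releasing the packet. When av_get_packet() returns a positive count smaller than packet_size, pkt presumably already owns allocated data, and `return s->pb->eof_reached ? AVERROR_EOF : AVERROR(EIO);` leaves it behind. Unless the caller is known to free packets on error, call `av_free_packet(pkt);` before that return. The function body continues outside the hunk.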
diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 83fa9bf..e284fa8 100755
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -62,7 +62,13 @@
static inline int get_len(LZOContext *c, int x, int mask) {
int cnt = x & mask;
if (!cnt) {
- while (!(x = get_byte(c))) cnt += 255;
+ while (!(x = get_byte(c))) {
+ if (cnt >= INT_MAX - 1000) {
+ c->error |= AV_LZO_ERROR;
+ break;
+ }
+ cnt += 255;
+ }
cnt += mask + x;
}
return cnt;
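Review bot: The guard `cnt >= INT_MAX - 1000` uses an unexplained margin. It has to cover the 255 added per iteration and the `mask + x` added after the loop, and a reader cannot tell from the hunk that 1000 was chosen for that. I would add `/* stop before cnt can overflow; the margin covers the additions below */` above the test. Note also that after the break the function still returns a very large cnt, so callers must check c->error before using it.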
@@ -118,10 +124,10 @@
* cnt > back is valid, this will copy the bytes we just copied,
* thus creating a repeating pattern with a period length of back.
*/
-static inline void copy_backptr(LZOContext *c, int back, int cnt) {
- register const uint8_t *src = &c->out[-back];
- register uint8_t *dst = c->out;
- if (src < c->out_start || src > dst) {
+static inline void copy_backptr(LZOContext *c, int back, int cnt)
+{
+ register uint8_t *dst = c->out;
+ if (dst - c->out_start < back) {
c->error |= AV_LZO_INVALID_BACKPTR;
return;
}