Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
* qatar/release/0.5:
update version
Release notes and changelog for 0.5.5
Fix ff_imdct_calc_sse() on gcc-4.6
Make DECLARE_ALIGNED macros work with external array specifiers
Fix MMX rgb24 to yuv conversion with gcc 4.6
Merged-by: Michael Niedermayer <michaelni@gmx.at>
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 8d30040..25b97bf 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -165,7 +165,7 @@
/* get coded block pattern */
int cbp= get_ue_golomb(&h->s.gb);
- if(cbp > 63){
+ if(cbp > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
return -1;
}
@@ -225,7 +225,7 @@
/* get coded block pattern */
if(h->pic_type == FF_I_TYPE)
cbp_code = get_ue_golomb(gb);
- if(cbp_code > 63){
+ if(cbp_code > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
return -1;
}
diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
index d0f5adb..c248f00 100644
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -336,7 +336,8 @@
* If the frame header is followed by the bytes FE 00 00 06 00 00 then
* this is probably one of the two known files that have 6 extra bytes
* after the frame header. Else, assume 2 extra bytes. */
- if ((s->data[10] == 0xFE) &&
+ if (s->size >= 16 &&
+ (s->data[10] == 0xFE) &&
(s->data[11] == 0x00) &&
(s->data[12] == 0x00) &&
(s->data[13] == 0x06) &&
diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c
index 9f7ab61..39ac7d6 100644
--- a/libavcodec/cljr.c
+++ b/libavcodec/cljr.c
@@ -60,7 +60,7 @@
p->pict_type= FF_I_TYPE;
p->key_frame= 1;
- init_get_bits(&a->gb, buf, buf_size);
+ init_get_bits(&a->gb, buf, buf_size * 8);
for(y=0; y<avctx->height; y++){
uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ];
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 40c561a..8ee6a86 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -153,6 +153,13 @@
return -1;
}
+ start = 48; /* hardcoded for now */
+
+ if (start >= buf_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size);
+ return AVERROR_INVALIDDATA;
+ }
+
s->decode_delta = buf[18];
/* decide whether frame uses deltas or not */
@@ -160,9 +167,8 @@
for (i = 0; i < buf_size; i++)
buf[i] = ff_reverse[buf[i]];
#endif
- start = 48; /* hardcoded for now */
- init_get_bits(&s->gb, buf + start, buf_size - start);
+ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8);
if (s->decode_delta) { /* intraframe */
ir2_decode_plane(s, avctx->width, avctx->height,
diff --git a/libavcodec/libxvidff.c b/libavcodec/libxvidff.c
index bdf70a0..0bbb712 100644
--- a/libavcodec/libxvidff.c
+++ b/libavcodec/libxvidff.c
@@ -485,6 +485,7 @@
if( x->twopassbuffer != NULL ) {
av_free(x->twopassbuffer);
av_free(x->old_twopassbuffer);
+ avctx->stats_out = NULL;
}
if( x->twopassfile != NULL )
av_free(x->twopassfile);
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index f69dcf9..2839d07 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -325,7 +325,8 @@
if (sz == 0)
goto end;
- init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0);
+ if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0))
+ goto end;
mp_decode_frame_helper(mp, &gb);
free_vlc(&mp->vlc);
diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c
index 59eff1f..3a18470 100644
--- a/libavcodec/qcelpdec.c
+++ b/libavcodec/qcelpdec.c
@@ -802,7 +802,7 @@
*data_size = 160 * sizeof(*outbuffer);
- return *data_size;
+ return buf_size;
}
AVCodec qcelp_decoder =
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 71a25d6..ddf0f1d 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -642,6 +642,11 @@
if(MPV_frame_start(s, avctx) < 0)
return -1;
ff_er_frame_start(s);
+ } else {
+ if (s->current_picture_ptr->pict_type != s->pict_type) {
+ av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n");
+ return -1;
+ }
}
#ifdef DEBUG
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index e1b3ad1..a2dc57e 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -51,6 +51,11 @@
skip_bits1(gb);
si->pts = get_bits(gb, 13);
rpr = get_bits(gb, r->rpr);
+ if (r->s.avctx->extradata_size < 8 + rpr*2) {
+ av_log(r->s.avctx, AV_LOG_WARNING,
+ "Extradata does not contain selected resolution\n");
+ rpr = 0;
+ }
if(rpr){
w = r->s.avctx->extradata[6 + rpr*2] << 2;
h = r->s.avctx->extradata[7 + rpr*2] << 2;
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 4d8d968..da20dbb 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1269,6 +1269,13 @@
r->next_pts = r->cur_pts;
}
s->mb_x = s->mb_y = 0;
+ } else {
+ int slice_type = r->si.type ? r->si.type : FF_I_TYPE;
+
+ if (slice_type != s->pict_type) {
+ av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n");
+ return AVERROR_INVALIDDATA;
+ }
}
r->si.end = end;
@@ -1401,8 +1408,9 @@
slice_count = avctx->slice_count;
//parse first slice header to check whether this frame can be decoded
- if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
+ get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
return -1;
}
init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0));
@@ -1430,8 +1438,8 @@
else
size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
- if(offset > buf_size){
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ if(offset < 0 || offset > buf_size || size < 0){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
@@ -1452,7 +1460,7 @@
break;
}
- if(last){
+ if(last && s->current_picture_ptr){
if(r->loop_filter)
r->loop_filter(r, s->mb_height - 1);
ff_er_frame_end(s);
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 03241cf..95a9beb 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -133,11 +133,13 @@
return -1;
}
b1 = get_bits_count(gb);
- i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3);
+ i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
b1 = get_bits_count(gb) - b1;
b2 = get_bits_count(gb);
- i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3);
+ i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0;
b2 = get_bits_count(gb) - b2;
+ if (i1 < 0 || i2 < 0)
+ return -1;
val = ctx->recode1[i1] | (ctx->recode2[i2] << 8);
if(val == ctx->escapes[0]) {
ctx->last[0] = hc->current;
@@ -289,7 +291,8 @@
smk->mmap_tbl[0] = 0;
smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n");
@@ -297,7 +300,8 @@
smk->mclr_tbl[0] = 0;
smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n");
@@ -305,7 +309,8 @@
smk->full_tbl[0] = 0;
smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n");
@@ -313,7 +318,8 @@
smk->type_tbl[0] = 0;
smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size))
+ return -1;
}
return 0;
@@ -527,8 +533,8 @@
return -1;
}
- decode_header_trees(c);
-
+ if (decode_header_trees(c))
+ return -1;
return 0;
}
@@ -654,6 +660,8 @@
} else { //8-bit data
for(i = stereo; i >= 0; i--)
pred[i] = get_bits(&gb, 8);
+ if (stereo + unp_size > *data_size)
+ return -1;
for(i = 0; i < stereo; i++)
*samples++ = (pred[i] - 0x80) << 8;
for(i = 0; i < unp_size; i++) {
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c
index 920b32d..f1e436c 100644
--- a/libavcodec/sp5xdec.c
+++ b/libavcodec/sp5xdec.c
@@ -88,7 +88,6 @@
recoded[j++] = 0xFF;
recoded[j++] = 0xD9;
- avctx->flags &= ~CODEC_FLAG_EMU_EDGE;
i = ff_mjpeg_decode_frame(avctx, data, data_size, recoded, j);
av_free(recoded);
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 12eac33..19e5e05 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -536,12 +536,13 @@
}
switch(id & WP_IDF_MASK){
case WP_ID_DECTERMS:
- s->terms = size;
- if(s->terms > MAX_TERMS){
+ if(size > MAX_TERMS){
av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n");
+ s->terms = 0;
buf += ssize;
continue;
}
+ s->terms = size;
for(i = 0; i < s->terms; i++) {
s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5;
s->decorr[s->terms - i - 1].delta = *buf >> 5;
diff --git a/libavformat/ape.c b/libavformat/ape.c
index 3031e47..7511d93 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -356,6 +356,8 @@
if (ape->seektablelength > 0) {
ape->seektable = av_malloc(ape->seektablelength);
+ if (!ape->seektable)
+ return AVERROR(ENOMEM);
for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
ape->seektable[i] = get_le32(pb);
}
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 54406f5..a810b95 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -90,14 +90,24 @@
ogg->state = ost->next;
if (!discard){
+ struct ogg_stream *old_streams = ogg->streams;
+
for (i = 0; i < ogg->nstreams; i++)
av_free (ogg->streams[i].buf);
url_fseek (bc, ost->pos, SEEK_SET);
ogg->curidx = ost->curidx;
ogg->nstreams = ost->nstreams;
- memcpy(ogg->streams, ost->streams,
- ost->nstreams * sizeof(*ogg->streams));
+ ogg->streams = av_realloc (ogg->streams,
+ ogg->nstreams * sizeof (*ogg->streams));
+
+ if (ogg->streams) {
+ memcpy(ogg->streams, ost->streams,
+ ost->nstreams * sizeof(*ogg->streams));
+ } else {
+ av_free(old_streams);
+ ogg->nstreams = 0;
+ }
}
av_free (ost);
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index ae1263c..c1da789 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -111,11 +111,16 @@
film->audio_samplerate = AV_RB16(&scratch[24]);
film->audio_channels = scratch[21];
film->audio_bits = scratch[22];
- if (film->audio_bits == 8)
- film->audio_type = CODEC_ID_PCM_S8;
- else if (film->audio_bits == 16)
- film->audio_type = CODEC_ID_PCM_S16BE;
- else
+ if (scratch[23] == 2)
+ film->audio_type = CODEC_ID_ADPCM_ADX;
+ else if (film->audio_channels > 0) {
+ if (film->audio_bits == 8)
+ film->audio_type = CODEC_ID_PCM_S8;
+ else if (film->audio_bits == 16)
+ film->audio_type = CODEC_ID_PCM_S16BE;
+ else
+ film->audio_type = CODEC_ID_NONE;
+ } else
film->audio_type = CODEC_ID_NONE;
}
@@ -167,6 +172,8 @@
if(film->sample_count >= UINT_MAX / sizeof(film_sample))
return -1;
film->sample_table = av_malloc(film->sample_count * sizeof(film_sample));
+ if (!film->sample_table)
+ return AVERROR(ENOMEM);
for(i=0; i<s->nb_streams; i++)
av_set_pts_info(s->streams[i], 33, 1, film->base_clock);
@@ -187,8 +194,12 @@
film->sample_table[i].pts *= film->base_clock;
film->sample_table[i].pts /= film->audio_samplerate;
- audio_frame_counter += (film->sample_table[i].sample_size /
- (film->audio_channels * film->audio_bits / 8));
+ if (film->audio_type == CODEC_ID_ADPCM_ADX)
+ audio_frame_counter += (film->sample_table[i].sample_size * 32 /
+ (18 * film->audio_channels));
+ else if (film->audio_type != CODEC_ID_NONE)
+ audio_frame_counter += (film->sample_table[i].sample_size /
+ (film->audio_channels * film->audio_bits / 8));
} else {
film->sample_table[i].stream = film->video_stream_index;
film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF;
@@ -238,6 +249,10 @@
av_free(film->stereo_buffer);
film->stereo_buffer_size = sample->sample_size;
film->stereo_buffer = av_malloc(film->stereo_buffer_size);
+ if (!film->stereo_buffer) {
+ film->stereo_buffer_size = 0;
+ return AVERROR(ENOMEM);
+ }
}
pkt->pos= url_ftell(pb);
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 8ec28bc..b4fc5f7 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -284,6 +284,10 @@
frame_size -= 4;
smk->curstream++;
smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size);
+ if (!smk->bufs[smk->curstream]) {
+ smk->buf_sizes[smk->curstream] = 0;
+ return AVERROR(ENOMEM);
+ }
smk->buf_sizes[smk->curstream] = size;
ret = get_buffer(s->pb, smk->bufs[smk->curstream], size);
if(ret != size)
@@ -292,7 +296,9 @@
}
flags >>= 1;
}
- if (av_new_packet(pkt, frame_size + 768))
+ if (frame_size < 0)
+ return AVERROR_INVALIDDATA;
+ if (av_new_packet(pkt, frame_size + 769))
return AVERROR(ENOMEM);
if(smk->frm_size[smk->cur_frame] & 1)
palchange |= 2;
diff --git a/libavutil/log.c b/libavutil/log.c
index 4bb9652..fb773d0 100644
--- a/libavutil/log.c
+++ b/libavutil/log.c
@@ -33,7 +33,8 @@
{
static int print_prefix=1;
static int count;
- static char line[1024], prev[1024];
+ static char prev[1024];
+ char line[1024];
AVClass* avc= ptr ? *(AVClass**)ptr : NULL;
if(level>av_log_level)
return;
