Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
* qatar/release/0.5:
Release notes for 0.5.9
Update changelog for 0.5.9 release
Conflicts:
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
diff --git a/Changelog b/Changelog
index b39ecc0..3a66ab0 100644
--- a/Changelog
+++ b/Changelog
@@ -66,6 +66,7 @@
(CVE-2011-3362, CVE-2011-3973, CVE-2011-3974)
- Compilation fixes for gcc-4.6, testsuite now passes again
- Detect and handle overreads in the MJPEG decoder.
+- multiple other security fixes.
diff --git a/RELEASE b/RELEASE
index c164d6b..c934528 100644
--- a/RELEASE
+++ b/RELEASE
@@ -140,7 +140,7 @@
-* 0.5.5 Nov 11, 2011
+* 0.5.5 Nov 6, 2011
General notes
-------------
@@ -148,14 +148,24 @@
This maintenance-only release addresses several security issues that
were brought to our attention. In detail, fixes for the MJPEG decoder,
the CAVS decoder (CVE-2011-3362, CVE-2011-3973, CVE-2011-3974), and the
-Matroska decoder (MSVR11-011/CVE-2011-3504) have been
+Matroska decoder (MSVR11-011/CVE-2011-3504) and many others have been
corrected. Additional, this release contains fixes for compilation with
gcc-4.6. Distributors and system integrators are encouraged to update
and share their patches against this branch.
-* 0.5.6 Dec 25, 2011
+* 0.5.6 Nov 21, 2011
+
+General notes
+-------------
+
+This maintenance-only release addresses several security issues that
+were brought to our attention.
+
+
+
+* 0.5.7 Dec 25, 2011
General notes
-------------
@@ -173,7 +183,7 @@
-* 0.5.7 Jan 11, 2012
+* 0.5.8 Jan 12, 2012
General notes
-------------
@@ -190,7 +200,7 @@
-* 0.5.8 May 10, 2012
+* 0.5.9 May 11, 2012
General notes
-------------
@@ -208,7 +218,7 @@
-* 0.5.9 Jun 09, 2012
+* 0.5.10 Jun 09, 2012
General notes
-------------
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 5c96baa..e33001f 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -133,7 +133,9 @@
GetBitContext pre_gb; ///< ac/dc prefix
GetBitContext gb;
const uint8_t *bytestream;
+ const uint8_t *bytestream_end;
const uint16_t *wordstream;
+ const uint16_t *wordstream_end;
int mv[256];
VLC pre_vlc;
int last_dc;
@@ -308,6 +310,8 @@
assert(code>=0 && code<=6);
if(code == 0){
+ if (f->bytestream_end - f->bytestream < 1)
+ return;
src += f->mv[ *f->bytestream++ ];
if(start > src || src > end){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
@@ -325,15 +329,23 @@
}else if(code == 3 && f->version<2){
mcdc(dst, src, log2w, h, stride, 1, 0);
}else if(code == 4){
+ if (f->bytestream_end - f->bytestream < 1)
+ return;
src += f->mv[ *f->bytestream++ ];
if(start > src || src > end){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return;
}
+ if (f->wordstream_end - f->wordstream < 1)
+ return;
mcdc(dst, src, log2w, h, stride, 1, le2me_16(*f->wordstream++));
}else if(code == 5){
+ if (f->wordstream_end - f->wordstream < 1)
+ return;
mcdc(dst, src, log2w, h, stride, 0, le2me_16(*f->wordstream++));
}else if(code == 6){
+ if (f->wordstream_end - f->wordstream < 2)
+ return;
if(log2w){
dst[0] = le2me_16(*f->wordstream++);
dst[1] = le2me_16(*f->wordstream++);
@@ -355,6 +367,8 @@
if(f->version>1){
extra=20;
+ if (length < extra)
+ return -1;
bitstream_size= AV_RL32(buf+8);
wordstream_size= AV_RL32(buf+12);
bytestream_size= AV_RL32(buf+16);
@@ -365,11 +379,10 @@
bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0);
}
- if(bitstream_size+ bytestream_size+ wordstream_size + extra != length
- || bitstream_size > (1<<26)
- || bytestream_size > (1<<26)
- || wordstream_size > (1<<26)
- ){
+ if (bitstream_size > length ||
+ bytestream_size > length - bitstream_size ||
+ wordstream_size > length - bytestream_size - bitstream_size ||
+ extra > length - bytestream_size - bitstream_size - wordstream_size){
av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size,
bitstream_size+ bytestream_size+ wordstream_size - length);
return -1;
@@ -380,7 +393,9 @@
init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);
f->wordstream= (const uint16_t*)(buf + extra + bitstream_size);
+ f->wordstream_end= f->wordstream + wordstream_size/2;
f->bytestream= buf + extra + bitstream_size + wordstream_size;
+ f->bytestream_end = f->bytestream + bytestream_size;
init_mv(f);
@@ -509,7 +524,7 @@
return 0;
}
-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){
+static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
int frequency[512];
uint8_t flag[512];
int up[512];
@@ -517,6 +532,7 @@
int bits_tab[257];
int start, end;
const uint8_t *ptr= buf;
+ const uint8_t *ptr_end = buf + buf_size;
int j;
memset(frequency, 0, sizeof(frequency));
@@ -527,6 +543,8 @@
for(;;){
int i;
+ if (start <= end && ptr_end - ptr < end - start + 1 + 1)
+ return NULL;
for(i=start; i<=end; i++){
frequency[i]= *ptr++;
}
@@ -599,10 +617,13 @@
const int height= f->avctx->height;
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
+ const uint8_t *buf_end = buf + length;
for(y=0; y<height; y+=16){
for(x=0; x<width; x+=16){
unsigned int color[4], bits;
+ if (buf_end - buf < 8)
+ return -1;
memset(color, 0, sizeof(color));
//warning following is purely guessed ...
color[0]= bytestream_get_le16(&buf);
@@ -636,18 +657,23 @@
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf);
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
- const uint8_t *prestream= buf + bitstream_size + 12;
+ unsigned int prestream_size;
+ const uint8_t *prestream;
- if(prestream_size + bitstream_size + 12 != length
- || bitstream_size > (1<<26)
- || prestream_size > (1<<26)){
+ if (bitstream_size > (1<<26) || length < bitstream_size + 12)
+ return -1;
+ prestream_size = 4*AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
+
+ if (prestream_size > (1<<26) ||
+ prestream_size != length - (bitstream_size + 12)){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
return -1;
}
- prestream= read_huffman_tables(f, prestream);
+ prestream= read_huffman_tables(f, prestream, buf + length - prestream);
+ if (!prestream)
+ return -1;
init_get_bits(&f->gb, buf + 4, 8*bitstream_size);
@@ -684,6 +710,8 @@
AVFrame *p, temp;
int i, frame_4cc, frame_size;
+ if (buf_size < 12)
+ return AVERROR_INVALIDDATA;
frame_4cc= AV_RL32(buf);
if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
@@ -696,6 +724,9 @@
const int whole_size= AV_RL32(buf+16);
CFrameBuffer *cfrm;
+ if (data_size < 0 || whole_size < 0)
+ return AVERROR_INVALIDDATA;
+
for(i=0; i<CFRAME_BUFFER_COUNT; i++){
if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
@@ -712,6 +743,8 @@
}
cfrm= &f->cfrm[i];
+ if (data_size > UINT_MAX - cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_INVALIDDATA;
cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index 9205f35..22dfdfc 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -454,7 +454,7 @@
for (k=0; k<coded_components; k++) {
sfIndx = get_bits(gb,6);
- if (component_count >= 64)
+ if(component_count>=64)
return AVERROR_INVALIDDATA;
pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
max_coded_values = 1024 - pComponent[component_count].pos;
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 8d30040..25b97bf 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -165,7 +165,7 @@
/* get coded block pattern */
int cbp= get_ue_golomb(&h->s.gb);
- if(cbp > 63){
+ if(cbp > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
return -1;
}
@@ -225,7 +225,7 @@
/* get coded block pattern */
if(h->pic_type == FF_I_TYPE)
cbp_code = get_ue_golomb(gb);
- if(cbp_code > 63){
+ if(cbp_code > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
return -1;
}
diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
index d0f5adb..f6d457d 100644
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -336,7 +336,8 @@
* If the frame header is followed by the bytes FE 00 00 06 00 00 then
* this is probably one of the two known files that have 6 extra bytes
* after the frame header. Else, assume 2 extra bytes. */
- if ((s->data[10] == 0xFE) &&
+ if (s->size >= 16 &&
+ (s->data[10] == 0xFE) &&
(s->data[11] == 0x00) &&
(s->data[12] == 0x00) &&
(s->data[13] == 0x06) &&
@@ -365,6 +366,8 @@
s->strips[i].x2 = s->avctx->width;
strip_size = AV_RB24 (&s->data[1]) - 12;
+ if(strip_size < 0)
+ return -1;
s->data += 12;
strip_size = ((s->data + strip_size) > eod) ? (eod - s->data) : strip_size;
diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c
index 9f7ab61..39ac7d6 100644
--- a/libavcodec/cljr.c
+++ b/libavcodec/cljr.c
@@ -60,7 +60,7 @@
p->pict_type= FF_I_TYPE;
p->key_frame= 1;
- init_get_bits(&a->gb, buf, buf_size);
+ init_get_bits(&a->gb, buf, buf_size * 8);
for(y=0; y<avctx->height; y++){
uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ];
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index f8093fc..0d9fe05 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -215,6 +215,8 @@
/* handle palette */
if (palette_type == 0) {
+ if (palette_colors_count > 256)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < palette_colors_count; ++i) {
cin->palette[i] = bytestream_get_le24(&buf);
bitmap_frame_size -= 3;
diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c
index 7054286..aa1be6f 100644
--- a/libavcodec/h261dec.c
+++ b/libavcodec/h261dec.c
@@ -285,6 +285,10 @@
// Read mtype
h->mtype = get_vlc2(&s->gb, h261_mtype_vlc.table, H261_MTYPE_VLC_BITS, 2);
+ if (h->mtype < 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "illegal mtype %d\n", h->mtype);
+ return SLICE_ERROR;
+ }
h->mtype = h261_mtype_map[h->mtype];
// Read mquant
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index c8b561d..48c8028 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3743,6 +3743,7 @@
free_tables(h);
flush_dpb(s->avctx);
MPV_common_end(s);
+ h->list_count = 0;
}
if (!s->context_initialized) {
if(h != h0)
@@ -3940,8 +3941,10 @@
fill_default_ref_list(h);
}
- if(h->slice_type_nos!=FF_I_TYPE && decode_ref_pic_list_reordering(h) < 0)
+ if(h->slice_type_nos!=FF_I_TYPE && decode_ref_pic_list_reordering(h) < 0) {
+ h->ref_count[1]= h->ref_count[0]= 0;
return -1;
+ }
if(h->slice_type_nos!=FF_I_TYPE){
s->last_picture_ptr= &h->ref_list[0][0];
@@ -7169,7 +7172,7 @@
}
sps->ref_frame_count= get_ue_golomb_31(&s->gb);
- if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){
+ if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){
av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
goto fail;
}
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 40c561a..8ee6a86 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -153,6 +153,13 @@
return -1;
}
+ start = 48; /* hardcoded for now */
+
+ if (start >= buf_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size);
+ return AVERROR_INVALIDDATA;
+ }
+
s->decode_delta = buf[18];
/* decide whether frame uses deltas or not */
@@ -160,9 +167,8 @@
for (i = 0; i < buf_size; i++)
buf[i] = ff_reverse[buf[i]];
#endif
- start = 48; /* hardcoded for now */
- init_get_bits(&s->gb, buf + start, buf_size - start);
+ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8);
if (s->decode_delta) { /* intraframe */
ir2_decode_plane(s, avctx->width, avctx->height,
diff --git a/libavcodec/libxvidff.c b/libavcodec/libxvidff.c
index bdf70a0..0bbb712 100644
--- a/libavcodec/libxvidff.c
+++ b/libavcodec/libxvidff.c
@@ -485,6 +485,7 @@
if( x->twopassbuffer != NULL ) {
av_free(x->twopassbuffer);
av_free(x->old_twopassbuffer);
+ avctx->stats_out = NULL;
}
if( x->twopassfile != NULL )
av_free(x->twopassfile);
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index 349a02d..7971b09 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -331,7 +331,8 @@
if (sz == 0)
goto end;
- init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0);
+ if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0))
+ goto end;
mp_decode_frame_helper(mp, &gb);
free_vlc(&mp->vlc);
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c
index 7077c96..34f7693 100644
--- a/libavcodec/mpc7.c
+++ b/libavcodec/mpc7.c
@@ -164,12 +164,19 @@
int i, ch, t;
int mb = -1;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int bits_used, bits_avail;
memset(bands, 0, sizeof(bands));
if(buf_size <= 4){
av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
+ return AVERROR(EINVAL);
+ }
+
+ out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
}
bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
@@ -248,7 +255,7 @@
*data_size = 0;
return buf_size;
}
- *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ *data_size = out_size;
return buf_size;
}
diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c
index 94e6129..ec35369 100644
--- a/libavcodec/nellymoserdec.c
+++ b/libavcodec/nellymoserdec.c
@@ -154,6 +154,7 @@
void *data, int *data_size,
const uint8_t * buf, int buf_size) {
NellyMoserDecodeContext *s = avctx->priv_data;
+ int data_max = *data_size;
int blocks, i;
int16_t* samples;
*data_size = 0;
@@ -177,6 +178,8 @@
}
for (i=0 ; i<blocks ; i++) {
+ if ((i + 1) * NELLY_SAMPLES * sizeof(int16_t) > data_max)
+ return i > 0 ? i * NELLY_BLOCK_LEN : -1;
nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
s->dsp.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
*data_size += NELLY_SAMPLES*sizeof(int16_t);
diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c
index 59eff1f..3a18470 100644
--- a/libavcodec/qcelpdec.c
+++ b/libavcodec/qcelpdec.c
@@ -802,7 +802,7 @@
*data_size = 160 * sizeof(*outbuffer);
- return *data_size;
+ return buf_size;
}
AVCodec qcelp_decoder =
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 79aa256..e2f1a87 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -170,7 +170,7 @@
/// I/O data
const uint8_t *compressed_data;
int compressed_size;
- float output_buffer[QDM2_MAX_FRAME_SIZE * 2];
+ float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
/// Synthesis filter
DECLARE_ALIGNED_16(MPA_INT, synth_buf[MPA_MAX_CHANNELS][512*2]);
@@ -1360,7 +1360,7 @@
local_int_10 = 1 << (q->group_order - duration - 1);
offset = 1;
- while (1) {
+ while (get_bits_left(gb)>0) {
if (q->superblocktype_2_3) {
while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) {
offset = 1;
@@ -1856,6 +1856,7 @@
// something like max decodable tones
s->group_order = av_log2(s->group_size) + 1;
s->frame_size = s->group_size / 16; // 16 iterations per super block
+
if (s->frame_size > QDM2_MAX_FRAME_SIZE)
return AVERROR_INVALIDDATA;
@@ -1926,6 +1927,9 @@
int ch, i;
const int frame_size = (q->frame_size * q->channels);
+ if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
+ return -1;
+
/* select input buffer */
q->compressed_data = in;
q->compressed_size = q->checksum_size;
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index d535c38..d68b44f 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -127,6 +127,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -183,6 +184,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -236,6 +238,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -285,6 +288,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -336,6 +340,7 @@
while (lines_to_change--) {
CHECK_STREAM_PTR(2);
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
if (rle_code == 0) {
@@ -461,6 +466,8 @@
stream_ptr += 4;
height = AV_RB16(&s->buf[stream_ptr]);
stream_ptr += 4;
+ if (height > s->avctx->height - start_line)
+ goto done;
} else {
start_line = 0;
height = s->avctx->height;
diff --git a/libavcodec/resample.c b/libavcodec/resample.c
index 829db76..c40f722 100644
--- a/libavcodec/resample.c
+++ b/libavcodec/resample.c
@@ -279,9 +279,9 @@
if (s->sample_fmt[1] != SAMPLE_FMT_S16) {
output_bak = output;
- if (!s->buffer_size[1] || s->buffer_size[1] < lenout) {
+ if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) {
av_free(s->buffer[1]);
- s->buffer_size[1] = lenout;
+ s->buffer_size[1] = 2*lenout;
s->buffer[1] = av_malloc(s->buffer_size[1]);
if (!s->buffer[1]) {
av_log(s, AV_LOG_ERROR, "Could not allocate buffer\n");
diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c
index ac9db73..19fed30 100644
--- a/libavcodec/resample2.c
+++ b/libavcodec/resample2.c
@@ -190,8 +190,10 @@
memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM));
c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1];
- c->src_incr= out_rate;
- c->ideal_dst_incr= c->dst_incr= in_rate * phase_count;
+ if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2))
+ return NULL;
+ c->ideal_dst_incr= c->dst_incr;
+
c->index= -phase_count*((c->filter_length-1)/2);
return c;
@@ -225,10 +227,9 @@
dst[dst_index] = src[index2>>32];
index2 += incr;
}
- frac += dst_index * dst_incr_frac;
index += dst_index * dst_incr;
- index += frac / c->src_incr;
- frac %= c->src_incr;
+ index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr;
+ frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr;
}else{
for(dst_index=0; dst_index < dst_size; dst_index++){
FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask);
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 71a25d6..ddf0f1d 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -642,6 +642,11 @@
if(MPV_frame_start(s, avctx) < 0)
return -1;
ff_er_frame_start(s);
+ } else {
+ if (s->current_picture_ptr->pict_type != s->pict_type) {
+ av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n");
+ return -1;
+ }
}
#ifdef DEBUG
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index e1b3ad1..0d25eac 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -51,6 +51,11 @@
skip_bits1(gb);
si->pts = get_bits(gb, 13);
rpr = get_bits(gb, r->rpr);
+ if (r->s.avctx->extradata_size < 8 + rpr*2) {
+ av_log(r->s.avctx, AV_LOG_WARNING,
+ "Extradata does not contain selected resolution\n");
+ rpr = 0;
+ }
if(rpr){
w = r->s.avctx->extradata[6 + rpr*2] << 2;
h = r->s.avctx->extradata[7 + rpr*2] << 2;
@@ -74,7 +79,7 @@
for(i = 0; i < 4; i++, dst += r->s.b4_stride - 4){
for(j = 0; j < 4; j+= 2){
int code = svq3_get_ue_golomb(gb) << 1;
- if(code >= 81*2){
+ if(code >= 81U*2U){
av_log(r->s.avctx, AV_LOG_ERROR, "Incorrect intra prediction code\n");
return -1;
}
@@ -103,7 +108,7 @@
GetBitContext *gb = &s->gb;
int code = svq3_get_ue_golomb(gb);
- if(code > 11){
+ if(code > 11U){
av_log(s->avctx, AV_LOG_ERROR, "Incorrect MB type code\n");
return -1;
}
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 4d8d968..c4e3621 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1269,6 +1269,17 @@
r->next_pts = r->cur_pts;
}
s->mb_x = s->mb_y = 0;
+ } else {
+ int slice_type = r->si.type ? r->si.type : FF_I_TYPE;
+
+ if (slice_type != s->pict_type) {
+ av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n");
+ return AVERROR_INVALIDDATA;
+ }
+ if (s->width != r->si.width || s->height != r->si.height) {
+ av_log(s->avctx, AV_LOG_ERROR, "Size mismatch\n");
+ return AVERROR_INVALIDDATA;
+ }
}
r->si.end = end;
@@ -1401,8 +1412,9 @@
slice_count = avctx->slice_count;
//parse first slice header to check whether this frame can be decoded
- if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
+ get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
return -1;
}
init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0));
@@ -1430,8 +1442,8 @@
else
size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
- if(offset > buf_size){
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ if(offset < 0 || offset > buf_size || size < 0){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
@@ -1452,7 +1464,7 @@
break;
}
- if(last){
+ if(last && s->current_picture_ptr){
if(r->loop_filter)
r->loop_filter(r, s->mb_height - 1);
ff_er_frame_end(s);
diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c
index 8e1a470..31c9ca3 100644
--- a/libavcodec/rv40.c
+++ b/libavcodec/rv40.c
@@ -207,8 +207,11 @@
int blocks[RV34_MB_TYPES] = {0};
int count = 0;
- if(!r->s.mb_skip_run)
+ if(!r->s.mb_skip_run) {
r->s.mb_skip_run = svq3_get_ue_golomb(gb) + 1;
+ if(r->s.mb_skip_run > (unsigned)s->mb_num)
+ return -1;
+ }
if(--r->s.mb_skip_run)
return RV34_MB_SKIP;
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 053f5c2..6aacd5c 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -147,7 +147,7 @@
if (s->bitshift != 0)
for (i = 0; i < s->blocksize; i++)
- buffer[s->nwrap + i] <<= s->bitshift;
+ buffer[i] <<= s->bitshift;
}
@@ -469,9 +469,15 @@
case FN_BITSHIFT:
s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
break;
- case FN_BLOCKSIZE:
- s->blocksize = get_uint(s, av_log2(s->blocksize));
+ case FN_BLOCKSIZE: {
+ int blocksize = get_uint(s, av_log2(s->blocksize));
+ if (blocksize > s->blocksize) {
+ av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+ s->blocksize = blocksize;
break;
+ }
case FN_QUIT:
*data_size = 0;
return buf_size;
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 03241cf..95a9beb 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -133,11 +133,13 @@
return -1;
}
b1 = get_bits_count(gb);
- i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3);
+ i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
b1 = get_bits_count(gb) - b1;
b2 = get_bits_count(gb);
- i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3);
+ i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0;
b2 = get_bits_count(gb) - b2;
+ if (i1 < 0 || i2 < 0)
+ return -1;
val = ctx->recode1[i1] | (ctx->recode2[i2] << 8);
if(val == ctx->escapes[0]) {
ctx->last[0] = hc->current;
@@ -289,7 +291,8 @@
smk->mmap_tbl[0] = 0;
smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n");
@@ -297,7 +300,8 @@
smk->mclr_tbl[0] = 0;
smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n");
@@ -305,7 +309,8 @@
smk->full_tbl[0] = 0;
smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n");
@@ -313,7 +318,8 @@
smk->type_tbl[0] = 0;
smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size))
+ return -1;
}
return 0;
@@ -527,8 +533,8 @@
return -1;
}
- decode_header_trees(c);
-
+ if (decode_header_trees(c))
+ return -1;
return 0;
}
@@ -654,6 +660,8 @@
} else { //8-bit data
for(i = stereo; i >= 0; i--)
pred[i] = get_bits(&gb, 8);
+ if (stereo + unp_size > *data_size)
+ return -1;
for(i = 0; i < stereo; i++)
*samples++ = (pred[i] - 0x80) << 8;
for(i = 0; i < unp_size; i++) {
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c
index 920b32d..f1e436c 100644
--- a/libavcodec/sp5xdec.c
+++ b/libavcodec/sp5xdec.c
@@ -88,7 +88,6 @@
recoded[j++] = 0xFF;
recoded[j++] = 0xD9;
- avctx->flags &= ~CODEC_FLAG_EMU_EDGE;
i = ff_mjpeg_decode_frame(avctx, data, data_size, recoded, j);
av_free(recoded);
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index bef7075..5d4d411 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -202,7 +202,7 @@
for (limit = (16 >> intra); index < 16; index = limit, limit += 8) {
for (; (vlc = svq3_get_ue_golomb(gb)) != 0; index++) {
- if (vlc == INVALID_VLC)
+ if (vlc < 0)
return -1;
sign = (vlc & 0x1) - 1;
@@ -220,7 +220,7 @@
level = ((vlc + 9) >> 2) - run;
}
} else {
- if (vlc < 16) {
+ if (vlc < 16U) {
run = svq3_dct_tables[intra][vlc].run;
level = svq3_dct_tables[intra][vlc].level;
} else if (intra) {
@@ -549,7 +549,7 @@
for (i = 0; i < 16; i+=2) {
vlc = svq3_get_ue_golomb(&s->gb);
- if (vlc >= 25){
+ if (vlc >= 25U){
av_log(h->s.avctx, AV_LOG_ERROR, "luma prediction:%d\n", vlc);
return -1;
}
@@ -620,7 +620,7 @@
}
if (!IS_INTRA16x16(mb_type) && (!IS_SKIP(mb_type) || s->pict_type == FF_B_TYPE)) {
- if ((vlc = svq3_get_ue_golomb(&s->gb)) >= 48){
+ if ((vlc = svq3_get_ue_golomb(&s->gb)) >= 48U){
av_log(h->s.avctx, AV_LOG_ERROR, "cbp_vlc=%d\n", vlc);
return -1;
}
@@ -630,7 +630,7 @@
if (IS_INTRA16x16(mb_type) || (s->pict_type != FF_I_TYPE && s->adaptive_quant && cbp)) {
s->qscale += svq3_get_se_golomb(&s->gb);
- if (s->qscale > 31){
+ if (s->qscale > 31U){
av_log(h->s.avctx, AV_LOG_ERROR, "qscale:%d\n", s->qscale);
return -1;
}
@@ -727,7 +727,7 @@
skip_bits_long(&s->gb, 0);
}
- if ((i = svq3_get_ue_golomb(&s->gb)) == INVALID_VLC || i >= 3){
+ if ((i = svq3_get_ue_golomb(&s->gb)) >= 3U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal slice type %d \n", i);
return -1;
}
diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
index dfa2a1b..c32f4f0 100644
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -199,7 +199,8 @@
model1 = model->coeff_dccv[pt];
model2 = model->coeff_dcct[pt][ctx];
- for (coeff_idx=0; coeff_idx<64; ) {
+ coeff_idx = 0;
+ for (;;) {
if (vp56_rac_get_prob(c, model2[0])) {
if (vp56_rac_get_prob(c, model2[2])) {
if (vp56_rac_get_prob(c, model2[3])) {
@@ -236,8 +237,11 @@
ct = 0;
s->coeff_ctx[vp56_b6to4[b]][coeff_idx] = 0;
}
+ coeff_idx++;
+ if (coeff_idx >= 64)
+ break;
- cg = vp5_coeff_groups[++coeff_idx];
+ cg = vp5_coeff_groups[coeff_idx];
ctx = s->coeff_ctx[vp56_b6to4[b]][coeff_idx];
model1 = model->coeff_ract[pt][ct][cg];
model2 = cg > 2 ? model1 : model->coeff_acct[pt][ct][cg][ctx];
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index c09dbeb..1ca8a40 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -519,6 +519,16 @@
if (!res)
return -1;
+ if (res == 2) {
+ int i;
+ for (i = 0; i < 4; i++) {
+ if (s->frames[i].data[0])
+ avctx->release_buffer(avctx, &s->frames[i]);
+ }
+ if (is_alpha)
+ return -1;
+ }
+
if (!is_alpha) {
p->reference = 1;
if (avctx->get_buffer(avctx, p) < 0) {
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 12eac33..19e5e05 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -536,12 +536,13 @@
}
switch(id & WP_IDF_MASK){
case WP_ID_DECTERMS:
- s->terms = size;
- if(s->terms > MAX_TERMS){
+ if(size > MAX_TERMS){
av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n");
+ s->terms = 0;
buf += ssize;
continue;
}
+ s->terms = size;
for(i = 0; i < s->terms; i++) {
s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5;
s->decorr[s->terms - i - 1].delta = *buf >> 5;
diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
index e7936ce..088d510 100644
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -105,6 +105,11 @@
s->use_bit_reservoir = flags2 & 0x0002;
s->use_variable_block_len = flags2 & 0x0004;
+ if(avctx->channels > MAX_CHANNELS){
+ av_log(avctx, AV_LOG_ERROR, "Invalid number of channels (%d)\n", avctx->channels);
+ return -1;
+ }
+
if(ff_wma_init(avctx, flags2)<0)
return -1;
diff --git a/libavcodec/x86/dsputilenc_mmx.c b/libavcodec/x86/dsputilenc_mmx.c
index 1717a01..c1a648b 100644
--- a/libavcodec/x86/dsputilenc_mmx.c
+++ b/libavcodec/x86/dsputilenc_mmx.c
@@ -882,6 +882,7 @@
static void diff_bytes_mmx(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
x86_reg i=0;
+ if(w>=16)
__asm__ volatile(
"1: \n\t"
"movq (%2, %0), %%mm0 \n\t"
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 631f821..d0fd312 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -127,6 +127,10 @@
for (i = 0; i < header_size - 8; i++) {
fourcc_tag = AV_RL32(&header[i]);
size = AV_RL32(&header[i + 4]);
+ if (size > header_size - i - 8 && (fourcc_tag == vtrk_TAG || fourcc_tag == strk_TAG)) {
+ av_log(s, AV_LOG_ERROR, "chunk larger than array %d>%d\n", size, header_size - i - 8);
+ return AVERROR_INVALIDDATA;
+ }
if (fourcc_tag == std__TAG) {
fourxm->fps = av_int2flt(AV_RL32(&header[i + 12]));
diff --git a/libavformat/ape.c b/libavformat/ape.c
index 3031e47..7511d93 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -356,6 +356,8 @@
if (ape->seektablelength > 0) {
ape->seektable = av_malloc(ape->seektablelength);
+ if (!ape->seektable)
+ return AVERROR(ENOMEM);
for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
ape->seektable[i] = get_le32(pb);
}
diff --git a/libavformat/avs.c b/libavformat/avs.c
index 1fcb19f..eda7f9d 100644
--- a/libavformat/avs.c
+++ b/libavformat/avs.c
@@ -163,10 +163,14 @@
sub_type = get_byte(s->pb);
type = get_byte(s->pb);
size = get_le16(s->pb);
+ if (size < 4)
+ return AVERROR_INVALIDDATA;
avs->remaining_frame_size -= size;
switch (type) {
case AVS_PALETTE:
+ if (size - 4 > sizeof(palette))
+ return AVERROR_INVALIDDATA;
ret = get_buffer(s->pb, palette, size - 4);
if (ret < size - 4)
return AVERROR(EIO);
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index e16cd1e..7350562 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1641,7 +1641,7 @@
lace_size[n] = lace_size[n - 1] + snum;
total += lace_size[n];
}
- lace_size[n] = size - total;
+ lace_size[laces - 1] = size - total;
break;
}
}
diff --git a/libavformat/mm.c b/libavformat/mm.c
index 6c621ab..1868e90 100644
--- a/libavformat/mm.c
+++ b/libavformat/mm.c
@@ -162,7 +162,6 @@
case MM_TYPE_AUDIO :
if (av_get_packet(s->pb, pkt, length)<0)
return AVERROR(ENOMEM);
- pkt->size = length;
pkt->stream_index = 1;
pkt->pts = mm->audio_pts++;
return 0;
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 54406f5..a810b95 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -90,14 +90,24 @@
ogg->state = ost->next;
if (!discard){
+ struct ogg_stream *old_streams = ogg->streams;
+
for (i = 0; i < ogg->nstreams; i++)
av_free (ogg->streams[i].buf);
url_fseek (bc, ost->pos, SEEK_SET);
ogg->curidx = ost->curidx;
ogg->nstreams = ost->nstreams;
- memcpy(ogg->streams, ost->streams,
- ost->nstreams * sizeof(*ogg->streams));
+ ogg->streams = av_realloc (ogg->streams,
+ ogg->nstreams * sizeof (*ogg->streams));
+
+ if (ogg->streams) {
+ memcpy(ogg->streams, ost->streams,
+ ost->nstreams * sizeof(*ogg->streams));
+ } else {
+ av_free(old_streams);
+ ogg->nstreams = 0;
+ }
}
av_free (ost);
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 5e3b3c7..65bc79c 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -154,8 +154,9 @@
ast->audio_framesize = st->codec->block_align;
st->codec->block_align = coded_framesize;
- if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
- av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n");
+ if (ast->audio_framesize <= 0 || sub_packet_h <= 0 ||
+ ast->audio_framesize >= UINT_MAX / sub_packet_h){
+ av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h is invalid\n");
return -1;
}
@@ -185,8 +186,9 @@
ast->audio_framesize = st->codec->block_align;
st->codec->block_align = ast->sub_packet_size;
- if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
- av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+ if (ast->audio_framesize <= 0 || sub_packet_h <= 0 ||
+ ast->audio_framesize >= UINT_MAX / sub_packet_h){
+ av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h is invalid\n");
return -1;
}
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index ae1263c..c1da789 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -111,11 +111,16 @@
film->audio_samplerate = AV_RB16(&scratch[24]);
film->audio_channels = scratch[21];
film->audio_bits = scratch[22];
- if (film->audio_bits == 8)
- film->audio_type = CODEC_ID_PCM_S8;
- else if (film->audio_bits == 16)
- film->audio_type = CODEC_ID_PCM_S16BE;
- else
+ if (scratch[23] == 2)
+ film->audio_type = CODEC_ID_ADPCM_ADX;
+ else if (film->audio_channels > 0) {
+ if (film->audio_bits == 8)
+ film->audio_type = CODEC_ID_PCM_S8;
+ else if (film->audio_bits == 16)
+ film->audio_type = CODEC_ID_PCM_S16BE;
+ else
+ film->audio_type = CODEC_ID_NONE;
+ } else
film->audio_type = CODEC_ID_NONE;
}
@@ -167,6 +172,8 @@
if(film->sample_count >= UINT_MAX / sizeof(film_sample))
return -1;
film->sample_table = av_malloc(film->sample_count * sizeof(film_sample));
+ if (!film->sample_table)
+ return AVERROR(ENOMEM);
for(i=0; i<s->nb_streams; i++)
av_set_pts_info(s->streams[i], 33, 1, film->base_clock);
@@ -187,8 +194,12 @@
film->sample_table[i].pts *= film->base_clock;
film->sample_table[i].pts /= film->audio_samplerate;
- audio_frame_counter += (film->sample_table[i].sample_size /
- (film->audio_channels * film->audio_bits / 8));
+ if (film->audio_type == CODEC_ID_ADPCM_ADX)
+ audio_frame_counter += (film->sample_table[i].sample_size * 32 /
+ (18 * film->audio_channels));
+ else if (film->audio_type != CODEC_ID_NONE)
+ audio_frame_counter += (film->sample_table[i].sample_size /
+ (film->audio_channels * film->audio_bits / 8));
} else {
film->sample_table[i].stream = film->video_stream_index;
film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF;
@@ -238,6 +249,10 @@
av_free(film->stereo_buffer);
film->stereo_buffer_size = sample->sample_size;
film->stereo_buffer = av_malloc(film->stereo_buffer_size);
+ if (!film->stereo_buffer) {
+ film->stereo_buffer_size = 0;
+ return AVERROR(ENOMEM);
+ }
}
pkt->pos= url_ftell(pb);
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 8ec28bc..b4fc5f7 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -284,6 +284,10 @@
frame_size -= 4;
smk->curstream++;
smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size);
+ if (!smk->bufs[smk->curstream]) {
+ smk->buf_sizes[smk->curstream] = 0;
+ return AVERROR(ENOMEM);
+ }
smk->buf_sizes[smk->curstream] = size;
ret = get_buffer(s->pb, smk->bufs[smk->curstream], size);
if(ret != size)
@@ -292,7 +296,9 @@
}
flags >>= 1;
}
- if (av_new_packet(pkt, frame_size + 768))
+ if (frame_size < 0)
+ return AVERROR_INVALIDDATA;
+ if (av_new_packet(pkt, frame_size + 769))
return AVERROR(ENOMEM);
if(smk->frm_size[smk->cur_frame] & 1)
palchange |= 2;
diff --git a/libavformat/westwood.c b/libavformat/westwood.c
index d2736ac..7ca1797 100644
--- a/libavformat/westwood.c
+++ b/libavformat/westwood.c
@@ -279,10 +279,8 @@
/* there are 0 or more chunks before the FINF chunk; iterate until
* FINF has been skipped and the file will be ready to be demuxed */
do {
- if (get_buffer(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) {
- av_free(st->codec->extradata);
+ if (get_buffer(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE)
return AVERROR(EIO);
- }
chunk_tag = AV_RB32(&scratch[0]);
chunk_size = AV_RB32(&scratch[4]);
diff --git a/libavutil/log.c b/libavutil/log.c
index 4bb9652..fb773d0 100644
--- a/libavutil/log.c
+++ b/libavutil/log.c
@@ -33,7 +33,8 @@
{
static int print_prefix=1;
static int count;
- static char line[1024], prev[1024];
+ static char prev[1024];
+ char line[1024];
AVClass* avc= ptr ? *(AVClass**)ptr : NULL;
if(level>av_log_level)
return;
diff --git a/libavutil/mem.c b/libavutil/mem.c
index 741450b..1ce0b77 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -113,7 +113,9 @@
//FIXME this isn't aligned correctly, though it probably isn't needed
if(!ptr) return av_malloc(size);
diff= ((char*)ptr)[-1];
- return (char*)realloc((char*)ptr - diff, size + diff) + diff;
+ ptr= realloc((char*)ptr - diff, size + diff);
+ if(ptr) ptr = (char*)ptr + diff;
+ return ptr;
#else
return realloc(ptr, size);
#endif
