From 97b6916f93e6998ed787e35efc56018f9d390c55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 19 Sep 2013 15:12:06 +0300
Subject: [PATCH 01/12] dcadec: Validate the lfe parameter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit a9d50bb578ec04c085a25f1e023f75e0e4499d5e)
Signed-off-by: Luca Barbato
---
 libavcodec/dcadec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c
index 561c30c003..eecdeaad99 100644
--- a/libavcodec/dcadec.c
+++ b/libavcodec/dcadec.c
@@ -582,6 +582,11 @@ static int dca_parse_frame_header(DCAContext *s)
 s->lfe = get_bits(&s->gb, 2);
 s->predictor_history = get_bits(&s->gb, 1);
+ if (s->lfe > 2) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+ return AVERROR_INVALIDDATA;
+ }
+
 /* TODO: check CRC */
 if (s->crc_present)
 s->header_crc = get_bits(&s->gb, 16);
From 0c8c6b4419e00d13197a4aea5456b398dca24df0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 20 Sep 2013 00:07:34 +0300
Subject: [PATCH 02/12] wnv1: Make sure the input packet is large enough
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 91be1103fd1f79d381edf268c32f4166b6c3b6d8)
Signed-off-by: Luca Barbato
---
 libavcodec/wnv1.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index 1636f16510..362fafca9e 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
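Review bot: The new range check on the 2-bit lfe field carries no comment saying why only 0–2 are acceptable, so a later reader cannot tell whether the value 3 is reserved by the format or merely unhandled by this decoder; a one-line comment above the `if`, e.g. `/* 2-bit field; 3 is not a valid LFE configuration */`, would record that. The check runs before the header CRC is verified (the TODO below is still open), which is fine for a bound check but worth remembering if s->lfe is later used to size anything. dca_parse_frame_header starts and continues outside the hunk.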
@@ -71,6 +71,11 @@ static int decode_frame(AVCodecContext *avctx,
 int prev_y = 0, prev_u = 0, prev_v = 0;
 uint8_t *rbuf;
+ if (buf_size < 8) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!rbuf) {
 av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
From b62704891d2353679e012555ac9e9a49ee63d497 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 20 Sep 2013 11:16:00 +0300
Subject: [PATCH 03/12] vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit ede508443e4bf57dc1e019fac81bf6244b88fbd3)
Signed-off-by: Luca Barbato
---
 libavcodec/vc1dec.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index bafd6a2f8c..cb9007849f 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -5131,8 +5131,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v)
 if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane || !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
- !v->mb_type_base)
- return -1;
+ !v->mb_type_base) {
+ av_freep(&v->mv_type_mb_plane);
+ av_freep(&v->direct_mb_plane);
+ av_freep(&v->acpred_plane);
+ av_freep(&v->over_flags_plane);
+ av_freep(&v->block);
+ av_freep(&v->cbp_base);
+ av_freep(&v->ttblk_base);
+ av_freep(&v->is_intra_base);
+ av_freep(&v->luma_mv_base);
+ av_freep(&v->mb_type_base);
+ return AVERROR(ENOMEM);
+ }
 return 0;
 }
From a6a8f66608cce414ef31c01a3059d64f6ef26663 Mon Sep 17 00:00:00 2001
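Review bot: The minimum size 8 in the new `buf_size < 8` guard is a magic number with no comment tying it to what decode_frame reads from the packet, and the log line omits the offending size, which makes rejected inputs harder to triage; `av_log(avctx, AV_LOG_ERROR, "Packet is too short (%d bytes)\n", buf_size);` plus a comment naming the header those 8 bytes cover would fix both. Presumably the bytes are consumed by fixed reads further down, but the function starts and continues outside the hunk, so I cannot confirm from here that 8 also covers everything read before the per-pixel loop.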
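Review bot: The ten `av_freep` calls in the new failure branch release the base buffers, but if ff_vc1_decode_init_alloc_tables also stores offset pointers derived from them into the context earlier in the function (outside the hunk; the `_base` naming suggests such derived pointers exist), those fields are left dangling after this return, and a retry by the caller could use freed memory. Clearing them here, or routing the failure through the same teardown the decoder uses on close, would avoid that. This list also has to be kept in sync with every allocation added above it in future; a `goto fail` to one cleanup label that mirrors the allocations would make that maintenance explicit. The function's allocations start outside the hunk.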
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 20 Sep 2013 11:16:57 +0300
Subject: [PATCH 04/12] vc1dec: Undo mpegvideo initialization if unable to allocate tables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, s->context_initialized was left set to 1 if ff_vc1_decode_init_alloc_tables failed, skipping the initialization completely on the next decode call.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit b772b0e28eba6abf76d86ee8c6e459a86642db5a)
Signed-off-by: Luca Barbato
---
 libavcodec/vc1dec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index cb9007849f..9d68d32c13 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -5495,8 +5495,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
 }
 if (!s->context_initialized) {
- if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0)
+ if (ff_msmpeg4_decode_init(avctx) < 0)
 goto err;
+ if (ff_vc1_decode_init_alloc_tables(v) < 0) {
+ ff_MPV_common_end(s);
+ goto err;
+ }
 s->low_delay = !avctx->has_b_frames || v->res_sprite;
From 17e7edf75b451edd7dde4816c3225fd1557517c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 20 Sep 2013 12:20:06 +0300
Subject: [PATCH 05/12] lavf: Avoid setting avg_frame_rate if delta_dts is negative
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This avoids setting avg_frame_rate to invalid (negative) values.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit ce67f442be0f6c4a8794272873852e256b5b8ee4)
Signed-off-by: Luca Barbato
---
 libavformat/utils.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
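Review bot: The error code from ff_vc1_decode_init_alloc_tables is discarded at `if (ff_vc1_decode_init_alloc_tables(v) < 0) {`; that function now returns AVERROR(ENOMEM), so capturing it in a local and returning it from the err path (if that label returns a fixed value, which is outside the hunk) would let callers tell out-of-memory apart from malformed input. The msmpeg4 failure one line above takes the same `goto err` without ff_MPV_common_end(s); presumably that is correct because the context is not marked initialized until ff_msmpeg4_decode_init succeeds, but a short comment saying so would stop the asymmetry from reading as an omission. vc1_decode_frame starts and ends outside the hunk.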
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 4f73dfebef..b0bfea224f 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2499,7 +2499,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
 double best_error = 0.01;
 if (delta_dts >= INT64_MAX / st->time_base.num ||
- delta_packets >= INT64_MAX / st->time_base.den)
+ delta_packets >= INT64_MAX / st->time_base.den ||
+ delta_dts < 0)
 continue;
 av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, delta_packets*(int64_t)st->time_base.den,
From 8bd27a167b6e22e7da964df1638c493d51a9663b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 20 Sep 2013 12:26:45 +0300
Subject: [PATCH 06/12] electronicarts: Check packet sizes before reading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit f7e616959aff8706edccdae763c24c897c449f6f)
Signed-off-by: Luca Barbato
---
 libavformat/electronicarts.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index ae2fda079f..ebb4c124dd 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -525,10 +525,16 @@ static int ea_read_packet(AVFormatContext *s,
 case AV_CODEC_ID_ADPCM_EA_R1:
 case AV_CODEC_ID_ADPCM_EA_R2:
 case AV_CODEC_ID_ADPCM_IMA_EA_EACS:
- pkt->duration = AV_RL32(pkt->data);
- break;
 case AV_CODEC_ID_ADPCM_EA_R3:
- pkt->duration = AV_RB32(pkt->data);
+ if (pkt->size < 4) {
+ av_log(s, AV_LOG_ERROR, "Packet is too short\n");
+ av_free_packet(pkt);
+ return AVERROR_INVALIDDATA;
+ }
+ if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3)
+ pkt->duration = AV_RB32(pkt->data);
+ else
+ pkt->duration = AV_RL32(pkt->data);
 break;
 case AV_CODEC_ID_ADPCM_IMA_EA_SEAD:
 pkt->duration = ret * 2 / ea->num_channels;
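Review bot: The new `delta_dts < 0` term sits last in the condition, after the two INT64_MAX overflow guards, so a reader looking for the sign check has to work through the division arithmetic first; putting it first reads more naturally and costs nothing, since every term is a plain comparison. A short comment on what produces a negative delta_dts (a timestamp going backwards between the sampled packets, as far as the name suggests) would also help, because the hunk itself gives no hint. The enclosing loop in avformat_find_stream_info starts and ends outside the hunk.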
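Review bot: The merged case now tests `ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3` inside a switch that presumably dispatches on that same value (its head is outside the hunk), so the byte-order choice is decided twice; a shared `pkt->size < 4` block placed before the switch, with the two original cases left separate, would avoid the duplicated dispatch. Independently of this change, both AV_RB32 and AV_RL32 yield a full 32-bit unsigned value that is assigned to pkt->duration, whose type is not visible here; if it is a signed int, values above INT_MAX become negative durations, which may deserve a range check next to the new size check. ea_read_packet starts and ends outside the hunk.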
From 4d60ab62e05decc562645cd6f813f7c9e69637ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 00:34:35 +0300
Subject: [PATCH 07/12] vqf: Make sure sample_rate is set to a valid value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This avoids divisions by zero later (and possibly assertions in time base scaling), since an invalid rate_flag combined with an invalid bitrate below could pass the mode combination test.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 9277050e2918e0a0df9689721a188a604d886616)
Signed-off-by: Luca Barbato
---
 libavformat/vqf.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index 66ced37bad..b0e3b6de74 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s)
 st->codec->sample_rate = 11025;
 break;
 default:
+ if (rate_flag < 8 || rate_flag > 44) {
+ av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag);
+ return AVERROR_INVALIDDATA;
+ }
 st->codec->sample_rate = rate_flag*1000;
 break;
 }
From 60701469ab9f526841ae81444236425f87916adb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 23:19:10 +0300
Subject: [PATCH 08/12] vqf: Make sure the bitrate is in the valid range
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Even if the sample rate is valid, an invalid bitrate could pass the mode combination test below.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 68ff9981283a56c731f00c2ee7901103665092fc)
Signed-off-by: Luca Barbato
---
 libavformat/vqf.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index b0e3b6de74..aba6ab1f37 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
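Review bot: The bounds in `if (rate_flag < 8 || rate_flag > 44)` are bare magic numbers; since the next line computes `rate_flag*1000`, a comment such as `/* rate_flag is the sample rate in kHz; values outside 8..44 are rejected */` would make the check self-explanatory and tie it to the explicit cases handled above it. vqf_read_header starts and continues outside the hunk.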
@@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s)
 break;
 }
+ if (read_bitrate / st->codec->channels < 8 ||
+ read_bitrate / st->codec->channels > 48) {
+ av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n",
+ read_bitrate / st->codec->channels);
+ return AVERROR_INVALIDDATA;
+ }
+
 switch (((st->codec->sample_rate/1000) << 8) + read_bitrate/st->codec->channels) {
 case (11<<8) + 8 :
From 2e4c649b3e62fdd158b5a9a0f973d3b186a23e94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 00:41:31 +0300
Subject: [PATCH 09/12] avidec: Make sure a packet is large enough before reading its data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 8d07258bb6063d0780ce2d39443d6dc6d8eedc5a)
Signed-off-by: Luca Barbato
Conflicts:
 libavformat/avidec.c
---
 libavformat/avidec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index ee341c21b6..e17d932319 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -752,8 +752,10 @@ static int avi_read_header(AVFormatContext *s)
 return 0;
 }
-static int read_gab2_sub(AVStream *st, AVPacket *pkt) {
- if (!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) {
+static int read_gab2_sub(AVStream *st, AVPacket *pkt)
+{
+ if (pkt->size >= 7 &&
+ !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
 uint8_t desc[256];
 int score = AVPROBE_SCORE_MAX / 2, ret;
 AVIStream *ast = st->priv_data;
From 2ff935a06008fb1959ff633962fbc728762c33cb Mon Sep 17 00:00:00 2001
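Review bot: `st->codec->channels` is used as a divisor three times in the new block (and again in the switch below it), so if channels comes from the file and is not already validated earlier in vqf_read_header (outside the hunk), a zero value divides by zero before this check can reject anything; computing the quotient once, e.g. `int bitrate_per_channel = read_bitrate / st->codec->channels;` behind a `channels > 0` guard, would remove both the repetition and the hazard. The bounds 8 and 48 are also undocumented; a comment naming the unit (kbit/s per channel, as far as the log message suggests) would help. The function starts and continues outside the hunk.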
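Review bot: The new `pkt->size >= 7` guard makes the `strcmp(pkt->data, "GAB2")` safe only because strcmp stops at the first mismatch or at the literal's terminator and therefore reads at most 5 bytes; that reasoning is implicit, and `memcmp(pkt->data, "GAB2", 5) == 0` would state the bounded comparison directly with identical results. Packet buffers are normally allocated with FF_INPUT_BUFFER_PADDING_SIZE of slack, so the old code may have worked by accident rather than by contract; the explicit size check is the right fix and the 7 should get a comment naming the 4-byte tag, terminator and 16-bit field it covers. read_gab2_sub continues outside the hunk.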
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 23:13:26 +0300
Subject: [PATCH 10/12] xwma: Avoid division by zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit adc09136a4a63b152630abeacb22c56541eacf60)
Signed-off-by: Luca Barbato
---
 libavformat/xwma.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/libavformat/xwma.c b/libavformat/xwma.c
index 46ca0b80f1..5500db81d7 100644
--- a/libavformat/xwma.c
+++ b/libavformat/xwma.c
@@ -200,6 +200,14 @@ static int xwma_read_header(AVFormatContext *s)
 /* Estimate the duration from the total number of output bytes. */
 const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
+
+ if (!bytes_per_sample) {
+ av_log(s, AV_LOG_ERROR,
+ "Invalid bits_per_coded_sample %d for %d channels\n",
+ st->codec->bits_per_coded_sample, st->codec->channels);
+ return AVERROR_INVALIDDATA;
+ }
+
 st->duration = total_decoded_bytes / bytes_per_sample;
 /* Use the dpds data to build a seek table. We can only do this after
From 78aa2ed620178044a227fbbe48f749c0dc86023f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 00:22:52 +0300
Subject: [PATCH 11/12] alac: Do bounds checking of lpc_order read from the bitstream
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In lpc_prediction(), we write up to array element 'lpc_order' in an array allocated to hold 'max_samples_per_frame' elements.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 59480abce7e4238e22b3a4a904a9fe6abf4e4188)
Signed-off-by: Luca Barbato
---
 libavcodec/alac.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index 72e9353b54..139e352ad3 100644
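Review bot: The `!bytes_per_sample` guard is placed at the one division visible here, but bytes_per_sample is computed earlier in xwma_read_header (outside the hunk) from bits_per_coded_sample and channels, as the error message implies; validating it at the point it is computed would cover any other use of the value and would not be skipped if this block turns out to be conditional. The message itself is good practice, since it prints both inputs that produced the zero. The function starts and ends outside the hunk.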
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -315,6 +315,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index,
 rice_history_mult[ch] = get_bits(&alac->gb, 3);
 lpc_order[ch] = get_bits(&alac->gb, 5);
+ if (lpc_order[ch] >= alac->max_samples_per_frame)
+ return AVERROR_INVALIDDATA;
+
 /* read the predictor table */
 for (i = lpc_order[ch] - 1; i >= 0; i--)
 lpc_coefs[ch][i] = get_sbits(&alac->gb, 16);
From 04d2f9ace3fb6e880f3488770fc5a39de5b63cbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Sat, 28 Sep 2013 23:26:18 +0300
Subject: [PATCH 12/12] mvi: Add sanity checking for the audio frame size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This avoids a division by zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 28ff439efd2362fb21e1a78610737f2e26a72d8f)
Signed-off-by: Luca Barbato
---
 libavformat/mvi.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 10ec8bbb20..65096f10b4 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -93,6 +93,12 @@ static int read_header(AVFormatContext *s)
 mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24;
 mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
+ if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
+ av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n",
+ mvi->audio_data_size, frames_count);
+ return AVERROR_INVALIDDATA;
+ }
+
 mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
 mvi->audio_size_left = mvi->audio_data_size;
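Review bot: The new lpc_order bound returns AVERROR_INVALIDDATA silently, unlike the other checks in this series, which log what they rejected; `av_log(avctx, AV_LOG_ERROR, "Invalid lpc_order %d\n", lpc_order[ch]);` before the return would make corrupt input diagnosable. A comment tying the `>=` to the reason in the commit message (the predictor writes up to index lpc_order of an array sized max_samples_per_frame) would also explain why `>=` rather than `>` is the right operator. decode_element starts and ends outside the hunk.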
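Review bot: `1 << MVI_FRAC_BITS - 1` parses as `1 << (MVI_FRAC_BITS - 1)`, i.e. half of one fixed-point unit, which is a different threshold from `(1 << MVI_FRAC_BITS) - 1` (anything below one whole unit); whichever is intended, the expression should be parenthesized so the choice is visible, e.g. `if (mvi->audio_frame_size <= (1 << (MVI_FRAC_BITS - 1))) {`. The division by frames_count on the line above the new check is still unguarded within this hunk; if frames_count is not validated earlier in read_header (outside the hunk), a zero there divides by zero before the new check runs. The `%d` conversions also assume audio_data_size and frames_count are plain int, which I cannot confirm from here. read_header starts and continues outside the hunk.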