diff --git a/configure b/configure index e6077a1917..d4635a4ae6 100755 --- a/configure +++ b/configure @@ -3108,6 +3108,10 @@ case "$arch" in check_64bit ppc ppc64 'sizeof(void *) > 4' spic=$shared ;; + s390) + check_64bit s390 s390x 'sizeof(void *) > 4' + spic=$shared + ;; sparc) check_64bit sparc sparc64 'sizeof(void *) > 4' spic=$shared diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 44b13aa5ed..cf57059740 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -757,6 +757,8 @@ int ff_h263_decode_mb(MpegEncContext *s, } if(IS_DIRECT(mb_type)){ + if (!s->pp_time) + return AVERROR_INVALIDDATA; s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT; mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0); }else{ diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 486e326a0f..e1fa808e34 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -53,6 +53,7 @@ typedef struct LagarithContext { int zeros; /**< number of consecutive zero bytes encountered */ int zeros_rem; /**< number of zero bytes remaining to output */ uint8_t *rgb_planes; + int rgb_planes_allocated; int rgb_stride; } LagarithContext; @@ -567,13 +568,12 @@ static int lag_decode_frame(AVCodecContext *avctx, offs[1] = offset_gu; offs[2] = offset_ry; + l->rgb_stride = FFALIGN(avctx->width, 16); + av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated, + l->rgb_stride * avctx->height * planes + 1); if (!l->rgb_planes) { - l->rgb_stride = FFALIGN(avctx->width, 16); - l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4 + 16); - if (!l->rgb_planes) { - av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); - return AVERROR(ENOMEM); - } + av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); + return AVERROR(ENOMEM); } for (i = 0; i < planes; i++) srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index eef322a2a2..67fce3232c 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -437,7 +437,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, void *tmp_ptr; s->max_framesize = 8192; // should hopefully be enough for the first header tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, - s->max_framesize); + s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE); if (!tmp_ptr) { av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); return AVERROR(ENOMEM); diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index b297bd97d0..dc30b6e8b3 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -322,6 +322,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return -1; } + if (header.header_size + 1 > s->size) { + av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; + } + /* unscramble the header bytes with a XOR operation */ for (i = 1; i < header.header_size; i++) header_buffer[i - 1] = s->buf[i] ^ s->buf[i + 1]; diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c index 6f762df9b4..d25cc98fe7 100644 --- a/libavutil/samplefmt.c +++ b/libavutil/samplefmt.c @@ -135,6 +135,8 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, /* auto-select alignment if not specified */ if (!align) { + if (nb_samples > INT_MAX - 31) + return AVERROR(EINVAL); align = 1; nb_samples = FFALIGN(nb_samples, 32); }