From 03457cabd618d4de3e64cb890af268fd67b83aec Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 11 Oct 2013 11:34:03 +0200 Subject: [PATCH 01/10] indeo4: Check the inherited quant_mat Invalidate it if not supported. Sample-Id: 00000262-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c9ef6b09326a24010bf86d6b0d19cfa42df4d546) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/indeo4.c --- libavcodec/indeo4.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 73a7a6672a..b250f506b4 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -371,13 +371,17 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->scan = scan_index_to_tab[scan_indx]; band->quant_mat = get_bits(&ctx->gb, 5); - if (band->quant_mat == 31) { - av_log(avctx, AV_LOG_ERROR, "Custom quant matrix encountered!\n"); - return AVERROR_INVALIDDATA; - } if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) { av_log_ask_for_sample(avctx, "Quantization matrix %d", band->quant_mat); + + if (band->quant_mat == 31) + av_log(avctx, AV_LOG_ERROR, + "Custom quant matrix encountered!\n"); + else + av_log_ask_for_sample(avctx, "Quantization matrix %d", + band->quant_mat); + band->quant_mat = -1; return AVERROR_INVALIDDATA; } } else { @@ -387,6 +391,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, "inherited\n"); return AVERROR_INVALIDDATA; } + if (band->quant_mat < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid quant_mat inherited\n"); + return AVERROR_INVALIDDATA; + } } /* decode block huffman codebook */ From 481e55eba7a7942a0497e5bb4191cb1971e19760 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 2 Oct 2013 16:40:02 +0200 Subject: [PATCH 02/10] audio_mix: fix channel order in mix_1_to_2_fltp_flt_c CC:libav-stable@libav.org (cherry picked from commit df6737a55f5dc7c0ae5272bc5fa6182836d5481c) 
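Review bot: In the first hunk of decode_band_hdr the old `av_log_ask_for_sample(avctx, "Quantization matrix %d", band->quant_mat);` call appears to survive as a context line directly above the added `if (band->quant_mat == 31)`. An out-of-range index would then be reported twice, and a custom matrix (31) would trigger both the sample request and the "Custom quant matrix" error. The hunk header's line counts (13 to 17) fit that reading, and the commit message records a cherry-pick conflict in this file. Dropping the leftover call so that only the added if/else logs would restore the intended behaviour. decode_band_hdr starts and ends outside the hunk.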
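Review bot: The added `if (band->quant_mat < 0)` guard in the inherited-header branch only works if quant_mat is a signed field and every earlier failure stored the -1 sentinel; neither is visible in this hunk. Testing the range directly, `if (band->quant_mat < 0 || band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) {`, would keep a stale index away from the table lookup however the previous header left it. If the field is unsigned, the `band->quant_mat = -1;` assignment in the first hunk would wrap and this check would never fire, so the declaration is worth confirming.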
Signed-off-by: Reinhard Tartler --- libavresample/audio_mix.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavresample/audio_mix.c b/libavresample/audio_mix.c index c0560288a5..f737a30fc8 100644 --- a/libavresample/audio_mix.c +++ b/libavresample/audio_mix.c @@ -195,23 +195,23 @@ static void mix_1_to_2_fltp_flt_c(float **samples, float **matrix, int len, while (len > 4) { v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; len -= 4; } while (len > 0) { v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; len--; } } From 1d7a453dcfe4edae7d08aed0bed5ccd993409d42 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 10 Oct 2013 21:02:10 +0200 Subject: [PATCH 03/10] prores: Reject negative run and level values Sample-Id: 00000611-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c0de9a23c7080e2fac8f879b9d9a0ce2b64ea953) Signed-off-by: Reinhard Tartler --- libavcodec/proresdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index 4b196f6d32..a47f16e575 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c 
@@ -392,12 +392,16 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, return; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); + if (run < 0) + return AVERROR_INVALIDDATA; bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) return; level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1; + if (level < 0) + return AVERROR_INVALIDDATA; pos += run + 1; if (pos >= max_coeffs) From e361fde8b011bcd556057f949e984f58bfdaa974 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 6 Aug 2013 01:39:07 +0200 Subject: [PATCH 04/10] avi: properly fail if the dv demuxer is missing CC: libav-stable@libav.org (cherry picked from commit 1cac9accbd1f9b8596122d0735e37b97a844c514) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 414ed01c55..e0c1988803 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -463,7 +463,8 @@ static int avi_read_header(AVFormatContext *s) avi->dv_demux = avpriv_dv_init_demux(s); if (!avi->dv_demux) goto fail; - } + } else + goto fail; s->streams[0]->priv_data = ast; avio_skip(pb, 3 * 4); ast->scale = avio_rl32(pb); From f53a5332b017da21e57da2d5f4e5e56bfa5f2f2f Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 5 Jan 2014 17:23:12 -0500 Subject: [PATCH 05/10] Prepare for 9.11 RELEASE --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 5f3c44015f..d4ce17d7db 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.10 +9.11 From 5bbee02ae04f3c49ae7f76f510fb1702761c0f15 Mon Sep 17 00:00:00 2001 
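Review bot: Both added `return AVERROR_INVALIDDATA;` statements sit in a function the hunk header still declares as `static inline void decode_ac_coeffs`, next to bare `return;` context lines. On its own this commit therefore returns a value from a void function, and the caller cannot see the error. Patch 10/10 of this series changes the return type, so the two should be squashed or reordered to keep the stable branch bisectable. Separately, `level` is tested only after the `+ 1`, so a raw codeword value of -1 becomes 0 and passes; checking the decoded value first and adding 1 afterwards would reject it, assuming negative returns are how decode_vlc_codeword signals a bad codeword (it is not visible here).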
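Review bot: The added `} else goto fail;` in avi_read_header bails out without logging anything, so a build that lacks the DV demuxer produces only a generic open failure. A line such as `av_log(s, AV_LOG_ERROR, "DV demuxer not available\n");` before the jump would make the cause visible. Bracing the branch as `} else { goto fail; }` would also keep it consistent with the braced `if` it closes. The `if` condition and the `fail` label are outside the hunk, so the value returned on this path could not be checked here.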
From: Luca Barbato Date: Wed, 4 Sep 2013 19:26:36 +0200 Subject: [PATCH 06/10] shorten: Extend fixed_coeffs to properly support pred_order 0 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b2148faca9e9e553c14b27844b56e367c85a777e) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index fda90fedfe..ea2277218d 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -277,7 +277,8 @@ static void output_buffer(int16_t **samples, int nchan, int blocksize, } } -static const int fixed_coeffs[3][3] = { +static const int fixed_coeffs[][3] = { + { 0, 0, 0 }, { 1, 0, 0 }, { 2, -1, 0 }, { 3, -3, 1 } @@ -306,7 +307,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, } else { /* fixed LPC coeffs */ pred_order = command; - coeffs = fixed_coeffs[pred_order - 1]; + if (pred_order > FF_ARRAY_ELEMS(fixed_coeffs)) { + av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", + pred_order); + return AVERROR_INVALIDDATA; + } + coeffs = fixed_coeffs[pred_order]; qshift = 0; } From d149c14a2263cf17e09a18e577b7a99043e26fbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 4 Oct 2013 09:52:02 +0300 Subject: [PATCH 07/10] mov: Don't allocate arrays with av_malloc that will be realloced MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b698542ad83284fbb8c22404e3cafeb2dd739d38) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6b89a2d1ba..8c547067b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
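Review bot: The new bound in decode_subframe_lpc is off by one: `pred_order > FF_ARRAY_ELEMS(fixed_coeffs)` accepts a pred_order equal to the element count, which is 4 once the first hunk adds the `{ 0, 0, 0 }` row. `fixed_coeffs[pred_order]` then reads one row past the end of the table. The comparison should be `if (pred_order >= FF_ARRAY_ELEMS(fixed_coeffs)) {`. Whether a command value of 4 can reach this branch is decided outside the hunk, but the check as written does not enforce the array bound by itself.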
@@ -2313,7 +2313,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!sc->ctts_count && sc->sample_count) { /* Complement ctts table if moov atom doesn't have ctts atom. */ - ctts_data = av_malloc(sizeof(*sc->ctts_data)); + ctts_data = av_realloc(NULL, sizeof(*sc->ctts_data)); if (!ctts_data) return AVERROR(ENOMEM); sc->ctts_data = ctts_data; From 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 6 Aug 2013 03:52:48 +0200 Subject: [PATCH 08/10] avi: directly resync on DV in AVI read failure Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index e0c1988803..109b0ab5d8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -990,6 +990,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt) int size = avpriv_dv_get_packet(avi->dv_demux, pkt); if (size >= 0) return size; + else + goto resync; } if(avi->non_interleaved){ From 5ae7ed3aa4f3f4ed07677edeb6edebf9967caa82 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Tue, 22 Oct 2013 16:11:11 +0100 Subject: [PATCH 09/10] nut: Fix unchecked allocations CC: libav-stable@libav.org (cherry picked from commit b1fcdc08ceb5df69fac34aa0d57c56905d32b8b4) Signed-off-by: Derek Buitenhuis --- libavformat/nut.c | 10 +++++++++- libavformat/nut.h | 2 +- libavformat/nutdec.c | 5 ++++- libavformat/nutenc.c | 3 ++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/libavformat/nut.c b/libavformat/nut.c index 196e04e54f..65d84d1d41 100644 --- a/libavformat/nut.c +++ b/libavformat/nut.c 
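Review bot: Nothing at the `av_realloc(NULL, sizeof(*sc->ctts_data))` call in mov_read_trun explains why it is not a plain av_malloc, so the line invites being simplified back. A short comment such as `/* use av_realloc(): this array is grown with av_realloc() later */` would record the reason given in the commit subject. The later reallocation is outside the hunk.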
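Review bot: The added `else goto resync;` in avi_read_packet is taken on every negative return from avpriv_dv_get_packet, and nothing in the hunk bounds how often that can happen. The `resync` label and the code that advances the input are outside the hunk. If that path can come back here without consuming data or reaching end of file, a damaged DV-in-AVI stream could keep the demuxer spinning, so it is worth confirming that resync always makes progress. As a style point, the `else` after `return size;` is redundant; a bare `goto resync;` reads more plainly.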
@@ -179,10 +179,16 @@ int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b){ return ((a->ts - b->ts) >> 32) - ((b->ts - a->ts) >> 32); } -void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){ +int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){ Syncpoint *sp= av_mallocz(sizeof(Syncpoint)); struct AVTreeNode *node = av_tree_node_alloc(); + if (!sp || !node) { + av_freep(&sp); + av_freep(&node); + return AVERROR(ENOMEM); + } + sp->pos= pos; sp->back_ptr= back_ptr; sp->ts= ts; @@ -191,6 +197,8 @@ void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){ av_free(sp); av_free(node); } + + return 0; } static int enu_free(void *opaque, void *elem) diff --git a/libavformat/nut.h b/libavformat/nut.h index 89b0248fa4..066d186f25 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h @@ -119,7 +119,7 @@ void ff_nut_reset_ts(NUTContext *nut, AVRational time_base, int64_t val); int64_t ff_lsb2full(StreamContext *stream, int64_t lsb); int ff_nut_sp_pos_cmp(const Syncpoint *a, const Syncpoint *b); int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b); -void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts); +int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts); void ff_nut_free_sp(NUTContext *nut); extern const Dispositions ff_nut_dispositions[]; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index b705987795..1a9390c9d6 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -526,6 +526,7 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr) AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; int64_t end, tmp; + int ret; nut->last_syncpoint_pos = avio_tell(bc) - 8; 
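Review bot: ff_nut_add_sp now has a return contract that neither the definition in nut.c nor the prototype in nut.h documents. It returns AVERROR(ENOMEM) when either allocation fails, and 0 otherwise, including the existing branch that frees `sp` and `node` again without keeping them. A comment on the prototype would tell callers what to expect, for example `/* @return 0 on success (or if the syncpoint was not stored), a negative AVERROR code on allocation failure */`. The condition guarding the `av_free(sp); av_free(node);` branch is outside the hunks, so the "not stored" wording should be checked against it.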
@@ -547,7 +548,9 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr) *ts = tmp / s->nb_streams * av_q2d(nut->time_base[tmp % s->nb_streams]) * AV_TIME_BASE; - ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts); + + if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts)) < 0) + return ret; return 0; } diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index df70f94122..51bddf00e7 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -815,7 +815,8 @@ static int nut_write_packet(AVFormatContext *s, AVPacket *pkt) ff_put_v(dyn_bc, sp ? (nut->last_syncpoint_pos - sp->pos) >> 4 : 0); put_packet(nut, bc, dyn_bc, 1, SYNCPOINT_STARTCODE); - ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts); + if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts)) < 0) + return ret; } assert(nus->last_pts != AV_NOPTS_VALUE); From 65830277d2d2ee3658e1f070a61044fff261ed3e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 10 Oct 2013 08:40:39 +0200 Subject: [PATCH 10/10] prores: Add a codepath for decoding errors (cherry picked from commit 44690dfa683f620c77e9f0e8e9bc5682608636b1) Signed-off-by: Derek Buitenhuis --- libavcodec/proresdec.c | 72 ++++++++++++++++++++++++------------------ 1 file changed, 42 insertions(+), 30 deletions(-) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index a47f16e575..6d63463ab7 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c @@ -368,7 +368,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, DCTELEM *out, /** * Decode AC coefficients for all blocks in a slice. */ -static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, +static inline int decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, int blocks_per_slice, int plane_size_factor, const uint8_t *scan) 
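Review bot: In nut_write_packet the new early `return ret;` comes after `put_packet(nut, bc, dyn_bc, 1, SYNCPOINT_STARTCODE);` has already emitted the syncpoint. On allocation failure the output therefore holds a syncpoint that the in-memory tree does not know about, and the packet itself is never written. Calling ff_nut_add_sp before the syncpoint is written, or at least noting in a comment that the muxer state is inconsistent after this error, would make the failure mode explicit. Unlike the nutdec.c hunk, no `int ret;` is added here, so this relies on `ret` already being declared in the part of the function outside the hunk.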
@@ -389,7 +389,7 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) - return; + return AVERROR_INVALIDDATA; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); if (run < 0) @@ -397,7 +397,7 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) - return; + return AVERROR_INVALIDDATA; level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1; if (level < 0) @@ -411,22 +411,24 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, out[((pos & block_mask) << 6) + scan[pos >> plane_size_factor]] = (level ^ sign) - sign; } + + return 0; } /** * Decode a slice plane (luma or chroma). */ -static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td, - const uint8_t *buf, - int data_size, uint16_t *out_ptr, - int linesize, int mbs_per_slice, - int blocks_per_mb, int plane_size_factor, - const int16_t *qmat, int is_chroma) +static int decode_slice_plane(ProresContext *ctx, ProresThreadData *td, + const uint8_t *buf, + int data_size, uint16_t *out_ptr, + int linesize, int mbs_per_slice, + int blocks_per_mb, int plane_size_factor, + const int16_t *qmat, int is_chroma) { GetBitContext gb; DCTELEM *block_ptr; - int mb_num, blocks_per_slice; + int mb_num, blocks_per_slice, ret; blocks_per_slice = mbs_per_slice * blocks_per_mb; @@ -436,8 +438,10 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td, decode_dc_coeffs(&gb, td->blocks, blocks_per_slice); - decode_ac_coeffs(&gb, td->blocks, blocks_per_slice, - plane_size_factor, ctx->scantable.permutated); + ret = decode_ac_coeffs(&gb, td->blocks, blocks_per_slice, + plane_size_factor, ctx->scantable.permutated); + if (ret < 0) + return ret; /* inverse quantization, inverse transform and output */ block_ptr = td->blocks; 
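Review bot: The first bits_left check in decode_ac_coeffs, the one before `run` is decoded, now returns AVERROR_INVALIDDATA where the old code returned silently. If running out of bits or hitting all-zero padding there is the normal way a slice's AC data ends, which the old bare `return;` suggests, then well-formed streams would now be rejected. Returning `0` from that first check, and keeping the error only for the second check in the @@ -397 hunk (data ending between a run and its level), would separate end of data from truncation. The loop condition is outside these hunks, so this should be confirmed against a known-good sample before release.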
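Review bot: Only the AC pass gets an error path in decode_slice_plane. `decode_dc_coeffs(&gb, td->blocks, blocks_per_slice);`, just above the new `ret = decode_ac_coeffs(...)`, is still called as a void function. If the DC decoder uses the same codeword reader, which is not visible here, bad values from it are still accepted silently. Giving it an `int` return and the same `if (ret < 0) return ret;` handling would close that gap.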
@@ -471,6 +475,7 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td, } } } + return 0; } @@ -489,6 +494,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata) int i, sf, slice_width_factor; int slice_data_size, hdr_size, y_data_size, u_data_size, v_data_size; int y_linesize, u_linesize, v_linesize; + int ret; buf = ctx->slice_data[slice_num].index; slice_data_size = ctx->slice_data[slice_num + 1].index - buf; 
@@ -545,28 +551,34 @@ static int decode_slice(AVCodecContext *avctx, void *tdata) } /* decode luma plane */ - decode_slice_plane(ctx, td, buf + hdr_size, y_data_size, - (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize + - (mb_x_pos << 5)), y_linesize, - mbs_per_slice, 4, slice_width_factor + 2, - td->qmat_luma_scaled, 0); + ret = decode_slice_plane(ctx, td, buf + hdr_size, y_data_size, + (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize + + (mb_x_pos << 5)), y_linesize, + mbs_per_slice, 4, slice_width_factor + 2, + td->qmat_luma_scaled, 0); + if (ret < 0) + return ret; /* decode U chroma plane */ - decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size, - (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize + - (mb_x_pos << ctx->mb_chroma_factor)), - u_linesize, mbs_per_slice, ctx->num_chroma_blocks, - slice_width_factor + ctx->chroma_factor - 1, - td->qmat_chroma_scaled, 1); + ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size, + (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize + + (mb_x_pos << ctx->mb_chroma_factor)), + u_linesize, mbs_per_slice, ctx->num_chroma_blocks, + slice_width_factor + ctx->chroma_factor - 1, + td->qmat_chroma_scaled, 1); + if (ret < 0) + return ret; /* decode V chroma plane */ - decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size, - v_data_size, - (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize + - (mb_x_pos << ctx->mb_chroma_factor)), - v_linesize, mbs_per_slice, ctx->num_chroma_blocks, - slice_width_factor + ctx->chroma_factor - 1, - td->qmat_chroma_scaled, 1); + ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size, + v_data_size, + (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize + + (mb_x_pos << ctx->mb_chroma_factor)), + v_linesize, mbs_per_slice, ctx->num_chroma_blocks, + slice_width_factor + ctx->chroma_factor - 1, + td->qmat_chroma_scaled, 1); + if (ret < 0) + return ret; return 0; }
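Review bot: A failure in the U or V call now makes decode_slice return after the luma plane of the same slice has already been written to `y_data`. The output frame can then hold new luma next to stale or uninitialised chroma for that slice. Whether the caller discards or conceals such a frame depends on how decode_slice's return value is collected, which is outside this hunk. A comment at the first `if (ret < 0) return ret;` stating that the slice may be partially written on error would help whoever maintains the caller.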