Merge commit '7e350b7ddd19af856b55634233d609e29baab646' into release/1.1
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 7 Oct 2013 23:41:20 +0000 (01:41 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 7 Oct 2013 23:41:20 +0000 (01:41 +0200)
* commit '7e350b7ddd19af856b55634233d609e29baab646':
  pcx: Check the packet size before assuming it fits a palette
  rpza: Fix a buffer size check
  xxan: Disallow odd width
  xan: Only read within the data that actually was initialized
  xan: Use bytestream2 to limit reading to within the buffer
  pcx: Consume the whole packet if giving up due to missing palette
  pngdec: Stop trying to decode once inflate returns Z_STREAM_END
  mov: Make sure the read sample count is nonnegative
  bfi: Add some very basic sanity checks for input packet sizes
  bfi: Avoid divisions by zero
  electronicarts: Add more sanity checking for the number of channels
  riffdec: Add sanity checks for the sample rate

Conflicts:
libavcodec/pcx.c
libavcodec/xan.c
libavformat/mov.c
libavformat/riff.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/pcx.c
libavcodec/pngdec.c
libavcodec/rpza.c
libavcodec/xan.c
libavcodec/xxan.c
libavformat/bfi.c
libavformat/electronicarts.c
libavformat/mov.c
libavformat/riff.c

@@@ -182,20 -182,27 +182,26 @@@ static int pcx_decode_frame(AVCodecCont
          }
  
      } else if (nplanes == 1 && bits_per_pixel == 8) {
 -        const uint8_t *palstart = bufstart + buf_size - 769;
 +        int palstart = avpkt->size - 769;
  
-         for (y=0; y<h; y++, ptr+=stride) {
 -        if (buf_size < 769) {
++        if (avpkt->size < 769) {
+             av_log(avctx, AV_LOG_ERROR, "File is too short\n");
 -            ret = buf_size;
++            ret = avpkt->size;
+             goto end;
+         }
+         for (y = 0; y < h; y++, ptr += stride) {
 -            buf = pcx_rle_decode(buf, buf_end,
 -                                 scanline, bytes_per_scanline, compressed);
 +            pcx_rle_decode(&gb, scanline, bytes_per_scanline, compressed);
              memcpy(ptr, scanline, w);
          }
  
 -        if (buf != palstart) {
 +        if (bytestream2_tell(&gb) != palstart) {
              av_log(avctx, AV_LOG_WARNING, "image data possibly corrupted\n");
 -            buf = palstart;
 +            bytestream2_seek(&gb, palstart, SEEK_SET);
          }
 -        if (*buf++ != 12) {
 +        if (bytestream2_get_byte(&gb) != 12) {
              av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n");
-             ret = AVERROR_INVALIDDATA;
 -            ret = buf_size;
++            ret = avpkt->size;
              goto end;
          }
  
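Review bot: Both failure paths in the 8-bit palette branch (`avpkt->size < 769` and the missing `12` marker) log at AV_LOG_ERROR but set `ret = avpkt->size`, and on the release side the second one replaces `ret = AVERROR_INVALIDDATA`, so a caller that only tests for a negative return no longer sees a truncated or palette-less file as a failure. Whether a frame is still reported for such input depends on the code at `end:`, which is outside this hunk. If consuming the packet is the intent, a comment at both sites such as `/* consume the whole packet so the caller does not re-feed the same bad data */` would make that explicit. `769` is also used twice without a name; `/* 0x0C marker + 256 * 3 palette bytes */` next to `palstart` would document it. The branch belongs to pcx_decode_frame, which starts and ends outside the hunk.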
Simple merge
@@@ -203,9 -203,8 +203,9 @@@ static void rpza_decode_stream(RpzaCont
  
          /* Fill block with 16 colors */
          case 0x00:
-             if (s->size - stream_ptr < 16)
+             if (s->size - stream_ptr < 30)
                  return;
 +            ADVANCE_BLOCK();
              block_ptr = row_ptr + pixel_ptr;
              for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                  for (pixel_x = 0; pixel_x < 4; pixel_x++){
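Review bot: The new bound in `case 0x00`, `s->size - stream_ptr < 30`, is a bare number with nothing tying it to what the loop below consumes, which is presumably how the previous `16` got out of step. The read loop continues past the end of this hunk, so the count cannot be confirmed from here. If it reads fifteen further 16-bit colors (the first arriving with the opcode), a comment like `/* 15 more colors, 2 bytes each */` or a named constant would keep the check and the loop in sync. The bare `return` also drops the rest of the frame without a log line, which makes truncated input hard to spot during triage.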
@@@ -360,31 -359,17 +361,29 @@@ static int xan_wc3_decode_frame(XanCont
  
          case 9:
          case 19:
-             if (buf_end - size_segment < 1) {
++            if (bytestream2_get_bytes_left(&size_segment) < 1) {
 +                av_log(s->avctx, AV_LOG_ERROR, "size_segment overread\n");
 +                return AVERROR_INVALIDDATA;
 +            }
-             size = *size_segment++;
+             size = bytestream2_get_byte(&size_segment);
              break;
  
          case 10:
          case 20:
-             if (buf_end - size_segment < 2) {
++            if (bytestream2_get_bytes_left(&size_segment) < 2) {
 +                av_log(s->avctx, AV_LOG_ERROR, "size_segment overread\n");
 +                return AVERROR_INVALIDDATA;
 +            }
-             size = AV_RB16(&size_segment[0]);
-             size_segment += 2;
+             size = bytestream2_get_be16(&size_segment);
              break;
  
          case 11:
          case 21:
-             if (buf_end - size_segment < 3) {
++            if (bytestream2_get_bytes_left(&size_segment) < 3) {
 +                av_log(s->avctx, AV_LOG_ERROR, "size_segment overread\n");
 +                return AVERROR_INVALIDDATA;
 +            }
-             size = AV_RB24(size_segment);
-             size_segment += 3;
+             size = bytestream2_get_be24(&size_segment);
              break;
          }
  
                  imagedata_size -= size;
              }
          } else {
-             if (vector_segment >= buf_end) {
++            uint8_t vector;
++            if (bytestream2_get_bytes_left(&vector_segment) <= 0) {
 +                av_log(s->avctx, AV_LOG_ERROR, "vector_segment overread\n");
 +                return AVERROR_INVALIDDATA;
 +            }
              /* run-based motion compensation from last frame */
-             motion_x = sign_extend(*vector_segment >> 4,  4);
-             motion_y = sign_extend(*vector_segment & 0xF, 4);
-             vector_segment++;
 -            uint8_t vector = bytestream2_get_byte(&vector_segment);
++            vector = bytestream2_get_byte(&vector_segment);
+             motion_x = sign_extend(vector >> 4,  4);
+             motion_y = sign_extend(vector & 0xF, 4);
  
              /* copy a run of pixels from the previous frame */
              xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y);
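Review bot: The three `size_segment` guards repeat the same check, log and return with only the byte count changing, and the `vector_segment` guard is written `<= 0` where the others use `< N`; writing it as `< 1` would keep the four checks uniform. The checked bytestream2 readers already refuse to read past the buffer end and yield 0, so what these guards add is the AVERROR_INVALIDDATA return. A one-line comment saying so, e.g. `/* checked reader would return 0 here; fail instead of decoding a bogus size */`, would stop someone removing them as redundant. The log text is identical for all three size cases, so including the opcode would help when triaging a malformed sample. xan_wc3_decode_frame starts and ends outside the hunk.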
Simple merge
Simple merge
Simple merge
@@@ -1816,11 -1659,10 +1816,15 @@@ static int mov_read_stts(MOVContext *c
  
          sample_count=avio_rb32(pb);
          sample_duration = avio_rb32(pb);
 +        /* sample_duration < 0 is invalid based on the spec */
 +        if (sample_duration < 0) {
 +            av_log(c->fc, AV_LOG_ERROR, "Invalid SampleDelta in STTS %d\n", sample_duration);
 +            sample_duration = 1;
 +        }
+         if (sample_count < 0) {
+             av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count);
+             return AVERROR_INVALIDDATA;
+         }
          sc->stts_data[i].count= sample_count;
          sc->stts_data[i].duration= sample_duration;
  
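Review bot: The new `return AVERROR_INVALIDDATA` for `sample_count < 0` leaves the loop after earlier `sc->stts_data[i]` entries have been written and the remaining ones have not. If the entry count for this table is stored before the loop (that assignment is outside this hunk), later code could walk entries that were never filled in; setting `sc->stts_count = i;` before the return, or freeing the table, would rule that out. The two checks also differ in policy: a negative `sample_duration` is clamped to 1 and parsing continues, while a negative `sample_count` aborts, and a short comment explaining why would help. mov_read_stts starts and ends outside the hunk.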
@@@ -736,6 -653,12 +736,11 @@@ int ff_get_wav_header(AVIOContext *pb, 
          if (size > 0)
              avio_skip(pb, size);
      }
 -    codec->codec_id = ff_wav_codec_get_id(id, codec->bits_per_coded_sample);
+     if (codec->sample_rate <= 0) {
+         av_log(NULL, AV_LOG_ERROR,
+                "Invalid sample rate: %d\n", codec->sample_rate);
+         return AVERROR_INVALIDDATA;
+     }
      if (codec->codec_id == AV_CODEC_ID_AAC_LATM) {
          /* channels and sample_rate values are those prior to applying SBR and/or PS */
          codec->channels    = 0;
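Review bot: The added sample-rate check logs with `av_log(NULL, ...)`, so the message carries no context and cannot be attributed to a stream or filtered per context. `codec` is already in scope and, assuming its `av_class` is set, could be passed instead: `av_log(codec, AV_LOG_ERROR, "Invalid sample rate: %d\n", codec->sample_rate);`. The check sits after the `avio_skip(pb, size)` at the top of the hunk, so it only rejects the stream after that skip has run. If the motivation is to protect later arithmetic on the rate (not visible here), a comment such as `/* reject before callers divide by sample_rate */` would record it. ff_get_wav_header starts and ends outside the hunk.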