Merge commit '4ff5167ee7fdee6d35c1bb2558172329ae6ec770' into release/0.10
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 29 Jul 2013 01:55:03 +0000 (03:55 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 29 Jul 2013 01:56:26 +0000 (03:56 +0200)
* commit '4ff5167ee7fdee6d35c1bb2558172329ae6ec770':
  wmapro: make sure there is room to store the current packet
  lavc: move put_bits_left in put_bits.h
  4xm: do not overread the source buffer in decode_p_block
  4xm: check bitstream_size boundary before using it
  4xm: reject frames not compatible with the declared version
  4xm: use the correct logging context
  4xm: check the return value of read_huffman_tables().
  4xm: don't rely on get_buffer() initializing the frame.
  vmdav: convert to bytestream2
  smacker: check frame size validity
  smacker: pad the extradata allocation
  smacker: check the return value of smacker_decode_tree
  smacker: fix an off by one in huff.length computation
  Prepare for 0.8.8 Release
  tiff: do not overread the source buffer
  apetag: use int64_t for filesize
  wavpack: return meaningful errors

Conflicts:
RELEASE
libavcodec/4xm.c
libavcodec/vmdav.c
libavformat/smacker.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/4xm.c
libavcodec/dv.c
libavcodec/put_bits.h
libavcodec/smacker.c
libavcodec/tiff.c
libavcodec/vmdav.c
libavcodec/wavpack.c
libavcodec/wmaprodec.c
libavformat/apetag.c
libavformat/smacker.c

@@@ -25,6 -25,6 +25,7 @@@
   */
  
  #include "libavutil/intreadwrite.h"
++#include "libavutil/avassert.h"
  #include "avcodec.h"
  #include "dsputil.h"
  #include "get_bits.h"
@@@ -347,33 -343,25 +348,41 @@@ static void decode_p_block(FourXContex
          decode_p_block(f, dst             , src             , log2w, log2h, stride);
          decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride);
      }else if(code == 3 && f->version<2){
+         if (start > src || src > end) {
+             av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+             return;
+         }
          mcdc(dst, src, log2w, h, stride, 1, 0);
      }else if(code == 4){
 -        src += f->mv[bytestream2_get_byte(&f->g)];
 +        if (f->g.buffer_end - f->g.buffer < 1){
 +            av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
 +            return;
 +        }
 +        src += f->mv[ *f->g.buffer++ ];
          if(start > src || src > end){
              av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
              return;
          }
 +        if (f->g2.buffer_end - f->g2.buffer < 1){
 +            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
 +            return;
 +        }
          mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
      }else if(code == 5){
 +        if (f->g2.buffer_end - f->g2.buffer < 1){
 +            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
 +            return;
 +        }
+         if (start > src || src > end) {
+             av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+             return;
+         }
          mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
      }else if(code == 6){
 +        if (f->g2.buffer_end - f->g2.buffer < 2){
 +            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
 +            return;
 +        }
          if(log2w){
              dst[0] = bytestream2_get_le16(&f->g2);
              dst[1] = bytestream2_get_le16(&f->g2);
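Review bot: The wordstream guards in the `code == 4` and `code == 5` branches test `f->g2.buffer_end - f->g2.buffer < 1`, yet each is followed by `bytestream2_get_le16(&f->g2)`, which consumes two bytes; the `code == 6` guard tests `< 2` ahead of two 16-bit reads in the visible `log2w` arm. The thresholds read like word counts applied to a byte-addressed reader, so a stream with fewer bytes left than the reads need still passes the check. Because `bytestream2_get_le16` is the bounds-checked accessor this should not overread, but it returns 0 silently and the block is decoded from garbage instead of logging "wordstream overread". I would write `if (bytestream2_get_bytes_left(&f->g2) < 2)` for codes 4 and 5 and `< 4` for code 6, after confirming that the `else` arm of `if(log2w)`, which is outside the hunk, also reads two words. decode_p_block starts before and continues past this hunk.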
@@@ -708,10 -689,12 +720,14 @@@ static int decode_i_frame(FourXContext 
          return -1;
      }
  
-     prestream= read_huffman_tables(f, prestream, buf + length - prestream);
-     if (!prestream)
-         return -1;
 -    prestream = read_huffman_tables(f, prestream);
++    prestream = read_huffman_tables(f, prestream, prestream_size);
+     if (!prestream) {
+         av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
+         return AVERROR_INVALIDDATA;
+     }
++    av_assert0(prestream <= buf + length);
 +
      init_get_bits(&f->gb, buf + 4, 8*bitstream_size);
  
      prestream_size= length + buf - prestream;
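Review bot: `av_assert0(prestream <= buf + length)` enforces a bound on a pointer derived from packet data by aborting the process, and av_assert0 stays active in release builds. If read_huffman_tables() (not shown here) can return a pointer past the packet for some input, that is a crash reachable from a file; an error return would match the check just above it: `if (prestream > buf + length) return AVERROR_INVALIDDATA;`. If the assert is only an internal invariant because read_huffman_tables() already honours `prestream_size`, a one-line comment saying so would help the next reader. The earlier failure path in this hunk still uses `return -1` while the new one returns `AVERROR_INVALIDDATA`. decode_i_frame begins and ends outside the hunk.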
diff --cc libavcodec/dv.c
Simple merge
Simple merge
Simple merge
Simple merge
@@@ -48,6 -48,7 +48,7 @@@
  
  #define VMD_HEADER_SIZE 0x330
  #define PALETTE_COUNT 256
++#include "bytestream.h"
  
  /*
   * Video Decoder
@@@ -107,13 -104,13 +104,13 @@@ static void lz_unpack(const unsigned ch
          speclen = 100;  /* no speclen */
      }
  
-     while (s_end - s > 0 && dataleft > 0) {
-         tag = *s++;
+     while (dataleft > 0 && bytestream2_get_bytes_left(&gb) > 0) {
+         tag = bytestream2_get_byteu(&gb);
          if ((tag == 0xFF) && (dataleft > 8)) {
-             if (d_end - d < 8 || s_end - s < 8)
 -            if (d + 8 > d_end || bytestream2_get_bytes_left(&gb) < 8)
++            if (d_end - d < 8 || bytestream2_get_bytes_left(&gb) < 8)
                  return;
              for (i = 0; i < 8; i++) {
-                 queue[qpos++] = *d++ = *s++;
+                 queue[qpos++] = *d++ = bytestream2_get_byteu(&gb);
                  qpos &= QUEUE_MASK;
              }
              dataleft -= 8;
                  if (dataleft == 0)
                      break;
                  if (tag & 0x01) {
-                     if (d_end - d < 1 || s_end - s < 1)
 -                    if (d + 1 > d_end || bytestream2_get_bytes_left(&gb) < 1)
++                    if (d_end - d < 1 || bytestream2_get_bytes_left(&gb) < 1)
                          return;
-                     queue[qpos++] = *d++ = *s++;
+                     queue[qpos++] = *d++ = bytestream2_get_byte(&gb);
                      qpos &= QUEUE_MASK;
                      dataleft--;
                  } else {
-                     if (s_end - s < 2)
-                         return;
-                     chainofs = *s++;
-                     chainofs |= ((*s & 0xF0) << 4);
-                     chainlen = (*s++ & 0x0F) + 3;
+                     chainofs = bytestream2_get_byte(&gb);
+                     chainofs |= ((bytestream2_peek_byte(&gb) & 0xF0) << 4);
+                     chainlen = (bytestream2_get_byte(&gb) & 0x0F) + 3;
                      if (chainlen == speclen) {
-                         if (s_end - s < 1)
-                             return;
-                         chainlen = *s++ + 0xF + 3;
+                         chainlen = bytestream2_get_byte(&gb) + 0xF + 3;
                      }
 -                    if (d + chainlen > d_end)
 +                    if (d_end - d < chainlen)
                          return;
                      for (j = 0; j < chainlen; j++) {
                          *d = queue[chainofs++ & QUEUE_MASK];
          }
      }
  }
--
- static int rle_unpack(const unsigned char *src, int src_len, int src_count,
-                       unsigned char *dest, int dest_len)
+ static int rle_unpack(const unsigned char *src, unsigned char *dest,
 -    int src_count, int src_size, int dest_len)
++                      int src_count, int src_size, int dest_len)
  {
-     const unsigned char *ps;
-     const unsigned char *ps_end;
      unsigned char *pd;
      int i, l;
      unsigned char *dest_end = dest + dest_len;
      src_count >>= 1;
      i = 0;
      do {
-         if (ps_end - ps < 1)
+         if (bytestream2_get_bytes_left(&gb) < 1)
              break;
-         l = *ps++;
+         l = bytestream2_get_byteu(&gb);
          if (l & 0x80) {
              l = (l & 0x7F) * 2;
-             if (dest_end - pd < l || ps_end - ps < l)
-                 return ps - src;
-             memcpy(pd, ps, l);
-             ps += l;
 -            if (pd + l > dest_end || bytestream2_get_bytes_left(&gb) < l)
++            if (dest_end - pd < l || bytestream2_get_bytes_left(&gb) < l)
+                 return bytestream2_tell(&gb);
+             bytestream2_get_buffer(&gb, pd, l);
              pd += l;
          } else {
-             if (dest_end - pd < i || ps_end - ps < 2)
-                 return ps - src;
 -            if (pd + i > dest_end || bytestream2_get_bytes_left(&gb) < 2)
++            if (dest_end - pd < i || bytestream2_get_bytes_left(&gb) < 2)
+                 return bytestream2_tell(&gb);
              for (i = 0; i < l; i++) {
-                 *pd++ = ps[0];
-                 *pd++ = ps[1];
+                 *pd++ = bytestream2_get_byteu(&gb);
+                 *pd++ = bytestream2_get_byteu(&gb);
              }
-             ps += 2;
+             bytestream2_skip(&gb, 2);
          }
          i += l;
      } while (i < src_count);
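Review bot: In rle_unpack's run branch (the `else` after `if (l & 0x80)`), the loop now calls the unchecked `bytestream2_get_byteu` twice per iteration, so it consumes up to 2*l source bytes after verifying only that 2 remain, and `bytestream2_skip(&gb, 2)` then advances two more. The removed code copied the same pair `ps[0]`/`ps[1]` l times and advanced by 2, so the new form is both a source overread on malformed input and a change in decoded output. The destination guard in the same branch compares against `i`, not the 2*l bytes the loop writes. I would read the pair once into a two-byte local, replicate it in the loop, size the destination check by `2 * l`, and drop the skip, as below. rle_unpack's body continues past the end of the hunk.

```c
        } else {
            /* run[] is a new two-byte local, declared next to pd */
            if (dest_end - pd < 2 * l || bytestream2_get_bytes_left(&gb) < 2)
                return bytestream2_tell(&gb);
            run[0] = bytestream2_get_byteu(&gb);
            run[1] = bytestream2_get_byteu(&gb);
            for (i = 0; i < l; i++) {
                *pd++ = run[0];
                *pd++ = run[1];
            }
        }
        /* … unchanged: i += l and the loop condition … */
```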
@@@ -255,29 -241,31 +240,31 @@@ static void vmd_decode(VmdVideoContext 
      }
  
      /* check if there is a new palette */
+     bytestream2_init(&gb, s->buf + 16, s->size - 16);
      if (s->buf[15] & 0x02) {
-         if (p_end - p < 2 + 3 * PALETTE_COUNT)
-             return;
-         p += 2;
+         bytestream2_skip(&gb, 2);
          palette32 = (unsigned int *)s->palette;
-         for (i = 0; i < PALETTE_COUNT; i++) {
-             r = *p++ * 4;
-             g = *p++ * 4;
-             b = *p++ * 4;
-             palette32[i] = 0xFF << 24 | r << 16 | g << 8 | b;
-             palette32[i] |= palette32[i] >> 6 & 0x30303;
+         if (bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3) {
+             for (i = 0; i < PALETTE_COUNT; i++) {
+                 r = bytestream2_get_byteu(&gb) * 4;
+                 g = bytestream2_get_byteu(&gb) * 4;
+                 b = bytestream2_get_byteu(&gb) * 4;
 -                palette32[i] = (r << 16) | (g << 8) | (b);
++                palette32[i] = 0xFFU << 24 | (r << 16) | (g << 8) | (b);
++                palette32[i] |= palette32[i] >> 6 & 0x30303;
+             }
          }
 -        s->size -= (256 * 3 + 2);
      }
-     if (p < p_end) {
+     if (s->size > 0) {
          /* originally UnpackFrame in VAG's code */
-         pb = p;
-         pb_end = p_end;
-         meth = *pb++;
+         bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer);
+         if (bytestream2_get_bytes_left(&gb) < 1)
+             return;
+         meth = bytestream2_get_byteu(&gb);
          if (meth & 0x80) {
-             lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size);
+             lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb),
+                       s->unpack_buffer, s->unpack_buffer_size);
              meth &= 0x7F;
-             pb = s->unpack_buffer;
-             pb_end = s->unpack_buffer + s->unpack_buffer_size;
+             bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size);
          }
  
          dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x];
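Review bot: When the palette flag is set but fewer than `PALETTE_COUNT * 3` bytes remain, the new code skips the palette loop and falls through to frame decoding, where the removed code returned. The reader has already advanced by 2, so the bytes of a truncated palette are then parsed as the method byte and frame data; the bounded reader keeps this inside the packet, but the frame is decoded from the wrong offset with the previous palette. Adding `else return;` to the `if (bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3)` test would keep the old behaviour. Separately, `bytestream2_init(&gb, s->buf + 16, s->size - 16)` and the read of `s->buf[15]` assume `s->size >= 16`, and that guard is not visible here. vmd_decode starts and ends outside the hunk.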
Simple merge
Simple merge
Simple merge
@@@ -302,8 -301,10 +303,10 @@@ static int smacker_read_packet(AVFormat
                  uint8_t *tmpbuf;
  
                  size = avio_rl32(s->pb) - 4;
-                 if(size + 4L > frame_size)
 -                if (!size || size > frame_size) {
++                if (!size || size + 4L > frame_size) {
+                     av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
                      return AVERROR_INVALIDDATA;
+                 }
                  frame_size -= size;
                  frame_size -= 4;
                  smk->curstream++;
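Review bot: `size = avio_rl32(s->pb) - 4` is computed before any validation, so a stored length below 4 wraps, and `!size` rejects only the value 4 exactly. If `size` is a signed int (its declaration is outside the hunk) the result is negative, `size + 4L > frame_size` is false, and `frame_size -= size` then increases the remaining-size counter; how `size` is used after this hunk is not visible. I would reject non-positive values explicitly, `if (size <= 0 || size + 4L > frame_size) {`, or validate the raw 32-bit length before subtracting 4. smacker_read_packet starts and ends outside the hunk.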