Merge commit '278a923c51187d37445d88a6b21082036ec9568d'
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 3 Jul 2013 11:57:59 +0000 (13:57 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 3 Jul 2013 12:19:35 +0000 (14:19 +0200)
* commit '278a923c51187d37445d88a6b21082036ec9568d':
  jpeg2000: Validate SIZ parsing

Conflicts:
libavcodec/jpeg2000dec.c

This commit is not exactly merged due to bugs in it

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/jpeg2000dec.c

@@@ -176,14 -170,26 +176,25 @@@ static int get_siz(Jpeg2000DecoderConte
      s->tile_offset_y  = bytestream2_get_be32u(&s->g); // YT0Siz
      ncomponents       = bytestream2_get_be16u(&s->g); // CSiz
  
-     if (ncomponents <= 0 || ncomponents > 4) {
-         av_log(s->avctx, AV_LOG_ERROR, "unsupported/invalid ncomponents: %d\n", ncomponents);
+     if (ncomponents <= 0) {
+         av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n",
+                s->ncomponents);
          return AVERROR_INVALIDDATA;
      }
 -    if (ncomponents > 3) {
++    if (ncomponents > 4) {
+         avpriv_request_sample(s->avctx, "Support for %d components",
+                               s->ncomponents);
+         return AVERROR_PATCHWELCOME;
+     }
      s->ncomponents = ncomponents;
  
-     if (s->tile_width<=0 || s->tile_height<=0)
 -    if (s->tile_width <= 0 || s->tile_height <= 0 ||
 -        s->tile_width > s->width || s->tile_height > s->height) {
++    if (s->tile_width <= 0 || s->tile_height <= 0) {
+         av_log(s->avctx, AV_LOG_ERROR, "Invalid tile dimension %dx%d.\n",
+                s->tile_width, s->tile_height);
          return AVERROR_INVALIDDATA;
+     }
  
      if (bytestream2_get_bytes_left(&s->g) < 3 * s->ncomponents)
          return AVERROR_INVALIDDATA;
          uint8_t x    = bytestream2_get_byteu(&s->g);
          s->cbps[i]   = (x & 0x7f) + 1;
          s->precision = FFMAX(s->cbps[i], s->precision);
 -        s->sgnd[i]   = (x & 0x80) == 1;
 +        s->sgnd[i]   = !!(x & 0x80);
          s->cdx[i]    = bytestream2_get_byteu(&s->g);
          s->cdy[i]    = bytestream2_get_byteu(&s->g);
 -
          if (s->cdx[i] != 1 || s->cdy[i] != 1) {
-             av_log(s->avctx, AV_LOG_ERROR, "unsupported/ CDxy values %d %d for component %d\n", s->cdx[i], s->cdy[i], i);
+             avpriv_request_sample(s->avctx,
+                                   "CDxy values %d %d for component %d",
+                                   s->cdx[i], s->cdy[i], i);
              if (!s->cdx[i] || !s->cdy[i])
                  return AVERROR_INVALIDDATA;
 -            else
 -                return AVERROR_PATCHWELCOME;
          }
      }
  
      s->numXtiles = ff_jpeg2000_ceildiv(s->width  - s->tile_offset_x, s->tile_width);
      s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height);
  
-     if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(Jpeg2000Tile))
++    if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) {
++        s->numXtiles = s->numYtiles = 0;
 +        return AVERROR(EINVAL);
++    }
 +
-     s->tile = av_mallocz(s->numXtiles * s->numYtiles * sizeof(*s->tile));
-     if (!s->tile)
+     s->tile = av_mallocz_array(s->numXtiles * s->numYtiles, sizeof(*s->tile));
+     if (!s->tile) {
+         s->numXtiles = s->numYtiles = 0;
          return AVERROR(ENOMEM);
+     }
  
      for (i = 0; i < s->numXtiles * s->numYtiles; i++) {
          Jpeg2000Tile *tile = s->tile + i;