From 36921fcdd3613dedd4046b59e3f43024fbfbbe17 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 14 Jul 2013 18:16:56 +0200
Subject: [PATCH 1/8] indeo: Reject impossible FRAMETYPE_NULL
A frame marked FRAMETYPE_NULL cannot be scalable and requires a previous frame successfully decoded.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5b2a29552ca09edd4646b6aa1828b32912b7ab36)
Signed-off-by: Luca Barbato
---
 libavcodec/ivi_common.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index c907e2a4d1..0dc7fa29f0 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -820,6 +820,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 }
 }
 }
+ } else {
+ if (ctx->is_scalable)
+ return AVERROR_INVALIDDATA;
+
+ for (p = 0; p < 3; p++) {
+ if (!ctx->planes[p].bands[0].buf)
+ return AVERROR_INVALIDDATA;
+ }
 }
 //STOP_TIMER("decode_planes");
 }
From 729143e2d27d5f06e6c4b959f4808a8a5fa7ca25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Mon, 15 Jul 2013 11:28:46 +0300
Subject: [PATCH 2/8] ac3dec: Don't consume more data than the actual input packet size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This was handled properly in the normal return case at the end of the function, but not in this special case. Returning a value larger than the input packet size can cause problems for certain library users. Returning the actual input buffer size unconditionally, since it is not guaranteed that frame_size is set to a sensible value at this point.
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 8f24c12be7a3b3ea105e67bba9a867fe210a2333)
Signed-off-by: Luca Barbato
---
 libavcodec/ac3dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
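Review bot: The new `else` branch rejects a FRAMETYPE_NULL frame with a bare `return AVERROR_INVALIDDATA;` and no diagnostic, unlike the other rejections in this series, so a corrupt NULL frame cannot be told apart in the log from any other decode failure; an `av_log(avctx, AV_LOG_ERROR, "Invalid NULL frame: scalable stream or no reference frame\n");` before the returns (or a single merged return) would fix that. The reason for the two conditions lives only in the commit message; a comment on the `} else {` line such as `/* A NULL frame repeats the previous one: it cannot be scalable and needs an already decoded reference. */` keeps it with the code. Only `bands[0].buf` is tested per plane, which presumably suffices because scalable streams were just rejected; that assumption is worth stating in the same comment. ff_ivi_decode_frame begins and ends outside the hunk.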
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 61097e99d9..2eac0ed12a 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1345,7 +1345,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
 "skipping frame\n");
 *got_frame_ptr = 0;
- return s->frame_size;
+ return buf_size;
 } else {
 av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
 }
From a593d2e92e1491ec04f315d9e38b001b74dcf0b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Mon, 15 Jul 2013 17:13:54 +0300
Subject: [PATCH 3/8] mov: Do not allow updating the time scale after it has been set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The time scale is set in mdhd, and later validated in the enclosing trak atom once all of its children have been parsed. A loose mdhd atom outside of a trak atom could update the time scale of the last stream without any validation.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 31931520df35a6f9606fe8293c8a39e2d1fabedf)
Signed-off-by: Luca Barbato
---
 libavformat/mov.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 1dbf63f91f..0e5d473a8b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -736,6 +736,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 st = c->fc->streams[c->fc->nb_streams-1];
 sc = st->priv_data;
+ if (sc->time_scale) {
+ av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 version = avio_r8(pb);
 if (version > 1) {
 av_log_ask_for_sample(c, "unsupported version %d\n", version);
From 0d24adbe8d8e48428776586aa16df6629470d8ae Mon Sep 17 00:00:00 2001
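Review bot: The new `return buf_size;` carries no comment on why the packet length rather than the parsed frame size is reported here, which is exactly the subtlety the commit message explains; add `/* frame_size may not be valid at this point; consume the whole packet. */` above it. The sibling `else` branch in the same hunk logs "invalid frame type" but, as far as the hunk shows, falls through instead of returning, so the two error paths behave differently; if decoding proceeds after that log, it deserves the same early return or a comment saying why that is tolerated. ac3_decode_frame starts and ends outside the hunk.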
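Review bot: The new `if (sc->time_scale)` guard runs after `st = c->fc->streams[c->fc->nb_streams-1];`, so a loose mdhd that precedes any trak, the case the commit describes, indexes `streams[-1]` unless mov_read_mdhd already checks `nb_streams` above the hunk; if it does not, add `if (c->fc->nb_streams < 1) return 0;` ahead of that line. The guard also relies on the first mdhd having stored a non-zero time scale; a first mdhd carrying 0 would leave a later one free to overwrite it, which is presumably caught by the trak validation the message mentions but is not visible here. `"Multiple mdhd?\n"` reads as a question; a declarative `"Multiple mdhd atoms for one stream\n"` is clearer when grepping logs. mov_read_mdhd continues outside the hunk.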
From: Luca Barbato
Date: Fri, 19 Jul 2013 21:09:40 +0200
Subject: [PATCH 4/8] dsicinav: Bound-check the source buffer when needed
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dd0bfc3a6a310e3e3674ce7742672d689a9a0e93)
Signed-off-by: Luca Barbato
---
 libavcodec/dsicinav.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index a379531613..108424c858 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -187,11 +187,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char
 while (src < src_end && dst < dst_end) {
 code = *src++;
 if (code & 0x80) {
+ if (src >= src_end)
+ break;
 len = code - 0x7F;
 memset(dst, *src++, FFMIN(len, dst_end - dst));
 } else {
 len = code + 1;
- memcpy(dst, src, FFMIN(len, dst_end - dst));
+ memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
 src += len;
 }
 dst += len;
From 246e0e2c994f0fad30d89ff39bd1fabca30c53ce Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Fri, 12 Jul 2013 23:02:25 +0200
Subject: [PATCH 5/8] alsdec: Fix the clipping range
mcc_weightings is only 32 elements.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 70ecc175c7b513a153ac87d1c5d219556ca55070)
Signed-off-by: Luca Barbato
---
 libavcodec/alsdec.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 459e2af928..b1fc1c05bd 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1159,6 +1159,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
 return 0;
 }
+static inline int als_weighting(GetBitContext *gb, int k, int off)
+{
+ int idx = av_clip(decode_rice(gb, k) + off,
+ 0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
+ return mcc_weightings[idx];
+}
 /** Read the channel data. */
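Review bot: After the newly clamped `memcpy`, `src += len;` and `dst += len;` still advance by the unclamped `len`, so a truncated run leaves `src` past `src_end` or `dst` past `dst_end`; the loop condition then stops, but the pointers already sit outside their buffers, which is undefined pointer arithmetic and an out-of-bounds hazard for any use after the loop. Clamp `len` once and advance by the clamped amount: `len = FFMIN3(len, dst_end - dst, src_end - src); memcpy(dst, src, len);`, and in the RLE branch likewise `len = FFMIN(len, dst_end - dst); memset(dst, *src++, len);`. The added `if (src >= src_end) break;` correctly protects the `*src++` read that follows in that branch. cin_decode_rle's signature and the remainder of its body are outside the hunk.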
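Review bot: `als_weighting` is added without a doc comment; in this file's Doxygen style, `/** Decode a Rice-coded weighting index, add @p off, clamp it into mcc_weightings and return the table entry. */` above the definition would say what the clamp is for. Clamping silently maps an out-of-table index from a corrupt stream onto a valid weighting rather than reporting it; that matches the previous behaviour at the six call sites in the following hunk, but a comment noting the choice (or a debug-level log when the clamp actually engages) helps anyone auditing malformed-input handling. Expressing the bound as `FF_ARRAY_ELEMS(mcc_weightings) - 1` rather than the old literal 32 is the right fix.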
@@ -1179,14 +1185,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
 if (current->master_channel != c) {
 current->time_diff_flag = get_bits1(gb);
- current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
- current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 32)];
- current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
+ current->weighting[0] = als_weighting(gb, 1, 16);
+ current->weighting[1] = als_weighting(gb, 2, 14);
+ current->weighting[2] = als_weighting(gb, 1, 16);
 if (current->time_diff_flag) {
- current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
- current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
- current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
+ current->weighting[3] = als_weighting(gb, 1, 16);
+ current->weighting[4] = als_weighting(gb, 1, 16);
+ current->weighting[5] = als_weighting(gb, 1, 16);
 current->time_diff_sign = get_bits1(gb);
 current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
From 8006716f215582ed396d9392809a174c26209f97 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 28 Jul 2013 18:24:15 +0200
Subject: [PATCH 6/8] xl: Make sure the width is valid
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato
---
 libavcodec/xl.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/xl.c b/libavcodec/xl.c
index 0ebc9467e0..d45866df8b 100644
--- a/libavcodec/xl.c
+++ b/libavcodec/xl.c
@@ -69,6 +69,11 @@ static int decode_frame(AVCodecContext *avctx,
 stride = avctx->width - 4;
+ if (avctx->width % 4) {
+ av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 if (buf_size < avctx->width * avctx->height) {
 av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
 return AVERROR_INVALIDDATA;
From 9c779b5dd0e8ce296aa2125877c8276775b8423e Mon Sep 17 00:00:00 2001
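Review bot: The new `if (avctx->width % 4)` check in xl.c still accepts `width == 0`, for which `stride = avctx->width - 4` on the line above becomes -4 and the existing `buf_size < avctx->width * avctx->height` test is trivially satisfied; unless the dimensions are validated elsewhere (not visible here), `if (avctx->width < 4 || avctx->width % 4)` also rejects that case. The check would read better placed before `stride` is computed, since the stride is only meaningful once the width is known to be sane. `avctx->width * avctx->height` in the existing check can overflow int for very large dimensions; the commit does not address it, and it is presumably prevented by an earlier size check at init that the hunk does not show. decode_frame starts and ends outside the hunk.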
From: Luca Barbato
Date: Sun, 4 Aug 2013 18:48:20 +0200
Subject: [PATCH 7/8] bink: Bound check the quantization matrix.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9991298f2c4d9022ad56057f15d037e18d454157)
Signed-off-by: Luca Barbato
---
 libavcodec/bink.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index f38c030b7c..47fcc81172 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -675,6 +675,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
 quant_idx = q;
 }
+ if (quant_idx >= 16)
+ return AVERROR_INVALIDDATA;
+
 quant = quant_matrices[quant_idx];
 block[0] = (block[0] * quant[0]) >> 11;
From 54e03863691dcae73260f70108b3731b70773e7c Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Mon, 5 Aug 2013 06:27:12 +0200
Subject: [PATCH 8/8] vc1: check the source buffer in vc1_mc functions
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 090cd0631140ac1a3a795d2adfac5dbf5e381aa2)
Signed-off-by: Luca Barbato
Conflicts:
 libavcodec/vc1dec.c
---
 libavcodec/vc1dec.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 9bc340b0e0..752f22fe0a 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -395,6 +395,11 @@ static void vc1_mc_1mv(VC1Context *v, int dir)
 }
 }
+ if (!srcY || !srcU) {
+ av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
+ return;
+ }
+
 src_x = s->mb_x * 16 + (mx >> 2);
 src_y = s->mb_y * 16 + (my >> 2);
 uvsrc_x = s->mb_x * 8 + (uvmx >> 2);
@@ -570,6 +575,11 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir)
 } else
 srcY = s->next_picture.f.data[0];
+ if (!srcY) {
+ av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
+ return;
+ }
+
 if (v->field_mode) {
 if (v->cur_field_type != v->ref_field_type[dir])
 my = my - 2 + 4 * v->cur_field_type;
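Review bot: The new bound `if (quant_idx >= 16)` in read_dct_coeffs hardcodes the size of `quant_matrices`, whose declaration is not in the hunk; `if (quant_idx >= FF_ARRAY_ELEMS(quant_matrices))` (the macro is already used elsewhere in this series) ties the check to the table. If `quant_idx` is a signed int whose value is derived from the bitstream via `q`, a negative value also passes `>= 16`; an unsigned comparison, `if ((unsigned)quant_idx >= FF_ARRAY_ELEMS(quant_matrices))`, covers both ends. Like the other rejections in this series, an `av_log(...)` naming the bad index would make the failure diagnosable rather than a silent AVERROR_INVALIDDATA. read_dct_coeffs starts and ends outside the hunk.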
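Review bot: The new `if (!srcY || !srcU)` guard in vc1_mc_1mv does not test the V plane; the V pointer is not visible in this hunk and presumably comes from the same picture as `srcU`, but checking it explicitly costs nothing and records the invariant. The `av_log` at AV_LOG_ERROR level fires once per macroblock that hits a missing reference, here and in the vc1_mc_4mv_luma hunk below as well as the vc1_mc_4mv_chroma hunk that follows, so a single frame without a reference can emit thousands of identical lines; logging once per frame or at a lower level would keep the diagnostic useful. A comment such as `/* No reference picture for this block: skip motion compensation. */` above each guard would explain the early return. All three functions start and end outside their hunks.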
@@ -856,6 +866,11 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir)
 srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x;
 }
+ if (!srcU) {
+ av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
+ return;
+ }
+
 if (v->field_mode) {
 if (chroma_ref_type) {
 srcU += s->current_picture_ptr->f.linesize[1];
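Review bot: The new `if (!srcU)` check in vc1_mc_4mv_chroma runs after the block offset has been added to the source pointers — the visible context line is `srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x;` — so if `srcU` is assigned the same way, a NULL plane plus a non-zero offset is no longer NULL and the guard only fires for a block whose offset happens to be 0; every other macroblock still goes on to dereference a near-NULL pointer. Test the plane base pointers before the offset is applied (keep the `data[1]`/`data[2]` assignment from whichever picture was chosen separate from the `+ uvsrc_y * s->uvlinesize + uvsrc_x` addition, check for NULL in between, then add the offset). `srcV` is not checked at all even though it is derived from the same picture and should be tested alongside `srcU`. The start of vc1_mc_4mv_chroma, including the `srcU` assignment, is outside the hunk, so the exact form of that assignment should be confirmed there.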