From 04c506e912716697e47daad0722c972acef4674e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 17:12:16 +0200 Subject: [PATCH 01/16] 4xm: use the correct logging context (cherry picked from commit 08859d19b429c522d6494c186656f4a2d3ff8e21) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 987285a682..f0e1b48975 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -670,9 +670,9 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length) color[1] = bytestream2_get_le16u(&g3); if (color[0] & 0x8000) - av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); + av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n"); if (color[1] & 0x8000) - av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); + av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n"); color[2] = mix(color[0], color[1]); color[3] = mix(color[1], color[0]); From 9ac3c6c2c6d9057b12b0169a0ebb70bd8485d5f2 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 17:32:49 +0200 Subject: [PATCH 02/16] 4xm: K&R formatting cosmetics (cherry picked from commit e6496ea7e7ea7355167a1ccbe67a7199d446a654) Signed-off-by: Luca Barbato --- libavformat/4xm.c | 85 +++++++++++++++++++++++------------------------ 1 file changed, 41 insertions(+), 44 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index e530c34a47..a300e34289 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -57,7 +57,7 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ - size = avio_rl32(pb); \ + size = avio_rl32(pb); \ if (fourcc_tag != LIST_TAG) \ return AVERROR_INVALIDDATA; \ fourcc_tag = avio_rl32(pb); @@ -103,8 +103,8 @@ static int fourxm_read_header(AVFormatContext *s) AVStream *st; fourxm->track_count = 0; - fourxm->tracks = NULL; - fourxm->fps = 1.0; + fourxm->tracks = NULL; + fourxm->fps = 1.0; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -119,7 +119,7 @@ static int fourxm_read_header(AVFormatContext *s) header = av_malloc(header_size); if (!header) return AVERROR(ENOMEM); - if (avio_read(pb, header, header_size) != header_size){ + if (avio_read(pb, header, header_size) != header_size) { av_free(header); return AVERROR(EIO); } @@ -127,14 +127,14 @@ static int fourxm_read_header(AVFormatContext *s) /* take the lazy approach and search for any and all vtrk and strk chunks */ for (i = 0; i < header_size - 8; i++) { fourcc_tag = AV_RL32(&header[i]); - size = AV_RL32(&header[i + 4]); + size = AV_RL32(&header[i + 4]); if (fourcc_tag == std__TAG) { fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { /* check that there is enough data */ if (size != vtrk_SIZE) { - ret= AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; goto fail; } fourxm->width = AV_RL32(&header[i + 36]); @@ -142,18 +142,18 @@ static int fourxm_read_header(AVFormatContext *s) /* allocate a new AVStream */ st = avformat_new_stream(s, NULL); - if (!st){ - ret= AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); goto fail; } avpriv_set_pts_info(st, 60, 1, fourxm->fps); fourxm->video_stream_index = st->index; - st->codec->codec_type = AVMEDIA_TYPE_VIDEO; - st->codec->codec_id = AV_CODEC_ID_4XM; + st->codec->codec_type = AVMEDIA_TYPE_VIDEO; + st->codec->codec_id = AV_CODEC_ID_4XM; st->codec->extradata_size = 4; - st->codec->extradata = av_malloc(4); + st->codec->extradata = av_malloc(4); AV_WL32(st->codec->extradata, AV_RL32(&header[i + 16])); st->codec->width = fourxm->width; st->codec->height = fourxm->height; @@ -188,24 +188,25 @@ static int fourxm_read_header(AVFormatContext *s) fourxm->tracks[current_track].sample_rate = AV_RL32(&header[i + 40]); fourxm->tracks[current_track].bits = AV_RL32(&header[i + 44]); fourxm->tracks[current_track].audio_pts = 0; - if( fourxm->tracks[current_track].channels <= 0 - || fourxm->tracks[current_track].sample_rate <= 0 - || fourxm->tracks[current_track].bits < 0){ + if (fourxm->tracks[current_track].channels <= 0 || + fourxm->tracks[current_track].sample_rate <= 0 || + fourxm->tracks[current_track].bits < 0) { av_log(s, AV_LOG_ERROR, "audio header invalid\n"); - ret= -1; + ret = -1; goto fail; } i += 8 + size; /* allocate a new AVStream */ st = avformat_new_stream(s, NULL); - if (!st){ - ret= AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); goto fail; } st->id = current_track; - avpriv_set_pts_info(st, 60, 1, fourxm->tracks[current_track].sample_rate); + avpriv_set_pts_info(st, 60, 1, + fourxm->tracks[current_track].sample_rate); fourxm->tracks[current_track].stream_index = st->index; @@ -219,17 +220,17 @@ static int fourxm_read_header(AVFormatContext *s) st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; if (fourxm->tracks[current_track].adpcm){ st->codec->codec_id = AV_CODEC_ID_ADPCM_4XM; - }else if (st->codec->bits_per_coded_sample == 8){ + } else if (st->codec->bits_per_coded_sample == 8) { st->codec->codec_id = AV_CODEC_ID_PCM_U8; - }else + } else st->codec->codec_id = AV_CODEC_ID_PCM_S16LE; } } /* skip over the LIST-MOVI chunk (which is where the stream should be */ GET_LIST_HEADER(); - if (fourcc_tag != MOVI_TAG){ - ret= AVERROR_INVALIDDATA; + if (fourcc_tag != MOVI_TAG) { + ret = AVERROR_INVALIDDATA; goto fail; } @@ -248,7 +249,7 @@ static int fourxm_read_packet(AVFormatContext *s, AVPacket *pkt) { FourxmDemuxContext *fourxm = s->priv_data; - AVIOContext *pb = s->pb; + AVIOContext *pb = s->pb; unsigned int fourcc_tag; unsigned int size; int ret = 0; @@ -258,18 +259,16 @@ static int fourxm_read_packet(AVFormatContext *s, int audio_frame_count; while (!packet_read) { - if ((ret = avio_read(s->pb, header, 8)) < 0) return ret; fourcc_tag = AV_RL32(&header[0]); - size = AV_RL32(&header[4]); + size = AV_RL32(&header[4]); if (pb->eof_reached) return AVERROR(EIO); switch (fourcc_tag) { - case LIST_TAG: /* this is a good time to bump the video pts */ - fourxm->video_pts ++; + fourxm->video_pts++; /* skip the LIST-* tag and move on to the next fourcc */ avio_rl32(pb); @@ -286,45 +285,43 @@ static int fourxm_read_packet(AVFormatContext *s, if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; - pkt->pts = fourxm->video_pts; - pkt->pos = avio_tell(s->pb); + pkt->pts = fourxm->video_pts; + pkt->pos = avio_tell(s->pb); memcpy(pkt->data, header, 8); ret = avio_read(s->pb, &pkt->data[8], size); - if (ret < 0){ + if (ret < 0) { av_free_packet(pkt); - }else + } else packet_read = 1; break; case snd__TAG: track_number = avio_rl32(pb); avio_skip(pb, 4); - size-=8; + size -= 8; - if (track_number < fourxm->track_count && fourxm->tracks[track_number].channels>0) { - ret= av_get_packet(s->pb, pkt, size); - if(ret<0) + if (track_number < fourxm->track_count && + fourxm->tracks[track_number].channels > 0) { + ret = av_get_packet(s->pb, pkt, size); + if (ret < 0) return AVERROR(EIO); pkt->stream_index = fourxm->tracks[track_number].stream_index; - pkt->pts = fourxm->tracks[track_number].audio_pts; + pkt->pts = fourxm->tracks[track_number].audio_pts; packet_read = 1; /* pts accounting */ audio_frame_count = size; if (fourxm->tracks[track_number].adpcm) - audio_frame_count -= - 2 * (fourxm->tracks[track_number].channels); - audio_frame_count /= - fourxm->tracks[track_number].channels; - if (fourxm->tracks[track_number].adpcm){ + audio_frame_count -= 2 * (fourxm->tracks[track_number].channels); + audio_frame_count /= fourxm->tracks[track_number].channels; + if (fourxm->tracks[track_number].adpcm) { audio_frame_count *= 2; - }else + } else audio_frame_count /= - (fourxm->tracks[track_number].bits / 8); + (fourxm->tracks[track_number].bits / 8); fourxm->tracks[track_number].audio_pts += audio_frame_count; - } else { avio_skip(pb, size); } From ea56f6e5a7e2ef64b313702dfd27e8118e98c31a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 18:45:45 +0200 Subject: [PATCH 03/16] 4xm: refactor fourxm_read_header Split sound and video tag parsing in separate functions. (cherry picked from commit e7a44f87d07655ec0cd31c315936931674434340) Signed-off-by: Luca Barbato Conflicts: libavcodec/4xm.c --- libavformat/4xm.c | 190 ++++++++++++++++++++++++---------------------- 1 file changed, 101 insertions(+), 89 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index a300e34289..2396045226 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -72,8 +72,6 @@ typedef struct AudioTrack { } AudioTrack; typedef struct FourxmDemuxContext { - int width; - int height; int video_stream_index; int track_count; AudioTrack *tracks; @@ -91,6 +89,104 @@ static int fourxm_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } +static int parse_vtrk(AVFormatContext *s, + FourxmDemuxContext *fourxm, uint8_t *buf, int size) +{ + AVStream *st; + /* check that there is enough data */ + if (size != vtrk_SIZE) { + return AVERROR_INVALIDDATA; + } + + /* allocate a new AVStream */ + st = avformat_new_stream(s, NULL); + if (!st) + return AVERROR(ENOMEM); + + avpriv_set_pts_info(st, 60, 1, fourxm->fps); + + fourxm->video_stream_index = st->index; + + st->codec->codec_type = AVMEDIA_TYPE_VIDEO; + st->codec->codec_id = AV_CODEC_ID_4XM; + st->codec->extradata_size = 4; + st->codec->extradata = av_malloc(4); + AV_WL32(st->codec->extradata, AV_RL32(buf + 16)); + st->codec->width = AV_RL32(buf + 36); + st->codec->height = AV_RL32(buf + 40); + + return 0; +} + + +static int parse_strk(AVFormatContext *s, + FourxmDemuxContext *fourxm, uint8_t *buf, int size) +{ + AVStream *st; + int track; + /* check that there is enough data */ + if (size != strk_SIZE) + return AVERROR_INVALIDDATA; + + track = AV_RL32(buf + 8); + + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + av_log(s, AV_LOG_ERROR, "current_track too large\n"); + return AVERROR_INVALIDDATA; + } + if (track + 1 > fourxm->track_count) { + AudioTrack *tmp = av_realloc(fourxm->tracks, + (track + 1) * sizeof(AudioTrack)); + if (!tmp) + return AVERROR(ENOMEM); + fourxm->tracks = tmp; + memset(&fourxm->tracks[fourxm->track_count], 0, + sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); + fourxm->track_count = track + 1; + } + fourxm->tracks[track].adpcm = AV_RL32(buf + 12); + fourxm->tracks[track].channels = AV_RL32(buf + 36); + fourxm->tracks[track].sample_rate = AV_RL32(buf + 40); + fourxm->tracks[track].bits = AV_RL32(buf + 44); + fourxm->tracks[track].audio_pts = 0; + + if (fourxm->tracks[track].channels <= 0 || + fourxm->tracks[track].sample_rate <= 0 || + fourxm->tracks[track].bits < 0) { + av_log(s, AV_LOG_ERROR, "audio header invalid\n"); + return AVERROR_INVALIDDATA; + } + /* allocate a new AVStream */ + st = avformat_new_stream(s, NULL); + if (!st) + return AVERROR(ENOMEM); + + st->id = track; + avpriv_set_pts_info(st, 60, 1, fourxm->tracks[track].sample_rate); + + fourxm->tracks[track].stream_index = st->index; + + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; + st->codec->codec_tag = 0; + st->codec->channels = fourxm->tracks[track].channels; + st->codec->sample_rate = fourxm->tracks[track].sample_rate; + st->codec->bits_per_coded_sample = fourxm->tracks[track].bits; + st->codec->bit_rate = st->codec->channels * + st->codec->sample_rate * + st->codec->bits_per_coded_sample; + st->codec->block_align = st->codec->channels * + st->codec->bits_per_coded_sample; + + if (fourxm->tracks[track].adpcm){ + st->codec->codec_id = AV_CODEC_ID_ADPCM_4XM; + } else if (st->codec->bits_per_coded_sample == 8) { + st->codec->codec_id = AV_CODEC_ID_PCM_U8; + } else + st->codec->codec_id = AV_CODEC_ID_PCM_S16LE; + + return 0; +} + static int fourxm_read_header(AVFormatContext *s) { AVIOContext *pb = s->pb; @@ -100,7 +196,6 @@ static int fourxm_read_header(AVFormatContext *s) FourxmDemuxContext *fourxm = s->priv_data; unsigned char *header; int i, ret; - AVStream *st; fourxm->track_count = 0; fourxm->tracks = NULL; @@ -132,98 +227,15 @@ static int fourxm_read_header(AVFormatContext *s) if (fourcc_tag == std__TAG) { fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { - /* check that there is enough data */ - if (size != vtrk_SIZE) { - ret = AVERROR_INVALIDDATA; + if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) goto fail; - } - fourxm->width = AV_RL32(&header[i + 36]); - fourxm->height = AV_RL32(&header[i + 40]); - - /* allocate a new AVStream */ - st = avformat_new_stream(s, NULL); - if (!st) { - ret = AVERROR(ENOMEM); - goto fail; - } - avpriv_set_pts_info(st, 60, 1, fourxm->fps); - - fourxm->video_stream_index = st->index; - - st->codec->codec_type = AVMEDIA_TYPE_VIDEO; - st->codec->codec_id = AV_CODEC_ID_4XM; - st->codec->extradata_size = 4; - st->codec->extradata = av_malloc(4); - AV_WL32(st->codec->extradata, AV_RL32(&header[i + 16])); - st->codec->width = fourxm->width; - st->codec->height = fourxm->height; i += 8 + size; } else if (fourcc_tag == strk_TAG) { - int current_track; - /* check that there is enough data */ - if (size != strk_SIZE) { - ret= AVERROR_INVALIDDATA; + if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) goto fail; - } - current_track = AV_RL32(&header[i + 8]); - if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){ - av_log(s, AV_LOG_ERROR, "current_track too large\n"); - ret= -1; - goto fail; - } - if (current_track + 1 > fourxm->track_count) { - fourxm->tracks = av_realloc(fourxm->tracks, - (current_track + 1) * sizeof(AudioTrack)); - if (!fourxm->tracks) { - ret = AVERROR(ENOMEM); - goto fail; - } - memset(&fourxm->tracks[fourxm->track_count], 0, - sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count)); - fourxm->track_count = current_track + 1; - } - fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); - fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); - fourxm->tracks[current_track].sample_rate = AV_RL32(&header[i + 40]); - fourxm->tracks[current_track].bits = AV_RL32(&header[i + 44]); - fourxm->tracks[current_track].audio_pts = 0; - if (fourxm->tracks[current_track].channels <= 0 || - fourxm->tracks[current_track].sample_rate <= 0 || - fourxm->tracks[current_track].bits < 0) { - av_log(s, AV_LOG_ERROR, "audio header invalid\n"); - ret = -1; - goto fail; - } + i += 8 + size; - - /* allocate a new AVStream */ - st = avformat_new_stream(s, NULL); - if (!st) { - ret = AVERROR(ENOMEM); - goto fail; - } - - st->id = current_track; - avpriv_set_pts_info(st, 60, 1, - fourxm->tracks[current_track].sample_rate); - - fourxm->tracks[current_track].stream_index = st->index; - - st->codec->codec_type = AVMEDIA_TYPE_AUDIO; - st->codec->codec_tag = 0; - st->codec->channels = fourxm->tracks[current_track].channels; - st->codec->sample_rate = fourxm->tracks[current_track].sample_rate; - st->codec->bits_per_coded_sample = fourxm->tracks[current_track].bits; - st->codec->bit_rate = st->codec->channels * st->codec->sample_rate * - st->codec->bits_per_coded_sample; - st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; - if (fourxm->tracks[current_track].adpcm){ - st->codec->codec_id = AV_CODEC_ID_ADPCM_4XM; - } else if (st->codec->bits_per_coded_sample == 8) { - st->codec->codec_id = AV_CODEC_ID_PCM_U8; - } else - st->codec->codec_id = AV_CODEC_ID_PCM_S16LE; } } From 3f71c0c1b08a815609fba9a9378171d1181083d3 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 18:56:28 +0200 Subject: [PATCH 04/16] 4xm: do not overread while parsing header Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11) Signed-off-by: Luca Barbato --- libavformat/4xm.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 2396045226..c0b3914fa1 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p) } static int parse_vtrk(AVFormatContext *s, - FourxmDemuxContext *fourxm, uint8_t *buf, int size) + FourxmDemuxContext *fourxm, uint8_t *buf, int size, + int left) { AVStream *st; /* check that there is enough data */ - if (size != vtrk_SIZE) { + if (size != vtrk_SIZE || left < size + 8) { return AVERROR_INVALIDDATA; } @@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s, static int parse_strk(AVFormatContext *s, - FourxmDemuxContext *fourxm, uint8_t *buf, int size) + FourxmDemuxContext *fourxm, uint8_t *buf, int size, + int left) { AVStream *st; int track; /* check that there is enough data */ - if (size != strk_SIZE) + if (size != strk_SIZE || left < size + 8) return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); @@ -225,14 +227,20 @@ static int fourxm_read_header(AVFormatContext *s) size = AV_RL32(&header[i + 4]); if (fourcc_tag == std__TAG) { + if (header_size - i < 16) { + ret = AVERROR_INVALIDDATA; + goto fail; + } fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { - if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) + if ((ret = parse_vtrk(s, fourxm, header + i, size, + header_size - i)) < 0) goto fail; i += 8 + size; } else if (fourcc_tag == strk_TAG) { - if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) + if ((ret = parse_strk(s, fourxm, header + i, size, + header_size - i)) < 0) goto fail; i += 8 + size; From dac0d4f354fe5ae93910cc6b30df9b992cca6be0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 20:30:48 +0200 Subject: [PATCH 05/16] 4xm: fold last_picture lazy allocation in decode_p_frame (cherry picked from commit 50ec1db62d977b6e864f315a53c1c580a6d7efa4) Signed-off-by: Luca Barbato Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index f0e1b48975..ceaacee5a6 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -395,6 +395,16 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) const int stride = f->current_picture.linesize[0] >> 1; unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset; + int ret; + + if (!f->last_picture.data[0]) { + if ((ret = ff_get_buffer(f->avctx, &f->last_picture)) < 0) { + av_log(f->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + return ret; + } + memset(f->last_picture.data[0], 0, + f->avctx->height * FFABS(f->last_picture.linesize[0])); + } if (f->version > 1) { extra = 20; @@ -852,14 +862,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, if (decode_i_frame(f, buf, frame_size) < 0) return -1; } else if (frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")) { - if (!f->last_picture.data[0]) { - f->last_picture.reference = 1; - if (ff_get_buffer(avctx, &f->last_picture) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; - } - memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0])); - } p->pict_type = AV_PICTURE_TYPE_P; if (decode_p_frame(f, buf, frame_size) < 0) From d0cabcc78975e8d4ffc84cffc3a390807e415ffa Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 22:33:34 +0200 Subject: [PATCH 06/16] 4xm: forward errors from decode_p_block Partially mitigate out of memory writes. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b8b809908ec547b2609dbac24194f4fd2df61aea) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index ceaacee5a6..696d2cf425 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -333,8 +333,8 @@ static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, } } -static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, - int log2w, int log2h, int stride) +static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, + int log2w, int log2h, int stride) { const int index = size2index[log2h][log2w]; const int h = 1 << log2h; @@ -343,33 +343,41 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, BLOCK_TYPE_VLC_BITS, 1); uint16_t *start = (uint16_t *)f->last_picture.data[0]; uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w); + int ret; - assert(code >= 0 && code <= 6); + if (code < 0 || code > 6) + return AVERROR_INVALIDDATA; if (code == 0) { src += f->mv[bytestream2_get_byte(&f->g)]; if (start > src || src > end) { av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); - return; + return AVERROR_INVALIDDATA; } mcdc(dst, src, log2w, h, stride, 1, 0); } else if (code == 1) { log2h--; - decode_p_block(f, dst, src, log2w, log2h, stride); - decode_p_block(f, dst + (stride << log2h), - src + (stride << log2h), log2w, log2h, stride); + if ((ret = decode_p_block(f, dst, src, log2w, log2h, stride)) < 0) + return ret; + if ((ret = decode_p_block(f, dst + (stride << log2h), + src + (stride << log2h), + log2w, log2h, stride)) < 0) + return ret; } else if (code == 2) { log2w--; - decode_p_block(f, dst , src, log2w, log2h, stride); - decode_p_block(f, dst + (1 << log2w), - src + (1 << log2w), log2w, log2h, stride); + if ((ret = decode_p_block(f, dst , src, log2w, log2h, stride)) < 0) + return ret; + if ((ret = decode_p_block(f, dst + (1 << log2w), + src + (1 << log2w), + log2w, log2h, stride)) < 0) + return ret; } else if (code == 3 && f->version < 2) { mcdc(dst, src, log2w, h, stride, 1, 0); } else if (code == 4) { src += f->mv[bytestream2_get_byte(&f->g)]; if (start > src || src > end) { av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); - return; + return AVERROR_INVALIDDATA; } mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); } else if (code == 5) { @@ -383,6 +391,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, dst[stride] = bytestream2_get_le16(&f->g2); } } + return 0; } static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) @@ -449,7 +458,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) for (y = 0; y < height; y += 8) { for (x = 0; x < width; x += 8) - decode_p_block(f, dst + x, src + x, 3, 3, stride); + if ((ret = decode_p_block(f, dst + x, src + x, 3, 3, stride)) < 0) + return ret; src += 8 * stride; dst += 8 * stride; } From f82e9deec2c2657d73731ab16c49efba5559670d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 6 Jun 2013 14:21:19 +0200 Subject: [PATCH 07/16] 4xm: drop pointless assert Make sure the value of wlog2 is always between 0 and 3. (cherry picked from commit 1f0c6075604c271d5627480f1243d22795f9a315) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 696d2cf425..4973b41636 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -329,7 +329,7 @@ static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, } break; default: - assert(0); + break; } } @@ -345,7 +345,7 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w); int ret; - if (code < 0 || code > 6) + if (code < 0 || code > 6 || log2w < 0) return AVERROR_INVALIDDATA; if (code == 0) { From ded74ab5d1ccfef375090a0e828fa123c589083c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 6 Jun 2013 16:58:57 +0200 Subject: [PATCH 08/16] 4xm: reject frames not compatible with the declared version Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 145023f57262d21474e35b4a6069cf95136339d4) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 4973b41636..dbf49177e6 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -835,6 +835,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number); + if (f->version <= 1) + return AVERROR_INVALIDDATA; + cfrm->size = cfrm->id = 0; frame_4cc = AV_RL32("pfrm"); } else From 6ddc1eb037042da814a62aa7f54517a897f0bdad Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 7 Jun 2013 16:16:46 +0200 Subject: [PATCH 09/16] 4xm: validate the buffer size before parsing it Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index dbf49177e6..493e2ad152 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -416,6 +416,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) } if (f->version > 1) { + if (length < 20) + return AVERROR_INVALIDDATA; extra = 20; bitstream_size = AV_RL32(buf + 8); wordstream_size = AV_RL32(buf + 12); @@ -786,18 +788,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, AVFrame *p, temp; int i, frame_4cc, frame_size; - frame_4cc = AV_RL32(buf); - if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20) + if (buf_size < 20) + return AVERROR_INVALIDDATA; + + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); + return AVERROR_INVALIDDATA; + } + + frame_4cc = AV_RL32(buf); if (frame_4cc == AV_RL32("cfrm")) { int free_index = -1; + int id, whole_size; const int data_size = buf_size - 20; - const int id = AV_RL32(buf + 12); - const int whole_size = AV_RL32(buf + 16); CFrameBuffer *cfrm; + if (data_size < 0) + return AVERROR_INVALIDDATA; + + id = AV_RL32(buf + 12); + whole_size = AV_RL32(buf + 16); + for (i = 0; i < CFRAME_BUFFER_COUNT; i++) if (f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", From d33b0f72245da71f7121b08116ef8732731f5adf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 7 Jun 2013 16:18:22 +0200 Subject: [PATCH 10/16] 4xm: do not overread the prestream buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be373cb50d3c411366fec7eef2eb3681abe48f96) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 493e2ad152..5602f62026 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -576,7 +576,8 @@ static int decode_i_mb(FourXContext *f) } static const uint8_t *read_huffman_tables(FourXContext *f, - const uint8_t * const buf) + const uint8_t * const buf, + int len) { int frequency[512] = { 0 }; uint8_t flag[512]; @@ -594,12 +595,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f, for (;;) { int i; + len -= end - start + 1; + + if (end < start || len < 0) + return NULL; + for (i = start; i <= end; i++) frequency[i] = *ptr++; start = *ptr++; if (start == 0) break; + if (--len < 0) + return NULL; + end = *ptr++; } frequency[256] = 1; @@ -741,7 +750,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) return -1; } - prestream = read_huffman_tables(f, prestream); + prestream = read_huffman_tables(f, prestream, prestream_size); if (!prestream) { av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); return AVERROR_INVALIDDATA; From 1a0cdd18b0cc3373c3a1348a8d5a4dab86a994d5 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:22:24 +0200 Subject: [PATCH 11/16] smacker: fix an off by one in huff.length computation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit ee205588b250fe5cae0681be8eba51a5403c3272) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b20a7b6d10..8c26e1ec4f 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -246,7 +246,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int ctx.recode2 = tmp2.values; ctx.last = last; - huff.length = ((size + 3) >> 2) + 3; + huff.length = ((size + 3) >> 2) + 4; huff.maxlength = 0; huff.current = 0; huff.values = av_mallocz(huff.length * sizeof(int)); From 5e6122ddadae542350933c2077434f17d51587a7 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:27:00 +0200 Subject: [PATCH 12/16] smacker: check the return value of smacker_decode_tree Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit a2f9937bb04b23a341b0ec0eb1d923bbeb420277) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 8c26e1ec4f..a72d7c5a35 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -639,7 +639,16 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, h[i].lengths = av_mallocz(256 * sizeof(int)); h[i].values = av_mallocz(256 * sizeof(int)); skip_bits1(&gb); - smacker_decode_tree(&gb, &h[i], 0, 0); + if (smacker_decode_tree(&gb, &h[i], 0, 0) < 0) { + for (; i >= 0; i--) { + if (vlc[i].table) + ff_free_vlc(&vlc[i]); + av_free(h[i].bits); + av_free(h[i].lengths); + av_free(h[i].values); + } + return AVERROR_INVALIDDATA; + } skip_bits1(&gb); if(h[i].current > 1) { res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, From 71b8ef938c1ec4aedc6459ec7338a4abf0f807b8 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:28:07 +0200 Subject: [PATCH 13/16] smacker: pad the extradata allocation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 4c22baf65363433f8c20efd1022b4ba2d8cf2288) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 17c7c529e7..df074a4c5d 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -210,7 +210,8 @@ static int smacker_read_header(AVFormatContext *s) /* load trees to extradata, they will be unpacked by decoder */ - st->codec->extradata = av_malloc(smk->treesize + 16); + st->codec->extradata = av_mallocz(smk->treesize + 16 + + FF_INPUT_BUFFER_PADDING_SIZE); st->codec->extradata_size = smk->treesize + 16; if(!st->codec->extradata){ av_log(s, AV_LOG_ERROR, "Cannot allocate %i bytes of extradata\n", smk->treesize + 16); From 7e326d52a783fd2f1a93e07bdb2ce74176d4c4a6 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:30:51 +0200 Subject: [PATCH 14/16] smacker: check frame size validity Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 07423ad7836325e03894f2f87ba46a531a1cc0b3) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index df074a4c5d..4a3a2b39d1 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -304,10 +304,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) /* if audio chunks are present, put them to stack and retrieve later */ for(i = 0; i < 7; i++) { if(flags & 1) { - int size; + uint32_t size; uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; + if (!size || size > frame_size) { + av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); + return AVERROR_INVALIDDATA; + } frame_size -= size; frame_size -= 4; smk->curstream++; From 5d2e4c918f35b247fb5a19b74d84de52cbc34e2c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 16 Jun 2013 19:31:58 +0200 Subject: [PATCH 15/16] update Changelog --- Changelog | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Changelog b/Changelog index 3ceb469850..2676d15fa3 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,29 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.7: + +Most of the following fixes resulted from test samples that the Google +Security Team has kindly made available to us: + +- 4xm: fix several programming errors to avoid crashes, etc. +- apetag: use int64_t for filesize +- jpegls: Fix invalid writes to memory +- ljpeg: use the correct number of components in YUV +- mjpeg: Validate sampling factors +- mjpegdec: properly report unsupported disabled features +- mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac +- mpegvideo: allocate sufficiently large scratch buffer for interlaced vid +- pixdesc: mark gray8 as pseudopal +- smacker: fix several programming errors to avoid crashes, etc. +- tiff: do not overread the source buffer +- vmd: drop incomplete chunks and spurious samples +- vmdav: convert to bytestream2 to avoid invalid reads and writes +- wavpack: check packet size early +- wavpack: use bytestream2 in wavpack_decode_block +- wavpack: validate samples size parsed in wavpack_decode_block + + version 9.6: - aac: check the maximum number of channels to avoid invalid writes - indeo3: fix off by one in MV validity check From 5c54fc6195e52c329b88cf5a56d18628f0ee0029 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 30 Jun 2013 16:03:11 +0200 Subject: [PATCH 16/16] Prepare for 9.8 RELEASE --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 9d5e716c05..021debdfd4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.7 +9.8