* release/0.8: (22 commits)
Update Changelog for 0.7.3 release
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
Update RELEASE file for 0.7.3
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report)
h264: Use mismatching frame numbers in fields
swscale: Readd #define _SVID_SOURCE
vp6: Fix illegal read.
vp6: Fix illegal read.
vp6: Reset the internal state when aborting key frames header parsing
vp6: Check for huffman tree build errors
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
imgutils: Fix illegal read.
qdm2: check output buffer size before decoding
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
vmd: fix segfaults on corruped streams
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -694,10 +694,13 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ |
694 | 694 |
unsigned int prestream_size; |
695 | 695 |
const uint8_t *prestream; |
696 | 696 |
|
697 |
- if (bitstream_size > (1<<26) || length < bitstream_size + 12) |
|
698 |
- return -1; |
|
699 |
- prestream_size = 4*AV_RL32(buf + bitstream_size + 4); |
|
700 |
- prestream = buf + bitstream_size + 12; |
|
697 |
+ if (length < bitstream_size + 12) { |
|
698 |
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); |
|
699 |
+ return AVERROR_INVALIDDATA; |
|
700 |
+ } |
|
701 |
+ |
|
702 |
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); |
|
703 |
+ prestream = buf + bitstream_size + 12; |
|
701 | 704 |
|
702 | 705 |
if (prestream_size > (1<<26) || |
703 | 706 |
prestream_size != length - (bitstream_size + 12)){ |
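Review bot: The new guard `if (length < bitstream_size + 12)` no longer bounds `bitstream_size` itself, whereas the removed line also rejected `bitstream_size > (1<<26)`. The declaration is above the hunk, but if `bitstream_size` is an unsigned 32-bit value taken from the packet, a value near the top of the range makes `bitstream_size + 12` wrap to a small number. The length test then passes and `AV_RL32(buf + bitstream_size + 4)` reads outside the packet. Keeping the bound restores the protection: `if (bitstream_size > (1<<26) || length < bitstream_size + 12) {`. decode_i_frame starts before and continues after this hunk.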
... | ... |
@@ -1514,7 +1514,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) |
1514 | 1514 |
/* invert DCT and place (or add) in final output */ |
1515 | 1515 |
|
1516 | 1516 |
if (s->all_fragments[i].coding_method == MODE_INTRA) { |
1517 |
- vp3_dequant(s, s->all_fragments + i, plane, 0, block); |
|
1517 |
+ int index; |
|
1518 |
+ index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); |
|
1519 |
+ if (index > 63) |
|
1520 |
+ continue; |
|
1518 | 1521 |
if(s->avctx->idct_algo!=FF_IDCT_VP3) |
1519 | 1522 |
block[0] += 128<<3; |
1520 | 1523 |
s->dsp.idct_put( |
... | ... |
@@ -1522,7 +1525,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) |
1522 | 1522 |
stride, |
1523 | 1523 |
block); |
1524 | 1524 |
} else { |
1525 |
- if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { |
|
1525 |
+ int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); |
|
1526 |
+ if (index > 63) |
|
1527 |
+ continue; |
|
1528 |
+ if (index > 0) { |
|
1526 | 1529 |
s->dsp.idct_add( |
1527 | 1530 |
output_plane + first_pixel, |
1528 | 1531 |
stride, |
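Review bot: Both `if (index > 63) continue;` paths in render_slice skip the IDCT call without resetting `block`. Any coefficients vp3_dequant stored before it gave up would still be there when the next fragment is dequantized, unless the buffer is cleared somewhere outside these hunks. If it is not, zero it before skipping, e.g. `if (index > 63) { memset(block, 0, 64 * sizeof(*block)); continue; }` (assuming `block` holds 64 coefficients). The guard also only helps if vp3_dequant itself stops writing once the index passes 63, and its body is not shown on this page. As a smaller point, the literal 63 appears twice and the two branches declare `index` differently (`int index; index = ...` versus `int index = ...`); a named constant and one form would read better.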
... | ... |
@@ -137,6 +137,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) |
137 | 137 |
|
138 | 138 |
/* compute MDCT block size */ |
139 | 139 |
s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0); |
140 |
+ s->next_block_len_bits = s->frame_len_bits; |
|
141 |
+ s->prev_block_len_bits = s->frame_len_bits; |
|
142 |
+ s->block_len_bits = s->frame_len_bits; |
|
140 | 143 |
|
141 | 144 |
s->frame_len = 1 << s->frame_len_bits; |
142 | 145 |
if (s->use_variable_block_len) { |
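Review bot: The three assignments added after `s->frame_len_bits = ...` in ff_wma_init carry no comment, so the code does not say why `next_block_len_bits`, `prev_block_len_bits` and `block_len_bits` need a value at init time. Presumably they can be read before the first block header sets them. A short comment would keep a later cleanup from dropping them, e.g. `/* defaults so the block sizes are valid before the first block is parsed */`. ff_wma_init continues outside the hunk.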