Merge branch 'release/0.8' into release/0.7
* release/0.8: (22 commits)
Update Changelog for 0.7.3 release
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
Update RELEASE file for 0.7.3
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report)
h264: Use mismatching frame numbers in fields
swscale: Readd #define _SVID_SOURCE
vp6: Fix illegal read.
vp6: Fix illegal read.
vp6: Reset the internal state when aborting key frames header parsing
vp6: Check for huffman tree build errors
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
imgutils: Fix illegal read.
qdm2: check output buffer size before decoding
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
vmd: fix segfaults on corruped streams
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2011/12/26 03:57:17Showing 4 changed files
| ... | ... |
@@ -694,10 +694,13 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
|
| 694 | 694 |
unsigned int prestream_size; |
| 695 | 695 |
const uint8_t *prestream; |
| 696 | 696 |
|
| 697 |
- if (bitstream_size > (1<<26) || length < bitstream_size + 12) |
|
| 698 |
- return -1; |
|
| 699 |
- prestream_size = 4*AV_RL32(buf + bitstream_size + 4); |
|
| 700 |
- prestream = buf + bitstream_size + 12; |
|
| 697 |
+ if (length < bitstream_size + 12) {
|
|
| 698 |
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); |
|
| 699 |
+ return AVERROR_INVALIDDATA; |
|
| 700 |
+ } |
|
| 701 |
+ |
|
| 702 |
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); |
|
| 703 |
+ prestream = buf + bitstream_size + 12; |
|
| 701 | 704 |
|
| 702 | 705 |
if (prestream_size > (1<<26) || |
| 703 | 706 |
prestream_size != length - (bitstream_size + 12)){
|
| ... | ... |
@@ -1514,7 +1514,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) |
| 1514 | 1514 |
/* invert DCT and place (or add) in final output */ |
| 1515 | 1515 |
|
| 1516 | 1516 |
if (s->all_fragments[i].coding_method == MODE_INTRA) {
|
| 1517 |
- vp3_dequant(s, s->all_fragments + i, plane, 0, block); |
|
| 1517 |
+ int index; |
|
| 1518 |
+ index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); |
|
| 1519 |
+ if (index > 63) |
|
| 1520 |
+ continue; |
|
| 1518 | 1521 |
if(s->avctx->idct_algo!=FF_IDCT_VP3) |
| 1519 | 1522 |
block[0] += 128<<3; |
| 1520 | 1523 |
s->dsp.idct_put( |
| ... | ... |
@@ -1522,7 +1525,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) |
| 1522 | 1522 |
stride, |
| 1523 | 1523 |
block); |
| 1524 | 1524 |
} else {
|
| 1525 |
- if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
|
|
| 1525 |
+ int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); |
|
| 1526 |
+ if (index > 63) |
|
| 1527 |
+ continue; |
|
| 1528 |
+ if (index > 0) {
|
|
| 1526 | 1529 |
s->dsp.idct_add( |
| 1527 | 1530 |
output_plane + first_pixel, |
| 1528 | 1531 |
stride, |
| ... | ... |
@@ -137,6 +137,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) |
| 137 | 137 |
|
| 138 | 138 |
/* compute MDCT block size */ |
| 139 | 139 |
s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0); |
| 140 |
+ s->next_block_len_bits = s->frame_len_bits; |
|
| 141 |
+ s->prev_block_len_bits = s->frame_len_bits; |
|
| 142 |
+ s->block_len_bits = s->frame_len_bits; |
|
| 140 | 143 |
|
| 141 | 144 |
s->frame_len = 1 << s->frame_len_bits; |
| 142 | 145 |
if (s->use_variable_block_len) {
|