diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-02-18 03:56:01 +0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-02-18 03:56:01 +0400 |
| commit | 7378101d41020ee9f4643740ebf1b9142afca557 (patch) | |
| tree | d23ff231538f8385182a4138a2d874fbc72fa378 /libavcodec/indeo5.c | |
| parent | da5f4e4d19917bce4b9213ff3d433ddf30e22fe5 (diff) | |
| parent | 377fabc9e687a3c73fdb235f773f6e9151378ca5 (diff) | |
Merge branch 'release/0.8' into release/0.7
* release/0.8: (92 commits)
Update for 0.8.13
pngdec/filter: dont access out of array elements at the end
aacdec: check channel count
vqavideo: check chunk sizes before reading chunks
eamad: fix out of array accesses
roqvideodec: check dimensions validity
qdm2: check array index before use, fix out of array accesses
alsdec: check block length
huffyuvdec: Skip len==0 cases
huffyuvdec: Check init_vlc() return codes.
Update changelog for 0.7.7 release
mpeg12: do not decode extradata more than once.
indeo4/5: check empty tile size in decode_mb_info().
dfa: improve boundary checks in decode_dds1()
indeo5dec: Make sure we have had a valid gop header.
rv34: error out on size changes with frame threading
rtmp: fix buffer overflows in ff_amf_tag_contents()
rtmp: fix multiple broken overflow checks
Revert "h264: allow cropping to AVCodecContext.width/height"
h264: check ref_count validity for num_ref_idx_active_override_flag
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavcodec/rv34.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/indeo5.c')
| -rw-r--r-- | libavcodec/indeo5.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index eb16726a81..15fad5872b 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -76,6 +76,8 @@ typedef struct { int is_scalable; uint32_t lock_word; IVIPicConfig pic_conf; + + int gop_invalid; } IVI5DecContext; @@ -339,8 +341,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - if (decode_gop_header(ctx, avctx)) - return -1; + ctx->gop_invalid = 1; + if (decode_gop_header(ctx, avctx)) { + av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + return AVERROR_INVALIDDATA; + } + ctx->gop_invalid = 0; } if (ctx->frame_type != FRAMETYPE_NULL) { @@ -457,6 +463,16 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, ref_mb = tile->ref_mbs; offs = tile->ypos * band->pitch + tile->xpos; + if (!ref_mb && + ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) + return AVERROR_INVALIDDATA; + + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; @@ -607,8 +623,10 @@ static int decode_band(IVI5DecContext *ctx, int plane_num, tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, + result = ff_ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + if (result < 0) + break; } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); @@ -755,6 +773,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, "Error while decoding picture header: %d\n", result); return -1; } + if (ctx->gop_invalid) + return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); |