Re: [libav-devel] [PATCH] Add support for multichannel ATRAC3+ to OpenMG demuxer
On Sat, 28 Sep 2013 14:03:19 +0200, Maxim Polijakowski max_p...@gmx.de wrote: Am 28.09.2013 07:35, schrieb Anton Khirnov: [...] framesize = ((codec_params 0x3FF) * 8) + 8; samplerate = ff_oma_srate_tab[(codec_params 13) 7] * 100; if (!samplerate) { @@ -372,7 +379,7 @@ static int oma_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; } st-codec-sample_rate = samplerate; -st-codec-bit_rate= samplerate * framesize * 8 / 1024; +st-codec-bit_rate= samplerate * framesize * 8 / 2048; This part looks unrelated. Was bitrate wrong previously? Yes, because ATRAC3+ sample frame size was set to the wrong value of 1024 samples. The displayed bitrate always higher than it actually was... You're right - it looks unrelated. Should I make this only line a separate patch? It should be split, but no need to send a new patch just for this. I'll split it myself before pushing if nobody has any other comments. -- Anton Khirnov ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH] mxfdec: set audio timebase to 1/samplerate
Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC). Based on a commit by Matthieu Bouron matthieu.bou...@gmail.com Reported-by: Jean-Baptiste Kempf j...@videolan.org CC: libav-sta...@libav.org --- libavformat/mxfdec.c| 10 +- tests/ref/fate/mxf-demux|6 +++--- tests/ref/seek/lavf-mxf | 18 +- tests/ref/seek/lavf-mxf_d10 | 30 +++--- 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 7c0f657..d666b47 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1528,8 +1528,16 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st-codec-channels = descriptor-channels; st-codec-bits_per_coded_sample = descriptor-bits_per_sample; -if (descriptor-sample_rate.den 0) +if (descriptor-sample_rate.den 0) { st-codec-sample_rate = descriptor-sample_rate.num / descriptor-sample_rate.den; +avpriv_set_pts_info(st, 64, descriptor-sample_rate.den, descriptor-sample_rate.num); +} else { +av_log(mxf-fc, AV_LOG_WARNING, invalid sample rate (%d/%d) + found for stream #%, time base forced to 1/48000\n, + descriptor-sample_rate.num, descriptor-sample_rate.den, + st-index); +avpriv_set_pts_info(st, 64, 1, 48000); +} /* TODO: implement AV_CODEC_ID_RAWAUDIO */ if (st-codec-codec_id == AV_CODEC_ID_PCM_S16LE) { diff --git a/tests/ref/fate/mxf-demux b/tests/ref/fate/mxf-demux index e162775..426afae 100644 --- a/tests/ref/fate/mxf-demux +++ b/tests/ref/fate/mxf-demux @@ -1,7 +1,7 @@ #tb 0: 1/25 -#tb 1: 1/25 +#tb 1: 1/8000 0, 0, -9223372036854775808,1, 8468, 0xc083 -1, 0, 0, 50,32000, 0x479155e6 +1, 0, 0,16000,32000, 0x479155e6 0, 1, -9223372036854775808,1, 3814, 0xa10783b4 0, 2, -9223372036854775808,1, 3747, 0xb7bf6973 0, 3, -9223372036854775808,1, 3705, 0x5462a600 
@@ -52,7 +52,7 @@ 0, 48, -9223372036854775808,1, 3688, 0x1db45852 0, 49, -9223372036854775808,1,38412, 0x2ee26a63 0, 50, -9223372036854775808,1, 8385, 0x0bc20a27 -1, 50, 50, 50,32000, 0x8f7e5009 +1, 16000, 16000,16000,32000, 0x8f7e5009 0, 51, -9223372036854775808,1, 3733, 0xa3e2a9a0 0, 52, -9223372036854775808,1, 3773, 0x27769caa 0, 53, -9223372036854775808,1, 3670, 0xc8335e98 diff --git a/tests/ref/seek/lavf-mxf b/tests/ref/seek/lavf-mxf index cc634a8..5f2cf5d 100644 --- a/tests/ref/seek/lavf-mxf +++ b/tests/ref/seek/lavf-mxf @@ -7,8 +7,8 @@ ret: 0 st: 0 flags:0 ts: 0.80 ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size: 24712 ret: 0 st: 0 flags:1 ts:-0.32 ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size: 24801 -ret:-1 st: 1 flags:0 ts: 2.56 -ret: 0 st: 1 flags:1 ts: 1.48 +ret:-1 st: 1 flags:0 ts: 2.576667 +ret: 0 st: 1 flags:1 ts: 1.470833 ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.36 pts: 0.48 pos: 211968 size: 24787 @@ -17,9 +17,9 @@ ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size: 24801 ret:-1 st: 0 flags:0 ts: 2.16 ret: 0 st: 0 flags:1 ts: 1.04 ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size: 24712 -ret: 0 st: 1 flags:0 ts:-0.04 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size: 24801 -ret: 0 st: 1 flags:1 ts: 2.84 +ret: 0 st: 1 flags:1 ts: 2.835833 ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size: 24712 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 
@@ -28,9 +28,9 @@ ret: 0 st: 0 flags:0 ts:-0.48 ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size: 24801 ret: 0 st: 0 flags:1 ts: 2.40 ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size: 24712 -ret:-1 st: 1 flags:0 ts: 1.32 -ret: 0 st: 1 flags:1 ts: 0.20 -ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size: 24801 +ret:-1 st: 1 flags:0 ts: 1.306667 +ret: 0 st: 1 flags:1 ts: 0.200833 +ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos:
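Review bot: In the mxfdec.c hunk the new branch is still selected on descriptor->sample_rate.den alone, yet the added avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num) call uses sample_rate.num as the time base denominator. A descriptor with a usable den and a num of zero would skip the 1/48000 fallback, so test num in the same condition and let that case reach the warning path too. The 48000 in the fallback would read better as a named constant with a comment saying why that rate was chosen. The reference-file hunks break off mid-line in this copy, so the lavf-mxf_d10 changes listed in the diffstat could not be checked.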
Re: [libav-devel] [PATCH] mxfdec: set audio timebase to 1/samplerate
On 28/09/13 17:31, Anton Khirnov wrote:
> Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
>
> Based on a commit by Matthieu Bouron matthieu.bou...@gmail.com
>
> Reported-by: Jean-Baptiste Kempf j...@videolan.org
> CC: libav-sta...@libav.org
> ---
> libavformat/mxfdec.c | 10 +-
> tests/ref/fate/mxf-demux | 6 +++---
> tests/ref/seek/lavf-mxf | 18 +-
> tests/ref/seek/lavf-mxf_d10 | 30 +++---
> 4 files changed, 36 insertions(+), 28 deletions(-)

Ok.
[libav-devel] [PATCH 11/17] bfi: Add some very basic sanity checks for input packet sizes
CC: libav-sta...@libav.org --- libavformat/bfi.c |4 1 file changed, 4 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 5d7ccb8..19060e7 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -132,6 +132,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) video_offset= avio_rl32(pb); audio_size = video_offset - audio_offset; bfi-video_size = chunk_size - video_offset; +if (audio_size 0 || bfi-video_size 0) { +av_log(s, AV_LOG_ERROR, Invalid audio/video offsets or chunk size\n); +return AVERROR_INVALIDDATA; +} //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
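Review bot: The error message added after the audio_size and bfi->video_size computation in bfi_read_packet() says only "Invalid audio/video offsets or chunk size", which does not tell which of the fields read from the file was bad. Logging audio_offset, video_offset and chunk_size in that av_log call would make a rejected file diagnosable from the log alone. The commit message could also name the call that misbehaves on these values, since the hunk shows only av_get_packet(pb, pkt, audio_size) following the check.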
[libav-devel] [PATCH 04/17] xwma: Avoid division by zero
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- Alternatively, we could require bits_per_coded_sample to be = 8 earlier as well, although that could rule out some (purely hypothetical?) formats with 2 channels with bits_per_coded_sample == 4. --- libavformat/xwma.c |8 1 file changed, 8 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 52e423c..f4ff815 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -198,6 +198,14 @@ static int xwma_read_header(AVFormatContext *s) /* Estimate the duration from the total number of output bytes. */ const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1]; + +if (!bytes_per_sample) { +av_log(s, AV_LOG_ERROR, + Invalid bits_per_coded_sample %d for %d channels\n, + st-codec-bits_per_coded_sample, st-codec-channels); +return AVERROR_INVALIDDATA; +} + st-duration = total_decoded_bytes / bytes_per_sample; /* Use the dpds data to build a seek table. We can only do this after -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
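Review bot: The new !bytes_per_sample test sits inside the duration estimate in xwma_read_header(), directly before the one division this hunk shows, so a bad file is rejected only once the dpds table is already in use. The error message indicates the value derives from bits_per_coded_sample and channels; checking it at the point where it is computed would fail earlier and would cover any other use of bytes_per_sample as a divisor. If it is kept here, a short comment naming the division being guarded would help.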
[libav-devel] [PATCH 10/17] bfi: Avoid divisions by zero
If a zero-length video packet is to be returned, just return AVERROR(EAGAIN) and switch back to the audio stream. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/bfi.c |7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index e60bbf4..5d7ccb8 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -140,9 +140,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) pkt-pts = bfi-audio_frame; bfi-audio_frame += ret; -} - -else { +} else if (bfi-video_size 0) { //Tossing a video packet at the video decoder. ret = av_get_packet(pb, pkt, bfi-video_size); @@ -154,6 +152,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) /* One less frame to read. A cursory decrement. */ bfi-nframes--; +} else { +/* Empty video packet */ +ret = AVERROR(EAGAIN); } bfi-avflag = !bfi-avflag; -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
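Review bot: The new else branch for an empty video packet sets ret = AVERROR(EAGAIN) but skips the bfi->nframes-- that the video branch performs, so a zero-length video chunk is never counted as a frame read. If nframes is what ends the stream, it will be off by one for every empty chunk; either decrement it in the new branch as well or add a comment saying the omission is intended. The commit message should also name the division that a zero video_size reached, as it is not in the visible lines.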
[libav-devel] [PATCH 05/17] alac: Do bounds checking of lpc_order read from the bitstream
In lpc_prediction(), we write up to array element 'lpc_order' in an array allocated to hold 'max_samples_per_frame' elements. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/alac.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 41d1f77..6d1ace3 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -314,6 +314,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, rice_history_mult[ch] = get_bits(alac-gb, 3); lpc_order[ch] = get_bits(alac-gb, 5); +if (lpc_order[ch] = alac-max_samples_per_frame) +return AVERROR_INVALIDDATA; + /* read the predictor table */ for (i = lpc_order[ch] - 1; i = 0; i--) lpc_coefs[ch][i] = get_sbits(alac-gb, 16); -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
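Review bot: The bound added right after lpc_order[ch] is read in decode_element() compares against alac->max_samples_per_frame without a comment, and whether the limit is meant to be inclusive is the first thing a reader will question. The commit message says lpc_prediction() writes up to array element lpc_order in an array of max_samples_per_frame elements, which means index lpc_order itself has to be valid; a one-line comment at the check stating that would settle it. Consider logging the rejected value with av_log as the other patches in this series do, since the bare return gives no diagnostic.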
[libav-devel] [PATCH 07/17] riffdec: Avoid a division by zero
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/riffdec.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 447a686..1927b82 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -127,8 +127,14 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) codec-sample_rate = 0; } /* override bits_per_coded_sample for G.726 */ -if (codec-codec_id == AV_CODEC_ID_ADPCM_G726) +if (codec-codec_id == AV_CODEC_ID_ADPCM_G726) { +if (codec-sample_rate = 0) { +av_log(NULL, AV_LOG_ERROR, + Invalid sample rate for G726: %d\n, codec-sample_rate); +return AVERROR_INVALIDDATA; +} codec-bits_per_coded_sample = codec-bit_rate / codec-sample_rate; +} return 0; } -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
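Review bot: The added av_log call passes NULL as the logging context although ff_get_wav_header() has the AVCodecContext *codec argument at hand; using codec there ties the message to the stream being parsed. The context line just above the hunk sets codec->sample_rate = 0 on one path, so the new guard is reachable from within this function, which is worth a sentence in the commit message.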
[libav-devel] [PATCH 02/17] vqf: Make sure the bitrate is in the valid range
Even if the sample rate is valid, an invalid bitrate could pass the mode combination test below. CC: libav-sta...@libav.org --- libavformat/vqf.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 162c753..a43829b 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s) break; } +if (read_bitrate / st-codec-channels 8 || +read_bitrate / st-codec-channels 48) { +av_log(s, AV_LOG_ERROR, Invalid bitrate per channel %d\n, + read_bitrate / st-codec-channels); +return AVERROR_INVALIDDATA; +} + switch (((st-codec-sample_rate/1000) 8) + read_bitrate/st-codec-channels) { case (118) + 8 : -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
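Review bot: read_bitrate / st->codec->channels is evaluated three times in the added lines and once more in the switch that follows; computing it once into a local would keep the range check and the mode test visibly on the same value. The division also assumes st->codec->channels is nonzero at this point, which nothing in the hunk shows, so confirm it is validated earlier in vqf_read_header(). The limits 8 and 48 deserve a comment naming where they come from.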
[libav-devel] [PATCH 09/17] electronicarts: Add more sanity checking for the number of channels
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/electronicarts.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index b0e0674..b518ca0 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -467,7 +467,7 @@ static int ea_read_header(AVFormatContext *s) } if (ea-audio_codec) { -if (ea-num_channels = 0) { +if (ea-num_channels = 0 || ea-num_channels 48) { av_log(s, AV_LOG_WARNING, Unsupported number of channels: %d\n, ea-num_channels); ea-audio_codec = 0; -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
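Review bot: The upper limit of 48 added to the ea->num_channels test in ea_read_header() is a bare number with no indication of its origin. A named constant or a short comment would tell the next reader whether it is a limit of the format or of the code downstream. This path only logs at AV_LOG_WARNING and clears ea->audio_codec, so the file still opens without audio; say so in the commit message if that is the intent.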
[libav-devel] [PATCH 03/17] avidec: Make sure a packet is large enough before reading its data
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/avidec.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 1212c6a..3616281 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -816,7 +816,8 @@ fail: static int read_gab2_sub(AVStream *st, AVPacket *pkt) { -if (!strcmp(pkt-data, GAB2) AV_RL16(pkt-data + 5) == 2) { +if (pkt-size = 7 +!strcmp(pkt-data, GAB2) AV_RL16(pkt-data + 5) == 2) { uint8_t desc[256]; int score = AVPROBE_SCORE_EXTENSION, ret; AVIStream *ast = st-priv_data; -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
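Review bot: The new pkt->size test in read_gab2_sub() uses a bare 7, which a reader has to reconstruct as the five bytes strcmp() examines for "GAB2" including its terminator plus the two bytes AV_RL16(pkt->data + 5) reads. A comment or a named constant would record that derivation. Replacing strcmp() with memcmp() over an explicit length would also make the tag comparison bounded by a number visible at the call rather than by the string terminator.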
[libav-devel] [PATCH 06/17] mvi: Avoid a division by zero
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/mvi.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 7fb163b..af7b5c5 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -94,6 +94,12 @@ static int read_header(AVFormatContext *s) mvi-get_int = (vst-codec-width * vst-codec-height (1 16)) ? avio_rl16 : avio_rl24; mvi-audio_frame_size = ((uint64_t)mvi-audio_data_size MVI_FRAC_BITS) / frames_count; +if (mvi-audio_frame_size = 1) { +av_log(s, AV_LOG_ERROR, Invalid audio_data_size (%d) or frames_count (%d)\n, + mvi-audio_data_size, frames_count); +return AVERROR_INVALIDDATA; +} + mvi-audio_size_counter = (ast-codec-sample_rate * 830 / mvi-audio_frame_size - 1) * mvi-audio_frame_size; mvi-audio_size_left= mvi-audio_data_size; -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
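Review bot: The added check runs after mvi->audio_frame_size has already been computed by dividing by frames_count, so a zero frames_count is not caught by these lines even though the error message names it as a possible cause. Unless frames_count is validated before this hunk, test it ahead of that division. The check does cover the later division by mvi->audio_frame_size in the audio_size_counter expression, and a comment saying that is what it protects would make the threshold easier to review.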
[libav-devel] [PATCH 14/17] pcx: Return an error code if giving up due to missing palette
Previously, we returned 0, meaning successful decoding but 0 bytes consumed, leading to an infinite loop. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- Alternatively, we could just return buf_size to signal that the whole packet was consumed (but nothing was decoded). --- libavcodec/pcx.c |1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index a6f9d8d..51aea69 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -181,6 +181,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (*buf++ != 12) { av_log(avctx, AV_LOG_ERROR, expected palette after image data\n); +ret = AVERROR_INVALIDDATA; goto end; } } else if (nplanes == 1) { /* all packed formats, max. 16 colors */ -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 01/17] vqf: Make sure sample_rate is set to a valid value
This avoids divisions by zero later (and possibly assertions in time base scaling), since an invalid rate_flag combined with an invalid bitrate below could pass the mode combination test. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/vqf.c |4 1 file changed, 4 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index ab1042a..162c753 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s) st-codec-sample_rate = 11025; break; default: +if (rate_flag 8 || rate_flag 44) { +av_log(s, AV_LOG_ERROR, Invalid rate flag %d\n, rate_flag); +return AVERROR_INVALIDDATA; +} st-codec-sample_rate = rate_flag*1000; break; } -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 08/17] asfdec: Check the return value of asf_read_stream_properties
This makes sure errors in setting stream parameters are passed on to the caller. This avoids successfully opening files while some parameters aren't filled in properly. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/asfdec.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index b99cb02..5b4366e 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -743,7 +743,9 @@ static int asf_read_header(AVFormatContext *s) if (ret 0) return ret; } else if (!ff_guidcmp(g, ff_asf_stream_header)) { -asf_read_stream_properties(s, gsize); +int ret = asf_read_stream_properties(s, gsize); +if (ret 0) +return ret; } else if (!ff_guidcmp(g, ff_asf_comment_header)) { asf_read_content_desc(s, gsize); } else if (!ff_guidcmp(g, ff_asf_language_guid)) { -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
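Review bot: The new int ret is declared inside the ff_asf_stream_header branch while the branch just above it already tests and returns a ret; reusing one function-level variable would avoid a declaration in the middle of the else-if chain. The neighbouring asf_read_content_desc(s, gsize) call in the context lines still discards its result, so if the goal is that parameter-setting errors reach the caller, check whether the other readers in this chain can fail and need the same treatment.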
[libav-devel] [PATCH 13/17] pngdec: Stop trying to decode once inflate returns Z_STREAM_END
If the input buffer contains more data after the deflate stream, the loop previously left running infinitely, with inflate returning Z_STREAM_END. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/pngdec.c |4 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ec44d56..8864e4a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length) s-zstream.avail_out = s-crow_size; s-zstream.next_out = s-crow_buf; } +if (ret == Z_STREAM_END s-zstream.avail_in 0) { +av_log(NULL, AV_LOG_WARNING, %d undecompressed bytes left in buffer\n, s-zstream.avail_in); +return 0; +} } return 0; } -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
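Review bot: The warning added at the end of the loop in png_decode_idat() is logged with a NULL context, so it cannot be attributed to a decoder instance; pass the codec context if PNGDecContext gives access to one. The function then returns 0, the same value as the normal exit below, so the caller cannot tell that trailing bytes were dropped; that is acceptable for a warning but should be stated in the commit message.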
[libav-devel] [PATCH 12/17] mov: Make sure the read sample count is nonnegative
This avoids setting a negative number of frames, ending up with a negative average frame rate. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/mov.c |4 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index c3d857b..e1f2db2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1724,6 +1724,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sample_count=avio_rb32(pb); sample_duration = avio_rb32(pb); +if (sample_count 0) { +av_log(c-fc, AV_LOG_ERROR, Invalid sample_count=%d\n, sample_count); +return AVERROR_INVALIDDATA; +} sc-stts_data[i].count= sample_count; sc-stts_data[i].duration= sample_duration; -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
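Review bot: Only sample_count is validated in the added lines of mov_read_stts(), while sample_duration comes from the same pair of avio_rb32() reads and is stored into sc->stts_data[i].duration unchecked. If a bad duration is handled elsewhere, a comment here should say so; otherwise it wants the same kind of test. The early return also leaves the entries written for earlier values of i in sc->stts_data, so make sure nothing uses the table after this error.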
[libav-devel] [PATCH 15/17] xan: Use bytestream2 to limit reading to within the buffer
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/xan.c | 22 ++ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index ca2e8e0..2bdced7 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -287,8 +287,8 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) /* pointers to segments inside the compressed chunk */ const unsigned char *huffman_segment; -const unsigned char *size_segment; -const unsigned char *vector_segment; +GetByteContext size_segment; +GetByteContext vector_segment; const unsigned char *imagedata_segment; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; @@ -308,8 +308,8 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) return AVERROR_INVALIDDATA; huffman_segment = s-buf + huffman_offset; -size_segment = s-buf + size_offset; -vector_segment= s-buf + vector_offset; +bytestream2_init(size_segment, s-buf + size_offset, s-size - size_offset); +bytestream2_init(vector_segment, s-buf + vector_offset, s-size - vector_offset); imagedata_segment = s-buf + imagedata_offset; if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, @@ -361,19 +361,17 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) case 9: case 19: -size = *size_segment++; +size = bytestream2_get_byte(size_segment); break; case 10: case 20: -size = AV_RB16(size_segment[0]); -size_segment += 2; +size = bytestream2_get_be16(size_segment); break; case 11: case 21: -size = AV_RB24(size_segment); -size_segment += 3; +size = bytestream2_get_be24(size_segment); break; } 
@@ -395,9 +393,9 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) } } else { /* run-based motion compensation from last frame */ -motion_x = sign_extend(*vector_segment 4, 4); -motion_y = sign_extend(*vector_segment 0xF, 4); -vector_segment++; +uint8_t vector = bytestream2_get_byte(vector_segment); +motion_x = sign_extend(vector 4, 4); +motion_y = sign_extend(vector 0xF, 4); /* copy a run of pixels from the previous frame */ xan_wc3_copy_pixel_run(s, frame, x, y, size, motion_x, motion_y); -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
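Review bot: Only size_segment and vector_segment are converted to GetByteContext; huffman_segment and imagedata_segment stay raw pointers into s->buf, and imagedata_segment is still set to s->buf + imagedata_offset with no length attached, so the commit message should say where those two are bounded. In addition, the checked bytestream2_get_* readers return 0 once their buffer is exhausted, so a truncated size or vector segment now decodes as zeros instead of failing. A bytestream2_get_bytes_left() test that returns AVERROR_INVALIDDATA before the reads in the switch and in the motion compensation branch would reject such frames.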
[libav-devel] [PATCH 16/17] xan: Only read within the data that actually was initialized
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/xan.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 2bdced7..8a33e79 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -103,6 +103,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; +unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len 0) @@ -118,13 +119,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val 0x16) { if (dest = dest_end) -return 0; +return dest_len; *dest++ = val; val = ival; } } -return 0; +return dest - dest_start; } /** @@ -278,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) unsigned char flag = 0; int size = 0; int motion_x, motion_y; -int x, y; +int x, y, ret; unsigned char *opcode_buffer = s-buffer1; unsigned char *opcode_buffer_end = s-buffer1 + s-buffer1_size; @@ -312,9 +313,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) bytestream2_init(vector_segment, s-buf + vector_offset, s-size - vector_offset); imagedata_segment = s-buf + imagedata_offset; -if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s-size - huffman_offset) 0) +if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s-size - huffman_offset)) 0) return AVERROR_INVALIDDATA; +opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s-buffer2, s-buffer2_size, -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
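Review bot: xan_huffman_decode() changes from returning 0 on success to returning the number of bytes written (dest_len when the output fills up, dest - dest_start otherwise), but nothing in the hunk documents the new contract. Add a comment on the function describing the return value. In xan_wc3_decode_frame() the initializer opcode_buffer_end = s->buffer1 + s->buffer1_size shown in the context is now always overwritten by opcode_buffer_end = opcode_buffer + ret, so drop the initializer rather than leave a value that suggests the whole buffer is valid.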
[libav-devel] [PATCH 17/17] xxan: Disallow odd width
Decoded data is always written in pairs within this decoder. This fixes writes out of bounds. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/xxan.c |4 1 file changed, 4 insertions(+) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 2bc9ff6..05ce7ff 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -50,6 +50,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, Invalid frame height: %d.\n, avctx-height); return AVERROR(EINVAL); } +if (avctx-width 1) { +av_log(avctx, AV_LOG_ERROR, Invalid frame width: %d.\n, avctx-width); +return AVERROR(EINVAL); +} s-buffer_size = avctx-width * avctx-height; s-y_buffer = av_malloc(s-buffer_size); -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
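Review bot: The width test added to xan_decode_init() logs "Invalid frame width" without saying what makes the width invalid. The commit message gives the reason (decoded data is always written in pairs), so putting "must be even" into the log text, or a comment at the check, would save the reader a trip through the history.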
[libav-devel] [PATCH] rpza: Fix a buffer size check
We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/rpza.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 45350a8..ca9f7ea 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -204,7 +204,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: -if (s-size - stream_ptr 16) +if (s-size - stream_ptr 30) return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y 4; pixel_y++) { -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH] rpza: Fix a buffer size check
On 29/09/13 00:28, Martin Storsjö wrote: We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/rpza.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 45350a8..ca9f7ea 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -204,7 +204,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: -if (s-size - stream_ptr 16) +if (s-size - stream_ptr 30) return; Ok, BLOCK_SIZE might be a good name for it. lu ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 16/17] xan: Only read within the data that actually was initialized
On 29/09/13 00:21, Martin Storsjö wrote:
> Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
> CC: libav-sta...@libav.org
> ---
> libavcodec/xan.c | 12 +++-
> 1 file changed, 7 insertions(+), 5 deletions(-)

Looks fine.
Re: [libav-devel] [PATCH 12/17] mov: Make sure the read sample count is nonnegative
On 29/09/13 00:21, Martin Storsjö wrote:
> This avoids setting a negative number of frames, ending up with a negative average frame rate.
>
> Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
> CC: libav-sta...@libav.org
> ---
> libavformat/mov.c | 4
> 1 file changed, 4 insertions(+)

Ok.
Re: [libav-devel] [PATCH 13/17] pngdec: Stop trying to decode once inflate returns Z_STREAM_END
On 29/09/13 00:21, Martin Storsjö wrote:
> If the input buffer contains more data after the deflate stream, the loop previously left running infinitely, with inflate returning Z_STREAM_END.

Ok.
Re: [libav-devel] [PATCH 15/17] xan: Use bytestream2 to limit reading to within the buffer
On 29/09/13 00:21, Martin Storsjö wrote:
> Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
> CC: libav-sta...@libav.org
> ---
> libavcodec/xan.c | 22 ++
> 1 file changed, 10 insertions(+), 12 deletions(-)

Ok.
Re: [libav-devel] [PATCH 14/17] pcx: Return an error code if giving up due to missing palette
On 29/09/13 00:21, Martin Storsjö wrote:
> Previously, we returned 0, meaning successful decoding but 0 bytes consumed, leading to an infinite loop.
>
> Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
> CC: libav-sta...@libav.org
> ---
> Alternatively, we could just return buf_size to signal that the whole packet was consumed (but nothing was decoded).

Sounds better.

lu
Re: [libav-devel] [PATCH 01/17] vqf: Make sure sample_rate is set to a valid value
On Sun, Sep 29, 2013 at 01:21:03AM +0300, Martin Storsjö wrote: This avoids divisions by zero later (and possibly assertions in time base scaling), since an invalid rate_flag combined with an invalid bitrate below could pass the mode combination test. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/vqf.c |4 1 file changed, 4 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index ab1042a..162c753 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s) st-codec-sample_rate = 11025; break; default: +if (rate_flag 8 || rate_flag 44) { +av_log(s, AV_LOG_ERROR, Invalid rate flag %d\n, rate_flag); +return AVERROR_INVALIDDATA; +} st-codec-sample_rate = rate_flag*1000; break; } -- looks OK ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 02/17] vqf: Make sure the bitrate is in the valid range
On Sun, Sep 29, 2013 at 01:21:04AM +0300, Martin Storsjö wrote: Even if the sample rate is valid, an invalid bitrate could pass the mode combination test below. CC: libav-sta...@libav.org --- libavformat/vqf.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 162c753..a43829b 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s) break; } +if (read_bitrate / st-codec-channels 8 || +read_bitrate / st-codec-channels 48) { +av_log(s, AV_LOG_ERROR, Invalid bitrate per channel %d\n, + read_bitrate / st-codec-channels); +return AVERROR_INVALIDDATA; +} + switch (((st-codec-sample_rate/1000) 8) + read_bitrate/st-codec-channels) { case (118) + 8 : -- looks OK ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 04/17] xwma: Avoid division by zero
On Sun, Sep 29, 2013 at 01:21:06AM +0300, Martin Storsjö wrote: Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- Alternatively, we could require bits_per_coded_sample to be = 8 earlier as well, although that could rule out some (purely hypothetical?) formats with 2 channels with bits_per_coded_sample == 4. --- libavformat/xwma.c |8 1 file changed, 8 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 52e423c..f4ff815 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -198,6 +198,14 @@ static int xwma_read_header(AVFormatContext *s) /* Estimate the duration from the total number of output bytes. */ const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1]; + +if (!bytes_per_sample) { +av_log(s, AV_LOG_ERROR, + Invalid bits_per_coded_sample %d for %d channels\n, + st-codec-bits_per_coded_sample, st-codec-channels); +return AVERROR_INVALIDDATA; +} + st-duration = total_decoded_bytes / bytes_per_sample; /* Use the dpds data to build a seek table. We can only do this after -- might be OK ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 05/17] alac: Do bounds checking of lpc_order read from the bitstream
On Sun, Sep 29, 2013 at 01:21:07AM +0300, Martin Storsjö wrote: In lpc_prediction(), we write up to array element 'lpc_order' in an array allocated to hold 'max_samples_per_frame' elements. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/alac.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 41d1f77..6d1ace3 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -314,6 +314,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, rice_history_mult[ch] = get_bits(alac-gb, 3); lpc_order[ch] = get_bits(alac-gb, 5); +if (lpc_order[ch] = alac-max_samples_per_frame) +return AVERROR_INVALIDDATA; + /* read the predictor table */ for (i = lpc_order[ch] - 1; i = 0; i--) lpc_coefs[ch][i] = get_sbits(alac-gb, 16); -- looks a bit strange, I'd expect lpc_order max_samples_per_frame ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel