Re: [libav-devel] [PATCH] Add support for multichannel ATRAC3+ to OpenMG demuxer
On Sat, 28 Sep 2013 14:03:19 +0200, Maxim Polijakowski max_p...@gmx.de wrote:
Am 28.09.2013 07:35, schrieb Anton Khirnov:
[...]
framesize = ((codec_params 0x3FF) * 8) + 8;
samplerate = ff_oma_srate_tab[(codec_params 13) 7] * 100;
if (!samplerate) {
@@ -372,7 +379,7 @@ static int oma_read_header(AVFormatContext *s)
return AVERROR_INVALIDDATA;
}
st-codec-sample_rate = samplerate;
-st-codec-bit_rate= samplerate * framesize * 8 / 1024;
+st-codec-bit_rate= samplerate * framesize * 8 / 2048;
This part looks unrelated.
Was bitrate wrong previously?
Yes, because ATRAC3+ sample frame size was set to the wrong value of
1024 samples. The displayed bitrate always higher than it actually was...
You're right - it looks unrelated. Should I make this only line a
separate patch?
It should be split, but no need to send a new patch just for this.
I'll split it myself before pushing if nobody has any other comments.
--
Anton Khirnov
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH] mxfdec: set audio timebase to 1/samplerate
Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron matthieu.bou...@gmail.com
Reported-by: Jean-Baptiste Kempf j...@videolan.org
CC: libav-sta...@libav.org
---
libavformat/mxfdec.c| 10 +-
tests/ref/fate/mxf-demux|6 +++---
tests/ref/seek/lavf-mxf | 18 +-
tests/ref/seek/lavf-mxf_d10 | 30 +++---
4 files changed, 36 insertions(+), 28 deletions(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 7c0f657..d666b47 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1528,8 +1528,16 @@ static int mxf_parse_structural_metadata(MXFContext *mxf)
st-codec-channels = descriptor-channels;
st-codec-bits_per_coded_sample = descriptor-bits_per_sample;
-if (descriptor-sample_rate.den 0)
+if (descriptor-sample_rate.den 0) {
st-codec-sample_rate = descriptor-sample_rate.num /
descriptor-sample_rate.den;
+avpriv_set_pts_info(st, 64, descriptor-sample_rate.den,
descriptor-sample_rate.num);
+} else {
+av_log(mxf-fc, AV_LOG_WARNING, invalid sample rate (%d/%d)
+ found for stream #%, time base forced to 1/48000\n,
+ descriptor-sample_rate.num,
descriptor-sample_rate.den,
+ st-index);
+avpriv_set_pts_info(st, 64, 1, 48000);
+}
/* TODO: implement AV_CODEC_ID_RAWAUDIO */
if (st-codec-codec_id == AV_CODEC_ID_PCM_S16LE) {
diff --git a/tests/ref/fate/mxf-demux b/tests/ref/fate/mxf-demux
index e162775..426afae 100644
--- a/tests/ref/fate/mxf-demux
+++ b/tests/ref/fate/mxf-demux
@@ -1,7 +1,7 @@
#tb 0: 1/25
-#tb 1: 1/25
+#tb 1: 1/8000
0, 0, -9223372036854775808,1, 8468, 0xc083
-1, 0, 0, 50,32000, 0x479155e6
+1, 0, 0,16000,32000, 0x479155e6
0, 1, -9223372036854775808,1, 3814, 0xa10783b4
0, 2, -9223372036854775808,1, 3747, 0xb7bf6973
0, 3, -9223372036854775808,1, 3705, 0x5462a600
@@ -52,7 +52,7 @@
0, 48, -9223372036854775808,1, 3688, 0x1db45852
0, 49, -9223372036854775808,1,38412, 0x2ee26a63
0, 50, -9223372036854775808,1, 8385, 0x0bc20a27
-1, 50, 50, 50,32000, 0x8f7e5009
+1, 16000, 16000,16000,32000, 0x8f7e5009
0, 51, -9223372036854775808,1, 3733, 0xa3e2a9a0
0, 52, -9223372036854775808,1, 3773, 0x27769caa
0, 53, -9223372036854775808,1, 3670, 0xc8335e98
diff --git a/tests/ref/seek/lavf-mxf b/tests/ref/seek/lavf-mxf
index cc634a8..5f2cf5d 100644
--- a/tests/ref/seek/lavf-mxf
+++ b/tests/ref/seek/lavf-mxf
@@ -7,8 +7,8 @@ ret: 0 st: 0 flags:0 ts: 0.80
ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size:
24712
ret: 0 st: 0 flags:1 ts:-0.32
ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size:
24801
-ret:-1 st: 1 flags:0 ts: 2.56
-ret: 0 st: 1 flags:1 ts: 1.48
+ret:-1 st: 1 flags:0 ts: 2.576667
+ret: 0 st: 1 flags:1 ts: 1.470833
ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size:
24712
ret: 0 st:-1 flags:0 ts: 0.365002
ret: 0 st: 0 flags:1 dts: 0.36 pts: 0.48 pos: 211968 size:
24787
@@ -17,9 +17,9 @@ ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos:
6144 size: 24801
ret:-1 st: 0 flags:0 ts: 2.16
ret: 0 st: 0 flags:1 ts: 1.04
ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size:
24712
-ret: 0 st: 1 flags:0 ts:-0.04
+ret: 0 st: 1 flags:0 ts:-0.058333
ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size:
24801
-ret: 0 st: 1 flags:1 ts: 2.84
+ret: 0 st: 1 flags:1 ts: 2.835833
ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size:
24712
ret:-1 st:-1 flags:0 ts: 1.730004
ret: 0 st:-1 flags:1 ts: 0.624171
@@ -28,9 +28,9 @@ ret: 0 st: 0 flags:0 ts:-0.48
ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size:
24801
ret: 0 st: 0 flags:1 ts: 2.40
ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size:
24712
-ret:-1 st: 1 flags:0 ts: 1.32
-ret: 0 st: 1 flags:1 ts: 0.20
-ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos: 6144 size:
24801
+ret:-1 st: 1 flags:0 ts: 1.306667
+ret: 0 st: 1 flags:1 ts: 0.200833
+ret: 0 st: 0 flags:1 dts: 0.84 pts: 0.96 pos: 460800 size:
24712
ret: 0 st:-1 flags:0 ts:-0.904994
ret: 0 st: 0 flags:1 dts:-0.04 pts: 0.00 pos:
Re: [libav-devel] [PATCH] mxfdec: set audio timebase to 1/samplerate
On 28/09/13 17:31, Anton Khirnov wrote: Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC). Based on a commit by Matthieu Bouron matthieu.bou...@gmail.com Reported-by: Jean-Baptiste Kempf j...@videolan.org CC: libav-sta...@libav.org --- libavformat/mxfdec.c| 10 +- tests/ref/fate/mxf-demux|6 +++--- tests/ref/seek/lavf-mxf | 18 +- tests/ref/seek/lavf-mxf_d10 | 30 +++--- 4 files changed, 36 insertions(+), 28 deletions(-) Ok. ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 11/17] bfi: Add some very basic sanity checks for input packet sizes
CC: libav-sta...@libav.org
---
libavformat/bfi.c |4
1 file changed, 4 insertions(+)
diff --git a/libavformat/bfi.c b/libavformat/bfi.c
index 5d7ccb8..19060e7 100644
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -132,6 +132,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket *
pkt)
video_offset= avio_rl32(pb);
audio_size = video_offset - audio_offset;
bfi-video_size = chunk_size - video_offset;
+if (audio_size 0 || bfi-video_size 0) {
+av_log(s, AV_LOG_ERROR, Invalid audio/video offsets or chunk
size\n);
+return AVERROR_INVALIDDATA;
+}
//Tossing an audio packet at the audio decoder.
ret = av_get_packet(pb, pkt, audio_size);
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 04/17] xwma: Avoid division by zero
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
Alternatively, we could require bits_per_coded_sample to be = 8
earlier as well, although that could rule out some (purely
hypothetical?) formats with 2 channels with bits_per_coded_sample == 4.
---
libavformat/xwma.c |8
1 file changed, 8 insertions(+)
diff --git a/libavformat/xwma.c b/libavformat/xwma.c
index 52e423c..f4ff815 100644
--- a/libavformat/xwma.c
+++ b/libavformat/xwma.c
@@ -198,6 +198,14 @@ static int xwma_read_header(AVFormatContext *s)
/* Estimate the duration from the total number of output bytes. */
const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
+
+if (!bytes_per_sample) {
+av_log(s, AV_LOG_ERROR,
+ Invalid bits_per_coded_sample %d for %d channels\n,
+ st-codec-bits_per_coded_sample, st-codec-channels);
+return AVERROR_INVALIDDATA;
+}
+
st-duration = total_decoded_bytes / bytes_per_sample;
/* Use the dpds data to build a seek table. We can only do this after
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 10/17] bfi: Avoid divisions by zero
If a zero-length video packet is to be returned, just return
AVERROR(EAGAIN) and switch back to the audio stream.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/bfi.c |7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavformat/bfi.c b/libavformat/bfi.c
index e60bbf4..5d7ccb8 100644
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -140,9 +140,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket *
pkt)
pkt-pts = bfi-audio_frame;
bfi-audio_frame += ret;
-}
-
-else {
+} else if (bfi-video_size 0) {
//Tossing a video packet at the video decoder.
ret = av_get_packet(pb, pkt, bfi-video_size);
@@ -154,6 +152,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket *
pkt)
/* One less frame to read. A cursory decrement. */
bfi-nframes--;
+} else {
+/* Empty video packet */
+ret = AVERROR(EAGAIN);
}
bfi-avflag = !bfi-avflag;
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 05/17] alac: Do bounds checking of lpc_order read from the bitstream
In lpc_prediction(), we write up to array element 'lpc_order' in an array allocated to hold 'max_samples_per_frame' elements. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/alac.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 41d1f77..6d1ace3 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -314,6 +314,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, rice_history_mult[ch] = get_bits(alac-gb, 3); lpc_order[ch] = get_bits(alac-gb, 5); +if (lpc_order[ch] = alac-max_samples_per_frame) +return AVERROR_INVALIDDATA; + /* read the predictor table */ for (i = lpc_order[ch] - 1; i = 0; i--) lpc_coefs[ch][i] = get_sbits(alac-gb, 16); -- 1.7.9.4 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 07/17] riffdec: Avoid a division by zero
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/riffdec.c |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c
index 447a686..1927b82 100644
--- a/libavformat/riffdec.c
+++ b/libavformat/riffdec.c
@@ -127,8 +127,14 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext
*codec, int size)
codec-sample_rate = 0;
}
/* override bits_per_coded_sample for G.726 */
-if (codec-codec_id == AV_CODEC_ID_ADPCM_G726)
+if (codec-codec_id == AV_CODEC_ID_ADPCM_G726) {
+if (codec-sample_rate = 0) {
+av_log(NULL, AV_LOG_ERROR,
+ Invalid sample rate for G726: %d\n, codec-sample_rate);
+return AVERROR_INVALIDDATA;
+}
codec-bits_per_coded_sample = codec-bit_rate / codec-sample_rate;
+}
return 0;
}
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 02/17] vqf: Make sure the bitrate is in the valid range
Even if the sample rate is valid, an invalid bitrate could
pass the mode combination test below.
CC: libav-sta...@libav.org
---
libavformat/vqf.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index 162c753..a43829b 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s)
break;
}
+if (read_bitrate / st-codec-channels 8 ||
+read_bitrate / st-codec-channels 48) {
+av_log(s, AV_LOG_ERROR, Invalid bitrate per channel %d\n,
+ read_bitrate / st-codec-channels);
+return AVERROR_INVALIDDATA;
+}
+
switch (((st-codec-sample_rate/1000) 8) +
read_bitrate/st-codec-channels) {
case (118) + 8 :
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 09/17] electronicarts: Add more sanity checking for the number of channels
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/electronicarts.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index b0e0674..b518ca0 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -467,7 +467,7 @@ static int ea_read_header(AVFormatContext *s)
}
if (ea-audio_codec) {
-if (ea-num_channels = 0) {
+if (ea-num_channels = 0 || ea-num_channels 48) {
av_log(s, AV_LOG_WARNING,
Unsupported number of channels: %d\n, ea-num_channels);
ea-audio_codec = 0;
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 03/17] avidec: Make sure a packet is large enough before reading its data
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/avidec.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 1212c6a..3616281 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -816,7 +816,8 @@ fail:
static int read_gab2_sub(AVStream *st, AVPacket *pkt)
{
-if (!strcmp(pkt-data, GAB2) AV_RL16(pkt-data + 5) == 2) {
+if (pkt-size = 7
+!strcmp(pkt-data, GAB2) AV_RL16(pkt-data + 5) == 2) {
uint8_t desc[256];
int score = AVPROBE_SCORE_EXTENSION, ret;
AVIStream *ast = st-priv_data;
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 06/17] mvi: Avoid a division by zero
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/mvi.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 7fb163b..af7b5c5 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -94,6 +94,12 @@ static int read_header(AVFormatContext *s)
mvi-get_int = (vst-codec-width * vst-codec-height (1 16)) ?
avio_rl16 : avio_rl24;
mvi-audio_frame_size = ((uint64_t)mvi-audio_data_size
MVI_FRAC_BITS) / frames_count;
+if (mvi-audio_frame_size = 1) {
+av_log(s, AV_LOG_ERROR, Invalid audio_data_size (%d) or frames_count
(%d)\n,
+ mvi-audio_data_size, frames_count);
+return AVERROR_INVALIDDATA;
+}
+
mvi-audio_size_counter = (ast-codec-sample_rate * 830 /
mvi-audio_frame_size - 1) * mvi-audio_frame_size;
mvi-audio_size_left= mvi-audio_data_size;
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 14/17] pcx: Return an error code if giving up due to missing palette
Previously, we returned 0, meaning successful decoding but 0
bytes consumed, leading to an infinite loop.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
Alternatively, we could just return buf_size to signal that the
whole packet was consumed (but nothing was decoded).
---
libavcodec/pcx.c |1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index a6f9d8d..51aea69 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -181,6 +181,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void
*data, int *got_frame,
}
if (*buf++ != 12) {
av_log(avctx, AV_LOG_ERROR, expected palette after image data\n);
+ret = AVERROR_INVALIDDATA;
goto end;
}
} else if (nplanes == 1) { /* all packed formats, max. 16 colors */
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 01/17] vqf: Make sure sample_rate is set to a valid value
This avoids divisions by zero later (and possibly assertions in
time base scaling), since an invalid rate_flag combined with an
invalid bitrate below could pass the mode combination test.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/vqf.c |4
1 file changed, 4 insertions(+)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index ab1042a..162c753 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s)
st-codec-sample_rate = 11025;
break;
default:
+if (rate_flag 8 || rate_flag 44) {
+av_log(s, AV_LOG_ERROR, Invalid rate flag %d\n, rate_flag);
+return AVERROR_INVALIDDATA;
+}
st-codec-sample_rate = rate_flag*1000;
break;
}
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 08/17] asfdec: Check the return value of asf_read_stream_properties
This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/asfdec.c |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index b99cb02..5b4366e 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -743,7 +743,9 @@ static int asf_read_header(AVFormatContext *s)
if (ret 0)
return ret;
} else if (!ff_guidcmp(g, ff_asf_stream_header)) {
-asf_read_stream_properties(s, gsize);
+int ret = asf_read_stream_properties(s, gsize);
+if (ret 0)
+return ret;
} else if (!ff_guidcmp(g, ff_asf_comment_header)) {
asf_read_content_desc(s, gsize);
} else if (!ff_guidcmp(g, ff_asf_language_guid)) {
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 13/17] pngdec: Stop trying to decode once inflate returns Z_STREAM_END
If the input buffer contains more data after the deflate stream,
the loop previously left running infinitely, with inflate returning
Z_STREAM_END.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavcodec/pngdec.c |4
1 file changed, 4 insertions(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index ec44d56..8864e4a 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length)
s-zstream.avail_out = s-crow_size;
s-zstream.next_out = s-crow_buf;
}
+if (ret == Z_STREAM_END s-zstream.avail_in 0) {
+av_log(NULL, AV_LOG_WARNING, %d undecompressed bytes left in
buffer\n, s-zstream.avail_in);
+return 0;
+}
}
return 0;
}
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 12/17] mov: Make sure the read sample count is nonnegative
This avoids setting a negative number of frames, ending up with a
negative average frame rate.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/mov.c |4
1 file changed, 4 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index c3d857b..e1f2db2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1724,6 +1724,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
sample_count=avio_rb32(pb);
sample_duration = avio_rb32(pb);
+if (sample_count 0) {
+av_log(c-fc, AV_LOG_ERROR, Invalid sample_count=%d\n,
sample_count);
+return AVERROR_INVALIDDATA;
+}
sc-stts_data[i].count= sample_count;
sc-stts_data[i].duration= sample_duration;
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 15/17] xan: Use bytestream2 to limit reading to within the buffer
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavcodec/xan.c | 22 ++
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index ca2e8e0..2bdced7 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -287,8 +287,8 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame
*frame)
/* pointers to segments inside the compressed chunk */
const unsigned char *huffman_segment;
-const unsigned char *size_segment;
-const unsigned char *vector_segment;
+GetByteContext size_segment;
+GetByteContext vector_segment;
const unsigned char *imagedata_segment;
int huffman_offset, size_offset, vector_offset, imagedata_offset,
imagedata_size;
@@ -308,8 +308,8 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame
*frame)
return AVERROR_INVALIDDATA;
huffman_segment = s-buf + huffman_offset;
-size_segment = s-buf + size_offset;
-vector_segment= s-buf + vector_offset;
+bytestream2_init(size_segment, s-buf + size_offset, s-size -
size_offset);
+bytestream2_init(vector_segment, s-buf + vector_offset, s-size -
vector_offset);
imagedata_segment = s-buf + imagedata_offset;
if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
@@ -361,19 +361,17 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame
*frame)
case 9:
case 19:
-size = *size_segment++;
+size = bytestream2_get_byte(size_segment);
break;
case 10:
case 20:
-size = AV_RB16(size_segment[0]);
-size_segment += 2;
+size = bytestream2_get_be16(size_segment);
break;
case 11:
case 21:
-size = AV_RB24(size_segment);
-size_segment += 3;
+size = bytestream2_get_be24(size_segment);
break;
}
@@ -395,9 +393,9 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame
*frame)
}
} else {
/* run-based motion compensation from last frame */
-motion_x = sign_extend(*vector_segment 4, 4);
-motion_y = sign_extend(*vector_segment 0xF, 4);
-vector_segment++;
+uint8_t vector = bytestream2_get_byte(vector_segment);
+motion_x = sign_extend(vector 4, 4);
+motion_y = sign_extend(vector 0xF, 4);
/* copy a run of pixels from the previous frame */
xan_wc3_copy_pixel_run(s, frame, x, y, size, motion_x, motion_y);
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 16/17] xan: Only read within the data that actually was initialized
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavcodec/xan.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 2bdced7..8a33e79 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -103,6 +103,7 @@ static int xan_huffman_decode(unsigned char *dest, int
dest_len,
int ptr_len = src_len - 1 - byte*2;
unsigned char val = ival;
unsigned char *dest_end = dest + dest_len;
+unsigned char *dest_start = dest;
GetBitContext gb;
if (ptr_len 0)
@@ -118,13 +119,13 @@ static int xan_huffman_decode(unsigned char *dest, int
dest_len,
if (val 0x16) {
if (dest = dest_end)
-return 0;
+return dest_len;
*dest++ = val;
val = ival;
}
}
-return 0;
+return dest - dest_start;
}
/**
@@ -278,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame
*frame)
unsigned char flag = 0;
int size = 0;
int motion_x, motion_y;
-int x, y;
+int x, y, ret;
unsigned char *opcode_buffer = s-buffer1;
unsigned char *opcode_buffer_end = s-buffer1 + s-buffer1_size;
@@ -312,9 +313,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame
*frame)
bytestream2_init(vector_segment, s-buf + vector_offset, s-size -
vector_offset);
imagedata_segment = s-buf + imagedata_offset;
-if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
- huffman_segment, s-size - huffman_offset) 0)
+if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+ huffman_segment, s-size - huffman_offset))
0)
return AVERROR_INVALIDDATA;
+opcode_buffer_end = opcode_buffer + ret;
if (imagedata_segment[0] == 2) {
xan_unpack(s-buffer2, s-buffer2_size,
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 17/17] xxan: Disallow odd width
Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavcodec/xxan.c |4
1 file changed, 4 insertions(+)
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 2bc9ff6..05ce7ff 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -50,6 +50,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
av_log(avctx, AV_LOG_ERROR, Invalid frame height: %d.\n,
avctx-height);
return AVERROR(EINVAL);
}
+if (avctx-width 1) {
+av_log(avctx, AV_LOG_ERROR, Invalid frame width: %d.\n,
avctx-width);
+return AVERROR(EINVAL);
+}
s-buffer_size = avctx-width * avctx-height;
s-y_buffer = av_malloc(s-buffer_size);
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH] rpza: Fix a buffer size check
We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavcodec/rpza.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 45350a8..ca9f7ea 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -204,7 +204,7 @@ static void rpza_decode_stream(RpzaContext *s)
/* Fill block with 16 colors */
case 0x00:
-if (s-size - stream_ptr 16)
+if (s-size - stream_ptr 30)
return;
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y 4; pixel_y++) {
--
1.7.9.4
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH] rpza: Fix a buffer size check
On 29/09/13 00:28, Martin Storsjö wrote: We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/rpza.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 45350a8..ca9f7ea 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -204,7 +204,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: -if (s-size - stream_ptr 16) +if (s-size - stream_ptr 30) return; Ok, BLOCK_SIZE might be a good name for it. lu ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 16/17] xan: Only read within the data that actually was initialized
On 29/09/13 00:21, Martin Storsjö wrote: Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/xan.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) Looks fine. ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 12/17] mov: Make sure the read sample count is nonnegative
On 29/09/13 00:21, Martin Storsjö wrote: This avoids setting a negative number of frames, ending up with a negative average frame rate. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavformat/mov.c |4 1 file changed, 4 insertions(+) Ok. ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 13/17] pngdec: Stop trying to decode once inflate returns Z_STREAM_END
On 29/09/13 00:21, Martin Storsjö wrote: If the input buffer contains more data after the deflate stream, the loop previously left running infinitely, with inflate returning Z_STREAM_END. Ok. ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 15/17] xan: Use bytestream2 to limit reading to within the buffer
On 29/09/13 00:21, Martin Storsjö wrote: Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/xan.c | 22 ++ 1 file changed, 10 insertions(+), 12 deletions(-) Ok. ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 14/17] pcx: Return an error code if giving up due to missing palette
On 29/09/13 00:21, Martin Storsjö wrote: Previously, we returned 0, meaning successful decoding but 0 bytes consumed, leading to an infinite loop. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- Alternatively, we could just return buf_size to signal that the whole packet was consumed (but nothing was decoded). Sounds better. lu ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 01/17] vqf: Make sure sample_rate is set to a valid value
On Sun, Sep 29, 2013 at 01:21:03AM +0300, Martin Storsjö wrote:
This avoids divisions by zero later (and possibly assertions in
time base scaling), since an invalid rate_flag combined with an
invalid bitrate below could pass the mode combination test.
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
libavformat/vqf.c |4
1 file changed, 4 insertions(+)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index ab1042a..162c753 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s)
st-codec-sample_rate = 11025;
break;
default:
+if (rate_flag 8 || rate_flag 44) {
+av_log(s, AV_LOG_ERROR, Invalid rate flag %d\n, rate_flag);
+return AVERROR_INVALIDDATA;
+}
st-codec-sample_rate = rate_flag*1000;
break;
}
--
looks OK
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 02/17] vqf: Make sure the bitrate is in the valid range
On Sun, Sep 29, 2013 at 01:21:04AM +0300, Martin Storsjö wrote:
Even if the sample rate is valid, an invalid bitrate could
pass the mode combination test below.
CC: libav-sta...@libav.org
---
libavformat/vqf.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index 162c753..a43829b 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s)
break;
}
+if (read_bitrate / st-codec-channels 8 ||
+read_bitrate / st-codec-channels 48) {
+av_log(s, AV_LOG_ERROR, Invalid bitrate per channel %d\n,
+ read_bitrate / st-codec-channels);
+return AVERROR_INVALIDDATA;
+}
+
switch (((st-codec-sample_rate/1000) 8) +
read_bitrate/st-codec-channels) {
case (118) + 8 :
--
looks OK
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 04/17] xwma: Avoid division by zero
On Sun, Sep 29, 2013 at 01:21:06AM +0300, Martin Storsjö wrote:
Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
Alternatively, we could require bits_per_coded_sample to be = 8
earlier as well, although that could rule out some (purely
hypothetical?) formats with 2 channels with bits_per_coded_sample == 4.
---
libavformat/xwma.c |8
1 file changed, 8 insertions(+)
diff --git a/libavformat/xwma.c b/libavformat/xwma.c
index 52e423c..f4ff815 100644
--- a/libavformat/xwma.c
+++ b/libavformat/xwma.c
@@ -198,6 +198,14 @@ static int xwma_read_header(AVFormatContext *s)
/* Estimate the duration from the total number of output bytes. */
const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
+
+if (!bytes_per_sample) {
+av_log(s, AV_LOG_ERROR,
+ Invalid bits_per_coded_sample %d for %d channels\n,
+ st-codec-bits_per_coded_sample, st-codec-channels);
+return AVERROR_INVALIDDATA;
+}
+
st-duration = total_decoded_bytes / bytes_per_sample;
/* Use the dpds data to build a seek table. We can only do this
after
--
might be OK
___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 05/17] alac: Do bounds checking of lpc_order read from the bitstream
On Sun, Sep 29, 2013 at 01:21:07AM +0300, Martin Storsjö wrote: In lpc_prediction(), we write up to array element 'lpc_order' in an array allocated to hold 'max_samples_per_frame' elements. Reported-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/alac.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 41d1f77..6d1ace3 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -314,6 +314,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, rice_history_mult[ch] = get_bits(alac-gb, 3); lpc_order[ch] = get_bits(alac-gb, 5); +if (lpc_order[ch] = alac-max_samples_per_frame) +return AVERROR_INVALIDDATA; + /* read the predictor table */ for (i = lpc_order[ch] - 1; i = 0; i--) lpc_coefs[ch][i] = get_sbits(alac-gb, 16); -- looks a bit strange, I'd expect lpc_order max_samples_per_frame ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
