Merge branch 'release/0.8' into release/0.7

* release/0.8: (21 commits) rtp: Fix integer underflow that could allow remote code execution. cavsdec: avoid possible crash with crafted input vf_scale: apply the same transform to the aspect during init that is applied per frame Fix memory corruption in case of memory allocation failure in av_probe_input_buffer() Make all option parsing functions match the function pointer type through which they are called. mjpegdec; even better RSTn skiping Fixes Ticket426 jpegdec: better rst skiping Fixes Ticket426 mpeg4: fix another packed divx issue. Fixes getting_stuck.avi mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427 configure: add missing CFLAGS to fix building on the HURD cavs: fix some crashes with invalid bitstreams jpegdec: actually search for and parse RSTn Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690a17f05630eb6f45a73db0f0e806c72) libavfilter: fix --enable-small 0.8.2 cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check Fix possible crash when decoding mpeg streams. Bink: clip AC coefficients during dequantization. ffmpeg: fix passlogfile regression Fix several security issues in matroskadec.c (MSVR-11-0080). ... Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>
2011-09-07 15:04:56 +02:00 · 2011-09-07 15:04:56 +02:00 · 21d99be9dc
commit 21d99be9dc
parent 7b6b9be861 c2a2ad133e
6 changed files with 25 additions and 5 deletions
--- a/1
+++ b/1
@ -1 +1,2 @@
 0.7.3
--- a/1
+++ b/1
@ -2537,6 +2537,7 @@ case $target_os in
        add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
        ;;
    gnu)
        add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
        ;;
    qnx)
        add_cppflags -D_QNX_SOURCE
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@ -125,6 +125,8 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
        level_code = get_ue_code(gb,r->golomb_order);
        if(level_code >= ESCAPE_CODE) {
            run = ((level_code - ESCAPE_CODE) >> 1) + 1;
            if(run > 64)
                return -1;
            esc_code = get_ue_code(gb,esc_golomb_order);
            level = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
            while(level > r->inc_limit)
@ -164,7 +166,7 @@ static inline int decode_residual_inter(AVSContext *h) {
    /* get coded block pattern */
    int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63){
+    if(cbp > 63U){
        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
        return -1;
    }
@ -190,7 +192,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 static int decode_mb_i(AVSContext *h, int cbp_code) {
    GetBitContext *gb = &h->s.gb;
-    int block, pred_mode_uv;
+    unsigned pred_mode_uv;
    int block;
    uint8_t top[18];
    uint8_t *left = NULL;
    uint8_t *d;
@ -223,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
    /* get coded block pattern */
    if(h->pic_type == AV_PICTURE_TYPE_I)
        cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63){
+    if(cbp_code > 63U){
        av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
        return -1;
    }
@ -446,6 +449,8 @@ static inline int check_for_slice(AVSContext *h) {
    if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
        skip_bits_long(gb,24+align);
        h->stc = get_bits(gb,8);
        if (h->stc >= h->mb_height)
            return 0;
        decode_slice_header(h,gb);
        return 1;
    }
@ -660,7 +665,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
    buf_end = buf + buf_size;
    for(;;) {
        buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
-        if(stc & 0xFFFFFE00)
+        if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
            return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
        input_size = (buf_end - buf_ptr)*8;
        switch(stc) {
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@ -232,6 +232,11 @@ static int config_props(AVFilterLink *outlink)
    if (!scale->sws)
        return AVERROR(EINVAL);
    if (inlink->sample_aspect_ratio.num){
        outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio);
    } else
        outlink->sample_aspect_ratio = inlink->sample_aspect_ratio;
    return 0;
 fail:
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
                int prev_len = out_len;
                out_len += cur_len;
                asf->buf = av_realloc(asf->buf, out_len);
                if(!asf->buf || FFMIN(cur_len, len - off)<0)
                    return -1;
                memcpy(asf->buf + prev_len, buf + off,
                       FFMIN(cur_len, len - off));
                avio_skip(pb, cur_len);
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@ -596,13 +596,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
        probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
        int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
        int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
        void *buftmp;
        if (probe_size < offset) {
            continue;
        }
        /* read probe data */
-        buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
+        buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
        if(!buftmp){
            av_free(buf);
            return AVERROR(ENOMEM);
        }
        buf=buftmp;
        if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
            /* fail if error was not end of file, otherwise, lower score */
            if (ret != AVERROR_EOF) {