
(-) 4xm.c (-1 / +5 lines)
 Lines 606-612
    int i, frame_4cc, frame_size;
    int i, frame_4cc, frame_size;
    frame_4cc= get32(buf);
    frame_4cc= get32(buf);
    if(buf_size != get32(buf+4)+8){
    if(buf_size != get32(buf+4)+8 || buf_size < 20){
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
    }
    }
 Lines 634-639
        cfrm= &f->cfrm[i];
        cfrm= &f->cfrm[i];
        cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
        cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
            return -1;
        }
        memcpy(cfrm->data + cfrm->size, buf+20, data_size);
        memcpy(cfrm->data + cfrm->size, buf+20, data_size);
        cfrm->size += data_size;
        cfrm->size += data_size;
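Review bot: The widened size check in the first hunk only logs: as shown, the `if` body holds just the `av_log` call and then closes, so a packet with `buf_size < 20` still reaches `memcpy(cfrm->data + cfrm->size, buf+20, data_size)` in the second hunk. Unless a return sits outside the visible lines, reject short packets before any header field is read, e.g. `if(buf_size < 20) return -1;` ahead of `get32(buf)`. Separately, `cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE` is summed with no range check (`data_size` is computed outside the hunk), and the new message `"realloc falure"` is misspelled and lacks a trailing `\n`. The enclosing function starts and ends outside both hunks.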
(-) alac.c (-1 / +7 lines)
 Lines 100-106
    alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
    alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
}
}
static void alac_set_info(ALACContext *alac)
static int alac_set_info(ALACContext *alac)
{
{
    unsigned char *ptr = alac->avctx->extradata;
    unsigned char *ptr = alac->avctx->extradata;
 Lines 108-113
    ptr += 4; /* alac */
    ptr += 4; /* alac */
    ptr += 4; /* 0 ? */
    ptr += 4; /* 0 ? */
    if(BE_32(ptr) >= UINT_MAX/4){
        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
        return -1;
    }
    alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
    alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
    ptr += 4;
    ptr += 4;
    alac->setinfo_7a = *ptr++;
    alac->setinfo_7a = *ptr++;
 Lines 126-131
    ptr += 4;
    ptr += 4;
    allocate_buffers(alac);
    allocate_buffers(alac);
    return 0;
}
}
/* hideously inefficient. could use a bitmask search,
/* hideously inefficient. could use a bitmask search,
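Review bot: The new `int` return of `alac_set_info` only helps if its caller tests it, and no call site appears in the shown hunks, so confirm that it is updated. The bound `BE_32(ptr) >= UINT_MAX/4` keeps the `* 4` in `allocate_buffers` from wrapping, but `allocate_buffers(alac);` is still called as a plain statement and the one `av_malloc` result visible in it is stored unchecked, so a large accepted value can leave NULL buffers behind. Consider letting `allocate_buffers` return a status and writing `if(allocate_buffers(alac) < 0) return -1;`. The reads through `ptr` show no comparison against the extradata length within these hunks, which is worth confirming as well.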
(-) cook.c (+4 lines)
 Lines 1253-1258
    if (init_cook_vlc_tables(q) != 0)
    if (init_cook_vlc_tables(q) != 0)
        return -1;
        return -1;
    if(avctx->block_align >= UINT_MAX/2)
        return -1;
    /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
    /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
       this is for the bitstreamreader. */
       this is for the bitstreamreader. */
    if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t)))  == NULL)
    if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t)))  == NULL)
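Review bot: The bound `avctx->block_align >= UINT_MAX/2` looks too loose for the allocation expression below it. If `block_align` is a signed `int` (its declaration is not on this page), the check rejects only negative values and `INT_MAX`, and `block_align+(4-block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE` is summed in `int` before the multiplication, so a value just under `INT_MAX` still overflows. A limit that leaves room for the padding would close this, e.g. `if((unsigned)avctx->block_align >= INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE - 4)`. This is also the only new check on the page that fails without an `av_log` message. The enclosing init function continues outside the hunk, so whether the tables set up by `init_cook_vlc_tables` are released on this early return cannot be seen here.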
(-) shorten.c (-2 / +11 lines)
 Lines 106-123
    return 0;
    return 0;
}
}
static void allocate_buffers(ShortenContext *s)
static int allocate_buffers(ShortenContext *s)
{
{
    int i, chan;
    int i, chan;
    for (chan=0; chan<s->channels; chan++) {
    for (chan=0; chan<s->channels; chan++) {
        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
            return -1;
        }
        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
            return -1;
        }
        s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
        s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
        s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
        s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
        for (i=0; i<s->nwrap; i++)
        for (i=0; i<s->nwrap; i++)
            s->decoded[chan][i] = 0;
            s->decoded[chan][i] = 0;
        s->decoded[chan] += s->nwrap;
        s->decoded[chan] += s->nwrap;
    }
    }
    return 0;
}
}
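Review bot: Both `av_realloc` results are still stored without a NULL test, and the zeroing loop `s->decoded[chan][i] = 0` writes through `s->decoded[chan]` immediately afterwards. Now that `allocate_buffers` returns `int`, an allocation failure can be reported the same way as the new range errors. Assigning through a temporary (`tmp = av_realloc(s->decoded[chan], ...); if(!tmp) return -1;`) also keeps the previous pointer from being overwritten with NULL. The two range checks do not depend on `chan` and could sit before the loop; if `blocksize` and `nwrap` are signed, `s->blocksize + s->nwrap` is itself computed before it is compared, so the operand types should be confirmed.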
(-) smacker.c (+5 lines)
 Lines 177-182
    int escapes[3];
    int escapes[3];
    DBCtx ctx;
    DBCtx ctx;
    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
        return -1;
    }
    tmp1.length = 256;
    tmp1.length = 256;
    tmp1.maxlength = 0;
    tmp1.maxlength = 0;
    tmp1.current = 0;
    tmp1.current = 0;
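Review bot: The guard `size >= UINT_MAX>>4` relies on an implicit conversion to unsigned to reject negative values, assuming `size` is a signed `int` (its declaration is outside the hunk). The comment explains the expression being protected but not that dependence, so I would extend it to `// (((size + 3) >> 2) + 3) << 2 must not overflow; negative size is rejected by the unsigned compare`. Printing the offending value, as the snow.c message does, would make the log more useful when triaging a malformed file. The function body continues outside the hunk.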
(-) snow.c (-1 / +1 lines)
 Lines 3712-3718
    s->mv_scale= get_symbol(&s->c, s->header_state, 0);
    s->mv_scale= get_symbol(&s->c, s->header_state, 0);
    s->qbias= get_symbol(&s->c, s->header_state, 1);
    s->qbias= get_symbol(&s->c, s->header_state, 1);
    s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
    s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
    if(s->block_max_depth > 1){
    if(s->block_max_depth > 1 || s->block_max_depth < 0){
        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
        s->block_max_depth= 0;
        s->block_max_depth= 0;
        return -1;
        return -1;
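Review bot: The log text still reads "is too large" although the condition now also rejects negative values, and the format string has no trailing newline. Something like `"block_max_depth= %d is out of range\n"` would match the new check. The neighbouring header fields read with `get_symbol` in this hunk (`mv_scale`, `qbias`) have no range check in the visible lines; whether they need one depends on code outside the hunk.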
(-) tta.c (+9 lines)
 Lines 238-243
        avctx->bits_per_sample = get_le16(&s->gb);
        avctx->bits_per_sample = get_le16(&s->gb);
        s->bps = (avctx->bits_per_sample + 7) / 8;
        s->bps = (avctx->bits_per_sample + 7) / 8;
        avctx->sample_rate = get_le32(&s->gb);
        avctx->sample_rate = get_le32(&s->gb);
        if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
            av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
            return -1;
        }
        s->data_length = get_le32(&s->gb);
        s->data_length = get_le32(&s->gb);
        skip_bits(&s->gb, 32); // CRC32 of header
        skip_bits(&s->gb, 32); // CRC32 of header
 Lines 276-281
            skip_bits(&s->gb, 32);
            skip_bits(&s->gb, 32);
        skip_bits(&s->gb, 32); // CRC32 of seektable
        skip_bits(&s->gb, 32); // CRC32 of seektable
        if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
            av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
            return -1;
        }
        s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
        s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
    } else {
    } else {
        av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
        av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
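Review bot: The second hunk's new guard divides by `s->channels * sizeof(int32_t)`, and nothing in the visible lines shows that `s->channels` has been checked for zero, so a header with a channel count of 0 would turn the overflow check into a division by zero. Unless that is validated outside the hunk, fold it into the test: `if(s->channels <= 0 || s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t)))`. In the first hunk, `avctx->sample_rate > 1000000` lets a negative value through if `sample_rate` is signed, since `get_le32` supplies a full 32-bit field; comparing as unsigned or also rejecting `<= 0` would cover that. The `av_mallocz` result assigned to `s->decode_buffer` is not tested within the hunk either.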