(-)4xm.c (-1 / +5 lines)
Lines 606-612 Link Here
606
    int i, frame_4cc, frame_size;
606
    int i, frame_4cc, frame_size;
607
607
608
    frame_4cc= get32(buf);
608
    frame_4cc= get32(buf);
609
    if(buf_size != get32(buf+4)+8){
609
    if(buf_size != get32(buf+4)+8 || buf_size < 20){
610
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
610
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
611
    }
611
    }
612
612
Lines 634-639 Link Here
634
        cfrm= &f->cfrm[i];
634
        cfrm= &f->cfrm[i];
635
635
636
        cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
636
        cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
637
        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
638
            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
639
            return -1;
640
        }
637
641
638
        memcpy(cfrm->data + cfrm->size, buf+20, data_size);
642
        memcpy(cfrm->data + cfrm->size, buf+20, data_size);
639
        cfrm->size += data_size;
643
        cfrm->size += data_size;
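Review bot: The new `buf_size < 20` test on line 609 only logs: the braces that follow hold just the av_log call and no return, so a truncated frame still reaches `memcpy(cfrm->data + cfrm->size, buf+20, data_size)` on line 642, which reads from `buf+20` regardless of the size check. Unless a later check outside the hunk rejects the frame, add `return -1;` after the av_log on line 610. The realloc path overwrites `cfrm->data` before testing it, so if av_fast_realloc behaves like realloc on failure the previous buffer is lost; keep the result in a temporary first, and the message `"realloc falure"` has a typo and no trailing newline. `data_size` is not bounded against `buf_size` anywhere in view; presumably that happens earlier in the function, which starts before the hunk.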
(-)alac.c (-1 / +7 lines)
Lines 100-106 Link Here
100
    alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
100
    alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
101
}
101
}
102
102
103
static void alac_set_info(ALACContext *alac)
103
static int alac_set_info(ALACContext *alac)
104
{
104
{
105
    unsigned char *ptr = alac->avctx->extradata;
105
    unsigned char *ptr = alac->avctx->extradata;
106
106
Lines 108-113 Link Here
108
    ptr += 4; /* alac */
108
    ptr += 4; /* alac */
109
    ptr += 4; /* 0 ? */
109
    ptr += 4; /* 0 ? */
110
110
111
    if(BE_32(ptr) >= UINT_MAX/4){
112
        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
113
        return -1;
114
    }
111
    alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
115
    alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
112
    ptr += 4;
116
    ptr += 4;
113
    alac->setinfo_7a = *ptr++;
117
    alac->setinfo_7a = *ptr++;
Lines 126-131 Link Here
126
    ptr += 4;
130
    ptr += 4;
127
131
128
    allocate_buffers(alac);
132
    allocate_buffers(alac);
133
134
    return 0;
129
}
135
}
130
136
131
/* hideously inefficient. could use a bitmask search,
137
/* hideously inefficient. could use a bitmask search,
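Review bot: alac_set_info still walks `alac->avctx->extradata` with fixed offsets (`ptr += 4` on lines 108, 109 and 112, `*ptr++` on 113, and more after line 126) without comparing `alac->avctx->extradata_size` against the bytes it consumes, so the new overflow guard on line 111 does not stop an over-read of short extradata. Now that the function returns int, a length check at the top, e.g. `if (alac->avctx->extradata_size < <bytes consumed>) return -1;` with the constant taken from the full walk (part of it is outside the hunk), is the missing piece. The caller is not in the hunk, so whether it now tests the result of alac_set_info cannot be confirmed here. allocate_buffers on line 132 is still void and its av_malloc on line 100 is unchecked, so an allocation failure is not reported through the new return value.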
(-)cook.c (+4 lines)
Lines 1253-1258 Link Here
1253
    if (init_cook_vlc_tables(q) != 0)
1253
    if (init_cook_vlc_tables(q) != 0)
1254
        return -1;
1254
        return -1;
1255
1255
1256
1257
    if(avctx->block_align >= UINT_MAX/2)
1258
        return -1;
1259
1256
    /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
1260
    /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
1257
       this is for the bitstreamreader. */
1261
       this is for the bitstreamreader. */
1258
    if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t)))  == NULL)
1262
    if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t)))  == NULL)
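Review bot: The new `block_align` guard on line 1257 returns -1 silently, whereas every other guard in this patch logs an AV_LOG_ERROR first; add `av_log(avctx, AV_LOG_ERROR, "block_align too large\n");` before the return so the rejection is diagnosable. The early return also leaves whatever init_cook_vlc_tables on line 1253 built; unless the caller runs the codec's close callback on init failure that is leaked, though the existing `return -1` on 1254 has the same shape, so this may be the file's convention. `block_align == 0` passes the check and would allocate only the padding; whether zero is rejected elsewhere is outside the hunk. The enclosing init function begins before the hunk.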
(-)shorten.c (-2 / +11 lines)
Lines 106-123 Link Here
106
    return 0;
106
    return 0;
107
}
107
}
108
108
109
static void allocate_buffers(ShortenContext *s)
109
static int allocate_buffers(ShortenContext *s)
110
{
110
{
111
    int i, chan;
111
    int i, chan;
112
    for (chan=0; chan<s->channels; chan++) {
112
    for (chan=0; chan<s->channels; chan++) {
113
        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
114
            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
115
            return -1;
116
        }
117
        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
118
            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
119
            return -1;
120
        }
121
113
        s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
122
        s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
114
123
115
        s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
124
        s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
116
        for (i=0; i<s->nwrap; i++)
125
        for (i=0; i<s->nwrap; i++)
117
            s->decoded[chan][i] = 0;
126
            s->decoded[chan][i] = 0;
118
        s->decoded[chan] += s->nwrap;
127
        s->decoded[chan] += s->nwrap;
119
120
    }
128
    }
129
    return 0;
121
}
130
}
122
131
123
132
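Review bot: The av_realloc results on lines 122 and 124 are still assigned without a NULL check, and line 126 then writes `s->decoded[chan][i] = 0`, so the new size guards stop the overflow but an allocation failure still dereferences NULL; since allocate_buffers now returns int, add `if (!s->offset[chan] || !s->decoded[chan]) return -1;` after line 124 (the overwritten pointer is lost on failure either way, so keep the result in a temporary if the old buffer must survive). Line 127 advances `s->decoded[chan]` by nwrap after the realloc, so if allocate_buffers is ever called a second time for the same context, the pointer handed back to av_realloc on line 124 is not the allocation start; whether it is called more than once is not visible here. The `s->blocksize + s->nwrap` sum on line 117 is evaluated in the fields' own types before the unsigned comparison; if those are signed ints the overflow the check is meant to catch is itself undefined behaviour, and `(unsigned)s->blocksize + (unsigned)s->nwrap` would be the safer form.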
(-)smacker.c (+5 lines)
Lines 177-182 Link Here
177
    int escapes[3];
177
    int escapes[3];
178
    DBCtx ctx;
178
    DBCtx ctx;
179
179
180
    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
181
        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
182
        return -1;
183
    }
184
180
    tmp1.length = 256;
185
    tmp1.length = 256;
181
    tmp1.maxlength = 0;
186
    tmp1.maxlength = 0;
182
    tmp1.current = 0;
187
    tmp1.current = 0;
(-)snow.c (-1 / +1 lines)
Lines 3712-3718 Link Here
3712
    s->mv_scale= get_symbol(&s->c, s->header_state, 0);
3712
    s->mv_scale= get_symbol(&s->c, s->header_state, 0);
3713
    s->qbias= get_symbol(&s->c, s->header_state, 1);
3713
    s->qbias= get_symbol(&s->c, s->header_state, 1);
3714
    s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
3714
    s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
3715
    if(s->block_max_depth > 1){
3715
    if(s->block_max_depth > 1 || s->block_max_depth < 0){
3716
        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
3716
        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
3717
        s->block_max_depth= 0;
3717
        s->block_max_depth= 0;
3718
        return -1;
3718
        return -1;
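Review bot: The widened condition on line 3715 now also fires for negative `block_max_depth`, but the message on 3716 still says `is too large`, which is misleading for that case, and unlike the other messages in this patch it has no trailing newline; change it to `"block_max_depth= %d is out of range\n"`. `mv_scale` and `qbias` on 3712/3713 come from the same get_symbol stream with no range check in view; whether they are validated elsewhere, or whether their use tolerates any value, is outside the hunk. The enclosing function begins and ends outside the hunk.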
(-)tta.c (+9 lines)
Lines 238-243 Link Here
238
        avctx->bits_per_sample = get_le16(&s->gb);
238
        avctx->bits_per_sample = get_le16(&s->gb);
239
        s->bps = (avctx->bits_per_sample + 7) / 8;
239
        s->bps = (avctx->bits_per_sample + 7) / 8;
240
        avctx->sample_rate = get_le32(&s->gb);
240
        avctx->sample_rate = get_le32(&s->gb);
241
        if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
242
            av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
243
            return -1;
244
        }
241
        s->data_length = get_le32(&s->gb);
245
        s->data_length = get_le32(&s->gb);
242
        skip_bits(&s->gb, 32); // CRC32 of header
246
        skip_bits(&s->gb, 32); // CRC32 of header
243
247
Lines 276-281 Link Here
276
            skip_bits(&s->gb, 32);
280
            skip_bits(&s->gb, 32);
277
        skip_bits(&s->gb, 32); // CRC32 of seektable
281
        skip_bits(&s->gb, 32); // CRC32 of seektable
278
282
283
        if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
284
            av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
285
            return -1;
286
        }
287
279
        s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
288
        s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
280
    } else {
289
    } else {
281
        av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
290
        av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
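Review bot: The new guard on line 283 divides by `s->channels * sizeof(int32_t)`, so a header with `channels == 0` faults with a division by zero before the allocation it protects is reached; `s->channels` is read outside the hunk, so unless a zero check exists there, prefix the condition with `s->channels <= 0 ||`. The sample-rate guard on line 241 rejects only values above 1000000: if `avctx->sample_rate` is a signed int, the get_le32 value can also land negative or zero and pass the test, so `avctx->sample_rate <= 0 || avctx->sample_rate > 1000000` is the safer form. The av_mallocz on line 288 is still assigned without a NULL check; whether decode_buffer is tested before first use is not visible here. The enclosing init function begins before the hunk.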
