Index: ffmpeg/libavformat/matroskadec.c
===================================================================
--- ffmpeg/libavformat/matroskadec.c
+++ ffmpeg/libavformat/matroskadec.c 2012-01-30 12:17:48.709327610 +0100
@@ -1074,13 +1074,13 @@
static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
{
EbmlList *seekhead_list = &matroska->seekhead;
- MatroskaSeekhead *seekhead = seekhead_list->elem;
uint32_t level_up = matroska->level_up;
int64_t before_pos = url_ftell(matroska->ctx->pb);
MatroskaLevel level;
int i;
for (i=0; i<seekhead_list->nb_elem; i++) {
+ MatroskaSeekhead *seekhead = seekhead_list->elem;
int64_t offset = seekhead[i].pos + matroska->segment_start;
if (seekhead[i].pos <= before_pos
Index: ffmpeg/libavcodec/vorbis.c
===================================================================
--- ffmpeg/libavcodec/vorbis.c
+++ ffmpeg/libavcodec/vorbis.c 2012-01-30 12:17:44.530363354 +0100
@@ -156,7 +156,7 @@
}
}
-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
intptr_t sy, int ady, int adx,
float *buf)
{
@@ -179,7 +179,7 @@
}
}
-static void render_line(int x0, int y0, int x1, int y1, float *buf)
+static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
{
int dy = y1 - y0;
int adx = x1 - x0;
@@ -189,10 +189,10 @@
if (ady*2 <= adx) { // optimized common case
render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
} else {
- int base = dy / adx;
- int x = x0;
- int y = y0;
- int err = -adx;
+ int base = dy / adx;
+ int x = x0;
+ uint8_t y = y0;
+ int err = -adx;
ady -= FFABS(base) * adx;
while (++x < x1) {
y += base;
@@ -210,7 +210,8 @@
uint_fast16_t *y_list, int *flag,
int multiplier, float *out, int samples)
{
- int lx, ly, i;
+ int lx, i;
+ uint8_t ly;
lx = 0;
ly = y_list[0] * multiplier;
for (i = 1; i < values; i++) {
Index: ffmpeg/libavcodec/vorbis_dec.c
===================================================================
--- ffmpeg/libavcodec/vorbis_dec.c
+++ ffmpeg/libavcodec/vorbis_dec.c 2012-01-30 12:35:06.628468836 +0100
@@ -1262,6 +1262,7 @@
uint_fast8_t *do_not_decode,
float *vec,
uint_fast16_t vlen,
+ unsigned ch_left,
int vr_type)
{
GetBitContext *gb = &vc->gb;
@@ -1273,6 +1274,7 @@
uint_fast8_t ch_used;
uint_fast8_t i,j,l;
uint_fast16_t k;
+ unsigned max_output = (ch - 1) * vlen;
if (vr_type == 2) {
for (j = 1; j < ch; ++j)
@@ -1280,8 +1282,15 @@
if (do_not_decode[0])
return 0;
ch_used = 1;
+ max_output += vr->end / ch;
} else {
ch_used = ch;
+ max_output += vr->end;
+ }
+
+ if (max_output > ch_left * vlen) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
+ return -1;
}
AV_DEBUG(" residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
@@ -1403,14 +1412,16 @@
static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr,
uint_fast8_t ch,
uint_fast8_t *do_not_decode,
- float *vec, uint_fast16_t vlen)
+ float *vec, uint_fast16_t vlen,
+ unsigned ch_left)
+
{
if (vr->type == 2)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
else if (vr->type == 1)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
else if (vr->type == 0)
- return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
+ return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
else {
av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
return -1;
@@ -1473,6 +1484,8 @@
uint_fast8_t res_num = 0;
int_fast16_t retlen = 0;
float fadd_bias = vc->add_bias;
+ unsigned ch_left = vc->audio_channels;
+ unsigned vlen;
if (get_bits1(gb)) {
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
@@ -1491,11 +1504,12 @@
blockflag = vc->modes[mode_number].blockflag;
blocksize = vc->blocksize[blockflag];
+ vlen = blocksize / 2;
if (blockflag)
skip_bits(gb, 2); // previous_window, next_window
- memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
- memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
+ memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
+ memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
// Decode floor
@@ -1515,7 +1529,7 @@
return -1;
}
no_residue[i] = ret;
- ch_floor_ptr += blocksize / 2;
+ ch_floor_ptr += vlen;
}
// Nonzero vector propagate
@@ -1532,6 +1546,7 @@
for (i = 0; i < mapping->submaps; ++i) {
vorbis_residue *residue;
uint_fast8_t ch = 0;
+ int ret;
for (j = 0; j < vc->audio_channels; ++j) {
if ((mapping->submaps == 1) || (i == mapping->mux[j])) {
@@ -1546,9 +1561,13 @@
}
}
residue = &vc->residues[mapping->submap_residue[i]];
- vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
+ if (ch) {
+ ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
+ if (ret < 0)
+ return ret;
+ }
- ch_res_ptr += ch * blocksize / 2;
+ ch_res_ptr += ch * vlen;
}
// Inverse coupling
distrib
>
Mageia
>
1
>
i586
>
media
>
core-updates-src
>
by-pkgid
>
86c95bca44436ae3ccee1f76bb453895
>
files
>
7
