
blender-2.49b-11.3.mga1.src.rpm

diff -Naurp ffmpeg.old/libavcodec/vorbis_dec.c ffmpeg-0.5/libavcodec/vorbis_dec.c
--- ffmpeg.old/libavcodec/vorbis_dec.c	2011-03-14 09:00:04.000000000 -0400
+++ ffmpeg-0.5/libavcodec/vorbis_dec.c	2011-03-14 09:05:57.569125360 -0400
@@ -37,6 +37,7 @@
 #define V_NB_BITS 8
 #define V_NB_BITS2 11
 #define V_MAX_VLCS (1<<16)
+#define V_MAX_PARTITIONS (1<<20)
 
 #ifndef V_DEBUG
 #define AV_DEBUG(...)
@@ -634,6 +635,14 @@ static int vorbis_parse_setup_hdr_residu
         res_setup->begin=get_bits(gb, 24);
         res_setup->end=get_bits(gb, 24);
         res_setup->partition_size=get_bits(gb, 24)+1;
+        /* Validations to prevent a buffer overflow later. */
+        if (res_setup->begin>res_setup->end
+        || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+        || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+            return 1;
+        }
+
         res_setup->classifications=get_bits(gb, 6)+1;
         res_setup->classbook=get_bits(gb, 8);
 
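Review bot: The added av_log call always prints `vc->blocksize[1]/2`, while the check above it compares `end` against `vc->blocksize[1]/(res_setup->type==2?1:2)`, so for a type 2 residue the logged limit is half the one actually enforced. Passing the same expression as the last argument, `vc->blocksize[1]/(res_setup->type==2?1:2)`, keeps the diagnostic consistent with the rejection. The `%d` conversions also assume the residue fields are plain `int`; their declarations are outside this hunk, so that should be confirmed against the struct. A short comment that `partition_size` is at least 1 (a 24-bit read plus one) would make the division in the third condition visibly safe. The function body starts and ends outside the hunk.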
diff -Naurp ffmpeg.old/libavformat/mov.c ffmpeg-0.5/libavformat/mov.c
--- ffmpeg.old/libavformat/mov.c	2009-03-01 11:06:26.000000000 -0500
+++ ffmpeg-0.5/libavformat/mov.c	2011-03-14 09:42:21.309368630 -0400
@@ -238,10 +238,16 @@ static int mov_read_default(MOVContext *
 
 static int mov_read_dref(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     int entries, i, j;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_be32(pb); // version + flags
     entries = get_be32(pb);
     if (entries >= UINT_MAX / sizeof(*sc->drefs))
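Review bot: The new `nb_streams < 1` guard returns 0 with no comment, while other rejections visible in this file return -1 (the unsupported-version and oversized-atom checks), so a reader cannot tell that silently ignoring the atom is deliberate. A comment above the check, such as `/* no stream created yet: skip this atom rather than index streams[-1] */`, would record the intent. The identical guard is repeated in every mov.c hunk of this patch (mov_read_hdlr through mov_read_elst); a small static helper that returns the last stream or NULL would keep the copies from drifting apart. Handlers outside these hunks that use `c->fc->streams[c->fc->nb_streams-1]` are not visible here and should be checked for the same guard. mov_read_dref continues past the end of the hunk.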
@@ -308,10 +314,15 @@ static int mov_read_dref(MOVContext *c, 
 
 static int mov_read_hdlr(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
     uint32_t type;
     uint32_t ctype;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
 
@@ -381,9 +392,14 @@ static const AVCodecTag mp4_audio_types[
 
 static int mov_read_esds(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
     int tag, len;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+
     get_be32(pb); /* version + flags */
     len = mp4_read_descr(c, pb, &tag);
     if (tag == MP4ESDescrTag) {
@@ -440,7 +456,13 @@ static int mov_read_pasp(MOVContext *c, 
 {
     const int num = get_be32(pb);
     const int den = get_be32(pb);
-    AVStream * const st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
+
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+
     if (den != 0) {
         if ((st->sample_aspect_ratio.den != 1 || st->sample_aspect_ratio.num) && // default
             (den != st->sample_aspect_ratio.den || num != st->sample_aspect_ratio.num))
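Review bot: In mov_read_pasp the guard sits after the two `get_be32(pb)` initializers, so eight bytes are already consumed when the function returns 0 for a file with no stream. That is harmless only if the caller repositions by atom size after each handler, which is not visible in this patch; a comment stating that assumption next to the guard would help. The same ordering occurs in the mov_read_mdhd (`get_byte`), mov_read_enda (`get_be16`) and mov_read_tkhd (`get_byte`) hunks. The function's signature is above the hunk and its body continues below it.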
@@ -494,12 +516,18 @@ static int mov_read_moof(MOVContext *c, 
 
 static int mov_read_mdhd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     int version = get_byte(pb);
     char language[4] = {0};
     unsigned lang;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     if (version > 1)
         return -1; /* unsupported */
 
@@ -561,7 +589,12 @@ static int mov_read_mvhd(MOVContext *c, 
 
 static int mov_read_smi(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
+
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
 
     if((uint64_t)atom.size > (1<<30))
         return -1;
@@ -581,9 +614,14 @@ static int mov_read_smi(MOVContext *c, B
 
 static int mov_read_enda(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
     int little_endian = get_be16(pb);
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+
     dprintf(c->fc, "enda %d\n", little_endian);
     if (little_endian == 1) {
         switch (st->codec->codec_id) {
@@ -633,7 +671,12 @@ static int mov_read_extradata(MOVContext
 
 static int mov_read_wave(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
+
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
 
     if((uint64_t)atom.size > (1<<30))
         return -1;
@@ -660,7 +703,12 @@ static int mov_read_wave(MOVContext *c, 
  */
 static int mov_read_glbl(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+    AVStream *st;
+
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
 
     if((uint64_t)atom.size > (1<<30))
         return -1;
@@ -676,10 +724,16 @@ static int mov_read_glbl(MOVContext *c, 
 
 static int mov_read_stco(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     unsigned int i, entries;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
 
@@ -742,10 +796,16 @@ static enum CodecID mov_get_lpcm_codec_i
 
 static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     int j, entries, pseudo_stream_id;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
 
@@ -1064,10 +1124,16 @@ static int mov_read_stsd(MOVContext *c, 
 
 static int mov_read_stsc(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     unsigned int i, entries;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
 
@@ -1092,10 +1158,16 @@ static int mov_read_stsc(MOVContext *c, 
 
 static int mov_read_stss(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     unsigned int i, entries;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
 
@@ -1119,10 +1191,16 @@ static int mov_read_stss(MOVContext *c, 
 
 static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     unsigned int i, entries, sample_size;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
 
@@ -1150,12 +1228,18 @@ static int mov_read_stsz(MOVContext *c, 
 
 static int mov_read_stts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     unsigned int i, entries;
     int64_t duration=0;
     int64_t total_sample_count=0;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
     entries = get_be32(pb);
@@ -1194,10 +1278,16 @@ static int mov_read_stts(MOVContext *c, 
 
 static int mov_read_ctts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     unsigned int i, entries;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
     entries = get_be32(pb);
@@ -1504,10 +1594,16 @@ static int mov_read_tkhd(MOVContext *c, 
     int height;
     int64_t disp_transform[2];
     int display_matrix[3][2];
-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
-    MOVStreamContext *sc = st->priv_data;
+    AVStream *st;
+    MOVStreamContext *sc;
     int version = get_byte(pb);
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    st = c->fc->streams[c->fc->nb_streams-1];
+    sc = st->priv_data;
+
     get_be24(pb); /* flags */
     /*
     MOV_TRACK_ENABLED 0x0001
@@ -1776,9 +1872,14 @@ free_and_return:
 /* edit list atom */
 static int mov_read_elst(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
-    MOVStreamContext *sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
+    MOVStreamContext *sc;
     int i, edit_count;
 
+    if (c->fc->nb_streams < 1)
+        return 0;
+
+    sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
+
     get_byte(pb); /* version */
     get_be24(pb); /* flags */
     edit_count = get_be32(pb); /* entries */