Merge remote-tracking branch 'qatar/master'

* qatar/master: xwma: Validate channels and bits_per_coded_sample. mov: Do not read past the end of the ctts_data table. mov: Add missing terminator to mov_ch_layout_map_1ch. asf: reset side data elements on packet copy. wmavoice: fix stack overread. wmalossless: error out if a subframe is not used by any channel. vqa: check palette chunk size before reading data. wmalossless: reset sample pointer for each subframe. wmalossless: error out on invalid values for order. Conflicts: libavcodec/vqavideo.c Merged-by: Michael Niedermayer <michaelni@gmx.at>

Merge remote-tracking branch 'qatar/master'
* qatar/master: xwma: Validate channels and bits_per_coded_sample. mov: Do not read past the end of the ctts_data table. mov: Add missing terminator to mov_ch_layout_map_1ch. asf: reset side data elements on packet copy. wmavoice: fix stack overread. wmalossless: error out if a subframe is not used by any channel. vqa: check palette chunk size before reading data. wmalossless: reset sample pointer for each subframe. wmalossless: error out on invalid values for order. Conflicts: libavcodec/vqavideo.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
464cef4c · Michael Niedermayer · 9759d2b8 · 5023b89b · 464cef4c · 464cef4c
Commit 464cef4c authored Mar 22, 2012 by Michael Niedermayer
7 changed files
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -401,7 +401,7 @@ static int vqa_decode_chunk(VqaContext *s)
        bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET);
        chunk_size = bytestream2_get_be32(&s->gb);
        /* sanity check the palette size */
-        if (chunk_size / 3 > 256) {
+        if (chunk_size / 3 > 256 || chunk_size > bytestream2_get_bytes_left(&s->gb)) {
            av_log(s->avctx, AV_LOG_ERROR, "problem: found a palette chunk with %d colors\n",
                chunk_size / 3);
            return AVERROR_INVALIDDATA;

--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -34,6 +34,7 @@
 #define MAX_SUBFRAMES          32                       ///< max number of subframes per channel
 #define MAX_BANDS              29                       ///< max number of scale factor bands
 #define MAX_FRAMESIZE       32768                       ///< maximum compressed frame size
+#define MAX_ORDER             256
 #define WMALL_BLOCK_MIN_BITS    6                       ///< log2 of min block size
 #define WMALL_BLOCK_MAX_BITS   12                       ///< log2 of max block size
@@ -95,10 +96,8 @@ typedef struct WmallDecodeCtx {
    uint32_t        frame_num;                      ///< current frame number (not used for decoding)
    GetBitContext   gb;                             ///< bitstream reader context
    int             buf_bit_size;                   ///< buffer size in bits
-    int16_t         *samples_16;                    ///< current samplebuffer pointer (16-bit)
+    int16_t         *samples_16[WMALL_MAX_CHANNELS]; ///< current samplebuffer pointer (16-bit)
-    int16_t         *samples_16_end;                ///< maximum samplebuffer pointer
+    int32_t         *samples_32[WMALL_MAX_CHANNELS]; ///< current samplebuffer pointer (24-bit)
-    int             *samples_32;                    ///< current samplebuffer pointer (24-bit)
-    int             *samples_32_end;                ///< maximum samplebuffer pointer
    uint8_t         drc_gain;                       ///< gain for the DRC tool
    int8_t          skip_frame;                     ///< skip output step
    int8_t          parsed_all_subframes;           ///< all subframes decoded?
@@ -139,9 +138,9 @@ typedef struct WmallDecodeCtx {
        int scaling;
        int coefsend;
        int bitsend;
-        int16_t coefs[256];
+        int16_t coefs[MAX_ORDER];
-        int16_t lms_prevvalues[512];
+        int16_t lms_prevvalues[MAX_ORDER * 2];
-        int16_t lms_updates[512];
+        int16_t lms_updates[MAX_ORDER * 2];
        int recent;
    } cdlms[2][9];
@@ -331,21 +330,28 @@ static int decode_tilehdr(WmallDecodeCtx *s)
    /* loop until the frame data is split between the subframes */
    do {
-        int subframe_len;
+        int subframe_len, in_use = 0;
        /* check which channels contain the subframe */
        for (c = 0; c < s->num_channels; c++) {
            if (num_samples[c] == min_channel_len) {
                if (fixed_channel_layout || channels_for_cur_subframe == 1 ||
                   (min_channel_len == s->samples_per_frame - s->min_samples_per_subframe)) {
-                    contains_subframe[c] = 1;
+                    contains_subframe[c] = in_use = 1;
                } else {
-                    contains_subframe[c] = get_bits1(&s->gb);
+                    if (get_bits1(&s->gb))
+                        contains_subframe[c] = in_use = 1;
                }
            } else
                contains_subframe[c] = 0;
        }
+        if (!in_use) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Found empty subframe\n");
+            return AVERROR_INVALIDDATA;
+        }
        /* get subframe length, subframe_len == 0 is not allowed */
        if ((subframe_len = decode_subframe_length(s, min_channel_len)) <= 0)
            return AVERROR_INVALIDDATA;
@@ -423,15 +429,23 @@ static void decode_mclms(WmallDecodeCtx *s)
    }
 }
-static void decode_cdlms(WmallDecodeCtx *s)
+static int decode_cdlms(WmallDecodeCtx *s)
 {
    int c, i;
    int cdlms_send_coef = get_bits1(&s->gb);
    for (c = 0; c < s->num_channels; c++) {
        s->cdlms_ttl[c] = get_bits(&s->gb, 3) + 1;
-        for (i = 0; i < s->cdlms_ttl[c]; i++)
+        for (i = 0; i < s->cdlms_ttl[c]; i++) {
            s->cdlms[c][i].order = (get_bits(&s->gb, 7) + 1) * 8;
+            if (s->cdlms[c][i].order > MAX_ORDER) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "Order[%d][%d] %d > max (%d), not supported\n",
+                       c, i, s->cdlms[c][i].order, MAX_ORDER);
+                s->cdlms[0][0].order = 0;
+                return AVERROR_INVALIDDATA;
+            }
+        }
        for (i = 0; i < s->cdlms_ttl[c]; i++)
            s->cdlms[c][i].scaling = get_bits(&s->gb, 4);
@@ -457,6 +471,8 @@ static void decode_cdlms(WmallDecodeCtx *s)
            }
        }
    }
+    return 0;
 }
 static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size)
@@ -820,7 +836,7 @@ static int decode_subframe(WmallDecodeCtx *s)
    int offset        = s->samples_per_frame;
    int subframe_len  = s->samples_per_frame;
    int total_samples = s->samples_per_frame * s->num_channels;
-    int i, j, rawpcm_tile, padding_zeroes;
+    int i, j, rawpcm_tile, padding_zeroes, res;
    s->subframe_offset = get_bits_count(&s->gb);
@@ -865,8 +881,8 @@ static int decode_subframe(WmallDecodeCtx *s)
        s->do_arith_coding    = get_bits1(&s->gb);
        if (s->do_arith_coding) {
-            av_dlog(s->avctx, "do_arith_coding == 1");
+            av_log_missing_feature(s->avctx, "arithmetic coding", 1);
-            abort();
+            return AVERROR_PATCHWELCOME;
        }
        s->do_ac_filter       = get_bits1(&s->gb);
        s->do_inter_ch_decorr = get_bits1(&s->gb);
@@ -878,11 +894,16 @@ static int decode_subframe(WmallDecodeCtx *s)
        if (s->do_mclms)
            decode_mclms(s);
-        decode_cdlms(s);
+        if ((res = decode_cdlms(s)) < 0)
+            return res;
        s->movave_scaling = get_bits(&s->gb, 3);
        s->quant_stepsize = get_bits(&s->gb, 8) + 1;
        reset_codec(s);
+    } else if (!s->cdlms[0][0].order) {
+        av_log(s->avctx, AV_LOG_DEBUG,
+               "Waiting for seekable tile\n");
+        return -1;
    }
    rawpcm_tile = get_bits1(&s->gb);
@@ -945,13 +966,20 @@ static int decode_subframe(WmallDecodeCtx *s)
                s->channel_residues[i][j] *= s->quant_stepsize;
    /* Write to proper output buffer depending on bit-depth */
-    for (i = 0; i < subframe_len; i++)
+    for (i = 0; i < s->channels_for_cur_subframe; i++) {
-        for (j = 0; j < s->num_channels; j++) {
+        int c = s->channel_indexes_for_cur_subframe[i];
-            if (s->bits_per_sample == 16)
+        int subframe_len = s->channel[c].subframe_len[s->channel[c].cur_subframe];
-                *s->samples_16++ = (int16_t) s->channel_residues[j][i];
-            else
+        for (j = 0; j < subframe_len; j++) {
-                *s->samples_32++ = s->channel_residues[j][i];
+            if (s->bits_per_sample == 16) {
+                *s->samples_16[c] = (int16_t) s->channel_residues[c][j];
+                s->samples_16[c] += s->num_channels;
+            } else {
+                *s->samples_32[c] = s->channel_residues[c][j];
+                s->samples_32[c] += s->num_channels;
+            }
        }
+    }
    /* handled one subframe */
    for (i = 0; i < s->channels_for_cur_subframe; i++) {
@@ -984,8 +1012,10 @@ static int decode_frame(WmallDecodeCtx *s)
        s->packet_loss = 1;
        return ret;
    }
-    s->samples_16 = (int16_t *)s->frame.data[0];
+    for (i = 0; i < s->num_channels; i++) {
-    s->samples_32 = (int32_t *)s->frame.data[0];
+        s->samples_16[i] = (int16_t *)s->frame.data[0] + i;
+        s->samples_32[i] = (int32_t *)s->frame.data[0] + i;
+    }
    /* get frame length */
    if (s->len_prefix)

--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1440,8 +1440,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
    int pitch[MAX_BLOCKS], last_block_pitch;
    /* Parse frame type ("frame header"), see frame_descs */
-    int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)],
+    int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples;
-        block_nsamples = MAX_FRAMESIZE / frame_descs[bd_idx].n_blocks;
    if (bd_idx < 0) {
        av_log(ctx, AV_LOG_ERROR,
@@ -1449,6 +1448,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
        return -1;
    }
+    block_nsamples = MAX_FRAMESIZE / frame_descs[bd_idx].n_blocks;
    /* Pitch calculation for ACB_TYPE_ASYMMETRIC ("pitch-per-frame") */
    if (frame_descs[bd_idx].acb_type == ACB_TYPE_ASYMMETRIC) {
        /* Pitch is provided per frame, which is interpreted as the pitch of

--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -1080,6 +1080,8 @@ static int ff_asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pk
            //printf("packet %d %d\n", asf_st->pkt.size, asf->packet_frag_size);
            asf_st->pkt.size = 0;
            asf_st->pkt.data = 0;
+            asf_st->pkt.side_data_elems = 0;
+            asf_st->pkt.side_data = NULL;
            break; // packet completed
        }
    }

--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2874,7 +2874,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
    pkt->stream_index = sc->ffindex;
    pkt->dts = sample->timestamp;
-    if (sc->ctts_data) {
+    if (sc->ctts_data && sc->ctts_index < sc->ctts_count) {
        pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration;
        /* update ctts context */
        sc->ctts_sample++;

--- a/libavformat/mov_chan.c
+++ b/libavformat/mov_chan.c
@@ -155,6 +155,7 @@ static const struct MovChannelLayoutMap mov_ch_layout_map_misc[] = {
 static const struct MovChannelLayoutMap mov_ch_layout_map_1ch[] = {
    { MOV_CH_LAYOUT_MONO,               AV_CH_LAYOUT_MONO }, // C
+    { 0, 0 },
 };
 static const struct MovChannelLayoutMap mov_ch_layout_map_2ch[] = {

--- a/libavformat/xwma.c
+++ b/libavformat/xwma.c
@@ -115,6 +115,17 @@ static int xwma_read_header(AVFormatContext *s)
        }
    }
+    if (!st->codec->channels) {
+        av_log(s, AV_LOG_WARNING, "Invalid channel count: %d\n",
+               st->codec->channels);
+        return AVERROR_INVALIDDATA;
+    }
+    if (!st->codec->bits_per_coded_sample) {
+        av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n",
+               st->codec->bits_per_coded_sample);
+        return AVERROR_INVALIDDATA;
+    }
    /* set the sample rate */
    avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate);