Commit 7c425e4f authored by Michael Niedermayer's avatar Michael Niedermayer

Merge commit 'd7d6efe4'

* commit 'd7d6efe4':
  h264: check sps.log2_max_frame_num for validity
  mov: validate number of DataReferenceBox entries against box size
  mov: compute avg_frame_rate only if duration is known
  flac: change minimum and default of lpc_passes option to 1

Conflicts:
	libavcodec/h264_ps.c
	libavformat/mov.c
Merged-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parents af164d7d d7d6efe4
...@@ -1320,7 +1320,7 @@ static const AVOption options[] = { ...@@ -1320,7 +1320,7 @@ static const AVOption options[] = {
{ "fixed", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_LPC_TYPE_FIXED }, INT_MIN, INT_MAX, FLAGS, "lpc_type" }, { "fixed", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_LPC_TYPE_FIXED }, INT_MIN, INT_MAX, FLAGS, "lpc_type" },
{ "levinson", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_LPC_TYPE_LEVINSON }, INT_MIN, INT_MAX, FLAGS, "lpc_type" }, { "levinson", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_LPC_TYPE_LEVINSON }, INT_MIN, INT_MAX, FLAGS, "lpc_type" },
{ "cholesky", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_LPC_TYPE_CHOLESKY }, INT_MIN, INT_MAX, FLAGS, "lpc_type" }, { "cholesky", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_LPC_TYPE_CHOLESKY }, INT_MIN, INT_MAX, FLAGS, "lpc_type" },
{ "lpc_passes", "Number of passes to use for Cholesky factorization during LPC analysis", offsetof(FlacEncodeContext, options.lpc_passes), AV_OPT_TYPE_INT, {.i64 = -1 }, INT_MIN, INT_MAX, FLAGS }, { "lpc_passes", "Number of passes to use for Cholesky factorization during LPC analysis", offsetof(FlacEncodeContext, options.lpc_passes), AV_OPT_TYPE_INT, {.i64 = 2 }, 1, INT_MAX, FLAGS },
{ "min_partition_order", NULL, offsetof(FlacEncodeContext, options.min_partition_order), AV_OPT_TYPE_INT, {.i64 = -1 }, -1, MAX_PARTITION_ORDER, FLAGS }, { "min_partition_order", NULL, offsetof(FlacEncodeContext, options.min_partition_order), AV_OPT_TYPE_INT, {.i64 = -1 }, -1, MAX_PARTITION_ORDER, FLAGS },
{ "max_partition_order", NULL, offsetof(FlacEncodeContext, options.max_partition_order), AV_OPT_TYPE_INT, {.i64 = -1 }, -1, MAX_PARTITION_ORDER, FLAGS }, { "max_partition_order", NULL, offsetof(FlacEncodeContext, options.max_partition_order), AV_OPT_TYPE_INT, {.i64 = -1 }, -1, MAX_PARTITION_ORDER, FLAGS },
{ "prediction_order_method", "Search method for selecting prediction order", offsetof(FlacEncodeContext, options.prediction_order_method), AV_OPT_TYPE_INT, {.i64 = -1 }, -1, ORDER_METHOD_LOG, FLAGS, "predm" }, { "prediction_order_method", "Search method for selecting prediction order", offsetof(FlacEncodeContext, options.prediction_order_method), AV_OPT_TYPE_INT, {.i64 = -1 }, -1, ORDER_METHOD_LOG, FLAGS, "predm" },
......
...@@ -37,6 +37,9 @@ ...@@ -37,6 +37,9 @@
//#undef NDEBUG //#undef NDEBUG
#include <assert.h> #include <assert.h>
#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)
#define MIN_LOG2_MAX_FRAME_NUM 4
static const AVRational pixel_aspect[17]={ static const AVRational pixel_aspect[17]={
{0, 1}, {0, 1},
{1, 1}, {1, 1},
...@@ -331,7 +334,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ ...@@ -331,7 +334,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
MpegEncContext * const s = &h->s; MpegEncContext * const s = &h->s;
int profile_idc, level_idc, constraint_set_flags = 0; int profile_idc, level_idc, constraint_set_flags = 0;
unsigned int sps_id; unsigned int sps_id;
int i; int i, log2_max_frame_num_minus4;
SPS *sps; SPS *sps;
profile_idc= get_bits(&s->gb, 8); profile_idc= get_bits(&s->gb, 8);
...@@ -394,12 +397,15 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ ...@@ -394,12 +397,15 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
sps->bit_depth_chroma = 8; sps->bit_depth_chroma = 8;
} }
sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; log2_max_frame_num_minus4 = get_ue_golomb(&s->gb);
if (sps->log2_max_frame_num < 4 || sps->log2_max_frame_num > 16) { if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 ||
av_log(h->s.avctx, AV_LOG_ERROR, "illegal log2_max_frame_num %d\n", log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) {
sps->log2_max_frame_num); av_log(h->s.avctx, AV_LOG_ERROR,
"log2_max_frame_num_minus4 out of range (0-12): %d\n",
log2_max_frame_num_minus4);
goto fail; goto fail;
} }
sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4;
sps->poc_type= get_ue_golomb_31(&s->gb); sps->poc_type= get_ue_golomb_31(&s->gb);
......
...@@ -429,6 +429,7 @@ static int mov_read_chpl(MOVContext *c, AVIOContext *pb, MOVAtom atom) ...@@ -429,6 +429,7 @@ static int mov_read_chpl(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return 0; return 0;
} }
#define MIN_DATA_ENTRY_BOX_SIZE 12
static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{ {
AVStream *st; AVStream *st;
...@@ -442,7 +443,8 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) ...@@ -442,7 +443,8 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
avio_rb32(pb); // version + flags avio_rb32(pb); // version + flags
entries = avio_rb32(pb); entries = avio_rb32(pb);
if (entries >= UINT_MAX / sizeof(*sc->drefs)) if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 ||
entries >= UINT_MAX / sizeof(*sc->drefs))
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
av_free(sc->drefs); av_free(sc->drefs);
sc->drefs_count = 0; sc->drefs_count = 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment