Merge remote-tracking branch 'qatar/master'

* qatar/master: qcelpdec: cosmetics: do not add line break before opening bracket in 'for', 'while', 'if/else', and 'switch' statements. qcelp: check output buffer size before decoding qcelpdec: fix the return value of qcelp_decode_frame(). sipr: fix the output data size check and only calculate it once. Synchronize various 4CCs and codec tags from FFmpeg. qdm2: check output buffer size before decoding Fix out of bound reads in the QDM2 decoder. Check for out of bound writes in the QDM2 decoder. ogg/celt: do not set sample_fmt in the demuxer Conflicts: libavcodec/avcodec.h libavcodec/qdm2.c libavformat/oggparsecelt.c Merged-by: Michael Niedermayer <michaelni@gmx.at>

Merge remote-tracking branch 'qatar/master'
* qatar/master: qcelpdec: cosmetics: do not add line break before opening bracket in 'for', 'while', 'if/else', and 'switch' statements. qcelp: check output buffer size before decoding qcelpdec: fix the return value of qcelp_decode_frame(). sipr: fix the output data size check and only calculate it once. Synchronize various 4CCs and codec tags from FFmpeg. qdm2: check output buffer size before decoding Fix out of bound reads in the QDM2 decoder. Check for out of bound writes in the QDM2 decoder. ogg/celt: do not set sample_fmt in the demuxer Conflicts: libavcodec/avcodec.h libavcodec/qdm2.c libavformat/oggparsecelt.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
ec1ffae0 · Michael Niedermayer · f7da257a · dd376b1a · ec1ffae0 · ec1ffae0
Commit ec1ffae0 authored Oct 05, 2011 by Michael Niedermayer
6 changed files
--- a/libavcodec/qcelpdec.c
+++ b/libavcodec/qcelpdec.c
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -77,6 +77,7 @@ do { \
 #define SAMPLES_NEEDED_2(why) \
     av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);

+#define QDM2_MAX_FRAME_SIZE 512

 typedef int8_t sb_int8_array[2][30][64];

@@ -169,7 +170,7 @@ typedef struct {
    /// I/O data
    const uint8_t *compressed_data;
    int compressed_size;
-    float output_buffer[1024];
+    float output_buffer[QDM2_MAX_FRAME_SIZE * 2];

    /// Synthesis filter
    MPADSPContext mpadsp;
@@ -1823,7 +1824,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    // something like max decodable tones
    s->group_order = av_log2(s->group_size) + 1;
    s->frame_size = s->group_size / 16; // 16 iterations per super block
-    if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2)
+
+    if (s->frame_size > QDM2_MAX_FRAME_SIZE)
        return AVERROR_INVALIDDATA;

    s->sub_sampling = s->fft_order - 7;
@@ -1959,13 +1961,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
    int buf_size = avpkt->size;
    QDM2Context *s = avctx->priv_data;
    int16_t *out = data;
-    int i;
+    int i, out_size;

    if(!buf)
        return 0;
    if(buf_size < s->checksum_size)
        return -1;

+    out_size = 16 * s->channels * s->frame_size *
+               av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
    av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
       buf_size, buf, s->checksum_size, data, *data_size);

@@ -1975,7 +1984,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
        out += s->channels * s->frame_size;
    }

-    *data_size = (uint8_t*)out - (uint8_t*)data;
+    *data_size = out_size;

    return s->checksum_size;
 }

--- a/libavcodec/sipr.c
+++ b/libavcodec/sipr.c
@@ -509,7 +509,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap,
    GetBitContext gb;
    float *data = datap;
    int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE;
-    int i;
+    int i, out_size;

    ctx->avctx = avctx;
    if (avpkt->size < (mode_par->bits_per_frame >> 3)) {
@@ -520,7 +520,11 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap,
        *data_size = 0;
        return -1;
    }
-    if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) {
+
+    out_size = mode_par->frames_per_packet * subframe_size *
+               mode_par->subframe_count *
+               av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
        av_log(avctx, AV_LOG_ERROR,
               "Error processing packet: output buffer (%d) too small\n",
               *data_size);
@@ -542,8 +546,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap,
        data += subframe_size * mode_par->subframe_count;
    }

-    *data_size = mode_par->frames_per_packet * subframe_size *
-        mode_par->subframe_count * sizeof(float);
+    *data_size = out_size;

    return mode_par->bits_per_frame >> 3;
 }

--- a/libavformat/isom.c
+++ b/libavformat/isom.c
@@ -204,6 +204,8 @@ const AVCodecTag codec_movvideo_tags[] = {

    { CODEC_ID_DIRAC, MKTAG('d', 'r', 'a', 'c') },
    { CODEC_ID_DNXHD, MKTAG('A', 'V', 'd', 'n') }, /* AVID DNxHD */
+    { CODEC_ID_FLV1,  MKTAG('H', '2', '6', '3') }, /* Flash Media Server */
+    { CODEC_ID_MSMPEG4V3, MKTAG('3', 'I', 'V', 'D') }, /* 3ivx DivX Doctor */
    { CODEC_ID_RAWVIDEO, MKTAG('A', 'V', '1', 'x') }, /* AVID 1:1x */
    { CODEC_ID_RAWVIDEO, MKTAG('A', 'V', 'u', 'p') },
    { CODEC_ID_SGI,   MKTAG('s', 'g', 'i', ' ') }, /* SGI  */
@@ -215,9 +217,6 @@ const AVCodecTag codec_movvideo_tags[] = {
    { CODEC_ID_PRORES, MKTAG('a', 'p', 'c', 'o') }, /* Apple ProRes 422 Proxy */
    { CODEC_ID_PRORES, MKTAG('a', 'p', '4', 'h') }, /* Apple ProRes 4444 */

-    { CODEC_ID_MSMPEG4V3, MKTAG('3', 'I', 'V', 'D') }, /* 3ivx DivX Doctor */
-    { CODEC_ID_FLV1,      MKTAG('H', '2', '6', '3') }, /* Flash Media Server */
-
    { CODEC_ID_NONE, 0 },
 };

@@ -262,9 +261,8 @@ const AVCodecTag codec_movaudio_tags[] = {
    { CODEC_ID_AMR_WB, MKTAG('s', 'a', 'w', 'b') }, /* AMR-WB 3gp */

    { CODEC_ID_GSM,  MKTAG('a', 'g', 's', 'm') },
-    { CODEC_ID_ALAC, MKTAG('a', 'l', 'a', 'c') }, /* Apple Lossless */
-
    { CODEC_ID_NELLYMOSER, MKTAG('n', 'm', 'o', 's') }, /* Flash Media Server */
+    { CODEC_ID_ALAC, MKTAG('a', 'l', 'a', 'c') }, /* Apple Lossless */

    { CODEC_ID_QCELP, MKTAG('Q','c','l','p') },
    { CODEC_ID_QCELP, MKTAG('Q','c','l','q') },
@@ -273,11 +271,11 @@ const AVCodecTag codec_movaudio_tags[] = {
    { CODEC_ID_QDMC, MKTAG('Q', 'D', 'M', 'C') }, /* QDMC */
    { CODEC_ID_QDM2, MKTAG('Q', 'D', 'M', '2') }, /* QDM2 */

-    { CODEC_ID_SPEEX, MKTAG('s','p','e','x') }, /* Flash Media Server */
-
    { CODEC_ID_DVAUDIO, MKTAG('v', 'd', 'v', 'a') },
    { CODEC_ID_DVAUDIO, MKTAG('d', 'v', 'c', 'a') },

+    { CODEC_ID_SPEEX, MKTAG('s','p','e','x') }, /* Flash Media Server */
+
    { CODEC_ID_WMAV2, MKTAG('W', 'M', 'A', '2') },

    { CODEC_ID_NONE, 0 },

--- a/libavformat/oggparsecelt.c
+++ b/libavformat/oggparsecelt.c
@@ -66,7 +66,6 @@ static int celt_header(AVFormatContext *s, int idx)
        st->codec->sample_rate    = sample_rate;
        st->codec->channels       = nb_channels;
        st->codec->frame_size     = frame_size;
-        st->codec->sample_fmt     = AV_SAMPLE_FMT_S16;
        av_free(st->codec->extradata);
        st->codec->extradata      = extradata;
        st->codec->extradata_size = 2 * sizeof(uint32_t);

--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -179,8 +179,8 @@ const AVCodecTag ff_codec_bmp_tags[] = {
    { CODEC_ID_RAWVIDEO,     MKTAG('U', 'Y', 'V', 'Y') },
    { CODEC_ID_RAWVIDEO,     MKTAG('V', 'Y', 'U', 'Y') },
    { CODEC_ID_RAWVIDEO,     MKTAG('I', 'Y', 'U', 'V') },
-    { CODEC_ID_RAWVIDEO,     MKTAG('Y', '8', ' ', ' ') },
    { CODEC_ID_RAWVIDEO,     MKTAG('Y', '8', '0', '0') },
+    { CODEC_ID_RAWVIDEO,     MKTAG('Y', '8', ' ', ' ') },
    { CODEC_ID_RAWVIDEO,     MKTAG('H', 'D', 'Y', 'C') },
    { CODEC_ID_RAWVIDEO,     MKTAG('Y', 'V', 'U', '9') },
    { CODEC_ID_RAWVIDEO,     MKTAG('V', 'D', 'T', 'Z') }, /* SoftLab-NSK VideoTizer */