From 97f23c72a3815739ab28e297ce60f943349f6939 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 5 Jan 2012 21:40:18 +0100 Subject: [PATCH 01/14] vorbisdec: Fix decoding bug with channel handling Fixes Bug: #191 Chromium Bug: #101458 CVE-2011-3895 Signed-off-by: Reinhard Tartler (cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 017102e777..81458144df 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -660,7 +660,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc) res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || + res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n", @@ -1466,6 +1466,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint8_t res_chan[255]; unsigned res_num = 0; int retlen = 0; + int ch_left = vc->audio_channels; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1540,9 +1541,14 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) } } residue = &vc->residues[mapping->submap_residue[i]]; + if (ch_left < ch) { + av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); + return -1; + } vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); ch_res_ptr += ch * blocksize / 2; + ch_left -= ch; } // Inverse coupling 
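Review bot: The bound added in vorbis_parse_setup_hdr_residues is computed from `vc->avccontext->channels`, while the per-packet accounting added in vorbis_parse_audio_packet starts from `vc->audio_channels`; if those two can ever disagree (the header parser that sets them is not visible here), the residue `end` check and the new `ch_left` check guard against different limits, so both should derive from the same field. The new error message in the second hunk, `"Too many channels in vorbis_floor_decode.\n"`, is emitted from the residue path and will mislead anyone reading logs; `"Too many channels in vorbis_residue_decode.\n"` names the actual location. Both enclosing functions start and end outside the hunks.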
From b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Thu, 5 Jan 2012 21:25:41 +0100 Subject: [PATCH 02/14] vorbis: An additional defense in the Vorbis codec. Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893 Signed-off-by: Reinhard Tartler (cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 81458144df..572e06ebc3 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1269,6 +1269,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, uint8_t *do_not_decode, float *vec, unsigned vlen, + unsigned ch_left, int vr_type) { GetBitContext *gb = &vc->gb; @@ -1276,6 +1277,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned ptns_to_read = vr->ptns_to_read; uint8_t *classifs = vr->classifs; unsigned pass, ch_used, i, j, k, l; + unsigned max_output = (ch - 1) * vlen; if (vr_type == 2) { for (j = 1; j < ch; ++j) @@ -1283,8 +1285,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (do_not_decode[0]) return 0; ch_used = 1; + max_output += vr->end / ch; } else { ch_used = ch; + max_output += vr->end; + } + + if (max_output > ch_left * vlen) { + av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n"); + return -1; } av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c); 
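Review bot: The new `unsigned max_output = (ch - 1) * vlen;` and, in the type-2 branch, `max_output += vr->end / ch;` are only safe when `ch` is nonzero: with `ch == 0` the unsigned subtraction wraps to a huge value and the division is undefined behaviour. A later hunk in this series guards the caller with `if (ch)`, but the check belongs next to the arithmetic so the function does not depend on every caller remembering it; `if (!ch) return 0;` at the top of vorbis_residue_decode_internal would make it self-contained. A one-line comment such as `/* worst-case number of floats this residue may write into vec, compared against the channels still unassigned */` would also explain what max_output bounds. The function body continues past the hunk.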
@@ -1411,14 +1420,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, unsigned ch, uint8_t *do_not_decode, - float *vec, unsigned vlen) + float *vec, unsigned vlen, + unsigned ch_left) { if (vr->type == 2) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2); else if (vr->type == 1) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1); else if (vr->type == 0) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0); else { av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n"); return -1; @@ -1466,7 +1476,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint8_t res_chan[255]; unsigned res_num = 0; int retlen = 0; - int ch_left = vc->audio_channels; + unsigned ch_left = vc->audio_channels; + unsigned vlen; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); 
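Review bot: The three-way `if`/`else if` chain in vorbis_residue_decode passes the residue type as a literal constant in each branch rather than forwarding `vr->type`, and nothing says why; since vorbis_residue_decode_internal is `av_always_inline`, the literal presumably lets each branch inline a copy specialised on `vr_type`, which a reader is likely to "simplify" away. A comment above the chain, `/* pass the type as a literal so each branch gets its own inlined, type-specialised copy of the decoder */`, would protect that. In the second hunk `ch_left` becomes `unsigned`, so a later `ch_left -= ch` wraps silently if the `ch_left < ch` check before it is ever removed; a comment at the declaration, `/* channels not yet consumed by a submap; residue decode must never take more than this */`, records the invariant. Both functions start and end outside the hunks.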
@@ -1486,11 +1497,12 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) blockflag = vc->modes[mode_number].blockflag; blocksize = vc->blocksize[blockflag]; + vlen = blocksize / 2; if (blockflag) skip_bits(gb, 2); // previous_window, next_window - memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? - memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? + memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ? + memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ? // Decode floor @@ -1510,7 +1522,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) return -1; } no_residue[i] = ret; - ch_floor_ptr += blocksize / 2; + ch_floor_ptr += vlen; } // Nonzero vector propagate @@ -1527,6 +1539,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) for (i = 0; i < mapping->submaps; ++i) { vorbis_residue *residue; unsigned ch = 0; + int ret; for (j = 0; j < vc->audio_channels; ++j) { if ((mapping->submaps == 1) || (i == mapping->mux[j])) { @@ -1545,9 +1558,13 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); return -1; } - vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); + if (ch) { + ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left); + if (ret < 0) + return ret; + } - ch_res_ptr += ch * blocksize / 2; + ch_res_ptr += ch * vlen; ch_left -= ch; } From dd8228dcffc10b00c1f496e11e7ed7c6d07403c4 Mon Sep 17 00:00:00 2001 
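Review bot: The `int ret;` declared inside the submap loop shadows the `ret` already used by the floor-decoding loop above (`no_residue[i] = ret;` in an earlier hunk), assuming that one is function-scoped; `-Wshadow` will flag it, and reusing the outer variable avoids two same-named locals with different lifetimes. In the last hunk the `if (ch)` guard skips decoding for an empty submap while `ch_res_ptr += ch * vlen; ch_left -= ch;` still run, which is harmless because both are no-ops for zero, but a comment such as `/* a submap with no channels has nothing to decode; skip so the residue decoder never sees ch == 0 */` would record why the guard exists. vorbis_parse_audio_packet begins and ends outside these hunks.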
From: "Ronald S. Bultje" Date: Sun, 20 Nov 2011 15:54:15 -0800 Subject: [PATCH 03/14] swscale: fix crash in fast_bilinear code when compiled with -mred-zone. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Additional comments from Måns Rullgard have been integrated by Reinhard Tartler. Signed-off-by: Reinhard Tartler (cherry picked from commit b14fa5572c2a3bb1d8cd6327c4687a2eee363bbb) Signed-off-by: Reinhard Tartler --- libswscale/x86/swscale_template.c | 50 ++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index dc92cddff5..670b68eb51 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -2072,12 +2072,24 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, void *mmx2FilterCode= c->lumMmx2FilterCode; int i; #if defined(PIC) - DECLARE_ALIGNED(8, uint64_t, ebxsave); + uint64_t ebxsave; +#endif +#if ARCH_X86_64 + uint64_t retsave; #endif __asm__ volatile( #if defined(PIC) "mov %%"REG_b", %5 \n\t" +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %6 \n\t" +#endif +#else +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %5 \n\t" +#endif #endif "pxor %%mm7, %%mm7 \n\t" "mov %0, %%"REG_c" \n\t" @@ -2119,11 +2131,23 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, #if defined(PIC) "mov %5, %%"REG_b" \n\t" +#if ARCH_X86_64 + "mov %6, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif +#else +#if ARCH_X86_64 + "mov %5, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif #endif :: "m" (src), "m" (dst), "m" (filter), "m" (filterPos), "m" (mmx2FilterCode) #if defined(PIC) ,"m" (ebxsave) +#endif +#if ARCH_X86_64 + ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) 
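Review bot: `retsave` (like the pre-existing `ebxsave`) is written by the asm (`mov %%"REG_a", %6` in the PIC variant, `%5` otherwise) but is listed after the `::` as a plain `"m"` input operand, so the compiler is told the variable is only read; it should be an output operand (`"=m"` or `"+m"`) so the store is visible to the optimizer. More fundamentally, saving `-8(%rsp)` only helps if the slot the compiler picks for `retsave` is not itself in the red zone: the `call` into `mmx2FilterCode` is invisible to the compiler, so if it treats hyscale_fast as a leaf its locals may legitimately live at negative offsets from `%rsp`, including `-8(%rsp)`; reserving the red zone explicitly around the filter call (a `sub`/`add` of 128 on `%rsp`, with the `"m"` operands loaded into registers first since they may be `%rsp`-relative) is the robust form, and a comment stating why `-8(%rsp)` is preserved is needed either way. The same pattern appears in the hcscale_fast hunks that follow. hyscale_fast begins and ends outside the hunks.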
@@ -2146,10 +2170,22 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif +#if ARCH_X86_64 + DECLARE_ALIGNED(8, uint64_t, retsave); +#endif __asm__ volatile( #if defined(PIC) "mov %%"REG_b", %7 \n\t" +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %8 \n\t" +#endif +#else +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %7 \n\t" +#endif #endif "pxor %%mm7, %%mm7 \n\t" "mov %0, %%"REG_c" \n\t" @@ -2179,11 +2215,23 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) "mov %7, %%"REG_b" \n\t" +#if ARCH_X86_64 + "mov %8, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif +#else +#if ARCH_X86_64 + "mov %7, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif #endif :: "m" (src1), "m" (dst1), "m" (filter), "m" (filterPos), "m" (mmx2FilterCode), "m" (src2), "m"(dst2) #if defined(PIC) ,"m" (ebxsave) +#endif +#if ARCH_X86_64 + ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) From 8f17d7dd4bf7a6e7cda550aa935e60125d808d49 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Jan 2012 17:34:06 +0100 Subject: [PATCH 04/14] Update RELEASE file for 0.7.4 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index f38fc5393f..0a1ffad4b4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.3 +0.7.4 From d4653e882fee5a2876c3878bc23d26799e3380ad Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Jan 2012 17:34:17 +0100 Subject: [PATCH 05/14] Update Changelog for 0.7.4 release --- Changelog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Changelog b/Changelog index e8fcf8257f..30c5b8f8de 100644 --- a/Changelog +++ b/Changelog 
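Review bot: `retsave` is declared `DECLARE_ALIGNED(8, uint64_t, retsave)` here, while the sibling hyscale_fast hunk drops `DECLARE_ALIGNED` from `ebxsave` and declares `retsave` as a plain `uint64_t`; a 64-bit `mov` through an `"m"` operand needs no particular alignment, so either form works, but the two functions should use the same one. The operand index for `retsave` also changes between the `PIC` and non-`PIC` variants (`%8` versus `%7`), which the nested `#if` blocks make easy to break; a comment at the operand list, `/* operand numbering: %7 is ebxsave when PIC, otherwise retsave; %8 is retsave when both apply */`, would help the next editor. hcscale_fast starts and ends outside the hunks.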
@@ -1,6 +1,20 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.4: + +- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895) +- vorbisdec: Fix decoding bug with channel handling. +- matroskadec: Fix a bug where a pointer was cached to an array that might + later move due to a realloc(). (CVE-2011-3893) +- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893) +- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892) +- avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected + for the loopback address. +- vp3: fix streams with non-zero last coefficient. +- swscale: fix crash in fast_bilinear code when compiled with -mred-zone. + + version 0.7.3: - check buffer and input values in various parts of the code: From c4cc8584d0e48a9474a52eed725ed726d14d3f2f Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Tue, 27 Dec 2011 15:15:02 +0100 Subject: [PATCH 06/14] lavfi: add missing check in avfilter_filter_samples() Avoid out-of-buffer data access when nb_channels is 8. (cherry picked from commit ae21776207e8a2bbe268e7c9e203f7599dd87ddb) Signed-off-by: Michael Niedermayer --- libavfilter/avfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index a57677c0e4..d2b4986cef 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -614,7 +614,7 @@ void avfilter_filter_samples(AVFilterLink *link, AVFilterBufferRef *samplesref) link->cur_buf->audio->sample_rate = samplesref->audio->sample_rate; /* Copy actual data into new samples buffer */ - for (i = 0; samplesref->data[i]; i++) + for (i = 0; samplesref->data[i] && i < 8; i++) memcpy(link->cur_buf->data[i], samplesref->data[i], samplesref->linesize[0]); avfilter_unref_buffer(samplesref); From d80db23e7d3130ee5f5f6fff7e6db3274cdd6a98 Mon Sep 17 00:00:00 2001 
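Review bot: The new bound in avfilter_filter_samples is checked after the dereference: `samplesref->data[i] && i < 8` reads `data[8]` when all eight entries are non-NULL before `i < 8` stops the loop, which is the out-of-buffer access the commit sets out to avoid. Reorder to `for (i = 0; i < 8 && samplesref->data[i]; i++)` so the index is validated first, and replace the literal with the array's declared size (its constant name is not visible here) so the loop cannot drift from the declaration. avfilter_filter_samples starts and ends outside the hunk.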
From: Michael Niedermayer Date: Sun, 25 Dec 2011 00:10:27 +0100 Subject: [PATCH 07/14] ws_snd1: Fix wrong samples count and crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 5257743aee0c3982f0079e6553aabc6aa39401d2) Signed-off-by: Michael Niedermayer --- libavcodec/ws-snd1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index f92c3531e0..c28d1a8d6a 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -100,8 +100,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, /* make sure we don't write more than out_size samples */ switch (code) { - case 0: smp = 4; break; - case 1: smp = 2; break; + case 0: smp = 4*(count+1); break; + case 1: smp = 2*(count+1); break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; } From 56173eabb6fb508574150098ac835b3b3e6a8569 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Dec 2011 04:16:01 +0100 Subject: [PATCH 08/14] j2kdec: Fix integer overflow leading to a segfault Fixes Ticket776 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99939a6361e2e6d6788494dd7c682b051c6c34) Signed-off-by: Michael Niedermayer --- libavcodec/j2k_dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2k_dwt.c b/libavcodec/j2k_dwt.c index ab7a1ab757..48aa33735e 100644 --- a/libavcodec/j2k_dwt.c +++ b/libavcodec/j2k_dwt.c @@ -321,7 +321,7 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int int i, j, lev = decomp_levels, maxlen, b[2][2]; - if (decomp_levels >= FF_DWT_MAX_DECLVLS) + if ((unsigned)decomp_levels >= FF_DWT_MAX_DECLVLS) return AVERROR_INVALIDDATA; s->ndeclevels = decomp_levels; s->type = type; From 6f0e349a023c9690ef21a94ac5eb8451cf1cce95 Mon Sep 17 00:00:00 2001 
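Review bot: The `(unsigned)` cast in `if ((unsigned)decomp_levels >= FF_DWT_MAX_DECLVLS)` is doing real work — a negative `decomp_levels` wraps to a large value and is rejected along with values that are too big — but nothing on the line says so, and a later cleanup may drop the cast as redundant. A comment on that line, `/* unsigned compare also rejects negative decomp_levels */`, records the intent; alternatively spell it out as `if (decomp_levels < 0 || decomp_levels >= FF_DWT_MAX_DECLVLS)`. ff_j2k_dwt_init continues past the hunk.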
From: Michael Niedermayer Date: Thu, 15 Dec 2011 03:59:29 +0100 Subject: [PATCH 09/14] aacsbr: Fix memory corruption. Fixes Ticket760 and Ticket761 Bug Found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit 944f5b2779e4aa63f7624df6cd4de832a53db81b) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 10b8daf280..866482aac3 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1185,7 +1185,7 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < 128 >> div) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); From 8454d81ebe672e33022bc06e461676ca6d7b3299 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Dec 2011 02:43:03 +0100 Subject: [PATCH 10/14] h264: check chroma_format_idc range. Fixes Ticket758 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 89e2502e0d..680db1e5a6 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
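Review bot: `if (*v_off < 128 >> div)` relies on `>>` binding tighter than `<`, which is correct but reads as ambiguous; write it as `if (*v_off < (128 >> div))`. The condition replaces an exact `== 0` test with a range test, so a short comment on why the buffer must wrap before `v_off` drops below one block of samples, e.g. `/* not enough room below v_off for the next 128>>div samples: move the saved tail to the top of the buffer first */`, would explain the change for the next reader (the surrounding pointer arithmetic is not fully visible in the hunk, so confirm the wording against it). sbr_qmf_synthesis starts and ends outside the hunk.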
@@ -342,6 +342,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->profile_idc >= 100){ //high profile sps->chroma_format_idc= get_ue_golomb_31(&s->gb); + if (sps->chroma_format_idc > 3U) { + av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc); + goto fail; + } if(sps->chroma_format_idc == 3) sps->residual_color_transform_flag = get_bits1(&s->gb); sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; From 049b08d04cd5a6e53e0b0814525313fe5bd3e47a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 03:18:58 +0100 Subject: [PATCH 11/14] atrac3: Fix crash in tonal component decoding. Fixes Ticket780 Bug Found by: cosminamironesei Signed-off-by: Michael Niedermayer (cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 20ab75dfd7..f16630450d 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -395,6 +395,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent for (k=0; k=64) + return AVERROR_INVALIDDATA; pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); max_coded_values = 1024 - pComponent[component_count].pos; coded_values = coded_values_per_component + 1; From 6b4c38b362a59a28860e0e2e3d92a82dc38479cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Dec 2011 05:06:20 +0100 Subject: [PATCH 12/14] j2kdec: Check curtileno for validity Signed-off-by: Michael Niedermayer (cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78) Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 96b4f64098..3b94497293 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c 
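Review bot: `if (sps->chroma_format_idc > 3U)` uses an unsigned literal so that a negative value in the field (if it is signed; its declaration is not visible here) also fails the check, but that is easy to lose in a later edit — `/* unsigned compare: rejects negative values as well as values > 3 */` on that line would record it. The error message prints the field with `%d`; if the field turns out to be unsigned the specifier should be `%u` to match. ff_h264_decode_seq_parameter_set starts and ends outside the hunk.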
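Review bot: The new `if (component_count >= 64) return AVERROR_INVALIDDATA;` in decodeTonalComponents bounds the index used on the next line, `pComponent[component_count].pos = …`, but the literal 64 must match the size of the `pComponent` array, which is declared by the caller and not visible here; checking against that array's named size (or passing the capacity in) keeps the two from diverging. The loop header appears garbled in this rendering, so the placement of the check relative to the loop body should be confirmed against the original patch. decodeTonalComponents begins and ends outside the hunk.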
@@ -421,6 +421,10 @@ static uint8_t get_sot(J2kDecoderContext *s) return AVERROR(EINVAL); s->curtileno = bytestream_get_be16(&s->buf); ///< Isot + if((unsigned)s->curtileno >= s->numXtiles * s->numYtiles){ + s->curtileno=0; + return AVERROR(EINVAL); + } s->buf += 4; ///< Psot (ignored) From 4ad5618210edabcc28b8ceee77d22e2e1e7eb822 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Dec 2011 06:17:12 +0100 Subject: [PATCH 13/14] j2kdec: Fix crash in get_qcx Signed-off-by: Michael Niedermayer (cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a) Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 3b94497293..3315a835d7 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -359,7 +359,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q) if (q->quantsty == J2K_QSTY_NONE){ n -= 3; - if (s->buf_end - s->buf < n) + if (s->buf_end - s->buf < n || 32*3 < n) return AVERROR(EINVAL); for (i = 0; i < n; i++) q->expn[i] = bytestream_get_byte(&s->buf) >> 3; @@ -376,7 +376,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q) } } else{ n = (n - 3) >> 1; - if (s->buf_end - s->buf < n) + if (s->buf_end - s->buf < n || 32*3 < n) return AVERROR(EINVAL); for (i = 0; i < n; i++){ x = bytestream_get_be16(&s->buf); From 8935e7474ada9f18e9c21ec3a0a1706040e7b3be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 12:28:50 +0100 Subject: [PATCH 14/14] shorten: Fix invalid free() Signed-off-by: Michael Niedermayer (cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0b9d420d86..621281fc75 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
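Review bot: The new `return AVERROR(EINVAL);` in get_sot follows the existing one in the context line above, but the hunk header shows the function as `static uint8_t get_sot(...)`, so the negative error code is truncated to a byte — still nonzero, but no longer the error it names; the caller can only test for nonzero, which should be stated in a comment or fixed by making the return type `int`. The bound `s->numXtiles * s->numYtiles` multiplies two fields whose type and range are not visible here; if they are `int`, the product can overflow before the comparison, so computing it once as an unsigned value (or validating it where the tile counts are derived) would be safer. get_sot continues beyond the hunk.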
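Review bot: `32*3 < n` in get_qcx bounds the index into `q->expn[]` (and, in the second hunk, the loop that follows) with a literal that presumably mirrors the arrays' size in J2kQuantStyle, which is not visible here; expressing it as `n > FF_ARRAY_ELEMS(q->expn)` ties the check to the declaration so a resized array cannot silently reopen the overflow. The same check appears in both get_qcx hunks and should change in both. get_qcx starts and ends outside the hunks.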
@@ -81,6 +81,7 @@ typedef struct ShortenContext { int channels; int32_t *decoded[MAX_CHANNELS]; + int32_t *decoded_base[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; int *coeffs; uint8_t *bitstream; @@ -130,13 +131,13 @@ static int allocate_buffers(ShortenContext *s) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; - tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded_base[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); if (!tmp_ptr) return AVERROR(ENOMEM); - s->decoded[chan] = tmp_ptr; + s->decoded_base[chan] = tmp_ptr; for (i=0; inwrap; i++) - s->decoded[chan][i] = 0; - s->decoded[chan] += s->nwrap; + s->decoded_base[chan][i] = 0; + s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); @@ -548,8 +549,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) int i; for (i = 0; i < s->channels; i++) { - s->decoded[i] -= s->nwrap; - av_freep(&s->decoded[i]); + s->decoded[i] = NULL; + av_freep(&s->decoded_base[i]); av_freep(&s->offset[i]); } av_freep(&s->bitstream);
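Review bot: The per-element loop in allocate_buffers that zeroes the first `nwrap` entries of the freshly reallocated block is a `memset` in disguise and is clearer as `memset(s->decoded_base[chan], 0, s->nwrap * sizeof(*s->decoded_base[chan]));`. Keeping `decoded_base` as the owning pointer and `decoded` as a derived offset is what fixes the invalid free, and that contract is worth stating on the new struct field: `/* owning pointer; decoded[] points nwrap samples into it and must never be freed itself */`. allocate_buffers and shorten_decode_close both start and end outside the hunks.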