From 259d8c5647417da02aed3081f8442c734988bbf3 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Sun, 25 Nov 2012 12:40:54 -0500
Subject: [PATCH 1/5] riff: do not add empty metadata tags in INFO chunk

---
 libavformat/riff.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/riff.c b/libavformat/riff.c
index 731309201a..190504cc79 100644
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -734,6 +734,12 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size)
         chunk_size += (chunk_size & 1);
+        if (!chunk_code) {
+            if (chunk_size)
+                avio_skip(pb, chunk_size);
+            continue;
+        }
+
         value = av_malloc(chunk_size + 1);
         if (!value) {
             av_log(s, AV_LOG_ERROR, "out of memory, unable to read INFO tag\n");

From 2fe0094e0bf939f563c2600083bee8f183c2763d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 30 Oct 2012 21:48:39 +0100
Subject: [PATCH 2/5] wavenc: write fact chunk sample count at the correct file position

Fixes curruption of metadata in the INFO chunk.

Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
---
 libavformat/wavenc.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavformat/wavenc.c b/libavformat/wavenc.c
index d5e572fd2f..86ed557802 100644
--- a/libavformat/wavenc.c
+++ b/libavformat/wavenc.c
@@ -36,6 +36,7 @@ typedef struct WAVMuxContext {
     const AVClass *class;
     int64_t data;
+    int64_t fact_pos;
     int64_t minpts;
     int64_t maxpts;
     int last_duration;
@@ -100,7 +101,7 @@ static int wav_write_header(AVFormatContext *s)
 {
     WAVMuxContext *wav = s->priv_data;
     AVIOContext *pb = s->pb;
-    int64_t fmt, fact;
+    int64_t fmt;
     ffio_wfourcc(pb, "RIFF");
     avio_wl32(pb, 0); /* file length */
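Review bot: The new zero-code branch ignores the return value of avio_skip, so a skip that fails on a truncated INFO chunk is not reported here and the loop relies on whatever end-of-chunk test the enclosing loop uses (outside this hunk) to stop. The `if (chunk_size)` guard is redundant, since skipping zero bytes is a no-op, and the branch carries no comment saying why a zero tag code is skipped rather than rejected; `/* a zero tag code would produce an empty metadata key: skip its payload (already padded to an even size above) */` would record that. ff_read_riff_info's loop starts and ends outside the hunk.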
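Review bot: The added fact_pos field has no comment, and nothing in this commit assigns it unless wav_write_header writes a "fact" chunk (the non-PCM, seekable case in the later hunk), so when no chunk is written its value is whatever the priv_data allocation leaves there, presumably zero, which is also a valid file offset. Documenting that contract on the field makes the trailer's use of it checkable: `int64_t fact_pos; /* offset of the "fact" chunk's sample-count field; only valid when wav_write_header wrote the chunk */`. The struct definition starts outside the hunk.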
@@ -117,9 +118,9 @@ static int wav_write_header(AVFormatContext *s)
     if (s->streams[0]->codec->codec_tag != 0x01 /* hence for all other than PCM */ && s->pb->seekable) {
-        fact = ff_start_tag(pb, "fact");
+        wav->fact_pos = ff_start_tag(pb, "fact");
         avio_wl32(pb, 0);
-        ff_end_tag(pb, fact);
+        ff_end_tag(pb, wav->fact_pos);
     }
     if (wav->write_bext)
@@ -179,7 +180,7 @@ static int wav_write_trailer(AVFormatContext *s)
         number_of_samples = av_rescale(wav->maxpts - wav->minpts + wav->last_duration, s->streams[0]->codec->sample_rate * (int64_t)s->streams[0]->time_base.num, s->streams[0]->time_base.den);
-        avio_seek(pb, wav->data-12, SEEK_SET);
+        avio_seek(pb, wav->fact_pos, SEEK_SET);
         avio_wl32(pb, number_of_samples);
         avio_seek(pb, file_size, SEEK_SET);
         avio_flush(pb);

From 5d47850bbd9ea70f6ab6b8eecaf3992a8c444492 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 29 Oct 2012 05:21:47 +0100
Subject: [PATCH 3/5] dcadec: skip QMF on unused channels

When the extra rear channel is present but unused, the s->channel_order_tab[] value for that channel is -1. The QMF can be skipped for the extra channel, and doing so avoids an out-of-array read on s->samples_chanptr[].

Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
---
 libavcodec/dcadec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c
index 712a72aed0..325f3fe96d 100644
--- a/libavcodec/dcadec.c
+++ b/libavcodec/dcadec.c
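Review bot: `avio_seek(pb, wav->fact_pos, SEEK_SET)` in the wav_write_trailer hunk runs with no check in view that a fact chunk was actually written; the condition guarding this block sits above the hunk and must mirror the header's `codec_tag != 0x01 && s->pb->seekable` test, otherwise the 32-bit sample count is written at whatever fact_pos holds when unset. Keying the block on the field itself, `if (wav->fact_pos) {`, would tie the two sides together without duplicating the condition, since the header hunk only assigns fact_pos when it emits the chunk. The seek also assumes ff_start_tag returned the offset of the chunk payload (the position of the placeholder avio_wl32 in the header), which matches the old wav->data-12 arithmetic but deserves a one-line comment. wav_write_trailer starts and ends outside the hunk.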
@@ -1279,9 +1279,10 @@ static int dca_filter_channels(DCAContext *s, int block_index)
     for (k = 0; k < s->prim_channels; k++) {
         /* static float pcm_to_double[8] = { 32768.0, 32768.0, 524288.0, 524288.0, 0, 8388608.0, 8388608.0 };*/
-        qmf_32_subbands(s, k, subband_samples[k],
-                        s->samples_chanptr[s->channel_order_tab[k]],
-                        M_SQRT1_2 / 32768.0 /* pcm_to_double[s->source_pcm_res] */);
+        if (s->channel_order_tab[k] >= 0)
+            qmf_32_subbands(s, k, subband_samples[k],
+                            s->samples_chanptr[s->channel_order_tab[k]],
+                            M_SQRT1_2 / 32768.0 /* pcm_to_double[s->source_pcm_res] */);
     }
     /* Down mixing */

From 150b2361ca08085415c8d67a9b1b2a6fbe1c44be Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Wed, 21 Nov 2012 20:13:15 +0100
Subject: [PATCH 4/5] h264: add missing new line to log message

---
 libavcodec/h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 658d865339..5440d7bc31 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3765,7 +3765,7 @@ again:
         case NAL_IDR_SLICE:
             if (h->nal_unit_type != NAL_IDR_SLICE) {
                 av_log(h->s.avctx, AV_LOG_ERROR,
-                       "Invalid mix of idr and non-idr slices");
+                       "Invalid mix of idr and non-idr slices\n");
                 buf_index = -1;
                 goto end;
             }

From 6e5cdf26281945ddea3aaf5eca4d127791f23ca8 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Sun, 25 Nov 2012 16:02:02 +0100
Subject: [PATCH 5/5] h264: check ref_count validity for num_ref_idx_active_override_flag

Fixes segfault in the fuzzed sample bipbop234.ts_s226407.

CC: libav-stable@libav.org
---
 libavcodec/h264.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 5440d7bc31..8226d74326 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
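Review bot: The new guard only rejects a negative channel_order_tab[k]; nothing in the hunk bounds the index against the size of s->samples_chanptr[], so the upper bound is presumably validated where channel_order_tab is filled (outside this hunk) and that reliance is worth stating next to the test, e.g. `/* -1 marks an unused extra channel with no output slot; the upper bound is validated when channel_order_tab is built */`. A multi-line call as a braceless if body is fragile under later edits; wrapping it as `if (s->channel_order_tab[k] >= 0) {` … `}` makes the skipped scope explicit. dca_filter_channels starts and ends outside the hunk.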
@@ -2841,8 +2841,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
         if (num_ref_idx_active_override_flag) {
             h->ref_count[0] = get_ue_golomb(&s->gb) + 1;
-            if (h->slice_type_nos == AV_PICTURE_TYPE_B)
+            if (h->ref_count[0] < 1)
+                return AVERROR_INVALIDDATA;
+            if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
                 h->ref_count[1] = get_ue_golomb(&s->gb) + 1;
+                if (h->ref_count[1] < 1)
+                    return AVERROR_INVALIDDATA;
+            }
         }
         if (h->slice_type_nos == AV_PICTURE_TYPE_B)
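Review bot: Both new checks store the decoded count into h->ref_count before validating it, so on the AVERROR_INVALIDDATA path the context is left holding the rejected value for any later error-concealment or next-slice code that reads it; decoding into a local first, `int count = get_ue_golomb(&s->gb) + 1;` / `if (count < 1) return AVERROR_INVALIDDATA;` / `h->ref_count[0] = count;` (and likewise for ref_count[1]), keeps h unchanged on failure. `< 1` only catches a negative or wrapped result from get_ue_golomb; nothing in the hunk bounds the counts from above, so the upper limit is presumably enforced after the hunk and a comment here such as `/* ue(v) + 1 can wrap to <= 0 on corrupt data; the upper bound is checked below */` would make that division of responsibility visible. decode_slice_header starts and ends outside the hunk.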