[MPlayer-cvslog] r37591 - in branches/1.2: . libmpcodecs/ad_hwac3.c libmpcodecs/ad_imaadpcm.c libmpcodecs/dec_audio.c libmpcodecs/mp_image.c libmpcodecs/vf.c libmpdemux/demux_gif.c
rtogni
subversion at mplayerhq.hu
Fri Jan 8 13:28:32 CET 2016
Author: rtogni
Date: Fri Jan 8 13:28:31 2016
New Revision: 37591
Log:
Merge r37583 - r37590 from trunk
-ad_hwac3: Fix access to NULL demuxer buffer by demux_getc()
-ad_imaadpcm: MS/QT IMA ADPCM and DK4 ADPCM can have only 1 or 2 channels
-demux_gif: do not crash on missing colormap.
-Make gif detection more robust in demuxer_gif.
-demux_gif: do not crash on broken graphic extension block.
-Sanitize audio parameters and prevent int32 overflow while calculating the
size of the codec output buffer.
-Sanitize image parameters and prevent int32 overflow while calculating the
size of the picture buffer.
-Prevent overflow in picture size buffer allocation also for the IF09 case
Modified:
branches/1.2/ (props changed)
branches/1.2/libmpcodecs/ad_hwac3.c
branches/1.2/libmpcodecs/ad_imaadpcm.c
branches/1.2/libmpcodecs/dec_audio.c
branches/1.2/libmpcodecs/mp_image.c
branches/1.2/libmpcodecs/vf.c
branches/1.2/libmpdemux/demux_gif.c
Modified: branches/1.2/libmpcodecs/ad_hwac3.c
==============================================================================
--- branches/1.2/libmpcodecs/ad_hwac3.c Fri Jan 8 00:38:44 2016 (r37590)
+++ branches/1.2/libmpcodecs/ad_hwac3.c Fri Jan 8 13:28:31 2016 (r37591)
@@ -168,6 +168,11 @@ static int preinit(sh_audio_t *sh)
static int init(sh_audio_t *sh_audio)
{
+ demux_stream_t *ds = sh_audio->ds;
+
+ /* Ensure that the demuxer buffer is not empty */
+ if(ds->buffer_pos >= ds->buffer_size && !ds_fill_buffer(ds))
+ return 0;
/* Dolby AC3 passthrough:*/
if(ac3dts_fillbuff(sh_audio) < 0)
{
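Review bot: The new early `return 0` in init() refuses the stream without emitting any message, and the channel-count check added to preinit() in ad_imaadpcm.c does the same, whereas the other sanity checks in this merge report through mp_msg(). A one-line diagnostic before each return, for example `mp_msg(MSGT_DECAUDIO, MSGL_WARN, "ad_hwac3: demuxer buffer is empty\n");`, would let whoever triages a malformed file see which guard rejected it. init() continues past the end of this hunk, so the rest of its error handling is not visible here.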
Modified: branches/1.2/libmpcodecs/ad_imaadpcm.c
==============================================================================
--- branches/1.2/libmpcodecs/ad_imaadpcm.c Fri Jan 8 00:38:44 2016 (r37590)
+++ branches/1.2/libmpcodecs/ad_imaadpcm.c Fri Jan 8 13:28:31 2016 (r37591)
@@ -92,6 +92,10 @@ static int preinit(sh_audio_t *sh_audio)
// not exactly sure what this field is for
sh_audio->audio_out_minsize = 8192;
+ // These formats can have only 1 or 2 channels
+ if (sh_audio->wf->nChannels != 1 && sh_audio->wf->nChannels != 2)
+ return 0;
+
// if format is "ima4", assume the audio is coming from a QT file which
// indicates constant block size, whereas an AVI/ASF/WAV file will fill
// in this field with 0x11
Modified: branches/1.2/libmpcodecs/dec_audio.c
==============================================================================
--- branches/1.2/libmpcodecs/dec_audio.c Fri Jan 8 00:38:44 2016 (r37590)
+++ branches/1.2/libmpcodecs/dec_audio.c Fri Jan 8 13:28:31 2016 (r37591)
@@ -118,6 +118,14 @@ static int init_audio_codec(sh_audio_t *
return 0;
}
+ if (sh_audio->channels < 0 || sh_audio->samplerate < 0 || sh_audio->samplesize < 0 ||
+ (int64_t)sh_audio->channels * sh_audio->samplerate > INT_MAX ||
+ (int64_t)sh_audio->channels * sh_audio->samplerate * sh_audio->samplesize > INT_MAX) {
+ mp_msg(MSGT_DECAUDIO, MSGL_WARN, "dec_audio: Unreasonable audio codec parameters\n");
+ uninit_audio(sh_audio); // free buffers
+ return 0;
+ }
+
if (!sh_audio->o_bps)
sh_audio->o_bps = sh_audio->channels * sh_audio->samplerate
* sh_audio->samplesize;
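Review bot: The third comparison in the new guard stays inside int64_t only because `||` short-circuits after the second comparison has already bounded channels*samplerate by INT_MAX; that ordering dependency is not documented. A comment above the condition such as `/* order matters: each product is bounded by the previous test before it is widened further */` would keep a later reordering from reintroducing an overflow. The include list is outside this hunk, so it is worth confirming that INT_MAX and int64_t are declared in this file.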
Modified: branches/1.2/libmpcodecs/mp_image.c
==============================================================================
--- branches/1.2/libmpcodecs/mp_image.c Fri Jan 8 00:38:44 2016 (r37590)
+++ branches/1.2/libmpcodecs/mp_image.c Fri Jan 8 13:28:31 2016 (r37591)
@@ -33,8 +33,22 @@
#include "mp_msg.h"
void mp_image_alloc_planes(mp_image_t *mpi) {
+ /* This condition is stricter than needed, but I want to be sure that every
+ * calculation step can fit in int32_t. This assumption is true over most of
+ * the code, so this acts as a safeguard for other image size calulations. */
+ if ((unsigned int)mpi->height + 2 > INT_MAX ||
+ (int64_t)mpi->width*(mpi->height+2) > INT_MAX ||
+ (int64_t)mpi->bpp*mpi->width*(mpi->height+2) > INT_MAX) {
+ mp_msg(MSGT_DECVIDEO,MSGL_WARN,"mp_image: Unreasonable image parameters\n");
+ return;
+ }
// IF09 - allocate space for 4. plane delta info - unused
if (mpi->imgfmt == IMGFMT_IF09) {
+ if ((int64_t)mpi->chroma_width*mpi->chroma_height > INT_MAX ||
+ mpi->bpp*mpi->width*(mpi->height+2)/8 > INT_MAX - mpi->chroma_width*mpi->chroma_height) {
+ mp_msg(MSGT_DECVIDEO,MSGL_WARN,"mp_image: Unreasonable image parameters\n");
+ return;
+ }
mpi->planes[0]=av_malloc(mpi->bpp*mpi->width*(mpi->height+2)/8+
mpi->chroma_width*mpi->chroma_height);
} else
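Review bot: The new guard in mp_image_alloc_planes() does not reject negative dimensions: with a height of -1 or -2 the expression `(unsigned int)mpi->height + 2` wraps to a small value, and a negative width makes both int64_t products negative, so none of the three `> INT_MAX` tests fires. Assuming width and height are signed int (the cast suggests so), the size expression passed to av_malloc() can then be negative. Starting the condition with `if (mpi->width < 0 || mpi->height < 0 || mpi->height > INT_MAX - 2 ||` would close that gap without relying on callers such as vf_get_image() to pre-check. The IF09 branch has the same gap for chroma_width and chroma_height, and the function body continues outside this hunk.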
Modified: branches/1.2/libmpcodecs/vf.c
==============================================================================
--- branches/1.2/libmpcodecs/vf.c Fri Jan 8 00:38:44 2016 (r37590)
+++ branches/1.2/libmpcodecs/vf.c Fri Jan 8 13:28:31 2016 (r37591)
@@ -294,6 +294,11 @@ mp_image_t* vf_get_image(vf_instance_t*
if (w == -1) w = vf->w;
if (h == -1) h = vf->h;
+ if (w < 0 || h < 0 || w > INT_MAX - 32) {
+ mp_msg(MSGT_DECVIDEO, MSGL_ERR, "vf_get_image: unreasonable picture size\n");
+ return NULL;
+ }
+
w2=(mp_imgflag&MP_IMGFLAG_ACCEPT_ALIGNED_STRIDE)?FFALIGN(w, 32):w;
if(vf->put_image==vf_next_put_image){
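Review bot: vf_get_image() gains two new `return NULL` paths, here and after mp_image_alloc_planes() in the next hunk, so any caller that uses the result without a check now dereferences NULL when given a file with crafted dimensions. The callers are outside this diff and should be audited. The size guard bounds `w` for FFALIGN(w, 32) but leaves `h` without an upper limit, apparently relying on the height+2 test in mp_image_alloc_planes(); a short comment saying so would help. The two failure messages also use different levels, MSGL_ERR and MSGL_FATAL, for what looks like the same recoverable condition.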
@@ -411,6 +416,11 @@ mp_image_t* vf_get_image(vf_instance_t*
}
mp_image_alloc_planes(mpi);
+ if (!(mpi->flags & MP_IMGFLAG_ALLOCATED)) { // allocation failed
+ mp_msg(MSGT_DECVIDEO, MSGL_FATAL, "vf_get_image: allocation of image planes failed!\n");
+ return NULL;
+ }
+
// printf("clearing img!\n");
vf_mpi_clear(mpi,0,0,mpi->width,mpi->height);
}
Modified: branches/1.2/libmpdemux/demux_gif.c
==============================================================================
--- branches/1.2/libmpdemux/demux_gif.c Fri Jan 8 00:38:44 2016 (r37590)
+++ branches/1.2/libmpdemux/demux_gif.c Fri Jan 8 13:28:31 2016 (r37591)
@@ -43,7 +43,7 @@ typedef struct {
uint8_t *refimg;
} gif_priv_t;
-#define GIF_SIGNATURE (('G' << 16) | ('I' << 8) | 'F')
+#define GIF_SIGNATURE (('G' << 24) | ('I' << 16) | ('F' << 8) | '8')
#if defined GIFLIB_MAJOR && GIFLIB_MAJOR >= 5
#define DGifOpen(a, b) DGifOpen(a, b, NULL)
@@ -84,8 +84,11 @@ static int my_read_gif(GifFileType *gif,
static int gif_check_file(demuxer_t *demuxer)
{
- if (stream_read_int24(demuxer->stream) == GIF_SIGNATURE)
- return DEMUXER_TYPE_GIF;
+ if (stream_read_dword(demuxer->stream) == GIF_SIGNATURE) {
+ int sig = stream_read_word(demuxer->stream);
+ if ((((sig & 0xff00) == 0x3700) || ((sig & 0xff00) == 0x3900)) && (sig & 0xff) == 'a')
+ return DEMUXER_TYPE_GIF;
+ }
return 0;
}
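Review bot: The version test `(sig & 0xff00) == 0x3700 || (sig & 0xff00) == 0x3900` hides that it matches the ASCII digits '7' and '9' of the "GIF87a" and "GIF89a" signatures, while the final byte is compared against the character `'a'`. Writing it as `(sig >> 8) == '7' || (sig >> 8) == '9'` (assuming stream_read_word() yields a 16-bit value), or adding `/* accept only "GIF87a" and "GIF89a" */`, would make the probe self-explanatory. The probe now consumes six bytes instead of three. Whether the stream is rewound before the next demuxer is tried is not visible in this hunk.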
@@ -143,7 +146,7 @@ static int demux_gif_fill_buffer(demuxer
}
if (code == 0xF9) {
int frametime = 0;
- if (p[0] == 4) // is the length correct?
+ if (p && p[0] == 4) // is the length correct?
{
transparency = p[1] & 1;
refmode = (p[1] >> 2) & 3;
@@ -204,6 +207,11 @@ static int demux_gif_fill_buffer(demuxer
effective_map = gif->Image.ColorMap;
if (effective_map == NULL) effective_map = gif->SColorMap;
+ if (effective_map == NULL) {
+ mp_msg(MSGT_DEMUX, MSGL_ERR, "[demux_gif] No local nor global colormap.\n");
+ free(buf);
+ return 0;
+ }
{
int y;
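Review bot: The new error path for a missing colormap frees only `buf` before `return 0`, so anything else allocated earlier in demux_gif_fill_buffer() for this frame would leak each time a crafted file takes this branch. The allocations are made outside this hunk, so this needs checking against the full function; if an output packet already exists at this point it should be released here as well. The function body starts and ends outside the hunk.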