From 02823f6d7188260dabb10c64d6dd74331e7772e0 Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Fri, 7 Dec 2012 23:03:01 +0000
Subject: Make LOCAL_ALIGNED syntactically similar on all systems
This changes the LOCAL_ALIGNED definition on systems where DECLARE_ALIGNED is used so it matches the manual alignment case, ensuring invalid use will not compile on x86 only to fail on everything else.
Signed-off-by: Mans Rullgard
---
 libavcodec/dsputil.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/dsputil.h b/libavcodec/dsputil.h
index f9c89069d5..364270b0b3 100644
--- a/libavcodec/dsputil.h
+++ b/libavcodec/dsputil.h
@@ -610,7 +610,9 @@ void ff_dsputil_init_dwt(DSPContext *c);
 uint8_t la_##v[sizeof(t s o) + (a)]; \
 t (*v) o = (void *)FFALIGN((uintptr_t)la_##v, a)
-#define LOCAL_ALIGNED_D(a, t, v, s, o, ...) DECLARE_ALIGNED(a, t, v) s o
+#define LOCAL_ALIGNED_D(a, t, v, s, o, ...) \
+ DECLARE_ALIGNED(a, t, la_##v) s o; \
+ t (*v) o = la_##v
 #define LOCAL_ALIGNED(a, t, v, ...) E(LOCAL_ALIGNED_A(a, t, v, __VA_ARGS__,,))
--
cgit v1.2.3
From e70c5b034c4787377e82cab2d5565486baec0c2a Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Mon, 10 Dec 2012 12:44:09 -0500
Subject: swfdec: do better validation of tag length
Avoids trying to read a packet with 0 or negative size. Avoids a potential infinite loop due to seeking backwards. Partially based on a patch by Michael Niedermayer.
---
 libavformat/swfdec.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
index f105c141c6..d8a9852a89 100644
--- a/libavformat/swfdec.c
+++ b/libavformat/swfdec.c
@@ -100,6 +100,10 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
 tag = get_swf_tag(pb, &len);
 if (tag < 0)
 return AVERROR(EIO);
+ if (len < 0) {
+ av_log(s, AV_LOG_ERROR, "invalid tag length: %d\n", len);
+ return AVERROR_INVALIDDATA;
+ }
 if (tag == TAG_VIDEOSTREAM) {
 int ch_id = avio_rl16(pb);
 len -= 2;
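Review bot: The new `LOCAL_ALIGNED_D` in libavcodec/dsputil.h turns `v` from what was presumably an array object (the `DECLARE_ALIGNED` definition is not visible here) into a pointer, `t (*v) o = la_##v`, and nothing at the macro documents that. `sizeof(v)` compiles in both the old and the new form, so a caller that sized a `memset` or a bounds check with it would now silently get the pointer size instead of a compile error. A comment above the macro would make the contract explicit, for example `/* v is a pointer to the aligned storage on every platform; never use sizeof(v) for the buffer size */`. The `LOCAL_ALIGNED_A` definition this mirrors starts outside the hunk.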
@@ -161,7 +165,10 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
 st = s->streams[i];
 if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) {
 frame = avio_rl16(pb);
- if ((res = av_get_packet(pb, pkt, len-2)) < 0)
+ len -= 2;
+ if (len <= 0)
+ goto skip;
+ if ((res = av_get_packet(pb, pkt, len)) < 0)
 return res;
 pkt->pos = pos;
 pkt->pts = frame;
@@ -175,9 +182,14 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
 if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) {
 if (st->codec->codec_id == AV_CODEC_ID_MP3) {
 avio_skip(pb, 4);
- if ((res = av_get_packet(pb, pkt, len-4)) < 0)
+ len -= 4;
+ if (len <= 0)
+ goto skip;
+ if ((res = av_get_packet(pb, pkt, len)) < 0)
 return res;
 } else { // ADPCM, PCM
+ if (len <= 0)
+ goto skip;
 if ((res = av_get_packet(pb, pkt, len)) < 0)
 return res;
 }
@@ -203,7 +215,10 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
 st = vst;
 }
 avio_rl16(pb); /* BITMAP_ID */
- if ((res = av_new_packet(pkt, len-2)) < 0)
+ len -= 2;
+ if (len < 4)
+ goto skip;
+ if ((res = av_new_packet(pkt, len)) < 0)
 return res;
 avio_read(pb, pkt->data, 4);
 if (AV_RB32(pkt->data) == 0xffd8ffd9 ||
@@ -220,6 +235,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
 return pkt->size;
 }
 skip:
+ len = FFMAX(0, len);
 avio_skip(pb, len);
 }
 }
--
cgit v1.2.3
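Review bot: The `avio_read(pb, pkt->data, 4);` call kept as context right after the new `len < 4` check still ignores its return value, so the following `AV_RB32(pkt->data)` comparison can run on packet bytes that may never have been filled when the file is truncated. The added check only validates the length the tag declares, not that those bytes are actually present in the stream. Checking the read would close that gap, for example `if (avio_read(pb, pkt->data, 4) != 4) { av_free_packet(pkt); return AVERROR_INVALIDDATA; }`. The rest of this JPEG branch lies outside the hunk, so its later reads may need the same treatment.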
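Review bot: The clamp `len = FFMAX(0, len);` at the `skip:` label has no comment saying when `len` can be negative at this point or why it must not reach `avio_skip`. From the visible lines this appears to happen when a branch subtracts fixed header sizes (such as the `len -= 2;` after `avio_rl16` in the first hunk) from a tag shorter than those fields. In that case the reader has already consumed bytes past the tag boundary, so parsing continues from a position that no longer lines up with the tag stream. I would add `/* len is negative when a tag is shorter than its fixed fields; never seek backwards */` above the clamp, and consider an `av_log` warning there so the desync is visible. The enclosing loop starts outside the hunk.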