From 8c3a643808fc89c8003478ea952187cd9fe5d27a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 23:24:45 +0100 Subject: libschroedingerdec: don't produce empty frames They are not valid and can cause problems/crashes for API users. Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libavcodec') diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index f173f92f04..56b2f6d778 100644 --- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -307,7 +307,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, /* Grab next frame to be returned from the top of the queue. */ framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); - if (framewithpts && framewithpts->frame) { + if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { if (ff_get_buffer(avctx, avframe, 0) < 0) { av_log(avctx, AV_LOG_ERROR, "Unable to allocate buffer\n"); return AVERROR(ENOMEM); -- cgit v1.2.3 From dc2ad094931de2b28c63eaa5614756ed74e2579e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 2 Dec 2016 22:52:44 +0100 Subject: libschroedingerdec: fix leaking of framewithpts Also preserve the return value from ff_get_buffer(). Signed-off-by: Andreas Cadhalpun Signed-off-by: Vittorio Giovara --- libavcodec/libschroedingerdec.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index 56b2f6d778..69eed01ce0 100644 --- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -218,6 +218,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, int outer = 1; SchroParseUnitContext parse_ctx; LibSchroFrameContext *framewithpts = NULL; + int ret; *got_frame = 0; @@ -308,9 +309,9 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { - if (ff_get_buffer(avctx, avframe, 0) < 0) { + if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0) { av_log(avctx, AV_LOG_ERROR, "Unable to allocate buffer\n"); - return AVERROR(ENOMEM); + goto end; } memcpy(avframe->data[0], @@ -337,15 +338,17 @@ FF_ENABLE_DEPRECATION_WARNINGS avframe->linesize[2] = framewithpts->frame->components[2].stride; *got_frame = 1; - - /* Now free the frame resources. */ - libschroedinger_decode_frame_free(framewithpts->frame); - av_free(framewithpts); } else { data = NULL; *got_frame = 0; } - return buf_size; + ret = buf_size; +end: + /* Now free the frame resources. */ + if (framewithpts && framewithpts->frame) + libschroedinger_decode_frame_free(framewithpts->frame); + av_freep(&framewithpts); + return ret; } -- cgit v1.2.3 From fc85646ad495f3418042468da415af73a7a07334 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 01:06:35 +0100 Subject: libopusdec: fix out-of-bounds read Signed-off-by: Andreas Cadhalpun --- libavcodec/libopusdec.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'libavcodec') diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index 75eaf9bd48..781635615c 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -48,6 +48,13 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) avc->channels = 2; } + avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_WARNING, + "Invalid number of channels %d, defaulting to stereo\n", avc->channels); + avc->channels = 2; + } + avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; -- cgit v1.2.3