From e73c6aaabff1169899184c382385fe9afae5b068 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 21 Mar 2012 16:10:37 -0700 Subject: asf: reset side data elements on packet copy. Prevents crash (double free) when free()ing the original packet. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavformat/asfdec.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'libavformat') diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 07899609c9..d3869b427b 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -1072,6 +1072,8 @@ static int ff_asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pk //printf("packet %d %d\n", asf_st->pkt.size, asf->packet_frag_size); asf_st->pkt.size = 0; asf_st->pkt.data = 0; + asf_st->pkt.side_data_elems = 0; + asf_st->pkt.side_data = NULL; break; // packet completed } } -- cgit v1.2.3 From 3e6e89b3d61876b49f4c5d17a36d40e96ccf7ce4 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Mar 2012 09:35:45 -0700 Subject: mov: Add missing terminator to mov_ch_layout_map_1ch. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: Libav-stable@libav.org --- libavformat/mov_chan.c | 1 + 1 file changed, 1 insertion(+) (limited to 'libavformat') diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 5728ebd898..a0fbecc991 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -155,6 +155,7 @@ static const struct MovChannelLayoutMap mov_ch_layout_map_misc[] = { static const struct MovChannelLayoutMap mov_ch_layout_map_1ch[] = { { MOV_CH_LAYOUT_MONO, AV_CH_LAYOUT_MONO }, // C + { 0, 0 }, }; static const struct MovChannelLayoutMap mov_ch_layout_map_2ch[] = { -- cgit v1.2.3 From 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Mar 2012 11:24:10 -0700 Subject: mov: Do not read past the end of the ctts_data table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libavformat') diff --git a/libavformat/mov.c b/libavformat/mov.c index 7b21423afa..75dec37872 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2713,7 +2713,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->stream_index = sc->ffindex; pkt->dts = sample->timestamp; - if (sc->ctts_data) { + if (sc->ctts_data && sc->ctts_index < sc->ctts_count) { pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration; /* update ctts context */ sc->ctts_sample++; -- cgit v1.2.3 From 5023b89bba198b2f8e43b7f555aeb9c30d33db9f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Mar 2012 10:58:07 -0700 Subject: xwma: Validate channels and bits_per_coded_sample. This prevents a SIGFPE later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavformat/xwma.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'libavformat') diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 2c6ee114bd..7b34b96433 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -115,6 +115,17 @@ static int xwma_read_header(AVFormatContext *s) } } + if (!st->codec->channels) { + av_log(s, AV_LOG_WARNING, "Invalid channel count: %d\n", + st->codec->channels); + return AVERROR_INVALIDDATA; + } + if (!st->codec->bits_per_coded_sample) { + av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", + st->codec->bits_per_coded_sample); + return AVERROR_INVALIDDATA; + } + /* set the sample rate */ avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); -- cgit v1.2.3