hi In the previous email I forgot some facts :-> 1) I added a small patch from upstream in stream/cache2.c; this fixes a bug in caching streams in gmplayer (Closes: #396962), due to the fact that forked processes cannot use a GTK gui; 2) Also, I added in debian/patches all patches that I applied or I am working on; 3) I corrected a typo in libmpcodecs/vf.c. I am attaching an interdiff that does not contain i18n stuff and all files in debian/patches (so it is more readable). On Tue, Jan 30, 2007 at 05:18:42PM +0100, Luk Claes wrote: > > Please upload so we can look at the actual diff, most things mentioned > look acceptable at first sight... uploaded a. -- Andrea Mennucc "The EULA sounds like it was written by a team of lawyers who want to tell me what I can't do, and the GPL sounds like it was written by a human being who wants me to know what I can do." Anonymous, http://www.securityfocus.com/columnists/420
diff -u mplayer-1.0~rc1/libmpcodecs/vf.c mplayer-1.0~rc1/libmpcodecs/vf.c
--- mplayer-1.0~rc1/libmpcodecs/vf.c
+++ mplayer-1.0~rc1/libmpcodecs/vf.c
@@ -325,7 +325,7 @@
 if(mpi->width<w2 || mpi->height<h){
 // need to re-allocate buffer memory:
 free(mpi->planes[0]);
- mpi->planes[0]==NULL;
+ mpi->planes[0]=NULL;
 mpi->flags&=~MP_IMGFLAG_ALLOCATED;
 mp_msg(MSGT_VFILTER,MSGL_V,"vf.c: have to REALLOCATE buffer memory :(\n");
 }
diff -u mplayer-1.0~rc1/debian/changelog mplayer-1.0~rc1/debian/changelog
--- mplayer-1.0~rc1/debian/changelog
+++ mplayer-1.0~rc1/debian/changelog
@@ -1,3 +1,26 @@
+mplayer (1.0~rc1-12) unstable; urgency=medium
+
+ * (possible) security fixes backported from SVN
+ 7585 7586 7591 for libavcodec/h264.c
+ 7640 7650 for libavformat/asf.c
+ all thanks to Michael Niedermeyer
+ * Czech debconf translation; thanks to Miroslav Kure (Closes: #408626).
+ * Portuguese debconf translation; thanks to Traduz! (Closes: #408449).
+ * Swedish debconf translation; thanks to Andreas Henriksson (Closes: #407864).
+ * binary_codecs.sh should specify umask;
+ thanks to Linas Žvirblis (Closes: #406346).
+ * clarify dependencies (do not pick up them randomly!),
+ thanks to EspeonEefi (Closes: #405170);
+ debian/rules: when configuring, disable also: arts , jack , aa , dv , smb
+ debian/control: depend on: lzo, speex, dts, ladspa, gl (mesa)
+ * the above adds opengl video output (Closes: #400934).
+ * forked processes cannot use GTK gui; this fixes bug in caching streams
+ in gmplayer (Closes: #396962)
+ thanks to martin f krafft and Reimar Döffinger for patch.
+ * added in debian/patches all patches that I applied or I am working on
+
+ -- A Mennucc1 <mennucc1@debian.org> Wed, 31 Jan 2007 10:30:24 +0100
+
 mplayer (1.0~rc1-11) unstable; urgency=high
 * fix for CVE-2006-6172
diff -u mplayer-1.0~rc1/debian/rules mplayer-1.0~rc1/debian/rules
--- mplayer-1.0~rc1/debian/rules
+++ mplayer-1.0~rc1/debian/rules
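Review bot: The corrected `mpi->planes[0]=NULL;` deserves a comment, because the old `==` form compiled cleanly yet left a dangling pointer behind the `free(mpi->planes[0]);` directly above it, and nothing in the hunk says the assignment is load-bearing. Suggest `mpi->planes[0]=NULL; // freed above; clear it so the re-allocation path cannot see a stale pointer`. A `-Wunused-value` build would have flagged the original no-op comparison. The enclosing function starts and ends outside the hunk.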
@@ -112,7 +112,7 @@
 ## This can be overridden from the command line, see README.Debian.
-DEB_BUILD_CONFIGURE=--disable-bitmap-font --enable-runtime-cpudetection --disable-ggi --disable-xvid --disable-gl --language=all --disable-xmms --disable-no-PIC $(archconf)
+DEB_BUILD_CONFIGURE=--disable-bitmap-font --enable-runtime-cpudetection --disable-ggi --disable-xvid --language=all --disable-xmms --disable-no-PIC --disable-arts --disable-jack --disable-aa --disable-libdv --disable-smb $(archconf)
 ifeq ($(DFSG),)
 DEB_BUILD_CONFIGURE += --disable-mpdvdkit --enable-dvdread --disable-mencoder
diff -u mplayer-1.0~rc1/debian/scripts/binary_codecs.sh mplayer-1.0~rc1/debian/scripts/binary_codecs.sh
--- mplayer-1.0~rc1/debian/scripts/binary_codecs.sh
+++ mplayer-1.0~rc1/debian/scripts/binary_codecs.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 set -e
+umask 0022
 # This script will download binary codecs for MPlayer unto a Debian system.
diff -u mplayer-1.0~rc1/debian/control mplayer-1.0~rc1/debian/control
--- mplayer-1.0~rc1/debian/control
+++ mplayer-1.0~rc1/debian/control
@@ -6,9 +6,9 @@
 Standards-Version: 3.7.2.0
 Build-Depends-Indep:
 Build-Depends: debhelper (>= 4), make (>= 3.80), pkg-config, po-debconf,
- libsdl1.2-dev | libsdl1.1-dev, svgalibg1-dev [i386],
- libmad0-dev, libpng-dev, libncurses5-dev, zlib1g-dev,
- libtheora-dev (>= 0.0.0.alpha3-1), libesd0-dev,
+ libsdl1.2-dev | libsdl1.1-dev, svgalibg1-dev [i386], libdts-dev, ladspa-sdk,
+ libmad0-dev, libpng-dev, libncurses5-dev, zlib1g-dev, libspeex-dev,
+ libtheora-dev (>= 0.0.0.alpha3-1), libesd0-dev, liblzo-dev, libgl1-mesa-dev,
 libasound2-dev (>= 1.0.6-3) [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
 libvorbis-dev, liblircclient-dev, libfreetype6-dev, libdvdread3-dev,
 libcdparanoia0-dev, libfontconfig1-dev, libjpeg62-dev, libungif4-dev,
diff -u mplayer-1.0~rc1/debian/control.in mplayer-1.0~rc1/debian/control.in
--- mplayer-1.0~rc1/debian/control.in
+++ mplayer-1.0~rc1/debian/control.in
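Review bot: `umask 0022` in binary_codecs.sh is added without saying why, so a reader of the script alone cannot tell that it deliberately overrides whatever restrictive umask the invoking shell had, so that the files this script installs get their default world-readable modes. Suggest `umask 0022 # do not inherit the caller's umask: installed codec files must be readable by all users (#406346)`. Placing it right after `set -e`, before any download or extraction, is the right spot. The rest of the script lies outside the hunk.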
@@ -6,9 +6,9 @@
 Standards-Version: 3.7.2.0
 Build-Depends-Indep: @DOCDEP@
 Build-Depends: debhelper (>= 4), make (>= 3.80), pkg-config, po-debconf,
- libsdl1.2-dev | libsdl1.1-dev, svgalibg1-dev [i386],
- libmad0-dev, libpng-dev, libncurses5-dev, zlib1g-dev,
- libtheora-dev (>= 0.0.0.alpha3-1), libesd0-dev,
+ libsdl1.2-dev | libsdl1.1-dev, svgalibg1-dev [i386], libdts-dev, ladspa-sdk,
+ libmad0-dev, libpng-dev, libncurses5-dev, zlib1g-dev, libspeex-dev,
+ libtheora-dev (>= 0.0.0.alpha3-1), libesd0-dev, liblzo-dev, libgl1-mesa-dev,
 libasound2-dev (>= 1.0.6-3) [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
 libvorbis-dev, liblircclient-dev, libfreetype6-dev, libdvdread3-dev,
 libcdparanoia0-dev, libfontconfig1-dev, libjpeg62-dev, libungif4-dev,
diff -u mplayer-1.0~rc1/libavcodec/h264.c mplayer-1.0~rc1/libavcodec/h264.c
--- mplayer-1.0~rc1/libavcodec/h264.c
+++ mplayer-1.0~rc1/libavcodec/h264.c
@@ -117,12 +117,12 @@
 * Picture parameter set
 */
 typedef struct PPS{
- int sps_id;
+ unsigned int sps_id;
 int cabac; ///< entropy_coding_mode_flag
 int pic_order_present; ///< pic_order_present_flag
 int slice_group_count; ///< num_slice_groups_minus1 + 1
 int mb_slice_group_map_type;
- int ref_count[2]; ///< num_ref_idx_l0/1_active_minus1 + 1
+ unsigned int ref_count[2]; ///< num_ref_idx_l0/1_active_minus1 + 1
 int weighted_pred; ///< weighted_pred_flag
 int weighted_bipred_idc;
 int init_qp; ///< pic_init_qp_minus26 + 26
@@ -288,7 +288,7 @@
 int mb_field_decoding_flag;
 int mb_mbaff; ///< mb_aff_frame && mb_field_decoding_flag
- int sub_mb_type[4];
+ unsigned int sub_mb_type[4];
 //POC stuff
 int poc_lsb;
@@ -339,7 +339,7 @@
 /**
 * num_ref_idx_l0/1_active_minus1 + 1
 */
- int ref_count[2]; ///< counts frames or fields, depending on current mb mode
+ unsigned int ref_count[2]; ///< counts frames or fields, depending on current mb mode
 Picture *short_ref[32];
 Picture *long_ref[32];
 Picture default_ref_list[2][32];
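Review bot: Retyping `ref_count[2]` as `unsigned int` in both the PPS and the context struct changes the type behind every `av_log` that prints these fields, and the two debug dumps later in this patch (`ref:%d/%d` in the slice-header hunk at @@ -4889 and the PPS hunk at @@ -7982) keep `%d`; their argument lists are cut off in those hunks, but if the arguments are the ref_count fields, as the label suggests, they now mismatch, which is undefined behaviour for printf-style functions even where it happens to print correctly. Those two format strings should then become `ref:%u/%u`. Any signed comparison elsewhere against these fields is now unsigned too, which is the intent for bounds checks but worth a grep for `< 0` tests. The struct definitions continue outside the hunks.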
@@ -363,6 +363,7 @@
 GetBitContext *inter_gb_ptr;
 DECLARE_ALIGNED_8(DCTELEM, mb[16*24]);
+ DCTELEM mb_padding[256]; ///< as mb is addressed by scantable[i] and scantable is uint8_t we can either check that i is not to large or ensure that there is some unused stuff after mb
 /**
 * Cabac
@@ -1407,7 +1408,7 @@
 const int8_t *l1ref0 = &h->ref_list[1][0].ref_index[0][b8_xy];
 const int8_t *l1ref1 = &h->ref_list[1][0].ref_index[1][b8_xy];
 const int is_b8x8 = IS_8X8(*mb_type);
- int sub_mb_type;
+ unsigned int sub_mb_type;
 int i8, i4;
 #define MB_TYPE_16x16_OR_INTRA (MB_TYPE_16x16|MB_TYPE_INTRA4x4|MB_TYPE_INTRA16x16|MB_TYPE_INTRA_PCM)
@@ -1789,6 +1790,10 @@
 h->rbsp_buffer= av_fast_realloc(h->rbsp_buffer, &h->rbsp_buffer_size, length);
 dst= h->rbsp_buffer;
+ if (dst == NULL){
+ return NULL;
+ }
+
 //printf("decoding esc\n");
 si=di=0;
 while(si<length){
@@ -4039,8 +4044,8 @@
 int pred= h->curr_pic_num;
 for(index=0; ; index++){
- int reordering_of_pic_nums_idc= get_ue_golomb(&s->gb);
- int pic_id;
+ unsigned int reordering_of_pic_nums_idc= get_ue_golomb(&s->gb);
+ unsigned int pic_id;
 int i;
 Picture *ref = NULL;
@@ -4054,7 +4059,7 @@
 if(reordering_of_pic_nums_idc<3){
 if(reordering_of_pic_nums_idc<2){
- const int abs_diff_pic_num= get_ue_golomb(&s->gb) + 1;
+ const unsigned int abs_diff_pic_num= get_ue_golomb(&s->gb) + 1;
 if(abs_diff_pic_num >= h->max_pic_num){
 av_log(h->s.avctx, AV_LOG_ERROR, "abs_diff_pic_num overflow\n");
@@ -4076,11 +4081,19 @@
 ref->pic_id= ref->frame_num;
 }else{
 pic_id= get_ue_golomb(&s->gb); //long_term_pic_idx
+ if(pic_id>31){
+ av_log(h->s.avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n");
+ return -1;
+ }
 ref = h->long_ref[pic_id];
- ref->pic_id= pic_id;
- assert(ref->reference == 3);
- assert(ref->long_ref);
- i=0;
+ if(ref){
+ ref->pic_id= pic_id;
+ assert(ref->reference == 3);
+ assert(ref->long_ref);
+ i=0;
+ }else{
+ i=-1;
+ }
 }
 if (i < 0) {
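Review bot: The new NULL check after `h->rbsp_buffer= av_fast_realloc(h->rbsp_buffer, &h->rbsp_buffer_size, length);` stops the immediate dereference, but because the result is written straight back into `h->rbsp_buffer` a failed growth also overwrites the only pointer to the previous buffer, and if av_fast_realloc updates `h->rbsp_buffer_size` before failing (its implementation is not in the hunk) the context is left with a NULL buffer and a non-zero size, which the next NAL will trust. Reallocating through a temporary and resetting `h->rbsp_buffer_size= 0;` on failure keeps the context consistent. The enclosing function begins before and ends after the hunk.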
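Review bot: `if(pic_id>31)` in the long_term_pic_idx hunk restates the size of `Picture *long_ref[32]` as a magic number, while the poc_cycle_length check added later in this patch derives its bound from the array itself; this check should do the same so the two cannot drift when the array is resized: `if(pic_id >= sizeof(h->long_ref)/sizeof(h->long_ref[0])){`. The `if(ref){ ... }else{ i=-1; }` fallback that follows is the right shape, since a missing long-term reference is then reported through the existing `if (i < 0)` path. The enclosing loop starts before the hunk.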
@@ -4386,8 +4399,10 @@
 if(pic) unreference_pic(h, pic);
 h->long_ref[ mmco[i].long_index ]= remove_short(h, mmco[i].short_frame_num);
- h->long_ref[ mmco[i].long_index ]->long_ref=1;
- h->long_ref_count++;
+ if (h->long_ref[ mmco[i].long_index ]){
+ h->long_ref[ mmco[i].long_index ]->long_ref=1;
+ h->long_ref_count++;
+ }
 break;
 case MMCO_LONG2UNUSED: pic= remove_long(h, mmco[i].long_index);
@@ -4417,7 +4432,7 @@
 case MMCO_RESET: while(h->short_ref_count){
 pic= remove_short(h, h->short_ref[0]->frame_num);
- unreference_pic(h, pic);
+ if(pic) unreference_pic(h, pic);
 }
 for(j = 0; j < 16; j++) {
 pic= remove_long(h, j);
@@ -4475,14 +4490,15 @@
 }*/
 }
 if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){
- h->mmco[i].long_index= get_ue_golomb(&s->gb);
- if(/*h->mmco[i].long_index >= h->long_ref_count || h->long_ref[ h->mmco[i].long_index ] == NULL*/ h->mmco[i].long_index >= 16){
+ unsigned int long_index= get_ue_golomb(&s->gb);
+ if(/*h->mmco[i].long_index >= h->long_ref_count || h->long_ref[ h->mmco[i].long_index ] == NULL*/ long_index >= 16){
 av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode);
 return -1;
 }
+ h->mmco[i].long_index= long_index;
 }
- if(opcode > MMCO_LONG){
+ if(opcode > (unsigned)MMCO_LONG){
 av_log(h->s.avctx, AV_LOG_ERROR, "illegal memory management control operation %d\n", opcode);
 return -1;
 }
@@ -4600,10 +4616,11 @@
 */
 static int decode_slice_header(H264Context *h){
 MpegEncContext * const s = &h->s;
- int first_mb_in_slice, pps_id;
+ unsigned int first_mb_in_slice;
+ unsigned int pps_id;
 int num_ref_idx_active_override_flag;
 static const uint8_t slice_type_map[5]= {P_TYPE, B_TYPE, I_TYPE, SP_TYPE, SI_TYPE};
- int slice_type;
+ unsigned int slice_type, tmp;
 int default_ref_list_done = 0;
 s->current_picture.reference= h->nal_ref_idc != 0;
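Review bot: In the MMCO_RESET hunk the new `if(pic) unreference_pic(h, pic);` turns a NULL dereference into a possible endless loop: `while(h->short_ref_count)` only terminates if `remove_short()` decrements `short_ref_count`, and if it can return NULL without doing so — presumably the case the guard was added for — the loop never exits, so a malformed stream now hangs the decoder instead of crashing it. Breaking out when the removal fails, `if(!pic) break;` before the unreference call, keeps the stream rejected but bounded. The same NULL result is handled safely in the MMCO_SHORT2LONG hunk on this line because no loop depends on it there. The enclosing switch starts before the hunk.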
@@ -4632,7 +4649,7 @@
 s->pict_type= h->slice_type; // to make a few old func happy, it's wrong though
 pps_id= get_ue_golomb(&s->gb);
- if(pps_id>255){
+ if(pps_id>=MAX_PPS_COUNT){
 av_log(h->s.avctx, AV_LOG_ERROR, "pps_id out of range\n");
 return -1;
 }
@@ -4756,12 +4773,15 @@
 h->mb_aff_frame = h->sps.mb_aff;
 }
 }
-
- s->resync_mb_x = s->mb_x = first_mb_in_slice % s->mb_width;
- s->resync_mb_y = s->mb_y = (first_mb_in_slice / s->mb_width) << h->mb_aff_frame;
- if(s->mb_y >= s->mb_height){
+ assert(s->mb_num == s->mb_width * s->mb_height);
+ if(first_mb_in_slice << h->mb_aff_frame >= s->mb_num ||
+ first_mb_in_slice >= s->mb_num){
+ av_log(h->s.avctx, AV_LOG_ERROR, "first_mb_in_slice overflow\n");
 return -1;
 }
+ s->resync_mb_x = s->mb_x = first_mb_in_slice % s->mb_width;
+ s->resync_mb_y = s->mb_y = (first_mb_in_slice / s->mb_width) << h->mb_aff_frame;
+ assert(s->mb_y < s->mb_height);
 if(s->picture_structure==PICT_FRAME){
 h->curr_pic_num= h->frame_num;
@@ -4815,6 +4835,7 @@
 if(h->ref_count[0] > 32 || h->ref_count[1] > 32){
 av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+ h->ref_count[0]= h->ref_count[1]= 1;
 return -1;
 }
 }
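Review bot: The two-clause test `first_mb_in_slice << h->mb_aff_frame >= s->mb_num || first_mb_in_slice >= s->mb_num` reads as redundant, and the second clause is presumably there because the left shift of an `unsigned int` can wrap for a very large first_mb_in_slice and let the first clause pass; without a comment the next reader will simplify it away. Suggest `// keep both tests: the shifted value can wrap around for huge first_mb_in_slice`. Note also that `assert(s->mb_num == s->mb_width * s->mb_height);` disappears under NDEBUG, so the protection rests entirely on `s->mb_num` being kept consistent elsewhere; a comment stating that would be better than implying the assert enforces it. decode_slice_header continues beyond the hunk.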
@@ -4841,15 +4862,22 @@
 if(FRAME_MBAFF) fill_mbaff_ref_list(h);
- if( h->slice_type != I_TYPE && h->slice_type != SI_TYPE && h->pps.cabac )
- h->cabac_init_idc = get_ue_golomb(&s->gb);
+ if( h->slice_type != I_TYPE && h->slice_type != SI_TYPE && h->pps.cabac ){
+ tmp = get_ue_golomb(&s->gb);
+ if(tmp > 2){
+ av_log(s->avctx, AV_LOG_ERROR, "cabac_init_idc overflow\n");
+ return -1;
+ }
+ h->cabac_init_idc= tmp;
+ }
 h->last_qscale_diff = 0;
- s->qscale = h->pps.init_qp + get_se_golomb(&s->gb);
- if(s->qscale<0 || s->qscale>51){
- av_log(s->avctx, AV_LOG_ERROR, "QP %d out of range\n", s->qscale);
+ tmp = h->pps.init_qp + get_se_golomb(&s->gb);
+ if(tmp>51){
+ av_log(s->avctx, AV_LOG_ERROR, "QP %u out of range\n", tmp);
 return -1;
 }
+ s->qscale= tmp;
 h->chroma_qp = get_chroma_qp(h->pps.chroma_qp_index_offset, s->qscale);
 //FIXME qscale / qp ... stuff
 if(h->slice_type == SP_TYPE){
@@ -4863,7 +4891,12 @@
 h->slice_alpha_c0_offset = 0;
 h->slice_beta_offset = 0;
 if( h->pps.deblocking_filter_parameters_present ) {
- h->deblocking_filter= get_ue_golomb(&s->gb);
+ tmp= get_ue_golomb(&s->gb);
+ if(tmp > 2){
+ av_log(s->avctx, AV_LOG_ERROR, "deblocking_filter_idc %u out of range\n", tmp);
+ return -1;
+ }
+ h->deblocking_filter= tmp;
 if(h->deblocking_filter < 2) h->deblocking_filter^= 1; // 1<->0
@@ -4889,7 +4922,7 @@
 h->emu_edge_height= FRAME_MBAFF ? 0 : h->emu_edge_width;
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
- av_log(h->s.avctx, AV_LOG_DEBUG, "slice:%d %s mb:%d %c pps:%d frame:%d poc:%d/%d ref:%d/%d qp:%d loop:%d:%d:%d weight:%d%s\n",
+ av_log(h->s.avctx, AV_LOG_DEBUG, "slice:%d %s mb:%d %c pps:%u frame:%d poc:%d/%d ref:%d/%d qp:%d loop:%d:%d:%d weight:%d%s\n",
 h->slice_num, (s->picture_structure==PICT_FRAME ? "F" : s->picture_structure==PICT_TOP_FIELD ? "T" : "B"), first_mb_in_slice,
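Review bot: `if(tmp>51)` silently relies on `tmp` being unsigned (it is declared `unsigned int slice_type, tmp;` in the decode_slice_header hunk) so that a negative `h->pps.init_qp + get_se_golomb()` wraps above 51 and is rejected along with the old `s->qscale<0` case; that is correct but fragile, since retyping tmp to `int` later would quietly reopen the negative range. Suggest `if(tmp>51){ // tmp is unsigned: a negative QP wraps and is rejected here as well`. The cabac_init_idc and deblocking_filter_idc checks in this line's hunks lean on the same property and would benefit from the same one-line note at the first of them. decode_slice_header continues beyond the hunk.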
@@ -5156,7 +5189,8 @@
 static int decode_mb_cavlc(H264Context *h){
 MpegEncContext * const s = &h->s;
 const int mb_xy= s->mb_x + s->mb_y*s->mb_stride;
- int mb_type, partition_count, cbp;
+ int partition_count;
+ unsigned int mb_type, cbp;
 int dct8x8_allowed= h->pps.transform_8x8_mode;
 if(s->dsp.clear_blocks)
@@ -5271,6 +5305,7 @@
 //mb_pred
 if(IS_INTRA(mb_type)){
+ int pred_mode;
 // init_top_left_availability(h);
 if(IS_INTRA4x4(mb_type)){
 int i;
@@ -5302,11 +5337,11 @@
 if(h->intra16x16_pred_mode < 0)
 return -1;
 }
- h->chroma_pred_mode= get_ue_golomb(&s->gb);
- h->chroma_pred_mode= check_intra_pred_mode(h, h->chroma_pred_mode);
- if(h->chroma_pred_mode < 0)
+ pred_mode= check_intra_pred_mode(h, get_ue_golomb(&s->gb));
+ if(pred_mode < 0)
 return -1;
+ h->chroma_pred_mode= pred_mode;
 }else if(partition_count==4){
 int i, j, sub_partition_count[4], list, ref[2][4];
@@ -5314,7 +5349,7 @@
 for(i=0; i<4; i++){
 h->sub_mb_type[i]= get_ue_golomb(&s->gb);
 if(h->sub_mb_type[i] >=13){
- av_log(h->s.avctx, AV_LOG_ERROR, "B sub_mb_type %d out of range at %d %d\n", h->sub_mb_type[i], s->mb_x, s->mb_y);
+ av_log(h->s.avctx, AV_LOG_ERROR, "B sub_mb_type %u out of range at %d %d\n", h->sub_mb_type[i], s->mb_x, s->mb_y);
 return -1;
 }
 sub_partition_count[i]= b_sub_mb_type_info[ h->sub_mb_type[i] ].partition_count;
@@ -5333,7 +5368,7 @@
 for(i=0; i<4; i++){
 h->sub_mb_type[i]= get_ue_golomb(&s->gb);
 if(h->sub_mb_type[i] >=4){
- av_log(h->s.avctx, AV_LOG_ERROR, "P sub_mb_type %d out of range at %d %d\n", h->sub_mb_type[i], s->mb_x, s->mb_y);
+ av_log(h->s.avctx, AV_LOG_ERROR, "P sub_mb_type %u out of range at %d %d\n", h->sub_mb_type[i], s->mb_x, s->mb_y);
 return -1;
 }
 sub_partition_count[i]= p_sub_mb_type_info[ h->sub_mb_type[i] ].partition_count;
@@ -5347,7 +5382,12 @@
 for(i=0; i<4; i++){
 if(IS_DIRECT(h->sub_mb_type[i])) continue;
 if(IS_DIR(h->sub_mb_type[i], 0, list)){
- ref[list][i] = get_te0_golomb(&s->gb, ref_count); //FIXME init to 0 before and skip?
+ unsigned int tmp = get_te0_golomb(&s->gb, ref_count); //FIXME init to 0 before and skip?
+ if(tmp>=ref_count){
+ av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", tmp);
+ return -1;
+ }
+ ref[list][i]= tmp;
 }else{
 //FIXME
 ref[list][i] = -1;
@@ -5416,7 +5456,11 @@
 for(list=0; list<2; list++){
 if(h->ref_count[list]>0){
 if(IS_DIR(mb_type, 0, list)){
- const int val= get_te0_golomb(&s->gb, h->ref_count[list]);
+ unsigned int val= get_te0_golomb(&s->gb, h->ref_count[list]);
+ if(val >= h->ref_count[list]){
+ av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
+ return -1;
+ }
 fill_rectangle(&h->ref_cache[list][ scan8[0] ], 4, 4, 8, val, 1);
 }else
 fill_rectangle(&h->ref_cache[list][ scan8[0] ], 4, 4, 8, (LIST_NOT_USED&0xFF), 1);
@@ -5439,7 +5483,11 @@
 if(h->ref_count[list]>0){
 for(i=0; i<2; i++){
 if(IS_DIR(mb_type, i, list)){
- const int val= get_te0_golomb(&s->gb, h->ref_count[list]);
+ unsigned int val= get_te0_golomb(&s->gb, h->ref_count[list]);
+ if(val >= h->ref_count[list]){
+ av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
+ return -1;
+ }
 fill_rectangle(&h->ref_cache[list][ scan8[0] + 16*i ], 4, 2, 8, val, 1);
 }else
 fill_rectangle(&h->ref_cache[list][ scan8[0] + 16*i ], 4, 2, 8, (LIST_NOT_USED&0xFF), 1);
@@ -5465,7 +5513,11 @@
 if(h->ref_count[list]>0){
 for(i=0; i<2; i++){
 if(IS_DIR(mb_type, i, list)){ //FIXME optimize
- const int val= get_te0_golomb(&s->gb, h->ref_count[list]);
+ unsigned int val= get_te0_golomb(&s->gb, h->ref_count[list]);
+ if(val >= h->ref_count[list]){
+ av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
+ return -1;
+ }
 fill_rectangle(&h->ref_cache[list][ scan8[0] + 2*i ], 2, 4, 8, val, 1);
 }else
 fill_rectangle(&h->ref_cache[list][ scan8[0] + 2*i ], 2, 4, 8, (LIST_NOT_USED&0xFF), 1);
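Review bot: The read-then-check sequence `get_te0_golomb(...)`, `if(val >= h->ref_count[list])`, av_log, `return -1` is now written out four times in decode_mb_cavlc (the `ref_count` sub-macroblock case and the three `h->ref_count[list]` cases on this line), which invites the copies to drift the next time one of them is touched. A small static helper that reads and validates one reference index, returning -1 on overflow, lets every site collapse to `int val= get_checked_ref_idx(h, h->ref_count[list]); if(val < 0) return -1;` with a single log message to maintain. The helper uses `h->s.gb`, which is what `s->gb` resolves to given `MpegEncContext * const s = &h->s;` at the top of the function. decode_mb_cavlc starts in an earlier hunk and ends after these.
```c
/* Read one reference index and reject anything outside [0, ref_count). */
static inline int get_checked_ref_idx(H264Context *h, unsigned int ref_count){
    unsigned int val= get_te0_golomb(&h->s.gb, ref_count);
    if(val >= ref_count){
        av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
        return -1;
    }
    return val;
}

/* … unchanged: decode_mb_cavlc up to the per-list loop … */
                if(IS_DIR(mb_type, 0, list)){
                    int val= get_checked_ref_idx(h, h->ref_count[list]);
                    if(val < 0)
                        return -1;
                    fill_rectangle(&h->ref_cache[list][ scan8[0] ], 4, 4, 8, val, 1);
                }else
/* … unchanged: the other three sites follow the same replacement … */
```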
@@ -5494,7 +5546,7 @@
 if(!IS_INTRA16x16(mb_type)){
 cbp= get_ue_golomb(&s->gb);
 if(cbp > 47){
- av_log(h->s.avctx, AV_LOG_ERROR, "cbp too large (%d) at %d %d\n", cbp, s->mb_x, s->mb_y);
+ av_log(h->s.avctx, AV_LOG_ERROR, "cbp too large (%u) at %d %d\n", cbp, s->mb_x, s->mb_y);
 return -1;
 }
@@ -5976,6 +6028,10 @@
 ctx = 4;
 else
 ctx = 5;
+ if(ref >= 32 /*h->ref_list[list]*/){
+ av_log(h->s.avctx, AV_LOG_ERROR, "overflow in decode_cabac_mb_ref\n");
+ return 0; //FIXME we should return -1 and check the return everywhere
+ }
 }
 return ref;
 }
@@ -6009,6 +6065,10 @@
 while( get_cabac_bypass( &h->cabac ) ) {
 mvd += 1 << k;
 k++;
+ if(k>24){
+ av_log(h->s.avctx, AV_LOG_ERROR, "overflow in decode_cabac_mb_mvd\n");
+ return INT_MIN;
+ }
 }
 while( k-- ) {
 if( get_cabac_bypass( &h->cabac ) )
@@ -6395,7 +6455,7 @@
 fill_caches(h, mb_type, 0);
 if( IS_INTRA( mb_type ) ) {
- int i;
+ int i, pred_mode;
 if( IS_INTRA4x4( mb_type ) ) {
 if( dct8x8_allowed && decode_cabac_mb_transform_size( h ) ) {
 mb_type |= MB_TYPE_8x8DCT;
@@ -6419,10 +6479,11 @@
 if( h->intra16x16_pred_mode < 0 ) return -1;
 }
 h->chroma_pred_mode_table[mb_xy] =
- h->chroma_pred_mode = decode_cabac_mb_chroma_pre_mode( h );
+ pred_mode = decode_cabac_mb_chroma_pre_mode( h );
- h->chroma_pred_mode= check_intra_pred_mode( h, h->chroma_pred_mode );
- if( h->chroma_pred_mode < 0 ) return -1;
+ pred_mode= check_intra_pred_mode( h, pred_mode );
+ if( pred_mode < 0 ) return -1;
+ h->chroma_pred_mode= pred_mode;
 } else if( partition_count == 4 ) {
 int i, j, sub_partition_count[4], list, ref[2][4];
@@ -7679,7 +7740,8 @@
 static inline int decode_vui_parameters(H264Context *h, SPS *sps){
 MpegEncContext * const s = &h->s;
- int aspect_ratio_info_present_flag, aspect_ratio_idc;
+ int aspect_ratio_info_present_flag;
+ unsigned int aspect_ratio_idc;
 int nal_hrd_parameters_present_flag, vcl_hrd_parameters_present_flag;
 aspect_ratio_info_present_flag= get_bits1(&s->gb);
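Review bot: `return 0;` in the new decode_cabac_mb_ref overflow branch converts a detected corrupt reference index into a silently decoded one, since 0 is itself a valid index; the FIXME acknowledges this, but as shipped the error log is the only trace, and callers cannot distinguish the two. The sentinel chosen in the next hunk, `return INT_MIN;` from decode_cabac_mb_mvd, has the opposite problem: a caller that adds the result to a predicted vector, as mvd values presumably are, overflows signed int, which is undefined behaviour in C, so until callers test for it a comment at the return (`// callers must check for INT_MIN before using mvd`) is the minimum. Both enclosing functions start and end outside their hunks.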
@@ -7801,7 +7863,8 @@
 static inline int decode_seq_parameter_set(H264Context *h){
 MpegEncContext * const s = &h->s;
 int profile_idc, level_idc;
- int sps_id, i;
+ unsigned int sps_id, tmp, mb_width, mb_height;
+ int i;
 SPS *sps;
 profile_idc= get_bits(&s->gb, 8);
@@ -7813,6 +7876,12 @@
 level_idc= get_bits(&s->gb, 8);
 sps_id= get_ue_golomb(&s->gb);
+ if (sps_id >= MAX_SPS_COUNT){
+ // ok it has gone out of hand, someone is sending us bad stuff.
+ av_log(h->s.avctx, AV_LOG_ERROR, "illegal sps_id (%d)\n", sps_id);
+ return -1;
+ }
+
 sps= &h->sps_buffer[ sps_id ];
 sps->profile_idc= profile_idc;
 sps->level_idc= level_idc;
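Review bot: `"illegal sps_id (%d)\n", sps_id` passes the now-`unsigned int sps_id` (retyped in the first hunk on this line) to a `%d` conversion; the other new messages in this patch use `%u` for unsigned values, e.g. `poc_cycle_length overflow %u`, so this one should read `av_log(h->s.avctx, AV_LOG_ERROR, "illegal sps_id (%u)\n", sps_id);`. A mismatched conversion is undefined behaviour even where it prints the expected number, and `-Wformat` flags it. decode_seq_parameter_set continues past the hunk.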
@@ -7836,26 +7905,36 @@
 sps->delta_pic_order_always_zero_flag= get_bits1(&s->gb);
 sps->offset_for_non_ref_pic= get_se_golomb(&s->gb);
 sps->offset_for_top_to_bottom_field= get_se_golomb(&s->gb);
- sps->poc_cycle_length= get_ue_golomb(&s->gb);
+ tmp= get_ue_golomb(&s->gb);
+
+ if(tmp >= sizeof(sps->offset_for_ref_frame) / sizeof(sps->offset_for_ref_frame[0])){
+ av_log(h->s.avctx, AV_LOG_ERROR, "poc_cycle_length overflow %u\n", tmp);
+ return -1;
+ }
+ sps->poc_cycle_length= tmp;
 for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i]= get_se_golomb(&s->gb);
- }
- if(sps->poc_type > 2){
+ }else if(sps->poc_type != 2){
 av_log(h->s.avctx, AV_LOG_ERROR, "illegal POC type %d\n", sps->poc_type);
 return -1;
 }
- sps->ref_frame_count= get_ue_golomb(&s->gb);
- if(sps->ref_frame_count > MAX_PICTURE_COUNT-2){
+ tmp= get_ue_golomb(&s->gb);
+ if(tmp > MAX_PICTURE_COUNT-2){
 av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
 }
+ sps->ref_frame_count= tmp;
 sps->gaps_in_frame_num_allowed_flag= get_bits1(&s->gb);
- sps->mb_width= get_ue_golomb(&s->gb) + 1;
- sps->mb_height= get_ue_golomb(&s->gb) + 1;
- if((unsigned)sps->mb_width >= INT_MAX/16 || (unsigned)sps->mb_height >= INT_MAX/16 ||
- avcodec_check_dimensions(NULL, 16*sps->mb_width, 16*sps->mb_height))
+ mb_width= get_ue_golomb(&s->gb) + 1;
+ mb_height= get_ue_golomb(&s->gb) + 1;
+ if(mb_width >= INT_MAX/16 || mb_height >= INT_MAX/16 ||
+ avcodec_check_dimensions(NULL, 16*mb_width, 16*mb_height)){
+ av_log(h->s.avctx, AV_LOG_ERROR, "mb_width/height overflow\n");
 return -1;
+ }
+ sps->mb_width = mb_width;
+ sps->mb_height= mb_height;
 sps->frame_mbs_only_flag= get_bits1(&s->gb);
 if(!sps->frame_mbs_only_flag)
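Review bot: The `if(tmp > MAX_PICTURE_COUNT-2)` check still only logs: control falls through to `sps->ref_frame_count= tmp;` and the oversize count is stored, so this is the one range check in decode_seq_parameter_set that does not `return -1;` even though the new code was restructured around it. If the value is unsafe for the code that sizes reference lists from it, the branch should return -1 like its neighbours; if real streams exceed the limit and leniency is intended, say so at the av_log (`// not fatal: the count is clamped/ignored downstream — confirm`) so the asymmetry is not mistaken for an oversight. The enclosing function continues beyond the hunk.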
@@ -7893,7 +7972,7 @@
 decode_vui_parameters(h, sps);
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
- av_log(h->s.avctx, AV_LOG_DEBUG, "sps:%d profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%d/%d/%d/%d %s\n",
+ av_log(h->s.avctx, AV_LOG_DEBUG, "sps:%u profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%d/%d/%d/%d %s\n",
 sps_id, sps->profile_idc, sps->level_idc, sps->poc_type, sps->ref_frame_count,
@@ -7910,10 +7989,22 @@
 static inline int decode_picture_parameter_set(H264Context *h, int bit_length){
 MpegEncContext * const s = &h->s;
- int pps_id= get_ue_golomb(&s->gb);
- PPS *pps= &h->pps_buffer[pps_id];
+ unsigned int tmp, pps_id= get_ue_golomb(&s->gb);
+ PPS *pps;
+
+ if(pps_id>=MAX_PPS_COUNT){
+ av_log(h->s.avctx, AV_LOG_ERROR, "pps_id out of range\n");
+ return -1;
+ }
+ pps = &h->pps_buffer[pps_id];
+
+ tmp= get_ue_golomb(&s->gb);
+ if(tmp>=MAX_SPS_COUNT){
+ av_log(h->s.avctx, AV_LOG_ERROR, "sps_id out of range\n");
+ return -1;
+ }
+ pps->sps_id= tmp;
- pps->sps_id= get_ue_golomb(&s->gb);
 pps->cabac= get_bits1(&s->gb);
 pps->pic_order_present= get_bits1(&s->gb);
 pps->slice_group_count= get_ue_golomb(&s->gb) + 1;
@@ -7958,6 +8049,7 @@
 pps->ref_count[1]= get_ue_golomb(&s->gb) + 1;
 if(pps->ref_count[0] > 32 || pps->ref_count[1] > 32){
 av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow (pps)\n");
+ pps->ref_count[0]= pps->ref_count[1]= 1;
 return -1;
 }
@@ -7982,7 +8074,7 @@
 }
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
- av_log(h->s.avctx, AV_LOG_DEBUG, "pps:%d sps:%d %s slice_groups:%d ref:%d/%d %s qp:%d/%d/%d %s %s %s %s\n",
+ av_log(h->s.avctx, AV_LOG_DEBUG, "pps:%u sps:%u %s slice_groups:%d ref:%d/%d %s qp:%d/%d/%d %s %s %s %s\n",
 pps_id, pps->sps_id, pps->cabac ? "CABAC" : "CAVLC", pps->slice_group_count,
@@ -8116,7 +8208,7 @@
 nalsize = 0;
 for(i = 0; i < h->nal_length_size; i++)
 nalsize = (nalsize << 8) | buf[buf_index++];
- if(nalsize <= 1){
+ if(nalsize <= 1 || nalsize > buf_size){
 if(nalsize == 1){
 buf_index++;
 continue;
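Review bot: `nalsize > buf_size` in the last hunk bounds the AVC NAL length against the whole buffer rather than against the bytes left after `buf_index`; a length that fits `buf_size` but exceeds the remainder still passes and is then handed to decode_nal as its length (`h->is_avc ? nalsize : buf_size - buf_index` in the following hunk on the next line). The test should be `if(nalsize <= 1 || nalsize > buf_size - buf_index){`. The `buf[buf_index++]` reads in the preceding `for` loop are also not bounded inside this hunk, so unless a check outside it guarantees `h->nal_length_size` bytes remain, that loop reads past the end of a truncated buffer before the new check runs. The enclosing loop starts and ends outside the hunk.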
@@ -8139,6 +8231,9 @@
 }
 ptr= decode_nal(h, buf + buf_index, &dst_length, &consumed, h->is_avc ? nalsize : buf_size - buf_index);
+ if (ptr==NULL || dst_length <= 0){
+ return -1;
+ }
 while(ptr[dst_length - 1] == 0 && dst_length > 1) dst_length--;
 bit_length= 8*dst_length - decode_rbsp_trailing(ptr + dst_length - 1);
only in patch2:
unchanged:
--- mplayer-1.0~rc1.orig/libavformat/asf.c
+++ mplayer-1.0~rc1/libavformat/asf.c
@@ -264,7 +264,8 @@
 // asf_st->ds_data_size, asf_st->ds_span, asf_st->ds_silence_data);
 if (asf_st->ds_span > 1) {
 if (!asf_st->ds_chunk_size
- || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1))
+ || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1)
+ || asf_st->ds_packet_size % asf_st->ds_chunk_size)
 asf_st->ds_span = 0; // disable descrambling
 }
 switch (st->codec->codec_id) {
@@ -710,6 +711,14 @@
 asf->packet_size_left -= asf->packet_frag_size;
 if (asf->packet_size_left < 0)
 continue;
+
+ if( asf->packet_frag_offset >= asf_st->pkt.size
+ || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+ av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+ asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+ continue;
+ }
+
 get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset, asf->packet_frag_size);
 asf_st->frag_offset += asf->packet_frag_size;
@@ -717,6 +726,9 @@
 if (asf_st->frag_offset == asf_st->pkt.size) {
 /* return packet */
 if (asf_st->ds_span > 1) {
+ if(asf_st->pkt.size != asf_st->ds_packet_size * asf_st->ds_span){
+ av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span\n");
+ }else{
 /* packet descrambling */
 uint8_t *newdata = av_malloc(asf_st->pkt.size);
 if (newdata) {
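Review bot: The new fragment-bounds check in asf.c `continue`s without consuming the fragment, while `asf->packet_size_left` was already reduced by `packet_frag_size` a few lines above; unless the loop head outside the hunk re-synchronises on the next packet header, the rejected fragment's bytes are still in front of `pb` and the next fragment header is read from inside them. If that is not handled elsewhere, skipping `asf->packet_frag_size` bytes before the `continue` keeps the parser aligned, and either way a comment stating which of the two is relied on belongs at the `continue`. Separately, the message uses `%u` for `asf_st->pkt.size`, an `int` field of AVPacket, whereas the two new `unsigned int` fields match. The enclosing read loop starts and ends outside the hunk.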
@@ -727,6 +739,9 @@
 int col = off % asf_st->ds_span;
 int idx = row + col * asf_st->ds_packet_size / asf_st->ds_chunk_size;
 //printf("off:%d row:%d col:%d idx:%d\n", off, row, col, idx);
+
+ assert(offset + asf_st->ds_chunk_size <= asf_st->pkt.size);
+ assert(idx+1 <= asf_st->pkt.size / asf_st->ds_chunk_size);
 memcpy(newdata + offset, asf_st->pkt.data + idx * asf_st->ds_chunk_size, asf_st->ds_chunk_size);
@@ -735,6 +750,7 @@
 av_free(asf_st->pkt.data);
 asf_st->pkt.data = newdata;
 }
+ }
 }
 asf_st->frag_offset = 0;
 memcpy(pkt, &asf_st->pkt, sizeof(AVPacket));
only in patch2:
unchanged:
--- mplayer-1.0~rc1.orig/libavformat/asf.h
+++ mplayer-1.0~rc1/libavformat/asf.h
@@ -115,8 +115,8 @@
 int packet_replic_size;
 int packet_key_frame;
 int packet_padsize;
- int packet_frag_offset;
- int packet_frag_size;
+ unsigned int packet_frag_offset;
+ unsigned int packet_frag_size;
 int packet_frag_timestamp;
 int packet_multi_size;
 int packet_obj_size;
--- mplayer-1.0~rc1.orig/stream/cache2.c
+++ mplayer-1.0~rc1/stream/cache2.c
@@ -28,6 +28,9 @@
 #include "help_mp.h"
 #include "stream.h"
+#ifdef HAVE_NEW_GUI
+extern int use_gui;
+#endif
 int stream_fill_buffer(stream_t *s);
 int stream_seek_long(stream_t *s,off_t pos);
@@ -306,6 +309,9 @@
 static DWORD WINAPI ThreadProc(void*s){
 #endif
+#ifdef HAVE_NEW_GUI
+ use_gui = 0; // mp_msg may not use gui stuff in forked code
+#endif
 // cache thread mainloop:
 signal(SIGTERM,exit_sighandler); // kill
 while(1){
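Review bot: The two new `assert()`s in the descrambling loop document the bound but do not enforce it, since they compile out under NDEBUG; what actually keeps the `memcpy` in range is the `pkt.size != ds_packet_size * ds_span` test added in the previous hunk together with the `ds_packet_size % ds_chunk_size` test added earlier in this patch. A comment at the asserts, `// guaranteed by the pkt.size and chunk-multiple checks above; the asserts only document it`, makes that dependency explicit so neither check is later removed as redundant. Whether `ds_packet_size * ds_span` itself can overflow depends on those fields' types, which are not in the hunk. The loop starts before the hunk.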
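Review bot: In cache2.c the new `use_gui = 0;` sits after the `#endif` that closes the alternative `static DWORD WINAPI ThreadProc(void*s){` header, so it runs in both the forked and the threaded build of the cache worker; in a thread `use_gui` is shared with the whole process, and clearing it would switch the GUI off for the player rather than just for the worker, unlike the forked child where the write is private. If the threaded variant cannot reach mp_msg's GUI path anyway this is harmless, but then the comment should say so, e.g. `// forked child only needs this; harmless in the thread build because ... — confirm`, or the assignment should be limited to the fork build under the same condition that selects it. The per-file `extern int use_gui;` would also be better taken from a shared header than redeclared here. ThreadProc continues beyond the hunk.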