同步平台漏洞修复

Signed-off-by: Atrotro <wanganzhouhh@163.com>
2024-11-23 03:09:51 +00:00 · 2024-08-27 10:30:32 +08:00 · 2024-08-27 10:30:32 +08:00 · ed24d866ce
commit ed24d866ce
parent 47f7c53897
9 changed files with 25 additions and 9 deletions
--- a/libavcodec/cbs_av1.c
+++ b/libavcodec/cbs_av1.c
@ -379,7 +379,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb
    }
    if (len > 0)
-        put_bits(pbc, len, (1 << len) - 1 - (value != range_max));
+        put_bits(pbc, len, (1U << len) - 1 - (value != range_max));
    return 0;
 }
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@ -1327,7 +1327,7 @@ static int estimate_best_b_count(MpegEncContext *s)
                goto fail;
            }
-            rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3);
+            rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3);
        }
        /* get the delayed frames */
@ -1336,7 +1336,7 @@ static int estimate_best_b_count(MpegEncContext *s)
            ret = out_size;
            goto fail;
        }
-        rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3);
+        rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3);
        rd += c->error[0] + c->error[1] + c->error[2];
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@ -188,6 +188,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
                    av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret);
                    return AVERROR_EXTERNAL;
                }
                if (zsteam->avail_out > 0)
                    memset(zstream->next_out, 0, zstream->avail_out);
            }
        }
    } else if (type == MKTAG('H','U','F','Y')) {
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@ -562,6 +562,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, AVFrame *frame,
    buf               = &s->bitstream[s->bitstream_index];
    buf_size         += s->bitstream_size;
    s->bitstream_size = buf_size;
    memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
    /* do not decode until buffer has at least max_framesize bytes or
     * the end of the file has been reached */
--- a/libavcodec/snowenc.c
+++ b/libavcodec/snowenc.c
@ -260,6 +260,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){
    int my_context= av_log2(2*FFABS(left->my - top->my));
    int s_context= 2*left->level + 2*top->level + tl->level + tr->level;
    int ref, best_ref, ref_score, ref_mx, ref_my;
    int range = MAX_MV >> (1 + qpel);
    av_assert0(sizeof(s->block_state) >= 256);
    if(s->keyframe){
@ -301,6 +302,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){
    c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3;
    c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3;
    c->xmin = FFMAX(c->xmin, -range);
    c->xmax = FFMIN(c->xmax, range);
    c->ymin = FFMAX(c->ymin, -range);
    c->ymax = FFMIN(c->ymax, range);
    if(P_LEFT[0]     > (c->xmax<<shift)) P_LEFT[0]    = (c->xmax<<shift);
    if(P_LEFT[1]     > (c->ymax<<shift)) P_LEFT[1]    = (c->ymax<<shift);
    if(P_TOP[0]      > (c->xmax<<shift)) P_TOP[0]     = (c->xmax<<shift);
--- a/libavfilter/vf_rotate.c
+++ b/libavfilter/vf_rotate.c
@ -288,7 +288,9 @@ static int config_props(AVFilterLink *outlink)
    double res;
    char *expr;
-    ff_draw_init(&rot->draw, inlink->format, 0);
+    ret = ff_draw_init(&rot->draw, inlink->format, 0);
    if (ret < 0)
        return ret;
    ff_draw_color(&rot->draw, &rot->color, rot->fillcolor);
    rot->hsub = pixdesc->log2_chroma_w;
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -3178,15 +3178,15 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
            sc->stts_data[i].duration = 1;
            corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count;
        } else {
-            corrected_dts += sample_duration * sample_count;
+            corrected_dts += sample_duration * (int64_t)sample_count;
        }
-        current_dts += sc->stts_data[i].duration * sample_count;
+        current_dts += sc->stts_data[i].duration * (int64_t)sample_count;
        if (current_dts > corrected_dts) {
            int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1);
            uint32_t correction = (sc->stts_data[i].duration > drift) ? drift : sc->stts_data[i].duration - 1;
-            current_dts -= correction * sample_count;
+            current_dts -= correction * (uint64_t)sample_count;
            sc->stts_data[i].duration -= correction;
        }
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@ -779,6 +779,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
    partition->index_sid = avio_rb32(pb);
    partition->body_offset = avio_rb64(pb);
    partition->body_sid = avio_rb32(pb);
    if (partition->body_offset < 0)
        return AVERROR_INVALIDDATA;
    if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) {
        av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n");
        return AVERROR_INVALIDDATA;
--- a/libavutil/base64.c
+++ b/libavutil/base64.c
@ -127,10 +127,12 @@ validity_check:
    }
 out3:
-    *dst++ = v >> 10;
+    if (end - dst)
        *dst++ = v >> 10;
    v <<= 2;
 out2:
-    *dst++ = v >> 4;
+    if (end - dst)
        *dst++ = v >> 4;
 out1:
 out0:
    return bits & 1 ? AVERROR_INVALIDDATA : out ? dst - out : 0;