diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 9da1f91d1d..870437d6f4 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } }else{ t = get_unary_0_33(gb); - if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1)); + if(t >= 2){ + if(get_bits_left(gb) < t-1) + goto error; + t = get_bits(gb, t - 1) | (1 << (t-1)); + }else{ + if(get_bits_left(gb) < 0) + goto error; + } ctx->zeroes = t; if(ctx->zeroes){ memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median)); @@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } } - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } - if(ctx->zero){ t = 0; ctx->zero = 0; }else{ t = get_unary_0_33(gb); - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } + if(get_bits_left(gb) < 0) + goto error; if(t == 16) { t2 = get_unary_0_33(gb); - if(t2 < 2) t += t2; - else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + if(t2 < 2){ + if(get_bits_left(gb) < 0) + goto error; + t += t2; + }else{ + if(get_bits_left(gb) < t2 - 1) + goto error; + t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + } } if(ctx->one){ @@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } if(!c->error_limit){ ret = base + get_tail(gb, add); + if (get_bits_left(gb) <= 0) + goto error; }else{ int mid = (base*2 + add + 1) >> 1; while(add > c->error_limit){ + if(get_bits_left(gb) <= 0) + goto error; if(get_bits1(gb)){ add -= (mid - base); base = mid; @@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel if(ctx->hybrid_bitrate) c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level); return sign ? ~ret : ret; + +error: + *last = 1; + return 0; } static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S) @@ -385,7 +400,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in if(s->extra_bits){ S <<= s->extra_bits; - if(s->got_extra_bits){ + if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){ S |= get_bits(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16); } @@ -581,7 +596,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ wv_reset_saved_context(s); if(crc != s->CRC){ @@ -659,7 +677,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ wv_reset_saved_context(s); if(crc != s->CRC){ @@ -1114,7 +1135,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1123,7 +1144,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1132,7 +1153,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; diff --git a/libavformat/avlanguage.c b/libavformat/avlanguage.c index 525bf07d27..39f2560d94 100644 --- a/libavformat/avlanguage.c +++ b/libavformat/avlanguage.c @@ -20,6 +20,7 @@ #include "avlanguage.h" #include "libavutil/avstring.h" +#include "libavutil/common.h" #include #include #include @@ -736,7 +737,7 @@ const char *av_convert_lang_to(const char *lang, enum AVLangCodespace target_cod { int i; const LangEntry *entry = NULL; - const int NB_CODESPACES = sizeof(lang_table_counts)/sizeof(*lang_table_counts); + const int NB_CODESPACES = FF_ARRAY_ELEMS(lang_table_counts); if (target_codespace >= NB_CODESPACES) return NULL; diff --git a/libavformat/mxf.c b/libavformat/mxf.c index d7e95eebfc..1b85a894ce 100644 --- a/libavformat/mxf.c +++ b/libavformat/mxf.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/common.h" #include "mxf.h" /** @@ -81,7 +82,7 @@ static const struct { {PIX_FMT_PAL8, {'P', 8 }}, }; -static const int num_pixel_layouts = sizeof(ff_mxf_pixel_layouts) / sizeof(*ff_mxf_pixel_layouts); +static const int num_pixel_layouts = FF_ARRAY_ELEMS(ff_mxf_pixel_layouts); int ff_mxf_decode_pixel_layout(const char pixel_layout[16], enum PixelFormat *pix_fmt) { diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 643ea7a5a0..b481c37c82 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -233,14 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int cur_len = start_off + len_off - off; int prev_len = out_len; - void *newbuf; + void *newmem; out_len += cur_len; - if(FFMIN(cur_len, len - off)<0) + if (FFMIN(cur_len, len - off) < 0) return -1; - newbuf = av_realloc(asf->buf, out_len); - if(!newbuf) + newmem = av_realloc(asf->buf, out_len); + if (!newmem) return -1; - asf->buf= newbuf; + asf->buf = newmem; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len);