diff -Naurp ffmpeg.old/libavcodec/vorbis_dec.c ffmpeg-0.5/libavcodec/vorbis_dec.c
--- ffmpeg.old/libavcodec/vorbis_dec.c 2011-03-14 09:00:04.000000000 -0400
+++ ffmpeg-0.5/libavcodec/vorbis_dec.c 2011-03-14 09:05:57.569125360 -0400
@@ -37,6 +37,7 @@
 #define V_NB_BITS 8
 #define V_NB_BITS2 11
 #define V_MAX_VLCS (1<<16)
+#define V_MAX_PARTITIONS (1<<20)
 #ifndef V_DEBUG
 #define AV_DEBUG(...)
@@ -634,6 +635,14 @@ static int vorbis_parse_setup_hdr_residu
 res_setup->begin=get_bits(gb, 24);
 res_setup->end=get_bits(gb, 24);
 res_setup->partition_size=get_bits(gb, 24)+1;
+ /* Validations to prevent a buffer overflow later. */
+ if (res_setup->begin>res_setup->end
+ || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+ || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+ return 1;
+ }
+
 res_setup->classifications=get_bits(gb, 6)+1;
 res_setup->classbook=get_bits(gb, 8);
diff -Naurp ffmpeg.old/libavformat/mov.c ffmpeg-0.5/libavformat/mov.c
--- ffmpeg.old/libavformat/mov.c 2009-03-01 11:06:26.000000000 -0500
+++ ffmpeg-0.5/libavformat/mov.c 2011-03-14 09:42:21.309368630 -0400
@@ -238,10 +238,16 @@ static int mov_read_default(MOVContext *
 static int mov_read_dref(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 int entries, i, j;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_be32(pb); // version + flags
 entries = get_be32(pb);
 if (entries >= UINT_MAX / sizeof(*sc->drefs))
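Review bot: The diagnostic on the av_log line does not print the bound that was actually checked: for type 2 the condition compares `res_setup->end` against `vc->blocksize[1]`, but the message always reports `vc->blocksize[1]/2` as the blocksize, so a rejected type-2 header logs a limit that was not applied. Passing the same expression the check uses, `vc->blocksize[1]/(res_setup->type==2?1:2)`, keeps the log consistent with the code; and if `begin`, `end`, `partition_size` or `type` are declared wider than `int` (the struct definition is outside this hunk), `%d` is a format mismatch and the arguments should be cast or use the matching specifier. The type-2 divisor of 1 also looks like it assumes a fixed channel count — type-2 residues cover all channels interleaved, so the admissible range would be expected to scale with the stream's channel count; worth confirming against what the residue decoder indexes with these values. The comment `/* Validations to prevent a buffer overflow later. */` would be more useful if it named which later use it protects, e.g. `/* begin/end/partition_size index per-partition buffers in residue decoding; reject values the blocksize cannot hold */`. The enclosing function continues outside the hunk.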
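Review bot: The added guard `if (c->fc->nb_streams < 1) return 0;` reports success for a stream-scoped atom that arrives before any track exists, so the malformed atom is silently dropped and parsing continues as if it had been handled; logging the condition before returning, e.g. `av_log(c->fc, AV_LOG_ERROR, "stream atom before any trak\n");`, or returning an error, would make the rejection visible to callers and to anyone triaging a bad file. The same prologue is repeated verbatim in mov_read_hdlr, mov_read_esds, mov_read_pasp, mov_read_mdhd, mov_read_smi, mov_read_enda, mov_read_wave, mov_read_glbl, mov_read_stco, mov_read_stsd, mov_read_stsc, mov_read_stss, mov_read_stsz, mov_read_stts, mov_read_ctts, mov_read_tkhd and mov_read_elst, which is a candidate for one helper or a check in the atom dispatcher, and at minimum deserves a comment at the guard such as `/* stream-level atom before any trak: nothing to attach it to */`. In mov_read_pasp, mov_read_mdhd, mov_read_enda and mov_read_tkhd the guard sits after initializers that have already read from pb (`get_be32`, `get_byte`, `get_be16`), which is only harmless if the caller repositions to the end of the atom afterwards; that caller is outside these hunks and should be confirmed.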
@@ -308,10 +314,15 @@ static int mov_read_dref(MOVContext *c,
 static int mov_read_hdlr(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
 uint32_t type;
 uint32_t ctype;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
@@ -381,9 +392,14 @@ static const AVCodecTag mp4_audio_types[
 static int mov_read_esds(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
 int tag, len;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+
 get_be32(pb); /* version + flags */
 len = mp4_read_descr(c, pb, &tag);
 if (tag == MP4ESDescrTag) {
@@ -440,7 +456,13 @@ static int mov_read_pasp(MOVContext *c,
 {
 const int num = get_be32(pb);
 const int den = get_be32(pb);
- AVStream * const st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
+
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+
 if (den != 0) {
 if ((st->sample_aspect_ratio.den != 1 || st->sample_aspect_ratio.num) && // default
 (den != st->sample_aspect_ratio.den || num != st->sample_aspect_ratio.num))
@@ -494,12 +516,18 @@ static int mov_read_moof(MOVContext *c,
 static int mov_read_mdhd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 int version = get_byte(pb);
 char language[4] = {0};
 unsigned lang;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 if (version > 1)
 return -1; /* unsupported */
@@ -561,7 +589,12 @@ static int mov_read_mvhd(MOVContext *c,
 static int mov_read_smi(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
+
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
 if((uint64_t)atom.size > (1<<30))
 return -1;
@@ -581,9 +614,14 @@ static int mov_read_smi(MOVContext *c, B
 static int mov_read_enda(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
 int little_endian = get_be16(pb);
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+
 dprintf(c->fc, "enda %d\n", little_endian);
 if (little_endian == 1) {
 switch (st->codec->codec_id) {
@@ -633,7 +671,12 @@ static int mov_read_extradata(MOVContext
 static int mov_read_wave(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
+
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
 if((uint64_t)atom.size > (1<<30))
 return -1;
@@ -660,7 +703,12 @@ static int mov_read_wave(MOVContext *c,
 */
 static int mov_read_glbl(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ AVStream *st;
+
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
 if((uint64_t)atom.size > (1<<30))
 return -1;
@@ -676,10 +724,16 @@ static int mov_read_glbl(MOVContext *c,
 static int mov_read_stco(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 unsigned int i, entries;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
@@ -742,10 +796,16 @@ static enum CodecID mov_get_lpcm_codec_i
 static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 int j, entries, pseudo_stream_id;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
@@ -1064,10 +1124,16 @@ static int mov_read_stsd(MOVContext *c,
 static int mov_read_stsc(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 unsigned int i, entries;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
@@ -1092,10 +1158,16 @@ static int mov_read_stsc(MOVContext *c,
 static int mov_read_stss(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 unsigned int i, entries;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
@@ -1119,10 +1191,16 @@ static int mov_read_stss(MOVContext *c,
 static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 unsigned int i, entries, sample_size;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
@@ -1150,12 +1228,18 @@ static int mov_read_stsz(MOVContext *c,
 static int mov_read_stts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 unsigned int i, entries;
 int64_t duration=0;
 int64_t total_sample_count=0;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
 entries = get_be32(pb);
@@ -1194,10 +1278,16 @@ static int mov_read_stts(MOVContext *c,
 static int mov_read_ctts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 unsigned int i, entries;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
 entries = get_be32(pb);
@@ -1504,10 +1594,16 @@ static int mov_read_tkhd(MOVContext *c,
 int height;
 int64_t disp_transform[2];
 int display_matrix[3][2];
- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
- MOVStreamContext *sc = st->priv_data;
+ AVStream *st;
+ MOVStreamContext *sc;
 int version = get_byte(pb);
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ st = c->fc->streams[c->fc->nb_streams-1];
+ sc = st->priv_data;
+
 get_be24(pb); /* flags */
 /*
 MOV_TRACK_ENABLED 0x0001
@@ -1776,9 +1872,14 @@ free_and_return:
 /* edit list atom */
 static int mov_read_elst(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 {
- MOVStreamContext *sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
+ MOVStreamContext *sc;
 int i, edit_count;
+ if (c->fc->nb_streams < 1)
+ return 0;
+
+ sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
+
 get_byte(pb); /* version */
 get_be24(pb); /* flags */
 edit_count = get_be32(pb); /* entries */