ffmpeg source update for sep 09

source/patched-ffmpeg-mt/libavformat/matroskadec.c

 /*
  * Matroska file demuxer
  * Copyright (c) 2003-2008 The FFmpeg Project
  *
  * This file is part of FFmpeg.
  *
  * FFmpeg is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
@@ skipping 524 matching lines @@
  * Read: an "EBML number", which is defined as a variable-length
  * array of bytes. The first byte indicates the length by giving a
  * number of 0-bits followed by a one. The position of the first
  * "one" bit inside the first byte indicates the length of this
  * number.
  * Returns: number of bytes read, < 0 on error
  */
 static int ebml_read_num(MatroskaDemuxContext *matroska, ByteIOContext *pb,
                          int max_size, uint64_t *number)
 {
-    int len_mask = 0x80, read = 1, n = 1;
-    int64_t total = 0;
+    int read = 1, n = 1;
+    uint64_t total = 0;
 
     /* The first byte tells us the length in bytes - get_byte() can normally
      * return 0, but since that's not a valid first ebmlID byte, we can
      * use it safely here to catch EOS. */
     if (!(total = get_byte(pb))) {
         /* we might encounter EOS here */
         if (!url_feof(pb)) {
             int64_t pos = url_ftell(pb);
             av_log(matroska->ctx, AV_LOG_ERROR,
                    "Read error at pos. %"PRIu64" (0x%"PRIx64")\n",
                    pos, pos);
         }
         return AVERROR(EIO); /* EOS or actual I/O error */
     }
 
     /* get the length of the EBML number */
-    while (read <= max_size && !(total & len_mask)) {
-        read++;
-        len_mask >>= 1;
-    }
+    read = 8 - ff_log2_tab[total];
     if (read > max_size) {
         int64_t pos = url_ftell(pb) - 1;
         av_log(matroska->ctx, AV_LOG_ERROR,
                "Invalid EBML number size tag 0x%02x at pos %"PRIu64" (0x%"PRIx64")\n",
                (uint8_t) total, pos, pos);
         return AVERROR_INVALIDDATA;
     }
 
     /* read out length */
-    total &= ~len_mask;
+    total ^= 1 << ff_log2_tab[total];
     while (n++ < read)
         total = (total << 8) | get_byte(pb);
 
     *number = total;
 
     return read;
 }
 
+/**
+ * Read a EBML length value.
+ * This needs special handling for the "unknown length" case which has multiple
+ * encodings.
+ */
+static int ebml_read_length(MatroskaDemuxContext *matroska, ByteIOContext *pb,
+                            uint64_t *number)
+{
+    int res = ebml_read_num(matroska, pb, 8, number);
+    if (res > 0 && *number + 1 == 1ULL << (7 * res))
+        *number = 0xffffffffffffffULL;
+    return res;
+}
+
 /*
  * Read the next element as an unsigned int.
  * 0 is success, < 0 is failure.
  */
 static int ebml_read_uint(ByteIOContext *pb, int size, uint64_t *num)
 {
     int n = 0;
 
-    if (size < 1 || size > 8)
+    if (size > 8)
         return AVERROR_INVALIDDATA;
 
     /* big-endian ordering; build up number */
     *num = 0;
     while (n++ < size)
         *num = (*num << 8) | get_byte(pb);
 
     return 0;
 }
 
 /*
  * Read the next element as a float.
  * 0 is success, < 0 is failure.
  */
 static int ebml_read_float(ByteIOContext *pb, int size, double *num)
 {
-    if (size == 4) {
+    if (size == 0) {
+        *num = 0;
+    } else if (size == 4) {
         *num= av_int2flt(get_be32(pb));
     } else if(size==8){
         *num= av_int2dbl(get_be64(pb));
     } else
         return AVERROR_INVALIDDATA;
 
     return 0;
 }
 
 /*
@@ skipping 162 matching lines @@
     if (syntax->list_elem_size) {
         EbmlList *list = data;
         list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
         data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
         memset(data, 0, syntax->list_elem_size);
         list->nb_elem++;
     }
 
     if (syntax->type != EBML_PASS && syntax->type != EBML_STOP) {
         matroska->current_id = 0;
-        if ((res = ebml_read_num(matroska, pb, 8, &length)) < 0)
+        if ((res = ebml_read_length(matroska, pb, &length)) < 0)
             return res;
     }
 
     switch (syntax->type) {
     case EBML_UINT:  res = ebml_read_uint  (pb, length, data);  break;
     case EBML_FLOAT: res = ebml_read_float (pb, length, data);  break;
     case EBML_STR:
     case EBML_UTF8:  res = ebml_read_ascii (pb, length, data);  break;
     case EBML_BIN:   res = ebml_read_binary(pb, length, data);  break;
     case EBML_NEST:  if ((res=ebml_read_master(matroska, length)) < 0)
@@ skipping 99 matching lines @@
                                   MatroskaTrack *track)
 {
     MatroskaTrackEncoding *encodings = track->encodings.elem;
     uint8_t* data = *buf;
     int isize = *buf_size;
     uint8_t* pkt_data = NULL;
     int pkt_size = isize;
     int result = 0;
     int olen;
 
+    if (pkt_size >= 10000000)
+        return -1;
+
     switch (encodings[0].compression.algo) {
     case MATROSKA_TRACK_ENCODING_COMP_HEADERSTRIP:
         return encodings[0].compression.settings.size;
 #if HAVE_LZO1X_999_COMPRESS
     case MATROSKA_TRACK_ENCODING_COMP_LZO:
         do {
             olen = pkt_size *= 3;
             pkt_data = av_realloc(pkt_data, pkt_size+AV_LZO_OUTPUT_PADDING);
             result = av_lzo1x_decode(pkt_data, &olen, data, &isize);
         } while (result==AV_LZO_OUTPUT_FULL && pkt_size<10000000);
@@ skipping 822 matching lines @@
                            + a * (h*w / a - track->audio.pkt_cnt--), a);
                     pkt->pos = pos;
                     pkt->stream_index = st->index;
                     dynarray_add(&matroska->packets,&matroska->num_packets,pkt);
                 }
             } else {
                 MatroskaTrackEncoding *encodings = track->encodings.elem;
                 int offset = 0, pkt_size = lace_size[n];
                 uint8_t *pkt_data = data;
 
-                if (lace_size[n] > size) {
+                if (pkt_size > size) {
                     av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
                     break;
                 }
 
                 if (encodings && encodings->scope & 1) {
                     offset = matroska_decode_buffer(&pkt_data,&pkt_size, track);
                     if (offset < 0)
                         continue;
                 }
 
@@ skipping 157 matching lines @@
     "matroska,webm",
     NULL_IF_CONFIG_SMALL("Matroska/WebM file format"),
     sizeof(MatroskaDemuxContext),
     matroska_probe,
     matroska_read_header,
     matroska_read_packet,
     matroska_read_close,
     matroska_read_seek,
     .metadata_conv = ff_mkv_metadata_conv,
 };