if (!key)
return 0;
- if (atom.size < 0)
+ if (atom.size < 0 || str_size >= INT_MAX/2)
return AVERROR_INVALIDDATA;
// worst-case requirement for output string in case of utf8 coded input
- str_size_alloc = raw ? str_size + 1 : str_size * 2;
- str = av_malloc(str_size_alloc);
+ str_size_alloc = (raw ? str_size : str_size * 2) + 1;
+ str = av_mallocz(str_size_alloc);
if (!str)
return AVERROR(ENOMEM);
return 0;
st = c->fc->streams[c->fc->nb_streams-1];
- if ((ret = ff_get_wav_header(pb, st->codec, atom.size)) < 0)
+ if ((ret = ff_get_wav_header(pb, st->codec, atom.size, 0)) < 0)
av_log(c->fc, AV_LOG_WARNING, "get_wav_header failed\n");
return ret;
static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb,
AVStream *st, MOVStreamContext *sc,
- int size)
+ int64_t size)
{
// ttxt stsd contains display flags, justification, background
// color, fonts, and default styles, so fake an atom to read it
static int mov_parse_stsd_data(MOVContext *c, AVIOContext *pb,
AVStream *st, MOVStreamContext *sc,
- int size)
+ int64_t size)
{
if (st->codec->codec_tag == MKTAG('t','m','c','d')) {
- if (ff_get_extradata(st->codec, pb, size) < 0)
+ if ((int)size != size || ff_get_extradata(st->codec, pb, size) < 0)
return AVERROR(ENOMEM);
if (size > 16) {
MOVStreamContext *tmcd_ctx = st->priv_data;
}
if (sc->keyframes)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STSS atom\n");
- av_free(sc->keyframes);
+ if (entries >= UINT_MAX / sizeof(int))
+ return AVERROR_INVALIDDATA;
+ av_freep(&sc->keyframes);
sc->keyframe_count = 0;
sc->keyframes = av_malloc_array(entries, sizeof(*sc->keyframes));
if (!sc->keyframes)
unsigned int i, j;
uint64_t stream_size = 0;
- /* adjust first dts according to edit list */
- if ((sc->empty_duration || sc->start_time) && mov->time_scale > 0) {
- if (sc->empty_duration)
- sc->empty_duration = av_rescale(sc->empty_duration, sc->time_scale, mov->time_scale);
- sc->time_offset = sc->start_time - sc->empty_duration;
- current_dts = -sc->time_offset;
- if (sc->ctts_count>0 && sc->stts_count>0 &&
- sc->ctts_data[0].duration / FFMAX(sc->stts_data[0].duration, 1) > 16) {
- /* more than 16 frames delay, dts are likely wrong
- this happens with files created by iMovie */
- sc->wrong_dts = 1;
- st->codec->has_b_frames = 1;
+ if (sc->elst_count) {
+ int i, edit_start_index = 0, unsupported = 0;
+ int64_t empty_duration = 0; // empty duration of the first edit list entry
+ int64_t start_time = 0; // start time of the media
+
+ for (i = 0; i < sc->elst_count; i++) {
+ const MOVElst *e = &sc->elst_data[i];
+ if (i == 0 && e->time == -1) {
+ /* if empty, the first entry is the start time of the stream
+ * relative to the presentation itself */
+ empty_duration = e->duration;
+ edit_start_index = 1;
+ } else if (i == edit_start_index && e->time >= 0) {
+ start_time = e->time;
+ } else
+ unsupported = 1;
+ }
+ if (unsupported)
+ av_log(mov->fc, AV_LOG_WARNING, "multiple edit list entries, "
+ "a/v desync might occur, patch welcome\n");
+
+ /* adjust first dts according to edit list */
+ if ((empty_duration || start_time) && mov->time_scale > 0) {
+ if (empty_duration)
+ empty_duration = av_rescale(empty_duration, sc->time_scale, mov->time_scale);
+ sc->time_offset = start_time - empty_duration;
+ current_dts = -sc->time_offset;
+ if (sc->ctts_count>0 && sc->stts_count>0 &&
+ sc->ctts_data[0].duration / FFMAX(sc->stts_data[0].duration, 1) > 16) {
+ /* more than 16 frames delay, dts are likely wrong
+ this happens with files created by iMovie */
+ sc->wrong_dts = 1;
+ st->codec->has_b_frames = 1;
+ }
}
}
av_freep(&sc->keyframes);
av_freep(&sc->stts_data);
av_freep(&sc->stps_data);
+ av_freep(&sc->elst_data);
av_freep(&sc->rap_group);
return 0;
static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
MOVStreamContext *sc;
- int i, edit_count, version, edit_start_index = 0;
- int unsupported = 0;
+ int i, edit_count, version;
if (c->fc->nb_streams < 1 || c->ignore_editlist)
return 0;
avio_rb24(pb); /* flags */
edit_count = avio_rb32(pb); /* entries */
- if ((uint64_t)edit_count*12+8 > atom.size)
- return AVERROR_INVALIDDATA;
+ if (!edit_count)
+ return 0;
+ if (sc->elst_data)
+ av_log(c->fc, AV_LOG_WARNING, "Duplicated ELST atom\n");
+ av_free(sc->elst_data);
+ sc->elst_count = 0;
+ sc->elst_data = av_malloc_array(edit_count, sizeof(*sc->elst_data));
+ if (!sc->elst_data)
+ return AVERROR(ENOMEM);
av_dlog(c->fc, "track[%i].edit_count = %i\n", c->fc->nb_streams-1, edit_count);
- for (i=0; i<edit_count; i++){
- int64_t time;
- int64_t duration;
- int rate;
+ for (i = 0; i < edit_count && !pb->eof_reached; i++) {
+ MOVElst *e = &sc->elst_data[i];
+
if (version == 1) {
- duration = avio_rb64(pb);
- time = avio_rb64(pb);
+ e->duration = avio_rb64(pb);
+ e->time = avio_rb64(pb);
} else {
- duration = avio_rb32(pb); /* segment duration */
- time = (int32_t)avio_rb32(pb); /* media time */
+ e->duration = avio_rb32(pb); /* segment duration */
+ e->time = (int32_t)avio_rb32(pb); /* media time */
}
- rate = avio_rb32(pb);
- if (i == 0 && time == -1) {
- sc->empty_duration = duration;
- edit_start_index = 1;
- } else if (i == edit_start_index && time >= 0)
- sc->start_time = time;
- else
- unsupported = 1;
-
+ e->rate = avio_rb32(pb) / 65536.0;
av_dlog(c->fc, "duration=%"PRId64" time=%"PRId64" rate=%f\n",
- duration, time, rate / 65536.0);
+ e->duration, e->time, e->rate);
}
-
- if (unsupported)
- av_log(c->fc, AV_LOG_WARNING, "multiple edit list entries, "
- "a/v desync might occur, patch welcome\n");
+ sc->elst_count = i;
return 0;
}
MOVAtom a;
int i;
+ if (c->atom_depth > 10) {
+ av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n");
+ return AVERROR_INVALIDDATA;
+ }
+ c->atom_depth ++;
+
if (atom.size < 0)
atom.size = INT64_MAX;
while (total_size + 8 <= atom.size && !avio_feof(pb)) {
{
av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n");
avio_skip(pb, -8);
+ c->atom_depth --;
return 0;
}
}
total_size += 8;
- if (a.size == 1) { /* 64 bit extended size */
+ if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */
a.size = avio_rb64(pb) - 8;
total_size += 8;
}
int64_t start_pos = avio_tell(pb);
int64_t left;
int err = parse(c, pb, a);
- if (err < 0)
+ if (err < 0) {
+ c->atom_depth --;
return err;
+ }
if (c->found_moov && c->found_mdat &&
((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) ||
start_pos + a.size == avio_size(pb))) {
if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX)
c->next_root_atom = start_pos + a.size;
+ c->atom_depth --;
return 0;
}
left = a.size - avio_tell(pb) + start_pos;
if (total_size < atom.size && atom.size < 0x7ffff)
avio_skip(pb, atom.size - total_size);
+ c->atom_depth --;
return 0;
}
av_freep(&sc->keyframes);
av_freep(&sc->stts_data);
av_freep(&sc->stps_data);
+ av_freep(&sc->elst_data);
av_freep(&sc->rap_group);
av_freep(&sc->display_matrix);
}
static int read_tfra(MOVContext *mov, AVIOContext *f)
{
MOVFragmentIndex* index = NULL;
- int version, fieldlength, i, j, err;
+ int version, fieldlength, i, j;
int64_t pos = avio_tell(f);
uint32_t size = avio_rb32(f);
+ void *tmp;
+
if (avio_rb32(f) != MKBETAG('t', 'f', 'r', 'a')) {
- return -1;
+ return 1;
}
av_log(mov->fc, AV_LOG_VERBOSE, "found tfra\n");
index = av_mallocz(sizeof(MOVFragmentIndex));
if (!index) {
return AVERROR(ENOMEM);
}
- mov->fragment_index_count++;
- if ((err = av_reallocp(&mov->fragment_index_data,
- mov->fragment_index_count *
- sizeof(MOVFragmentIndex*))) < 0) {
+
+ tmp = av_realloc_array(mov->fragment_index_data,
+ mov->fragment_index_count + 1,
+ sizeof(MOVFragmentIndex*));
+ if (!tmp) {
av_freep(&index);
- return err;
+ return AVERROR(ENOMEM);
}
- mov->fragment_index_data[mov->fragment_index_count - 1] =
- index;
+ mov->fragment_index_data = tmp;
+ mov->fragment_index_data[mov->fragment_index_count++] = index;
version = avio_r8(f);
avio_rb24(f);
index->track_id = avio_rb32(f);
fieldlength = avio_rb32(f);
index->item_count = avio_rb32(f);
- index->items = av_mallocz(
- index->item_count * sizeof(MOVFragmentIndexItem));
+ index->items = av_mallocz_array(
+ index->item_count, sizeof(MOVFragmentIndexItem));
if (!index->items) {
+ index->item_count = 0;
return AVERROR(ENOMEM);
}
for (i = 0; i < index->item_count; i++) {
av_log(c->fc, AV_LOG_DEBUG, "doesn't look like mfra (tag mismatch)\n");
goto fail;
}
- ret = 0;
av_log(c->fc, AV_LOG_VERBOSE, "stream has mfra\n");
- while (!read_tfra(c, f)) {
- /* Empty */
- }
+ do {
+ ret = read_tfra(c, f);
+ if (ret < 0)
+ goto fail;
+ } while (!ret);
+ ret = 0;
fail:
seek_ret = avio_seek(f, original_pos, SEEK_SET);
if (seek_ret < 0) {