This commit squashes below avas patches and merge to M108.
References:
https://review.tizen.org/gerrit/279548
https://review.tizen.org/gerrit/279561
https://review.tizen.org/gerrit/279586
https://review.tizen.org/gerrit/279595
https://review.tizen.org/gerrit/279918
https://review.tizen.org/gerrit/282003
https://review.tizen.org/gerrit/282095
https://review.tizen.org/gerrit/282431
Change-Id: I800ae039bbbe0340a0f222582bda3fc1b8fd115b
Signed-off-by: Gajendra N <gajendra.n@samsung.com>
* scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
* larger than 200 bytes.
*/
-#define BUFSIZE (DCTSIZE2 * 4)
+#define BUFSIZE (DCTSIZE2 * 8)
#define LOAD_BUFFER() { \
if (state->free_in_buffer < BUFSIZE) { \
png_push_handle_unknown(png_ptr, info_ptr, png_ptr->push_length);
}
+ if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+#elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+#endif
+ if (png_ptr->push_length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
}
/* Check to see if chunk name is valid */
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+ /* Check for too-large chunk length */
+ if (png_ptr->chunk_name != png_IDAT)
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+#elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+#endif
+ if (length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
return length;
}
return AVERROR(EINVAL);
}
+ if (q->coding_mode == JOINT_STEREO && avctx->channels < 2) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid coding mode\n");
+ return AVERROR_INVALIDDATA;
+ }
+
/* Check the extradata */
if (version != 4) {
}
}
-static void render_line(int x0, int y0, int x1, int y1, float *buf)
+static void render_line(int x0, unsigned char y0, int x1, int y1, float *buf)
{
int dy = y1 - y0;
int adx = x1 - x0;
enum AVDiscard skip_thresh;
VP8Frame *av_uninit(curframe), *prev_frame;
+ av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P);
+
if (is_vp7)
ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size);
else
WmallDecodeCtx *s = avctx->priv_data;
uint8_t *edata_ptr = avctx->extradata;
unsigned int channel_mask;
- int i, log2_max_num_subframes;
+ int i, bits, log2_max_num_subframes;
if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) {
av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n");
s->len_prefix = s->decode_flags & 0x40;
/* get frame len */
- s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
- 3, s->decode_flags);
+ bits = ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags);
+ if (bits > WMALL_BLOCK_MAX_BITS) {
+ av_log_missing_feature(avctx, "big-bits block sizes", 1);
+ return AVERROR_INVALIDDATA;
+ }
+ s->samples_per_frame = 1 << bits;
av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE);
/* init previous block len */
int cur_len = start_off + len_off - off;
int prev_len = out_len;
out_len += cur_len;
- if (FFMIN(cur_len, len - off) < 0)
+ if (!asf->buf || FFMIN(cur_len, len - off) < 0)
return -1;
if ((res = av_reallocp(&asf->buf, out_len)) < 0)
return res;
for(;;) {
u8 label_len;
- if (j >= length) return -1;
GET8(label_len);
if (!label_len) break;
if (label_len & 0xc0) {
*cp++ = '.';
}
if (cp + label_len >= end) return -1;
+ if (j + label_len > length) return -1;
memcpy(cp, packet + j, label_len);
cp += label_len;
j += label_len;
size_t current = ctxt->input->cur - ctxt->input->base;
nbchars = xmlCharEncInput(in, terminate);
- xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
if (nbchars < 0) {
htmlParseErr(ctxt, XML_ERR_INVALID_ENCODING,
"encoder error\n", NULL, NULL);
return(XML_ERR_INVALID_ENCODING);
}
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
}
}
}
size_t current = ctxt->input->cur - ctxt->input->base;
nbchars = xmlCharEncInput(in, terminate);
- xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
if (nbchars < 0) {
/* TODO 2.6.0 */
xmlGenericError(xmlGenericErrorContext,
xmlHaltParser(ctxt);
return(XML_ERR_INVALID_ENCODING);
}
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
}
}
}
projects / platform / framework / web / chromium-efl.git / commitdiff