From 1274b6893595f44a6b0b7d4c90527bc1b717c629 Mon Sep 17 00:00:00 2001
From: Petri Hintukainen <phintuka@users.sourceforge.net>
Date: Tue, 3 Nov 2009 17:15:27 +0200
Subject: Fixed buffer overflow. Removed scratch buffer from
 demux_mpeg_block_s.

---
 src/demuxers/demux_mpeg_block.c | 38 +++++++++++++-------------------------
 1 file changed, 13 insertions(+), 25 deletions(-)

diff --git a/src/demuxers/demux_mpeg_block.c b/src/demuxers/demux_mpeg_block.c
index ffbc63f3d..55eb0ce81 100644
--- a/src/demuxers/demux_mpeg_block.c
+++ b/src/demuxers/demux_mpeg_block.c
@@ -69,9 +69,6 @@ typedef struct demux_mpeg_block_s {
 
   char                  cur_mrl[256];
 
-  uint8_t              *scratch;
-  void                 *scratch_base;
-
   int64_t               nav_last_end_pts;
   int64_t               nav_last_start_pts;
   int64_t               last_pts[2];
@@ -1176,7 +1173,6 @@ static void demux_mpeg_block_dispose (demux_plugin_t *this_gen) {
 
   demux_mpeg_block_t *this = (demux_mpeg_block_t *) this_gen;
   
-  free (this->scratch_base);
   free (this);
 }
 
@@ -1189,18 +1185,19 @@ static int demux_mpeg_block_get_status (demux_plugin_t *this_gen) {
 static int demux_mpeg_detect_blocksize(demux_mpeg_block_t *this, 
 				       input_plugin_t *input)
 {
+  uint8_t scratch[4];
   input->seek(input, 2048, SEEK_SET);
-  if (input->read(input, this->scratch, 4) != 4)
+  if (input->read(input, scratch, 4) != 4)
     return 0;
 
-  if (this->scratch[0] || this->scratch[1]
-      || (this->scratch[2] != 0x01) || (this->scratch[3] != 0xba)) {
+  if (scratch[0] || scratch[1]
+      || (scratch[2] != 0x01) || (scratch[3] != 0xba)) {
 
     input->seek(input, 2324, SEEK_SET);
-    if (input->read(input, this->scratch, 4) != 4)
+    if (input->read(input, scratch, 4) != 4)
       return 0;
-    if (this->scratch[0] || this->scratch[1] 
-        || (this->scratch[2] != 0x01) || (this->scratch[3] != 0xba)) 
+    if (scratch[0] || scratch[1] 
+        || (scratch[2] != 0x01) || (scratch[3] != 0xba)) 
       return 0;
      
     return 2324;
@@ -1385,7 +1382,6 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
   this->demux_plugin.get_optional_data = demux_mpeg_block_get_optional_data;
   this->demux_plugin.demux_class       = class_gen;
 
-  this->scratch    = xine_xmalloc_aligned (512, 4096, &this->scratch_base);
   this->status     = DEMUX_FINISHED;
 
   lprintf ("open_plugin:detection_method=%d\n",
@@ -1397,13 +1393,14 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
 
     /* use demux_mpeg for non-block devices */
     if (!(input->get_capabilities(input) & INPUT_CAP_BLOCK)) {
-      free (this->scratch_base);
       free (this);
       return NULL;
     }
 
     if (((input->get_capabilities(input) & INPUT_CAP_SEEKABLE) != 0) ) {
 
+      uint8_t scratch[5] = {0xff, 0xff, 0xff, 0xff, 0xff}; /* result of input->read() won't matter */
+
       this->blocksize = input->get_blocksize(input);
       lprintf("open_plugin:blocksize=%d\n",this->blocksize);
 
@@ -1411,29 +1408,25 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
         this->blocksize = demux_mpeg_detect_blocksize( this, input );
 
       if (!this->blocksize) {
-        free (this->scratch_base);
         free (this);
         return NULL;
       }
 
       input->seek(input, 0, SEEK_SET);
-      memset (this->scratch, 255, 5); /* result of input->read() won't matter */
-      if (input->read(input, this->scratch, this->blocksize)) {
+      if (input->read(input, scratch, 5)) {
 	lprintf("open_plugin:read worked\n");
 
-        if (this->scratch[0] || this->scratch[1]
-            || (this->scratch[2] != 0x01) || (this->scratch[3] != 0xba)) {
+        if (scratch[0] || scratch[1]
+            || (scratch[2] != 0x01) || (scratch[3] != 0xba)) {
 	  lprintf("open_plugin:scratch failed\n");
 
-          free (this->scratch_base);
           free (this);
           return NULL;
         }
 
         /* if it's a file then make sure it's mpeg-2 */
         if ( !input->get_blocksize(input)
-             && ((this->scratch[4]>>4) != 4) ) {
-          free (this->scratch_base);
+             && ((scratch[4]>>4) != 4) ) {
           free (this);
           return NULL;
         }
@@ -1447,7 +1440,6 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
         break;
       }
     }
-    free (this->scratch_base);
     free (this);
     return NULL;
   }
@@ -1468,7 +1460,6 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
       ending = strrchr(mrl, '.');
 
       if (!ending) {
-        free (this->scratch_base);
         free (this);
         return NULL;
       }
@@ -1478,7 +1469,6 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
         this->blocksize = 2048;
         demux_mpeg_block_accept_input(this, input);
       } else {
-        free (this->scratch_base);
         free (this);
         return NULL;
       }
@@ -1496,7 +1486,6 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
       this->blocksize = demux_mpeg_detect_blocksize( this, input );
 
     if (!this->blocksize) {
-      free (this->scratch_base);
       free (this);
       return NULL;
     }
@@ -1506,7 +1495,6 @@ static demux_plugin_t *open_plugin (demux_class_t *class_gen, xine_stream_t *str
   break;
 
   default:
-    free (this->scratch_base);
     free (this);
     return NULL;
   }
-- 
cgit v1.2.3


From 1c0d093f3bfd5861550d9fbb23a998b0204b9bed Mon Sep 17 00:00:00 2001
From: Petri Hintukainen <phintuka@users.sourceforge.net>
Date: Tue, 17 Nov 2009 13:17:25 +0000
Subject: VC1 support fixes There are two tricks to make VC1 decoding work: 1)
 VC1 sequence and entry point headers must be present in context->extradata.
 2) video width and height must be known when opening decoder.

Some container formats store required extra data, but mpeg-ts does not.

1) is fixed by scanning the stream for headers and discarding all data until
proper headers are found.

2) is fixed by re-opening decoder with width and height information from
first open.
---
 ChangeLog                              |  1 +
 src/combined/ffmpeg/ff_video_decoder.c | 62 ++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f8ba8a1e5..3f37ddd20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ xine-lib (1.1.17) 2009-??-??
   * The XML parser & lexer code now has re-entrancy.
   * Fixed a bug which prevented "dvb://" (no channel specified) working with
     the default configuration.
+  * Handle VC1 extradata requirement (should fix playback).
 
 xine-lib (1.1.16.3) 2009-04-03
   * Security fixes:
diff --git a/src/combined/ffmpeg/ff_video_decoder.c b/src/combined/ffmpeg/ff_video_decoder.c
index 60f2c5d9c..98caac269 100644
--- a/src/combined/ffmpeg/ff_video_decoder.c
+++ b/src/combined/ffmpeg/ff_video_decoder.c
@@ -340,6 +340,22 @@ static void init_video_codec (ff_video_decoder_t *this, unsigned int codec_type)
     return;
   }
 
+  if (this->codec->id == CODEC_ID_VC1 && 
+      (!this->bih.biWidth || !this->bih.biHeight)) {
+    /* VC1 codec must be re-opened with correct width and height. */
+    avcodec_close(this->context);
+
+    if (avcodec_open (this->context, this->codec) < 0) {
+      pthread_mutex_unlock(&ffmpeg_lock);
+      xprintf (this->stream->xine, XINE_VERBOSITY_LOG, 
+	       _("ffmpeg_video_dec: couldn't open decoder (pass 2)\n"));
+      free(this->context);
+      this->context = NULL;
+      _x_stream_info_set(this->stream, XINE_STREAM_INFO_VIDEO_HANDLED, 0);
+      return;
+    }
+  }
+
   if (this->class->thread_count > 1) {
     avcodec_thread_init(this->context, this->class->thread_count);
     this->context->thread_count = this->class->thread_count;
@@ -1165,6 +1181,49 @@ static void ff_check_pts_tagging(ff_video_decoder_t *this, uint64_t pts)
   }
 }
 
+static int ff_vc1_find_header(ff_video_decoder_t *this, buf_element_t *buf)
+{
+  uint8_t *p = buf->content;
+
+  if (!p[0] && !p[1] && p[2] == 1 && p[3] == 0x0f) {
+    int i;
+
+    this->context->extradata = calloc(1, buf->size);
+    this->context->extradata_size = 0;
+
+    for (i = 0; i < buf->size && i < 128; i++) {
+      if (!p[i] && !p[i+1] && p[i+2]) {
+	lprintf("00 00 01 %02x at %d\n", p[i+3], i);
+	if (p[i+3] != 0x0e && p[i+3] != 0x0f)
+	  break;
+      }
+      this->context->extradata[i] = p[i];
+      this->context->extradata_size++;
+    }
+
+    lprintf("ff_video_decoder: found VC1 sequence header\n");
+    return 1;
+  }
+
+  xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG,
+	  "ffmpeg_video_dec: VC1 extradata missing !\n");
+  return 0;
+}
+
+static int ff_check_extradata(ff_video_decoder_t *this, unsigned int codec_type, buf_element_t *buf)
+{
+  if (this->context && this->context->extradata)
+    return 1;
+
+  switch (codec_type) {
+  case BUF_VIDEO_VC1:
+    return ff_vc1_find_header(this, buf);
+  default:;
+  }
+
+  return 1;
+}
+
 #endif /* AVCODEC_HAS_REORDERED_OPAQUE */
 static void ff_handle_buffer (ff_video_decoder_t *this, buf_element_t *buf) {
   uint8_t *chunk_buf = this->buf;
@@ -1176,6 +1235,9 @@ static void ff_handle_buffer (ff_video_decoder_t *this, buf_element_t *buf) {
     if (this->decoder_init_mode) {
       int codec_type = buf->type & 0xFFFF0000;
 
+      if (!ff_check_extradata(this, codec_type, buf))
+	return;
+
       /* init ffmpeg decoder */
       init_video_codec(this, codec_type);
       init_postprocess(this);
-- 
cgit v1.2.3