From 77e6676d3eb3a5161f75103180d4ef3f3c8eb5c7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 22 Dec 2012 01:21:09 -0500 Subject: [PATCH 1/9] alacdec: do not be too strict about the extradata size Sometimes the extradata has duplicate atoms, but that shouldn't prevent decoding. Just ensure that it is at least 36 bytes as a sanity check. CC: libav-stable@libav.org (cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec) Signed-off-by: Reinhard Tartler --- libavcodec/alac.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 278cc99969..da789087fd 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -605,10 +605,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) alac->avctx = avctx; /* initialize from the extradata */ - if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) { - av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n", - ALAC_EXTRADATA_SIZE); - return -1; + if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n"); + return AVERROR_INVALIDDATA; } if (alac_set_info(alac)) { av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n"); From dfb7a638e6b9d4b86b7e3c5cf97bdd7621adc5f6 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 8 Nov 2012 18:35:49 -0500 Subject: [PATCH 2/9] opt: avoid segfault in av_opt_next() if the class does not have an option list CC: libav-stable@libav.org (cherry picked from commit d02202e08a994c6c80f0256ae756698541b59902) Signed-off-by: Reinhard Tartler --- libavutil/opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 7c53024d25..aea381eead 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c 
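Review bot: Relaxing `!=` to `<` means extradata larger than ALAC_EXTRADATA_SIZE is now accepted, so whatever parses it — `alac_set_info`, called just below and defined outside the hunk — must stay bounded to the first ALAC_EXTRADATA_SIZE bytes rather than walking `extradata_size`; the commit message says duplicate atoms now pass, so that bound is worth confirming. The new log line also dropped the size that the old message reported, which makes a rejection harder to diagnose from a log; I would keep it: `av_log(avctx, AV_LOG_ERROR, "alac: extradata too small (%d < %d)\n", alac->avctx->extradata_size, ALAC_EXTRADATA_SIZE);`. alac_decode_init continues outside the hunk.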
@@ -57,8 +57,10 @@ const AVOption *av_next_option(void *obj, const AVOption *last) const AVOption *av_opt_next(void *obj, const AVOption *last) { AVClass *class = *(AVClass**)obj; - if (!last && class->option[0].name) return class->option; - if (last && last[1].name) return ++last; + if (!last && class->option && class->option[0].name) + return class->option; + if (last && last[1].name) + return ++last; return NULL; } From d1d329932fd47d5e0fd4ca3c37827b98981c62cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 7 Jan 2013 18:39:04 +0200 Subject: [PATCH 3/9] rtsp: Recheck the reordering queue if getting a new packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler --- libavformat/rtsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 2858a9a806..5a691f24c0 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1711,6 +1711,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) rt->cur_transport_priv = NULL; } +redo: if (rt->transport == RTSP_TRANSPORT_RTP) { int i; int64_t first_queue_time = 0; @@ -1726,12 +1727,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) first_queue_st = rt->rtsp_streams[i]; } } - if (first_queue_time) + if (first_queue_time) { wait_end = first_queue_time + s->max_delay; + } else { + wait_end = 0; + first_queue_st = NULL; + } } /* read next RTP packet */ - redo: if (!rt->recvbuf) { rt->recvbuf = av_malloc(RECVBUF_SIZE); if (!rt->recvbuf) 
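Review bot: The contract that makes the second branch safe is undocumented: `last && last[1].name` still indexes one past `last` unconditionally, so the function is only correct when every option table ends with a sentinel entry whose `name` is NULL. Since the first branch now explicitly tolerates `class->option == NULL`, I would state both assumptions above the first `if`: `/* option tables end with a sentinel whose name is NULL; class->option itself may be NULL */`. A `last` that was not drawn from this class's table is still undetectable here, which is acceptable as long as the comment says so.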
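Review bot: Moving the `redo:` label above the queue scan means every pass rescans `rt->rtsp_streams[]`, and the new else branch clears `wait_end` and `first_queue_st`, but nothing at the label says why, so the next reader may move it back below the scan and reintroduce the loop the message describes; I would put `/* redo: rescan the reorder queue each pass, a timed-out entry can be consumed without a packet being returned */` on the label line. The same point covers both rtsp hunks, which are one fix. `wait_end` and `first_queue_st` are declared outside the hunks, so their values before the first pass are not visible here, and ff_rtsp_fetch_packet continues outside them.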
From 9ded14fcb8a57e0ec24b147f19d02faf4b7b93b3 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 7 Mar 2012 14:26:58 -0800 Subject: [PATCH 4/9] Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis Signed-off-by: Ronald S. Bultje (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 36e2c452da..950308b462 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -70,8 +70,7 @@ static int ogg_save(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++){ struct ogg_stream *os = ogg->streams + i; - os->buf = av_malloc (os->bufsize); - memset (os->buf, 0, os->bufsize); + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (os->buf, ost->streams[i].buf, os->bufpos); } @@ -168,7 +167,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) os = ogg->streams + idx; os->serial = serial; os->bufsize = DECODER_BUFFER_SIZE; - os->buf = av_malloc(os->bufsize); + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->header = -1; if (new_avstream) { @@ -186,7 +185,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) static int ogg_new_buf(struct ogg *ogg, int idx) { struct ogg_stream *os = ogg->streams + idx; - uint8_t *nb = av_malloc(os->bufsize); + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); int size = os->bufpos - os->pstart; if(os->buf){ memcpy(nb, os->buf + os->pstart, size); 
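Review bot: All three allocations in these hunks remain unchecked after the padding is added: in ogg_save the `av_mallocz` result is passed straight to `memcpy`, in ogg_new_stream the `av_malloc` result is stored into `os->buf` without a test, and in ogg_new_buf `nb` is the `memcpy` destination on the next line. The later patch in this series adds NULL checks to the realloc in ogg_new_stream and to the grow path in ogg_read_page but not to these sites, so an allocation failure on a large or hostile file still writes through NULL. Each function already returns `int`, so `if (!nb) return AVERROR(ENOMEM);` fits ogg_new_buf directly; ogg_save and ogg_new_stream may need to unwind state built before the hunk, which is not visible here.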
@@ -297,7 +296,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) } if (os->bufsize - os->bufpos < size){ - uint8_t *nb = av_malloc (os->bufsize *= 2); + uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; @@ -311,6 +310,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) os->granule = gp; os->flags = flags; + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); if (str) *str = idx; From 6eebba08e1888371637c2f86878130f9e7a30732 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 22 Dec 2012 17:58:24 +0100 Subject: [PATCH 5/9] oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 950308b462..42a1a558ae 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -161,8 +161,13 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) AVStream *st; struct ogg_stream *os; - ogg->streams = av_realloc (ogg->streams, - ogg->nstreams * sizeof (*ogg->streams)); + os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams)); + + if (!os) + return AVERROR(ENOMEM); + + ogg->streams = os; + memset (ogg->streams + idx, 0, sizeof (*ogg->streams)); os = ogg->streams + idx; os->serial = serial; @@ -297,6 +302,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) if (os->bufsize - os->bufpos < size){ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); + if (!nb) + return AVERROR(ENOMEM); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; From 03fec31cd76f1b9eb980d4e422e569d95cad326c Mon Sep 17 00:00:00 2001 
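Review bot: The new `memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE)` is only in bounds because every allocation of `os->buf` in this file now adds FF_INPUT_BUFFER_PADDING_SIZE and the grow path above keeps `os->bufpos` within `os->bufsize`; that coupling deserves a comment at the memset, e.g. `/* buf carries FF_INPUT_BUFFER_PADDING_SIZE extra bytes; zero them so over-reading parsers see defined data */`. Any future allocation site that forgets the padding turns this memset into a heap write past the buffer, so one helper that allocates `bufsize + FF_INPUT_BUFFER_PADDING_SIZE` would be safer than repeating the expression at four sites. ogg_read_page continues outside the hunk.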
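Review bot: On the new `return AVERROR(ENOMEM)` path `ogg->nstreams` still counts the stream that was never allocated: the realloc size is `ogg->nstreams * sizeof (*ogg->streams)` and `idx` indexes into it, so if `idx` was produced by incrementing `ogg->nstreams` above the hunk (not visible here), a later walk over `ogg->nstreams` entries, such as ogg_read_close, would step past the old array. I would roll the count back before returning, e.g. `if (!os) { ogg->nstreams--; return AVERROR(ENOMEM); }`, after confirming how `idx` is derived. ogg_new_stream continues outside the hunk.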
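Review bot: `os->bufsize *= 2` is evaluated inside the `av_malloc` argument, so when the new `if (!nb) return AVERROR(ENOMEM);` fires, `os->bufsize` has already been doubled while `os->buf` is still the old, smaller allocation; if decoding continues after that error, the next page passes the `os->bufsize - os->bufpos < size` check and whatever appends the `size` page bytes after it (outside the hunk) writes past the real buffer. Commit the new size only after the allocation succeeds: `int bufsize = os->bufsize * 2;` / `uint8_t *nb = av_malloc(bufsize + FF_INPUT_BUFFER_PADDING_SIZE);` and `os->bufsize = bufsize;` placed after the NULL check. The signed doubling can also overflow on a pathological stream; capping it is outside this fix but worth a comment. ogg_read_page continues outside the hunk.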
From: Luca Barbato Date: Fri, 4 Jan 2013 15:44:02 +0100 Subject: [PATCH 6/9] oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 42a1a558ae..3079685652 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -501,15 +501,30 @@ static int ogg_get_length(AVFormatContext *s) return 0; } -static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap) +static int ogg_read_close(AVFormatContext *s) +{ + struct ogg *ogg = s->priv_data; + int i; + + for (i = 0; i < ogg->nstreams; i++) { + av_free(ogg->streams[i].buf); + av_free(ogg->streams[i].private); + } + av_free(ogg->streams); + return 0; +} + +static int ogg_read_header(AVFormatContext *s) { struct ogg *ogg = s->priv_data; int ret, i; ogg->curidx = -1; //linear headers seek from start ret = ogg_get_headers(s); - if (ret < 0) + if (ret < 0) { + ogg_read_close(s); return ret; + } for (i = 0; i < ogg->nstreams; i++) if (ogg->streams[i].header < 0) @@ -594,19 +609,6 @@ retry: return psize; } -static int ogg_read_close(AVFormatContext *s) -{ - struct ogg *ogg = s->priv_data; - int i; - - for (i = 0; i < ogg->nstreams; i++){ - av_free (ogg->streams[i].buf); - av_free (ogg->streams[i].private); - } - av_free (ogg->streams); - return 0; -} - static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { From 06312bbb101815a992fae0e16cde89ea4066a3a1 Mon Sep 17 00:00:00 2001 
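Review bot: ogg_read_close leaves `ogg->streams` pointing at freed memory and `ogg->nstreams` unchanged, and the new failure path in ogg_read_header now calls it while the demuxer context stays live; if the caller also runs the format's read_close after a failed header read (common in libavformat, not visible here), every `buf`, `private` and the streams array are freed twice. Resetting the fields makes the call idempotent: `av_free(ogg->streams); ogg->streams = NULL; ogg->nstreams = 0;`. Separately, the removed line shows ogg_read_header took `AVFormatParameters *ap` on this branch while the replacement drops it; if AVInputFormat.read_header in this tree still declares that parameter (the Conflicts marker in the message suggests manual resolution), the table assignment outside the hunk now has a mismatched function pointer type. The second hunk is the moved original and needs no separate note.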
From: Janne Grunau Date: Wed, 28 Nov 2012 22:17:14 +0100 Subject: [PATCH 7/9] h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 97b21155f0..002477b8eb 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4013,6 +4013,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx->inter_gb_ptr= &hx->inter_gb; if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning + && s->current_picture_ptr && s->context_initialized && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=AV_PICTURE_TYPE_B) From adef01c370c909ed639dde3277476fab704589be Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 12 Jan 2013 17:22:50 +0100 Subject: [PATCH 8/9] h264: check ref_count validity for num_ref_idx_active_override_flag Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org (cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8) Signed-off-by: Janne Grunau --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 002477b8eb..f3a47fe8c0 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
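Review bot: The added `s->current_picture_ptr && s->context_initialized` guard silently skips the partition, and nothing at the site records that a data-partitioned slice can reach this point before any picture or context exists on a damaged stream, so a later cleanup of this long condition could drop it without noticing; a short comment keeps the intent: `/* corrupt streams can deliver partitions before a picture/context exists; skip them rather than dereference */`. The condition spans more lines than the hunk shows, and decode_nal_units continues outside it.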
@@ -3121,8 +3121,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(num_ref_idx_active_override_flag){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; - if(h->slice_type_nos==AV_PICTURE_TYPE_B) + if (h->ref_count[0] < 1) + return AVERROR_INVALIDDATA; + if (h->slice_type_nos == AV_PICTURE_TYPE_B) { h->ref_count[1]= get_ue_golomb(&s->gb) + 1; + if (h->ref_count[1] < 1) + return AVERROR_INVALIDDATA; + } } if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { From cf2cab5b2ab80fa2914692e02fa3488aaab7697e Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 17:21:15 +0100 Subject: [PATCH 9/9] Update Changelog --- Changelog | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/Changelog b/Changelog index d3c743d111..c85120345a 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,25 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.5: + +- Several bugs and crashes have been fixed in the following codecs: + Indeo 4 (CVE-2012-2791), VP5/VP6 (CVE-2012-2783), Indeo 3 (CVE-2012-2804), + MPEG-1/2 (CVE-2012-2803), MP3 (CVE-2012-2797), AAC (CVE-2012-5144), + AC-3 (CVE-2012-2802), AVS (CVE-2012-2801), DFA (CVE-2012-2798) + +- backported hardening patches for h264 and svq3 + +- smaller bug fixes in id3v2 (Bug 395), RTSP, option handling, ALAC, + Flash Screen Video + +- unconditionally enable PIC on PowerPC + +- x86: Require an assembler able to cope with AVX instructions + +- fix a serious memory leak on broken Ogg files + + version 0.8.4: - Several bugs and crashes have been fixed in the following codecs:
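Review bot: Each count is stored into `h->ref_count[]` before it is validated, so on the new `return AVERROR_INVALIDDATA` paths the context keeps the rejected value; unless the caller discards the slice context on error (not visible here), a later slice could run with a count that failed validation. Reading into a local first avoids that: `int n = get_ue_golomb(&s->gb) + 1;` / `if (n < 1) return AVERROR_INVALIDDATA;` / `h->ref_count[0] = n;`, and likewise for `ref_count[1]`. The existing `> max_refs` check just below has the same store-then-check shape and would fold into the same local. decode_slice_header continues outside the hunk.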