From efa8603518258aa992752e0589d8fdd7b7d1f66b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 1 Mar 2013 16:45:24 +0200
Subject: [PATCH 1/4] flvdec: Check the return value of a malloc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The callers of this function can't report errors sanely. If this one malloc fails, don't write the extradata byte, make sure we try to malloc it the next time we're called instead, and make sure we still consume the input data byte.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit c5a738ca4e9789b4678b10240777d931e7dc24c9)
Signed-off-by: Reinhard Tartler
---
 libavformat/flvdec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index e45a9a2bfa..403a9b5089 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -213,10 +213,14 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_co
 vcodec->codec_id = AV_CODEC_ID_VP6A;
 if (read) {
 if (vcodec->extradata_size != 1) {
- vcodec->extradata_size = 1;
 vcodec->extradata = av_malloc(1);
+ if (vcodec->extradata)
+ vcodec->extradata_size = 1;
 }
- vcodec->extradata[0] = avio_r8(s->pb);
+ if (vcodec->extradata)
+ vcodec->extradata[0] = avio_r8(s->pb);
+ else
+ avio_skip(s->pb, 1);
 }
 return 1; // 1 byte body size adjustment for flv_read_packet()
 case FLV_CODECID_H264:
From b6f5a1ca588c2d632184f6f8151b4f6100309db4 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 14 Feb 2013 11:43:20 +0100
Subject: [PATCH 2/4] h264: on reference overflow, reset the reference count to 0, not 1.
Since decode_slice_header() returns before the reference lists are constructed, there are zero valid references.
CC:libav-stable@libav.org
(cherry picked from commit 668e16a0dd1ff56d4beeff5c658d8a2a08dbfac8)
Conflicts: libavcodec/h264.c
---
 libavcodec/h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
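Review bot: The new-side `vcodec->extradata = av_malloc(1);` still overwrites the previous `vcodec->extradata` pointer without freeing it, and when the allocation fails `vcodec->extradata_size` keeps whatever non-1 value it had while the pointer is now NULL, so size and pointer disagree on the failure path. Resetting the pair first keeps them consistent on both paths: `av_freep(&vcodec->extradata);` and `vcodec->extradata_size = 0;` immediately before the `av_malloc(1)` line. Whether extradata can already be non-NULL here depends on the earlier part of flv_set_video_codec, which starts before the hunk and continues past `case FLV_CODECID_H264:`. The `avio_skip(s->pb, 1)` fallback does keep the stream position in step with the success path, which is the part callers could not recover from otherwise. Separately, `av_malloc(1)` allocates no trailing padding; if the consumer of this extradata expects the usual padded extradata buffer, that is worth confirming.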
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 848d6a2d31..6f49dd28f2 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3046,7 +3046,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
 av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0] = h->ref_count[1] = 1;
+ h->ref_count[0] = h->ref_count[1] = 0;
 return AVERROR_INVALIDDATA;
 }
From 704952fee52f4033018919fee7815ee3bc833280 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 14 Feb 2013 11:44:33 +0100
Subject: [PATCH 3/4] h264: set ref_count to 0 for intra slices.
CC:libav-stable@libav.org
(cherry picked from commit 437211ae73ef1ed8285b4fed7620502ea4999e11)
Fixes deadlocks waiting for non-existing references with some fuzzed files.
Signed-off-by: Reinhard Tartler
---
 libavcodec/h264.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 6f49dd28f2..54f618653d 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3039,8 +3039,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 h->list_count = 2;
 else
 h->list_count = 1;
- } else
+ } else {
 h->list_count = 0;
+ h->ref_count[0] = h->ref_count[1] = 0;
+ }
+
 max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
From a3b3096772c65899d7ca43a913051420d706c88a Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Sat, 2 Mar 2013 10:54:07 +0100
Subject: [PATCH 4/4] update Changelog
---
 Changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Changelog b/Changelog
index d20dca904f..707bc69a67 100644
--- a/Changelog
+++ b/Changelog 
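Review bot: The new line `h->ref_count[0] = h->ref_count[1] = 0;` ahead of `return AVERROR_INVALIDDATA;` carries its rationale only in the commit message; in the code a reader sees a reset that changed from 1 to 0 and has no way to tell why 0 is the safe value. Suggest `/* returning before the ref lists are built, so there are no valid references */` directly above it. The same applies to the intra-slice branch in the second h264 hunk (`-3039,8 +3039,11`), where the added `h->ref_count[0] = h->ref_count[1] = 0;` next to `h->list_count = 0;` would benefit from `/* I slices carry no reference lists; a stale non-zero count here is reported to cause waits on references that never arrive */`, wording taken from that commit's deadlock note. decode_slice_header begins before and ends after both hunks, so where ref_count is otherwise initialised is not visible here.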
@@ -1,6 +1,13 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
+version 9.3:
+- h264: fix deadlocks with broken/fuzzed files
+- flvdec: make decoder more robust
+- vorbisdec: fix buffer overflow (CVE-2013-0894)
+- ac3dec: validate channel output mode against channel count
+- doc: minor improvements
+
 version 9.2:
 - loco: check that there is data left after decoding a plane.
 - mov: use the format context for logging.