From 4169912f3969f9207c3a5fefdf1b7a4185edb1c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Apr 2012 18:49:50 +0200 Subject: [PATCH 01/20] Update for 0.8.11 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 722a86058c..d60e276989 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.10 +PROJECT_NUMBER = 0.8.11 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index ef50561618..83ce05d72f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.10 +0.8.11 diff --git a/VERSION b/VERSION index ef50561618..83ce05d72f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.10 +0.8.11 From 26ac878cc206462de307d85466bc43972e264aee Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 16:37:09 -0700 Subject: [PATCH 02/20] h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler (cherry picked from commit 746f1594d71dece6fd6f786447e19be9c200a07d) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 4 ++-- libavcodec/h264_ps.c | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f1ccc8af38..beb89a07e1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2602,9 +2602,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { - if(h != h0) { + if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) { av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0); - return -1; // width / height changed during parallelized decoding + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } free_tables(h, 0); flush_dpb(s->avctx); diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 677ca80abb..fe988e9e78 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -467,6 +467,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){ if(pps_id >= MAX_PPS_COUNT) { av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); return -1; + } else if (h->sps.bit_depth_luma > 10) { + av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma); + return AVERROR_PATCHWELCOME; } pps= av_mallocz(sizeof(PPS)); From 3fc967f6c7ab2a21e9e4cca93487286b431cd64a Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 12:24:10 -0700 Subject: [PATCH 03/20] h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080) Signed-off-by: Reinhard Tartler (cherry picked from commit 7fe4c8cb761b0fc8685dacf9f187311b9d124a52) Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index abdaf2bf24..021e172c68 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -426,6 +426,13 @@ retry: if (ret < 0){ av_log(s->avctx, AV_LOG_ERROR, "header damaged\n"); return -1; + } else if ((s->width != avctx->coded_width || + s->height != avctx->coded_height || + (s->width + 15) >> 4 != s->mb_width || + (s->height + 15) >> 4 != s->mb_height) && + (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } avctx->has_b_frames= !s->low_delay; @@ -567,11 +574,6 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat - if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { - av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); - return -1; // width / height changed during parallelized decoding - } - s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 2 May 2012 12:08:03 -0700 Subject: [PATCH 04/20] motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e) Signed-off-by: Reinhard Tartler (cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e) Signed-off-by: Reinhard Tartler --- libavcodec/motionpixels.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 23433a1caf..fd37622603 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -190,10 +190,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y) p = mp_get_yuv_from_rgb(mp, x - 1, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((x & 3) == 0) { if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p; } else { p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v; @@ -217,9 +220,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) p = mp_get_yuv_from_rgb(mp, 0, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); } mp->vpt[y] = p; mp_set_rgb_from_yuv(mp, 0, y, &p); From 08c81f7365af96c1655767e68d6ec85bea50600c Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 4 May 2012 10:27:03 -0700 Subject: [PATCH 05/20] celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b) Signed-off-by: Reinhard Tartler (cherry picked from commit 9ea94c44b1b414ab3bc6e9220ebb77621423ca38) Signed-off-by: Reinhard Tartler --- libavcodec/celp_filters.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index 25a6744b04..849cda439e 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, out2 -= val * old_out2; out3 -= val * old_out3; - old_out3 = out[-5]; - for (i = 5; i <= filter_length; i += 2) { + old_out3 = out[-i]; val = filter_coeffs[i-1]; out0 -= val * old_out3; @@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, FFSWAP(float, old_out0, old_out2); old_out1 = old_out3; - old_out3 = out[-i-2]; } tmp0 = out0; From c71c77e56fcc6d469d45e1c8ce04aa053124d3f8 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 23 Apr 2012 13:16:33 +0100 Subject: [PATCH 06/20] vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler (cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index caffddbfa4..81b08d11a8 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -155,6 +155,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); From 3313f31f012a434a7c7aac6cb2c554d5cbac88fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Feb 2012 13:35:10 -0800 Subject: [PATCH 07/20] h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse Signed-off-by: Reinhard Tartler (cherry picked from commit 4be63587e110c05cda3101abf2e3745d919f3fae) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 021e172c68..15fc724e54 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -574,6 +574,11 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat + if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return -1; // width / height changed during parallelized decoding + } + s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From b581580bd1cc8506befa65b0a5c9ae429240f21f Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Thu, 5 Jan 2012 20:50:55 +0100 Subject: [PATCH 08/20] adpcm: ADPCM Electronic Arts has always two channels Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Adresses CVE-2012-0852 (cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716) Conflicts: libavcodec/adpcm.c Signed-off-by: Reinhard Tartler --- libavcodec/adpcm.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 069690a64a..4384e1dcee 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -744,9 +744,13 @@ static int adpcm_encode_frame(AVCodecContext *avctx, static av_cold int adpcm_decode_init(AVCodecContext * avctx) { ADPCMContext *c = avctx->priv_data; + unsigned int min_channels = 1; unsigned int max_channels = 2; switch(avctx->codec->id) { + case CODEC_ID_ADPCM_EA: + min_channels = 2; + break; case CODEC_ID_ADPCM_EA_R1: case CODEC_ID_ADPCM_EA_R2: case CODEC_ID_ADPCM_EA_R3: @@ -754,8 +758,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) max_channels = 6; break; } - if(avctx->channels > max_channels){ - return -1; + + if (avctx->channels < min_channels || avctx->channels > max_channels) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR(EINVAL); } switch(avctx->codec->id) { From c5f7c755cfccd7aa01010a2d566104c2b0fa6d86 Mon Sep 17 00:00:00 2001 From: Alexander Strange Date: Sat, 24 Mar 2012 17:32:14 -0400 Subject: [PATCH 09/20] h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler (cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index fe988e9e78..9eeff59762 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -329,8 +329,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->profile_idc >= 100){ //high profile sps->chroma_format_idc= get_ue_golomb_31(&s->gb); - if(sps->chroma_format_idc == 3) + if(sps->chroma_format_idc > 3) { + av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); + return -1; + } else if(sps->chroma_format_idc == 3) { sps->residual_color_transform_flag = get_bits1(&s->gb); + } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; sps->transform_bypass = get_bits1(&s->gb); From 2f2fd8c6d1c51a6b817e6c0bc4eff308b8f9cd18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Dec 2011 04:13:37 +0100 Subject: [PATCH 10/20] tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer Signed-off-by: Reinhard Tartler (cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f) (cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c) Signed-off-by: Reinhard Tartler (cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35) Signed-off-by: Reinhard Tartler --- libavcodec/eatqi.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index aa96437013..6c5604820a 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx) return 0; } -static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) +static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) { int n; s->dsp.clear_blocks(block[0]); for (n=0; n<6; n++) - ff_mpeg1_decode_block_intra(s, block[n], n); + if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0) + return -1; + + return 0; } static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64]) @@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx, for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++) for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++) { - tqi_decode_mb(s, t->block); + if (tqi_decode_mb(s, t->block) < 0) + break; tqi_idct_put(t, t->block); } From 654b24f68a803fbc85764899a07294483dccf54f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 17 Feb 2012 14:13:40 -0800 Subject: [PATCH 11/20] dpcm: ignore extra unpaired bytes in stereo streams. Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e) (cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4) Conflicts: libavcodec/dpcm.c Signed-off-by: Reinhard Tartler --- libavcodec/dpcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index af5bf8abea..9cf924821a 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, int in, out = 0; int predictor[2]; int channel_number = 0; + int stereo = s->channels - 1; short *output_samples = data; int shift[2]; unsigned char byte; @@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx, if (!buf_size) return 0; + if (stereo && (buf_size & 1)) + buf_size--; + // almost every DPCM variant expands one byte of data into two if(*data_size/2 < buf_size) return -1; @@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, } *data_size = out * sizeof(short); - return buf_size; + return avpkt->size; } #define DPCM_DECODER(id, name, long_name_) \ From b15e85d8207bf644e5fc8837b4fad2ae3f33d021 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 14:12:42 +0200 Subject: [PATCH 12/20] rtpdec_asf: Fix integer underflow that could allow remote code execution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes MSVR-11-0088 Fixes CVE-2011-4031 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer Signed-off-by: Martin Storsjö (cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b) Signed-off-by: Reinhard Tartler --- libavformat/rtpdec_asf.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 287025f377..9d8c87b889 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int cur_len = start_off + len_off - off; int prev_len = out_len; + void *newmem; out_len += cur_len; - asf->buf = av_realloc(asf->buf, out_len); + if (FFMIN(cur_len, len - off) < 0) + return -1; + newmem = av_realloc(asf->buf, out_len); + if (!newmem) + return -1; + asf->buf = newmem; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); From d87997b56f2725dc33ba262d895060a29ba5000d Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 10 Jan 2012 13:07:09 -0800 Subject: [PATCH 13/20] aacsbr: prevent out of bounds memcpy(). Fixes Libav Bug 195. Fixes CVE-2012-0850 This doesn't make the code handle sample rate or upsample/downsample change properly but this is still a good sanity check. Based on change by Michael Niedermayer. Signed-off-by: Alex Converse (cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18) Signed-off-by: Reinhard Tartler --- libavcodec/aacsbr.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 81b0b4c001..0bfcabb06b 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1181,14 +1181,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, { int i, n; const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; + const int step = 128 >> div; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < step) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); - *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); + *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step; } else { - *v_off -= 128 >> div; + *v_off -= step; } v = v0 + *v_off; if (div) { From 75d8cccf0efb95c8a43b2a84f18013600eed877f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:30:49 +0100 Subject: [PATCH 14/20] kmvc: Check palsize. Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer (cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b) (cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c) Signed-off-by: Reinhard Tartler --- libavcodec/kmvc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 033d3d7998..ff83b86ddf 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -33,6 +33,7 @@ #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 #define KMVC_METHOD 0x0F +#define MAX_PALSIZE 256 /* * Decoder context @@ -43,7 +44,7 @@ typedef struct KmvcContext { int setpal; int palsize; - uint32_t pal[256]; + uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; uint8_t *frm0, *frm1; } KmvcContext; @@ -414,6 +415,10 @@ static av_cold int decode_init(AVCodecContext * avctx) c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); + if (c->palsize >= MAX_PALSIZE) { + av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); + return AVERROR_INVALIDDATA; + } } if (avctx->extradata_size == 1036) { // palette in extradata From 628b82294a6f51d0d9c51981d737c70e287e1ba3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 16:12:46 +0000 Subject: [PATCH 15/20] qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles (cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69) Signed-off-by: Derek Buitenhuis Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 184c97dfb6..258a343837 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -881,9 +881,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l break; case 30: - if (BITS_LEFT(length,gb) >= 4) - samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)]; - else + if (BITS_LEFT(length,gb) >= 4) { + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1); + if (index < FF_ARRAY_ELEMS(type30_dequant)) { + samples[0] = type30_dequant[index]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); + } else samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); run = 1; @@ -897,8 +901,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_predictor = samples[0]; type34_first = 0; } else { - samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor; - type34_predictor = samples[0]; + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); + if (index < FF_ARRAY_ELEMS(type34_delta)) { + samples[0] = type34_delta[index] / type34_div + type34_predictor; + type34_predictor = samples[0]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); } } else { samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); From 850298ef2538f02cd4671a4cc5035026b35c7bf5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 26 Jul 2011 12:23:43 +0100 Subject: [PATCH 16/20] x86: fix build with gcc 4.7 The upcoming gcc 4.7 has more advanced constant propagation resulting some inline asm operands becoming constants and thus emitted as literals, sometimes in contexts where this results in invalid instructions. This patch changes the constraints of the relevant operands to "rm" thus forcing a valid type. While obviously suboptimal, this is what older gcc versions already did, and there is no change to the code generated with these. Signed-off-by: Mans Rullgard (cherry picked from commit da4c7cce2100a4e4f9276b4f17e260be47b53f41) Signed-off-by: Derek Buitenhuis --- libavcodec/x86/h264_qpel_mmx.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/h264_qpel_mmx.c b/libavcodec/x86/h264_qpel_mmx.c index 066f794fb6..b322d5c89c 100644 --- a/libavcodec/x86/h264_qpel_mmx.c +++ b/libavcodec/x86/h264_qpel_mmx.c @@ -398,7 +398,7 @@ static av_noinline void OPNAME ## h264_qpel8or16_v_lowpass_ ## MMX(uint8_t *dst, "2: \n\t"\ \ : "+a"(src), "+c"(dst)\ - : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "g"(h)\ + : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "rm"(h)\ : "memory"\ );\ src += 4-(h+5)*srcStride;\ @@ -446,7 +446,7 @@ static av_always_inline void OPNAME ## h264_qpel8or16_hv1_lowpass_ ## MMX(int16_ QPEL_H264HV(%%mm3, %%mm4, %%mm5, %%mm0, %%mm1, %%mm2, 15*48)\ "2: \n\t"\ : "+a"(src)\ - : "c"(tmp), "S"((x86_reg)srcStride), "g"(size)\ + : "c"(tmp), "S"((x86_reg)srcStride), "rm"(size)\ : "memory"\ );\ tmp += 4;\ @@ -823,7 +823,7 @@ static av_noinline void OPNAME ## h264_qpel8or16_v_lowpass_ ## MMX(uint8_t *dst, "2: \n\t"\ \ : "+a"(src), "+c"(dst)\ - : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "g"(h)\ + : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "rm"(h)\ : XMM_CLOBBERS("%xmm0", "%xmm1", "%xmm2", "%xmm3", \ "%xmm4", "%xmm5", "%xmm6", "%xmm7",)\ "memory"\ @@ -878,7 +878,7 @@ static av_always_inline void put_h264_qpel8or16_hv1_lowpass_sse2(int16_t *tmp, u QPEL_H264HV_XMM(%%xmm3, %%xmm4, %%xmm5, %%xmm0, %%xmm1, %%xmm2, 15*48) "2: \n\t" : "+a"(src) - : "c"(tmp), "S"((x86_reg)srcStride), "g"(size) + : "c"(tmp), "S"((x86_reg)srcStride), "rm"(size) : XMM_CLOBBERS("%xmm0", "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5", "%xmm6", "%xmm7",) "memory" From 269dbc53599e588efc6027df634a9d5b9476c3fc Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 10:58:55 -0700 Subject: [PATCH 17/20] png: check bit depth for PAL8/Y400A pixel formats. Wrong bit depth can lead to invalid rowsize values, which crashes the decoder further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7) Signed-off-by: Reinhard Tartler (cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5) Signed-off-by: Reinhard Tartler --- libavcodec/pngdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1268c9e781..aed3d609fd 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -488,9 +488,11 @@ static int decode_frame(AVCodecContext *avctx, } else if (s->bit_depth == 1 && s->color_type == PNG_COLOR_TYPE_GRAY) { avctx->pix_fmt = PIX_FMT_MONOBLACK; - } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = PIX_FMT_PAL8; - } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { avctx->pix_fmt = PIX_FMT_Y400A; } else { goto fail; From 50336dc4f12d629492b236c84b9ea2adead720db Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 4 May 2012 16:06:26 -0700 Subject: [PATCH 18/20] ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c) Signed-off-by: Reinhard Tartler (cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5) Signed-off-by: Reinhard Tartler --- libavformat/electronicarts.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 06689ddfb7..0a6cdd5fd4 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -468,12 +468,17 @@ static int ea_read_packet(AVFormatContext *s, while (!packet_read) { chunk_type = avio_rl32(pb); - chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8; + chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); + if (chunk_size <= 8) + return AVERROR_INVALIDDATA; + chunk_size -= 8; switch (chunk_type) { /* audio data */ case ISNh_TAG: /* header chunk also contains data; skip over the header portion*/ + if (chunk_size < 32) + return AVERROR_INVALIDDATA; avio_skip(pb, 32); chunk_size -= 32; case ISNd_TAG: From ee66a7198eea0ab3aefae0b3de5a17473f4374cf Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jun 2012 19:22:09 +0200 Subject: [PATCH 19/20] Update changelog for 0.7.6 release --- Changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Changelog b/Changelog index 425f6e2b96..f434aa13b5 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,24 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.6: + +Security Updates: + +- vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947) +- h263dec: Disallow width/height changing with frame threads (CVE-2011-3937) +- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852) +- h264: Add check for invalid chroma_format_idc (CVE-2012-0851) +- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951) +- rtpdec_asf: Fix integer underflow that could allow remote code execution (CVE-2011-4031) +- aacsbr: prevent out of bounds memcpy() (CVE-2012-0850) +- kmvc: Check palsize (CVE-2011-3952) + +Further bugfixes in the following codecs: + + ea, png, qdm2, tqi, motionpixels, and a compilation failure with gcc 4.7 + + version 0.7.5: Security updates: From b61e311b0eeabaab8eb05f4e5e5c6c8c9d84f3cf Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jun 2012 19:22:20 +0200 Subject: [PATCH 20/20] Update RELEASE file for 0.7.6 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 8bd6ba8c5c..c006218557 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.5 +0.7.6