From 0eb465f981de014becd4c99c8d6ad4523ad81ad1 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 11 Aug 2013 20:35:40 +0200
Subject: [PATCH 1/5] nuv: check ff_rtjpeg_decode_frame_yuv420 return value
CC: libav-stable@libav.org
(cherry picked from commit 85ac12587bfef970d0e0e4abc292df346daf8478)
Signed-off-by: Luca Barbato
Conflicts: libavcodec/nuv.c
---
 libavcodec/nuv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 9c765a0f64..e253bfbbed 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -156,6 +156,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 int orig_size = buf_size;
 int keyframe;
 int result;
+ int ret;
 enum {
 NUV_UNCOMPRESSED = '0',
 NUV_RTJPEG = '1',
@@ -259,7 +260,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 }
 case NUV_RTJPEG_IN_LZO:
 case NUV_RTJPEG:
- ff_rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+ ret = ff_rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+ if (ret < 0)
+ return ret;
 break;
 case NUV_BLACK:
 memset(c->pic.data[0], 0, c->width * c->height);
From 1e9e311e21074575f1ad29fb35ac135197f4b68d Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Mon, 5 Aug 2013 22:15:24 +0200
Subject: [PATCH 2/5] dv: Add a guard to not overread the ppcm array
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7ee191cab0dc44700f26c5784e2adeb6a779651b)
Signed-off-by: Luca Barbato
Conflicts: libavformat/dv.c
---
 libavformat/dv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/dv.c b/libavformat/dv.c
index 1730972213..ea2805e630 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
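Review bot: In libavcodec/nuv.c, the new early `return ret;` in the NUV_RTJPEG / NUV_RTJPEG_IN_LZO case exits decode_frame after `&c->pic` has already been passed to the RTJPEG decoder, so a picture that failed part-way may stay in the context. If `c->pic` is reused as the base for later frames (not visible in this hunk), that partial data carries over. A short comment would record the intent, for example `/* decode error: propagate it and do not output the partially written picture */`. The first hunk also adds `int ret;` directly beside the existing `int result;`; reusing `result` would avoid two status variables in one function, unless `result` is still needed at that point. decode_frame starts and ends outside both hunks.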
@@ -108,7 +108,7 @@ static const int dv_audio_frequency[3] = {
 * 3. Audio is always returned as 16bit linear samples: 12bit nonlinear samples
 * are converted into 16bit linear ones.
 */
-static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
+static int dv_extract_audio(uint8_t *frame, uint8_t **ppcm,
 const DVprofile *sys)
 {
 int size, chan, i, j, d, of, smpls, freq, quant, half_ch;
@@ -336,7 +336,7 @@ int avpriv_dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
 uint8_t* buf, int buf_size)
 {
 int size, i;
- uint8_t *ppcm[4] = {0};
+ uint8_t *ppcm[5] = { 0 };
 if (buf_size < DV_PROFILE_BYTES ||
 !(c->sys = avpriv_dv_frame_profile(c->sys, buf, buf_size)) ||
From 777bc81a91a476f9e1f81faebfb952b823f13f28 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Wed, 4 Sep 2013 08:55:08 +0200
Subject: [PATCH 3/5] lavf: fix the comparison in an overflow check
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato
(cherry picked from commit 26f027fba1c5ab482fa2488fbe0fa36c8bb33b69)
Signed-off-by: Luca Barbato
---
 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 27d9d06667..4f73dfebef 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1864,7 +1864,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic)
 for(i=0;inb_streams;i++) {
 st = ic->streams[i];
 if (st->codec->bit_rate > 0) {
- if (INT_MAX - st->codec->bit_rate > bit_rate) {
+ if (INT_MAX - st->codec->bit_rate < bit_rate) {
 bit_rate = 0;
 break;
 }
From 007f3f416573f428dab24ef1099ade9f1a0bd5c4 Mon Sep 17 00:00:00 2001
From: Sean McGovern
Date: Mon, 2 Sep 2013 12:22:13 -0400
Subject: [PATCH 4/5] Prepare for 9.9 RELEASE
Signed-off-by: Luca Barbato
---
 RELEASE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RELEASE b/RELEASE
index 021debdfd4..a61a79be6c 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-9.8
+9.9
From 4d073ddac95d789f23c3ee6f7b5348599b39f047 Mon Sep 17 00:00:00 2001
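Review bot: In libavformat/dv.c, the overread guard in avpriv_dv_produce_packet is only the bare literal in `uint8_t *ppcm[5] = { 0 };`, while the first hunk removes the one size hint the prototype had (`uint8_t* ppcm[4]` becomes `uint8_t **ppcm`). Nothing in the new code says that the fifth slot must stay NULL or why. Presumably dv_extract_audio stops on a NULL entry, but its body is outside both hunks, so that should be confirmed. I would state the contract at the declaration, `uint8_t *ppcm[5] = { 0 }; /* 4 channel buffers + NULL terminator relied on by dv_extract_audio() */`, and repeat the requirement in the comment block above dv_extract_audio so that a later caller does not pass an unterminated array.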
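Review bot: In libavformat/utils.c, estimate_timings_from_bit_rate, the corrected test `INT_MAX - st->codec->bit_rate < bit_rate` has no comment, and the inverted form it replaces shows how easily the direction of this idiom is misread. A one-line comment above the `if`, such as `/* adding this stream's bit_rate would overflow int: give up on the estimate */`, would pin the intent. The subtraction itself is safe only because the enclosing `if (st->codec->bit_rate > 0)` guarantees a positive operand, which is worth stating in the same comment. The function continues outside the hunk, so it is not visible here whether the `bit_rate = 0` fallback is logged or otherwise signalled.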
From: Sean McGovern
Date: Mon, 2 Sep 2013 12:22:14 -0400
Subject: [PATCH 5/5] Update Changelog
Signed-off-by: Luca Barbato
---
 Changelog | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
diff --git a/Changelog b/Changelog
index 4cd63c823a..a0b11862b6 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,90 @@
 Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest.
+version 9.9:
+- 4xm: check that bits per sample is strictly positive
+- 4xm: Check that the read track value is non-negative
+- 4xm: Reject not a multiple of 16 dimension
+- 8bps: Bound-check the input buffer
+- aac: Check init_get_bits return value
+- aac: return meaningful errors
+- ac3: Clean up the error paths
+- ac3dec: Don't consume more data than the actual input packet size
+- ac3dec: Increment channel pointers only once per channel
+- ac3: Do not clash with normal AVERROR
+- ac3: Return proper error codes
+- adpcm: Write the correct number of samples for ima-dk4
+- alac: Check that the channels fit at the given offset
+- alac: Limit max_samples_per_frame
+- alsdec: Clean up error paths
+- alsdec: Fix the clipping range
+- ape demuxer: check for EOF in potentially long loops
+- atrac3: Error on impossible encoding/channel combinations
+- atrac3: fix error handling
+- atrac3: set the getbits context the right buffer_end
+- avconv: do not use lavfi direct rendering with -deinterlace
+- avidec: Let the inner dv demuxer take care of discarding
+- avio: Handle AVERROR_EOF in the same way as the return value 0
+- bink: Bound check the quantization matrix.
+- dca: Error out on missing DSYNC
+- dca: Respect the current limits in the downmixing capabilities
+- dsicinav: Bound-check the source buffer when needed
+- dsicinav: Clip the source size to the expected maximum
+- dv: Add a guard to not overread the ppcm array
+- dxa: Make sure the reference frame exists
+- h261: check the mtype index
+- iff: Do not read over the source buffer
+- imc: Catch a division by zero
+- indeo4: Check the quantization matrix index
+- indeo4: Do not access missing reference MV
+- indeo4: Validate scantable dimension
+- indeo5: return proper error codes
+- indeo: Bound-check before applying motion compensation
+- indeo: Bound-check before applying transform
+- indeo: Do not reference mismatched tiles
+- indeo: Reject impossible FRAMETYPE_NULL
+- indeo: Sanitize ff_ivi_init_planes fail paths
+- lavf: avoid integer overflow when estimating bitrate
+- lavf: Make sure avg_frame_rate can be calculated without integer overflow
+- matroskadec: Check that .lang was allocated and set before reading it
+- mjpegb: Detect changing number of planes in interlaced video
+- mlpdec: Do not set invalid context in read_restart_header
+- mov: Do not allow updating the time scale after it has been set
+- mov: Seek back if overreading an individual atom
+- mpegvideo: Avoid 32-bit wrapping of linesize multiplications
+- nuv: check ff_rtjpeg_decode_frame_yuv420 return value
+- nuv: Do not ignore lzo decompression failures
+- nuv: Pad the lzo outbuf
+- nuv: Reset the frame on resize
+- nuv: return meaningful error codes.
+- nuv: Use av_fast_realloc
+- ogg: Always alloc the private context in vorbis_header
+- ogg: Fix potential infinite discard loop
+- oma: check geob tag boundary
+- oma: correctly mark and decrypt partial packets
+- oma: refactor seek function
+- pcm: always use codec->id instead of codec_id
+- pcx: Do not overread source buffer in pcx_rle_decode
+- pictordec: break out of both decoding loops when y drops below 0
+- pictordec: pass correct context to avpriv_request_sample
+- qdm2: check and reset dithering index per channel
+- qdm2: Conceal broken samples
+- qdm2: refactor joined stereo support
+- qdm2: use init_static_data
+- rmdec: Use the AVIOContext given as parameter in rm_read_metadata()
+- rtjpeg: Use init_get_bits8
+- rtmp: Do not misuse memcmp
+- rtmp: rename data_size to size
+- segafilm: Error out on impossible packet size
+- vc1: check mb_height validity.
+- vc1: check the source buffer in vc1_mc functions
+- vcr1: add sanity checks
+- vqavideo: check the version
+- westwood_vqa: do not free extradata on error in read_header
+- wmavoice: conceal clearly corrupted blocks
+- wtv: Mark attachment with a negative stream id
+- xl: Make sure the width is valid
+
 version 9.8:
 - kmvc: Clip pixel position to valid range
 - kmvc: Use fixed sized arrays in the context