Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6: Release notes and changelog for 0.6.5 Bump version number for 0.6.5 release. vorbis: An additional defense in the Vorbis codec. vorbisdec: Fix decoding bug with channel handling Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
commit
e85296beae
10
Changelog
10
Changelog
@ -1,6 +1,16 @@
|
||||
Entries are sorted chronologically from oldest to youngest within each release,
|
||||
releases are sorted from youngest to oldest.
|
||||
|
||||
version 0.6.5:
|
||||
- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895)
|
||||
- vorbisdec: Fix decoding bug with channel handling.
|
||||
- matroskadec: Fix a bug where a pointer was cached to an array that might
|
||||
later move due to a realloc(). (CVE-2011-3893)
|
||||
- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893)
|
||||
- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892)
|
||||
- vp3: fix streams with non-zero last coefficient.
|
||||
|
||||
|
||||
version 0.6.4:
|
||||
- 4xm: Add a check in decode_i_frame to prevent buffer overreads
|
||||
- wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
|
||||
|
||||
16
RELEASE
16
RELEASE
@ -176,3 +176,19 @@ Sierra VMD decoder CVE-2011-4364, and a safety fix in the svq1 decoder
|
||||
Distributors and system integrators are encouraged
|
||||
to update and share their patches against this branch. For a full list
|
||||
of changes please see the Changelog file.
|
||||
|
||||
|
||||
* 0.6.5
|
||||
|
||||
General notes
|
||||
-------------
|
||||
|
||||
This mostly maintenance-only release that addresses a number a number of
|
||||
bugs such as security and compilation issues that have been brought to
|
||||
our attention. Among other (rather minor) fixes, this release features
|
||||
fixes for the VP3 decoder (CVE-2011-3892), vorbis decoder, and matroska
|
||||
demuxer (CVE-2011-3893 and CVE-2011-3895).
|
||||
|
||||
Distributors and system integrators are encouraged
|
||||
to update and share their patches against this branch. For a full list
|
||||
of changes please see the Changelog file.
|
||||
|
||||
@ -656,7 +656,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc)
|
||||
res_setup->partition_size = get_bits(gb, 24) + 1;
|
||||
/* Validations to prevent a buffer overflow later. */
|
||||
if (res_setup->begin>res_setup->end ||
|
||||
res_setup->end>vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
|
||||
res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||
|
||||
(res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
|
||||
return -1;
|
||||
@ -1262,6 +1262,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
|
||||
uint_fast8_t *do_not_decode,
|
||||
float *vec,
|
||||
uint_fast16_t vlen,
|
||||
unsigned ch_left,
|
||||
int vr_type)
|
||||
{
|
||||
GetBitContext *gb = &vc->gb;
|
||||
@ -1273,6 +1274,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
|
||||
uint_fast8_t ch_used;
|
||||
uint_fast8_t i,j,l;
|
||||
uint_fast16_t k;
|
||||
unsigned max_output = (ch - 1) * vlen;
|
||||
|
||||
if (vr_type == 2) {
|
||||
for (j = 1; j < ch; ++j)
|
||||
@ -1280,8 +1282,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
|
||||
if (do_not_decode[0])
|
||||
return 0;
|
||||
ch_used = 1;
|
||||
max_output += vr->end / ch;
|
||||
} else {
|
||||
ch_used = ch;
|
||||
max_output += vr->end;
|
||||
}
|
||||
|
||||
if (max_output > ch_left * vlen) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
AV_DEBUG(" residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
|
||||
@ -1403,14 +1412,16 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
|
||||
static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr,
|
||||
uint_fast8_t ch,
|
||||
uint_fast8_t *do_not_decode,
|
||||
float *vec, uint_fast16_t vlen)
|
||||
float *vec, uint_fast16_t vlen,
|
||||
unsigned ch_left)
|
||||
|
||||
{
|
||||
if (vr->type == 2)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2);
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
|
||||
else if (vr->type == 1)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1);
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
|
||||
else if (vr->type == 0)
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
|
||||
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
|
||||
else {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
|
||||
return -1;
|
||||
@ -1473,6 +1484,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
|
||||
uint_fast8_t res_num = 0;
|
||||
int_fast16_t retlen = 0;
|
||||
float fadd_bias = vc->add_bias;
|
||||
unsigned ch_left = vc->audio_channels;
|
||||
unsigned vlen;
|
||||
|
||||
if (get_bits1(gb)) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
|
||||
@ -1491,11 +1504,12 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
|
||||
|
||||
blockflag = vc->modes[mode_number].blockflag;
|
||||
blocksize = vc->blocksize[blockflag];
|
||||
vlen = blocksize / 2;
|
||||
if (blockflag)
|
||||
skip_bits(gb, 2); // previous_window, next_window
|
||||
|
||||
memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
|
||||
memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
|
||||
memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
|
||||
memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
|
||||
|
||||
// Decode floor
|
||||
|
||||
@ -1515,7 +1529,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
|
||||
return -1;
|
||||
}
|
||||
no_residue[i] = ret;
|
||||
ch_floor_ptr += blocksize / 2;
|
||||
ch_floor_ptr += vlen;
|
||||
}
|
||||
|
||||
// Nonzero vector propagate
|
||||
@ -1532,6 +1546,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
|
||||
for (i = 0; i < mapping->submaps; ++i) {
|
||||
vorbis_residue *residue;
|
||||
uint_fast8_t ch = 0;
|
||||
int ret;
|
||||
|
||||
for (j = 0; j < vc->audio_channels; ++j) {
|
||||
if ((mapping->submaps == 1) || (i == mapping->mux[j])) {
|
||||
@ -1546,9 +1561,18 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
|
||||
}
|
||||
}
|
||||
residue = &vc->residues[mapping->submap_residue[i]];
|
||||
vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
|
||||
if (ch_left < ch) {
|
||||
av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
|
||||
return -1;
|
||||
}
|
||||
if (ch) {
|
||||
ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
}
|
||||
|
||||
ch_res_ptr += ch * blocksize / 2;
|
||||
ch_res_ptr += ch * vlen;
|
||||
ch_left -= ch;
|
||||
}
|
||||
|
||||
// Inverse coupling
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user