Might fix Ticket1907 (I have no testcase so i cant test)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4758e32a6c48044f77102a49110c79b4f338f648)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.6:
vorbis: Validate that the floor 1 X values contain no duplicates.
lavfi: avfilter_merge_formats: handle case where inputs are same
mpegvideo: Don't use ff_mspel_motion() for vc1
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
nuv: check RTjpeg header for validity
vc1dec: add flush function for WMV9 and VC-1 decoders
mov: set AVCodecContext.width/height for h264
h264: allow cropping to AVCodecContext.width/height
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This is required for correct cropping of files from Canon
cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2fb4be9a99a2c2a9435339830e3d940171cc0d9b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0054d70f23edd1f61a10a1c2c687b3a04831feb9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a3d471e500674c31fa4f52a62ef789d5e7fdbd3c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Metadata currently is written only at the start of the file in normal
cases, when transcoding from a rtmp source metadata could be
written later and the offset recorded can exceed 32bit.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fe3e7297fe56a383baca484dea2c0d603ae305f8)
Conflicts:
libavformat/flvenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents out of bounds reads when extradata is being decoded.
(cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
According to MPEG-TS specs, the continuity_counter shall not be
incremented when the adaptation_field_control of the packet
equals '00' or '10'.
Signed-off-by: Jindrich Makovicka <jindrich.makovicka@nangu.tv>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Supported by mplayer and seen in the wild.
(cherry picked from commit 505345ed5d180093a44da8d70ac541898c31c22f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 23513 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 77d3f1f792c2a0bd455c75b0aa8e356b3a470ea7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8fa630e5081f14bde3fd20f84c90aec)
NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.
Fixes: CVE-2011-3504
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically crafted samples can reinit ogg->streams[] while
reading samples, and thus we should not cache old pointers since
these may no longer be valid.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry-picked from commit 4cc3467e7abfea7e8d03b6af511f7719038a5a98)
As per issue2629, most 23.976fps matroska H.264 files are incorrectly
detected as 24fps, as the matroska timestamps usually have only
millisecond precision.
Fix that by doubling the amount of timestamps inspected for frame rate
for streams that have coarse time base. This also fixes 29.970 detection
in matroska.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 78431098f9e306ebe27e7698d0ae539e3df2afe9)
Tested with mplayer based on this report
http://thread.gmane.org/gmane.comp.video.mplayer.user/66043/focus=66063
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7c152a458d3fb0a2fb1aef1f05bfee90fe70697e)
This improves performance on e.g. seekable http.
backport r24280 by mstorsjo
Originally committed as revision 24335 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
When symbol versioning is enabled, moving symbols from one library to
another breaks binary compatibility. This adds wrappers with the old
version tag for the av_*packet functions recently moved to lavc.
backport r23611 by mru
Originally committed as revision 23613 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
this patch restores binary compatibility for the av_*_packet symbols that have
been moved from libavformat to libavcodec. This patch works for gnu toolchains
only; support for ARM RCVT will be handed in for a later point release as soon
as the patch is ready and approved by the ARM maintainer(s).
Originally committed as revision 23610 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
This isn't exactly semantically equivalent, but the field has already been
long abused to mean this, and writing it helps in determining a decent cfr
time base when transcoding from a mkv where the video codec stores none (VP8).
backport r23284 by conrad
Originally committed as revision 23365 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
It's not required for mkv and unsupported in webm
backport r23247 by conrad
Originally committed as revision 23315 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
