24248 Commits

Author SHA1 Message Date
Justin Ruggles
46d9022859 shorten: check for realloc failure
(cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a207a2fecc6a77735ab0cf209fdba0b4dd942a86)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Laurent Aimar
58b3f439cc shorten: Fix out of bound writes in fix_bitshift()
The data pointers s->decoded[*] already take into account s->nwrap.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 5f05cf4ea9aaafed8edcabe785c2719786103ec1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 737bea21b6c2c1d4dca0b7b18824c0a3205556d2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Laurent Aimar
8f924ee66f shorten: Prevent block size from increasing
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 95010d18b2d808db9a49377e41bc2f7cf4dfa03e)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 22949c42edf5352c5fa8c43870efe20698432b35)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Måns Rullgård
40cb7b3b49 shorten: remove VLA and check for buffer overflow
Originally committed as revision 23798 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 02591641f88097aec2a573f0ae384c8b87bcfe3b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Janne Grunau
15c819e23f adpcm: ADPCM Electronic Arts has always two channels
Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Adresses CVE-2012-0852

(cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716)

Conflicts:

	libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b581580bd1cc8506befa65b0a5c9ae429240f21f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Alexander Strange
7a5fbe4034 h264: Add check for invalid chroma_format_idc
Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c5f7c755cfccd7aa01010a2d566104c2b0fa6d86)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Alex Converse
32b73701c7 aacsbr: prevent out of bounds memcpy().
Fixes Libav Bug 195.
Fixes CVE-2012-0850

This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.

Based on change by Michael Niedermayer.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 01804cc91ab231ac79092eee21325d7644357975)

Conflicts:

	libavcodec/aacsbr.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Alex Converse
212217504a dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Mans Rullgard
e02249b130 vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Alex Converse
bf0ec375ef celp filters: Do not read earlier than the start of the 'out' vector.
CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9ea94c44b1b414ab3bc6e9220ebb77621423ca38)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 08c81f7365af96c1655767e68d6ec85bea50600c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Alex Converse
e9c9707316 motionpixels: Clip YUV values after applying a gradient.
Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Janne Grunau
5933af562e motionpixels: decode only the 111 complete frames for fate
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c2f2dfb3dd20e036b8b08c0fd1486a3044e8f02a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 90d7146511db0e2dd2d2b1baf2ceb7177b30dd8d)

Conflicts:

	tests/fate.mak
	tests/ref/fate/motionpixels

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Michael Niedermayer
1156f07c6a kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b)
(cherry picked from commit d5f2382d0389ed47a566ea536887af908bf9b14f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a0b65938b7cf37680a4ce0667444a217a151c551)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:43:06 +02:00
Alex Converse
6ca010f209 mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:43:06 +02:00
Michael Niedermayer
224025d852 atrac3: Fix crash in tonal component decoding.
Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:43:06 +02:00
Alex Converse
a8f4db0acd dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00fa6ffe1a0b252d6a81815e51f125225cd0b97a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Michael Niedermayer
b46141b0d1 dv: Fix null pointer dereference due to ach=0
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 44e182d41e3a73548f3f5e8445ec428d3846e6d6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Michael Niedermayer
38421f27b3 dv: check stype
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bb737d381f6d6413899a0697f426fb082eac66fc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Alex Converse
3253dd2b42 nsvdec: Propagate errors
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Alex Converse
87007519c8 nsvdec: Be more careful with av_malloc().
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Michael Niedermayer
1edf848a81 nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
ami_stuff
b56606e6bc Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent.
Fixes an AAC decoding issue with the sample from ticket #213 on machines
with SSE but without SSE2.
Based on 89411a by Reimar.

(cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928)
2012-04-04 09:10:25 +02:00
Michael Niedermayer
113ca1b8db Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6:
  id3v2: fix skipping extended header in id3v2.4

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-04-02 02:19:17 +02:00
Anton Khirnov
f70c720d42 id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)

Conflicts:

	libavformat/id3v2.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-04-01 19:35:11 +02:00
Michael Niedermayer
1014e20492 atrac3: Fix crash in tonal component decoding.
Fixes Ticket780
Bug Found by: cosminamironesei

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
n0.6.5
2012-01-12 22:10:33 +01:00
Michael Niedermayer
431cf16963 h264: check chroma_format_idc range.
Fixes Ticket758
Bug found by: Diana Elena Muscalu

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-12 22:09:56 +01:00
Michael Niedermayer
e85296beae Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6:
  Release notes and changelog for 0.6.5
  Bump version number for 0.6.5 release.
  vorbis: An additional defense in the Vorbis codec.
  vorbisdec: Fix decoding bug with channel handling

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-12 22:06:50 +01:00
Reinhard Tartler
62c4739348 Release notes and changelog for 0.6.5 2012-01-10 21:17:30 +01:00
Reinhard Tartler
7efa13b4b4 Bump version number for 0.6.5 release. 2012-01-10 21:02:32 +01:00
Chris Evans
a5e0afe3c9 vorbis: An additional defense in the Vorbis codec.
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3)

Conflicts:

	libavcodec/vorbis_dec.c
2012-01-08 09:29:16 +01:00
Reinhard Tartler
42f0a66968 vorbisdec: Fix decoding bug with channel handling
Fixes Bug: #191
Chromium Bug: #101458
CVE-2011-3895

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 97f23c72a3815739ab28e297ce60f943349f6939)

Conflicts:

	libavcodec/vorbis_dec.c
2012-01-08 09:24:13 +01:00
Michael Niedermayer
f1c9dbe40b Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6:
  matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
  vorbis: Avoid some out-of-bounds reads
  vp3: fix streams with non-zero last coefficient
  vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-08 05:13:49 +01:00
Michael Niedermayer
b945f558c7 vp3: fix regression with mplayer-crash.ogv
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a2a12e3358c3bbdc0246ffc94973e58eba50ee30)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-08 05:13:32 +01:00
Chris Evans
90a4a46747 matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1f625431e2bb9564760fba3ab8077ae07ce7c7a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 22:03:48 +01:00
Chris Evans
6d6254ba9f vorbis: Avoid some out-of-bounds reads
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 22:03:34 +01:00
Janne Grunau
ae24b5ce3a vp3: fix streams with non-zero last coefficient
Fixes a regression introduced in 8b94df0f2047e972.
(cherry picked from commit 9b4767e4784577f3107730316fe652ccaccd9b3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 82a11fcff24d9827070d77f1a3c6ba5d4dc12984)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 21:33:24 +01:00
Ronald S. Bultje
c9c7db0af2 vp3: fix oob read for negative tokens and memleaks on error.
(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)

Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892

Removed the parts that are related to multi-threading, which is not
included before 0.7.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)

Conflicts:

	libavcodec/vp3.c
2012-01-07 09:35:15 +01:00
Michael Niedermayer
e1a2bcbec8 h264: fix init of topleft ref/mv.
Fixes Ticket778

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 680880c98db2817437e19c3fc7f6349261bbbbb0)
2011-12-28 02:20:09 +01:00
Michael Niedermayer
d32ea79ea2 Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6:
  Release notes and changelog for 0.6.4

Conflicts:
	Changelog

Merged-by: Michael Niedermayer <michaelni@gmx.at>
n0.6.4
2011-12-25 20:11:09 +01:00
Reinhard Tartler
6b156c4563 Release notes and changelog for 0.6.4 2011-12-25 10:03:08 +01:00
Michael Niedermayer
57eb787ed3 Merge remote-tracking branch 'qatar/release/0.6' into release/0.6
* qatar/release/0.6: (58 commits)
  Bump version number for 0.6.4 release.
  qdm2: check output buffer size before decoding
  Fix qdm2 decoder packet handling to match the api
  4xm: Add a check in decode_i_frame to prevent buffer overreads
  wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
  swscale: #include "libavutil/mathematics.h"
  vp3dec: Check coefficient index in vp3_dequant()
  svq1dec: call avcodec_set_dimensions() after dimensions changed.
  vp6: Fix illegal read.
  vp6: Fix illegal read.
  vp6: Reset the internal state when aborting key frames header parsing
  vp6: Check for huffman tree build errors
  vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
  Fix out of bound reads in the QDM2 decoder.
  Check for out of bound writes in the QDM2 decoder.
  vmd: fix segfaults on corruped streams
  rv34: Check for invalid slice offsets
  rv34: Fix potential overreads
  rv34: Avoid NULL dereference on corrupted bitstream
  rv10: Reject slices that does not have the same type as the first one
  ...

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2011-12-25 01:24:40 +01:00
Reinhard Tartler
dbe7e209df Bump version number for 0.6.4 release. 2011-12-24 15:59:10 +01:00
Justin Ruggles
cfb9b47a1e qdm2: check output buffer size before decoding
(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 73472053516f82b7d273a3d42c583f894077a191)

Conflicts:

	libavcodec/qdm2.c
2011-12-24 15:57:17 +01:00
Baptiste Coudurier
b26c1a8b7e Fix qdm2 decoder packet handling to match the api
Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
2011-12-24 15:54:51 +01:00
Shitiz Garg
ccd2ca0246 4xm: Add a check in decode_i_frame to prevent buffer overreads
Fixes bugzilla #135

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Justin Ruggles
92b964969b wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.

Fixes Bug 81.
(cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8dba5608dcf76032d8a9aa4bd8a3fc1392682281)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Reinhard Tartler
ca87ec53e9 swscale: #include "libavutil/mathematics.h"
this file uses the M_PI macro since
4e74187db2f5db52f88729efc662df9d6bc763e1, so include the correct header
directly.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry picked from commit 5089ce1b5abe2ecbbfd7235aeb0ad47ba38305c1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 851098c9e004b2ce294b687cb18633b038dcc3fe)

Conflicts:

	libswscale/utils.c
2011-12-24 15:47:57 +01:00
Reinhard Tartler
bd071de29a vp3dec: Check coefficient index in vp3_dequant()
Based on a patch by Michael Niedermayer <michaelni@gmx.at>

Fixes NGS00145, CVE-2011-4352

Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bba709214a51ffd665a67404d3beb3727bb3f319)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Michael Niedermayer
8ddc0b491d svq1dec: call avcodec_set_dimensions() after dimensions changed.
Fixes NGS00148, CVE-2011-4579

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

(cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0eca0da06e40b73af495cc05fbcfaa030fcf78ea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Thierry Foucu
94aacaf508 vp6: Fix illegal read.
Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ba4b08b78918f399f9c9524750b26e904d146078)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00