generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
31,928 Commits 24 Branches 241 Tags
Commit Graph

31928 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alex Converse
2744fdbd9e tiffdec: Prevent illegal memory access caused by recycled pointers. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fd0be63049ed46660993d0550a4f0847a0b942ea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:30:55 +01:00
Ronald S. Bultje
1fcc2c6091 wma: fix off-by-one in array bounds check. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b4bccf3e4e58f6fe58043791ca09db01a4343fac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:30:39 +01:00
Ronald S. Bultje
74871ac70a dv: check buffer size before reading profile. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e97efecec82ca8458a9bbd75a91ebf556abde362)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:30:21 +01:00
Ronald S. Bultje
9cb7f6e54a raw: move buffer size check up. 
This way, it protects against overreads for 4bpp/2bpp content also.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cc5dd632cecc5114717d0b90f8c2be162b1c6ee8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:23:58 +01:00
Ronald S. Bultje
ed6aaf579d dca: prevent accessing static arrays with invalid indexes. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e6ffd997cbc06426e75d3fa291b991866c84a79b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:22:32 +01:00
Ronald S. Bultje
e1b4614ab4 lpcm: fix sample size calculation for 20bit LCPM. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f1320dc3bed281bb2f3c5531c52b6a6246e2394a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:12:00 +01:00
Ronald S. Bultje
c3bf08d04c smacker: error out if palette copy-with-offset overruns palette size. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-13 23:12:00 +01:00
Ronald S. Bultje
12247a13e0 Don't use ff_cropTbl[] for IDCT. 
Results of IDCT can by far outreach the range of ff_cropTbl[], leading
to overreads and potentially crashes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c23acbaed40101c677dfcfbbfe0d2c230a8e8f44)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-08 22:07:55 +01:00
Ronald S. Bultje
7503861b42 swscale: make filterPos 32bit. 
Fixes overflows for large image sizes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2254b559cbcfc0418135f09add37c0a5866b1981)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-08 22:07:55 +01:00
Ronald S. Bultje
9def2f200e error_resilience: initialize s->block_index[]. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6193ff68549ecbaf1a4d63a0e06964ec580ac620)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-08 22:07:55 +01:00
Ronald S. Bultje
7b676935ee svq3: protect against negative quantizers. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 11b940a1a8e7e5d5b212935a3ce78aeda577f5f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-08 22:07:55 +01:00
Reinhard Tartler
9550c63196 Prepare for 0.8.1 Release 2012-03-08 22:07:54 +01:00
Justin Ruggles
4a15240a27 mov: set channel layout for AC-3 streams based on the 'dac3' atom info 
fixes Bug 225
(cherry picked from commit 3798205a77ce275613098ecb48645e6029811f14)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-08 22:07:54 +01:00
Janne Grunau
a47b96bdd3 rv34: handle size changes during frame multithreading 
Factors all context dynamic memory handling to its own functions.
Fixes bug 220.
(cherry picked from commit 2bd730010da24d035639586bb13862abe36cc1b8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-08 22:07:54 +01:00
Alex Converse
fb049da952 mov: Add more HDV and XDCAM FourCCs. 
Reference: VLC
(cherry picked from commit b142496c5630b9bc88fb9eaccae7f6bd62fb23e7)
 2012-03-06 15:31:49 -08:00
Alex Converse
4a325ddeae mov: Add support for MPEG2 HDV 720p24 (hdv4) 
(cherry picked from commit 0ad522afb3a3b3d22402ecb82dd4609f7655031b)
 2012-03-06 15:31:41 -08:00
Alex Converse
48ac765efe rv10/20: Fix slice overflow with checked bitstream reader. 
(cherry picked from commit 9243ec4a508c81a621e941bb7e012e2d45d93659)
 2012-03-06 15:31:23 -08:00
Michael Niedermayer
522645e38f h263dec: Disallow width/height changing with frame threads. 
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Alex Converse <alex.converse@gmail.com>
 2012-03-06 15:28:01 -08:00
Alex Converse
e891ee4bf6 adpcm: Clip step_index values read from the bitstream at the beginning of each frame. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit bbeb29133b55b7256d18f5aaab8b5c8e919a173a)
 2012-03-06 15:28:01 -08:00
Alex Converse
ef673211e7 tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. 
TIFF v6.0 (unimplemented) adds signed equivalents.
(cherry picked from commit e32548d1331ce05a054f1028fcdda8823a4f215a)
 2012-03-06 15:28:01 -08:00
Alex Converse
eaeaeb265f dpcm: ignore extra unpaired bytes in stereo streams. 
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
 2012-03-06 15:28:01 -08:00
Alex Converse
db315c796d svq3: Prevent illegal reads while parsing extradata. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba)
 2012-03-06 15:28:01 -08:00
Alex Converse
035dd77cbb dv: Fix small overread in audio frequency table. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924457cb4fd81897bd39ab3cc5b699588)
 2012-03-06 15:28:01 -08:00
Michael Niedermayer
e3743869e9 ac3dec: Move center and surround mix level tables to the parser. 
That way all mix levels as exported by avpriv_ac3_parse_header()
will have the same meaning.

Previously the 3-bit center mix level for E-AC-3 was used to index in a
4-entry table, leading to out-of-array reads.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e6d9fa66f12cf5a3024c9bc7c4c608f7fc59207e)
 2012-03-06 15:28:01 -08:00
Alex Converse
ce14f00dea movdec: Avoid av_malloc(0) in stss 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 29a20ac4a19df5acc0eef306ca5a737778a31358)
 2012-03-06 15:28:01 -08:00
Mans Rullgard
627f4621f5 ac3: Do not read past the end of ff_ac3_band_start_tab. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 034b03e7a0e8e4f8f66c82b736f2c0aa7c063ec0)
 2012-03-06 15:28:01 -08:00
Alex Converse
3e8434bcea dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. 
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
 2012-03-06 15:28:01 -08:00
Michael Niedermayer
efd30c4d95 dv: Fix null pointer dereference due to ach=0 
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
 2012-03-06 15:28:00 -08:00
Michael Niedermayer
d7fddc97d4 dv: check stype 
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
 2012-03-06 15:28:00 -08:00
Dale Curtis
feed0c6b6a mpegaudiodec: Prevent premature clipping of mp3 input buffer. 
Instead of clipping extrasize based on EXTRABYTES, clip based on the
amount of buffer actually left. Without this fix, there are warbles
and other distortions in the test case below.

http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3
(cherry picked from commit b7165426917f91ebcad84bdff366824f03b32bfe)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
 2012-03-06 15:28:00 -08:00
Alex Converse
d0e53ecff7 mp3dec: Fix a heap-buffer-overflow 
In some cases, what is left to read from ptr is smaller than EXTRABYTES.

Based on a patch by Thierry Foucu <tfoucu@gmail.com>.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit f372ce119bd2458fa0b4ddfb2af3a36621df99f7)
 2012-03-06 15:28:00 -08:00
Alex Converse
1ca84aa162 mpeg12: Pad framerate tab to 16 entries. 
There are many places where we read an unchecked 4-bit index into it.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit dfa37fe8a3d9243dd339d94befa065e2c90b29e6)
 2012-03-06 15:28:00 -08:00
Michael Niedermayer
d5f2382d03 kgv1dec: Increase offsets array size so it is large enough. 
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b)
 2012-03-06 15:28:00 -08:00
Alex Converse
416849f2e0 kmvc: Check palsize. 
Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
 2012-03-06 15:28:00 -08:00
Alex Converse
dd37038ac7 nsvdec: Propagate errors 
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)

Conflicts:

	libavformat/nsvdec.c
 2012-03-06 15:28:00 -08:00
Alex Converse
e410dd1792 nsvdec: Be more careful with av_malloc(). 
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)
 2012-03-06 15:28:00 -08:00
Michael Niedermayer
ffdc41f039 nsvdec: Fix use of uninitialized streams. 
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
 2012-03-06 15:28:00 -08:00
Martin Storsjö
ca7e97bdcf g722: Fix the QMF scaling 
This fixes clipping if the encoder input used the full 16 bit
input range (samples with a magnitude below 16383 worked fine).
The filtered subband samples should be 15 bit maximum, while
the code earlier produced them scaled to 16 bit.

This makes the decoder output have double the magnitude
compared to before.

The spec reference samples doesn't test the QMF at all, which
was why this part slipped past initially.

(cherry picked from commit b087ce2bee81db8cc5caffb8f0a4f6c7c92a30fe)

Signed-off-by: Martin Storsjö <martin@martin.st>
 2012-03-06 15:45:30 +02:00
Justin Ruggles
4ae138cb12 ac3dsp: do not use pshufb in ac3_extract_exponents_ssse3() 
We need to do unsigned saturation in order to cover the corner case when the
absolute coefficient value is 16777215 (the maximum value).

Fixes Bug #216
(cherry picked from commit d483bb58c318b0a6152709cf28263d72200b98f9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-06 13:55:35 +01:00
Fabian Greffrath
003f7e3dd0 Fix format string vulnerability detected by -Wformat-security. 
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit c9dbac36ad4bac07f6c1d06d465e361ab55bcb95)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-05 18:01:37 +01:00
Ronald S. Bultje
85eb76a23f h264: fix mmxext chroma deblock to use correct TC values. 
(cherry picked from commit b0c4f04338234ee011d7b704621347ef232294fe)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-05 18:00:43 +01:00
Ronald S. Bultje
5186984ee9 h264: change underread for 10bit QPEL to overread. 
This prevents us from reading before the start of the buffer, and thus
prevents crashes resulting from this behaviour. Fixes bug 237.
(cherry picked from commit 291c9b62855d555ac5385e23219461b6080da7db)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-05 18:00:31 +01:00
Ronald S. Bultje
b5331b979b cscd: use negative error values to indicate decode_init() failures. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-05 14:48:35 +01:00
Vitor Sessak
11f3173e1b amrnbdec: check frame size before decoding. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-05 14:48:35 +01:00
Ronald S. Bultje
cd17195d1c h264: prevent overreads in intra PCM decoding. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d1604b3de96575195b219028e2c4f08b2259aa7d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-05 14:48:35 +01:00
Justin Ruggles
1128b10247 wmaenc: fix m/s stereo encoding for the first frame 
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.

CC:libav-stable@libav.org
(cherry picked from commit 51ddf35c9017018e58c15275ff5b129647a0c94d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-04 21:26:29 +01:00
Justin Ruggles
6a073aa7a7 wmaenc: limit allowed sample rate to 48kHz 
ff_wma_init() allows up to 50kHz, but this generates an exponent band
size table that requires 65 bands. The code assumes 25 bands in many
places, and using sample rates higher than 48kHz will lead to buffer
overwrites.

CC:libav-stable@libav.org
(cherry picked from commit 1ec075cfecac01f9a289965db06f76365b0b1737)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-04 21:26:29 +01:00
Justin Ruggles
073891e875 wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE 
This is near the theoretical limit for wma frame size and is the most that
our decoder can handle. Allowing higher bit rates will just end up padding
each frame with empty bytes.

Fixes invalid writes for avconv when using very high bit rates.

CC:libav-stable@libav.org
(cherry picked from commit c2b8dea1828f35c808adcf12615893d5c740bc0a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-04 21:26:29 +01:00
Justin Ruggles
2e341bc99a wmaenc: require a large enough output buffer to prevent overwrites 
The maximum theoretical frame size is around 17000 bytes. Although in
practice it will generally be much smaller, we require a larger buffer
just to be safe.

CC: libav-stable@libav.org
(cherry picked from commit dfc4fdedf8cfc56a505579b1f2c1c5efbce4b97e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-04 21:26:29 +01:00
Alex Converse
b7c8fff803 mpegts: Do not call read_sl_header() when no bytes remain in the buffer. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4df369692ea8aee7094ac0f233cef8d1bee139a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-04 21:26:29 +01:00