In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.
This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.
Bug-Id: chromium/427266
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 577f1feb3fd1e51fd14af7ce6d79d468faa3b929)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 931f5b235112f1c2a09dead36f0a228061d23942)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 93f919d0b4c4341ccee366c98ac9af813f8fe622)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit 56ac2cbd0464e0146e62c91843e2b1f5e0908504)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/apetag.c
Prevent out of array write.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
(cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 694b7cd873f8b06af109036eff1ccd741afdd28e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/mpegtsenc.c
It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.
I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]
Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.
This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.
[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178
Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.
(cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059)
(cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa)
Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.
Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.
Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Abort if it is invalid if strict error checking has been requested.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/rmdec.c
This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d)
Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron <matthieu.bouron@gmail.com>
Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
CC: libav-stable@libav.org
(cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This avoids setting a negative number of frames, ending up with a
negative average frame rate.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c231987662194d009dd91bfc57c678e0e70ca161)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit c10f3fed259c23e6887f68cdf3e7d4ae87026f65)
If a zero-length video packet is to be returned, just return
AVERROR(EAGAIN) and switch back to the audio stream.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9fc7184d1a9af8d97b3fc5c2ef9d0a647d6617ea)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ad1223d6bcc69e1639951aedcdae40822bf41042)
This avoids a division by zero for G726.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d07aa3f02b73ab1371c13ac7898338380ca0932b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 607863acaec85671f8c2afd81079ae4c605e3468)
This avoids a division by zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 28ff439efd2362fb21e1a78610737f2e26a72d8f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 04d2f9ace3fb6e880f3488770fc5a39de5b63cbb)
Even if the sample rate is valid, an invalid bitrate could
pass the mode combination test below.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 68ff9981283a56c731f00c2ee7901103665092fc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 60701469ab9f526841ae81444236425f87916adb)
This avoids divisions by zero later (and possibly assertions in
time base scaling), since an invalid rate_flag combined with an
invalid bitrate below could pass the mode combination test.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9277050e2918e0a0df9689721a188a604d886616)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 4d60ab62e05decc562645cd6f813f7c9e69637ee)
This avoids divisions by zero later.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 82e266c6d3fbf3cc74e515b883e66543381a0f2c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 5379c5184b9fe9ef06234638f5629d4c80056e04)
Since the number of channels is multiplied by 36 and assigned to
to a uint16_t, make sure this calculation didn't overflow. (In
certain cases the calculation could overflow leaving the
truncated block_align at 0, leading to divisions by zero later.)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 00516b5491fbd99e4057f21eae231fc02cc596e3)
Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + BYTES_PER_FRAME_RECORD won't overflow.
Also factorize other existing error return paths.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0ef1660a6365ce60ead8858936b6f3f8ea862826)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 153deed18bed43d16b272e8681b2a9b988d2682a)
Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 459f2b393a3f89ed08d10fbceb4738d1429f268e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f8a72f041c049e812dfa1f32156327e9778f5710)
The seektable is required for filling in ape->frames[i].pos
further down.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 183b9d843a9533774fabd3984a52f3987001acbc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Seeking in certain broken files would cause ogg_read_timestamp
to fail because ogg_packet would go into a state where all packets
of stream 1 would be discarded until the end of the stream.
Bug-Id: 553
CC: libav-stable@libav.org
Signed-off-by: Jan Gerber <j@v2v.cc>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 9a27acae9e6b7d0bf74c5b878af9c42495a546f3)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/oggdec.c
Incomplete crypted files would lead to a read after buffer boundary
otherwise.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2219e27b5b17d146e4ab71a3ed86dfc013fb7a93)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/omadec.c
