generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
31,997 Commits 24 Branches 241 Tags
Commit Graph

31997 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Michael Niedermayer
5836110018 h263dec: Disallow width/height changing with frame threads. 
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-22 21:51:58 +02:00
Reinhard Tartler
43e5fda45c Update Changelog for the 0.8.2 Release 2012-05-04 22:59:01 +02:00
Reinhard Tartler
a638e10ba0 Prepare for 0.8.2 Release 2012-05-04 22:40:37 +02:00
Mans Rullgard
d5207e2af8 vqavideo: return error if image size is not a multiple of block size 
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:14:26 +02:00
Alex Converse
9ea94c44b1 celp filters: Do not read earlier than the start of the 'out' vector. 
CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Alex Converse
aaa6a66677 motionpixels: Clip YUV values after applying a gradient. 
Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
7240cc3f8b jpeg: handle progressive in second field of interlaced. 
Progressive data is allocated later in decode_sof(), not allocating
that data leads to NULL dereferences.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
7fe4c8cb76 h263: more strictly forbid frame size changes with frame-mt. 
Prevents crashes because the old check was incomplete.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
746f1594d7 h264: additional protection against unsupported size/bitdepth changes. 
Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)

Conflicts:

	libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
0e4bb0530f tta: prevents overflows for 32bit integers in header. 
This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 21:28:45 +02:00
Paul B Mahol
994c0efcc7 ttadec: CRC checking 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 21:28:35 +02:00
Paul B Mahol
cf5e119d4a tta: use skip_bits_long() 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 21:28:28 +02:00
Michael Niedermayer
e8050f313e apedec: check bits <= 32. 
Fixes a floating-point exception further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
be424d86a8 truemotion: forbid invalid VLC bitsizes and token values. 
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.

This prevents crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
a08cb950b2 mov: don't overwrite existing indexes. 
Prevents all kind of badness if files contain multiple
indexes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
46f8bbfc6d truemotion2: handle out-of-frame motion vectors through edge extension. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
562c6a7bf1 lzw: prevent buffer overreads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
e711ccee4d truemotion2: convert packet header reading to bytestream2. 
Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
d6372e80fe lagarith: fix buffer overreads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
29d91e9161 raw: forward avpicture_fill() error code in raw_decode(). 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Mashiat Sarker Shakkhar
583f57f04a vc1: Do not read from array if index is invalid. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Ronald S. Bultje
f8f6c14f54 utvideo: port header reading to bytestream2. 
Fixes crash during slice size reading if slice_end goes negative.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Paul B Mahol
9e24f2a1f0 bytestream: add more unchecked variants for bytestream2 API 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Aneesh Dogra
e788c6e9cb bytestream: K&R formatting cosmetics 
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Aneesh Dogra
2e681cf50f bytestream: Add bytestream2 writing API. 
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Alex Converse
9ddd3abe78 aac: Reset PS parameters on header decode failure. 
If the next header frame codes zero envelopes the previous frame's
values will be used. Consequently the invalid values must be cleared.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Alex Converse
86bd0244ec mov: Do not read past the end of the ctts_data table. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Alex Converse
15de658c04 xwma: Validate channels and bits_per_coded_sample. 
This prevents a SIGFPE later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Ronald S. Bultje
19d3f7d8ac asf: reset side data elements on packet copy. 
Prevents crash (double free) when free()ing the original packet.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Ronald S. Bultje
c21b858b27 vqa: check palette chunk size before reading data. 
Prevents overreads beyond buffer boundaries.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Paul B Mahol
0b9bb581fd vqavideo: port to bytestream2 API 
Protects against overreads.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
105601c151 wmavoice: fix stack overread. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
3a4949aa50 indeo4: fix out-of-bounds function call. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 68fd077f68bdde864bb7328d72a040849c616261)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Reinhard Tartler
ec554ee747 Read preset files with suffix .avpreset 
The preset files have been renamed some time ago.

CC: libav-stable@libav.org
(cherry picked from commit 050dc127787e91d8ee4b341046c74fe6e74e3285)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
bf3998d71e mimic: don't use self as reference, and report completion at end of decode(). 
Fixes hangs on corrupt samples that reference self-frames.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 80387f0e2568746dce4a68e2217297029a053dae)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
87208b8fc4 mpeg4: report frame decoding completion at ff_MPV_frame_end(). 
Prevents hangs on corrupt input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2)

Conflicts:

	libavcodec/mpegvideo.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Anton Khirnov
989431c02f id3v2: fix skipping extended header in id3v2.4 
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-04-01 19:30:21 +02:00
Reinhard Tartler
5effcfa767 Update Changelog for the 0.8.1 Release 2012-03-15 08:58:14 +01:00
Kostya Shishkov
1ee0cd1ad7 dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
 2012-03-14 23:32:15 +01:00
Ronald S. Bultje
b594732475 dca: don't use av_clip_uintp2(). 
The argument is not a literal, thus causing the ARM v6 or later
builds to break.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
 2012-03-14 23:30:19 +01:00
Michael Niedermayer
ce15406e78 snow: check reference frame indices. 
Fixes NULL ptr dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 1f8ff2b13cbfef790385818664ed12e763e7c75b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:35:09 +01:00
Michael Niedermayer
c9e95636a8 snow: reject unsupported chroma shifts. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit c9837954e7b968d44f82e7cdb7618e9f523b196c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:34:55 +01:00
Ronald S. Bultje
6e5c07f4c8 xa_adpcm: limit filter to prevent xa_adpcm_table[] array bounds overruns. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 86020073dbb9a3a9d1fbb76345b2ca29ba1f13d2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:34:36 +01:00
Ronald S. Bultje
c999a8ed65 h264: increase reference poc list from 16 to 32. 
Interlaced images can have 32 references (16 per field), so limiting the
array size to 16 leads to invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 48cbe4b092113eae0b3e5d6a08b59027f913a884)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:34:13 +01:00
Ronald S. Bultje
4d343a6f47 h264: stricter reference limit enforcement. 
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d0e0fab094a9c886b0e0f0f662df1ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:33:15 +01:00
Michael Niedermayer
a81a6d9c80 h264: improve parsing of broken AVC SPS 
Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams
with broken escaping. Since the size of the NAL unit is known and
checked against the buffer end we can parse it entirely without buffer
overreads.

Fixes playback of
http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3aa661ec561d7a20812b84b353b0d7855ac346c8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:27:22 +01:00
Alex Converse
48f0eeb2e5 Replace computations of remaining bits with calls to get_bits_left(). 
(cherry picked from commit 3574a85ce57366ba7429edef93d5cad8640fb68c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:27:16 +01:00
Ronald S. Bultje
d26e47bf6c png: convert to bytestream2 API. 
Protects against overreads in the input buffer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4c25269cedd042abcb823c42d33609564861c374)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:14:28 +01:00
Ronald S. Bultje
568a474a08 roqvideo: convert to bytestream2 API. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cdf15771621bce7959b3e53b21426c5ba747e17b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:09:40 +01:00
Ronald S. Bultje
9a66cdbc16 smc: port to bytestream2 API. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8febcb9fc178926687ee19d32d2b3150da899867)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:09:28 +01:00