Fixes not yet fixed parts of CVE-2011-3946.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (22 commits)
wma: Clip WMA1 and WMA2 frame length to 11 bits.
movenc: Don't require frame_size to be set for modes other than mov
doc: Update APIchanges with info on muxer flushing
movenc: Reindent a block
tools: Remove some unnecessary #undefs.
rv20: prevent calling ff_h263_decode_mba() with unset height/width
tools: K&R reformatting cosmetics
Ignore generated aviocat and ismindex tools.
build: Automatically include architecture-specific library Makefile snippets.
indeo5: prevent null pointer dereference on broken files
pktdumper: Use usleep instead of sleep
cosmetics: Remove some unnecessary block braces.
Drop unnecessary prefix from *sink* variable and struct names.
Add a tool for creating smooth streaming manifests
movdec: Calculate an average bit rate for fragmented streams, too
movenc: Write the sample rate instead of time scale in the stsd atom
movenc: Add a separate ismv/isma (smooth streaming) muxer
movenc: Allow the caller to decide on fragmentation
libavformat: Add a flag for muxers that support write_packet(NULL) for flushing
movenc: Add support for writing fragmented mov files
...
Conflicts:
Changelog
cmdutils.c
cmdutils.h
doc/APIchanges
ffmpeg.c
ffplay.c
libavfilter/Makefile
libavformat/Makefile
libavformat/avformat.h
libavformat/movenc.c
libavformat/movenc.h
libavformat/version.h
tools/graph2dot.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers say that that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.
Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
The field frame_size isn't written to the output anywhere except
than in mov.
This facilitates stream copy from formats that don't set frame_size.
Signed-off-by: Martin Storsjö <martin@martin.st>
Also add some space around operators and wrap a comment
that extends past the 80 char "limit"/guideline.
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes a double release of the current frame on deinit.
Fixes CVE-2011-3934
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The index of the motion vector has to be checked before being
multiplied by 2 for the array index.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
MinGW doesn't have sleep, only _sleep (which is deprecated),
Sleep (which is defined in winbase.h and not in the standard
C headers) and usleep.
Signed-off-by: Martin Storsjö <martin@martin.st>
It can also optionally split the file into individual fragments,
which allows it to be served from any web server without any
server side support.
Signed-off-by: Martin Storsjö <martin@martin.st>