Commit Graph

37361 Commits

Author SHA1 Message Date
Alex Converse
b57d262412 mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
2012-01-26 15:47:36 -08:00
Diego Biurrun
299ab0fd17 libavutil: Remove pointless file test program. 2012-01-26 22:44:37 +01:00
Paul B Mahol
324e818093 8bps: K&R formatting cosmetics
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2012-01-26 22:44:37 +01:00
Alex Converse
a8ae00b68c qdm2: Check data block size for bytes to bits overflow.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
(cherry picked from commit dac56d9ce0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 22:28:25 +01:00
Martin Storsjö
b9e79a3f4e ismindex: Fix build on mingw
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8801fac365)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 22:25:29 +01:00
Michael Niedermayer
33c21378a8 Changelog: remove duplicate lines
Found-by: durandal_1707
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 22:18:51 +01:00
Michael Niedermayer
5ce1b214eb RELEASE_NOTES: update for 0.10
remove minor things and things that we had in many previous releases
already.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 21:59:09 +01:00
Michael Niedermayer
32281d309a Changelog: update for 0.10
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 21:33:51 +01:00
Michael Niedermayer
88d84dd8ea dv: Fix out of array read
Fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 20:10:26 +01:00
Michael Niedermayer
8847561f93 mov: Fix seeking regression in fragemnted movs.
Regression introduced in 550f7c43ec

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 20:10:25 +01:00
Michael Niedermayer
22eef8d738 snowenc: dont crash with gray but exit with an error msg.
Fixes Ticket839

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 20:05:15 +01:00
Michael Niedermayer
9decfc17bb h264_sei: Fix infinite loop.
Fixes not yet fixed parts of CVE-2011-3946.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 19:54:38 +01:00
Michael Niedermayer
fe0089a6ed ffmpeg: fix -qscale X breaking audio codecs
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 19:54:38 +01:00
Alex Converse
9adf25c1cf smacker: Sanity check huffman tables found in the headers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
2012-01-26 10:18:00 -08:00
Alex Converse
90c0c83e14 smacker: remove dead store 2012-01-26 10:17:04 -08:00
Alex Converse
dac56d9ce0 qdm2: Check data block size for bytes to bits overflow.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
2012-01-26 10:17:04 -08:00
Michael Niedermayer
7ed6b1a128 mpeg1videoenc: disable slice threads
It doesnt work (and as far as i tested also didnt in the past)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 18:45:46 +01:00
Michael Niedermayer
70dba1e3c8 kvmc: Check palsize.
Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 17:30:49 +01:00
Michael Niedermayer
1860c66c54 matroskadec: increase padding on several more extradata allocations.
Inspired by: 5af569aa30 by alex
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 17:23:41 +01:00
Alex Converse
5af569aa30 matroskadec: Pad AAC extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
(cherry picked from commit d2ee8c1779)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 17:16:33 +01:00
Michael Niedermayer
92115bb685 dpcm: Round output buffer size up.
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 17:05:57 +01:00
Michael Niedermayer
ddf0c1d86a diracdec: Check num_refs.
Fixes: CVE-2011-3950

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 17:05:57 +01:00
Michael Niedermayer
e2291ea153 diracdec: Check dirac_unpack_idwt_params parameters before storing them.
Fixes CVE-2011-3949

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 17:05:57 +01:00
Tomas Härdin
62271c4c9a mxfdec: Fix files with essence containers larger than 2 GiB.
For such files, accumulating into an int would cause an overflow.

Signed-off-by: Diego Biurrun <diego@biurrun.de>
2012-01-26 15:47:50 +01:00
Jean First
4fbd3e89e7 mxfdec: Employ correct printf conversion specifiers for POSIX int types.
Signed-off-by: Jean First <jeanfirst@gmail.com>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2012-01-26 15:31:55 +01:00
Hendrik Leppkes
feaa40020b vc1: always read the bfraction element for interlaced fields
Previously, it would not be read if refdist_flag was not set, however
according to the spec and the reference decoder, it should always be read.

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
2012-01-26 15:19:27 +01:00
Clément Bœsch
ee0cab7721 doc: remove trailing 's' to metadata.
metadata is already plural.

Found-by: Alexander Strasser
2012-01-26 13:06:22 +01:00
Michael Niedermayer
46095f427e mp3dec: Check for memcpy size to be positive.
No, ive no testcase.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 03:30:46 +01:00
Thierry Foucu
10e9d1f76b Fix a heap-buffer-overflow
In some case, what left to read from ptr is smaller than EXTRABYTES.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 03:28:12 +01:00
Michael Niedermayer
3c5fe5b527 Merge remote-tracking branch 'qatar/master'
* qatar/master: (22 commits)
  wma: Clip WMA1 and WMA2 frame length to 11 bits.
  movenc: Don't require frame_size to be set for modes other than mov
  doc: Update APIchanges with info on muxer flushing
  movenc: Reindent a block
  tools: Remove some unnecessary #undefs.
  rv20: prevent calling ff_h263_decode_mba() with unset height/width
  tools: K&R reformatting cosmetics
  Ignore generated aviocat and ismindex tools.
  build: Automatically include architecture-specific library Makefile snippets.
  indeo5: prevent null pointer dereference on broken files
  pktdumper: Use usleep instead of sleep
  cosmetics: Remove some unnecessary block braces.
  Drop unnecessary prefix from *sink* variable and struct names.
  Add a tool for creating smooth streaming manifests
  movdec: Calculate an average bit rate for fragmented streams, too
  movenc: Write the sample rate instead of time scale in the stsd atom
  movenc: Add a separate ismv/isma (smooth streaming) muxer
  movenc: Allow the caller to decide on fragmentation
  libavformat: Add a flag for muxers that support write_packet(NULL) for flushing
  movenc: Add support for writing fragmented mov files
  ...

Conflicts:
	Changelog
	cmdutils.c
	cmdutils.h
	doc/APIchanges
	ffmpeg.c
	ffplay.c
	libavfilter/Makefile
	libavformat/Makefile
	libavformat/avformat.h
	libavformat/movenc.c
	libavformat/movenc.h
	libavformat/version.h
	tools/graph2dot.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-26 02:23:56 +01:00
Paul B Mahol
7de9af65c7 fate: add XWD image regression test
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2012-01-26 01:51:26 +01:00
Janne Grunau
b3461c29c1 lavf: prevent infinite loops while flushing in avformat_find_stream_info
If no data was seen for a stream decoder are returning 0 when fed with
empty packets for flushing. We can stop flushing when the decoder does
not return delayed delayed frames anymore. Changes try_decode_frame()
return value to got_picture or negative error.

CC: libav-stable@libav.org
2012-01-26 00:45:05 +01:00
Michael Niedermayer
01e5e97026 mjpegbdec: Fix incorrect bitstream buffer size.
Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 23:56:09 +01:00
Alex Converse
d2ee8c1779 matroskadec: Pad AAC extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
2012-01-25 14:46:06 -08:00
Paul B Mahol
dd453f197c r210, r10k and avrp encoder
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 23:40:06 +01:00
Michael Niedermayer
807a045ab7 kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 23:25:45 +01:00
Martin Storsjö
8801fac365 ismindex: Fix build on mingw
Signed-off-by: Martin Storsjö <martin@martin.st>
2012-01-26 00:04:28 +02:00
Michael Niedermayer
2f3a86a761 doc/ffmpeg.texi
Merge changes from avconv.texi since the last merge into ffmpeg.texi

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 23:01:34 +01:00
Lou Logan
935c659c03 remove avconv from Doxyfile
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 22:47:45 +01:00
Michael Niedermayer
def678956a Remove avconv
All features have been merged into ffmpeg.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 22:46:37 +01:00
Michael Niedermayer
1285baaab5 smackerdec: Check that the last indexes are within the table.
Fixes CVE-2011-3944

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 22:32:11 +01:00
Alex Converse
d78bb1a4b2 wma: Clip WMA1 and WMA2 frame length to 11 bits.
The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers say that that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.

Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
2012-01-25 12:31:37 -08:00
Martin Storsjö
9f9c45f4b6 movenc: Don't require frame_size to be set for modes other than mov
The field frame_size isn't written to the output anywhere except
than in mov.

This facilitates stream copy from formats that don't set frame_size.

Signed-off-by: Martin Storsjö <martin@martin.st>
2012-01-25 22:25:56 +02:00
Martin Storsjö
6cb288290d doc: Update APIchanges with info on muxer flushing
Signed-off-by: Martin Storsjö <martin@martin.st>
2012-01-25 22:24:13 +02:00
Martin Storsjö
990a746cec movenc: Reindent a block
Also add some space around operators and wrap a comment
that extends past the 80 char "limit"/guideline.

Signed-off-by: Martin Storsjö <martin@martin.st>
2012-01-25 22:13:56 +02:00
Michael Niedermayer
247d30a7db vp3: Copy all 3 frames for thread updates.
This fixes a double release of the current frame on deinit.
Fixes CVE-2011-3934

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 21:12:00 +01:00
Diego Biurrun
d55fa1cb25 tools: Remove some unnecessary #undefs. 2012-01-25 20:41:22 +01:00
Hendrik Leppkes
6071644287 indeo3: fix motion vector validation
The index of the motion vector has to be checked before being
multiplied by 2 for the array index.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 18:55:32 +01:00
Michael Niedermayer
5cb57a16ed dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 16:41:27 +01:00
Michael Niedermayer
f9de136b17 dv: check stype
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-25 16:41:26 +01:00