Ohter packet sizes are not supported by this muxer.
This avoids a null pointer dereference of pkt->data.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids a null pointer dereference of pkt->data.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f8be605800b801e59ea49657a560287883ebfc8a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This could overflow and crash at least on 32 bit systems.
Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa)
Conflicts:
libavformat/mpc8.c
(cherry picked from commit 49dd89f9027f3def12e170bb7d986d37812eedba)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.
Fixes ticket #4262.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Suggested-by: Andrew Scherkus <scherkus@google.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes miss detection of PCM as m4v
Fixes Ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c1835c52a4be2e4e996f83c91a8d5a147b01100)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '0ceb2dffb6ba082a8abcc57c53a14b2512f0aa48':
mov: avoid a memleak when multiple stss boxes are present
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '90a2359fef5325f90aec0eca51b145d90ca3df7d':
nutdec: Remove unused and broken debug function stub
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The chunk size is limited to UINT16_MAX (written by avio_wb16), so make
sure that the packet size is not too large.
Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.
This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.
Bug-Id: chromium/427266
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 577f1feb3fd1e51fd14af7ce6d79d468faa3b929)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 931f5b235112f1c2a09dead36f0a228061d23942)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 93f919d0b4c4341ccee366c98ac9af813f8fe622)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit 56ac2cbd0464e0146e62c91843e2b1f5e0908504)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/apetag.c
* commit 'ebe2292eafa7cac71dcdddb865e18c05635fe117':
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Conflicts:
libavformat/mpegtsenc.c
See: 68b14c044a4a00d69aeb620bdb57dce533c4190a
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'd86df7dd497ead1132bd95df7c4c18d91fbe3def':
mpegts: Define the section length with a constant
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Prevent out of array write.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
(cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 694b7cd873f8b06af109036eff1ccd741afdd28e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/mpegtsenc.c
The code was missing 1 bit in the src format
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc145e576a443bfc89efdf35b91fd3c9ca0d8388)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part of Ticket3466
Found-by: Andrey_Karpov / PVS-Studio
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ff6fa0b4b980fc5b9f7653d7b159ae02c3d95210)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7fa72700298107fe756311ecb4dee5270ff12d35':
swscale: Fix an undefined behaviour
apedec: do not buffer decoded samples over AVPackets
isom: lpcm in mov default to big endian
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5463a2b0566b34b9e3847db9ceb1ef1d2a6004fc':
movdec: handle 0x7fff langcode as macintosh per the specs
avi: Improve non-interleaved detection
Conflicts:
libavformat/avidec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '330c18032464a4e1f3da907e54db2e69a6fbfcda':
matroskaenc: allow override of "writing application" tag
avfilter: Add missing emms_c when needed
mpeg12: check scantable indices in all decode_block functions
Conflicts:
libavformat/matroskaenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.
I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]
Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.
This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.
[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178
Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.
(cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059)
(cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa)
Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.
Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.
Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Prevents out of array writes
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad)
Conflicts:
libavformat/mpegtsenc.c
(cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '36017d49e2f797f7371dc24848a2285ca63e39ab':
Prepare for 0.8.11 Release
lavf: make av_probe_input_buffer more robust
Updated Changelog for 0.8.10
oggparseogm: check timing variables
mathematics: remove asserts from av_rescale_rnd()
vc1: Always reset numref when parsing a new frame header.
h264: reset num_reorder_frames if it is invalid
Conflicts:
RELEASE
libavcodec/vc1.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '979f77b0dc40571761999633a38d97be9a1670c8':
h264: check that an IDR NAL only contains I slices
mov: Free an earlier allocated array if allocating a new one
segafilm: fix leaks if reading the header fails
h264_cavlc: check the size of the intra PCM data.
cavs: Check for negative cbp
avi: DV in AVI must be considered single stream
avutil: use align == 0 for default alignment in audio sample buffer functions
Conflicts:
libavcodec/cavsdec.c
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'cb5d0ea0bec119ecbe327bd7d3834987ab42ec1a':
flashsv: Check diff_start diff_height values
dsputil/pngdsp: fix signed/unsigned type in end comparison
vqavideo: check chunk sizes before reading chunks
avi: directly resync on DV in AVI read failure
get_bits: change the failure condition in init_get_bits
twinvq: Cope with gcc-4.8.2 miscompilation
Conflicts:
libavcodec/dsputil.c
libavcodec/flashsv.c
libavcodec/get_bits.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
