Fixes invalid reads while initializing the dequant tables, which uses
the bit depth to determine the QP table size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Splits at borders of cells are invalid, since it leaves one of the
cells with a width/height of zero. Also, propagate errors on buffer
allocation failures, so we don't continue decoding (which crashes).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Because in contrast to the decoder, the parser does not setup low_delay.
The code in parse_nal_units would always end up setting has_b_frames
to "1", except when stream is explicitly marked as low delay.
Since the parser itself would create 'extradata', simply reopening
the parser would cause this.
This happens for instance in estimate_timings_from_pts(), which causes the
parser to be reopened on the same stream.
This fixes Libav #22 and FFmpeg (trac) #360
CC: libav-stable@libav.org
Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7)
Comments and description adapted by Reinhard Tartler.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crash when trying to copy from a non-existing plane in e.g.
a RGB32 reference image to a YUV420P target image
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Also fixes crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents crashers and errors further down when reading nodes in the
empty tree.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The parser uses VLC tables initialized in vc1_common_init(), therefore
we should call this function on parser init also.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce)
Conflicts:
libavcodec/vc1.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Return 0 means "please return the same data again", i.e. it causes an
infinite loop. Instead, return an error.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9d3050d3e95e307ebc34a943484c7add838d1220)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Return 0 indicates "please return the same data again", i.e. it causes
an infinite loop. Instead, return that we consumed the buffer if we
finished decoding succesfully, or return an error if an error occurred.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If bufsize < headersize, init_get_bits() will be called with a negative
number, causing it to fail and any subsequent call to get_bits() will
crash because it reads from a NULL pointer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3e13005cac6e076053276b515f5fcf59a3f4b65d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
On EOF, get_bits() will continuously return 0, causing an infinite
loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Prevents a division by zero later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7416d610362807848236ceff1bc6740dbc82842d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers say that that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.
Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Prevents a crash of VLC during playback of a invalid matroska file,
found by John Villamil <johnv@matasano.com>.
CC: libav-stable@libav.org
(cherry picked from commit c3e10ae4127c998b809066926a410f40ebd47593)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Earlier, calling avcodec_encode_audio worked fine even if time_base
wasn't set. Now it crashes due to trying to scale the output pts to
the codec context time base. This affects e.g. VLC.
If no time_base is set for audio codecs, set it to the sample
rate.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9a7dc618c50902e7a171f2deda6430d52c277a95)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This way, if the AVCodecContext is allocated for a specific codec, the
caller doesn't need to store this codec separately and then pass it
again to avcodec_open2().
It also allows to set codec private options using av_opt_set_* before
opening the codec.
(cherry picked from commit bc901998487bf9b77a423961d9f961bcc28a9291)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
I.e. free the priv_data and other stuff allocated in
avcodec_alloc_context3() and not segfault.
(cherry picked from commit 0e72ad95f9fef6a6b8ae55e47339a5c40526502f)
It allows to check whether an AVCodecContext is open in a documented
way. Right now the undocumented way this check is done in lavf/lavc is
by checking whether AVCodecContext.codec is NULL. However it's desirable
to be able to set AVCodecContext.codec before avcodec_open2().
(cherry picked from commit af08d9aeea870de017139f7b1c44b7d816cf8e56)
Conflicts:
doc/APIchanges
Using threaded decoding by default breaks backward compatibility if
AVHWAccel is used or if an appliction sets threadunsafe callbacks.
Avconv and avplay still use -threads auto if not specified.
