* commit 'ebe2292eafa7cac71dcdddb865e18c05635fe117':
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Conflicts:
libavformat/mpegtsenc.c
See: 68b14c044a
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'd86df7dd497ead1132bd95df7c4c18d91fbe3def':
mpegts: Define the section length with a constant
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Prevent out of array write.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
(cherry picked from commit addbaf1348)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 694b7cd873)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/mpegtsenc.c
The code was missing 1 bit in the src format
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc145e576a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part of Ticket3466
Found-by: Andrey_Karpov / PVS-Studio
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ff6fa0b4b9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7fa72700298107fe756311ecb4dee5270ff12d35':
swscale: Fix an undefined behaviour
apedec: do not buffer decoded samples over AVPackets
isom: lpcm in mov default to big endian
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5463a2b0566b34b9e3847db9ceb1ef1d2a6004fc':
movdec: handle 0x7fff langcode as macintosh per the specs
avi: Improve non-interleaved detection
Conflicts:
libavformat/avidec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '330c18032464a4e1f3da907e54db2e69a6fbfcda':
matroskaenc: allow override of "writing application" tag
avfilter: Add missing emms_c when needed
mpeg12: check scantable indices in all decode_block functions
Conflicts:
libavformat/matroskaenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.
I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]
Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.
This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.
[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178
Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.
(cherry picked from commit 9e71cc81f3)
(cherry picked from commit 7940306a47)
Prevents out of array writes
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 842b6c14bc)
Conflicts:
libavformat/mpegtsenc.c
(cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '36017d49e2f797f7371dc24848a2285ca63e39ab':
Prepare for 0.8.11 Release
lavf: make av_probe_input_buffer more robust
Updated Changelog for 0.8.10
oggparseogm: check timing variables
mathematics: remove asserts from av_rescale_rnd()
vc1: Always reset numref when parsing a new frame header.
h264: reset num_reorder_frames if it is invalid
Conflicts:
RELEASE
libavcodec/vc1.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '979f77b0dc40571761999633a38d97be9a1670c8':
h264: check that an IDR NAL only contains I slices
mov: Free an earlier allocated array if allocating a new one
segafilm: fix leaks if reading the header fails
h264_cavlc: check the size of the intra PCM data.
cavs: Check for negative cbp
avi: DV in AVI must be considered single stream
avutil: use align == 0 for default alignment in audio sample buffer functions
Conflicts:
libavcodec/cavsdec.c
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'cb5d0ea0bec119ecbe327bd7d3834987ab42ec1a':
flashsv: Check diff_start diff_height values
dsputil/pngdsp: fix signed/unsigned type in end comparison
vqavideo: check chunk sizes before reading chunks
avi: directly resync on DV in AVI read failure
get_bits: change the failure condition in init_get_bits
twinvq: Cope with gcc-4.8.2 miscompilation
Conflicts:
libavcodec/dsputil.c
libavcodec/flashsv.c
libavcodec/get_bits.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a35974)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df1310)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a1b4d42d31)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* commit '9925f7df0a50387ade8d83cb85b40c53e41e7041':
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
r3d: Add more input value validation
fraps: Make the input buffer size checks more strict
svq3: Avoid a division by zero
rmdec: Validate the fps value
twinvqdec: Check the ibps parameter separately
asfdec: Check the return value of asf_read_stream_properties
mxfdec: set audio timebase to 1/samplerate
pcx: Check the packet size before assuming it fits a palette
rpza: Fix a buffer size check
xxan: Disallow odd width
xan: Only read within the data that actually was initialized
Conflicts:
libavcodec/fraps.c
libavformat/mxfdec.c
tests/ref/seek/lavf_mxf
tests/ref/seek/lavf_mxf_d10
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '993977032a0adb47eb70e7fef6ce0d5370027e83':
xan: Use bytestream2 to limit reading to within the buffer
pcx: Consume the whole packet if giving up due to missing palette
pngdec: Stop trying to decode once inflate returns Z_STREAM_END
mov: Make sure the read sample count is nonnegative
bfi: Add some very basic sanity checks for input packet sizes
Conflicts:
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5e8243e843be8f71da7dde199a71d095726533eb':
bfi: Avoid divisions by zero
electronicarts: Add more sanity checking for the number of channels
riffdec: Add sanity checks for the sample rate
mvi: Add sanity checking for the audio frame size
xwma: Avoid division by zero
avidec: Make sure a packet is large enough before reading its data
vqf: Make sure the bitrate is in the valid range
vqf: Make sure sample_rate is set to a valid value
vc1dec: Undo mpegvideo initialization if unable to allocate tables
Conflicts:
libavformat/riff.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '159993acc7f4e3155510d42c543e09fe972b933c':
vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
wnv1: Make sure the input packet is large enough
dca: Validate the lfe parameter
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asv1: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
Conflicts:
libavcodec/qpeg.c
libavcodec/wnv1.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b19eafa2b930ee40abfde6d1f026b7fa5591c4dc':
eacmv: Make sure a reference frame exists before referencing it
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
ivi_common: Make sure color planes have been initialized
oggparseogm: Convert to use bytestream2
rv34: Check the return value from ff_rv34_decode_init
matroskadec: Verify realaudio codec parameters
mace: Make sure that the channel count is set to a valid value
svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
vp3: Check the framerate for validity
cavsdec: Make sure a sequence header has been decoded before decoding pictures
sierravmd: Do sanity checking of frame sizes
omadec: Properly check lengths before incrementing the position
mpc8: Make sure the first stream exists before parsing the seek table
Conflicts:
libavcodec/eacmv.c
libavcodec/mpeg4videodec.c
libavformat/omadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '486c45767587151b517bb6fde602d43d178da203':
mpc8: Check the seek table size parsed from the bitstream
zmbvdec: Check the buffer size for uncompressed data
ape: Don't allow the seektable to be omitted
shorten: Break out of loop looking for fmt chunk if none is found
shorten: Use a checked bytestream reader for the wave header
smacker: Make sure we don't fill in huffman codes out of range
Conflicts:
libavcodec/shorten.c
libavcodec/smacker.c
libavcodec/zmbv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Abort if it is invalid if strict error checking has been requested.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0f310a6f33)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/rmdec.c
This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cc41167aed)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit fc4d11ec9b)
If a zero-length video packet is to be returned, just return
AVERROR(EAGAIN) and switch back to the audio stream.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9fc7184d1a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ad1223d6bc)
This avoids setting a negative number of frames, ending up with a
negative average frame rate.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c231987662)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit c10f3fed25)
This avoids divisions by zero later (and possibly assertions in
time base scaling), since an invalid rate_flag combined with an
invalid bitrate below could pass the mode combination test.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9277050e29)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 4d60ab62e0)
