Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
This allows it to be used with get_bits without the thread of overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1aa708988a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashers when using the packet if allocation failed.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
We read sub_packet_h / 2 packets per line of data (during deinterleaving),
which equals zero if sub_packet_h <= 1, thus causing us to not read any
data, leading to an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e30b3e59a4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents SIGFPEs when using block_align for divisions.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 32a659c758)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If no data was seen for a stream decoder are returning 0 when fed with
empty packets for flushing. We can stop flushing when the decoder does
not return delayed delayed frames anymore. Changes try_decode_frame()
return value to got_picture or negative error.
CC: libav-stable@libav.org
(cherry picked from commit b3461c29c1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This way, if the AVCodecContext is allocated for a specific codec, the
caller doesn't need to store this codec separately and then pass it
again to avcodec_open2().
It also allows to set codec private options using av_opt_set_* before
opening the codec.
(cherry picked from commit bc90199848)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It allows to check whether an AVCodecContext is open in a documented
way. Right now the undocumented way this check is done in lavf/lavc is
by checking whether AVCodecContext.codec is NULL. However it's desirable
to be able to set AVCodecContext.codec before avcodec_open2().
(cherry picked from commit af08d9aeea)
Conflicts:
doc/APIchanges
* qatar/master: (22 commits)
wma: Clip WMA1 and WMA2 frame length to 11 bits.
movenc: Don't require frame_size to be set for modes other than mov
doc: Update APIchanges with info on muxer flushing
movenc: Reindent a block
tools: Remove some unnecessary #undefs.
rv20: prevent calling ff_h263_decode_mba() with unset height/width
tools: K&R reformatting cosmetics
Ignore generated aviocat and ismindex tools.
build: Automatically include architecture-specific library Makefile snippets.
indeo5: prevent null pointer dereference on broken files
pktdumper: Use usleep instead of sleep
cosmetics: Remove some unnecessary block braces.
Drop unnecessary prefix from *sink* variable and struct names.
Add a tool for creating smooth streaming manifests
movdec: Calculate an average bit rate for fragmented streams, too
movenc: Write the sample rate instead of time scale in the stsd atom
movenc: Add a separate ismv/isma (smooth streaming) muxer
movenc: Allow the caller to decide on fragmentation
libavformat: Add a flag for muxers that support write_packet(NULL) for flushing
movenc: Add support for writing fragmented mov files
...
Conflicts:
Changelog
cmdutils.c
cmdutils.h
doc/APIchanges
ffmpeg.c
ffplay.c
libavfilter/Makefile
libavformat/Makefile
libavformat/avformat.h
libavformat/movenc.c
libavformat/movenc.h
libavformat/version.h
tools/graph2dot.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The field frame_size isn't written to the output anywhere except
than in mov.
This facilitates stream copy from formats that don't set frame_size.
Signed-off-by: Martin Storsjö <martin@martin.st>
Also add some space around operators and wrap a comment
that extends past the 80 char "limit"/guideline.
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
It can also optionally split the file into individual fragments,
which allows it to be served from any web server without any
server side support.
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes calculation of trackDuration if the MOVIentry array
is cleared. This is required by the fragmentation support in the
next patch.
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit makes the check specific to the case that needs it.
Regression was introduced by
commit 62adc60b97
Author: Michael Niedermayer <michaelni@gmx.at>
Date: Fri Dec 16 06:13:04 2011 +0100
avidec: Check that the header chunks fit in the available filesize.
Fixes Ticket771
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (23 commits)
aacenc: Fix identification padding when the bitstream is already aligned.
aacenc: Write correct length for long identification strings.
aud: remove unneeded field, audio_stream_index from context
aud: fix time stamp calculation for ADPCM IMA WS
aud: simplify header parsing
aud: set pts_wrap_bits to 64.
cosmetics: indentation
aud: support Westwood SND1 audio in AUD files.
adpcm_ima_ws: fix stereo decoding
avcodec: add a new codec_id for CRYO APC IMA ADPCM.
vqa: remove unused context fields, audio_samplerate and audio_bits
vqa: clean up audio header parsing
vqa: set time base to frame rate as coded in the header.
vqa: set packet duration.
vqa: use 1/sample_rate as the audio stream time base
vqa: set stream start_time to 0.
lavc: postpone the removal of AVCodecContext.request_channels.
lavf: postpone removing av_close_input_file().
lavc: postpone removing old audio encoding and decoding API
avplay: remove the -er option.
...
Conflicts:
Changelog
libavcodec/version.h
libavdevice/v4l.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
