prevents out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aaa00c301)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.8:
Update Changelog for the 0.8.3 Release
Prepare for 0.8.3 Release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
qdm2: clip array indices returned by qdm2_get_vlc().
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
h263dec: Disallow width/height changing with frame threads.
Conflicts:
Changelog
RELEASE
libavcodec/eatqi.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
Fixes a crash when FF_DEBUG_PICT_INFO is used.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957)
Fixes: CVE-2012-0851
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The cleanup is only done now when
a picture is returned (assuming that it has to be done when its returned)
a error is returned (assuming that there will be no further progress on the frame)
the codec is not h264 (this is still needed due to some deadlocks in realvideo)
This fixes a decoding regression with 00017.MTS
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18a7f7465e)
Fixes out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2d)
Fixes out of array writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5a35bd92ad)
* qatar/release/0.8:
Update Changelog for the 0.8.2 Release
Prepare for 0.8.2 Release
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
ttadec: CRC checking
tta: use skip_bits_long()
Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Progressive data is allocated later in decode_sof(), not allocating
that data leads to NULL dereferences.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5eec5a79da)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashes because the old check was incomplete.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes crashes in codepaths not covered by original checks.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe5)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.8: (24 commits)
apedec: check bits <= 32.
truemotion: forbid invalid VLC bitsizes and token values.
mov: don't overwrite existing indexes.
truemotion2: handle out-of-frame motion vectors through edge extension.
lzw: prevent buffer overreads.
truemotion2: convert packet header reading to bytestream2.
lagarith: fix buffer overreads.
raw: forward avpicture_fill() error code in raw_decode().
vc1: Do not read from array if index is invalid.
utvideo: port header reading to bytestream2.
bytestream: add more unchecked variants for bytestream2 API
bytestream: K&R formatting cosmetics
bytestream: Add bytestream2 writing API.
aac: Reset PS parameters on header decode failure.
mov: Do not read past the end of the ctts_data table.
xwma: Validate channels and bits_per_coded_sample.
asf: reset side data elements on packet copy.
vqa: check palette chunk size before reading data.
vqavideo: port to bytestream2 API
wmavoice: fix stack overread.
...
Conflicts:
cmdutils.c
cmdutils.h
libavcodec/lagarith.c
libavcodec/truemotion2.c
libavcodec/vqavideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.
This prevents crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
