Fixes part of Ticket1373
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Based-on-patch-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 679c578cb8e82df6fdee977e3137a26a680ad346)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1365
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1377
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes#1380.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
prevents out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes#1368.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1362
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes ticket1360
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1359
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.8:
Update Changelog for the 0.8.3 Release
Prepare for 0.8.3 Release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
qdm2: clip array indices returned by qdm2_get_vlc().
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
h263dec: Disallow width/height changing with frame threads.
Conflicts:
Changelog
RELEASE
libavcodec/eatqi.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes a crash when FF_DEBUG_PICT_INFO is used.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)
Fixes: CVE-2012-0851
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The cleanup is only done now when
a picture is returned (assuming that it has to be done when its returned)
a error is returned (assuming that there will be no further progress on the frame)
the codec is not h264 (this is still needed due to some deadlocks in realvideo)
This fixes a decoding regression with 00017.MTS
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18a7f7465e7e6b9c3688ffc23230ae7a0639a771)
Fixes out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585)
Fixes out of array writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5a35bd92ad6b535fd5d3a7513169661de66ec247)
* qatar/release/0.8:
Update Changelog for the 0.8.2 Release
Prepare for 0.8.2 Release
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
ttadec: CRC checking
tta: use skip_bits_long()
Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Progressive data is allocated later in decode_sof(), not allocating
that data leads to NULL dereferences.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashes because the old check was incomplete.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes crashes in codepaths not covered by original checks.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.8: (24 commits)
apedec: check bits <= 32.
truemotion: forbid invalid VLC bitsizes and token values.
mov: don't overwrite existing indexes.
truemotion2: handle out-of-frame motion vectors through edge extension.
lzw: prevent buffer overreads.
truemotion2: convert packet header reading to bytestream2.
lagarith: fix buffer overreads.
raw: forward avpicture_fill() error code in raw_decode().
vc1: Do not read from array if index is invalid.
utvideo: port header reading to bytestream2.
bytestream: add more unchecked variants for bytestream2 API
bytestream: K&R formatting cosmetics
bytestream: Add bytestream2 writing API.
aac: Reset PS parameters on header decode failure.
mov: Do not read past the end of the ctts_data table.
xwma: Validate channels and bits_per_coded_sample.
asf: reset side data elements on packet copy.
vqa: check palette chunk size before reading data.
vqavideo: port to bytestream2 API
wmavoice: fix stack overread.
...
Conflicts:
cmdutils.c
cmdutils.h
libavcodec/lagarith.c
libavcodec/truemotion2.c
libavcodec/vqavideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.
This prevents crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
