Fixes part of Ticket1369
Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c276ac0f8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such files are currently not supported as the table is used at several points
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a684)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.8:
Update Changelog for the 0.8.3 Release
Prepare for 0.8.3 Release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
qdm2: clip array indices returned by qdm2_get_vlc().
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
h263dec: Disallow width/height changing with frame threads.
Conflicts:
Changelog
RELEASE
libavcodec/eatqi.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes over reading the header array
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.8: (24 commits)
apedec: check bits <= 32.
truemotion: forbid invalid VLC bitsizes and token values.
mov: don't overwrite existing indexes.
truemotion2: handle out-of-frame motion vectors through edge extension.
lzw: prevent buffer overreads.
truemotion2: convert packet header reading to bytestream2.
lagarith: fix buffer overreads.
raw: forward avpicture_fill() error code in raw_decode().
vc1: Do not read from array if index is invalid.
utvideo: port header reading to bytestream2.
bytestream: add more unchecked variants for bytestream2 API
bytestream: K&R formatting cosmetics
bytestream: Add bytestream2 writing API.
aac: Reset PS parameters on header decode failure.
mov: Do not read past the end of the ctts_data table.
xwma: Validate channels and bits_per_coded_sample.
asf: reset side data elements on packet copy.
vqa: check palette chunk size before reading data.
vqavideo: port to bytestream2 API
wmavoice: fix stack overread.
...
Conflicts:
cmdutils.c
cmdutils.h
libavcodec/lagarith.c
libavcodec/truemotion2.c
libavcodec/vqavideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This prevents a SIGFPE later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5023b89bba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Found with asan.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
dv: check stype
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Related to CVE-2011-3940.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)
Conflicts:
libavformat/nsvdec.c
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
This allows it to be used with get_bits without the threat of overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1aa708988a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
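The two rules in the commit message above (never follow a next-index pointer backwards, never read an index that does not fit in the file), as an added example that is not code from the commit or the project. The 8-byte record layout, the function names and the sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (assumption, not a real container's syntax): an index record
 * is 8 bytes: u32le entry count, then u32le offset of the next index (0 = end). */
#define IDX_REC_SIZE 8

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns how many indexes were read before the chain ended or was cut off. */
int walk_indexes(const uint8_t *file, size_t size, size_t pos)
{
    int n = 0;
    while (pos != 0) {
        if (pos > size || size - pos < IDX_REC_SIZE)
            break;                  /* next index does not fit in the file */
        size_t next = rd_le32(file + pos + 4);
        n++;                        /* the index entries would be parsed here */
        if (next != 0 && next <= pos)
            break;                  /* backward or self reference: stop */
        pos = next;
    }
    return n;
}

/* Constructed sample: the index at 8 points to 24, which points back to 8. */
int demo_cyclic(void)
{
    uint8_t f[64] = {0};
    f[8 + 4]  = 24;                 /* low byte of the little-endian offset */
    f[24 + 4] = 8;
    return walk_indexes(f, sizeof(f), 8);
}

/* Constructed sample: the index at 8 points to 60, where only 4 bytes remain. */
int demo_truncated(void)
{
    uint8_t f[64] = {0};
    f[8 + 4] = 60;
    return walk_indexes(f, sizeof(f), 8);
}

int main(void)
{
    printf("cyclic: %d, truncated: %d\n", demo_cyclic(), demo_truncated());
    return 0;
}
```

Requiring each next offset to be strictly greater than the current one bounds the walk by the file size, so no visited-set is needed to rule out cycles.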
Prevents crashers when using the packet if allocation failed.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
We read sub_packet_h / 2 packets per line of data (during deinterleaving),
which equals zero if sub_packet_h <= 1, thus causing us to not read any
data, leading to an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e30b3e59a4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents SIGFPEs when using block_align for divisions.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 32a659c758)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If no data was seen for a stream, decoders are returning 0 when fed with
empty packets for flushing. We can stop flushing when the decoder does
not return delayed frames anymore. Changes try_decode_frame()
return value to got_picture or negative error.
CC: libav-stable@libav.org
(cherry picked from commit b3461c29c1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
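The pattern the commit message above describes, keeping an element's default when reading its replacement fails, as an added example that is not code from the commit or the project. The function names, the "language" element and its "eng" default are hypothetical values constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a `len`-byte string element from `data`, of which `avail` bytes exist.
 * *str is replaced only once the new value is complete, so a truncated
 * element or a failed allocation leaves the previous (default) value intact. */
int read_string(const uint8_t *data, size_t avail, size_t len, char **str)
{
    char *tmp;
    if (len > avail)
        return -1;                      /* corrupted or truncated element */
    tmp = malloc(len + 1);
    if (!tmp)
        return -1;                      /* low memory */
    memcpy(tmp, data, len);
    tmp[len] = '\0';
    free(*str);
    *str = tmp;
    return 0;
}

/* Hypothetical track with a "language" element whose default is "eng"
 * (constructed value). Returns 1 if the parsed language equals `want`,
 * 0 if not, -1 if even the default could not be allocated. */
int language_is(const uint8_t *data, size_t avail, size_t len, const char *want)
{
    char *language = NULL;
    int match;
    if (read_string((const uint8_t *)"eng", 3, 3, &language) < 0)
        return -1;
    read_string(data, avail, len, &language);   /* may fail; default survives */
    match = strcmp(language, want) == 0;        /* consumer does no NULL check */
    free(language);
    return match;
}

int main(void)
{
    const uint8_t elem[] = { 'f', 'r', 'e' };   /* constructed element payload */
    printf("%d %d\n", language_is(elem, 3, 3, "fre"),
                      language_is(elem, 3, 200, "eng"));
    return 0;
}
```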
This way, if the AVCodecContext is allocated for a specific codec, the
caller doesn't need to store this codec separately and then pass it
again to avcodec_open2().
It also allows setting codec private options using av_opt_set_* before
opening the codec.
(cherry picked from commit bc90199848)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It allows checking whether an AVCodecContext is open in a documented
way. Right now the undocumented way this check is done in lavf/lavc is
by checking whether AVCodecContext.codec is NULL. However it's desirable
to be able to set AVCodecContext.codec before avcodec_open2().
(cherry picked from commit af08d9aeea)
Conflicts:
doc/APIchanges