Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
Bump version number for 0.5.9 release.
png: check bit depth for PAL8/Y400A pixel formats.
tqi: Pass errors from the MB decoder
eatqi: move "block" variable into context to ensure sufficient alignment for idct_put for compilers/architectures that can not align stack variables that much. This is also consistent with similar code in eatgq.c
ea: check chunk_size for validity.
vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>
mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
mingw32: properly check if vfw capture is supported by the system headers
Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>
configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
adpcm: ADPCM Electronic Arts has always two channels
h264: Add check for invalid chroma_format_idc
dpcm: ignore extra unpaired bytes in stereo streams.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c
Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e7392dc349291eb94379d8cfb7ef73d32a768858)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2d)
* qatar/release/0.5:
Bump version number for 0.5.8 release.
Release notes and changelog for 0.5.7
vqavideo: return error if image size is not a multiple of block size
motionpixels: Clip YUV values after applying a gradient.
mjpegbdec: Fix overflow in SOS.
atrac3: Fix crash in tonal component decoding.
dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
dv: Fix null pointer dereference due to ach=0
dv: check stype
nsvdec: Propagate errors
nsvdec: Be more careful with av_malloc().
nsvdec: Fix use of uninitialized streams.
Conflicts:
libavcodec/atrac3.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c90da45d5a7a4045dbf22fba52c63ef55d207269)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes Ticket780
Bug Found by: cosminamironesei
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
Release notes and changelog for 0.5.7
Bump version number for 0.5.7 release.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8370e426e4)
Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892
Removed the parts that are related to multi-threading, which is not
included before 0.7.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554)
Conflicts:
libavcodec/vp3.c
(cherry picked from commit c9c7db0af2)
Conflicts:
libavcodec/vp3.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.5:
Bump version number for 0.5.6 release.
svq1dec: call avcodec_set_dimensions() after dimensions changed.
vmd: fix segfaults on corruped streams
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
Plug some memory leaks in the VP6 decoder
vp6: Reset the internal state when aborting key frames header parsing
vp6: Fix illegal read.
vp6: Fix illegal read.
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
qdm2: check output buffer size before decoding
Fix qdm2 decoder packet handling to match the api
Conflicts:
libavcodec/qdm2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Originally committed as revision 22172 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a41faa9a7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit b26c1a8b7e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes NGS00144
This also adds a few lines of code from master that are needed for this fix.
Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a6a61a6d1d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is neccessary but likely not sufficient to prevent out of array reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 14db3af4f2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8120a1d9bd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket240
Based on patch by ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 20431a9982)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found with Address Sanitizer
(cherry picked from commit bb4b0ad83b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f62fa1ce9f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ae93d0304)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
