generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
32,160 Commits 24 Branches 241 Tags
Commit Graph

15321 Commits

Author SHA1 Message Date
Janne Grunau
fdb7080781 Revert "nuv: check per-frame header for validity." 
The check is bogus since the nuv frameheader is already skipped
and the (decompressed) RTjpeg header is checked.

This reverts commit f6afacdb3b708720c9fb85984b4f7fdbca2b2036.

CC: libav-stable@libav.org
(cherry picked from commit 110d015ad450ea1b2fd40f0e9ce1c53507cdec5d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-09-28 08:05:11 +02:00
Anton Khirnov
bed5847563 bmpdec: only initialize palette for pal8. 
Gray8 is not considered to be paletted, so this would cause an invalid
write.

Fixes bug 367.

CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-09-28 08:04:43 +02:00
Reimar Döffinger
e9ac06160f sipr: fall back to setting mode based on bit_rate. 
Not all applications (e.g. MPlayer) set block_align, and
when using a different demuxer it might not even be
easily available.
So fall back to selecting mode based on bit rate as before
if block_align has not useful value.
It can't be worse than failing to decode completely.

(cherry picked from commit 1d0d63052b82c76e10c45cd38cdd27677de72e81)

CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c54e00610f20d2342fe9b17a5460abfbd411c8fb)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-09-28 08:04:33 +02:00
Kostya Shishkov
02b7239462 vc1dec: add flush function for WMV9 and VC-1 decoders 
CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-09-28 08:04:33 +02:00
Mans Rullgard
e1608014c5 h264: allow cropping to AVCodecContext.width/height 
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d)

Conflicts:

	libavcodec/h264.c
 2012-06-10 09:47:45 +02:00
Ronald S. Bultje
d34e9e61dd png: check bit depth for PAL8/Y400A pixel formats. 
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-06-03 19:04:51 +02:00
Ronald S. Bultje
c38d3e1a39 qdm2: clip array indices returned by qdm2_get_vlc(). 
Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Conflicts:

	libavcodec/qdm2.c
 2012-06-02 19:17:53 -04:00
Michael Niedermayer
5872580e65 tqi: Pass errors from the MB decoder 
This silences some valgrind warnings.
CC: libav-stable@libav.org

Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-23 20:43:42 +02:00
Alexander Strange
4713234518 h264: Add check for invalid chroma_format_idc 
Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-22 21:57:38 +02:00
Michael Niedermayer
5836110018 h263dec: Disallow width/height changing with frame threads. 
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-22 21:51:58 +02:00
Mans Rullgard
d5207e2af8 vqavideo: return error if image size is not a multiple of block size 
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:14:26 +02:00
Alex Converse
9ea94c44b1 celp filters: Do not read earlier than the start of the 'out' vector. 
CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Alex Converse
aaa6a66677 motionpixels: Clip YUV values after applying a gradient. 
Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
7240cc3f8b jpeg: handle progressive in second field of interlaced. 
Progressive data is allocated later in decode_sof(), not allocating
that data leads to NULL dereferences.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
7fe4c8cb76 h263: more strictly forbid frame size changes with frame-mt. 
Prevents crashes because the old check was incomplete.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
746f1594d7 h264: additional protection against unsupported size/bitdepth changes. 
Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)

Conflicts:

	libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 22:09:27 +02:00
Ronald S. Bultje
0e4bb0530f tta: prevents overflows for 32bit integers in header. 
This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 21:28:45 +02:00
Paul B Mahol
994c0efcc7 ttadec: CRC checking 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 21:28:35 +02:00
Paul B Mahol
cf5e119d4a tta: use skip_bits_long() 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-04 21:28:28 +02:00
Michael Niedermayer
e8050f313e apedec: check bits <= 32. 
Fixes a floating-point exception further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
be424d86a8 truemotion: forbid invalid VLC bitsizes and token values. 
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.

This prevents crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
46f8bbfc6d truemotion2: handle out-of-frame motion vectors through edge extension. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
562c6a7bf1 lzw: prevent buffer overreads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
e711ccee4d truemotion2: convert packet header reading to bytestream2. 
Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
d6372e80fe lagarith: fix buffer overreads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:03 +02:00
Ronald S. Bultje
29d91e9161 raw: forward avpicture_fill() error code in raw_decode(). 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Mashiat Sarker Shakkhar
583f57f04a vc1: Do not read from array if index is invalid. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Ronald S. Bultje
f8f6c14f54 utvideo: port header reading to bytestream2. 
Fixes crash during slice size reading if slice_end goes negative.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Paul B Mahol
9e24f2a1f0 bytestream: add more unchecked variants for bytestream2 API 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Aneesh Dogra
e788c6e9cb bytestream: K&R formatting cosmetics 
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Aneesh Dogra
2e681cf50f bytestream: Add bytestream2 writing API. 
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Alex Converse
9ddd3abe78 aac: Reset PS parameters on header decode failure. 
If the next header frame codes zero envelopes the previous frame's
values will be used. Consequently the invalid values must be cleared.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:02 +02:00
Ronald S. Bultje
c21b858b27 vqa: check palette chunk size before reading data. 
Prevents overreads beyond buffer boundaries.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Paul B Mahol
0b9bb581fd vqavideo: port to bytestream2 API 
Protects against overreads.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
105601c151 wmavoice: fix stack overread. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
3a4949aa50 indeo4: fix out-of-bounds function call. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 68fd077f68bdde864bb7328d72a040849c616261)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
bf3998d71e mimic: don't use self as reference, and report completion at end of decode(). 
Fixes hangs on corrupt samples that reference self-frames.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 80387f0e2568746dce4a68e2217297029a053dae)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Ronald S. Bultje
87208b8fc4 mpeg4: report frame decoding completion at ff_MPV_frame_end(). 
Prevents hangs on corrupt input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2)

Conflicts:

	libavcodec/mpegvideo.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-29 22:07:01 +02:00
Kostya Shishkov
1ee0cd1ad7 dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
 2012-03-14 23:32:15 +01:00
Ronald S. Bultje
b594732475 dca: don't use av_clip_uintp2(). 
The argument is not a literal, thus causing the ARM v6 or later
builds to break.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
 2012-03-14 23:30:19 +01:00
Michael Niedermayer
ce15406e78 snow: check reference frame indices. 
Fixes NULL ptr dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 1f8ff2b13cbfef790385818664ed12e763e7c75b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:35:09 +01:00
Michael Niedermayer
c9e95636a8 snow: reject unsupported chroma shifts. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit c9837954e7b968d44f82e7cdb7618e9f523b196c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:34:55 +01:00
Ronald S. Bultje
6e5c07f4c8 xa_adpcm: limit filter to prevent xa_adpcm_table[] array bounds overruns. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 86020073dbb9a3a9d1fbb76345b2ca29ba1f13d2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:34:36 +01:00
Ronald S. Bultje
c999a8ed65 h264: increase reference poc list from 16 to 32. 
Interlaced images can have 32 references (16 per field), so limiting the
array size to 16 leads to invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 48cbe4b092113eae0b3e5d6a08b59027f913a884)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:34:13 +01:00
Ronald S. Bultje
4d343a6f47 h264: stricter reference limit enforcement. 
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d0e0fab094a9c886b0e0f0f662df1ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:33:15 +01:00
Michael Niedermayer
a81a6d9c80 h264: improve parsing of broken AVC SPS 
Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams
with broken escaping. Since the size of the NAL unit is known and
checked against the buffer end we can parse it entirely without buffer
overreads.

Fixes playback of
http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3aa661ec561d7a20812b84b353b0d7855ac346c8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:27:22 +01:00
Alex Converse
48f0eeb2e5 Replace computations of remaining bits with calls to get_bits_left(). 
(cherry picked from commit 3574a85ce57366ba7429edef93d5cad8640fb68c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:27:16 +01:00
Ronald S. Bultje
d26e47bf6c png: convert to bytestream2 API. 
Protects against overreads in the input buffer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4c25269cedd042abcb823c42d33609564861c374)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:14:28 +01:00
Ronald S. Bultje
568a474a08 roqvideo: convert to bytestream2 API. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cdf15771621bce7959b3e53b21426c5ba747e17b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:09:40 +01:00
Ronald S. Bultje
9a66cdbc16 smc: port to bytestream2 API. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8febcb9fc178926687ee19d32d2b3150da899867)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-03-14 21:09:28 +01:00