Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9ccece290c5881b92948772bbf72e68c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 96ed18cab1048f03ff1c825f46b25d49218f1da4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The data pointers s->decoded[*] already take into account s->nwrap.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 5f05cf4ea9aaafed8edcabe785c2719786103ec1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 737bea21b6c2c1d4dca0b7b18824c0a3205556d2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 23798 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 02591641f88097aec2a573f0ae384c8b87bcfe3b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes Libav Bug 195.
Fixes CVE-2012-0850
This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.
Based on change by Michael Niedermayer.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 01804cc91ab231ac79092eee21325d7644357975)
Conflicts:
libavcodec/aacsbr.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892
Removed the parts that are related to multi-threading, which is not
included before 0.7.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)
Conflicts:
libavcodec/vp3.c
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.
Fixes Bug 81.
(cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8dba5608dcf76032d8a9aa4bd8a3fc1392682281)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
this file uses the M_PI macro since
4e74187db2f5db52f88729efc662df9d6bc763e1, so include the correct header
directly.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5089ce1b5abe2ecbbfd7235aeb0ad47ba38305c1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 851098c9e004b2ce294b687cb18633b038dcc3fe)
Conflicts:
libswscale/utils.c
It prevents leaving the state only half initialized.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0dee0890e39636ddebd2707ab3ea5b8de)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>