24178 Commits

Author SHA1 Message Date
Michael Niedermayer
cfad9930ff shorten: Use separate pointers for the allocated memory for decoded samples.
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.

Fixes CVE-2012-0858
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9ccece290c5881b92948772bbf72e68c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 96ed18cab1048f03ff1c825f46b25d49218f1da4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Justin Ruggles
46d9022859 shorten: check for realloc failure
(cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a207a2fecc6a77735ab0cf209fdba0b4dd942a86)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Laurent Aimar
58b3f439cc shorten: Fix out of bound writes in fix_bitshift()
The data pointers s->decoded[*] already take into account s->nwrap.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 5f05cf4ea9aaafed8edcabe785c2719786103ec1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 737bea21b6c2c1d4dca0b7b18824c0a3205556d2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Laurent Aimar
8f924ee66f shorten: Prevent block size from increasing
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 95010d18b2d808db9a49377e41bc2f7cf4dfa03e)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 22949c42edf5352c5fa8c43870efe20698432b35)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Måns Rullgård
40cb7b3b49 shorten: remove VLA and check for buffer overflow
Originally committed as revision 23798 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 02591641f88097aec2a573f0ae384c8b87bcfe3b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Janne Grunau
15c819e23f adpcm: ADPCM Electronic Arts has always two channels
Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Adresses CVE-2012-0852

(cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716)

Conflicts:

	libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b581580bd1cc8506befa65b0a5c9ae429240f21f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Alexander Strange
7a5fbe4034 h264: Add check for invalid chroma_format_idc
Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c5f7c755cfccd7aa01010a2d566104c2b0fa6d86)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Alex Converse
32b73701c7 aacsbr: prevent out of bounds memcpy().
Fixes Libav Bug 195.
Fixes CVE-2012-0850

This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.

Based on change by Michael Niedermayer.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 01804cc91ab231ac79092eee21325d7644357975)

Conflicts:

	libavcodec/aacsbr.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:53 +02:00
Alex Converse
212217504a dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Mans Rullgard
e02249b130 vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Alex Converse
bf0ec375ef celp filters: Do not read earlier than the start of the 'out' vector.
CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9ea94c44b1b414ab3bc6e9220ebb77621423ca38)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 08c81f7365af96c1655767e68d6ec85bea50600c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Alex Converse
e9c9707316 motionpixels: Clip YUV values after applying a gradient.
Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Janne Grunau
5933af562e motionpixels: decode only the 111 complete frames for fate
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c2f2dfb3dd20e036b8b08c0fd1486a3044e8f02a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 90d7146511db0e2dd2d2b1baf2ceb7177b30dd8d)

Conflicts:

	tests/fate.mak
	tests/ref/fate/motionpixels

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 21:21:52 +02:00
Michael Niedermayer
1156f07c6a kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b)
(cherry picked from commit d5f2382d0389ed47a566ea536887af908bf9b14f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a0b65938b7cf37680a4ce0667444a217a151c551)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:43:06 +02:00
Alex Converse
6ca010f209 mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:43:06 +02:00
Michael Niedermayer
224025d852 atrac3: Fix crash in tonal component decoding.
Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:43:06 +02:00
Alex Converse
a8f4db0acd dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00fa6ffe1a0b252d6a81815e51f125225cd0b97a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Michael Niedermayer
b46141b0d1 dv: Fix null pointer dereference due to ach=0
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 44e182d41e3a73548f3f5e8445ec428d3846e6d6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Michael Niedermayer
38421f27b3 dv: check stype
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bb737d381f6d6413899a0697f426fb082eac66fc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Alex Converse
3253dd2b42 nsvdec: Propagate errors
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Alex Converse
87007519c8 nsvdec: Be more careful with av_malloc().
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Michael Niedermayer
1edf848a81 nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-08 11:23:19 +02:00
Anton Khirnov
f70c720d42 id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)

Conflicts:

	libavformat/id3v2.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-04-01 19:35:11 +02:00
Reinhard Tartler
62c4739348 Release notes and changelog for 0.6.5 2012-01-10 21:17:30 +01:00
Reinhard Tartler
7efa13b4b4 Bump version number for 0.6.5 release. 2012-01-10 21:02:32 +01:00
Chris Evans
a5e0afe3c9 vorbis: An additional defense in the Vorbis codec.
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3)

Conflicts:

	libavcodec/vorbis_dec.c
2012-01-08 09:29:16 +01:00
Reinhard Tartler
42f0a66968 vorbisdec: Fix decoding bug with channel handling
Fixes Bug: #191
Chromium Bug: #101458
CVE-2011-3895

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 97f23c72a3815739ab28e297ce60f943349f6939)

Conflicts:

	libavcodec/vorbis_dec.c
2012-01-08 09:24:13 +01:00
Chris Evans
90a4a46747 matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1f625431e2bb9564760fba3ab8077ae07ce7c7a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 22:03:48 +01:00
Chris Evans
6d6254ba9f vorbis: Avoid some out-of-bounds reads
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 22:03:34 +01:00
Janne Grunau
ae24b5ce3a vp3: fix streams with non-zero last coefficient
Fixes a regression introduced in 8b94df0f2047e972.
(cherry picked from commit 9b4767e4784577f3107730316fe652ccaccd9b3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 82a11fcff24d9827070d77f1a3c6ba5d4dc12984)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 21:33:24 +01:00
Ronald S. Bultje
c9c7db0af2 vp3: fix oob read for negative tokens and memleaks on error.
(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)

Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892

Removed the parts that are related to multi-threading, which is not
included before 0.7.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)

Conflicts:

	libavcodec/vp3.c
2012-01-07 09:35:15 +01:00
Reinhard Tartler
6b156c4563 Release notes and changelog for 0.6.4 2011-12-25 10:03:08 +01:00
Reinhard Tartler
dbe7e209df Bump version number for 0.6.4 release. 2011-12-24 15:59:10 +01:00
Justin Ruggles
cfb9b47a1e qdm2: check output buffer size before decoding
(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 73472053516f82b7d273a3d42c583f894077a191)

Conflicts:

	libavcodec/qdm2.c
2011-12-24 15:57:17 +01:00
Baptiste Coudurier
b26c1a8b7e Fix qdm2 decoder packet handling to match the api
Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
2011-12-24 15:54:51 +01:00
Shitiz Garg
ccd2ca0246 4xm: Add a check in decode_i_frame to prevent buffer overreads
Fixes bugzilla #135

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Justin Ruggles
92b964969b wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.

Fixes Bug 81.
(cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8dba5608dcf76032d8a9aa4bd8a3fc1392682281)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Reinhard Tartler
ca87ec53e9 swscale: #include "libavutil/mathematics.h"
this file uses the M_PI macro since
4e74187db2f5db52f88729efc662df9d6bc763e1, so include the correct header
directly.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry picked from commit 5089ce1b5abe2ecbbfd7235aeb0ad47ba38305c1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 851098c9e004b2ce294b687cb18633b038dcc3fe)

Conflicts:

	libswscale/utils.c
2011-12-24 15:47:57 +01:00
Reinhard Tartler
bd071de29a vp3dec: Check coefficient index in vp3_dequant()
Based on a patch by Michael Niedermayer <michaelni@gmx.at>

Fixes NGS00145, CVE-2011-4352

Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bba709214a51ffd665a67404d3beb3727bb3f319)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Michael Niedermayer
8ddc0b491d svq1dec: call avcodec_set_dimensions() after dimensions changed.
Fixes NGS00148, CVE-2011-4579

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

(cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0eca0da06e40b73af495cc05fbcfaa030fcf78ea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Thierry Foucu
94aacaf508 vp6: Fix illegal read.
Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ba4b08b78918f399f9c9524750b26e904d146078)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Alex Converse
8d68083298 vp6: Fix illegal read.
(cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 67a7ed623b678a84c992dd7bf3e3d0329f83621b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Laurent Aimar
e28bb18fdc vp6: Reset the internal state when aborting key frames header parsing
It prevents leaving the state only half initialized.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0dee0890e39636ddebd2707ab3ea5b8de)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Laurent Aimar
a62779d986 vp6: Check for huffman tree build errors
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 066fff755a5d8edc660c010ddb08474d208eeade)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 30c08e226156e5a36a835c008c67114f22c8da8f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:57 +01:00
Dustin Brody
201fcfb894 vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7367cbec1b8cf0cbb49707fb0fdfded8ec397b0d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:47:56 +01:00
Laurent Aimar
8856c4c5c9 Fix out of bound reads in the QDM2 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5a19acb17ceb71657b0eec51dac651953520e5c8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0d93d5c4614fafea74bdac681673f5b32eb49063)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:17:00 +01:00
Laurent Aimar
0f7bf1786e Check for out of bound writes in the QDM2 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 291d74a46d32183653db07818c7b3407fd50a288)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:16:51 +01:00
Laurent Aimar
b99366faef vmd: fix segfaults on corruped streams
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 15:16:36 +01:00
Laurent Aimar
da0900e8bb rv34: Check for invalid slice offsets
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2bbb142a140173e1870017b66c439f4d430a6f67)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 12:20:33 +01:00
Laurent Aimar
d5551d7884 rv34: Fix potential overreads
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b4a1bf0bbf53cc6a736a608732b2ac1de5c2447b)

Conflicts:

	libavcodec/rv34.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-12-24 12:20:33 +01:00