Commit Graph

29466 Commits

Author SHA1 Message Date
Anton Khirnov
d3e2f35f7a bmpdec: only initialize palette for pal8.
Gray8 is not considered to be paletted, so this would cause an invalid
write.

Fixes bug 367.

CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2013-01-04 07:43:21 +01:00
Kostya Shishkov
e39fc137ae vc1dec: add flush function for WMV9 and VC-1 decoders
CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386e)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2013-01-04 07:43:20 +01:00
Mans Rullgard
a2ae183a38 h264: allow cropping to AVCodecContext.width/height
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c)

Conflicts:

	libavcodec/h264.c
2013-01-04 07:43:20 +01:00
Diego Biurrun
7b91e52eb9 x86: Require an assembler able to cope with AVX instructions
All modern assemblers have this capability.  Older NASM versions
that lack the capability produce code that crashes at runtime,
so it's better to error out during the build process instead.

(cherry picked from commit e287201c77)

Signed-off-by: Diego Biurrun <diego@biurrun.de>
2012-11-11 23:03:57 +01:00
Alex Converse
d6e250abfc vorbis: Validate that the floor 1 X values contain no duplicates.
Duplicate values in this vector are explicitly banned by the Vorbis I spec
and cause divide-by-zero crashes later on.
(cherry picked from commit ecf79c4d3e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9aaaeba45c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Justin Ruggles
61ece41372 vorbisenc: check all allocations for failure
(cherry picked from commit be8d812c96)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e46cf805b1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Mina Nagy Zaki
b6c5848a1f lavfi: avfilter_merge_formats: handle case where inputs are same
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412)

Conflicts:

	libavfilter/formats.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e24942)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Michael Niedermayer
b6ba39f931 alsdec: check opt_order.
Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.

Fixes CVE-2012-2775

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 9853e41aa0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a1b127515b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Anton Khirnov
77d43bf42d lavf: don't segfault when a NULL filename is passed to avformat_open_input()
This can easily happen when the caller is using a custom AVIOContext.

Behave as if the filename was an empty string in this case.

CC: libav-stable@libav.org
(cherry picked from commit a5db8e4a1a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7124fa5d36)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Michael Niedermayer
899d95efe1 mpegvideo: Don't use ff_mspel_motion() for vc1
Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.

This fixes crashes in error resilience on vc1/wmv3 videos.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Janne Grunau
8812b5f164 imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Janne Grunau
f31170d4e7 nuv: check RTjpeg header for validity
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Kostya Shishkov
0173a7966b vc1dec: add flush function for WMV9 and VC-1 decoders
CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386e)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 02b7239462)

Conflicts:
	libavcodec/vc1dec.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Anton Khirnov
a60eb6ef12 ffmpeg: fix -force_key_frames
Based on commit 19ad567311 in master.
2012-10-06 09:40:28 +02:00
Mans Rullgard
0054d70f23 mov: set AVCodecContext.width/height for h264
This is required for correct cropping of files from Canon
cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e9004)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2fb4be9a99)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-10 11:23:47 +02:00
Mans Rullgard
b102d5d97d h264: allow cropping to AVCodecContext.width/height
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c)

Conflicts:

	libavcodec/h264.c
(cherry picked from commit e1608014c5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-10 09:54:22 +02:00
Reinhard Tartler
b61e311b0e Update RELEASE file for 0.7.6 2012-06-03 19:22:20 +02:00
Reinhard Tartler
ee66a7198e Update changelog for 0.7.6 release 2012-06-03 19:22:09 +02:00
Ronald S. Bultje
50336dc4f1 ea: check chunk_size for validity.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-03 19:16:37 +02:00
Ronald S. Bultje
269dbc5359 png: check bit depth for PAL8/Y400A pixel formats.
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-03 19:16:37 +02:00
Mans Rullgard
850298ef25 x86: fix build with gcc 4.7
The upcoming gcc 4.7 has more advanced constant propagation
resulting some inline asm operands becoming constants and thus
emitted as literals, sometimes in contexts where this results
in invalid instructions.

This patch changes the constraints of the relevant operands
to "rm" thus forcing a valid type.  While obviously suboptimal,
this is what older gcc versions already did, and there is no
change to the code generated with these.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit da4c7cce21)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2012-06-02 19:22:50 -04:00
Ronald S. Bultje
628b82294a qdm2: clip array indices returned by qdm2_get_vlc().
Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Conflicts:

	libavcodec/qdm2.c
2012-06-02 19:22:43 -04:00
Alex Converse
75d8cccf0e kmvc: Check palsize.
Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-29 15:40:57 +02:00
Alex Converse
d87997b56f aacsbr: prevent out of bounds memcpy().
Fixes Libav Bug 195.
Fixes CVE-2012-0850

This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.

Based on change by Michael Niedermayer.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Michael Niedermayer
b15e85d820 rtpdec_asf: Fix integer underflow that could allow remote code execution
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Alex Converse
654b24f68a dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b73)
(cherry picked from commit eaeaeb265f)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Michael Niedermayer
2f2fd8c6d1 tqi: Pass errors from the MB decoder
This silences some valgrind warnings.
CC: libav-stable@libav.org

Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e)
(cherry picked from commit 90290a5150)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-23 20:44:57 +02:00
Alexander Strange
c5f7c755cf h264: Add check for invalid chroma_format_idc
Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4713234518)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-23 20:44:45 +02:00
Janne Grunau
b581580bd1 adpcm: ADPCM Electronic Arts has always two channels
Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Adresses CVE-2012-0852

(cherry picked from commit bb5b3940b0)

Conflicts:

	libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-23 15:05:27 +02:00
Michael Niedermayer
3313f31f01 h263dec: Disallow width/height changing with frame threads.
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4be63587e1)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-22 22:19:41 +02:00
Mans Rullgard
c71c77e56f vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Alex Converse
08c81f7365 celp filters: Do not read earlier than the start of the 'out' vector.
CC: libav-stable@libav.org
(cherry picked from commit 37ddd38332)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9ea94c44b1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Alex Converse
50073e2395 motionpixels: Clip YUV values after applying a gradient.
Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848fac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a66677)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Ronald S. Bultje
3fc967f6c7 h263: more strictly forbid frame size changes with frame-mt.
Prevents crashes because the old check was incomplete.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fe4c8cb76)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Ronald S. Bultje
26ac878cc2 h264: additional protection against unsupported size/bitdepth changes.
Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe5)

Conflicts:

	libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 746f1594d7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Reinhard Tartler
808686375d Update changelog for 0.7.5 release 2012-04-01 22:47:53 +02:00
Anton Khirnov
bc5d86d23d id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-04-01 19:20:50 +02:00
Reinhard Tartler
1687c55e24 Update RELEASE file for 0.7.5 2012-04-01 19:08:06 +02:00
Reinhard Tartler
fd53da21a1 lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
While bogus, this change avoids the necessity to backport
AVERROR_UNKNOWN, which is not entirely trivial.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:30 +02:00
Michael Niedermayer
a0b65938b7 kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973)
(cherry picked from commit d5f2382d03)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
cb8a17ddac kgv1: use avctx->get/release_buffer().
Also fixes crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 33cd32b389)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e537dc230b)

Conflicts:

	libavcodec/kgv1dec.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Gaurav Narula
24eabc53ba kvmc: fix invalid reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit ad3161ec1d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Diego Biurrun
6fe5038753 nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d4758)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Alex Converse
6ae95a0b93 mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Michael Niedermayer
96ed18cab1 shorten: Use separate pointers for the allocated memory for decoded samples.
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.

Fixes CVE-2012-0858
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Justin Ruggles
a207a2fecc shorten: check for realloc failure (cherry picked from commit 9e5e2c2d01)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Michael Niedermayer
f728ad26f0 atrac3: Fix crash in tonal component decoding.
Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Michael Niedermayer
e676bbb8cf ws_snd1: Fix wrong samples count and crash.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9fb7a5af97)

Addresses CVE-2012-0848

Reviewed-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 697a45d861)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Justin Ruggles
847c7cd0c8 ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Justin Ruggles
137007b5bf ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
8-bit unsigned is the native sample format.
(cherry picked from commit 2322ced8da)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00