This can easily happen when the caller is using a custom AVIOContext.
Behave as if the filename was an empty string in this case.
CC: libav-stable@libav.org
(cherry picked from commit a5db8e4a1a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7124fa5d36)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This is required for correct cropping of files from Canon
cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e9004)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2fb4be9a99)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d4758)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Found with asan.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
dv: check stype
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashers when using the packet if allocation failed.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
On the first iteration through this code, last_dts is always
INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in
an invalid manner. Although the result is only used if the
input values are valid, performing the subtraction is still
not allowed in a strict environment.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit a31e9f68a4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
On OS X, av_malloc(0) returns pointers that cause crashes when
freed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Converting to double before the multiplication rather than after
avoids an integer overflow in some cases.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 52767d891c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It supports passing options to codecs.
(cherry picked from commit a67c061e0f)
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If the demuxer did not set a codec_tag, there is none and
inventing one makes no sense. This change stops the rawvideo
"decoder" over-writing user-supplied pixfmt with one derived
from the codec_tag. The pixfmt-codec_tag-pixfmt round-trip
is lossy since several pixfmts map to the same codec_tag.
This fixes fate-lavf-pixfmt with avfilter disabled.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit bb416bd68c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68)
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
st may be NULL when there are more mov streams than AVStreams, e.g. when
chapters are present.
(cherry picked from commit c92a2a4eb8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
On allocation, the array length is multiplied by sizeof(int64_t),
this prevents the multiplication from overflowing.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a246cefa75)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
init_get_bits() takes a number of bits and not a number of bytes as
its size argument.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit b59efc9434)
Signed-off-by: Anton Khirnov <anton@khirnov.net>