Commit Graph

7437 Commits

Author SHA1 Message Date
Anton Khirnov
77d43bf42d lavf: don't segfault when a NULL filename is passed to avformat_open_input()
This can easily happen when the caller is using a custom AVIOContext.

Behave as if the filename was an empty string in this case.

CC: libav-stable@libav.org
(cherry picked from commit a5db8e4a1a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7124fa5d36)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-06 09:40:46 +02:00
Mans Rullgard
0054d70f23 mov: set AVCodecContext.width/height for h264
This is required for correct cropping of files from Canon
cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e9004)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2fb4be9a99)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-10 11:23:47 +02:00
Ronald S. Bultje
50336dc4f1 ea: check chunk_size for validity.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-03 19:16:37 +02:00
Michael Niedermayer
b15e85d820 rtpdec_asf: Fix integer underflow that could allow remote code execution
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Anton Khirnov
bc5d86d23d id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-04-01 19:20:50 +02:00
Diego Biurrun
6fe5038753 nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d4758)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
f2e412d050 smacker: error out if palette copy-with-offset overruns palette size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
853ce33dbc mov: Add more HDV and XDCAM FourCCs.
Reference: VLC
(cherry picked from commit b142496c56)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
5015ada0ec mov: Add support for MPEG2 HDV 720p24 (hdv4)
(cherry picked from commit 0ad522afb3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
b0888b8a48 dv: Fix small overread in audio frequency table.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
00fa6ffe1a dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
44e182d41e dv: Fix null pointer dereference due to ach=0
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
bb737d381f dv: check stype
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
0100c4b1b0 nsvdec: Propagate errors
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
be524c186b nsvdec: Be more careful with av_malloc().
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
65beb8c117 nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Ronald S. Bultje
433aaeb2f1 matroska: check buffer size for RM-style byte reordering.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c239f6026)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
a2d5e741a8 asf: don't seek back on EOF.
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
18caebca4c asf: error out on ridiculously large minpktsize values.
They cause various issues further down in demuxing.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
811989e910 rm: prevent infinite loops for index parsing.
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
cd6c5e16c6 swf: check return values for av_get/new_packet().
Prevents crashers when using the packet if allocation failed.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
9a331217b0 asf: prevent packet_size_left from going negative if hdrlen > pktlen.
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:26 +02:00
Ronald S. Bultje
6c12293f6c matroska: don't overwrite string values until read/alloc was succesful.
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:26 +02:00
Alex Converse
dd7b323d9a matroskadec: Pad AAC extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
(cherry picked from commit d2ee8c1779)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:26 +02:00
Laurent Aimar
5ab326d7db 4xmdemux: prevent use of uninitialized memory
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 79964745b3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:40 +01:00
Laurent Aimar
7fa13e12e6 avsdemux: check for out of bound writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 6de33611c9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:40 +01:00
Laurent Aimar
b696d61518 avsdemux: check for corrupted data
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 76c6971a64)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:40 +01:00
Alex Converse
a23bcc923d mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
(cherry picked from commit 0c46e958d1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:36 +01:00
Mans Rullgard
2c99aa48d7 lavf: fix signed overflow in avformat_find_stream_info()
On the first iteration through this code, last_dts is always
INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in
an invalid manner.  Although the result is only used if the
input values are valid, performing the subtraction is still
not allowed in a strict environment.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit a31e9f68a4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:35 +01:00
Alex Converse
4faa00b256 mpegps: Use av_get_packet() instead of poorly emulating it.
(cherry picked from commit 98ef887a75)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:31 +01:00
Laurent Aimar
fce03f8783 mpc8: Fix return value on EOF
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1e3336de69)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:30 +01:00
Laurent Aimar
ea5a5f0908 segafilm: Check for memory allocation failures in segafilm demuxer.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1775b92fee)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:30 +01:00
Martin Storsjö
151aaf539f lavf: Avoid using av_malloc(0) in av_dump_format
On OS X, av_malloc(0) returns pointers that cause crashes when
freed.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:17 +01:00
Justin Ruggles
ce80957cf1 sol: return error if av_get_packet() fails.
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:17 +01:00
Laurent Aimar
74f4c1358c flvdec: Fix invalid pointer deferences when parsing index
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2b4e49d428)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:17 +01:00
Alex Converse
2f62b677cc mpegps: Handle buffer exhaustion when reading packets.
(cherry picked from commit 9fba8ebe0a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:14 +01:00
Alex Converse
684f671f28 mp4: Don't read an empty Decoder Config Descriptor
(cherry picked from commit 1c2e07b811)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:11 +01:00
Chris Evans
1f625431e2 matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry-picked from commit faaec4676c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 22:01:19 +01:00
Anton Khirnov
07624cfeaa Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info. 2011-11-19 10:22:27 +01:00
Mans Rullgard
d6f763659c lavf: fix multiplication overflow in avformat_find_stream_info()
Converting to double before the multiplication rather than after
avoids an integer overflow in some cases.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 52767d891c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-11-19 10:22:27 +01:00
Anton Khirnov
e297459eb6 lavf: fix invalid reads in avformat_find_stream_info()
(cherry picked from commit e358f7ee90)

Conflicts:

	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-11-19 10:22:27 +01:00
Anton Khirnov
afe2726089 lavf: add avformat_find_stream_info()
It supports passing options to codecs.
(cherry picked from commit a67c061e0f)

Conflicts:

	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-11-19 10:22:27 +01:00
Mans Rullgard
e257eebd17 lavf: do not set codec_tag for rawvideo
If the demuxer did not set a codec_tag, there is none and
inventing one makes no sense.  This change stops the rawvideo
"decoder" over-writing user-supplied pixfmt with one derived
from the codec_tag.  The pixfmt-codec_tag-pixfmt round-trip
is lossy since several pixfmts map to the same codec_tag.

This fixes fate-lavf-pixfmt with avfilter disabled.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit bb416bd68c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-09-30 15:37:05 +02:00
Michael Niedermayer
a2443e89d7 Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

(cherry picked from commit 956c901c68)

Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>

(cherry picked from commit 77d2ef13a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-09-28 00:24:41 +02:00
Anton Khirnov
9f9b731a3a movenc: fix NULL reference in mov_write_tkhd_tag
st may be NULL when there are more mov streams than AVStreams, e.g. when
chapters are present.

(cherry picked from commit c92a2a4eb8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-09-27 20:57:08 +02:00
Anton Khirnov
ad47a5ec85 movenc: create an alternate group for each media type
Partially fixes bug 44.

(cherry picked from commit 7574cacbd5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-09-27 20:57:08 +02:00
Michael Niedermayer
fed7f5b04f flvdec: Check for overflow before allocating arrays
On allocation, the array length is multiplied by sizeof(int64_t),
this prevents the multiplication from overflowing.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a246cefa75)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2011-09-26 19:31:32 +02:00
David Goldwich
9973ca992e lavf: Fix context pointer in av_open_input_stream when avformat_open_input fails
Signed-off-by: David Goldwich <david.goldwich@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 63d64228a7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-09-26 19:26:33 +02:00
Laurent Aimar
a3d471e500 oggdec: fix out of bound write in the ogg demuxer
Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-09-26 19:26:33 +02:00
Laurent Aimar
54a178f28f Fixed size given to init_get_bits().
init_get_bits() takes a number of bits and not a number of bytes as
its size argument.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit b59efc9434)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-09-26 19:26:32 +02:00