In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.
This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.
Bug-Id: chromium/427266
This simplifies identifying from which revision a binary of a lib came from
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 649c158e8c)
Conflicts:
libavdevice/avdevice.c
libswresample/swresample.c
The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such data streams (which then contain no other packets except the faulty one)
confuse some user applications, like VLC
Works around vlcticket 12389
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 322f0f5960)
Conflicts:
libavformat/flvdec.c
Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
which contains more fixes but is unfinished
Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b5d112406)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab68)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
We have to check against the number of bytes actually needed, not the
theoretical maximum size.
(cherry picked from commit 12700b0219)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes out of array read
Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3d7f00ee3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1304
Commit message and extradata size bugfix by commiter
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6843b9dc78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes miss detection of PCM as m4v
Fixes Ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c1835c52a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is currently not supported
Fixes part of Ticket 3539
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c2430304df)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes reading from freed data
Fixes part of Ticket3539
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1c55d0ff32)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a9734e7d3017ffc9539eaac2a8acce3ad427f746)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes wrong number of segments output and undefined memory access.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 58e0402e02)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The read_packet callback passes a pointer to a stack-allocated AVPacket.
Attempting to free it with av_free() makes no sense.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b173f5c155)
Conflicts:
libavformat/oggdec.c
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit b45ab61b24)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
* commit '7788297a59656ececd84f602292bfeb79f7eedd7':
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Conflicts:
libavformat/mpegtsenc.c
See: 842b6c14bc
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '23376ae2f0247ff659724b6a5313639db0c991ad':
mpegts: Define the section length with a constant
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Prevent out of array writes.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit e8049af132)
Conflicts:
libavformat/mpegtsenc.c
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 89616408e3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/mpegtsenc.c
