34679 Commits

Author SHA1 Message Date
Luca Barbato
5c30ae1a09 dvdsubdec: Validate the RLE offsets
CC: libav-stable@libav.org
2015-11-17 18:56:29 +01:00
Michael Niedermayer
bf6d41d8a2 avcodec/internal: Fix skiped typo
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-17 01:23:10 +01:00
Michael Niedermayer
a62178be80 avcodec/pngdec: Replace assert by request for sample for unsupported TRNS cases
Fixes assertion failure
Fixes: 7f646252a30ee28b583aac1f82e7985e/signal_sigabrt_7ffff6ae7cc9_7353_62fc077bf2f454d39e188c69807193a6.png

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-16 18:48:02 +01:00
Vittorio Giovara
79d89cf2f4 flacenc: Clamp user-supplied min/max prediction orders
This mimics what the code does internally for default order values.

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
2015-11-16 16:56:42 +01:00
Vittorio Giovara
4bb1070c15 ffv1: Explicitly name the coder type
FFv1 uses two types of coders, golomb and range with two different
tables. This is exposed this in a rather convoluted way, for example
mentioning to set coder type 1 while initializing the variable 'ac' to 2,
because encoder does not use range coder with default table.

Appropriate internal coder type values have been added and used in any
check rather than using raw numbers.

Initialization of avctx.coder_type in ffv1dec is removed because this
field is encoder only. An unneeded validation check in the encoder
is dropped too.

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
2015-11-16 12:56:31 +01:00
Andreas Cadhalpun
9fd2bf09db hqx: correct type and size check of info_offset
It is used as size argument of ff_canopus_parse_info_tag, which uses it
as size argument to bytestream2_init, which only supports sizes up to
INT_MAX.
Changing it's type to unsigned simplifies the check.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-16 12:56:03 +01:00
Michael Niedermayer
0eb7de1973 avcodec/jpeg2000: Change coord to 32bit to support larger than 32k width or height
Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 22:11:05 +01:00
Michael Niedermayer
65d3359fb3 avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 21:36:19 +01:00
Michael Niedermayer
6ef819c40b avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range
Fixes potential integer overflows
Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

This fix is choosen to be simple to backport, better solution
for master is planed

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 21:36:19 +01:00
Michael Niedermayer
a1a8cbcb35 avcodec/jpeg2000: Check comp coords to be within the supported size
Fixes assertion failure
Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

This fix is choosen to be simple to backport, better solution
for master is planed

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 20:53:22 +01:00
Michael Niedermayer
016fd413f9 avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 20:53:22 +01:00
Michael Niedermayer
7ad698e24e avcodec/wmaprodec: Check for overread in decode_packet()
Fixes assertion failure
Fixes: 0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_7ffff6ae7cc9_1358_999ac18684788221490757582ce9af84.wma

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 18:32:22 +01:00
Ganesh Ajjanagadde
064ced5dc1 avcodec/faandct: use more accurate constants
This guarantees a "best effort precision".

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
2015-11-15 10:26:26 -05:00
Michael Niedermayer
4a9af07a49 avcodec/smacker: Check that the data size is a multiple of a sample vector
Fixes out of array access
Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 15:25:51 +01:00
Andreas Cadhalpun
6a69a175e7 mpegvideo: clear overread in clear_context
Otherwise the h263p decoder can try to copy overread bytes, even though
buffer is NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-15 10:26:48 +01:00
Matthieu Bouron
0cdc77f104 lavc/pngdec: set FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM capability 2015-11-15 10:13:24 +01:00
Matthieu Bouron
ad0203d7b0 lavc/mjpegdec: set FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM capability 2015-11-15 10:13:24 +01:00
Matthieu Bouron
e162542e15 lavc/internal: add FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM
The decoder extracts and fills its parameters even if the frame is
skipped due to the skip_frame setting.
2015-11-15 10:13:00 +01:00
Michael Niedermayer
08b520636e avcodec/takdec: Skip last p2 sample (which is unused)
Fixes out of array read
Fixes: cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 01:23:25 +01:00
Michael Niedermayer
76b6f4b7d9 avcodec/dxtory: Fix input size check in dxtory_decode_v1_410()
Fixes potential out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 00:32:19 +01:00
Michael Niedermayer
9caa9414cc avcodec/dxtory: Fix input size check in dxtory_decode_v1_420()
Fixes out of array read
Fixes: c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-15 00:26:01 +01:00
Michael Niedermayer
a105f52855 avcodec/error_resilience: avoid accessing previous or next frames tables beyond height
The height of tables can be rounded up for MBAFF but this does not imply that is also true
for the previous frames

Fixes out of array reads
Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 22:51:30 +01:00
Andreas Cadhalpun
603ebab8d7 dds: disable palette flag for compressed dds
Having both is not valid and can cause a NULL pointer dereference of
frame->data[1] later.

Reviewed-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-14 21:52:11 +01:00
Michael Niedermayer
ebf5264cd6 avcodec/pgssubdec: Check dimensions for 0
Fixes division by 0
Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 18:26:11 +01:00
Michael Niedermayer
ac6ab77741 avcodec/rscc: Check input size for raw mode
Fixes out of array read
Fixes: 7fcd09eadd046e326d8ea0af66f166c8/asan_heap-oob_4a52e5_2273_fa6078a10dd575df266fb1e0b4114cd5.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 18:26:11 +01:00
Ganesh Ajjanagadde
618b3ae7d4 avcodec/simple_idct: use predefined M_SQRT2
M_SQRT2 is defined in math.h, or in avutil/mathematics.h for
compatibility hacks. This uses this value instead of a floating literal.

Fixed point values produced by C_FIX(), R_FIX() remain identical.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
2015-11-14 10:58:39 -05:00
Ganesh Ajjanagadde
11f0acf829 avcodec/mpegaudio: use predefined M_SQRT2
M_SQRT2 is defined in math.h, or in avutil/mathematics.h for
compatibility hacks. This uses this value instead of an ad-hoc define.

Fixed point values produced by FIX() remain identical.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
2015-11-14 10:58:39 -05:00
Ganesh Ajjanagadde
c5fa42c69a avcodec/mpegvideo: use predefined M_PI
M_PI is defined in math.h, or in avutil/mathematics.h for compatibility
hacks. This uses this value instead of an ad-hoc floating literal.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
2015-11-14 10:58:39 -05:00
Ganesh Ajjanagadde
f1726ad1b0 avcodec/ratecontrol: use predefined M_E
M_E is defined in math.h, or in avutil/mathematics.h for compatibility
hacks. This uses this value instead of an ad-hoc define.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
2015-11-14 10:58:39 -05:00
Michael Niedermayer
c8aaae8e0f avcodec/dpx: Move need_align to act per line
Fixes out of array read
Fixes: 61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 16:12:15 +01:00
Michael Niedermayer
17705f5d4f avcodec/flashsv: Check size before updating it
Fixes out of array read
Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 13:34:52 +01:00
Michael Niedermayer
e04126072e avcodec/ffv1dec: Clear quant_table_count if its invalid
Fixes deallocation of corrupted pointer
Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
No releases affected

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 13:23:14 +01:00
Michael Niedermayer
ccba8aaff2 avcodec/avrndec: Use the AVFrame format instead of the context
Fixes out of array read
Fixes: 20dd01398dee0f6d83d7e5410a2ae8eb/signal_sigsegv_39eeb1f_4001_62efbdf1c60748dabf1ec310b59525fd.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 13:06:25 +01:00
Andreas Cadhalpun
0a8bff788b dds: disable palette flag for compressed images
Having both is not valid and can cause a NULL pointer dereference of
frame->data[1] later.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
2015-11-14 03:40:20 +01:00
Michael Niedermayer
df91aa034b avcodec/ivi: Check image dimensions
Fixes integer overflow
Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 02:37:12 +01:00
Michael Niedermayer
4e16ad2868 avcodec/utils: Better check for channels in av_get_audio_frame_duration()
Fixes integer overflow
Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 01:38:15 +01:00
Michael Niedermayer
44a7f17d0b avcodec/jpeg2000dec: Check for duplicate SIZ marker
Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-14 00:58:54 +01:00
Will Kelleher
b1a32429ef hevc: Fix a53 caption extraction
Just realized my previous patch doesn't work quite right.  I uploaded a better
sample file that actually has visible captions to /incoming/hevc_cc.ts.  I
tested with that file doing hevc->x264 and it works.

This is basically an exact copy of the existing h264 logic.

Signed-off-by: Will Kelleher <wkelleher@gogoair.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-12 13:16:25 +01:00
Vittorio Giovara
e25cac50e0 lavc: Add missing mem.h header to libxvid and screenpresso 2015-11-12 04:39:14 +01:00
Andreas Cadhalpun
7b2211bfc4 dds: add missing newline to log messages
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-12 04:39:14 +01:00
Andreas Cadhalpun
29b1752861 dds: validate compressed source buffer size
A too small buffer will cause segfaults somewhere below
decompress_texture_thread.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-12 04:39:14 +01:00
Andreas Cadhalpun
e6459c655e dds: validate source buffer size before copying
If it is too small av_image_copy_plane segfaults.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-12 04:39:14 +01:00
Andreas Cadhalpun
edd0c1d78a dds: add missing newline to log messages
Reviewed-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-11 21:49:51 +01:00
Andreas Cadhalpun
9a37d47644 dds: validate compressed source buffer size
A too small buffer will cause segfaults somewhere below
decompress_texture_thread.

Reviewed-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-11 21:49:51 +01:00
Andreas Cadhalpun
1675809d2d dds: validate source buffer size before copying
If it is too small av_image_copy_plane segfaults.

Reviewed-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-11 21:49:51 +01:00
Andreas Cadhalpun
0e36a14a42 aacsbr_fixed: check for envelope scalefactors overflowing
This prevents various values from getting an insanely huge exponent.
If someone knows a cleaner solution, thats welcome!

This is similar to commit 8978c74 for aacsbr.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-11 21:49:51 +01:00
Hendrik Leppkes
b33d58c31f Merge commit '79f5347a983342e2711ca8ba19ec3d8d151183f0'
* commit '79f5347a983342e2711ca8ba19ec3d8d151183f0':
  avcodec: fix doxy placement

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-11-11 14:41:49 +01:00
Michael Niedermayer
4819446eae avcodec/webvttdec: Fix uninitialized use of variable "again"
Fixes CID1338336
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-11 00:40:37 +01:00
Andreas Cadhalpun
f621749d11 dvdsubdec: validate offset2 similar to offset1
If it is negative, it causes segmentation faults in decode_rle.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-11 00:39:47 +01:00
Ni Hui
3ea60c505f avcodec/gifdec: skip the data lzw consumed
this fixes the return code of avcodec_decode_video2 for gif decoding
and the gif frame data buffer is skipped properly

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-10 23:21:27 +01:00