At least 2 bytes from the source are read every loop.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/tiff.c
And forward those that were already meaningful.
(cherry picked from commit 8c34558131d846d2b10389564caadaa206372fd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/wavpack.c
They must be non-zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8aa3500905fec6c4e657bb291b861d43c34d3de9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/mjpegdec.c
When JPEG-LS support is disabled the decoder would feed the
data to the JPEG Lossless decode_*_scan function resulting in
faulty decoding.
CC: libav-stable@libav.org
(cherry picked from commit b25e49b187617c486ae3f50a5cbb356fc0e868bb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Set interlaced to false if we don't have an interlaced frame
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0881cbf314982cce8448bd12644ce2a6e0b8c576)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1fa37f2bfa0f5c50ce61dedf2bbb772d96d71101)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Broken bitstreams could report a larger than specified number of
channels and cause outbound writes.
CC:libav-stable@libav.org
(cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/aacdec.c
Also add an additional sanity check to the alt_quant table.
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 66531d634e75b834e89e4a6a0f7470ca018712a1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The data offsets are relative to the bistream header, which is 16 bytes
after the start of the data.
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 34e6af9e204ca6bb18d8cf8ec68fe19b0e083e95)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This can happen when the number of skipped lines is not consistent with
the number of coded lines.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3623589edc7b1257bb45aa9e52c9631e133f22b6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It can be 0 or -1 for invalid files, which may result in invalid memory
access.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b88f902125ee808c8366e9dcb3f21e4c227483fc)
Conflicts:
libavcodec/bmv.c
Apparently, some build environments require dxva.h even for dxva2,
while others lack this header entirely. Including it conditionally
allows building in both cases.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fa84506177f0246b30d4ea6a99ee5d419f3e4550)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 20373a66ec68d958c266f643a7d0e5ec254c0fcc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When there is just 1 byte remanining in the buffer, nothing will be read
and the loop will continue forever. Check that there are at least 8
bytes, which are always read at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit 3e2f200237af977b9253b0aff121eee27bcedb44)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 747fbe0c212b81952bb27ec7b99fa709081e2d63)
Conflicts:
libavcodec/roqvideodec.c
When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.
(0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))
Avoid oversized shifting.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b)
Conflicts:
libavcodec/atrac3.c
Indexing outside an array is invalid and causes errors with
gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0a07f2b346433a9a2677c69c6b29a1a827e39109)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.
CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c)
(cherry picked from commit 88089eecfd7e604d40d078b4f4206c647cb2e2b4)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)
(cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.
Avoid the possible problems described in CVE-2013-2277
This fixes standalone compilation of the VC-1 parser.
(cherry picked from commit 3c715383ea7012ac69507e6b9189c98675c77461)
Conflicts:
libavcodec/vc1data.h
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c1f479e8df24284237c80ad959619fc85e29a26d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.
CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 60dd8b5733f9ec4919fbc732ace1be8184dde880)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.
CVE-2013-0894
CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494ddd377ada76ed555f7a3f49391455daa099c9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Right now, the frame properties are set from the user-facing
AVCodecContext before it is updated from the thread context, which is
wrong since they may be invalid or obsolete.
Properly forward mp_decode_layer3 errors, mp_decode_layer1 and
mp_decode_layer2 do not return errors.
Based on a patch by Michael Niedermayer.
(cherry picked from commit 0c03cc68386443f1e96ab6fb358220faf67cd5ff)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents decoder from reading garbage from it in case of errors later.
(cherry picked from commit 81064a8045028838fd32d18490034c207c8ecc06)
Fixes an invalid read on sample from CVE-2012-2804
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes segfault in the fuzzed sample bipbop234.ts_s226407.
CC: libav-stable@libav.org
(cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8)
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
