ffmpeg

Author	SHA1	Message	Date
Alex Converse	fecd7468fc	wmadec: Verify bitstream size makes sense before calling init_get_bits. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-03-04 12:26:06 +01:00
Alex Converse	19da1a39e8	rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-03-04 12:26:06 +01:00
Ronald S. Bultje	7e88df99e1	lcl: return negative error codes on decode_init() errors. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-03-04 12:26:06 +01:00
Justin Ruggles	7f3f85544c	avutil: add AVERROR_UNKNOWN Useful to return instead of -1 when the cause of the error is unknown, typically from an external library. (cherry picked from commit c9bca801324f03746757aef8549ebd26599adec2) Conflicts: doc/APIchanges libavutil/avutil.h Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-03-04 12:26:06 +01:00
Ronald S. Bultje	750f5baf30	h264: error out on invalid bitdepth. Fixes invalid reads while initializing the dequant tables, which uses the bit depth to determine the QP table size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-03-04 12:26:06 +01:00
Ronald S. Bultje	a63f3f714c	huffyuv: do not abort on unknown pix_fmt; instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-03-04 12:26:06 +01:00
Ronald S. Bultje	1dd1ee00d5	vmnc: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 21:43:20 +01:00
Ronald S. Bultje	4493af756b	rpza: error out on buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 21:43:20 +01:00
Ronald S. Bultje	e904e9b720	qtrle: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 21:43:20 +01:00
Ronald S. Bultje	5f896773e0	swscale: fix another integer overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 21:43:20 +01:00
Ronald S. Bultje	b2dcac7141	vp56: error out on invalid stream dimensions. Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 14:23:11 +01:00
Ronald S. Bultje	40ccc81146	asf: don't seek back on EOF. Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 14:22:35 +01:00
Ronald S. Bultje	1c63d61372	asf: error out on ridiculously large minpktsize values. They cause various issues further down in demuxing. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-29 14:21:57 +01:00
Anton Khirnov	2ad77c60ef	lavf: add functions for accessing the fourcc<->CodecID mapping tables. Fixes bug 212. (cherry picked from commit dd6d3b0e025cb2a16022665dbb8ab1be18dc05e8) Conflicts: doc/APIchanges Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-29 10:44:37 +01:00
Paul B Mahol	a1556d37b8	avutil: make intfloat api public The functions are already av_ prefixed and intfloat header is already provided. Install libavutil/intfloat.h Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 8b933129b932f523a746e921a0a20b8dd8816971) Conflicts: doc/APIchanges Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-29 10:44:37 +01:00
Alex Converse	083a8a0037	mjpegbdec: Fix overflow in SOS. Based in part by a fix from Michael Niedermayer <michaelni@gmx.at> Fixes CVE-2011-3947 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-28 22:20:45 +01:00
Ronald S. Bultje	71a939fee4	oma: don't read beyond end of leaf_table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 934cd18a43151ba4b819d9270d539cdb26f6e079) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-28 22:10:55 +01:00
Ronald S. Bultje	9dbd437da2	Indeo3: fix crashes on corrupt bitstreams. Splits at borders of cells are invalid, since it leaves one of the cells with a width/height of zero. Also, propagate errors on buffer allocation failures, so we don't continue decoding (which crashes). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-28 20:57:44 +01:00
Ronald S. Bultje	2510e1476e	vorbis: fix overflows in floor1[] vector and inverse db table index. (cherry picked from commit 24947d4988012f1f0fd467c83418615adc11c3e8) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-26 18:11:15 +01:00
Reinhard Tartler	0f839cff6b	Fix parser not to clobber has_b_frames when extradata is set. Because in contrast to the decoder, the parser does not setup low_delay. The code in parse_nal_units would always end up setting has_b_frames to "1", except when stream is explicitly marked as low delay. Since the parser itself would create 'extradata', simply reopening the parser would cause this. This happens for instance in estimate_timings_from_pts(), which causes the parser to be reopened on the same stream. This fixes Libav #22 and FFmpeg (trac) #360 CC: libav-stable@libav.org Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de> (commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7) Comments and description adapted by Reinhard Tartler. Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-26 15:56:55 +01:00
Ronald S. Bultje	abe3572878	rm: prevent infinite loops for index parsing. Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-02-26 10:04:04 +01:00
Ronald S. Bultje	0d30e2c6f2	fraps: release reference buffer on pix_fmt change. Prevents crash when trying to copy from a non-existing plane in e.g. a RGB32 reference image to a YUV420P target image Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	a0473085f3	kgv1: release reference picture on size change. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	e537dc230b	kgv1: use avctx->get/release_buffer(). Also fixes crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	19f4943d12	lcl: error out if uncompressed input buffer is smaller than framesize. This prevents crashes when trying to read beyond the end of the buffer while decoding frame data. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	bf6d1a1ca7	mjpeg: abort decoding if packet is too large. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ab492ca2ab105aeb24d955f3f03756bdb3139ee1) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Alex Converse	424b6edd19	tiff: Prevent overreads in the type_sizes array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	4f48417fe7	swf: check return values for av_get/new_packet(). Prevents crashers when using the packet if allocation failed. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	8e3dc37bc0	truemotion2: error out if the huffman tree has no nodes. This prevents crashers and errors further down when reading nodes in the empty tree. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	0312969b9e	rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1. We read sub_packet_h / 2 packets per line of data (during deinterleaving), which equals zero if sub_packet_h <= 1, thus causing us to not read any data, leading to an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e30b3e59a4f3004337cb1623b2aac988ce52b93f) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Janne Grunau	62beae313a	avplay: fix -threads option The AVOptions based default to threads auto in 2473a45c8 works only if avplay does not use custom option handling for -threads. CC: <libav-stable@libav.org> (cherry picked from commit e48a70e6da02cd5426b6340af70410bdfe27dfa7) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	8011a29fa8	vc1parse: call vc1_init_common(). The parser uses VLC tables initialized in vc1_common_init(), therefore we should call this function on parser init also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce) Conflicts: libavcodec/vc1.h Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	fe710f2074	wma: don't return 0 on invalid packets. Return 0 means "please return the same data again", i.e. it causes an infinite loop. Instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9d3050d3e95e307ebc34a943484c7add838d1220) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	bba43a1ea0	mjpegb: don't return 0 at the end of frame decoding. Return 0 indicates "please return the same data again", i.e. it causes an infinite loop. Instead, return that we consumed the buffer if we finished decoding succesfully, or return an error if an error occurred. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	f947e965be	asf: prevent packet_size_left from going negative if hdrlen > pktlen. This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:16 +01:00
Ronald S. Bultje	5c365dc979	aiff: don't skip block_align==0 check on COMM-after-SSND files. This prevents SIGFPEs when using block_align for divisions. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 32a659c758bf2ddd8ad48f18c06fa77444341286) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	95a9d44dc3	mp3on4: require a minimum framesize. If bufsize < headersize, init_get_bits() will be called with a negative number, causing it to fail and any subsequent call to get_bits() will crash because it reads from a NULL pointer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3e13005cac6e076053276b515f5fcf59a3f4b65d) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	27558bd87e	huffyuv: error out on bit overrun. On EOF, get_bits() will continuously return 0, causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	5ab9294a8d	als: prevent infinite loop in zero_remaining(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	cfd7d166e2	cook: prevent div-by-zero if channels is zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	5bcd47cf63	vc1: prevent using last_frame as a reference for I/P first frame. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ae591aeea58d64399b8281be31dacec0de85ae04) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	0c60d5c59f	swscale: take first/lastline over/underflows into account for MMX. Fixes crashes for extremely large resizes (several 100-fold). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	cd9bdc6395	swscale: fix overflows in filterPos[] calculation for large sizes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 19a65b5be47944c607a9e979edb098924d95f2e4) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	b68470707b	swscale: enforce a minimum filtersize. At very small dimensions, this calculation could lead to zero-sized filters, which leads to uninitialized output, zero-sized allocations, loop overflows in SIMD that uses do{..}while(i++<filtersize); instead of for(i=0;i<filtersize;i++){..} and several other similar failures. Therefore, require a minimum filtersize of 1. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dae2ce361a2b5fd9be1d43e5e8c00bdbc5f03e3d) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	7046ae5593	tta: error out if samplerate is zero. Prevents a division by zero later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7416d610362807848236ceff1bc6740dbc82842d) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Janne Grunau	d19e3e19d6	vc1: prevent null pointer dereference on broken files CC: libav-stable@libav.org (cherry picked from commit 510ef04a461b3b54a762c6141ad880cbed85981f) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Alex Converse	04597e2595	smacker: Sanity check huffman tables found in the headers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Janne Grunau	d16653c3d4	lavf: prevent infinite loops while flushing in avformat_find_stream_info If no data was seen for a stream decoder are returning 0 when fed with empty packets for flushing. We can stop flushing when the decoder does not return delayed delayed frames anymore. Changes try_decode_frame() return value to got_picture or negative error. CC: libav-stable@libav.org (cherry picked from commit b3461c29c1aee7d62eeb02a59d46593c60362679) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Ronald S. Bultje	183e0eb5b9	matroska: don't overwrite string values until read/alloc was succesful. This prevents certain tags with a default value assigned to them (as per the EBML syntax elements) from ever being assigned a NULL value. Other parts of the code rely on these being non-NULL (i.e. they don't check for NULL before e.g. using the string in strcmp() or similar), and thus in effect this prevents crashes when reading of such specific tags fails, either because of low memory or because of targeted file corruption. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00
Alex Converse	be0b3137d0	matroskadec: Pad AAC extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-02-26 10:03:15 +01:00

... 2 3 4 5 6 ...

32023 Commits