ffmpeg

Author	SHA1	Message	Date
Ronald S. Bultje	c38d3e1a39	qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69) Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> Conflicts: libavcodec/qdm2.c	2012-06-02 19:17:53 -04:00
Michael Niedermayer	5872580e65	tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f) (cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-23 20:43:42 +02:00
Alexander Strange	4713234518	h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-22 21:57:38 +02:00
Michael Niedermayer	5836110018	h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-22 21:51:58 +02:00
Michael Niedermayer	3fab87edc9	threads: Perform the generic progress cleanup more carefully. The cleanup is only done now when a picture is returned (assuming that it has to be done when its returned) a error is returned (assuming that there will be no further progress on the frame) the codec is not h264 (this is still needed due to some deadlocks in realvideo) This fixes a decoding regression with 00017.MTS Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 18a7f7465e7e6b9c3688ffc23230ae7a0639a771)	2012-05-13 14:09:29 +02:00
Michael Niedermayer	b1f9ff45d4	update for ffmpeg 0.10.3 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> n0.10.3	2012-05-06 01:42:01 +02:00
Michael Niedermayer	96acb0a4eb	indeo4: check that num_mbs matches Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit d3db8988d5befd8702a748cf1957415677bfe75c)	2012-05-06 01:42:01 +02:00
Michael Niedermayer	df93682e64	dsp: fix diff_bytes_mmx() with small width Fixes Ticket1068 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)	2012-05-06 01:42:01 +02:00
Michael Niedermayer	22285aba13	Changelog: update Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-05-06 01:42:01 +02:00
Michael Niedermayer	097ad61100	mmdemux: dont set pkt->size to an invalid value. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0c97fd336e17535239ab44d755a0d957dc2688f3)	2012-05-06 00:59:45 +02:00
Michael Niedermayer	c785a7058a	h261: check mtype. Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585)	2012-05-06 00:57:10 +02:00
Michael Niedermayer	6736de0ce6	mpegvideo: increase buffer sizes. Fixes buffer overflow Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 2c0559d5e2faeafa7998173a4dc430408475503f)	2012-05-06 00:55:36 +02:00
Michael Niedermayer	fe8508b948	mov: fix global unicode convertion array overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 437f5daf0bf727a53ea4b485a30f1289f44bf252)	2012-05-06 00:55:06 +02:00
Michael Niedermayer	0d40fbaef0	iff: fix null ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 41abc9da50ba7a7b68bbbf6622475ce7a3c72e3f)	2012-05-06 00:54:40 +02:00
Michael Niedermayer	a4846943a3	xmvdemux: dont let current_stream become invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 13381577d181fa732d6d2fa0491fa2ff50186546)	2012-05-06 00:53:02 +02:00
Michael Niedermayer	bf2534a5e2	avidec: Dont crash on avi packets that belong to dv streams in dv in avi Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 096231d497457be9496b0be01ff6da2093186c3c)	2012-05-06 00:50:25 +02:00
Michael Niedermayer	1ca4e70b6c	cook: check subacket count Fixes out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5a35bd92ad6b535fd5d3a7513169661de66ec247)	2012-05-06 00:47:44 +02:00
Michael Niedermayer	25a2802239	4xmdemux: Check chunk size Fixes over reading the header array Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 474e31c904f766b6989fe614c3fb093e697c847f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-05-06 00:45:04 +02:00
Michael Niedermayer	581a830829	Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: Update Changelog for the 0.8.2 Release Prepare for 0.8.2 Release vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. jpeg: handle progressive in second field of interlaced. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. tta: prevents overflows for 32bit integers in header. ttadec: CRC checking tta: use skip_bits_long() Conflicts: Changelog RELEASE libavcodec/h264.c libavcodec/tta.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-05-06 00:25:39 +02:00
Reinhard Tartler	43e5fda45c	Update Changelog for the 0.8.2 Release	2012-05-04 22:59:01 +02:00
Reinhard Tartler	a638e10ba0	Prepare for 0.8.2 Release	2012-05-04 22:40:37 +02:00
Mans Rullgard	d5207e2af8	vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:14:26 +02:00
Alex Converse	9ea94c44b1	celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Alex Converse	aaa6a66677	motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	7240cc3f8b	jpeg: handle progressive in second field of interlaced. Progressive data is allocated later in decode_sof(), not allocating that data leads to NULL dereferences. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	7fe4c8cb76	h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	746f1594d7	h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	0e4bb0530f	tta: prevents overflows for 32bit integers in header. This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 21:28:45 +02:00
Paul B Mahol	994c0efcc7	ttadec: CRC checking Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 21:28:35 +02:00
Paul B Mahol	cf5e119d4a	tta: use skip_bits_long() Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 21:28:28 +02:00
Michael Niedermayer	1ee1e9e43f	vqavideodev: Check image dimensions Fixes out of heap array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d) Independently-Found-by: Fabian Yamaguchi Fixes: CVE-2012-0947 Conflicts: libavcodec/vqavideo.c	2012-05-03 00:22:32 +02:00
Michael Niedermayer	15e9aee544	Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: (24 commits) apedec: check bits <= 32. truemotion: forbid invalid VLC bitsizes and token values. mov: don't overwrite existing indexes. truemotion2: handle out-of-frame motion vectors through edge extension. lzw: prevent buffer overreads. truemotion2: convert packet header reading to bytestream2. lagarith: fix buffer overreads. raw: forward avpicture_fill() error code in raw_decode(). vc1: Do not read from array if index is invalid. utvideo: port header reading to bytestream2. bytestream: add more unchecked variants for bytestream2 API bytestream: K&R formatting cosmetics bytestream: Add bytestream2 writing API. aac: Reset PS parameters on header decode failure. mov: Do not read past the end of the ctts_data table. xwma: Validate channels and bits_per_coded_sample. asf: reset side data elements on packet copy. vqa: check palette chunk size before reading data. vqavideo: port to bytestream2 API wmavoice: fix stack overread. ... Conflicts: cmdutils.c cmdutils.h libavcodec/lagarith.c libavcodec/truemotion2.c libavcodec/vqavideo.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-05-03 00:20:54 +02:00
Michael Niedermayer	e8050f313e	apedec: check bits <= 32. Fixes a floating-point exception further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> (cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	be424d86a8	truemotion: forbid invalid VLC bitsizes and token values. SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid values larger than this in get_vlc2() (max_bits). tokens[][] can be used as an index in deltas[], which has a size of 64, so ensure the values are smaller than that. This prevents crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	a08cb950b2	mov: don't overwrite existing indexes. Prevents all kind of badness if files contain multiple indexes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	46f8bbfc6d	truemotion2: handle out-of-frame motion vectors through edge extension. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	562c6a7bf1	lzw: prevent buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	e711ccee4d	truemotion2: convert packet header reading to bytestream2. Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	d6372e80fe	lagarith: fix buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	29d91e9161	raw: forward avpicture_fill() error code in raw_decode(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Mashiat Sarker Shakkhar	583f57f04a	vc1: Do not read from array if index is invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Ronald S. Bultje	f8f6c14f54	utvideo: port header reading to bytestream2. Fixes crash during slice size reading if slice_end goes negative. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Paul B Mahol	9e24f2a1f0	bytestream: add more unchecked variants for bytestream2 API Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Aneesh Dogra	e788c6e9cb	bytestream: K&R formatting cosmetics Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Aneesh Dogra	2e681cf50f	bytestream: Add bytestream2 writing API. Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Alex Converse	9ddd3abe78	aac: Reset PS parameters on header decode failure. If the next header frame codes zero envelopes the previous frame's values will be used. Consequently the invalid values must be cleared. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Alex Converse	86bd0244ec	mov: Do not read past the end of the ctts_data table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Alex Converse	15de658c04	xwma: Validate channels and bits_per_coded_sample. This prevents a SIGFPE later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Ronald S. Bultje	19d3f7d8ac	asf: reset side data elements on packet copy. Prevents crash (double free) when free()ing the original packet. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Ronald S. Bultje	c21b858b27	vqa: check palette chunk size before reading data. Prevents overreads beyond buffer boundaries. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00

1 2 3 4 5 ...

37491 Commits