ffmpeg

Author	SHA1	Message	Date
Michael Niedermayer	a81f72e482	Update for 0.5.14 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> n0.5.14	2014-07-20 18:34:16 +02:00
Michael Niedermayer	24a0273cb8	avutil/lzo: Fix integer overflow Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" <donb@securitymouse.com> See: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee) Conflicts: libavutil/lzo.c (cherry picked from commit 7b5c706494a775b2b0d0e0a38448610802eef8f4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2014-06-23 15:23:08 +02:00
Xi Wang	974c2ad87c	lzo: fix overflow checking in copy_backptr() The check `src > dst' in the form `&c->out[-back] > c->out' invokes pointer overflow, which is undefined behavior in C. Remove the check. Also replace `&c->out[-back] < c->out_start' with a safe form `c->out - c->out_start < back' to avoid overflow. CC: libav-stable@libav.org Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6) Conflicts: libavutil/lzo.c (cherry picked from commit ff712a262d317f5bd6fc9552cd837508e584a565) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2014-06-23 15:23:06 +02:00
Dale Curtis	90c8fa5221	matroska: Fix use after free Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit ae3d41636942cbc0236bad21ad06c65f4eb0f096) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2014-03-13 00:39:12 +01:00
Michael Niedermayer	43aae00455	avcodec/vmnc: Check that rectangles are within the picture Prevents out of array accesses with CODEC_FLAG_EMU_EDGE Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d) Conflicts: libavcodec/vmnc.c Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 7c17207ab9acfaa934e8feb8fba90765c9d0b989) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2014-01-21 17:07:10 +01:00
Michael Niedermayer	02ac859dfe	avcodec/jpeglsdec: check err value for ls_get_code_runterm() Fixes infinite loop Fixes Ticket3086 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit cc0e47b55096361723b364afa43b79a3f5619cdc) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-10-30 23:39:40 +01:00
Michael Niedermayer	04fb6bb915	avcodec/parser: reset indexes on realloc failure Fixes Ticket2982 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-09-26 23:25:09 +02:00
Michael Niedermayer	b012da4019	update for 0.5.13 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> n0.5.13	2013-09-25 02:51:05 +02:00
Michael Niedermayer	617a9eedc6	avcodec/ffv1enc: update buffer check for 16bps Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f) Conflicts: libavcodec/ffv1enc.c (cherry picked from commit c900c6e5c26cd86cf34f9c8d4347cedbd01f3935)	2013-09-09 20:51:05 +02:00
Michael Niedermayer	e7484d5425	avcodec/dsputil: fix signedness in sizeof() comparissions Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-08-30 23:49:58 +02:00
Michael Niedermayer	31f9e849a8	matroska_read_seek: Fix used streams for subtitle index compensation Might fix Ticket1907 (I have no testcase so i cant test) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 4758e32a6c48044f77102a49110c79b4f338f648) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-08-29 03:00:44 +02:00
Michael Niedermayer	fde0b7d91c	avcodec/rpza: Perform pointer advance and checks before using the pointers Fixes out of array accesses Fixes Ticket2850 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) Conflicts: libavcodec/rpza.c (cherry picked from commit edba432b8b01d68c22e70a508f47553359f59fb5) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-08-22 01:44:37 +02:00
Michael Niedermayer	b5f685211c	Merge remote-tracking branch 'qatar/release/0.5' into release/0.5 * qatar/release/0.5: Bump version number for the 0.5.11 release update year to 2013 Conflicts: VERSION Merge is for metadata only, issues have been fixed in previous commits already Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-08-17 22:08:36 +02:00
Reinhard Tartler	588571d41d	Bump version number for the 0.5.11 release	2013-05-09 17:53:33 +02:00
Michael Niedermayer	81b754b1e4	Update for 0.5.12 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> n0.5.12	2013-02-28 03:54:37 +01:00
Michael Niedermayer	5f5bf9faf9	avcodec_align_dimensions2: Ensure cinepak has large enough buffers. This is partly redundant with the following patches, but its safer Found-by: u-bo1b@0w.se Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f5c00b347dc76285c639d9878a014c40395c5228) Conflicts: libavcodec/utils.c Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 2b6f3be08250683407c7a9846d7133b116661eae) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-28 03:52:07 +01:00
Michael Niedermayer	c2d3f06882	wma: check byte_offset_bits Fixes assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 984add64a41c3296a8a82051cc90bff2eb449609) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-28 03:51:23 +01:00
Michael Niedermayer	01c90eea6c	vqavideo: fix return type Fixes Ticket2281 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1fd86f9a2136165205b0370d5a6e916499f1da7f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-28 03:50:15 +01:00
Reinhard Tartler	2abf5eeea6	update year to 2013 Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-17 09:07:52 +01:00
Michael Niedermayer	d34cfb33af	update for 0.5.11 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> n0.5.11	2013-02-17 04:24:30 +01:00
Michael Niedermayer	13093f9767	vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-17 04:24:30 +01:00
Michael Niedermayer	fee26d352a	roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-17 04:24:30 +01:00
Michael Niedermayer	a23a3dba25	qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-17 03:50:41 +01:00
Michael Niedermayer	0360dbefad	Merge remote-tracking branch 'qatar/release/0.5' into release/0.5 * qatar/release/0.5: Release notes and changelog for 0.5.10 Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-17 03:40:45 +01:00
Reinhard Tartler	deb650c692	Release notes and changelog for 0.5.10	2013-02-16 09:27:00 +01:00
Michael Niedermayer	deaaacbc3f	Merge remote-tracking branch 'qatar/release/0.5' into release/0.5 * qatar/release/0.5: mpeg12: do not decode extradata more than once. Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-13 13:37:34 +01:00
Anton Khirnov	0b25c3b67c	mpeg12: do not decode extradata more than once. Fixes CVE-2012-2803. (cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2) (cherry picked from commit 301761792a693a1f3303a2af34a0fb066a03c10c) Conflicts: libavcodec/mpeg12.c	2013-02-12 07:12:00 +01:00
Michael Niedermayer	10ec2308b0	Merge remote-tracking branch 'qatar/release/0.5' into release/0.5 * qatar/release/0.5: (21 commits) vp6: properly fail on unsupported feature vp56: release frames on error shorten: Use separate pointers for the allocated memory for decoded samples. shorten: check for realloc failure h264: check context state before decoding slice data partitions oggdec: check memory allocation Fix uninitialized reads on malformed ogg files. lavf: avoid integer overflow in ff_compute_frame_duration() yuv4mpeg: reject unsupported codecs tiffenc: Check av_malloc() results. mpegaudiodec: fix short_start calculation h264: avoid stuck buffer pointer in decode_nal_units yuv4mpeg: return proper error codes. avidec: return 0, not packet size from read_packet(). cavsdec: check for changing w/h. avidec: use actually read size instead of requested size bytestream: add a new set of bytestream functions with overread checking avsdec: Set dimensions instead of relying on the demuxer. lavfi: avfilter_merge_formats: handle case where inputs are same bmpdec: only initialize palette for pal8. ... Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-02-11 12:29:32 +01:00
Luca Barbato	b9500bf864	vp6: properly fail on unsupported feature Interlacing is not supported at all and mismanaged down the normal codepaths causing possible buffer management issues. Fixes: CVE-2012-2783 (cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 4ede95e69cf964cd46b1e9fcd48da80d8d92c433) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:16 +01:00
Luca Barbato	4f8f4458a5	vp56: release frames on error Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61) Conflicts: libavcodec/vp56.c	2013-02-10 18:01:16 +01:00
Michael Niedermayer	9def5c4666	shorten: Use separate pointers for the allocated memory for decoded samples. Fixes invalid free() if any of the buffers are not allocated due to either not decoding a header or an error prior to allocating all buffers. Fixes CVE-2012-0858 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Justin Ruggles	7aeb281aa5	shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c) Conflicts: libavcodec/shorten.c	2013-02-10 18:01:15 +01:00
Janne Grunau	a49599b125	h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Luca Barbato	fe4409a396	oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c	2013-02-10 18:01:15 +01:00
Dale Curtis	c3761b6618	Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Janne Grunau	2e1474fd99	lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Luca Barbato	1f1b2f1806	yuv4mpeg: reject unsupported codecs The muxer already rejects unsupported pixel formats, reject also unsupported codecs to prevent dangerous misuses. (cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db) Conflicts: libavformat/yuv4mpeg.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Alex Converse	80f89a9b40	tiffenc: Check av_malloc() results. (cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6) Conflicts: libavcodec/tiffenc.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Luca Barbato	5235db68c0	mpegaudiodec: fix short_start calculation The value should be always 3, as it follows from the specification. Fix a stack buffer overflow in exponents_from_scale_factors as reported by asan. Thanks to Dale Curtis for the sample vector. (cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Jindřich Makovička	6731776795	h264: avoid stuck buffer pointer in decode_nal_units When decode_nal_units() previously encountered a NAL_END_SEQUENCE, and there are some junk bytes left in the input buffer, but no start codes, buf_index gets stuck 3 bytes before the end of the buffer. This can trigger an infinite loop in the caller code, eg. in try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes, with 3 bytes of the input packet still available. With this change, the remaining bytes are skipped so the whole packet gets consumed. CC:libav-stable@libav.org Signed-off-by: Jindřich Makovička <makovick@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2) Conflicts: libavcodec/h264.c	2013-02-10 18:01:15 +01:00
Anton Khirnov	d4e4234147	yuv4mpeg: return proper error codes. Fixes Bug 373. CC:libav-stable@libav.org (cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Anton Khirnov	2ae6bdbb9b	avidec: return 0, not packet size from read_packet(). (cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2013-02-10 18:01:15 +01:00
Michael Niedermayer	4fac60d568	cavsdec: check for changing w/h. Our decoder does not support changing w/h. Fixes CVE-2012-2777 and CVE-2012-2784. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Anton Khirnov	d1729c3715	avidec: use actually read size instead of requested size Fixes CVE-2012-2788 (cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Aneesh Dogra	c28c631d29	bytestream: add a new set of bytestream functions with overread checking Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>	2013-02-10 18:01:15 +01:00
Michael Niedermayer	6b97e76dfc	avsdec: Set dimensions instead of relying on the demuxer. The decode function assumes that the video will have those dimensions. Fixes CVE-2012-2801 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Mina Nagy Zaki	4475a7d88b	lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-02-10 18:01:15 +01:00
Anton Khirnov	0f6d4da8de	bmpdec: only initialize palette for pal8. Gray8 is not considered to be paletted, so this would cause an invalid write. Fixes bug 367. CC: libav-stable@libav.org (cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2013-02-10 18:01:15 +01:00
Reinhard Tartler	5c9d2d8377	Bump version number for the 0.5.10 release	2013-02-10 18:01:15 +01:00
Michael Niedermayer	ac476bfa9f	huffyuvdec: Skip len==0 cases Fixes vlc decoding for hypothetical files that would contain such cases. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-01-29 19:29:08 +01:00

1 2 3 4 5 ...

18767 Commits