Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3a742470a845c24e7c3a40c0a228705ca951e673)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Some of the arguments given to init_vlc() come from the stream
and can be corrupted.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 69a0bce753a5d5556d5bc0888afe390e22611dd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Using the old code, half of it was unused and the other half was too
small for e.g. >8bpp interlaced data, causing random buffer overruns.
(cherry picked from commit 330deb75923675224fb9aed311d3d6ce3ec52420)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It was wrong in colorspaces where horizontal and vertical chroma
subsampling are not the same, e.g. 422.
(cherry picked from commit 0884dd5a1b87aff6c8a06e6492dece5cef8f3978)
Conflicts:
libavcodec/mpegvideo.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3a549eb82be709d633a0ba964b037ee2f700e0c9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
(cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The level_code expression includes a shift which is invalid in
those cases where the value is not used. Moving the calculation
to the branch where the result is used avoids these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8babfc033ecb6332155c1f8879e54dee41d16952)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit be1242a3f2b28e9cb08515bdc1db6c14403c279a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 4c7a232fc81fdbdee279ab819a255f624a22b083)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This allows concurrent decoding of the last field/frame, rather than
only the last slice, of data packets with multiple NAL units packed
together.
This will fix the slowdown reported in e.g. bug 52.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 14c21c1ff509eac97f6437aeb51202b15af3a700)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d1186ff72d75b6067770890758c4feb92abd84f7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
* release/0.8:
shorten: Fix invalid free()
j2kdec: Fix crash in get_qcx
j2kdec: Check curtileno for validity
atrac3: Fix crash in tonal component decoding. Fixes Ticket780 Bug Found by: cosminamironesei
h264: check chroma_format_idc range. Fixes Ticket758 Bug found by: Diana Elena Muscalu
aacsbr: Fix memory corruption. Fixes Ticket760 and Ticket761 Bug Found by: Diana Elena Muscalu
j2kdec: Fix integer overflow leading to a segfault Fixes Ticket776 Bug found by: Diana Elena Muscalu
ws_snd1: Fix wrong samples count and crash.
lavfi: add missing check in avfilter_filter_samples()
Update Changelog for 0.7.4 release
Update RELEASE file for 0.7.4
swscale: fix crash in fast_bilinear code when compiled with -mred-zone.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket780
Bug Found by: cosminamironesei
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket758
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket760 and Ticket761
Bug Found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 944f5b2779e4aa63f7624df6cd4de832a53db81b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket776
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f99939a6361e2e6d6788494dd7c682b051c6c34)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5257743aee0c3982f0079e6553aabc6aa39401d2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update Changelog for 0.7.4 release
Update RELEASE file for 0.7.4
swscale: fix crash in fast_bilinear code when compiled with -mred-zone.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Conflicts:
Changelog
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* release/0.8:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address.
vp3: fix streams with non-zero last coefficient
Update for 0.8.9
vp3: fix regression with mplayer-crash.ogv
h264: fix init of topleft ref/mv. Fixes Ticket778
Update for 0.8.8
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address.
vp3: fix streams with non-zero last coefficient
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes a regression introduced in 8b94df0f2047e972.
(cherry picked from commit 9b4767e4784577f3107730316fe652ccaccd9b3a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* release/0.8: (22 commits)
Update Changelog for 0.7.3 release
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
Update RELEASE file for 0.7.3
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report)
h264: Use mismatching frame numbers in fields
swscale: Readd #define _SVID_SOURCE
vp6: Fix illegal read.
vp6: Fix illegal read.
vp6: Reset the internal state when aborting key frames header parsing
vp6: Check for huffman tree build errors
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
imgutils: Fix illegal read.
qdm2: check output buffer size before decoding
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
vmd: fix segfaults on corruped streams
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This merge is primary for metadata, theres little actually changed
except cosmetics
* qatar/release/0.7:
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
Update RELEASE file for 0.7.3
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
swscale: Readd #define _SVID_SOURCE
Conflicts:
RELEASE
libavcodec/4xm.c
libavcodec/vp3.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.
Fixes Bug 81.
(cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes NGS00145, CVE-2011-4352
Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
