Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3a549eb82be709d633a0ba964b037ee2f700e0c9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
(cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The level_code expression includes a shift which is invalid in
those cases where the value is not used. Moving the calculation
to the branch where the result is used avoids these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8babfc033ecb6332155c1f8879e54dee41d16952)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit be1242a3f2b28e9cb08515bdc1db6c14403c279a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 4c7a232fc81fdbdee279ab819a255f624a22b083)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This allows concurrent decoding of the last field/frame, rather than
only the last slice, of data packets with multiple NAL units packed
together.
This will fix the slowdown reported in e.g. bug 52.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 14c21c1ff509eac97f6437aeb51202b15af3a700)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d1186ff72d75b6067770890758c4feb92abd84f7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket780
Bug Found by: cosminamironesei
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket758
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket760 and Ticket761
Bug Found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 944f5b2779e4aa63f7624df6cd4de832a53db81b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket776
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f99939a6361e2e6d6788494dd7c682b051c6c34)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5257743aee0c3982f0079e6553aabc6aa39401d2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update Changelog for 0.7.4 release
Update RELEASE file for 0.7.4
swscale: fix crash in fast_bilinear code when compiled with -mred-zone.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Conflicts:
Changelog
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address.
vp3: fix streams with non-zero last coefficient
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes a regression introduced in 8b94df0f2047e972.
(cherry picked from commit 9b4767e4784577f3107730316fe652ccaccd9b3a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This merge is primary for metadata, theres little actually changed
except cosmetics
* qatar/release/0.7:
4xm: Add a check in decode_i_frame to prevent buffer overreads
wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits.
Update RELEASE file for 0.7.3
swscale: #include "libavutil/mathematics.h"
vp3dec: Check coefficient index in vp3_dequant()
svq1dec: call avcodec_set_dimensions() after dimensions changed.
swscale: Readd #define _SVID_SOURCE
Conflicts:
RELEASE
libavcodec/4xm.c
libavcodec/vp3.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.
Fixes Bug 81.
(cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes NGS00145, CVE-2011-4352
Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
to synchronize the first/second field state independant of them being reference or not.
Fixes Ticket354
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 545ec935a4b4e0f032ebd975907b41f6fe4465c9)
Found with Address Sanitizer
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It prevents leaving the state only half initialized.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
