Such files are currently not supported as the table is used at several points
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update RELEASE file for 0.7.6
Update changelog for 0.7.6 release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
x86: fix build with gcc 4.7
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
aacsbr: prevent out of bounds memcpy().
rtpdec_asf: Fix integer underflow that could allow remote code execution
dpcm: ignore extra unpaired bytes in stereo streams.
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
adpcm: ADPCM Electronic Arts has always two channels
h263dec: Disallow width/height changing with frame threads.
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
Conflicts:
Changelog
RELEASE
libavcodec/aacsbr.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
libavformat/rtpdec_asf.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.7: (84 commits)
id3v2: fix skipping extended header in id3v2.4
Update RELEASE file for 0.7.5
lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
kgv1dec: Increase offsets array size so it is large enough.
kgv1: use avctx->get/release_buffer().
kvmc: fix invalid reads
nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
mjpegbdec: Fix overflow in SOS.
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
atrac3: Fix crash in tonal component decoding.
ws_snd1: Fix wrong samples count and crash.
ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4)
ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
h264: stricter reference limit enforcement.
jvdec: unbreak video decoding
xxan: don't read before start of buffer in av_memcpy_backptr().
dsicinvideo: validate buffer offset before copying pixels.
huffyuv: add padding to classic (v1) huffman tables.
...
Conflicts:
RELEASE
libavcodec/atrac3.c
libavcodec/h264.c
libavcodec/h264_parser.c
libavcodec/kgv1dec.c
libavcodec/shorten.c
libavcodec/svq3.c
libavcodec/ws-snd1.c
libavcodec/xxan.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d47585cef28cd8191dccf0607d90c7667a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Found with asan.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
dv: check stype
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashers when using the packet if allocation failed.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.7: (96 commits)
intfloat_readwrite: fix signed addition overflows
smacker: validate channels and sample format.
smacker: check buffer size before reading output size
smacker: validate number of channels
sipr: fix get_bits(0) calls
motion_est: make MotionExtContext.map_generation unsigned
4xm: prevent NULL dereference with invalid huffman table
4xmdemux: prevent use of uninitialized memory
4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
ptx: check for out of bound reads
tiffdec: fix out of bound reads/writes
eacmv: check for out of bound reads
eacmv: fix potential pointer arithmetic overflows
adpcm: fix out of bound reads due to integer overflow
anm: prevent infinite loop
avsdemux: check for out of bound writes
avs: check for out of bound reads
avsdemux: check for corrupted data
mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
...
Conflicts:
libavcodec/adpcm.c
libavcodec/bink.c
libavcodec/h264.c
libavcodec/h264.h
libavcodec/h264_cabac.c
libavcodec/h264_cavlc.c
libavcodec/motion_est_template.c
libavcodec/mpegvideo.c
libavcodec/nellymoserdec.c
libavcodec/ptx.c
libavcodec/svq3.c
libavcodec/vaapi_vc1.c
libavcodec/xan.c
libavfilter/vf_scale.c
libavformat/4xm.c
libavformat/flvdec.c
libavformat/mpeg.c
tests/ref/fate/motionpixels
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 79964745b3ed5a700f4f0dda56c7360497328c88)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 6de33611c918e6ad5bbc878840a59607cb42b8c0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 76c6971a6464705f263fc30e537b370a3a7c853b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
On the first iteration through this code, last_dts is always
INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in
an invalid manner. Although the result is only used if the
input values are valid, performing the subtraction is still
not allowed in a strict environment.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit a31e9f68a426f634e002282885c6c2eb1bfbea44)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1e3336de69d1c4c28a5e306fab20555f4078f2d7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1775b92fee43f0527e2f5892a5a30450fa929722)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
On OS X, av_malloc(0) returns pointers that cause crashes when
freed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8f8e8cc9784ffd8d5d0307900fb78bb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2b4e49d4281690db67073ba644ad2ffc17767cdf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
* qatar/release/0.7:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address.
vp3: fix streams with non-zero last coefficient
Merged-by: Michael Niedermayer <michaelni@gmx.at>
(sorry i have no sample, just a user report)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e31c5ebe1146d98d17a5121312c5444432c81904)
Conflicts:
libavformat/mpegtsenc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Our ac3 code chain can handle it fine.
More ideal would be to write a demuxer that actually extracts what can be from the additional
headers and uses it for whatever it can be used for.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 30ca700ba17b9ba46f4648afa30559ad890f0221)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes stereoscopic_photo.mpo
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1d23e5246c67f765dd5d119c9f3197bdae07330c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info.
lavf: fix multiplication overflow in avformat_find_stream_info()
lavf: fix invalid reads in avformat_find_stream_info()
lavf: add avformat_find_stream_info()
lavc: fix parentheses placement in avcodec_open2().
lavc: introduce avcodec_open2() as a replacement for avcodec_open().
Conflicts:
doc/APIchanges
libavcodec/utils.c
libavcodec/version.h
libavformat/avformat.h
libavformat/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Converting to double before the multiplication rather than after
avoids an integer overflow in some cases.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 52767d891c665ab1124fe4ce82d99b59673de7d2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It supports passing options to codecs.
(cherry picked from commit a67c061e0f3b55ffcc96f336fc0998e44b86c8e4)
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
