ffmpeg

Author	SHA1	Message	Date
Xi Wang	b59ee5dcf1	rtmp: fix buffer overflows in ff_amf_tag_contents() A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-01-23 05:55:20 +01:00
Xi Wang	e163d884ef	rtmp: fix multiple broken overflow checks Sanity checks like `data + size >= data_end \|\| data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 \|\| size >= data_end - data' instead. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2013-01-23 05:55:19 +01:00
Michael Niedermayer	685321e4bd	Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: h264: check ref_count validity for num_ref_idx_active_override_flag h264: check context state before decoding slice data partitions oggdec: free the ogg streams on read_header failure oggdec: check memory allocation Fix uninitialized reads on malformed ogg files. rtsp: Recheck the reordering queue if getting a new packet alacdec: do not be too strict about the extradata size h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles h264: check sps.log2_max_frame_num for validity ppc: always use pic for shared libraries h264: enable low delay only if no delayed frames were seen lavf: avoid integer overflow in ff_compute_frame_duration() Conflicts: libavformat/oggdec.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-01-17 03:16:46 +01:00
Michael Niedermayer	3f1a58db6f	Merge commit 'b143844ea0f6246e0d5a938d743e2e8a98453bec' into release/0.8 * commit 'b143844ea0f6246e0d5a938d743e2e8a98453bec': (22 commits) aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN. vp6: properly fail on unsupported feature h264: Fix parameters to ff_er_add_slice() call flacenc: ensure the order is within the min/max range in LPC order search yuv4mpeg: reject unsupported codecs vp8: reset loopfilter delta values at keyframes. vp56: release frames on error vp56: make parse_header return standard error codes ivi_common: check that scan pattern is set before using it. Update RELEASE file for 0.7.7 tiffenc: Check av_malloc() results. mpegaudiodec: fix short_start calculation h264: avoid stuck buffer pointer in decode_nal_units yuv4mpeg: return proper error codes. smacker audio: sign-extend the initial 16-bit predicted value vf_pad: don't give up its own reference to the output buffer. avidec: return 0, not packet size from read_packet(). wmapro: prevent division by zero when sample rate is unspecified alsdec: fix number of decoded samples in first sub-block in BGMC mode. alsdec: remove dead assignments ... Conflicts: RELEASE libavformat/avidec.c libavformat/yuv4mpeg.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-01-17 03:03:39 +01:00
Michael Niedermayer	597d709eb4	Merge commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb' into release/0.8 * commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb': (22 commits) alsdec: Check k used for rice decoder. cavsdec: check for changing w/h. avidec: use actually read size instead of requested size wmaprodec: check num_vec_coeffs for validity lagarith: check count before writing zeros. indeo5: check tile size in decode_mb_info(). indeo5: prevent null pointer dereference on broken files indeo: check for invalid motion vectors indeo: clear allocated band buffers indeo: check custom Huffman tables for errors dfa: add some checks to ensure that decoder won't write past frame end dfa: check that the caller set width/height properly. bytestream: add a new set of bytestream functions with overread checking avsdec: Set dimensions instead of relying on the demuxer. lavfi: avfilter_merge_formats: handle case where inputs are same rv34: use AVERROR return values in ff_rv34_decode_frame() h263: Add ff_ prefix to nonstatic symbols eval: fix swapping of lt() and lte() bmpdec: only initialize palette for pal8. vc1dec: add flush function for WMV9 and VC-1 decoders ... Conflicts: libavcodec/avs.c libavcodec/mpegvideo_enc.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2013-01-17 02:56:12 +01:00
Reinhard Tartler	3bc9cfe66e	oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c Conflicts: libavformat/oggdec.c	2013-01-12 19:36:27 +01:00
Luca Barbato	910c1f2352	oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c	2013-01-12 19:34:40 +01:00
Dale Curtis	55065315ca	Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-01-12 19:34:40 +01:00
Martin Storsjö	8081879655	rtsp: Recheck the reordering queue if getting a new packet If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-01-12 19:34:40 +01:00
Janne Grunau	10ff052c60	lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-01-12 19:27:42 +01:00
Luca Barbato	f3f22f183f	yuv4mpeg: reject unsupported codecs The muxer already rejects unsupported pixel formats, reject also unsupported codecs to prevent dangerous misuses. (cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db) Conflicts: libavformat/yuv4mpeg.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-01-12 19:20:27 +01:00
Anton Khirnov	5754176b5b	yuv4mpeg: return proper error codes. Fixes Bug 373. CC:libav-stable@libav.org (cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-01-04 07:43:38 +01:00
Anton Khirnov	562d6fd5b5	avidec: return 0, not packet size from read_packet(). (cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2013-01-04 07:43:38 +01:00
Anton Khirnov	05f5a2eb62	avidec: use actually read size instead of requested size Fixes CVE-2012-2788 (cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2013-01-04 07:43:37 +01:00
Michael Niedermayer	e28814e0e1	Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: vorbis: Validate that the floor 1 X values contain no duplicates. vorbisenc: check all allocations for failure lavfi: avfilter_merge_formats: handle case where inputs are same alsdec: check opt_order. lavf: don't segfault when a NULL filename is passed to avformat_open_input() mpegvideo: Don't use ff_mspel_motion() for vc1 imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt nuv: check RTjpeg header for validity vc1dec: add flush function for WMV9 and VC-1 decoders ffmpeg: fix -force_key_frames mov: set AVCodecContext.width/height for h264 h264: allow cropping to AVCodecContext.width/height Conflicts: libavcodec/mpegvideo_common.h libavcodec/nuv.c libavcodec/vorbisenc.c libavfilter/formats.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-10-16 17:57:12 +02:00
Anton Khirnov	77d43bf42d	lavf: don't segfault when a NULL filename is passed to avformat_open_input() This can easily happen when the caller is using a custom AVIOContext. Behave as if the filename was an empty string in this case. CC: libav-stable@libav.org (cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 7124fa5d3640e5b8089dd13b22a09038b2ec5216) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-10-06 09:40:46 +02:00
Carl Eugen Hoyos	8582e6e9a3	Fix muxing mjpeg in swf. (cherry picked from commit 7680d99b4302e476076cc1b8f2567f47c2aaef4d)	2012-09-13 09:22:24 +02:00
Mans Rullgard	0054d70f23	mov: set AVCodecContext.width/height for h264 This is required for correct cropping of files from Canon cameras. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 2fb4be9a99a2c2a9435339830e3d940171cc0d9b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-06-10 11:23:47 +02:00
Michael Niedermayer	b3e5c8de6a	ape: Fix null ptr dereference with files missing a seekatable. Such files are currently not supported as the table is used at several points Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:57 +02:00
Michael Niedermayer	ee6c1670df	4xm: fix division by zero caused by bps<8 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:52 +02:00
Michael Niedermayer	64bc5f3bf7	Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: Update RELEASE file for 0.7.6 Update changelog for 0.7.6 release ea: check chunk_size for validity. png: check bit depth for PAL8/Y400A pixel formats. x86: fix build with gcc 4.7 qdm2: clip array indices returned by qdm2_get_vlc(). kmvc: Check palsize. aacsbr: prevent out of bounds memcpy(). rtpdec_asf: Fix integer underflow that could allow remote code execution dpcm: ignore extra unpaired bytes in stereo streams. tqi: Pass errors from the MB decoder h264: Add check for invalid chroma_format_idc adpcm: ADPCM Electronic Arts has always two channels h263dec: Disallow width/height changing with frame threads. vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. Conflicts: Changelog RELEASE libavcodec/aacsbr.c libavcodec/h264_ps.c libavcodec/pngdec.c libavformat/rtpdec_asf.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-04 13:05:25 +02:00
Ronald S. Bultje	50336dc4f1	ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-06-03 19:16:37 +02:00
Michael Niedermayer	b15e85d820	rtpdec_asf: Fix integer underflow that could allow remote code execution Fixes MSVR-11-0088 Fixes CVE-2011-4031 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-28 20:55:34 +02:00
Michael Niedermayer	b6cc1c77fd	Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: (84 commits) id3v2: fix skipping extended header in id3v2.4 Update RELEASE file for 0.7.5 lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN kgv1dec: Increase offsets array size so it is large enough. kgv1: use avctx->get/release_buffer(). kvmc: fix invalid reads nsvdec: Propagate error values instead of returning 0 in nsv_read_header(). mjpegbdec: Fix overflow in SOS. shorten: Use separate pointers for the allocated memory for decoded samples. shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c) atrac3: Fix crash in tonal component decoding. ws_snd1: Fix wrong samples count and crash. ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4) ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16. dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 h264: stricter reference limit enforcement. jvdec: unbreak video decoding xxan: don't read before start of buffer in av_memcpy_backptr(). dsicinvideo: validate buffer offset before copying pixels. huffyuv: add padding to classic (v1) huffman tables. ... Conflicts: RELEASE libavcodec/atrac3.c libavcodec/h264.c libavcodec/h264_parser.c libavcodec/kgv1dec.c libavcodec/shorten.c libavcodec/svq3.c libavcodec/ws-snd1.c libavcodec/xxan.c libswscale/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-04-02 01:25:31 +02:00
Anton Khirnov	bc5d86d23d	id3v2: fix skipping extended header in id3v2.4 In v2.4, the length includes the length field itself. (cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-04-01 19:20:50 +02:00
Diego Biurrun	6fe5038753	nsvdec: Propagate error values instead of returning 0 in nsv_read_header(). This eliminates a warning about a set-but-unused variable. (cherry picked from commit 35fa0d47585cef28cd8191dccf0607d90c7667a6) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:29 +02:00
Ronald S. Bultje	f2e412d050	smacker: error out if palette copy-with-offset overruns palette size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	853ce33dbc	mov: Add more HDV and XDCAM FourCCs. Reference: VLC (cherry picked from commit b142496c5630b9bc88fb9eaccae7f6bd62fb23e7) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	5015ada0ec	mov: Add support for MPEG2 HDV 720p24 (hdv4) (cherry picked from commit 0ad522afb3a3b3d22402ecb82dd4609f7655031b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	b0888b8a48	dv: Fix small overread in audio frequency table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 0ab3687924457cb4fd81897bd39ab3cc5b699588) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	00fa6ffe1a	dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	44e182d41e	dv: Fix null pointer dereference due to ach=0 dv: Fix null pointer dereference due to ach=0 Fixes part2 of CVE-2011-3929 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	bb737d381f	dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	0100c4b1b0	nsvdec: Propagate errors Related to CVE-2011-3940. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5) Conflicts: libavformat/nsvdec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	be524c186b	nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	65beb8c117	nsvdec: Fix use of uninitialized streams. Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b) Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Ronald S. Bultje	433aaeb2f1	matroska: check buffer size for RM-style byte reordering. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	a2d5e741a8	asf: don't seek back on EOF. Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	18caebca4c	asf: error out on ridiculously large minpktsize values. They cause various issues further down in demuxing. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	811989e910	rm: prevent infinite loops for index parsing. Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	cd6c5e16c6	swf: check return values for av_get/new_packet(). Prevents crashers when using the packet if allocation failed. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	9a331217b0	asf: prevent packet_size_left from going negative if hdrlen > pktlen. This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	6c12293f6c	matroska: don't overwrite string values until read/alloc was succesful. This prevents certain tags with a default value assigned to them (as per the EBML syntax elements) from ever being assigned a NULL value. Other parts of the code rely on these being non-NULL (i.e. they don't check for NULL before e.g. using the string in strcmp() or similar), and thus in effect this prevents crashes when reading of such specific tags fails, either because of low memory or because of targeted file corruption. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Alex Converse	dd7b323d9a	matroskadec: Pad AAC extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Michael Niedermayer	a3d331f2d8	Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: (96 commits) intfloat_readwrite: fix signed addition overflows smacker: validate channels and sample format. smacker: check buffer size before reading output size smacker: validate number of channels sipr: fix get_bits(0) calls motion_est: make MotionExtContext.map_generation unsigned 4xm: prevent NULL dereference with invalid huffman table 4xmdemux: prevent use of uninitialized memory 4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers ptx: check for out of bound reads tiffdec: fix out of bound reads/writes eacmv: check for out of bound reads eacmv: fix potential pointer arithmetic overflows adpcm: fix out of bound reads due to integer overflow anm: prevent infinite loop avsdemux: check for out of bound writes avs: check for out of bound reads avsdemux: check for corrupted data mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions. vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly). ... Conflicts: libavcodec/adpcm.c libavcodec/bink.c libavcodec/h264.c libavcodec/h264.h libavcodec/h264_cabac.c libavcodec/h264_cavlc.c libavcodec/motion_est_template.c libavcodec/mpegvideo.c libavcodec/nellymoserdec.c libavcodec/ptx.c libavcodec/svq3.c libavcodec/vaapi_vc1.c libavcodec/xan.c libavfilter/vf_scale.c libavformat/4xm.c libavformat/flvdec.c libavformat/mpeg.c tests/ref/fate/motionpixels Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-19 05:14:44 +01:00
Laurent Aimar	5ab326d7db	4xmdemux: prevent use of uninitialized memory Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 79964745b3ed5a700f4f0dda56c7360497328c88) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-03-18 17:50:40 +01:00
Laurent Aimar	7fa13e12e6	avsdemux: check for out of bound writes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 6de33611c918e6ad5bbc878840a59607cb42b8c0) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-03-18 17:50:40 +01:00
Laurent Aimar	b696d61518	avsdemux: check for corrupted data Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 76c6971a6464705f263fc30e537b370a3a7c853b) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-03-18 17:50:40 +01:00
Alex Converse	a23bcc923d	mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions. (cherry picked from commit 0c46e958d1fd3817b8e9fa048d0450d509c80378) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-03-18 17:50:36 +01:00
Mans Rullgard	2c99aa48d7	lavf: fix signed overflow in avformat_find_stream_info() On the first iteration through this code, last_dts is always INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in an invalid manner. Although the result is only used if the input values are valid, performing the subtraction is still not allowed in a strict environment. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit a31e9f68a426f634e002282885c6c2eb1bfbea44) Signed-off-by: Anton Khirnov <anton@khirnov.net>	2012-03-18 17:50:35 +01:00

1 2 3 4 5 ...

8090 Commits