Age | Commit message (Collapse) | Author |
|
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6abb9a901fca27da14d4fffbb01948288b5da3ba)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8)
Conflicts:
libavcodec/pngdec.c
|
|
Fixes out of array access
Fixes: asan_heap-oob_11222fb_21_020.dxa
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90)
Conflicts:
libavcodec/dxa.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array read
Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c727401aa9d62335e89d118a5b4e202edf39d905)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
also change it to a loop
Fixes out of array access
Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f1457864be8fb9653643519dea1c6492f1dde57)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e)
Conflicts:
libavcodec/mmvideo.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array accesses
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit 94371a404c663c3dae3d542fa43951567ab67f82)
Conflicts:
libavcodec/mjpegdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
previously it could have been by 1 too large
Fixes out of array access
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls
Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list)
Fixes: LMS-2014-06-16-4
Found-by: "Don A. Bailey" <donb@securitymouse.com>
See: ccda51b14c0fcae2fad73a24872dce75a7964996
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee)
Conflicts:
libavutil/lzo.c
(cherry picked from commit 7b5c706494a775b2b0d0e0a38448610802eef8f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.
Remove the check. Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6)
Conflicts:
libavutil/lzo.c
(cherry picked from commit ff712a262d317f5bd6fc9552cd837508e584a565)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ae3d41636942cbc0236bad21ad06c65f4eb0f096)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Prevents out of array accesses with CODEC_FLAG_EMU_EDGE
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d)
Conflicts:
libavcodec/vmnc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c17207ab9acfaa934e8feb8fba90765c9d0b989)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes infinite loop
Fixes Ticket3086
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc0e47b55096361723b364afa43b79a3f5619cdc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f)
Conflicts:
libavcodec/ffv1enc.c
(cherry picked from commit c900c6e5c26cd86cf34f9c8d4347cedbd01f3935)
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Might fix Ticket1907 (I have no testcase so i cant test)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4758e32a6c48044f77102a49110c79b4f338f648)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
Conflicts:
libavcodec/rpza.c
(cherry picked from commit edba432b8b01d68c22e70a508f47553359f59fb5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
* qatar/release/0.5:
Bump version number for the 0.5.11 release
update year to 2013
Conflicts:
VERSION
Merge is for metadata only, issues have been fixed in previous commits
already
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This is partly redundant with the following patches, but its safer
Found-by: u-bo1b@0w.se
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f5c00b347dc76285c639d9878a014c40395c5228)
Conflicts:
libavcodec/utils.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2b6f3be08250683407c7a9846d7133b116661eae)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes assertion failure
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 984add64a41c3296a8a82051cc90bff2eb449609)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes Ticket2281
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1fd86f9a2136165205b0370d5a6e916499f1da7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
* qatar/release/0.5:
Release notes and changelog for 0.5.10
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
* qatar/release/0.5:
mpeg12: do not decode extradata more than once.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes CVE-2012-2803.
(cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2)
(cherry picked from commit 301761792a693a1f3303a2af34a0fb066a03c10c)
Conflicts:
libavcodec/mpeg12.c
|
|
* qatar/release/0.5: (21 commits)
vp6: properly fail on unsupported feature
vp56: release frames on error
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure
h264: check context state before decoding slice data partitions
oggdec: check memory allocation
Fix uninitialized reads on malformed ogg files.
lavf: avoid integer overflow in ff_compute_frame_duration()
yuv4mpeg: reject unsupported codecs
tiffenc: Check av_malloc() results.
mpegaudiodec: fix short_start calculation
h264: avoid stuck buffer pointer in decode_nal_units
yuv4mpeg: return proper error codes.
avidec: return 0, not packet size from read_packet().
cavsdec: check for changing w/h.
avidec: use actually read size instead of requested size
bytestream: add a new set of bytestream functions with overread checking
avsdec: Set dimensions instead of relying on the demuxer.
lavfi: avfilter_merge_formats: handle case where inputs are same
bmpdec: only initialize palette for pal8.
...
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.
Fixes: CVE-2012-2783
(cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4ede95e69cf964cd46b1e9fcd48da80d8d92c433)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Fixes CVE-2012-2783
CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61)
Conflicts:
libavcodec/vp56.c
|
|
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
(cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
Conflicts:
libavcodec/shorten.c
|
|
Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656.
Found-by: Mateusz "j00ru" Jurczyk
CC: libav-stable@libav.org
(cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
(cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5)
Conflicts:
libavformat/oggdec.c
|
|
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
The muxer already rejects unsupported pixel formats, reject also
unsupported codecs to prevent dangerous misuses.
(cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db)
Conflicts:
libavformat/yuv4mpeg.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
(cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6)
Conflicts:
libavcodec/tiffenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|