Age | Commit message (Collapse) | Author |
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6abb9a901fca27da14d4fffbb01948288b5da3ba)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8)
Conflicts:
libavcodec/pngdec.c
|
|
Fixes out of array access
Fixes: asan_heap-oob_11222fb_21_020.dxa
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90)
Conflicts:
libavcodec/dxa.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c727401aa9d62335e89d118a5b4e202edf39d905)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
also change it to a loop
Fixes out of array access
Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f1457864be8fb9653643519dea1c6492f1dde57)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array access
Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e)
Conflicts:
libavcodec/mmvideo.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array accesses
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit 94371a404c663c3dae3d542fa43951567ab67f82)
Conflicts:
libavcodec/mjpegdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
previously it could have been by 1 too large
Fixes out of array access
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls
Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Prevents out of array accesses with CODEC_FLAG_EMU_EDGE
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d)
Conflicts:
libavcodec/vmnc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c17207ab9acfaa934e8feb8fba90765c9d0b989)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes infinite loop
Fixes Ticket3086
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc0e47b55096361723b364afa43b79a3f5619cdc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f)
Conflicts:
libavcodec/ffv1enc.c
(cherry picked from commit c900c6e5c26cd86cf34f9c8d4347cedbd01f3935)
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
Conflicts:
libavcodec/rpza.c
(cherry picked from commit edba432b8b01d68c22e70a508f47553359f59fb5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This is partly redundant with the following patches, but its safer
Found-by: u-bo1b@0w.se
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f5c00b347dc76285c639d9878a014c40395c5228)
Conflicts:
libavcodec/utils.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2b6f3be08250683407c7a9846d7133b116661eae)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes assertion failure
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 984add64a41c3296a8a82051cc90bff2eb449609)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes Ticket2281
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1fd86f9a2136165205b0370d5a6e916499f1da7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
* qatar/release/0.5:
mpeg12: do not decode extradata more than once.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes CVE-2012-2803.
(cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2)
(cherry picked from commit 301761792a693a1f3303a2af34a0fb066a03c10c)
Conflicts:
libavcodec/mpeg12.c
|
|
* qatar/release/0.5: (21 commits)
vp6: properly fail on unsupported feature
vp56: release frames on error
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure
h264: check context state before decoding slice data partitions
oggdec: check memory allocation
Fix uninitialized reads on malformed ogg files.
lavf: avoid integer overflow in ff_compute_frame_duration()
yuv4mpeg: reject unsupported codecs
tiffenc: Check av_malloc() results.
mpegaudiodec: fix short_start calculation
h264: avoid stuck buffer pointer in decode_nal_units
yuv4mpeg: return proper error codes.
avidec: return 0, not packet size from read_packet().
cavsdec: check for changing w/h.
avidec: use actually read size instead of requested size
bytestream: add a new set of bytestream functions with overread checking
avsdec: Set dimensions instead of relying on the demuxer.
lavfi: avfilter_merge_formats: handle case where inputs are same
bmpdec: only initialize palette for pal8.
...
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.
Fixes: CVE-2012-2783
(cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4ede95e69cf964cd46b1e9fcd48da80d8d92c433)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Fixes CVE-2012-2783
CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61)
Conflicts:
libavcodec/vp56.c
|
|
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
(cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
Conflicts:
libavcodec/shorten.c
|
|
Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656.
Found-by: Mateusz "j00ru" Jurczyk
CC: libav-stable@libav.org
(cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
(cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6)
Conflicts:
libavcodec/tiffenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
The value should be always 3, as it follows from the specification.
Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)
Conflicts:
libavcodec/h264.c
|
|
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
|
|
The decode function assumes that the video will have those dimensions.
Fixes CVE-2012-2801
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Gray8 is not considered to be paletted, so this would cause an invalid
write.
Fixes bug 367.
CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
|
Fixes vlc decoding for hypothetical files that would contain such cases.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Prevents out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
* qatar/release/0.5:
lavfi: avfilter_merge_formats: handle case where inputs are same
mpegvideo: Don't use ff_mspel_motion() for vc1
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
nuv: check RTjpeg header for validity
vc1dec: add flush function for WMV9 and VC-1 decoders
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.
This fixes crashes in error resilience on vc1/wmv3 videos.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 899d95efe12f1e250b361837c1c8c06df9ac9b86)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c82ae85a8a78a98f7c7fea68d24a4ac0ca74d01f)
Conflicts:
libavcodec/mpegvideo_common.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
|
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8812b5f164109553f009ce385e17a1af16b6ea53)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd7426ed898533bed98e6b472ff5f5c8e47f2eb5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
|
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f31170d4e7f9671e019315391160d454b18d7296)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 459feb7cce03af7154c098171fc9d36fc9d472f6)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
|
CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 02b72394627933dc8ce26445231a69f00dba491b)
Conflicts:
libavcodec/vc1dec.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0173a7966b331105158a88f96b9afcc431d2fef8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit aa4121276777b20eaaa83bf9bd544b00748c865c)
Conflicts:
libavcodec/vc1dec.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
|
Fixes null ptr deref
Fixes Ticket1367
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
* qatar/release/0.5:
Bump version number for 0.5.9 release.
png: check bit depth for PAL8/Y400A pixel formats.
tqi: Pass errors from the MB decoder
eatqi: move "block" variable into context to ensure sufficient alignment for idct_put for compilers/architectures that can not align stack variables that much. This is also consistent with similar code in eatgq.c
ea: check chunk_size for validity.
vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>
mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
mingw32: properly check if vfw capture is supported by the system headers
Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>
configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
adpcm: ADPCM Electronic Arts has always two channels
h264: Add check for invalid chroma_format_idc
dpcm: ignore extra unpaired bytes in stereo streams.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 33f93005f1a86c108302b4c5978aa1a3d8e092cc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4c8c2660bd9252775c9a1dc2e2f36cb34718595a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/pngdec.c
|
|
This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2f2fd8c6d1c51a6b817e6c0bc4eff308b8f9cd18)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c3edce42704142f4c66954e9f24d7fbf0e5ae423)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c
Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce6366189eebf9956f826dfd92d9e64d9c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
|
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
|