From 3e3805b7fae6bda01e40462079028f8e6bfedea9 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Thu, 30 Jan 2014 14:08:38 -0500
Subject: [PATCH 1/6] samplefmt: avoid integer overflow in av_samples_get_buffer_size()
CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)
---
 libavutil/samplefmt.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c
index 389f726d65..bff600447c 100644
--- a/libavutil/samplefmt.c
+++ b/libavutil/samplefmt.c
@@ -118,6 +118,8 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
 /* auto-select alignment if not specified */
 if (!align) {
+ if (nb_samples > INT_MAX - 31)
+ return AVERROR(EINVAL);
 align = 1;
 nb_samples = FFALIGN(nb_samples, 32);
 }
From f1a7bfea41e56067c3bf4864159c87cdda613c19 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH 2/6] shorten: pad the internal bitstream buffer
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)
---
 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 22976e0137..31bd943fb3 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -441,7 +441,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
 void *tmp_ptr;
 s->max_framesize = 1024; // should hopefully be enough for the first header
 tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
- s->max_framesize);
+ s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!tmp_ptr) {
 av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
 return AVERROR(ENOMEM);
From 13fd80837f85f7d33bfb857ce9a3f33455cf4b3d Mon Sep 17 00:00:00 2001
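Review bot: The constant 31 in the new guard is the largest slack that `FFALIGN(nb_samples, 32)` two lines below can add, but nothing on the added line says so, so a later change to the alignment value would silently break the bound. A comment tying the two together keeps them in step: `if (nb_samples > INT_MAX - 31) /* FFALIGN(x, 32) may add up to 31 */`. The guard also sits inside the `if (!align)` branch, so it only protects the auto-align path; whatever range checking exists for caller-supplied values and for the later size arithmetic is outside this hunk. av_samples_get_buffer_size begins and continues outside the hunk.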
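Review bot: The padding is added only at this initial 1024-byte allocation of `s->bitstream`; if the buffer is grown again later — when the real `max_framesize` is known from the header, or when packet data is appended, both outside this hunk — those `av_fast_realloc` calls need the same `+ FF_INPUT_BUFFER_PADDING_SIZE`, otherwise the over-read the commit message describes returns as soon as the buffer is resized. Worth confirming that every resize of `s->bitstream` carries the padding, and a one-line comment here stating why, e.g. `/* keep FF_INPUT_BUFFER_PADDING_SIZE slack past the data the bitreader may over-read */`, so the next resize site copies the pattern. shorten_decode_frame begins and continues outside the hunk.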
From: Anton Khirnov
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH 3/6] truemotion1: check the header size
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)
---
 libavcodec/truemotion1.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index 63cd05b66c..2421dacbf3 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -322,6 +322,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
 return -1;
 }
+ if (header.header_size + 1 > s->size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /* unscramble the header bytes with a XOR operation */
 for (i = 1; i < header.header_size; i++)
 header_buffer[i - 1] = s->buf[i] ^ s->buf[i + 1];
From b4d72f901c96f526dc1090a77bf84cec4d2e000d Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH 4/6] lagarith: reallocate rgb_planes when needed
Fixes invalid writes on pixel format changes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)
---
 libavcodec/lagarith.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index 33dd8b0c53..5290d390b4 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -53,6 +53,7 @@ typedef struct LagarithContext {
 int zeros; /**< number of consecutive zero bytes encountered */
 int zeros_rem; /**< number of zero bytes remaining to output */
 uint8_t *rgb_planes;
+ int rgb_planes_allocated;
 int rgb_stride;
 } LagarithContext;
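Review bot: The `+ 1` in the new size check is there because the XOR loop below reads `s->buf[i + 1]` with `i` running up to `header.header_size - 1`, i.e. it touches index `header_size`; that relation deserves a comment so the bound is not later "simplified" to `header_size > s->size`: `/* the unscrambling loop below reads s->buf[i + 1] for i < header_size */`. The check also relies on `header.header_size` being small enough that `+ 1` cannot wrap; where that field is parsed is outside this hunk, so worth confirming it comes from a bounded byte-sized field. truemotion1_decode_header begins and continues outside the hunk.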
@@ -557,13 +558,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
 offs[1] = offset_gu;
 offs[2] = offset_ry;
+ l->rgb_stride = FFALIGN(avctx->width, 16);
+ av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+ l->rgb_stride * avctx->height * planes + 1);
 if (!l->rgb_planes) {
- l->rgb_stride = FFALIGN(avctx->width, 16);
- l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes + 1);
- if (!l->rgb_planes) {
- av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
- return AVERROR(ENOMEM);
- }
+ av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
+ return AVERROR(ENOMEM);
 }
 for (i = 0; i < planes; i++)
 srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
From aa2a3ca27a3269e2b975686652204607fad8bc49 Mon Sep 17 00:00:00 2001
From: Keiji Costantini
Date: Sat, 1 Mar 2014 18:17:04 +0000
Subject: [PATCH 5/6] ituh263: reject b-frame with pp_time = 0
Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.
Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)
---
 libavcodec/ituh263dec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index cb26be21df..3cbc7b84d2 100644
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -753,6 +753,8 @@ int ff_h263_decode_mb(MpegEncContext *s,
 }
 if(IS_DIRECT(mb_type)){
+ if (!s->pp_time)
+ return AVERROR_INVALIDDATA;
 s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT;
 mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0);
 }else{
From 798c715f4fa5cde37456af6202a32ee62cfb96d9 Mon Sep 17 00:00:00 2001
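Review bot: `av_fast_malloc` in libavutil takes its tracked-size argument as `unsigned int *`, while the struct hunk earlier in this patch declares the new field as `int rgb_planes_allocated;` — if that signature applies to this tree, passing `&l->rgb_planes_allocated` here is a pointer-sign mismatch and the field should be declared `unsigned int rgb_planes_allocated;`. The requested size `l->rgb_stride * avctx->height * planes + 1` is also evaluated in `int` before being widened for the call; the dimensions are presumably bounded by the usual image-size validation elsewhere (not visible here), but a comment naming that assumption on this line would make the bound explicit, since an undersized buffer at this point is exactly the invalid write the commit fixes. lag_decode_frame begins and continues outside the hunk.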
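Review bot: The new `if (!s->pp_time) return AVERROR_INVALIDDATA;` guards a division that, per the commit message, happens inside the callee reached through `ff_mpeg4_set_direct_mv`, yet nothing at the check site says so; a comment keeps it from being dropped as redundant later: `/* ff_mpeg4_set_direct_mv divides by pp_time; a B-frame with pp_time == 0 is invalid */`. Because the guard is placed in this one caller rather than in the callee, any other call site of `ff_mpeg4_set_direct_mv` (outside this hunk) stays exposed unless it carries the same check; moving the test into the callee would cover all callers at once. ff_h263_decode_mb begins and continues outside the hunk.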
From: Reinhard Tartler
Date: Sun, 2 Mar 2014 02:11:05 -0500
Subject: [PATCH 6/6] configure: enable PIC on s390(x)
The s390 architecture requires shared libraries to be built in PIC mode. Otherwise applications will get wrong relocations at run-time, leading to confusing segmentation faults.
CC: libav-stable@libav.org
(cherry picked from commit 5ddc9f5052316608799b932c604f9e7561f8ce24)
(cherry picked from commit 7509c2c4ea2180733cc60ab1a0e0fe4ce2f02a69)
---
 configure | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/configure b/configure
index d2b412290d..d65c112c3b 100755
--- a/configure
+++ b/configure
@@ -2818,6 +2818,10 @@ case "$arch" in
 check_64bit ppc ppc64 'sizeof(void *) > 4'
 spic=$shared
 ;;
+ s390)
+ check_64bit s390 s390x 'sizeof(void *) > 4'
+ spic=$shared
+ ;;
 sparc)
 check_64bit sparc sparc64 'sizeof(void *) > 4'
 spic=$shared