Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6abb9a901f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79ceaf827b)
Conflicts:
libavcodec/pngdec.c
Fixes out of array access
Fixes: asan_heap-oob_11222fb_21_020.dxa
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e70312dfc2)
Conflicts:
libavcodec/dxa.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c727401aa9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dd3bfe3cc1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
also change it to a loop
Fixes out of array access
Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f1457864b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8b0e96e1f2)
Conflicts:
libavcodec/mmvideo.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
previously it could have been by 1 too large
Fixes out of array access
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls
Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 06e7d58410)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array accesses with CODEC_FLAG_EMU_EDGE
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ba02602aa)
Conflicts:
libavcodec/vmnc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c17207ab9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745d)
Conflicts:
libavcodec/rpza.c
(cherry picked from commit edba432b8b01d68c22e70a508f47553359f59fb5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is partly redundant with the following patches, but its safer
Found-by: u-bo1b@0w.se
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f5c00b347d)
Conflicts:
libavcodec/utils.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2b6f3be082)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket2281
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1fd86f9a21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ae6104511)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a7ee6281f7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5: (21 commits)
vp6: properly fail on unsupported feature
vp56: release frames on error
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure
h264: check context state before decoding slice data partitions
oggdec: check memory allocation
Fix uninitialized reads on malformed ogg files.
lavf: avoid integer overflow in ff_compute_frame_duration()
yuv4mpeg: reject unsupported codecs
tiffenc: Check av_malloc() results.
mpegaudiodec: fix short_start calculation
h264: avoid stuck buffer pointer in decode_nal_units
yuv4mpeg: return proper error codes.
avidec: return 0, not packet size from read_packet().
cavsdec: check for changing w/h.
avidec: use actually read size instead of requested size
bytestream: add a new set of bytestream functions with overread checking
avsdec: Set dimensions instead of relying on the demuxer.
lavfi: avfilter_merge_formats: handle case where inputs are same
bmpdec: only initialize palette for pal8.
...
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.
Fixes: CVE-2012-2783
(cherry picked from commit be75fed975)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4ede95e69c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value should be always 3, as it follows from the specification.
Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f6)
Conflicts:
libavcodec/h264.c
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a696306)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decode function assumes that the video will have those dimensions.
Fixes CVE-2012-2801
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Gray8 is not considered to be paletted, so this would cause an invalid
write.
Fixes bug 367.
CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes vlc decoding for hypothetical files that would contain such cases.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f67a0d1152)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
lavfi: avfilter_merge_formats: handle case where inputs are same
mpegvideo: Don't use ff_mspel_motion() for vc1
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
nuv: check RTjpeg header for validity
vc1dec: add flush function for WMV9 and VC-1 decoders
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.
This fixes crashes in error resilience on vc1/wmv3 videos.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 899d95efe1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c82ae85a8a)
Conflicts:
libavcodec/mpegvideo_common.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8812b5f164)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd7426ed89)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f31170d4e7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 459feb7cce)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
Bump version number for 0.5.9 release.
png: check bit depth for PAL8/Y400A pixel formats.
tqi: Pass errors from the MB decoder
eatqi: move "block" variable into context to ensure sufficient alignment for idct_put for compilers/architectures that can not align stack variables that much. This is also consistent with similar code in eatgq.c
ea: check chunk_size for validity.
vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>
mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
mingw32: properly check if vfw capture is supported by the system headers
Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>
configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
adpcm: ADPCM Electronic Arts has always two channels
h264: Add check for invalid chroma_format_idc
dpcm: ignore extra unpaired bytes in stereo streams.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c
Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
