Might fix Ticket1907 (I have no testcase so i cant test)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4758e32a6c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 902cfe2f74)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.6:
vorbis: Validate that the floor 1 X values contain no duplicates.
lavfi: avfilter_merge_formats: handle case where inputs are same
mpegvideo: Don't use ff_mspel_motion() for vc1
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
nuv: check RTjpeg header for validity
vc1dec: add flush function for WMV9 and VC-1 decoders
mov: set AVCodecContext.width/height for h264
h264: allow cropping to AVCodecContext.width/height
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This is required for correct cropping of files from Canon
cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e9004)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2fb4be9a99)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0054d70f23)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c117)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a3d471e500)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Metadata currently is written only at the start of the file in normal
cases, when transcoding from a rtmp source metadata could be
written later and the offset recorded can exceed 32bit.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7f5bf4fbaf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fe3e7297fe)
Conflicts:
libavformat/flvenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents out of bounds reads when extradata is being decoded.
(cherry picked from commit 1f6f58d585)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
According to MPEG-TS specs, the continuity_counter shall not be
incremented when the adaptation_field_control of the packet
equals '00' or '10'.
Signed-off-by: Jindrich Makovicka <jindrich.makovicka@nangu.tv>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8923cfa328)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 4d5e7ab5c4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 23513 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 77d3f1f792)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68)
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8)
NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.
Fixes: CVE-2011-3504
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically crafted samples can reinit ogg->streams[] while
reading samples, and thus we should not cache old pointers since
these may no longer be valid.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry-picked from commit 4cc3467e7a)
As per issue2629, most 23.976fps matroska H.264 files are incorrectly
detected as 24fps, as the matroska timestamps usually have only
millisecond precision.
Fix that by doubling the amount of timestamps inspected for frame rate
for streams that have coarse time base. This also fixes 29.970 detection
in matroska.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 78431098f9)
Tested with mplayer based on this report
http://thread.gmane.org/gmane.comp.video.mplayer.user/66043/focus=66063
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7c152a458d)
This improves performance on e.g. seekable http.
backport r24280 by mstorsjo
Originally committed as revision 24335 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
When symbol versioning is enabled, moving symbols from one library to
another breaks binary compatibility. This adds wrappers with the old
version tag for the av_*packet functions recently moved to lavc.
backport r23611 by mru
Originally committed as revision 23613 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
this patch restores binary compatibility for the av_*_packet symbols that have
been moved from libavformat to libavcodec. This patch works for gnu toolchains
only; support for ARM RCVT will be handed in for a later point release as soon
as the patch is ready and approved by the ARM maintainer(s).
Originally committed as revision 23610 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
This isn't exactly semantically equivalent, but the field has already been
long abused to mean this, and writing it helps in determining a decent cfr
time base when transcoding from a mkv where the video codec stores none (VP8).
backport r23284 by conrad
Originally committed as revision 23365 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
It's not required for mkv and unsupported in webm
backport r23247 by conrad
Originally committed as revision 23315 to svn://svn.ffmpeg.org/ffmpeg/branches/0.6
