q4-q7/d8-d15 are supposed to not be clobbered by the callee.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d307e408d4)
Fixes out of array accesses
Fixes Ticket2919
Found_by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 86736f59d6)
Conflicts:
libavcodec/pngdsp.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes Ticket2895
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9a271a9368)
Conflicts:
libavcodec/jpeg2000dec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:
libavcodec/j2kdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update changelog for 0.7.8 release
aac: check the maximum number of channels
oggdec: fix faulty cleanup prototype
qdm2: check that the FFT size is a power of 2
rv10: check that extradata is large enough
lavf: make sure stream probe data gets freed.
dfa: check for invalid access in decode_wdlt().
avfiltergraph: check for sws opts being non-NULL before using them.
Conflicts:
Changelog
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9c713f30e4':
parser: fix large overreads
dsputil: fix invalid array indexing
shorten: use the unsigned type where needed
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'd785f69401':
shorten: validate that the channel count in the header is not <= 0
matroskadec: request a read buffer for the wav header
h264: check for luma and chroma bit depth being equal
xxan: fix invalid memory access in xan_decode_frame_type0()
wmadec: require block_align to be set.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5025dbc577':
wmaprodec: return an error, not 0, when the input is too small.
vorbisdec: Error on bark_map_size equal to 0.
Update RELEASE file for 0.7.8
update year to 2013
oggdec: make sure the private parse data is cleaned up
indeo5: update AVCodecContext width/height on size change
doc: filters: Correct BNF FILTER description
Conflicts:
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Broken bitstreams could report a larger than specified number of
channels and cause outbound writes.
CC:libav-stable@libav.org
(cherry picked from commit a943a132f3)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/aacdec.c
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit cacad1c058)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 20373a66ec)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This can happen when the number of skipped lines is not consistent with
the number of coded lines.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3623589edc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Indexing outside an array is invalid and causes errors with
gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0a07f2b346)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.
(0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))
Avoid oversized shifting.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff3130)
Conflicts:
libavcodec/atrac3.c
get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.
CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757)
(cherry picked from commit 88089eecfd)
(cherry picked from commit f42d03746a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/shorten.c
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d84)
(cherry picked from commit 21d568be17)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c
Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.
CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 60dd8b5733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.
CVE-2013-0894
CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494ddd377a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.
Avoid the possible problems described in CVE-2013-2277
Conflicts:
libavcodec/h264.c
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de16)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/xxan.c
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit ea1136baaf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c1f479e8df)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2012-2787
Note that in 0.7, there is only indeo 5, no indeo 4 decoder
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b146d74730)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2bc1e4fcb9)
Conflicts:
libavcodec/ivi_common.c
Fixes out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c69315a5de)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is partly redundant with the following patches, but its safer
Found-by: u-bo1b@0w.se
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f5c00b347d)
Conflicts:
libavcodec/utils.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This prevents out of array reads. An alternative solution would be
to check the index but this would require several checks in the
inner loops
Yet another alternative would be to change the index reset logic
but this likely would introduce a difference to the binary decoder
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8c4aebb58d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes division by 0
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a34418c28e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1ac0fa50ef)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevent out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 96f452ac64)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 63ac64864c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ae6104511)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a7ee6281f7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fix writing over the end
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0ceca269b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update changelog for 0.7.7 release
mpeg12: do not decode extradata more than once.
indeo4/5: check empty tile size in decode_mb_info().
dfa: improve boundary checks in decode_dds1()
indeo5dec: Make sure we have had a valid gop header.
rv34: error out on size changes with frame threading
Conflicts:
Changelog
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes vlc decoding for hypothetical files that would contain such cases.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
