Commit graph

19261 commits

Author SHA1 Message Date
Matt Wolenetz
02a5e88ebc lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Matt Wolenetz
b6efd022b7 lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Chris Cunningham
a4fb905a14 lavf/matroskadec: fix is_keyframe for early Blocks
Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.

The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).

Now using INT64_MIN to denote "no reference".

Reported to chromium at http://crbug.com/497889 (contains sample)

(cherry picked from commit ac25840ee3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Frank Liberato
197e4693f6 avformat/flacdec: Check avio_read result when reading flac block header.
Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Tobias Rapp
c26cbe6c2e avformat/avidec: skip odml master index chunks in avi_sync
Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Chris Cunningham
693288c344 avformat/mp3dec: fix msan warning when verifying mpa header
MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
Reference https://crbug.com/666874.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab87df9a47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
3d9c007b61 avformat/utils: Print verbose error message if stream count exceeds max_streams
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd53871)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
5b8ee8f013 avformat/options_table: Set the default maximum number of streams to 1000
Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
b18a571e23 avformat: Add max_streams option
This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f84495)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
119301d312 avformat/oggdec: Skip streams in duration correction that did not had their duration set.
Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Ronald S. Bultje
ce44100cb0 http: move chunk handling from http_read_stream() to http_buf_read().
(cherry picked from commit 845bb40178)
2016-12-05 16:20:06 -05:00
Ronald S. Bultje
18e3e322b3 http: make length/offset-related variables unsigned.
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813)
2016-12-05 16:20:06 -05:00
Michael Niedermayer
b0ebef0578 avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:37:48 +01:00
Michael Niedermayer
a7c7543a3d avformat/ffmdec: Check media type for chunks
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
c2e4ced78e avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
cc27b8e09f avformat/utils: Check start/end before computing duration in update_stream_timings()
Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
60ca730d21 avformat/idroqdec: Check chunk_size for being too large
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
ebe104e827 avformat/utils: Fix type mismatch
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a06e84b56e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
42a20f1fea avformat/mpeg: Adjust vid probe threshold to correct mis-detection
Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a230)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
e90fbc86c1 avformat/flvdec: Fix regression loosing streams
Fixes: unknown_video.flv

Found-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 077939626e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
b6b7034416 avformat/isom: Fix old API regression with exporting max bitrate
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d88a6bedb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Andreas Cadhalpun
d0f8741a5a flvdec: require need_context_update when changing codec id
Otherwise the codec context and codecpar might disagree on the codec id,
triggering asserts in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 98b3a7979f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
312757eb84 sbgdec: prevent NULL pointer access
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
e2de6f31c0 rmdec: validate block alignment
This fixes division by zero crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit de4ded0636)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
315f1dea84 mxfdec: fix NULL pointer dereference in mxf_read_packet_old
Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
b4f42e5c85 ffmdec: validate codec parameters
A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1c7da19a4b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
52d8c1e474 filmstripdec: correctly check image dimensions
This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c5644)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:06 +01:00
Andreas Cadhalpun
c35a140e71 icodec: correctly check avio_read return value
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
6a7f0585ab icodec: add ico_read_close to fix leaking ico->images
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d54c95a143)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
356e035773 icodec: fix leaking pkt on error
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1be)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
e1c1cb4aa1 mpegts: prevent division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
c19e965704 matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
The code assumes that s->streams[0] is valid.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:04 +01:00
Andreas Cadhalpun
50d34cbf5a mxfdec: fix NULL pointer dereference
Metadata streams have priv_data set to NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0efb610611)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:04 +01:00
Andreas Cadhalpun
d77684b853 dcstr: fix division by zero
Also check for possible overflows.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b0a043f51b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:03 +01:00
Andreas Cadhalpun
2c52b74980 aiff: check block_align in aiff_read_packet
It can be unset in avcodec_parameters_from_context and a value of 0
causes SIGFPE crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 93c39db5f1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:03 +01:00
Andreas Cadhalpun
13f032abbb rsd: limit number of channels
Negative values don't make sense and too large values can cause
overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata
buffer being allocated, causing out-of-bounds writes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ee5f0f1d35)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
d69dc10466 avformat: prevent triggering request_probe assert in ff_read_packet
If probe_codec is called with pkt == NULL, it sets probe_packets to 0
and request_probe to -1.
However, request_probe can change when calling s->iformat->read_packet
and thus a probe_packets value of 0 doesn't guarantee a request_probe
value of -1.
In that case calling probe_codec again is necessary to prevent
triggering the assert.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5b4476a60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
d4f64a0f54 westwood_aud: prevent division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bc7e128a6e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
b3991ccd11 astdec: fix division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9959a52b14)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
230c04e3f6 aiffdec: fix division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c143a9c96f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:27:56 +01:00
Michael Niedermayer
9e6586ceb2 avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fecb3e82a4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-10-21 20:26:00 +02:00
Michael Niedermayer
08eef74a39 avformat/utils: Update codec_id before using it in the parser init
Fixes assertion failure

Fixes: input.avi

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 987690799d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-10-10 00:59:51 +02:00
Michael Niedermayer
622ccbd8ab avformat/avidec: Check nb_streams in read_gab2_sub()
Fixes null pointer dereference
Fixes: 1/null_point.avi

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2679ad4773)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-10-01 02:50:54 +02:00
Michael Niedermayer
c8c5f66b42 avformat/avidec: Remove ancient assert
This assert can with crafted files fail, a warning is already printed
for this case.

Fixes assertion failure
Fixes:1/assert.avi

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 14bac7e00d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-10-01 02:50:54 +02:00
Michael Niedermayer
8834e080c2 avformat/avidec: Fix memleak with dv in avi
Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b98dafe045)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 14:23:07 +02:00
Michael Niedermayer
77c9c35093 avformat/movenc: Check packet in mov_write_single_packet() too
Fixes assertion failure

Found-by: durandal117
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2834313933)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 14:23:06 +02:00
Michael Niedermayer
03f996d183 avformat/movenc: Factor check_pkt() out
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit deabcd2c05)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 14:23:06 +02:00
Xinzheng Zhang
c68ce48260 avformat/utils: fix timebase error in avformat_seek_file()
When there is only one stream and stream_index has not specified,
The ts has been transferd by the timebase of stream0 without modifying the stream_index
In this condation it cause seek failure.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ecc04b4f2f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 14:23:06 +02:00
Michael Niedermayer
21a9797737 avformat/movenc: Check first DTS similar to dts difference
Fixes assertion failure
Fixes: b84b53855a0b74560e64c6f45f505a13/signal_sigabrt_7ffff6ae7c37_3837_ef4e243ea5b4fa8d0becf4afe9166604.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 68f4c2163e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 14:23:06 +02:00
Sergey Volk
7a3dc2f7b6 avformat/mov: Fix potential integer overflow in mov_read_keys
Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 347cb14b7c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-27 13:42:11 +02:00