Commit graph

15294 commits

Author SHA1 Message Date
Janne Grunau
06312bbb10 h264: check context state before decoding slice data partitions
Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656.

Found-by: Mateusz "j00ru" Jurczyk
CC: libav-stable@libav.org
(cherry-picked from commit c1fcf563b1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:41 +01:00
Justin Ruggles
77e6676d3e alacdec: do not be too strict about the extradata size
Sometimes the extradata has duplicate atoms, but that shouldn't prevent
decoding. Just ensure that it is at least 36 bytes as a sanity check.

CC: libav-stable@libav.org
(cherry picked from commit 68a04b0cce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:40 +01:00
Victor Lopez
a335ffd7f4 h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
Fixes bug 396.

CC: libav-stable@libav.org
(cherry picked from commit 1c8bf3bfed)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:40 +01:00
Janne Grunau
f620c12067 h264: check sps.log2_max_frame_num for validity
Fixes infinite or long taking loop in frame num gap code in
the fuzzed sample bipbop234.ts_s223302.

CC: libav-stable@libav.org
(cherry picked from commit d7d6efe42b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:40 +01:00
Janne Grunau
1d98811b95 h264: slice-mt: get last_pic_dropable from master context
Fixes fate-h264-conformance-cvnlfi2_sony_h and smllwebdl.mkv from
https://github.com/OpenELEC/OpenELEC.tv/issues/1557 .

CC: libav-stable@libav.org
(cherry picked from commit a8cb1746c5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:40 +01:00
Janne Grunau
f1b3cc02ec h264: error out on unset current_picture_ptr for h->current_slice > 0
Fixes a segfault with fuzzed sample sample_varPAR_s11622_r001-02.avi.

CC: libav-stable@libav.org
(cherry picked from commit 0b300daad2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:40 +01:00
Janne Grunau
b6592b402c flashsv: make sure data for zlib priming is available
Fixes a segfault in the fuzzed sample resolutionchange.flv_s314809.

CC: libav-stable@libav.org
(cherry picked from commit 3ae69b9166)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:40 +01:00
Janne Grunau
6cd92c3880 h264: enable low delay only if no delayed frames were seen
Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumably broken SPS.

CC: libav-stable@libav.org
(cherry picked from commit 706acb558a)

Conflicts:

	libavcodec/h264.c
2013-01-12 17:59:40 +01:00
Janne Grunau
522e97bd9e flashsv: check for keyframe before using differential coding
Fixes a segfault in the fuzzed sample resolutionchange.flv_s211713.

CC: libav-stable@libav.org
(cherry picked from commit 5ae72f5453)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:39 +01:00
Alex Converse
a4a63bf5b5 aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
Found-by: pawlkt
CC: libav-stable@libav.org
Fixes: CVE-2012-5144
(cherry picked from commit 6d5b009267)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-12 17:59:39 +01:00
Luca Barbato
3e700cc66b vp6: properly fail on unsupported feature
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.

Fixes: CVE-2012-2783
(cherry picked from commit be75fed975)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-05 12:02:22 +01:00
Luca Barbato
a5290800f5 mp3: properly forward mp_decode_frame errors
The function can return either a parsing error or a memory management
error.

Fixes: CVE-2012-2797

(cherry picked from commit 9ab0874ea8)

Conflicts:

	libavcodec/mpegaudiodec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-05 11:49:25 +01:00
Anton Khirnov
56c1e18a52 mpeg12: do not decode extradata more than once.
Fixes CVE-2012-2803.

CC: libav-stable@libav.org
(cherry picked from commit 5823686261)

Conflicts:

	libavcodec/mpeg12.c
2013-01-05 00:35:58 +01:00
Kostya Shishkov
c55ca98769 indeo3: when freeing buffers, set pointers referencing them to NULL as well
Related to CVE-2012-2804
(cherry picked from commit bc00da2701)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-05 00:27:34 +01:00
Kostya Shishkov
e5ea6539d4 indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
Related to CVE-2012-2804
(cherry picked from commit fc417db3f1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-05 00:26:25 +01:00
Janne Grunau
52adbc0e17 h264: Fix parameters to ff_er_add_slice() call
s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.

(cherry picked from commit e6160bda98)

Conflicts:

	libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-05 00:25:31 +01:00
Justin Ruggles
0ba0e31955 flacenc: ensure the order is within the min/max range in LPC order search
This fixes use of uninitialized values when the FLAC encoder uses the
2-level, 4-level, and 8-level search methods. Fixes failure of the
fate-flac-24-comp-8 test when run using valgrind.
(cherry picked from commit 3a2731cbd3)

Conflicts:

	libavcodec/flacenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-02 20:44:31 +01:00
Sami Pietila
9837f19693 vp8: reset loopfilter delta values at keyframes.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>

(cherry picked from commit 0bf511d579)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-02 20:29:41 +01:00
Luca Barbato
211badf068 vp56: release frames on error
Fixes CVE-2012-2783

CC: libav-stable@libav.org

(cherry picked from commit f33b5ba63e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-02 20:28:18 +01:00
Luca Barbato
145317d220 vp56: make parse_header return standard error codes
Returning 0 for failure is misleading.

CC: libav-stable@libav.org

(cherry picked from commit bb675d3ac6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-02 20:28:08 +01:00
Anton Khirnov
3fca5799c6 ivi_common: check that scan pattern is set before using it.
Fixes CVE-2012-2791.

CC: libav-stable@libav.org

(cherry picked from commit deabb52ab4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-01-02 20:25:32 +01:00
Mans Rullgard
6365b43295 svq3: replace unsafe pointer casting with intreadwrite macros
Signed-off-by: Mans Rullgard <mans@mansr.com>
2012-10-23 16:38:52 +02:00
Anton Khirnov
a0f6c93f52 lavc: remove stats_out from the options table.
Since it is declared as a string AVOption, the generic freeing code
attempts to free it on codec close. Some codecs might have already freed
it elsewhere (or didn't even allocate it with av_malloc() in the first
place), so this might lead to an invalid free.

There is no point in having this field accessible as an AVOption, so
remove it from the options table.

Fixes Bug 380.

CC: libav-stable@libav.org
(cherry picked from commit b691135d0c)

Conflicts:

	libavcodec/options_table.h
2012-10-22 18:51:50 +02:00
Alex Converse
8076d32f30 tiffenc: Check av_malloc() results.
(cherry picked from commit b92dfb56d4)

Conflicts:

	libavcodec/tiffenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-19 19:23:14 +02:00
Luca Barbato
0f3381ad5b mpegaudiodec: fix short_start calculation
The value should be always 3, as it follows from the specification.

Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-19 19:23:14 +02:00
Jindřich Makovička
9822e3aa52 h264: avoid stuck buffer pointer in decode_nal_units
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.

This can trigger an infinite loop in the caller code, e.g. in
try_decode_frame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.

With this change, the remaining bytes are skipped so the whole packet gets
consumed.

CC: libav-stable@libav.org

Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f6)

Conflicts:

	libavcodec/h264.c
2012-10-19 19:23:14 +02:00
Franz Brauße
443f1463c0 smacker audio: sign-extend the initial 16-bit predicted value
Fixes Bug #265

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 12cbbbb4ab)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-18 11:13:05 +02:00
Justin Ruggles
24025cc0b9 libvorbis: use VBR by default, with default quality of 3
(cherry picked from commit 147ff24a0e)

Conflicts:
	libavcodec/libvorbis.c

Fixes a part of Bug 277

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-18 10:53:51 +02:00
Justin Ruggles
5920d00d74 libvorbis: fix use of minrate/maxrate AVOptions
- enable the options for audio encoding
- properly check for user-set maxrate
- use correct calling order in vorbis_encode_setup_managed()
(cherry picked from commit 182d4f1f38)

Conflicts:
	libavcodec/libvorbis.c

Fixes a part of Bug 277

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-18 10:27:50 +02:00
Ronald S. Bultje
79fb7bc667 h264: fix deadlocks on incomplete reference frame decoding.
If decoding a second complementary field, and the first was
decoded in our thread, mark decoding of that field as complete.
If decoding fails, mark the decoded field/frame as complete.
Do not allow switching between field modes or field/frame mode
between slices within the same field/frame. Ensure that two
subsequent fields cover top/bottom (rather than top/frame,
bottom/frame or such nonsense situations).

Fixes various deadlocks when decoding samples with errors in
reference frames.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1e26a48fa2)

Fixes Bug 118

Conflicts:
	libavcodec/h264.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-18 10:00:14 +02:00
Sean McGovern
a2d4d9f4fb wmapro: prevent division by zero when sample rate is unspecified
This fixes Bugzilla #327.

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 3680b24351)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-10-18 07:41:21 +02:00
Michael Niedermayer
3c55bf1201 vc1dec: check that coded slice positions and interlacing match.
This fixes out-of-array writes.

Addresses: CVE-2012-2796

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 1100acbab2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-17 21:35:25 +02:00
Thilo Borgmann
dc5283dffc alsdec: fix number of decoded samples in first sub-block in BGMC mode.
Fixes CVE-2012-2790

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 66197988b1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-17 21:31:21 +02:00
Mans Rullgard
c28e1c12ad alsdec: remove dead assignments
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4ca6d206d1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-17 21:31:01 +02:00
Thilo Borgmann
c5f9c272e9 alsdec: Fix out-of-bounds read of ltp_gain_values.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 97f0efbfb8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-17 21:27:02 +02:00
Michael Niedermayer
0f81057c12 alsdec: Check that quantized parcor coeffs are within range.
ALS spec:
	11.6.3.1.1 Quantization and encoding of parcor coefficients
	...
	In all cases the resulting quantized values ak are restricted to the range [-64,63].

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5b051ec3bd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-17 21:26:46 +02:00
Michael Niedermayer
592ba67815 alsdec: Check k used for rice decoder.
Values that fail this check will cause failure of decode_rice().

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 23aae62c2c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-17 21:26:15 +02:00
Michael Niedermayer
2051adbfa0 cavsdec: check for changing w/h.
Our decoder does not support changing w/h.

Fixes CVE-2012-2777 and CVE-2012-2784.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a696306)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Michael Niedermayer
2bc1e4fcb9 indeo4: update AVCodecContext width/height on size change
Fixes CVE-2012-2787

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b146d74730)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Michael Niedermayer
6744eee1e5 wmaprodec: check num_vec_coeffs for validity
Fixes CVE-2012-2789

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 99f392a584)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Michael Niedermayer
14bba214fa lagarith: check count before writing zeros.
Fixes CVE-2012-2793

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b631e4ed64)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Anton Khirnov
1c8e2561b4 indeo3: fix out of cell write.
Fixes CVE-2012-2776.

CC: libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit e4d4044339)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Michael Niedermayer
5c413648c1 indeo5: check tile size in decode_mb_info().
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.

Fixes CVE-2012-2794

CC: libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2d09cdbaf2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Janne Grunau
3efe6becc7 indeo5: prevent null pointer dereference on broken files
Found by John Villamil <johnv@matasano.com>
(cherry picked from commit 366ac22ea5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Michael Niedermayer
dc8371b2b1 indeo5dec: Make sure we have had a valid gop header.
This prevents decoding happening on a half initialized context.

Fixes CVE-2012-2779

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 891918431d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Anton Khirnov
0815d9174c indeo4/5: check empty tile size in decode_mb_info().
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.

Based on a patch by Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2012-2800

CC: libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae55)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Anton Khirnov
332555f660 ivi_common: make ff_ivi_process_empty_tile() static.
It's not used outside of ivi_common.c.
(cherry picked from commit 5d2170c53b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:24 -04:00
Kostya Shishkov
c5ec190859 indeo: check for invalid motion vectors
(cherry picked from commit cf61aaaca1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:23 -04:00
Kostya Shishkov
b561618014 indeo: clear allocated band buffers
(cherry picked from commit 23ba1503f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:23 -04:00
Kostya Shishkov
e0daa15a96 indeo: track tile macroblock size
(cherry picked from commit a6e4ac40a6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-10-14 16:03:23 -04:00