Commit graph

8070 commits

Author SHA1 Message Date
Michael Niedermayer
64bc5f3bf7 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7:
  Update RELEASE file for 0.7.6
  Update changelog for 0.7.6 release
  ea: check chunk_size for validity.
  png: check bit depth for PAL8/Y400A pixel formats.
  x86: fix build with gcc 4.7
  qdm2: clip array indices returned by qdm2_get_vlc().
  kmvc: Check palsize.
  aacsbr: prevent out of bounds memcpy().
  rtpdec_asf: Fix integer underflow that could allow remote code execution
  dpcm: ignore extra unpaired bytes in stereo streams.
  tqi: Pass errors from the MB decoder
  h264: Add check for invalid chroma_format_idc
  adpcm: ADPCM Electronic Arts has always two channels
  h263dec: Disallow width/height changing with frame threads.
  vqavideo: return error if image size is not a multiple of block size
  celp filters: Do not read earlier than the start of the 'out' vector.
  motionpixels: Clip YUV values after applying a gradient.
  h263: more strictly forbid frame size changes with frame-mt.
  h264: additional protection against unsupported size/bitdepth changes.

Conflicts:
	Changelog
	RELEASE
	libavcodec/aacsbr.c
	libavcodec/h264_ps.c
	libavcodec/pngdec.c
	libavformat/rtpdec_asf.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-06-04 13:05:25 +02:00
Ronald S. Bultje
50336dc4f1 ea: check chunk_size for validity.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-06-03 19:16:37 +02:00
Michael Niedermayer
b15e85d820 rtpdec_asf: Fix integer underflow that could allow remote code execution
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Michael Niedermayer
b6cc1c77fd Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7: (84 commits)
  id3v2: fix skipping extended header in id3v2.4
  Update RELEASE file for 0.7.5
  lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
  kgv1dec: Increase offsets array size so it is large enough.
  kgv1: use avctx->get/release_buffer().
  kvmc: fix invalid reads
  nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
  mjpegbdec: Fix overflow in SOS.
  shorten: Use separate pointers for the allocated memory for decoded samples.
  shorten: check for realloc failure (cherry picked from commit 9e5e2c2d01)
  atrac3: Fix crash in tonal component decoding.
  ws_snd1: Fix wrong samples count and crash.
  ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f)
  ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
  dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
  h264: stricter reference limit enforcement.
  jvdec: unbreak video decoding
  xxan: don't read before start of buffer in av_memcpy_backptr().
  dsicinvideo: validate buffer offset before copying pixels.
  huffyuv: add padding to classic (v1) huffman tables.
  ...

Conflicts:
	RELEASE
	libavcodec/atrac3.c
	libavcodec/h264.c
	libavcodec/h264_parser.c
	libavcodec/kgv1dec.c
	libavcodec/shorten.c
	libavcodec/svq3.c
	libavcodec/ws-snd1.c
	libavcodec/xxan.c
	libswscale/utils.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-04-02 01:25:31 +02:00
Anton Khirnov
bc5d86d23d id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-04-01 19:20:50 +02:00
Diego Biurrun
6fe5038753 nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d4758)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
f2e412d050 smacker: error out if palette copy-with-offset overruns palette size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
853ce33dbc mov: Add more HDV and XDCAM FourCCs.
Reference: VLC
(cherry picked from commit b142496c56)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
5015ada0ec mov: Add support for MPEG2 HDV 720p24 (hdv4)
(cherry picked from commit 0ad522afb3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
b0888b8a48 dv: Fix small overread in audio frequency table.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
00fa6ffe1a dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
44e182d41e dv: Fix null pointer dereference due to ach=0
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
bb737d381f dv: check stype
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
0100c4b1b0 nsvdec: Propagate errors
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
be524c186b nsvdec: Be more careful with av_malloc().
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
65beb8c117 nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Ronald S. Bultje
433aaeb2f1 matroska: check buffer size for RM-style byte reordering.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c239f6026)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
a2d5e741a8 asf: don't seek back on EOF.
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
18caebca4c asf: error out on ridiculously large minpktsize values.
They cause various issues further down in demuxing.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
811989e910 rm: prevent infinite loops for index parsing.
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
cd6c5e16c6 swf: check return values for av_get/new_packet().
Prevents crashers when using the packet if allocation failed.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
9a331217b0 asf: prevent packet_size_left from going negative if hdrlen > pktlen.
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:26 +02:00
Ronald S. Bultje
6c12293f6c matroska: don't overwrite string values until read/alloc was succesful.
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:26 +02:00
Alex Converse
dd7b323d9a matroskadec: Pad AAC extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
(cherry picked from commit d2ee8c1779)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:26 +02:00
Michael Niedermayer
a3d331f2d8 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7: (96 commits)
  intfloat_readwrite: fix signed addition overflows
  smacker: validate channels and sample format.
  smacker: check buffer size before reading output size
  smacker: validate number of channels
  sipr: fix get_bits(0) calls
  motion_est: make MotionExtContext.map_generation unsigned
  4xm: prevent NULL dereference with invalid huffman table
  4xmdemux: prevent use of uninitialized memory
  4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
  ptx: check for out of bound reads
  tiffdec: fix out of bound reads/writes
  eacmv: check for out of bound reads
  eacmv: fix potential pointer arithmetic overflows
  adpcm: fix out of bound reads due to integer overflow
  anm: prevent infinite loop
  avsdemux: check for out of bound writes
  avs: check for out of bound reads
  avsdemux: check for corrupted data
  mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
  vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
  ...

Conflicts:
	libavcodec/adpcm.c
	libavcodec/bink.c
	libavcodec/h264.c
	libavcodec/h264.h
	libavcodec/h264_cabac.c
	libavcodec/h264_cavlc.c
	libavcodec/motion_est_template.c
	libavcodec/mpegvideo.c
	libavcodec/nellymoserdec.c
	libavcodec/ptx.c
	libavcodec/svq3.c
	libavcodec/vaapi_vc1.c
	libavcodec/xan.c
	libavfilter/vf_scale.c
	libavformat/4xm.c
	libavformat/flvdec.c
	libavformat/mpeg.c
	tests/ref/fate/motionpixels

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-03-19 05:14:44 +01:00
Laurent Aimar
5ab326d7db 4xmdemux: prevent use of uninitialized memory
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 79964745b3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:40 +01:00
Laurent Aimar
7fa13e12e6 avsdemux: check for out of bound writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 6de33611c9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:40 +01:00
Laurent Aimar
b696d61518 avsdemux: check for corrupted data
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 76c6971a64)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:40 +01:00
Alex Converse
a23bcc923d mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
(cherry picked from commit 0c46e958d1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:36 +01:00
Mans Rullgard
2c99aa48d7 lavf: fix signed overflow in avformat_find_stream_info()
On the first iteration through this code, last_dts is always
INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in
an invalid manner.  Although the result is only used if the
input values are valid, performing the subtraction is still
not allowed in a strict environment.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit a31e9f68a4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:35 +01:00
Alex Converse
4faa00b256 mpegps: Use av_get_packet() instead of poorly emulating it.
(cherry picked from commit 98ef887a75)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:31 +01:00
Laurent Aimar
fce03f8783 mpc8: Fix return value on EOF
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1e3336de69)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:30 +01:00
Laurent Aimar
ea5a5f0908 segafilm: Check for memory allocation failures in segafilm demuxer.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1775b92fee)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:30 +01:00
Martin Storsjö
151aaf539f lavf: Avoid using av_malloc(0) in av_dump_format
On OS X, av_malloc(0) returns pointers that cause crashes when
freed.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:17 +01:00
Justin Ruggles
ce80957cf1 sol: return error if av_get_packet() fails.
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:17 +01:00
Laurent Aimar
74f4c1358c flvdec: Fix invalid pointer deferences when parsing index
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2b4e49d428)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:17 +01:00
Alex Converse
2f62b677cc mpegps: Handle buffer exhaustion when reading packets.
(cherry picked from commit 9fba8ebe0a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:14 +01:00
Alex Converse
684f671f28 mp4: Don't read an empty Decoder Config Descriptor
(cherry picked from commit 1c2e07b811)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-03-18 17:50:11 +01:00
Michael Niedermayer
3b0b8c6531 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7:
  matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
  vorbis: Avoid some out-of-bounds reads
  vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e4)
  avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address.
  vp3: fix streams with non-zero last coefficient

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-08 06:53:38 +01:00
Chris Evans
1f625431e2 matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry-picked from commit faaec4676c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-07 22:01:19 +01:00
Michael Niedermayer
d38580a7bb mpegtsenc: fix handling of large audio packets
(sorry i have no sample, just a user report)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e31c5ebe11)

Conflicts:

	libavformat/mpegtsenc.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-12-09 03:45:40 +01:00
Michael Niedermayer
5c6a2d9878 ac3probe: Detect Sonic Foundry Soft Encode AC3 as raw AC3.
Our ac3 code chain can handle it fine.
More ideal would be to write a demuxer that actually extracts what can be from the additional
headers and uses it for whatever it can be used for.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 30ca700ba1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-11-21 16:47:53 +01:00
Michael Niedermayer
17c54e9317 mjpeg: support mpo
Fixes stereoscopic_photo.mpo

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1d23e5246c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-11-21 16:47:49 +01:00
Michael Niedermayer
14d4eee547 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7:
  Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info.
  lavf: fix multiplication overflow in avformat_find_stream_info()
  lavf: fix invalid reads in avformat_find_stream_info()
  lavf: add avformat_find_stream_info()
  lavc: fix parentheses placement in avcodec_open2().
  lavc: introduce avcodec_open2() as a replacement for avcodec_open().

Conflicts:
	doc/APIchanges
	libavcodec/utils.c
	libavcodec/version.h
	libavformat/avformat.h
	libavformat/version.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2011-11-20 03:27:50 +01:00
Anton Khirnov
07624cfeaa Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info. 2011-11-19 10:22:27 +01:00
Mans Rullgard
d6f763659c lavf: fix multiplication overflow in avformat_find_stream_info()
Converting to double before the multiplication rather than after
avoids an integer overflow in some cases.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 52767d891c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-11-19 10:22:27 +01:00
Anton Khirnov
e297459eb6 lavf: fix invalid reads in avformat_find_stream_info()
(cherry picked from commit e358f7ee90)

Conflicts:

	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-11-19 10:22:27 +01:00
Anton Khirnov
afe2726089 lavf: add avformat_find_stream_info()
It supports passing options to codecs.
(cherry picked from commit a67c061e0f)

Conflicts:

	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2011-11-19 10:22:27 +01:00
Michael Niedermayer
64a854d06b rawdec: use a default sample rate if none is specified.
Fixes "ffmpeg -f s16le -i /dev/zero"

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fca85ce5ec)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-11-18 23:09:56 +01:00
Stefano Sabatini
91805f06a3 rawdec: add check on sample_rate
Prevent error condition in case sample_rate is unset or set to a negative
value. In particular, fix divide-by-zero error occurring in ffmpeg due to
sample_rate set to 0 in output_packet(), in code:

                ist->next_pts += ((int64_t)AV_TIME_BASE * ist->st->codec->frame_size) /
                    ist->st->codec->sample_rate;

Fix trac ticket #324.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-11-18 21:33:11 +01:00