Commit graph

32471 commits

Author SHA1 Message Date
Anton Khirnov
3aebdffb01 cdgraphics: switch to bytestream2
Fixes possible invalid memory accesses on corrupted data.

CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-06 18:51:49 +00:00
Michael Niedermayer
a1804df66a huffyuvdec: check width size for yuv422p
Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a7153444df)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavcodec/huffyuvdec.c
2014-08-05 20:17:19 +00:00
Michael Niedermayer
e17dc0a254 mmvideo: check horizontal coordinate too
Fixes out of array accesses.

Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 70cd3b8e65)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-05 19:32:56 +00:00
Diego Biurrun
4a6622550a huffyuv: Check and propagate function return values
Bug-Id: CVE-2013-0868

inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

(cherry picked from commit 744b406ff3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

Conflicts:
	libavcodec/huffyuvdec.c
2014-08-04 00:24:21 -07:00
Mans Rullgard
50493f1f7d twinvq: fix out of bounds array access
ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.

This fixes crashes with gcc 4.8.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4bf2e7c5f1)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-08-01 07:51:18 -07:00
Janne Grunau
3e60501f31 h264: slice-mt: check master context for valid current_picture_ptr
Fixes errors in slice based multithreading introduced in 0b300daad2.

CC: libav-stable@libav.org
(cherry picked from commit 5945c7b35d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-08-01 07:37:14 -07:00
Vittorio Giovara
7585a6254b h264: prevent theoretical infinite loop in SEI parsing
Properly address CVE-2011-3946 and parse bitstream as described in the spec.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
2014-08-01 13:40:11 +01:00
Michael Niedermayer
184c79729d h264_sei: check SEI size
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
2014-08-01 13:39:51 +01:00
Michael Niedermayer
a465ed5707 pgssubdec: Check RLE size before copying
Make sure the buffer size does not exceed the expected
RLE size.

Prevent an out of array bound write.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 00915d3cd2)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-08-01 05:19:04 -07:00
Diego Biurrun
976f2e0a54 x86: Fix linking with some or all of yasm, mmx, optimizations disabled
Some optimized template functions reference optimized symbols, so they
must be explicitly disabled when those symbols are unavailable.

(cherry picked from commit ec36aa6944)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-07-31 18:05:34 -07:00
Diego Biurrun
28f2d3c5a5 cmdutils: Conditionally compile libswscale-related bits
This fixes compilation with libswscale disabled.

(cherry picked from commit ab79966475)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-07-31 16:44:11 -07:00
Bernhard Übelacker
277103e07f video4linux2: Avoid a floating point exception
This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.

(cherry picked from commit dc71f19588)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-07-30 13:09:09 -07:00
Diego Biurrun
e4fdfdf65d vf_select: Drop a debug av_log with an unchecked double to enum conversion
CC: libav-stable@libav.org
(cherry picked from commit a8d803a320)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-07-30 13:06:22 -07:00
Anton Khirnov
187cfd3c13 eamad: use the bytestream2 API instead of AV_RL
This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d)

CC:libav-stable@libav.org

Conflicts:
	libavcodec/eamad.c

(cherry picked from commit f9204ec56a)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-07-30 12:42:35 -07:00
Reinhard Tartler
e122fb594a Update Changelog for 0.8.13 2014-06-26 21:34:03 -04:00
Reinhard Tartler
359383c983 Prepare for 0.8.13 Release 2014-06-26 21:33:18 -04:00
Luca Barbato
e7f5dacd55 lzo: Handle integer overflow
get_len can overflow for specially crafted payload.

Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b14c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	libavutil/lzo.c
2014-06-25 14:40:56 +02:00
Sean McGovern
9c7321e2b8 sgidec: fix an incorrect backport
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-06-17 21:50:20 +02:00
Reinhard Tartler
9552b37e26 Add some bug references 2014-06-01 16:12:58 -04:00
Sean McGovern
d75b149757 Update Changelog for 0.8.12 2014-06-01 14:20:46 -04:00
Reinhard Tartler
516ea2dccd Prepare for 0.8.12 Release 2014-05-31 20:09:10 -04:00
Janne Grunau
6f4404b24b h264: set parameters from SPS whenever it changes
Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with
alternating bit depths.
2014-05-31 20:07:52 -04:00
Martin Storsjö
110680c5a2 alac: Limit max_samples_per_frame
Otherwise buffer size calculations in allocate_buffers could
overflow later, making the code think a large enough buffer
actually was allocated.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
2014-05-31 20:07:52 -04:00
Luca Barbato
7fa7270029 swscale: Fix an undefined behaviour
Prevent a division by zero down the codepath.

Sample-Id: 00001721-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
2014-05-31 20:07:52 -04:00
Rafaël Carré
65c3593792 apedec: do not buffer decoded samples over AVPackets
Only consume an AVPacket when all the samples have been read.

When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:

- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exist) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet).

That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).

Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape

Bug-Debian: http://bugs.debian.org/744901
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb812)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-05-31 20:07:52 -04:00
Mark Himsley
b7b798a1af isom: lpcm in mov default to big endian
It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.

I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]

Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.

This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.

[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178

Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
2014-05-31 20:07:52 -04:00
Baptiste Coudurier
5463a2b056 movdec: handle 0x7fff langcode as macintosh per the specs
The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.

(cherry picked from commit 9e71cc81f3)
(cherry picked from commit 7940306a47)
2014-05-31 20:07:51 -04:00
Michael Niedermayer
42dcfe32a8 avi: Improve non-interleaved detection
Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.

Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.

Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-05-31 20:07:51 -04:00
Anton Khirnov
079758e49a h264: reset next_output_pic earlier in start_frame()
In case start_frame() fails, this potentially invalid frame can still be
output to the caller.

Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206
2014-05-31 20:07:51 -04:00
Justin Ruggles
a0a90b1a11 tiffdec: use bytestream2 to simplify overread/overwrite protection
Based on a patch by Paul B Mahol <onemda@gmail.com>

CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Justin Ruggles
fa60904ebd bytestream: add bytestream2_copy_buffer() functions
This is basically an overread/overwrite-safe memcpy between a
GetByteContext and a PutByteContext.

CC:libav-stable@libav.org
(cherry picked from commit 5748faf291)
2014-05-31 20:05:19 -04:00
Paul B Mahol
b473fdcde3 bytestream: add functions for accessing size of buffer
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>

CC:libav-stable@libav.org
(cherry picked from commit de9d2705f6)
2014-05-31 20:05:19 -04:00
John Stebbins
db52f056c3 movenc: allow override of "writing application" tag
Signed-off-by: Tim Walker <tdskywalker@gmail.com>

CC: libav-stable@libav.org
(cherry picked from commit 565e0c6d86)
2014-05-31 20:05:19 -04:00
John Stebbins
330c180324 matroskaenc: allow override of "writing application" tag
Signed-off-by: Tim Walker <tdskywalker@gmail.com>

CC: libav-stable@libav.org
(cherry picked from commit 0092c1dd8d)
2014-05-31 20:05:19 -04:00
Luca Barbato
1dce4a031f avfilter: Add missing emms_c when needed
Arch specific calls should have an emms_c following to keep the cpu
state consistent.

Reported-By: wm4
CC: libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Janne Grunau
9938e450c8 mpeg12: check scantable indices in all decode_block functions
Add checks to the fast functions used with CODEC_FLAGS2_FAST and move
the check for all other functions to before the invalid memory is
accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with
CODEC_FLAGS2_FAST.

CC: libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
71b8c8430c sgidec: fix buffer size check in expand_rle_row()
Right now it will spuriously fail if the linesize is exactly equal to
the data width.

CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
d0ecfe3249 adx: check that the offset is not negative
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 5569146d48)
2014-05-31 20:05:19 -04:00
Anton Khirnov
07558d0b9f mpegvideo: set reference/pict_type on generated reference frames
Otherwise the generic code will unref them, which can then result in
last_picture_ptr == current_picture_ptr, which causes deadlocks at least
in rv40.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
27ac9585c9 h264: reset data partitioning at the beginning of each decode call
Prevents using GetBitContexts with data from previous calls.

Fixes access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
35ba079fbf h264: reset ref count if decoding the slice header fails
Otherwise the ER code might try to use some already freed references.

Fixes possible access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
a7cce9ebf3 h264: reset first_field if frame_start() fails for missing refs
In this case we may not have a current frame, while first_field being
set implies we do.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
51ae8e26af h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
c4033cd4eb h264: reject mismatching luma/chroma bit depths during sps parsing
There is no point in delaying the check and it avoids bugs with a
half-initialized context.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:19 -04:00
Anton Khirnov
7f33a24e82 h264: check that execute_decode_slices() is not called too many times
Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:18 -04:00
Anton Khirnov
0f71a5df4b h264: do not use 422 functions for monochrome
Fixes invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:18 -04:00
Anton Khirnov
3ee26080d6 h264: reset data_partitioning if decoding the slice header for NAL_DPA fails
If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:18 -04:00
Anton Khirnov
e0d8a17402 h264_refs: make sure not to write over the bounds of the default ref list
Fixes invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:18 -04:00
Anton Khirnov
2cbc8dfedd h264: check buffer size before accessing it
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-05-31 20:05:18 -04:00
Mans Rullgard
afab4c422b configure: use utilities from /usr/xpg4/bin if it exists
Solaris defaults to non-standard utilities (grep, sed, ...) with
proper ones being in /usr/xpg4/bin.  Prefixing PATH with this
directory when it exists ensures we get correct variants.

Signed-off-by: Mans Rullgard <mans@mansr.com>
2014-05-31 20:05:18 -04:00