This feature is not know much or used much AFAIK, and it might be helpfull in
exploits.
No specific case is known where it can be used in an exploit though
subsequent commits depend on this commit though
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 984d58a344)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This feature is mostly only used by NLE software, and is
both of dubious value being enabled by default, and a
possible security risk.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 712d962a6a)
Conflicts:
libavformat/isom.h
libavformat/mov.c
libavformat/version.h
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Conflicts:
libavformat/mov.c
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1cb2331eca)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes NULL pointer dereferencing if the codec is forced to
adpcm_thp even though a different one was detected.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bcf4ee26a0)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes NULL pointer dereferencing.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d7d37c479f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes segmentation faults caused by passing a packet_ptr of NULL to
memcpy.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 40eb2531b2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The size of decoding map can differ from one calculated
internally, producing artifacts while decoding video.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit c293ef258c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes a null pointer dereference at least
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cfda1bea4c)
Conflicts:
libavformat/hls.c
No case is known where these are needed
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ba42b6482)
Conflicts:
libavformat/hls.c
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Conflicts:
libavformat/hls.c
Fixes out of array read
Fixes: 03c406ec9530e594a074ce2979f8a1f0/asan_heap-oob_7dec26_4664_37c52495b2870a2eaac65f53958e76c1.flac
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 115fb6d03e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Ticket4914
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b51e7554e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes a mpegts file with hevc that fails estimating duration. Increasing number of
retries fixes the issue.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d8c2f1a28)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes CID1238790
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e6971db12b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f6830cf5ba)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes NULL pointer dereferencing.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9fcfe4a3cd)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.
Also fix potential overflow of avio_tell(bc) + value_len.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ce10f572c1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9f82506c79)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
A negative codec_id cannot be handled by the found_decoder API of
AVStream->info: if the codec_id is not recognized, found_decoder is set
to -codec_id, which has to be '<0' according to the API documentation.
This can cause NULL pointer dereferencing in try_decode_frame.
Also make sure the codec_type matches the expected one for codec_id.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ecf63b7cc2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If size is zero, avio_get_str fails, leaving the buffer uninitialized.
This causes invalid reads in av_set_options_string.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a611375db5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
ts->mux_rate is int (signed 32-bit) type. The period calculations
will start to overflow when mux_rate > 5mbps. This fixes overflows
by converting first to 64-bit type.
Fixes#5044.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64f7db554e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes part of mozilla bug 1229167
Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e7f452022)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The XTEA algorithm operates on 32 bit numbers, not on byte sequences.
The XTEA implementation in libavutil is written assuming big endian
numbers, while the rtmpe signature encryption assumes little endian.
This fixes rtmpe communication with rtmpe servers that use signature
type 8 (XTEA), e.g. crunchyroll.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Unrecognized streams are not allocated
Fixes: flicker-1.color1.vp91447030769.08.webm
Found-by: Chris Cunningham <chcunningham@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5034b324c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b6fac11da)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This fixes access to Grandstream cameras, which return 401 to ffmpeg
otherwise.
VLC sends Authorization: header with spaces between parameters, and it
is known to work with Grandstream devices and broad range of other HTTP
and RTSP servers, so author considers switching to such behaviour safe.
Just for record - RFC 2617 (HTTP Auth) does not specify the need in
spaces, so this is not a bug of FFmpeg.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fdb3283872)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Not requiring this can end up producing hilariously broken files
together with -c:s copy (e.g. a webvtt file containing binary subtitle data).
Signed-off-by: Simon Thelen <ffmpeg-dev@c-14.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b84232694e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee155c18a2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 781efd0741)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes Ticket4777
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db91e0edb6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Previously only the edit_rate of material_track was checked.
If it's negative, it causes assertion failures in av_rescale_rnd.
Reviewed-by: Tim Nicholson <nichot20-at-yahoo.com@ffmpeg.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 047bf82c18)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db374790c7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189420cb56)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise sm_size can be larger than size, which results in a negative
packet size.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6b9fdf7f4f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes infinite loop and segfault in ogg_buffer_data()
Fixes Ticket4806
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81a8701eb5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c6beaed92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
There can be other headers than "Content-Type:" (in this case, a
"Content-Length:" header was following), so checking for a trailing
newline is wrong.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf51fcd304)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If bit_rate is negative, it can trigger an av_assert2 in av_rescale_rnd.
Since av_rescale returns int64_t, but st->codec_bit_rate is int, it can
also overflow into a negative value.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eec40b713)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
