Commit graph

19272 commits

Author SHA1 Message Date
Derek Buitenhuis
82e5f2c76b avformat/webmdashenc: Validate the 'streams' adaptation sets parameter
It should not be a value larger than the number of streams we have,
or it will cause invalid reads and/or SIGSEGV.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ec07efa700)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:22 +02:00
Derek Buitenhuis
a1d740ff09 avformat/webmdashenc: Require the 'adaptation_sets' option to be set
This seems to be non-optional, and if the muxer is run without it,
strlen() is run on NULL, causing a segfault.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cbd3a68f3e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:22 +02:00
Michael Niedermayer
a46e0879b9 avformat/oggparseogm: Check ff_alloc_extradata() for failure
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9eff4b0d2b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:22 +02:00
Michael Niedermayer
5002123109 avformat/oggparseogm: Check available data before reading global header
Fixes use of uninitialized data

Found-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 170d864d2c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:22 +02:00
Michael Niedermayer
0a966b056f avformat/oggparsedaala: Do not leave an invalid value in gpshift
Fixes: undefined behavior
Fixes: 702974

Found-by: Thomas Guilbert <tguilbert@google.com>
Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 23ae3cc822)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:22 +02:00
Michael Niedermayer
dc4fc25200 avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE
This avoids an integer overflow
the solution matches oggparsevorbis.c and 45581ed15d

Fixes: 700242

Found-by: Thomas Guilbert <tguilbert@google.com>
Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 679a315424)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:22 +02:00
Michael Niedermayer
3364c8c53a avformat/http: Check for truncated buffers in http_connect()
Reported-by: SleepProgger <security@gnutp.com>
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8fa18e042a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:21 +02:00
Matt Wolenetz
5cd2fcd0a7 lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (senc,saiz portions)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 36aba43bd5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:21 +02:00
Matt Wolenetz
0abc88f0fd lavf/mov.c: Avoid OOB in mov_read_udta_string()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (udta_string portion)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9bbdf5d921)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:21 +02:00
James Almer
b014fa21d4 avformat/apng: fix setting frame delay when max_fps is set to no limit
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 874eb012f7)
2017-03-21 20:21:53 -03:00
Carl Eugen Hoyos
007cf1786c lavf/mpeg: Initialize a stack variable used by memcmp().
Silence a valgrind warning.

Fixes ticket #6160.
(cherry picked from commit a5c1c7a8b3)
2017-02-21 02:16:18 +01:00
Matt Wolenetz
02a5e88ebc lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Matt Wolenetz
b6efd022b7 lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Chris Cunningham
a4fb905a14 lavf/matroskadec: fix is_keyframe for early Blocks
Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.

The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).

Now using INT64_MIN to denote "no reference".

Reported to chromium at http://crbug.com/497889 (contains sample)

(cherry picked from commit ac25840ee3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Frank Liberato
197e4693f6 avformat/flacdec: Check avio_read result when reading flac block header.
Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Tobias Rapp
c26cbe6c2e avformat/avidec: skip odml master index chunks in avi_sync
Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Chris Cunningham
693288c344 avformat/mp3dec: fix msan warning when verifying mpa header
MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
Reference https://crbug.com/666874.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab87df9a47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
3d9c007b61 avformat/utils: Print verbose error message if stream count exceeds max_streams
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd53871)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
5b8ee8f013 avformat/options_table: Set the default maximum number of streams to 1000
Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
b18a571e23 avformat: Add max_streams option
This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f84495)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
119301d312 avformat/oggdec: Skip streams in duration correction that did not had their duration set.
Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Ronald S. Bultje
ce44100cb0 http: move chunk handling from http_read_stream() to http_buf_read().
(cherry picked from commit 845bb40178)
2016-12-05 16:20:06 -05:00
Ronald S. Bultje
18e3e322b3 http: make length/offset-related variables unsigned.
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813)
2016-12-05 16:20:06 -05:00
Michael Niedermayer
b0ebef0578 avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:37:48 +01:00
Michael Niedermayer
a7c7543a3d avformat/ffmdec: Check media type for chunks
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
c2e4ced78e avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
cc27b8e09f avformat/utils: Check start/end before computing duration in update_stream_timings()
Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
60ca730d21 avformat/idroqdec: Check chunk_size for being too large
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
ebe104e827 avformat/utils: Fix type mismatch
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a06e84b56e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
42a20f1fea avformat/mpeg: Adjust vid probe threshold to correct mis-detection
Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a230)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
e90fbc86c1 avformat/flvdec: Fix regression loosing streams
Fixes: unknown_video.flv

Found-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 077939626e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Michael Niedermayer
b6b7034416 avformat/isom: Fix old API regression with exporting max bitrate
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d88a6bedb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 18:29:12 +01:00
Andreas Cadhalpun
d0f8741a5a flvdec: require need_context_update when changing codec id
Otherwise the codec context and codecpar might disagree on the codec id,
triggering asserts in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 98b3a7979f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
312757eb84 sbgdec: prevent NULL pointer access
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
e2de6f31c0 rmdec: validate block alignment
This fixes division by zero crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit de4ded0636)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
315f1dea84 mxfdec: fix NULL pointer dereference in mxf_read_packet_old
Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
b4f42e5c85 ffmdec: validate codec parameters
A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1c7da19a4b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:07 +01:00
Andreas Cadhalpun
52d8c1e474 filmstripdec: correctly check image dimensions
This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c5644)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:06 +01:00
Andreas Cadhalpun
c35a140e71 icodec: correctly check avio_read return value
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
6a7f0585ab icodec: add ico_read_close to fix leaking ico->images
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d54c95a143)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
356e035773 icodec: fix leaking pkt on error
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1be)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
e1c1cb4aa1 mpegts: prevent division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:05 +01:00
Andreas Cadhalpun
c19e965704 matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
The code assumes that s->streams[0] is valid.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:04 +01:00
Andreas Cadhalpun
50d34cbf5a mxfdec: fix NULL pointer dereference
Metadata streams have priv_data set to NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0efb610611)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:04 +01:00
Andreas Cadhalpun
d77684b853 dcstr: fix division by zero
Also check for possible overflows.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b0a043f51b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:03 +01:00
Andreas Cadhalpun
2c52b74980 aiff: check block_align in aiff_read_packet
It can be unset in avcodec_parameters_from_context and a value of 0
causes SIGFPE crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 93c39db5f1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:03 +01:00
Andreas Cadhalpun
13f032abbb rsd: limit number of channels
Negative values don't make sense and too large values can cause
overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata
buffer being allocated, causing out-of-bounds writes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ee5f0f1d35)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
d69dc10466 avformat: prevent triggering request_probe assert in ff_read_packet
If probe_codec is called with pkt == NULL, it sets probe_packets to 0
and request_probe to -1.
However, request_probe can change when calling s->iformat->read_packet
and thus a probe_packets value of 0 doesn't guarantee a request_probe
value of -1.
In that case calling probe_codec again is necessary to prevent
triggering the assert.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5b4476a60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
d4f64a0f54 westwood_aud: prevent division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bc7e128a6e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00
Andreas Cadhalpun
b3991ccd11 astdec: fix division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9959a52b14)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:28:02 +01:00