Commit graph

18769 commits

Author SHA1 Message Date
Michael Niedermayer
98f93f5272 avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE
This avoids an integer overflow
the solution matches oggparsevorbis.c and 45581ed15d

Fixes: 700242

Found-by: Thomas Guilbert <tguilbert@google.com>
Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 679a315424)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-17 20:35:19 +02:00
Michael Niedermayer
d5cdae9e35 avformat/http: Check for truncated buffers in http_connect()
Reported-by: SleepProgger <security@gnutp.com>
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8fa18e042a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-17 20:35:19 +02:00
James Almer
48706b9fef avformat/apng: fix setting frame delay when max_fps is set to no limit
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 874eb012f7)
2017-03-21 20:21:41 -03:00
Carl Eugen Hoyos
dffd455b9b lavf/mpeg: Initialize a stack variable used by memcmp().
Silence a valgrind warning.

Fixes ticket #6160.
(cherry picked from commit a5c1c7a8b3)
2017-02-21 02:16:23 +01:00
Matt Wolenetz
c63e587566 lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (senc,saiz portions)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 36aba43bd5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-10 12:16:24 +01:00
Matt Wolenetz
b5c13002d1 lavf/mov.c: Avoid OOB in mov_read_udta_string()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (udta_string portion)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9bbdf5d921)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-10 12:14:40 +01:00
Matt Wolenetz
dc1e099bf2 lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 11:05:51 +01:00
Matt Wolenetz
4f7064c9da lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 04:08:26 +01:00
Chris Cunningham
be0e26d107 lavf/matroskadec: fix is_keyframe for early Blocks
Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.

The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).

Now using INT64_MIN to denote "no reference".

Reported to chromium at http://crbug.com/497889 (contains sample)

(cherry picked from commit ac25840ee3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-06 11:00:26 +01:00
Frank Liberato
44eaff5e6d avformat/flacdec: Check avio_read result when reading flac block header.
Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-03 15:59:14 +01:00
Tobias Rapp
a6639334df avformat/avidec: skip odml master index chunks in avi_sync
Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-03 15:59:14 +01:00
Michael Niedermayer
198c8924c6 avformat/utils: Print verbose error message if stream count exceeds max_streams
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd53871)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-03 15:59:14 +01:00
Michael Niedermayer
4535861ef8 avformat/options_table: Set the default maximum number of streams to 1000
Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-03 15:59:14 +01:00
Michael Niedermayer
7dd1cc6076 avformat: Add max_streams option
This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f84495)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-10 22:42:03 +01:00
Michael Niedermayer
7c68d5e701 avformat/oggdec: Skip streams in duration correction that did not had their duration set.
Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-09 17:46:10 +01:00
Ronald S. Bultje
726faff0aa http: move chunk handling from http_read_stream() to http_buf_read().
(cherry picked from commit 845bb40178)
2016-12-05 16:50:51 -05:00
Ronald S. Bultje
2e3f0a1c6f http: make length/offset-related variables unsigned.
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813)
2016-12-05 16:50:50 -05:00
Michael Niedermayer
a5513ae7bc avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 22:05:37 +01:00
Michael Niedermayer
9f7eb718e9 avformat/ffmdec: Check media type for chunks
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
e9003828dd avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
66e8f87ebc avformat/utils: Check start/end before computing duration in update_stream_timings()
Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
ff01dbb6ec avformat/idroqdec: Check chunk_size for being too large
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
2caee48576 avformat/mpeg: Adjust vid probe threshold to correct mis-detection
Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a230)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
bab7d72d46 avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fecb3e82a4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Mark Harris
9375a7d85e avformat/icodec: Fix crash probing fuzzed file
Avoid invalid memory read/crash when frame offset >= 0xfffffff8.
Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
(The previous commit verifies that p->buf_size >= 22.)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 56e2cd9c04)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:58 +01:00
Andreas Cadhalpun
e8ab2bd2ac dcstr: fix division by zero
Also check for possible overflows.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b0a043f51b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:58 +01:00
Andreas Cadhalpun
45b18fbb9a rsd: limit number of channels
Negative values don't make sense and too large values can cause
overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata
buffer being allocated, causing out-of-bounds writes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ee5f0f1d35)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:58 +01:00
Andreas Cadhalpun
80b85300ae sbgdec: prevent NULL pointer access
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
1c282152c1 mxfdec: fix NULL pointer dereference in mxf_read_packet_old
Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
e93934e100 filmstripdec: correctly check image dimensions
This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c5644)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
3047b0a4a3 icodec: correctly check avio_read return value
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
05e6606ba9 icodec: add ico_read_close to fix leaking ico->images
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d54c95a143)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
c3307f7e9e icodec: fix leaking pkt on error
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1be)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
3d82cebdd2 mpegts: prevent division by zero
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
5801482379 matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
The code assumes that s->streams[0] is valid.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
e78d9f3f35 mxfdec: fix NULL pointer dereference
Metadata streams have priv_data set to NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0efb610611)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
0009cf348a avformat: prevent triggering request_probe assert in ff_read_packet
If probe_codec is called with pkt == NULL, it sets probe_packets to 0
and request_probe to -1.
However, request_probe can change when calling s->iformat->read_packet
and thus a probe_packets value of 0 doesn't guarantee a request_probe
value of -1.
In that case calling probe_codec again is necessary to prevent
triggering the assert.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5b4476a60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:51 +01:00
Michael Niedermayer
8c43f32057 avformat/avidec: Check nb_streams in read_gab2_sub()
Fixes null pointer dereference
Fixes: 1/null_point.avi

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2679ad4773)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Michael Niedermayer
77d5a237ef avformat/avidec: Remove ancient assert
This assert can with crafted files fail, a warning is already printed
for this case.

Fixes assertion failure
Fixes:1/assert.avi

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 14bac7e00d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Michael Niedermayer
fb7617df4e avformat/avidec: Fix memleak with dv in avi
Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b98dafe045)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Michael Niedermayer
7fefa4138d avformat/movenc: Check packet in mov_write_single_packet() too
Fixes assertion failure

Found-by: durandal117
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2834313933)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Michael Niedermayer
a1f77124c8 avformat/movenc: Factor check_pkt() out
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit deabcd2c05)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Xinzheng Zhang
f2f7d49f41 avformat/utils: fix timebase error in avformat_seek_file()
When there is only one stream and stream_index has not specified,
The ts has been transferd by the timebase of stream0 without modifying the stream_index
In this condation it cause seek failure.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ecc04b4f2f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Michael Niedermayer
b7b3b0086d avformat/movenc: Check first DTS similar to dts difference
Fixes assertion failure
Fixes: b84b53855a0b74560e64c6f45f505a13/signal_sigabrt_7ffff6ae7c37_3837_ef4e243ea5b4fa8d0becf4afe9166604.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 68f4c2163e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Sergey Volk
9259b7f38e avformat/mov: Fix potential integer overflow in mov_read_keys
Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 347cb14b7c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-28 17:11:52 +02:00
Carl Eugen Hoyos
73b644cdee lavf/utils: Avoid an overflow for huge negative durations.
Fixes ticket #5135.
(cherry picked from commit 267da70ea8)
2016-09-24 21:08:23 +02:00
Michael Niedermayer
1d90326f95 avformat/avidec: Fix infinite loop in avi_read_nikon()
Fixes: 360/test.poc

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4e4a9cad7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-05 01:01:35 +02:00
Michael Niedermayer
1b47c278a6 avformat/utils: End probing if the expected codec surpasses AVPROBE_SCORE_STREAM_RETRY
Fixes Ticket5800

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c75273310c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-05 01:01:35 +02:00
Michael Niedermayer
2858f77fd4 avformat/wtvdec: Check pointer before use
Fixes out of array read
Fixes: 049fdf78565f1ce5665df236d90f8657/asan_heap-oob_10a5a97_1026_42f9d4855547329560f385768de2f3fb.wtv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cc5e5548df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-05 01:01:35 +02:00
Michael Niedermayer
ca92adafb0 avformat/swfdec: Fix inflate() error code check
Fixes infinite loop
Fixes endless.poc

Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a453bbb68f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-05 01:01:35 +02:00