Commit graph

39420 commits

Author SHA1 Message Date
Xiaohan Wang
a9602c6cfb matroskadec: Fix read-after-free in matroska_read_seek()
In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.

This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.

Bug-Id: chromium/427266
2015-01-27 14:35:24 +00:00
Michael Niedermayer
f249e98891 smc: fix the bounds check
Fixes invalid writes when there are more blocks in a run than total
remaining blocks.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d423dd72be)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 58dc526ebf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-20 10:53:40 +01:00
Michael Niedermayer
92888e9ed4 gifdec: refactor interleave end handling
Fixes invalid writes with very small image heights.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0b39ac6f54)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit eac49477aa)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-20 10:53:37 +01:00
Anton Khirnov
3f10a779b4 mmvideo: check frame dimensions
The frame size must be set by the caller and each dimension must be a
multiple of 2.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 69a930b988)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-20 10:53:35 +01:00
Anton Khirnov
8f238dd9bd jvdec: check frame dimensions
The frame size must be set by the caller and each dimension must be a
multiple of 8.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 88626e5af8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 55788572ea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-20 10:53:32 +01:00
Anton Khirnov
da4f5d9d77 mjpegdec: check for pixel format changes
Fixes possible invalid memory access.

Based on code by Michael Niedermayer <michaelni@gmx.at>

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8541
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 809c3023b6)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit aa7a19b417)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-20 10:53:28 +01:00
Anton Khirnov
931f5b2351 mov: avoid a memleak when multiple stss boxes are present
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 64f7575fbd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 577f1feb3f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-20 10:53:24 +01:00
Julien Ramseier
e7fdd6aa0d avconv: Use the mpeg12 private option scan_offset
Introduced in aed7900704

Bug-Id: debian/773055
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd665f7f48)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 864c0c50eb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-12-14 20:26:37 +01:00
Reinhard Tartler
d1c2f86b21 Replace lena.pnm
The new reference.pnm is a freely licensed replacement. The photo has
been taken by Reinhard Tartler on August 28 2014, and is licensed under
the expat license as stated at http://www.jclark.com/xml/copying.txt

(cherry picked from commit e38231007e19e5f27b0e77e72bcd26fb3d76edfb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-12-01 17:43:32 -08:00
Reinhard Tartler
2bcd8f22f2 Treat all '*.pnm' files as non-text file
This convinces the pre-receive hook to not consider all *.pnm files as
text files to reduce the patch sizes and avoids triggering whitespace
checks,

Contains a correction by Janne Grunau <janne-libav@jannau.net>

(cherry picked from commit b877814e09b9f25308ec205cf48bb9554b33e95c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-12-01 17:36:05 -08:00
wm4
c790e31ae4 lavu: fix memory leaks by using a mutex instead of atomics
The buffer pool has to atomically add and remove entries from the linked
list of available buffers. This was done by removing the entire list
with a CAS operation, working on it, and then setting it back again
(using a retry-loop in case another thread was doing the same thing).

This could effectively cause memory leaks: while a thread was working on
the buffer list, other threads would allocate new buffers, increasing
the pool's total size. There was no real leak, but since these extra
buffers were not needed, but not free'd either (except when the buffer
pool was destroyed), this had the same effects as a real leak. For some
reason, growth was exponential, and could easily kill the process due
to OOM in real-world uses.

Fix this by using a mutex to protect the list operations. The fancy
way atomics remove the whole list to work on it is not needed anymore,
which also avoids the situation which was causing the leak.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fbd6c97f9c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 517ce1d09b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-11-27 13:45:36 +01:00
Anton Khirnov
7fe5d0a78d lavu: add wrappers for the pthreads mutex API
Also add no-op fallbacks when threading is disabled.

This helps keeping the code clean if Libav is compiled for targets
without threading. Since we assume that no threads of any kind are used
in such configurations, doing nothing is ok by definition.

Based on a patch by wm4 <nfxjfg@googlemail.com>.

(cherry picked from commit 2443e522f0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 46a17d886b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-11-27 13:45:28 +01:00
Anton Khirnov
871d99ef77 mp3enc: fix a triggerable assert
We have to check against the number of bytes actually needed, not the
theoretical maximum size.

(cherry picked from commit 12700b0219)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-11-15 08:46:48 +01:00
Timothy B. Terriberry
72ed4166a6 resample: Avoid off-by-1 errors in PTS calcs.
The rounding used in the PTS calculations in filter_frame() does
not actually match the number of samples output by the resampler.
This leads to off-by-1 errors in the timestamps indicating gaps and
underruns, even when the input timestamps are all contiguous.

Bug-Id: 753

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6cbbf0592f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit ca8c62d187)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-10-18 05:15:48 +02:00
Vittorio Giovara
787a6156a2 imc: fix order of operations in coefficients read
Reported-by: Ruoyu <liangry@ucweb.com>
2014-10-15 14:54:20 +01:00
Rémi Denis-Courmont
0989a120f1 mpeg12: Always invoke the get_format() callback
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-09-27 15:49:06 +02:00
Rémi Denis-Courmont
c7caed88a0 h264: Always invoke the get_format() callback
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-09-27 15:49:06 +02:00
Diego Biurrun
f13f5a7d4b Add some bug references to the changelog 2014-09-17 07:18:39 -07:00
Katerina Barone-Adesi
d14696c99c apetag: Fix APE tag size check
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.

(cherry picked from commit b45ab61b24)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-09-17 07:18:39 -07:00
Diego Biurrun
d0af7d5745 Update Changelog for v10.5 2014-09-10 13:24:18 -07:00
Diego Biurrun
f2abf8df7a Prepare for 10.5 release 2014-09-10 13:24:13 -07:00
Diego Biurrun
40c7613ecf doc: Fix syntax and logical errors in avconv stream combination example
Bug-Id: 661
CC: libav-stable@libav.org
(cherry picked from commit 775a0b04f0)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-09-10 12:02:24 -07:00
Diego Biurrun
1a7d1793d6 license: Mention that vf_interlace is GPL, not LGPL
(cherry picked from commit 9e8bbe7d4d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-08-28 10:52:55 -07:00
Luca Barbato
9fcc632249 pulse: Add a wallclock option to be compatible with other other captures
alsa and x11grab use av_gettime() to report timestamps.

Have it on by default.

Bug-Id: 647
(cherry picked from commit 424b929b5c)
(cherry picked from commit 404731bd20)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-08-28 12:09:53 +02:00
Anton Khirnov
f7395926f2 avconv: fix parsing the AVOptions for -target
CC: libav-stable@libav.org
(cherry picked from commit f5245a9c62)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-27 06:31:05 +00:00
Anton Khirnov
7bc37641e3 avconv: fix the muxrate values for -target
The mpegenc private option values are in 50-byte units.

CC: libav-stable@libav.org
(cherry picked from commit 1688eef253)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-27 06:31:02 +00:00
Anton Khirnov
3ac0638d57 mpegenc: limit the maximum muxrate
It is written to the file as a 22-bit value.

CC: libav-stable@libav.org
(cherry picked from commit 75bbaf2493)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavformat/mpegenc.c
2014-08-27 06:30:52 +00:00
Michael Niedermayer
051ac5c0f5 mpegvideo: Use the current_picture pts
The picture slot can be recycled by select_input_picture and
only current_picture is populated with the valid pts.

Unbreak timestamps when in cbr mode.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 1c7b71a5bd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavcodec/mpegvideo_enc.c
2014-08-26 06:33:07 +00:00
Diego Biurrun
37e2d574dd setpts: Add missing inttypes.h #include for PRId64
Also convert a debug av_log() to av_dlog().

(cherry picked from commit a89dd9a72c6e9c3111d6f34d9b08cd624fe76358)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-08-20 10:07:09 -07:00
Christophe Gisquet
f25f5f8c62 proresenc: Properly account for alpha plane
The packet buffer allocation considers the alpha channel as DCT-coded,
while it is actually run-coded and thus requires a larger buffer.

CC: libav-stable@libav.org

Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 41e1354c10)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-08-18 19:03:37 +02:00
Christophe Gisquet
a437298de5 proresenc: Realloc if buffer is too small
The buffer allocation may be incorrect (e.g. with an alpha plane),
and currently causes the buffer to be set to NULL by init_put_bits,
causing a crash later on.

So, detect that situation, and if detected, reallocate the buffer
and ask for a sample that shows the problem.

CC: libav-stable@libav.org

Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 45ce880a9b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-08-18 19:03:34 +02:00
Christophe Gisquet
e912b0777b proresenc: Report buffer overflow
If the allocated size, despite best efforts, is too small, exit
with the appropriate error.

CC: libav-stable@libav.org

Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 58b68e4fde)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-08-18 19:03:30 +02:00
Christophe Gisquet
b3f48a5044 proresenc: Remove unneeded parameters from encode_alpha_plane()
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit b16699f2da)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-08-18 19:03:22 +02:00
Reinhard Tartler
ee9e966296 Update Changelog for v10.4 2014-08-17 10:23:20 -04:00
Reinhard Tartler
493a92313f Prepare for 10.4 Release 2014-08-17 10:20:00 -04:00
Luca Barbato
7788297a59 mpegts: Do not try to write a PMT larger than SECTION_SIZE
Prevent out of array writes.

Similar to what Michael Niedermayer did to address the same issue.

Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit e8049af132)

Conflicts:
	libavformat/mpegtsenc.c
2014-08-13 13:57:47 -07:00
Luca Barbato
23376ae2f0 mpegts: Define the section length with a constant
The specification says the value is expressed in 10 bits including
the 4-byte CRC.

(cherry picked from commit 89616408e3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

Conflicts:
	libavformat/mpegtsenc.c
2014-08-13 13:53:20 -07:00
Michael Niedermayer
8231764784 ffv1dec: check that global parameters do not change in version 0/1
Such changes are neither allowed nor supported

Found-by: ami_stuff
Bug-Id: CVE-2013-7020
CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da7d839a0d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-12 10:34:09 +00:00
Felix Abecassis
67134ad31f h264: fix interpretation of interleaved stereo modes
Column and row frame packing arrangements were inverted.

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
2014-08-07 11:40:08 +01:00
Anton Khirnov
d513c6a0ee svq1: do not modify the input packet
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.

Also, check the size of the header, avoiding invalid reads on truncated
data.

CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-06 19:05:34 +00:00
Anton Khirnov
18f48e05a2 cdgraphics: do not return 0 from the decode function
0 means no data consumed, so it can trigger an infinite loop in the
caller.

CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-06 18:41:44 +00:00
Anton Khirnov
5bf5a35fb5 cdgraphics: switch to bytestream2
Fixes possible invalid memory accesses on corrupted data.

CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-06 18:41:42 +00:00
Vittorio Giovara
6598aaea1a jpeg2000: enable 4 component pixel formats
Bug-Id: 721
CC: libav-stable@libav.org
Sample-Id: 31230.mov
2014-08-06 12:44:35 +01:00
Vittorio Giovara
a5992a274f stereo3d: add missing include guards 2014-08-06 12:44:35 +01:00
Michael Niedermayer
aa943bd31f huffyuvdec: check width size for yuv422p
Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a7153444df)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-05 20:06:53 +00:00
Michael Niedermayer
bea14966e2 mmvideo: check horizontal coordinate too
Fixes out of array accesses.

Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 70cd3b8e65)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-05 19:21:40 +00:00
Michael Niedermayer
6be5a3c045 wmalosslessdec: fix mclms_coeffs* array size
Fixes corruption of context

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Bug-Id: CVE-2014-2098
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 849b9d34c7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-08-05 14:59:29 +00:00
Reinhard Tartler
07015d9f91 Update Changelog for v10.3 2014-08-03 21:30:46 -04:00
Diego Biurrun
744b406ff3 huffyuv: Check and propagate function return values
Bug-Id: CVE-2013-0868

inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Diego Biurrun <diego@biurrun.de>

CC: libav-stable@libav.org
(cherry picked from commit d0393d79bc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

Conflicts:
	libavcodec/huffyuvdec.c
2014-08-03 15:53:38 -07:00
Vittorio Giovara
2273e5ed99 h264: prevent theoretical infinite loop in SEI parsing
Properly address CVE-2011-3946 and parse bitstream as described in the spec.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
2014-08-01 13:15:07 +01:00