The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such data streams (which then contain no other packets except the faulty one)
confuse some user applications, like VLC
Works around vlcticket 12389
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 322f0f5960)
Conflicts:
libavformat/flvdec.c
Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
which contains more fixes but is unfinished
Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b5d112406)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab68)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
We have to check against the number of bytes actually needed, not the
theoretical maximum size.
(cherry picked from commit 12700b0219)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes out of array read
Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3d7f00ee3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1304
Commit message and extradata size bugfix by commiter
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6843b9dc78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes miss detection of PCM as m4v
Fixes Ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c1835c52a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is currently not supported
Fixes part of Ticket 3539
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c2430304df)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes reading from freed data
Fixes part of Ticket3539
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1c55d0ff32)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a9734e7d3017ffc9539eaac2a8acce3ad427f746)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes wrong number of segments output and undefined memory access.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 58e0402e02)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The read_packet callback passes a pointer to a stack-allocated AVPacket.
Attempting to free it with av_free() makes no sense.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b173f5c155)
Conflicts:
libavformat/oggdec.c
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit b45ab61b24)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
It is written to the file as a 22-bit value.
CC: libav-stable@libav.org
(cherry picked from commit 75bbaf2493)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavformat/mpegenc.c
* commit '7788297a59':
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Conflicts:
libavformat/mpegtsenc.c
See: 842b6c14bc
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Prevent out of array writes.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit e8049af132)
Conflicts:
libavformat/mpegtsenc.c
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 89616408e3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/mpegtsenc.c
Found-by: CSA
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2e6fdcb7f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket2340
Fixes Ticket2341
Based-on mail from Dave Rice <dave@dericed.com>
Tested-by: Dave Rice <dave@dericed.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 88f038ac97)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f6b3dce952':
librtmp: Don't free the temp url at the end of rtmp_open
Conflicts:
libavformat/librtmp.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
librtmp can keep pointers to this string internally, and may
use them at shutdown as well.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 865461099e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/librtmp.c
The AVStream.parser field is considered private and its location cannot be
preserved while preserving also ABI compatibility to libav, as libav added fields
before it.
Some tools like ffmpeg.c access this field though
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 62227a70f0)
Conflicts:
RELEASE_NOTES
doc/APIchanges
libavformat/utils.c
libavformat/version.h
Fixes long loop
Fixes Ticket3208
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8202c49b43)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
On big endian machines, the default value set via the faulty
AVOption ended up as 2^32 times too big.
This fixes the fate-lavf-ogg test which currently is broken on
big endian machines, broken since 3831362. Since that commit,
a final zero-sized packet is written to the ogg muxer in that test,
which caused different flushing behaviour on little and big endian
depending on whether the pref_duration option was handled as it
should or not.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 103243ca64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.
CC:libav-stable@libav.org
(cherry picked from commit f2f2e7627f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>