Buffers containing copies of the AAC and AC3 header bits were not padded
before parsing, violating init_get_bits() buffer padding requirement,
leading to potential buffer read overflows.
This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer
for parsing the header in each of aac_parser.c and ac3_parser.c.
Based on patch by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fccd85b9f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes out of array reads and/or infinite loops.
30 is the maximum number of bits that can be read into
coeff_abs below.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes invalid writes with very small image heights.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0b39ac6f54)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit eac49477aa)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 92888e9ed4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 02de44073a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes invalid writes when there are more blocks in a run than total
remaining blocks.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d423dd72be)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 58dc526ebf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f249e98891)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 306ee95088)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 69a930b988)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 3f10a779b4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/mmvideo.c
(cherry picked from commit 03dba25a40)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 88626e5af8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 55788572ea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8f238dd9bd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/jvdec.c
(cherry picked from commit 50cb695bf1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/jvdec.c
Also fill in missing hash for AV_CPU_FLAG_CMOV addition in APIChanges.
(cherry picked from commit fe07c9c6b5)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/x86/dsputil_mmx.c
Previously, the value given to put_bits was 10 bits long for positive
predictors, even though 9 bits were to be written. The extra bit could
in some cases overwrite existing bits in the bitstream writer cache.
This fixes a failed assert in put_bits.h, when running a version
built with -DDEBUG.
The fate test result gets slightly improved, thanks to getting rid
of the overwritten bits in the bitstream writer cache.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa264da5bf)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
tests/ref/fate/acodec-adpcm-ima_qt
This fixes assert failures when running in debug mode.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2d7d91f06d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
It is possible in various error paths as well as gap handling
that this has already been allocated. It is not clear why that
would be a problem with the current code, thus disable the
assert to avoid a common assert failure when asserts are enabled.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5e997688f8)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The ParserContext class doesn't have an AVClass, required for
using it as a logging class.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6d65496990)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This assert is no longer true since h264 error concealment needs
last_picture_ptr to be set.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 91672504a4)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/mpegvideo.c
It seems the condition was flipped from what was intended.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2c340596ca)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This change avoids accessing the segment map of the previous frame if
segmentation is not enabled for the current frame. The caller of
decode_mb_mode() only calls ff_thread_await_progress() on the reference
segmentation index array if segmentation is enabled, so Chromium's TSAN
will report a race when accessing this data while segmentation is not
enabled.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 30011bf201)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Change the size specifiers to match the actual element sizes
of the data. This makes no practical difference with strict
alignment checking disabled (the default) other than somewhat
documenting the code. With strict alignment checking on, it
avoids trapping the unaligned loads.
Signed-off-by: Mans Rullgard <mans@mansr.com>
The vertically interpolating variants of these functions read
ahead one line to optimise the loop. On the last line processed,
this might be outside the buffer. Fix these invalid reads by
processing the last line outside the loop.
Signed-off-by: Mans Rullgard <mans@mansr.com>
This fixes a bogus bitrate value in the header of WAV files with
alaw/ulaw audio.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 7d7b40f48a)
Conflicts:
libavcodec/pcm.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b5d7b80a7e':
ffv1dec: check that global parameters do not change in version 0/1
Conflicts:
libavcodec/ffv1.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Add padding, clear size, use the correct pointer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4213fc5b9e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
