Commit graph

13864 commits

Author SHA1 Message Date
Alex Converse
d87997b56f aacsbr: prevent out of bounds memcpy().
Fixes Libav Bug 195.
Fixes CVE-2012-0850

This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.

Based on change by Michael Niedermayer.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Alex Converse
654b24f68a dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b73)
(cherry picked from commit eaeaeb265f)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-28 20:55:34 +02:00
Michael Niedermayer
2f2fd8c6d1 tqi: Pass errors from the MB decoder
This silences some valgrind warnings.
CC: libav-stable@libav.org

Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e)
(cherry picked from commit 90290a5150)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-23 20:44:57 +02:00
Alexander Strange
c5f7c755cf h264: Add check for invalid chroma_format_idc
Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4713234518)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-23 20:44:45 +02:00
Janne Grunau
b581580bd1 adpcm: ADPCM Electronic Arts has always two channels
Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Adresses CVE-2012-0852

(cherry picked from commit bb5b3940b0)

Conflicts:

	libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-23 15:05:27 +02:00
Michael Niedermayer
3313f31f01 h263dec: Disallow width/height changing with frame threads.
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4be63587e1)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-22 22:19:41 +02:00
Mans Rullgard
c71c77e56f vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Alex Converse
08c81f7365 celp filters: Do not read earlier than the start of the 'out' vector.
CC: libav-stable@libav.org
(cherry picked from commit 37ddd38332)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9ea94c44b1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Alex Converse
50073e2395 motionpixels: Clip YUV values after applying a gradient.
Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848fac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a66677)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Ronald S. Bultje
3fc967f6c7 h263: more strictly forbid frame size changes with frame-mt.
Prevents crashes because the old check was incomplete.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fe4c8cb76)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Ronald S. Bultje
26ac878cc2 h264: additional protection against unsupported size/bitdepth changes.
Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe5)

Conflicts:

	libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 746f1594d7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-05-06 21:40:58 +02:00
Reinhard Tartler
fd53da21a1 lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
While bogus, this change avoids the necessity to backport
AVERROR_UNKNOWN, which is not entirely trivial.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:30 +02:00
Michael Niedermayer
a0b65938b7 kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973)
(cherry picked from commit d5f2382d03)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
cb8a17ddac kgv1: use avctx->get/release_buffer().
Also fixes crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 33cd32b389)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e537dc230b)

Conflicts:

	libavcodec/kgv1dec.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Gaurav Narula
24eabc53ba kvmc: fix invalid reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit ad3161ec1d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Alex Converse
6ae95a0b93 mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Michael Niedermayer
96ed18cab1 shorten: Use separate pointers for the allocated memory for decoded samples.
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.

Fixes CVE-2012-0858
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Justin Ruggles
a207a2fecc shorten: check for realloc failure (cherry picked from commit 9e5e2c2d01)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Michael Niedermayer
f728ad26f0 atrac3: Fix crash in tonal component decoding.
Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Michael Niedermayer
e676bbb8cf ws_snd1: Fix wrong samples count and crash.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9fb7a5af97)

Addresses CVE-2012-0848

Reviewed-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 697a45d861)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Justin Ruggles
847c7cd0c8 ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Justin Ruggles
137007b5bf ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
8-bit unsigned is the native sample format.
(cherry picked from commit 2322ced8da)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Kostya Shishkov
90db3c435e dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
8b819fd9d3 h264: stricter reference limit enforcement.
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Paul B Mahol
81c5b4ddcb jvdec: unbreak video decoding
The safe bitstream reader broke it since the buffer size was specified
in bytes instead of bits.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
CC: libav-stable@libav.org
(cherry picked from commit a1c036e961)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
5ae49ddaa4 xxan: don't read before start of buffer in av_memcpy_backptr().
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f1279e286b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
311361348d dsicinvideo: validate buffer offset before copying pixels.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c95fefa042)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
99536be9d4 huffyuv: add padding to classic (v1) huffman tables.
We slightly overread the input buffer, so we require
padding at the end of the buffer, as is documented in the
get_bits API. Without padding, we'll read uninitialized
data or beyond the end of the .rodata, which may crash.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4ffe5e2aa5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Alex Converse
bbe316dfb4 tiffdec: Prevent illegal memory access caused by recycled pointers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fd0be63049)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
b4a223fd19 wma: fix off-by-one in array bounds check.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b4bccf3e4e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
4924520513 raw: move buffer size check up.
This way, it protects against overreads for 4bpp/2bpp content also.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cc5dd632ce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:29 +02:00
Ronald S. Bultje
6dfe865aed svq3: protect against negative quantizers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 11b940a1a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Michael Niedermayer
4be63587e1 h263dec: Disallow width/height changing with frame threads.
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
a642953b0f tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned.
TIFF v6.0 (unimplemented) adds signed equivalents.
(cherry picked from commit e32548d133)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Alex Converse
f5ce67d837 svq3: Prevent illegal reads while parsing extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Mans Rullgard
2c199cb253 ac3: Do not read past the end of ff_ac3_band_start_tab.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 034b03e7a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Fabian Greffrath
f375e19f37 Fix format string vulnerability detected by -Wformat-security.
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit c9dbac36ad)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Ronald S. Bultje
54e947273c h264: fix mmxext chroma deblock to use correct TC values. (cherry picked from commit b0c4f04338)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Ronald S. Bultje
e3e05963c1 cscd: use negative error values to indicate decode_init() failures.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8a9faf33f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Ronald S. Bultje
bd37b95383 h264: prevent overreads in intra PCM decoding.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d1604b3de9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Justin Ruggles
58133bb010 wmaenc: fix m/s stereo encoding for the first frame
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.

CC:libav-stable@libav.org
(cherry picked from commit 51ddf35c90)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Justin Ruggles
43e3e7764c wmaenc: limit allowed sample rate to 48kHz
ff_wma_init() allows up to 50kHz, but this generates an exponent band
size table that requires 65 bands. The code assumes 25 bands in many
places, and using sample rates higher than 48kHz will lead to buffer
overwrites.

CC:libav-stable@libav.org
(cherry picked from commit 1ec075cfec)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:28 +02:00
Justin Ruggles
74bd46e82a wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE
This is near the theoretical limit for wma frame size and is the most that
our decoder can handle. Allowing higher bit rates will just end up padding
each frame with empty bytes.

Fixes invalid writes for avconv when using very high bit rates.

CC:libav-stable@libav.org
(cherry picked from commit c2b8dea182)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Justin Ruggles
c932844882 wmaenc: require a large enough output buffer to prevent overwrites
The maximum theoretical frame size is around 17000 bytes. Although in
practice it will generally be much smaller, we require a larger buffer
just to be safe.

CC: libav-stable@libav.org
(cherry picked from commit dfc4fdedf8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Alex Converse
88b47010c4 wmadec: Verify bitstream size makes sense before calling init_get_bits.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 48f1e5212c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Alex Converse
b56b7b9081 rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2f6528537f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
bd0d32d131 lcl: return negative error codes on decode_init() errors.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd17a40a7e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
d680295d0c huffyuv: do not abort on unknown pix_fmt; instead, return an error.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 63c9de6469)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
ced190c96c vmnc: return error on decode_init() failure.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 07a180972f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00
Ronald S. Bultje
e15d137ecf rpza: error out on buffer overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 78e9852a2e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-04-01 18:33:27 +02:00