libav.git
5 years ago arm: Don't clobber callee saved registers in scalarproduct [release/0.7, github/release/0.7, gitlab/release/0.7, gitorious/release/0.7, videolan/release/0.7]
Martin Storsjö [Fri, 20 Dec 2013 13:02:35 +0000 (15:02 +0200)]
arm: Don't clobber callee saved registers in scalarproduct

q4-q7/d8-d15 are supposed to not be clobbered by the callee.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694)

Signed-off-by: Martin Storsjö <martin@martin.st>
6 years ago Update changelog for 0.7.8 release
Reinhard Tartler [Sat, 11 May 2013 10:08:35 +0000 (12:08 +0200)]
Update changelog for 0.7.8 release

6 years ago aac: check the maximum number of channels
Reinhard Tartler [Tue, 7 May 2013 05:13:50 +0000 (07:13 +0200)]
aac: check the maximum number of channels

Broken bitstreams could report a larger than specified number of
channels and cause outbound writes.

CC:libav-stable@libav.org
(cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/aacdec.c

6 years ago oggdec: fix faulty cleanup prototype
Luca Barbato [Wed, 9 Jan 2013 19:49:34 +0000 (20:49 +0100)]
oggdec: fix faulty cleanup prototype

(cherry picked from commit fba8e5b608577fc660989d0057a55818254a3744)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago qdm2: check that the FFT size is a power of 2
Anton Khirnov [Tue, 9 Apr 2013 13:25:20 +0000 (15:25 +0200)]
qdm2: check that the FFT size is a power of 2

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 34f87a58532ed652a6e0283c1d044ee5df0aef0b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago rv10: check that extradata is large enough
Anton Khirnov [Tue, 9 Apr 2013 18:33:25 +0000 (20:33 +0200)]
rv10: check that extradata is large enough

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit 01d376f598fe95478036f5d1e3e5e14ffe32d4bf)

Conflicts:

libavcodec/rv10.c

6 years ago lavf: make sure stream probe data gets freed.
Anton Khirnov [Wed, 27 Mar 2013 16:56:59 +0000 (17:56 +0100)]
lavf: make sure stream probe data gets freed.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dbb1425811a672eddf4acf0513237cdf20f83756)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago dfa: check for invalid access in decode_wdlt().
Anton Khirnov [Wed, 27 Mar 2013 17:18:38 +0000 (18:18 +0100)]
dfa: check for invalid access in decode_wdlt().

This can happen when the number of skipped lines is not consistent with
the number of coded lines.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3623589edc7b1257bb45aa9e52c9631e133f22b6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago avfiltergraph: check for sws opts being non-NULL before using them.
Anton Khirnov [Sun, 17 Mar 2013 15:14:58 +0000 (16:14 +0100)]
avfiltergraph: check for sws opts being non-NULL before using them.

Avoid snprintfing a NULL pointer.

CC: libav-stable@libav.org
(cherry picked from commit 6e3c13a559e9ff300b5ca60e1d503e594d7f055c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago iff: validate CMAP palette size
Kostya Shishkov [Sun, 17 Mar 2013 19:22:19 +0000 (20:22 +0100)]
iff: validate CMAP palette size

Fixes CVE-2013-2495

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 31a77177ff323ef83944c60a8654891213ab6691)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago wmaprodec: require block_align to be set.
Anton Khirnov [Wed, 6 Mar 2013 08:58:00 +0000 (09:58 +0100)]
wmaprodec: require block_align to be set.

Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.

CC:libav-stable@libav.org
(cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 20373a66ec68d958c266f643a7d0e5ec254c0fcc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago lzo: fix overflow checking in copy_backptr()
Xi Wang [Fri, 15 Mar 2013 10:59:22 +0000 (06:59 -0400)]
lzo: fix overflow checking in copy_backptr()

The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.

Remove the check.  Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6)

Conflicts:
libavutil/lzo.c

6 years ago flacdec: simplify bounds checking in flac_probe()
Xi Wang [Fri, 15 Mar 2013 11:11:47 +0000 (07:11 -0400)]
flacdec: simplify bounds checking in flac_probe()

Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'.
Avoid a possible out-of-bounds pointer, which is undefined behavior
in C.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 8425d693eefbedbb41f91735614d41067695aa37)
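
An added example, not code from libav: the bounds-check style the lzo and flacdec commit messages above describe, where distances and lengths are compared as integers instead of forming a pointer that may lie outside the buffer. The struct, function names and sample buffer are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified output state: only the fields the lzo commit
 * message names (out, out_start) plus an end pointer. */
typedef struct {
    uint8_t *out_start; /* first byte of the output buffer */
    uint8_t *out;       /* next byte to be written */
    uint8_t *out_end;   /* one past the last byte of the buffer */
} OutState;

/* Copy cnt bytes from `back` bytes behind the write position.
 * Every check compares distances; no pointer is formed until it is known
 * to lie inside the buffer, so no check relies on pointer wrap-around. */
int copy_backref(OutState *c, int back, int cnt)
{
    if (back <= 0 || cnt < 0)            /* extra guard, an assumption of this example */
        return -1;
    if (c->out - c->out_start < back)    /* safe form quoted in the lzo commit */
        return -1;
    if (c->out_end - c->out < cnt)       /* same idea applied to the write side */
        return -1;
    const uint8_t *src = c->out - back;  /* now known to be inside the buffer */
    for (int i = 0; i < cnt; i++)        /* bytewise: source may overlap destination */
        c->out[i] = src[i];
    c->out += cnt;
    return 0;
}

/* flac_probe-style test: compare the length (`buf_size < 4`) rather than
 * `buf > buf + buf_size - 4`, which can form an out-of-bounds pointer. */
int probe_magic(const uint8_t *buf, int buf_size)
{
    if (buf_size < 4)
        return 0;
    return memcmp(buf, "fLaC", 4) == 0;
}

/* Constructed sample: 8-byte buffer in which "ab" is already decoded. */
uint8_t demo_buf[8];

int demo_backref(int back, int cnt)
{
    OutState c = { demo_buf, demo_buf + 2, demo_buf + sizeof(demo_buf) };
    memset(demo_buf, 0, sizeof(demo_buf));
    memcpy(demo_buf, "ab", 2);
    return copy_backref(&c, back, cnt);
}

int main(void)
{
    int rc = demo_backref(2, 4);
    printf("back=2 cnt=4 -> %d (%.6s)\n", rc, (const char *)demo_buf);
    printf("back=3 cnt=1 -> %d\n", demo_backref(3, 1));
    printf("probe of 3 bytes -> %d\n", probe_magic((const uint8_t *)"fLa", 3));
    return 0;
}
```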

6 years ago atrac3: avoid oversized shifting in decode_bytes()
Xi Wang [Fri, 15 Mar 2013 10:31:21 +0000 (06:31 -0400)]
atrac3: avoid oversized shifting in decode_bytes()

When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.

    (0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))

Avoid oversized shifting.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b)

Conflicts:
libavcodec/atrac3.c

6 years ago lavf: fix arithmetic overflows in avformat_seek_file()
Mans Rullgard [Fri, 7 Dec 2012 13:53:56 +0000 (13:53 +0000)]
lavf: fix arithmetic overflows in avformat_seek_file()

The values compared here can be more than INT64_MAX apart.  Since the
difference is always positive, converting to uint64_t before subtracting
gives the correct result without overflows.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 91ac403b1316d59b4f43c4ea0f237e24cec2819a)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
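
An added example, not code from libav: well-defined forms of the two integer expressions discussed in the atrac3 and avformat_seek_file commit messages above. The function names are hypothetical, and a 32-bit int is assumed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate x right by 0..3 whole bytes, which is what the atrac3 expression
 * computes. x is unsigned here: with a 32-bit int the bare literal
 * 0x537F6103 has type int, so shifting it left can also overflow a
 * signed value. */
uint32_t rotr32_bytes(uint32_t x, unsigned off)
{
    unsigned n = (off & 3) * 8;          /* 0, 8, 16 or 24 bits */
    if (n == 0)
        return x;                        /* never evaluate x << 32 */
    return (x >> n) | (x << (32 - n));
}

/* Distance between two timestamps with lo <= hi. The true difference can
 * exceed INT64_MAX, so subtract as uint64_t, where wrap-around is defined
 * and the result is exact. */
uint64_t distance_u64(int64_t lo, int64_t hi)
{
    return (uint64_t)hi - (uint64_t)lo;
}

/* Given min_ts <= ts <= max_ts, report whether ts lies farther from
 * min_ts than from max_ts, without any signed subtraction. */
int farther_from_min(int64_t min_ts, int64_t ts, int64_t max_ts)
{
    return distance_u64(min_ts, ts) > distance_u64(ts, max_ts);
}

int main(void)
{
    for (unsigned off = 0; off < 4; off++)
        printf("off=%u -> 0x%08" PRIX32 "\n", off,
               rotr32_bytes(UINT32_C(0x537F6103), off));
    printf("full range distance = %" PRIu64 "\n",
           distance_u64(INT64_MIN, INT64_MAX));
    printf("farther_from_min(INT64_MIN, 0, INT64_MAX) = %d\n",
           farther_from_min(INT64_MIN, 0, INT64_MAX));
    return 0;
}
```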
6 years ago parser: fix large overreads
Michael Niedermayer [Wed, 3 Oct 2012 14:06:23 +0000 (16:06 +0200)]
parser: fix large overreads

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 096abfa15052977eed93f0b5e01afd2d47c53c1f)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago dsputil: fix invalid array indexing
Mans Rullgard [Thu, 26 Apr 2012 13:00:43 +0000 (14:00 +0100)]
dsputil: fix invalid array indexing

Indexing outside an array is invalid and causes errors with
gcc 4.8.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0a07f2b346433a9a2677c69c6b29a1a827e39109)

Signed-off-by: Diego Biurrun <diego@biurrun.de>
6 years ago shorten: use the unsigned type where needed
Luca Barbato [Tue, 5 Mar 2013 16:12:35 +0000 (17:12 +0100)]
shorten: use the unsigned type where needed

get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.

CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c)
(cherry picked from commit 88089eecfd7e604d40d078b4f4206c647cb2e2b4)
(cherry picked from commit f42d03746afe491dd02bb6372961e85e78299864)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/shorten.c

6 years ago shorten: report meaningful errors
Reinhard Tartler [Tue, 7 May 2013 05:29:06 +0000 (07:29 +0200)]
shorten: report meaningful errors

(cherry picked from commit 4c364eb2b856fc33cf7b42f7c7b979e69fde5f3a)
(cherry picked from commit 0daf1428e82926dc5a8c72a0ff4c93aaa8a84ed9)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c

6 years ago shorten: set invalid channels count to 0
Reinhard Tartler [Tue, 7 May 2013 05:26:19 +0000 (07:26 +0200)]
shorten: set invalid channels count to 0

Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)
(cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c

6 years ago shorten: validate that the channel count in the header is not <= 0
Justin Ruggles [Tue, 23 Oct 2012 04:40:51 +0000 (00:40 -0400)]
shorten: validate that the channel count in the header is not <= 0

(cherry picked from commit 4c53f4aed3edfa58360c7a2a468782eae31d3176)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/shorten.c

6 years ago matroskadec: request a read buffer for the wav header
Luca Barbato [Tue, 12 Mar 2013 17:56:28 +0000 (18:56 +0100)]
matroskadec: request a read buffer for the wav header

Solve an infiniloop.

CC: libav-stable@libav.org
(cherry picked from commit 37cb3b180a1dc3d6f123f68e0806585ebc2578b6)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago h264: check for luma and chroma bit depth being equal
Reinhard Tartler [Tue, 7 May 2013 05:25:10 +0000 (07:25 +0200)]
h264: check for luma and chroma bit depth being equal

The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.

Avoid the possible problems described in CVE-2013-2277

Conflicts:
libavcodec/h264.c

6 years ago xxan: fix invalid memory access in xan_decode_frame_type0()
Reinhard Tartler [Tue, 7 May 2013 05:24:16 +0000 (07:24 +0200)]
xxan: fix invalid memory access in xan_decode_frame_type0()

The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/xxan.c

6 years ago wmadec: require block_align to be set.
Anton Khirnov [Wed, 6 Mar 2013 08:58:00 +0000 (09:58 +0100)]
wmadec: require block_align to be set.

Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.

CC:libav-stable@libav.org
(cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c1f479e8df24284237c80ad959619fc85e29a26d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago wmaprodec: return an error, not 0, when the input is too small.
Anton Khirnov [Wed, 6 Mar 2013 09:02:50 +0000 (10:02 +0100)]
wmaprodec: return an error, not 0, when the input is too small.

Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.

CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 60dd8b5733f9ec4919fbc732ace1be8184dde880)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vorbisdec: Error on bark_map_size equal to 0.
Michael Niedermayer [Thu, 10 Jan 2013 23:54:12 +0000 (00:54 +0100)]
vorbisdec: Error on bark_map_size equal to 0.

The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.

CVE-2013-0894

CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494ddd377ada76ed555f7a3f49391455daa099c9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago Update RELEASE file for 0.7.8
Reinhard Tartler [Sun, 17 Feb 2013 08:10:52 +0000 (09:10 +0100)]
Update RELEASE file for 0.7.8

6 years ago update year to 2013
Reinhard Tartler [Sun, 17 Feb 2013 08:10:16 +0000 (09:10 +0100)]
update year to 2013

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago oggdec: make sure the private parse data is cleaned up
Luca Barbato [Fri, 4 Jan 2013 15:05:51 +0000 (16:05 +0100)]
oggdec: make sure the private parse data is cleaned up

Related to CVE-2012-2882

(cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646)

Conflicts:

libavformat/oggdec.h
libavformat/oggparsevorbis.c
(cherry picked from commit b0240165d93d4a08d15d244953219a4d4e725d3f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo5: update AVCodecContext width/height on size change
Michael Niedermayer [Sat, 14 Apr 2012 18:04:05 +0000 (20:04 +0200)]
indeo5: update AVCodecContext width/height on size change

Fixes CVE-2012-2787

Note that in 0.7, there is only indeo 5, no indeo 4 decoder

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b146d74730ab9ec5abede9066f770ad851e45fbc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2bc1e4fcb96c470e2ccb2a0a78a415d5eab960c8)

Conflicts:

libavcodec/ivi_common.c

6 years ago doc: filters: Correct BNF FILTER description
Vicente Jimenez Aguilar [Wed, 20 Feb 2013 01:35:00 +0000 (02:35 +0100)]
doc: filters: Correct BNF FILTER description

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit b5ad422bf4e671a8b30ce73ad236cd6b49940af9)

6 years ago Update changelog for 0.7.7 release [v0.7.7]
Reinhard Tartler [Thu, 24 Jan 2013 13:01:42 +0000 (14:01 +0100)]
Update changelog for 0.7.7 release

6 years ago mpeg12: do not decode extradata more than once.
Anton Khirnov [Thu, 13 Dec 2012 16:53:31 +0000 (17:53 +0100)]
mpeg12: do not decode extradata more than once.

Fixes CVE-2012-2803.

(cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2)

Conflicts:

libavcodec/mpeg12.c
libavcodec/mpeg12.h

6 years ago indeo4/5: check empty tile size in decode_mb_info().
Anton Khirnov [Sat, 29 Sep 2012 09:07:58 +0000 (11:07 +0200)]
indeo4/5: check empty tile size in decode_mb_info().

This prevents writing into a too small array if some parameters changed
without the tile being reallocated.

Based on a patch by Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2012-2800

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1)

Conflicts:

libavcodec/ivi_common.c

6 years ago dfa: improve boundary checks in decode_dds1()
Anton Khirnov [Sat, 29 Sep 2012 11:25:28 +0000 (13:25 +0200)]
dfa: improve boundary checks in decode_dds1()

Fixes CVE-2012-2798

CC:libav-stable@libav.org
(cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6)

Conflicts:

libavcodec/dfa.c

6 years ago indeo5dec: Make sure we have had a valid gop header.
Michael Niedermayer [Sat, 24 Mar 2012 16:43:55 +0000 (17:43 +0100)]
indeo5dec: Make sure we have had a valid gop header.

This prevents decoding happening on a half initialized context.

Fixes CVE-2012-2779

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 891918431db628db17885ed947ee387b29826a64)

Conflicts:

libavcodec/ivi_common.c
libavcodec/ivi_common.h

6 years ago rv34: error out on size changes with frame threading
Janne Grunau [Fri, 23 Mar 2012 21:30:38 +0000 (22:30 +0100)]
rv34: error out on size changes with frame threading

(cherry picked from commit cb7190cd2c691fd93e4d3664f3fce6c19ee001dd)

Fixes: CVE-2012-2772 (according to Ubuntu)

6 years ago h264: check ref_count validity for num_ref_idx_active_override_flag
Janne Grunau [Sat, 12 Jan 2013 16:22:50 +0000 (17:22 +0100)]
h264: check ref_count validity for num_ref_idx_active_override_flag

Fixes segfault in the fuzzed sample bipbop234.ts_s226407.
CC: libav-stable@libav.org
(cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8)
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
6 years ago h264: check context state before decoding slice data partitions
Janne Grunau [Wed, 28 Nov 2012 21:17:14 +0000 (22:17 +0100)]
h264: check context state before decoding slice data partitions

Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656.

Found-by: Mateusz "j00ru" Jurczyk
CC: libav-stable@libav.org
(cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago oggdec: free the ogg streams on read_header failure
Reinhard Tartler [Sat, 12 Jan 2013 18:36:27 +0000 (19:36 +0100)]
oggdec: free the ogg streams on read_header failure

Plug an annoying memory leak on broken files.
(cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522)

Conflicts:

libavformat/oggdec.c

Conflicts:

libavformat/oggdec.c

6 years ago oggdec: check memory allocation
Luca Barbato [Sat, 22 Dec 2012 16:58:24 +0000 (17:58 +0100)]
oggdec: check memory allocation

(cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5)

Conflicts:

libavformat/oggdec.c

6 years ago Fix uninitialized reads on malformed ogg files.
Dale Curtis [Wed, 7 Mar 2012 22:26:58 +0000 (14:26 -0800)]
Fix uninitialized reads on malformed ogg files.

The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago rtsp: Recheck the reordering queue if getting a new packet
Martin Storsjö [Mon, 7 Jan 2013 16:39:04 +0000 (18:39 +0200)]
rtsp: Recheck the reordering queue if getting a new packet

If we timed out and consumed a packet from the reordering queue,
but didn't return a packet to the caller, recheck the queue status.
Otherwise, we could end up in an infinite loop, trying to consume
a queued packet that has already been consumed.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8729698d50739524665090e083d1bfdf28235724)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago alacdec: do not be too strict about the extradata size
Justin Ruggles [Sat, 22 Dec 2012 06:21:09 +0000 (01:21 -0500)]
alacdec: do not be too strict about the extradata size

Sometimes the extradata has duplicate atoms, but that shouldn't prevent
decoding. Just ensure that it is at least 36 bytes as a sanity check.

CC: libav-stable@libav.org
(cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
Victor Lopez [Wed, 19 Dec 2012 08:12:24 +0000 (09:12 +0100)]
h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles

Fixes bug 396.

CC: libav-stable@libav.org
(cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: check sps.log2_max_frame_num for validity
Janne Grunau [Sun, 25 Nov 2012 11:56:04 +0000 (12:56 +0100)]
h264: check sps.log2_max_frame_num for validity

Fixes infinite or long taking loop in frame num gap code in
the fuzzed sample bipbop234.ts_s223302.

CC: libav-stable@libav.org
(cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago ppc: always use pic for shared libraries
Luca Barbato [Mon, 3 Dec 2012 21:53:30 +0000 (22:53 +0100)]
ppc: always use pic for shared libraries

CC: libav-stable@libav.org
(cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996)

Conflicts:

configure

6 years ago h264: enable low delay only if no delayed frames were seen
Janne Grunau [Fri, 16 Nov 2012 13:31:09 +0000 (14:31 +0100)]
h264: enable low delay only if no delayed frames were seen

Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumably broken SPS.

CC: libav-stable@libav.org
(cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24)

Conflicts:

libavcodec/h264.c

6 years ago lavf: avoid integer overflow in ff_compute_frame_duration()
Janne Grunau [Fri, 23 Nov 2012 13:05:36 +0000 (14:05 +0100)]
lavf: avoid integer overflow in ff_compute_frame_duration()

Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.

CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
Alex Converse [Wed, 12 Dec 2012 01:26:10 +0000 (17:26 -0800)]
aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.

Found-by: pawlkt
CC: libav-stable@libav.org
Fixes: CVE-2012-5144
(cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vp6: properly fail on unsupported feature
Luca Barbato [Thu, 13 Dec 2012 15:20:19 +0000 (16:20 +0100)]
vp6: properly fail on unsupported feature

Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.

Fixes: CVE-2012-2783
(cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: Fix parameters to ff_er_add_slice() call
Reinhard Tartler [Sat, 12 Jan 2013 18:22:22 +0000 (19:22 +0100)]
h264: Fix parameters to ff_er_add_slice() call

s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.

(cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36)

Conflicts:

libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:

libavcodec/h264.c

6 years ago flacenc: ensure the order is within the min/max range in LPC order search
Justin Ruggles [Wed, 7 Nov 2012 19:48:28 +0000 (14:48 -0500)]
flacenc: ensure the order is within the min/max range in LPC order search

This fixes use of uninitialized values when the FLAC encoder uses the
2-level, 4-level, and 8-level search methods. Fixes failure of the
fate-flac-24-comp-8 test when run using valgrind.
(cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032)

Conflicts:

libavcodec/flacenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago yuv4mpeg: reject unsupported codecs
Luca Barbato [Fri, 26 Oct 2012 20:55:04 +0000 (22:55 +0200)]
yuv4mpeg: reject unsupported codecs

The muxer already rejects unsupported pixel formats, reject also
unsupported codecs to prevent dangerous misuses.
(cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db)

Conflicts:

libavformat/yuv4mpeg.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vp8: reset loopfilter delta values at keyframes.
Sami Pietila [Fri, 12 Oct 2012 14:12:49 +0000 (07:12 -0700)]
vp8: reset loopfilter delta values at keyframes.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vp56: release frames on error
Luca Barbato [Fri, 14 Dec 2012 08:55:04 +0000 (09:55 +0100)]
vp56: release frames on error

Fixes CVE-2012-2783

CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vp56: make parse_header return standard error codes
Luca Barbato [Fri, 14 Dec 2012 07:22:06 +0000 (08:22 +0100)]
vp56: make parse_header return standard error codes

Returning 0 for failure is misleading.

CC: libav-stable@libav.org
(cherry picked from commit bb675d3ac6d722d5e117ae9042a996b55ca05b1d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago ivi_common: check that scan pattern is set before using it.
Anton Khirnov [Thu, 13 Dec 2012 18:38:20 +0000 (19:38 +0100)]
ivi_common: check that scan pattern is set before using it.

Fixes CVE-2012-2791.

CC: libav-stable@libav.org
(cherry picked from commit deabb52ab4c1fdb3dd319f3980b1489a182011f1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago Update RELEASE file for 0.7.7
Reinhard Tartler [Wed, 2 Jan 2013 21:14:36 +0000 (22:14 +0100)]
Update RELEASE file for 0.7.7

6 years ago tiffenc: Check av_malloc() results.
Alex Converse [Wed, 19 Sep 2012 18:12:58 +0000 (11:12 -0700)]
tiffenc: Check av_malloc() results.

(cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6)

Conflicts:

libavcodec/tiffenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mpegaudiodec: fix short_start calculation
Luca Barbato [Fri, 28 Sep 2012 12:38:13 +0000 (14:38 +0200)]
mpegaudiodec: fix short_start calculation

The value should be always 3, as it follows from the specification.

Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: avoid stuck buffer pointer in decode_nal_units
Jindřich Makovička [Sat, 29 Sep 2012 09:16:45 +0000 (11:16 +0200)]
h264: avoid stuck buffer pointer in decode_nal_units

When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.

This can trigger an infinite loop in the caller code, e.g. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.

With this change, the remaining bytes are skipped so the whole packet gets
consumed.

CC:libav-stable@libav.org

Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)

Conflicts:

libavcodec/h264.c

6 years ago yuv4mpeg: return proper error codes.
Anton Khirnov [Fri, 5 Oct 2012 13:53:32 +0000 (15:53 +0200)]
yuv4mpeg: return proper error codes.

Fixes Bug 373.

CC:libav-stable@libav.org
(cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago smacker audio: sign-extend the initial 16-bit predicted value
Franz Brauße [Fri, 30 Mar 2012 18:40:14 +0000 (14:40 -0400)]
smacker audio: sign-extend the initial 16-bit predicted value

Fixes Bug #265

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago vf_pad: don't give up its own reference to the output buffer.
Anton Khirnov [Sun, 8 Jul 2012 15:01:17 +0000 (17:01 +0200)]
vf_pad: don't give up its own reference to the output buffer.

Conflicts:
libavfilter/vf_pad.c

Fixes Bug 245

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago avidec: return 0, not packet size from read_packet().
Anton Khirnov [Fri, 28 Sep 2012 13:26:48 +0000 (15:26 +0200)]
avidec: return 0, not packet size from read_packet().

(cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago wmapro: prevent division by zero when sample rate is unspecified
Sean McGovern [Thu, 2 Aug 2012 19:37:28 +0000 (15:37 -0400)]
wmapro: prevent division by zero when sample rate is unspecified

This fixes Bugzilla #327:

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 3680b2435101a5de56821718a71c828320d535a0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago alsdec: fix number of decoded samples in first sub-block in BGMC mode.
Thilo Borgmann [Sun, 15 Apr 2012 16:07:12 +0000 (18:07 +0200)]
alsdec: fix number of decoded samples in first sub-block in BGMC mode.

Fixes CVE-2012-2790

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago alsdec: remove dead assignments
Mans Rullgard [Sun, 1 Jul 2012 12:36:30 +0000 (13:36 +0100)]
alsdec: remove dead assignments

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4ca6d206d1b5beea42c4290d2ee801aaf5cd31f0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago alsdec: Fix out of ltp_gain_values read.
Thilo Borgmann [Sun, 11 Mar 2012 15:56:23 +0000 (16:56 +0100)]
alsdec: Fix out of ltp_gain_values read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago alsdec: Check that quantized parcor coeffs are within range.
Michael Niedermayer [Wed, 29 Feb 2012 05:10:17 +0000 (06:10 +0100)]
alsdec: Check that quantized parcor coeffs are within range.

ALS spec:
11.6.3.1.1 Quantization and encoding of parcor coefficients
...
In all cases the resulting quantized values ak are restricted to the range [-64,63].

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago alsdec: Check k used for rice decoder.
Michael Niedermayer [Sat, 7 Apr 2012 15:25:47 +0000 (17:25 +0200)]
alsdec: Check k used for rice decoder.

Values that fail this check will cause failure of decode_rice()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago cavsdec: check for changing w/h.
Michael Niedermayer [Sat, 24 Mar 2012 01:40:24 +0000 (02:40 +0100)]
cavsdec: check for changing w/h.

Our decoder does not support changing w/h.

Fixes CVE-2012-2777 and CVE-2012-2784.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago avidec: use actually read size instead of requested size
Anton Khirnov [Fri, 28 Sep 2012 13:42:29 +0000 (15:42 +0200)]
avidec: use actually read size instead of requested size

Fixes CVE-2012-2788
(cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago wmaprodec: check num_vec_coeffs for validity
Michael Niedermayer [Sat, 14 Apr 2012 09:07:11 +0000 (11:07 +0200)]
wmaprodec: check num_vec_coeffs for validity

Fixes CVE-2012-2789

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 99f392a584dd10b553facc8e819f2c7e982e176d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago lagarith: check count before writing zeros.
Michael Niedermayer [Sat, 14 Apr 2012 16:28:31 +0000 (18:28 +0200)]
lagarith: check count before writing zeros.

Fixes CVE-2012-2793

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo5: check tile size in decode_mb_info().
Michael Niedermayer [Sun, 15 Apr 2012 12:11:50 +0000 (14:11 +0200)]
indeo5: check tile size in decode_mb_info().

This prevents writing into a too small array if some parameters changed
without the tile being reallocated.

Fixes CVE-2012-2794

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo5: prevent null pointer dereference on broken files
Janne Grunau [Mon, 23 Jan 2012 20:33:34 +0000 (21:33 +0100)]
indeo5: prevent null pointer dereference on broken files

Found by John Villamil <johnv@matasano.com>
(cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo: check for invalid motion vectors
Kostya Shishkov [Sat, 19 May 2012 14:07:42 +0000 (16:07 +0200)]
indeo: check for invalid motion vectors

(cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo: clear allocated band buffers
Kostya Shishkov [Sat, 19 May 2012 11:39:15 +0000 (13:39 +0200)]
indeo: clear allocated band buffers

(cherry picked from commit 23ba1503f2b11057c65052b4a07961236d8d69c7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo: check custom Huffman tables for errors
Kostya Shishkov [Sat, 19 May 2012 10:39:49 +0000 (12:39 +0200)]
indeo: check custom Huffman tables for errors

(cherry picked from commit fe7a37c36febd71576cbefc385d995a8d6e444e7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago dfa: add some checks to ensure that decoder won't write past frame end
Kostya Shishkov [Thu, 3 May 2012 18:10:36 +0000 (20:10 +0200)]
dfa: add some checks to ensure that decoder won't write past frame end

(cherry picked from commit 8099187e897ddc90cb3902332c76fb2542dac308)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago dfa: check that the caller set width/height properly.
Anton Khirnov [Fri, 28 Sep 2012 12:47:56 +0000 (14:47 +0200)]
dfa: check that the caller set width/height properly.

Fixes CVE-2012-2786.
(cherry picked from commit ee715f49a06bf3898246d01b056284a9bb1bcbb9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago bytestream: add a new set of bytestream functions with overread checking
Aneesh Dogra [Mon, 19 Dec 2011 22:24:50 +0000 (03:54 +0530)]
bytestream: add a new set of bytestream functions with overread checking

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
6 years ago avsdec: Set dimensions instead of relying on the demuxer.
Michael Niedermayer [Fri, 20 Apr 2012 15:42:18 +0000 (17:42 +0200)]
avsdec: Set dimensions instead of relying on the demuxer.

The decode function assumes that the video will have those dimensions.

Fixes CVE-2012-2801

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago lavfi: avfilter_merge_formats: handle case where inputs are same
Mina Nagy Zaki [Wed, 8 Jun 2011 16:24:25 +0000 (19:24 +0300)]
lavfi: avfilter_merge_formats: handle case where inputs are same

This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)

Conflicts:

libavfilter/formats.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago rv34: use AVERROR return values in ff_rv34_decode_frame()
Janne Grunau [Mon, 13 Feb 2012 20:14:19 +0000 (21:14 +0100)]
rv34: use AVERROR return values in ff_rv34_decode_frame()

Also adds an error message.
(cherry picked from commit 29330721b0e8514f9f8b4d54be75a662a2b79e44)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago h263: Add ff_ prefix to nonstatic symbols
Martin Storsjö [Thu, 9 Feb 2012 09:28:46 +0000 (11:28 +0200)]
h263: Add ff_ prefix to nonstatic symbols

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit ddce8953a5056800ec795df2dfd84fc17a11b5fc)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago eval: fix swapping of lt() and lte()
Max Lazarov [Sat, 31 Mar 2012 06:56:56 +0000 (23:56 -0700)]
eval: fix swapping of lt() and lte()

CC: libav-stable@libav.org
(cherry picked from commit caac3ab6efde4fc9769e8a7472269356f262970a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago bmpdec: only initialize palette for pal8.
Anton Khirnov [Sun, 16 Sep 2012 06:33:09 +0000 (08:33 +0200)]
bmpdec: only initialize palette for pal8.

Gray8 is not considered to be paletted, so this would cause an invalid
write.

Fixes bug 367.

CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago vc1dec: add flush function for WMV9 and VC-1 decoders
Kostya Shishkov [Thu, 27 Sep 2012 17:25:06 +0000 (19:25 +0200)]
vc1dec: add flush function for WMV9 and VC-1 decoders

CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago h264: allow cropping to AVCodecContext.width/height
Mans Rullgard [Wed, 30 May 2012 03:04:54 +0000 (04:04 +0100)]
h264: allow cropping to AVCodecContext.width/height

Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d)

Conflicts:

libavcodec/h264.c

6 years ago x86: Require an assembler able to cope with AVX instructions
Diego Biurrun [Sun, 11 Nov 2012 21:41:46 +0000 (22:41 +0100)]
x86: Require an assembler able to cope with AVX instructions

All modern assemblers have this capability.  Older NASM versions
that lack the capability produce code that crashes at runtime,
so it's better to error out during the build process instead.

(cherry picked from commit e287201c77dc7a7a9759d56d8f48ae719b7e69a9)

Signed-off-by: Diego Biurrun <diego@biurrun.de>
7 years ago vorbis: Validate that the floor 1 X values contain no duplicates.
Alex Converse [Tue, 5 Jun 2012 01:27:03 +0000 (18:27 -0700)]
vorbis: Validate that the floor 1 X values contain no duplicates.

Duplicate values in this vector are explicitly banned by the Vorbis I spec
and cause divide-by-zero crashes later on.
(cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9aaaeba45c41cf2b3fa4100abbdee7437428f93c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago vorbisenc: check all allocations for failure
Justin Ruggles [Thu, 23 Feb 2012 00:23:18 +0000 (19:23 -0500)]
vorbisenc: check all allocations for failure

(cherry picked from commit be8d812c9635f31f69c30dff9ebf565a07a7dab7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e46cf805b10070327026f8e2880fe29e5e9ac1af)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago lavfi: avfilter_merge_formats: handle case where inputs are same
Mina Nagy Zaki [Wed, 8 Jun 2011 16:24:25 +0000 (19:24 +0300)]
lavfi: avfilter_merge_formats: handle case where inputs are same

This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)

Conflicts:

libavfilter/formats.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago alsdec: check opt_order.
Michael Niedermayer [Sat, 24 Mar 2012 00:39:13 +0000 (01:39 +0100)]
alsdec: check opt_order.

Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.

Fixes CVE-2012-2775

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a1b127515bb79c715933d0d4201e4ef3152b3dcb)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago lavf: don't segfault when a NULL filename is passed to avformat_open_input()
Anton Khirnov [Fri, 15 Jun 2012 17:58:11 +0000 (19:58 +0200)]
lavf: don't segfault when a NULL filename is passed to avformat_open_input()

This can easily happen when the caller is using a custom AVIOContext.

Behave as if the filename was an empty string in this case.

CC: libav-stable@libav.org
(cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7124fa5d3640e5b8089dd13b22a09038b2ec5216)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago mpegvideo: Don't use ff_mspel_motion() for vc1
Michael Niedermayer [Sun, 20 Nov 2011 16:19:25 +0000 (17:19 +0100)]
mpegvideo: Don't use ff_mspel_motion() for vc1

Using ff_mspel_motion assumes that s (a MpegEncContext
pointer) really is a Wmv2Context.

This fixes crashes in error resilience on vc1/wmv3 videos.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557)

Signed-off-by: Anton Khirnov <anton@khirnov.net>