libav.git
2 years agotls: Use the right return value for breaking out due to the interrupt callback release/10 github/release/10 gitlab/release/10 videolan/release/10
Martin Storsjö [Thu, 24 Mar 2016 09:27:49 +0000 (11:27 +0200)]
tls: Use the right return value for breaking out due to the interrupt callback

The retry_transfer_wrapper function higher up in the call chain
ignores AVERROR(EINTR), which only means "interrupted by system call".

This makes sure that returning due to the interrupt callback
works as intended.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
3 years agortmpcrypt: Do the xtea decryption in little endian mode
Martin Storsjö [Wed, 11 Nov 2015 19:42:02 +0000 (21:42 +0200)]
rtmpcrypt: Do the xtea decryption in little endian mode

The XTEA algorithm operates on 32 bit numbers, not on byte sequences.
The XTEA implementation in libavutil is written assuming big endian
numbers, while the rtmpe signature encryption assumes little endian.

This fixes rtmpe communication with rtmpe servers that use signature
type 8 (XTEA), e.g. crunchyroll.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
3 years agoUpdate Changelog for 10.7 v10.7
Reinhard Tartler [Sun, 31 May 2015 15:39:39 +0000 (11:39 -0400)]
Update Changelog for 10.7

3 years agoh264: Make sure reinit failures mark the context as not initialized
Luca Barbato [Mon, 25 May 2015 20:30:10 +0000 (22:30 +0200)]
h264: Make sure reinit failures mark the context as not initialized

Bug-Id: CVE-2015-3417
CC: libav-stable@libav.org
(cherry picked from commit 3b69f245dbe6e2016659a45c4bfe284f6c5ac57e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_slice.c

3 years agomsrle: Use FFABS to determine the frame size in msrle_decode_pal4
Luca Barbato [Mon, 25 May 2015 19:53:26 +0000 (21:53 +0200)]
msrle: Use FFABS to determine the frame size in msrle_decode_pal4

As done in msrle_decode_8_16_24_32.

Bug-Id: CVE-2015-3395
CC: libav-stable@libav.org
3 years agox86: cavs: Remove an unneeded scratch buffer
Michael Niedermayer [Thu, 28 May 2015 10:38:35 +0000 (12:38 +0200)]
x86: cavs: Remove an unneeded scratch buffer

Simplifies the code and makes it build on certain compilers
running out of registers on x86.

CC: libav-stable@libav.org
Reported-By: mudler
(cherry picked from commit e4610300de6869bd6b3b00e76cfeabb6d7653dcd)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 4dc0fbb13c33b4e5bdb766652f4daf900ccc952f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoconfigure: Disable i686 for i586 and lower CPUs
Mikulas Patocka [Mon, 15 Sep 2014 12:11:21 +0000 (05:11 -0700)]
configure: Disable i686 for i586 and lower CPUs

(cherry picked from commit b37bfbfbe53917820d1f97312fa0b2e8c7a15217)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agomjpegenc: Fix JFIF header byte ordering
Shiina Hideaki [Thu, 7 May 2015 00:46:55 +0000 (01:46 +0100)]
mjpegenc: Fix JFIF header byte ordering

The header had a wrong version description.

Bug-Id: 808
Signed-off-by: Shiina Hideaki <shiina@yndrd.com>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 5549f693d2181b3211427f65e48eaa2f4fc5a402)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/mjpegenc_common.c

3 years agonut: Make sure to clean up on read_header failure
Luca Barbato [Wed, 29 Apr 2015 19:29:49 +0000 (21:29 +0200)]
nut: Make sure to clean up on read_header failure

Based on Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> work.

CC: libav-stable@libav.org
(cherry picked from commit 1f64b018cbec018fa66a4a20f79958d9707913de)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agopng: Set the color range as full range
wm4 [Fri, 8 May 2015 15:01:50 +0000 (17:01 +0200)]
png: Set the color range as full range

The format uses full range for the gray formats.

CC: libav-stable@libav.org
(cherry picked from commit 0f50c53cfb959162f2bccc1a2c2e066d35723595)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoavi: Validate sample_size
Andreas Cadhalpun [Wed, 6 May 2015 00:26:57 +0000 (02:26 +0200)]
avi: Validate sample_size

And either error out or set it to 0 if it is negative.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a55a70644872027fdf76a75edf12a09c9008880f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agonut: Check chapter creation in decode_info_header
Andreas Cadhalpun [Tue, 28 Apr 2015 18:57:59 +0000 (20:57 +0200)]
nut: Check chapter creation in decode_info_header

This fixes a segmentation fault when accessing the metadata.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 21b21aed797b5e636adcf2df811f96a95f208930)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoalac: Reject rice_limit 0 if compression is used
Andreas Cadhalpun [Thu, 23 Apr 2015 22:01:43 +0000 (00:01 +0200)]
alac: Reject rice_limit 0 if compression is used

If in compression mode rice_limit = 0 leads to call
`show_bits(gb, k)` in `decode_scalar` with k = 0.

Request a sample in case it is valid and it should be accepted.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit cb5324200ccdc693dd5b28dcd7d4b722fad83ea2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoape: Support _0000 files with nblock smaller than 64
Andreas Cadhalpun [Wed, 29 Apr 2015 18:39:22 +0000 (20:39 +0200)]
ape: Support _0000 files with nblock smaller than 64

The decode_array_0000 assumed that 64 is the minimal block size
while it is not.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ac1660509ecfbeca7b63eb5ab8360011180e705b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agomux: Do not leave stale side data pointers in ff_interleave_add_packet()
Michael Niedermayer [Fri, 1 May 2015 22:55:42 +0000 (23:55 +0100)]
mux: Do not leave stale side data pointers in ff_interleave_add_packet()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 386e80610de282c92ad5897683ccaf2675766ac5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoavpacket: Check for and return errors in ff_interleave_add_packet()
Nidhi Makhijani [Mon, 14 Jul 2014 06:22:44 +0000 (11:52 +0530)]
avpacket: Check for and return errors in ff_interleave_add_packet()

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 324ff59444ff5470bb325ff1e2be7c4b054fc944)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agompegts: Update the PSI/SI table only if the version change
John Högberg [Tue, 28 Apr 2015 08:20:33 +0000 (10:20 +0200)]
mpegts: Update the PSI/SI table only if the version change

If a PAT is finished while a PMT section filter is opened but
not yet finished, the PMT section filter is closed and all
the received data is discarded.

This is usually not an issue but some multiplexers (With very
quick PAT/PMT repetition settings) consistently emit a PMT
section start, then a PAT, and then the rest of the PMT,
causing the aforementioned behavior to result in no PMT being
finished.

In the most pathologic situation the stream information are lost
and the probe fallback miscategorizes subtitles as mp3 audio.

Avoid the issue through eliminating redundant PSI/SI table
updates by checking their version field, which is required by
the standard to be incremented on every change no matter how
minor.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 844201e35fe575710be8218d45828df49b77f205)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/mpegts.c

3 years agortsp: Make sure we don't write too many transport entries into a fixed-size array
Martin Storsjö [Fri, 24 Apr 2015 09:38:09 +0000 (12:38 +0300)]
rtsp: Make sure we don't write too many transport entries into a fixed-size array

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f77c9d71615e17414aacbb1720693b800a5a32d3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agortpenc_jpeg: Handle case of picture dimensions not dividing by 8
Andrey Utkin [Fri, 10 Apr 2015 21:54:10 +0000 (00:54 +0300)]
rtpenc_jpeg: Handle case of picture dimensions not dividing by 8

This fixes the calculation of the number of needed blocks to make
sure that ALL pixels are represented by the result.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4415d0f3bbaeb287327ef101ae98d727a69d9af1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agomov: Fix little endian audio detection
Vittorio Giovara [Fri, 13 Mar 2015 19:45:14 +0000 (19:45 +0000)]
mov: Fix little endian audio detection

Set this field to TRUE if the audio component is to operate on
little-endian data, and FALSE otherwise.

However TRUE and FALSE are not defined. Since this flag is just a boolean,
interpret all values except for 0 as little endian.

Sample-Id: 64bit_FLOAT_Little_Endian.mov
(cherry picked from commit 8ae4d4e117626313e0b7df746e82de84d00d160a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agox86: Put COPY3_IF_LT under HAVE_6REGS
Luca Barbato [Mon, 16 Mar 2015 10:26:48 +0000 (11:26 +0100)]
x86: Put COPY3_IF_LT under HAVE_6REGS

It uses 6 registers, unbreaks building on hardened x86 system.

Bug-Id: gentoo/541930
CC: libav-stable@libav.org
(cherry picked from commit 2af720fe5f0418612a8fc26b0147a0e10414fcbe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoroqvideoenc: set enc->avctx in roq_encode_init
Andreas Cadhalpun [Mon, 9 Mar 2015 18:24:09 +0000 (19:24 +0100)]
roqvideoenc: set enc->avctx in roq_encode_init

So far it is only set in roq_encode_frame, but it is used in
roq_encode_end to free the coded_frame. This currently segfaults if
roq_encode_frame is not called between roq_encode_init and
roq_encode_end.

CC:libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9f6c36d961d27283808310e3ca1d8390b55fce9b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agolibvpx: Fix mixed use of av_malloc() and av_reallocp()
Vittorio Giovara [Sun, 8 Mar 2015 21:08:16 +0000 (21:08 +0000)]
libvpx: Fix mixed use of av_malloc() and av_reallocp()

This buffer is resized when vpx_codec_get_cx_data() returns a
VPX_CODEC_STATS_PKT packet.

CC: libav-stable@libav.org
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 7244cefd6e6ba7258cb022dfd7a284099d88a3e8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
3 years agoalsdec: only adapt order for positive max_order gitorious/release/10
Andreas Cadhalpun [Wed, 22 Apr 2015 14:03:41 +0000 (16:03 +0200)]
alsdec: only adapt order for positive max_order

For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1)

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 60f1cc4a1ffcbf24acbb543988ceeaec76b70818)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 378ee3bad5b99e8f90864af9bc851590e0f64825)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
3 years agoalsdec: check sample pointer range in revert_channel_correlation
Andreas Cadhalpun [Tue, 21 Apr 2015 17:28:30 +0000 (19:28 +0200)]
alsdec: check sample pointer range in revert_channel_correlation

Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 94bb1ce882a12b6d7a1fa32715a68121b39ee838)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 41a89cba6086de2bd24f9ec7e21200fa162505e9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
3 years agoaacpsy: correct calculation of minath in psy_3gpp_init
Andreas Cadhalpun [Tue, 21 Apr 2015 16:43:55 +0000 (18:43 +0200)]
aacpsy: correct calculation of minath in psy_3gpp_init

The minimum of the ath(x, ATH_ADD) function depends on ATH_ADD.
This patch uses the first order approximation to determine it.

For ATH_ADD = 4 this results in the value at 3407.06812 (-5.24241638)
not the one at 3410 (-5.24237967).

CC: libav-stabl@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 110f7f35fb615b97d983b1c6c6a714fddd28bcbe)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7b66cf5ce7fdb8b3fa13459aab3f4d6ab559f1ea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
3 years agoalsdec: limit avctx->bits_per_raw_sample to 32
Andreas Cadhalpun [Sat, 18 Apr 2015 18:29:13 +0000 (20:29 +0200)]
alsdec: limit avctx->bits_per_raw_sample to 32

avctx->bits_per_raw_sample is used in get_sbits_long, which only
supports up to 32 bits.

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e191aaca44b986816695e3b7ecfae64697fd6631)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 97010c74cbff177b58daf9a092b4e37a7da26f85)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
3 years agoaasc: return correct buffer size from aasc_decode_frame
Andreas Cadhalpun [Thu, 16 Apr 2015 17:12:02 +0000 (19:12 +0200)]
aasc: return correct buffer size from aasc_decode_frame

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8fc8024ea56e814cd257d5fe27b21a865080782f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0d3a7dd26490156b607541dd2e1faeaa0fc61a88)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
3 years agomatroskadec: fix crash when parsing invalid mkv
Thomas Guillem [Fri, 10 Apr 2015 17:04:51 +0000 (19:04 +0200)]
matroskadec: fix crash when parsing invalid mkv

CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b8d7f3186e86234f6255f5e8ee9e98573b4d9a6e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 3e1c9da38b849ce2982b516004370081fdd89ed0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavformat/matroskadec.c

4 years agodoc: More changelog updates for v10.6 v10.6
Reinhard Tartler [Mon, 9 Mar 2015 01:57:59 +0000 (21:57 -0400)]
doc: More changelog updates for v10.6

4 years agoutvideodec: Handle slice_height being zero
Michael Niedermayer [Wed, 4 Mar 2015 17:36:14 +0000 (17:36 +0000)]
utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)
(cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
4 years agotiff: Check that there is no aliasing in pixel format selection
Anton Khirnov [Sat, 7 Mar 2015 21:06:59 +0000 (22:06 +0100)]
tiff: Check that there is no aliasing in pixel format selection

Fixes possible issues with unexpected bpp/bppcount values.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-8544
(cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agormenc: limit packet size
Andreas Cadhalpun [Mon, 2 Mar 2015 15:52:26 +0000 (16:52 +0100)]
rmenc: limit packet size

The chunk size is limited to UINT16_MAX (written by avio_wb16), so make
sure that the packet size is not too large.

Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agowebp: validate the distance prefix code
Andreas Cadhalpun [Mon, 2 Mar 2015 19:47:57 +0000 (20:47 +0100)]
webp: validate the distance prefix code

According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.

If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agorv10: check size of s->mb_width * s->mb_height
Andreas Cadhalpun [Tue, 3 Mar 2015 20:31:15 +0000 (21:31 +0100)]
rv10: check size of s->mb_width * s->mb_height

If it doesn't fit into 12 bits it triggers an assertion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoeamad: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:44 +0000 (12:11 +0000)]
eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agomdec: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:43 +0000 (12:11 +0000)]
mdec: check for out of bounds read

Bug-Id: CID 1257501
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoconfigure: Properly fail when libcdio/cdparanoia is not found
Vittorio Giovara [Sun, 22 Feb 2015 19:49:52 +0000 (19:49 +0000)]
configure: Properly fail when libcdio/cdparanoia is not found

4 years agoarm: Suppress tags about used cpu arch and extensions
Martin Storsjö [Thu, 5 Mar 2015 21:38:00 +0000 (23:38 +0200)]
arm: Suppress tags about used cpu arch and extensions

When all the codepaths using manually set .arch/.fpu code is
behind runtime detection, the elf attributes should be suppressed.

This allows tools to know that the final built binary doesn't
strictly require these extensions.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73
and b77e335e441040a40fc6156b8e4a134745d10233)
Signed-off-by: Martin Storsjö <martin@martin.st>
4 years agoUpdate Changelog for v10.6
Reinhard Tartler [Sun, 8 Mar 2015 15:20:46 +0000 (11:20 -0400)]
Update Changelog for v10.6

4 years agoPrepare for 10.6 Release
Reinhard Tartler [Sun, 8 Mar 2015 15:16:33 +0000 (11:16 -0400)]
Prepare for 10.6 Release

4 years agoimg2dec: correctly use the parsed value from -start_number
Vittorio Giovara [Tue, 6 Jan 2015 15:47:18 +0000 (16:47 +0100)]
img2dec: correctly use the parsed value from -start_number

Previously the image sequence was always starting from the minimum
number rather than the requested one.

CC: libav-stable@libav.org
4 years agoh264_cabac: Break infinite loops
Michael Niedermayer [Thu, 31 Jan 2013 03:20:24 +0000 (04:20 +0100)]
h264_cabac: Break infinite loops

This fixes out of array reads and/or infinite loops.

30 is the maximum number of bits that can be read into
coeff_abs below.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Martin Storsjö <martin@martin.st>
4 years agoh264: initialize H264Context.avctx in init_thread_copy
Anton Khirnov [Thu, 12 Feb 2015 12:06:49 +0000 (13:06 +0100)]
h264: initialize H264Context.avctx in init_thread_copy

This prevents using a wrong (first thread's) AVCodecContext if decoding
a frame in the first pass over all threads fails.

(cherry picked from commit a06b0b1295c51d100101e0ca0434e199ad6de6b5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2686dab45eec54f99866413153aa0b36381e48be)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoh264: Do not share rbsp_buffer across threads
Michael Niedermayer [Sun, 25 Aug 2013 01:01:19 +0000 (03:01 +0200)]
h264: Do not share rbsp_buffer across threads

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 61928b68dc28e080b8c8191afe5541123c682bbd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 06d433366c02ab81a1aaad33d32934b4180d354b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoh264: only ref cur_pic in update_thread_context if it is initialized
Anton Khirnov [Thu, 12 Feb 2015 11:26:58 +0000 (12:26 +0100)]
h264: only ref cur_pic in update_thread_context if it is initialized

It may be empty if the previous thread's decode call did not contain a
valid frame.

(cherry picked from commit 0dea4c77ccf5956561bb8991311b3d834bb5fa40)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1dbfaa34e615606cb3f1a3ecabb117e354459edc)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/h264_slice.c

4 years agomatroskadec: Fix read-after-free in matroska_read_seek()
Xiaohan Wang [Thu, 6 Nov 2014 20:59:54 +0000 (12:59 -0800)]
matroskadec: Fix read-after-free in matroska_read_seek()

In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.

This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.

Bug-Id: chromium/427266

4 years agosmc: fix the bounds check
Michael Niedermayer [Fri, 3 Oct 2014 20:50:45 +0000 (22:50 +0200)]
smc: fix the bounds check

Fixes invalid writes when there are more blocks in a run than total
remaining blocks.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d423dd72be451462c6fb1cbbe313bed0194001ab)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 58dc526ebf722d33bf09275c1241674e0e6b9ef1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agogifdec: refactor interleave end handling
Michael Niedermayer [Fri, 3 Oct 2014 18:15:52 +0000 (20:15 +0200)]
gifdec: refactor interleave end handling

Fixes invalid writes with very small image heights.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0b39ac6f54505a538c21fe49a626de94c518c903)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit eac49477aa95cf727d87d2741ee8e60be59d394b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agommvideo: check frame dimensions
Anton Khirnov [Sun, 14 Dec 2014 20:01:59 +0000 (21:01 +0100)]
mmvideo: check frame dimensions

The frame size must be set by the caller and each dimension must be a
multiple of 2.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 69a930b988ff4f88ae27e4fc24ff6ed116840b5e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agojvdec: check frame dimensions
Anton Khirnov [Sun, 14 Dec 2014 20:01:59 +0000 (21:01 +0100)]
jvdec: check frame dimensions

The frame size must be set by the caller and each dimension must be a
multiple of 8.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 88626e5af8d006e67189bf10b96b982502a7e8ad)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 55788572ea7b89cdd77bab1cf4bf06d14ead34f5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agomjpegdec: check for pixel format changes
Anton Khirnov [Sun, 14 Dec 2014 19:52:13 +0000 (20:52 +0100)]
mjpegdec: check for pixel format changes

Fixes possible invalid memory access.

Based on code by Michael Niedermayer <michaelni@gmx.at>

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8541
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 809c3023b699c54c90511913d3b6140dd2436550)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit aa7a19b41774ce5f8a4e43f3692a4f9d90aa5c92)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agomov: avoid a memleak when multiple stss boxes are present
Anton Khirnov [Tue, 12 Aug 2014 14:39:10 +0000 (14:39 +0000)]
mov: avoid a memleak when multiple stss boxes are present

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 577f1feb3fd1e51fd14af7ce6d79d468faa3b929)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoavconv: Use the mpeg12 private option scan_offset
Julien Ramseier [Sun, 14 Dec 2014 01:00:04 +0000 (02:00 +0100)]
avconv: Use the mpeg12 private option scan_offset

Introduced in aed790070486b1b01b48106310d9d0ca1730e459

Bug-Id: debian/773055
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd665f7f48fa7db89eb9a93ac33919f6adc40f9d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 864c0c50eb0e7a112b20007459b0cb94b61cb8d3)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoReplace lena.pnm
Reinhard Tartler [Thu, 27 Nov 2014 17:21:03 +0000 (18:21 +0100)]
Replace lena.pnm

The new reference.pnm is a freely licensed replacement. The photo has
been taken by Reinhard Tartler on August 28 2014, and is licensed under
the expat license as stated at http://www.jclark.com/xml/copying.txt

(cherry picked from commit e38231007e19e5f27b0e77e72bcd26fb3d76edfb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
4 years agoTreat all '*.pnm' files as non-text file
Reinhard Tartler [Fri, 28 Nov 2014 14:52:50 +0000 (09:52 -0500)]
Treat all '*.pnm' files as non-text file

This convinces the pre-receive hook to not consider all *.pnm files as
text files to reduce the patch sizes and avoids triggering whitespace
checks,

Contains a correction by Janne Grunau <janne-libav@jannau.net>

(cherry picked from commit b877814e09b9f25308ec205cf48bb9554b33e95c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
4 years agolavu: fix memory leaks by using a mutex instead of atomics
wm4 [Fri, 14 Nov 2014 12:34:50 +0000 (13:34 +0100)]
lavu: fix memory leaks by using a mutex instead of atomics

The buffer pool has to atomically add and remove entries from the linked
list of available buffers. This was done by removing the entire list
with a CAS operation, working on it, and then setting it back again
(using a retry-loop in case another thread was doing the same thing).

This could effectively cause memory leaks: while a thread was working on
the buffer list, other threads would allocate new buffers, increasing
the pool's total size. There was no real leak, but since these extra
buffers were not needed, but not free'd either (except when the buffer
pool was destroyed), this had the same effects as a real leak. For some
reason, growth was exponential, and could easily kill the process due
to OOM in real-world uses.

Fix this by using a mutex to protect the list operations. The fancy
way atomics remove the whole list to work on it is not needed anymore,
which also avoids the situation which was causing the leak.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fbd6c97f9ca858140df16dd07200ea0d4bdc1a83)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 517ce1d09b5e6b72afc2ef9490b5f8ca42fa6a65)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agolavu: add wrappers for the pthreads mutex API
Anton Khirnov [Sun, 23 Nov 2014 20:25:05 +0000 (21:25 +0100)]
lavu: add wrappers for the pthreads mutex API

Also add no-op fallbacks when threading is disabled.

This helps keeping the code clean if Libav is compiled for targets
without threading. Since we assume that no threads of any kind are used
in such configurations, doing nothing is ok by definition.

Based on a patch by wm4 <nfxjfg@googlemail.com>.

(cherry picked from commit 2443e522f0059176ff8717c9c753eb6fe7e7bbf1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 46a17d886b8559723c40b9f5cdf0e0c6b1c95180)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agomp3enc: fix a triggerable assert
Anton Khirnov [Fri, 14 Nov 2014 19:20:50 +0000 (20:20 +0100)]
mp3enc: fix a triggerable assert

We have to check against the number of bytes actually needed, not the
theoretical maximum size.

(cherry picked from commit 12700b0219521a5f20c8ba47b3ad7857ea9e0554)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoresample: Avoid off-by-1 errors in PTS calcs.
Timothy B. Terriberry [Tue, 14 Oct 2014 00:46:00 +0000 (17:46 -0700)]
resample: Avoid off-by-1 errors in PTS calcs.

The rounding used in the PTS calculations in filter_frame() does
not actually match the number of samples output by the resampler.
This leads to off-by-1 errors in the timestamps indicating gaps and
underruns, even when the input timestamps are all contiguous.

Bug-Id: 753

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6cbbf0592f4f3940aac7f687850d1b726a2ea836)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit ca8c62d187fdca13979379fb2ab172ed662aa2f8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoimc: fix order of operations in coefficients read
Vittorio Giovara [Mon, 13 Oct 2014 14:42:28 +0000 (15:42 +0100)]
imc: fix order of operations in coefficients read

Reported-by: Ruoyu <liangry@ucweb.com>
4 years agompeg12: Always invoke the get_format() callback
Rémi Denis-Courmont [Thu, 25 Sep 2014 08:59:58 +0000 (11:59 +0300)]
mpeg12: Always invoke the get_format() callback

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoh264: Always invoke the get_format() callback
Rémi Denis-Courmont [Thu, 25 Sep 2014 08:59:57 +0000 (11:59 +0300)]
h264: Always invoke the get_format() callback

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoAdd some bug references to the changelog
Diego Biurrun [Tue, 16 Sep 2014 10:40:37 +0000 (03:40 -0700)]
Add some bug references to the changelog

4 years agoapetag: Fix APE tag size check
Katerina Barone-Adesi [Mon, 15 Sep 2014 23:40:24 +0000 (01:40 +0200)]
apetag: Fix APE tag size check

The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.

(cherry picked from commit b45ab61b24a8f2aeafdd4451491b1b30b7875ee5)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agoUpdate Changelog for v10.5 v10.5
Diego Biurrun [Wed, 10 Sep 2014 20:01:30 +0000 (13:01 -0700)]
Update Changelog for v10.5

4 years agoPrepare for 10.5 release
Diego Biurrun [Wed, 10 Sep 2014 20:01:07 +0000 (13:01 -0700)]
Prepare for 10.5 release

4 years agodoc: Fix syntax and logical errors in avconv stream combination example
Diego Biurrun [Wed, 10 Sep 2014 16:38:15 +0000 (18:38 +0200)]
doc: Fix syntax and logical errors in avconv stream combination example

Bug-Id: 661
CC: libav-stable@libav.org
(cherry picked from commit 775a0b04f0cf8102fe322b2ee03fe1a0633dea04)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agolicense: Mention that vf_interlace is GPL, not LGPL
Diego Biurrun [Wed, 27 Aug 2014 11:14:20 +0000 (13:14 +0200)]
license: Mention that vf_interlace is GPL, not LGPL

(cherry picked from commit 9e8bbe7d4d1dcd5fec491dbfbb98ed2038a7bed5)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agopulse: Add a wallclock option to be compatible with other other captures
Luca Barbato [Sat, 23 Aug 2014 17:03:21 +0000 (19:03 +0200)]
pulse: Add a wallclock option to be compatible with other other captures

alsa and x11grab use av_gettime() to report timestamps.

Have it on by default.

Bug-Id: 647
(cherry picked from commit 424b929b5cb9ca4094099f25179829260d4b0fa3)
(cherry picked from commit 404731bd20e1df5880e6fe381e975ba48afc75b2)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoavconv: fix parsing the AVOptions for -target
Anton Khirnov [Tue, 26 Aug 2014 06:26:35 +0000 (06:26 +0000)]
avconv: fix parsing the AVOptions for -target

CC: libav-stable@libav.org
(cherry picked from commit f5245a9c6206878b892adf3ccbccc9311c202af5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoavconv: fix the muxrate values for -target
Anton Khirnov [Mon, 25 Aug 2014 21:24:35 +0000 (21:24 +0000)]
avconv: fix the muxrate values for -target

The mpegenc private option values are in 50-byte units.

CC: libav-stable@libav.org
(cherry picked from commit 1688eef25385089026aba55da1885f70a57815ab)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agompegenc: limit the maximum muxrate
Anton Khirnov [Mon, 25 Aug 2014 21:21:57 +0000 (21:21 +0000)]
mpegenc: limit the maximum muxrate

It is written to the file as a 22-bit value.

CC: libav-stable@libav.org
(cherry picked from commit 75bbaf2493a71ee66eaabe3c21fadd84d07888de)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavformat/mpegenc.c

4 years agompegvideo: Use the current_picture pts
Michael Niedermayer [Fri, 18 Apr 2014 21:11:31 +0000 (23:11 +0200)]
mpegvideo: Use the current_picture pts

The picture slot can be recycled by select_input_picture and
only current_picture is populated with the valid pts.

Unbreak timestamps when in cbr mode.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 1c7b71a5bdb88ebb69734100405bbb5441b871e8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/mpegvideo_enc.c

4 years agosetpts: Add missing inttypes.h #include for PRId64
Diego Biurrun [Wed, 20 Aug 2014 16:54:50 +0000 (09:54 -0700)]
setpts: Add missing inttypes.h #include for PRId64

Also convert a debug av_log() to av_dlog().

(cherry picked from commit a89dd9a72c6e9c3111d6f34d9b08cd624fe76358)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agoproresenc: Properly account for alpha plane
Christophe Gisquet [Mon, 18 Aug 2014 14:15:24 +0000 (14:15 +0000)]
proresenc: Properly account for alpha plane

The packet buffer allocation considers the alpha channel as DCT-coded,
while it is actually run-coded and thus requires a larger buffer.

CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 41e1354c101004ccd46dc08d3dd6e956e83a6b51)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoproresenc: Realloc if buffer is too small
Christophe Gisquet [Mon, 18 Aug 2014 14:15:23 +0000 (14:15 +0000)]
proresenc: Realloc if buffer is too small

The buffer allocation may be incorrect (e.g. with an alpha plane),
and currently causes the buffer to be set to NULL by init_put_bits,
causing a crash later on.

So, detect that situation, and if detected, reallocate the buffer
and ask for a sample that shows the problem.

CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 45ce880a9b3e50cfa088f111dffaf8685bd7bc6b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoproresenc: Report buffer overflow
Christophe Gisquet [Mon, 18 Aug 2014 14:15:22 +0000 (14:15 +0000)]
proresenc: Report buffer overflow

If the allocated size, despite best efforts, is too small, exit
with the appropriate error.

CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 58b68e4fdea22e22178e237bda950b09cc6f363a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoproresenc: Remove unneeded parameters from encode_alpha_plane()
Christophe Gisquet [Mon, 18 Aug 2014 14:15:21 +0000 (14:15 +0000)]
proresenc: Remove unneeded parameters from encode_alpha_plane()

Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit b16699f2da9c1d41eff852ec3a0c81f74fd44421)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoUpdate Changelog for v10.4 v10.4
Reinhard Tartler [Sun, 17 Aug 2014 14:23:20 +0000 (10:23 -0400)]
Update Changelog for v10.4

4 years agoPrepare for 10.4 Release
Reinhard Tartler [Sun, 17 Aug 2014 14:19:48 +0000 (10:19 -0400)]
Prepare for 10.4 Release

4 years agompegts: Do not try to write a PMT larger than SECTION_SIZE
Luca Barbato [Tue, 12 Aug 2014 18:21:12 +0000 (20:21 +0200)]
mpegts: Do not try to write a PMT larger than SECTION_SIZE

Prevent out of array writes.

Similar to what Michael Niedermayer did to address the same issue.

Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit e8049af1325dd59a51546c15b2e71a0f578e9d27)

Conflicts:
libavformat/mpegtsenc.c

4 years agompegts: Define the section length with a constant
Luca Barbato [Sun, 3 Aug 2014 17:27:07 +0000 (19:27 +0200)]
mpegts: Define the section length with a constant

The specification says the value is expressed in 10 bits including
the 4-byte CRC.

(cherry picked from commit 89616408e38ac7257e36976723df0e23d6ee1157)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/mpegtsenc.c

4 years agoffv1dec: check that global parameters do not change in version 0/1
Michael Niedermayer [Fri, 30 Aug 2013 02:51:09 +0000 (04:51 +0200)]
ffv1dec: check that global parameters do not change in version 0/1

Such changes are neither allowed nor supported

Found-by: ami_stuff
Bug-Id: CVE-2013-7020
CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da7d839a0d3ec40423a665dc85e0cfaed3f92eb8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoh264: fix interpretation of interleaved stereo modes
Felix Abecassis [Thu, 7 Aug 2014 09:42:36 +0000 (11:42 +0200)]
h264: fix interpretation of interleaved stereo modes

Column and row frame packing arrangements were inverted.

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
4 years agosvq1: do not modify the input packet
Anton Khirnov [Sun, 3 Aug 2014 08:14:48 +0000 (10:14 +0200)]
svq1: do not modify the input packet

The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.

Also, check the size of the header, avoiding invalid reads on truncated
data.

CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agocdgraphics: do not return 0 from the decode function
Anton Khirnov [Wed, 6 Aug 2014 10:56:34 +0000 (10:56 +0000)]
cdgraphics: do not return 0 from the decode function

0 means no data consumed, so it can trigger an infinite loop in the
caller.

CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agocdgraphics: switch to bytestream2
Anton Khirnov [Wed, 6 Aug 2014 10:46:50 +0000 (10:46 +0000)]
cdgraphics: switch to bytestream2

Fixes possible invalid memory accesses on corrupted data.

CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agojpeg2000: enable 4 component pixel formats
Vittorio Giovara [Wed, 6 Aug 2014 10:07:08 +0000 (11:07 +0100)]
jpeg2000: enable 4 component pixel formats

Bug-Id: 721
CC: libav-stable@libav.org
Sample-Id: 31230.mov

4 years agostereo3d: add missing include guards
Vittorio Giovara [Mon, 21 Apr 2014 00:33:35 +0000 (02:33 +0200)]
stereo3d: add missing include guards

4 years agohuffyuvdec: check width size for yuv422p
Michael Niedermayer [Sat, 2 Aug 2014 23:54:33 +0000 (00:54 +0100)]
huffyuvdec: check width size for yuv422p

Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agommvideo: check horizontal coordinate too
Michael Niedermayer [Sun, 3 Aug 2014 18:24:18 +0000 (19:24 +0100)]
mmvideo: check horizontal coordinate too

Fixes out of array accesses.

Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agowmalosslessdec: fix mclms_coeffs* array size
Michael Niedermayer [Fri, 7 Feb 2014 14:07:23 +0000 (15:07 +0100)]
wmalosslessdec: fix mclms_coeffs* array size

Fixes corruption of context

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Bug-Id: CVE-2014-2098
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 849b9d34c7ef70b370c53e7af3940f51cbc07d0f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years agoUpdate Changelog for v10.3 v10.3
Reinhard Tartler [Mon, 4 Aug 2014 01:30:32 +0000 (21:30 -0400)]
Update Changelog for v10.3

4 years agohuffyuv: Check and propagate function return values
Diego Biurrun [Sun, 3 Aug 2014 19:19:10 +0000 (12:19 -0700)]
huffyuv: Check and propagate function return values

Bug-Id: CVE-2013-0868

inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Diego Biurrun <diego@biurrun.de>
CC: libav-stable@libav.org
(cherry picked from commit d0393d79bc3d61c9f2ff832c0e273b7774ff0269)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c

4 years agoh264: prevent theoretical infinite loop in SEI parsing
Vittorio Giovara [Wed, 30 Jul 2014 18:33:36 +0000 (19:33 +0100)]
h264: prevent theoretical infinite loop in SEI parsing

Properly address CVE-2011-3946 and parse bitstream as described in the spec.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
4 years agopgssubdec: Check RLE size before copying
Michael Niedermayer [Thu, 31 Jul 2014 01:31:19 +0000 (21:31 -0400)]
pgssubdec: Check RLE size before copying

Make sure the buffer size does not exceed the expected
RLE size.

Prevent an out of array bound write.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agofate: Add dependencies for dct/fft/mdct/rdft tests
Diego Biurrun [Thu, 26 Jun 2014 00:09:13 +0000 (17:09 -0700)]
fate: Add dependencies for dct/fft/mdct/rdft tests

(cherry picked from commit 24f45c16224d4c5d482e928676714766ffdda4fc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agovideo4linux2: Avoid a floating point exception
Bernhard Übelacker [Sun, 27 Jul 2014 15:38:59 +0000 (08:38 -0700)]
video4linux2: Avoid a floating point exception

This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.

(cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
4 years agovf_select: Drop a debug av_log with an unchecked double to enum conversion
Diego Biurrun [Tue, 29 Jul 2014 12:43:04 +0000 (05:43 -0700)]
vf_select: Drop a debug av_log with an unchecked double to enum conversion

CC: libav-stable@libav.org
(cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905)
Signed-off-by: Diego Biurrun <diego@biurrun.de>