ffmpeg

mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-01-16 11:01:16 +01:00

Author	SHA1	Message	Date
Michael Niedermayer	0d40fbaef0	iff: fix null ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `41abc9da50`)	2012-05-06 00:54:40 +02:00
Michael Niedermayer	1ca4e70b6c	cook: check subacket count Fixes out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `5a35bd92ad`)	2012-05-06 00:47:44 +02:00
Michael Niedermayer	581a830829	Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: Update Changelog for the 0.8.2 Release Prepare for 0.8.2 Release vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. jpeg: handle progressive in second field of interlaced. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. tta: prevents overflows for 32bit integers in header. ttadec: CRC checking tta: use skip_bits_long() Conflicts: Changelog RELEASE libavcodec/h264.c libavcodec/tta.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-05-06 00:25:39 +02:00
Mans Rullgard	d5207e2af8	vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit `58b2e0f0f2`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:14:26 +02:00
Alex Converse	9ea94c44b1	celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit `37ddd38332`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Alex Converse	aaa6a66677	motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit `b5da848fac`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	7240cc3f8b	jpeg: handle progressive in second field of interlaced. Progressive data is allocated later in decode_sof(), not allocating that data leads to NULL dereferences. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `5eec5a79da`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	7fe4c8cb76	h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `2d22d4307d`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	746f1594d7	h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `732f9fcfe5`) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 22:09:27 +02:00
Ronald S. Bultje	0e4bb0530f	tta: prevents overflows for 32bit integers in header. This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `ac80b812cd`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 21:28:45 +02:00
Paul B Mahol	994c0efcc7	ttadec: CRC checking Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit `2af3dc8698`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 21:28:35 +02:00
Paul B Mahol	cf5e119d4a	tta: use skip_bits_long() Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit `9aff2d1753`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-04 21:28:28 +02:00
Michael Niedermayer	1ee1e9e43f	vqavideodev: Check image dimensions Fixes out of heap array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `3583c8706d`) Independently-Found-by: Fabian Yamaguchi Fixes: CVE-2012-0947 Conflicts: libavcodec/vqavideo.c	2012-05-03 00:22:32 +02:00
Michael Niedermayer	15e9aee544	Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: (24 commits) apedec: check bits <= 32. truemotion: forbid invalid VLC bitsizes and token values. mov: don't overwrite existing indexes. truemotion2: handle out-of-frame motion vectors through edge extension. lzw: prevent buffer overreads. truemotion2: convert packet header reading to bytestream2. lagarith: fix buffer overreads. raw: forward avpicture_fill() error code in raw_decode(). vc1: Do not read from array if index is invalid. utvideo: port header reading to bytestream2. bytestream: add more unchecked variants for bytestream2 API bytestream: K&R formatting cosmetics bytestream: Add bytestream2 writing API. aac: Reset PS parameters on header decode failure. mov: Do not read past the end of the ctts_data table. xwma: Validate channels and bits_per_coded_sample. asf: reset side data elements on packet copy. vqa: check palette chunk size before reading data. vqavideo: port to bytestream2 API wmavoice: fix stack overread. ... Conflicts: cmdutils.c cmdutils.h libavcodec/lagarith.c libavcodec/truemotion2.c libavcodec/vqavideo.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-05-03 00:20:54 +02:00
Michael Niedermayer	e8050f313e	apedec: check bits <= 32. Fixes a floating-point exception further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> (cherry picked from commit `420d1df2e2`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	be424d86a8	truemotion: forbid invalid VLC bitsizes and token values. SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid values larger than this in get_vlc2() (max_bits). tokens[][] can be used as an index in deltas[], which has a size of 64, so ensure the values are smaller than that. This prevents crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `b7b1509d06`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	46f8bbfc6d	truemotion2: handle out-of-frame motion vectors through edge extension. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `bf39d3b59d`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	562c6a7bf1	lzw: prevent buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `ddcf67c8a5`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	e711ccee4d	truemotion2: convert packet header reading to bytestream2. Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `bd508d435b`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	d6372e80fe	lagarith: fix buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `0a82f5275f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:03 +02:00
Ronald S. Bultje	29d91e9161	raw: forward avpicture_fill() error code in raw_decode(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `98df2e2414`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Mashiat Sarker Shakkhar	583f57f04a	vc1: Do not read from array if index is invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `95b192de5d`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Ronald S. Bultje	f8f6c14f54	utvideo: port header reading to bytestream2. Fixes crash during slice size reading if slice_end goes negative. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `ec0ed97b04`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Paul B Mahol	9e24f2a1f0	bytestream: add more unchecked variants for bytestream2 API Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `f1ce053cd0`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Aneesh Dogra	e788c6e9cb	bytestream: K&R formatting cosmetics Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit `ab9ae40152`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Aneesh Dogra	2e681cf50f	bytestream: Add bytestream2 writing API. Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit `db7d45237a`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Alex Converse	9ddd3abe78	aac: Reset PS parameters on header decode failure. If the next header frame codes zero envelopes the previous frame's values will be used. Consequently the invalid values must be cleared. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `a237b38021`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:02 +02:00
Ronald S. Bultje	c21b858b27	vqa: check palette chunk size before reading data. Prevents overreads beyond buffer boundaries. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `75d7975268`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00
Paul B Mahol	0b9bb581fd	vqavideo: port to bytestream2 API Protects against overreads. Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `5a3a906ba2`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00
Ronald S. Bultje	105601c151	wmavoice: fix stack overread. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `262196445c`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00
Ronald S. Bultje	3a4949aa50	indeo4: fix out-of-bounds function call. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com> (cherry picked from commit `68fd077f68`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00
Ronald S. Bultje	bf3998d71e	mimic: don't use self as reference, and report completion at end of decode(). Fixes hangs on corrupt samples that reference self-frames. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `80387f0e25`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00
Ronald S. Bultje	87208b8fc4	mpeg4: report frame decoding completion at ff_MPV_frame_end(). Prevents hangs on corrupt input. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `c6ccb96bc9`) Conflicts: libavcodec/mpegvideo.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-29 22:07:01 +02:00
Ronald S. Bultje	265a628f16	h264: use struct offsets in get_cabac_bypass_sign_x86(). (cherry picked from commit `db025929f2`)	2012-04-21 21:41:30 +02:00
ami_stuff	a854d00acd	Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent. Fixes an AAC decoding issue with the sample from ticket #213 on machines with SSE but without SSE2. Based on 89411a by Reimar. (cherry picked from commit `f6b7863808`)	2012-04-04 09:16:49 +02:00
Michael Niedermayer	a56eaa024f	mpeg4: dont reset picture_num for xvid Fixes Ticket1162 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `a4e359a3f9`)	2012-04-04 08:38:18 +02:00
Michael Niedermayer	fdc6f6507c	h264: fix seeking in low delay streams without IDR Fixes Ticket1165 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `3360b8517a`)	2012-04-04 08:38:06 +02:00
Franz Brauße	f9bdc93723	smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit `12cbbbb4ab`)	2012-04-01 13:57:49 +02:00
Michael Niedermayer	abfafb6c81	pngenc: Fix incorrect mask used for interlaced mode. Fixes Ticket1109 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `15db6a9590`)	2012-03-21 10:50:58 +01:00
Kelly Anderson	0a224ab102	libx264: fix duplicate stats entry Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-17 08:56:59 +01:00
Michael Niedermayer	001f4c7dc6	jpeglsdec: Prevent out of array write. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `00ab9cdae1`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 16:46:30 +01:00
Michael Niedermayer	313ddbfe48	proresdec: Fix read via negative index in a global array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `0065080320`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 16:42:49 +01:00
Michael Niedermayer	7f5bd6c72b	diracdec: Correct the bytestream end pointer. This fixes some arith decoder overreads and a potential infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `0f13cc732b`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 16:00:07 +01:00
Michael Niedermayer	0be85fd80f	diracdec: Check for negative quants which would cause out of array reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `5cd8afee99`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 15:59:30 +01:00
Michael Niedermayer	9f253ebb41	diracdec: Fix integer overflow leading to out of global array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `9729f140ae`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 15:59:21 +01:00
Michael Niedermayer	6242dae507	sonic: update to new API Fixes Ticket1075 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `6f9803e5e0`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 15:23:10 +01:00
Michael Niedermayer	1749b0d74d	mmvideo: restore initial y value. This bug might have been exploitable (out of HEAP buffer writes) Bug introduced by libav commit `a55d5bdc6e` Date: Tue Mar 6 15:15:42 2012 -0800 algmm: convert to bytestream2 API. (cherry picked from commit `c2e3b564b3`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 14:46:08 +01:00
Michael Niedermayer	568e9062bd	Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: (154 commits) Update Changelog for the 0.8.1 Release dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 dca: don't use av_clip_uintp2(). snow: check reference frame indices. snow: reject unsupported chroma shifts. xa_adpcm: limit filter to prevent xa_adpcm_table[] array bounds overruns. h264: increase reference poc list from 16 to 32. h264: stricter reference limit enforcement. h264: improve parsing of broken AVC SPS Replace computations of remaining bits with calls to get_bits_left(). png: convert to bytestream2 API. roqvideo: convert to bytestream2 API. smc: port to bytestream2 API. tgq: convert to bytestream2 API. algmm: convert to bytestream2 API. jvdec: unbreak video decoding h264: Fix invalid interlaced/progressive MB combinations for direct mode prediction. libx264: add 'stats' private option for setting 2pass stats filename. libx264: fix help text for slice-max-size option. avconv: reindent ... Conflicts: Changelog RELEASE avconv.c doc/APIchanges ffplay.c libavcodec/Makefile libavcodec/aacdec.c libavcodec/alsdec.c libavcodec/atrac3.c libavcodec/avcodec.h libavcodec/dvdata.c libavcodec/fraps.c libavcodec/golomb.h libavcodec/h264.c libavcodec/h264.h libavcodec/h264_cabac.c libavcodec/h264_cavlc.c libavcodec/h264_direct.c libavcodec/h264_parser.c libavcodec/h264_ps.c libavcodec/h264idct_template.c libavcodec/indeo3.c libavcodec/kgv1dec.c libavcodec/kmvc.c libavcodec/mjpegbdec.c libavcodec/mmvideo.c libavcodec/mpegaudiodec.c libavcodec/mpegvideo.h libavcodec/options.c libavcodec/pngdec.c libavcodec/roqvideodec.c libavcodec/shorten.c libavcodec/svq3.c libavcodec/utils.c libavcodec/version.h libavcodec/wmadec.c libavcodec/xxan.c libavformat/Makefile libavformat/asfdec.c libavformat/dv.c libavformat/mov.c libavformat/nsvdec.c libavformat/utils.c libavformat/version.h libavutil/avutil.h libavutil/error.c libavutil/error.h libswscale/swscale.c libswscale/utils.c libswscale/x86/swscale_template.c tests/ref/acodec/g722 Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 09:01:08 +01:00
Michael Niedermayer	5dbc75870f	qpeg: Fix out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-03-16 06:29:10 +01:00
Fabian Greffrath	c91a14638e	srtdec: fix a format string vulnerability. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `aaa1173de7`)	2012-03-16 06:29:10 +01:00

1 2 3 4 5 ...

17474 Commits