From 38a511e84cb776ec16cb7edcf8ed5e878af0a374 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 25 Nov 2011 00:45:16 +0200 Subject: [PATCH 1/7] swscale: Readd #define _SVID_SOURCE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was removed erroneously in 046f081b46c8479820409cf8f530b988221bd15b. This define still is necessary for getting MAP_ANONYMOUS defined on linux/glibc, despite the define reshuffling done in that commit. Without MAP_ANONYMOUS defined, the mprotect calls for setting the generated mmx2 scaler code pages executable are left out, causing crashes if that codepath is chosen. This patch fixes scaling from 192x144 to 320x240 with -sws_flags fast_bilinear, which crashes on linux at the moment. Signed-off-by: Martin Storsjö (cherry picked from commit f32dfad9dc64acf0fd1bb867e127a9efe6380676) Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index d048b22e24..43efa0ce0e 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#define _SVID_SOURCE //needed for MAP_ANONYMOUS #include #include #include From 0eca0da06e40b73af495cc05fbcfaa030fcf78ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 19:10:21 +0100 Subject: [PATCH 2/7] svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148, CVE-2011-4579 Found-by: Phillip Langlois Signed-off-by: Michael Niedermayer (cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229) Signed-off-by: Reinhard Tartler --- libavcodec/svq1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 2a80374569..325cc1289b 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c 
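Review bot: The added `#define _SVID_SOURCE //needed for MAP_ANONYMOUS` puts the symbol back, but the gate it feeds stays silent: per the message above, the mprotect() calls that make the generated MMX2 scaler pages executable are simply compiled out when MAP_ANONYMOUS is undefined, so the next header reshuffle would again produce a build that crashes at runtime instead of one that fails to build. A `#warning` or `#error` in the block that tests MAP_ANONYMOUS, or a configure-time check, would make that failure loud. The comment on the added line could also record the dependency, e.g. `#define _SVID_SOURCE // needed for MAP_ANONYMOUS; without it the mprotect() setup for the generated scaler code is compiled out`. Feature-test macros must precede the first system header, which this placement satisfies; if the build also passes -D_SVID_SOURCE on the command line, wrapping the line in `#ifndef _SVID_SOURCE` avoids a macro-redefinition diagnostic.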
@@ -658,6 +658,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, av_dlog(s->avctx, "Error in svq1_decode_frame_header %i\n",result); return result; } + avcodec_set_dimensions(avctx, s->width, s->height); //FIXME this avoids some confusion for "B frames" without 2 references //this should be removed after libavcodec can handle more flexible picture types & ordering From bba709214a51ffd665a67404d3beb3727bb3f319 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 4 Dec 2011 10:10:33 +0100 Subject: [PATCH 3/7] vp3dec: Check coefficient index in vp3_dequant() Based on a patch by Michael Niedermayer Fixes NGS00145, CVE-2011-4352 Found-by: Phillip Langlois Signed-off-by: Reinhard Tartler (cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f) Signed-off-by: Reinhard Tartler --- libavcodec/vp3.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c117a64084..890db5c59f 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1291,6 +1291,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, case 1: // zero run s->dct_tokens[plane][i]++; i += (token >> 2) & 0x7f; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); + return i; + } block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; i++; break; @@ -1493,7 +1497,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - vp3_dequant(s, s->all_fragments + i, plane, 0, block); + int index; + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); + if (index > 63) + continue; if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( 
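Review bot: The width and height produced by the frame-header parser reach `avcodec_set_dimensions(avctx, s->width, s->height);` on the added line without a visible range check, and nothing in the hunk shows avcodec_set_dimensions() validating its arguments; unless svq1_decode_frame_header() (outside the hunk) already rejects zero or oversized values, a crafted header can now push them straight into the frame-buffer allocation. A guard in front of the call, `if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return AVERROR_INVALIDDATA;`, would keep the CVE-2011-4579 fix from trading a stale-size overflow for a bad-size allocation. The enclosing svq1_decode_frame() starts and ends outside the hunk.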
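Review bot: The new `if (i > 63)` guard signals failure in-band: vp3_dequant() already returns the coefficient index as its result, so `return i;` makes every value above 63 mean "error" and each caller has to know to compare against 63 (the two render_slice hunks below do, each with its own copy of the test). Returning a distinct negative code, `return AVERROR_INVALIDDATA;`, and testing `index < 0` at the call sites would keep the error unmistakable for a legitimate count and stop callers from re-deriving the block size. If the other cases of this switch also index `block[perm[i]]` with an i derived from the token, they need the same bound; only the zero-run case is guarded here. vp3_dequant() begins and ends outside this hunk.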
@@ -1501,7 +1508,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) stride, block); } else { - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); + if (index > 63) + continue; + if (index > 0) { s->dsp.idct_add( output_plane + first_pixel, stride, From 851098c9e004b2ce294b687cb18633b038dcc3fe Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 1 Dec 2011 18:48:33 +0100 Subject: [PATCH 4/7] swscale: #include "libavutil/mathematics.h" this file uses the M_PI macro since 4e74187db2f5db52f88729efc662df9d6bc763e1, so include the correct header directly. Signed-off-by: Reinhard Tartler (cherry picked from commit 5089ce1b5abe2ecbbfd7235aeb0ad47ba38305c1) Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 43efa0ce0e..ac22dfe688 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -43,6 +43,7 @@ #include "libavutil/cpu.h" #include "libavutil/avutil.h" #include "libavutil/bswap.h" +#include "libavutil/mathematics.h" #include "libavutil/opt.h" #include "libavutil/pixdesc.h" From 7ce728050b6157fc926bc399393d8c1161c9efd6 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 23 Dec 2011 16:00:17 +0100 Subject: [PATCH 5/7] Update RELEASE file for 0.7.3 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7486fdbc50..f38fc5393f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.2 +0.7.3 From 8dba5608dcf76032d8a9aa4bd8a3fc1392682281 Mon Sep 17 00:00:00 2001 
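Review bot: The bound check added here duplicates the one added to the MODE_INTRA branch in the preceding hunk: both branches now call vp3_dequant() differing only in the fourth argument (0 for intra, 1 for inter, by the look of it) and both test `index > 63` before `continue`. Calling it once above the branch, `int index = vp3_dequant(s, s->all_fragments + i, plane, s->all_fragments[i].coding_method != MODE_INTRA, block);` followed by a single `if (index > 63) continue;`, leaves one place to keep in sync when the error convention changes, while the intra branch keeps its unconditional idct_put and the inter branch its `if (index > 0)` test. Since vp3_dequant() logs on every overflow, a malformed stream now yields one log line per skipped fragment; a once-per-frame flag would bound that. render_slice() starts and ends outside the hunk.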
From: Justin Ruggles Date: Tue, 22 Nov 2011 13:37:52 -0500 Subject: [PATCH 6/7] wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits. The initial values are not checked against the number of block sizes. Initializing them to frame_len_bits will result in a block size index of 0 in these cases instead of something that might be out-of-range. Fixes Bug 81. (cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8) Signed-off-by: Reinhard Tartler --- libavcodec/wma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index bed47ec35b..4cdffcd101 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -137,6 +137,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) /* compute MDCT block size */ s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0); + s->next_block_len_bits = s->frame_len_bits; + s->prev_block_len_bits = s->frame_len_bits; + s->block_len_bits = s->frame_len_bits; s->frame_len = 1 << s->frame_len_bits; if (s->use_variable_block_len) { From d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1 Mon Sep 17 00:00:00 2001 From: Shitiz Garg Date: Wed, 14 Dec 2011 18:29:21 +0530 Subject: [PATCH 7/7] 4xm: Add a check in decode_i_frame to prevent buffer overreads Fixes bugzilla #135 Signed-off-by: Janne Grunau (cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84) Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 176feb94c0..ed832598b0 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c 
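Review bot: The three added assignments make the initial block-size index 0, but as the message says the values are still never checked against the number of block sizes, so the hunk removes one bad initial value rather than adding the missing bound: whatever later turns block_len_bits, prev_block_len_bits and next_block_len_bits into an index still trusts that it is in range. If the values the bitstream later stores in these fields are not checked either, a range check at the point where that index is computed (outside this hunk) would cover both cases. A short comment on the new lines would record the intent, e.g. `/* start from the frame length so the block-size index is 0 until the stream selects another size */`. ff_wma_init() continues outside the hunk.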
@@ -658,9 +658,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; const unsigned int bitstream_size= AV_RL32(buf); - const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); - unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); - const uint8_t *prestream= buf + bitstream_size + 12; + int token_count av_unused; + unsigned int prestream_size; + const uint8_t *prestream; + + if (length < bitstream_size + 12) { + av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); + return AVERROR_INVALIDDATA; + } + + token_count = AV_RL32(buf + bitstream_size + 8); + prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; if(prestream_size + bitstream_size + 12 != length || bitstream_size > (1<<26)