highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
31,893 Commits 36 Branches 392 Tags
0a57df38f468e905f0fe834ac5e21b89f68f5ce6
Commit Graph

31893 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Reinhard Tartler
1687c55e24 Update RELEASE file for 0.7.5 2012-04-01 19:08:06 +02:00
Reinhard Tartler
fd53da21a1 lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN 
While bogus, this change avoids the necessity to backport
AVERROR_UNKNOWN, which is not entirely trivial.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:30 +02:00
Michael Niedermayer
a0b65938b7 kgv1dec: Increase offsets array size so it is large enough. 
Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973)
(cherry picked from commit d5f2382d03)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
cb8a17ddac kgv1: use avctx->get/release_buffer(). 
Also fixes crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 33cd32b389)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e537dc230b)

Conflicts:

	libavcodec/kgv1dec.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Gaurav Narula
24eabc53ba kvmc: fix invalid reads 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit ad3161ec1d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Diego Biurrun
6fe5038753 nsvdec: Propagate error values instead of returning 0 in nsv_read_header(). 
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d4758)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Alex Converse
6ae95a0b93 mjpegbdec: Fix overflow in SOS. 
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Michael Niedermayer
96ed18cab1 shorten: Use separate pointers for the allocated memory for decoded samples. 
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.

Fixes CVE-2012-0858
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Justin Ruggles
a207a2fecc shorten: check for realloc failure (cherry picked from commit 9e5e2c2d01) 
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Michael Niedermayer
f728ad26f0 atrac3: Fix crash in tonal component decoding. 
Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Michael Niedermayer
e676bbb8cf ws_snd1: Fix wrong samples count and crash. 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9fb7a5af97)

Addresses CVE-2012-0848

Reviewed-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 697a45d861)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Justin Ruggles
847c7cd0c8 ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f) 
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Justin Ruggles
137007b5bf ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16. 
8-bit unsigned is the native sample format.
(cherry picked from commit 2322ced8da)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Kostya Shishkov
90db3c435e dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
8b819fd9d3 h264: stricter reference limit enforcement. 
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Paul B Mahol
81c5b4ddcb jvdec: unbreak video decoding 
The safe bitstream reader broke it since the buffer size was specified
in bytes instead of bits.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
CC: libav-stable@libav.org
(cherry picked from commit a1c036e961)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
5ae49ddaa4 xxan: don't read before start of buffer in av_memcpy_backptr(). 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f1279e286b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
311361348d dsicinvideo: validate buffer offset before copying pixels. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c95fefa042)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
99536be9d4 huffyuv: add padding to classic (v1) huffman tables. 
We slightly overread the input buffer, so we require
padding at the end of the buffer, as is documented in the
get_bits API. Without padding, we'll read uninitialized
data or beyond the end of the .rodata, which may crash.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4ffe5e2aa5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Alex Converse
bbe316dfb4 tiffdec: Prevent illegal memory access caused by recycled pointers. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fd0be63049)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
b4a223fd19 wma: fix off-by-one in array bounds check. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b4bccf3e4e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
4924520513 raw: move buffer size check up. 
This way, it protects against overreads for 4bpp/2bpp content also.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cc5dd632ce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
f2e412d050 smacker: error out if palette copy-with-offset overruns palette size. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Ronald S. Bultje
6dfe865aed svq3: protect against negative quantizers. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 11b940a1a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
853ce33dbc mov: Add more HDV and XDCAM FourCCs. 
Reference: VLC
(cherry picked from commit b142496c56)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
5015ada0ec mov: Add support for MPEG2 HDV 720p24 (hdv4) 
(cherry picked from commit 0ad522afb3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
4be63587e1 h263dec: Disallow width/height changing with frame threads. 
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b)

Conflicts:

	libavcodec/h263dec.c

Signed-off-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
a642953b0f tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. 
TIFF v6.0 (unimplemented) adds signed equivalents.
(cherry picked from commit e32548d133)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
f5ce67d837 svq3: Prevent illegal reads while parsing extradata. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
b0888b8a48 dv: Fix small overread in audio frequency table. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Mans Rullgard
2c199cb253 ac3: Do not read past the end of ff_ac3_band_start_tab. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 034b03e7a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
00fa6ffe1a dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. 
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
44e182d41e dv: Fix null pointer dereference due to ach=0 
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
bb737d381f dv: check stype 
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
0100c4b1b0 nsvdec: Propagate errors 
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
be524c186b nsvdec: Be more careful with av_malloc(). 
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
65beb8c117 nsvdec: Fix use of uninitialized streams. 
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Fabian Greffrath
f375e19f37 Fix format string vulnerability detected by -Wformat-security. 
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit c9dbac36ad)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Ronald S. Bultje
54e947273c h264: fix mmxext chroma deblock to use correct TC values. (cherry picked from commit b0c4f04338) 
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Ronald S. Bultje
e3e05963c1 cscd: use negative error values to indicate decode_init() failures. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8a9faf33f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Ronald S. Bultje
bd37b95383 h264: prevent overreads in intra PCM decoding. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d1604b3de9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Justin Ruggles
58133bb010 wmaenc: fix m/s stereo encoding for the first frame 
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.

CC:libav-stable@libav.org
(cherry picked from commit 51ddf35c90)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Justin Ruggles
43e3e7764c wmaenc: limit allowed sample rate to 48kHz 
ff_wma_init() allows up to 50kHz, but this generates an exponent band
size table that requires 65 bands. The code assumes 25 bands in many
places, and using sample rates higher than 48kHz will lead to buffer
overwrites.

CC:libav-stable@libav.org
(cherry picked from commit 1ec075cfec)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Justin Ruggles
74bd46e82a wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE 
This is near the theoretical limit for wma frame size and is the most that
our decoder can handle. Allowing higher bit rates will just end up padding
each frame with empty bytes.

Fixes invalid writes for avconv when using very high bit rates.

CC:libav-stable@libav.org
(cherry picked from commit c2b8dea182)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Justin Ruggles
c932844882 wmaenc: require a large enough output buffer to prevent overwrites 
The maximum theoretical frame size is around 17000 bytes. Although in
practice it will generally be much smaller, we require a larger buffer
just to be safe.

CC: libav-stable@libav.org
(cherry picked from commit dfc4fdedf8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
433aaeb2f1 matroska: check buffer size for RM-style byte reordering. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c239f6026)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Alex Converse
88b47010c4 wmadec: Verify bitstream size makes sense before calling init_get_bits. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 48f1e5212c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Alex Converse
b56b7b9081 rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2f6528537f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
bd0d32d131 lcl: return negative error codes on decode_init() errors. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd17a40a7e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
d680295d0c huffyuv: do not abort on unknown pix_fmt; instead, return an error. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 63c9de6469)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00