Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 383c6a3a07b71981bd32d083496f5a4935f620f9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Under abnormal conditions the item_count may exceed the max
allocation size on 32-bit systems, this causes the allocated
size to overflow and become too small for the given count.
Additionally, if av_reallocp() fails its allocation, the
fragment_index_count is not correctly decremented.
Ensuring further havoc may be wrought, the error code for
read_tfra() is not checked upon return.
Found-by: Paul Mehta <paul@paulmehta.com>
positive return code and use of _array functions by commiter
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit db42d93a61be26873be6115c57f5921b4dfdec14)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array reads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such data streams (which then contain no other packets except the faulty one)
confuse some user applications, like VLC
Works around vlcticket 12389
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 68fa549230af35179df2a2af2bdb84ee6c825bed)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The RTP muxer enables the actual codepaths within sdp.c,
which depend on hevc.o since e5cfc8fd.
This fixes builds with --disable-everything --enable-muxer=rtp.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fccfc22d1f304aef42a0b960e4c1d55ce67107f5)
Without this ffversion.h could sometimes be built too late
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4ae87554f3c8bc54db572873f5049427a7e6cb31)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This simplifies identifying from which revision a binary of a lib came from
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 649c158e8c94ac0cff7f03e97d6ea8bbf71b7f02)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e
These should be redundant, but are backported for saftey anyway
The frame size must be set by the caller and each dimension must be a
multiple of 8.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 105654e376a736d243aef4a1d121abebce912e6b
These should be redundant, but are backported for saftey anyway
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aa8d12554868c32436750f881954193087219c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: case2_bad_read_yuv2rgbx32.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2a983ff7fe076ae93926eb33cfb44ca49183dacc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes: case1_call_stack_overflow.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit be9ce6e10a8d53b8bc346c9337d75a5a30631a2a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_stack-oob_32c12e5_2536_cov_2442316831_lena.xface
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 93a5a16f136d095d23610f57bdad10ba88120fba)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 91ea466551c148bd897706a1b6a168e783761a06)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 16d763fa45b95783c6770edc559769d9a83d6a10)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes an issue where the tests directory is not created for out of tree
builds before its needed
Tested-by: Dave Yeo <daveryeo@telus.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e631872f13b6be0583603d45a11e53319754bc8d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The error path frees all side data, but forgets to reset the side data
count. This can blow up later in av_frame_unref() and free_side_data().
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a400edbb6d00c0211de38e4f1b4f593681db91d8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3686
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a29524bf2e197dd8d582445de0fe17f03b79f79d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Suggested-by: Andrew Scherkus <scherkus@google.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1257659
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0fadbd3623cf9132832f48810c0edb93aa63f51b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This ensures that the CFLAGS and LDFLAGS are actually applied.
Fixes an incorrect change introduced with the clean-up in commit
cfcaf6b38e39ed6e788abb1a5a44f23660dce2f6.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 754f4957d7a7e5be0df0e9de1d31aebeecdc4476)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
