ffmpeg

Author	SHA1	Message	Date
Alex Converse	853ce33dbc	mov: Add more HDV and XDCAM FourCCs. Reference: VLC (cherry picked from commit `b142496c56`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	5015ada0ec	mov: Add support for MPEG2 HDV 720p24 (hdv4) (cherry picked from commit `0ad522afb3`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	4be63587e1	h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `71db86d53b`) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse <alex.converse@gmail.com> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	a642953b0f	tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. TIFF v6.0 (unimplemented) adds signed equivalents. (cherry picked from commit `e32548d133`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	f5ce67d837	svq3: Prevent illegal reads while parsing extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `9e1db721c4`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	b0888b8a48	dv: Fix small overread in audio frequency table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `0ab3687924`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Mans Rullgard	2c199cb253	ac3: Do not read past the end of ff_ac3_band_start_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `034b03e7a0`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	00fa6ffe1a	dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `2d1c0dea5f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	44e182d41e	dv: Fix null pointer dereference due to ach=0 dv: Fix null pointer dereference due to ach=0 Fixes part2 of CVE-2011-3929 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `5a396bb3a6`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	bb737d381f	dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `635bcfccd4`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	0100c4b1b0	nsvdec: Propagate errors Related to CVE-2011-3940. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `c898431ca5`) Conflicts: libavformat/nsvdec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Alex Converse	be524c186b	nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `8fd8a48263`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Michael Niedermayer	65beb8c117	nsvdec: Fix use of uninitialized streams. Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `5c011706bc`) Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `6a89b41d97`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Fabian Greffrath	f375e19f37	Fix format string vulnerability detected by -Wformat-security. Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit `c9dbac36ad`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Ronald S. Bultje	54e947273c	h264: fix mmxext chroma deblock to use correct TC values. (cherry picked from commit `b0c4f04338`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Ronald S. Bultje	e3e05963c1	cscd: use negative error values to indicate decode_init() failures. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `8a9faf33f2`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Ronald S. Bultje	bd37b95383	h264: prevent overreads in intra PCM decoding. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `d1604b3de9`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Justin Ruggles	58133bb010	wmaenc: fix m/s stereo encoding for the first frame We need to set ms_stereo in encode_init() in order to avoid incorrectly encoding the first frame as non-m/s while flagging it as m/s. Fixes an uncomfortable pop in the left channel at the start of playback. CC:libav-stable@libav.org (cherry picked from commit `51ddf35c90`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Justin Ruggles	43e3e7764c	wmaenc: limit allowed sample rate to 48kHz ff_wma_init() allows up to 50kHz, but this generates an exponent band size table that requires 65 bands. The code assumes 25 bands in many places, and using sample rates higher than 48kHz will lead to buffer overwrites. CC:libav-stable@libav.org (cherry picked from commit `1ec075cfec`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +02:00
Justin Ruggles	74bd46e82a	wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE This is near the theoretical limit for wma frame size and is the most that our decoder can handle. Allowing higher bit rates will just end up padding each frame with empty bytes. Fixes invalid writes for avconv when using very high bit rates. CC:libav-stable@libav.org (cherry picked from commit `c2b8dea182`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Justin Ruggles	c932844882	wmaenc: require a large enough output buffer to prevent overwrites The maximum theoretical frame size is around 17000 bytes. Although in practice it will generally be much smaller, we require a larger buffer just to be safe. CC: libav-stable@libav.org (cherry picked from commit `dfc4fdedf8`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	433aaeb2f1	matroska: check buffer size for RM-style byte reordering. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `9c239f6026`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Alex Converse	88b47010c4	wmadec: Verify bitstream size makes sense before calling init_get_bits. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `48f1e5212c`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Alex Converse	b56b7b9081	rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `2f6528537f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	bd0d32d131	lcl: return negative error codes on decode_init() errors. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `bd17a40a7e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	d680295d0c	huffyuv: do not abort on unknown pix_fmt; instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `63c9de6469`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	ced190c96c	vmnc: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `07a180972f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	e15d137ecf	rpza: error out on buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `78e9852a2e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	87a1169ab8	qtrle: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `e54ae60e46`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	4f64456a14	swscale: fix another integer overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `791de61bbb`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	f28ec73379	vp56: error out on invalid stream dimensions. Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `8bc396fc0e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	a2d5e741a8	asf: don't seek back on EOF. Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `bb6d5411e1`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	18caebca4c	asf: error out on ridiculously large minpktsize values. They cause various issues further down in demuxing. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `6e57a02b9f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	117b8b00cc	vorbis: fix overflows in floor1[] vector and inverse db table index. (cherry picked from commit `24947d4988`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Reinhard Tartler	a02da9ceaf	Fix parser not to clobber has_b_frames when extradata is set. Because in contrast to the decoder, the parser does not setup low_delay. The code in parse_nal_units would always end up setting has_b_frames to "1", except when stream is explicitly marked as low delay. Since the parser itself would create 'extradata', simply reopening the parser would cause this. This happens for instance in estimate_timings_from_pts(), which causes the parser to be reopened on the same stream. This fixes Libav #22 and FFmpeg (trac) #360 CC: libav-stable@libav.org Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de> (commit `31ac0ac29b`) Comments and description adapted by Reinhard Tartler. Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `790a367d9e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	811989e910	rm: prevent infinite loops for index parsing. Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `aac07a7a4c`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	678737c26b	fraps: release reference buffer on pix_fmt change. Prevents crash when trying to copy from a non-existing plane in e.g. a RGB32 reference image to a YUV420P target image Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `830f70442a`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	25784c0409	kgv1: release reference picture on size change. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `6c4c27adb6`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	d10c22d33c	lcl: error out if uncompressed input buffer is smaller than framesize. This prevents crashes when trying to read beyond the end of the buffer while decoding frame data. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `be129271ea`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Alex Converse	b1d9a80863	tiff: Prevent overreads in the type_sizes array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `447363870f`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	cd6c5e16c6	swf: check return values for av_get/new_packet(). Prevents crashers when using the packet if allocation failed. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `31632e73f4`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +02:00
Ronald S. Bultje	18b2f23ef8	truemotion2: error out if the huffman tree has no nodes. This prevents crashers and errors further down when reading nodes in the empty tree. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `2b83e8b700`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	33149928ed	mjpegb: don't return 0 at the end of frame decoding. Return 0 indicates "please return the same data again", i.e. it causes an infinite loop. Instead, return that we consumed the buffer if we finished decoding succesfully, or return an error if an error occurred. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `74699ac8c8`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	9a331217b0	asf: prevent packet_size_left from going negative if hdrlen > pktlen. This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `41afac7f7a`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	2380a3d37f	huffyuv: error out on bit overrun. On EOF, get_bits() will continuously return 0, causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `84c202cc37`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	4509129e9d	als: prevent infinite loop in zero_remaining(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `af468015d9`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	d031302e0e	cook: prevent div-by-zero if channels is zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `941fc1ea1e`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	0fe5321634	swscale: take first/lastline over/underflows into account for MMX. Fixes crashes for extremely large resizes (several 100-fold). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `1d8c4af396`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	b2b2dc61fa	swscale: fix overflows in filterPos[] calculation for large sizes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `19a65b5be4`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00
Ronald S. Bultje	ce99c1bfb5	swscale: enforce a minimum filtersize. At very small dimensions, this calculation could lead to zero-sized filters, which leads to uninitialized output, zero-sized allocations, loop overflows in SIMD that uses do{..}while(i++<filtersize); instead of for(i=0;i<filtersize;i++){..} and several other similar failures. Therefore, require a minimum filtersize of 1. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `dae2ce361a`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +02:00

... 2 3 4 5 6 ...

29555 Commits