Michael Niedermayer
334901aea0
avcodec/get_bits: Fix get_sbits_long(0)
...
Fixes undefined behavior
Fixes: 640889-media
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c72fa43234)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
bbe9a4b542
avformat/ffmdec: Check media type for chunks
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
a772aaf5dc
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
...
Fixes undefined behavior
Fixes: 640912-media
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83a75bf6c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
c39e8d05f5
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
...
Fixes: left shift of negative value
Fixes: 668346-media
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acc163c6ab)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
a0715c1e89
avformat/oggparsespeex: Check frames_per_packet and packet_size
...
The speex specification does not seem to restrict these values, thus
the limits were chosen so as to avoid multiplicative overflow
Fixes undefined behavior
Fixes: 635422.ogg
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
a0ed412f38
avformat/utils: Check start/end before computing duration in update_stream_timings()
...
Fixes undefined behavior
Fixes: 637428.ogg
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
2fb7eb05dc
avcodec/flac_parser: Update nb_headers_buffered
...
Fixes infinite loop
Fixes: fuzz.flac
Found-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2475858889)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
8e4f737d2f
avformat/idroqdec: Check chunk_size for being too large
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
2d51cb1d0a
avcodec/me_cmp: Fix median_sad size
...
Fixes out of array read
Fixes: COV1396255
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d9883ded34)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
Michael Niedermayer
c165bad0c0
avformat/utils: Fix type mismatch
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a06e84b56e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-06 00:07:50 +01:00
James Almer
16aa8c8146
configure: check for strtoull on msvc
...
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b52d3574d4)
2016-12-05 19:20:59 -03:00
Ronald S. Bultje
e5be73e178
http: move chunk handling from http_read_stream() to http_buf_read().
...
(cherry picked from commit 845bb40178)
2016-12-05 16:20:12 -05:00
Ronald S. Bultje
0e0a413725
http: make length/offset-related variables unsigned.
...
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.
(cherry picked from commit 2a05c8f813)
2016-12-05 16:20:12 -05:00
James Almer
c269c43a83
avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC
...
Fixes ticket #5973
Reviewed-by: Hendrik Leppkes <h.leppkes@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 6e1902bab4)
n3.2.1
2016-11-25 18:51:00 -03:00
Andreas Cadhalpun
6f3e3cb8ba
Update Changelog
...
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:23:39 +01:00
Andreas Cadhalpun
d147114b9d
mss2: only use error correction for matching block counts
...
This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2566ad98b0)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:22:19 +01:00
Andreas Cadhalpun
ad82036626
softfloat: decrease MIN_EXP to cover full float range
...
floats are not necessarily normalized, so a normalized softfloat needs
MIN_EXP lowered by 23 to cover that range.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2d6f46d801)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:22:15 +01:00
Andreas Cadhalpun
a6a2d9d1e5
libopusdec: default to stereo for invalid number of channels
...
This fixes an out-of-bounds read if avc->channels is 0.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8c8f543b81)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:22:11 +01:00
Andreas Cadhalpun
6ad2773142
flvdec: require need_context_update when changing codec id
...
Otherwise the codec context and codecpar might disagree on the codec id,
triggering asserts in av_parser_parse2.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 98b3a7979f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:22:07 +01:00
Andreas Cadhalpun
1dc59aaf61
pgssubdec: only set w/h/linesize when allocating data
...
Rects with positive w/h/linesize but no data are invalid.
Reviewed-by: Petri Hintukainen <phintuka@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 995512328e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:21:52 +01:00
Andreas Cadhalpun
9aaddbf0ef
sbgdec: prevent NULL pointer access
...
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:21:48 +01:00
Andreas Cadhalpun
e00fec907f
rmdec: validate block alignment
...
This fixes division by zero crashes.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit de4ded0636)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:21:44 +01:00
Andreas Cadhalpun
d8364f4e1d
smacker: limit recursion depth of smacker_decode_bigtree
...
This fixes segmentation faults due to stack-overflow caused by too deep
recursion.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 946ecd19ea)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:21:39 +01:00
Andreas Cadhalpun
7d0cc12a56
mxfdec: fix NULL pointer dereference in mxf_read_packet_old
...
Metadata streams have priv_data set to NULL.
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:21:33 +01:00
Andreas Cadhalpun
de031809f3
ffmdec: validate codec parameters
...
A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1c7da19a4b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-25 22:21:14 +01:00
Michael Niedermayer
6550d0580b
Update for 3.2.1
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-11-25 21:27:40 +01:00
Michael Niedermayer
dff4f58107
avformat/mpeg: Adjust vid probe threshold to correct mis-detection
...
Fixes: _ij.mp3
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a230)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-11-23 20:29:31 +01:00
Michael Niedermayer
e9f3cc7fc7
avcodec/ass_split: Change order of operations in ass_split_section()
...
This matches the other branch
Fixes out of array read
Fixes: 4d142ca76d39fe685effcf5017098723/asan_heap-oob_31ae824_8611_348fdb64f9009b63c8a8eae9a0e497c5.mkv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae514b1254)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-11-23 20:29:31 +01:00
James Almer
ee56777379
avcodec/rawdec: check for side data before checking its size
...
Fixes valgrind warnings about usage of uninitialized values.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51e329918d)
2016-11-19 23:50:37 -03:00
James Almer
3bd7ad58a7
avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()
...
If realloc fails, the pointer is overwritten and the previously allocated
buffer is leaked, which goes against the expected behavior of keeping the
packet unchanged in case of error.
Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 574929d8b6)
2016-11-19 20:24:54 -03:00
James Almer
f97bee9ad5
avformat/apngenc: use the stream parameters extradata if available
...
Fixes remuxing apng streams coming from the apng demuxer, which sends extradata
during init.
Signed-off-by: James Almer <jamrial@gmail.com>
2016-11-18 12:33:31 -03:00
James Almer
cf655d1643
Revert "apngdec: use side data to pass extradata to the decoder"
...
This reverts commit e0c6b32046.
Said commit changed the behavior of the demuxer and decoder in a non
backwards compatible way.
Demuxers should make extradata available at init if possible, and send
new extradata as side data within a packet if needed.
A better fix for the remuxing crash will follow.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16c429166d)
2016-11-18 12:33:21 -03:00
Stefano Sabatini
31c9c7ad82
ffprobe: fix crash in case -of is specified with an empty string
...
Fix trac issue #5957.
(cherry picked from commit 427a47abcd)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:51:21 +01:00
Martin Vignali
08f26d99b5
libavcodec/exr : fix channel size calculation for uint32 channel
...
uint32 needs 4 bytes, not 1.
Fix decoding when there is half/float and uint32 channel.
This fixes crashes due to pointer corruption caused by invalid writes.
The problem was introduced in commit 03152e74df.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 52da3f6f70)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:37:05 +01:00
Andreas Cadhalpun
c7d38efbc2
exr: fix out-of-bounds read
...
channel_index can be -1.
This problem was introduced in commit 2dd7b46132.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ffdc5d09e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:19:01 +01:00
Andreas Cadhalpun
cbc9d46066
libschroedingerdec: fix leaking of framewithpts
...
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3c0328d58d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:18:56 +01:00
Andreas Cadhalpun
2b863d4e9b
libschroedingerdec: don't produce empty frames
...
They are not valid and can cause problems/crashes for API users.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a86ebbf7f6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:18:53 +01:00
Andreas Cadhalpun
598016b85f
dds: limit 4 bpp handling to AV_PIX_FMT_PAL8
...
This fixes NULL pointer dereferencing for formats, where frame->data[1]
is not allocated.
The problem was introduced in commit 257fbc3af4.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 90ebf3c428)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:18:48 +01:00
Andreas Cadhalpun
a2c7840a6b
mlz: limit next_code to data buffer size
...
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1abcd972c4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:18:42 +01:00
Andreas Cadhalpun
c8f5154fc1
softfloat: handle -INT_MAX correctly
...
This is similar to commit 9ac61e73d0.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0edd569466)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:18:35 +01:00
Andreas Cadhalpun
b526958ca4
filmstripdec: correctly check image dimensions
...
This prevents a division by zero in read_packet.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c5644)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:18:29 +01:00
Andreas Cadhalpun
039a3e6db8
pnmdec: make sure v is capped by maxval
...
Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit cdb5479c9d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:17:58 +01:00
Andreas Cadhalpun
d8affeea82
smvjpegdec: make sure cur_frame is not negative
...
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 360bc0d90a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:17:20 +01:00
Andreas Cadhalpun
1615d83dcf
icodec: correctly check avio_read return value
...
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.
Also make sure that image->size is positive, so that it can't match a
negative error code.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:16:48 +01:00
Andreas Cadhalpun
41359d381a
icodec: fix leaking pkt on error
...
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1be)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:16:43 +01:00
Andreas Cadhalpun
581cce0cca
dvbsubdec: fix division by zero in compute_default_clut
...
This problem was introduced in commit 4b90dcb849.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c82b8ef0e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:15:52 +01:00
Andreas Cadhalpun
1ed4b52732
proresdec_lgpl: explicitly check coff[3] against slice_data_size
...
The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.
This fixes segmentation faults due to invalid reads.
This problem was introduced in commit 547c2f002a.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e33035ee7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:15:47 +01:00
Andreas Cadhalpun
72a2d6ff56
escape124: reject codebook size 0
...
It causes a cb_depth of 32, leading to assertion failures in get_bits.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 226d35c845)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:15:42 +01:00
Andreas Cadhalpun
9dee25fbc7
mpegts: prevent division by zero
...
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:15:07 +01:00
Andreas Cadhalpun
fa24e3780b
matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
...
The code assumes that s->streams[0] is valid.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-17 23:14:52 +01:00