Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes#1368.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such files are currently not supported as the table is used at several points
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1362
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes ticket1360
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1359
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update RELEASE file for 0.7.6
Update changelog for 0.7.6 release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
x86: fix build with gcc 4.7
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
aacsbr: prevent out of bounds memcpy().
rtpdec_asf: Fix integer underflow that could allow remote code execution
dpcm: ignore extra unpaired bytes in stereo streams.
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
adpcm: ADPCM Electronic Arts has always two channels
h263dec: Disallow width/height changing with frame threads.
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
Conflicts:
Changelog
RELEASE
libavcodec/aacsbr.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
libavformat/rtpdec_asf.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The upcoming gcc 4.7 has more advanced constant propagation
resulting some inline asm operands becoming constants and thus
emitted as literals, sometimes in contexts where this results
in invalid instructions.
This patch changes the constraints of the relevant operands
to "rm" thus forcing a valid type. While obviously suboptimal,
this is what older gcc versions already did, and there is no
change to the code generated with these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit da4c7cce2100a4e4f9276b4f17e260be47b53f41)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
(cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes Libav Bug 195.
Fixes CVE-2012-0850
This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.
Based on change by Michael Niedermayer.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes a crash when FF_DEBUG_PICT_INFO is used.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)
Fixes: CVE-2012-0851
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashes because the old check was incomplete.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fe4c8cb761b0fc8685dacf9f187311b9d124a52)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes Ticket1109
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1068
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes an AAC decoding issue with the sample from ticket #213 on machines
with SSE but without SSE2.
Based on 89411a by Reimar.
(cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928)
* qatar/release/0.7: (84 commits)
id3v2: fix skipping extended header in id3v2.4
Update RELEASE file for 0.7.5
lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
kgv1dec: Increase offsets array size so it is large enough.
kgv1: use avctx->get/release_buffer().
kvmc: fix invalid reads
nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
mjpegbdec: Fix overflow in SOS.
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
atrac3: Fix crash in tonal component decoding.
ws_snd1: Fix wrong samples count and crash.
ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4)
ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
h264: stricter reference limit enforcement.
jvdec: unbreak video decoding
xxan: don't read before start of buffer in av_memcpy_backptr().
dsicinvideo: validate buffer offset before copying pixels.
huffyuv: add padding to classic (v1) huffman tables.
...
Conflicts:
RELEASE
libavcodec/atrac3.c
libavcodec/h264.c
libavcodec/h264_parser.c
libavcodec/kgv1dec.c
libavcodec/shorten.c
libavcodec/svq3.c
libavcodec/ws-snd1.c
libavcodec/xxan.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
While bogus, this change avoids the necessity to backport
AVERROR_UNKNOWN, which is not entirely trivial.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d47585cef28cd8191dccf0607d90c7667a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9ccece290c5881b92948772bbf72e68c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
