Fixes: out of array accesses
Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV
Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856
Found-by: ClusterFuzz
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This reduces the attack surface of local file-system
information leaking.
It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.
Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.
The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.
Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel
This recommits the security fix without the author name joke which was
originally requested by Nicolas.
Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The loglevel is choosen so that the main filename and any images of
multi image sequences are shown only at debug level to avoid
clutter.
This makes exploits in playlists more visible. As they would show
accesses to private/sensitive files
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53e0d5d7247548743e13c59c35e59fc2161e9582)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This prevents part of one exploit leading to an information leak
Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found-by: Roger Scott <rscott@grammatech.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1a36354698fc0453ba4d337786d2cb4d3e374cfb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes integer overflow and out of array access
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It should not be a value larger than the number of streams we have,
or it will cause invalid reads and/or SIGSEGV.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ec07efa70012845e8642df67a4a773f510a17088)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This seems to be non-optional, and if the muxer is run without it,
strlen() is run on NULL, causing a segfault.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cbd3a68f3e1c2d1679370301eb5e1a32a2df64fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9eff4b0d2b5013e1ede86cf1a152dce164217d52)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes use of uninitialized data
Found-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 170d864d2c508ca8111b1d108e1e964007dab712)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This avoids an integer overflow
the solution matches oggparsevorbis.c and 45581ed15d2ad5955e24d809820c1675da68f500
Fixes: 700242
Found-by: Thomas Guilbert <tguilbert@google.com>
Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 679a315424e6ffaafd21ebf7a86108bd4e743793)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reported-by: SleepProgger <security@gnutp.com>
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8fa18e042ad2c078f759692f1db5629d16d70595)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (senc,saiz portions)
Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 36aba43bd5fae8595dd9a566fbcfbbea63f0fca3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (udta_string portion)
Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9bbdf5d921ef57e1698f64981e4ea04db7c56fb5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 874eb012f75bc18bb6d79ad4bc0912afa21751f3)
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation
(cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths
(cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.
The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).
Now using INT64_MIN to denote "no reference".
Reported to chromium at http://crbug.com/497889 (contains sample)
(cherry picked from commit ac25840ee32888f0c13118edeb9404a123cd3a79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Return AVERROR_INVALIDDATA if all four bytes aren't present.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.
Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1bdc4126955cae7f385208e455685986)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
Reference https://crbug.com/666874.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab87df9a47cd31bfcae9acd84c04705a149dfc14)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files
Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This allows user apps to stop OOM due to excessive number of streams
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: part of 670190.ogg
Fixes integer overflow
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes out of array access
Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow
Fixes undefined behavior
Fixes: 635422.ogg
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a06e84b56e936ff3ca090f53d81f9cbc3514e0e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: _ij.mp3
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d88a6bedb9bc51eff35578a0b08d1088ee53bcda)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Otherwise the codec context and codecpar might disagree on the codec id,
triggering asserts in av_parser_parse2.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 98b3a7979f2ff64cacfba4d8925faa28fc657c51)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes division by zero crashes.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit de4ded06366e5767d0af277a61d9a56b8c8f9c19)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Metadata streams have priv_data set to NULL.
Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1c7da19a4b45f5623cb3955b29b9a581026e3c61)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This prevents a division by zero in read_packet.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.
Also make sure that image->size is positive, so that it can't match a
negative error code.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d54c95a1435a8a3fcd599108ec85b7f56a0fcbf9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
