Update VERSION for 0.6.3

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

.gitignore

@@ -0,0 +1,45 @@
+.config
+.version
+*.o
+*.d
+*.exe
+*.ho
+*-example
+*-test
+*_g
+config.*
+doc/*.1
+doc/*.html
+doc/*.pod
+doxy
+ffmpeg
+ffplay
+ffprobe
+ffserver
+libavcodec/libavcodec*
+libavcore/libavcore*
+libavdevice/libavdevice*
+libavfilter/libavfilter*
+libavformat/libavformat*
+libavutil/avconfig.h
+libavutil/libavutil*
+libpostproc/libpostproc*
+libswscale/libswscale*
+tests/audiogen
+tests/base64
+tests/data
+tests/rotozoom
+tests/seek_test
+tests/tiny_psnr
+tests/videogen
+tests/vsynth1
+tests/vsynth2
+tools/cws2fws
+tools/graph2dot
+tools/lavfi-showfiltfmts
+tools/pktdumper
+tools/probetest
+tools/qt-faststart
+tools/trasher
+tools/trasher*.d
+version.h

Changelog

@@ -1,13 +1,26 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 0.6.3:
+- AMV: Fix possibly exploitable crash.
+- Fix apparently exploitable race condition.
+
+
+version 0.6.2:
+
+- fix compilation with --enable-hardcoded-tables
+- Fix invalid reads in VC-1 decoding (related to CVE-2011-0723)
+- Do not attempt to decode APE file with no frames
+  (adresses http://packetstorm.linuxsecurity.com/1103-exploits/vlc105-dos.txt)
+
+
 version 0.6.1:
 
 - fix autodetection of E-AC-3 substream samples
-- performance fix for seekable http
-- Backport AAC-HE v2 from trunk
-- Add missing VP80 fourcc code for the VP8 codec
-- smaller documentation fixes
+- performance fix for seekable HTTP
+- backport AAC-HE v2 from trunk
+- add missing VP80 fourcc code for the VP8 codec
+- small documentation fixes
 - fix several potentially exploitable issues in the FLIC decoder
   (addresses CVE-2010-3429)
 
@@ -18,7 +31,7 @@ version 0.6:
 - deprecated vhook subsystem removed
 - deprecated old scaler removed
 - VQF demuxer
-- Alpha channel scaler
+- alpha channel scaler
 - PCX encoder
 - RTP packetization of H.263
 - RTP packetization of AMR

RELEASE

@@ -6,7 +6,7 @@ Release Notes
 General notes
 -------------
 
-This release features a lot of improvements that are relevant for HTML5 video.
+This release focuses on improvements for the new multimedia elements in HTML5.
 The H.264 and Theora decoders are now significantly faster, the Vorbis decoder
 has seen important updates and this release supports Google's newly released
 libvpx library for the VP8 codec and WebM container.
@@ -101,19 +101,17 @@ Notable license related changes
 General notes
 -------------
 
-This point release includes some minor updates to make the 0.6 release series
-usable for users that need to retain the existing behavior as closely as
-possible. The changes follow below:
+This point release includes some updates to make the 0.6 release series usable
+for users that need to retain the existing behavior as closely as possible.
+The changes follow below:
 
-General Bugfixes
-----------------
-
-Included are some general, minor bugfixes:
+Bugfixes
+--------
 
 - fix autodetection of E-AC-3 substream samples
-- performance fix for seekable http
-- Add missing VP80 fourcc code for the VP8 codec
-- smaller documentation fixes
+- performance fix for seekable HTTP
+- add missing VP80 fourcc code for the VP8 codec
+- small documentation fixes
 - fix several potentially exploitable issues in the FLIC decoder
   (addresses CVE-2010-3429)
 
@@ -121,5 +119,28 @@ Included are some general, minor bugfixes:
 HE-AAC v2 backport
 ------------------
 
-This release includes a backport of the AAC decoder from trunk. This
+This release includes a backport of the AAC decoder from trunk, which
 enables proper playback of HE-AAC v2 media.
+
+
+* 0.6.2
+
+General notes
+-------------
+
+This is a maintenance-only release that addresses a small number of security
+and portability issues. Distributors and system integrators are encouraged
+to update and share their patches against this branch.
+
+Security fixes
+--------------
+
+Programming errors in container and codec implementations may lead to
+denial of service or the execution of arbitrary code if the user is
+tricked into opening a malformed media file or stream.
+
+Affected and updated have been the implementations of the following
+codecs and container formats:
+
+ - VC1 decoder (Change related to CVE-2011-0723)
+ - APE decoder (cf. http://packetstorm.linuxsecurity.com/1103-exploits/vlc105-dos.txt)

VERSION

@@ -1 +1 @@
-0.6.1
+0.6.3

configure

@@ -2206,7 +2206,7 @@ case $target_os in
         LIBTARGET=i386
         if enabled x86_64; then
             enable malloc_aligned
-            LIBTARGET=x64
+            LIBTARGET="i386:x86-64"
         elif enabled arm; then
             LIBTARGET=arm
         fi
@@ -2216,7 +2216,7 @@ case $target_os in
         SLIBSUF=".dll"
         SLIBNAME_WITH_VERSION='$(SLIBPREF)$(FULLNAME)-$(LIBVERSION)$(SLIBSUF)'
         SLIBNAME_WITH_MAJOR='$(SLIBPREF)$(FULLNAME)-$(LIBMAJOR)$(SLIBSUF)'
-        SLIB_EXTRA_CMD='-lib.exe /machine:$(LIBTARGET) /def:$$(@:$(SLIBSUF)=.def) /out:$(SUBDIR)$(SLIBNAME_WITH_MAJOR:$(SLIBSUF)=.lib)'
+        SLIB_EXTRA_CMD=-'$(DLLTOOL) -m $(LIBTARGET) -d $$(@:$(SLIBSUF)=.def) -l $(SUBDIR)$(SLIBNAME_WITH_MAJOR:$(SLIBSUF)=.lib) -D $(SLIBNAME_WITH_MAJOR)'
         SLIB_INSTALL_EXTRA_CMD='-install -m 644 $(SUBDIR)$(SLIBNAME_WITH_MAJOR:$(SLIBSUF)=.lib) "$(SHLIBDIR)/$(SLIBNAME:$(SLIBSUF)=.lib)"; \
             install -m 644 $(SUBDIR)$(SLIBNAME_WITH_MAJOR:$(SLIBSUF)=.lib) "$(SHLIBDIR)/$(SLIBNAME_WITH_MAJOR:$(SLIBSUF)=.lib)"; \
             install -d "$(LIBDIR)"; \
@@ -2224,6 +2224,7 @@ case $target_os in
         SLIB_UNINSTALL_EXTRA_CMD='rm -f "$(SHLIBDIR)/$(SLIBNAME:$(SLIBSUF)=.lib)"'
         SHFLAGS='-shared -Wl,--output-def,$$(@:$(SLIBSUF)=.def) -Wl,--out-implib,$(SUBDIR)lib$(SLIBNAME:$(SLIBSUF)=.dll.a) -Wl,--enable-runtime-pseudo-reloc -Wl,--enable-auto-image-base'
         objformat="win32"
+        dlltool="${cross_prefix}dlltool"
         enable dos_paths
         check_cflags -fno-common
         if ! enabled x86_64; then
@@ -3002,6 +3003,7 @@ CPPFLAGS=$CPPFLAGS
 CFLAGS=$CFLAGS
 ASFLAGS=$ASFLAGS
 CC_O=$CC_O
+DLLTOOL=$dlltool
 LDFLAGS=$LDFLAGS
 FFSERVERLDFLAGS=$FFSERVERLDFLAGS
 SHFLAGS=$SHFLAGS

libavcodec/Makefile

@@ -645,7 +645,9 @@ $(SUBDIR)%_tables.h: $(SUBDIR)%_tablegen$(HOSTEXESUF)
 	$(M)./$< > $@
 
 ifdef CONFIG_HARDCODED_TABLES
-$(SUBDIR)aac.o: $(SUBDIR)cbrt_tables.h
+$(SUBDIR)aacdec.o: $(SUBDIR)cbrt_tables.h
+$(SUBDIR)aacps.o: $(SUBDIR)aacps_tables.h
+$(SUBDIR)aactab.o: $(SUBDIR)aac_tables.h
 $(SUBDIR)dv.o: $(SUBDIR)dv_tables.h
 $(SUBDIR)mdct.o: $(SUBDIR)mdct_tables.h
 $(SUBDIR)mpegaudiodec.o: $(SUBDIR)mpegaudio_tables.h

libavcodec/sp5xdec.c

@@ -90,7 +90,6 @@ static int sp5x_decode_frame(AVCodecContext *avctx,
     recoded[j++] = 0xFF;
     recoded[j++] = 0xD9;
 
-    avctx->flags &= ~CODEC_FLAG_EMU_EDGE;
     av_init_packet(&avpkt_recoded);
     avpkt_recoded.data = recoded;
     avpkt_recoded.size = j;
@@ -216,6 +215,6 @@ AVCodec amv_decoder = {
     NULL,
     ff_mjpeg_decode_end,
     sp5x_decode_frame,
-    CODEC_CAP_DR1,
+    0,
     .long_name = NULL_IF_CONFIG_SMALL("AMV Video"),
 };

libavcodec/tableprint.c

@@ -33,6 +33,7 @@ WRITE_1D_FUNC(float,  float,    "%.18e", 3)
 WRITE_2D_FUNC(int8,   int8_t)
 WRITE_2D_FUNC(uint8,  uint8_t)
 WRITE_2D_FUNC(uint32, uint32_t)
+WRITE_2D_FUNC(float,  float)
 
 void write_fileheader(void) {
     printf("/* This file was generated by libavcodec/tableprint */\n");

libavcodec/tableprint.h

@@ -66,6 +66,7 @@ void write_float_array    (const float    *, int);
 void write_int8_2d_array  (const void *, int, int);
 void write_uint8_2d_array (const void *, int, int);
 void write_uint32_2d_array(const void *, int, int);
+void write_float_2d_array (const void *, int, int);
 /** \} */ // end of printfuncs group
 
 /** Write a standard file header */

libavcodec/vc1dec.c

@@ -1365,7 +1365,7 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int *value,
     if (index != vc1_ac_sizes[codingset] - 1) {
         run = vc1_index_decode_table[codingset][index][0];
         level = vc1_index_decode_table[codingset][index][1];
-        lst = index >= vc1_last_decode_table[codingset];
+        lst = index >= vc1_last_decode_table[codingset] || get_bits_left(gb) < 0;
         if(get_bits1(gb))
             level = -level;
     } else {

libavcodec/vorbis_dec.c

@@ -61,8 +61,8 @@ typedef struct vorbis_floor0_s vorbis_floor0;
 typedef struct vorbis_floor1_s vorbis_floor1;
 struct vorbis_context_s;
 typedef
-uint_fast8_t (* vorbis_floor_decode_func)
-             (struct vorbis_context_s *, vorbis_floor_data *, float *);
+int (* vorbis_floor_decode_func)
+    (struct vorbis_context_s *, vorbis_floor_data *, float *);
 typedef struct {
     uint_fast8_t floor_type;
     vorbis_floor_decode_func decode;
@@ -453,11 +453,11 @@ static int vorbis_parse_setup_hdr_tdtransforms(vorbis_context *vc)
 
 // Process floors part
 
-static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc,
-                                         vorbis_floor_data *vfu, float *vec);
+static int vorbis_floor0_decode(vorbis_context *vc,
+                                vorbis_floor_data *vfu, float *vec);
 static void create_map(vorbis_context *vc, uint_fast8_t floor_number);
-static uint_fast8_t vorbis_floor1_decode(vorbis_context *vc,
-                                         vorbis_floor_data *vfu, float *vec);
+static int vorbis_floor1_decode(vorbis_context *vc,
+                                vorbis_floor_data *vfu, float *vec);
 static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
 {
     GetBitContext *gb = &vc->gb;
@@ -477,6 +477,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
         if (floor_setup->floor_type == 1) {
             uint_fast8_t  maximum_class = 0;
             uint_fast8_t  rangebits;
+            uint_fast32_t rangemax;
             uint_fast16_t floor1_values = 2;
 
             floor_setup->decode = vorbis_floor1_decode;
@@ -530,8 +531,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
 
 
             rangebits = get_bits(gb, 4);
+            rangemax = (1 << rangebits);
+            if (rangemax > vc->blocksize[1] / 2) {
+                av_log(vc->avccontext, AV_LOG_ERROR,
+                       "Floor value is too large for blocksize: %d (%d)\n",
+                       rangemax, vc->blocksize[1] / 2);
+                return -1;
+            }
             floor_setup->data.t1.list[0].x = 0;
-            floor_setup->data.t1.list[1].x = (1 << rangebits);
+            floor_setup->data.t1.list[1].x = rangemax;
 
             for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
                 for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
@@ -1002,8 +1010,8 @@ static av_cold int vorbis_decode_init(AVCodecContext *avccontext)
 
 // Read and decode floor
 
-static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc,
-                                         vorbis_floor_data *vfu, float *vec)
+static int vorbis_floor0_decode(vorbis_context *vc,
+                                vorbis_floor_data *vfu, float *vec)
 {
     vorbis_floor0 *vf = &vfu->t0;
     float *lsp = vf->lsp;
@@ -1027,6 +1035,9 @@ static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc,
         }
         AV_DEBUG("floor0 dec: booknumber: %u\n", book_idx);
         codebook = vc->codebooks[vf->book_list[book_idx]];
+        /* Invalid codebook! */
+        if (!codebook.codevectors)
+            return -1;
 
         while (lsp_len<vf->order) {
             int vec_off;
@@ -1112,8 +1123,8 @@ static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc,
     return 0;
 }
 
-static uint_fast8_t vorbis_floor1_decode(vorbis_context *vc,
-                                         vorbis_floor_data *vfu, float *vec)
+static int vorbis_floor1_decode(vorbis_context *vc,
+                                vorbis_floor_data *vfu, float *vec)
 {
     vorbis_floor1 *vf = &vfu->t1;
     GetBitContext *gb = &vc->gb;
@@ -1490,13 +1501,20 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
 
     for (i = 0; i < vc->audio_channels; ++i) {
         vorbis_floor *floor;
+        int ret;
         if (mapping->submaps > 1) {
             floor = &vc->floors[mapping->submap_floor[mapping->mux[i]]];
         } else {
             floor = &vc->floors[mapping->submap_floor[0]];
         }
 
-        no_residue[i] = floor->decode(vc, &floor->data, ch_floor_ptr);
+        ret = floor->decode(vc, &floor->data, ch_floor_ptr);
+
+        if (ret < 0) {
+            av_log(vc->avccontext, AV_LOG_ERROR, "Invalid codebook in vorbis_floor_decode.\n");
+            return -1;
+        }
+        no_residue[i] = ret;
         ch_floor_ptr += blocksize / 2;
     }
 

libavformat/ape.c

@@ -242,6 +242,10 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
             url_fskip(pb, ape->wavheaderlength);
     }
 
+    if(!ape->totalframes){
+        av_log(s, AV_LOG_ERROR, "No frames in the file!\n");
+        return AVERROR(EINVAL);
+    }
     if(ape->totalframes > UINT_MAX / sizeof(APEFrame)){
         av_log(s, AV_LOG_ERROR, "Too many frames: %d\n", ape->totalframes);
         return -1;

libavutil/log.c

@@ -59,7 +59,8 @@ void av_log_default_callback(void* ptr, int level, const char* fmt, va_list vl)
 {
     static int print_prefix=1;
     static int count;
-    static char line[1024], prev[1024];
+    static char prev[1024];
+    char line[1024];
     static const uint8_t color[]={0x41,0x41,0x11,0x03,9,9,9};
     AVClass* avc= ptr ? *(AVClass**)ptr : NULL;
     if(level>av_log_level)