chacha/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
31,900 Commits 36 Branches 386 Tags
2a1bebfc83db072cb2c984e4cebb4dd261f9d51f
Commit Graph

8092 Commits

Author SHA1 Message Date
Carl Eugen Hoyos
2a1bebfc83 Autodetect idcin only if audio properties allow decoding. 
Fixes ticket #2688.
(cherry picked from commit 06bede95fc)
 2013-06-19 23:50:09 +02:00
Paul B Mahol
537c173853 smacker: fix off by one error 
Regression since a93b572ae4.

Fixes #2426.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit e3cc92a623)
 2013-04-03 15:17:54 +02:00
Xi Wang
b59ee5dcf1 rtmp: fix buffer overflows in ff_amf_tag_contents() 
A negative `size' will bypass FFMIN().  In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.

Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2013-01-23 05:55:20 +01:00
Xi Wang
e163d884ef rtmp: fix multiple broken overflow checks 
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C.  Many compilers such as gcc/clang optimize such
checks away.

Use `size < 0 || size >= data_end - data' instead.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 902cfe2f74)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2013-01-23 05:55:19 +01:00
Michael Niedermayer
685321e4bd Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 
* qatar/release/0.7:
  h264: check ref_count validity for num_ref_idx_active_override_flag
  h264: check context state before decoding slice data partitions
  oggdec: free the ogg streams on read_header failure
  oggdec: check memory allocation
  Fix uninitialized reads on malformed ogg files.
  rtsp: Recheck the reordering queue if getting a new packet
  alacdec: do not be too strict about the extradata size
  h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
  h264: check sps.log2_max_frame_num for validity
  ppc: always use pic for shared libraries
  h264: enable low delay only if no delayed frames were seen
  lavf: avoid integer overflow in ff_compute_frame_duration()

Conflicts:
	libavformat/oggdec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2013-01-17 03:16:46 +01:00
Michael Niedermayer
3f1a58db6f Merge commit 'b143844ea0f6246e0d5a938d743e2e8a98453bec' into release/0.8 
* commit 'b143844ea0f6246e0d5a938d743e2e8a98453bec': (22 commits)
  aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
  vp6: properly fail on unsupported feature
  h264: Fix parameters to ff_er_add_slice() call
  flacenc: ensure the order is within the min/max range in LPC order search
  yuv4mpeg: reject unsupported codecs
  vp8: reset loopfilter delta values at keyframes.
  vp56: release frames on error
  vp56: make parse_header return standard error codes
  ivi_common: check that scan pattern is set before using it.
  Update RELEASE file for 0.7.7
  tiffenc: Check av_malloc() results.
  mpegaudiodec: fix short_start calculation
  h264: avoid stuck buffer pointer in decode_nal_units
  yuv4mpeg: return proper error codes.
  smacker audio: sign-extend the initial 16-bit predicted value
  vf_pad: don't give up its own reference to the output buffer.
  avidec: return 0, not packet size from read_packet().
  wmapro: prevent division by zero when sample rate is unspecified
  alsdec: fix number of decoded samples in first sub-block in BGMC mode.
  alsdec: remove dead assignments
  ...

Conflicts:
	RELEASE
	libavformat/avidec.c
	libavformat/yuv4mpeg.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2013-01-17 03:03:39 +01:00
Michael Niedermayer
597d709eb4 Merge commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb' into release/0.8 
* commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb': (22 commits)
  alsdec: Check k used for rice decoder.
  cavsdec: check for changing w/h.
  avidec: use actually read size instead of requested size
  wmaprodec: check num_vec_coeffs for validity
  lagarith: check count before writing zeros.
  indeo5: check tile size in decode_mb_info().
  indeo5: prevent null pointer dereference on broken files
  indeo: check for invalid motion vectors
  indeo: clear allocated band buffers
  indeo: check custom Huffman tables for errors
  dfa: add some checks to ensure that decoder won't write past frame end
  dfa: check that the caller set width/height properly.
  bytestream: add a new set of bytestream functions with overread checking
  avsdec: Set dimensions instead of relying on the demuxer.
  lavfi: avfilter_merge_formats: handle case where inputs are same
  rv34: use AVERROR return values in ff_rv34_decode_frame()
  h263: Add ff_ prefix to nonstatic symbols
  eval: fix swapping of lt() and lte()
  bmpdec: only initialize palette for pal8.
  vc1dec: add flush function for WMV9 and VC-1 decoders
  ...

Conflicts:
	libavcodec/avs.c
	libavcodec/mpegvideo_enc.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2013-01-17 02:56:12 +01:00
Reinhard Tartler
3bc9cfe66e oggdec: free the ogg streams on read_header failure 
Plug an annoying memory leak on broken files.
(cherry picked from commit 89b51b570d)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 42bd6d9cf6)

Conflicts:

	libavformat/oggdec.c

Conflicts:

	libavformat/oggdec.c
 2013-01-12 19:36:27 +01:00
Luca Barbato
910c1f2352 oggdec: check memory allocation 
(cherry picked from commit ba064ebe48)

Conflicts:

	libavformat/oggdec.c
 2013-01-12 19:34:40 +01:00
Dale Curtis
55065315ca Fix uninitialized reads on malformed ogg files. 
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2013-01-12 19:34:40 +01:00
Martin Storsjö
8081879655 rtsp: Recheck the reordering queue if getting a new packet 
If we timed out and consumed a packet from the reordering queue,
but didn't return a packet to the caller, recheck the queue status.
Otherwise, we could end up in an infinite loop, trying to consume
a queued packet that has already been consumed.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8729698d50)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2013-01-12 19:34:40 +01:00
Janne Grunau
10ff052c60 lavf: avoid integer overflow in ff_compute_frame_duration() 
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.

CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2013-01-12 19:27:42 +01:00
Luca Barbato
f3f22f183f yuv4mpeg: reject unsupported codecs 
The muxer already rejects unsupported pixel formats, reject also
unsupported codecs to prevent dangerous misuses.
(cherry picked from commit 424b1e7642)

Conflicts:

	libavformat/yuv4mpeg.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2013-01-12 19:20:27 +01:00
Anton Khirnov
5754176b5b yuv4mpeg: return proper error codes. 
Fixes Bug 373.

CC:libav-stable@libav.org
(cherry picked from commit d3a72becc6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2013-01-04 07:43:38 +01:00
Anton Khirnov
562d6fd5b5 avidec: return 0, not packet size from read_packet(). 
(cherry picked from commit eeade678f0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2013-01-04 07:43:38 +01:00
Anton Khirnov
05f5a2eb62 avidec: use actually read size instead of requested size 
Fixes CVE-2012-2788
(cherry picked from commit 0af49a63c7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2013-01-04 07:43:37 +01:00
Michael Niedermayer
e28814e0e1 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 
* qatar/release/0.7:
  vorbis: Validate that the floor 1 X values contain no duplicates.
  vorbisenc: check all allocations for failure
  lavfi: avfilter_merge_formats: handle case where inputs are same
  alsdec: check opt_order.
  lavf: don't segfault when a NULL filename is passed to avformat_open_input()
  mpegvideo: Don't use ff_mspel_motion() for vc1
  imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
  nuv: check RTjpeg header for validity
  vc1dec: add flush function for WMV9 and VC-1 decoders
  ffmpeg: fix -force_key_frames
  mov: set AVCodecContext.width/height for h264
  h264: allow cropping to AVCodecContext.width/height

Conflicts:
	libavcodec/mpegvideo_common.h
	libavcodec/nuv.c
	libavcodec/vorbisenc.c
	libavfilter/formats.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2012-10-16 17:57:12 +02:00
Anton Khirnov
77d43bf42d lavf: don't segfault when a NULL filename is passed to avformat_open_input() 
This can easily happen when the caller is using a custom AVIOContext.

Behave as if the filename was an empty string in this case.

CC: libav-stable@libav.org
(cherry picked from commit a5db8e4a1a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7124fa5d36)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-10-06 09:40:46 +02:00
Carl Eugen Hoyos
8582e6e9a3 Fix muxing mjpeg in swf. 
(cherry picked from commit 7680d99b43)
 2012-09-13 09:22:24 +02:00
Mans Rullgard
0054d70f23 mov: set AVCodecContext.width/height for h264 
This is required for correct cropping of files from Canon
cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e9004)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2fb4be9a99)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-06-10 11:23:47 +02:00
Michael Niedermayer
b3e5c8de6a ape: Fix null ptr dereference with files missing a seekatable. 
Such files are currently not supported as the table is used at several points

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2012-06-09 21:06:57 +02:00
Michael Niedermayer
ee6c1670df 4xm: fix division by zero caused by bps<8 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a684)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2012-06-09 21:06:52 +02:00
Michael Niedermayer
64bc5f3bf7 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 
* qatar/release/0.7:
  Update RELEASE file for 0.7.6
  Update changelog for 0.7.6 release
  ea: check chunk_size for validity.
  png: check bit depth for PAL8/Y400A pixel formats.
  x86: fix build with gcc 4.7
  qdm2: clip array indices returned by qdm2_get_vlc().
  kmvc: Check palsize.
  aacsbr: prevent out of bounds memcpy().
  rtpdec_asf: Fix integer underflow that could allow remote code execution
  dpcm: ignore extra unpaired bytes in stereo streams.
  tqi: Pass errors from the MB decoder
  h264: Add check for invalid chroma_format_idc
  adpcm: ADPCM Electronic Arts has always two channels
  h263dec: Disallow width/height changing with frame threads.
  vqavideo: return error if image size is not a multiple of block size
  celp filters: Do not read earlier than the start of the 'out' vector.
  motionpixels: Clip YUV values after applying a gradient.
  h263: more strictly forbid frame size changes with frame-mt.
  h264: additional protection against unsupported size/bitdepth changes.

Conflicts:
	Changelog
	RELEASE
	libavcodec/aacsbr.c
	libavcodec/h264_ps.c
	libavcodec/pngdec.c
	libavformat/rtpdec_asf.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2012-06-04 13:05:25 +02:00
Ronald S. Bultje
50336dc4f1 ea: check chunk_size for validity. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-06-03 19:16:37 +02:00
Michael Niedermayer
b15e85d820 rtpdec_asf: Fix integer underflow that could allow remote code execution 
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-05-28 20:55:34 +02:00
Michael Niedermayer
b6cc1c77fd Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 
* qatar/release/0.7: (84 commits)
  id3v2: fix skipping extended header in id3v2.4
  Update RELEASE file for 0.7.5
  lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
  kgv1dec: Increase offsets array size so it is large enough.
  kgv1: use avctx->get/release_buffer().
  kvmc: fix invalid reads
  nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
  mjpegbdec: Fix overflow in SOS.
  shorten: Use separate pointers for the allocated memory for decoded samples.
  shorten: check for realloc failure (cherry picked from commit 9e5e2c2d01)
  atrac3: Fix crash in tonal component decoding.
  ws_snd1: Fix wrong samples count and crash.
  ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f)
  ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
  dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
  h264: stricter reference limit enforcement.
  jvdec: unbreak video decoding
  xxan: don't read before start of buffer in av_memcpy_backptr().
  dsicinvideo: validate buffer offset before copying pixels.
  huffyuv: add padding to classic (v1) huffman tables.
  ...

Conflicts:
	RELEASE
	libavcodec/atrac3.c
	libavcodec/h264.c
	libavcodec/h264_parser.c
	libavcodec/kgv1dec.c
	libavcodec/shorten.c
	libavcodec/svq3.c
	libavcodec/ws-snd1.c
	libavcodec/xxan.c
	libswscale/utils.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2012-04-02 01:25:31 +02:00
Anton Khirnov
bc5d86d23d id3v2: fix skipping extended header in id3v2.4 
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-04-01 19:20:50 +02:00
Diego Biurrun
6fe5038753 nsvdec: Propagate error values instead of returning 0 in nsv_read_header(). 
This eliminates a warning about a set-but-unused variable.
(cherry picked from commit 35fa0d4758)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:29 +02:00
Ronald S. Bultje
f2e412d050 smacker: error out if palette copy-with-offset overruns palette size. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
853ce33dbc mov: Add more HDV and XDCAM FourCCs. 
Reference: VLC
(cherry picked from commit b142496c56)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
5015ada0ec mov: Add support for MPEG2 HDV 720p24 (hdv4) 
(cherry picked from commit 0ad522afb3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
b0888b8a48 dv: Fix small overread in audio frequency table. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
00fa6ffe1a dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. 
Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
44e182d41e dv: Fix null pointer dereference due to ach=0 
dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
bb737d381f dv: check stype 
dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
0100c4b1b0 nsvdec: Propagate errors 
Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Alex Converse
be524c186b nsvdec: Be more careful with av_malloc(). 
Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Michael Niedermayer
65beb8c117 nsvdec: Fix use of uninitialized streams. 
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:28 +02:00
Ronald S. Bultje
433aaeb2f1 matroska: check buffer size for RM-style byte reordering. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c239f6026)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
a2d5e741a8 asf: don't seek back on EOF. 
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
18caebca4c asf: error out on ridiculously large minpktsize values. 
They cause various issues further down in demuxing.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
811989e910 rm: prevent infinite loops for index parsing. 
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
cd6c5e16c6 swf: check return values for av_get/new_packet(). 
Prevents crashers when using the packet if allocation failed.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:27 +02:00
Ronald S. Bultje
9a331217b0 asf: prevent packet_size_left from going negative if hdrlen > pktlen. 
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:26 +02:00
Ronald S. Bultje
6c12293f6c matroska: don't overwrite string values until read/alloc was succesful. 
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:26 +02:00
Alex Converse
dd7b323d9a matroskadec: Pad AAC extradata. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
(cherry picked from commit d2ee8c1779)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 2012-04-01 18:33:26 +02:00
Michael Niedermayer
a3d331f2d8 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 
* qatar/release/0.7: (96 commits)
  intfloat_readwrite: fix signed addition overflows
  smacker: validate channels and sample format.
  smacker: check buffer size before reading output size
  smacker: validate number of channels
  sipr: fix get_bits(0) calls
  motion_est: make MotionExtContext.map_generation unsigned
  4xm: prevent NULL dereference with invalid huffman table
  4xmdemux: prevent use of uninitialized memory
  4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
  ptx: check for out of bound reads
  tiffdec: fix out of bound reads/writes
  eacmv: check for out of bound reads
  eacmv: fix potential pointer arithmetic overflows
  adpcm: fix out of bound reads due to integer overflow
  anm: prevent infinite loop
  avsdemux: check for out of bound writes
  avs: check for out of bound reads
  avsdemux: check for corrupted data
  mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
  vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
  ...

Conflicts:
	libavcodec/adpcm.c
	libavcodec/bink.c
	libavcodec/h264.c
	libavcodec/h264.h
	libavcodec/h264_cabac.c
	libavcodec/h264_cavlc.c
	libavcodec/motion_est_template.c
	libavcodec/mpegvideo.c
	libavcodec/nellymoserdec.c
	libavcodec/ptx.c
	libavcodec/svq3.c
	libavcodec/vaapi_vc1.c
	libavcodec/xan.c
	libavfilter/vf_scale.c
	libavformat/4xm.c
	libavformat/flvdec.c
	libavformat/mpeg.c
	tests/ref/fate/motionpixels

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2012-03-19 05:14:44 +01:00
Laurent Aimar
5ab326d7db 4xmdemux: prevent use of uninitialized memory 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 79964745b3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-03-18 17:50:40 +01:00
Laurent Aimar
7fa13e12e6 avsdemux: check for out of bound writes 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 6de33611c9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-03-18 17:50:40 +01:00
Laurent Aimar
b696d61518 avsdemux: check for corrupted data 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 76c6971a64)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2012-03-18 17:50:40 +01:00