Michael Niedermayer
736e42bc33
avformat/libquvi: Set default demuxer and protocol limitations
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 15cc98a0f3michael@niedermayer.cc >
2016-01-28 15:53:54 +01:00
Michael Niedermayer
cb88f428b3
avformat/concat: Check protocol prefix
...
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8e32d01432michael@niedermayer.cc >
2016-01-28 15:53:54 +01:00
Michael Niedermayer
971f47f2eb
avformat/avformat: Replace some references to filenames by urls
...
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 41e07390e0michael@niedermayer.cc >
2016-01-28 15:53:54 +01:00
Michael Niedermayer
8ed4b44657
avformat/img2dec: Use AVOpenCallback
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit b750b67d13
2016-01-28 15:53:54 +01:00
Michael Niedermayer
642c54270b
avformat/avio: Limit url option parsing to the documented cases
...
This feature is not know much or used much AFAIK, and it might be helpfull in
exploits.
No specific case is known where it can be used in an exploit though
subsequent commits depend on this commit though
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 984d58a344michael@niedermayer.cc >
2016-01-28 15:53:54 +01:00
Michael Niedermayer
d64ff3a6a9
avformat/img2dec: do not interpret the filename by default if a IO context has been opened
...
With this, user applications which use custom IO and have set a IO context will not have
their already opened IO context ignored and glob/seq being interpreted
Comments and tests from maintainers of user apps are welcome!
Liked-by: wm4 <nfxjfg@googlemail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 7ccedc1c78michael@niedermayer.cc >
2016-01-28 15:53:54 +01:00
Derek Buitenhuis
b9551e71bf
mov: Add an option to toggle dref opening
...
This feature is mostly only used by NLE software, and is
both of dubious value being enabled by default, and a
possible security risk.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 712d962a6amichael@niedermayer.cc >
2016-01-28 15:53:53 +01:00
Andreas Cadhalpun
d640bc7545
asfdec_o: check for too small size in asf_read_unknown
...
This fixes infinite loops due to seeking back.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit c29e87ad55Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:45 +01:00
Andreas Cadhalpun
93559adfbf
asfdec_o: break if EOF is reached after asf_read_packet_header
...
asf_read_payload can unset eof_reached, so check it also before calling
that function.
This fixes infinite loops.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 0e32153e9cAndreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:45 +01:00
Andreas Cadhalpun
4679e54388
asfdec_o: make sure packet_size is non-zero before seeking
...
This fixes infinite loops due to seeking back.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 3776a72962Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:45 +01:00
Andreas Cadhalpun
782257ba66
asfdec_o: prevent overflow causing seekback
...
This fixes infinite loops.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 74474750f1Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:45 +01:00
Andreas Cadhalpun
e188c267c8
asfdec_o: check avio_skip in asf_read_simple_index
...
The loop can be very long, even though the file is very short.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 0002d845e8Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Andreas Cadhalpun
407ab167c0
asfdec_o: reject size > INT64_MAX in asf_read_unknown
...
Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.
This fixes a segmentation fault due to infinite recursion.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit aa18016996Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Andreas Cadhalpun
d7fbd03660
asfdec_o: only set asf_pkt->data_size after sanity checks
...
Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 763c572801Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Hendrik Leppkes
2cd41c5d52
Merge commit '8375dc1dd101d51baa430f34c0bcadfa37873896'
...
* commit '8375dc1dd101d51baa430f34c0bcadfa37873896':
asfdec: handle the case when the stream index has an invalid value better
Merged-by: Hendrik Leppkes <h.leppkes@gmail.com >
(cherry picked from commit bf67ae3cfaAndreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Andreas Cadhalpun
cf99f0dd0f
brstm: fix missing closing brace
...
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 1cb2331ecaAndreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Andreas Cadhalpun
247bb203e4
brstm: also allocate b->table in read_packet
...
This fixes NULL pointer dereferencing if the codec is forced to
adpcm_thp even though a different one was detected.
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit bcf4ee26a0Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Andreas Cadhalpun
94b9e7caae
brstm: make sure an ADPC chunk was read for adpcm_thp
...
This fixes NULL pointer dereferencing.
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit d7d37c479fAndreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Andreas Cadhalpun
667a23a032
ffmdec: reset packet_end in case of failure
...
This fixes segmentation faults caused by passing a packet_ptr of NULL to
memcpy.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 40eb2531b2Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:45:44 +01:00
Paul B Mahol
7b0fb4fdf7
avformat/ipmovie: put video decoding_map_size into packet and use it in decoder
...
The size of decoding map can differ from one calculated
internally, producing artifacts while decoding video.
Signed-off-by: Paul B Mahol <onemda@gmail.com >
(cherry picked from commit c293ef258cAndreas.Cadhalpun@googlemail.com >
2016-01-27 23:28:49 +01:00
Paul B Mahol
40ebeee3fc
avformat/brstm: fix overflow
...
Signed-off-by: Paul B Mahol <onemda@gmail.com >
(cherry picked from commit 3441fef0f8Andreas.Cadhalpun@googlemail.com >
2016-01-27 23:28:43 +01:00
Michael Niedermayer
28f89bc439
avformat/hls: Even stricter URL checks
...
This fixes a null pointer dereference at least
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit cfda1bea4cmichael@niedermayer.cc >
2016-01-15 15:49:35 +01:00
Michael Niedermayer
23b903aaf4
avformat/hls: More strict url checks
...
No case is known where these are needed
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 6ba42b6482michael@niedermayer.cc >
2016-01-15 14:17:28 +01:00
Maxim Andreev
b7d54d6e07
avformat/hls: forbid all protocols except http(s) & file
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 7145e80b4fmichael@niedermayer.cc >
2016-01-15 12:30:40 +01:00
Michael Niedermayer
90c2256ee5
avformat/aviobuf: Fix end check in put_str16()
...
Fixes out of array read
Fixes: 03c406ec9530e594a074ce2979f8a1f0/asan_heap-oob_7dec26_4664_37c52495b2870a2eaac65f53958e76c1.flac
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 115fb6d03emichael@niedermayer.cc >
2016-01-15 12:30:40 +01:00
Michael Niedermayer
f459afdd72
avformat/asfenc: Check pts
...
Fixes integer overflow
Fixes: 0063df8be3aaa30dd6d76f59c8f818c8/signal_sigsegv_7b7b59_3634_bf418b6822bbfa68734411d96b667be3.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 7c0b84d899michael@niedermayer.cc >
2016-01-15 12:30:40 +01:00
Michael Niedermayer
cb4ba7456a
avformat: Add integer fps from 31 to 60 to get_std_framerate()
...
Fixes Ticket 5106
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 2039b3e751michael@niedermayer.cc >
2016-01-15 12:30:40 +01:00
Michael Niedermayer
d79b6dd9f9
avformat/ivfenc: fix division by zero
...
Fixes Ticket 5115
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5c8467a07cmichael@niedermayer.cc >
2016-01-15 12:30:40 +01:00
Michael Niedermayer
2f65366c11
avformat/mov: Update handbrake_version threshold for full mp3 parsing
...
Fixes: Endangered\ Species\ 1x01\ Collecting\ Merl.mp4
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit d3b6a9abacmichael@niedermayer.cc >
2016-01-15 12:30:40 +01:00
Andreas Cadhalpun
79f407b79a
nuv: sanitize negative fps rate
...
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit f6830cf5baAndreas.Cadhalpun@googlemail.com >
2015-12-20 13:39:45 +01:00
Andreas Cadhalpun
174ec7d744
nutdec: reject negative value_len in read_sm_data
...
If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.
Also fix potential overflow of avio_tell(bc) + value_len.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit ce10f572c1Andreas.Cadhalpun@googlemail.com >
2015-12-20 13:39:41 +01:00
Andreas Cadhalpun
38f8c80901
nutdec: only copy the header if it exists
...
Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 9f82506c79Andreas.Cadhalpun@googlemail.com >
2015-12-20 13:39:33 +01:00
Andreas Cadhalpun
63ecbb82fc
mlvdec: check that index_entries exist
...
This fixes NULL pointer dereferencing.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
2015-12-20 02:42:13 +01:00
Andreas Cadhalpun
0b24a0e0f1
ffm: reject invalid codec_id and codec_type
...
A negative codec_id cannot be handled by the found_decoder API of
AVStream->info: if the codec_id is not recognized, found_decoder is set
to -codec_id, which has to be '<0' according to the API documentation.
This can cause NULL pointer dereferencing in try_decode_frame.
Also make sure the codec_type matches the expected one for codec_id.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit ecf63b7cc2Andreas.Cadhalpun@googlemail.com >
2015-12-17 20:04:25 +01:00
Andreas Cadhalpun
76af12f542
ffmdec: reject zero-sized chunks
...
If size is zero, avio_get_str fails, leaving the buffer uninitialized.
This causes invalid reads in av_set_options_string.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit a611375db5Andreas.Cadhalpun@googlemail.com >
2015-12-17 20:02:55 +01:00
Michael Niedermayer
95a144ae62
avformat/mxfenc: Do not crash if there is no packet in the first stream
...
Fixes: Ticket4914
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit b51e7554e7michael@niedermayer.cc >
2015-12-13 17:27:04 +01:00
Nicolas George
1450a39ad4
lavf/tee: fix side data double free.
...
Similar to 33fefdb44#4921 .
Signed-off-by: Nicolas George <george@nsup.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1acc90eaa5michael@niedermayer.cc >
2015-12-13 10:14:24 +01:00
Michael Niedermayer
d07f658201
avformat/hlsenc: Check the return code of avformat_write_header()
...
Fixes: segfault
Fixes: Ticket5067
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit c62d1780ffmichael@niedermayer.cc >
2015-12-13 02:59:32 +01:00
Michael Niedermayer
07b43fb69a
avformat/mov: Enable parser for mp3s by old HandBrake
...
Fixes Ticket5047
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 861f47ddf4michael@niedermayer.cc >
2015-12-13 02:15:36 +01:00
Michael Niedermayer
e3f08d9359
avformat/mxfenc: Fix integer overflow in length computation
...
Fixes: CID1341577
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 537e901fe6michael@niedermayer.cc >
2015-12-13 02:15:14 +01:00
Rainer Hochecker
5e105aca01
avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec
...
Fixes a mpegts file with hevc that fails estimating duration. Increasing number of
retries fixes the issue.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 2d8c2f1a28michael@niedermayer.cc >
2015-12-09 20:46:47 +01:00
Michael Niedermayer
a9c721da12
avformat/matroskaenc: Check codecdelay before use
...
Fixes CID1238790
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e6971db12bmichael@niedermayer.cc >
2015-12-09 18:27:54 +01:00
Michael Niedermayer
0e3ec7db53
avformat/smacker: fix integer overflow with pts_inc
...
Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 7ed47e9729michael@niedermayer.cc >
2015-12-06 02:51:27 +01:00
Michael Niedermayer
b8621a2e98
avformat/riffdec: Initialize bitrate
...
Fixes CID1338334
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 32bf6550cbmichael@niedermayer.cc >
2015-12-06 02:51:27 +01:00
Timo Teräs
aa9ac199b8
mpegencts: Fix overflow in cbr mode period calculations
...
ts->mux_rate is int (signed 32-bit) type. The period calculations
will start to overflow when mux_rate > 5mbps. This fixes overflows
by converting first to 64-bit type.
Fixes #5044 .
Signed-off-by: Timo Teräs <timo.teras@iki.fi >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 64f7db554emichael@niedermayer.cc >
2015-12-06 02:51:27 +01:00
Michael Niedermayer
3d69716bae
avformat/dump: Fix integer overflow in av_dump_format()
...
Fixes part of mozilla bug 1229167
Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8e7f452022michael@niedermayer.cc >
2015-12-06 02:51:27 +01:00
Carl Eugen Hoyos
aa3101a9e8
lavf/rtpenc_jpeg: Less strict check for standard Huffman tables.
...
There can be one or more Huffman table segments DHT.
Reported-by: Andrey Utkin
2015-12-02 14:56:53 +01:00
Martin Storsjö
1290c85c9d
rtmpcrypt: Do the xtea decryption in little endian mode
...
The XTEA algorithm operates on 32 bit numbers, not on byte sequences.
The XTEA implementation in libavutil is written assuming big endian
numbers, while the rtmpe signature encryption assumes little endian.
This fixes rtmpe communication with rtmpe servers that use signature
type 8 (XTEA), e.g. crunchyroll.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st >
(cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
2015-11-26 16:06:39 +01:00
Michael Niedermayer
b70f7d20e1
avformat/matroskadec: Check subtitle stream before dereferencing
...
Unrecognized streams are not allocated
Fixes: flicker-1.color1.vp91447030769.08.webm
Found-by: Chris Cunningham <chcunningham@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a5034b324cmichael@niedermayer.cc >
2015-11-26 16:06:39 +01:00
Michael Niedermayer
859a6edaed
avformat/utils: Do not init parser if probing is unfinished
...
Fixes assertion failure
Fixes: 136f8b8d47af7892306625e597dee655/signal_sigabrt_7ffff6ae7cc9_8941_ab11bea57c84796418f481f873dc31ba.dvr_ms
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1ef336e912michael@niedermayer.cc >
2015-11-26 16:06:39 +01:00
