Anton Khirnov
299c5dcfb0
h264: reset num_reorder_frames if it is invalid
...
An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c
2014-02-01 23:51:46 -05:00
Anton Khirnov
62ed6da016
h264: check that an IDR NAL only contains I slices
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 23:51:46 -05:00
Martin Storsjö
a1b4d42d31
mov: Free an earlier allocated array if allocating a new one
...
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df1310)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 23:51:45 -05:00
Martin Storsjö
44079902c4
mov: Free intermediate arrays in the normal cleanup function
...
These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 23:51:45 -05:00
Anton Khirnov
f728782c0d
segafilm: fix leaks if reading the header fails
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 23:51:45 -05:00
Anton Khirnov
b5275ca1a8
h264_cavlc: check the size of the intra PCM data.
...
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-02-01 14:59:50 -05:00
Michael Niedermayer
d9c82cea11
h263: Check init_get_bits return value
...
And use init_get_bits8 to check for integer overflows while at it.
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-02-01 14:59:50 -05:00
Anton Khirnov
969028870c
cavsdec: check ff_get_buffer() return value
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
2014-02-01 14:59:50 -05:00
Luca Barbato
c85e5f13f6
cavs: Check for negative cbp
...
Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
2014-02-01 14:59:50 -05:00
Luca Barbato
3485a07977
avi: DV in AVI must be considered single stream
...
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
2014-02-01 14:59:50 -05:00
Luca Barbato
4b24eb1a03
vmnc: Check the cursor dimensions
...
And manage the reallocation failure path.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5e992a4682)
2014-02-01 14:59:50 -05:00
Luca Barbato
9f9e773881
vmnc: Port to bytestream2
...
Fix some buffer overreads.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
2014-02-01 14:59:50 -05:00
Luca Barbato
f1476459b7
vmnc: K&R formatting cosmetics
...
Signed-off-by: Diego Biurrun <diego@biurrun.de>
2014-02-01 14:59:50 -05:00
Michael Niedermayer
10d48fe6d3
flashsv: Check diff_start diff_height values
...
Fix out of array accesses.
Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Addresses: CVE-2013-7015
(cherry picked from commit 57070b1468)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 13:56:58 -05:00
Michael Niedermayer
af9799790d
dsputil/pngdsp: fix signed/unsigned type in end comparison
...
Fixes out of array accesses and integer overflows.
(cherry picked from commit d1916d13e2)
Addresses: CVE-2013-7010, CVE-2013-7014
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 13:53:41 -05:00
Anton Khirnov
8575f5362f
lavf: make av_probe_input_buffer more robust
...
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a35974)
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-01-13 15:32:24 +01:00
Anton Khirnov
539d255871
lavf: use a fixed width type
...
It's shorter and more consistent with the rest of the code.
(cherry picked from commit 8b76362836)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-01-13 15:32:17 +01:00
Anton Khirnov
e38c62fe0c
lavf: simplify handling of offset in av_probe_input_buffer()
...
(cherry picked from commit c1868e7ee7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2014-01-13 15:24:08 +01:00
Luca Barbato
9aa22918c2
prores: Error out only on surely incomplete ac_coeffs
...
(cherry picked from commit 2df7f7714a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-01-13 14:18:37 +01:00
Tim Walker
a0866c7129
shorten: Fix out-of-array read
...
pred_order == FF_ARRAY_ELEMS(fixed_coeffs) is invalid too.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 5f5ada3dbf)
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
2014-01-06 16:36:56 +01:00
Luca Barbato
65830277d2
prores: Add a codepath for decoding errors
...
(cherry picked from commit 44690dfa68)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2014-01-06 02:31:17 +00:00
Derek Buitenhuis
5ae7ed3aa4
nut: Fix unchecked allocations
...
CC: libav-stable@libav.org
(cherry picked from commit b1fcdc08ce)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2014-01-06 02:31:05 +00:00
Luca Barbato
61057f4604
avi: directly resync on DV in AVI read failure
...
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:34:06 -05:00
Martin Storsjö
d149c14a22
mov: Don't allocate arrays with av_malloc that will be realloced
...
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b698542ad8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:31:06 -05:00
Luca Barbato
5bbee02ae0
shorten: Extend fixed_coeffs to properly support pred_order 0
...
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b2148faca9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:30:53 -05:00
Reinhard Tartler
f53a5332b0
Prepare for 9.11 RELEASE
2014-01-05 17:23:12 -05:00
Luca Barbato
e361fde8b0
avi: properly fail if the dv demuxer is missing
...
CC: libav-stable@libav.org
(cherry picked from commit 1cac9accbd)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:21:47 -05:00
Luca Barbato
1d7a453dcf
prores: Reject negative run and level values
...
Sample-Id: 00000611-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c0de9a23c7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:21:35 -05:00
Anton Khirnov
481e55eba7
audio_mix: fix channel order in mix_1_to_2_fltp_flt_c
...
CC:libav-stable@libav.org
(cherry picked from commit df6737a55f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:21:24 -05:00
Luca Barbato
03457cabd6
indeo4: Check the inherited quant_mat
...
Invalidate it if not supported.
Sample-Id: 00000262-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c9ef6b0932)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/indeo4.c
2014-01-05 17:21:07 -05:00
Luca Barbato
0358a099f8
indeo4: Check the block size if reusing the band configuration
...
Sample-Id: 00000287-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0cb83c5638)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:16:42 -05:00
Luca Barbato
2656036757
ffv1: Assume bitdepth 0 means 8bit
...
CC: libav-stable@libav.org
Reported-by: debian/726189
(cherry picked from commit a90905db2e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:15:41 -05:00
Anton Khirnov
f9f2591beb
alsa-audio-dec: explicitly cast the delay to a signed int64
...
Otherwise the expression will be evaluated as unsigned, which will break
when the result should be negative.
CC:libav-stable@libav.org
(cherry picked from commit 089fac77a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:15:04 -05:00
Anton Khirnov
cbf51c4d36
matroskadec: pad EBML_BIN data.
...
It might be passed to code requiring padding, such as lzo decompression.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 30be1ea33e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:13:19 -05:00
Anton Khirnov
26221a54ec
motionpixels: clip VLC codes.
...
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit ca41c72c6d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:13:08 -05:00
Anton Khirnov
7c214e313c
avidec: fix a memleak in the dv init code.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit ce9bba5340)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:12:52 -05:00
Anton Khirnov
7b337b1229
truemotion1: make sure index does not go out of bounds
...
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit c918e08b9c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:12:39 -05:00
Anton Khirnov
51ff11647f
pcx: round up in bits->bytes conversion in a buffer size check
...
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 430d121964)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:12:31 -05:00
Michael Niedermayer
35f9a0896e
omadec: Fix wrong number of array elements
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: David Goldwich <david.goldwich@gmail.com>
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 97f50e92b5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:12:19 -05:00
Michael Niedermayer
cdc47c4813
omadec: check GEOB sizes against buffer size
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: David Goldwich <david.goldwich@gmail.com>
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1c736bedd9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:12:06 -05:00
Michael Niedermayer
e776a1e8f3
ac3dec: fix outptr increment.
...
Fixes corrupt data errors when downmixing in the AC-3 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit 6c82c87dbb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:11:54 -05:00
Luca Barbato
d6d2617d07
avio: Use AVERROR_PROTOCOL_NOT_FOUND
...
When the protocol is missing ffurl_alloc() should return
AVERROR_PROTOCOL_NOT_FOUND instead of AVERROR(ENOENT).
Bug-Id: 577
CC: libav-stable@libav.org
(cherry picked from commit ea71aafd68)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:08:19 -05:00
Luca Barbato
0e8ae6d10c
mpegvideo: Drop a faulty assert
...
That check is easily reachable by faulty input.
CC:libav-stable@libav.org
Reported-by: Torsten Sadowski <tsadowski@gmx.net>
(cherry picked from commit 72072bf9de)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:08:03 -05:00
Justin Ruggles
24a8dfd37b
lavr: check that current_buffer is not NULL before using it
...
Fixes a segfault during resampling when compiled with -DDEBUG.
Fixes all fate-lavr-resample tests with -DDEBUG.
CC:libav-stable@libav.org
(cherry picked from commit 211ca69b13)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:07:46 -05:00
Anton Khirnov
a8f6d93071
pmpdec: check that there is at least one audio packet.
...
The code cannot handle there being none, but that should not happen for
valid files.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1b5d065ca7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:01:18 -05:00
Anton Khirnov
ffa83bcc49
lzw: switch to bytestream2
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit e89aa4bf56)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:01:03 -05:00
Anton Khirnov
819541ff83
gifdec: convert to bytestream2
...
(cherry picked from commit 1f3e56b6dc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:00:51 -05:00
Anton Khirnov
c5c7e3e6f7
gifdec: check that the image dimensions are non-zero
...
Also add an error message and return a more suitable error code
(INVALIDDATA, not EINVAL).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit c453723ad7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 17:00:40 -05:00
Anton Khirnov
5e7a5dd70b
gifdec: return meaningful error codes.
...
(cherry picked from commit 048ffb9bb2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-01-05 16:59:55 -05:00
Anton Khirnov
f194f2be41
eacmv: check the framerate before setting it.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 24057c8320)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/eacmv.c
2014-01-05 16:57:17 -05:00