From 8135c3552894b096a9f9989dc310ece7bb529403 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 13 Feb 2011 00:19:06 +0000 Subject: [PATCH 1/5] Fix MMX rgb24 to yuv conversion with gcc 4.6 When built with gcc 4.6, the MMX rgb24 to yuv conversion gives wrong output. The compiler produces this warning: libswscale/swscale_template.c:1885:5: warning: use of memory input without lvalue in asm operand 4 is deprecated Changing the memory operand to a register makes it work. Signed-off-by: Mans Rullgard (cherry picked from commit f344903ca5ce28a833fdd656bc1ed5b16d97e7e9) Conflicts: libswscale/swscale_template.c Signed-off-by: Reinhard Tartler --- libswscale/swscale_template.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/libswscale/swscale_template.c b/libswscale/swscale_template.c
index 6f2e243052..9016778a9c 100644
--- a/libswscale/swscale_template.c
+++ b/libswscale/swscale_template.c
@@ -1739,7 +1739,7 @@ static inline void RENAME(bgr24ToY_mmx)(uint8_t *dst, uint8_t *src, long width,
 static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *src, long width, int srcFormat)
 {
 __asm__ volatile(
- "movq 24+%4, %%mm6 \n\t"
+ "movq 24(%4), %%mm6 \n\t"
 "mov %3, %%"REG_a" \n\t"
 "pxor %%mm7, %%mm7 \n\t"
 "1: \n\t"
@@ -1750,9 +1750,9 @@ static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *
 "punpcklbw %%mm7, %%mm1 \n\t"
 "movq %%mm0, %%mm2 \n\t"
 "movq %%mm1, %%mm3 \n\t"
- "pmaddwd %4, %%mm0 \n\t"
- "pmaddwd 8+%4, %%mm1 \n\t"
- "pmaddwd 16+%4, %%mm2 \n\t"
+ "pmaddwd (%4), %%mm0 \n\t"
+ "pmaddwd 8(%4), %%mm1 \n\t"
+ "pmaddwd 16(%4), %%mm2 \n\t"
 "pmaddwd %%mm6, %%mm3 \n\t"
 "paddd %%mm1, %%mm0 \n\t"
 "paddd %%mm3, %%mm2 \n\t"
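Review bot: Once the table is passed as `"r"(ff_bgr24toUV[srcFormat == PIX_FMT_RGB24])` (operand list in the `@@ -1789` hunk), nothing in the asm statement tells the compiler that `movq 24(%4)` and the `pmaddwd (%4)`, `8(%4)`, `16(%4)` loads here and in the `@@ -1764` hunk read memory through that pointer. The only clobber visible is `"%"REG_a`, so I would add `"memory"` there, `: "%"REG_a, "memory"`, which also covers any stores the loop makes through %1 and %2 (those instructions are outside the hunks shown). A one-line comment above the statement, `/* %4 points at a 32-byte coefficient row read at offsets 0, 8, 16 and 24 */`, would record the size the asm assumes.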
@@ -1764,9 +1764,9 @@ static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *
 "punpcklbw %%mm7, %%mm3 \n\t"
 "movq %%mm1, %%mm4 \n\t"
 "movq %%mm3, %%mm5 \n\t"
- "pmaddwd %4, %%mm1 \n\t"
- "pmaddwd 8+%4, %%mm3 \n\t"
- "pmaddwd 16+%4, %%mm4 \n\t"
+ "pmaddwd (%4), %%mm1 \n\t"
+ "pmaddwd 8(%4), %%mm3 \n\t"
+ "pmaddwd 16(%4), %%mm4 \n\t"
 "pmaddwd %%mm6, %%mm5 \n\t"
 "paddd %%mm3, %%mm1 \n\t"
 "paddd %%mm5, %%mm4 \n\t"
@@ -1789,7 +1789,7 @@ static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *
 "add $4, %%"REG_a" \n\t"
 " js 1b \n\t"
 : "+r" (src)
- : "r" (dstU+width), "r" (dstV+width), "g" (-width), "m"(ff_bgr24toUV[srcFormat == PIX_FMT_RGB24][0])
+ : "r" (dstU+width), "r" (dstV+width), "g" (-width), "r"(ff_bgr24toUV[srcFormat == PIX_FMT_RGB24])
 : "%"REG_a
 );
 }
From 1330a8a1cb28fe1119e37f1006d3141e8dcfa65c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A5ns=20Rullg=C3=A5rd?= Date: Thu, 21 Jan 2010 12:59:22 +0000 Subject: [PATCH 2/5] Make DECLARE_ALIGNED macros work with external array specifiers The macro implementation might need the name of the variable being declared for compiler-specific syntax. Moving array specifiers outside the macro invocation allows this to work. Originally committed as revision 21363 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit 8a24e98d506f0f44ec58e06291fa0fce703fb6a8) Signed-off-by: Reinhard Tartler --- libavutil/internal.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavutil/internal.h b/libavutil/internal.h
index f5f769e2c0..792fd29a6c 100644
--- a/libavutil/internal.h
+++ b/libavutil/internal.h
@@ -256,11 +256,11 @@ if((y)<(x)){\
 }
 #if defined(__ICC) || defined(__SUNPRO_C)
- #define DECLARE_ALIGNED(n,t,v) t v __attribute__ ((aligned (n)))
+ #define DECLARE_ALIGNED(n,t,v) t __attribute__ ((aligned (n))) v
 #define DECLARE_ASM_CONST(n,t,v) const t __attribute__ ((aligned (n))) v
 #elif defined(__GNUC__)
- #define DECLARE_ALIGNED(n,t,v) t v __attribute__ ((aligned (n)))
- #define DECLARE_ASM_CONST(n,t,v) static const t v attribute_used __attribute__ ((aligned (n)))
+ #define DECLARE_ALIGNED(n,t,v) t __attribute__ ((aligned (n))) v
+ #define DECLARE_ASM_CONST(n,t,v) static const t attribute_used __attribute__ ((aligned (n))) v
 #elif defined(_MSC_VER)
 #define DECLARE_ALIGNED(n,t,v) __declspec(align(n)) t v
 #define DECLARE_ASM_CONST(n,t,v) __declspec(align(n)) static const t v
From 9463a287920e220cfb82035415581c4e951cad84 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Sun, 30 Jan 2011 01:04:41 -0800 Subject: [PATCH 3/5] Fix ff_imdct_calc_sse() on gcc-4.6 Gcc 4.6 only preserves the first value when using an array with an "m" constraint. Signed-off-by: Mans Rullgard (cherry picked from commit 770c410fbb8e1b87ce8ad7f3d7eddaa55e2b8295) Conflicts: libavcodec/x86/fft_sse.c Signed-off-by: Reinhard Tartler --- libavcodec/x86/fft_sse.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/libavcodec/x86/fft_sse.c b/libavcodec/x86/fft_sse.c
index 3d9f1c5145..918fdf299a 100644
--- a/libavcodec/x86/fft_sse.c
+++ b/libavcodec/x86/fft_sse.c
@@ -22,7 +22,7 @@
 #include "libavutil/x86_cpu.h"
 #include "libavcodec/dsputil.h"
-static const int m1m1m1m1[4] __attribute__((aligned(16))) =
+DECLARE_ASM_CONST(16, int, m1m1m1m1)[4] =
 { 1 << 31, 1 << 31, 1 << 31, 1 << 31 };
 void ff_fft_dispatch_sse(FFTComplex *z, int nbits);
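Review bot: `DECLARE_ALIGNED` and `DECLARE_ASM_CONST` in libavutil/internal.h now require the declarator name to be the last token of the expansion, but nothing at the definitions says so. A comment above the `#if`, for example `/* Array dimensions go after the macro call: DECLARE_ALIGNED(16, int, tab)[4]; every branch must end in v. */`, would keep a later compiler branch from putting an attribute after `v` again. The conditional continues past the end of this hunk, so any fallback branch not shown here needs the same check.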
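Review bot: The initializer `{ 1 << 31, 1 << 31, 1 << 31, 1 << 31 }` kept under the new `DECLARE_ASM_CONST(16, int, m1m1m1m1)[4] =` line in libavcodec/x86/fft_sse.c shifts a 1 into the sign bit of an int, which is undefined behaviour in C for a 32-bit int. As far as this patch shows, the array is only loaded as raw bits by `movaps` in the `@@ -182` hunk, so an unsigned element type states the intent without the undefined shift: `DECLARE_ASM_CONST(16, uint32_t, m1m1m1m1)[4] =` with `{ 1U << 31, 1U << 31, 1U << 31, 1U << 31 };`. That assumes `uint32_t` is already in scope through the headers this file includes.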
@@ -182,7 +182,7 @@ void ff_imdct_calc_sse(MDCTContext *s, FFTSample *output, const FFTSample *input
 j = -n;
 k = n-16;
 __asm__ volatile(
- "movaps %4, %%xmm7 \n"
+ "movaps "MANGLE(m1m1m1m1)", %%xmm7 \n"
 "1: \n"
 "movaps (%2,%1), %%xmm0 \n"
 "movaps (%3,%0), %%xmm1 \n"
@@ -195,8 +195,7 @@ void ff_imdct_calc_sse(MDCTContext *s, FFTSample *output, const FFTSample *input
 "add $16, %0 \n"
 "jl 1b \n"
 :"+r"(j), "+r"(k)
- :"r"(output+n4), "r"(output+n4*3),
- "m"(*m1m1m1m1)
+ :"r"(output+n4), "r"(output+n4*3)
 );
 }
From 0f2735e839f33af4fe9e2120f908eb31cdfedc34 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 5 Nov 2011 12:53:16 +0100 Subject: [PATCH 4/5] Release notes and changelog for 0.5.5 --- Changelog | 11 +++++++++++ RELEASE | 16 ++++++++++++++++ 2 files changed, 27 insertions(+)
diff --git a/Changelog b/Changelog
index fbbabc2e4c..173cc00acf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,17 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 0.5.5: + +- Fix memory (re)allocation in matroskadec.c (MSVR11-011/CVE-2011-3504) +- Fix some crashes with invalid bitstreams in the CAVS decoder + (CVE-2011-3362, CVE-2011-3973, CVE-2011-3974) +- Compilation fixes for gcc-4.6, testsuite now passes again +- Detect and handle overreads in the MJPEG decoder. + + + version 0.5.4: - Fix memory corruption in WMV parsing (addresses CVE-2010-3908)
diff --git a/RELEASE b/RELEASE
index 2f7e2c6dde..75099adfac 100644
--- a/RELEASE
+++ b/RELEASE
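Review bot: With `"movaps "MANGLE(m1m1m1m1)", %%xmm7 \n"` in the `@@ -182` hunk and the `"m"(*m1m1m1m1)` operand removed in the `@@ -195` hunk, the compiler no longer sees any use of `m1m1m1m1` in ff_imdct_calc_sse(); the load works only while the declaration keeps the object emitted under that exact assembler name. MANGLE's definition is not in this patch; if it yields an absolute symbol reference on 32-bit x86, position-independent builds of the library would get a text relocation at this instruction, which is worth checking with `readelf -d` for a TEXTREL entry. I would record the dependency at the declaration with `/* referenced by name from inline asm via MANGLE(); must stay DECLARE_ASM_CONST */`. The function body starts outside these two hunks.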
@@ -137,3 +137,19 @@ maintenance-only release that addresses several security issues that were brought to our attention. In detail, fixes for RV30/40, WMV, Vorbis and VC-1 have been backported from trunk. Distributors and system integrators are encouraged to update and share their patches against this branch. + + + +* 0.5.5 Nov 11, 2011 + +General notes +------------- + +This maintenance-only release addresses several security issues that +were brought to our attention. In detail, fixes for the MJPEG decoder, +the CAVS decoder (CVE-2011-3362, CVE-2011-3973, CVE-2011-3974), and the +Matroska decoder (MSVR11-011/CVE-2011-3504) have been +corrected. Additional, this release contains fixes for compilation with +gcc-4.6. Distributors and system integrators are encouraged to update +and share their patches against this branch. +
From d6bf79993fe67021584263f87b8a41f9edcec579 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 5 Nov 2011 12:57:22 +0100 Subject: [PATCH 5/5] update version --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 7d8568351b..d1d899fa33 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.4
+0.5.5