From 1edf848a81464afd514afbbbcb97b471d334e14a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 22:20:26 +0100 Subject: [PATCH 01/32] nsvdec: Fix use of uninitialized streams. Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b) Signed-off-by: Alex Converse (cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3) Signed-off-by: Reinhard Tartler (cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef) Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 44e5097d59..3a14cfa22c 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -609,12 +609,12 @@ null_chunk_retry: } /* map back streams to v,a */ - if (s->streams[0]) + if (s->nb_streams > 0) st[s->streams[0]->id] = s->streams[0]; - if (s->streams[1]) + if (s->nb_streams > 1) st[s->streams[1]->id] = s->streams[1]; - if (vsize/* && st[NSV_ST_VIDEO]*/) { + if (vsize && st[NSV_ST_VIDEO]) { nst = st[NSV_ST_VIDEO]->priv_data; pkt = &nsv->ahead[NSV_ST_VIDEO]; av_get_packet(pb, pkt, vsize); @@ -629,7 +629,7 @@ null_chunk_retry: if(st[NSV_ST_VIDEO]) ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++; - if (asize/*st[NSV_ST_AUDIO]*/) { + if (asize && st[NSV_ST_AUDIO]) { nst = st[NSV_ST_AUDIO]->priv_data; pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ From 87007519c81c37d8a3de424de3db14078ae84333 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:21:46 -0800 Subject: [PATCH 02/32] nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a) Signed-off-by: Reinhard Tartler (cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09) Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 3a14cfa22c..beeb73911f 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -319,7 +319,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) char *token, *value; char quote; - p = strings = av_mallocz(strings_size + 1); + p = strings = av_mallocz((size_t)strings_size + 1); + if (!p) + return AVERROR(ENOMEM); endp = strings + strings_size; get_buffer(pb, strings, strings_size); while (p < endp) { @@ -354,6 +356,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t)) return -1; nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t)); + if (!nsv->nsvs_file_offset) + return AVERROR(ENOMEM); for(i=0;insvs_file_offset[i] = get_le32(pb) + size; @@ -361,6 +365,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if(table_entries > table_entries_used && get_le32(pb) == MKTAG('T','O','C','2')) { nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t)); + if (!nsv->nsvs_timestamps) + return AVERROR(ENOMEM); for(i=0;insvs_timestamps[i] = get_le32(pb); } From 3253dd2b420583a7f10afa87e47b9cb73e950e2a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:23:09 -0800 Subject: [PATCH 03/32] nsvdec: Propagate errors Related to CVE-2011-3940. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5) Conflicts: libavformat/nsvdec.c Signed-off-by: Reinhard Tartler (cherry picked from commit 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888) Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index beeb73911f..169e95e321 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -536,11 +536,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap) for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { if (nsv_resync(s) < 0) return -1; - if (nsv->state == NSV_FOUND_NSVF) + if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s, ap); + if (err < 0) + return err; + } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s, ap); + if (err < 0) + return err; break; /* we just want the first one */ } } From 38421f27b3899a930552750fe1e0dffd45b71b8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 17:48:23 +0100 Subject: [PATCH 04/32] dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik Signed-off-by: Michael Niedermayer Signed-off-by: Alex Converse (cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b) Signed-off-by: Reinhard Tartler (cherry picked from commit bb737d381f6d6413899a0697f426fb082eac66fc) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/dv.c b/libavformat/dv.c index b6f9c6ae54..1ad224e9e1 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -202,6 +202,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ + if (stype > 3) { + av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); + c->ach = 0; + return 0; + } + /* note: ach counts PAIRS of channels (i.e. stereo channels) */ ach = ((int[4]){ 1, 0, 2, 4})[stype]; if (ach == 1 && quant && freq == 2) From b46141b0d1d7efb74dad172b7c1b52413441592f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 17:51:40 +0100 Subject: [PATCH 05/32] dv: Fix null pointer dereference due to ach=0 dv: Fix null pointer dereference due to ach=0 Fixes part2 of CVE-2011-3929 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik Signed-off-by: Michael Niedermayer Signed-off-by: Alex Converse (cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04) Signed-off-by: Reinhard Tartler (cherry picked from commit 44e182d41e3a73548f3f5e8445ec428d3846e6d6) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 1ad224e9e1..92b93f7501 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -341,7 +341,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate; ppcm[i] = c->audio_buf[i]; } - dv_extract_audio(buf, ppcm, c->sys); + if (c->ach) + dv_extract_audio(buf, ppcm, c->sys); /* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ From a8f4db0acd9b588ba33e3b8c0c21feea5916cfd1 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 15:08:26 -0800 Subject: [PATCH 06/32] dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse (cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366) Signed-off-by: Reinhard Tartler (cherry picked from commit 00fa6ffe1a0b252d6a81815e51f125225cd0b97a) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 92b93f7501..d65d4fffbd 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -125,10 +125,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], /* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0; - pcm = ppcm[ipcm++]; /* for each DIF channel */ for (chan = 0; chan < sys->n_difchan; chan++) { + /* next stereo channel (50Mbps and 100Mbps only) */ + pcm = ppcm[ipcm++]; + if (!pcm) + break; + /* for each DIF segment */ for (i = 0; i < sys->difseg_size; i++) { frame += 6 * 80; /* skip DIF segment header */ @@ -176,11 +180,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */ } } - - /* next stereo channel (50Mbps and 100Mbps only) */ - pcm = ppcm[ipcm++]; - if (!pcm) - break; } return size; From 224025d852dcc42f752c0922fef7121808d1e42f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 03:18:58 +0100 Subject: [PATCH 07/32] atrac3: Fix crash in tonal component decoding. Add a check to avoid writing past the end of the channel_unit.components[] array. Bug Found by: cosminamironesei Fixes CVE-2012-0853 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5) Signed-off-by: Reinhard Tartler (cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be) Signed-off-by: Reinhard Tartler (cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161) Signed-off-by: Reinhard Tartler --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 5179c345cf..8452853d7b 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -393,6 +393,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent for (k=0; k= 64) + return AVERROR_INVALIDDATA; pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); max_coded_values = 1024 - pComponent[component_count].pos; coded_values = coded_values_per_component + 1; From 6ca010f20965ef71d97a53e871edae2eb9c05a5f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 13:39:24 -0800 Subject: [PATCH 08/32] mjpegbdec: Fix overflow in SOS. Based in part by a fix from Michael Niedermayer Fixes CVE-2011-3947 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5) Signed-off-by: Reinhard Tartler (cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b) Signed-off-by: Reinhard Tartler (cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegbdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index b418f5734c..324806e5e2 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -59,6 +59,9 @@ read_header: s->restart_count = 0; s->mjpb_skiptosod = 0; + if (buf_end - buf_ptr >= 1 << 28) + return AVERROR_INVALIDDATA; + init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8); skip_bits(&hgb, 32); /* reserved zeros */ @@ -109,8 +112,8 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs); if (sos_offs) { -// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8); - init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8); + init_get_bits(&s->gb, buf_ptr + sos_offs, + 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; ff_mjpeg_decode_sos(s); From 1156f07c6a82af5bd692847d2e66478a28ab1ee2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jan 2012 23:23:35 +0100 Subject: [PATCH 09/32] kgv1dec: Increase offsets array size so it is large enough. Fixes CVE-2011-3945 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6) Signed-off-by: Alex Converse (cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b) (cherry picked from commit d5f2382d0389ed47a566ea536887af908bf9b14f) Signed-off-by: Reinhard Tartler (cherry picked from commit a0b65938b7cf37680a4ce0667444a217a151c551) Signed-off-by: Reinhard Tartler --- libavcodec/kgv1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 5af6b3b2bb..494aa11b0b 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -38,7 +38,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac const uint8_t *buf = avpkt->data; const uint8_t *buf_end = buf + avpkt->size; KgvContext * const c = avctx->priv_data; - int offsets[7]; + int offsets[8]; uint16_t *out, *prev; int outcnt = 0, maxcnt; int w, h, i; @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac return -1; c->prev = prev; - for (i = 0; i < 7; i++) + for (i = 0; i < 8; i++) offsets[i] = -1; while (outcnt < maxcnt && buf_end - 2 > buf) { From 5933af562ea78b4be5d0cb0b7b7dcedd5aba6d7e Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 7 Oct 2011 18:08:55 +0200 Subject: [PATCH 10/32] motionpixels: decode only the 111 complete frames for fate Signed-off-by: Janne Grunau (cherry picked from commit c2f2dfb3dd20e036b8b08c0fd1486a3044e8f02a) Signed-off-by: Anton Khirnov (cherry picked from commit 90d7146511db0e2dd2d2b1baf2ceb7177b30dd8d) Conflicts: tests/fate.mak tests/ref/fate/motionpixels Signed-off-by: Reinhard Tartler --- tests/fate.mak | 2 +- tests/ref/fate/motionpixels | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/fate.mak b/tests/fate.mak index 933dec6348..c44de42eb2 100644 --- a/tests/fate.mak +++ b/tests/fate.mak @@ -503,7 +503,7 @@ fate-maxis-xa: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/maxis-xa/SC2KBUG.XA FATE_TESTS += fate-mimic fate-mimic: CMD = $$BUILD_PATH/ffmpeg -idct simple -i $$SAMPLES_PATH/mimic/mimic2-womanloveffmpeg.cam -vsync 0 -f framecrc - FATE_TESTS += fate-motionpixels -fate-motionpixels: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -f framecrc - +fate-motionpixels: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -vframes 111 -f framecrc - FATE_TESTS += fate-mpc7-demux fate-mpc7-demux: CMD = $$BUILD_PATH/ffmpeg -i $$SAMPLES_PATH/musepack/inside-mp7.mpc -acodec copy -f crc - FATE_TESTS += fate-mpc8-demux diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index e588ed3e18..fa86f7379f 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels @@ -109,4 +109,3 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x538a3db8 From e9c9707316582f5d5c4ddd46f9b5c43ca205ca87 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 2 May 2012 12:08:03 -0700 Subject: [PATCH 11/32] motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e) Signed-off-by: Reinhard Tartler (cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e) Signed-off-by: Reinhard Tartler (cherry picked from commit 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce) Signed-off-by: Reinhard Tartler --- libavcodec/motionpixels.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 9bc5e2035d..91f28cfe62 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -188,10 +188,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y) p = mp_get_yuv_from_rgb(mp, x - 1, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((x & 3) == 0) { if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p; } else { p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v; @@ -215,9 +218,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) p = mp_get_yuv_from_rgb(mp, 0, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); } mp->vpt[y] = p; mp_set_rgb_from_yuv(mp, 0, y, &p); From bf0ec375ef7df1d154f07a820de90f6393d22363 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 4 May 2012 10:27:03 -0700 Subject: [PATCH 12/32] celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b) Signed-off-by: Reinhard Tartler (cherry picked from commit 9ea94c44b1b414ab3bc6e9220ebb77621423ca38) Signed-off-by: Reinhard Tartler (cherry picked from commit 08c81f7365af96c1655767e68d6ec85bea50600c) Signed-off-by: Reinhard Tartler --- libavcodec/celp_filters.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index 26a62eed14..0f8e071735 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, out2 -= val * old_out2; out3 -= val * old_out3; - old_out3 = out[-5]; - for (i = 5; i <= filter_length; i += 2) { + old_out3 = out[-i]; val = filter_coeffs[i-1]; out0 -= val * old_out3; @@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, FFSWAP(float, old_out0, old_out2); old_out1 = old_out3; - old_out3 = out[-i-2]; } tmp0 = out0; From e02249b13055c978379f34367840553faa902d1c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 23 Apr 2012 13:16:33 +0100 Subject: [PATCH 13/32] vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler (cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26) Signed-off-by: Reinhard Tartler (cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index a1698394ef..12f4dbcaca 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -162,6 +162,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); From 212217504afc45ac96d5a070e8bda3604bcda092 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 17 Feb 2012 14:13:40 -0800 Subject: [PATCH 14/32] dpcm: ignore extra unpaired bytes in stereo streams. Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e) (cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4) Conflicts: libavcodec/dpcm.c Signed-off-by: Reinhard Tartler (cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9) Signed-off-by: Reinhard Tartler --- libavcodec/dpcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 7c5351686e..8cc8fb56a2 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, int in, out = 0; int predictor[2]; int channel_number = 0; + int stereo = s->channels - 1; short *output_samples = data; int shift[2]; unsigned char byte; @@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx, if (!buf_size) return 0; + if (stereo && (buf_size & 1)) + buf_size--; + // almost every DPCM variant expands one byte of data into two if(*data_size/2 < buf_size) return -1; @@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, } *data_size = out * sizeof(short); - return buf_size; + return avpkt->size; } #define DPCM_DECODER(id, name, long_name_) \ From 32b73701c72153980cbd09743bf3011a08e6af90 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 10 Jan 2012 13:07:09 -0800 Subject: [PATCH 15/32] aacsbr: prevent out of bounds memcpy(). Fixes Libav Bug 195. Fixes CVE-2012-0850 This doesn't make the code handle sample rate or upsample/downsample change properly but this is still a good sanity check. Based on change by Michael Niedermayer. Signed-off-by: Alex Converse (cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18) Signed-off-by: Reinhard Tartler (cherry picked from commit 01804cc91ab231ac79092eee21325d7644357975) Conflicts: libavcodec/aacsbr.c Signed-off-by: Reinhard Tartler --- libavcodec/aacsbr.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index cac34bb085..a8ce7ce9a2 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1182,14 +1182,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, int i, n; const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; int scale_and_bias = scale != 1.0f || bias != 0.0f; + const int step = 128 >> div; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < step) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); - *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); + *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step; } else { - *v_off -= 128 >> div; + *v_off -= step; } v = v0 + *v_off; if (div) { From 7a5fbe40344ae51ce629cc0694a436535beb1233 Mon Sep 17 00:00:00 2001 From: Alexander Strange Date: Sat, 24 Mar 2012 17:32:14 -0400 Subject: [PATCH 16/32] h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler (cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548) Signed-off-by: Reinhard Tartler (cherry picked from commit c5f7c755cfccd7aa01010a2d566104c2b0fa6d86) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 7648e2c7a6..d6728304aa 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -297,8 +297,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->profile_idc >= 100){ //high profile sps->chroma_format_idc= get_ue_golomb_31(&s->gb); - if(sps->chroma_format_idc == 3) + if(sps->chroma_format_idc > 3) { + av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); + return -1; + } else if(sps->chroma_format_idc == 3) { sps->residual_color_transform_flag = get_bits1(&s->gb); + } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; sps->transform_bypass = get_bits1(&s->gb); From 15c819e23ff1820ab6e0ea71291f939e36b2efb3 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Thu, 5 Jan 2012 20:50:55 +0100 Subject: [PATCH 17/32] adpcm: ADPCM Electronic Arts has always two channels Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Adresses CVE-2012-0852 (cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716) Conflicts: libavcodec/adpcm.c Signed-off-by: Reinhard Tartler (cherry picked from commit b581580bd1cc8506befa65b0a5c9ae429240f21f) Signed-off-by: Reinhard Tartler --- libavcodec/adpcm.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 68bd656aa6..2cf2d20f46 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -678,17 +678,23 @@ static int adpcm_encode_frame(AVCodecContext *avctx, static av_cold int adpcm_decode_init(AVCodecContext * avctx) { ADPCMContext *c = avctx->priv_data; + unsigned int min_channels = 1; unsigned int max_channels = 2; switch(avctx->codec->id) { + case CODEC_ID_ADPCM_EA: + min_channels = 2; + break; case CODEC_ID_ADPCM_EA_R1: case CODEC_ID_ADPCM_EA_R2: case CODEC_ID_ADPCM_EA_R3: max_channels = 6; break; } - if(avctx->channels > max_channels){ - return -1; + + if (avctx->channels < min_channels || avctx->channels > max_channels) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR(EINVAL); } switch(avctx->codec->id) { From 40cb7b3b490fbe84c36cb998a818e333a9074df9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A5ns=20Rullg=C3=A5rd?= Date: Sat, 26 Jun 2010 14:34:21 +0000 Subject: [PATCH 18/32] shorten: remove VLA and check for buffer overflow Originally committed as revision 23798 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit 02591641f88097aec2a573f0ae384c8b87bcfe3b) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7e17f18e17..934da8e8b6 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -83,6 +83,7 @@ typedef struct ShortenContext { int32_t *decoded[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; + int *coeffs; uint8_t *bitstream; int bitstream_size; int bitstream_index; @@ -112,6 +113,8 @@ static av_cold int shorten_decode_init(AVCodecContext * avctx) static int allocate_buffers(ShortenContext *s) { int i, chan; + int *coeffs; + for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); @@ -129,6 +132,12 @@ static int allocate_buffers(ShortenContext *s) s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; } + + coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); + if (!coeffs) + return AVERROR(ENOMEM); + s->coeffs = coeffs; + return 0; } @@ -253,7 +262,7 @@ static int16_t * interleave_buffer(int16_t *samples, int nchan, int blocksize, i static void decode_subframe_lpc(ShortenContext *s, int channel, int residual_size, int pred_order) { int sum, i, j; - int coeffs[pred_order]; + int *coeffs = s->coeffs; for (i=0; igb, LPCQUANT); @@ -427,6 +436,12 @@ static int shorten_decode_frame(AVCodecContext *avctx, case FN_QLPC: { int pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); + if (pred_order > s->nwrap) { + av_log(avctx, AV_LOG_ERROR, + "invalid pred_order %d\n", + pred_order); + return -1; + } for (i=0; idecoded[channel][i - pred_order] -= coffset; decode_subframe_lpc(s, channel, residual_size, pred_order); @@ -515,6 +530,7 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) av_freep(&s->offset[i]); } av_freep(&s->bitstream); + av_freep(&s->coeffs); return 0; } From 8f924ee66ff38e8758e404bac9d7cbd4c5676df8 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:48:12 +0000 Subject: [PATCH 19/32] shorten: Prevent block size from increasing Signed-off-by: Janne Grunau (cherry picked from commit 95010d18b2d808db9a49377e41bc2f7cf4dfa03e) Signed-off-by: Anton Khirnov (cherry picked from commit 22949c42edf5352c5fa8c43870efe20698432b35) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 934da8e8b6..833a817561 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -486,9 +486,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, case FN_BITSHIFT: s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; - case FN_BLOCKSIZE: - s->blocksize = get_uint(s, av_log2(s->blocksize)); + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; + } + s->blocksize = blocksize; break; + } case FN_QUIT: *data_size = 0; return buf_size; From 58b3f439cc7e900fe269a7b73c58cf57a6e0c0fb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 01:26:22 +0000 Subject: [PATCH 20/32] shorten: Fix out of bound writes in fix_bitshift() The data pointers s->decoded[*] already take into account s->nwrap. Signed-off-by: Janne Grunau (cherry picked from commit 5f05cf4ea9aaafed8edcabe785c2719786103ec1) Signed-off-by: Anton Khirnov (cherry picked from commit 737bea21b6c2c1d4dca0b7b18824c0a3205556d2) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 833a817561..22fdcff403 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -156,7 +156,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) if (s->bitshift != 0) for (i = 0; i < s->blocksize; i++) - buffer[s->nwrap + i] <<= s->bitshift; + buffer[i] <<= s->bitshift; } From 46d9022859d1b991735fab91c88ff8dcb6891f57 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 15 Sep 2011 18:08:52 -0400 Subject: [PATCH 21/32] shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c) Signed-off-by: Reinhard Tartler (cherry picked from commit a207a2fecc6a77735ab0cf209fdba0b4dd942a86) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 22fdcff403..bf2783550f 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -114,6 +114,7 @@ static int allocate_buffers(ShortenContext *s) { int i, chan; int *coeffs; + void *tmp_ptr; for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ @@ -125,9 +126,15 @@ static int allocate_buffers(ShortenContext *s) return -1; } - s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->offset[chan] = tmp_ptr; - s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->decoded[chan] = tmp_ptr; for (i=0; inwrap; i++) s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; @@ -286,8 +293,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, int i, input_buf_size = 0; int16_t *samples = data; if(s->max_framesize == 0){ + void *tmp_ptr; s->max_framesize= 1024; // should hopefully be enough for the first header - s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); + tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, + s->max_framesize); + if (!tmp_ptr) { + av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); + return AVERROR(ENOMEM); + } + s->bitstream = tmp_ptr; } if(1 && s->max_framesize){//FIXME truncated From cfad9930ff1e53452fc9664be62c975943acf353 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 12:28:50 +0100 Subject: [PATCH 22/32] shorten: Use separate pointers for the allocated memory for decoded samples. Fixes invalid free() if any of the buffers are not allocated due to either not decoding a header or an error prior to allocating all buffers. Fixes CVE-2012-0858 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98) Signed-off-by: Reinhard Tartler (cherry picked from commit 6fc3287b9ccece290c5881b92948772bbf72e68c) Signed-off-by: Reinhard Tartler (cherry picked from commit 96ed18cab1048f03ff1c825f46b25d49218f1da4) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index bf2783550f..49708ef54c 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -82,6 +82,7 @@ typedef struct ShortenContext { int channels; int32_t *decoded[MAX_CHANNELS]; + int32_t *decoded_base[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; int *coeffs; uint8_t *bitstream; @@ -131,13 +132,14 @@ static int allocate_buffers(ShortenContext *s) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; - tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) * + sizeof(s->decoded_base[0][0])); if (!tmp_ptr) return AVERROR(ENOMEM); - s->decoded[chan] = tmp_ptr; + s->decoded_base[chan] = tmp_ptr; for (i=0; inwrap; i++) - s->decoded[chan][i] = 0; - s->decoded[chan] += s->nwrap; + s->decoded_base[chan][i] = 0; + s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); @@ -545,8 +547,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) int i; for (i = 0; i < s->channels; i++) { - s->decoded[i] -= s->nwrap; - av_freep(&s->decoded[i]); + s->decoded[i] = NULL; + av_freep(&s->decoded_base[i]); av_freep(&s->offset[i]); } av_freep(&s->bitstream); From 07bff951764c129d39ab2e06a644b13d1f0d6e48 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:30:49 +0100 Subject: [PATCH 23/32] kmvc: Check palsize. Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer (cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b) (cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c) Signed-off-by: Reinhard Tartler --- libavcodec/kmvc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 3e8dccd363..c8de28b3e5 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -33,6 +33,7 @@ #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 #define KMVC_METHOD 0x0F +#define MAX_PALSIZE 256 /* * Decoder context @@ -43,7 +44,7 @@ typedef struct KmvcContext { int setpal; int palsize; - uint32_t pal[256]; + uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; uint8_t *frm0, *frm1; } KmvcContext; @@ -365,6 +366,10 @@ static av_cold int decode_init(AVCodecContext * avctx) c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); + if (c->palsize >= MAX_PALSIZE) { + av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); + return AVERROR_INVALIDDATA; + } } if (avctx->extradata_size == 1036) { // palette in extradata From 4bccd5a36bb14d9befecdc10cd8c4c4a5d3d24fe Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 16:12:46 +0000 Subject: [PATCH 24/32] qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles (cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69) Signed-off-by: Derek Buitenhuis Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 839e3fe1bf..946f7d29f7 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -883,9 +883,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l break; case 30: - if (BITS_LEFT(length,gb) >= 4) - samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)]; - else + if (BITS_LEFT(length,gb) >= 4) { + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1); + if (index < FF_ARRAY_ELEMS(type30_dequant)) { + samples[0] = type30_dequant[index]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); + } else samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); run = 1; @@ -899,8 +903,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_predictor = samples[0]; type34_first = 0; } else { - samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor; - type34_predictor = samples[0]; + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); + if (index < FF_ARRAY_ELEMS(type34_delta)) { + samples[0] = type34_delta[index] / type34_div + type34_predictor; + type34_predictor = samples[0]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); } } else { samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); From 68d2c6e872d2d063ff0642399524e6e804039f9c Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Sat, 10 Jul 2010 04:08:02 +0000 Subject: [PATCH 25/32] configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code. Originally committed as revision 24156 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit 0a4307d6307516d333ce2cde2a2ffa0f50bc176c) Signed-off-by: Derek Buitenhuis --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index b3e2fe1489..1474ddbdc0 100755 --- a/configure +++ b/configure @@ -2230,7 +2230,7 @@ case $target_os in dlltool="${cross_prefix}dlltool" enable dos_paths check_cflags -fno-common - if ! enabled x86_64; then + if ! check_cpp_condition _mingw.h "defined (__MINGW64_VERSION_MAJOR)"; then check_cpp_condition _mingw.h "(__MINGW32_MAJOR_VERSION > 3) || (__MINGW32_MAJOR_VERSION == 3 && __MINGW32_MINOR_VERSION >= 15)" || die "ERROR: MinGW runtime version must be >= 3.15." enabled_any avisynth vfwcap_indev && From 732dbc0f030c751e297cb648863ab0d5598a9e54 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Sun, 11 Jul 2010 22:17:17 +0000 Subject: [PATCH 26/32] mingw32: properly check if vfw capture is supported by the system headers Remove check for an specific w32api version, checking instead if vfw.h supports vfw capture. The defines in w32api 3.12 were wrong, so this must be accounted for in the check. Originally committed as revision 24203 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit ec1ee802a2e1cb3317bd44851cc28f95b5916051) Signed-off-by: Derek Buitenhuis Conflicts: configure --- configure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/configure b/configure index 1474ddbdc0..4d0705b40e 100755 --- a/configure +++ b/configure @@ -1412,7 +1412,7 @@ oss_indev_deps_any="soundcard_h sys_soundcard_h" oss_outdev_deps_any="soundcard_h sys_soundcard_h" v4l_indev_deps="linux_videodev_h" v4l2_indev_deps_any="linux_videodev2_h sys_videoio_h" -vfwcap_indev_deps="capCreateCaptureWindow" +vfwcap_indev_deps="capCreateCaptureWindow vfwcap_defines" vfwcap_indev_extralibs="-lavicap32" x11_grab_device_indev_deps="x11grab XShmCreateImage" x11_grab_device_indev_extralibs="-lX11 -lXext -lXfixes" @@ -2233,9 +2233,6 @@ case $target_os in if ! check_cpp_condition _mingw.h "defined (__MINGW64_VERSION_MAJOR)"; then check_cpp_condition _mingw.h "(__MINGW32_MAJOR_VERSION > 3) || (__MINGW32_MAJOR_VERSION == 3 && __MINGW32_MINOR_VERSION >= 15)" || die "ERROR: MinGW runtime version must be >= 3.15." - enabled_any avisynth vfwcap_indev && - { check_cpp_condition w32api.h "(__W32API_MAJOR_VERSION > 3) || (__W32API_MAJOR_VERSION == 3 && __W32API_MINOR_VERSION >= 13)" || - die "ERROR: avisynth and vfwcap_indev require w32api version 3.13 or later."; } fi ;; cygwin*) @@ -2689,6 +2686,9 @@ check_header linux/videodev2.h check_header sys/videoio.h check_func_headers "windows.h vfw.h" capCreateCaptureWindow "$vfwcap_indev_extralibs" +# check that WM_CAP_DRIVER_CONNECT is defined to the proper value +# w32api 3.12 had it defined wrong +check_cpp_condition vfw.h "WM_CAP_DRIVER_CONNECT > WM_USER" && enable vfwcap_defines # check for ioctl_meteor.h, ioctl_bt848.h and alternatives { check_header dev/bktr/ioctl_meteor.h && From 77630b68e584b3493ae5691dad8f5346fa3fea15 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Sun, 11 Jul 2010 22:31:41 +0000 Subject: [PATCH 27/32] mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one Originally committed as revision 24204 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit e26011d0f495de1148b8014995cbe923611b6b76) Signed-off-by: Derek Buitenhuis --- configure | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 4d0705b40e..0e72cb9359 100755 --- a/configure +++ b/configure @@ -2230,10 +2230,9 @@ case $target_os in dlltool="${cross_prefix}dlltool" enable dos_paths check_cflags -fno-common - if ! check_cpp_condition _mingw.h "defined (__MINGW64_VERSION_MAJOR)"; then - check_cpp_condition _mingw.h "(__MINGW32_MAJOR_VERSION > 3) || (__MINGW32_MAJOR_VERSION == 3 && __MINGW32_MINOR_VERSION >= 15)" || + check_cpp_condition _mingw.h "defined (__MINGW64_VERSION_MAJOR) || (__MINGW32_MAJOR_VERSION > 3) \ + || (__MINGW32_MAJOR_VERSION == 3 && __MINGW32_MINOR_VERSION >= 15)" || die "ERROR: MinGW runtime version must be >= 3.15." - fi ;; cygwin*) target_os=cygwin From 97ed486fffc817317561a91bc6ecd71a8eb493c6 Mon Sep 17 00:00:00 2001 From: Kyle Date: Sat, 19 Feb 2011 00:42:11 +0000 Subject: [PATCH 28/32] dxva2: define required feature selection macros Signed-off-by: Mans Rullgard (cherry picked from commit 04973f8082c5a822112d2e42d535b7f3f59dccc0) Signed-off-by: Derek Buitenhuis --- libavcodec/dxva2_internal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dxva2_internal.h b/libavcodec/dxva2_internal.h index a9be7a07e7..23d4d87522 100644 --- a/libavcodec/dxva2_internal.h +++ b/libavcodec/dxva2_internal.h @@ -23,6 +23,8 @@ #ifndef AVCODEC_DXVA_INTERNAL_H #define AVCODEC_DXVA_INTERNAL_H +#define _WIN32_WINNT 0x0600 +#define COBJMACROS #include "dxva2.h" #include "avcodec.h" #include "mpegvideo.h" From e17b1536a1d019d62ffa627948a36881a5b7ce1e Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 10:58:55 -0700 Subject: [PATCH 29/32] png: check bit depth for PAL8/Y400A pixel formats. Wrong bit depth can lead to invalid rowsize values, which crashes the decoder further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7) Signed-off-by: Reinhard Tartler (cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5) Signed-off-by: Reinhard Tartler (cherry picked from commit 33f93005f1a86c108302b4c5978aa1a3d8e092cc) Signed-off-by: Reinhard Tartler --- libavcodec/pngdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 03859a9913..24b0fd4cc7 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -487,9 +487,11 @@ static int decode_frame(AVCodecContext *avctx, } else if (s->bit_depth == 1 && s->color_type == PNG_COLOR_TYPE_GRAY) { avctx->pix_fmt = PIX_FMT_MONOBLACK; - } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = PIX_FMT_PAL8; - } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { avctx->pix_fmt = PIX_FMT_Y400A; } else { goto fail; From 679de9b5aa511dfcbb223b4a0a42382f95c104e8 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 4 May 2012 16:06:26 -0700 Subject: [PATCH 30/32] ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c) Signed-off-by: Reinhard Tartler (cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5) Signed-off-by: Reinhard Tartler (cherry picked from commit e74bc64dd376c4691a610ba62a66ed30affc97ec) Conflicts: libavformat/electronicarts.c --- libavformat/electronicarts.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 86d7f91e66..5f485290c8 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -457,12 +457,17 @@ static int ea_read_packet(AVFormatContext *s, while (!packet_read) { chunk_type = get_le32(pb); - chunk_size = (ea->big_endian ? get_be32(pb) : get_le32(pb)) - 8; + chunk_size = ea->big_endian ? get_be32(pb) : get_le32(pb); + if (chunk_size <= 8) + return AVERROR_INVALIDDATA; + chunk_size -= 8; switch (chunk_type) { /* audio data */ case ISNh_TAG: /* header chunk also contains data; skip over the header portion*/ + if (chunk_size < 32) + return AVERROR_INVALIDDATA; url_fskip(pb, 32); chunk_size -= 32; case ISNd_TAG: From 83fa442b716189d61a19b17aef2adc3777e1fbf2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Dec 2011 04:13:37 +0100 Subject: [PATCH 31/32] tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer Signed-off-by: Reinhard Tartler (cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f) (cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c) Signed-off-by: Reinhard Tartler (cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35) Signed-off-by: Reinhard Tartler (cherry picked from commit 2f2fd8c6d1c51a6b817e6c0bc4eff308b8f9cd18) Signed-off-by: Reinhard Tartler --- libavcodec/eatqi.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 7f1901d309..53f21a2c84 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx) return 0; } -static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) +static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) { int n; s->dsp.clear_blocks(block[0]); for (n=0; n<6; n++) - ff_mpeg1_decode_block_intra(s, block[n], n); + if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0) + return -1; + + return 0; } static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64]) @@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx, for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++) for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++) { - tqi_decode_mb(s, t->block); + if (tqi_decode_mb(s, t->block) < 0) + break; tqi_idct_put(t, t->block); } From 4451f9ae169534999c64b77cccc5cf2976832660 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jun 2012 22:42:54 +0200 Subject: [PATCH 32/32] Bump version number for 0.6.6 release. --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index ef5e445445..05e8a4593f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.6.5 +0.6.6