Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c8)
Conflicts:
libavformat/nsvdec.c
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8370e426e4)
Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892
Removed the parts that are related to multi-threading, which is not
included before 0.7.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554)
Conflicts:
libavcodec/vp3.c
(cherry picked from commit c9c7db0af2)
Conflicts:
libavcodec/vp3.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 22172 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a41faa9a7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It prevents leaving the state only half initialized.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0de)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e28bb18fdc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit b26c1a8b7e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Gcc 4.6 only preserves the first value when using an array with an "m"
constraint.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 770c410fbb)
Conflicts:
libavcodec/x86/fft_sse.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The macro implementation might need the name of the variable being
declared for compiler-specific syntax. Moving array specifiers outside
the macro invocation allows this to work.
Originally committed as revision 21363 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 8a24e98d50)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When built with gcc 4.6, the MMX rgb24 to yuv conversion gives
wrong output. The compiler produces this warning:
libswscale/swscale_template.c:1885:5: warning: use of memory input without lvalue in asm operand 4 is deprecated
Changing the memory operand to a register makes it work.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit f344903ca5)
Conflicts:
libswscale/swscale_template.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68)
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8)
NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.
Fixes: CVE-2011-3504
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This removes all valgrind-reported invalid writes with one
specific test file.
Fixes http://www.ocert.org/advisories/ocert-2011-002.html
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4a71da0f3a)
Fixes CVE-2011-3362, CVE-2011-3973, CVE-2011-3974
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rbultje@google.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
when frame dimensions change in RV3/4.
Originally committed as revision 20595 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit d90aeeaf56)
private in dv.c for some reason). See "[PATCH] get_bits_left()" thread.
Originally committed as revision 20490 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit c47ca25e74)
Fixes issue 2322.
Originally committed as revision 25591 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 3dde66752d)
Addresses: CVE-2010-4704
Michael Niedermayer
Alex Converse
Anton Khirnov
Reinhard Tartler
Chris Evans
Ronald S. Bultje
Laurent Aimar
Dustin Brody
Vitor Sessak
Thierry Foucu
Justin Ruggles
Baptiste Coudurier
Måns Rullgård
Kostya
Diego Biurrun
Reinhard Tartler
Reimar Döffinger
Frank Barchard
Jason Garrett-Glaser
Janne Grunau