FFmpeg

Commit Graph

Author	SHA1	Message	Date
Ronald S. Bultje	5ae49ddaa4	xxan: don't read before start of buffer in av_memcpy_backptr(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `f1279e286b`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	311361348d	dsicinvideo: validate buffer offset before copying pixels. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `c95fefa042`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	99536be9d4	huffyuv: add padding to classic (v1) huffman tables. We slightly overread the input buffer, so we require padding at the end of the buffer, as is documented in the get_bits API. Without padding, we'll read uninitialized data or beyond the end of the .rodata, which may crash. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `4ffe5e2aa5`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	bbe316dfb4	tiffdec: Prevent illegal memory access caused by recycled pointers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `fd0be63049`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	b4a223fd19	wma: fix off-by-one in array bounds check. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `b4bccf3e4e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	4924520513	raw: move buffer size check up. This way, it protects against overreads for 4bpp/2bpp content also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `cc5dd632ce`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	f2e412d050	smacker: error out if palette copy-with-offset overruns palette size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `a93b572ae4`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	6dfe865aed	svq3: protect against negative quantizers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `11b940a1a8`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	853ce33dbc	mov: Add more HDV and XDCAM FourCCs. Reference: VLC (cherry picked from commit `b142496c56`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	5015ada0ec	mov: Add support for MPEG2 HDV 720p24 (hdv4) (cherry picked from commit `0ad522afb3`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	4be63587e1	h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `71db86d53b`) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse <alex.converse@gmail.com> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	a642953b0f	tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. TIFF v6.0 (unimplemented) adds signed equivalents. (cherry picked from commit `e32548d133`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	f5ce67d837	svq3: Prevent illegal reads while parsing extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `9e1db721c4`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	b0888b8a48	dv: Fix small overread in audio frequency table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `0ab3687924`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Mans Rullgard	2c199cb253	ac3: Do not read past the end of ff_ac3_band_start_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `034b03e7a0`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	00fa6ffe1a	dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `2d1c0dea5f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	44e182d41e	dv: Fix null pointer dereference due to ach=0 dv: Fix null pointer dereference due to ach=0 Fixes part2 of CVE-2011-3929 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `5a396bb3a6`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	bb737d381f	dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `635bcfccd4`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	0100c4b1b0	nsvdec: Propagate errors Related to CVE-2011-3940. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `c898431ca5`) Conflicts: libavformat/nsvdec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	be524c186b	nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `8fd8a48263`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	65beb8c117	nsvdec: Fix use of uninitialized streams. Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `5c011706bc`) Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `6a89b41d97`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Fabian Greffrath	f375e19f37	Fix format string vulnerability detected by -Wformat-security. Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit `c9dbac36ad`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	54e947273c	h264: fix mmxext chroma deblock to use correct TC values. (cherry picked from commit `b0c4f04338`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	e3e05963c1	cscd: use negative error values to indicate decode_init() failures. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `8a9faf33f2`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	bd37b95383	h264: prevent overreads in intra PCM decoding. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `d1604b3de9`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Justin Ruggles	58133bb010	wmaenc: fix m/s stereo encoding for the first frame We need to set ms_stereo in encode_init() in order to avoid incorrectly encoding the first frame as non-m/s while flagging it as m/s. Fixes an uncomfortable pop in the left channel at the start of playback. CC:libav-stable@libav.org (cherry picked from commit `51ddf35c90`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Justin Ruggles	43e3e7764c	wmaenc: limit allowed sample rate to 48kHz ff_wma_init() allows up to 50kHz, but this generates an exponent band size table that requires 65 bands. The code assumes 25 bands in many places, and using sample rates higher than 48kHz will lead to buffer overwrites. CC:libav-stable@libav.org (cherry picked from commit `1ec075cfec`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Justin Ruggles	74bd46e82a	wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE This is near the theoretical limit for wma frame size and is the most that our decoder can handle. Allowing higher bit rates will just end up padding each frame with empty bytes. Fixes invalid writes for avconv when using very high bit rates. CC:libav-stable@libav.org (cherry picked from commit `c2b8dea182`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Justin Ruggles	c932844882	wmaenc: require a large enough output buffer to prevent overwrites The maximum theoretical frame size is around 17000 bytes. Although in practice it will generally be much smaller, we require a larger buffer just to be safe. CC: libav-stable@libav.org (cherry picked from commit `dfc4fdedf8`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	433aaeb2f1	matroska: check buffer size for RM-style byte reordering. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `9c239f6026`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	88b47010c4	wmadec: Verify bitstream size makes sense before calling init_get_bits. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `48f1e5212c`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	b56b7b9081	rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `2f6528537f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	bd0d32d131	lcl: return negative error codes on decode_init() errors. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `bd17a40a7e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	d680295d0c	huffyuv: do not abort on unknown pix_fmt; instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `63c9de6469`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	ced190c96c	vmnc: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `07a180972f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	e15d137ecf	rpza: error out on buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `78e9852a2e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	87a1169ab8	qtrle: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `e54ae60e46`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	4f64456a14	swscale: fix another integer overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `791de61bbb`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	f28ec73379	vp56: error out on invalid stream dimensions. Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `8bc396fc0e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	a2d5e741a8	asf: don't seek back on EOF. Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `bb6d5411e1`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	18caebca4c	asf: error out on ridiculously large minpktsize values. They cause various issues further down in demuxing. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `6e57a02b9f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	117b8b00cc	vorbis: fix overflows in floor1[] vector and inverse db table index. (cherry picked from commit `24947d4988`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Reinhard Tartler	a02da9ceaf	Fix parser not to clobber has_b_frames when extradata is set. Because in contrast to the decoder, the parser does not setup low_delay. The code in parse_nal_units would always end up setting has_b_frames to "1", except when stream is explicitly marked as low delay. Since the parser itself would create 'extradata', simply reopening the parser would cause this. This happens for instance in estimate_timings_from_pts(), which causes the parser to be reopened on the same stream. This fixes Libav #22 and FFmpeg (trac) #360 CC: libav-stable@libav.org Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de> (commit `31ac0ac29b`) Comments and description adapted by Reinhard Tartler. Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `790a367d9e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	811989e910	rm: prevent infinite loops for index parsing. Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `aac07a7a4c`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	678737c26b	fraps: release reference buffer on pix_fmt change. Prevents crash when trying to copy from a non-existing plane in e.g. a RGB32 reference image to a YUV420P target image Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `830f70442a`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	25784c0409	kgv1: release reference picture on size change. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `6c4c27adb6`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	d10c22d33c	lcl: error out if uncompressed input buffer is smaller than framesize. This prevents crashes when trying to read beyond the end of the buffer while decoding frame data. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `be129271ea`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	b1d9a80863	tiff: Prevent overreads in the type_sizes array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `447363870f`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	cd6c5e16c6	swf: check return values for av_get/new_packet(). Prevents crashers when using the packet if allocation failed. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `31632e73f4`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	18b2f23ef8	truemotion2: error out if the huffman tree has no nodes. This prevents crashers and errors further down when reading nodes in the empty tree. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `2b83e8b700`) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago

1 2 3 4 5 ...

29413 Commits (5ae49ddaa447bb4fba287f92ca508caba399ffbd) All Branches Search

29413 Commits (5ae49ddaa447bb4fba287f92ca508caba399ffbd)

All Branches