The decode function assumes that the video will have those dimensions.
Fixes CVE-2012-2801
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Gray8 is not considered to be paletted, so this would cause an invalid
write.
Fixes bug 367.
CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e24942)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b6c5848a1f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a4e277312c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.
This fixes crashes in error resilience on vc1/wmv3 videos.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 899d95efe1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c82ae85a8a)
Conflicts:
libavcodec/mpegvideo_common.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8812b5f164)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd7426ed89)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f31170d4e7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 459feb7cce)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c
Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 21411 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 420755dd28)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Originally committed as revision 24204 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit e26011d0f4)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Remove check for an specific w32api version, checking instead if vfw.h
supports vfw capture. The defines in w32api 3.12 were wrong, so this must be
accounted for in the check.
Originally committed as revision 24203 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec1ee802a2)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
configure
Originally committed as revision 21410 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit a1b3c5a377)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
configure
Originally committed as revision 24156 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a4307d630)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e7392dc349)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c90da45d5a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ca010f209)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 224025d852)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c8)
Conflicts:
libavformat/nsvdec.c
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8370e426e4)
Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892
Removed the parts that are related to multi-threading, which is not
included before 0.7.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554)
Conflicts:
libavcodec/vp3.c
(cherry picked from commit c9c7db0af2)
Conflicts:
libavcodec/vp3.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Michael Niedermayer
Mina Nagy Zaki
Anton Khirnov
Reinhard Tartler
Janne Grunau
Kostya Shishkov
Derek Buitenhuis
Reimar Döffinger
Ronald S. Bultje
kemuri
Ramiro Polla
Alex Converse
Alexander Strange
Mans Rullgard
Chris Evans
Laurent Aimar