Fixes out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2d)
Fixes over reading the header array
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
Bump version number for 0.5.8 release.
Release notes and changelog for 0.5.7
vqavideo: return error if image size is not a multiple of block size
motionpixels: Clip YUV values after applying a gradient.
mjpegbdec: Fix overflow in SOS.
atrac3: Fix crash in tonal component decoding.
dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
dv: Fix null pointer dereference due to ach=0
dv: check stype
nsvdec: Propagate errors
nsvdec: Be more careful with av_malloc().
nsvdec: Fix use of uninitialized streams.
Conflicts:
libavcodec/atrac3.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c90da45d5a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ca010f209)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 224025d852)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c8)
Conflicts:
libavformat/nsvdec.c
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes Ticket780
Bug Found by: cosminamironesei
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
Release notes and changelog for 0.5.7
Bump version number for 0.5.7 release.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8370e426e4)
Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892
Removed the parts that are related to multi-threading, which is not
included before 0.7.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554)
Conflicts:
libavcodec/vp3.c
(cherry picked from commit c9c7db0af2)
Conflicts:
libavcodec/vp3.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.5:
Bump version number for 0.5.6 release.
svq1dec: call avcodec_set_dimensions() after dimensions changed.
vmd: fix segfaults on corruped streams
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
Plug some memory leaks in the VP6 decoder
vp6: Reset the internal state when aborting key frames header parsing
vp6: Fix illegal read.
vp6: Fix illegal read.
Fix out of bound reads in the QDM2 decoder.
Check for out of bound writes in the QDM2 decoder.
qdm2: check output buffer size before decoding
Fix qdm2 decoder packet handling to match the api
Conflicts:
libavcodec/qdm2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Originally committed as revision 22172 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a41faa9a7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It prevents leaving the state only half initialized.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0de)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e28bb18fdc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit b26c1a8b7e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes NGS00144
This also adds a few lines of code from master that are needed for this fix.
Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a6a61a6d1d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer
Reinhard Tartler
Mans Rullgard
Alex Converse
Anton Khirnov
Chris Evans
Ronald S. Bultje
Laurent Aimar
Dustin Brody
Vitor Sessak
Thierry Foucu
Justin Ruggles
Baptiste Coudurier