Fixes out of array access
Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 43492ff3ab)
Conflicts:
libavcodec/jpeg2000dec.c
Fixes out of array read
Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c719cd6cf7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b6fac11da)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d24888ef19)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Avoids inheritance of file handles on Windows systems similar to the
O_CLOEXEC/FD_CLOEXEC flag on Linux.
Fixes file lock issues in Windows applications when a child process
is started with handle inheritance enabled (standard input/output
redirection) while a FFmpeg transcoding is running in the parent
process.
Links relevant to the subject:
https://msdn.microsoft.com/en-us/library/w7sa2b22.aspx
Describes the _wsopen() function and the O_NOINHERIT flag. File handles
opened by _wsopen() are inheritable by default.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx
Describes handle inheritance when creating new processes. Handle
inheritance must be enabled (bInheritHandles = TRUE) e.g. when you want
to pass handles for stdin/stdout via lpStartupInfo.
Signed-off-by: Tobias Rapp <t.rapp@noa-audio.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4746653466)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This ensures that they are always set to valid values
Fixes Ticket4939
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a878dfa4f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes Ticket4931
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c2d4e8700)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This fixes access to Grandstream cameras, which return 401 to ffmpeg
otherwise.
VLC sends Authorization: header with spaces between parameters, and it
is known to work with Grandstream devices and broad range of other HTTP
and RTSP servers, so author considers switching to such behaviour safe.
Just for record - RFC 2617 (HTTP Auth) does not specify the need in
spaces, so this is not a bug of FFmpeg.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fdb3283872)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: invalid_read.nut
Found-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d221d9e06)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes hang.nut
Found-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2955b6c5a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Not requiring this can end up producing hilariously broken files
together with -c:s copy (e.g. a webvtt file containing binary subtitle data).
Signed-off-by: Simon Thelen <ffmpeg-dev@c-14.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b84232694e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 055e56e9f7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fb04666995)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes CID1322351
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71ec8e1ed6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: CID1322313
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a51d4246d8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: CID1322319
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f1593e4ca5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes CID1322333
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 32f53958b8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This macro avoids the undefined corner case with the *_MIN values
Previous version Reviewed-by: Ganesh Ajjanagadde <gajjanag@mit.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d6cd614dac)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 733511fb53)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes out of array access
Fixes: 87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63fb5a6aef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6701c92fa4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Actually time_base should not be 0/0, but the proper fix is part of
commit 7ea1b34, which can't be backported, as it changes API.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise the h263p decoder can try to copy overread bytes, even though
buffer is NULL.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6a69a175e7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If it is negative, it causes segmentation faults in decode_rle.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f621749d11)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db374790c7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes crash
Fixes Ticket4969 part 1
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 07225fa74f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189420cb56)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
flcoeffs2[pos] should be the log2 of flcoeffs1[pos].
flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf,
causing problems further down.
This seems to have been copied from imc_decode_level_coefficients in
commit 4eb4bb3 without updating the position.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 75fd5ce4c1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
It asserts that the frame linesize is larger than 37, but it can be
smaller and decoding such frames works.
Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the
blocks were interleaved in the tmp buffer and the last block was added
with an offset of 6*MB_SIZE.
It was changed for src_stride <= 7*MB_SIZE to write the blocks
sequentially, hence the larger tmp_step.
After that the assert was only necessary to make sure that the buffer
remained large enough.
Since commit bd2b6b33 s->scratchbuf is used as tmp buffer.
As part of commit 86e107a7 the minimal scratchbuf size was increased to
256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE.
Also add a comment explaining the tmp_step calculation.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3526a120f9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
More than 32 bits can't be stored in an integer and get_bits should not
be used with more than 25 bits.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d0eff8857c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9a345802ed)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
get_bits should not be used for more than 25 bits.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9883a669c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise sm_size can be larger than size, which results in a negative
packet size.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6b9fdf7f4f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Michael Niedermayer
Tobias Rapp
Andrey Utkin
Simon Thelen
Ganesh Ajjanagadde
Andrey Utkin
Andreas Cadhalpun
Kieran Kunhya