FFmpeg

Commit Graph

Author	SHA1	Message	Date
Ronald S. Bultje	b594732475	dca: don't use av_clip_uintp2(). The argument is not a literal, thus causing the ARM v6 or later builds to break. Signed-off-by: Janne Grunau <janne-libav@jannau.net>	14 years ago
Michael Niedermayer	ce15406e78	snow: check reference frame indices. Fixes NULL ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `1f8ff2b13c`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	c9e95636a8	snow: reject unsupported chroma shifts. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `c9837954e7`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	6e5c07f4c8	xa_adpcm: limit filter to prevent xa_adpcm_table[] array bounds overruns. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `86020073db`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	c999a8ed65	h264: increase reference poc list from 16 to 32. Interlaced images can have 32 references (16 per field), so limiting the array size to 16 leads to invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `48cbe4b092`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	4d343a6f47	h264: stricter reference limit enforcement. Progressive images can have only 16 references, error out if there are more, since the data is almost certainly corrupt, and the invalid value will lead to random crashes or invalid writes later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `e0febda22d`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	a81a6d9c80	h264: improve parsing of broken AVC SPS Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams with broken escaping. Since the size of the NAL unit is known and checked against the buffer end we can parse it entirely without buffer overreads. Fixes playback of http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4 Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit `3aa661ec56`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	48f0eeb2e5	Replace computations of remaining bits with calls to get_bits_left(). (cherry picked from commit `3574a85ce5`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	d26e47bf6c	png: convert to bytestream2 API. Protects against overreads in the input buffer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `4c25269ced`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	568a474a08	roqvideo: convert to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `cdf1577162`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	9a66cdbc16	smc: port to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `8febcb9fc1`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	ddb1149e25	tgq: convert to bytestream2 API. This protects against input buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `1255eed533`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	f6778f58d4	algmm: convert to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `a55d5bdc6e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Paul B Mahol	e4e4d92641	jvdec: unbreak video decoding The safe bitstream reader broke it since the buffer size was specified in bytes instead of bits. Signed-off-by: Janne Grunau <janne-libav@jannau.net> CC: libav-stable@libav.org (cherry picked from commit `a1c036e961`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Michael Niedermayer	de0ff4ce69	h264: Fix invalid interlaced/progressive MB combinations for direct mode prediction. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `758ec11153`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Anton Khirnov	6548cb2578	libx264: add 'stats' private option for setting 2pass stats filename. x264 always opens the file itself with fopen, so we cannot use the standard lavc stats mechanism. CC: libav-stable@libav.org (cherry picked from commit `d533e395e1`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Anton Khirnov	f6257cf4b7	libx264: fix help text for slice-max-size option. CC: libav-stable@libav.org (cherry picked from commit `9d5c131ece`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Janne Grunau	d94256d36c	Revert "h264: clear trailing bits in partially parsed NAL units" This reverts commit `729ebb2f18`. There was an off-by-one error in the bit mask calculation clearing actually the last valid bit and causing http://bugzilla.libav.org/show_bug.cgi?id=227 The broken sample (Mr_MrsSmith-h264_aac.mp4) the commit was fixing does not work after correcting the off-by-one error. CC: libav-stable@libav.org (cherry picked from commit `8a6037c390`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	7bb97a61df	mpc: pad mpc_CC/SCF[] tables to allow for negative indices. MPC8 allows indices of mpc_CC up to -1, and mpc_SCF up to -6, thus pad the tables by that much on the left end. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `d7eabd5042`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	c65eadee5d	xxan: protect against chroma LUT overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `f77bfa8376`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	a43f4bd601	xxan: convert to bytestream2 API. Protects against overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `5518827816`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	8f881885c2	xxan: don't read before start of buffer in av_memcpy_backptr(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `f1279e286b`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	26521d87ba	dsicinvideo: validate buffer offset before copying pixels. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `c95fefa042`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	e1a4143793	cook: error out on quant_index values outside [-63, 63] range. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `97e48b2f54`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	b9482a6efd	cook: extend channel uncoupling tables so the full bit range is covered. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `37cc8600d0`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	88c3cc019c	cook: expand dither_tab[], and make sure indexes into it don't overflow. Fixes overflows in accessing dither_tab[]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `442c3a8cb1`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	9980e4df3b	huffyuv: add padding to classic (v1) huffman tables. We slightly overread the input buffer, so we require padding at the end of the buffer, as is documented in the get_bits API. Without padding, we'll read uninitialized data or beyond the end of the .rodata, which may crash. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `4ffe5e2aa5`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	d4f2786cda	avs: fix infinite loop on end-of-stream. The codec would keep returning the last decoded frame if the stream contains B-frames, since it wouldn't clear that frame from the list of frames to be returned to the user. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `83f15a1228`) Conflicts: libavcodec/cavsdec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	2744fdbd9e	tiffdec: Prevent illegal memory access caused by recycled pointers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `fd0be63049`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	1fcc2c6091	wma: fix off-by-one in array bounds check. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `b4bccf3e4e`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	74871ac70a	dv: check buffer size before reading profile. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `e97efecec8`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	9cb7f6e54a	raw: move buffer size check up. This way, it protects against overreads for 4bpp/2bpp content also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `cc5dd632ce`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	ed6aaf579d	dca: prevent accessing static arrays with invalid indexes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `e6ffd997cb`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	e1b4614ab4	lpcm: fix sample size calculation for 20bit LCPM. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `f1320dc3be`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	12247a13e0	Don't use ff_cropTbl[] for IDCT. Results of IDCT can by far outreach the range of ff_cropTbl[], leading to overreads and potentially crashes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `c23acbaed4`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	9def2f200e	error_resilience: initialize s->block_index[]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `6193ff6854`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Ronald S. Bultje	7b676935ee	svq3: protect against negative quantizers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `11b940a1a8`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Justin Ruggles	4a15240a27	mov: set channel layout for AC-3 streams based on the 'dac3' atom info fixes Bug 225 (cherry picked from commit `3798205a77`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Janne Grunau	a47b96bdd3	rv34: handle size changes during frame multithreading Factors all context dynamic memory handling to its own functions. Fixes bug 220. (cherry picked from commit `2bd730010d`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	14 years ago
Alex Converse	48ac765efe	rv10/20: Fix slice overflow with checked bitstream reader. (cherry picked from commit `9243ec4a50`)	14 years ago
Michael Niedermayer	522645e38f	h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `71db86d53b`) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse <alex.converse@gmail.com>	14 years ago
Alex Converse	e891ee4bf6	adpcm: Clip step_index values read from the bitstream at the beginning of each frame. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `bbeb29133b`)	14 years ago
Alex Converse	ef673211e7	tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. TIFF v6.0 (unimplemented) adds signed equivalents. (cherry picked from commit `e32548d133`)	14 years ago
Alex Converse	eaeaeb265f	dpcm: ignore extra unpaired bytes in stereo streams. Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `ce7aee9b73`)	14 years ago
Alex Converse	db315c796d	svq3: Prevent illegal reads while parsing extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `9e1db721c4`)	14 years ago
Michael Niedermayer	e3743869e9	ac3dec: Move center and surround mix level tables to the parser. That way all mix levels as exported by avpriv_ac3_parse_header() will have the same meaning. Previously the 3-bit center mix level for E-AC-3 was used to index in a 4-entry table, leading to out-of-array reads. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `e6d9fa66f1`)	14 years ago
Mans Rullgard	627f4621f5	ac3: Do not read past the end of ff_ac3_band_start_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `034b03e7a0`)	14 years ago
Dale Curtis	feed0c6b6a	mpegaudiodec: Prevent premature clipping of mp3 input buffer. Instead of clipping extrasize based on EXTRABYTES, clip based on the amount of buffer actually left. Without this fix, there are warbles and other distortions in the test case below. http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3 (cherry picked from commit `b716542691`) Signed-off-by: Alex Converse <alex.converse@gmail.com>	14 years ago
Alex Converse	d0e53ecff7	mp3dec: Fix a heap-buffer-overflow In some cases, what is left to read from ptr is smaller than EXTRABYTES. Based on a patch by Thierry Foucu <tfoucu@gmail.com>. Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `f372ce119b`)	14 years ago
Alex Converse	1ca84aa162	mpeg12: Pad framerate tab to 16 entries. There are many places where we read an unchecked 4-bit index into it. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `dfa37fe8a3`)	14 years ago

1 2 3 4 5 ...

15182 Commits (b5947324758ae2a99ebf910ad425fdde69b23935)