* qatar/release/0.5: (21 commits)
vp6: properly fail on unsupported feature
vp56: release frames on error
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure
h264: check context state before decoding slice data partitions
oggdec: check memory allocation
Fix uninitialized reads on malformed ogg files.
lavf: avoid integer overflow in ff_compute_frame_duration()
yuv4mpeg: reject unsupported codecs
tiffenc: Check av_malloc() results.
mpegaudiodec: fix short_start calculation
h264: avoid stuck buffer pointer in decode_nal_units
yuv4mpeg: return proper error codes.
avidec: return 0, not packet size from read_packet().
cavsdec: check for changing w/h.
avidec: use actually read size instead of requested size
bytestream: add a new set of bytestream functions with overread checking
avsdec: Set dimensions instead of relying on the demuxer.
lavfi: avfilter_merge_formats: handle case where inputs are same
bmpdec: only initialize palette for pal8.
...
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.
Fixes: CVE-2012-2783
(cherry picked from commit be75fed975)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4ede95e69c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes, which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value should be always 3, as it follows from the specification.
Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, e.g. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f6)
Conflicts:
libavcodec/h264.c
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a696306)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decode function assumes that the video will have those dimensions.
Fixes CVE-2012-2801
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Gray8 is not considered to be paletted, so this would cause an invalid
write.
Fixes bug 367.
CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes vlc decoding for hypothetical files that would contain such cases.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ff41ffeb4)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 9bc70fe1ae)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f67a0d1152)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95ab8d33e1)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 277def59fc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
lavfi: avfilter_merge_formats: handle case where inputs are same
mpegvideo: Don't use ff_mspel_motion() for vc1
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
nuv: check RTjpeg header for validity
vc1dec: add flush function for WMV9 and VC-1 decoders
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e24942)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b6c5848a1f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a4e277312c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Using ff_mspel_motion assumes that s (a MpegEncContext
pointer) really is a Wmv2Context.
This fixes crashes in error resilience on vc1/wmv3 videos.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 899d95efe1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c82ae85a8a)
Conflicts:
libavcodec/mpegvideo_common.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8812b5f164)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd7426ed89)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f31170d4e7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 459feb7cce)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.5:
Bump version number for 0.5.9 release.
png: check bit depth for PAL8/Y400A pixel formats.
tqi: Pass errors from the MB decoder
eatqi: move "block" variable into context to ensure sufficient alignment for idct_put for compilers/architectures that can not align stack variables that much. This is also consistent with similar code in eatgq.c
ea: check chunk_size for validity.
vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>
mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
mingw32: properly check if vfw capture is supported by the system headers
Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>
configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
adpcm: ADPCM Electronic Arts has always two channels
h264: Add check for invalid chroma_format_idc
dpcm: ignore extra unpaired bytes in stereo streams.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c
Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Originally committed as revision 21411 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 420755dd28)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Originally committed as revision 24204 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit e26011d0f4)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Remove check for a specific w32api version, checking instead if vfw.h
supports vfw capture. The defines in w32api 3.12 were wrong, so this must be
accounted for in the check.
Originally committed as revision 24203 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec1ee802a2)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
configure
Originally committed as revision 21410 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit a1b3c5a377)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
configure
Originally committed as revision 24156 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a4307d630)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>