The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes over reading the header array
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c8)
Conflicts:
libavformat/nsvdec.c
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 723229c11f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d51c7b4cbe)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4907f81358)
(cherry picked from commit 24e0a9e451)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68)
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8)
NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.
Fixes: CVE-2011-3504
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This improves performance on e.g. seekable http.
backport r24280 by mstorsjo
Originally committed as revision 24428 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
backport r19270 by rbultje:
Remove any reference to ASFContext.packet_size and replace it with
AVFormatContext.packet_size. See "[PATCH] asf*.c/h: use
AVFormatContext->packet_size instead of own copy" thread on ML.
and r19361 by reimar:
Check for packet_length 0, it is already treated as invalid by the padding check,
but that resulted in a confusing/wrong error message.
Originally committed as revision 22147 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.
backported r20014 by reimar
Originally committed as revision 21711 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
if no header was found the parser was not initialized and thus will
crash when trying to use it.
Originally committed as revision 21708 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
Luca Barbato
Dale Curtis
Janne Grunau
Anton Khirnov
Carl Eugen Hoyos
Ronald S. Bultje
Michael Niedermayer
Alex Converse
Chris Evans
Laurent Aimar
Kostya
Janne Grunau
Reinhard Tartler
Baptiste Coudurier
Diego Biurrun
Aurelien Jacobs