ffmpeg.git
6 years ago lavf: avoid integer overflow in ff_compute_frame_duration()
Janne Grunau [Fri, 23 Nov 2012 13:05:36 +0000 (14:05 +0100)]
lavf: avoid integer overflow in ff_compute_frame_duration()

Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.

CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago yuv4mpeg: reject unsupported codecs
Luca Barbato [Fri, 26 Oct 2012 20:55:04 +0000 (22:55 +0200)]
yuv4mpeg: reject unsupported codecs

The muxer already rejects unsupported pixel formats, reject also
unsupported codecs to prevent dangerous misuses.
(cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db)

Conflicts:

libavformat/yuv4mpeg.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago tiffenc: Check av_malloc() results.
Alex Converse [Wed, 19 Sep 2012 18:12:58 +0000 (11:12 -0700)]
tiffenc: Check av_malloc() results.

(cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6)

Conflicts:

libavcodec/tiffenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mpegaudiodec: fix short_start calculation
Luca Barbato [Fri, 28 Sep 2012 12:38:13 +0000 (14:38 +0200)]
mpegaudiodec: fix short_start calculation

The value should be always 3, as it follows from the specification.

Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: avoid stuck buffer pointer in decode_nal_units
Jindřich Makovička [Sat, 29 Sep 2012 09:16:45 +0000 (11:16 +0200)]
h264: avoid stuck buffer pointer in decode_nal_units

When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.

This can trigger an infinite loop in the caller code, eg. in
try_decode_frame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.

With this change, the remaining bytes are skipped so the whole packet gets
consumed.

CC:libav-stable@libav.org

Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)

Conflicts:

libavcodec/h264.c

6 years ago yuv4mpeg: return proper error codes.
Anton Khirnov [Fri, 5 Oct 2012 13:53:32 +0000 (15:53 +0200)]
yuv4mpeg: return proper error codes.

Fixes Bug 373.

CC:libav-stable@libav.org
(cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago avidec: return 0, not packet size from read_packet().
Anton Khirnov [Fri, 28 Sep 2012 13:26:48 +0000 (15:26 +0200)]
avidec: return 0, not packet size from read_packet().

(cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago cavsdec: check for changing w/h.
Michael Niedermayer [Sat, 24 Mar 2012 01:40:24 +0000 (02:40 +0100)]
cavsdec: check for changing w/h.

Our decoder does not support changing w/h.

Fixes CVE-2012-2777 and CVE-2012-2784.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago avidec: use actually read size instead of requested size
Anton Khirnov [Fri, 28 Sep 2012 13:42:29 +0000 (15:42 +0200)]
avidec: use actually read size instead of requested size

Fixes CVE-2012-2788
(cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago bytestream: add a new set of bytestream functions with overread checking
Aneesh Dogra [Mon, 19 Dec 2011 22:24:50 +0000 (03:54 +0530)]
bytestream: add a new set of bytestream functions with overread checking

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
6 years ago avsdec: Set dimensions instead of relying on the demuxer.
Michael Niedermayer [Fri, 20 Apr 2012 15:42:18 +0000 (17:42 +0200)]
avsdec: Set dimensions instead of relying on the demuxer.

The decode function assumes that the video will have those dimensions.

Fixes CVE-2012-2801

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago lavfi: avfilter_merge_formats: handle case where inputs are same
Mina Nagy Zaki [Wed, 8 Jun 2011 16:24:25 +0000 (19:24 +0300)]
lavfi: avfilter_merge_formats: handle case where inputs are same

This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)

Conflicts:

libavfilter/formats.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago bmpdec: only initialize palette for pal8.
Anton Khirnov [Sun, 16 Sep 2012 06:33:09 +0000 (08:33 +0200)]
bmpdec: only initialize palette for pal8.

Gray8 is not considered to be paletted, so this would cause an invalid
write.

Fixes bug 367.

CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago Bump version number for the 0.5.10 release
Reinhard Tartler [Thu, 24 Jan 2013 13:26:56 +0000 (14:26 +0100)]
Bump version number for the 0.5.10 release

7 years ago lavfi: avfilter_merge_formats: handle case where inputs are same
Mina Nagy Zaki [Wed, 8 Jun 2011 16:24:25 +0000 (19:24 +0300)]
lavfi: avfilter_merge_formats: handle case where inputs are same

This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)

Conflicts:

libavfilter/formats.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b6c5848a1f8fc2755ea70d325acaddae9fac45ab)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a4e277312cacfb78ef7583ed0b4fe4ccf5a0bcb1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago mpegvideo: Don't use ff_mspel_motion() for vc1
Michael Niedermayer [Sun, 20 Nov 2011 16:19:25 +0000 (17:19 +0100)]
mpegvideo: Don't use ff_mspel_motion() for vc1

Using ff_mspel_motion assumes that s (a MpegEncContext
pointer) really is a Wmv2Context.

This fixes crashes in error resilience on vc1/wmv3 videos.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 899d95efe12f1e250b361837c1c8c06df9ac9b86)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c82ae85a8a78a98f7c7fea68d24a4ac0ca74d01f)

Conflicts:
libavcodec/mpegvideo_common.h

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
Janne Grunau [Mon, 2 Jul 2012 08:46:39 +0000 (10:46 +0200)]
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt

CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8812b5f164109553f009ce385e17a1af16b6ea53)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd7426ed898533bed98e6b472ff5f5c8e47f2eb5)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago nuv: check RTjpeg header for validity
Janne Grunau [Mon, 6 Aug 2012 11:59:04 +0000 (13:59 +0200)]
nuv: check RTjpeg header for validity

CC: libav-stable@libav.org
(cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f31170d4e7f9671e019315391160d454b18d7296)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 459feb7cce03af7154c098171fc9d36fc9d472f6)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago vc1dec: add flush function for WMV9 and VC-1 decoders
Kostya Shishkov [Thu, 27 Sep 2012 17:25:06 +0000 (19:25 +0200)]
vc1dec: add flush function for WMV9 and VC-1 decoders

CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 02b72394627933dc8ce26445231a69f00dba491b)

Conflicts:
libavcodec/vc1dec.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0173a7966b331105158a88f96b9afcc431d2fef8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit aa4121276777b20eaaa83bf9bd544b00748c865c)

Conflicts:
libavcodec/vc1dec.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago Release notes for 0.5.9
Reinhard Tartler [Sat, 9 Jun 2012 10:12:52 +0000 (12:12 +0200)]
Release notes for 0.5.9

7 years ago Update changelog for 0.5.9 release
Derek Buitenhuis [Fri, 8 Jun 2012 19:41:31 +0000 (15:41 -0400)]
Update changelog for 0.5.9 release

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago Bump version number for 0.5.9 release.
Reinhard Tartler [Sun, 3 Jun 2012 20:42:30 +0000 (22:42 +0200)]
Bump version number for 0.5.9 release.

7 years ago png: check bit depth for PAL8/Y400A pixel formats.
Reinhard Tartler [Sun, 3 Jun 2012 17:35:50 +0000 (19:35 +0200)]
png: check bit depth for PAL8/Y400A pixel formats.

Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 33f93005f1a86c108302b4c5978aa1a3d8e092cc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4c8c2660bd9252775c9a1dc2e2f36cb34718595a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:

libavcodec/pngdec.c

7 years ago tqi: Pass errors from the MB decoder
Michael Niedermayer [Mon, 19 Dec 2011 03:13:37 +0000 (04:13 +0100)]
tqi: Pass errors from the MB decoder

This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2f2fd8c6d1c51a6b817e6c0bc4eff308b8f9cd18)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c3edce42704142f4c66954e9f24d7fbf0e5ae423)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago eatqi: move "block" variable into context to ensure sufficient alignment for
Reimar Döffinger [Sun, 24 May 2009 09:14:19 +0000 (09:14 +0000)]
eatqi: move "block" variable into context to ensure sufficient alignment for
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c

Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce6366189eebf9956f826dfd92d9e64d9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago ea: check chunk_size for validity.
Ronald S. Bultje [Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)]
ea: check chunk_size for validity.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e74bc64dd376c4691a610ba62a66ed30affc97ec)

Conflicts:

libavformat/electronicarts.c
(cherry picked from commit 38c45adfca299e3d96c07a700032695ec7ff2aeb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vfwcap: Include windows.h before vfw.h since the latter requires defines from the...
kemuri [Sat, 23 Jan 2010 20:58:29 +0000 (20:58 +0000)]
vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>

Originally committed as revision 21411 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 420755dd282a913c2163d5589706d6a99a18d10f)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
Ramiro Polla [Sun, 11 Jul 2010 22:31:41 +0000 (22:31 +0000)]
mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one

Originally committed as revision 24204 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit e26011d0f495de1148b8014995cbe923611b6b76)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago mingw32: properly check if vfw capture is supported by the system headers
Ramiro Polla [Sun, 11 Jul 2010 22:17:17 +0000 (22:17 +0000)]
mingw32: properly check if vfw capture is supported by the system headers

Remove check for a specific w32api version, checking instead if vfw.h
supports vfw capture. The defines in w32api 3.12 were wrong, so this must be
accounted for in the check.

Originally committed as revision 24203 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec1ee802a2e1cb3317bd44851cc28f95b5916051)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

configure

7 years ago Replace every usage of -lvfw32 with what is particularly necessary for that case...
kemuri [Sat, 23 Jan 2010 20:42:00 +0000 (20:42 +0000)]
Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>

Originally committed as revision 21410 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit a1b3c5a377976d21b9daa878265c6eada24c2543)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

configure

7 years ago configure: properly check for mingw-w64 through installed headers. mingw-w64 can...
Ramiro Polla [Sat, 10 Jul 2010 04:08:02 +0000 (04:08 +0000)]
configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.

Originally committed as revision 24156 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a4307d6307516d333ce2cde2a2ffa0f50bc176c)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago qdm2: clip array indices returned by qdm2_get_vlc().
Ronald S. Bultje [Wed, 2 May 2012 16:12:46 +0000 (16:12 +0000)]
qdm2: clip array indices returned by qdm2_get_vlc().

Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

libavcodec/qdm2.c

7 years ago kmvc: Check palsize.
Alex Converse [Thu, 26 Jan 2012 16:30:49 +0000 (17:30 +0100)]
kmvc: Check palsize.

Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
(cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e7392dc349291eb94379d8cfb7ef73d32a768858)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago adpcm: ADPCM Electronic Arts has always two channels
Janne Grunau [Thu, 5 Jan 2012 19:50:55 +0000 (20:50 +0100)]
adpcm: ADPCM Electronic Arts has always two channels

Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Addresses CVE-2012-0852

(cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716)

Conflicts:

libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b581580bd1cc8506befa65b0a5c9ae429240f21f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a0f58c3a605b8123039628d1598cb36f1da0e815)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago h264: Add check for invalid chroma_format_idc
Alexander Strange [Sat, 24 Mar 2012 21:32:14 +0000 (17:32 -0400)]
h264: Add check for invalid chroma_format_idc

Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c5f7c755cfccd7aa01010a2d566104c2b0fa6d86)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00d2c432581cf61326973a1a48f2e63690b65515)

7 years ago dpcm: ignore extra unpaired bytes in stereo streams.
Alex Converse [Fri, 17 Feb 2012 22:13:40 +0000 (14:13 -0800)]
dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)

Conflicts:

libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 41f1f146c9e29dde63e293078819474c9b8111a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Bump version number for 0.5.8 release.
Reinhard Tartler [Thu, 10 May 2012 18:21:51 +0000 (20:21 +0200)]
Bump version number for 0.5.8 release.

7 years ago Release notes and changelog for 0.5.7
Reinhard Tartler [Thu, 10 May 2012 18:15:51 +0000 (20:15 +0200)]
Release notes and changelog for 0.5.7

7 years ago vqavideo: return error if image size is not a multiple of block size
Mans Rullgard [Mon, 23 Apr 2012 12:16:33 +0000 (13:16 +0100)]
vqavideo: return error if image size is not a multiple of block size

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c90da45d5a7a4045dbf22fba52c63ef55d207269)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago motionpixels: Clip YUV values after applying a gradient.
Alex Converse [Wed, 2 May 2012 19:08:03 +0000 (12:08 -0700)]
motionpixels: Clip YUV values after applying a gradient.

Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2134e7f6e88959513ba1713ad6fd7a7c8d5a0f41)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago mjpegbdec: Fix overflow in SOS.
Alex Converse [Wed, 25 Jan 2012 21:39:24 +0000 (13:39 -0800)]
mjpegbdec: Fix overflow in SOS.

Based in part on a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ca010f20965ef71d97a53e871edae2eb9c05a5f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago atrac3: Fix crash in tonal component decoding.
Michael Niedermayer [Sat, 17 Dec 2011 02:18:58 +0000 (03:18 +0100)]
atrac3: Fix crash in tonal component decoding.

Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 224025d852dcc42f752c0922fef7121808d1e42f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Alex Converse [Thu, 26 Jan 2012 23:08:26 +0000 (15:08 -0800)]
dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.

Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00fa6ffe1a0b252d6a81815e51f125225cd0b97a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a8f4db0acd9b588ba33e3b8c0c21feea5916cfd1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago dv: Fix null pointer dereference due to ach=0
Michael Niedermayer [Tue, 24 Jan 2012 16:51:40 +0000 (17:51 +0100)]
dv: Fix null pointer dereference due to ach=0

dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 44e182d41e3a73548f3f5e8445ec428d3846e6d6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b46141b0d1d7efb74dad172b7c1b52413441592f)

Conflicts:

libavformat/dv.c

7 years ago dv: check stype
Michael Niedermayer [Tue, 24 Jan 2012 16:48:23 +0000 (17:48 +0100)]
dv: check stype

dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bb737d381f6d6413899a0697f426fb082eac66fc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 38421f27b3899a930552750fe1e0dffd45b71b8e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago nsvdec: Propagate errors
Alex Converse [Fri, 27 Jan 2012 01:23:09 +0000 (17:23 -0800)]
nsvdec: Propagate errors

Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)

Conflicts:

libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3253dd2b420583a7f10afa87e47b9cb73e950e2a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago nsvdec: Be more careful with av_malloc().
Alex Converse [Fri, 27 Jan 2012 01:21:46 +0000 (17:21 -0800)]
nsvdec: Be more careful with av_malloc().

Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c81c37d8a3de424de3db14078ae84333)

Conflicts:

libavformat/nsvdec.c

7 years ago nsvdec: Fix use of uninitialized streams.
Michael Niedermayer [Tue, 24 Jan 2012 21:20:26 +0000 (22:20 +0100)]
nsvdec: Fix use of uninitialized streams.

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1edf848a81464afd514afbbbcb97b471d334e14a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago id3v2: fix skipping extended header in id3v2.4
Anton Khirnov [Sat, 31 Mar 2012 05:52:42 +0000 (07:52 +0200)]
id3v2: fix skipping extended header in id3v2.4

In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)

Conflicts:

libavformat/id3v2.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago Release notes and changelog for 0.5.7
Reinhard Tartler [Tue, 10 Jan 2012 21:22:05 +0000 (22:22 +0100)]
Release notes and changelog for 0.5.7

7 years ago Bump version number for 0.5.7 release.
Reinhard Tartler [Tue, 10 Jan 2012 20:23:27 +0000 (21:23 +0100)]
Bump version number for 0.5.7 release.

7 years ago vorbis: An additional defense in the Vorbis codec.
Chris Evans [Thu, 5 Jan 2012 20:25:41 +0000 (21:25 +0100)]
vorbis: An additional defense in the Vorbis codec.

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3)

Conflicts:

libavcodec/vorbis_dec.c
(cherry picked from commit a5e0afe3c936220a793db0cdae04bb228f1904e0)

Conflicts:

libavcodec/vorbis_dec.c

7 years ago vorbisdec: Fix decoding bug with channel handling
Reinhard Tartler [Thu, 5 Jan 2012 20:40:18 +0000 (21:40 +0100)]
vorbisdec: Fix decoding bug with channel handling

Fixes Bug: #191
Chromium Bug: #101458
CVE-2011-3895

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 97f23c72a3815739ab28e297ce60f943349f6939)

Conflicts:

libavcodec/vorbis_dec.c
(cherry picked from commit 42f0a6696889ba275aa2087b57fa99f7a97033a0)

Conflicts:

libavcodec/vorbis_dec.c

7 years ago matroskadec: Fix a bug where a pointer was cached to an array that might later move...
Chris Evans [Thu, 5 Jan 2012 20:19:30 +0000 (21:19 +0100)]
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()

Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1f625431e2bb9564760fba3ab8077ae07ce7c7a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 90a4a467477be8c292daa08a9516ee78ca0d517b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vorbis: Avoid some out-of-bounds reads
Chris Evans [Thu, 5 Jan 2012 20:25:41 +0000 (21:25 +0100)]
vorbis: Avoid some out-of-bounds reads

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6d6254ba9fbb22260939c06db1faed5bbd295ad4)

Conflicts:

libavcodec/vorbis.c

7 years ago vp3: fix oob read for negative tokens and memleaks on error.
Ronald S. Bultje [Sat, 29 Oct 2011 06:50:04 +0000 (23:50 -0700)]
vp3: fix oob read for negative tokens and memleaks on error.

(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)

Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892

Removed the parts that are related to multi-threading, which is not
included before 0.7.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)

Conflicts:

libavcodec/vp3.c
(cherry picked from commit c9c7db0af2a0fc14764a07f0e61cebf11238e3c2)

Conflicts:

libavcodec/vp3.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Release notes and changelog for 0.5.6
Reinhard Tartler [Sun, 25 Dec 2011 08:55:45 +0000 (09:55 +0100)]
Release notes and changelog for 0.5.6

7 years ago Bump version number for 0.5.6 release.
Reinhard Tartler [Sat, 24 Dec 2011 15:32:06 +0000 (16:32 +0100)]
Bump version number for 0.5.6 release.

7 years ago svq1dec: call avcodec_set_dimensions() after dimensions changed.
Michael Niedermayer [Fri, 18 Nov 2011 18:10:21 +0000 (19:10 +0100)]
svq1dec: call avcodec_set_dimensions() after dimensions changed.

Fixes NGS00148, CVE-2011-4579

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0eca0da06e40b73af495cc05fbcfaa030fcf78ea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8ddc0b491d3c9c11c1e3d638fda51b4b604d32f4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vmd: fix segfaults on corrupted streams
Laurent Aimar [Sun, 11 Sep 2011 17:17:45 +0000 (19:17 +0200)]
vmd: fix segfaults on corrupted streams

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b99366faef3a1ed4a34c9b37107f2c8c24702813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: partially propagate huffman tree building errors during coeff model parsing...
Dustin Brody [Tue, 16 Aug 2011 20:46:34 +0000 (16:46 -0400)]
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7367cbec1b8cf0cbb49707fb0fdfded8ec397b0d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 201fcfb89482c6f73d6b679a294aac8da9612bbd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Plug some memory leaks in the VP6 decoder
Vitor Sessak [Wed, 3 Mar 2010 17:24:32 +0000 (17:24 +0000)]
Plug some memory leaks in the VP6 decoder

Originally committed as revision 22172 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a41faa9a77dc83d8d933e99f1ba902ecd146e79)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Reset the internal state when aborting key frames header parsing
Laurent Aimar [Fri, 23 Sep 2011 20:36:11 +0000 (22:36 +0200)]
vp6: Reset the internal state when aborting key frames header parsing

It prevents leaving the state only half initialized.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0dee0890e39636ddebd2707ab3ea5b8de)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e28bb18fdc894dfdc1befa9f5e748ccb649a8c76)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Fix illegal read.
Thierry Foucu [Thu, 17 Nov 2011 17:39:52 +0000 (09:39 -0800)]
vp6: Fix illegal read.

Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ba4b08b78918f399f9c9524750b26e904d146078)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 94aacaf5083313378c6105bd71db04ce8f62c058)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Fix illegal read.
Alex Converse [Thu, 3 Nov 2011 22:55:52 +0000 (15:55 -0700)]
vp6: Fix illegal read.

(cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 67a7ed623b678a84c992dd7bf3e3d0329f83621b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8d68083298e2481669de4db0b7b86c915119df6d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix out of bound reads in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:04 +0000 (00:45 +0200)]
Fix out of bound reads in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5a19acb17ceb71657b0eec51dac651953520e5c8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0d93d5c4614fafea74bdac681673f5b32eb49063)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Check for out of bound writes in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:05 +0000 (00:45 +0200)]
Check for out of bound writes in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 291d74a46d32183653db07818c7b3407fd50a288)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago qdm2: check output buffer size before decoding
Justin Ruggles [Wed, 14 Sep 2011 17:57:04 +0000 (13:57 -0400)]
qdm2: check output buffer size before decoding

(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 73472053516f82b7d273a3d42c583f894077a191)

Conflicts:

libavcodec/qdm2.c
(cherry picked from commit cfb9b47a1ecdc9e88e6561aa213d98245ee70267)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix qdm2 decoder packet handling to match the api
Baptiste Coudurier [Fri, 19 Nov 2010 06:52:30 +0000 (06:52 +0000)]
Fix qdm2 decoder packet handling to match the api

Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit b26c1a8b7ed1a199b19f92bb5d62c61f1c149215)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago update version
Reinhard Tartler [Sat, 5 Nov 2011 11:57:22 +0000 (12:57 +0100)]
update version

7 years ago Release notes and changelog for 0.5.5
Reinhard Tartler [Sat, 5 Nov 2011 11:53:16 +0000 (12:53 +0100)]
Release notes and changelog for 0.5.5

7 years ago Fix ff_imdct_calc_sse() on gcc-4.6
Alex Converse [Sun, 30 Jan 2011 09:04:41 +0000 (01:04 -0800)]
Fix ff_imdct_calc_sse() on gcc-4.6

Gcc 4.6 only preserves the first value when using an array with an "m"
constraint.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 770c410fbb8e1b87ce8ad7f3d7eddaa55e2b8295)

Conflicts:

libavcodec/x86/fft_sse.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Make DECLARE_ALIGNED macros work with external array specifiers
Måns Rullgård [Thu, 21 Jan 2010 12:59:22 +0000 (12:59 +0000)]
Make DECLARE_ALIGNED macros work with external array specifiers

The macro implementation might need the name of the variable being
declared for compiler-specific syntax.  Moving array specifiers outside
the macro invocation allows this to work.

Originally committed as revision 21363 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 8a24e98d506f0f44ec58e06291fa0fce703fb6a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix MMX rgb24 to yuv conversion with gcc 4.6
Mans Rullgard [Sun, 13 Feb 2011 00:19:06 +0000 (00:19 +0000)]
Fix MMX rgb24 to yuv conversion with gcc 4.6

When built with gcc 4.6, the MMX rgb24 to yuv conversion gives
wrong output.  The compiler produces this warning:

libswscale/swscale_template.c:1885:5: warning: use of memory input without lvalue in asm operand 4 is deprecated

Changing the memory operand to a register makes it work.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit f344903ca5ce28a833fdd656bc1ed5b16d97e7e9)

Conflicts:

libswscale/swscale_template.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
Michael Niedermayer [Thu, 28 Jul 2011 12:59:54 +0000 (14:59 +0200)]
Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.

Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)

Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8fa630e5081f14bde3fd20f84c90aec)

NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.

Fixes: CVE-2011-3504

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago cavs: fix some crashes with invalid bitstreams
Mans Rullgard [Wed, 10 Aug 2011 17:52:11 +0000 (18:52 +0100)]
cavs: fix some crashes with invalid bitstreams

This removes all valgrind-reported invalid writes with one
specific test file.

Fixes http://www.ocert.org/advisories/ocert-2011-002.html

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78)

Fixes CVE-2011-3362, CVE-2011-3973, CVE-2011-3974

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
8 years ago mjpeg: Detect overreads in mjpeg_decode_scan() and error out.
Michael Niedermayer [Thu, 21 Apr 2011 20:03:24 +0000 (22:03 +0200)]
mjpeg: Detect overreads in mjpeg_decode_scan() and error out.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rbultje@google.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
8 years ago update release date
Reinhard Tartler [Thu, 17 Mar 2011 12:10:27 +0000 (13:10 +0100)]
update release date

8 years ago document APE patch
Reinhard Tartler [Thu, 17 Mar 2011 12:09:40 +0000 (13:09 +0100)]
document APE patch

8 years ago Do not attempt to decode APE file with no frames
Kostya [Tue, 15 Mar 2011 09:19:43 +0000 (09:19 +0000)]
Do not attempt to decode APE file with no frames

This fixes invalid reads/writes with this sample:
http://packetstorm.linuxsecurity.com/1103-exploits/vlc105-dos.txt
(cherry picked from commit 8312e3fc9041027a33c8bc667bb99740fdf41dd5)

8 years ago Fix a bunch of typos in the release documentation.
Diego Biurrun [Sun, 6 Mar 2011 10:02:36 +0000 (11:02 +0100)]
Fix a bunch of typos in the release documentation.

8 years ago Bump version number for 0.5.4 release.
Reinhard Tartler [Sun, 20 Feb 2011 21:12:52 +0000 (22:12 +0100)]
Bump version number for 0.5.4 release.

8 years ago release notes for 0.5.4
Reinhard Tartler [Fri, 18 Feb 2011 16:06:06 +0000 (17:06 +0100)]
release notes for 0.5.4

8 years ago Amend Changelog for 0.5.4
Reinhard Tartler [Fri, 18 Feb 2011 16:06:06 +0000 (17:06 +0100)]
Amend Changelog for 0.5.4

8 years ago Call avcodec_set_dimensions() instead of simply setting avctx->width/height
Kostya Shishkov [Tue, 24 Nov 2009 06:05:41 +0000 (06:05 +0000)]
Call avcodec_set_dimensions() instead of simply setting avctx->width/height
when frame dimensions change in RV3/4.

Originally committed as revision 20595 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit d90aeeaf569e4a08c30b3d1d09c3cff3a86eb431)

8 years ago Fix invalid reads in VC1 decoder
Reimar Döffinger [Sat, 19 Feb 2011 10:33:01 +0000 (11:33 +0100)]
Fix invalid reads in VC1 decoder

Patch discussed and taken from https://roundup.ffmpeg.org/issue2584
(cherry picked from commit 2bbec1eda46d907605772a8b6e8263caa4bc4c82)

Change related to CVE-2011-0723

8 years ago Make get_bits_left() available for use in libavcodec (was previously held
Ronald S. Bultje [Mon, 9 Nov 2009 22:10:43 +0000 (22:10 +0000)]
Make get_bits_left() available for use in libavcodec (was previously held
private in dv.c for some reason). See "[PATCH] get_bits_left()" thread.

Originally committed as revision 20490 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit c47ca25e74bbe465cdc8b99d4f6ab4f0ad5e4229)

8 years ago Update Changelog for 0.5.4 release.
Reinhard Tartler [Sun, 13 Feb 2011 22:34:41 +0000 (23:34 +0100)]
Update Changelog for 0.5.4 release.

8 years ago Check rangebits to avoid a possible crash.
Frank Barchard [Sun, 13 Feb 2011 20:38:45 +0000 (21:38 +0100)]
Check rangebits to avoid a possible crash.
Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).

Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 13184036a6b1b1d4b61c91118c0896e9ad4634c3)

Addresses: CVE-2011-0480

Conflicts:

libavcodec/vorbis_dec.c

8 years ago Fix crashes in vorbis decoding found by zzuf
Jason Garrett-Glaser [Sun, 13 Feb 2011 19:41:13 +0000 (20:41 +0100)]
Fix crashes in vorbis decoding found by zzuf
Fixes issue 2322.

Originally committed as revision 25591 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 3dde66752d59dfdd0f3727efd66e7202b3c75078)

Addresses: CVE-2010-4704

8 years ago also ignore *.so for vhook plugins
Reinhard Tartler [Thu, 10 Feb 2011 13:09:35 +0000 (14:09 +0100)]
also ignore *.so for vhook plugins

8 years ago consolidate .gitignore patterns into a single file
Janne Grunau [Tue, 18 Jan 2011 19:44:24 +0000 (20:44 +0100)]
consolidate .gitignore patterns into a single file

Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
(cherry picked from commit 2c3589bfda036c7827ded0bf38b16dfe7630bae1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
8 years ago convert svn:ignore properties to .gitignore files
Janne Grunau [Mon, 17 Jan 2011 14:49:11 +0000 (15:49 +0100)]
convert svn:ignore properties to .gitignore files

Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
(cherry picked from commit 348b8218f7a59374355c966dbe3b851a7275f952)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
8 years ago Update dimensions in AVCodecContext when RV3/4 frame dimensions change
Kostya Shishkov [Sun, 22 Nov 2009 07:48:35 +0000 (07:48 +0000)]
Update dimensions in AVCodecContext when RV3/4 frame dimensions change

Originally committed as revision 20572 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec10d2d53999f6edf7d7b5ac88df263eccfb1fb0)

Fixes heap corruption crashes

Addresses: CVE-2011-0722
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
8 years ago Update safety check as the maximum pixel size is no longer 4.
Michael Niedermayer [Wed, 22 Apr 2009 01:54:05 +0000 (01:54 +0000)]
Update safety check as the maximum pixel size is no longer 4.
New max size is 16bit * 4 samples (RGBA).

Originally committed as revision 18655 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 445f0a8b666a34e6402f6ae96c6804c8bc024baa)

Addresses: CVE-2010-3908
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
8 years ago release notes for 0.5.3 v0.5.3
Reinhard Tartler [Mon, 18 Oct 2010 19:43:55 +0000 (19:43 +0000)]
release notes for 0.5.3

Originally committed as revision 25523 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

8 years ago Bump version number for 0.5.3 release.
Diego Biurrun [Mon, 18 Oct 2010 19:40:09 +0000 (19:40 +0000)]
Bump version number for 0.5.3 release.

Originally committed as revision 25522 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

8 years ago Update Changelog for 0.5.3 release.
Diego Biurrun [Mon, 18 Oct 2010 19:38:02 +0000 (19:38 +0000)]
Update Changelog for 0.5.3 release.

Originally committed as revision 25521 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

9 years ago Fix several security issues in flicvideo.c
Reinhard Tartler [Sun, 3 Oct 2010 14:51:50 +0000 (14:51 +0000)]
Fix several security issues in flicvideo.c
This fixes CVE-2010-3429

backport r25223 by michael

Originally committed as revision 25325 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

9 years ago unbreak compilation and finish backport r24280 by mstorsjo
Reinhard Tartler [Sun, 3 Oct 2010 14:50:04 +0000 (14:50 +0000)]
unbreak compilation and finish backport r24280 by mstorsjo

Originally committed as revision 25324 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5