ffmpeg.git
5 years ago arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6
Janne Grunau [Sat, 8 Mar 2014 10:52:14 +0000 (11:52 +0100)]
arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6

The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.

5 years ago qt-faststart: Check offset_count before reading from the moov_atom buffer
Michael Niedermayer [Thu, 13 Dec 2012 14:07:20 +0000 (15:07 +0100)]
qt-faststart: Check offset_count before reading from the moov_atom buffer

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit bb95334c34d0d9abccea370ae25c4765d7764ab8)
(cherry picked from commit 7754d4838178a5c09c3c3953bb2b90d1abc639e3)

5 years ago arm: hpeldsp: prevent overreads in armv6 asm
Janne Grunau [Wed, 5 Mar 2014 11:44:57 +0000 (12:44 +0100)]
arm: hpeldsp: prevent overreads in armv6 asm

Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>

Bug-Id: 646
CC: libav-stable@libav.org

5 years ago configure: enable PIC on s390(x)
Reinhard Tartler [Sun, 2 Mar 2014 07:11:05 +0000 (02:11 -0500)]
configure: enable PIC on s390(x)

The s390 architecture requires shared libraries to be built in PIC mode.
Otherwise applications will get wrong relocations at run-time, leading
to confusing segmentation faults.

CC: libav-stable@libav.org
(cherry picked from commit 5ddc9f5052316608799b932c604f9e7561f8ce24)
(cherry picked from commit 7509c2c4ea2180733cc60ab1a0e0fe4ce2f02a69)

5 years ago ituh263: reject b-frame with pp_time = 0
Keiji Costantini [Sat, 1 Mar 2014 18:17:04 +0000 (18:17 +0000)]
ituh263: reject b-frame with pp_time = 0

Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.

Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)

5 years ago lagarith: reallocate rgb_planes when needed
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
lagarith: reallocate rgb_planes when needed

Fixes invalid writes on pixel format changes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)

5 years ago truemotion1: check the header size
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
truemotion1: check the header size

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)

5 years ago shorten: pad the internal bitstream buffer
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
shorten: pad the internal bitstream buffer

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)

5 years ago samplefmt: avoid integer overflow in av_samples_get_buffer_size()
Justin Ruggles [Thu, 30 Jan 2014 19:08:38 +0000 (14:08 -0500)]
samplefmt: avoid integer overflow in av_samples_get_buffer_size()

CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)

5 years ago h264: Fix a typo from the previous commit
Luca Barbato [Sat, 22 Feb 2014 10:19:03 +0000 (11:19 +0100)]
h264: Fix a typo from the previous commit

f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +

CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)

5 years ago h264: Lower bound check for slice offsets
Vittorio Giovara [Thu, 20 Feb 2014 01:38:32 +0000 (02:38 +0100)]
h264: Lower bound check for slice offsets

And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)

Conflicts:
libavcodec/h264.c

5 years ago Add missing header to fix compilation after d2a0654
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
Add missing header to fix compilation after d2a0654

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago Prepare for 9.12 RELEASE
Reinhard Tartler [Sat, 1 Mar 2014 00:22:56 +0000 (19:22 -0500)]
Prepare for 9.12 RELEASE

5 years ago configure: Add missing dependency of Snow decoder on videodsp
Diego Biurrun [Fri, 21 Feb 2014 09:31:39 +0000 (10:31 +0100)]
configure: Add missing dependency of Snow decoder on videodsp

5 years ago rpza: limit the number of blocks to the total remaining blocks in the frame
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
rpza: limit the number of blocks to the total remaining blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

5 years ago Update Changelog for 9.11
Reinhard Tartler [Sun, 2 Feb 2014 18:08:08 +0000 (13:08 -0500)]
Update Changelog for 9.11

5 years ago oggparseogm: check timing variables
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
oggparseogm: check timing variables

Fixes a potential divide by zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mathematics: remove asserts from av_rescale_rnd()
Anton Khirnov [Thu, 12 Dec 2013 06:34:13 +0000 (07:34 +0100)]
mathematics: remove asserts from av_rescale_rnd()

It is a public function, it must not assert on its parameters.

(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago vc1: Always reset numref when parsing a new frame header.
Michael Niedermayer [Sun, 19 Jan 2014 15:28:25 +0000 (15:28 +0000)]
vc1: Always reset numref when parsing a new frame header.

Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.

CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago h264: reset num_reorder_frames if it is invalid
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset num_reorder_frames if it is invalid

An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c

5 years ago h264: check that an IDR NAL only contains I slices
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that an IDR NAL only contains I slices

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mov: Free an earlier allocated array if allocating a new one
Martin Storsjö [Mon, 13 Jan 2014 12:46:07 +0000 (14:46 +0200)]
mov: Free an earlier allocated array if allocating a new one

It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mov: Free intermediate arrays in the normal cleanup function
Martin Storsjö [Mon, 13 Jan 2014 12:43:23 +0000 (14:43 +0200)]
mov: Free intermediate arrays in the normal cleanup function

These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d5b4bc999fb70c040f330dd1873212e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago segafilm: fix leaks if reading the header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
segafilm: fix leaks if reading the header fails

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago h264_cavlc: check the size of the intra PCM data.
Anton Khirnov [Fri, 15 Nov 2013 08:42:26 +0000 (09:42 +0100)]
h264_cavlc: check the size of the intra PCM data.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h263: Check init_get_bits return value
Michael Niedermayer [Sat, 26 Oct 2013 17:02:34 +0000 (19:02 +0200)]
h263: Check init_get_bits return value

And use init_get_bits8 to check for integer overflows while at it.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

5 years ago cavsdec: check ff_get_buffer() return value
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
cavsdec: check ff_get_buffer() return value

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago cavs: Check for negative cbp
Luca Barbato [Sun, 13 Oct 2013 01:30:06 +0000 (03:30 +0200)]
cavs: Check for negative cbp

Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

5 years ago avi: DV in AVI must be considered single stream
Luca Barbato [Tue, 6 Aug 2013 01:38:12 +0000 (03:38 +0200)]
avi: DV in AVI must be considered single stream

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

5 years ago vmnc: Check the cursor dimensions
Luca Barbato [Wed, 9 Oct 2013 03:51:20 +0000 (05:51 +0200)]
vmnc: Check the cursor dimensions

And manage the reallocation failure path.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5e992a4682d2c09eed3839c6cacf70db3b65c2f4)

5 years ago vmnc: Port to bytestream2
Luca Barbato [Wed, 9 Oct 2013 03:13:59 +0000 (05:13 +0200)]
vmnc: Port to bytestream2

Fix some buffer overreads.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

5 years ago vmnc: K&R formatting cosmetics
Luca Barbato [Wed, 9 Oct 2013 10:58:42 +0000 (12:58 +0200)]
vmnc: K&R formatting cosmetics

Signed-off-by: Diego Biurrun <diego@biurrun.de>

5 years ago flashsv: Check diff_start diff_height values
Michael Niedermayer [Tue, 20 Aug 2013 21:18:48 +0000 (23:18 +0200)]
flashsv: Check diff_start diff_height values

Fix out of array accesses.

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Addresses: CVE-2013-7015
(cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago dsputil/pngdsp: fix signed/unsigned type in end comparison
Michael Niedermayer [Fri, 30 Aug 2013 21:14:32 +0000 (23:14 +0200)]
dsputil/pngdsp: fix signed/unsigned type in end comparison

Fixes out of array accesses and integer overflows.

(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Addresses: CVE-2013-7010, CVE-2013-7014

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago lavf: make av_probe_input_buffer more robust
Anton Khirnov [Mon, 13 Jan 2014 12:47:07 +0000 (13:47 +0100)]
lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)

Conflicts:
libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>

5 years ago lavf: use a fixed width type
Anton Khirnov [Mon, 13 Jan 2014 10:56:59 +0000 (11:56 +0100)]
lavf: use a fixed width type

It's shorter and more consistent with the rest of the code.

(cherry picked from commit 8b76362836f3c373c3aadc544522edcbef16dd5f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

5 years ago lavf: simplify handling of offset in av_probe_input_buffer()
Anton Khirnov [Mon, 13 Jan 2014 10:55:18 +0000 (11:55 +0100)]
lavf: simplify handling of offset in av_probe_input_buffer()

(cherry picked from commit c1868e7ee7b07b40a0fe15f50df89fe499a01a50)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

5 years ago prores: Error out only on surely incomplete ac_coeffs
Luca Barbato [Thu, 10 Oct 2013 08:26:31 +0000 (10:26 +0200)]
prores: Error out only on surely incomplete ac_coeffs

(cherry picked from commit 2df7f7714a12a59d31058aba15fb1e348e36b0ab)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

5 years ago shorten: Fix out-of-array read
Tim Walker [Wed, 9 Oct 2013 09:47:04 +0000 (11:47 +0200)]
shorten: Fix out-of-array read

pred_order == FF_ARRAY_ELEMS(fixed_coeffs) is invalid too.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 5f5ada3dbf97e306a74250ba8dcf8619ad59b020)
Signed-off-by: Tim Walker <tdskywalker@gmail.com>

5 years ago prores: Add a codepath for decoding errors
Luca Barbato [Thu, 10 Oct 2013 06:40:39 +0000 (08:40 +0200)]
prores: Add a codepath for decoding errors

(cherry picked from commit 44690dfa683f620c77e9f0e8e9bc5682608636b1)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

5 years ago nut: Fix unchecked allocations
Derek Buitenhuis [Tue, 22 Oct 2013 15:11:11 +0000 (16:11 +0100)]
nut: Fix unchecked allocations

CC: libav-stable@libav.org
(cherry picked from commit b1fcdc08ceb5df69fac34aa0d57c56905d32b8b4)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

5 years ago avi: directly resync on DV in AVI read failure
Luca Barbato [Tue, 6 Aug 2013 01:52:48 +0000 (03:52 +0200)]
avi: directly resync on DV in AVI read failure

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mov: Don't allocate arrays with av_malloc that will be realloced
Martin Storsjö [Fri, 4 Oct 2013 06:52:02 +0000 (09:52 +0300)]
mov: Don't allocate arrays with av_malloc that will be realloced

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b698542ad83284fbb8c22404e3cafeb2dd739d38)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago shorten: Extend fixed_coeffs to properly support pred_order 0
Luca Barbato [Wed, 4 Sep 2013 17:26:36 +0000 (19:26 +0200)]
shorten: Extend fixed_coeffs to properly support pred_order 0

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b2148faca9e9e553c14b27844b56e367c85a777e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago Prepare for 9.11 RELEASE
Reinhard Tartler [Sun, 5 Jan 2014 22:23:12 +0000 (17:23 -0500)]
Prepare for 9.11 RELEASE

5 years ago avi: properly fail if the dv demuxer is missing
Luca Barbato [Mon, 5 Aug 2013 23:39:07 +0000 (01:39 +0200)]
avi: properly fail if the dv demuxer is missing

CC: libav-stable@libav.org
(cherry picked from commit 1cac9accbd1f9b8596122d0735e37b97a844c514)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago prores: Reject negative run and level values
Luca Barbato [Thu, 10 Oct 2013 19:02:10 +0000 (21:02 +0200)]
prores: Reject negative run and level values

Sample-Id: 00000611-google

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c0de9a23c7080e2fac8f879b9d9a0ce2b64ea953)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago audio_mix: fix channel order in mix_1_to_2_fltp_flt_c
Anton Khirnov [Wed, 2 Oct 2013 14:40:02 +0000 (16:40 +0200)]
audio_mix: fix channel order in mix_1_to_2_fltp_flt_c

CC:libav-stable@libav.org
(cherry picked from commit df6737a55f5dc7c0ae5272bc5fa6182836d5481c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago indeo4: Check the inherited quant_mat
Luca Barbato [Fri, 11 Oct 2013 09:34:03 +0000 (11:34 +0200)]
indeo4: Check the inherited quant_mat

Invalidate it if not supported.

Sample-Id: 00000262-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c9ef6b09326a24010bf86d6b0d19cfa42df4d546)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/indeo4.c

5 years ago indeo4: Check the block size if reusing the band configuration
Luca Barbato [Fri, 11 Oct 2013 08:51:53 +0000 (10:51 +0200)]
indeo4: Check the block size if reusing the band configuration

Sample-Id: 00000287-google

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0cb83c563848bf8f8365e7bd30e7e6b57ef360f0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago ffv1: Assume bitdepth 0 means 8bit
Luca Barbato [Sun, 13 Oct 2013 13:34:47 +0000 (15:34 +0200)]
ffv1: Assume bitdepth 0 means 8bit

CC: libav-stable@libav.org
Reported-by: debian/726189
(cherry picked from commit a90905db2e6ab1840890f3a88bfd3bf008b9d886)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago alsa-audio-dec: explicitly cast the delay to a signed int64
Anton Khirnov [Sun, 1 Dec 2013 08:27:01 +0000 (09:27 +0100)]
alsa-audio-dec: explicitly cast the delay to a signed int64

Otherwise the expression will be evaluated as unsigned, which will break
when the result should be negative.
CC:libav-stable@libav.org

(cherry picked from commit 089fac77a6bf9199a5ec161e9c27850f0a680541)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago matroskadec: pad EBML_BIN data.
Anton Khirnov [Fri, 15 Nov 2013 09:15:24 +0000 (10:15 +0100)]
matroskadec: pad EBML_BIN data.

It might be passed to code requiring padding, such as lzo decompression.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit 30be1ea33e5525266ad871bed60b1893a53caeaf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago motionpixels: clip VLC codes.
Anton Khirnov [Fri, 15 Nov 2013 14:33:20 +0000 (15:33 +0100)]
motionpixels: clip VLC codes.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit ca41c72c6d9515d9045bd3b68104525dee81b8d0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago avidec: fix a memleak in the dv init code.
Anton Khirnov [Fri, 15 Nov 2013 18:06:23 +0000 (19:06 +0100)]
avidec: fix a memleak in the dv init code.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit ce9bba5340a5fb6f38974a19af019dd6aa2da035)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago truemotion1: make sure index does not go out of bounds
Anton Khirnov [Fri, 15 Nov 2013 18:06:23 +0000 (19:06 +0100)]
truemotion1: make sure index does not go out of bounds

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit c918e08b9cc9ce8d06159c51da55ec5ab018039a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago pcx: round up in bits->bytes conversion in a buffer size check
Anton Khirnov [Fri, 15 Nov 2013 18:06:23 +0000 (19:06 +0100)]
pcx: round up in bits->bytes conversion in a buffer size check

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit 430d12196432ded13f011a3bf7690f03c9b2e5d6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago omadec: Fix wrong number of array elements
Michael Niedermayer [Thu, 24 Oct 2013 13:24:24 +0000 (15:24 +0200)]
omadec: Fix wrong number of array elements

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: David Goldwich <david.goldwich@gmail.com>
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 97f50e92b5cf3b47a76f75d76ed4340e822030db)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago omadec: check GEOB sizes against buffer size
Michael Niedermayer [Thu, 24 Oct 2013 13:24:25 +0000 (15:24 +0200)]
omadec: check GEOB sizes against buffer size

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: David Goldwich <david.goldwich@gmail.com>
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1c736bedd9891501960ebac0f7c05eb60225e947)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago ac3dec: fix outptr increment.
Michael Niedermayer [Fri, 25 Oct 2013 22:46:53 +0000 (18:46 -0400)]
ac3dec: fix outptr increment.

Fixes corrupt data errors when downmixing in the AC-3 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit 6c82c87dbbc0582658968eae46cfebeea90a9c5e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago avio: Use AVERROR_PROTOCOL_NOT_FOUND
Luca Barbato [Sun, 20 Oct 2013 20:01:54 +0000 (22:01 +0200)]
avio: Use AVERROR_PROTOCOL_NOT_FOUND

When the protocol is missing ffurl_alloc() should return
AVERROR_PROTOCOL_NOT_FOUND instead of AVERROR(ENOENT).

Bug-Id: 577
CC: libav-stable@libav.org
(cherry picked from commit ea71aafd6881d7ce5cffec56feb45488e3ac5221)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mpegvideo: Drop a faulty assert
Luca Barbato [Tue, 22 Oct 2013 17:17:10 +0000 (19:17 +0200)]
mpegvideo: Drop a faulty assert

That check is easily reachable by faulty input.

CC:libav-stable@libav.org
Reported-by: Torsten Sadowski <tsadowski@gmx.net>
(cherry picked from commit 72072bf9de3241848ea86f68d2297b7a5d6ad49b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago lavr: check that current_buffer is not NULL before using it
Justin Ruggles [Sun, 27 Oct 2013 19:00:36 +0000 (15:00 -0400)]
lavr: check that current_buffer is not NULL before using it

Fixes a segfault during resampling when compiled with -DDEBUG.
Fixes all fate-lavr-resample tests with -DDEBUG.

CC:libav-stable@libav.org
(cherry picked from commit 211ca69b13eb0a127a9ef7e70ddaccdab125d1c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago pmpdec: check that there is at least one audio packet.
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
pmpdec: check that there is at least one audio packet.

The code cannot handle there being none, but that should not happen for
valid files.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1b5d065ca722eb8028c7a08e054b6da3419faf5d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago lzw: switch to bytestream2
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
lzw: switch to bytestream2

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit e89aa4bf56e5b5c45f569eb12733519789e057da)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago gifdec: convert to bytestream2
Anton Khirnov [Fri, 15 Nov 2013 09:23:04 +0000 (10:23 +0100)]
gifdec: convert to bytestream2

(cherry picked from commit 1f3e56b6dcc163a705704e98569d4850a31d651c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago gifdec: check that the image dimensions are non-zero
Anton Khirnov [Fri, 15 Nov 2013 09:15:24 +0000 (10:15 +0100)]
gifdec: check that the image dimensions are non-zero

Also add an error message and return a more suitable error code
(INVALIDDATA, not EINVAL);
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit c453723ad7d14abc5e82677eebaa6025fa598f08)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago gifdec: return meaningful error codes.
Anton Khirnov [Mon, 19 Nov 2012 09:30:01 +0000 (10:30 +0100)]
gifdec: return meaningful error codes.

(cherry picked from commit 048ffb9bb26f30f1995400b8cd3809221ba03441)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago eacmv: check the framerate before setting it.
Anton Khirnov [Thu, 12 Dec 2013 06:31:26 +0000 (07:31 +0100)]
eacmv: check the framerate before setting it.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 24057c83207d6ea8bfd824155ac37be8a33dfd0c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/eacmv.c

5 years ago rv30: fix extradata size check.
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
rv30: fix extradata size check.

It has been checking the number of bits in the offset instead of the
actual offset.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit a6a2282c25abe43e352010a7c3fbc92994c0bc1c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago sdp: Check that fmt->oformat is non-null before accessing it
Martin Storsjö [Fri, 3 Jan 2014 13:47:02 +0000 (15:47 +0200)]
sdp: Check that fmt->oformat is non-null before accessing it

This avoids crashes when avserver tries to create an SDP, since
d77f4af.

Addresses: CVE-2012-6617

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 82b9799bb211ecd117171115e4a8b832c4942314)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago matroskadec: use correct compression parameters for current track CodecPrivate
Aurelien Jacobs [Sun, 21 Aug 2011 14:03:13 +0000 (16:03 +0200)]
matroskadec: use correct compression parameters for current track CodecPrivate

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8b516f154a0a08655cec2d13d12aadc58cae0b1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago vc1: Reset numref if fieldmode is not set
Kostya Shishkov [Mon, 25 Nov 2013 13:04:41 +0000 (14:04 +0100)]
vc1: Reset numref if fieldmode is not set

There are samples in the wild with B-frames and P-frames with different
interlace mode.

CC: libav-stable@libav.org
Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit de44dfc7c0ec02bda7d846ef713145c890bfae3f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago arm: Don't clobber callee saved registers in scalarproduct
Martin Storsjö [Fri, 20 Dec 2013 13:02:35 +0000 (15:02 +0200)]
arm: Don't clobber callee saved registers in scalarproduct

q4-q7/d8-d15 are supposed to not be clobbered by the callee.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694)

Signed-off-by: Martin Storsjö <martin@martin.st>

5 years ago alsdec: check block length
Reinhard Tartler [Sun, 8 Dec 2013 18:24:26 +0000 (13:24 -0500)]
alsdec: check block length

Fix writing over the end

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Addresses: CVE-2013-0845
(cherry picked from commit 2a0fb7286d67c47e44aa76c237ede117b22af616)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago h264/mpegvideo: do not provide pixel formats for hwaccels that are not compiled in
Anton Khirnov [Fri, 29 Nov 2013 12:18:29 +0000 (13:18 +0100)]
h264/mpegvideo: do not provide pixel formats for hwaccels that are not compiled in

5 years ago mpeg4video_parser: init mpeg4 static tables.
Anton Khirnov [Fri, 15 Nov 2013 21:13:46 +0000 (22:13 +0100)]
mpeg4video_parser: init mpeg4 static tables.

They are used when decoding the frame header.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

Signed-off-by: Anton Khirnov <anton@khirnov.net>

5 years ago mpeg4videodec: split initializing static tables into a separate function
Anton Khirnov [Fri, 15 Nov 2013 21:13:45 +0000 (22:13 +0100)]
mpeg4videodec: split initializing static tables into a separate function

Signed-off-by: Anton Khirnov <anton@khirnov.net>

5 years ago x86: ac3dsp: Remove 3dnow version of ff_ac3_extract_exponents
Diego Biurrun [Fri, 26 Apr 2013 14:48:39 +0000 (16:48 +0200)]
x86: ac3dsp: Remove 3dnow version of ff_ac3_extract_exponents

The function requires increasing the fuzz factor for the ac3/eac3 encode
tests and even so makes fate fail. It only provides a slight encoding
speedup for legacy CPUs that do not support SSE2. Thus its benefit is not
worth the trouble it creates and fixing it would be a waste of time.

6 years ago pthread: Avoid spurious wakeups
Ben Jackson [Fri, 18 Oct 2013 14:28:50 +0000 (15:28 +0100)]
pthread: Avoid spurious wakeups

pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup).

The FF_THREAD_SLICE thread mechanism could spontaneously execute
jobs or allow the caller of avctx->execute to return before all
jobs were complete.

Test both cases to ensure the wakeup is real.

Signed-off-by: Ben Jackson <ben@ben.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

6 years ago pthread: Fix deadlock during thread initialization
Derek Buitenhuis [Thu, 10 Oct 2013 15:05:40 +0000 (11:05 -0400)]
pthread: Fix deadlock during thread initialization

Sometimes, if pthread_create() failed, then pthread_cond_wait() could
accidentally be called in the worker threads after the uninit function
had already called pthread_cond_broadcast(), leading to a deadlock.

Don't call pthread_cond_wait() if c->done is set.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

6 years ago Fix top-level description
Reinhard Tartler [Thu, 10 Oct 2013 13:56:40 +0000 (09:56 -0400)]
Fix top-level description

6 years ago update Changelog
Reinhard Tartler [Thu, 10 Oct 2013 12:50:09 +0000 (08:50 -0400)]
update Changelog

6 years ago Prepare for 9.10 RELEASE
Reinhard Tartler [Fri, 4 Oct 2013 23:14:27 +0000 (19:14 -0400)]
Prepare for 9.10 RELEASE

6 years ago h263dec: Remove a hack that can cause infinite loops
Martin Storsjö [Mon, 23 Sep 2013 09:25:48 +0000 (12:25 +0300)]
h263dec: Remove a hack that can cause infinite loops

The actual usefulness of the hack is not known, and it does cause
infinite loops with some broken input files.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8812a8057f539845f6801cafdf6c481a59e96b48)

Signed-off-by: Martin Storsjö <martin@martin.st>

6 years ago mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
Martin Storsjö [Tue, 24 Sep 2013 09:02:39 +0000 (12:02 +0300)]
mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0

This fixes breakage in a few fate tests on certain setups
(that for some reason didn't break on OS X) after the previous
commit (8812a8057). Currently, some video streams are initialized
in ff_MPV_common_init with width/height set at 0 and only changed
to a proper video size with ff_MPV_common_frame_size_change later.

The breakage was diagnosed by Anton Khirnov.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5f24fe82e5fcf227abb5ebf62aa9bc246fda8c0d)

Signed-off-by: Martin Storsjö <martin@martin.st>

6 years ago vc1dec: Don't decode slices when the latest slice header failed to decode
Michael Niedermayer [Tue, 19 Feb 2013 20:40:09 +0000 (21:40 +0100)]
vc1dec: Don't decode slices when the latest slice header failed to decode

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavcodec/vc1dec.c

6 years ago vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
Martin Storsjö [Fri, 20 Sep 2013 08:32:25 +0000 (11:32 +0300)]
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/vc1dec.c

6 years ago r3d: Add more input value validation
Martin Storsjö [Thu, 19 Sep 2013 14:02:36 +0000 (17:02 +0300)]
r3d: Add more input value validation

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavformat/r3d.c

6 years ago fraps: Make the input buffer size checks more strict
Martin Storsjö [Thu, 19 Sep 2013 13:29:23 +0000 (16:29 +0300)]
fraps: Make the input buffer size checks more strict

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavcodec/fraps.c

6 years ago svq3: Avoid a division by zero
Martin Storsjö [Thu, 19 Sep 2013 12:58:59 +0000 (15:58 +0300)]
svq3: Avoid a division by zero

If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)

6 years ago rmdec: Validate the fps value
Martin Storsjö [Mon, 16 Sep 2013 17:58:38 +0000 (20:58 +0300)]
rmdec: Validate the fps value

Abort if it is invalid if strict error checking has been requested.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/rmdec.c

6 years ago twinvqdec: Check the ibps parameter separately
Martin Storsjö [Tue, 17 Sep 2013 16:33:48 +0000 (19:33 +0300)]
twinvqdec: Check the ibps parameter separately

This is required, since invalid parameters actually could
pass the switch check below.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)

6 years ago asfdec: Check the return value of asf_read_stream_properties
Martin Storsjö [Sat, 28 Sep 2013 20:32:57 +0000 (23:32 +0300)]
asfdec: Check the return value of asf_read_stream_properties

This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

6 years ago mxfdec: set audio timebase to 1/samplerate
Anton Khirnov [Sat, 28 Sep 2013 14:56:54 +0000 (16:56 +0200)]
mxfdec: set audio timebase to 1/samplerate

Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron <matthieu.bouron@gmail.com>

Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
CC: libav-stable@libav.org
(cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

6 years ago pcx: Check the packet size before assuming it fits a palette
Martin Storsjö [Sun, 29 Sep 2013 10:02:27 +0000 (13:02 +0300)]
pcx: Check the packet size before assuming it fits a palette

This fixes reads out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/pcx.c

6 years ago rpza: Fix a buffer size check
Martin Storsjö [Sat, 28 Sep 2013 22:24:20 +0000 (01:24 +0300)]
rpza: Fix a buffer size check

We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

6 years ago xxan: Disallow odd width
Martin Storsjö [Sat, 28 Sep 2013 22:04:05 +0000 (01:04 +0300)]
xxan: Disallow odd width

Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

6 years ago xan: Only read within the data that actually was initialized
Martin Storsjö [Sat, 28 Sep 2013 21:59:50 +0000 (00:59 +0300)]
xan: Only read within the data that actually was initialized

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

6 years ago xan: Use bytestream2 to limit reading to within the buffer
Martin Storsjö [Sat, 28 Sep 2013 21:53:58 +0000 (00:53 +0300)]
xan: Use bytestream2 to limit reading to within the buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>