ffmpeg.git
6 years agodsputil: fix invalid array indexing
Mans Rullgard [Thu, 26 Apr 2012 13:00:43 +0000 (14:00 +0100)]
dsputil: fix invalid array indexing

Indexing outside an array is invalid and causes errors with
gcc 4.8.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0a07f2b346433a9a2677c69c6b29a1a827e39109)

Signed-off-by: Diego Biurrun <diego@biurrun.de>
6 years agoshorten: use the unsigned type where needed
Luca Barbato [Tue, 5 Mar 2013 16:12:35 +0000 (17:12 +0100)]
shorten: use the unsigned type where needed

get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.

CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c)
(cherry picked from commit 88089eecfd7e604d40d078b4f4206c647cb2e2b4)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c

6 years agoshorten: report meaningful errors
Luca Barbato [Tue, 5 Mar 2013 15:34:16 +0000 (16:34 +0100)]
shorten: report meaningful errors

(cherry picked from commit 4c364eb2b856fc33cf7b42f7c7b979e69fde5f3a)
(cherry picked from commit 0daf1428e82926dc5a8c72a0ff4c93aaa8a84ed9)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years agoshorten: K&R formatting cosmetics
Luca Barbato [Tue, 5 Mar 2013 15:11:28 +0000 (16:11 +0100)]
shorten: K&R formatting cosmetics

(cherry picked from commit a2ad554def214d2d03b7c16f68dc081a8622f9ca)
(cherry picked from commit 97cc2f286f9e3eed1a00034367ebca58cc05ee39)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c

6 years agoshorten: set invalid channels count to 0
Michael Niedermayer [Tue, 5 Mar 2013 14:13:04 +0000 (15:13 +0100)]
shorten: set invalid channels count to 0

Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)
(cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years agomatroskadec: request a read buffer for the wav header
Luca Barbato [Tue, 12 Mar 2013 17:56:28 +0000 (18:56 +0100)]
matroskadec: request a read buffer for the wav header

Solve an infiniloop.

CC: libav-stable@libav.org
(cherry picked from commit 37cb3b180a1dc3d6f123f68e0806585ebc2578b6)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years agoh264: check for luma and chroma bit depth being equal
Luca Barbato [Sun, 10 Mar 2013 01:50:52 +0000 (02:50 +0100)]
h264: check for luma and chroma bit depth being equal

The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.

Avoid the possible problems described in CVE-2013-2277

6 years agovc1: Move init code shared between decoder and parser to common code file.
Diego Biurrun [Tue, 6 Mar 2012 17:59:03 +0000 (18:59 +0100)]
vc1: Move init code shared between decoder and parser to common code file.

This fixes standalone compilation of the VC-1 parser.
(cherry picked from commit 3c715383ea7012ac69507e6b9189c98675c77461)

Conflicts:

libavcodec/vc1data.h

Signed-off-by: Diego Biurrun <diego@biurrun.de>
6 years agolibmp3lame: use the correct remaining buffer size when flushing
Justin Ruggles [Wed, 16 Jan 2013 22:52:55 +0000 (17:52 -0500)]
libmp3lame: use the correct remaining buffer size when flushing

CC:libav-stable@libav.org
(cherry picked from commit e984f47873258b600fd88423f40e3cdaad179190)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b77d9cbbd5050eda75030c8926241af3dbe1a8df)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoxxan: fix invalid memory access in xan_decode_frame_type0()
Anton Khirnov [Wed, 6 Mar 2013 08:06:16 +0000 (09:06 +0100)]
xxan: fix invalid memory access in xan_decode_frame_type0()

The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agowmadec: require block_align to be set.
Anton Khirnov [Wed, 6 Mar 2013 08:58:00 +0000 (09:58 +0100)]
wmadec: require block_align to be set.

Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.

CC:libav-stable@libav.org
(cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c1f479e8df24284237c80ad959619fc85e29a26d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agowmaprodec: return an error, not 0, when the input is too small.
Anton Khirnov [Wed, 6 Mar 2013 09:02:50 +0000 (10:02 +0100)]
wmaprodec: return an error, not 0, when the input is too small.

Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.

CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 60dd8b5733f9ec4919fbc732ace1be8184dde880)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agovmdaudio: fix invalid reads when packet size is not a multiple of chunk size
Anton Khirnov [Wed, 6 Mar 2013 09:42:51 +0000 (10:42 +0100)]
vmdaudio: fix invalid reads when packet size is not a multiple of chunk size

CC:libav-stable@libav.org
(cherry picked from commit f86d66bcfa48998b0727aa0d1089a30cbeae0933)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77cf052e395b1fac8dd181d4f76b0101d1acd625)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agovorbisdec: Error on bark_map_size equal to 0.
Michael Niedermayer [Thu, 10 Jan 2013 23:54:12 +0000 (00:54 +0100)]
vorbisdec: Error on bark_map_size equal to 0.

The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.

CVE-2013-0894

CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494ddd377ada76ed555f7a3f49391455daa099c9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoconfigure: clean up Altivec detection
Mans Rullgard [Wed, 15 Aug 2012 23:10:33 +0000 (00:10 +0100)]
configure: clean up Altivec detection

There used to be one test for Altivec intrinsics support and a
separate test to determine which of two possible syntaxes to use
for vector literals.  Since 2008, we only support the more common
of these so the split test no longer makes sense.

This combines the tests into one and also changes the hard error on
failure to a warning.  The test can reasonably fail if no --cpu flag
is provided (or is provided with an unknown CPU) and the compiler
default target does not support Altivec.  Aborting in this case is
probably over-reacting.

Fixes: #464, http://bugs.debian.org/701710

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 20bcce507aa6b9c866e34eee75d80305109767a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoUpdate RELEASE file for 0.8.6
Reinhard Tartler [Sun, 17 Feb 2013 08:12:20 +0000 (09:12 +0100)]
Update RELEASE file for 0.8.6

6 years agoupdate year to 2013
Reinhard Tartler [Sun, 17 Feb 2013 08:11:57 +0000 (09:11 +0100)]
update year to 2013

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agooggdec: make sure the private parse data is cleaned up
Luca Barbato [Fri, 4 Jan 2013 15:05:51 +0000 (16:05 +0100)]
oggdec: make sure the private parse data is cleaned up
(cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646)

Related to CVE-2012-2882

Conflicts:

libavformat/oggdec.h
libavformat/oggparsevorbis.c

6 years agobuild: Fix CAF demuxer dependencies
Diego Biurrun [Tue, 10 Jul 2012 16:42:13 +0000 (18:42 +0200)]
build: Fix CAF demuxer dependencies

(cherry picked from commit a519463366238a7ec05d2bb76c4a67f42cf60ece)

Conflicts:

libavcodec/Makefile

6 years agodoc: developer: Allow tabs in the vim configuration for Automake files
Diego Biurrun [Fri, 22 Feb 2013 21:06:37 +0000 (22:06 +0100)]
doc: developer: Allow tabs in the vim configuration for Automake files

While we do not use Automake in libav, this allows our config to be
used more globally without introducing unwanted breakage.
(cherry picked from commit 040c565e51985477a8fa5e42d2ddfb26ebde6608)

Conflicts:

doc/developer.texi

6 years agodoc: filters: Correct BNF FILTER description
Vicente Jimenez Aguilar [Wed, 20 Feb 2013 01:35:00 +0000 (02:35 +0100)]
doc: filters: Correct BNF FILTER description

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit b5ad422bf4e671a8b30ce73ad236cd6b49940af9)

6 years agodoc: Fix some obsolete references to av* tools as ff* tools
Vicente Jimenez Aguilar [Sat, 16 Feb 2013 02:08:36 +0000 (03:08 +0100)]
doc: Fix some obsolete references to av* tools as ff* tools

Signed-off-by: Diego Biurrun <diego@biurrun.de>
CC: libav-stable@libav.org
(cherry picked from commit 202b5f6deb65e405b07b9b5c20f97c8cb925cf49)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agopthread: set the frame properties from the thread context, not user.
Anton Khirnov [Thu, 24 Jan 2013 10:45:27 +0000 (11:45 +0100)]
pthread: set the frame properties from the thread context, not user.

Right now, the frame properties are set from the user-facing
AVCodecContext before it is updated from the thread context, which is
wrong since they may be invalid or obsolete.

6 years agomp3: exit on parsing error in mp_decode_frame
Luca Barbato [Mon, 22 Oct 2012 16:50:32 +0000 (18:50 +0200)]
mp3: exit on parsing error in mp_decode_frame

Properly forward mp_decode_layer3 errors, mp_decode_layer1 and
mp_decode_layer2 do not return errors.

Based on a patch by Michael Niedermayer.
(cherry picked from commit 0c03cc68386443f1e96ab6fb358220faf67cd5ff)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agoindeo3: initialise pixel planes on allocation
Kostya Shishkov [Mon, 14 May 2012 17:33:03 +0000 (19:33 +0200)]
indeo3: initialise pixel planes on allocation

This prevents decoder from reading garbage from it in case of errors later.
(cherry picked from commit 81064a8045028838fd32d18490034c207c8ecc06)

Fixes an invalid read on sample from CVE-2012-2804

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agoUpdate Changelog
Reinhard Tartler [Sat, 12 Jan 2013 16:21:15 +0000 (17:21 +0100)]
Update Changelog

6 years agoh264: check ref_count validity for num_ref_idx_active_override_flag
Janne Grunau [Sat, 12 Jan 2013 16:22:50 +0000 (17:22 +0100)]
h264: check ref_count validity for num_ref_idx_active_override_flag

Fixes segfault in the fuzzed sample bipbop234.ts_s226407.
CC: libav-stable@libav.org
(cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8)
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
6 years agoh264: check context state before decoding slice data partitions
Janne Grunau [Wed, 28 Nov 2012 21:17:14 +0000 (22:17 +0100)]
h264: check context state before decoding slice data partitions

Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656.

Found-by: Mateusz "j00ru" Jurczyk
CC: libav-stable@libav.org
(cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agooggdec: free the ogg streams on read_header failure
Luca Barbato [Fri, 4 Jan 2013 14:44:02 +0000 (15:44 +0100)]
oggdec: free the ogg streams on read_header failure

Plug an annoying memory leak on broken files.
(cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522)

Conflicts:

libavformat/oggdec.c

6 years agooggdec: check memory allocation
Luca Barbato [Sat, 22 Dec 2012 16:58:24 +0000 (17:58 +0100)]
oggdec: check memory allocation

(cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5)

Conflicts:

libavformat/oggdec.c

6 years agoFix uninitialized reads on malformed ogg files.
Dale Curtis [Wed, 7 Mar 2012 22:26:58 +0000 (14:26 -0800)]
Fix uninitialized reads on malformed ogg files.

The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agortsp: Recheck the reordering queue if getting a new packet
Martin Storsjö [Mon, 7 Jan 2013 16:39:04 +0000 (18:39 +0200)]
rtsp: Recheck the reordering queue if getting a new packet

If we timed out and consumed a packet from the reordering queue,
but didn't return a packet to the caller, recheck the queue status.
Otherwise, we could end up in an infinite loop, trying to consume
a queued packet that has already been consumed.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8729698d50739524665090e083d1bfdf28235724)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoopt: avoid segfault in av_opt_next() if the class does not have an option list
Justin Ruggles [Thu, 8 Nov 2012 23:35:49 +0000 (18:35 -0500)]
opt: avoid segfault in av_opt_next() if the class does not have an option list

CC: libav-stable@libav.org
(cherry picked from commit d02202e08a994c6c80f0256ae756698541b59902)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoalacdec: do not be too strict about the extradata size
Justin Ruggles [Sat, 22 Dec 2012 06:21:09 +0000 (01:21 -0500)]
alacdec: do not be too strict about the extradata size

Sometimes the extradata has duplicate atoms, but that shouldn't prevent
decoding. Just ensure that it is at least 36 bytes as a sanity check.

CC: libav-stable@libav.org
(cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoh264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
Victor Lopez [Wed, 19 Dec 2012 08:12:24 +0000 (09:12 +0100)]
h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles

Fixes bug 396.

CC: libav-stable@libav.org
(cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoh264: check sps.log2_max_frame_num for validity
Janne Grunau [Sun, 25 Nov 2012 11:56:04 +0000 (12:56 +0100)]
h264: check sps.log2_max_frame_num for validity

Fixes infinite or long taking loop in frame num gap code in
the fuzzed sample bipbop234.ts_s223302.

CC: libav-stable@libav.org
(cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoh264: slice-mt: get last_pic_dropable from master context
Janne Grunau [Wed, 5 Dec 2012 18:56:36 +0000 (19:56 +0100)]
h264: slice-mt: get last_pic_dropable from master context

Fixes fate-h264-conformance-cvnlfi2_sony_h and smllwebdl.mkv from
https://github.com/OpenELEC/OpenELEC.tv/issues/1557 .

CC: libav-stable@libav.org
(cherry picked from commit a8cb1746c5b6307b2e820f965a7da8d907893b38)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoppc: always use pic for shared libraries
Luca Barbato [Mon, 3 Dec 2012 21:53:30 +0000 (22:53 +0100)]
ppc: always use pic for shared libraries

CC: libav-stable@libav.org
(cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996)

Conflicts:

configure

6 years agoh264: error out on unset current_picture_ptr for h->current_slice > 0
Janne Grunau [Wed, 21 Nov 2012 18:41:59 +0000 (19:41 +0100)]
h264: error out on unset current_picture_ptr for h->current_slice > 0

Fixes a segfault with fuzzed sample sample_varPAR_s11622_r001-02.avi.

CC: libav-stable@libav.org
(cherry picked from commit 0b300daad2f5cb59a7c06dde5ac701685e6edf16)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoflashsv: make sure data for zlib priming is available
Janne Grunau [Wed, 28 Nov 2012 16:31:35 +0000 (17:31 +0100)]
flashsv: make sure data for zlib priming is available

Fixes a segfault in the fuzzed sample resolutionchange.flv_s314809.

CC: libav-stable@libav.org
(cherry picked from commit 3ae69b91668e3d9b65af4007eb5871397cf0b0ab)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoh264: enable low delay only if no delayed frames were seen
Janne Grunau [Fri, 16 Nov 2012 13:31:09 +0000 (14:31 +0100)]
h264: enable low delay only if no delayed frames were seen

Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumely broken SPS.

CC: libav-stable@libav.org
(cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24)

Conflicts:

libavcodec/h264.c

6 years agoflashsv: check for keyframe before using differential coding
Janne Grunau [Sat, 24 Nov 2012 14:50:03 +0000 (15:50 +0100)]
flashsv: check for keyframe before using differential coding

Fixes a segfault in te fuzzed sample resolutionchange.flv_s211713.

CC: libav-stable@libav.org
(cherry picked from commit 5ae72f54532960cb9eae82a1c9e8d505106c022b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agolavf: avoid integer overflow in ff_compute_frame_duration()
Janne Grunau [Fri, 23 Nov 2012 13:05:36 +0000 (14:05 +0100)]
lavf: avoid integer overflow in ff_compute_frame_duration()

Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.

CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoaacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
Alex Converse [Wed, 12 Dec 2012 01:26:10 +0000 (17:26 -0800)]
aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.

Found-by: pawlkt
CC: libav-stable@libav.org
Fixes: CVE-2012-5144
(cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoAPIchanges: Fill in missing commit hashes
Diego Biurrun [Wed, 9 Jan 2013 08:52:48 +0000 (09:52 +0100)]
APIchanges: Fill in missing commit hashes

6 years agolavf: Bump minor version to distinguish branch and master version numbers
Diego Biurrun [Mon, 7 Jan 2013 22:50:16 +0000 (23:50 +0100)]
lavf: Bump minor version to distinguish branch and master version numbers

This enables checking for an API version not present in master that
has avformat_get_riff_video_tags() and avformat_get_riff_audio_tags().

6 years agovp6: properly fail on unsupported feature
Luca Barbato [Thu, 13 Dec 2012 15:20:19 +0000 (16:20 +0100)]
vp6: properly fail on unsupported feature

Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.

Fixes: CVE-2012-2783
(cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agomp3: properly forward mp_decode_frame errors
Luca Barbato [Mon, 22 Oct 2012 17:11:05 +0000 (19:11 +0200)]
mp3: properly forward mp_decode_frame errors

The function can return either a parsing error or a memory management
error.

Fixes: CVE-2012-2797

(cherry picked from commit 9ab0874ea8b6774c6f5470dba2b5b4615a610d0d)

Conflicts:

libavcodec/mpegaudiodec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agompeg12: do not decode extradata more than once.
Anton Khirnov [Thu, 13 Dec 2012 16:53:31 +0000 (17:53 +0100)]
mpeg12: do not decode extradata more than once.

Fixes CVE-2012-2803.

CC: libav-stable@libav.org
(cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2)

Conflicts:

libavcodec/mpeg12.c

6 years agoindeo3: when freeing buffers, set pointers referencing them to NULL as well
Kostya Shishkov [Mon, 14 May 2012 17:45:41 +0000 (19:45 +0200)]
indeo3: when freeing buffers, set pointers referencing them to NULL as well

Related to CVE-2012-2804
(cherry picked from commit bc00da27010ed9e5dbe47e5b6fae3dcddb999d78)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoindeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
Kostya Shishkov [Mon, 14 May 2012 17:30:54 +0000 (19:30 +0200)]
indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder

Related to CVE-2012-2804
(cherry picked from commit fc417db3f162d5269c0d22f8e467da4afa67c20a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoavconv: fix copying per-stream metadata.
Anton Khirnov [Sat, 24 Nov 2012 06:55:42 +0000 (07:55 +0100)]
avconv: fix copying per-stream metadata.

It is handled separately from other types because it uses stream
specifiers and currently that triggers an assert in SET_DICT.

(cherry picked from commit 4632abc7a3a64b23c243b21cae7a08e5af92231e)

Conflicts:

avconv_opt.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoid3v2: fix reading unsynchronized frames.
Anton Khirnov [Wed, 21 Nov 2012 07:48:47 +0000 (08:48 +0100)]
id3v2: fix reading unsynchronized frames.

Current code would incorrectly process e.g. 'ff 00 ff 00 ff' to
'ff ff ff', while it should be 'ff ff 00 ff'.

Fixes Bug 395.

CC: libav-stable@libav.org
(cherry picked from commit 9ae80e6a9cefcab61e867256ba19ef78a4bfe0cb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoh264: Fix parameters to ff_er_add_slice() call
Janne Grunau [Thu, 15 Nov 2012 15:21:41 +0000 (16:21 +0100)]
h264: Fix parameters to ff_er_add_slice() call

s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.

(cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36)

Conflicts:

libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agobuild: fix 'clean' target
Diego Biurrun [Thu, 3 Jan 2013 14:30:22 +0000 (15:30 +0100)]
build: fix 'clean' target

This fixes removal of TOOLS as well as HOSTPROGS declared in the
top-level Makefile.  The clean target in common.mak needs to be
eval'd since the variables used within are reset for each library.

(cherry picked from commit 395c3feb3bb165af5760d287a9a64344b6269fe2)

Conflicts:

common.mak
library.mak

Signed-off-by: Diego Biurrun <diego@biurrun.de>
6 years agobuild: Add 'check' target to run all compile and test targets.
Diego Biurrun [Sun, 26 Jun 2011 11:52:40 +0000 (13:52 +0200)]
build: Add 'check' target to run all compile and test targets.

(cherry picked from commit 4982e1ddfaff5287e05b95957f3c56901d60b56a)

Signed-off-by: Diego Biurrun <diego@biurrun.de>
6 years agoIgnore generated aviocat tool.
Diego Biurrun [Wed, 25 Jan 2012 13:56:24 +0000 (14:56 +0100)]
Ignore generated aviocat tool.

(cherry picked from commit 50639cbefef8cc9f3df19241be7cf23cde8313b7)

Signed-off-by: Diego Biurrun <diego@biurrun.de>
6 years agoavconv: only apply presets when we have an encoder.
Anton Khirnov [Mon, 22 Oct 2012 20:40:22 +0000 (22:40 +0200)]
avconv: only apply presets when we have an encoder.

Fixes a crash when using a preset with stream copy.
(cherry picked from commit 4e61a38aa038b7027c5ed423635168d463515d24)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoflacenc: ensure the order is within the min/max range in LPC order search
Justin Ruggles [Wed, 7 Nov 2012 19:48:28 +0000 (14:48 -0500)]
flacenc: ensure the order is within the min/max range in LPC order search

This fixes use of uninitialized values when the FLAC encoder uses the
2-level, 4-level, and 8-level search methods. Fixes failure of the
fate-flac-24-comp-8 test when run using valgrind.
(cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032)

Conflicts:

libavcodec/flacenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoyuv4mpeg: reject unsupported codecs
Luca Barbato [Fri, 26 Oct 2012 20:55:04 +0000 (22:55 +0200)]
yuv4mpeg: reject unsupported codecs

The muxer already rejects unsupported pixel formats, reject also
unsupported codecs to prevent dangerous misuses.
(cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db)

Conflicts:

libavformat/yuv4mpeg.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agovp8: reset loopfilter delta values at keyframes.
Sami Pietila [Fri, 12 Oct 2012 14:12:49 +0000 (07:12 -0700)]
vp8: reset loopfilter delta values at keyframes.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agovp56: release frames on error
Luca Barbato [Fri, 14 Dec 2012 08:55:04 +0000 (09:55 +0100)]
vp56: release frames on error

Fixes CVE-2012-2783

CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agovp56: make parse_header return standard error codes
Luca Barbato [Fri, 14 Dec 2012 07:22:06 +0000 (08:22 +0100)]
vp56: make parse_header return standard error codes

Returning 0 for failure is misleading.

CC: libav-stable@libav.org
(cherry picked from commit bb675d3ac6d722d5e117ae9042a996b55ca05b1d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoivi_common: check that scan pattern is set before using it.
Anton Khirnov [Thu, 13 Dec 2012 18:38:20 +0000 (19:38 +0100)]
ivi_common: check that scan pattern is set before using it.

Fixes CVE-2012-2791.

CC: libav-stable@libav.org
(cherry picked from commit deabb52ab4c1fdb3dd319f3980b1489a182011f1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoPrepare for 0.8.5 Release
Reinhard Tartler [Wed, 2 Jan 2013 19:07:48 +0000 (20:07 +0100)]
Prepare for 0.8.5 Release

6 years agox86: Require an assembler able to cope with AVX instructions
Diego Biurrun [Sun, 11 Nov 2012 21:41:46 +0000 (22:41 +0100)]
x86: Require an assembler able to cope with AVX instructions

All modern assemblers have this capability.  Older NASM versions
that lack the capability produce code that crashes at runtime,
so it's better to error out during the build process instead.

CC: libav-stable@libav.org
(cherry picked from commit b8e8a07c6c4df93de92480f5c3a14296a6a2a690)

Conflicts:

configure

6 years agosvq3: replace unsafe pointer casting with intreadwrite macros
Mans Rullgard [Thu, 11 Oct 2012 15:08:22 +0000 (16:08 +0100)]
svq3: replace unsafe pointer casting with intreadwrite macros

Signed-off-by: Mans Rullgard <mans@mansr.com>
6 years agoUpdate Changelog for the 0.8.4 Release
Reinhard Tartler [Wed, 17 Oct 2012 22:08:30 +0000 (00:08 +0200)]
Update Changelog for the 0.8.4 Release

6 years agolavc: remove stats_out from the options table.
Anton Khirnov [Fri, 19 Oct 2012 18:39:27 +0000 (20:39 +0200)]
lavc: remove stats_out from the options table.

Since it is declared as a string AVOption, the generic freeing code
attempts to free it on codec close. Some codecs might have already freed
it elsewhere (or didn't even allocate it with av_malloc() in the first
place), so this might lead to an invalid free.

There is no point in having this field accessible as an AVOption, so
remove it from the options table.

Fixes Bug 380.

CC: libav-stable@libav.org
(cherry picked from commit b691135d0c6a2b1cca91adadaf457c2989c6a55d)

Conflicts:

libavcodec/options_table.h

6 years agoPrepare for 0.8.4 Release
Reinhard Tartler [Wed, 17 Oct 2012 21:55:27 +0000 (23:55 +0200)]
Prepare for 0.8.4 Release

6 years agotiffenc: Check av_malloc() results.
Alex Converse [Wed, 19 Sep 2012 18:12:58 +0000 (11:12 -0700)]
tiffenc: Check av_malloc() results.

(cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6)

Conflicts:

libavcodec/tiffenc.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agompegaudiodec: fix short_start calculation
Luca Barbato [Fri, 28 Sep 2012 12:38:13 +0000 (14:38 +0200)]
mpegaudiodec: fix short_start calculation

The value should be always 3, as it follows from the specification.

Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoh264: avoid stuck buffer pointer in decode_nal_units
Jindřich Makovička [Sat, 29 Sep 2012 09:16:45 +0000 (11:16 +0200)]
h264: avoid stuck buffer pointer in decode_nal_units

When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.

This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.

With this change, the remaining bytes are skipped so the whole packet gets
consumed.

CC:libav-stable@libav.org

Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)

Conflicts:

libavcodec/h264.c

6 years agovf_pad/scale: use double precision for aspect ratios.
Anton Khirnov [Fri, 5 Oct 2012 12:45:30 +0000 (14:45 +0200)]
vf_pad/scale: use double precision for aspect ratios.

Fixes Bug 203.

CC:libav-stable@libav.org
(cherry picked from commit ba04177eeb690ba4e93ec30fc8eb02f5319f844b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoyuv4mpeg: return proper error codes.
Anton Khirnov [Fri, 5 Oct 2012 13:53:32 +0000 (15:53 +0200)]
yuv4mpeg: return proper error codes.

Fixes Bug 373.

CC:libav-stable@libav.org
(cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agosmacker audio: sign-extend the initial 16-bit predicted value
Franz Brauße [Fri, 30 Mar 2012 18:40:14 +0000 (14:40 -0400)]
smacker audio: sign-extend the initial 16-bit predicted value

Fixes Bug #265

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agovf_pad: don't give up its own reference to the output buffer.
Anton Khirnov [Sun, 8 Jul 2012 15:01:17 +0000 (17:01 +0200)]
vf_pad: don't give up its own reference to the output buffer.

Conflicts:
libavfilter/vf_pad.c

Fixes Bug 245

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agolibvorbis: use VBR by default, with default quality of 3
Justin Ruggles [Wed, 29 Feb 2012 00:33:07 +0000 (19:33 -0500)]
libvorbis: use VBR by default, with default quality of 3

(cherry picked from commit 147ff24a0e8d819615a0f596df3ea47dddd79fdc)

Conflicts:
libavcodec/libvorbis.c

Fixes a part of Bug 277

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agolibvorbis: fix use of minrate/maxrate AVOptions
Justin Ruggles [Tue, 28 Feb 2012 23:52:30 +0000 (18:52 -0500)]
libvorbis: fix use of minrate/maxrate AVOptions

- enable the options for audio encoding
- properly check for user-set maxrate
- use correct calling order in vorbis_encode_setup_managed()
(cherry picked from commit 182d4f1f3855460ee8634ea052f33332cf9d174e)

Conflicts:
libavcodec/libvorbis.c

Fixes a part of Bug 277

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agoh264: fix deadlocks on incomplete reference frame decoding.
Ronald S. Bultje [Fri, 16 Mar 2012 22:24:08 +0000 (15:24 -0700)]
h264: fix deadlocks on incomplete reference frame decoding.

If decoding a second complementary field, and the first was
decoded in our thread, mark decoding of that field as complete.
If decoding fails, mark the decoded field/frame as complete.
Do not allow switching between field modes or field/frame mode
between slices within the same field/frame. Ensure that two
subsequent fields cover top/bottom (rather than top/frame,
bottom/frame or such nonsense situations).

Fixes various deadlocks when decoding samples with errors in
reference frames.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1e26a48fa23ef8e1cbc424667d387184d8155f15)

Fixes Bug 118

Conflicts:
libavcodec/h264.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agocmdutils: avoid setting data pointers to invalid values in alloc_buffer()
Anton Khirnov [Tue, 11 Sep 2012 09:03:52 +0000 (11:03 +0200)]
cmdutils: avoid setting data pointers to invalid values in alloc_buffer()

Fixes bug 352.
(cherry picked from commit 990450c5bf17afc31a81d6225afaac86d0dca5dd)

Conflicts:
cmdutils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agoavidec: return 0, not packet size from read_packet().
Anton Khirnov [Fri, 28 Sep 2012 13:26:48 +0000 (15:26 +0200)]
avidec: return 0, not packet size from read_packet().

(cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agowmapro: prevent division by zero when sample rate is unspecified
Sean McGovern [Thu, 2 Aug 2012 19:37:28 +0000 (15:37 -0400)]
wmapro: prevent division by zero when sample rate is unspecified

This fixes Bugzilla #327:

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 3680b2435101a5de56821718a71c828320d535a0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years agovc1dec: check that coded slice positions and interlacing match.
Michael Niedermayer [Sat, 28 Jul 2012 11:14:50 +0000 (17:14 +0600)]
vc1dec: check that coded slice positions and interlacing match.

This fixes out of array writes.

Addresses: CVE-2012-2796

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 1100acbab26883007898c53efeb289f562c6e514)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoalsdec: fix number of decoded samples in first sub-block in BGMC mode.
Thilo Borgmann [Sun, 15 Apr 2012 16:07:12 +0000 (18:07 +0200)]
alsdec: fix number of decoded samples in first sub-block in BGMC mode.

Fixes CVE-2012-2790

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoalsdec: remove dead assignments
Mans Rullgard [Sun, 1 Jul 2012 12:36:30 +0000 (13:36 +0100)]
alsdec: remove dead assignments

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4ca6d206d1b5beea42c4290d2ee801aaf5cd31f0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoalsdec: Fix out of ltp_gain_values read.
Thilo Borgmann [Sun, 11 Mar 2012 15:56:23 +0000 (16:56 +0100)]
alsdec: Fix out of ltp_gain_values read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoalsdec: Check that quantized parcor coeffs are within range.
Michael Niedermayer [Wed, 29 Feb 2012 05:10:17 +0000 (06:10 +0100)]
alsdec: Check that quantized parcor coeffs are within range.

ALS spec:
11.6.3.1.1 Quantization and encoding of parcor coefficients
...
In all cases the resulting quantized values ak are restricted to the range [-64,63].

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agoalsdec: Check k used for rice decoder.
Michael Niedermayer [Sat, 7 Apr 2012 15:25:47 +0000 (17:25 +0200)]
alsdec: Check k used for rice decoder.

Values that fail this check will cause failure of decode_rice()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years agowav: do not fail on empty INFO tags
Anton Khirnov [Tue, 16 Oct 2012 08:33:52 +0000 (10:33 +0200)]
wav: do not fail on empty INFO tags

Fixes Bug 379

CC: libav-stable@libav.org
7 years agocavsdec: check for changing w/h.
Michael Niedermayer [Sat, 24 Mar 2012 01:40:24 +0000 (02:40 +0100)]
cavsdec: check for changing w/h.

Our decoder does not support changing w/h.

Fixes CVE-2012-2777 and CVE-2012-2784.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo4: update AVCodecContext width/height on size change
Michael Niedermayer [Sat, 14 Apr 2012 18:04:05 +0000 (20:04 +0200)]
indeo4: update AVCodecContext width/height on size change

Fixes CVE-2012-2787

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b146d74730ab9ec5abede9066f770ad851e45fbc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoavidec: use actually read size instead of requested size
Anton Khirnov [Fri, 28 Sep 2012 13:42:29 +0000 (15:42 +0200)]
avidec: use actually read size instead of requested size

Fixes CVE-2012-2788
(cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agowmaprodec: check num_vec_coeffs for validity
Michael Niedermayer [Sat, 14 Apr 2012 09:07:11 +0000 (11:07 +0200)]
wmaprodec: check num_vec_coeffs for validity

Fixes CVE-2012-2789

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 99f392a584dd10b553facc8e819f2c7e982e176d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agolagarith: check count before writing zeros.
Michael Niedermayer [Sat, 14 Apr 2012 16:28:31 +0000 (18:28 +0200)]
lagarith: check count before writing zeros.

Fixes CVE-2012-2793

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo3: fix out of cell write.
Anton Khirnov [Sat, 29 Sep 2012 08:39:49 +0000 (10:39 +0200)]
indeo3: fix out of cell write.

Fixes CVE-2012-2776.

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit e4d4044339b9c3b0f45f7203cd026eda3c0414c0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo5: check tile size in decode_mb_info().
Michael Niedermayer [Sun, 15 Apr 2012 12:11:50 +0000 (14:11 +0200)]
indeo5: check tile size in decode_mb_info().

This prevents writing into a too small array if some parameters changed
without the tile being reallocated.

Fixes CVE-2012-2794

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo5: prevent null pointer dereference on broken files
Janne Grunau [Mon, 23 Jan 2012 20:33:34 +0000 (21:33 +0100)]
indeo5: prevent null pointer dereference on broken files

Found by John Villamil <johnv@matasano.com>
(cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo5dec: Make sure we have had a valid gop header.
Michael Niedermayer [Sat, 24 Mar 2012 16:43:55 +0000 (17:43 +0100)]
indeo5dec: Make sure we have had a valid gop header.

This prevents decoding happening on a half initialized context.

Fixes CVE-2012-2779

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 891918431db628db17885ed947ee387b29826a64)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo4/5: check empty tile size in decode_mb_info().
Anton Khirnov [Sat, 29 Sep 2012 09:07:58 +0000 (11:07 +0200)]
indeo4/5: check empty tile size in decode_mb_info().

This prevents writing into a too small array if some parameters changed
without the tile being reallocated.

Based on a patch by Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2012-2800

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>