ffmpeg.git
5 years ago cdgraphics: switch to bytestream2
Anton Khirnov [Wed, 6 Aug 2014 10:46:50 +0000 (10:46 +0000)]
cdgraphics: switch to bytestream2

Fixes possible invalid memory accesses on corrupted data.

CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago huffyuvdec: check width size for yuv422p
Michael Niedermayer [Sat, 2 Aug 2014 23:54:33 +0000 (00:54 +0100)]
huffyuvdec: check width size for yuv422p

Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago mmvideo: check horizontal coordinate too
Michael Niedermayer [Sun, 3 Aug 2014 18:24:18 +0000 (19:24 +0100)]
mmvideo: check horizontal coordinate too

Fixes out of array accesses.

Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago wmalosslessdec: fix mclms_coeffs* array size
Michael Niedermayer [Fri, 7 Feb 2014 14:07:23 +0000 (15:07 +0100)]
wmalosslessdec: fix mclms_coeffs* array size

Fixes corruption of context

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Bug-Id: CVE-2014-2098
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 849b9d34c7ef70b370c53e7af3940f51cbc07d0f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago lavc: Check the image size before calling get_buffer
Luca Barbato [Mon, 4 Aug 2014 12:15:45 +0000 (14:15 +0200)]
lavc: Check the image size before calling get_buffer

Bug-Id: CVE-2011-3935
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
5 years ago huffyuv: Check and propagate function return values
Diego Biurrun [Sun, 3 Aug 2014 19:19:10 +0000 (12:19 -0700)]
huffyuv: Check and propagate function return values

Bug-Id: CVE-2013-0868

inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c

5 years ago h264: prevent theoretical infinite loop in SEI parsing
Vittorio Giovara [Wed, 30 Jul 2014 18:33:36 +0000 (19:33 +0100)]
h264: prevent theoretical infinite loop in SEI parsing

Properly address CVE-2011-3946 and parse bitstream as described in the spec.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
5 years ago h264_sei: check SEI size
Michael Niedermayer [Thu, 19 Sep 2013 14:26:25 +0000 (16:26 +0200)]
h264_sei: check SEI size

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
5 years ago pgssubdec: Check RLE size before copying
Michael Niedermayer [Thu, 31 Jul 2014 01:31:19 +0000 (21:31 -0400)]
pgssubdec: Check RLE size before copying

Make sure the buffer size does not exceed the expected
RLE size.

Prevent an out of array bound write.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a1f7844a11010d8552c75424d1a831b37a0ae5d9)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago fate: Add dependencies for dct/fft/mdct/rdft tests
Diego Biurrun [Thu, 26 Jun 2014 00:09:13 +0000 (17:09 -0700)]
fate: Add dependencies for dct/fft/mdct/rdft tests

(cherry picked from commit d396987c303bdc4eea7d1a1ff6776475d9bbd9ea)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/fft-test.c

5 years ago video4linux2: Avoid a floating point exception
Bernhard Übelacker [Sun, 27 Jul 2014 15:38:59 +0000 (08:38 -0700)]
video4linux2: Avoid a floating point exception

This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.

(cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago vf_select: Drop a debug av_log with an unchecked double to enum conversion
Diego Biurrun [Tue, 29 Jul 2014 12:43:04 +0000 (05:43 -0700)]
vf_select: Drop a debug av_log with an unchecked double to enum conversion

CC: libav-stable@libav.org
(cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago eamad: use the bytestream2 API instead of AV_RL
Anton Khirnov [Sun, 20 Jul 2014 12:06:47 +0000 (12:06 +0000)]
eamad: use the bytestream2 API instead of AV_RL

This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c)

CC:libav-stable@libav.org

Conflicts:
libavcodec/eamad.c

(cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago Update Changelog for v9.14
Reinhard Tartler [Fri, 27 Jun 2014 01:27:56 +0000 (21:27 -0400)]
Update Changelog for v9.14

5 years ago Prepare for 9.14 Release
Reinhard Tartler [Fri, 27 Jun 2014 01:23:39 +0000 (21:23 -0400)]
Prepare for 9.14 Release

5 years ago adpcm: Write the proper predictor in trellis mode in IMA QT
Martin Storsjö [Thu, 5 Jun 2014 11:49:14 +0000 (14:49 +0300)]
adpcm: Write the proper predictor in trellis mode in IMA QT

The actual predictor value, set by the trellis code, never
was written back into the variable that was written into
the block header. This was accidentally removed in b304244b.

This significantly improves the audio quality of the trellis
case, which was plain broken since b304244b.

Encoding IMA QT with trellis still actually gives a slightly
worse quality than without trellis, since the trellis encoder
doesn't use the exact same way of rounding as in
adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0776e0ef6ba4160281ef3fabea43e670f3792b4a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago adpcm: Avoid reading out of bounds in the IMA QT trellis encoder
Martin Storsjö [Thu, 5 Jun 2014 08:48:53 +0000 (11:48 +0300)]
adpcm: Avoid reading out of bounds in the IMA QT trellis encoder

This was broken in 095be4fb - samples+ch (for the previous
non-planar case) equals &samples_p[ch][0]. The confusion
probably stemmed from the IMA WAV case where it originally
was &samples[avctx->channels + ch], which was correctly
changed into &samples_p[ch][1].

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3d79d0c93e5b37a35b1b22d6c18699c233aad1ba)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago Check mp3 header before calling avpriv_mpegaudio_decode_header().
Justin Ruggles [Sun, 22 Jun 2014 17:19:36 +0000 (13:19 -0400)]
Check mp3 header before calling avpriv_mpegaudio_decode_header().

As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.

CC:libav-stable@libav.org
(cherry picked from commit f2f2e7627f0c878d13275af5d166ec5932665e28)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago Check if an mp3 header is using a reserved sample rate.
Justin Ruggles [Sun, 22 Jun 2014 17:11:32 +0000 (13:11 -0400)]
Check if an mp3 header is using a reserved sample rate.

Fixes an invalid read past the end of avpriv_mpa_freq_tab.
Fixes divide-by-zero due to sample_rate being set to 0.

Bug-Id: 705

CC:libav-stable@libav.org

Conflicts:
libavcodec/mpegaudiodecheader.c

5 years ago lzo: Handle integer overflow
Luca Barbato [Thu, 19 Jun 2014 21:26:58 +0000 (23:26 +0200)]
lzo: Handle integer overflow

get_len can overflow for specially crafted payload.

Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago sgidec: fix an incorrect backport
Sean McGovern [Mon, 2 Jun 2014 21:42:17 +0000 (17:42 -0400)]
sgidec: fix an incorrect backport

Bug-Id: 691

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago avconv: do not send non-monotonous DTS to the muxers.
Anton Khirnov [Wed, 24 Apr 2013 06:34:44 +0000 (08:34 +0200)]
avconv: do not send non-monotonous DTS to the muxers.

Hack partially based on a commit by Michael Niedermayer <michaelni@gmx.at>
Should fix (or work around) bug 458.
(cherry picked from commit 76d23f40314fc1dcd74a3d470b17782cc0ee5a3a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago avconv: make -shortest work with streamcopy
Anton Khirnov [Tue, 10 Jun 2014 15:41:57 +0000 (17:41 +0200)]
avconv: make -shortest work with streamcopy

CC: libav-stable@libav.org
(cherry picked from commit 48e50921337984ba4ec2c1cafe45d43787f84498)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago matroskaenc: do not write negative timestamps
Anton Khirnov [Sun, 1 Jun 2014 10:40:20 +0000 (12:40 +0200)]
matroskaenc: do not write negative timestamps

Bug-Id: 597, 341

5 years ago update Changelog
Rafaël Carré [Tue, 27 Aug 2013 15:35:49 +0000 (17:35 +0200)]
update Changelog

5 years ago Update Changelog for v9.13
Reinhard Tartler [Sun, 4 May 2014 14:37:49 +0000 (10:37 -0400)]
Update Changelog for v9.13

5 years ago swscale: Fix an undefined behaviour
Luca Barbato [Thu, 1 May 2014 22:21:23 +0000 (00:21 +0200)]
swscale: Fix an undefined behaviour

Prevent a division by zero down the codepath.

Sample-Id: 00001721-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3a177a9cca924e097265b32f9282814f6b653e08)
(cherry picked from commit 0499f7809c1fcc33ed710cdf771a18b374702135)

5 years ago matroska: add the Opus mapping
Anton Khirnov [Sun, 27 Apr 2014 11:40:11 +0000 (13:40 +0200)]
matroska: add the Opus mapping

(cherry picked from commit 141fdc763c2841b572d29a2ad78513e8d5325870)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 79041d92ee7421853ee8c57fc13891cb0c272e0e)

5 years ago mp3enc: Properly write bitrate value in XING header
Michael Niedermayer [Wed, 9 Apr 2014 16:22:53 +0000 (18:22 +0200)]
mp3enc: Properly write bitrate value in XING header

Instead of using a fixed bitrate_idx, calculate a matching bitrate for
the XING header.

Using a fixed bitrate_idx causes tools such as file(1) and mediainfo(1)
to report wrong bitrate and bitrate mode when using CBR.

Bug-Id: https://bugs.debian.org/736088

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 617a1a98a6be3e59db6fbfc21afab2fb9a049c03)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0f6e309b97e3da83a0fa75fbf1c4b50cd72047eb)

5 years ago oggdec: add support for Opus in Ogg demuxing
Nicolas George [Sun, 24 Jun 2012 09:38:18 +0000 (11:38 +0200)]
oggdec: add support for Opus in Ogg demuxing

Fixes: https://bugzilla.libav.org/show_bug.cgi?id=603
Fixes: http://bugs.debian.org/720563

(cherry picked from commit ecab1c77410f023b437c6ed3a3281be8f039e574)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago apedec: do not buffer decoded samples over AVPackets
Rafaël Carré [Tue, 27 Aug 2013 15:35:49 +0000 (17:35 +0200)]
apedec: do not buffer decoded samples over AVPackets

Only consume an AVPacket when all the samples have been read.

When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:

- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exists) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet.

That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).

Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape

Bug-Debian: http://bugs.debian.org/744901
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago isom: lpcm in mov default to big endian
Mark Himsley [Fri, 1 Nov 2013 11:22:53 +0000 (11:22 +0000)]
isom: lpcm in mov default to big endian

It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.

I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]

Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.

This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.

[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178

Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
(cherry picked from commit 360022bd3b894cc01ea112b275fa4c8f53881808)
(cherry picked from commit d37fac6dbbdddb76225aa691b83ffd9a0c7dae6b)

5 years ago movdec: handle 0x7fff langcode as macintosh per the specs
Baptiste Coudurier [Wed, 21 Mar 2012 21:18:16 +0000 (14:18 -0700)]
movdec: handle 0x7fff langcode as macintosh per the specs

The correct point that separates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
separation is but apparently only defined the meaning of the first 137.

(cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059)
(cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa)

5 years ago h264: reset next_output_pic earlier in start_frame()
Anton Khirnov [Wed, 23 Apr 2014 20:26:40 +0000 (22:26 +0200)]
h264: reset next_output_pic earlier in start_frame()

In case start_frame() fails, this potentially invalid frame can still be
output to the caller.

Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206

5 years ago Revert "pthread: flush all threads on flush, not just the first one"
Anton Khirnov [Thu, 24 Apr 2014 05:40:34 +0000 (07:40 +0200)]
Revert "pthread: flush all threads on flush, not just the first one"

This reverts commit 2eb15cdeef29eb8a0a32658154decba94b4b89cb.

It does not work correctly in pre-refcounting threading code.

5 years ago configure: Support older version of openjpeg1
Luca Barbato [Wed, 12 Mar 2014 09:30:07 +0000 (09:30 +0000)]
configure: Support older version of openjpeg1

It should work best for debian stable and people not installing the .pc
file.
(cherry picked from commit aa807425395caa17a85ed2833133278e8bd44a76)

Conflicts:
configure

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago configure: Use the right pkgconf file for openjpeg
Luca Barbato [Mon, 10 Mar 2014 10:48:04 +0000 (11:48 +0100)]
configure: Use the right pkgconf file for openjpeg

The current release of version 1 uses libopenjpeg1.
(cherry picked from commit 4a8562394b685e83ae4a38a93eef43625755a231)

Conflicts:
configure

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago rtmpproto: Make sure to pass on the error code if read_connect failed
Martin Storsjö [Sun, 13 Apr 2014 10:44:03 +0000 (13:44 +0300)]
rtmpproto: Make sure to pass on the error code if read_connect failed

Previously, if read_connect failed, the ret variable was unmodified
and had the value 0, indicating success, which then was returned from
the rtmp_open function, even though it actually failed.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6477139721f559b26eafd415e23e13ea2b0c27e1)

5 years ago lavr: allocate the resampling buffer with a positive size
Anton Khirnov [Thu, 20 Mar 2014 19:40:24 +0000 (20:40 +0100)]
lavr: allocate the resampling buffer with a positive size

This fixes cases where very few input samples (fewer than needed for one
output sample) are passed to lavr at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit ac976ed91e323754e9a84509873ebdb437372797)

5 years ago tiffdec: use bytestream2 to simplify overread/overwrite protection
Justin Ruggles [Sun, 29 Sep 2013 23:47:55 +0000 (19:47 -0400)]
tiffdec: use bytestream2 to simplify overread/overwrite protection

Based on a patch by Paul B Mahol <onemda@gmail.com>

CC:libav-stable@libav.org

5 years ago bytestream: add bytestream2_copy_buffer() functions
Justin Ruggles [Sun, 29 Sep 2013 23:45:57 +0000 (19:45 -0400)]
bytestream: add bytestream2_copy_buffer() functions

This is basically an overread/overwrite-safe memcpy between a
GetByteContext and a PutByteContext.

CC:libav-stable@libav.org
(cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278)

5 years ago bytestream: add functions for accessing size of buffer
Paul B Mahol [Wed, 21 Mar 2012 00:10:18 +0000 (00:10 +0000)]
bytestream: add functions for accessing size of buffer

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783)

5 years ago resample: fix avresample_get_delay() return value
Anton Khirnov [Tue, 4 Mar 2014 20:18:27 +0000 (21:18 +0100)]
resample: fix avresample_get_delay() return value

The correct "next" input sample is not the first sample of the
resampling buffer, but the center sample of the filter_length-sized
block at the beginning.

CC:libav-stable@libav.org

5 years ago avi: Improve non-interleaved detection
Michael Niedermayer [Wed, 2 Apr 2014 07:11:10 +0000 (09:11 +0200)]
avi: Improve non-interleaved detection

Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.

Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.

Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago af_channelmap: fix ONE_STR mapping mode
Anton Khirnov [Tue, 4 Mar 2014 06:19:46 +0000 (07:19 +0100)]
af_channelmap: fix ONE_STR mapping mode

get_channel() returns 0 on success

CC:libav-stable@libav.org

5 years ago movenc: allow override of "writing application" tag
John Stebbins [Mon, 3 Mar 2014 20:20:15 +0000 (20:20 +0000)]
movenc: allow override of "writing application" tag

Signed-off-by: Tim Walker <tdskywalker@gmail.com>
CC: libav-stable@libav.org
(cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c)

5 years ago matroskaenc: allow override of "writing application" tag
John Stebbins [Mon, 3 Mar 2014 20:20:14 +0000 (20:20 +0000)]
matroskaenc: allow override of "writing application" tag

Signed-off-by: Tim Walker <tdskywalker@gmail.com>
CC: libav-stable@libav.org
(cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d)

5 years ago avfilter: Add missing emms_c when needed
Luca Barbato [Wed, 5 Mar 2014 09:41:33 +0000 (10:41 +0100)]
avfilter: Add missing emms_c when needed

Arch specific calls should have an emms_c following to keep the cpu
state consistent.

Reported-By: wm4
CC: libav-stable@libav.org
(cherry picked from commit e995cf1bccc6e91bbaa6a8771e23fb3ab259c110)

5 years ago build: Use pkg-config for openjpeg
Pierre Lejeune [Sat, 8 Mar 2014 12:19:17 +0000 (12:19 +0000)]
build: Use pkg-config for openjpeg

Bug-Id: 387
CC: libav-stable@libav.org
5 years ago pthread: flush all threads on flush, not just the first one
Diego Biurrun [Wed, 19 Feb 2014 19:33:28 +0000 (20:33 +0100)]
pthread: flush all threads on flush, not just the first one

avcodec_flush_buffers() must release all internally held references
according to its documentation, for which all the threads need to be
flushed.

CC:libav-stable@libav.org
Bug-Id: vlc/9665

5 years ago mpeg12: check scantable indices in all decode_block functions
Janne Grunau [Fri, 24 Jan 2014 15:22:44 +0000 (16:22 +0100)]
mpeg12: check scantable indices in all decode_block functions

Add checks to the fast functions used with CODEC_FLAGS2_FAST and move
the check for all other functions to before the invalid memory is
accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with
CODEC_FLAGS2_FAST.

CC: libav-stable@libav.org
5 years ago sgidec: fix buffer size check in expand_rle_row()
Anton Khirnov [Thu, 2 Jan 2014 08:34:20 +0000 (09:34 +0100)]
sgidec: fix buffer size check in expand_rle_row()

Right now it will spuriously fail if the linesize is exactly equal to
the data width.

CC:libav-stable@libav.org

5 years ago adx: check that the offset is not negative
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
adx: check that the offset is not negative

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 5569146d48f06564e8fa393424782cceed510916)

5 years ago mpegvideo: set reference/pict_type on generated reference frames
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
mpegvideo: set reference/pict_type on generated reference frames

Otherwise the generic code will unref them, which can then result in
last_picture_ptr == current_picture_ptr, which causes deadlocks at least
in rv40.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset data partitioning at the beginning of each decode call
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset data partitioning at the beginning of each decode call

Prevents using GetBitContexts with data from previous calls.

Fixes access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset ref count if decoding the slice header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset ref count if decoding the slice header fails

Otherwise the ER code might try to use some already freed references.

Fixes possible access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset first_field if frame_start() fails for missing refs
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset first_field if frame_start() fails for missing refs

In this case we may not have a current frame, while first_field being
set implies we do.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3

Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reject mismatching luma/chroma bit depths during sps parsing
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reject mismatching luma/chroma bit depths during sps parsing

There is no point in delaying the check and it avoids bugs with a
half-initialized context.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: check that execute_decode_slices() is not called too many times
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that execute_decode_slices() is not called too many times

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9eef9eb3014b2ed9c3ff4aac510a9f04edb555cf)

5 years ago h264: do not use 422 functions for monochrome
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: do not use 422 functions for monochrome

Fixes invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset data_partitioning if decoding the slice header for NAL_DPA fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset data_partitioning if decoding the slice header for NAL_DPA fails

If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 58312b2472d3a44d7458865c459d59ef2e02bf1a)

5 years ago h264_refs: make sure not to write over the bounds of the default ref list
Anton Khirnov [Fri, 15 Nov 2013 18:06:23 +0000 (19:06 +0100)]
h264_refs: make sure not to write over the bounds of the default ref list

Fixes invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: check buffer size before accessing it
Anton Khirnov [Fri, 15 Nov 2013 09:15:24 +0000 (10:15 +0100)]
h264: check buffer size before accessing it

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago cmdutils: update copyright year to 2014.
Johan Andersson [Sat, 4 Jan 2014 19:47:32 +0000 (20:47 +0100)]
cmdutils: update copyright year to 2014.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ce88e5ec41484c452da56853a6897803da9c2a5)

5 years ago Prepare for 9.13 Release
Reinhard Tartler [Sat, 29 Mar 2014 17:10:29 +0000 (13:10 -0400)]
Prepare for 9.13 Release

5 years ago doc: Point to the correct, actually maintained gas-preprocessor repo
Martin Storsjö [Wed, 12 Mar 2014 11:46:04 +0000 (13:46 +0200)]
doc: Point to the correct, actually maintained gas-preprocessor repo

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d15c536123a44362ace6299c391a492c90b83fc7)
Signed-off-by: Martin Storsjö <martin@martin.st>
5 years ago Update Changelog for 9.12
Reinhard Tartler [Fri, 14 Mar 2014 00:57:03 +0000 (20:57 -0400)]
Update Changelog for 9.12

5 years ago configure: Update freetype check to follow upstream
Luca Barbato [Sat, 21 Dec 2013 16:59:59 +0000 (17:59 +0100)]
configure: Update freetype check to follow upstream

The freetype tutorial suggests to use #include FT_FREETYPE_H.

Bug-Id: 616
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba)

5 years ago drawtext: Drop pointless header
Luca Barbato [Sun, 5 Jan 2014 11:30:45 +0000 (12:30 +0100)]
drawtext: Drop pointless header

It should be forward compatible with newer freetype.

(cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago configure: Support preprocessor macros as header names
Diego Biurrun [Mon, 23 Dec 2013 00:03:48 +0000 (01:03 +0100)]
configure: Support preprocessor macros as header names

New versions of FreeType have moved the location of their API
header(s) and hide the location behind a macro.

Since the location changes between versions and no other way
to know the location exists, this workaround becomes necessary.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6
Janne Grunau [Sat, 8 Mar 2014 10:52:14 +0000 (11:52 +0100)]
arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6

The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.

5 years ago qt-faststart: Check offset_count before reading from the moov_atom buffer
Michael Niedermayer [Thu, 13 Dec 2012 14:07:20 +0000 (15:07 +0100)]
qt-faststart: Check offset_count before reading from the moov_atom buffer

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit bb95334c34d0d9abccea370ae25c4765d7764ab8)
(cherry picked from commit 7754d4838178a5c09c3c3953bb2b90d1abc639e3)

5 years ago arm: hpeldsp: prevent overreads in armv6 asm
Janne Grunau [Wed, 5 Mar 2014 11:44:57 +0000 (12:44 +0100)]
arm: hpeldsp: prevent overreads in armv6 asm

Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>

Bug-Id: 646
CC: libav-stable@libav.org
5 years ago configure: enable PIC on s390(x)
Reinhard Tartler [Sun, 2 Mar 2014 07:11:05 +0000 (02:11 -0500)]
configure: enable PIC on s390(x)

The s390 architecture requires shared libraries to be built in PIC mode.
Otherwise applications will get wrong relocations at run-time, leading
to confusing segmentation faults.

CC: libav-stable@libav.org
(cherry picked from commit 5ddc9f5052316608799b932c604f9e7561f8ce24)
(cherry picked from commit 7509c2c4ea2180733cc60ab1a0e0fe4ce2f02a69)

5 years ago ituh263: reject b-frame with pp_time = 0
Keiji Costantini [Sat, 1 Mar 2014 18:17:04 +0000 (18:17 +0000)]
ituh263: reject b-frame with pp_time = 0

Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.

Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)

5 years ago lagarith: reallocate rgb_planes when needed
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
lagarith: reallocate rgb_planes when needed

Fixes invalid writes on pixel format changes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)

5 years ago truemotion1: check the header size
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
truemotion1: check the header size

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)

5 years ago shorten: pad the internal bitstream buffer
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
shorten: pad the internal bitstream buffer

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)

5 years ago samplefmt: avoid integer overflow in av_samples_get_buffer_size()
Justin Ruggles [Thu, 30 Jan 2014 19:08:38 +0000 (14:08 -0500)]
samplefmt: avoid integer overflow in av_samples_get_buffer_size()

CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)

5 years ago h264: Fix a typo from the previous commit
Luca Barbato [Sat, 22 Feb 2014 10:19:03 +0000 (11:19 +0100)]
h264: Fix a typo from the previous commit

f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +

CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)

5 years ago h264: Lower bound check for slice offsets
Vittorio Giovara [Thu, 20 Feb 2014 01:38:32 +0000 (02:38 +0100)]
h264: Lower bound check for slice offsets

And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)

Conflicts:
libavcodec/h264.c

5 years ago Add missing header to fix compilation after d2a0654
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
Add missing header to fix compilation after d2a0654

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago Prepare for 9.12 RELEASE
Reinhard Tartler [Sat, 1 Mar 2014 00:22:56 +0000 (19:22 -0500)]
Prepare for 9.12 RELEASE

5 years ago configure: Add missing dependency of Snow decoder on videodsp
Diego Biurrun [Fri, 21 Feb 2014 09:31:39 +0000 (10:31 +0100)]
configure: Add missing dependency of Snow decoder on videodsp

5 years ago rpza: limit the number of blocks to the total remaining blocks in the frame
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
rpza: limit the number of blocks to the total remaining blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

5 years ago Update Changelog for 9.11
Reinhard Tartler [Sun, 2 Feb 2014 18:08:08 +0000 (13:08 -0500)]
Update Changelog for 9.11

5 years ago oggparseogm: check timing variables
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
oggparseogm: check timing variables

Fixes a potential divide by zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mathematics: remove asserts from av_rescale_rnd()
Anton Khirnov [Thu, 12 Dec 2013 06:34:13 +0000 (07:34 +0100)]
mathematics: remove asserts from av_rescale_rnd()

It is a public function, it must not assert on its parameters.

(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago vc1: Always reset numref when parsing a new frame header.
Michael Niedermayer [Sun, 19 Jan 2014 15:28:25 +0000 (15:28 +0000)]
vc1: Always reset numref when parsing a new frame header.

Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.

CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago h264: reset num_reorder_frames if it is invalid
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset num_reorder_frames if it is invalid

An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c

5 years ago h264: check that an IDR NAL only contains I slices
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that an IDR NAL only contains I slices

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mov: Free an earlier allocated array if allocating a new one
Martin Storsjö [Mon, 13 Jan 2014 12:46:07 +0000 (14:46 +0200)]
mov: Free an earlier allocated array if allocating a new one

It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago mov: Free intermediate arrays in the normal cleanup function
Martin Storsjö [Mon, 13 Jan 2014 12:43:23 +0000 (14:43 +0200)]
mov: Free intermediate arrays in the normal cleanup function

These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d5b4bc999fb70c040f330dd1873212e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago segafilm: fix leaks if reading the header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
segafilm: fix leaks if reading the header fails

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

5 years ago h264_cavlc: check the size of the intra PCM data.
Anton Khirnov [Fri, 15 Nov 2013 08:42:26 +0000 (09:42 +0100)]
h264_cavlc: check the size of the intra PCM data.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h263: Check init_get_bits return value
Michael Niedermayer [Sat, 26 Oct 2013 17:02:34 +0000 (19:02 +0200)]
h263: Check init_get_bits return value

And use init_get_bits8 to check for integer overflows while at it.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

5 years ago cavsdec: check ff_get_buffer() return value
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
cavsdec: check ff_get_buffer() return value

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago cavs: Check for negative cbp
Luca Barbato [Sun, 13 Oct 2013 01:30:06 +0000 (03:30 +0200)]
cavs: Check for negative cbp

Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

5 years ago avi: DV in AVI must be considered single stream
Luca Barbato [Tue, 6 Aug 2013 01:38:12 +0000 (03:38 +0200)]
avi: DV in AVI must be considered single stream

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org