ffmpeg.git
7 years ago wma: fix invalid buffer size assumptions causing random overreads.
Ronald S. Bultje [Fri, 2 Mar 2012 00:19:51 +0000 (16:19 -0800)]
wma: fix invalid buffer size assumptions causing random overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 349b7977e408f18cff01ab31dfa66c8249b6584a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago wmadec: Verify bitstream size makes sense before calling init_get_bits.
Alex Converse [Fri, 27 Jan 2012 22:24:07 +0000 (14:24 -0800)]
wmadec: Verify bitstream size makes sense before calling init_get_bits.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size.
Alex Converse [Thu, 1 Mar 2012 22:07:22 +0000 (14:07 -0800)]
rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago lcl: return negative error codes on decode_init() errors.
Ronald S. Bultje [Thu, 1 Mar 2012 01:50:28 +0000 (17:50 -0800)]
lcl: return negative error codes on decode_init() errors.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago avutil: add AVERROR_UNKNOWN
Justin Ruggles [Sat, 25 Feb 2012 04:27:14 +0000 (23:27 -0500)]
avutil: add AVERROR_UNKNOWN

Useful to return instead of -1 when the cause of the error is unknown,
typically from an external library.
(cherry picked from commit c9bca801324f03746757aef8549ebd26599adec2)

Conflicts:

doc/APIchanges
libavutil/avutil.h

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago h264: error out on invalid bitdepth.
Ronald S. Bultje [Thu, 1 Mar 2012 19:56:05 +0000 (11:56 -0800)]
h264: error out on invalid bitdepth.

Fixes invalid reads while initializing the dequant tables, which uses
the bit depth to determine the QP table size.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago huffyuv: do not abort on unknown pix_fmt; instead, return an error.
Ronald S. Bultje [Thu, 1 Mar 2012 17:41:22 +0000 (09:41 -0800)]
huffyuv: do not abort on unknown pix_fmt; instead, return an error.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vmnc: return error on decode_init() failure.
Ronald S. Bultje [Wed, 29 Feb 2012 03:00:48 +0000 (19:00 -0800)]
vmnc: return error on decode_init() failure.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago rpza: error out on buffer overreads.
Ronald S. Bultje [Wed, 29 Feb 2012 01:04:33 +0000 (17:04 -0800)]
rpza: error out on buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago qtrle: return error on decode_init() failure.
Ronald S. Bultje [Wed, 29 Feb 2012 03:00:39 +0000 (19:00 -0800)]
qtrle: return error on decode_init() failure.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago swscale: fix another integer overflow.
Ronald S. Bultje [Wed, 29 Feb 2012 02:21:31 +0000 (18:21 -0800)]
swscale: fix another integer overflow.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp56: error out on invalid stream dimensions.
Ronald S. Bultje [Thu, 23 Feb 2012 19:19:33 +0000 (11:19 -0800)]
vp56: error out on invalid stream dimensions.

Prevents crashes when playing corrupt vp5/6 streams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago asf: don't seek back on EOF.
Ronald S. Bultje [Wed, 29 Feb 2012 00:13:46 +0000 (16:13 -0800)]
asf: don't seek back on EOF.

Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago asf: error out on ridiculously large minpktsize values.
Ronald S. Bultje [Fri, 17 Feb 2012 20:21:22 +0000 (12:21 -0800)]
asf: error out on ridiculously large minpktsize values.

They cause various issues further down in demuxing.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago lavf: add functions for accessing the fourcc<->CodecID mapping tables.
Anton Khirnov [Fri, 27 Jan 2012 12:33:09 +0000 (13:33 +0100)]
lavf: add functions for accessing the fourcc<->CodecID mapping tables.

Fixes bug 212.
(cherry picked from commit dd6d3b0e025cb2a16022665dbb8ab1be18dc05e8)

Conflicts:

doc/APIchanges

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago avutil: make intfloat api public
Paul B Mahol [Sun, 29 Jan 2012 20:09:22 +0000 (20:09 +0000)]
avutil: make intfloat api public

The functions are already av_ prefixed and intfloat header is already provided.
Install libavutil/intfloat.h

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8b933129b932f523a746e921a0a20b8dd8816971)

Conflicts:

doc/APIchanges

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago mjpegbdec: Fix overflow in SOS.
Alex Converse [Wed, 25 Jan 2012 21:39:24 +0000 (13:39 -0800)]
mjpegbdec: Fix overflow in SOS.

Based in part on a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago oma: don't read beyond end of leaf_table.
Ronald S. Bultje [Tue, 28 Feb 2012 19:35:36 +0000 (11:35 -0800)]
oma: don't read beyond end of leaf_table.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 934cd18a43151ba4b819d9270d539cdb26f6e079)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Indeo3: fix crashes on corrupt bitstreams.
Ronald S. Bultje [Tue, 28 Feb 2012 18:22:28 +0000 (10:22 -0800)]
Indeo3: fix crashes on corrupt bitstreams.

Splits at borders of cells are invalid, since it leaves one of the
cells with a width/height of zero. Also, propagate errors on buffer
allocation failures, so we don't continue decoding (which crashes).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vorbis: fix overflows in floor1[] vector and inverse db table index.
Ronald S. Bultje [Wed, 11 Jan 2012 01:01:26 +0000 (17:01 -0800)]
vorbis: fix overflows in floor1[] vector and inverse db table index.

(cherry picked from commit 24947d4988012f1f0fd467c83418615adc11c3e8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix parser not to clobber has_b_frames when extradata is set.
Reinhard Tartler [Sun, 26 Feb 2012 09:50:45 +0000 (10:50 +0100)]
Fix parser not to clobber has_b_frames when extradata is set.

Because in contrast to the decoder, the parser does not set up low_delay.
The code in parse_nal_units would always end up setting has_b_frames
to "1", except when stream is explicitly marked as low delay.
Since the parser itself would create 'extradata', simply reopening
the parser would cause this.

This happens for instance in estimate_timings_from_pts(), which causes the
parser to be reopened on the same stream.

This fixes Libav #22 and FFmpeg (trac) #360

CC: libav-stable@libav.org
Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7)

Comments and description adapted by Reinhard Tartler.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago rm: prevent infinite loops for index parsing.
Ronald S. Bultje [Wed, 22 Feb 2012 19:33:24 +0000 (11:33 -0800)]
rm: prevent infinite loops for index parsing.

Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago fraps: release reference buffer on pix_fmt change.
Ronald S. Bultje [Fri, 24 Feb 2012 22:11:04 +0000 (14:11 -0800)]
fraps: release reference buffer on pix_fmt change.

Prevents crash when trying to copy from a non-existing plane in e.g.
a RGB32 reference image to a YUV420P target image

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago kgv1: release reference picture on size change.
Ronald S. Bultje [Sat, 25 Feb 2012 00:27:53 +0000 (16:27 -0800)]
kgv1: release reference picture on size change.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago kgv1: use avctx->get/release_buffer().
Ronald S. Bultje [Thu, 29 Dec 2011 17:07:32 +0000 (09:07 -0800)]
kgv1: use avctx->get/release_buffer().

Also fixes crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago lcl: error out if uncompressed input buffer is smaller than framesize.
Ronald S. Bultje [Fri, 24 Feb 2012 00:09:36 +0000 (16:09 -0800)]
lcl: error out if uncompressed input buffer is smaller than framesize.

This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago mjpeg: abort decoding if packet is too large.
Ronald S. Bultje [Thu, 23 Feb 2012 20:22:40 +0000 (12:22 -0800)]
mjpeg: abort decoding if packet is too large.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ab492ca2ab105aeb24d955f3f03756bdb3139ee1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago tiff: Prevent overreads in the type_sizes array.
Alex Converse [Thu, 23 Feb 2012 18:47:50 +0000 (10:47 -0800)]
tiff: Prevent overreads in the type_sizes array.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago swf: check return values for av_get/new_packet().
Ronald S. Bultje [Thu, 23 Feb 2012 19:53:27 +0000 (11:53 -0800)]
swf: check return values for av_get/new_packet().

Prevents crashers when using the packet if allocation failed.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago truemotion2: error out if the huffman tree has no nodes.
Ronald S. Bultje [Wed, 22 Feb 2012 20:19:52 +0000 (12:19 -0800)]
truemotion2: error out if the huffman tree has no nodes.

This prevents crashers and errors further down when reading nodes in the
empty tree.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1.
Ronald S. Bultje [Tue, 21 Feb 2012 18:36:27 +0000 (10:36 -0800)]
rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1.

We read sub_packet_h / 2 packets per line of data (during deinterleaving),
which equals zero if sub_packet_h <= 1, thus causing us to not read any
data, leading to an infinite loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e30b3e59a4f3004337cb1623b2aac988ce52b93f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago avplay: fix -threads option
Janne Grunau [Tue, 21 Feb 2012 15:34:08 +0000 (16:34 +0100)]
avplay: fix -threads option

The AVOptions based default to threads auto in 2473a45c8
works only if avplay does not use custom option handling
for -threads.

CC: <libav-stable@libav.org>
(cherry picked from commit e48a70e6da02cd5426b6340af70410bdfe27dfa7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago vc1parse: call vc1_init_common().
Ronald S. Bultje [Fri, 17 Feb 2012 22:18:22 +0000 (14:18 -0800)]
vc1parse: call vc1_init_common().

The parser uses VLC tables initialized in vc1_common_init(), therefore
we should call this function on parser init also.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce)

Conflicts:

libavcodec/vc1.h

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago wma: don't return 0 on invalid packets.
Ronald S. Bultje [Sat, 18 Feb 2012 00:57:00 +0000 (16:57 -0800)]
wma: don't return 0 on invalid packets.

Return 0 means "please return the same data again", i.e. it causes an
infinite loop. Instead, return an error.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9d3050d3e95e307ebc34a943484c7add838d1220)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago mjpegb: don't return 0 at the end of frame decoding.
Ronald S. Bultje [Sat, 18 Feb 2012 00:27:36 +0000 (16:27 -0800)]
mjpegb: don't return 0 at the end of frame decoding.

Return 0 indicates "please return the same data again", i.e. it causes
an infinite loop. Instead, return that we consumed the buffer if we
finished decoding successfully, or return an error if an error occurred.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago asf: prevent packet_size_left from going negative if hdrlen > pktlen.
Ronald S. Bultje [Fri, 17 Feb 2012 20:21:18 +0000 (12:21 -0800)]
asf: prevent packet_size_left from going negative if hdrlen > pktlen.

This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago aiff: don't skip block_align==0 check on COMM-after-SSND files.
Ronald S. Bultje [Fri, 17 Feb 2012 23:51:27 +0000 (15:51 -0800)]
aiff: don't skip block_align==0 check on COMM-after-SSND files.

This prevents SIGFPEs when using block_align for divisions.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 32a659c758bf2ddd8ad48f18c06fa77444341286)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago mp3on4: require a minimum framesize.
Ronald S. Bultje [Fri, 17 Feb 2012 23:20:27 +0000 (15:20 -0800)]
mp3on4: require a minimum framesize.

If bufsize < headersize, init_get_bits() will be called with a negative
number, causing it to fail and any subsequent call to get_bits() will
crash because it reads from a NULL pointer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3e13005cac6e076053276b515f5fcf59a3f4b65d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago huffyuv: error out on bit overrun.
Ronald S. Bultje [Fri, 17 Feb 2012 23:00:47 +0000 (15:00 -0800)]
huffyuv: error out on bit overrun.

On EOF, get_bits() will continuously return 0, causing an infinite
loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago als: prevent infinite loop in zero_remaining().
Ronald S. Bultje [Fri, 17 Feb 2012 20:28:26 +0000 (12:28 -0800)]
als: prevent infinite loop in zero_remaining().

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago cook: prevent div-by-zero if channels is zero.
Ronald S. Bultje [Fri, 17 Feb 2012 20:10:33 +0000 (12:10 -0800)]
cook: prevent div-by-zero if channels is zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago vc1: prevent using last_frame as a reference for I/P first frame.
Ronald S. Bultje [Tue, 14 Feb 2012 20:40:19 +0000 (12:40 -0800)]
vc1: prevent using last_frame as a reference for I/P first frame.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ae591aeea58d64399b8281be31dacec0de85ae04)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago swscale: take first/lastline over/underflows into account for MMX.
Ronald S. Bultje [Thu, 23 Feb 2012 00:48:38 +0000 (16:48 -0800)]
swscale: take first/lastline over/underflows into account for MMX.

Fixes crashes for extremely large resizes (several 100-fold).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago swscale: fix overflows in filterPos[] calculation for large sizes.
Ronald S. Bultje [Thu, 23 Feb 2012 00:46:31 +0000 (16:46 -0800)]
swscale: fix overflows in filterPos[] calculation for large sizes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 19a65b5be47944c607a9e979edb098924d95f2e4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago swscale: enforce a minimum filtersize.
Ronald S. Bultje [Sat, 11 Feb 2012 16:42:28 +0000 (08:42 -0800)]
swscale: enforce a minimum filtersize.

At very small dimensions, this calculation could lead to zero-sized
filters, which leads to uninitialized output, zero-sized allocations,
loop overflows in SIMD that uses do{..}while(i++<filtersize); instead
of for(i=0;i<filtersize;i++){..} and several other similar failures.
Therefore, require a minimum filtersize of 1.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dae2ce361a2b5fd9be1d43e5e8c00bdbc5f03e3d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago tta: error out if samplerate is zero.
Ronald S. Bultje [Fri, 10 Feb 2012 18:51:43 +0000 (10:51 -0800)]
tta: error out if samplerate is zero.

Prevents a division by zero later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7416d610362807848236ceff1bc6740dbc82842d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago vc1: prevent null pointer dereference on broken files
Janne Grunau [Wed, 25 Jan 2012 14:49:54 +0000 (15:49 +0100)]
vc1: prevent null pointer dereference on broken files

CC: libav-stable@libav.org
(cherry picked from commit 510ef04a461b3b54a762c6141ad880cbed85981f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago smacker: Sanity check huffman tables found in the headers.
Alex Converse [Thu, 26 Jan 2012 00:12:42 +0000 (16:12 -0800)]
smacker: Sanity check huffman tables found in the headers.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago lavf: prevent infinite loops while flushing in avformat_find_stream_info
Janne Grunau [Wed, 18 Jan 2012 09:59:32 +0000 (10:59 +0100)]
lavf: prevent infinite loops while flushing in avformat_find_stream_info

If no data was seen for a stream, decoders are returning 0 when fed with
empty packets for flushing. We can stop flushing when the decoder does
not return delayed frames anymore. Changes try_decode_frame()
return value to got_picture or negative error.

CC: libav-stable@libav.org
(cherry picked from commit b3461c29c1aee7d62eeb02a59d46593c60362679)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago matroska: don't overwrite string values until read/alloc was successful.
Ronald S. Bultje [Sat, 25 Feb 2012 00:12:18 +0000 (16:12 -0800)]
matroska: don't overwrite string values until read/alloc was successful.

This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago matroskadec: Pad AAC extradata.
Alex Converse [Wed, 25 Jan 2012 22:34:21 +0000 (14:34 -0800)]
matroskadec: Pad AAC extradata.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago aac: fix infinite loop on end-of-frame with sequence of 1-bits.
Alex Converse [Wed, 22 Feb 2012 19:05:42 +0000 (11:05 -0800)]
aac: fix infinite loop on end-of-frame with sequence of 1-bits.

Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago wma: Clip WMA1 and WMA2 frame length to 11 bits.
Alex Converse [Wed, 25 Jan 2012 02:43:43 +0000 (18:43 -0800)]
wma: Clip WMA1 and WMA2 frame length to 11 bits.

The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers says that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.

Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
(cherry picked from commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago rv20: prevent calling ff_h263_decode_mba() with unset height/width
Janne Grunau [Tue, 24 Jan 2012 20:50:50 +0000 (21:50 +0100)]
rv20: prevent calling ff_h263_decode_mba() with unset height/width

Prevents a crash of VLC during playback of an invalid matroska file,
found by John Villamil <johnv@matasano.com>.

CC: libav-stable@libav.org
(cherry picked from commit c3e10ae4127c998b809066926a410f40ebd47593)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago flac: fix infinite loops on all-zero input or end-of-stream.
Ronald S. Bultje [Wed, 15 Feb 2012 17:52:11 +0000 (09:52 -0800)]
flac: fix infinite loops on all-zero input or end-of-stream.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 52e4018be47697a60f4f18f83551766df31f5adf)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.
Ronald S. Bultje [Fri, 17 Feb 2012 20:54:37 +0000 (12:54 -0800)]
golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 46b3fbc30b7aaf7fdd52391734cfd6d93af8720a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago get_bits: add HAVE_BITS_REMAINING macro.
Ronald S. Bultje [Wed, 22 Feb 2012 20:09:33 +0000 (12:09 -0800)]
get_bits: add HAVE_BITS_REMAINING macro.

(cherry picked from commit b44b41633f110e9d938165e0f79c9d32191fc135)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago golomb: avoid infinite loop on all-zero input (or end of buffer).
Ronald S. Bultje [Tue, 14 Feb 2012 19:50:57 +0000 (11:50 -0800)]
golomb: avoid infinite loop on all-zero input (or end of buffer).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c6643fddba73560f26f90d327c84d8832222a720)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago shorten: Use separate pointers for the allocated memory for decoded samples.
Michael Niedermayer [Sun, 25 Dec 2011 11:28:50 +0000 (12:28 +0100)]
shorten: Use separate pointers for the allocated memory for decoded samples.

Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.

Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago atrac3: Fix crash in tonal component decoding.
Michael Niedermayer [Sat, 17 Dec 2011 02:18:58 +0000 (03:18 +0100)]
atrac3: Fix crash in tonal component decoding.

Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago ws_snd1: Fix wrong samples count and crash.
Michael Niedermayer [Sat, 24 Dec 2011 23:10:27 +0000 (00:10 +0100)]
ws_snd1: Fix wrong samples count and crash.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc)

Addresses CVE-2012-0848

Reviewed-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago h264: disallow constrained intra prediction modes for luma.
Ronald S. Bultje [Fri, 10 Feb 2012 06:57:01 +0000 (22:57 -0800)]
h264: disallow constrained intra prediction modes for luma.

Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago swscale: fix V plane memory location in bilinear/unscaled RGB/YUYV case.
Ronald S. Bultje [Tue, 7 Feb 2012 19:33:20 +0000 (11:33 -0800)]
swscale: fix V plane memory location in bilinear/unscaled RGB/YUYV case.

Fixes bug 221.

CC: libav-stable@libav.org
(cherry picked from commit b7542dd3d71d1ee873277020b6a8eab2674bb167)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago libavcodec: Don't crash in avcodec_encode_audio if time_base isn't set
Martin Storsjö [Thu, 26 Jan 2012 19:37:38 +0000 (21:37 +0200)]
libavcodec: Don't crash in avcodec_encode_audio if time_base isn't set

Earlier, calling avcodec_encode_audio worked fine even if time_base
wasn't set. Now it crashes due to trying to scale the output pts to
the codec context time base. This affects e.g. VLC.

If no time_base is set for audio codecs, set it to the sample
rate.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9a7dc618c50902e7a171f2deda6430d52c277a95)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago qdm2: Check data block size for bytes to bits overflow.
Alex Converse [Wed, 25 Jan 2012 23:27:11 +0000 (15:27 -0800)]
qdm2: Check data block size for bytes to bits overflow.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago lavc: set AVCodecContext.codec in avcodec_get_context_defaults3().
Anton Khirnov [Sat, 28 Jan 2012 18:15:15 +0000 (19:15 +0100)]
lavc: set AVCodecContext.codec in avcodec_get_context_defaults3().

This way, if the AVCodecContext is allocated for a specific codec, the
caller doesn't need to store this codec separately and then pass it
again to avcodec_open2().

It also allows to set codec private options using av_opt_set_* before
opening the codec.
(cherry picked from commit bc901998487bf9b77a423961d9f961bcc28a9291)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago lavc: make avcodec_close() work properly on unopened codecs.
Anton Khirnov [Sun, 29 Jan 2012 11:17:30 +0000 (12:17 +0100)]
lavc: make avcodec_close() work properly on unopened codecs.

I.e. free the priv_data and other stuff allocated in
avcodec_alloc_context3() and not segfault.

(cherry picked from commit 0e72ad95f9fef6a6b8ae55e47339a5c40526502f)

7 years ago lavc: add avcodec_is_open().
Anton Khirnov [Thu, 8 Dec 2011 05:57:44 +0000 (06:57 +0100)]
lavc: add avcodec_is_open().

It allows to check whether an AVCodecContext is open in a documented
way. Right now the undocumented way this check is done in lavf/lavc is
by checking whether AVCodecContext.codec is NULL. However it's desirable
to be able to set AVCodecContext.codec before avcodec_open2().

(cherry picked from commit af08d9aeea870de017139f7b1c44b7d816cf8e56)

Conflicts:

doc/APIchanges

7 years ago wavpack: Don't shift minclip/maxclip
Derek Buitenhuis [Thu, 23 Feb 2012 15:55:35 +0000 (10:55 -0500)]
wavpack: Don't shift minclip/maxclip

Since we are clipping before we shift the values to
16 or 32 bits, we should not shift the min/max clip
values to compensate.

Fixes 8 and 24 bit lossy decoding.

Fixes ticket #871.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 480b133e6f79c470aff0f84d9ed3648d37c32b03)

7 years ago Revert "Improve decoding quality for lossy wavpack."
Michael Niedermayer [Fri, 24 Feb 2012 00:26:38 +0000 (01:26 +0100)]
Revert "Improve decoding quality for lossy wavpack."

This has been implemented more correctly.

This reverts commit a915618a29f3f4197832151a4ed03ccdd585f9cf.
(cherry picked from commit 32e74395a8e88dee1c149aeb36e7a21df431c181)

7 years ago Fix ffmpeg -codecs output.
Carl Eugen Hoyos [Fri, 17 Feb 2012 22:51:22 +0000 (23:51 +0100)]
Fix ffmpeg -codecs output.
(cherry picked from commit f6492476a63938cc66c51bf61c88407b7749f780)

7 years ago wavpack: add needed braces for 2 statements inside an if block
Justin Ruggles [Sat, 11 Feb 2012 01:18:10 +0000 (20:18 -0500)]
wavpack: add needed braces for 2 statements inside an if block
(cherry picked from commit 9d7cee50aa349563aa5faca1cff256ffccff6551)

7 years ago Improve decoding quality for lossy wavpack.
Carl Eugen Hoyos [Sun, 29 Jan 2012 16:50:17 +0000 (17:50 +0100)]
Improve decoding quality for lossy wavpack.

This reverts e6e7bfc1 and 365e1ec2.
The code may be incorrect both before and after the revert, but we
do not have any samples that were fixed by the original commits.

Fixes ticket #871.
(cherry picked from commit a915618a29f3f4197832151a4ed03ccdd585f9cf)

7 years ago doc: remove doc/ffmpeg-mt-authorship.txt for release/0.10 n0.10
Michael Niedermayer [Thu, 26 Jan 2012 21:44:59 +0000 (22:44 +0100)]
doc: remove doc/ffmpeg-mt-authorship.txt for release/0.10

we don't carry the whole git history in releases so there's no
point in having this in them either.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Update for 0.10
Michael Niedermayer [Thu, 26 Jan 2012 20:15:55 +0000 (21:15 +0100)]
Update for 0.10

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qdm2: Check data block size for bytes to bits overflow.
Alex Converse [Wed, 25 Jan 2012 23:27:11 +0000 (15:27 -0800)]
qdm2: Check data block size for bytes to bits overflow.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago ismindex: Fix build on mingw
Martin Storsjö [Wed, 25 Jan 2012 11:47:38 +0000 (13:47 +0200)]
ismindex: Fix build on mingw

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8801fac365549a43a639e239faba409d8f91ef86)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Changelog: remove duplicate lines
Michael Niedermayer [Thu, 26 Jan 2012 21:16:47 +0000 (22:16 +0100)]
Changelog: remove duplicate lines

Found-by: durandal_1707
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago RELEASE_NOTES: update for 0.10
Michael Niedermayer [Thu, 26 Jan 2012 20:57:50 +0000 (21:57 +0100)]
RELEASE_NOTES: update for 0.10

remove minor things and things that we had in many previous releases
already.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Changelog: update for 0.10
Michael Niedermayer [Thu, 26 Jan 2012 20:33:51 +0000 (21:33 +0100)]
Changelog: update for 0.10

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago dv: Fix out of array read
Michael Niedermayer [Wed, 25 Jan 2012 03:51:06 +0000 (04:51 +0100)]
dv: Fix out of array read

Fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mov: Fix seeking regression in fragmented movs.
Michael Niedermayer [Thu, 26 Jan 2012 04:18:01 +0000 (05:18 +0100)]
mov: Fix seeking regression in fragmented movs.

Regression introduced in 550f7c43ece1af27604407647d10e74b52e6fedf

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago snowenc: don't crash with gray but exit with an error msg.
Michael Niedermayer [Thu, 26 Jan 2012 18:41:59 +0000 (19:41 +0100)]
snowenc: don't crash with gray but exit with an error msg.

Fixes Ticket839

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264_sei: Fix infinite loop.
Michael Niedermayer [Thu, 26 Jan 2012 18:31:01 +0000 (19:31 +0100)]
h264_sei: Fix infinite loop.

Fixes not yet fixed parts of CVE-2011-3946.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago ffmpeg: fix -qscale X breaking audio codecs
Michael Niedermayer [Thu, 26 Jan 2012 17:49:53 +0000 (18:49 +0100)]
ffmpeg: fix -qscale X breaking audio codecs

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mpeg1videoenc: disable slice threads
Michael Niedermayer [Thu, 26 Jan 2012 17:45:46 +0000 (18:45 +0100)]
mpeg1videoenc: disable slice threads

It doesn't work (and as far as I tested also didn't in the past)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago kvmc: Check palsize.
Michael Niedermayer [Thu, 26 Jan 2012 16:30:49 +0000 (17:30 +0100)]
kvmc: Check palsize.

Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago matroskadec: increase padding on several more extradata allocations.
Michael Niedermayer [Thu, 26 Jan 2012 16:22:34 +0000 (17:22 +0100)]
matroskadec: increase padding on several more extradata allocations.

Inspired by: 5af569aa30b93f56344ea540936eb671760f568c by alex
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago matroskadec: Pad AAC extradata.
Alex Converse [Wed, 25 Jan 2012 22:34:21 +0000 (14:34 -0800)]
matroskadec: Pad AAC extradata.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago dpcm: Round output buffer size up.
Michael Niedermayer [Thu, 26 Jan 2012 16:04:51 +0000 (17:04 +0100)]
dpcm: Round output buffer size up.

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago diracdec: Check num_refs.
Michael Niedermayer [Thu, 26 Jan 2012 15:51:01 +0000 (16:51 +0100)]
diracdec: Check num_refs.

Fixes: CVE-2011-3950

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago diracdec: Check dirac_unpack_idwt_params parameters before storing them.
Michael Niedermayer [Thu, 26 Jan 2012 14:41:43 +0000 (15:41 +0100)]
diracdec: Check dirac_unpack_idwt_params parameters before storing them.

Fixes CVE-2011-3949

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago doc: remove trailing 's' to metadata.
Clément Bœsch [Thu, 26 Jan 2012 12:06:22 +0000 (13:06 +0100)]
doc: remove trailing 's' to metadata.

metadata is already plural.

Found-by: Alexander Strasser
7 years ago mp3dec: Check for memcpy size to be positive.
Michael Niedermayer [Thu, 26 Jan 2012 02:30:46 +0000 (03:30 +0100)]
mp3dec: Check for memcpy size to be positive.

No, I've no testcase.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Fix a heap-buffer-overflow
Thierry Foucu [Wed, 25 Jan 2012 23:46:14 +0000 (15:46 -0800)]
Fix a heap-buffer-overflow

In some cases, what is left to read from ptr is smaller than EXTRABYTES.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/master'
Michael Niedermayer [Thu, 26 Jan 2012 00:52:29 +0000 (01:52 +0100)]
Merge remote-tracking branch 'qatar/master'

* qatar/master: (22 commits)
  wma: Clip WMA1 and WMA2 frame length to 11 bits.
  movenc: Don't require frame_size to be set for modes other than mov
  doc: Update APIchanges with info on muxer flushing
  movenc: Reindent a block
  tools: Remove some unnecessary #undefs.
  rv20: prevent calling ff_h263_decode_mba() with unset height/width
  tools: K&R reformatting cosmetics
  Ignore generated aviocat and ismindex tools.
  build: Automatically include architecture-specific library Makefile snippets.
  indeo5: prevent null pointer dereference on broken files
  pktdumper: Use usleep instead of sleep
  cosmetics: Remove some unnecessary block braces.
  Drop unnecessary prefix from *sink* variable and struct names.
  Add a tool for creating smooth streaming manifests
  movdec: Calculate an average bit rate for fragmented streams, too
  movenc: Write the sample rate instead of time scale in the stsd atom
  movenc: Add a separate ismv/isma (smooth streaming) muxer
  movenc: Allow the caller to decide on fragmentation
  libavformat: Add a flag for muxers that support write_packet(NULL) for flushing
  movenc: Add support for writing fragmented mov files
  ...

Conflicts:
Changelog
cmdutils.c
cmdutils.h
doc/APIchanges
ffmpeg.c
ffplay.c
libavfilter/Makefile
libavformat/Makefile
libavformat/avformat.h
libavformat/movenc.c
libavformat/movenc.h
libavformat/version.h
tools/graph2dot.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mjpegbdec: Fix incorrect bitstream buffer size.
Michael Niedermayer [Wed, 25 Jan 2012 22:55:21 +0000 (23:55 +0100)]
mjpegbdec: Fix incorrect bitstream buffer size.

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago r210, r10k and avrp encoder
Paul B Mahol [Wed, 25 Jan 2012 19:46:57 +0000 (19:46 +0000)]
r210, r10k and avrp encoder

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago kgv1dec: Increase offsets array size so it is large enough.
Michael Niedermayer [Wed, 25 Jan 2012 22:23:35 +0000 (23:23 +0100)]
kgv1dec: Increase offsets array size so it is large enough.

Fixes CVE-2011-3945

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago doc/ffmpeg.texi
Michael Niedermayer [Wed, 25 Jan 2012 22:01:34 +0000 (23:01 +0100)]
doc/ffmpeg.texi

Merge changes from avconv.texi since the last merge into ffmpeg.texi

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>