ffmpeg.git
7 years agoUpdate for 0.10.4 n0.10.4
Michael Niedermayer [Sat, 9 Jun 2012 18:52:12 +0000 (20:52 +0200)]
Update for 0.10.4
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agompegvideo: fix out of heap array accesses
Michael Niedermayer [Wed, 6 Jun 2012 17:26:21 +0000 (19:26 +0200)]
mpegvideo: fix out of heap array accesses

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 317ca0d3f735fad354c404e8bbac3e1ce9f09b12)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agompc8: fix channel checks
Michael Niedermayer [Sun, 3 Jun 2012 15:40:30 +0000 (17:40 +0200)]
mpc8: fix channel checks

fix heap array overflow

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 44c10168cff41c200825448b77cb8feff0d316c9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoh263: disable loop filter with lowres
Michael Niedermayer [Sun, 3 Jun 2012 12:41:21 +0000 (14:41 +0200)]
h263: disable loop filter with lowres

Fixes ticket1212

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc229d4e83889d1298f1a0863b55feec6c5c339a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agobmv: fix apparent sign error in the frame_off check
Michael Niedermayer [Sat, 2 Jun 2012 02:06:16 +0000 (04:06 +0200)]
bmv: fix apparent sign error in the frame_off check

Fixes part of Ticket1373

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit debbcfae6010f027a0334d70d0dbb7ddd912ad5a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agobmv: fix integer overflows in vlc decoder.
Michael Niedermayer [Sat, 2 Jun 2012 02:04:29 +0000 (04:04 +0200)]
bmv: fix integer overflows in vlc decoder.

Fixes part of Ticket1373

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Based-on-patch-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 679c578cb8e82df6fdee977e3137a26a680ad346)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agowmv1: check that the input buffer is large enough
Michael Niedermayer [Fri, 1 Jun 2012 19:42:29 +0000 (21:42 +0200)]
wmv1: check that the input buffer is large enough

Fixes null ptr deref
Fixes Ticket1367

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoyopdec: check frame oddness to be within supported limits
Michael Niedermayer [Fri, 1 Jun 2012 13:52:20 +0000 (15:52 +0200)]
yopdec: check frame oddness to be within supported limits

Fixes Ticket1365

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoyopdec: check that palette fits in the packet
Michael Niedermayer [Fri, 1 Jun 2012 13:51:50 +0000 (15:51 +0200)]
yopdec: check that palette fits in the packet

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago8svx: fix crash
Michael Niedermayer [Thu, 31 May 2012 23:33:00 +0000 (01:33 +0200)]
8svx: fix crash

Fixes Ticket1377

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agodv-demux: dont mess with codec values
Michael Niedermayer [Thu, 31 May 2012 21:50:08 +0000 (23:50 +0200)]
dv-demux: dont mess with codec values

Fixes part of Ticket1369

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c276ac0f8936745543d14674842647c502bdd2e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agobinkaudio: check number of channels
Paul B Mahol [Thu, 31 May 2012 08:58:31 +0000 (08:58 +0000)]
binkaudio: check number of channels

Fixes #1380.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoindeo5: check quant_mat
Michael Niedermayer [Thu, 31 May 2012 03:01:28 +0000 (05:01 +0200)]
indeo5: check quant_mat

prevents out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agotruemotion1: Check index, fix out of array read
Michael Niedermayer [Wed, 30 May 2012 14:19:36 +0000 (16:19 +0200)]
truemotion1: Check index, fix out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoiff: check if there is extradata
Paul B Mahol [Wed, 30 May 2012 07:50:32 +0000 (07:50 +0000)]
iff: check if there is extradata

Fixes #1368.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoape: Fix null ptr dereference with files missing a seekatable.
Michael Niedermayer [Tue, 29 May 2012 17:50:15 +0000 (19:50 +0200)]
ape: Fix null ptr dereference with files missing a seekatable.

Such files are currently not supported as the table is used at several points

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago4xm: fix division by zero caused by bps<8
Michael Niedermayer [Tue, 29 May 2012 17:16:22 +0000 (19:16 +0200)]
4xm: fix division by zero caused by bps<8

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agojvdec: check videosize
Michael Niedermayer [Mon, 28 May 2012 15:21:29 +0000 (17:21 +0200)]
jvdec: check videosize

Fixes null ptr dereference
fixes Ticket1364

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4904e804d3b1c56ac4f5d3386b15daae98fca2d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agomotionpixels: check extradata size
Michael Niedermayer [Mon, 28 May 2012 15:17:49 +0000 (17:17 +0200)]
motionpixels: check extradata size

Fixes null ptr derefernce
Fixes Ticket1363

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 50122084a6b3be06781a2b3d8ec036f2d67c32e3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoiff_ilbm: fix null ptr deref
Michael Niedermayer [Mon, 28 May 2012 15:13:10 +0000 (17:13 +0200)]
iff_ilbm: fix null ptr deref

Fixes Ticket1362

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoyop: check for missing extradata
Michael Niedermayer [Mon, 28 May 2012 15:08:06 +0000 (17:08 +0200)]
yop: check for missing extradata

Fixes null ptr deref
Fixes Ticket1361

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 77a4c8b959fa9bc6bcaa42b40a0b046cdf3fec38)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoxan: fix out of array read
Michael Niedermayer [Mon, 28 May 2012 15:04:38 +0000 (17:04 +0200)]
xan: fix out of array read

Fixes ticket1360

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agocdgraphics: Fix out of array write
Michael Niedermayer [Mon, 28 May 2012 14:50:15 +0000 (16:50 +0200)]
cdgraphics: Fix out of array write

Fixes Ticket1359

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Sat, 9 Jun 2012 17:17:22 +0000 (19:17 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  cmdutils: update copyright year to 2012.

Conflicts:
cmdutils.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agocmdutils: update copyright year to 2012.
Ronald S. Bultje [Wed, 8 Feb 2012 18:16:41 +0000 (10:16 -0800)]
cmdutils: update copyright year to 2012.

7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Mon, 4 Jun 2012 11:40:13 +0000 (13:40 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  Update Changelog for the 0.8.3 Release
  Prepare for 0.8.3 Release
  ea: check chunk_size for validity.
  png: check bit depth for PAL8/Y400A pixel formats.
  qdm2: clip array indices returned by qdm2_get_vlc().
  tqi: Pass errors from the MB decoder
  h264: Add check for invalid chroma_format_idc
  h263dec: Disallow width/height changing with frame threads.

Conflicts:
Changelog
RELEASE
libavcodec/eatqi.c
libavcodec/h264_ps.c
libavcodec/pngdec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoUpdate Changelog for the 0.8.3 Release
Reinhard Tartler [Tue, 29 May 2012 20:59:43 +0000 (22:59 +0200)]
Update Changelog for the 0.8.3 Release

7 years agoPrepare for 0.8.3 Release
Reinhard Tartler [Tue, 29 May 2012 20:56:46 +0000 (22:56 +0200)]
Prepare for 0.8.3 Release

7 years agoea: check chunk_size for validity.
Ronald S. Bultje [Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)]
ea: check chunk_size for validity.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agopng: check bit depth for PAL8/Y400A pixel formats.
Ronald S. Bultje [Wed, 2 May 2012 17:58:55 +0000 (10:58 -0700)]
png: check bit depth for PAL8/Y400A pixel formats.

Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoqdm2: clip array indices returned by qdm2_get_vlc().
Ronald S. Bultje [Wed, 2 May 2012 16:12:46 +0000 (16:12 +0000)]
qdm2: clip array indices returned by qdm2_get_vlc().

Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

libavcodec/qdm2.c

7 years agotqi: Pass errors from the MB decoder
Michael Niedermayer [Mon, 19 Dec 2011 03:13:37 +0000 (04:13 +0100)]
tqi: Pass errors from the MB decoder

This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh264: Add check for invalid chroma_format_idc
Alexander Strange [Sat, 24 Mar 2012 21:32:14 +0000 (17:32 -0400)]
h264: Add check for invalid chroma_format_idc

Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh263dec: Disallow width/height changing with frame threads.
Michael Niedermayer [Fri, 17 Feb 2012 21:35:10 +0000 (13:35 -0800)]
h263dec: Disallow width/height changing with frame threads.

Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)

Conflicts:

libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agothreads: Perform the generic progress cleanup more carefully.
Michael Niedermayer [Sat, 11 Feb 2012 19:14:33 +0000 (20:14 +0100)]
threads: Perform the generic progress cleanup more carefully.

The cleanup is only done now when
a picture is returned (assuming that it has to be done when its returned)
a error is returned (assuming that there will be no further progress on the frame)
the codec is not h264 (this is still needed due to some deadlocks in realvideo)

This fixes a decoding regression with 00017.MTS

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18a7f7465e7e6b9c3688ffc23230ae7a0639a771)

7 years agoupdate for ffmpeg 0.10.3 n0.10.3
Michael Niedermayer [Sat, 5 May 2012 23:35:56 +0000 (01:35 +0200)]
update for ffmpeg 0.10.3

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoindeo4: check that num_mbs matches
Michael Niedermayer [Sat, 31 Mar 2012 19:42:50 +0000 (21:42 +0200)]
indeo4: check that num_mbs matches

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3db8988d5befd8702a748cf1957415677bfe75c)

7 years agodsp: fix diff_bytes_mmx() with small width
Michael Niedermayer [Sat, 17 Mar 2012 19:45:45 +0000 (20:45 +0100)]
dsp: fix diff_bytes_mmx() with small width

Fixes Ticket1068

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)

7 years agoChangelog: update
Michael Niedermayer [Sat, 5 May 2012 23:31:25 +0000 (01:31 +0200)]
Changelog: update

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agommdemux: dont set pkt->size to an invalid value.
Michael Niedermayer [Thu, 22 Mar 2012 23:49:00 +0000 (00:49 +0100)]
mmdemux: dont set pkt->size to an invalid value.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c97fd336e17535239ab44d755a0d957dc2688f3)

7 years agoh261: check mtype.
Michael Niedermayer [Fri, 2 Mar 2012 14:58:14 +0000 (15:58 +0100)]
h261: check mtype.

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585)

7 years agompegvideo: increase buffer sizes.
Michael Niedermayer [Sat, 24 Mar 2012 13:25:52 +0000 (14:25 +0100)]
mpegvideo: increase buffer sizes.

Fixes buffer overflow

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2c0559d5e2faeafa7998173a4dc430408475503f)

7 years agomov: fix global unicode convertion array overflow.
Michael Niedermayer [Fri, 23 Mar 2012 00:09:04 +0000 (01:09 +0100)]
mov: fix global unicode convertion array overflow.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 437f5daf0bf727a53ea4b485a30f1289f44bf252)

7 years agoiff: fix null ptr dereference
Michael Niedermayer [Sun, 22 Apr 2012 14:41:21 +0000 (16:41 +0200)]
iff: fix null ptr dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 41abc9da50ba7a7b68bbbf6622475ce7a3c72e3f)

7 years agoxmvdemux: dont let current_stream become invalid.
Michael Niedermayer [Sat, 21 Apr 2012 17:41:54 +0000 (19:41 +0200)]
xmvdemux: dont let current_stream become invalid.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 13381577d181fa732d6d2fa0491fa2ff50186546)

7 years agoavidec: Dont crash on avi packets that belong to dv streams in dv in avi
Michael Niedermayer [Tue, 17 Apr 2012 15:42:09 +0000 (17:42 +0200)]
avidec: Dont crash on avi packets that belong to dv streams in dv in avi

Fixes null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 096231d497457be9496b0be01ff6da2093186c3c)

7 years agocook: check subacket count
Michael Niedermayer [Sat, 21 Apr 2012 17:28:35 +0000 (19:28 +0200)]
cook: check subacket count

Fixes out of array writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5a35bd92ad6b535fd5d3a7513169661de66ec247)

7 years ago4xmdemux: Check chunk size
Michael Niedermayer [Mon, 16 Apr 2012 12:30:33 +0000 (14:30 +0200)]
4xmdemux: Check chunk size

Fixes over reading the header array

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904f766b6989fe614c3fb093e697c847f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Sat, 5 May 2012 19:18:48 +0000 (21:18 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  Update Changelog for the 0.8.2 Release
  Prepare for 0.8.2 Release
  vqavideo: return error if image size is not a multiple of block size
  celp filters: Do not read earlier than the start of the 'out' vector.
  motionpixels: Clip YUV values after applying a gradient.
  jpeg: handle progressive in second field of interlaced.
  h263: more strictly forbid frame size changes with frame-mt.
  h264: additional protection against unsupported size/bitdepth changes.
  tta: prevents overflows for 32bit integers in header.
  ttadec: CRC checking
  tta: use skip_bits_long()

Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoUpdate Changelog for the 0.8.2 Release
Reinhard Tartler [Fri, 4 May 2012 20:59:01 +0000 (22:59 +0200)]
Update Changelog for the 0.8.2 Release

7 years agoPrepare for 0.8.2 Release
Reinhard Tartler [Fri, 4 May 2012 20:40:37 +0000 (22:40 +0200)]
Prepare for 0.8.2 Release

7 years agovqavideo: return error if image size is not a multiple of block size
Mans Rullgard [Mon, 23 Apr 2012 12:16:33 +0000 (13:16 +0100)]
vqavideo: return error if image size is not a multiple of block size

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agocelp filters: Do not read earlier than the start of the 'out' vector.
Alex Converse [Fri, 4 May 2012 17:27:03 +0000 (10:27 -0700)]
celp filters: Do not read earlier than the start of the 'out' vector.

CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomotionpixels: Clip YUV values after applying a gradient.
Alex Converse [Wed, 2 May 2012 19:08:03 +0000 (12:08 -0700)]
motionpixels: Clip YUV values after applying a gradient.

Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agojpeg: handle progressive in second field of interlaced.
Ronald S. Bultje [Wed, 14 Mar 2012 00:18:41 +0000 (17:18 -0700)]
jpeg: handle progressive in second field of interlaced.

Progressive data is allocated later in decode_sof(), not allocating
that data leads to NULL dereferences.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh263: more strictly forbid frame size changes with frame-mt.
Ronald S. Bultje [Thu, 29 Mar 2012 19:24:10 +0000 (12:24 -0700)]
h263: more strictly forbid frame size changes with frame-mt.

Prevents crashes because the old check was incomplete.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh264: additional protection against unsupported size/bitdepth changes.
Ronald S. Bultje [Thu, 29 Mar 2012 23:37:09 +0000 (16:37 -0700)]
h264: additional protection against unsupported size/bitdepth changes.

Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)

Conflicts:

libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotta: prevents overflows for 32bit integers in header.
Ronald S. Bultje [Thu, 29 Mar 2012 19:44:55 +0000 (12:44 -0700)]
tta: prevents overflows for 32bit integers in header.

This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agottadec: CRC checking
Paul B Mahol [Sat, 11 Feb 2012 21:30:30 +0000 (21:30 +0000)]
ttadec: CRC checking

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotta: use skip_bits_long()
Paul B Mahol [Sun, 5 Feb 2012 19:39:13 +0000 (19:39 +0000)]
tta: use skip_bits_long()

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovqavideodev: Check image dimensions
Michael Niedermayer [Thu, 22 Mar 2012 22:43:37 +0000 (23:43 +0100)]
vqavideodev: Check image dimensions

Fixes out of heap array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
Independently-Found-by: Fabian Yamaguchi
Fixes: CVE-2012-0947

Conflicts:

libavcodec/vqavideo.c

7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Wed, 2 May 2012 20:49:14 +0000 (22:49 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8: (24 commits)
  apedec: check bits <= 32.
  truemotion: forbid invalid VLC bitsizes and token values.
  mov: don't overwrite existing indexes.
  truemotion2: handle out-of-frame motion vectors through edge extension.
  lzw: prevent buffer overreads.
  truemotion2: convert packet header reading to bytestream2.
  lagarith: fix buffer overreads.
  raw: forward avpicture_fill() error code in raw_decode().
  vc1: Do not read from array if index is invalid.
  utvideo: port header reading to bytestream2.
  bytestream: add more unchecked variants for bytestream2 API
  bytestream: K&R formatting cosmetics
  bytestream: Add bytestream2 writing API.
  aac: Reset PS parameters on header decode failure.
  mov: Do not read past the end of the ctts_data table.
  xwma: Validate channels and bits_per_coded_sample.
  asf: reset side data elements on packet copy.
  vqa: check palette chunk size before reading data.
  vqavideo: port to bytestream2 API
  wmavoice: fix stack overread.
  ...

Conflicts:
cmdutils.c
cmdutils.h
libavcodec/lagarith.c
libavcodec/truemotion2.c
libavcodec/vqavideo.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoapedec: check bits <= 32.
Michael Niedermayer [Thu, 29 Mar 2012 17:52:21 +0000 (17:52 +0000)]
apedec: check bits <= 32.

Fixes a floating-point exception further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotruemotion: forbid invalid VLC bitsizes and token values.
Ronald S. Bultje [Thu, 29 Mar 2012 17:25:04 +0000 (10:25 -0700)]
truemotion: forbid invalid VLC bitsizes and token values.

SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.

This prevents crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomov: don't overwrite existing indexes.
Ronald S. Bultje [Wed, 28 Mar 2012 19:56:07 +0000 (12:56 -0700)]
mov: don't overwrite existing indexes.

Prevents all kind of badness if files contain multiple
indexes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotruemotion2: handle out-of-frame motion vectors through edge extension.
Ronald S. Bultje [Thu, 29 Mar 2012 16:29:03 +0000 (09:29 -0700)]
truemotion2: handle out-of-frame motion vectors through edge extension.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agolzw: prevent buffer overreads.
Ronald S. Bultje [Thu, 29 Mar 2012 00:06:00 +0000 (17:06 -0700)]
lzw: prevent buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotruemotion2: convert packet header reading to bytestream2.
Ronald S. Bultje [Wed, 28 Mar 2012 18:53:13 +0000 (11:53 -0700)]
truemotion2: convert packet header reading to bytestream2.

Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agolagarith: fix buffer overreads.
Ronald S. Bultje [Tue, 27 Mar 2012 19:26:46 +0000 (12:26 -0700)]
lagarith: fix buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoraw: forward avpicture_fill() error code in raw_decode().
Ronald S. Bultje [Tue, 27 Mar 2012 01:02:08 +0000 (18:02 -0700)]
raw: forward avpicture_fill() error code in raw_decode().

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovc1: Do not read from array if index is invalid.
Mashiat Sarker Shakkhar [Sat, 24 Mar 2012 22:49:34 +0000 (15:49 -0700)]
vc1: Do not read from array if index is invalid.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoutvideo: port header reading to bytestream2.
Ronald S. Bultje [Fri, 23 Mar 2012 00:25:22 +0000 (17:25 -0700)]
utvideo: port header reading to bytestream2.

Fixes crash during slice size reading if slice_end goes negative.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agobytestream: add more unchecked variants for bytestream2 API
Paul B Mahol [Tue, 13 Mar 2012 14:14:59 +0000 (14:14 +0000)]
bytestream: add more unchecked variants for bytestream2 API

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agobytestream: K&R formatting cosmetics
Aneesh Dogra [Wed, 8 Feb 2012 18:07:20 +0000 (23:37 +0530)]
bytestream: K&R formatting cosmetics

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agobytestream: Add bytestream2 writing API.
Aneesh Dogra [Mon, 6 Feb 2012 20:09:22 +0000 (01:39 +0530)]
bytestream: Add bytestream2 writing API.

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoaac: Reset PS parameters on header decode failure.
Alex Converse [Wed, 21 Mar 2012 17:11:02 +0000 (10:11 -0700)]
aac: Reset PS parameters on header decode failure.

If the next header frame codes zero envelopes the previous frame's
values will be used. Consequently the invalid values must be cleared.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomov: Do not read past the end of the ctts_data table.
Alex Converse [Wed, 21 Mar 2012 18:24:10 +0000 (11:24 -0700)]
mov: Do not read past the end of the ctts_data table.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoxwma: Validate channels and bits_per_coded_sample.
Alex Converse [Wed, 21 Mar 2012 17:58:07 +0000 (10:58 -0700)]
xwma: Validate channels and bits_per_coded_sample.

This prevents a SIGFPE later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoasf: reset side data elements on packet copy.
Ronald S. Bultje [Wed, 21 Mar 2012 23:10:37 +0000 (16:10 -0700)]
asf: reset side data elements on packet copy.

Prevents crash (double free) when free()ing the original packet.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovqa: check palette chunk size before reading data.
Ronald S. Bultje [Wed, 21 Mar 2012 22:19:31 +0000 (15:19 -0700)]
vqa: check palette chunk size before reading data.

Prevents overreads beyond buffer boundaries.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovqavideo: port to bytestream2 API
Paul B Mahol [Fri, 16 Mar 2012 00:56:41 +0000 (00:56 +0000)]
vqavideo: port to bytestream2 API

Protects against overreads.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agowmavoice: fix stack overread.
Ronald S. Bultje [Wed, 21 Mar 2012 22:47:11 +0000 (15:47 -0700)]
wmavoice: fix stack overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoindeo4: fix out-of-bounds function call.
Ronald S. Bultje [Wed, 21 Mar 2012 17:39:10 +0000 (10:39 -0700)]
indeo4: fix out-of-bounds function call.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 68fd077f68bdde864bb7328d72a040849c616261)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoRead preset files with suffix .avpreset
Reinhard Tartler [Sun, 18 Mar 2012 08:26:32 +0000 (09:26 +0100)]
Read preset files with suffix .avpreset

The preset files have been renamed some time ago.

CC: libav-stable@libav.org
(cherry picked from commit 050dc127787e91d8ee4b341046c74fe6e74e3285)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomimic: don't use self as reference, and report completion at end of decode().
Ronald S. Bultje [Fri, 16 Mar 2012 21:04:00 +0000 (14:04 -0700)]
mimic: don't use self as reference, and report completion at end of decode().

Fixes hangs on corrupt samples that reference self-frames.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 80387f0e2568746dce4a68e2217297029a053dae)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agompeg4: report frame decoding completion at ff_MPV_frame_end().
Ronald S. Bultje [Fri, 16 Mar 2012 21:16:56 +0000 (14:16 -0700)]
mpeg4: report frame decoding completion at ff_MPV_frame_end().

Prevents hangs on corrupt input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2)

Conflicts:

libavcodec/mpegvideo.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh264: use struct offsets in get_cabac_bypass_sign_x86().
Ronald S. Bultje [Sat, 17 Mar 2012 05:41:17 +0000 (22:41 -0700)]
h264: use struct offsets in get_cabac_bypass_sign_x86().
(cherry picked from commit db025929f202bc32459a1278ee06920a06564762)

7 years agoReplace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent.
ami_stuff [Thu, 22 Mar 2012 18:28:52 +0000 (19:28 +0100)]
Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent.

Fixes an AAC decoding issue with the sample from ticket #213 on machines
with SSE but without SSE2.
Based on 89411a by Reimar.

(cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928)

7 years agolavfi/fade: fix black level for non studio-level pixel formats
Stefano Sabatini [Wed, 28 Mar 2012 22:17:23 +0000 (00:17 +0200)]
lavfi/fade: fix black level for non studio-level pixel formats

Fix trac ticket #1139, regression introduced in 8c1fb50d077d5f954.
(cherry picked from commit 95ce0ddcfe99182365e0e57f5f41d7f1a01c57eb)

7 years agompeg4: dont reset picture_num for xvid
Michael Niedermayer [Wed, 4 Apr 2012 02:19:43 +0000 (04:19 +0200)]
mpeg4: dont reset picture_num for xvid

Fixes Ticket1162

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a4e359a3f98650dab3d2e93f067658e20fa9c0d7)

7 years agoh264: fix seeking in low delay streams without IDR
Michael Niedermayer [Wed, 4 Apr 2012 01:43:23 +0000 (03:43 +0200)]
h264: fix seeking in low delay streams without IDR

Fixes Ticket1165

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3360b8517a1f478c4102072e5eadd8ba78be0538)

7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Sun, 1 Apr 2012 22:52:23 +0000 (00:52 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  id3v2: fix skipping extended header in id3v2.4

Conflicts:
libavformat/id3v2.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoid3v2: fix skipping extended header in id3v2.4
Anton Khirnov [Sat, 31 Mar 2012 05:52:42 +0000 (07:52 +0200)]
id3v2: fix skipping extended header in id3v2.4

In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years agosmacker audio: sign-extend the initial 16-bit predicted value
Franz Brauße [Fri, 30 Mar 2012 18:40:14 +0000 (14:40 -0400)]
smacker audio: sign-extend the initial 16-bit predicted value

Fixes Bug #265

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d)

7 years agomxfdec: Only parse next partition pack if parsing forward
Tomas Härdin [Tue, 20 Mar 2012 10:03:48 +0000 (11:03 +0100)]
mxfdec: Only parse next partition pack if parsing forward

This fixes ticket #1099.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 393b81f0934866bd7fff0a2b113623dd9ee6808f)

7 years agopngenc: Fix incorrect mask used for interlaced mode.
Michael Niedermayer [Tue, 20 Mar 2012 19:39:32 +0000 (20:39 +0100)]
pngenc: Fix incorrect mask used for interlaced mode.

Fixes Ticket1109

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461)

7 years agoUpdate for 0.10.2 n0.10.2
Michael Niedermayer [Sat, 17 Mar 2012 08:14:13 +0000 (09:14 +0100)]
Update for 0.10.2

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agolibx264: fix duplicate stats entry
Kelly Anderson [Sat, 17 Mar 2012 07:56:59 +0000 (08:56 +0100)]
libx264: fix duplicate stats entry

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoUpdate for 0.10.1 n0.10.1
Michael Niedermayer [Sat, 17 Mar 2012 00:37:34 +0000 (01:37 +0100)]
Update for 0.10.1

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agolavfi: port MP swapuv filter
Stefano Sabatini [Thu, 8 Mar 2012 15:18:03 +0000 (16:18 +0100)]
lavfi: port MP swapuv filter
(cherry picked from commit fa35d880aab1d3ef2b828cae640e43d370e8f0c2)

Conflicts:

Changelog
libavfilter/version.h

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>