ffmpeg.git
7 years ago update for 0.5.10 n0.5.10
Michael Niedermayer [Sat, 9 Jun 2012 20:18:07 +0000 (22:18 +0200)]
update for 0.5.10

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago wmv1: check that the input buffer is large enough
Michael Niedermayer [Fri, 1 Jun 2012 19:42:29 +0000 (21:42 +0200)]
wmv1: check that the input buffer is large enough

Fixes null ptr deref
Fixes Ticket1367

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago truemotion1: Check index, fix out of array read
Michael Niedermayer [Wed, 30 May 2012 14:19:36 +0000 (16:19 +0200)]
truemotion1: Check index, fix out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sat, 9 Jun 2012 17:02:31 +0000 (19:02 +0200)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Release notes for 0.5.9
  Update changelog for 0.5.9 release

Conflicts:
RELEASE

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release notes for 0.5.9
Reinhard Tartler [Sat, 9 Jun 2012 10:12:52 +0000 (12:12 +0200)]
Release notes for 0.5.9

7 years ago Update changelog for 0.5.9 release
Derek Buitenhuis [Fri, 8 Jun 2012 19:41:31 +0000 (15:41 -0400)]
Update changelog for 0.5.9 release

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Mon, 4 Jun 2012 10:29:16 +0000 (12:29 +0200)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Bump version number for 0.5.9 release.
  png: check bit depth for PAL8/Y400A pixel formats.
  tqi: Pass errors from the MB decoder
  eatqi: move "block" variable into context to ensure sufficient alignment for idct_put for compilers/architectures that can not align stack variables that much. This is also consistent with similar code in eatgq.c
  ea: check chunk_size for validity.
  vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>
  mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
  mingw32: properly check if vfw capture is supported by the system headers
  Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>
  configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.
  qdm2: clip array indices returned by qdm2_get_vlc().
  kmvc: Check palsize.
  adpcm: ADPCM Electronic Arts has always two channels
  h264: Add check for invalid chroma_format_idc
  dpcm: ignore extra unpaired bytes in stereo streams.

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Bump version number for 0.5.9 release.
Reinhard Tartler [Sun, 3 Jun 2012 20:42:30 +0000 (22:42 +0200)]
Bump version number for 0.5.9 release.

7 years ago png: check bit depth for PAL8/Y400A pixel formats.
Reinhard Tartler [Sun, 3 Jun 2012 17:35:50 +0000 (19:35 +0200)]
png: check bit depth for PAL8/Y400A pixel formats.

Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 33f93005f1a86c108302b4c5978aa1a3d8e092cc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4c8c2660bd9252775c9a1dc2e2f36cb34718595a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:

libavcodec/pngdec.c

7 years ago tqi: Pass errors from the MB decoder
Michael Niedermayer [Mon, 19 Dec 2011 03:13:37 +0000 (04:13 +0100)]
tqi: Pass errors from the MB decoder

This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2f2fd8c6d1c51a6b817e6c0bc4eff308b8f9cd18)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c3edce42704142f4c66954e9f24d7fbf0e5ae423)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago eatqi: move "block" variable into context to ensure sufficient alignment for
Reimar Döffinger [Sun, 24 May 2009 09:14:19 +0000 (09:14 +0000)]
eatqi: move "block" variable into context to ensure sufficient alignment for
idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c

Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce6366189eebf9956f826dfd92d9e64d9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago ea: check chunk_size for validity.
Ronald S. Bultje [Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)]
ea: check chunk_size for validity.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e74bc64dd376c4691a610ba62a66ed30affc97ec)

Conflicts:

libavformat/electronicarts.c
(cherry picked from commit 38c45adfca299e3d96c07a700032695ec7ff2aeb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vfwcap: Include windows.h before vfw.h since the latter requires defines from the...
kemuri [Sat, 23 Jan 2010 20:58:29 +0000 (20:58 +0000)]
vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>

Originally committed as revision 21411 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 420755dd282a913c2163d5589706d6a99a18d10f)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
Ramiro Polla [Sun, 11 Jul 2010 22:31:41 +0000 (22:31 +0000)]
mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one

Originally committed as revision 24204 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit e26011d0f495de1148b8014995cbe923611b6b76)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago mingw32: properly check if vfw capture is supported by the system headers
Ramiro Polla [Sun, 11 Jul 2010 22:17:17 +0000 (22:17 +0000)]
mingw32: properly check if vfw capture is supported by the system headers

Remove check for a specific w32api version, checking instead if vfw.h
supports vfw capture. The defines in w32api 3.12 were wrong, so this must be
accounted for in the check.

Originally committed as revision 24203 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec1ee802a2e1cb3317bd44851cc28f95b5916051)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

configure

7 years ago Replace every usage of -lvfw32 with what is particularly necessary for that case...
kemuri [Sat, 23 Jan 2010 20:42:00 +0000 (20:42 +0000)]
Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>

Originally committed as revision 21410 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit a1b3c5a377976d21b9daa878265c6eada24c2543)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

configure

7 years ago configure: properly check for mingw-w64 through installed headers. mingw-w64 can...
Ramiro Polla [Sat, 10 Jul 2010 04:08:02 +0000 (04:08 +0000)]
configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.

Originally committed as revision 24156 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a4307d6307516d333ce2cde2a2ffa0f50bc176c)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
7 years ago qdm2: clip array indices returned by qdm2_get_vlc().
Ronald S. Bultje [Wed, 2 May 2012 16:12:46 +0000 (16:12 +0000)]
qdm2: clip array indices returned by qdm2_get_vlc().

Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

libavcodec/qdm2.c

7 years ago kmvc: Check palsize.
Alex Converse [Thu, 26 Jan 2012 16:30:49 +0000 (17:30 +0100)]
kmvc: Check palsize.

Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
(cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e7392dc349291eb94379d8cfb7ef73d32a768858)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago adpcm: ADPCM Electronic Arts has always two channels
Janne Grunau [Thu, 5 Jan 2012 19:50:55 +0000 (20:50 +0100)]
adpcm: ADPCM Electronic Arts has always two channels

Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Addresses CVE-2012-0852

(cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716)

Conflicts:

libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b581580bd1cc8506befa65b0a5c9ae429240f21f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a0f58c3a605b8123039628d1598cb36f1da0e815)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago h264: Add check for invalid chroma_format_idc
Alexander Strange [Sat, 24 Mar 2012 21:32:14 +0000 (17:32 -0400)]
h264: Add check for invalid chroma_format_idc

Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c5f7c755cfccd7aa01010a2d566104c2b0fa6d86)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00d2c432581cf61326973a1a48f2e63690b65515)

7 years ago dpcm: ignore extra unpaired bytes in stereo streams.
Alex Converse [Fri, 17 Feb 2012 22:13:40 +0000 (14:13 -0800)]
dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)

Conflicts:

libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 41f1f146c9e29dde63e293078819474c9b8111a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago dsp: fix diff_bytes_mmx() with small width n0.5.9
Michael Niedermayer [Sat, 17 Mar 2012 19:45:45 +0000 (20:45 +0100)]
dsp: fix diff_bytes_mmx() with small width

Fixes Ticket1068

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)

7 years ago mmdemux: don't set pkt->size to an invalid value.
Michael Niedermayer [Thu, 22 Mar 2012 23:49:00 +0000 (00:49 +0100)]
mmdemux: don't set pkt->size to an invalid value.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c97fd336e17535239ab44d755a0d957dc2688f3)

7 years ago h261: check mtype.
Michael Niedermayer [Fri, 2 Mar 2012 14:58:14 +0000 (15:58 +0100)]
h261: check mtype.

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585)

7 years ago 4xmdemux: Check chunk size
Michael Niedermayer [Mon, 16 Apr 2012 12:30:33 +0000 (14:30 +0200)]
4xmdemux: Check chunk size

Fixes over reading the header array

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904f766b6989fe614c3fb093e697c847f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago fix release number
Michael Niedermayer [Fri, 11 May 2012 20:37:20 +0000 (22:37 +0200)]
fix release number

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Fri, 11 May 2012 20:02:11 +0000 (22:02 +0200)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Bump version number for 0.5.8 release.
  Release notes and changelog for 0.5.7
  vqavideo: return error if image size is not a multiple of block size
  motionpixels: Clip YUV values after applying a gradient.
  mjpegbdec: Fix overflow in SOS.
  atrac3: Fix crash in tonal component decoding.
  dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
  dv: Fix null pointer dereference due to ach=0
  dv: check stype
  nsvdec: Propagate errors
  nsvdec: Be more careful with av_malloc().
  nsvdec: Fix use of uninitialized streams.

Conflicts:
libavcodec/atrac3.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Bump version number for 0.5.8 release.
Reinhard Tartler [Thu, 10 May 2012 18:21:51 +0000 (20:21 +0200)]
Bump version number for 0.5.8 release.

7 years ago Release notes and changelog for 0.5.7
Reinhard Tartler [Thu, 10 May 2012 18:15:51 +0000 (20:15 +0200)]
Release notes and changelog for 0.5.7

7 years ago vqavideo: return error if image size is not a multiple of block size
Mans Rullgard [Mon, 23 Apr 2012 12:16:33 +0000 (13:16 +0100)]
vqavideo: return error if image size is not a multiple of block size

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c90da45d5a7a4045dbf22fba52c63ef55d207269)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago motionpixels: Clip YUV values after applying a gradient.
Alex Converse [Wed, 2 May 2012 19:08:03 +0000 (12:08 -0700)]
motionpixels: Clip YUV values after applying a gradient.

Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2134e7f6e88959513ba1713ad6fd7a7c8d5a0f41)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago mjpegbdec: Fix overflow in SOS.
Alex Converse [Wed, 25 Jan 2012 21:39:24 +0000 (13:39 -0800)]
mjpegbdec: Fix overflow in SOS.

Based in part on a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ca010f20965ef71d97a53e871edae2eb9c05a5f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago atrac3: Fix crash in tonal component decoding.
Michael Niedermayer [Sat, 17 Dec 2011 02:18:58 +0000 (03:18 +0100)]
atrac3: Fix crash in tonal component decoding.

Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 224025d852dcc42f752c0922fef7121808d1e42f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Alex Converse [Thu, 26 Jan 2012 23:08:26 +0000 (15:08 -0800)]
dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.

Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00fa6ffe1a0b252d6a81815e51f125225cd0b97a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a8f4db0acd9b588ba33e3b8c0c21feea5916cfd1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago dv: Fix null pointer dereference due to ach=0
Michael Niedermayer [Tue, 24 Jan 2012 16:51:40 +0000 (17:51 +0100)]
dv: Fix null pointer dereference due to ach=0

dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 44e182d41e3a73548f3f5e8445ec428d3846e6d6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b46141b0d1d7efb74dad172b7c1b52413441592f)

Conflicts:

libavformat/dv.c

7 years ago dv: check stype
Michael Niedermayer [Tue, 24 Jan 2012 16:48:23 +0000 (17:48 +0100)]
dv: check stype

dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bb737d381f6d6413899a0697f426fb082eac66fc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 38421f27b3899a930552750fe1e0dffd45b71b8e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago nsvdec: Propagate errors
Alex Converse [Fri, 27 Jan 2012 01:23:09 +0000 (17:23 -0800)]
nsvdec: Propagate errors

Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)

Conflicts:

libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3253dd2b420583a7f10afa87e47b9cb73e950e2a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago nsvdec: Be more careful with av_malloc().
Alex Converse [Fri, 27 Jan 2012 01:21:46 +0000 (17:21 -0800)]
nsvdec: Be more careful with av_malloc().

Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c81c37d8a3de424de3db14078ae84333)

Conflicts:

libavformat/nsvdec.c

7 years ago nsvdec: Fix use of uninitialized streams.
Michael Niedermayer [Tue, 24 Jan 2012 21:20:26 +0000 (22:20 +0100)]
nsvdec: Fix use of uninitialized streams.

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1edf848a81464afd514afbbbcb97b471d334e14a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Mon, 2 Apr 2012 00:25:43 +0000 (02:25 +0200)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  id3v2: fix skipping extended header in id3v2.4

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago id3v2: fix skipping extended header in id3v2.4
Anton Khirnov [Sat, 31 Mar 2012 05:52:42 +0000 (07:52 +0200)]
id3v2: fix skipping extended header in id3v2.4

In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)

Conflicts:

libavformat/id3v2.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
7 years ago update for 0.5.8 n0.5.8
Michael Niedermayer [Thu, 12 Jan 2012 21:19:09 +0000 (22:19 +0100)]
update for 0.5.8

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago atrac3: Fix crash in tonal component decoding.
Michael Niedermayer [Sat, 17 Dec 2011 02:18:58 +0000 (03:18 +0100)]
atrac3: Fix crash in tonal component decoding.
Fixes Ticket780
Bug Found by: cosminamironesei

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Thu, 12 Jan 2012 21:14:01 +0000 (22:14 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Release notes and changelog for 0.5.7
  Bump version number for 0.5.7 release.
  vorbis: An additional defense in the Vorbis codec.
  vorbisdec: Fix decoding bug with channel handling

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release notes and changelog for 0.5.7
Reinhard Tartler [Tue, 10 Jan 2012 21:22:05 +0000 (22:22 +0100)]
Release notes and changelog for 0.5.7

7 years ago Bump version number for 0.5.7 release.
Reinhard Tartler [Tue, 10 Jan 2012 20:23:27 +0000 (21:23 +0100)]
Bump version number for 0.5.7 release.

7 years ago vorbis: An additional defense in the Vorbis codec.
Chris Evans [Thu, 5 Jan 2012 20:25:41 +0000 (21:25 +0100)]
vorbis: An additional defense in the Vorbis codec.

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3)

Conflicts:

libavcodec/vorbis_dec.c
(cherry picked from commit a5e0afe3c936220a793db0cdae04bb228f1904e0)

Conflicts:

libavcodec/vorbis_dec.c

7 years ago vorbisdec: Fix decoding bug with channel handling
Reinhard Tartler [Thu, 5 Jan 2012 20:40:18 +0000 (21:40 +0100)]
vorbisdec: Fix decoding bug with channel handling

Fixes Bug: #191
Chromium Bug: #101458
CVE-2011-3895

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 97f23c72a3815739ab28e297ce60f943349f6939)

Conflicts:

libavcodec/vorbis_dec.c
(cherry picked from commit 42f0a6696889ba275aa2087b57fa99f7a97033a0)

Conflicts:

libavcodec/vorbis_dec.c

7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sun, 8 Jan 2012 04:03:35 +0000 (05:03 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
  vorbis: Avoid some out-of-bounds reads
  vp3: fix oob read for negative tokens and memleaks on error.

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago matroskadec: Fix a bug where a pointer was cached to an array that might later move...
Chris Evans [Thu, 5 Jan 2012 20:19:30 +0000 (21:19 +0100)]
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()

Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1f625431e2bb9564760fba3ab8077ae07ce7c7a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 90a4a467477be8c292daa08a9516ee78ca0d517b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vorbis: Avoid some out-of-bounds reads
Chris Evans [Thu, 5 Jan 2012 20:25:41 +0000 (21:25 +0100)]
vorbis: Avoid some out-of-bounds reads

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6d6254ba9fbb22260939c06db1faed5bbd295ad4)

Conflicts:

libavcodec/vorbis.c

7 years ago vp3: fix oob read for negative tokens and memleaks on error.
Ronald S. Bultje [Sat, 29 Oct 2011 06:50:04 +0000 (23:50 -0700)]
vp3: fix oob read for negative tokens and memleaks on error.

(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)

Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892

Removed the parts that are related to multi-threading, which is not
included before 0.7.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)

Conflicts:

libavcodec/vp3.c
(cherry picked from commit c9c7db0af2a0fc14764a07f0e61cebf11238e3c2)

Conflicts:

libavcodec/vp3.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Update for 0.5.7 n0.5.7
Michael Niedermayer [Sun, 25 Dec 2011 20:43:56 +0000 (21:43 +0100)]
Update for 0.5.7

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sun, 25 Dec 2011 19:19:13 +0000 (20:19 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Release notes and changelog for 0.5.6

Conflicts:
RELEASE

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release notes and changelog for 0.5.6
Reinhard Tartler [Sun, 25 Dec 2011 08:55:45 +0000 (09:55 +0100)]
Release notes and changelog for 0.5.6

7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sat, 24 Dec 2011 23:53:49 +0000 (00:53 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Bump version number for 0.5.6 release.
  svq1dec: call avcodec_set_dimensions() after dimensions changed.
  vmd: fix segfaults on corrupted streams
  vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
  Plug some memory leaks in the VP6 decoder
  vp6: Reset the internal state when aborting key frames header parsing
  vp6: Fix illegal read.
  vp6: Fix illegal read.
  Fix out of bound reads in the QDM2 decoder.
  Check for out of bound writes in the QDM2 decoder.
  qdm2: check output buffer size before decoding
  Fix qdm2 decoder packet handling to match the api

Conflicts:
libavcodec/qdm2.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Bump version number for 0.5.6 release.
Reinhard Tartler [Sat, 24 Dec 2011 15:32:06 +0000 (16:32 +0100)]
Bump version number for 0.5.6 release.

7 years ago svq1dec: call avcodec_set_dimensions() after dimensions changed.
Michael Niedermayer [Fri, 18 Nov 2011 18:10:21 +0000 (19:10 +0100)]
svq1dec: call avcodec_set_dimensions() after dimensions changed.

Fixes NGS00148, CVE-2011-4579

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0eca0da06e40b73af495cc05fbcfaa030fcf78ea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8ddc0b491d3c9c11c1e3d638fda51b4b604d32f4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vmd: fix segfaults on corrupted streams
Laurent Aimar [Sun, 11 Sep 2011 17:17:45 +0000 (19:17 +0200)]
vmd: fix segfaults on corrupted streams

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b99366faef3a1ed4a34c9b37107f2c8c24702813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: partially propagate huffman tree building errors during coeff model parsing...
Dustin Brody [Tue, 16 Aug 2011 20:46:34 +0000 (16:46 -0400)]
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7367cbec1b8cf0cbb49707fb0fdfded8ec397b0d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 201fcfb89482c6f73d6b679a294aac8da9612bbd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Plug some memory leaks in the VP6 decoder
Vitor Sessak [Wed, 3 Mar 2010 17:24:32 +0000 (17:24 +0000)]
Plug some memory leaks in the VP6 decoder

Originally committed as revision 22172 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a41faa9a77dc83d8d933e99f1ba902ecd146e79)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Reset the internal state when aborting key frames header parsing
Laurent Aimar [Fri, 23 Sep 2011 20:36:11 +0000 (22:36 +0200)]
vp6: Reset the internal state when aborting key frames header parsing

It prevents leaving the state only half initialized.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0dee0890e39636ddebd2707ab3ea5b8de)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e28bb18fdc894dfdc1befa9f5e748ccb649a8c76)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Fix illegal read.
Thierry Foucu [Thu, 17 Nov 2011 17:39:52 +0000 (09:39 -0800)]
vp6: Fix illegal read.

Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ba4b08b78918f399f9c9524750b26e904d146078)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 94aacaf5083313378c6105bd71db04ce8f62c058)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Fix illegal read.
Alex Converse [Thu, 3 Nov 2011 22:55:52 +0000 (15:55 -0700)]
vp6: Fix illegal read.

(cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 67a7ed623b678a84c992dd7bf3e3d0329f83621b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8d68083298e2481669de4db0b7b86c915119df6d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix out of bound reads in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:04 +0000 (00:45 +0200)]
Fix out of bound reads in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5a19acb17ceb71657b0eec51dac651953520e5c8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0d93d5c4614fafea74bdac681673f5b32eb49063)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Check for out of bound writes in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:05 +0000 (00:45 +0200)]
Check for out of bound writes in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 291d74a46d32183653db07818c7b3407fd50a288)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago qdm2: check output buffer size before decoding
Justin Ruggles [Wed, 14 Sep 2011 17:57:04 +0000 (13:57 -0400)]
qdm2: check output buffer size before decoding

(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 73472053516f82b7d273a3d42c583f894077a191)

Conflicts:

libavcodec/qdm2.c
(cherry picked from commit cfb9b47a1ecdc9e88e6561aa213d98245ee70267)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix qdm2 decoder packet handling to match the api
Baptiste Coudurier [Fri, 19 Nov 2010 06:52:30 +0000 (06:52 +0000)]
Fix qdm2 decoder packet handling to match the api

Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit b26c1a8b7ed1a199b19f92bb5d62c61f1c149215)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago update for 0.5.6 n0.5.6
Michael Niedermayer [Mon, 21 Nov 2011 21:22:04 +0000 (22:22 +0100)]
update for 0.5.6

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago svq1dec: call avcodec_set_dimensions() after dimensions changed.
Michael Niedermayer [Fri, 18 Nov 2011 18:10:21 +0000 (19:10 +0100)]
svq1dec: call avcodec_set_dimensions() after dimensions changed.
Fixes NGS00148

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4931c8f0f10bf8dedcf626104a6b85bfefadc6f2)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 661ee45f8881bb551eb403472e60c38a7c2818aa)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qdm2dec: fix buffer overflow.
Michael Niedermayer [Fri, 18 Nov 2011 16:48:31 +0000 (17:48 +0100)]
qdm2dec: fix buffer overflow.
Fixes NGS00144

This also adds a few lines of code from master that are needed for this fix.

Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a6a61a6d1d4da219a6fe29250e2a6b28f9d05524)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones()
Michael Niedermayer [Fri, 18 Nov 2011 16:56:24 +0000 (17:56 +0100)]
qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones()
This is necessary but likely not sufficient to prevent out of array reads.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 14db3af4f26dad8e6ddf2147e96ccc710952ad4d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8120a1d9bd4bcc4434b4f588f50c9d81aa8ad0e0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago cinepak: check strip_size
Michael Niedermayer [Wed, 16 Nov 2011 16:21:42 +0000 (17:21 +0100)]
cinepak: check strip_size

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cea0c82d9b9771dfa2ac729c13c0d9e03ea352a7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 211a107208ee636da81d2a89592181e2d78a0c8c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago wma: Check channel number before init.
Michael Niedermayer [Wed, 16 Nov 2011 02:31:25 +0000 (03:31 +0100)]
wma: Check channel number before init.
Fixes Ticket240

Based on patch by ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 20431a9982b9bd2c475042d919890a941ad70c71)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago vp5: Fix illegal read.
Alex Converse [Thu, 17 Nov 2011 18:06:14 +0000 (10:06 -0800)]
vp5: Fix illegal read.

Found with Address Sanitizer
(cherry picked from commit bb4b0ad83b13c3af57675e80163f3f333adef96f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f62fa1ce9f12e4a43b41401a7416c6fa8da579c9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago vp6: Fix illegal read.
Thierry Foucu [Thu, 17 Nov 2011 17:39:52 +0000 (09:39 -0800)]
vp6: Fix illegal read.

Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8a63deab15ef41fd439be1b46d8dcb73669ccfc1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago 0.5: some updates. n0.5.5
Michael Niedermayer [Sun, 6 Nov 2011 19:57:55 +0000 (20:57 +0100)]
0.5: some updates.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago resample: Fix array size
Michael Niedermayer [Thu, 27 Oct 2011 13:26:45 +0000 (15:26 +0200)]
resample: Fix array size

Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3e7db0a9ee758bf0570a141be1fea64f8d9c03db)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit edf3c5a3ebeee8df55c6a05f88a682091f10a364)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago resample2: fix potential overflow
Michael Niedermayer [Thu, 27 Oct 2011 12:34:45 +0000 (14:34 +0200)]
resample2: fix potential overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a39b5e8b323785695fb0e3c0f30bd9e24287db87)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago resample: Fix overflow
Michael Niedermayer [Thu, 27 Oct 2011 12:31:53 +0000 (14:31 +0200)]
resample: Fix overflow

Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ae93d030476ddd7fa2ab4d9d2dd25df85725390)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago matroskadec: fix out of bounds write
Ronald S. Bultje [Fri, 14 Oct 2011 22:03:55 +0000 (00:03 +0200)]
matroskadec: fix out of bounds write

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 723229c11f1400e6a09c8a1c9c27193f376eb1d1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d51c7b4cbe022f6b3b026735dc7e29eb50bbf129)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mem: fix memalign hack av_realloc()
Michael Niedermayer [Tue, 11 Oct 2011 20:03:19 +0000 (22:03 +0200)]
mem: fix memalign hack av_realloc()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc11927890f38445a950b453d24928525da0e61a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ae87280e219e843c71201c580780e8e30083559)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qtrle: check for out of bound writes.
Laurent Aimar [Sat, 8 Oct 2011 21:40:36 +0000 (23:40 +0200)]
qtrle: check for out of bound writes.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a65045915f5b4ec6da73df54d1914b320a861223)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qtrle: check for invalid line offset
Laurent Aimar [Sat, 8 Oct 2011 21:01:33 +0000 (23:01 +0200)]
qtrle: check for invalid line offset

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a4ed7c3fe9f99b89f86b65710d8855dc572f1a25)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 67c46b9b3027fdd9fd737e21a80d3326748b1c15)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago vqa: fix double free on corrupted streams
Laurent Aimar [Sat, 8 Oct 2011 21:40:37 +0000 (23:40 +0200)]
vqa: fix double free on corrupted streams

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e3123856c79c36507772ada1bcda6cfe36a1e297)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mpc7: return error if packet is too small.
Justin Ruggles [Wed, 14 Sep 2011 15:16:42 +0000 (11:16 -0400)]
mpc7: return error if packet is too small.
(cherry picked from commit 8290d1f38b438f1b070de67645c8b4a42014c7ac)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 490617b6ffa13f8e49a196a752f927d5ebad6e2b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mpc7: check output buffer size before decoding
Justin Ruggles [Tue, 13 Sep 2011 22:53:18 +0000 (18:53 -0400)]
mpc7: check output buffer size before decoding
(cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b833859daa4eb8fe0ec9117859b21a734905b895)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264: do not let invalid values in h->ref_count after a decoder reset.
Laurent Aimar [Tue, 4 Oct 2011 20:13:58 +0000 (22:13 +0200)]
h264: do not let invalid values in h->ref_count after a decoder reset.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0333d234b0355b375762447e93674e3fe3c5bff1)
(cherry picked from commit f74d1c6de7ef810544edae947db1eb1e2c7b6361)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264: fix the check for invalid SPS:num_ref_frames.
Laurent Aimar [Sun, 2 Oct 2011 14:06:38 +0000 (16:06 +0200)]
h264: fix the check for invalid SPS:num_ref_frames.

This patch set the limit to 16.

For information, those previous commits:
41f7e2d11d2dca23842ee89d530ca9fa15cec9d8
5cbb0e70a0a2ee99eb3cb09e837b9a1f7355b9bc
assumed it was either 30 or 32.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bcf881a6858760ecbd9ff4352a38813dc4232dd6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reorde...
Laurent Aimar [Sun, 2 Oct 2011 14:06:37 +0000 (16:06 +0200)]
h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2428b53f6d306d8d71dec34fa7b0af733d76cfac)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bound accesses in the 4xm decoder.
Laurent Aimar [Sat, 1 Oct 2011 22:38:27 +0000 (00:38 +0200)]
Check for out of bound accesses in the 4xm decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9c661e952fbcbf044709f9a7031c68cc4860336b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Prevent block size from increasing in the shorten decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:43:05 +0000 (00:43 +0200)]
Prevent block size from increasing in the shorten decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b399cbfba5d901608c18e1a2d48a24c30541a634)
(cherry picked from commit 55a96a984ec65736475a8577a158abc5c48fd50a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bound writes in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:05 +0000 (00:45 +0200)]
Check for out of bound writes in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4a7876c6e4e62e94d51e364ba99aae4da7671238)
(cherry picked from commit b08df314dca6946ed644caacb9d3a533a054c0f6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bound writes in the avs demuxer.
Laurent Aimar [Fri, 30 Sep 2011 22:44:55 +0000 (00:44 +0200)]
Check for out of bound writes in the avs demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d44c061cf511d97be5fac8d76be2f3915c6e798)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for corrupted data in avs demuxer.
Laurent Aimar [Fri, 30 Sep 2011 22:44:54 +0000 (00:44 +0200)]
Check for corrupted data in avs demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1cce7def0a8eff2e7db294b7d195a0fb1a5043b0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Fix out of bound writes in fix_bitshift() of the shorten decoder.
Laurent Aimar [Thu, 29 Sep 2011 22:05:53 +0000 (00:05 +0200)]
Fix out of bound writes in fix_bitshift() of the shorten decoder.

The data pointers s->decoded[*] already take into account s->nwrap.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f42b3195d3f2692a4dfc0a8668bb4ac35301f2ed)
(cherry picked from commit 107ea3057eb8de8a38c45c2f7181c42ea694b187)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bounds writes in the Delphine Software International CIN decoder.
Laurent Aimar [Thu, 29 Sep 2011 22:05:51 +0000 (00:05 +0200)]
Check for out of bounds writes in the Delphine Software International CIN decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3035c4034b6af3ad47f921e3385196e1b9d44ddf)
(cherry picked from commit 6e774cf67e6f30feb9b3dec11713d6b6dc0b521c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for invalid update parameters in vmd video decoder.
Laurent Aimar [Sat, 24 Sep 2011 21:16:18 +0000 (23:16 +0200)]
Check for invalid update parameters in vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7aed1280ea14b60fceae04d71dfd03e1daf2d04)
(cherry picked from commit 1ed90c84f6ab75af91b08436cefb8ea464f8495b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release old pictures after a resolution change in vp5/6 decoder
Laurent Aimar [Wed, 21 Sep 2011 18:46:33 +0000 (20:46 +0200)]
Release old pictures after a resolution change in vp5/6 decoder

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dba20b84784a7931b7eac50ced1d43e86801bde9)
(cherry picked from commit c9c6e5f4e8680b7b7801dd6943590ae9cd6bfd89)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>