ffmpeg.git
7 years ago update for 0.5.8 (tag: n0.5.8)
Michael Niedermayer [Thu, 12 Jan 2012 21:19:09 +0000 (22:19 +0100)]
update for 0.5.8

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago atrac3: Fix crash in tonal component decoding.
Michael Niedermayer [Sat, 17 Dec 2011 02:18:58 +0000 (03:18 +0100)]
atrac3: Fix crash in tonal component decoding.
Fixes Ticket780
Bug Found by: cosminamironesei

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Thu, 12 Jan 2012 21:14:01 +0000 (22:14 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Release notes and changelog for 0.5.7
  Bump version number for 0.5.7 release.
  vorbis: An additional defense in the Vorbis codec.
  vorbisdec: Fix decoding bug with channel handling

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release notes and changelog for 0.5.7
Reinhard Tartler [Tue, 10 Jan 2012 21:22:05 +0000 (22:22 +0100)]
Release notes and changelog for 0.5.7

7 years ago Bump version number for 0.5.7 release.
Reinhard Tartler [Tue, 10 Jan 2012 20:23:27 +0000 (21:23 +0100)]
Bump version number for 0.5.7 release.

7 years ago vorbis: An additional defense in the Vorbis codec.
Chris Evans [Thu, 5 Jan 2012 20:25:41 +0000 (21:25 +0100)]
vorbis: An additional defense in the Vorbis codec.

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3)

Conflicts:

libavcodec/vorbis_dec.c
(cherry picked from commit a5e0afe3c936220a793db0cdae04bb228f1904e0)

Conflicts:

libavcodec/vorbis_dec.c

7 years ago vorbisdec: Fix decoding bug with channel handling
Reinhard Tartler [Thu, 5 Jan 2012 20:40:18 +0000 (21:40 +0100)]
vorbisdec: Fix decoding bug with channel handling

Fixes Bug: #191
Chromium Bug: #101458
CVE-2011-3895

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 97f23c72a3815739ab28e297ce60f943349f6939)

Conflicts:

libavcodec/vorbis_dec.c
(cherry picked from commit 42f0a6696889ba275aa2087b57fa99f7a97033a0)

Conflicts:

libavcodec/vorbis_dec.c

7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sun, 8 Jan 2012 04:03:35 +0000 (05:03 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
  vorbis: Avoid some out-of-bounds reads
  vp3: fix oob read for negative tokens and memleaks on error.

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago matroskadec: Fix a bug where a pointer was cached to an array that might later move...
Chris Evans [Thu, 5 Jan 2012 20:19:30 +0000 (21:19 +0100)]
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()

Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1f625431e2bb9564760fba3ab8077ae07ce7c7a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 90a4a467477be8c292daa08a9516ee78ca0d517b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vorbis: Avoid some out-of-bounds reads
Chris Evans [Thu, 5 Jan 2012 20:25:41 +0000 (21:25 +0100)]
vorbis: Avoid some out-of-bounds reads

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6d6254ba9fbb22260939c06db1faed5bbd295ad4)

Conflicts:

libavcodec/vorbis.c

7 years ago vp3: fix oob read for negative tokens and memleaks on error.
Ronald S. Bultje [Sat, 29 Oct 2011 06:50:04 +0000 (23:50 -0700)]
vp3: fix oob read for negative tokens and memleaks on error.

(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)

Fixes: #189
Chromium-Bug: 101172,100465
CVE-2011-3892

Removed the parts that are related to multi-threading, which is not
included before 0.7.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)

Conflicts:

libavcodec/vp3.c
(cherry picked from commit c9c7db0af2a0fc14764a07f0e61cebf11238e3c2)

Conflicts:

libavcodec/vp3.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Update for 0.5.7 (tag: n0.5.7)
Michael Niedermayer [Sun, 25 Dec 2011 20:43:56 +0000 (21:43 +0100)]
Update for 0.5.7

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sun, 25 Dec 2011 19:19:13 +0000 (20:19 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Release notes and changelog for 0.5.6

Conflicts:
RELEASE

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release notes and changelog for 0.5.6
Reinhard Tartler [Sun, 25 Dec 2011 08:55:45 +0000 (09:55 +0100)]
Release notes and changelog for 0.5.6

7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sat, 24 Dec 2011 23:53:49 +0000 (00:53 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Bump version number for 0.5.6 release.
  svq1dec: call avcodec_set_dimensions() after dimensions changed.
  vmd: fix segfaults on corrupted streams
  vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
  Plug some memory leaks in the VP6 decoder
  vp6: Reset the internal state when aborting key frames header parsing
  vp6: Fix illegal read.
  vp6: Fix illegal read.
  Fix out of bound reads in the QDM2 decoder.
  Check for out of bound writes in the QDM2 decoder.
  qdm2: check output buffer size before decoding
  Fix qdm2 decoder packet handling to match the api

Conflicts:
libavcodec/qdm2.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Bump version number for 0.5.6 release.
Reinhard Tartler [Sat, 24 Dec 2011 15:32:06 +0000 (16:32 +0100)]
Bump version number for 0.5.6 release.

7 years ago svq1dec: call avcodec_set_dimensions() after dimensions changed.
Michael Niedermayer [Fri, 18 Nov 2011 18:10:21 +0000 (19:10 +0100)]
svq1dec: call avcodec_set_dimensions() after dimensions changed.

Fixes NGS00148, CVE-2011-4579

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0eca0da06e40b73af495cc05fbcfaa030fcf78ea)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8ddc0b491d3c9c11c1e3d638fda51b4b604d32f4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vmd: fix segfaults on corrupted streams
Laurent Aimar [Sun, 11 Sep 2011 17:17:45 +0000 (19:17 +0200)]
vmd: fix segfaults on corrupted streams

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b99366faef3a1ed4a34c9b37107f2c8c24702813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: partially propagate huffman tree building errors during coeff model parsing...
Dustin Brody [Tue, 16 Aug 2011 20:46:34 +0000 (16:46 -0400)]
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7367cbec1b8cf0cbb49707fb0fdfded8ec397b0d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 201fcfb89482c6f73d6b679a294aac8da9612bbd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Plug some memory leaks in the VP6 decoder
Vitor Sessak [Wed, 3 Mar 2010 17:24:32 +0000 (17:24 +0000)]
Plug some memory leaks in the VP6 decoder

Originally committed as revision 22172 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a41faa9a77dc83d8d933e99f1ba902ecd146e79)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Reset the internal state when aborting key frames header parsing
Laurent Aimar [Fri, 23 Sep 2011 20:36:11 +0000 (22:36 +0200)]
vp6: Reset the internal state when aborting key frames header parsing

It prevents leaving the state only half initialized.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c76505e0dee0890e39636ddebd2707ab3ea5b8de)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e28bb18fdc894dfdc1befa9f5e748ccb649a8c76)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Fix illegal read.
Thierry Foucu [Thu, 17 Nov 2011 17:39:52 +0000 (09:39 -0800)]
vp6: Fix illegal read.

Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ba4b08b78918f399f9c9524750b26e904d146078)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 94aacaf5083313378c6105bd71db04ce8f62c058)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago vp6: Fix illegal read.
Alex Converse [Thu, 3 Nov 2011 22:55:52 +0000 (15:55 -0700)]
vp6: Fix illegal read.

(cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 67a7ed623b678a84c992dd7bf3e3d0329f83621b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8d68083298e2481669de4db0b7b86c915119df6d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix out of bound reads in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:04 +0000 (00:45 +0200)]
Fix out of bound reads in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5a19acb17ceb71657b0eec51dac651953520e5c8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0d93d5c4614fafea74bdac681673f5b32eb49063)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Check for out of bound writes in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:05 +0000 (00:45 +0200)]
Check for out of bound writes in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 291d74a46d32183653db07818c7b3407fd50a288)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago qdm2: check output buffer size before decoding
Justin Ruggles [Wed, 14 Sep 2011 17:57:04 +0000 (13:57 -0400)]
qdm2: check output buffer size before decoding

(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 73472053516f82b7d273a3d42c583f894077a191)

Conflicts:

libavcodec/qdm2.c
(cherry picked from commit cfb9b47a1ecdc9e88e6561aa213d98245ee70267)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix qdm2 decoder packet handling to match the api
Baptiste Coudurier [Fri, 19 Nov 2010 06:52:30 +0000 (06:52 +0000)]
Fix qdm2 decoder packet handling to match the api

Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit b26c1a8b7ed1a199b19f92bb5d62c61f1c149215)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago update for 0.5.6 (tag: n0.5.6)
Michael Niedermayer [Mon, 21 Nov 2011 21:22:04 +0000 (22:22 +0100)]
update for 0.5.6

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago svq1dec: call avcodec_set_dimensions() after dimensions changed.
Michael Niedermayer [Fri, 18 Nov 2011 18:10:21 +0000 (19:10 +0100)]
svq1dec: call avcodec_set_dimensions() after dimensions changed.
Fixes NGS00148

Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4931c8f0f10bf8dedcf626104a6b85bfefadc6f2)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 661ee45f8881bb551eb403472e60c38a7c2818aa)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qdm2dec: fix buffer overflow.
Michael Niedermayer [Fri, 18 Nov 2011 16:48:31 +0000 (17:48 +0100)]
qdm2dec: fix buffer overflow.
Fixes NGS00144

This also adds a few lines of code from master that are needed for this fix.

Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a6a61a6d1d4da219a6fe29250e2a6b28f9d05524)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones()
Michael Niedermayer [Fri, 18 Nov 2011 16:56:24 +0000 (17:56 +0100)]
qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones()
This is necessary but likely not sufficient to prevent out of array reads.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 14db3af4f26dad8e6ddf2147e96ccc710952ad4d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8120a1d9bd4bcc4434b4f588f50c9d81aa8ad0e0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago cinepak: check strip_size
Michael Niedermayer [Wed, 16 Nov 2011 16:21:42 +0000 (17:21 +0100)]
cinepak: check strip_size

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cea0c82d9b9771dfa2ac729c13c0d9e03ea352a7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 211a107208ee636da81d2a89592181e2d78a0c8c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago wma: Check channel number before init.
Michael Niedermayer [Wed, 16 Nov 2011 02:31:25 +0000 (03:31 +0100)]
wma: Check channel number before init.
Fixes Ticket240

Based on patch by ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 20431a9982b9bd2c475042d919890a941ad70c71)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago vp5: Fix illegal read.
Alex Converse [Thu, 17 Nov 2011 18:06:14 +0000 (10:06 -0800)]
vp5: Fix illegal read.

Found with Address Sanitizer
(cherry picked from commit bb4b0ad83b13c3af57675e80163f3f333adef96f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f62fa1ce9f12e4a43b41401a7416c6fa8da579c9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago vp6: Fix illegal read.
Thierry Foucu [Thu, 17 Nov 2011 17:39:52 +0000 (09:39 -0800)]
vp6: Fix illegal read.

Found with Address Sanitizer

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8a63deab15ef41fd439be1b46d8dcb73669ccfc1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago 0.5: some updates. (tag: n0.5.5)
Michael Niedermayer [Sun, 6 Nov 2011 19:57:55 +0000 (20:57 +0100)]
0.5: some updates.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago resample: Fix array size
Michael Niedermayer [Thu, 27 Oct 2011 13:26:45 +0000 (15:26 +0200)]
resample: Fix array size

Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3e7db0a9ee758bf0570a141be1fea64f8d9c03db)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit edf3c5a3ebeee8df55c6a05f88a682091f10a364)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago resample2: fix potential overflow
Michael Niedermayer [Thu, 27 Oct 2011 12:34:45 +0000 (14:34 +0200)]
resample2: fix potential overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a39b5e8b323785695fb0e3c0f30bd9e24287db87)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago resample: Fix overflow
Michael Niedermayer [Thu, 27 Oct 2011 12:31:53 +0000 (14:31 +0200)]
resample: Fix overflow

Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ae93d030476ddd7fa2ab4d9d2dd25df85725390)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago matroskadec: fix out of bounds write
Ronald S. Bultje [Fri, 14 Oct 2011 22:03:55 +0000 (00:03 +0200)]
matroskadec: fix out of bounds write

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 723229c11f1400e6a09c8a1c9c27193f376eb1d1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d51c7b4cbe022f6b3b026735dc7e29eb50bbf129)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mem: fix memalign hack av_realloc()
Michael Niedermayer [Tue, 11 Oct 2011 20:03:19 +0000 (22:03 +0200)]
mem: fix memalign hack av_realloc()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc11927890f38445a950b453d24928525da0e61a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ae87280e219e843c71201c580780e8e30083559)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qtrle: check for out of bound writes.
Laurent Aimar [Sat, 8 Oct 2011 21:40:36 +0000 (23:40 +0200)]
qtrle: check for out of bound writes.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a65045915f5b4ec6da73df54d1914b320a861223)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago qtrle: check for invalid line offset
Laurent Aimar [Sat, 8 Oct 2011 21:01:33 +0000 (23:01 +0200)]
qtrle: check for invalid line offset

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a4ed7c3fe9f99b89f86b65710d8855dc572f1a25)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 67c46b9b3027fdd9fd737e21a80d3326748b1c15)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago vqa: fix double free on corrupted streams
Laurent Aimar [Sat, 8 Oct 2011 21:40:37 +0000 (23:40 +0200)]
vqa: fix double free on corrupted streams

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e3123856c79c36507772ada1bcda6cfe36a1e297)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mpc7: return error if packet is too small.
Justin Ruggles [Wed, 14 Sep 2011 15:16:42 +0000 (11:16 -0400)]
mpc7: return error if packet is too small.
(cherry picked from commit 8290d1f38b438f1b070de67645c8b4a42014c7ac)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 490617b6ffa13f8e49a196a752f927d5ebad6e2b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago mpc7: check output buffer size before decoding
Justin Ruggles [Tue, 13 Sep 2011 22:53:18 +0000 (18:53 -0400)]
mpc7: check output buffer size before decoding
(cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b833859daa4eb8fe0ec9117859b21a734905b895)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264: do not let invalid values in h->ref_count after a decoder reset.
Laurent Aimar [Tue, 4 Oct 2011 20:13:58 +0000 (22:13 +0200)]
h264: do not let invalid values in h->ref_count after a decoder reset.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0333d234b0355b375762447e93674e3fe3c5bff1)
(cherry picked from commit f74d1c6de7ef810544edae947db1eb1e2c7b6361)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264: fix the check for invalid SPS:num_ref_frames.
Laurent Aimar [Sun, 2 Oct 2011 14:06:38 +0000 (16:06 +0200)]
h264: fix the check for invalid SPS:num_ref_frames.

This patch sets the limit to 16.

For information, those previous commits:
41f7e2d11d2dca23842ee89d530ca9fa15cec9d8
5cbb0e70a0a2ee99eb3cb09e837b9a1f7355b9bc
assumed it was either 30 or 32.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bcf881a6858760ecbd9ff4352a38813dc4232dd6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reorde...
Laurent Aimar [Sun, 2 Oct 2011 14:06:37 +0000 (16:06 +0200)]
h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2428b53f6d306d8d71dec34fa7b0af733d76cfac)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bound accesses in the 4xm decoder.
Laurent Aimar [Sat, 1 Oct 2011 22:38:27 +0000 (00:38 +0200)]
Check for out of bound accesses in the 4xm decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9c661e952fbcbf044709f9a7031c68cc4860336b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Prevent block size from increasing in the shorten decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:43:05 +0000 (00:43 +0200)]
Prevent block size from increasing in the shorten decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b399cbfba5d901608c18e1a2d48a24c30541a634)
(cherry picked from commit 55a96a984ec65736475a8577a158abc5c48fd50a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bound writes in the QDM2 decoder.
Laurent Aimar [Fri, 30 Sep 2011 22:45:05 +0000 (00:45 +0200)]
Check for out of bound writes in the QDM2 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4a7876c6e4e62e94d51e364ba99aae4da7671238)
(cherry picked from commit b08df314dca6946ed644caacb9d3a533a054c0f6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bound writes in the avs demuxer.
Laurent Aimar [Fri, 30 Sep 2011 22:44:55 +0000 (00:44 +0200)]
Check for out of bound writes in the avs demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d44c061cf511d97be5fac8d76be2f3915c6e798)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for corrupted data in avs demuxer.
Laurent Aimar [Fri, 30 Sep 2011 22:44:54 +0000 (00:44 +0200)]
Check for corrupted data in avs demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1cce7def0a8eff2e7db294b7d195a0fb1a5043b0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Fix out of bound writes in fix_bitshift() of the shorten decoder.
Laurent Aimar [Thu, 29 Sep 2011 22:05:53 +0000 (00:05 +0200)]
Fix out of bound writes in fix_bitshift() of the shorten decoder.

The data pointers s->decoded[*] already take into account s->nwrap.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f42b3195d3f2692a4dfc0a8668bb4ac35301f2ed)
(cherry picked from commit 107ea3057eb8de8a38c45c2f7181c42ea694b187)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for out of bounds writes in the Delphine Software International CIN decoder.
Laurent Aimar [Thu, 29 Sep 2011 22:05:51 +0000 (00:05 +0200)]
Check for out of bounds writes in the Delphine Software International CIN decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3035c4034b6af3ad47f921e3385196e1b9d44ddf)
(cherry picked from commit 6e774cf67e6f30feb9b3dec11713d6b6dc0b521c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check for invalid update parameters in vmd video decoder.
Laurent Aimar [Sat, 24 Sep 2011 21:16:18 +0000 (23:16 +0200)]
Check for invalid update parameters in vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7aed1280ea14b60fceae04d71dfd03e1daf2d04)
(cherry picked from commit 1ed90c84f6ab75af91b08436cefb8ea464f8495b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Release old pictures after a resolution change in vp5/6 decoder
Laurent Aimar [Wed, 21 Sep 2011 18:46:33 +0000 (20:46 +0200)]
Release old pictures after a resolution change in vp5/6 decoder

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dba20b84784a7931b7eac50ced1d43e86801bde9)
(cherry picked from commit c9c6e5f4e8680b7b7801dd6943590ae9cd6bfd89)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Check output buffer size in nellymoser decoder.
Laurent Aimar [Wed, 21 Sep 2011 18:46:29 +0000 (20:46 +0200)]
Check output buffer size in nellymoser decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 741ec30bd2385f794efa9fafa84d39a917f2574e)
(cherry picked from commit 533dbaa55b7d45d5ca76f9ed46f5690282f86ea9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago check all svq3_get_ue_golomb() returns.
Michael Niedermayer [Sat, 17 Sep 2011 19:53:21 +0000 (21:53 +0200)]
check all svq3_get_ue_golomb() returns.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 979bea13003ef489d95d2538ac2fb1c26c6f103b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago rv34: check for size mismatch
Michael Niedermayer [Sat, 17 Sep 2011 17:40:25 +0000 (19:40 +0200)]
rv34: check for size mismatch

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 35f38b3ab9d755aede5bce8abbe1cb9c07027f8a)
(cherry picked from commit ed9e561490d70e317659f9e406c7920242e509eb)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Reject audio tracks with invalid interleaver parameters in RM demuxer.
Laurent Aimar [Sat, 17 Sep 2011 14:56:33 +0000 (16:56 +0200)]
Reject audio tracks with invalid interleaver parameters in RM demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4907f813581acd6cf68f1be9eb163464503e8208)
(cherry picked from commit 24e0a9e451e1aae427307a919d78f6790f4e413c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Sun, 6 Nov 2011 00:34:54 +0000 (01:34 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  update version
  Release notes and changelog for 0.5.5
  Fix ff_imdct_calc_sse() on gcc-4.6
  Make DECLARE_ALIGNED macros work with external array specifiers
  Fix MMX rgb24 to yuv conversion with gcc 4.6

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago update version
Reinhard Tartler [Sat, 5 Nov 2011 11:57:22 +0000 (12:57 +0100)]
update version

7 years ago Release notes and changelog for 0.5.5
Reinhard Tartler [Sat, 5 Nov 2011 11:53:16 +0000 (12:53 +0100)]
Release notes and changelog for 0.5.5

7 years ago Fix ff_imdct_calc_sse() on gcc-4.6
Alex Converse [Sun, 30 Jan 2011 09:04:41 +0000 (01:04 -0800)]
Fix ff_imdct_calc_sse() on gcc-4.6

Gcc 4.6 only preserves the first value when using an array with an "m"
constraint.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 770c410fbb8e1b87ce8ad7f3d7eddaa55e2b8295)

Conflicts:

libavcodec/x86/fft_sse.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Make DECLARE_ALIGNED macros work with external array specifiers
Måns Rullgård [Thu, 21 Jan 2010 12:59:22 +0000 (12:59 +0000)]
Make DECLARE_ALIGNED macros work with external array specifiers

The macro implementation might need the name of the variable being
declared for compiler-specific syntax.  Moving array specifiers outside
the macro invocation allows this to work.

Originally committed as revision 21363 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 8a24e98d506f0f44ec58e06291fa0fce703fb6a8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago Fix MMX rgb24 to yuv conversion with gcc 4.6
Mans Rullgard [Sun, 13 Feb 2011 00:19:06 +0000 (00:19 +0000)]
Fix MMX rgb24 to yuv conversion with gcc 4.6

When built with gcc 4.6, the MMX rgb24 to yuv conversion gives
wrong output.  The compiler produces this warning:

libswscale/swscale_template.c:1885:5: warning: use of memory input without lvalue in asm operand 4 is deprecated

Changing the memory operand to a register makes it work.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit f344903ca5ce28a833fdd656bc1ed5b16d97e7e9)

Conflicts:

libswscale/swscale_template.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years ago smacker: add forgotten *
Michael Niedermayer [Mon, 12 Sep 2011 21:45:21 +0000 (23:45 +0200)]
smacker: add forgotten *
found by fenrir

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f98edc73c599badaa0c075fbffb519a150d03d80)

7 years ago segafilm: Fix potential division by 0 on corrupted segafilm streams in the demuxer.
Laurent Aimar [Mon, 12 Sep 2011 19:09:57 +0000 (21:09 +0200)]
segafilm: Fix potential division by 0 on corrupted segafilm streams in the demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago segafilm: Check for memory allocation failures in segafilm demuxer.
Laurent Aimar [Mon, 12 Sep 2011 18:58:35 +0000 (20:58 +0200)]
segafilm: Check for memory allocation failures in segafilm demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7cbe02575868e7d25acf3d319ece664702700f0a)

7 years ago rv34: check that subsequent slices have the same type as first one.
Kostya Shishkov [Mon, 12 Sep 2011 09:39:53 +0000 (11:39 +0200)]
rv34: check that subsequent slices have the same type as first one.

This prevents some crashes when corrupted bitstream reports e.g. P-type
slice in I-frame. Official RealVideo decoder demands all slices to be
of the same type too.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 23a1f0c59241465ba30103388029a7afc0ead909)

7 years ago Fixed invalid read access on extra data in cinepak decoder.
Laurent Aimar [Sun, 11 Sep 2011 17:17:43 +0000 (19:17 +0200)]
Fixed invalid read access on extra data in cinepak decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc255275f6293a060518271a151e1ce75499e874)

7 years ago Fixed segfault on corrupted smacker streams in the demuxer.
Laurent Aimar [Sun, 11 Sep 2011 16:51:52 +0000 (18:51 +0200)]
Fixed segfault on corrupted smacker streams in the demuxer.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d0121e8d969cde74fa7dbd96d3602109b051e701)

7 years ago Fixed segfaults on corrupted smacker streams in the decoder.
Laurent Aimar [Sun, 11 Sep 2011 16:54:01 +0000 (18:54 +0200)]
Fixed segfaults on corrupted smacker streams in the decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d07ac1853da29ea696243160e02154ebf758d1ee)

7 years ago Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks.
Laurent Aimar [Wed, 7 Sep 2011 19:43:03 +0000 (21:43 +0200)]
Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296)

7 years ago Fixed dereference of NULL pointer in motionpixels decoder.
Laurent Aimar [Sat, 10 Sep 2011 11:28:13 +0000 (13:28 +0200)]
Fixed dereference of NULL pointer in motionpixels decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 824f98f442996eaee9204b132752cf5114fc94cf)

7 years ago qcelpdec: fix the return value of qcelp_decode_frame().
Chris Rankin [Wed, 7 Sep 2011 09:17:30 +0000 (10:17 +0100)]
qcelpdec: fix the return value of qcelp_decode_frame().
(cherry picked from commit 04c13dca8812e8302686887b6e8201d4ad25b7d8)

7 years ago Check extradata size on resolution change.
Reimar Döffinger [Sun, 17 Jul 2011 13:22:36 +0000 (15:22 +0200)]
Check extradata size on resolution change.

Ignore resolution change if resolution not defined in extradata.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(cherry picked from commit 09c5f990bc7629dfbee8c760fd485936c60a7b40)

7 years ago rv34: Check for invalid slice offsets
Laurent Aimar [Mon, 19 Sep 2011 20:48:53 +0000 (22:48 +0200)]
rv34: Check for invalid slice offsets

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago rv34: Avoid NULL dereference on corrupted bitstream
Laurent Aimar [Sat, 17 Sep 2011 21:43:58 +0000 (23:43 +0200)]
rv34: Avoid NULL dereference on corrupted bitstream

rv34_decode_slice() can return without allocating any pictures.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago rv10: Reject slices that do not have the same type as the first one
Laurent Aimar [Sat, 17 Sep 2011 22:03:08 +0000 (00:03 +0200)]
rv10: Reject slices that do not have the same type as the first one

This prevents crashes with some corrupted bitstreams.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago oggdec: fix out of bound write in the ogg demuxer
Laurent Aimar [Sun, 11 Sep 2011 21:26:12 +0000 (23:26 +0200)]
oggdec: fix out of bound write in the ogg demuxer

Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago Check for invalid VLC value in smacker decoder.
Laurent Aimar [Mon, 12 Sep 2011 21:49:36 +0000 (23:49 +0200)]
Check for invalid VLC value in smacker decoder.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago Check and propagate errors when VLC trees cannot be built in smacker decoder.
Laurent Aimar [Mon, 12 Sep 2011 21:46:49 +0000 (23:46 +0200)]
Check and propagate errors when VLC trees cannot be built in smacker decoder.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago Fixed off by one packet size allocation in the smacker demuxer.
Laurent Aimar [Mon, 12 Sep 2011 18:50:34 +0000 (20:50 +0200)]
Fixed off by one packet size allocation in the smacker demuxer.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago ape demuxer: fix segfault on memory allocation failure.
Laurent Aimar [Sun, 11 Sep 2011 17:17:40 +0000 (19:17 +0200)]
ape demuxer: fix segfault on memory allocation failure.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago Check for invalid packet size in the smacker demuxer.
Laurent Aimar [Mon, 12 Sep 2011 18:50:13 +0000 (20:50 +0200)]
Check for invalid packet size in the smacker demuxer.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago cljr: init_get_bits size in bits instead of bytes
Alex Converse [Fri, 9 Sep 2011 21:50:33 +0000 (14:50 -0700)]
cljr: init_get_bits size in bits instead of bytes
(cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago indeo2: fail if input buffer too small
Alex Converse [Fri, 9 Sep 2011 20:26:49 +0000 (13:26 -0700)]
indeo2: fail if input buffer too small
(cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago indeo2: init_get_bits size in bits instead of bytes
Alex Converse [Fri, 9 Sep 2011 20:24:19 +0000 (13:24 -0700)]
indeo2: init_get_bits size in bits instead of bytes
(cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

7 years ago cavsdec: avoid possible crash with crafted input
Michael Niedermayer [Wed, 10 Aug 2011 15:29:51 +0000 (17:29 +0200)]
cavsdec: avoid possible crash with crafted input

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9f06c1c61e876e930753da200bfe835817e30a53)

7 years ago Fix possible double free when encoding using xvid.
Carl Eugen Hoyos [Fri, 1 Jul 2011 00:38:28 +0000 (02:38 +0200)]
Fix possible double free when encoding using xvid.
(cherry picked from commit 315f0e3fd8dcbd1362276b7407dad2e97cccc4b7)

7 years ago Merge remote-tracking branch 'qatar/release/0.5' into release/0.5
Michael Niedermayer [Thu, 3 Nov 2011 01:22:07 +0000 (02:22 +0100)]
Merge remote-tracking branch 'qatar/release/0.5' into release/0.5

* qatar/release/0.5:
  Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
  cavs: fix some crashes with invalid bitstreams
  mjpeg: Detect overreads in mjpeg_decode_scan() and error out.

Merged-by: Michael Niedermayer <michaelni@gmx.at>

7 years ago Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
Michael Niedermayer [Thu, 28 Jul 2011 12:59:54 +0000 (14:59 +0200)]
Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.

Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)

Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8fa630e5081f14bde3fd20f84c90aec)

NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.

Fixes: CVE-2011-3504

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

7 years ago cavs: fix some crashes with invalid bitstreams
Mans Rullgard [Wed, 10 Aug 2011 17:52:11 +0000 (18:52 +0100)]
cavs: fix some crashes with invalid bitstreams

This removes all valgrind-reported invalid writes with one
specific test file.

Fixes http://www.ocert.org/advisories/ocert-2011-002.html

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78)

Fixes CVE-2011-3362, CVE-2011-3973, CVE-2011-3974

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

8 years ago Fix apparently exploitable race condition.
Michael Niedermayer [Fri, 25 Mar 2011 01:24:32 +0000 (02:24 +0100)]
Fix apparently exploitable race condition.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

8 years ago AMV: Fix possibly exploitable crash.
Michael Niedermayer [Thu, 21 Apr 2011 20:04:21 +0000 (22:04 +0200)]
AMV: Fix possibly exploitable crash.
Reported-at: Thu, 21 Apr 2011 14:38:25 +0000
Reported-by: Dominic Chell <Dominic.Chell@ngssecure.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

8 years ago mjpeg: Detect overreads in mjpeg_decode_scan() and error out.
Michael Niedermayer [Thu, 21 Apr 2011 20:03:24 +0000 (22:03 +0200)]
mjpeg: Detect overreads in mjpeg_decode_scan() and error out.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rbultje@google.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

8 years ago update release date
Reinhard Tartler [Thu, 17 Mar 2011 12:10:27 +0000 (13:10 +0100)]
update release date