ffmpeg.git
4 years agoUpdate for 1.1.16 n1.1.16
Michael Niedermayer [Fri, 13 Mar 2015 17:09:08 +0000 (18:09 +0100)]
Update for 1.1.16

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/012v: redesign main loop
Michael Niedermayer [Tue, 10 Mar 2015 18:18:34 +0000 (19:18 +0100)]
avcodec/012v: redesign main loop

Fixes out of array accesses
Fixes: ffmpeg_012v_crash.ts

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Reviewed-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853)

Conflicts:

libavcodec/012v.c

4 years agoffmdec: make sure the time base is valid
Andreas Cadhalpun [Sun, 8 Mar 2015 22:12:59 +0000 (23:12 +0100)]
ffmdec: make sure the time base is valid

A negative time base can trigger assertions.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4c91d81be23ffacfa3897b2bcfa77445bb0c2f89)

Conflicts:

libavformat/ffmdec.c
(cherry picked from commit 9678ceb6976ca8194848b24535785a298521211f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoFix buffer_size argument to init_put_bits() in multiple encoders.
Dyami Caliri [Thu, 26 Feb 2015 18:17:01 +0000 (10:17 -0800)]
Fix buffer_size argument to init_put_bits() in multiple encoders.

Several encoders were multiplying the buffer size by 8, in order to get
a bit size. However, the buffer_size argument is for the byte size of
the buffer. We had experienced crashes encoding prores (Anatoliy) at
size 4096x4096.
(cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef)

Conflicts:

libavcodec/proresenc_kostya.c

Conflicts:

libavcodec/faxcompr.c
libavcodec/s302menc.c

4 years agoroqvideoenc: set enc->avctx in roq_encode_init
Andreas Cadhalpun [Mon, 9 Mar 2015 18:24:09 +0000 (19:24 +0100)]
roqvideoenc: set enc->avctx in roq_encode_init

So far it is only set in roq_encode_frame, but it is used in
roq_encode_end to free the coded_frame. This currently segfaults if
roq_encode_frame is not called between roq_encode_init and
roq_encode_end.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/options_table: remove extradata_size from the AVOptions table
Michael Niedermayer [Mon, 9 Mar 2015 02:42:00 +0000 (03:42 +0100)]
avcodec/options_table: remove extradata_size from the AVOptions table

allowing access to the size but not the extradata itself is not useful
and could lead to potential problems if writing happens through this field

Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoffmdec: limit the backward seek to the last resync position
Andreas Cadhalpun [Mon, 9 Mar 2015 13:59:44 +0000 (14:59 +0100)]
ffmdec: limit the backward seek to the last resync position

If resyncing leads to the same position as previously, it will again
lead to a resync attempt, resulting in an infinite loop.

Thus don't seek back beyond the last syncpoint.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6b8263b03ab3d16d70525ae1893cb106be7852f1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoffmdec: fix infinite loop at EOF
Andreas Cadhalpun [Sun, 8 Mar 2015 22:31:48 +0000 (23:31 +0100)]
ffmdec: fix infinite loop at EOF

If EOF is reached, while skipping bytes, avio_tell(pb) won't change
anymore, resulting in an infinite loop.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6fa98822eba501a4898fdec5b75acd3026201005)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/tiff: move bpp check to after "end:"
Michael Niedermayer [Sun, 8 Mar 2015 22:27:43 +0000 (23:27 +0100)]
avcodec/tiff: move bpp check to after "end:"

This ensures that all current and future code-pathes get bpp checked

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1)

Conflicts:

libavcodec/tiff.c

4 years agoavcodec/utils: Align YUV411 by as much as the other YUV variants
Michael Niedermayer [Sat, 7 Mar 2015 13:30:34 +0000 (14:30 +0100)]
avcodec/utils: Align YUV411 by as much as the other YUV variants

Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash2.avi

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Tested-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/flvenc: check that the codec_tag fits in the available bits
Andreas Cadhalpun [Sat, 28 Feb 2015 19:58:31 +0000 (20:58 +0100)]
avformat/flvenc: check that the codec_tag fits in the available bits

flags is later written with avio_w8 and if it doesn't fit in one byte it
triggers an av_assert2.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8565d21c276ab9ac5ce785549420321fbd0b093)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoswscale/utils: clear formatConvBuffer on allocation
Michael Niedermayer [Fri, 27 Feb 2015 02:12:23 +0000 (03:12 +0100)]
swscale/utils: clear formatConvBuffer on allocation

Fixes use of uninitialized memory
Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 007498fc1a639ecee2cda1892cbcff66c7c8c951)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/bit: only accept the g729 codec and 1 channel
Andreas Cadhalpun [Thu, 26 Feb 2015 20:42:02 +0000 (21:42 +0100)]
avformat/bit: only accept the g729 codec and 1 channel

Other codecs/channel numbers are not supported by this muxer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d0b8640f75ff7569c98d6fdb03d83451104e088c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/bit: check that pkt->size is 10 in write_packet
Andreas Cadhalpun [Thu, 26 Feb 2015 20:38:50 +0000 (21:38 +0100)]
avformat/bit: check that pkt->size is 10 in write_packet

Ohter packet sizes are not supported by this muxer.

This avoids a null pointer dereference of pkt->data.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/adxdec: check avctx->channels for invalid values
Andreas Cadhalpun [Wed, 25 Feb 2015 21:55:44 +0000 (22:55 +0100)]
avformat/adxdec: check avctx->channels for invalid values

This avoids a null pointer dereference of pkt->data.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agomips/acelp_filters: fix incorrect register constraint
James Cowgill [Thu, 26 Feb 2015 13:42:52 +0000 (13:42 +0000)]
mips/acelp_filters: fix incorrect register constraint

Change register constraint on the v variable from = to +. This was causing GCC
to think that the v variable was never read and therefore not initialize it.

This fixes about 20 fate failures on mips64el.

Signed-off-by: James Cowgill <james410@cowgill.org.uk>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b9de1303a6414174ab2f3bccefa801bfabcf0f88)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/zmbv: Check len before reading in decode_frame()
Michael Niedermayer [Wed, 25 Feb 2015 11:29:10 +0000 (12:29 +0100)]
avcodec/zmbv: Check len before reading in decode_frame()

Fixes out of array read
Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f5c7781e63d6519192ada59c1e36bcecc92791d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/snowdec: Fix ref value check
Michael Niedermayer [Tue, 24 Feb 2015 02:12:22 +0000 (03:12 +0100)]
avcodec/snowdec: Fix ref value check

Fixes integer overflow and out of array read.
Fixes: signal_sigsegv_24169e6_3445_cov_3778346427_snow_chroma_bug.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f4cbf940212079a34753c7f4d6c6b5a43586d30)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoswscale/utils: More carefully merge and clear coefficients outside the input
Michael Niedermayer [Mon, 23 Feb 2015 23:32:39 +0000 (00:32 +0100)]
swscale/utils: More carefully merge and clear coefficients outside the input

Fixes out of array read
Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1895d414aaacece3b57d7bf19502305e9a064fae)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
Andreas Cadhalpun [Sun, 22 Feb 2015 19:48:38 +0000 (20:48 +0100)]
avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop

Averaging over 2 pixels doesn't work correctly for the last pixel, because the
rest of the buffer is not initialized.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
Michael Niedermayer [Thu, 19 Feb 2015 15:25:29 +0000 (16:25 +0100)]
avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()

Based on patch by Francisco Blas Izquierdo Riera
Commit message partly taken from carl

fixes a compilation
error in mlpdsp_init.c with -fstack-check and some gcc compilers (I
reproduced the issue with gcc 4.7.3) by simplifying the code.

See also https://bugs.gentoo.org/show_bug.cgi?id=471756

$ make libavcodec/x86/mlpdsp_init.o
libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’:
libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in
class ‘GENERAL_REGS’ while reloading ‘asm’
libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible
constraints

4551 -> 4509 dezicycles

Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 03f39fbb2a558153a3c464edec1378d637a755fe)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/vqf: Use 64bit for ret to avoid overflow
Michael Niedermayer [Fri, 20 Feb 2015 20:00:57 +0000 (21:00 +0100)]
avformat/vqf: Use 64bit for ret to avoid overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/mvdec: Use 64bit for ret to avoid overflow
Michael Niedermayer [Fri, 20 Feb 2015 19:41:35 +0000 (20:41 +0100)]
avformat/mvdec: Use 64bit for ret to avoid overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 26c0cc154e06cb0064b3a3da49447ac44d82444f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/gxf: Use 64bit for res to avoid overflow
Michael Niedermayer [Fri, 20 Feb 2015 19:14:56 +0000 (20:14 +0100)]
avformat/gxf: Use 64bit for res to avoid overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/mjpegdec: Skip blocks which are outside the visible area
Michael Niedermayer [Wed, 11 Feb 2015 02:33:53 +0000 (03:33 +0100)]
avcodec/mjpegdec: Skip blocks which are outside the visible area

Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf)

Conflicts:

libavcodec/mjpegdec.c

4 years agoavcodec/h264_ps: More completely check the bit depths
Michael Niedermayer [Fri, 6 Feb 2015 03:11:56 +0000 (04:11 +0100)]
avcodec/h264_ps: More completely check the bit depths

Fixes out of array read
Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4)

Conflicts:

libavcodec/h264_ps.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/thp: Check av_get_packet() for failure not only for partial output
Michael Niedermayer [Thu, 5 Feb 2015 02:45:21 +0000 (03:45 +0100)]
avformat/thp: Check av_get_packet() for failure not only for partial output

Fixes null pointer dereference
Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoswscale/utils: Limit filter shifting so as not to read from prior the array
Michael Niedermayer [Wed, 4 Feb 2015 23:12:08 +0000 (00:12 +0100)]
swscale/utils: Limit filter shifting so as not to read from prior the array

Fixes out of array read
Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/mjpegdec: Check number of components for JPEG-LS
Michael Niedermayer [Wed, 4 Feb 2015 19:48:30 +0000 (20:48 +0100)]
avcodec/mjpegdec: Check number of components for JPEG-LS

Fixes out of array accesses
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037)

Conflicts:

libavcodec/mjpegdec.c

4 years agoavcodec/mjpegdec: Check escape sequence validity
Michael Niedermayer [Wed, 4 Feb 2015 19:13:18 +0000 (20:13 +0100)]
avcodec/mjpegdec: Check escape sequence validity

Fixes assertion failure
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior
Michael Niedermayer [Wed, 4 Feb 2015 13:47:41 +0000 (14:47 +0100)]
avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/mpc8: fix broken pointer math
wm4 [Tue, 3 Feb 2015 18:04:11 +0000 (19:04 +0100)]
avformat/mpc8: fix broken pointer math

This could overflow and crash at least on 32 bit systems.

Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa)

Conflicts:

libavformat/mpc8.c
(cherry picked from commit 49dd89f9027f3def12e170bb7d986d37812eedba)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/mpc8: fix hang with fuzzed file
wm4 [Tue, 3 Feb 2015 18:04:12 +0000 (19:04 +0100)]
avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.

Fixes ticket #4262.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/tta: fix crash with corrupted files
wm4 [Tue, 3 Feb 2015 13:41:10 +0000 (14:41 +0100)]
avformat/tta: fix crash with corrupted files

av_add_index_entry() can fail, for example because the parameters are
invalid, or because memory allocation fails. Check this; it can actually
happen with corrupted files.

The second hunk is just for robustness. Just in case functions like
ff_reduce_index() remove entries. (Not sure if this can actually
happen.)

Fixes ticket #4294.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation
Michael Niedermayer [Sun, 1 Feb 2015 18:40:13 +0000 (19:40 +0100)]
avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/smacker: Fix number suffix
Michael Niedermayer [Sun, 1 Feb 2015 18:36:13 +0000 (19:36 +0100)]
avformat/smacker: Fix number suffix

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/utils: Fix number suffixes in tb_unreliable()
Michael Niedermayer [Sun, 1 Feb 2015 18:19:25 +0000 (19:19 +0100)]
avformat/utils: Fix number suffixes in tb_unreliable()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191)

Conflicts:

libavformat/utils.c
(cherry picked from commit e651a2f88c219e74c9851563e74100f7652a6005)

4 years agoavcodec/flac_parser: fix handling EOF if no headers are found
Michael Niedermayer [Sat, 17 Jan 2015 00:56:03 +0000 (01:56 +0100)]
avcodec/flac_parser: fix handling EOF if no headers are found

Fixes assertion failure
Fixes Ticket4269

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoffmpeg: Clear error message array at init.
Michael Niedermayer [Thu, 8 Jan 2015 22:02:30 +0000 (23:02 +0100)]
ffmpeg: Clear error message array at init.

This avoids printing uninitialized bytes if no error message is set

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6d1a2efb8ac399a003ea7d3b6f8c641d192567ee)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/dvdsubdec: error on bitmaps with size 0
wm4 [Wed, 7 Jan 2015 22:57:50 +0000 (23:57 +0100)]
avcodec/dvdsubdec: error on bitmaps with size 0

Attemtping to decode them could lead to invalid writes with some fuzzed
samples.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agocmdutils: update copyright year to 2015.
Johan Andersson [Sat, 3 Jan 2015 16:31:36 +0000 (17:31 +0100)]
cmdutils: update copyright year to 2015.

(cherry picked from commit 3e160652219ff4da433f5672ae1e5f4956abb815)

Conflicts:

cmdutils.c

4 years agoavformat/mov: Fix mixed declaration and statement warning
Michael Niedermayer [Tue, 6 Jan 2015 18:51:38 +0000 (19:51 +0100)]
avformat/mov: Fix mixed declaration and statement warning

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agomov: Fix negative size calculation in mov_read_default().
Dale Curtis [Tue, 6 Jan 2015 00:34:17 +0000 (16:34 -0800)]
mov: Fix negative size calculation in mov_read_default().

The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.

Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/mov: fix integer overflow in mov_read_udta_string()
Michael Niedermayer [Tue, 6 Jan 2015 03:29:10 +0000 (04:29 +0100)]
avformat/mov: fix integer overflow in mov_read_udta_string()

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agomov: Avoid overflow with mov_metadata_raw()
Dale Curtis [Tue, 6 Jan 2015 00:19:09 +0000 (16:19 -0800)]
mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/dvdsubdec: fix out of bounds accesses
wm4 [Mon, 5 Jan 2015 03:45:26 +0000 (04:45 +0100)]
avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/cdxl: Fix integer overflow of image_size
Michael Niedermayer [Wed, 31 Dec 2014 20:41:46 +0000 (21:41 +0100)]
avformat/cdxl: Fix integer overflow of image_size

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agolavf/segment: remove duplicated and inconsistent cleanup code in seg_write_packet()
Stefano Sabatini [Tue, 21 Jan 2014 18:58:41 +0000 (19:58 +0100)]
lavf/segment: remove duplicated and inconsistent cleanup code in seg_write_packet()

In particular, avoid to leave around the seg->avf pointer to freed
structure, and fix crash with:
ffmpeg -f lavfi -i testsrc -c:v h264 -map 0 -f segment foo-%d.ts
(cherry picked from commit 169065fbfb3da1ab776379c333aebc54bb1f1bc4)

Found-by: Qinghao Tang
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/012v: Check dimensions more completely
Michael Niedermayer [Tue, 10 Mar 2015 19:21:14 +0000 (20:21 +0100)]
avcodec/012v: Check dimensions more completely

Fixes division by 0

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db)

Conflicts:

libavcodec/012v.c

4 years agoMerge commit '798b3ed3fbc31672e6400e18db37deef03fff44f' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 13:13:56 +0000 (14:13 +0100)]
Merge commit '798b3ed3fbc31672e6400e18db37deef03fff44f' into release/1.1

* commit '798b3ed3fbc31672e6400e18db37deef03fff44f':
  doc: More changelog updates for v9.18

Conflicts:
Changelog

not merged

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '62b0462e5fa78901380ca229ddb6a7625efd61a2' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 13:13:30 +0000 (14:13 +0100)]
Merge commit '62b0462e5fa78901380ca229ddb6a7625efd61a2' into release/1.1

* commit '62b0462e5fa78901380ca229ddb6a7625efd61a2':
  tiff: Check that there is no aliasing in pixel format selection

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '789f433bc6376e6e45d41ae491007d482fa1df85' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 13:01:11 +0000 (14:01 +0100)]
Merge commit '789f433bc6376e6e45d41ae491007d482fa1df85' into release/1.1

* commit '789f433bc6376e6e45d41ae491007d482fa1df85':
  utvideodec: Handle slice_height being zero

No change, this has been fixed privously
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '3756b306a259d1376ce90404771c4d0ea7e23162' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:48:40 +0000 (13:48 +0100)]
Merge commit '3756b306a259d1376ce90404771c4d0ea7e23162' into release/1.1

* commit '3756b306a259d1376ce90404771c4d0ea7e23162':
  rmenc: limit packet size

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit 'ded9931d165544c342795a1b66e4777b6e7daeb0' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:47:33 +0000 (13:47 +0100)]
Merge commit 'ded9931d165544c342795a1b66e4777b6e7daeb0' into release/1.1

* commit 'ded9931d165544c342795a1b66e4777b6e7daeb0':
  rv10: check size of s->mb_width * s->mb_height

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit 'c17da32ba26d2c333bd9cd4afe38a1b36e3d6cba' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:45:40 +0000 (13:45 +0100)]
Merge commit 'c17da32ba26d2c333bd9cd4afe38a1b36e3d6cba' into release/1.1

* commit 'c17da32ba26d2c333bd9cd4afe38a1b36e3d6cba':
  eamad: check for out of bounds read

Conflicts:
libavcodec/eamad.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '9841654c158c80e9d525ba03754135d3f34e306e' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:44:31 +0000 (13:44 +0100)]
Merge commit '9841654c158c80e9d525ba03754135d3f34e306e' into release/1.1

* commit '9841654c158c80e9d525ba03754135d3f34e306e':
  arm: Suppress tags about used cpu arch and extensions

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '42eaec076bbe2629c466695f71e7aa283a6fda51' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:38:18 +0000 (13:38 +0100)]
Merge commit '42eaec076bbe2629c466695f71e7aa283a6fda51' into release/1.1

* commit '42eaec076bbe2629c466695f71e7aa283a6fda51':
  Prepare for 9.18 Release

Conflicts:
RELEASE

not merged

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '473281193bed8dcb3f6954a18d03cf6298d651b3' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:37:42 +0000 (13:37 +0100)]
Merge commit '473281193bed8dcb3f6954a18d03cf6298d651b3' into release/1.1

* commit '473281193bed8dcb3f6954a18d03cf6298d651b3':
  Update Changelog for v9.18

Conflicts:
Changelog

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '11f98c83d1c2a4eecd213bd94a907831fb36a590' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:30:58 +0000 (13:30 +0100)]
Merge commit '11f98c83d1c2a4eecd213bd94a907831fb36a590' into release/1.1

* commit '11f98c83d1c2a4eecd213bd94a907831fb36a590':
  img2dec: correctly use the parsed value from -start_number

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit 'eb1aa871d4ef9fc11484de436fa02c352b1b7cac' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:11:38 +0000 (13:11 +0100)]
Merge commit 'eb1aa871d4ef9fc11484de436fa02c352b1b7cac' into release/1.1

* commit 'eb1aa871d4ef9fc11484de436fa02c352b1b7cac':
  h264_cabac: Break infinite loops

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoMerge commit '6222ee068eeb3d29a2bcc4a89ce31effdef5a061' into release/1.1
Michael Niedermayer [Tue, 10 Mar 2015 12:11:22 +0000 (13:11 +0100)]
Merge commit '6222ee068eeb3d29a2bcc4a89ce31effdef5a061' into release/1.1

* commit '6222ee068eeb3d29a2bcc4a89ce31effdef5a061':
  matroskadec: Fix read-after-free in matroska_read_seek()

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years agodoc: More changelog updates for v9.18
Reinhard Tartler [Mon, 9 Mar 2015 02:22:28 +0000 (22:22 -0400)]
doc: More changelog updates for v9.18

4 years agotiff: Check that there is no aliasing in pixel format selection
Anton Khirnov [Sat, 7 Mar 2015 21:06:59 +0000 (22:06 +0100)]
tiff: Check that there is no aliasing in pixel format selection

Fixes possible issues with unexpected bpp/bppcount values.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-8544
(cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eb9041403d820634c45ed4ee98570246a252507a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
4 years agoutvideodec: Handle slice_height being zero
Michael Niedermayer [Wed, 4 Mar 2015 17:36:14 +0000 (17:36 +0000)]
utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)
(cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e032e647dd79e7748145792dfee0358eccb1982e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
4 years agormenc: limit packet size
Andreas Cadhalpun [Mon, 2 Mar 2015 15:52:26 +0000 (16:52 +0100)]
rmenc: limit packet size

The chunk size is limited to UINT16_MAX (written by avio_wb16), so make
sure that the packet size is not too large.

Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
4 years agorv10: check size of s->mb_width * s->mb_height
Andreas Cadhalpun [Tue, 3 Mar 2015 20:31:15 +0000 (21:31 +0100)]
rv10: check size of s->mb_width * s->mb_height

If it doesn't fit into 12 bits it triggers an assertion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
4 years agoeamad: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:44 +0000 (12:11 +0000)]
eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years agoarm: Suppress tags about used cpu arch and extensions
Martin Storsjö [Thu, 5 Mar 2015 21:38:00 +0000 (23:38 +0200)]
arm: Suppress tags about used cpu arch and extensions

When all the codepaths using manually set .arch/.fpu code is
behind runtime detection, the elf attributes should be suppressed.

This allows tools to know that the final built binary doesn't
strictly require these extensions.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73
and b77e335e441040a40fc6156b8e4a134745d10233)
Signed-off-by: Martin Storsjö <martin@martin.st>
4 years agoPrepare for 9.18 Release
Reinhard Tartler [Sun, 8 Mar 2015 15:25:19 +0000 (11:25 -0400)]
Prepare for 9.18 Release

4 years agoUpdate Changelog for v9.18
Reinhard Tartler [Sun, 8 Mar 2015 15:24:45 +0000 (11:24 -0400)]
Update Changelog for v9.18

4 years agoimg2dec: correctly use the parsed value from -start_number
Vittorio Giovara [Tue, 6 Jan 2015 15:47:18 +0000 (16:47 +0100)]
img2dec: correctly use the parsed value from -start_number

Previously the image sequence was always starting from the minimum
number rather than the requested one.

CC: libav-stable@libav.org
4 years agoh264_cabac: Break infinite loops
Michael Niedermayer [Thu, 31 Jan 2013 03:20:24 +0000 (04:20 +0100)]
h264_cabac: Break infinite loops

This fixes out of array reads and/or infinite loops.

30 is the maximum number of bits that can be read into
coeff_abs below.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Martin Storsjö <martin@martin.st>
4 years agomatroskadec: Fix read-after-free in matroska_read_seek()
Xiaohan Wang [Thu, 6 Nov 2014 20:59:54 +0000 (12:59 -0800)]
matroskadec: Fix read-after-free in matroska_read_seek()

In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.

This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.

Bug-Id: chromium/427266

4 years agoUpdate for 1.1.15 n1.1.15
Michael Niedermayer [Sun, 21 Dec 2014 03:51:41 +0000 (04:51 +0100)]
Update for 1.1.15

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/indeo3: ensure offsets are non negative
Michael Niedermayer [Thu, 18 Dec 2014 17:57:27 +0000 (18:57 +0100)]
avcodec/indeo3: ensure offsets are non negative

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/indeo3: use signed variables to avoid underflow
Michael Niedermayer [Wed, 17 Dec 2014 02:14:21 +0000 (03:14 +0100)]
avcodec/indeo3: use signed variables to avoid underflow

Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoswscale: increase yuv2rgb table headroom
Michael Niedermayer [Tue, 16 Dec 2014 21:21:21 +0000 (22:21 +0100)]
swscale: increase yuv2rgb table headroom

Fixes out of array access
Fixes: case2_bad_read_yuv2rgbx32.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/mov: check atom nesting depth
Michael Niedermayer [Tue, 16 Dec 2014 20:14:40 +0000 (21:14 +0100)]
avformat/mov: check atom nesting depth

Fixes call stack overflow
Fixes: case1_call_stack_overflow.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210)

Conflicts:

libavformat/isom.h

4 years agoavcodec/utvideodec: Fix handling of slice_height=0
Michael Niedermayer [Tue, 16 Dec 2014 19:45:31 +0000 (20:45 +0100)]
avcodec/utvideodec: Fix handling of slice_height=0

Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/vmdvideo: Check len before using it in method 3
Michael Niedermayer [Tue, 16 Dec 2014 15:24:55 +0000 (16:24 +0100)]
avcodec/vmdvideo: Check len before using it in method 3

Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd)

Conflicts:

libavcodec/vmdav.c

4 years agoavformat/aviobuf: Check that avio_seek() target is non negative
Michael Niedermayer [Sun, 14 Dec 2014 16:26:11 +0000 (17:26 +0100)]
avformat/aviobuf: Check that avio_seek() target is non negative

Fixes out of array access

Suggested-by: Andrew Scherkus <scherkus@google.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoswresample/soxr_resample: fix error handling
Rob Sykes [Sat, 13 Dec 2014 20:12:56 +0000 (21:12 +0100)]
swresample/soxr_resample: fix error handling

Fixes CID1257659

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/matroskadec: fix handling of recursive SeekHead elements
wm4 [Sat, 6 Dec 2014 15:53:30 +0000 (16:53 +0100)]
avformat/matroskadec: fix handling of recursive SeekHead elements

When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)

Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.

This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.

Fixes ticket #4162.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoswscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output
Michael Niedermayer [Wed, 3 Dec 2014 19:21:56 +0000 (20:21 +0100)]
swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output

Fixes Ticket4151

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavformat/rmdec: Check codec_data_size
Michael Niedermayer [Wed, 3 Dec 2014 19:01:18 +0000 (20:01 +0100)]
avformat/rmdec: Check codec_data_size

Fixes infinite loop
Fixes Ticket4154

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/pngdec: Check IHDR/IDAT order
Michael Niedermayer [Wed, 26 Nov 2014 14:45:47 +0000 (15:45 +0100)]
avcodec/pngdec: Check IHDR/IDAT order

Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8)

Conflicts:

libavcodec/pngdec.c

4 years agoavcodec/flacdec: Call ff_flacdsp_init() unconditionally
Michael Niedermayer [Wed, 26 Nov 2014 02:29:03 +0000 (03:29 +0100)]
avcodec/flacdec: Call ff_flacdsp_init() unconditionally

Fixes out of array access
Fixes: signal_sigsegv_324b135_3398_cov_246853371_short.flac
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e5c01ccdf5a9a330d4c51a9b9ea721fd8f1fb70b)

Conflicts:

libavcodec/flacdec.c

4 years agoavcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata()
Michael Niedermayer [Tue, 25 Nov 2014 13:45:30 +0000 (14:45 +0100)]
avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata()

Fixes out of array read
Fixes: asan_heap-oob_4d2250_814_cov_2745172097_JACOsub_capability_tester.jss
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3d5d95db3f5d8e2093e9e19d0c46e86f54ed2a5d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/mjpegdec: Fix context fields becoming inconsistent
Michael Niedermayer [Tue, 25 Nov 2014 12:53:06 +0000 (13:53 +0100)]
avcodec/mjpegdec: Fix context fields becoming inconsistent

Fixes out of array access
Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844)

Conflicts:

libavcodec/mjpegdec.c

4 years agoavcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization
Michael Niedermayer [Mon, 10 Nov 2014 22:07:50 +0000 (23:07 +0100)]
avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization

Fixes out of array read
Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/utvideodec: fix assumtation that slice_height >= 1
Michael Niedermayer [Mon, 10 Nov 2014 18:44:20 +0000 (19:44 +0100)]
avcodec/utvideodec: fix assumtation that slice_height >= 1

Fixes out of array read
Fixes: asan_heap-oob_2573085_3783_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7656c4c6e66f8a787d384f027ad824cc1677fda1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/options_table fix min of audio channels and sample rate
Michael Niedermayer [Mon, 3 Nov 2014 12:20:24 +0000 (13:20 +0100)]
avcodec/options_table fix min of audio channels and sample rate

Found-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 206c98f303e833c9e94427c9e3f9867f85265f78)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/h264_slice: Clear table pointers to avoid stale pointers
Michael Niedermayer [Sun, 2 Nov 2014 00:55:40 +0000 (01:55 +0100)]
avcodec/h264_slice: Clear table pointers to avoid stale pointers

Might fix Ticket3889

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 547fce95858ef83f8c25ae347e3ae3b8ba437fd9)

Conflicts:

libavcodec/h264_slice.c

Conflicts:

libavcodec/h264.c

4 years agoavcodec/svq1dec: zero terminate embedded message before printing
Michael Niedermayer [Thu, 30 Oct 2014 17:16:25 +0000 (18:16 +0100)]
avcodec/svq1dec: zero terminate embedded message before printing

Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0)

Conflicts:

libavcodec/svq1dec.c

4 years agoavcodec/utils: Align dimensions by at least their chroma sub-sampling factors.
Michael Niedermayer [Wed, 29 Oct 2014 13:15:29 +0000 (14:15 +0100)]
avcodec/utils: Align dimensions by at least their chroma sub-sampling factors.

Fixes: out of array accesses
Fixes: asan_heap-oob_112c6b3_13_012.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit df74811cd53e45fcbbd3b77a1c42416816687c5c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/dnxhddec: treat pix_fmt like width/height
Michael Niedermayer [Tue, 28 Oct 2014 23:57:07 +0000 (00:57 +0100)]
avcodec/dnxhddec: treat pix_fmt like width/height

Fixes out of array accesses
Fixes: asan_heap-oob_22c9a39_16_015.mxf
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f3c0e0bf6f53df0977f3878d4f5cec99dff8de9e)

Conflicts:

libavcodec/dnxhddec.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/dxa: check dimensions
Michael Niedermayer [Tue, 28 Oct 2014 14:26:42 +0000 (15:26 +0100)]
avcodec/dxa: check dimensions

Fixes out of array access
Fixes: asan_heap-oob_11222fb_21_020.dxa
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90)

Conflicts:

libavcodec/dxa.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agopostproc: fix qp count
Michael Niedermayer [Mon, 13 Oct 2014 14:02:42 +0000 (16:02 +0200)]
postproc: fix qp count

Found-by: ubitux
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0b7e5d0d75e7d8762dd04d35f8c0821736164372)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agopostproc/postprocess: fix quant store for fq mode
Michael Niedermayer [Sun, 12 Oct 2014 18:26:27 +0000 (20:26 +0200)]
postproc/postprocess: fix quant store for fq mode

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 941aaa39e8cd78ba4d16dfcec767290aec9a0136)

Conflicts:

tests/ref/fate/filter-pp3
(cherry picked from commit 705748caf3f6a4a3e74ad3d2fc547a5a0213a521)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years agoavcodec/h264: Check mode before considering mixed mode intra prediction
Michael Niedermayer [Sat, 4 Oct 2014 12:51:46 +0000 (14:51 +0200)]
avcodec/h264: Check mode before considering mixed mode intra prediction

Fixes out of array read
Fixes: asan_heap-oob_e476fc_2_asan_heap-oob_1333ec6_61_CAMACI3_Sony_C.jsv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9734a7a1de3043f012ad0f1ef11027d9488067e6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>