ffmpeg.git
[2 years ago] lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}() (tag: n3.2.4)
Matt Wolenetz [Wed, 14 Dec 2016 23:27:49 +0000 (15:27 -0800)]
lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (senc,saiz portions)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 36aba43bd5fae8595dd9a566fbcfbbea63f0fca3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] lavf/mov.c: Avoid OOB in mov_read_udta_string()
Matt Wolenetz [Wed, 8 Feb 2017 23:40:46 +0000 (15:40 -0800)]
lavf/mov.c: Avoid OOB in mov_read_udta_string()

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (udta_string portion)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9bbdf5d921ef57e1698f64981e4ea04db7c56fb5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] Update for 3.2.4
Michael Niedermayer [Wed, 8 Feb 2017 19:30:18 +0000 (20:30 +0100)]
Update for 3.2.4

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/h264_slice: Clear ref_counts on redundant slices
Michael Niedermayer [Wed, 8 Feb 2017 16:55:41 +0000 (17:55 +0100)]
avcodec/h264_slice: Clear ref_counts on redundant slices

Fixes reading freed memory
Fixes: 568/clusterfuzz-testcase-6107186067406848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c03029a835949fc0e68b4c6558ebcdc3ae137087)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Matt Wolenetz [Wed, 14 Dec 2016 23:26:19 +0000 (15:26 -0800)]
lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Matt Wolenetz [Wed, 14 Dec 2016 23:24:42 +0000 (15:24 -0800)]
lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
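The three mov.c commits above (senc/saiz, uuid and hdlr) are one class of bug: an allocation size derived from a 64-bit box size and a 32-bit entry count taken from the file, where the product can wrap or the size can be narrowed to int before it is checked. The uuid commit's note that the check was moved "before integer truncation" is the point. The following is an added illustration, not FFmpeg's code and not the actual mov.c parsing: the box layout (8-byte header, 32-bit count, 16-byte entries), the limits and the function names alloc_size_unsafe/alloc_size_safe are constructed for this example, and the three inputs in main are constructed too.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed box layout for this example (not the ISO BMFF/mov layout and
 * not FFmpeg code): an 8-byte header, then a 32-bit entry count, then
 * ENTRY_SIZE bytes per entry. The 64-bit size and the count both come from
 * the file, i.e. from the attacker. */
#define HEADER_SIZE 8
#define ENTRY_SIZE  16u

/* Unsafe ordering: narrow the 64-bit size to int first, then check the
 * narrowed value, then size the buffer with a 32-bit multiply.
 * Returns the byte count that would be handed to malloc, or -1 if the
 * input is rejected. (Narrowing an out-of-range int64_t to int is
 * implementation-defined; gcc and clang wrap modulo 2^32.) */
static int64_t alloc_size_unsafe(int64_t box_size, uint32_t count)
{
    int len = (int)box_size - HEADER_SIZE;   /* truncation before the check */
    if (len < 0)
        return -1;
    uint32_t need = count * ENTRY_SIZE;      /* 32-bit product can wrap */
    if (need > (uint32_t)len)
        return -1;
    return need;                             /* possibly tiny; a copy loop keyed on count overruns it */
}

/* Safe ordering: validate the full 64-bit size before any narrowing, bound
 * the count so the product cannot wrap, and require the entries to fit
 * inside the box payload. */
static int64_t alloc_size_safe(int64_t box_size, uint32_t count)
{
    if (box_size < HEADER_SIZE || box_size - HEADER_SIZE > INT_MAX)
        return -1;                           /* reject before truncation */
    int64_t payload = box_size - HEADER_SIZE;
    if (count > INT_MAX / ENTRY_SIZE)
        return -1;                           /* multiply cannot wrap now */
    int64_t need = (int64_t)count * ENTRY_SIZE;
    if (need > payload)
        return -1;                           /* entries must fit in the box */
    return need;
}

int main(void)
{
    /* Three constructed inputs: a sane box, a wrapping count, and a size
     * whose low 32 bits look like a small box. */
    struct { int64_t size; uint32_t count; } in[] = {
        { 40, 2 },                  /* 8 + 2*16: both accept, 32 bytes */
        { 40, 0x10000001u },        /* count*16 wraps to 16 in 32 bits */
        { 0x100000028LL, 2 },       /* (int)size == 40, real payload is ~4 GiB */
    };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("size=%lld count=%u unsafe=%lld safe=%lld\n",
               (long long)in[i].size, in[i].count,
               (long long)alloc_size_unsafe(in[i].size, in[i].count),
               (long long)alloc_size_safe(in[i].size, in[i].count));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the second input shows the unsafe path asking for 16 bytes while the count promises 268435457 entries, and the third shows a 4 GiB box passing the truncated check. The safe variant rejects both because it compares the untruncated size and bounds the count before multiplying.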
[2 years ago] avcodec/pictordec: Fix logic error
Michael Niedermayer [Tue, 7 Feb 2017 14:49:09 +0000 (15:49 +0100)]
avcodec/pictordec: Fix logic error

Fixes: 559/clusterfuzz-testcase-6424225917173760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] ffserver_config: Setup codecpar in add_codec()
Michael Niedermayer [Tue, 29 Nov 2016 17:48:40 +0000 (18:48 +0100)]
ffserver_config: Setup codecpar in add_codec()

fixes segfault in the status page code

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 472fee91bcf9b7bae81fd4c00bbe5151ca458a7c)

[2 years ago] Changelog: fix typos
Michael Niedermayer [Tue, 7 Feb 2017 12:20:37 +0000 (13:20 +0100)]
Changelog: fix typos

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] Update for 3.2.3 (tag: n3.2.3)
Michael Niedermayer [Mon, 6 Feb 2017 11:26:47 +0000 (12:26 +0100)]
Update for 3.2.3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/movtextdec: Fix decode_styl() cleanup
Michael Niedermayer [Mon, 6 Feb 2017 10:17:10 +0000 (11:17 +0100)]
avcodec/movtextdec: Fix decode_styl() cleanup

Fixes: null pointer dereference
Fixes: 555/clusterfuzz-testcase-5986646595993600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e248522d1b0d6dd8641f382cd5c4338d0ecd98e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] lavf/matroskadec: fix is_keyframe for early Blocks
Chris Cunningham [Fri, 3 Feb 2017 22:42:44 +0000 (14:42 -0800)]
lavf/matroskadec: fix is_keyframe for early Blocks

Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.

The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).

Now using INT64_MIN to denote "no reference".

Reported to chromium at http://crbug.com/497889 (contains sample)

(cherry picked from commit ac25840ee32888f0c13118edeb9404a123cd3a79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] configure: bump year
James Almer [Mon, 2 Jan 2017 04:38:03 +0000 (01:38 -0300)]
configure: bump year

Happy new year!

(cherry picked from commit d800d48fc67208819c2a4ae5eb214ca5e3ad7e82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/pngdec: Check trns more completely
Michael Niedermayer [Sat, 4 Feb 2017 11:24:14 +0000 (12:24 +0100)]
avcodec/pngdec: Check trns more completely

Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e477f09d0b3619f3d29173b2cd593e17e2d1978e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/interplayvideo: Move parameter change check up
Michael Niedermayer [Sat, 4 Feb 2017 01:45:02 +0000 (02:45 +0100)]
avcodec/interplayvideo: Move parameter change check up

Fixes out of array read
Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1e2192007d7026049237c9ab11e05ae71bf4f42)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/dca_lbr: Fix off by 1 error in freq check
Michael Niedermayer [Thu, 2 Feb 2017 14:23:31 +0000 (15:23 +0100)]
avcodec/dca_lbr: Fix off by 1 error in freq check

Fixes out of array read
Fixes: 510/clusterfuzz-testcase-5737865715646464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 61f70416f8542cc86c84ae6e0342ba10a35d7cba)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/mjpegdec: Check for the bitstream end in mjpeg_decode_scan_progressive_ac()
Michael Niedermayer [Wed, 1 Feb 2017 00:32:37 +0000 (01:32 +0100)]
avcodec/mjpegdec: Check for the bitstream end in mjpeg_decode_scan_progressive_ac()

Fixes timeout
Fixes: 496/clusterfuzz-testcase-5805083497332736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3782656631fa8262528c07794acf7e9c2aab000d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
Andreas Cadhalpun [Tue, 31 Jan 2017 00:55:44 +0000 (01:55 +0100)]
pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
[2 years ago] swscale: save ebx register when it is not available
Andreas Cadhalpun [Fri, 16 Dec 2016 01:29:56 +0000 (02:29 +0100)]
swscale: save ebx register when it is not available

Configure checks if the ebx register can be used for asm and it has to
be saved if and only if this is not the case.
Without this the build fails when configuring with --toolchain=hardened
--disable-pic on i386 using gcc 4.8:
error: PIC register clobbered by '%ebx' in 'asm'

In that case gcc 4.8 reserves the ebx register for the GOT needed for
PIE, so it can't be used in asm directly.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 319438e2f206036ee0cddf401dd50f3b2a3ae117)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
[2 years ago] avformat/flacdec: Check avio_read result when reading flac block header.
Frank Liberato [Tue, 24 Jan 2017 18:58:17 +0000 (10:58 -0800)]
avformat/flacdec: Check avio_read result when reading flac block header.

Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/utils: correct align value for interplay
Michael Niedermayer [Tue, 24 Jan 2017 23:20:19 +0000 (00:20 +0100)]
avcodec/utils: correct align value for interplay

Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2080bc33717955a0e4268e738acf8c1eeddbf8cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/vp56: Check for the bitstream end, pass error codes on
Michael Niedermayer [Tue, 24 Jan 2017 21:21:25 +0000 (22:21 +0100)]
avcodec/vp56: Check for the bitstream end, pass error codes on

Fixes timeout
Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e6a2427558a718be0c1fffacffd935f630a7a8d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
Michael Niedermayer [Tue, 24 Jan 2017 15:13:05 +0000 (16:13 +0100)]
avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()

Fixes timeout
Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 755933cb5cd17decd1838d3d64e07d4157de5638)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/pngdec: Fix off by 1 size in decode_zbuf()
Michael Niedermayer [Mon, 23 Jan 2017 00:25:27 +0000 (01:25 +0100)]
avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b942d73e02c090170975561fabd5c264)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] libopenmpt: add missing avio_read return value check
Andreas Cadhalpun [Sun, 1 Jan 2017 19:27:50 +0000 (20:27 +0100)]
libopenmpt: add missing avio_read return value check

This fixes heap-buffer-overflows in libopenmpt caused by interpreting
the negative size value as unsigned size_t.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Jörn Heusipp <osmanx@problemloesungsmaschine.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 367cac7827870054ae3bd6d4517e7b13f4f3f72c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/bsf: Fix av_bsf_list_free()
Michael Niedermayer [Mon, 26 Dec 2016 22:45:53 +0000 (23:45 +0100)]
avcodec/bsf: Fix av_bsf_list_free()

Negate null check
Fixes CID1396248

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 762bf6f4afa906a69366cbd125ef40fb788280de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/omx: Do not pass negative value into av_malloc()
Michael Niedermayer [Thu, 29 Dec 2016 01:19:27 +0000 (02:19 +0100)]
avcodec/omx: Do not pass negative value into av_malloc()

Fixes CID1396849

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bd83c295fc1b7f8001e5d134b912af86cd62c3f2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/avidec: skip odml master index chunks in avi_sync
Tobias Rapp [Fri, 23 Dec 2016 13:50:16 +0000 (14:50 +0100)]
avformat/avidec: skip odml master index chunks in avi_sync

Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1bdc4126955cae7f385208e455685986)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/mjpegdec: Check for rgb before flipping
Michael Niedermayer [Sat, 31 Dec 2016 02:08:33 +0000 (03:08 +0100)]
avcodec/mjpegdec: Check for rgb before flipping

Fixes assertion failure due to unsupported case

Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25d9643f1172ae6a210c671195ba3135895abaf3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] lavf/utils.c Protect against accessing entries[nb_entries]
Matt Wolenetz [Mon, 21 Nov 2016 23:54:02 +0000 (15:54 -0800)]
lavf/utils.c Protect against accessing entries[nb_entries]

In ff_index_search_timestamp(), if b == num_entries,
m == num_entries - 1, and entries[m].flags & AVINDEX_DISCARD_FRAME is
true, then the search for the next non-discarded packet could access
entries[nb_entries], exceeding its bounds. This change adds a protection
against that scenario. Reference: https://crbug.com/666770

Reviewed-by: Sasi Inguva <isasi@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe7547d69e6721d064c8604d0a6375a2d24b35ca)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
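The scenario the commit describes (b == num_entries, m == num_entries - 1, entries[m] flagged discard, and the forward scan reaching entries[nb_entries]) is easier to see in reduced form. The following is an added example, not libavformat's ff_index_search_timestamp or AVIndexEntry: the demo_entry type, the DEMO_DISCARD flag, the function names and the sample index are constructed for this page, and the search is simplified to "last entry at or before ts" followed by a forward skip over discarded entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed index for this example: timestamps ascending, plus a flag
 * marking entries a seek must skip over. */
#define DEMO_DISCARD 0x1

typedef struct {
    int64_t timestamp;
    int     flags;
} demo_entry;

/* Binary search for the largest m with e[m].timestamp <= ts; -1 if none.
 * When ts is at or past the last timestamp the loop ends with b == n and
 * m == n - 1, which is the case the commit above describes. */
static int search_last_le(const demo_entry *e, int n, int64_t ts)
{
    int a = -1, b = n;
    while (b - a > 1) {
        int m = a + (b - a) / 2;
        if (e[m].timestamp <= ts)
            a = m;
        else
            b = m;
    }
    return a;
}

/* Unbounded skip (the shape of the bug): walk forward past discarded
 * entries with no upper bound. If e[n-1] is discarded the loop reads e[n].
 * Kept for comparison only; nothing in this file calls it. */
int next_kept_unbounded(const demo_entry *e, int m)
{
    while (e[m].flags & DEMO_DISCARD)
        m++;                                  /* can step to e[n] */
    return m;
}

/* Bounded skip (the shape of the fix): stop at n and report "no entry". */
static int next_kept_bounded(const demo_entry *e, int n, int m)
{
    while (m < n && (e[m].flags & DEMO_DISCARD))
        m++;
    return m < n ? m : -1;
}

/* Seek helper: position on the last entry at or before ts, then move to the
 * next entry that is not discarded; -1 when there is none. */
static int demo_index_search(const demo_entry *e, int n, int64_t ts)
{
    int m = search_last_le(e, n, ts);
    if (m < 0)
        return -1;
    return next_kept_bounded(e, n, m);
}

/* Constructed sample index: the last entry is discarded, so any ts >= 30
 * lands on e[3] and the skip must not run off the end. */
static const demo_entry sample[] = {
    {  0, 0 },
    { 10, DEMO_DISCARD },
    { 20, 0 },
    { 30, DEMO_DISCARD },
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

/* Search the sample index; returns the entry index or -1. */
static int demo_search(int64_t ts)
{
    return demo_index_search(sample, SAMPLE_N, ts);
}

int main(void)
{
    int64_t probes[] = { -5, 0, 10, 25, 30, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("ts=%lld -> entry %d\n", (long long)probes[i],
               demo_search(probes[i]));
    return 0;
}
```

The only difference between the two skip loops is the `m < n` guard; with the sample index, a probe of 30 or more is exactly the m == n - 1 case, and the bounded version returns -1 where the unbounded one would read one entry past the array.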
[2 years ago] avutil/random_seed: Reduce the time needed on systems with very low precision clock()
Michael Niedermayer [Sat, 24 Dec 2016 13:26:41 +0000 (14:26 +0100)]
avutil/random_seed: Reduce the time needed on systems with very low precision clock()

This should fix issues on BSD
CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4152fc42e480c41efb7f761b1bbe5f0bc43d5bc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] swscale/swscale: Fix dereference of stride array before null check
Michael Niedermayer [Fri, 23 Dec 2016 20:14:59 +0000 (21:14 +0100)]
swscale/swscale: Fix dereference of stride array before null check

Fixes: CID1396263
Fixes: CID1396271

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03ce71e4a1187340720e1569ac96c285c145a1f7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avutil/random_seed: Improve get_generic_seed() with higher precision clock()
Michael Niedermayer [Thu, 22 Dec 2016 02:59:03 +0000 (03:59 +0100)]
avutil/random_seed: Improve get_generic_seed() with higher precision clock()

Tested-by: Thomas Turner <thomastdt@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/mp3dec: fix msan warning when verifying mpa header
Chris Cunningham [Tue, 22 Nov 2016 21:54:50 +0000 (13:54 -0800)]
avformat/mp3dec: fix msan warning when verifying mpa header

MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
Reference https://crbug.com/666874.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab87df9a47cd31bfcae9acd84c04705a149dfc14)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
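Three commits on this page (avformat/flacdec, libopenmpt and avformat/mp3dec above) fix the same omission: the result of an avio_read-style call is used without checking it, so a short read leaves stale bytes in the header buffer and a negative error code, once converted to size_t, becomes an enormous length. The following is an added example, not libavformat or libopenmpt code: mem_read is a constructed in-memory stand-in for the reader, DEMO_EIO/DEMO_EINVALIDDATA are constructed error codes (not AVERROR values), the function names and the sample byte strings are constructed, and only the 4-byte FLAC metadata block header layout (last-block bit, 7-bit type, 24-bit big-endian length) is taken from the format itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an avio_read-style reader: copies up to n bytes
 * from an in-memory stream and returns the number of bytes copied, which is
 * short at end of stream, or a negative error code. */
enum { DEMO_EIO = -1, DEMO_EINVALIDDATA = -2 };

typedef struct {
    const uint8_t *data;
    size_t         len;
    size_t         pos;
    int            fail;   /* set to simulate an I/O error */
} mem_stream;

static int mem_read(mem_stream *s, uint8_t *buf, int n)
{
    if (s->fail)
        return DEMO_EIO;
    size_t avail = s->len - s->pos;
    size_t take  = (size_t)n < avail ? (size_t)n : avail;
    memcpy(buf, s->data + s->pos, take);
    s->pos += take;
    return (int)take;          /* 0 <= take <= n; short at EOF */
}

/* FLAC-style metadata block header: one byte (last-block flag in the top
 * bit, block type in the low 7 bits) and a 24-bit big-endian length.
 * Returns the length, or a negative error. This is the shape of the check
 * the flacdec and mp3dec commits add: the header is only valid if all four
 * bytes were actually read; a short read must not be parsed as data. */
static int read_block_header(mem_stream *s, int *is_last, int *type)
{
    uint8_t hdr[4];
    int ret = mem_read(s, hdr, sizeof hdr);
    if (ret < 0)
        return ret;                        /* propagate the I/O error */
    if (ret != (int)sizeof hdr)
        return DEMO_EINVALIDDATA;          /* short read: hdr[] is partly uninitialized */
    *is_last = hdr[0] >> 7;
    *type    = hdr[0] & 0x7f;
    return ((int)hdr[1] << 16) | ((int)hdr[2] << 8) | hdr[3];
}

/* The libopenmpt-style hazard: a signed read result passed straight to a
 * size_t parameter. A negative error code becomes an enormous length, and
 * any callee that trusts it walks far past the buffer. */
static size_t length_as_size_t(int read_result)
{
    return (size_t)read_result;
}

/* Constructed sample inputs. */
static const uint8_t full_hdr[]  = { 0x84, 0x00, 0x00, 0x2a };  /* last, type 4, length 42 */
static const uint8_t short_hdr[] = { 0x84, 0x00, 0x00 };        /* fourth byte missing */

/* Parse one header from a fresh stream over data; returns length or error. */
static int demo_header(const uint8_t *data, size_t len, int fail)
{
    mem_stream s = { data, len, 0, fail };
    int is_last = 0, type = 0;
    return read_block_header(&s, &is_last, &type);
}

int main(void)
{
    printf("full header  -> %d\n", demo_header(full_hdr, sizeof full_hdr, 0));
    printf("short header -> %d\n", demo_header(short_hdr, sizeof short_hdr, 0));
    printf("I/O failure  -> %d\n", demo_header(full_hdr, sizeof full_hdr, 1));
    printf("(size_t)%d   -> %zu\n", DEMO_EIO, length_as_size_t(DEMO_EIO));
    return 0;
}
```

The two checks in read_block_header are distinct: `ret < 0` forwards the reader's own error, and `ret != 4` turns a truncated header into an invalid-data error instead of decoding whatever happened to be in the uninitialized tail of hdr[]. The last printf shows why the libopenmpt fix matters: -1 viewed as size_t is SIZE_MAX.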
[2 years ago] avformat/utils: Print verbose error message if stream count exceeds max_streams
Michael Niedermayer [Sat, 10 Dec 2016 19:15:13 +0000 (20:15 +0100)]
avformat/utils: Print verbose error message if stream count exceeds max_streams

Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/options_table: Set the default maximum number of streams to 1000
Michael Niedermayer [Sat, 10 Dec 2016 19:15:12 +0000 (20:15 +0100)]
avformat/options_table: Set the default maximum number of streams to 1000

Fixes CVE-2016-9561. Note that the security relevance of this is disputed, as
running out of memory can happen with valid files.

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] lavf/chromaprint: Update for version 1.4
Georgi D. Sotirov [Tue, 6 Dec 2016 20:07:59 +0000 (21:07 +0100)]
lavf/chromaprint: Update for version 1.4

Fixes ticket #5997.
(cherry picked from commit 581f93f37ef2e7a00662828ed0348d1edb9041fe)

Fixes Debian bug 841501.

[2 years ago] avutil: Add av_image_check_size2()
Michael Niedermayer [Sat, 10 Dec 2016 20:05:14 +0000 (21:05 +0100)]
avutil: Add av_image_check_size2()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f542b152aa2086b30d1089162d79f5c136905c0c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat: Add max_streams option
Michael Niedermayer [Fri, 18 Nov 2016 16:00:30 +0000 (17:00 +0100)]
avformat: Add max_streams option

This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
Michael Niedermayer [Thu, 8 Dec 2016 22:51:45 +0000 (23:51 +0100)]
avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated

We are checking during encoding if there is enough space as version 4 needs that
check.

Fixes Ticket6005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38a7834bbb24ef62466b076715e0add60e1d6962)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()

Fixes: part of 670190.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/oggdec: Skip streams in duration correction that did not have their duration...
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avformat/oggdec: Skip streams in duration correction that did not have their duration set.

Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/ffv1enc: Fix size of first slice
Michael Niedermayer [Thu, 8 Dec 2016 23:19:19 +0000 (00:19 +0100)]
avcodec/ffv1enc: Fix size of first slice

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] ffplay: fix sws_scale possible out of bounds array access
Marton Balint [Sat, 10 Dec 2016 11:46:54 +0000 (12:46 +0100)]
ffplay: fix sws_scale possible out of bounds array access

As I used simple RGBA formats for subtitles and for the video texture if
avfilter is disabled I kind of assumed that sws_scale won't access data
pointers and strides above index 0, but apparently that is not the case.

Fixes Coverity CID 1396737, 1396738, 1396739, 1396740.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Marton Balint <cus@passwd.hu>
[2 years ago] avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option
Srinath K R [Sat, 3 Dec 2016 11:38:40 +0000 (17:08 +0530)]
avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
[2 years ago] Update for 3.2.2 (tag: n3.2.2)
Michael Niedermayer [Mon, 5 Dec 2016 23:09:40 +0000 (00:09 +0100)]
Update for 3.2.2

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] ffserver: Check chunk size
Michael Niedermayer [Mon, 5 Dec 2016 16:27:45 +0000 (17:27 +0100)]
ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] Avoid using the term "file" and prefer "url" in some docs and comments
Michael Niedermayer [Mon, 5 Dec 2016 11:54:21 +0000 (12:54 +0100)]
Avoid using the term "file" and prefer "url" in some docs and comments

This should make it less ambiguous that these are URLs

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/rtmppkt: Check for packet size mismatches
Michael Niedermayer [Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)]
avformat/rtmppkt: Check for packet size mismatches

Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] zmqsend: Initialize ret to 0
Timothy Gu [Mon, 5 Dec 2016 18:04:57 +0000 (10:04 -0800)]
zmqsend: Initialize ret to 0

Fixes CID1396857.

(cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/flacdec: Fix undefined shift in decode_subframe()
Michael Niedermayer [Sat, 3 Dec 2016 23:11:17 +0000 (00:11 +0100)]
avcodec/flacdec: Fix undefined shift in decode_subframe()

Fixes undefined behavior
Fixes: 639961-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/get_bits: Fix get_sbits_long(0)
Michael Niedermayer [Sat, 3 Dec 2016 22:44:56 +0000 (23:44 +0100)]
avcodec/get_bits: Fix get_sbits_long(0)

Fixes undefined behavior
Fixes: 640889-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/ffmdec: Check media type for chunks
Michael Niedermayer [Sat, 3 Dec 2016 12:39:56 +0000 (13:39 +0100)]
avformat/ffmdec: Check media type for chunks

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
Michael Niedermayer [Sat, 3 Dec 2016 16:05:43 +0000 (17:05 +0100)]
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()

Fixes undefined behavior
Fixes: 640912-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
Michael Niedermayer [Sat, 3 Dec 2016 15:43:10 +0000 (16:43 +0100)]
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c

Fixes: left shift of negative value
Fixes: 668346-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/oggparsespeex: Check frames_per_packet and packet_size
Michael Niedermayer [Sat, 3 Dec 2016 02:40:55 +0000 (03:40 +0100)]
avformat/oggparsespeex: Check frames_per_packet and packet_size

The speex specification does not seem to restrict these values, thus
the limits were chosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/utils: Check start/end before computing duration in update_stream_timings()
Michael Niedermayer [Sat, 3 Dec 2016 02:02:41 +0000 (03:02 +0100)]
avformat/utils: Check start/end before computing duration in update_stream_timings()

Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/flac_parser: Update nb_headers_buffered
Michael Niedermayer [Thu, 24 Nov 2016 14:29:52 +0000 (15:29 +0100)]
avcodec/flac_parser: Update nb_headers_buffered

Fixes infinite loop
Fixes: fuzz.flac

Found-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2475858889cde6221677473b663df6f985add33d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/idroqdec: Check chunk_size for being too large
Michael Niedermayer [Tue, 29 Nov 2016 01:58:34 +0000 (02:58 +0100)]
avformat/idroqdec: Check chunk_size for being too large

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avcodec/me_cmp: Fix median_sad size
Michael Niedermayer [Sun, 27 Nov 2016 13:34:57 +0000 (14:34 +0100)]
avcodec/me_cmp: Fix median_sad size

Fixes out of array read
Fixes: COV1396255

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d9883ded3450e456df5b7214fe464b4b92e917ef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] avformat/utils: Fix type mismatch
Michael Niedermayer [Sun, 27 Nov 2016 02:39:20 +0000 (03:39 +0100)]
avformat/utils: Fix type mismatch

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a06e84b56e936ff3ca090f53d81f9cbc3514e0e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[2 years ago] configure: check for strtoull on msvc
James Almer [Mon, 5 Dec 2016 16:07:10 +0000 (13:07 -0300)]
configure: check for strtoull on msvc

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b52d3574d466e745834d1283b55570dee1e2d4cd)

[2 years ago] http: move chunk handling from http_read_stream() to http_buf_read().
Ronald S. Bultje [Mon, 5 Dec 2016 15:18:10 +0000 (10:18 -0500)]
http: move chunk handling from http_read_stream() to http_buf_read().

(cherry picked from commit 845bb401781ef04e342bd558df16a8dbf5f800f9)

[2 years ago] http: make length/offset-related variables unsigned.
Ronald S. Bultje [Mon, 5 Dec 2016 13:02:33 +0000 (08:02 -0500)]
http: make length/offset-related variables unsigned.

Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa)

[2 years ago] avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC (tag: n3.2.1)
James Almer [Fri, 25 Nov 2016 00:10:47 +0000 (21:10 -0300)]
avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC

Fixes ticket #5973

Reviewed-by: Hendrik Leppkes <h.leppkes@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 6e1902bab4349a79c45807af18ebf5b50f7b436b)

[2 years ago] Update Changelog
Andreas Cadhalpun [Fri, 25 Nov 2016 21:23:39 +0000 (22:23 +0100)]
Update Changelog

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
[2 years ago] mss2: only use error correction for matching block counts
Andreas Cadhalpun [Thu, 24 Nov 2016 22:57:46 +0000 (23:57 +0100)]
mss2: only use error correction for matching block counts

This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
[2 years ago] softfloat: decrease MIN_EXP to cover full float range
Andreas Cadhalpun [Thu, 24 Nov 2016 23:26:51 +0000 (00:26 +0100)]
softfloat: decrease MIN_EXP to cover full float range

floats are not necessarily normalized, so a normalized softfloat needs
MIN_EXP lowered by 23 to cover that range.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
[2 years ago] libopusdec: default to stereo for invalid number of channels
Andreas Cadhalpun [Mon, 14 Nov 2016 20:41:45 +0000 (21:41 +0100)]
libopusdec: default to stereo for invalid number of channels

This fixes an out-of-bounds read if avc->channels is 0.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago flvdec: require need_context_update when changing codec id
Andreas Cadhalpun [Fri, 4 Nov 2016 20:37:13 +0000 (21:37 +0100)]
flvdec: require need_context_update when changing codec id

Otherwise the codec context and codecpar might disagree on the codec id,
triggering asserts in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 98b3a7979f2ff64cacfba4d8925faa28fc657c51)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago pgssubdec: only set w/h/linesize when allocating data
Andreas Cadhalpun [Wed, 9 Nov 2016 22:23:16 +0000 (23:23 +0100)]
pgssubdec: only set w/h/linesize when allocating data

Rects with positive w/h/linesize but no data are invalid.

Reviewed-by: Petri Hintukainen <phintuka@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 995512328ed84bb737bc364e4ef6fba1994f062a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago sbgdec: prevent NULL pointer access
Andreas Cadhalpun [Thu, 10 Nov 2016 21:21:20 +0000 (22:21 +0100)]
sbgdec: prevent NULL pointer access

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago rmdec: validate block alignment
Andreas Cadhalpun [Thu, 17 Nov 2016 21:46:40 +0000 (22:46 +0100)]
rmdec: validate block alignment

This fixes division by zero crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit de4ded06366e5767d0af277a61d9a56b8c8f9c19)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago smacker: limit recursion depth of smacker_decode_bigtree
Andreas Cadhalpun [Sat, 19 Nov 2016 13:21:11 +0000 (14:21 +0100)]
smacker: limit recursion depth of smacker_decode_bigtree

This fixes segmentation faults due to stack-overflow caused by too deep
recursion.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
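
The smacker entry above names the bug class only by its symptom: input-driven recursion exhausting the stack. The following C snippet is an added example, not FFmpeg's code and not the actual smacker_decode_bigtree fix; it uses a reduced one-bit-per-node tree layout and a hypothetical TREE_MAX_DEPTH to show why the depth check has to run before the recursive calls, and how the same decoder behaves on a hostile stream with and without it.

```c
/* Added example, not FFmpeg's code: a reduced Smacker-style tree reader.
 * Per node one bit is read: 0 marks a leaf followed by an 8-bit symbol,
 * 1 marks an internal node whose two children are decoded recursively.
 * Each 1-bit costs one stack frame, so a file of 1-bits drives an
 * unbounded decoder into a stack overflow. TREE_MAX_DEPTH, the error
 * codes and the bit layout are hypothetical. */
#include <stdint.h>
#include <string.h>

#define TREE_MAX_DEPTH 32   /* hypothetical bound; 8-bit leaves never need more */
#define ERR_INVALID  (-1)
#define ERR_TOO_DEEP (-2)
#define ERR_EOF      (-3)

typedef struct BitReader {
    const uint8_t *buf;
    size_t nbits;   /* bits available */
    size_t pos;     /* next bit, LSB-first within each byte */
} BitReader;

static int read_bit(BitReader *br)
{
    if (br->pos >= br->nbits)
        return ERR_EOF;
    int bit = (br->buf[br->pos >> 3] >> (br->pos & 7)) & 1;
    br->pos++;
    return bit;
}

static int read_bits(BitReader *br, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        int b = read_bit(br);
        if (b < 0)
            return b;
        v |= b << i;
    }
    return v;
}

/* Returns the node count or a negative error. max_depth < 0 reproduces
 * the unbounded behaviour; otherwise the depth is checked before any
 * further input is consumed, so hostile input fails after max_depth+1
 * frames instead of one frame per bit. */
static int decode_tree(BitReader *br, int depth, int max_depth)
{
    if (max_depth >= 0 && depth > max_depth)
        return ERR_TOO_DEEP;
    int bit = read_bit(br);
    if (bit < 0)
        return bit;
    if (bit == 0)                                  /* leaf */
        return read_bits(br, 8) < 0 ? ERR_EOF : 1;
    int left = decode_tree(br, depth + 1, max_depth);
    if (left < 0)
        return left;
    int right = decode_tree(br, depth + 1, max_depth);
    if (right < 0)
        return right;
    return 1 + left + right;
}

/* Pack a constructed '0'/'1' string LSB-first; returns bit count, 0 if too long. */
static size_t pack_bits(const char *bits, uint8_t *buf, size_t bufsize)
{
    size_t n;
    memset(buf, 0, bufsize);
    for (n = 0; bits[n]; n++) {
        if ((n >> 3) >= bufsize)
            return 0;
        if (bits[n] == '1')
            buf[n >> 3] |= (uint8_t)(1u << (n & 7));
    }
    return n;
}

int decode_bitstring(const char *bits, int max_depth)
{
    uint8_t buf[64];
    size_t nbits = pack_bits(bits, buf, sizeof buf);
    if (!nbits)
        return ERR_INVALID;
    BitReader br = { buf, nbits, 0 };
    return decode_tree(&br, 0, max_depth);
}

/* nbits consecutive 1-bits: the shape of input that exhausted the stack. */
int decode_all_ones(size_t nbits, int max_depth)
{
    static uint8_t buf[1024];
    if (nbits > sizeof(buf) * 8)
        return ERR_INVALID;
    memset(buf, 0xff, sizeof buf);
    BitReader br = { buf, nbits, 0 };
    return decode_tree(&br, 0, max_depth);
}

/* Constructed valid tree: node(leaf, node(leaf, leaf)) = 5 nodes in 29 bits. */
const char *VALID_TREE_BITS = "1" "0" "10000010" "1" "0" "01000010" "0" "11000010";
```

With max_depth set to -1 the all-ones stream is only stopped by end of input, one stack frame per bit, which is the crash the commit fixes; with the bound in place it is rejected after 33 frames, and the valid tree decodes identically either way. Bounding the depth is the minimal fix; rewriting the decoder with an explicit stack removes the recursion altogether.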
2 years ago mxfdec: fix NULL pointer dereference in mxf_read_packet_old
Andreas Cadhalpun [Thu, 17 Nov 2016 21:53:51 +0000 (22:53 +0100)]
mxfdec: fix NULL pointer dereference in mxf_read_packet_old

Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago ffmdec: validate codec parameters
Andreas Cadhalpun [Wed, 16 Nov 2016 23:04:57 +0000 (00:04 +0100)]
ffmdec: validate codec parameters

A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1c7da19a4b45f5623cb3955b29b9a581026e3c61)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago Update for 3.2.1
Michael Niedermayer [Fri, 25 Nov 2016 20:12:44 +0000 (21:12 +0100)]
Update for 3.2.1

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago avformat/mpeg: Adjust vid probe threshold to correct mis-detection
Michael Niedermayer [Tue, 15 Nov 2016 19:06:42 +0000 (20:06 +0100)]
avformat/mpeg: Adjust vid probe threshold to correct mis-detection

Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago avcodec/ass_split: Change order of operations in ass_split_section()
Michael Niedermayer [Thu, 17 Nov 2016 16:45:03 +0000 (17:45 +0100)]
avcodec/ass_split: Change order of operations in ass_split_section()

This matches the other branch
Fixes out of array read
Fixes: 4d142ca76d39fe685effcf5017098723/asan_heap-oob_31ae824_8611_348fdb64f9009b63c8a8eae9a0e497c5.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae514b1254318ae5e76be2c17055f14b4084ccf0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago avcodec/rawdec: check for side data before checking its size
James Almer [Fri, 4 Nov 2016 01:34:58 +0000 (22:34 -0300)]
avcodec/rawdec: check for side data before checking its size

Fixes valgrind warnings about usage of uninitialized values.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51e329918dc1826de7451541cb15bef3b9bfe138)

2 years ago avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()
James Almer [Sat, 19 Nov 2016 15:38:44 +0000 (12:38 -0300)]
avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()

If realloc fails, the pointer is overwritten and the previously allocated
buffer is leaked, which goes against the expected behavior of keeping the
packet unchanged in case of error.

Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 574929d8b6de32ae712fcca7ab09f01a3e4616be)
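
The avpacket entry above states the contract (packet unchanged on error) without showing the pattern that breaks it. The following is an added C example, not the code of av_packet_add_side_data(): Packet, SideData and the fail_next_realloc hook are constructed so the failing realloc() can be forced, and the leaky and fixed shapes sit side by side.

```c
/* Added example, not FFmpeg's code. The pattern behind the
 * av_packet_add_side_data() leak: realloc()'s result assigned straight
 * onto the only pointer to the old array, so a NULL return both leaks the
 * array and leaves the element count describing memory that is gone.
 * Packet/SideData and the fail_next_realloc hook are constructed here. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct SideData { uint8_t *data; size_t size; } SideData;
typedef struct Packet  { SideData *side_data; int side_data_elems; } Packet;

/* Injectable allocator so a failure can be forced deterministically. */
static int fail_next_realloc = 0;
static void *xrealloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Buggy shape: overwrites the pointer before the result is checked. */
int add_side_data_leaky(Packet *pkt, uint8_t *data, size_t size)
{
    pkt->side_data = xrealloc(pkt->side_data,
                              (size_t)(pkt->side_data_elems + 1) * sizeof(SideData));
    if (!pkt->side_data)
        return -ENOMEM;      /* old array unreachable, side_data_elems stale */
    pkt->side_data[pkt->side_data_elems].data = data;
    pkt->side_data[pkt->side_data_elems].size = size;
    pkt->side_data_elems++;
    return 0;
}

/* Fixed shape: grow into a temporary; on failure the packet is untouched
 * and still owns its old array, which is what the commit message says
 * callers expect on error. */
int add_side_data(Packet *pkt, uint8_t *data, size_t size)
{
    if (pkt->side_data_elems == INT_MAX)
        return -ERANGE;
    SideData *tmp = xrealloc(pkt->side_data,
                             (size_t)(pkt->side_data_elems + 1) * sizeof(*tmp));
    if (!tmp)
        return -ENOMEM;
    pkt->side_data = tmp;
    pkt->side_data[pkt->side_data_elems].data = data;
    pkt->side_data[pkt->side_data_elems].size = size;
    pkt->side_data_elems++;
    return 0;
}

/* Returns 1 if the leaky version lost the array on a forced failure. The
 * demo keeps a copy of the old pointer only so it can free it; a real
 * caller has no such copy. */
int demo_leak(void)
{
    Packet pkt = { NULL, 0 };
    uint8_t a[4] = { 1, 2, 3, 4 };
    if (add_side_data_leaky(&pkt, a, sizeof a) < 0)
        return 0;
    SideData *old = pkt.side_data;
    fail_next_realloc = 1;
    int ret = add_side_data_leaky(&pkt, a, sizeof a);
    int lost = ret == -ENOMEM && pkt.side_data == NULL && pkt.side_data_elems == 1;
    free(old);
    return lost;
}

/* Returns 1 if the fixed version leaves the packet unchanged on failure
 * and still works once allocation succeeds again. */
int demo_fixed(void)
{
    Packet pkt = { NULL, 0 };
    uint8_t a[4] = { 1, 2, 3, 4 }, b[2] = { 5, 6 };
    if (add_side_data(&pkt, a, sizeof a) < 0)
        return 0;
    SideData *before = pkt.side_data;
    fail_next_realloc = 1;
    int ret = add_side_data(&pkt, b, sizeof b);
    int ok = ret == -ENOMEM && pkt.side_data == before &&
             pkt.side_data_elems == 1 && pkt.side_data[0].data == a;
    ok = ok && add_side_data(&pkt, b, sizeof b) == 0 &&
         pkt.side_data_elems == 2 && pkt.side_data[1].size == sizeof b;
    free(pkt.side_data);
    return ok;
}
```

The leaky variant is also a correctness problem beyond the leak: side_data_elems still says 1 while side_data is NULL, so any later reader of the packet dereferences NULL. The temporary-pointer form costs one local variable and keeps both invariants.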

2 years ago avformat/apngenc: use the stream parameters extradata if available
James Almer [Fri, 18 Nov 2016 15:21:54 +0000 (12:21 -0300)]
avformat/apngenc: use the stream parameters extradata if available

Fixes remuxing apng streams coming from the apng demuxer, which sends extradata
during init.

Signed-off-by: James Almer <jamrial@gmail.com>
2 years ago Revert "apngdec: use side data to pass extradata to the decoder"
James Almer [Fri, 18 Nov 2016 15:08:54 +0000 (12:08 -0300)]
Revert "apngdec: use side data to pass extradata to the decoder"

This reverts commit e0c6b32046f4bab7d34be77dd2f03b2a80c86d39.

Said commit changed the behavior of the demuxer and decoder in a non
backwards compatible way.
Demuxers should make extradata available at init if possible, and send
new extradata as side data within a packet if needed.

A better fix for the remuxing crash will follow.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16c429166ddf1736972b6ccce84bd3509ec16a34)

2 years ago ffprobe: fix crash in case -of is specified with an empty string
Stefano Sabatini [Thu, 17 Nov 2016 11:11:13 +0000 (12:11 +0100)]
ffprobe: fix crash in case -of is specified with an empty string

Fix trac issue #5957.

(cherry picked from commit 427a47abcddab15e10ce26d971f712d90c53884b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago libavcodec/exr : fix channel size calculation for uint32 channel
Martin Vignali [Wed, 16 Nov 2016 22:15:27 +0000 (23:15 +0100)]
libavcodec/exr : fix channel size calculation for uint32 channel

uint32 needs 4 bytes, not 1.
Fix decoding when there are half/float and uint32 channels.

This fixes crashes due to pointer corruption caused by invalid writes.

The problem was introduced in commit
03152e74dfdc7f438cb4a10402c4de744e807e22.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 52da3f6f70b1e95589a152aaf224811756fb9665)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago exr: fix out-of-bounds read
Andreas Cadhalpun [Wed, 16 Nov 2016 19:46:56 +0000 (20:46 +0100)]
exr: fix out-of-bounds read

channel_index can be -1.

This problem was introduced in commit
2dd7b46132e2801ef34fe1b5c27e0113cdcfa2f9.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ffdc5d09e498bee8176c9e35df101c01c546a738)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago libschroedingerdec: fix leaking of framewithpts
Andreas Cadhalpun [Sun, 13 Nov 2016 22:10:06 +0000 (23:10 +0100)]
libschroedingerdec: fix leaking of framewithpts

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago libschroedingerdec: don't produce empty frames
Andreas Cadhalpun [Sun, 13 Nov 2016 21:59:47 +0000 (22:59 +0100)]
libschroedingerdec: don't produce empty frames

They are not valid and can cause problems/crashes for API users.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago dds: limit 4 bpp handling to AV_PIX_FMT_PAL8
Andreas Cadhalpun [Tue, 15 Nov 2016 21:11:05 +0000 (22:11 +0100)]
dds: limit 4 bpp handling to AV_PIX_FMT_PAL8

This fixes NULL pointer dereferencing for formats where frame->data[1]
is not allocated.

The problem was introduced in commit
257fbc3af4cba08ac471dab68924182160bde6fd.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 90ebf3c428352eb1d4116bf97b470ceca295d7d6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago mlz: limit next_code to data buffer size
Andreas Cadhalpun [Mon, 14 Nov 2016 23:11:30 +0000 (00:11 +0100)]
mlz: limit next_code to data buffer size

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1abcd972c4c0e16f1e83be2fd32a251f51b2946d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago softfloat: handle -INT_MAX correctly
Andreas Cadhalpun [Sun, 13 Nov 2016 19:52:02 +0000 (20:52 +0100)]
softfloat: handle -INT_MAX correctly

This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago filmstripdec: correctly check image dimensions
Andreas Cadhalpun [Sun, 13 Nov 2016 17:22:12 +0000 (18:22 +0100)]
filmstripdec: correctly check image dimensions

This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago pnmdec: make sure v is capped by maxval
Andreas Cadhalpun [Wed, 9 Nov 2016 00:09:35 +0000 (01:09 +0100)]
pnmdec: make sure v is capped by maxval

Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago smvjpegdec: make sure cur_frame is not negative
Andreas Cadhalpun [Thu, 10 Nov 2016 21:09:03 +0000 (22:09 +0100)]
smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago icodec: correctly check avio_read return value
Andreas Cadhalpun [Tue, 8 Nov 2016 22:29:28 +0000 (23:29 +0100)]
icodec: correctly check avio_read return value

It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
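
Both the ffmdec entry (a negative extradata size reaching memcpy) and the icodec entry (an avio_read() return checked only for failure, and a size that could equal a negative error code) reduce to the same two checks on a size field read from the container. The C below is an added example, not FFmpeg's ffmdec or icodec code: MemReader, MAX_BLOB_SIZE, the error codes and the sample inputs are constructed for the example, and mem_read() only mimics avio_read()'s short-read behaviour.

```c
/* Added example, not FFmpeg's code. Models the two size-handling bug
 * classes in the ffmdec and icodec entries: a signed size field read from
 * the container reaches malloc()/memcpy()/read unchecked, and the read is
 * only checked for "< 0" (or for "!= size", which a negative size can
 * satisfy). MemReader, MAX_BLOB_SIZE and the error codes are constructed
 * for the example; mem_read() mimics avio_read()'s short-read behaviour. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOB_SIZE   (1 << 20)   /* hypothetical upper bound for one blob */
#define ERR_INVALIDDATA (-EINVAL)
#define ERR_NOMEM       (-ENOMEM)
#define ERR_EOF         (-EIO)

typedef struct MemReader { const uint8_t *data; size_t size; size_t pos; } MemReader;

/* Like avio_read(): returns bytes read (possibly fewer than len) or a negative error. */
static int mem_read(MemReader *r, uint8_t *buf, int len)
{
    if (len < 0)
        return ERR_INVALIDDATA;
    size_t avail = r->size - r->pos;
    if (avail == 0)
        return ERR_EOF;
    size_t n = (size_t)len < avail ? (size_t)len : avail;
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return (int)n;
}

static int read_le32(MemReader *r, int32_t *v)
{
    uint8_t b[4];
    int ret = mem_read(r, b, 4);
    if (ret < 0)
        return ret;
    if (ret != 4)
        return ERR_INVALIDDATA;
    *v = (int32_t)((uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24);
    return 0;
}

/* The "did I get what I asked for" test on its own: with an unvalidated
 * signed size it is satisfied when ret and size are the same negative
 * error code, which is the icodec corner case. */
int naive_read_ok(int ret, int32_t size)
{
    return ret == size;
}

/* Validate a size field before it is used as an allocation or copy length. */
int validate_size(int32_t size)
{
    if (size <= 0 || size > MAX_BLOB_SIZE)
        return ERR_INVALIDDATA;
    return 0;
}

/* Hardened: validate, allocate, then require a full read; a partially
 * filled (uninitialised-tail) buffer is never handed back. */
int read_sized_blob(MemReader *r, uint8_t **out, int32_t *out_size)
{
    int32_t size;
    int err, ret;
    *out = NULL;
    *out_size = 0;
    if ((err = read_le32(r, &size)) < 0)
        return err;
    if ((err = validate_size(size)) < 0)
        return err;
    uint8_t *buf = malloc((size_t)size);
    if (!buf)
        return ERR_NOMEM;
    ret = mem_read(r, buf, size);
    if (ret != size) {
        free(buf);
        return ret < 0 ? ret : ERR_INVALIDDATA;
    }
    *out = buf;
    *out_size = size;
    return 0;
}

/* Convenience for a whole constructed file: returns blob size (> 0) or the error. */
int32_t parse_blob_size(const uint8_t *data, size_t len)
{
    MemReader r = { data, len, 0 };
    uint8_t *blob;
    int32_t size;
    int err = read_sized_blob(&r, &blob, &size);
    if (err < 0)
        return err;
    free(blob);
    return size;
}

/* Constructed inputs: a 4-byte little-endian size followed by the payload. */
const uint8_t SAMPLE_GOOD[]      = { 3, 0, 0, 0, 'a', 'b', 'c' };
const uint8_t SAMPLE_SHORT[]     = { 8, 0, 0, 0, 'a', 'b', 'c' };   /* claims 8, carries 3 */
const uint8_t SAMPLE_NEGATIVE[]  = { 0xff, 0xff, 0xff, 0xff };        /* size = -1 */
const uint8_t SAMPLE_TRUNCATED[] = { 3, 0 };
```

Order matters: validate_size() runs before malloc(), so a negative value never becomes a huge size_t, and the size is positive by the time it is compared with the read result, so the comparison can no longer be satisfied by two equal error codes. The short-read case is the one a fuzzer finds last, because the buffer is allocated and mostly filled; only the tail is stale heap memory.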
2 years ago icodec: fix leaking pkt on error
Andreas Cadhalpun [Tue, 8 Nov 2016 22:53:52 +0000 (23:53 +0100)]
icodec: fix leaking pkt on error

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1bea5c8325c6974190ba61f1bba88a3f3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago dvbsubdec: fix division by zero in compute_default_clut
Andreas Cadhalpun [Tue, 8 Nov 2016 21:32:42 +0000 (22:32 +0100)]
dvbsubdec: fix division by zero in compute_default_clut

This problem was introduced in commit
4b90dcb8493552c17a811c8b1e6538dae4061f9d.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago proresdec_lgpl: explicitly check coff[3] against slice_data_size
Andreas Cadhalpun [Wed, 9 Nov 2016 22:49:46 +0000 (23:49 +0100)]
proresdec_lgpl: explicitly check coff[3] against slice_data_size

The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.

This fixes segmentation faults due to invalid reads.

This problem was introduced in commit
547c2f002a87f4412a83c23b0d60364be5e7ce58.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago escape124: reject codebook size 0
Andreas Cadhalpun [Tue, 8 Nov 2016 23:38:50 +0000 (00:38 +0100)]
escape124: reject codebook size 0

It causes a cb_depth of 32, leading to assertion failures in get_bits.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 226d35c84591f1901c2a13819031549909faa1f5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years ago mpegts: prevent division by zero
Andreas Cadhalpun [Mon, 7 Nov 2016 22:37:59 +0000 (23:37 +0100)]
mpegts: prevent division by zero

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82fc77a10d45fa53bd2738d2c54de6c6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>