Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list)
Fixes: LMS-2014-06-16-4
Found-by: "Don A. Bailey" <donb@securitymouse.com>
See: ccda51b14c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d6af26c55c)
Conflicts:
libavutil/lzo.c
(cherry picked from commit 7b5c706494)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
FFmpeg 0.8.15 release
* tag 'n0.8.15': (49 commits)
update for 0.8.15
avcodec/ffv1enc: update buffer check for 16bps
avcodec/dsputil: fix signedness in sizeof() comparisons
avcodec/pngdsp: fix (un)signed type in end comparison
matroska_read_seek: Fix used streams for subtitle index compensation
jpeg2000: check log2_cblk dimensions
avcodec/rpza: Perform pointer advance and checks before using the pointers
update all trac links to use the trac subdomain
doc/APIchanges: List merge commit hashes and version numbers
apichanges: fix 2 wrong hashes
avcodec/parser: reset indexes on realloc failure
mpeg12dec: avoid reinitialization on PS changes when possible.
mpegts: only reopen pmt_cb filter if it's different from the previous.
Autodetect idcin only if audio properties allow decoding.
alacenc: Fix missing sign_extend()
h264_cavlc: fix reading skip run
Update changelog for 0.7.8 release
aac: check the maximum number of channels
oggdec: fix faulty cleanup prototype
qdm2: check that the FFT size is a power of 2
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavformat/matroskadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.
Remove the check. Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53)
Conflicts:
libavutil/lzo.c
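The rewrite described in the commit message above, as an added example that is not FFmpeg's or libav's own code: a minimal LZO-style back-reference copy whose bounds checks compare distances as integers (`c->out - c->out_start < back`) instead of first forming the out-of-buffer pointer `&c->out[-back]`. The struct fields, the `copy_backptr` and `demo_*` helpers and the literal input are assumptions constructed for this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoder state with the three fields the commit message names.  This is an
   illustrative reimplementation written for this page, not libavutil/lzo.c. */
struct lzo_ctx {
    uint8_t *out;        /* current write cursor */
    uint8_t *out_start;  /* first byte of the output buffer */
    uint8_t *out_end;    /* one past the last byte of the output buffer */
};

/* Copy cnt bytes from `back` bytes behind the write cursor (an LZO-style
   back-reference).  Returns 0 on success, -1 if the reference would reach
   before the start of the buffer or the copy would run past its end.
   The old code formed &c->out[-back] first and then compared it; forming a
   pointer outside the buffer is already undefined behaviour, so the checks
   below compare distances as integers and only then derive the source. */
static int copy_backptr(struct lzo_ctx *c, size_t back, size_t cnt)
{
    /* `c->out - c->out_start < back` from the commit message. */
    if (back == 0 || (size_t)(c->out - c->out_start) < back)
        return -1;
    /* Same idea for the end of the buffer. */
    if ((size_t)(c->out_end - c->out) < cnt)
        return -1;

    const uint8_t *src = c->out - back;   /* now known to be inside the buffer */
    /* Byte-wise copy: when back < cnt the source overlaps the bytes being
       written, which is how LZO repeats a short pattern. */
    while (cnt--)
        *c->out++ = *src++;
    return 0;
}

/* Writes the constructed literal "abc" and then applies one back-reference. */
static int demo_decode(uint8_t *dst, size_t dst_len, size_t back, size_t cnt)
{
    struct lzo_ctx c = { dst, dst, dst + dst_len };
    static const uint8_t literal[3] = { 'a', 'b', 'c' };  /* constructed sample */
    if (dst_len < sizeof literal)
        return -1;
    memcpy(c.out, literal, sizeof literal);
    c.out += sizeof literal;
    return copy_backptr(&c, back, cnt);
}

/* 1 when back=3, cnt=6 expands "abc" to "abcabcabc", 0 otherwise. */
static int demo_roundtrip(void)
{
    uint8_t buf[16] = { 0 };
    if (demo_decode(buf, sizeof buf, 3, 6) != 0)
        return 0;
    return memcmp(buf, "abcabcabc", 9) == 0;
}

/* Verdict (0 or -1) for an arbitrary reference against a 16-byte buffer. */
static int demo_verdict(size_t back, size_t cnt)
{
    uint8_t buf[16] = { 0 };
    return demo_decode(buf, sizeof buf, back, cnt);
}
```

The point of the integer form is that `c->out - c->out_start` is a difference between two pointers into the same object, which is always defined, whereas `&c->out[-back]` with `back` larger than the bytes written so far is not; compilers are entitled to delete comparisons that can only be true after such an overflow.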
* release/0.8: (92 commits)
Update for 0.8.13
pngdec/filter: don't access out of array elements at the end
aacdec: check channel count
vqavideo: check chunk sizes before reading chunks
eamad: fix out of array accesses
roqvideodec: check dimensions validity
qdm2: check array index before use, fix out of array accesses
alsdec: check block length
huffyuvdec: Skip len==0 cases
huffyuvdec: Check init_vlc() return codes.
Update changelog for 0.7.7 release
mpeg12: do not decode extradata more than once.
indeo4/5: check empty tile size in decode_mb_info().
dfa: improve boundary checks in decode_dds1()
indeo5dec: Make sure we have had a valid gop header.
rv34: error out on size changes with frame threading
rtmp: fix buffer overflows in ff_amf_tag_contents()
rtmp: fix multiple broken overflow checks
Revert "h264: allow cropping to AVCodecContext.width/height"
h264: check ref_count validity for num_ref_idx_active_override_flag
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavcodec/rv34.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb': (22 commits)
alsdec: Check k used for rice decoder.
cavsdec: check for changing w/h.
avidec: use actually read size instead of requested size
wmaprodec: check num_vec_coeffs for validity
lagarith: check count before writing zeros.
indeo5: check tile size in decode_mb_info().
indeo5: prevent null pointer dereference on broken files
indeo: check for invalid motion vectors
indeo: clear allocated band buffers
indeo: check custom Huffman tables for errors
dfa: add some checks to ensure that decoder won't write past frame end
dfa: check that the caller set width/height properly.
bytestream: add a new set of bytestream functions with overread checking
avsdec: Set dimensions instead of relying on the demuxer.
lavfi: avfilter_merge_formats: handle case where inputs are same
rv34: use AVERROR return values in ff_rv34_decode_frame()
h263: Add ff_ prefix to nonstatic symbols
eval: fix swapping of lt() and lte()
bmpdec: only initialize palette for pal8.
vc1dec: add flush function for WMV9 and VC-1 decoders
...
Conflicts:
libavcodec/avs.c
libavcodec/mpegvideo_enc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* release/0.8: (182 commits)
id3v2: fix skipping extended header in id3v2.4
Update RELEASE file for 0.7.5
lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
kgv1dec: Increase offsets array size so it is large enough.
kgv1: use avctx->get/release_buffer().
kvmc: fix invalid reads
nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
mjpegbdec: Fix overflow in SOS.
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure (cherry picked from commit 9e5e2c2d01)
atrac3: Fix crash in tonal component decoding.
ws_snd1: Fix wrong samples count and crash.
ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f)
ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
h264: stricter reference limit enforcement.
jvdec: unbreak video decoding
xxan: don't read before start of buffer in av_memcpy_backptr().
dsicinvideo: validate buffer offset before copying pixels.
huffyuv: add padding to classic (v1) huffman tables.
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7: (96 commits)
intfloat_readwrite: fix signed addition overflows
smacker: validate channels and sample format.
smacker: check buffer size before reading output size
smacker: validate number of channels
sipr: fix get_bits(0) calls
motion_est: make MotionExtContext.map_generation unsigned
4xm: prevent NULL dereference with invalid huffman table
4xmdemux: prevent use of uninitialized memory
4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
ptx: check for out of bound reads
tiffdec: fix out of bound reads/writes
eacmv: check for out of bound reads
eacmv: fix potential pointer arithmetic overflows
adpcm: fix out of bound reads due to integer overflow
anm: prevent infinite loop
avsdemux: check for out of bound writes
avs: check for out of bound reads
avsdemux: check for corrupted data
mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
...
Conflicts:
libavcodec/adpcm.c
libavcodec/bink.c
libavcodec/h264.c
libavcodec/h264.h
libavcodec/h264_cabac.c
libavcodec/h264_cavlc.c
libavcodec/motion_est_template.c
libavcodec/mpegvideo.c
libavcodec/nellymoserdec.c
libavcodec/ptx.c
libavcodec/svq3.c
libavcodec/vaapi_vc1.c
libavcodec/xan.c
libavfilter/vf_scale.c
libavformat/4xm.c
libavformat/flvdec.c
libavformat/mpeg.c
tests/ref/fate/motionpixels
Merged-by: Michael Niedermayer <michaelni@gmx.at>
These additions might overflow the signed range for large
input values. Converting to unsigned before the addition
rather than after avoids such undefined behaviour. The
result under normal two's complement wraparound remains
unchanged.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 88d1e2b2b0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This fixes a signed overflow from i << 24 when i == 255 by
making i unsigned. The result of the shift is already
assigned to a variable of unsigned type.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8b19ae0761)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Found with address sanitizer.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c693aa6f71)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* release/0.8: (31 commits)
svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148
vp3dec: Check coefficient index in vp3_dequant() Fixes NGS00145
qdm2dec: fix buffer overflow. Fixes NGS00144
h264: Fix invalid interlaced progressive MB combinations for direct mode prediction. Fixes Ticket312
mpegvideo: don't use ff_mspel_motion() for vc1. Fixes Ticket655
imgutils: Fix illegal read.
ac3probe: Detect Sonic Foundry Soft Encode AC3 as raw AC3. Our ac3 code chain can handle it fine. More ideal would be to write a demuxer that actually extracts what can be from the additional headers and uses it for whatever it can be used for.
mjpeg: support mpo. Fixes stereoscopic_photo.mpo
Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info.
lavf: fix multiplication overflow in avformat_find_stream_info()
lavf: fix invalid reads in avformat_find_stream_info()
lavf: add avformat_find_stream_info()
lavc: fix parentheses placement in avcodec_open2().
lavc: introduce avcodec_open2() as a replacement for avcodec_open().
rawdec: use a default sample rate if none is specified. Fixes "ffmpeg -f s16le -i /dev/zero"
rawdec: add check on sample_rate
qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones(). This is necessary but likely not sufficient to prevent out of array reads.
cinepak: check strip_size
wma: Check channel number before init. Fixes Ticket240
Do not try to read 16bit gray png files with alpha channel.
...
Conflicts:
libavcodec/version.h
libavformat/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Found with address sanitizer.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c693aa6f71)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Treating them like 0 is safest; the current code would invoke
undefined pointer arithmetic behaviour in this case.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(cherry picked from commit b9242fd12f)
(cherry picked from commit 0411b19289)
Treating them like 0 is safest; the current code would invoke
undefined pointer arithmetic behaviour in this case.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(cherry picked from commit b9242fd12f)
* release/0.8: (96 commits)
Version numbers for 0.8.6
snow: emu edge support. Fixes Ticket592
imc: validate channel count
imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d67)
libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b130)
configure: fix arch x86_32
mp3enc: avoid truncating id3v1 tags by one byte
asfdec: Check packet_replic_size earlier
cin audio: validate the channel count
binkaudio: add some buffer overread checks.
atrac1: validate number of channels (cherry picked from commit bff5b2c1ca)
atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12)
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e4)
apedec: set s->currentframeblocks after validating nblocks
apedec: use unsigned int for 'nblocks' and make sure that it's within int range
apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d74)
apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313)
mpegaudiodec: check output data size based on avctx->frame_size
resample: Fix array size
resample2: fix potential overflow
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Note, the other arm asm code is likely affected too and should be changed as well.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 96bc6485bc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a signed overflow from i << 24 when i == 255 by
making i unsigned. The result of the shift is already
assigned to a variable of unsigned type.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8b19ae0761)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* release/0.8: (185 commits)
h264: fix intra 16x16 mode check when using mbaff and constrained_intra_pred.
h264: check for invalid bit depth value.
h264: add entries for 11 and 12 bits in ff_h264_chroma_qp[][]
h264: fix the check for invalid SPS:num_ref_frames.
h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors.
Reject video with non multiple of 16 width/height in the 4xm decoder.
4xm decoder: fix data size for i2 frames.
4xm decoder: print some error messages in case of errors.
Check for out of bound accesses in the 4xm decoder.
Prevent block size from increasing in the shorten decoder.
Check for out of bound reads in PTX decoder.
Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffers used in 4xm decoder.
Fix the check for missing references in ff_er_frame_end() for H264.
Prevent NULL dereference when the huffman table is invalid in the 4xm decoder.
Fix use of uninitialized memory in 4X Technologies demuxer.
h264: increase ref_poc size to 32 as it can be per field.
h264: set unused ref_counts to 0 as a precautionary measure.
Remove Changelog, it has nothing to do with reality
fate: fix motion pixels checksum change caused by backported bugfix
avienc: Add a limit on the number of skipped frames muxed in a row.
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
av_realloc_f helps avoiding memory-leaks in typical uses of realloc.
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5cd754bca2)
av_size_mult helps checking for overflow when computing the size of a memory
area.
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b2600509fe)
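The two helpers described in the commit messages above (av_realloc_f and av_size_mult), as an added example written for this page in the spirit of those functions, not libavutil's own implementation: an overflow-checked size multiplication and a realloc wrapper that frees the old block on failure, used by a small growable buffer. The names `checked_size_mult`, `realloc_or_free`, `append_bytes` and the "hello world" chunks are assumptions constructed here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-checked a*b in the spirit of av_size_mult.  Illustrative helper
   written for this page, not libavutil's own implementation.  Returns 0 and
   stores the product, or -ERANGE (storing 0) when a*b does not fit in size_t. */
static int checked_size_mult(size_t a, size_t b, size_t *r)
{
    size_t t = a * b;           /* unsigned multiply wraps, never UB */
    if (b != 0 && t / b != a) { /* wrapped iff dividing back does not recover a */
        *r = 0;
        return -ERANGE;
    }
    *r = t;
    return 0;
}

/* realloc that frees the old block on failure, in the spirit of av_realloc_f.
   The common pattern  p = realloc(p, n);  loses the only pointer to the old
   block when realloc returns NULL; here the caller's block is always left
   either valid or freed.  A size of 0 frees the block and returns NULL. */
static void *realloc_or_free(void *ptr, size_t nelem, size_t elsize)
{
    size_t size;
    void *r;
    if (checked_size_mult(nelem, elsize, &size) < 0 || size == 0) {
        free(ptr);
        return NULL;
    }
    r = realloc(ptr, size);
    if (!r)
        free(ptr);
    return r;
}

/* Growable byte buffer using the helper: appends n bytes of src.
   Returns the new length, or -1 after freeing the buffer on failure. */
static long append_bytes(uint8_t **buf, size_t *len, const uint8_t *src, size_t n)
{
    uint8_t *nb;
    if (n > SIZE_MAX - *len) {      /* the addition itself must not wrap either */
        free(*buf);
        *buf = NULL;
        *len = 0;
        return -1;
    }
    nb = realloc_or_free(*buf, *len + n, 1);
    if (!nb) {
        *buf = NULL;                /* already freed by realloc_or_free */
        *len = 0;
        return -1;
    }
    memcpy(nb + *len, src, n);
    *buf = nb;
    *len += n;
    return (long)*len;
}

/* Builds "hello world" from two constructed chunks and returns its length. */
static long demo_append(void)
{
    uint8_t *buf = NULL;
    size_t len = 0;
    long rc;
    if (append_bytes(&buf, &len, (const uint8_t *)"hello ", 6) < 0)
        return -1;
    rc = append_bytes(&buf, &len, (const uint8_t *)"world", 5);
    if (rc > 0 && memcmp(buf, "hello world", 11) != 0)
        rc = -2;
    free(buf);
    return rc;
}

/* Shows that an overflowing element count is refused rather than wrapping
   to a tiny allocation that a later copy would overrun. */
static int demo_overflow_refused(void)
{
    size_t r;
    return checked_size_mult(SIZE_MAX / 2 + 1, 2, &r) == -ERANGE && r == 0;
}
```

The division check `t / b != a` is the portable way to detect that the unsigned product wrapped; the wrapper then guarantees the caller never holds a dangling pointer, which is the leak (and, after a later free, the double free) that the plain `p = realloc(p, n)` idiom invites.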
1<<31 overflows because 1 is signed, so force it to unsigned.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 5938e02185)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
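The three signed-overflow fixes above (converting to unsigned before an addition, `i << 24` with `i == 255`, and `1<<31`) share one idea: do the arithmetic in an unsigned type so that it is defined, and detect overflow explicitly where wraparound is not what the caller wants. The block below is an added example written for this page, not code from FFmpeg or libav; the macro and function names are assumptions.

```c
#include <limits.h>
#include <stdint.h>

/* 1 << 31 is a signed int overflow on 32-bit int (INT_MAX is 2^31 - 1), so the
   bit is spelled with an unsigned literal.  Added example for this page. */
#define TOP_BIT (1u << 31)

/* The i << 24 case: with int i == 255 the shift lands in the sign bit.
   Converting to uint32_t first makes every shift defined. */
static uint32_t pack_be32(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
{
    return ((uint32_t)b0 << 24) | ((uint32_t)b1 << 16) |
           ((uint32_t)b2 << 8)  |  (uint32_t)b3;
}

/* The intfloat_readwrite case: (uint32_t)(a + b) performs a signed addition
   that may overflow before the cast; (uint32_t)a + (uint32_t)b wraps modulo
   2^32, which is exactly the value the old code got on two's-complement
   machines, without relying on undefined behaviour. */
static uint32_t add_wrap_u32(int32_t a, int32_t b)
{
    return (uint32_t)a + (uint32_t)b;
}

/* Where wraparound is not the intended semantics (sizes, offsets, counts),
   detect the overflow up front instead of letting it happen. */
static int add_checked_s32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

static int has_top_bit(uint32_t v)
{
    return (v & TOP_BIT) != 0;
}
```

Compiling the pre-fix forms with gcc or clang's `-fsanitize=undefined` reports each of these at runtime, which is the practical way to find the remaining instances the last commit message hints at; the unsigned rewrites above produce the same bit patterns without the report.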
* release/0.8: (154 commits)
vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling
Check for huffman tree building error in vp6 decoder.
Release old pictures after a resolution change in vp5/6 decoder
Check for missing reference in vp5/6 decoder.
Check for invalid slices offsets in RV30/40 decoder.
Check output buffer size in nellymoser decoder.
Hack around gcc 4.6 breaking asm using call.
Fix dxva2 decoding for some H264 samples.
mp3demux: pass on error code on packet read.
Check for invalid slice offsets in real decoder.
rmdec: Reject invalid deinterleaving parameters
Use deinterleavers for demangling audio packets in RealMedia.
rv10: Reject slices that do not have the same type as the first one
rmdec: use the deinterleaving mode and not the codec when creating audio packets.
MAINTAINERS: add my GPG fingerprint. (cherry picked from commit 7882dc10f8)
Support 3IVD in isom, produced by 3ivx DivX Doctor.
mpegpsdec: fix reading first mpegps packet (cherry picked from commit b2f230e23d)
Avoid NULL dereference on corrupted bitstream with real decoder.
Reject slices that do not have the same type as the first one in RV10/RV20 decoder.
check all svq3_get_ue_golomb() returns.
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavcodec/rv34.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* khirnov/release/0.7: (64 commits)
rv34: Check for invalid slice offsets
rv34: Fix potential overreads
rv34: Avoid NULL dereference on corrupted bitstream
rv10: Reject slices that do not have the same type as the first one
lavf: Fix context pointer in av_open_input_stream when avformat_open_input fails
oggdec: fix out of bound write in the ogg demuxer
Fixed size given to init_get_bits().
smacker: fix a few off by 1 errors
Check for invalid VLC value in smacker decoder.
Check and propagate errors when VLC trees cannot be built in smacker decoder.
Fixed off by one packet size allocation in the smacker demuxer.
Check for invalid packet size in the smacker demuxer.
ape demuxer: fix segfault on memory allocation failure.
xan: Add some buffer checks (cherry picked from commit 0872bb23b4)
Fixed size given to init_get_bits() in xan decoder. (cherry picked from commit 393d5031c6)
smacker demuxer: handle possible av_realloc() failure.
Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks.
cljr: init_get_bits size in bits instead of bytes (cherry picked from commit 0c1f5b93d9)
indeo2: fail if input buffer too small (cherry picked from commit b7ce4f1d1c)
indeo2: init_get_bits size in bits instead of bytes (cherry picked from commit 68ca330cbd)
...
Conflicts:
ffmpeg.c
libavdevice/alsa-audio.h
libavformat/gxf.c
libswscale/x86/swscale_template.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* release/0.8: (82 commits)
Fix version numbers
rtp: disable udp fifos, the rtp code cannot work with the fifos in its current form as rtp bypasses the public API.
udp: allow fifo size to be tuned separately
riff: Add mpgv MPEG-2 fourcc
Update Changelog
matroskadec: fix integer underflow if header length < probe length.
ffmpeg: fix operation with --disable-avfilter
vf_libopencv: replace opencv/cxtypes.h #include by opencv/cxcore.h
build: Create mlib optimization directories during out-of-tree builds.
changelog: misc typo and wording fixes (cherry picked from commit b047941d7d)
doc: Remove outdated comments about gcc 2.95 and gcc 3.3 support. (cherry picked from commit 5ccbf80963)
matroskadec: matroska_read_seek after EBML_STOP leads to failure.
Update RELEASE file
update Changelog
mt: proper locking around release_buffer calls.
vp8/mt: flush worker thread, not application thread context, on seek.
docs: Mention the upstream bugzilla url about the dlltool vs MSVC issue
docs: Use proper markup for a literal command line option
docs: Don't recommend adding --enable-memalign-hack
docs: Remove needless configure options
...
Conflicts:
VERSION
libavcodec/opt.h
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Before this, almost all module groups have been used for grouping functions
and fields in structures semantically. This causes them to not appear
properly in the file documentation and needlessly clutters up the "Modules"
index.
Additionally, this commit streamlines some spelling and appearances.
(cherry picked from commit 21a19b7912)
In commit bebe72f4a0, the enum AV_PICTURE_TYPE_* was introduced. There are still places in the code where pict_type is used as an integer and there is a case where "pict_type = 0" with the explanation "let ffmpeg decide what to do". The new enum does not know a value of 0 and C++ will fail if compiling such programs anyway as it is referred to as an int (and you cannot patch them properly).
(cherry picked from commit 5129336714)
* master:
ffplay: do not init SDL audio if -an is specified.
Fix zero-length gnu_printf format string warning.
A cmp instruction with two constants is invalid, thus "g" constraint is not correct but must be "rm" instead.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* master: (109 commits)
libx264: fix open gop default. Please use -x264opts to force open gop. This fixes Ticket268
avfilter picture pool: double free hotfix
mpegaudio_parser: be less picky on the start position
ppc32: Fix movrel
Replace usages of av_get_bits_per_sample_fmt() with av_get_bytes_per_sample().
x86: cabac: fix register constraints for 32-bit mode
cabac: move x86 asm to libavcodec/x86/cabac.h
x86: h264: cast pointers to intptr_t rather than int
x86: h264: remove hardcoded edi in decode_significance_8x8_x86()
x86: h264: remove hardcoded esi in decode_significance[_8x8]_x86()
x86: h264: remove hardcoded edx in decode_significance[_8x8]_x86()
x86: h264: remove hardcoded eax in decode_significance[_8x8]_x86()
x86: cabac: change 'a' constraint to 'r' in get_cabac_inline()
x86: cabac: remove hardcoded esi in get_cabac_inline()
x86: cabac: remove hardcoded edx in get_cabac_inline()
x86: cabac: remove unused macro parameter
x86: cabac: remove hardcoded ebx in inline asm
x86: cabac: remove hardcoded struct offsets from inline asm
cabac: remove inline asm under #if 0
cabac: remove BRANCHLESS_CABAC_DECODER switch
...
Conflicts:
cmdutils.c
ffserver.c
libavfilter/avfilter.h
libavformat/avformat.h
libavformat/utils.c
libavformat/version.h
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
lavc: add opt_find to AVCodecContext class.
h264: Complexify frame num gap shortening code
intreadwrite.h: fix AV_RL32/AV_RB32 signedness.
Fix decoding of mpegts streams with h264 video that does *NOT* have b frames
Add minor bumps and APIChanges entries for lavf private options.
ffmpeg: deprecate -vc and -tvstd
ffmpeg: use new avformat_open_* API.
ffserver: use new avformat_open_* API.
ffprobe: use new avformat_open_* API.
ffplay: use new avformat_open_* API.
cmdutils: add opt_default2().
dict: add AV_DICT_APPEND flag.
lavf: add avformat_write_header() as a replacement for av_write_header().
Deprecate av_open_input_* and remove their uses.
lavf: add avformat_open_input() as a replacement for av_open_input_*
AVOptions: add av_opt_find() as a replacement for av_find_opt.
AVOptions: add av_opt_set_dict() mapping a dictionary struct to a context.
ffmpeg: don't abuse a global for passing frame size from input to output
ffmpeg: don't abuse a global for passing pixel format from input to output
ffmpeg: initialise encoders earlier.
Conflicts:
cmdutils.c
doc/APIchanges
ffmpeg.c
ffplay.c
ffprobe.c
libavcodec/h264.c
libavformat/avformat.h
libavformat/utils.c
libavformat/version.h
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The output type of the AV_RL32/AV_RB32 macros was signed int. The
resulting overflow broke at least some ASF streams with large
timestamps. Fix by adding a cast to uint32_t.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
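What the signedness fix above changes, as an added example written for this page rather than libavutil's intreadwrite.h: a little-endian 32-bit read whose result type is `uint32_t`, next to a model of the old `int`-typed result, both widened into a 64-bit timestamp. The `RL32` macro, the `ts_*` helpers and the sample field bytes are assumptions constructed here.

```c
#include <stdint.h>

/* Little-endian 32-bit read with the uint32_t cast the commit adds.
   Illustrative macro written for this page, not intreadwrite.h itself. */
#define RL32(p) ((uint32_t)((p)[0] | ((uint32_t)(p)[1] << 8) | \
                            ((uint32_t)(p)[2] << 16) | ((uint32_t)(p)[3] << 24)))

/* Models the pre-fix macro whose result type was plain int: the 32-bit value
   is funnelled through an int before anything else sees it.  (Converting an
   out-of-range value to int32_t is implementation-defined, not undefined;
   on two's-complement targets it keeps the bit pattern.) */
static int32_t rl32_as_int(const uint8_t *p)
{
    return (int32_t)RL32(p);
}

/* An ASF-style timestamp field widened to int64_t each way.  With the top
   bit set, the int path sign-extends and yields a negative time. */
static int64_t ts_widened_from_int(const uint8_t *p)
{
    int32_t v = rl32_as_int(p);
    return v;                       /* sign-extends */
}

static int64_t ts_widened_from_uint(const uint8_t *p)
{
    return RL32(p);                 /* zero-extends */
}

/* Constructed sample: the field 0x80000000, a large but valid timestamp. */
static const uint8_t sample_ts[4] = { 0x00, 0x00, 0x00, 0x80 };

static int64_t demo_ts_int(void)  { return ts_widened_from_int(sample_ts); }
static int64_t demo_ts_uint(void) { return ts_widened_from_uint(sample_ts); }

/* Ordering check of the kind a demuxer applies to consecutive packets:
   1 if next does not go backwards relative to prev. */
static int ts_monotonic(int64_t prev, int64_t next)
{
    return next >= prev;
}
```

With the `int` result the stream's timestamps jump from just under 2^31 to a negative value once the top bit is set, so any "timestamp went backwards" logic or duration arithmetic downstream misbehaves; with the cast the same bytes widen to 2147483648 and ordering is preserved.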