Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit cacad1c058)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 20373a66ec)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.
Remove the check. Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53)
Conflicts:
libavutil/lzo.c
Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'.
Avoid a possible out-of-bounds pointer, which is undefined behavior
in C.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 8425d693ee)
When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.
(0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))
Avoid oversized shifting.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff3130)
Conflicts:
libavcodec/atrac3.c
The values compared here can be more than INT64_MAX apart. Since the
difference is always positive, converting to uint64_t before subtracting
gives the correct result without overflows.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 91ac403b13)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Indexing outside an array is invalid and causes errors with
gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0a07f2b346)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.
CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757)
(cherry picked from commit 88089eecfd)
(cherry picked from commit f42d03746a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/shorten.c
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d84)
(cherry picked from commit 21d568be17)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c
The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.
Avoid the possible problems described in CVE-2013-2277
Conflicts:
libavcodec/h264.c
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de16)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/xxan.c
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit ea1136baaf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c1f479e8df)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.
CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 60dd8b5733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.
CVE-2013-0894
CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494ddd377a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Related to CVE-2012-2882
(cherry picked from commit d894f74762)
Conflicts:
libavformat/oggdec.h
libavformat/oggparsevorbis.c
(cherry picked from commit b0240165d93d4a08d15d244953219a4d4e725d3f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes CVE-2012-2787
Note that in 0.7, there is only indeo 5, no indeo 4 decoder
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b146d74730)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2bc1e4fcb9)
Conflicts:
libavcodec/ivi_common.c
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2012-2800
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae55)
Conflicts:
libavcodec/ivi_common.c
This prevents decoding happening on a half initialized context.
Fixes CVE-2012-2779
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 891918431d)
Conflicts:
libavcodec/ivi_common.c
libavcodec/ivi_common.h
Fixes segfault in the fuzzed sample bipbop234.ts_s226407.
CC: libav-stable@libav.org
(cherry-picked from commit 6e5cdf2628)
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If we timed out and consumed a packet from the reordering queue,
but didn't return a packet to the caller, recheck the queue status.
Otherwise, we could end up in an infinite loop, trying to consume
a queued packet that has already been consumed.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8729698d50)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Sometimes the extradata has duplicate atoms, but that shouldn't prevent
decoding. Just ensure that it is at least 36 bytes as a sanity check.
CC: libav-stable@libav.org
(cherry picked from commit 68a04b0cce)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes infinite or long taking loop in frame num gap code in
the fuzzed sample bipbop234.ts_s223302.
CC: libav-stable@libav.org
(cherry picked from commit d7d6efe42b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumely broken SPS.
CC: libav-stable@libav.org
(cherry picked from commit 706acb558a)
Conflicts:
libavcodec/h264.c
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.
Fixes: CVE-2012-2783
(cherry picked from commit be75fed975)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.
(cherry picked from commit e6160bda98)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264.c
This fixes use of uninitialized values when the FLAC encoder uses the
2-level, 4-level, and 8-level search methods. Fixes failure of the
fate-flac-24-comp-8 test when run using valgrind.
(cherry picked from commit 3a2731cbd3)
Conflicts:
libavcodec/flacenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
