These warnings have no false positives and point to serious bugs.
(cherry picked from commit 99853cb8d4)
Conflicts:
configure
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.8:
update Changelog
fate: fetch samples that match the release series
dxva2: include dxva.h if found
iff: validate CMAP palette size
Changelog: document msrle bugfix
Changelog: cosmetics, remove trailing periods and sort
msrledec: check bounds before constructing a possibly invalid pointer,
Conflicts:
Changelog
configure
libavformat/iff.c
tests/Makefile
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '327ff82bac3081d918dceb4931c77e25d0a1480d':
msrle: convert MS RLE decoding function to bytestream2.
Update Changelog for the 0.8.6 Release
wmaprodec: require block_align to be set.
ivi_common: do not call MC for intra frames when dc_transform is unset
roqvideodec: fix a potential infinite loop in roqvideo_decode_frame().
Revert "libmp3lame: use the correct remaining buffer size when flushing"
lzo: fix overflow checking in copy_backptr()
flacdec: simplify bounds checking in flac_probe()
atrac3: avoid oversized shifting in decode_bytes()
avconv: skip attached files when selecting streams to read from.
lavf: fix arithmetic overflows in avformat_seek_file()
Conflicts:
Changelog
avconv.c
libavcodec/libmp3lame.c
libavcodec/msrledec.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f82e127dd9c7c0d54bf6400f83c7825e571f9a9e':
parser: fix large overreads
dsputil: fix invalid array indexing
shorten: use the unsigned type where needed
shorten: report meaningful errors
shorten: K&R formatting cosmetics
shorten: set invalid channels count to 0
matroskadec: request a read buffer for the wav header
h264: check for luma and chroma bit depth being equal
vc1: Move init code shared between decoder and parser to common code file.
libmp3lame: use the correct remaining buffer size when flushing
xxan: fix invalid memory access in xan_decode_frame_type0()
wmadec: require block_align to be set.
Conflicts:
libavcodec/h264.c
libavcodec/libmp3lame.c
libavcodec/shorten.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9b79a05289d91d1184455d12e6c4df457f0657c4':
wmaprodec: return an error, not 0, when the input is too small.
vmdaudio: fix invalid reads when packet size is not a multiple of chunk size
vorbisdec: Error on bark_map_size equal to 0.
configure: clean up Altivec detection
Update RELEASE file for 0.8.6
update year to 2013
oggdec: make sure the private parse data is cleaned up (cherry picked from commit d894f74762)
build: Fix CAF demuxer dependencies
doc: developer: Allow tabs in the vim configuration for Automake files
doc: filters: Correct BNF FILTER description
Conflicts:
RELEASE
cmdutils.c
libavcodec/vmdav.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '60a1ee6e419e244dc2363fdc4ddf8350d506f2ae':
doc: Fix some obsolete references to av* tools as ff* tools
Conflicts:
doc/indevs.texi
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes decoding with picky media players.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b448c0a68d)
Conflicts:
libavformat/movenc.c
Many players ignore broken aac frames, so don't abort mov or flv
muxing when encountering one, just print a warning instead.
Fixes ticket #2380.
(cherry picked from commit 1741fece70)
Conflicts:
libavformat/flvenc.c
The idea is to ensure that 'make fate' always fetches the fate samples
that work with this release.
(cherry picked from commit a89f68776b2771935a348ce07d0a094ae965acfc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Apparently, some build environments require dxva.h even for dxva2,
while others lack this header entirely. Including it conditionally
allows building in both cases.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fa84506177)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit cacad1c058)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 20373a66ec)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When there is just 1 byte remanining in the buffer, nothing will be read
and the loop will continue forever. Check that there are at least 8
bytes, which are always read at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit 3e2f200237)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 747fbe0c21)
Conflicts:
libavcodec/roqvideodec.c
The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.
Remove the check. Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53)
Conflicts:
libavutil/lzo.c
Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'.
Avoid a possible out-of-bounds pointer, which is undefined behavior
in C.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 8425d693ee)
When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.
(0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))
Avoid oversized shifting.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b)
Conflicts:
libavcodec/atrac3.c
The values compared here can be more than INT64_MAX apart. Since the
difference is always positive, converting to uint64_t before subtracting
gives the correct result without overflows.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 91ac403b1316d59b4f43c4ea0f237e24cec2819a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Indexing outside an array is invalid and causes errors with
gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0a07f2b346)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.
CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757)
(cherry picked from commit 88089eecfd)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)
(cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.
Avoid the possible problems described in CVE-2013-2277
This fixes standalone compilation of the VC-1 parser.
(cherry picked from commit 3c715383ea7012ac69507e6b9189c98675c77461)
Conflicts:
libavcodec/vc1data.h
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.
CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 60dd8b5733f9ec4919fbc732ace1be8184dde880)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.
CVE-2013-0894
CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 494ddd377ada76ed555f7a3f49391455daa099c9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c1f479e8df24284237c80ad959619fc85e29a26d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
There used to be one test for Altivec intrinsics support and a
separate test to determine which of two possible syntaxes to use
for vector literals. Since 2008, we only support the more common
of these so the split test no longer makes sense.
This combines the tests into one and also changes the hard error on
failure to a warning. The test can reasonably fail if no --cpu flag
is provided (or is provided with an unknown CPU) and the compiler
default target does not support Altivec. Aborting in this case is
probably over-reacting.
Fixes: #464, http://bugs.debian.org/701710
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 20bcce507a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
