Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.
This fixes crashes in error resilience on vc1/wmv3 videos.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c)
Conflicts:
libavcodec/h264.c
(cherry picked from commit e1608014c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The upcoming gcc 4.7 has more advanced constant propagation
resulting some inline asm operands becoming constants and thus
emitted as literals, sometimes in contexts where this results
in invalid instructions.
This patch changes the constraints of the relevant operands
to "rm" thus forcing a valid type. While obviously suboptimal,
this is what older gcc versions already did, and there is no
change to the code generated with these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit da4c7cce21)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes Libav Bug 195.
Fixes CVE-2012-0850
This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.
Based on change by Michael Niedermayer.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes a crash when FF_DEBUG_PICT_INFO is used.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957)
Fixes: CVE-2012-0851
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4713234518)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashes because the old check was incomplete.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fe4c8cb76)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
While bogus, this change avoids the necessity to backport
AVERROR_UNKNOWN, which is not entirely trivial.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The safe bitstream reader broke it since the buffer size was specified
in bytes instead of bits.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
CC: libav-stable@libav.org
(cherry picked from commit a1c036e961)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
We slightly overread the input buffer, so we require
padding at the end of the buffer, as is documented in the
get_bits API. Without padding, we'll read uninitialized
data or beyond the end of the .rodata, which may crash.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4ffe5e2aa5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This way, it protects against overreads for 4bpp/2bpp content also.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cc5dd632ce)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.
CC:libav-stable@libav.org
(cherry picked from commit 51ddf35c90)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
