Fixes invalid writes when there are more blocks in a run than total
remaining blocks.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d423dd72be)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 58dc526ebf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f249e98891)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 306ee95088)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 69a930b988)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 3f10a779b4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/mmvideo.c
(cherry picked from commit 03dba25a40)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 88626e5af8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 55788572ea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8f238dd9bd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/jvdec.c
(cherry picked from commit 50cb695bf1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/jvdec.c
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 64f7575fbd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 577f1feb3f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 931f5b2351)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 93f919d0b4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit 56ac2cbd04)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/apetag.c
Also fill in missing hash for AV_CPU_FLAG_CMOV addition in APIChanges.
(cherry picked from commit fe07c9c6b5)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/x86/dsputil_mmx.c
Previously, the value given to put_bits was 10 bits long for positive
predictors, even though 9 bits were to be written. The extra bit could
in some cases overwrite existing bits in the bitstream writer cache.
This fixes a failed assert in put_bits.h, when running a version
built with -DDEBUG.
The fate test result gets slightly improved, thanks to getting rid
of the overwritten bits in the bitstream writer cache.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa264da5bf)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
tests/ref/fate/acodec-adpcm-ima_qt
This fixes assert failures when running in debug mode.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2d7d91f06d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
It is possible in various error paths as well as gap handling
that this has already been allocated. It is not clear why that
would be a problem with the current code, thus disable the
assert to avoid a common assert failure when asserts are enabled.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5e997688f8)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The ParserContext class doesn't have an AVClass, required for
using it as a logging class.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6d65496990)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This assert is no longer true since h264 error concealment needs
last_picture_ptr to be set.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 91672504a4)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/mpegvideo.c
It seems the condition was flipped from what was intended.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2c340596ca)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This change avoids accessing the segment map of the previous frame if
segmentation is not enabled for the current frame. The caller of
decode_mb_mode() only calls ff_thread_await_progress() on the reference
segmentation index array if segmentation is enabled, so Chromium's TSAN
will report a race when accessing this data while segmentation is not
enabled.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 30011bf201)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Change the size specifiers to match the actual element sizes
of the data. This makes no practical difference with strict
alignment checking disabled (the default) other than somewhat
documenting the code. With strict alignment checking on, it
avoids trapping the unaligned loads.
Signed-off-by: Mans Rullgard <mans@mansr.com>
The vertically interpolating variants of these functions read
ahead one line to optimise the loop. On the last line processed,
this might be outside the buffer. Fix these invalid reads by
processing the last line outside the loop.
Signed-off-by: Mans Rullgard <mans@mansr.com>
Such changes are neither allowed nor supported
Found-by: ami_stuff
Bug-Id: CVE-2013-7020
CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da7d839a0d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/ffv1dec.c
Fixes a double release of the current frame on deinit.
Bug-Id: CVE-2011-3934
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Prevent out of array write.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
(cherry picked from commit addbaf1348)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 694b7cd873)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/mpegtsenc.c
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/svq1dec.c
0 means no data consumed, so it can trigger an infinite loop in the
caller.
CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/cdgraphics.c
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 744b406ff3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.
This fixes crashes with gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4bf2e7c5f1)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Fixes errors in slice based multithreading introduced in 0b300daad2.
CC: libav-stable@libav.org
(cherry picked from commit 5945c7b35d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 00915d3cd2)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
