Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
which contains more fixes but is unfinished
Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b5d112406)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes invalid writes when there are more blocks in a run than total
remaining blocks.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d423dd72be)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes invalid writes with very small image heights.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0b39ac6f54)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 88626e5af8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes possible invalid memory access.
Based on code by Michael Niedermayer <michaelni@gmx.at>
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8541
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 809c3023b6)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Without this ffversion.h could sometimes be built too late
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4ae87554f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This simplifies identifying from which revision a binary of a lib came from
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 649c158e8c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The error path frees all side data, but forgets to reset the side data
count. This can blow up later in av_frame_unref() and free_side_data().
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a400edbb6d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3686
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a29524bf2e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Suggested-by: Andrew Scherkus <scherkus@google.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ed86dbd05d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1257659
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b6f225374)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab68)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
It causes all kinds of problems and there is no code in the muxers that reads
this field
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 242f1152bf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket4151
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8524558858)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes ticket4152
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eac5c7b837)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3ea49fc5081d63277ecbc12ed440af4b02ddfdf9':
vc1: Do not assume seek happens after decoding
See: 6801eb0a09
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If a seek is requested before the decoding start there is no
current picture.
CC: libav-stable@libav.org
(cherry picked from commit 3e348ecfc6ab1830e43288a9e12e8f0a000afbcb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 8b0e96e1f2
These should be redundant, but are backported for saftey anyway
(cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 105654e376
These should be redundant, but are backported for saftey anyway
(cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8714f6f93)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aa8d12554)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f3b5b139ad)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: case2_bad_read_yuv2rgbx32.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3881606240)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes an issue where the tests directory is not created for out of tree
builds before its needed
Tested-by: Dave Yeo <daveryeo@telus.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e631872f13)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make use of the V4L2 VIDIOC_ENUM_FRAMESIZES ioctl on OpenBSD.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 04a4fb81b3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes Ticket4121
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b50e003e1c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1cc6fef0671c5522c952671ee06bf973135a22c4':
Prepare for 11.1 Release
Conflicts:
RELEASE
Not merged, as our release numbers differ
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '60ccc1a748bf3d26201411479146d0798e1ecff9':
Update changelog for v11.1
Conflicts:
Changelog
Not merged, the changelog does not match FFmpeg
Merged-by: Michael Niedermayer <michaelni@gmx.at>
