8c0c0e9 | Michael Niedermayer | 09 June 2012, 18:52:12 UTC | Update for 0.10.4 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:52:12 UTC |
997e769 | Michael Niedermayer | 06 June 2012, 17:26:21 UTC | mpegvideo: fix out of heap array accesses Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 317ca0d3f735fad354c404e8bbac3e1ce9f09b12) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:50:57 UTC |
944b6a8 | Michael Niedermayer | 03 June 2012, 15:40:30 UTC | mpc8: fix channel checks fix heap array overflow Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 44c10168cff41c200825448b77cb8feff0d316c9) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:50:14 UTC |
ddd9483 | Michael Niedermayer | 03 June 2012, 12:41:21 UTC | h263: disable loop filter with lowres Fixes ticket1212 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit cc229d4e83889d1298f1a0863b55feec6c5c339a) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:49:58 UTC |
9c13d23 | Michael Niedermayer | 02 June 2012, 02:06:16 UTC | bmv: fix apparent sign error in the frame_off check Fixes part of Ticket1373 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit debbcfae6010f027a0334d70d0dbb7ddd912ad5a) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:49:18 UTC |
c4926cb | Michael Niedermayer | 02 June 2012, 02:04:29 UTC | bmv: fix integer overflows in vlc decoder. Fixes part of Ticket1373 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Based-on-patch-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 679c578cb8e82df6fdee977e3137a26a680ad346) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:49:14 UTC |
321bbb6 | Michael Niedermayer | 01 June 2012, 19:42:29 UTC | wmv1: check that the input buffer is large enough Fixes null ptr deref Fixes Ticket1367 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:47:56 UTC |
81476cf | Michael Niedermayer | 01 June 2012, 13:52:20 UTC | yopdec: check frame oddness to be within supported limits Fixes Ticket1365 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:47:19 UTC |
3c69368 | Michael Niedermayer | 01 June 2012, 13:51:50 UTC | yopdec: check that palette fits in the packet Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:47:11 UTC |
fcf09eb | Michael Niedermayer | 31 May 2012, 23:33:00 UTC | 8svx: fix crash Fixes Ticket1377 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:46:55 UTC |
d6c7398 | Michael Niedermayer | 31 May 2012, 21:50:08 UTC | dv-demux: don't mess with codec values Fixes part of Ticket1369 Found-by: ami_stuff Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3c276ac0f8936745543d14674842647c502bdd2e) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:46:03 UTC |
aefa2bf | Paul B Mahol | 31 May 2012, 08:58:31 UTC | binkaudio: check number of channels Fixes #1380. Signed-off-by: Paul B Mahol <onemda@gmail.com> (cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:45:09 UTC |
ece27b0 | Michael Niedermayer | 31 May 2012, 03:01:28 UTC | indeo5: check quant_mat prevents out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:45:00 UTC |
479856a | Michael Niedermayer | 30 May 2012, 14:19:36 UTC | truemotion1: Check index, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:44:19 UTC |
fc0d962 | Paul B Mahol | 30 May 2012, 07:50:32 UTC | iff: check if there is extradata Fixes #1368. Signed-off-by: Paul B Mahol <onemda@gmail.com> (cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:41:15 UTC |
0452ebf | Michael Niedermayer | 29 May 2012, 17:50:15 UTC | ape: Fix null ptr dereference with files missing a seektable. Such files are currently not supported as the table is used at several points Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:40:50 UTC |
9e9e6bb | Michael Niedermayer | 29 May 2012, 17:16:22 UTC | 4xm: fix division by zero caused by bps<8 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:39:12 UTC |
3e4eea6 | Michael Niedermayer | 28 May 2012, 15:21:29 UTC | jvdec: check videosize Fixes null ptr dereference fixes Ticket1364 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit b4904e804d3b1c56ac4f5d3386b15daae98fca2d) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:38:29 UTC |
cc0fec8 | Michael Niedermayer | 28 May 2012, 15:17:49 UTC | motionpixels: check extradata size Fixes null ptr dereference Fixes Ticket1363 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 50122084a6b3be06781a2b3d8ec036f2d67c32e3) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:38:22 UTC |
fa67ad8 | Michael Niedermayer | 28 May 2012, 15:13:10 UTC | iff_ilbm: fix null ptr deref Fixes Ticket1362 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:38:14 UTC |
0adc452 | Michael Niedermayer | 28 May 2012, 15:08:06 UTC | yop: check for missing extradata Fixes null ptr deref Fixes Ticket1361 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 77a4c8b959fa9bc6bcaa42b40a0b046cdf3fec38) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:38:09 UTC |
7df0e30 | Michael Niedermayer | 28 May 2012, 15:04:38 UTC | xan: fix out of array read Fixes ticket1360 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:37:36 UTC |
a4b329d | Michael Niedermayer | 28 May 2012, 14:50:15 UTC | cdgraphics: Fix out of array write Fixes Ticket1359 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 18:37:27 UTC |
eefd6bb | Michael Niedermayer | 09 June 2012, 17:17:22 UTC | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: cmdutils: update copyright year to 2012. Conflicts: cmdutils.c Merged-by: Michael Niedermayer <michaelni@gmx.at> | 09 June 2012, 17:17:22 UTC |
ce39a84 | Ronald S. Bultje | 08 February 2012, 18:16:41 UTC | cmdutils: update copyright year to 2012. | 08 June 2012, 10:38:58 UTC |
514f3e7 | Michael Niedermayer | 04 June 2012, 11:40:13 UTC | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: Update Changelog for the 0.8.3 Release Prepare for 0.8.3 Release ea: check chunk_size for validity. png: check bit depth for PAL8/Y400A pixel formats. qdm2: clip array indices returned by qdm2_get_vlc(). tqi: Pass errors from the MB decoder h264: Add check for invalid chroma_format_idc h263dec: Disallow width/height changing with frame threads. Conflicts: Changelog RELEASE libavcodec/eatqi.c libavcodec/h264_ps.c libavcodec/pngdec.c Merged-by: Michael Niedermayer <michaelni@gmx.at> | 04 June 2012, 11:40:13 UTC |
4dfea3e | Reinhard Tartler | 29 May 2012, 20:59:43 UTC | Update Changelog for the 0.8.3 Release | 03 June 2012, 17:09:07 UTC |
f9ee7d1 | Reinhard Tartler | 29 May 2012, 20:56:46 UTC | Prepare for 0.8.3 Release | 03 June 2012, 17:05:29 UTC |
ec27262 | Ronald S. Bultje | 04 May 2012, 23:06:26 UTC | ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 03 June 2012, 17:05:29 UTC |
d34e9e6 | Ronald S. Bultje | 02 May 2012, 17:58:55 UTC | png: check bit depth for PAL8/Y400A pixel formats. Wrong bit depth can lead to invalid rowsize values, which crashes the decoder further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 03 June 2012, 17:04:51 UTC |
c38d3e1 | Ronald S. Bultje | 02 May 2012, 16:12:46 UTC | qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69) Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> Conflicts: libavcodec/qdm2.c | 02 June 2012, 23:17:53 UTC |
5872580 | Michael Niedermayer | 19 December 2011, 03:13:37 UTC | tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f) (cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 23 May 2012, 18:43:42 UTC |
4713234 | Alexander Strange | 24 March 2012, 21:32:14 UTC | h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 22 May 2012, 19:57:38 UTC |
5836110 | Michael Niedermayer | 17 February 2012, 21:35:10 UTC | h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 22 May 2012, 19:51:58 UTC |
3fab87e | Michael Niedermayer | 11 February 2012, 19:14:33 UTC | threads: Perform the generic progress cleanup more carefully. The cleanup is only done now when: a picture is returned (assuming that it has to be done when it's returned); an error is returned (assuming that there will be no further progress on the frame); the codec is not h264 (this is still needed due to some deadlocks in realvideo). This fixes a decoding regression with 00017.MTS Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 18a7f7465e7e6b9c3688ffc23230ae7a0639a771) | 13 May 2012, 12:09:29 UTC |
b1f9ff4 | Michael Niedermayer | 05 May 2012, 23:35:56 UTC | update for ffmpeg 0.10.3 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 05 May 2012, 23:42:01 UTC |
96acb0a | Michael Niedermayer | 31 March 2012, 19:42:50 UTC | indeo4: check that num_mbs matches Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit d3db8988d5befd8702a748cf1957415677bfe75c) | 05 May 2012, 23:42:01 UTC |
df93682 | Michael Niedermayer | 17 March 2012, 19:45:45 UTC | dsp: fix diff_bytes_mmx() with small width Fixes Ticket1068 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e) | 05 May 2012, 23:42:01 UTC |
22285ab | Michael Niedermayer | 05 May 2012, 23:31:25 UTC | Changelog: update Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 05 May 2012, 23:42:01 UTC |
097ad61 | Michael Niedermayer | 22 March 2012, 23:49:00 UTC | mmdemux: don't set pkt->size to an invalid value. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0c97fd336e17535239ab44d755a0d957dc2688f3) | 05 May 2012, 22:59:45 UTC |
c785a70 | Michael Niedermayer | 02 March 2012, 14:58:14 UTC | h261: check mtype. Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585) | 05 May 2012, 22:57:10 UTC |
6736de0 | Michael Niedermayer | 24 March 2012, 13:25:52 UTC | mpegvideo: increase buffer sizes. Fixes buffer overflow Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 2c0559d5e2faeafa7998173a4dc430408475503f) | 05 May 2012, 22:55:36 UTC |
fe8508b | Michael Niedermayer | 23 March 2012, 00:09:04 UTC | mov: fix global unicode conversion array overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 437f5daf0bf727a53ea4b485a30f1289f44bf252) | 05 May 2012, 22:55:06 UTC |
0d40fba | Michael Niedermayer | 22 April 2012, 14:41:21 UTC | iff: fix null ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 41abc9da50ba7a7b68bbbf6622475ce7a3c72e3f) | 05 May 2012, 22:54:40 UTC |
a484694 | Michael Niedermayer | 21 April 2012, 17:41:54 UTC | xmvdemux: don't let current_stream become invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 13381577d181fa732d6d2fa0491fa2ff50186546) | 05 May 2012, 22:53:02 UTC |
bf2534a | Michael Niedermayer | 17 April 2012, 15:42:09 UTC | avidec: Don't crash on avi packets that belong to dv streams in dv in avi Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 096231d497457be9496b0be01ff6da2093186c3c) | 05 May 2012, 22:50:25 UTC |
1ca4e70 | Michael Niedermayer | 21 April 2012, 17:28:35 UTC | cook: check subpacket count Fixes out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5a35bd92ad6b535fd5d3a7513169661de66ec247) | 05 May 2012, 22:47:44 UTC |
25a2802 | Michael Niedermayer | 16 April 2012, 12:30:33 UTC | 4xmdemux: Check chunk size Fixes over reading the header array Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 474e31c904f766b6989fe614c3fb093e697c847f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 05 May 2012, 22:45:04 UTC |
581a830 | Michael Niedermayer | 05 May 2012, 19:18:48 UTC | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: Update Changelog for the 0.8.2 Release Prepare for 0.8.2 Release vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. jpeg: handle progressive in second field of interlaced. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. tta: prevents overflows for 32bit integers in header. ttadec: CRC checking tta: use skip_bits_long() Conflicts: Changelog RELEASE libavcodec/h264.c libavcodec/tta.c Merged-by: Michael Niedermayer <michaelni@gmx.at> | 05 May 2012, 22:25:39 UTC |
43e5fda | Reinhard Tartler | 04 May 2012, 20:59:01 UTC | Update Changelog for the 0.8.2 Release | 04 May 2012, 20:59:01 UTC |
a638e10 | Reinhard Tartler | 04 May 2012, 20:40:37 UTC | Prepare for 0.8.2 Release | 04 May 2012, 20:40:37 UTC |
d5207e2 | Mans Rullgard | 23 April 2012, 12:16:33 UTC | vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 20:14:26 UTC |
9ea94c4 | Alex Converse | 04 May 2012, 17:27:03 UTC | celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 20:09:27 UTC |
aaa6a66 | Alex Converse | 02 May 2012, 19:08:03 UTC | motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 20:09:27 UTC |
7240cc3 | Ronald S. Bultje | 14 March 2012, 00:18:41 UTC | jpeg: handle progressive in second field of interlaced. Progressive data is allocated later in decode_sof(), not allocating that data leads to NULL dereferences. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 20:09:27 UTC |
7fe4c8c | Ronald S. Bultje | 29 March 2012, 19:24:10 UTC | h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 20:09:27 UTC |
746f159 | Ronald S. Bultje | 29 March 2012, 23:37:09 UTC | h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 20:09:27 UTC |
0e4bb05 | Ronald S. Bultje | 29 March 2012, 19:44:55 UTC | tta: prevents overflows for 32bit integers in header. This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 19:28:45 UTC |
994c0ef | Paul B Mahol | 11 February 2012, 21:30:30 UTC | ttadec: CRC checking Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 19:28:35 UTC |
cf5e119 | Paul B Mahol | 05 February 2012, 19:39:13 UTC | tta: use skip_bits_long() Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 04 May 2012, 19:28:28 UTC |
1ee1e9e | Michael Niedermayer | 22 March 2012, 22:43:37 UTC | vqavideodev: Check image dimensions Fixes out of heap array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d) Independently-Found-by: Fabian Yamaguchi Fixes: CVE-2012-0947 Conflicts: libavcodec/vqavideo.c | 02 May 2012, 22:22:32 UTC |
15e9aee | Michael Niedermayer | 02 May 2012, 20:49:14 UTC | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: (24 commits) apedec: check bits <= 32. truemotion: forbid invalid VLC bitsizes and token values. mov: don't overwrite existing indexes. truemotion2: handle out-of-frame motion vectors through edge extension. lzw: prevent buffer overreads. truemotion2: convert packet header reading to bytestream2. lagarith: fix buffer overreads. raw: forward avpicture_fill() error code in raw_decode(). vc1: Do not read from array if index is invalid. utvideo: port header reading to bytestream2. bytestream: add more unchecked variants for bytestream2 API bytestream: K&R formatting cosmetics bytestream: Add bytestream2 writing API. aac: Reset PS parameters on header decode failure. mov: Do not read past the end of the ctts_data table. xwma: Validate channels and bits_per_coded_sample. asf: reset side data elements on packet copy. vqa: check palette chunk size before reading data. vqavideo: port to bytestream2 API wmavoice: fix stack overread. ... Conflicts: cmdutils.c cmdutils.h libavcodec/lagarith.c libavcodec/truemotion2.c libavcodec/vqavideo.c Merged-by: Michael Niedermayer <michaelni@gmx.at> | 02 May 2012, 22:20:54 UTC |
e8050f3 | Michael Niedermayer | 29 March 2012, 17:52:21 UTC | apedec: check bits <= 32. Fixes a floating-point exception further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> (cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
be424d8 | Ronald S. Bultje | 29 March 2012, 17:25:04 UTC | truemotion: forbid invalid VLC bitsizes and token values. SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid values larger than this in get_vlc2() (max_bits). tokens[][] can be used as an index in deltas[], which has a size of 64, so ensure the values are smaller than that. This prevents crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
a08cb95 | Ronald S. Bultje | 28 March 2012, 19:56:07 UTC | mov: don't overwrite existing indexes. Prevents all kinds of badness if files contain multiple indexes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
46f8bbf | Ronald S. Bultje | 29 March 2012, 16:29:03 UTC | truemotion2: handle out-of-frame motion vectors through edge extension. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
562c6a7 | Ronald S. Bultje | 29 March 2012, 00:06:00 UTC | lzw: prevent buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
e711cce | Ronald S. Bultje | 28 March 2012, 18:53:13 UTC | truemotion2: convert packet header reading to bytestream2. Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
d6372e8 | Ronald S. Bultje | 27 March 2012, 19:26:46 UTC | lagarith: fix buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:03 UTC |
29d91e9 | Ronald S. Bultje | 27 March 2012, 01:02:08 UTC | raw: forward avpicture_fill() error code in raw_decode(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
583f57f | Mashiat Sarker Shakkhar | 24 March 2012, 22:49:34 UTC | vc1: Do not read from array if index is invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
f8f6c14 | Ronald S. Bultje | 23 March 2012, 00:25:22 UTC | utvideo: port header reading to bytestream2. Fixes crash during slice size reading if slice_end goes negative. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
9e24f2a | Paul B Mahol | 13 March 2012, 14:14:59 UTC | bytestream: add more unchecked variants for bytestream2 API Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
e788c6e | Aneesh Dogra | 08 February 2012, 18:07:20 UTC | bytestream: K&R formatting cosmetics Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
2e681cf | Aneesh Dogra | 06 February 2012, 20:09:22 UTC | bytestream: Add bytestream2 writing API. Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
9ddd3ab | Alex Converse | 21 March 2012, 17:11:02 UTC | aac: Reset PS parameters on header decode failure. If the next header frame codes zero envelopes the previous frame's values will be used. Consequently the invalid values must be cleared. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
86bd024 | Alex Converse | 21 March 2012, 18:24:10 UTC | mov: Do not read past the end of the ctts_data table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
15de658 | Alex Converse | 21 March 2012, 17:58:07 UTC | xwma: Validate channels and bits_per_coded_sample. This prevents a SIGFPE later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
19d3f7d | Ronald S. Bultje | 21 March 2012, 23:10:37 UTC | asf: reset side data elements on packet copy. Prevents crash (double free) when free()ing the original packet. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:02 UTC |
c21b858 | Ronald S. Bultje | 21 March 2012, 22:19:31 UTC | vqa: check palette chunk size before reading data. Prevents overreads beyond buffer boundaries. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
0b9bb58 | Paul B Mahol | 16 March 2012, 00:56:41 UTC | vqavideo: port to bytestream2 API Protects against overreads. Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
105601c | Ronald S. Bultje | 21 March 2012, 22:47:11 UTC | wmavoice: fix stack overread. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
3a4949a | Ronald S. Bultje | 21 March 2012, 17:39:10 UTC | indeo4: fix out-of-bounds function call. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com> (cherry picked from commit 68fd077f68bdde864bb7328d72a040849c616261) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
ec554ee | Reinhard Tartler | 18 March 2012, 08:26:32 UTC | Read preset files with suffix .avpreset The preset files have been renamed some time ago. CC: libav-stable@libav.org (cherry picked from commit 050dc127787e91d8ee4b341046c74fe6e74e3285) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
bf3998d | Ronald S. Bultje | 16 March 2012, 21:04:00 UTC | mimic: don't use self as reference, and report completion at end of decode(). Fixes hangs on corrupt samples that reference self-frames. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 80387f0e2568746dce4a68e2217297029a053dae) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
87208b8 | Ronald S. Bultje | 16 March 2012, 21:16:56 UTC | mpeg4: report frame decoding completion at ff_MPV_frame_end(). Prevents hangs on corrupt input. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2) Conflicts: libavcodec/mpegvideo.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 29 April 2012, 20:07:01 UTC |
265a628 | Ronald S. Bultje | 17 March 2012, 05:41:17 UTC | h264: use struct offsets in get_cabac_bypass_sign_x86(). (cherry picked from commit db025929f202bc32459a1278ee06920a06564762) | 21 April 2012, 19:41:30 UTC |
a854d00 | ami_stuff | 22 March 2012, 18:28:52 UTC | Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent. Fixes an AAC decoding issue with the sample from ticket #213 on machines with SSE but without SSE2. Based on 89411a by Reimar. (cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928) | 04 April 2012, 07:16:49 UTC |
d076d0f | Stefano Sabatini | 28 March 2012, 22:17:23 UTC | lavfi/fade: fix black level for non studio-level pixel formats Fix trac ticket #1139, regression introduced in 8c1fb50d077d5f954. (cherry picked from commit 95ce0ddcfe99182365e0e57f5f41d7f1a01c57eb) | 04 April 2012, 07:04:15 UTC |
a56eaa0 | Michael Niedermayer | 04 April 2012, 02:19:43 UTC | mpeg4: don't reset picture_num for xvid Fixes Ticket1162 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit a4e359a3f98650dab3d2e93f067658e20fa9c0d7) | 04 April 2012, 06:38:18 UTC |
fdc6f65 | Michael Niedermayer | 04 April 2012, 01:43:23 UTC | h264: fix seeking in low delay streams without IDR Fixes Ticket1165 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3360b8517a1f478c4102072e5eadd8ba78be0538) | 04 April 2012, 06:38:06 UTC |
976d173 | Michael Niedermayer | 01 April 2012, 22:52:23 UTC | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10 * qatar/release/0.8: id3v2: fix skipping extended header in id3v2.4 Conflicts: libavformat/id3v2.c Merged-by: Michael Niedermayer <michaelni@gmx.at> | 01 April 2012, 22:52:23 UTC |
989431c | Anton Khirnov | 31 March 2012, 05:52:42 UTC | id3v2: fix skipping extended header in id3v2.4 In v2.4, the length includes the length field itself. (cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 01 April 2012, 17:30:21 UTC |
f9bdc93 | Franz Brauße | 30 March 2012, 18:40:14 UTC | smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d) | 01 April 2012, 11:57:49 UTC |
e687d77 | Tomas Härdin | 20 March 2012, 10:03:48 UTC | mxfdec: Only parse next partition pack if parsing forward This fixes ticket #1099. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 393b81f0934866bd7fff0a2b113623dd9ee6808f) | 21 March 2012, 12:25:59 UTC |
abfafb6 | Michael Niedermayer | 20 March 2012, 19:39:32 UTC | pngenc: Fix incorrect mask used for interlaced mode. Fixes Ticket1109 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461) | 21 March 2012, 09:50:58 UTC |
f139838 | Michael Niedermayer | 17 March 2012, 08:14:13 UTC | Update for 0.10.2 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 17 March 2012, 08:14:13 UTC |
0a224ab | Kelly Anderson | 17 March 2012, 07:56:59 UTC | libx264: fix duplicate stats entry Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 17 March 2012, 07:56:59 UTC |
d39b183 | Michael Niedermayer | 17 March 2012, 00:37:34 UTC | Update for 0.10.1 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 17 March 2012, 00:41:41 UTC |
dc80541 | Stefano Sabatini | 08 March 2012, 15:18:03 UTC | lavfi: port MP swapuv filter (cherry picked from commit fa35d880aab1d3ef2b828cae640e43d370e8f0c2) Conflicts: Changelog libavfilter/version.h Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 16 March 2012, 23:36:18 UTC |