https://github.com/eVRydayVR/ffmpeg-unwarpvr

Revision Author Date Message Commit Date
3be6a8e update for 0.7.15 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 21 February 2013, 02:28:32 UTC
a92cdd8 Merge branch 'release/0.8' into release/0.7 * release/0.8: cook: check js_subband_start for validity avcodec_align_dimensions2: Ensure cinepak has large enough buffers. Update for 0.8.14 qdm2: increase noise_table size wma: check byte_offset_bits tiff: check bppcount vqavideo: fix return type Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at> 21 February 2013, 02:28:00 UTC
dfeef3a cook: check js_subband_start for validity Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit c69315a5deb0f8095e6b4746b69171d6f3059b2f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 21 February 2013, 01:00:40 UTC
2b6f3be avcodec_align_dimensions2: Ensure cinepak has large enough buffers. This is partly redundant with the following patches, but it's safer Found-by: u-bo1b@0w.se Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f5c00b347dc76285c639d9878a014c40395c5228) Conflicts: libavcodec/utils.c Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 20 February 2013, 03:33:01 UTC
0a57df3 Update for 0.8.14 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 20 February 2013, 00:26:33 UTC
17966ae qdm2: increase noise_table size This prevents out of array reads. An alternative solution would be to check the index but this would require several checks in the inner loops Yet another alternative would be to change the index reset logic but this likely would introduce a difference to the binary decoder Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 8c4aebb58d00fd613f3f684bf0f869966149ae78) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 20 February 2013, 00:23:54 UTC
5af2fd3 wma: check byte_offset_bits Fixes assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 984add64a41c3296a8a82051cc90bff2eb449609) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 20 February 2013, 00:23:54 UTC
8aedb75 tiff: check bppcount Fixes division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit a34418c28e0accd1468ca15fff4d4f138a609f4e) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 20 February 2013, 00:23:54 UTC
1fd86f9 vqavideo: fix return type Fixes Ticket2281 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 20 February 2013, 00:23:54 UTC
f86da59 update for 0.7.14 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 18 February 2013, 00:12:02 UTC
7378101 Merge branch 'release/0.8' into release/0.7 * release/0.8: (92 commits) Update for 0.8.13 pngdec/filter: dont access out of array elements at the end aacdec: check channel count vqavideo: check chunk sizes before reading chunks eamad: fix out of array accesses roqvideodec: check dimensions validity qdm2: check array index before use, fix out of array accesses alsdec: check block length huffyuvdec: Skip len==0 cases huffyuvdec: Check init_vlc() return codes. Update changelog for 0.7.7 release mpeg12: do not decode extradata more than once. indeo4/5: check empty tile size in decode_mb_info(). dfa: improve boundary checks in decode_dds1() indeo5dec: Make sure we have had a valid gop header. rv34: error out on size changes with frame threading rtmp: fix buffer overflows in ff_amf_tag_contents() rtmp: fix multiple broken overflow checks Revert "h264: allow cropping to AVCodecContext.width/height" h264: check ref_count validity for num_ref_idx_active_override_flag ... Conflicts: Doxyfile RELEASE VERSION libavcodec/rv34.c Merged-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 23:56:01 UTC
377fabc Update for 0.8.13 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:41:01 UTC
41eda87 pngdec/filter: dont access out of array elements at the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:23:05 UTC
e6ac11e aacdec: check channel count Prevent out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:22:44 UTC
2cac350 vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:22:42 UTC
af343f5 eamad: fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:22:21 UTC
391e0fc roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:22:18 UTC
caeca53 qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:22:13 UTC
7609291 alsdec: check block length Fix writing over the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 17 February 2013, 22:22:12 UTC
acada70 Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: Update changelog for 0.7.7 release mpeg12: do not decode extradata more than once. indeo4/5: check empty tile size in decode_mb_info(). dfa: improve boundary checks in decode_dds1() indeo5dec: Make sure we have had a valid gop header. rv34: error out on size changes with frame threading Conflicts: Changelog Merged-by: Michael Niedermayer <michaelni@gmx.at> 14 February 2013, 13:12:14 UTC
4f91c45 huffyuvdec: Skip len==0 cases Fixes vlc decoding for hypothetical files that would contain such cases. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 14 February 2013, 13:11:58 UTC
e4831bb huffyuvdec: Check init_vlc() return codes. Prevents out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f67a0d115254461649470452058fa3c28c0df294) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88) Conflicts: libavcodec/huffyuv.c (cherry picked from commit adf022f458d75e2c8041262e1906a249366ad518) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 14 February 2013, 13:11:58 UTC
db5b454 Update changelog for 0.7.7 release 02 February 2013, 08:59:21 UTC
3017617 mpeg12: do not decode extradata more than once. Fixes CVE-2012-2803. (cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2) Conflicts: libavcodec/mpeg12.c libavcodec/mpeg12.h 02 February 2013, 08:54:16 UTC
440e985 indeo4/5: check empty tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Based on a patch by Michael Niedermayer <michaelni@gmx.at> Fixes CVE-2012-2800 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1) Conflicts: libavcodec/ivi_common.c 02 February 2013, 08:54:16 UTC
604d72a dfa: improve boundary checks in decode_dds1() Fixes CVE-2012-2798 CC:libav-stable@libav.org (cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6) Conflicts: libavcodec/dfa.c 02 February 2013, 08:54:16 UTC
03ddc26 indeo5dec: Make sure we have had a valid gop header. This prevents decoding happening on a half initialized context. Fixes CVE-2012-2779 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 891918431db628db17885ed947ee387b29826a64) Conflicts: libavcodec/ivi_common.c libavcodec/ivi_common.h 01 February 2013, 05:46:04 UTC
801eff7 rv34: error out on size changes with frame threading (cherry picked from commit cb7190cd2c691fd93e4d3664f3fce6c19ee001dd) Fixes: CVE-2012-2772 (according to Ubuntu) 01 February 2013, 05:46:04 UTC
b59ee5d rtmp: fix buffer overflows in ff_amf_tag_contents() A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 23 January 2013, 04:55:20 UTC
e163d88 rtmp: fix multiple broken overflow checks Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> 23 January 2013, 04:55:19 UTC
56cc629 Revert "h264: allow cropping to AVCodecContext.width/height" This reverts commit a2ae183a382f063c5403922b5151d865ce7252a2. This removes a duplicate hunk Found-by: Joakim Plate <elupus@ecce.se> 19 January 2013, 12:34:41 UTC
685321e Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: h264: check ref_count validity for num_ref_idx_active_override_flag h264: check context state before decoding slice data partitions oggdec: free the ogg streams on read_header failure oggdec: check memory allocation Fix uninitialized reads on malformed ogg files. rtsp: Recheck the reordering queue if getting a new packet alacdec: do not be too strict about the extradata size h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles h264: check sps.log2_max_frame_num for validity ppc: always use pic for shared libraries h264: enable low delay only if no delayed frames were seen lavf: avoid integer overflow in ff_compute_frame_duration() Conflicts: libavformat/oggdec.c Merged-by: Michael Niedermayer <michaelni@gmx.at> 17 January 2013, 02:16:46 UTC
3f1a58d Merge commit 'b143844ea0f6246e0d5a938d743e2e8a98453bec' into release/0.8 * commit 'b143844ea0f6246e0d5a938d743e2e8a98453bec': (22 commits) aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN. vp6: properly fail on unsupported feature h264: Fix parameters to ff_er_add_slice() call flacenc: ensure the order is within the min/max range in LPC order search yuv4mpeg: reject unsupported codecs vp8: reset loopfilter delta values at keyframes. vp56: release frames on error vp56: make parse_header return standard error codes ivi_common: check that scan pattern is set before using it. Update RELEASE file for 0.7.7 tiffenc: Check av_malloc() results. mpegaudiodec: fix short_start calculation h264: avoid stuck buffer pointer in decode_nal_units yuv4mpeg: return proper error codes. smacker audio: sign-extend the initial 16-bit predicted value vf_pad: don't give up its own reference to the output buffer. avidec: return 0, not packet size from read_packet(). wmapro: prevent division by zero when sample rate is unspecified alsdec: fix number of decoded samples in first sub-block in BGMC mode. alsdec: remove dead assignments ... Conflicts: RELEASE libavformat/avidec.c libavformat/yuv4mpeg.c Merged-by: Michael Niedermayer <michaelni@gmx.at> 17 January 2013, 02:03:39 UTC
597d709 Merge commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb' into release/0.8 * commit 'aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb': (22 commits) alsdec: Check k used for rice decoder. cavsdec: check for changing w/h. avidec: use actually read size instead of requested size wmaprodec: check num_vec_coeffs for validity lagarith: check count before writing zeros. indeo5: check tile size in decode_mb_info(). indeo5: prevent null pointer dereference on broken files indeo: check for invalid motion vectors indeo: clear allocated band buffers indeo: check custom Huffman tables for errors dfa: add some checks to ensure that decoder won't write past frame end dfa: check that the caller set width/height properly. bytestream: add a new set of bytestream functions with overread checking avsdec: Set dimensions instead of relying on the demuxer. lavfi: avfilter_merge_formats: handle case where inputs are same rv34: use AVERROR return values in ff_rv34_decode_frame() h263: Add ff_ prefix to nonstatic symbols eval: fix swapping of lt() and lte() bmpdec: only initialize palette for pal8. vc1dec: add flush function for WMV9 and VC-1 decoders ... Conflicts: libavcodec/avs.c libavcodec/mpegvideo_enc.c Merged-by: Michael Niedermayer <michaelni@gmx.at> 17 January 2013, 01:56:12 UTC
dd0c5e0 h264: check ref_count validity for num_ref_idx_active_override_flag Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org (cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8) Signed-off-by: Janne Grunau <janne-libav@jannau.net> 12 January 2013, 18:36:38 UTC
ad02537 h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:36:38 UTC
3bc9cfe oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c Conflicts: libavformat/oggdec.c 12 January 2013, 18:36:27 UTC
910c1f2 oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c 12 January 2013, 18:34:40 UTC
5506531 Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:34:40 UTC
8081879 rtsp: Recheck the reordering queue if getting a new packet If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:34:40 UTC
a39c6bf alacdec: do not be too strict about the extradata size Sometimes the extradata has duplicate atoms, but that shouldn't prevent decoding. Just ensure that it is at least 36 bytes as a sanity check. CC: libav-stable@libav.org (cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:34:10 UTC
884a9b0 h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles Fixes bug 396. CC: libav-stable@libav.org (cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:34:10 UTC
4457e61 h264: check sps.log2_max_frame_num for validity Fixes infinite or long taking loop in frame num gap code in the fuzzed sample bipbop234.ts_s223302. CC: libav-stable@libav.org (cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:34:10 UTC
08d9fd6 ppc: always use pic for shared libraries CC: libav-stable@libav.org (cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996) Conflicts: configure 12 January 2013, 18:33:10 UTC
5fa739e h264: enable low delay only if no delayed frames were seen Dropping frames is undesirable but that is the only way by which the decoder could return to low delay mode. Instead emit a warning and continue with delayed frames. Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger than expected has_b_frames value. Low delay keeps getting re-enabled from a presumably broken SPS. CC: libav-stable@libav.org (cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24) Conflicts: libavcodec/h264.c 12 January 2013, 18:32:24 UTC
10ff052 lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:27:42 UTC
b143844 aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN. Found-by: pawlkt CC: libav-stable@libav.org Fixes: CVE-2012-5144 (cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:27:42 UTC
4ede95e vp6: properly fail on unsupported feature Interlacing is not supported at all and mismanaged down the normal codepaths causing possible buffer management issues. Fixes: CVE-2012-2783 (cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:27:29 UTC
ce8910d h264: Fix parameters to ff_er_add_slice() call s->mb_x is reset to zero a couple of lines above. It does not make sense to call ff_er_add_slice() with 0 as endx when the end of the macroblock row was reached. Fixes unnecessary and counterproductive error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394. (cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/h264.c 12 January 2013, 18:22:22 UTC
3d0c9c9 flacenc: ensure the order is within the min/max range in LPC order search This fixes use of uninitialized values when the FLAC encoder uses the 2-level, 4-level, and 8-level search methods. Fixes failure of the fate-flac-24-comp-8 test when run using valgrind. (cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032) Conflicts: libavcodec/flacenc.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:20:27 UTC
f3f22f1 yuv4mpeg: reject unsupported codecs The muxer already rejects unsupported pixel formats, reject also unsupported codecs to prevent dangerous misuses. (cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db) Conflicts: libavformat/yuv4mpeg.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:20:27 UTC
bfbff1c vp8: reset loopfilter delta values at keyframes. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:20:27 UTC
7fd7950 vp56: release frames on error Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:20:27 UTC
700fb8c vp56: make parse_header return standard error codes Returning 0 for failure is misleading. CC: libav-stable@libav.org (cherry picked from commit bb675d3ac6d722d5e117ae9042a996b55ca05b1d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:20:27 UTC
9f80712 ivi_common: check that scan pattern is set before using it. Fixes CVE-2012-2791. CC: libav-stable@libav.org (cherry picked from commit deabb52ab4c1fdb3dd319f3980b1489a182011f1) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 12 January 2013, 18:20:27 UTC
da5f4e4 tiffdec: Use the correct height field. Fixes Ticket913 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 4784a135b2b0fe4d1b4c6256bd37265fc45aed3d) Conflicts: libavcodec/tiff.c (cherry picked from commit fe0e64ca6431c2f606bc702c1a4e230f22531a4f) 06 January 2013, 23:45:02 UTC
fe9cbf5 tiffdec: Use the correct height field. Fixes Ticket913 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 4784a135b2b0fe4d1b4c6256bd37265fc45aed3d) Conflicts: libavcodec/tiff.c (cherry picked from commit fe0e64ca6431c2f606bc702c1a4e230f22531a4f) 06 January 2013, 23:43:03 UTC
642d758 Update RELEASE file for 0.7.7 04 January 2013, 06:43:39 UTC
549b808 tiffenc: Check av_malloc() results. (cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6) Conflicts: libavcodec/tiffenc.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
aa45b90 alsdec: Check k used for rice decoder. Values that fail this check will cause failure of decode_rice() Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
ec6719f mpegaudiodec: fix short_start calculation The value should be always 3, as it follows from the specification. Fix a stack buffer overflow in exponents_from_scale_factors as reported by asan. Thanks to Dale Curtis for the sample vector. (cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
11ecd85 h264: avoid stuck buffer pointer in decode_nal_units When decode_nal_units() previously encountered a NAL_END_SEQUENCE, and there are some junk bytes left in the input buffer, but no start codes, buf_index gets stuck 3 bytes before the end of the buffer. This can trigger an infinite loop in the caller code, eg. in try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes, with 3 bytes of the input packet still available. With this change, the remaining bytes are skipped so the whole packet gets consumed. CC:libav-stable@libav.org Signed-off-by: Jindřich Makovička <makovick@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2) Conflicts: libavcodec/h264.c 04 January 2013, 06:43:38 UTC
5754176 yuv4mpeg: return proper error codes. Fixes Bug 373. CC:libav-stable@libav.org (cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
fb3189c smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:38 UTC
8168a7c vf_pad: don't give up its own reference to the output buffer. Conflicts: libavfilter/vf_pad.c Fixes Bug 245 Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:38 UTC
562d6fd avidec: return 0, not packet size from read_packet(). (cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:38 UTC
dd14723 wmapro: prevent division by zero when sample rate is unspecified This fixes Bugzilla #327: Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com> (cherry picked from commit 3680b2435101a5de56821718a71c828320d535a0) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:38 UTC
9474c93 alsdec: fix number of decoded samples in first sub-block in BGMC mode. Fixes CVE-2012-2790 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
7e070cf alsdec: remove dead assignments Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 4ca6d206d1b5beea42c4290d2ee801aaf5cd31f0) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
1b48a42 alsdec: Fix out of ltp_gain_values read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
e3e369f alsdec: Check that quantized parcor coeffs are within range. ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients ... In all cases the resulting quantized values ak are restricted to the range [-64,63]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:38 UTC
6996a2f cavsdec: check for changing w/h. Our decoder does not support changing w/h. Fixes CVE-2012-2777 and CVE-2012-2784. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
05f5a2e avidec: use actually read size instead of requested size Fixes CVE-2012-2788 (cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
4a636a5 wmaprodec: check num_vec_coeffs for validity Fixes CVE-2012-2789 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 99f392a584dd10b553facc8e819f2c7e982e176d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
44da556 lagarith: check count before writing zeros. Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
aa097b4 indeo5: check tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Fixes CVE-2012-2794 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
8148833 indeo5: prevent null pointer dereference on broken files Found by John Villamil <johnv@matasano.com> (cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
3c0f844 indeo: check for invalid motion vectors (cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
601fa56 indeo: clear allocated band buffers (cherry picked from commit 23ba1503f2b11057c65052b4a07961236d8d69c7) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
c0df6a2 indeo: check custom Huffman tables for errors (cherry picked from commit fe7a37c36febd71576cbefc385d995a8d6e444e7) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
2d63f9b dfa: add some checks to ensure that decoder won't write past frame end (cherry picked from commit 8099187e897ddc90cb3902332c76fb2542dac308) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
4c849c6 dfa: check that the caller set width/height properly. Fixes CVE-2012-2786. (cherry picked from commit ee715f49a06bf3898246d01b056284a9bb1bcbb9) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
42c3a37 bytestream: add a new set of bytestream functions with overread checking Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> 04 January 2013, 06:43:37 UTC
7a0ff75 avsdec: Set dimensions instead of relying on the demuxer. The decode function assumes that the video will have those dimensions. Fixes CVE-2012-2801 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:37 UTC
10c244c lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> 04 January 2013, 06:43:21 UTC
99008ba rv34: use AVERROR return values in ff_rv34_decode_frame() Also adds an error message. (cherry picked from commit 29330721b0e8514f9f8b4d54be75a662a2b79e44) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:21 UTC
a81c1ea h263: Add ff_ prefix to nonstatic symbols Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit ddce8953a5056800ec795df2dfd84fc17a11b5fc) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:21 UTC
0892a63 eval: fix swapping of lt() and lte() CC: libav-stable@libav.org (cherry picked from commit caac3ab6efde4fc9769e8a7472269356f262970a) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:21 UTC
d3e2f35 bmpdec: only initialize palette for pal8. Gray8 is not considered to be paletted, so this would cause an invalid write. Fixes bug 367. CC: libav-stable@libav.org (cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:21 UTC
e39fc13 vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov <anton@khirnov.net> 04 January 2013, 06:43:20 UTC
a2ae183 h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c 04 January 2013, 06:43:20 UTC
2094078 lavc/ass_split: check for NULL pointer in ff_ass_split_override_codes(). This is consistent with the other ff_ass_split_* functions. It also fixes a crash when trying to split a dialog with text=NULL (which seems to happen when the text of the dialog is empty); basically, this commit fixes crashes when trying to encode an empty text subtitle dialog (see subrip and mov_text encoders). Fixes Ticket2048. (cherry picked from commit c83002a4f8042ccfa0688a9a18e8fa0369c1fda8) 01 January 2013, 17:27:28 UTC
80b8dc3 lavc/ass_split: check for NULL pointer in ff_ass_split_override_codes(). This is consistent with the other ff_ass_split_* functions. It also fixes a crash when trying to split a dialog with text=NULL (which seems to happen when the text of the dialog is empty); basically, this commit fixes crashes when trying to encode an empty text subtitle dialog (see subrip and mov_text encoders). Fixes Ticket2048. (cherry picked from commit c83002a4f8042ccfa0688a9a18e8fa0369c1fda8) 01 January 2013, 17:25:25 UTC
7b91e52 x86: Require an assembler able to cope with AVX instructions All modern assemblers have this capability. Older NASM versions that lack the capability produce code that crashes at runtime, so it's better to error out during the build process instead. (cherry picked from commit e287201c77dc7a7a9759d56d8f48ae719b7e69a9) Signed-off-by: Diego Biurrun <diego@biurrun.de> 11 November 2012, 22:03:57 UTC
e28814e Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: vorbis: Validate that the floor 1 X values contain no duplicates. vorbisenc: check all allocations for failure lavfi: avfilter_merge_formats: handle case where inputs are same alsdec: check opt_order. lavf: don't segfault when a NULL filename is passed to avformat_open_input() mpegvideo: Don't use ff_mspel_motion() for vc1 imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt nuv: check RTjpeg header for validity vc1dec: add flush function for WMV9 and VC-1 decoders ffmpeg: fix -force_key_frames mov: set AVCodecContext.width/height for h264 h264: allow cropping to AVCodecContext.width/height Conflicts: libavcodec/mpegvideo_common.h libavcodec/nuv.c libavcodec/vorbisenc.c libavfilter/formats.c Merged-by: Michael Niedermayer <michaelni@gmx.at> 16 October 2012, 15:57:12 UTC
d6e250a vorbis: Validate that the floor 1 X values contain no duplicates. Duplicate values in this vector are explicitly banned by the Vorbis I spec and cause divide-by-zero crashes later on. (cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 9aaaeba45c41cf2b3fa4100abbdee7437428f93c) Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 October 2012, 07:40:46 UTC
61ece41 vorbisenc: check all allocations for failure (cherry picked from commit be8d812c9635f31f69c30dff9ebf565a07a7dab7) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit e46cf805b10070327026f8e2880fe29e5e9ac1af) Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 October 2012, 07:40:46 UTC
b6c5848 lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371) Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 October 2012, 07:40:46 UTC
b6ba39f alsdec: check opt_order. Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit a1b127515bb79c715933d0d4201e4ef3152b3dcb) Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 October 2012, 07:40:46 UTC
77d43bf lavf: don't segfault when a NULL filename is passed to avformat_open_input() This can easily happen when the caller is using a custom AVIOContext. Behave as if the filename was an empty string in this case. CC: libav-stable@libav.org (cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 7124fa5d3640e5b8089dd13b22a09038b2ec5216) Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 October 2012, 07:40:46 UTC