https://github.com/libav/libav

Revision Message Commit Date
042c25f Update Changelog for v0.8.14 09 August 2014, 00:49:45 UTC
dcc68de vp3: Copy all 3 frames for thread updates Fixes a double release of the current frame on deinit. Bug-Id: CVE-2011-3934 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> 08 August 2014, 14:04:18 UTC
ebe2292 mpegts: Do not try to write a PMT larger than SECTION_SIZE Prevent out of array write. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org (cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> 08 August 2014, 12:27:47 UTC
d86df7d mpegts: Define the section length with a constant The specification says the value is expressed in 10 bits including the 4-byte CRC. (cherry picked from commit 694b7cd873f8b06af109036eff1ccd741afdd28e) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Conflicts: libavformat/mpegtsenc.c 08 August 2014, 12:27:27 UTC
a79e58c Update Changelog for v0.8.14 07 August 2014, 00:24:58 UTC
4709bae Prepare for 0.8.14 Release 07 August 2014, 00:24:58 UTC
c79cf01 error_concealment: avoid using the picture if not fully setup Fixes state becoming inconsistent and a null pointer dereference. CC: libav-stable@libav.org Bug-Id: CVE-2013-0860 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 August 2014, 19:29:48 UTC
9d5f4f0 svq1: do not modify the input packet The input data must remain constant, make a copy instead. This is in theory a performance hit, but since I failed to find any samples using this feature, this should not matter in practice. Also, check the size of the header, avoiding invalid reads on truncated data. CC:libav-stable@libav.org (cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/svq1dec.c 06 August 2014, 19:22:05 UTC
cf6b2a0 cdgraphics: do not return 0 from the decode function 0 means no data consumed, so it can trigger an infinite loop in the caller. CC:libav-stable@libav.org (cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/cdgraphics.c 06 August 2014, 18:52:28 UTC
3aebdff cdgraphics: switch to bytestream2 Fixes possible invalid memory accesses on corrupted data. CC:libav-stable@libav.org Bug-ID: CVE-2013-3674 (cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812) Signed-off-by: Anton Khirnov <anton@khirnov.net> 06 August 2014, 18:51:49 UTC
a1804df huffyuvdec: check width size for yuv422p Avoid out of array accesses. CC: libav-stable@libav.org Bug-Id: CVE-2013-0848 Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/huffyuvdec.c 05 August 2014, 20:17:19 UTC
e17dc0a mmvideo: check horizontal coordinate too Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov <anton@khirnov.net> 05 August 2014, 19:32:56 UTC
4a66225 huffyuv: Check and propagate function return values Bug-Id: CVE-2013-0868 inspired by a patch from Michael Niedermayer <michaelni@gmx.at> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavcodec/huffyuvdec.c 04 August 2014, 07:24:21 UTC
50493f1 twinvq: fix out of bounds array access ModeTab.fmode has only 3 elements, so indexing it with ftype in the initializer for 'size' is invalid when ftype == FT_PPC. This fixes crashes with gcc 4.8. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6) Signed-off-by: Diego Biurrun <diego@biurrun.de> 01 August 2014, 14:51:18 UTC
3e60501 h264: slice-mt: check master context for valid current_picture_ptr Fixes errors in slice based multithreading introduced in 0b300daad2f5. CC: libav-stable@libav.org (cherry picked from commit 5945c7b35d9169caf9ecef1c419eebdebb909e60) Signed-off-by: Diego Biurrun <diego@biurrun.de> 01 August 2014, 14:37:14 UTC
7585a62 h264: prevent theoretical infinite loop in SEI parsing Properly address CVE-2011-3946 and parse bitstream as described in the spec. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 01 August 2014, 12:40:11 UTC
184c797 h264_sei: check SEI size Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> 01 August 2014, 12:39:51 UTC
a465ed5 pgssubdec: Check RLE size before copying Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 00915d3cd2ce61db3d6dc11f63566630a9aff4ec) Signed-off-by: Diego Biurrun <diego@biurrun.de> 01 August 2014, 12:19:04 UTC
976f2e0 x86: Fix linking with some or all of yasm, mmx, optimizations disabled Some optimized template functions reference optimized symbols, so they must be explicitly disabled when those symbols are unavailable. (cherry picked from commit ec36aa69448f20a78d8c4588265022e0b2272ab5) Signed-off-by: Diego Biurrun <diego@biurrun.de> 01 August 2014, 01:05:34 UTC
28f2d3c cmdutils: Conditionally compile libswscale-related bits This fixes compilation with libswscale disabled. (cherry picked from commit ab799664755c8bc2c439c428ff5b538c105a5c38) Signed-off-by: Diego Biurrun <diego@biurrun.de> 31 July 2014, 23:44:11 UTC
277103e video4linux2: Avoid a floating point exception This avoids a segfault in avconv_opt.c:opt_target when trying to determine the norm. (cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc) Signed-off-by: Diego Biurrun <diego@biurrun.de> 30 July 2014, 20:09:09 UTC
e4fdfdf vf_select: Drop a debug av_log with an unchecked double to enum conversion CC: libav-stable@libav.org (cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905) Signed-off-by: Diego Biurrun <diego@biurrun.de> 30 July 2014, 20:06:22 UTC
187cfd3 eamad: use the bytestream2 API instead of AV_RL This is safer and possibly fixes invalid reads on truncated data. (cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c) CC:libav-stable@libav.org Conflicts: libavcodec/eamad.c (cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47) Signed-off-by: Diego Biurrun <diego@biurrun.de> 30 July 2014, 19:42:35 UTC
e122fb5 Update Changelog for 0.8.13 27 June 2014, 01:34:03 UTC
359383c Prepare for 0.8.13 Release 27 June 2014, 01:33:18 UTC
e7f5dac lzo: Handle integer overflow get_len can overflow for specially crafted payload. Reported-By: Don A. Baley <donb@securitymouse.com> CC: libav-stable@libav.org (cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Conflicts: libavutil/lzo.c 25 June 2014, 12:40:56 UTC
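Added example for the lzo get_len fix above. This is not libav's libavutil/lzo.c; it is an LZO-style run-length count decoder in the shape of get_len(), first as commonly written and then with an overflow check, so the crafted-payload case (a long run of zero bytes) can be reproduced. The context struct, the flag values, the helper names and the exact bound used in the check are illustrative assumptions.

```c
/* Added example, not libav's libavutil/lzo.c: an LZO-style run-length
 * count decoder in the shape of get_len(), unchecked and then hardened.
 * Context, flag values and the check's exact bound are assumptions. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LZO_ERR_INPUT_OVERRUN 1   /* assumed flag values */
#define LZO_ERR_LEN_OVERFLOW  2

typedef struct {
    const uint8_t *in;
    const uint8_t *in_end;
    int error;
} LzoCtx;

/* Past the end of input: flag the overrun and return a nonzero byte so
 * that a zero-run loop terminates instead of spinning. */
static int lzo_get_byte(LzoCtx *c)
{
    if (c->in >= c->in_end) {
        c->error |= LZO_ERR_INPUT_OVERRUN;
        return 1;
    }
    return *c->in++;
}

/* LZO length coding: when the low bits of the opcode (x & mask) are zero,
 * the count continues in the stream; every 0x00 byte adds 255 and the
 * first nonzero byte adds itself plus mask. A payload of ~8.4 million
 * zero bytes pushes cnt past INT_MAX: signed overflow, undefined
 * behaviour, and in practice a negative or tiny length. */
static int get_len_unchecked(LzoCtx *c, int x, int mask)
{
    int cnt = x & mask;
    if (!cnt) {
        while (!(x = lzo_get_byte(c)))
            cnt += 255;
        cnt += mask + x;
    }
    return cnt;
}

/* Hardened: stop once another 255, plus the final mask + x (x <= 255),
 * could no longer fit in an int. */
static int get_len_checked(LzoCtx *c, int x, int mask)
{
    int cnt = x & mask;
    if (!cnt) {
        while (!(x = lzo_get_byte(c))) {
            if (cnt > INT_MAX - 255 - mask - 255) {
                c->error |= LZO_ERR_LEN_OVERFLOW;
                return -1;
            }
            cnt += 255;
        }
        cnt += mask + x;
    }
    return cnt;
}

/* Decode one length from buf with the checked decoder; *flags (if
 * non-NULL) receives the context's error flags. */
static int decode_len(const uint8_t *buf, size_t n, int x, int mask, int *flags)
{
    LzoCtx c = { buf, buf + n, 0 };
    int r = get_len_checked(&c, x, mask);
    if (flags)
        *flags = c.error;
    return r;
}

/* Same decode, but returns the error flags instead of the length. */
static int decode_len_flags(const uint8_t *buf, size_t n, int x, int mask)
{
    int flags = 0;
    decode_len(buf, n, x, mask, &flags);
    return flags;
}

/* Feeds a constructed run of n zero bytes (the crafted-payload case) to
 * the checked decoder; 1 if rejected with the overflow flag, else 0. */
static int zero_run_rejected(size_t n)
{
    uint8_t *buf = calloc(n, 1);
    int flags = 0, r;
    if (!buf)
        return 0;
    r = decode_len(buf, n, 0, 3, &flags);
    free(buf);
    return r == -1 && (flags & LZO_ERR_LEN_OVERFLOW) != 0;
}

int main(void)
{
    static const uint8_t small[] = { 0x00, 0x00, 0x05 };   /* constructed */
    LzoCtx c = { small, small + sizeof small, 0 };
    int len = decode_len(small, sizeof small, 0, 3, NULL);
    printf("checked: len=%d flags=%d\n", len, decode_len_flags(small, sizeof small, 0, 3));
    printf("unchecked on same input: %d\n", get_len_unchecked(&c, 0, 3));
    printf("9M zero bytes rejected by checked decoder: %d\n", zero_run_rejected(9000000));
    return 0;
}
```

The bound is chosen so that the loop's own addition and the final `mask + x` both stay below INT_MAX; a truncated stream is a separate condition and is reported through the overrun flag rather than by a length of -1.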
9c7321e sgidec: fix an incorrect backport Signed-off-by: Anton Khirnov <anton@khirnov.net> 17 June 2014, 19:50:20 UTC
9552b37 Add some bug references 01 June 2014, 20:12:58 UTC
d75b149 Update Changelog for 0.8.12 01 June 2014, 18:20:46 UTC
516ea2d Prepare for 0.8.12 Release 01 June 2014, 00:09:10 UTC
6f4404b h264: set parameters from SPS whenever it changes Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with alternating bit depths. 01 June 2014, 00:07:52 UTC
110680c alac: Limit max_samples_per_frame Otherwise buffer size calculations in allocate_buffers could overflow later, making the code think a large enough buffer actually was allocated. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> 01 June 2014, 00:07:52 UTC
7fa7270 swscale: Fix an undefined behaviour Prevent a division by zero down the codepath. Sample-Id: 00001721-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org 01 June 2014, 00:07:52 UTC
65c3593 apedec: do not buffer decoded samples over AVPackets Only consume an AVPacket when all the samples have been read. When the rate of samples output is limited (by the default value of max_samples), consuming the first packet immediately will cause timing problems: - The first packet with PTS 0 will output 4608 samples and be consumed entirely - The second packet with PTS 64 will output the remaining samples (typically, a lot, that's why max_samples exists) until the decoded samples of the first packet have been exhausted, at which point the samples of the second packet will be decoded and output when av_decode_frame is called with the next packet. That means there's a PTS jump since the first packet is 'decoded' immediately, which can be seen with avplay or mplayer: the timing jumps immediately to 6.2s (which is the size of a packet). Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape Bug-Debian: http://bugs.debian.org/744901 Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 01 June 2014, 00:07:52 UTC
b7b798a isom: lpcm in mov default to big endian It is my understanding that "Unless otherwise stated, all data in a QuickTime movie is stored in big-endian byte ordering" [1] in MOV files. I have a couple of thousand files, which technically are invalid because their sound sample description element 4CC is 'lpcm' but its version is 0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or twos-complement ('twos') format" [2] Because isom.c only contains a mapping for 4CC 'lpcm' to AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when it is actually BE. This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'. [1] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 21 [2] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 178 Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com> 01 June 2014, 00:07:52 UTC
5463a2b movdec: handle 0x7fff langcode as macintosh per the specs The correct point that separates ISO and MAC language codes is 0x400 according to the current QT spec. Old QT specs did not list where this separation is but apparently only defined the meaning of the first 137. (cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059) (cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa) 01 June 2014, 00:07:51 UTC
42dcfe3 avi: Improve non-interleaved detection Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>. Check the index for streams with a time drift of 2s or a buffer drift of 64MB. Bug-Id: 666 CC: libav-stable@libav.org Sample-Id: yet-another-broken-interleaved-avi.avi Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Signed-off-by: Diego Biurrun <diego@biurrun.de> 01 June 2014, 00:07:51 UTC
079758e h264: reset next_output_pic earlier in start_frame() In case start_frame() fails, this potentially invalid frame can still be output to the caller. Bug-Id: 672 Bug-Id: debian/741240 Bug-Id: ubuntu/1288206 01 June 2014, 00:07:51 UTC
a0a90b1 tiffdec: use bytestream2 to simplify overread/overwrite protection Based on a patch by Paul B Mahol <onemda@gmail.com> CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
fa60904 bytestream: add bytestream2_copy_buffer() functions This is basically an overread/overwrite-safe memcpy between a GetByteContext and a PutByteContext. CC:libav-stable@libav.org (cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278) 01 June 2014, 00:05:19 UTC
b473fdc bytestream: add functions for accessing size of buffer Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> CC:libav-stable@libav.org (cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783) 01 June 2014, 00:05:19 UTC
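Added example for the bytestream2 commits above (copy_buffer and the buffer-size accessors) and for the decoders in this log that were switched to bytestream2 (cdgraphics, eamad, tiffdec). This is not libav's bytestream.h; it is a minimal overread-safe reader and writer in the shape of GetByteContext/PutByteContext with a clamped copy between them, driven by a constructed chunk format whose length field can lie. The names and the chunk layout are illustrative assumptions.

```c
/* Added example, not libav's bytestream.h: a bounded reader/writer in the
 * shape of bytestream2, plus a clamped copy between them. Names and the
 * chunk layout used for the demo are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *buf, *buf_start, *buf_end; } GetCtx;
typedef struct { uint8_t *buf, *buf_start, *buf_end; int eof; } PutCtx;

static void get_init(GetCtx *g, const uint8_t *buf, size_t size)
{
    g->buf = g->buf_start = buf;
    g->buf_end = buf + size;
}

static void put_init(PutCtx *p, uint8_t *buf, size_t size)
{
    p->buf = p->buf_start = buf;
    p->buf_end = buf + size;
    p->eof = 0;
}

static size_t get_bytes_left(const GetCtx *g) { return (size_t)(g->buf_end - g->buf); }
static size_t put_bytes_left(const PutCtx *p) { return (size_t)(p->buf_end - p->buf); }

/* Reads past the end return 0 and pin the cursor at the end instead of
 * touching memory; a caller that must distinguish "zero" from "missing"
 * checks get_bytes_left() first. */
static unsigned get_byte(GetCtx *g)
{
    if (get_bytes_left(g) < 1)
        return 0;
    return *g->buf++;
}

static unsigned get_le16(GetCtx *g)
{
    unsigned v;
    if (get_bytes_left(g) < 2) {
        g->buf = g->buf_end;
        return 0;
    }
    v = g->buf[0] | ((unsigned)g->buf[1] << 8);
    g->buf += 2;
    return v;
}

/* Copy up to n bytes from g to p, clamped to what is readable and what is
 * writable, and return the count actually copied: a corrupt length field
 * can neither overread the input nor overwrite the output, and the caller
 * sees the shortfall. */
static size_t copy_buffer(PutCtx *p, GetCtx *g, size_t n)
{
    size_t in = get_bytes_left(g), out = put_bytes_left(p);
    if (n > in)
        n = in;
    if (n > out) {
        n = out;
        p->eof = 1;
    }
    memcpy(p->buf, g->buf, n);
    p->buf += n;
    g->buf += n;
    return n;
}

/* Constructed chunk layout for the demo: 1-byte tag, 16-bit little-endian
 * payload length, payload. Returns the payload size copied to out, or -1
 * if the header is short or the declared length exceeds the input or the
 * output buffer. */
static int decode_chunk(const uint8_t *in, size_t in_size,
                        uint8_t *out, size_t out_size, unsigned *tag)
{
    GetCtx g;
    PutCtx p;
    unsigned len;
    size_t copied;

    get_init(&g, in, in_size);
    put_init(&p, out, out_size);
    if (get_bytes_left(&g) < 3)
        return -1;
    *tag = get_byte(&g);
    len = get_le16(&g);
    copied = copy_buffer(&p, &g, len);
    if (copied != len || p.eof)
        return -1;
    return (int)copied;
}

/* Verdict-only wrapper: decodes into a scratch buffer of out_size bytes
 * (at most 64) and returns decode_chunk()'s result. */
static int chunk_payload_size(const uint8_t *in, size_t in_size, size_t out_size)
{
    uint8_t scratch[64];
    unsigned tag;
    if (out_size > sizeof scratch)
        return -1;
    return decode_chunk(in, in_size, scratch, out_size, &tag);
}

int main(void)
{
    /* constructed inputs: a valid chunk and one whose length field lies */
    static const uint8_t good[] = { 0x07, 0x03, 0x00, 'a', 'b', 'c' };
    static const uint8_t bad[]  = { 0x07, 0xff, 0xff, 'a', 'b' };
    printf("good chunk: %d payload bytes\n", chunk_payload_size(good, sizeof good, 16));
    printf("bad chunk:  %d\n", chunk_payload_size(bad, sizeof bad, 16));
    return 0;
}
```

The point of the pattern is that every accessor carries its own bound, so the decoder body has no raw pointer arithmetic to get wrong; the one remaining decision, what to do when the declared length exceeds what is left, is made explicitly from the copy's return value rather than discovered by a crash.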
db52f05 movenc: allow override of "writing application" tag Signed-off-by: Tim Walker <tdskywalker@gmail.com> CC: libav-stable@libav.org (cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c) 01 June 2014, 00:05:19 UTC
330c180 matroskaenc: allow override of "writing application" tag Signed-off-by: Tim Walker <tdskywalker@gmail.com> CC: libav-stable@libav.org (cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d) 01 June 2014, 00:05:19 UTC
1dce4a0 avfilter: Add missing emms_c when needed Arch specific calls should have an emms_c following to keep the cpu state consistent. Reported-By: wm4 CC: libav-stable@libav.org 01 June 2014, 00:05:19 UTC
9938e45 mpeg12: check scantable indices in all decode_block functions Add checks to the fast functions used with CODEC_FLAGS2_FAST and move the check for all other functions to before the invalid memory is accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with CODEC_FLAGS2_FAST. CC: libav-stable@libav.org 01 June 2014, 00:05:19 UTC
71b8c84 sgidec: fix buffer size check in expand_rle_row() Right now it will spuriously fail if the linesize is exactly equal to the data width. CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
d0ecfe3 adx: check that the offset is not negative Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 5569146d48f06564e8fa393424782cceed510916) 01 June 2014, 00:05:19 UTC
07558d0 mpegvideo: set reference/pict_type on generated reference frames Otherwise the generic code will unref them, which can then result in last_picture_ptr == current_picture_ptr, which causes deadlocks at least in rv40. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
27ac958 h264: reset data partitioning at the beginning of each decode call Prevents using GetBitContexts with data from previous calls. Fixes access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
35ba079 h264: reset ref count if decoding the slice header fails Otherwise the ER code might try to use some already freed references. Fixes possible access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
a7cce9e h264: reset first_field if frame_start() fails for missing refs In this case we may not have a current frame, while first_field being set implies we do. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
51ae8e2 h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3 Higher modes are not allowed for 16x16/chroma, which is what this function is used for. Otherwise this function would return 0 (vertical prediction) for invalid higher modes, which could result in invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
c4033cd h264: reject mismatching luma/chroma bit depths during sps parsing There is no point in delaying the check and it avoids bugs with a half-initialized context. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:19 UTC
7f33a24 h264: check that execute_decode_slices() is not called too many times Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:18 UTC
0f71a5d h264: do not use 422 functions for monochrome Fixes invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:18 UTC
3ee2608 h264: reset data_partitioning if decoding the slice header for NAL_DPA fails If it was set before then we can end up trying to decode a slice without a valid slice header, which can lead to invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:18 UTC
e0d8a17 h264_refs: make sure not to write over the bounds of the default ref list Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:18 UTC
2cbc8df h264: check buffer size before accessing it Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org 01 June 2014, 00:05:18 UTC
afab4c4 configure: use utilities from /usr/xpg4/bin if it exists Solaris defaults to non-standard utilities (grep, sed, ...) with proper ones being in /usr/xpg4/bin. Prefixing PATH with this directory when it exists ensures we get correct variants. Signed-off-by: Mans Rullgard <mans@mansr.com> 01 June 2014, 00:05:18 UTC
ecf21ab cmdutils: update copyright year to 2014. Signed-off-by: Martin Storsjö <martin@martin.st> 01 June 2014, 00:05:18 UTC
16f0f97 ituh263: reject b-frame with pp_time = 0 Avoid a division by 0 in ff_mpeg4_set_one_direct_mv. Sample-Id: 00000168-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> (cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f) (cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2) (cherry picked from commit aa2a3ca27a3269e2b975686652204607fad8bc49) 01 June 2014, 00:03:35 UTC
f1a8885 doc: Point to the correct, actually maintained gas-preprocessor repo Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit d15c536123a44362ace6299c391a492c90b83fc7) Signed-off-by: Martin Storsjö <martin@martin.st> 16 March 2014, 18:56:04 UTC
aedf1a2 Update Changelog for 0.8.11 14 March 2014, 00:59:00 UTC
bf0cb89 configure: Update freetype check to follow upstream The freetype tutorial suggests to use #include FT_FREETYPE_H. Bug-Id: 616 Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba) Conflicts: configure 13 March 2014, 11:47:49 UTC
ec772cc drawtext: Drop pointless header It should be forward compatible with newer freetype. (cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> 13 March 2014, 11:47:12 UTC
7b00340 configure: Support preprocessor macros as header names New versions of FreeType have moved the location of their API header(s) and hide the location behind a macro. Since the location changes between versions and no other way to know the location exists, this workaround becomes necessary. Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Conflicts: configure 13 March 2014, 11:46:10 UTC
0120e48 arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6 The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41 broke the computation for the last row since it prevented the safe reading from the height+1-th row. 08 March 2014, 23:31:31 UTC
fd2fc13 arm: hpeldsp: prevent overreads in armv6 asm Based on a patch by Russel King <rmk+libav@arm.linux.org.uk> Bug-Id: 646 CC: libav-stable@libav.org 06 March 2014, 08:06:39 UTC
3da4fdd lagarith: reallocate rgb_planes when needed Fixes invalid writes on pixel format changes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b) (cherry picked from commit bd57e783437f990c3ac4747eeebe20332e103980) 01 March 2014, 04:07:41 UTC
2fb0a52 lagarith: avoid infinite loop in lag_rac_refill() range == 0 happens with corrupted files CC:libav-stable@libav.org (cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 8bce2c60b8ebc31899d576dde3bbe6205faae97d) 01 March 2014, 04:07:40 UTC
2c1d844 lagarith: pad RGB buffer by 1 byte. For left HFYU prediction, we predict from the buffer buf+1 using 8- or 16-byte reads. This means that aligning the buffer by 16 bytes is in itself not sufficient, because if the width itself is 16- or 8-byte aligned, the buffer will not be padded, and thus a read of size 16 at buf+1 will overflow boundaries at the right edge. Padding the buffer by 1 byte is sufficient to not overflow its boundaries. Fixes bug 342. (cherry picked from commit 98d0d19208959766a58f13dd6a678d1f765a26ac) 01 March 2014, 04:07:40 UTC
de0e442 truemotion1: check the header size Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602) (cherry picked from commit 76b40a9bf93e387d98aa7dc02ec7a8d13f51722f) 01 March 2014, 04:07:40 UTC
43aa7eb shorten: pad the internal bitstream buffer Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6) (cherry picked from commit 5881ec0ea58a95403bd375b63f22d49905cdd8e5) 01 March 2014, 04:07:40 UTC
9786c24 samplefmt: avoid integer overflow in av_samples_get_buffer_size() CC:libav-stable@libav.org (cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6) (cherry picked from commit e9b3abd49890e958c745ea46a9f4f91b6b4baa58) Conflicts: libavutil/samplefmt.c 01 March 2014, 04:07:40 UTC
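Added example for the samplefmt overflow fix above and for the alac max_samples_per_frame commit earlier in this log, both of which concern buffer size arithmetic that wraps and then passes as "large enough". This is not libav's av_samples_get_buffer_size(); it is an audio buffer size computation with every multiplication and the alignment step checked. The parameter names and the -1 error convention are illustrative assumptions.

```c
/* Added example, not libav's av_samples_get_buffer_size(): audio buffer
 * size arithmetic with overflow checks on every step. Parameter names
 * and the -1 error convention are assumptions. */
#include <limits.h>
#include <stdio.h>

/* *out = a * b, or -1 if either operand is negative or the product does
 * not fit in an int. */
static int checked_mul(int a, int b, int *out)
{
    if (a < 0 || b < 0)
        return -1;
    if (a != 0 && b > INT_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Round size up to a multiple of align (a power of two), or -1 if the
 * rounding itself would overflow. */
static int checked_align(int size, int align, int *out)
{
    if (size < 0 || size > INT_MAX - (align - 1))
        return -1;
    *out = (size + align - 1) & ~(align - 1);
    return 0;
}

/* Bytes needed for nb_samples of nb_channels channels at bytes_per_sample
 * per channel sample. Planar layouts hold one aligned line per channel;
 * interleaved layouts hold one aligned line for all channels. On success
 * returns the total and stores the per-line size in *linesize (if
 * non-NULL); returns -1 on invalid or overflowing input, never a wrapped
 * small positive value. */
static int samples_buffer_size(int *linesize, int nb_channels, int nb_samples,
                               int bytes_per_sample, int planar, int align)
{
    int line, total;

    if (nb_channels <= 0 || nb_samples <= 0 || bytes_per_sample <= 0 ||
        align <= 0 || (align & (align - 1)))
        return -1;
    if (checked_mul(nb_samples, bytes_per_sample, &line))
        return -1;
    if (!planar && checked_mul(line, nb_channels, &line))
        return -1;
    if (checked_align(line, align, &line))
        return -1;
    if (planar) {
        if (checked_mul(line, nb_channels, &total))
            return -1;
    } else {
        total = line;
    }
    if (linesize)
        *linesize = line;
    return total;
}

int main(void)
{
    int ls;
    printf("stereo s16 interleaved, 1024 samples: %d (line %d)\n",
           samples_buffer_size(&ls, 2, 1024, 2, 0, 32), ls);
    printf("stereo s16 planar, 1000 samples: %d (line %d)\n",
           samples_buffer_size(&ls, 2, 1000, 2, 1, 32), ls);
    /* constructed hostile header: 8 channels of INT_MAX/2 32-bit samples */
    printf("hostile counts: %d\n", samples_buffer_size(NULL, 8, INT_MAX / 2, 4, 1, 32));
    return 0;
}
```

The decoder-side counterpart is to clamp the header field itself (as the alac commit does with max_samples_per_frame) before it ever reaches this arithmetic; the two checks together mean neither a wrapped product nor an absurd but non-wrapping count leads to an undersized allocation.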
4279e0e h264: Fix a typo from the previous commit f777504f640260337974848c7d5d7a3f064bbb45 changed a - in + CC: libav-stable@libav.org (cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c) (cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86) (cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab) 01 March 2014, 04:07:40 UTC
a600376 h264: Lower bound check for slice offsets And use the value from the specification. Sample-Id: 00000451-google Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45) (cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1) Conflicts: libavcodec/h264.c (cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c) Conflicts: libavcodec/h264.c 01 March 2014, 04:07:40 UTC
cf676c1 rpza: limit the number of blocks to the total remaining blocks in the frame Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> 14 February 2014, 10:43:59 UTC
36017d4 Prepare for 0.8.11 Release 07 February 2014, 04:26:33 UTC
8cade13 lavf: make av_probe_input_buffer more robust Always use the actually read size as the offset instead of making possibly invalid assumptions. Addresses: CVE-2012-6618 (cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavformat/utils.c Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 07 February 2014, 04:01:14 UTC
5522c56 Updated Changelog for 0.8.10 02 February 2014, 17:54:52 UTC
b0db7a5 oggparseogm: check timing variables Fixes a potential divide by zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit bf7c240a50f8ed99a42e08bb7a8a70262cce34ad) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:48:58 UTC
e03b875 mathematics: remove asserts from av_rescale_rnd() It is a public function, it must not assert on its parameters. (cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 03bfd8419fbaf9c72b293457437bd508dea64736) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:48:45 UTC
30c8a5e vc1: Always reset numref when parsing a new frame header. Fixes an issue where the B-frame coding mode switches from interlaced fields to interlaced frames, causing incorrect decisions in the motion compensation code and resulting in visual artifacts. CC: libav-stable@libav.org Signed-off-by: Tim Walker <tdskywalker@gmail.com> (cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:48:34 UTC
716ee73 h264: reset num_reorder_frames if it is invalid An invalid VUI is not considered a fatal error, so the SPS containing it may still be used. Leaving an invalid value of num_reorder_frames there can result in writing over the bounds of H264Context.delayed_pic. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/h264_ps.c (cherry picked from commit 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:48:16 UTC
979f77b h264: check that an IDR NAL only contains I slices Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 62ed6da016b789eee00e0fff517df4a254e12e5d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/h264.c 02 February 2014, 17:48:04 UTC
2f4e066 mov: Free an earlier allocated array if allocating a new one It could probably also be considered an error if the pointer isn't null at this point, but then we might risk rejecting some slightly broken files that we might have handled so far. Sample-Id: 00000496-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:45:09 UTC
6a56d16 segafilm: fix leaks if reading the header fails Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit f728782c0d30433efa11f1238a16aed994e9b563) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavformat/segafilm.c 02 February 2014, 17:44:20 UTC
23144c5 h264_cavlc: check the size of the intra PCM data. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit b5275ca1a805436ca12540c34dd5ed1671877434) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:41:02 UTC
e964207 cavs: Check for negative cbp Sample-Id: 00000647-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c85e5f13f6ac9c4c90125e7671d89009e57f9df9) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/cavsdec.c 02 February 2014, 17:36:15 UTC
2c0bfce avi: DV in AVI must be considered single stream Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3485a07977f17b8d4709fb327be4fc29031032b7) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 02 February 2014, 17:29:54 UTC
b68e5b1 avutil: use align == 0 for default alignment in audio sample buffer functions Fixes: http://pad.lv/1264886, http://pad.lv/1241439 (cherry picked from commit 0109a09dc3850eb5dbff84a7bb50eb252a5a8f22) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavutil/avutil.h 01 February 2014, 19:59:12 UTC
cb5d0ea flashsv: Check diff_start diff_height values Fix out of array accesses. Found-by: ami_stuff Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Addresses: CVE-2013-7015 (cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 10d48fe6d3963842319b1d8d738a318020836e72) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 01 February 2014, 19:06:24 UTC
ef6c90e dsputil/pngdsp: fix signed/unsigned type in end comparison Fixes out of array accesses and integer overflows. (cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b) Addresses: CVE-2013-7010, CVE-2013-7014 Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/pngdsp.c 01 February 2014, 19:05:47 UTC
d04194d vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a) Addresses: CVE-2013-0865 Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit ab434bf0d051008a329d49d0256faa5d64e2bf4d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 01 February 2014, 19:03:28 UTC
976a7b7 avi: directly resync on DV in AVI read failure Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Addresses CVE-2013-0856 (cherry picked from commit 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf) Signed-off-by: Reinhard Tartler <siretart@tauware.de> 01 February 2014, 19:02:20 UTC
a89acaa get_bits: change the failure condition in init_get_bits Too much code relies on having init_get_bits fed with a valid buffer and set its dimension to 0. Check for NULL buffer instead. (cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> 25 January 2014, 00:01:25 UTC
8b24e17 twinvq: Cope with gcc-4.8.2 miscompilation Apparently gcc-4.8.2 miscompiles enums resulting in a lucky fpe soon after it. Passing the enum value as integer makes the ftype == FT_PPC condition evaluate correctly. 07 January 2014, 13:21:53 UTC
3736b13 Changelog for 0.8.10 07 January 2014, 08:43:58 UTC
1123870 pthread: Avoid spurious wakeups pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup). The FF_THREAD_SLICE thread mechanism could spontaneously execute jobs or allow the caller of avctx->execute to return before all jobs were complete. Test both cases to ensure the wakeup is real. Signed-off-by: Ben Jackson <ben@ben.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 311583e7798237be5cc531d672a9e37f8c729d83) 07 January 2014, 08:43:58 UTC
48d5765 pthread: Fix deadlock during thread initialization Sometimes, if pthread_create() failed, then pthread_cond_wait() could accidentally be called in the worker threads after the uninit function had already called pthread_cond_broadcast(), leading to a deadlock. Don't call pthread_cond_wait() if c->done is set. Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> (cherry picked from commit 1a5a6ac01b0ad2cf3d2128372ea41f3c1cfc2d3f) 07 January 2014, 08:43:58 UTC