| 0e81025 | Reinhard Tartler | 10 March 2015, 02:11:14 UTC | doc: More changelog updates for v0.8.17 | 10 March 2015, 02:11:14 UTC |
| 335ec61 | Michael Niedermayer | 04 March 2015, 17:36:14 UTC | utvideodec: Handle slice_height being zero Fixes out of array accesses. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-9604 Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d) (cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit e032e647dd79e7748145792dfee0358eccb1982e) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 789f433bc6376e6e45d41ae491007d482fa1df85) Conflicts: libavcodec/utvideodec.c | 10 March 2015, 02:08:49 UTC |
| 76435f5 | Reinhard Tartler | 09 March 2015, 02:34:43 UTC | doc: More changelog updates for v0.8.17 | 09 March 2015, 02:34:43 UTC |
| ec5b2f6 | Anton Khirnov | 07 March 2015, 21:06:59 UTC | tiff: Check that there is no aliasing in pixel format selection Fixes possible issues with unexpected bpp/bppcount values. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-8544 (cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit eb9041403d820634c45ed4ee98570246a252507a) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 62b0462e5fa78901380ca229ddb6a7625efd61a2) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 09 March 2015, 02:30:43 UTC |
| 82776ca | Andreas Cadhalpun | 02 March 2015, 15:52:26 UTC | rmenc: limit packet size The chunk size is limited to UINT16_MAX (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> | 08 March 2015, 20:37:26 UTC |
| 905988f | Federico Tomassetti | 18 February 2015, 12:11:44 UTC | eamad: check for out of bounds read Bug-Id: CID 1257500 CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org> | 08 March 2015, 20:36:47 UTC |
| 8b1f8fb | Reinhard Tartler | 08 March 2015, 15:32:09 UTC | Update Changelog for 0.8.17 Release | 08 March 2015, 15:32:09 UTC |
| aace8b1 | Reinhard Tartler | 08 March 2015, 15:29:56 UTC | Prepare for 0.8.17 Release | 08 March 2015, 15:29:56 UTC |
| d6deed7 | Michael Niedermayer | 31 January 2013, 03:20:24 UTC | h264_cabac: Break infinite loops This fixes out of array reads and/or infinite loops. 30 is the maximum number of bits that can be read into coeff_abs below. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Martin Storsjö <martin@martin.st> | 23 February 2015, 00:06:28 UTC |
| 51dd54c | Xiaohan Wang | 06 November 2014, 20:59:54 UTC | matroskadec: Fix read-after-free in matroska_read_seek() In matroska_read_seek(), |tracks| is assigned at the begining of the function. However, functions like matroska_parse_cues() could reallocate the tracks and invalidate |tracks|. This assigns |tracks| only before using it, so that it will not get invalidated elsewhere. Bug-Id: chromium/427266 | 27 January 2015, 14:36:34 UTC |
| 9ae3cd6 | Michael Niedermayer | 03 October 2014, 18:15:52 UTC | gifdec: refactor interleave end handling Fixes invalid writes with very small image heights. CC: libav-stable@libav.org Bug-ID: CVE-2014-8547 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 0b39ac6f54505a538c21fe49a626de94c518c903) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit eac49477aa95cf727d87d2741ee8e60be59d394b) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 92888e9ed4ea4e761ae953bbe28c85cc658abc8f) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 02de44073a8e116ea177b53081219d32ef135ad8) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 20 December 2014, 10:19:47 UTC |
| a331e11 | Michael Niedermayer | 03 October 2014, 20:50:45 UTC | smc: fix the bounds check Fixes invalid writes when there are more blocks in a run than total remaining blocks. CC: libav-stable@libav.org Bug-ID: CVE-2014-8548 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit d423dd72be451462c6fb1cbbe313bed0194001ab) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 58dc526ebf722d33bf09275c1241674e0e6b9ef1) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit f249e9889155599ee3ad0172832d38f68b0c625d) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 306ee95088243fefa2dfcb5c355d439db75e2d2a) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 20 December 2014, 10:16:34 UTC |
| fc159ba | Anton Khirnov | 14 December 2014, 20:01:59 UTC | mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. CC: libav-stable@libav.org Bug-ID: CVE-2014-8543 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 69a930b988ff4f88ae27e4fc24ff6ed116840b5e) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 3f10a779b465fd22d3aec1b744ca8544bc2da970) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/mmvideo.c (cherry picked from commit 03dba25a4001495226651068232b4c6b1e75fd02) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 20 December 2014, 10:16:27 UTC |
| 954aafa | Anton Khirnov | 14 December 2014, 20:01:59 UTC | jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. CC: libav-stable@libav.org Bug-ID: CVE-2014-8542 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 88626e5af8d006e67189bf10b96b982502a7e8ad) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 55788572ea7b89cdd77bab1cf4bf06d14ead34f5) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 8f238dd9bdd9eba569fcaa564a07fbdd89412a14) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/jvdec.c (cherry picked from commit 50cb695bf124b0bd4d9e2b3c1bfdd08b35b14438) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/jvdec.c | 20 December 2014, 10:16:15 UTC |
| 0ceb2df | Anton Khirnov | 12 August 2014, 14:39:10 UTC | mov: avoid a memleak when multiple stss boxes are present CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 577f1feb3fd1e51fd14af7ce6d79d468faa3b929) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 931f5b235112f1c2a09dead36f0a228061d23942) Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 93f919d0b4c4341ccee366c98ac9af813f8fe622) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 20 December 2014, 10:15:47 UTC |
| 2210331 | Diego Biurrun | 16 September 2014, 10:28:45 UTC | Add some bug references to the changelog | 26 September 2014, 10:17:31 UTC |
| b989bb7 | Katerina Barone-Adesi | 15 September 2014, 23:40:24 UTC | apetag: Fix APE tag size check The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. (cherry picked from commit 56ac2cbd0464e0146e62c91843e2b1f5e0908504) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavformat/apetag.c | 17 September 2014, 14:50:55 UTC |
| 893b353 | Diego Biurrun | 19 June 2012, 10:55:10 UTC | x86: Only use optimizations with cmov if the CPU supports the instruction Also fill in missing hash for AV_CPU_FLAG_CMOV addition in APIChanges. (cherry picked from commit fe07c9c6b5a870b8f2ffcfac649228b4d76e9505) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavcodec/x86/dsputil_mmx.c | 16 September 2014, 08:48:53 UTC |
| 8637f4e | Diego Biurrun | 19 June 2012, 20:55:26 UTC | x86: Add CPU flag for the i686 cmov instruction (cherry picked from commit 65345a5a30a0e866b6944c0e6184be3feca04335) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavutil/cpu.c libavutil/cpu.h | 16 September 2014, 08:39:13 UTC |
| c6af9e9 | Diego Biurrun | 10 September 2014, 19:46:05 UTC | Update Changelog for v0.8.16 | 10 September 2014, 19:46:05 UTC |
| 992da6b | Diego Biurrun | 10 September 2014, 19:43:08 UTC | Prepare for 0.8.16 release | 10 September 2014, 19:43:08 UTC |
| e9e7646 | Diego Biurrun | 10 September 2014, 19:42:12 UTC | Update Changelog for v0.8.15 | 10 September 2014, 19:42:12 UTC |
| f661006 | Diego Biurrun | 10 September 2014, 16:38:15 UTC | doc: Fix syntax and logical errors in avconv stream combination example Bug-Id: 661 CC: libav-stable@libav.org (cherry picked from commit 775a0b04f0cf8102fe322b2ee03fe1a0633dea04) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 10 September 2014, 19:11:01 UTC |
| 554fd5c | Diego Biurrun | 20 August 2014, 17:50:33 UTC | ffmpeg: Clarify wording of ffmpeg --> avconv deprecation message | 04 September 2014, 23:14:54 UTC |
| 2deac60 | Michael Niedermayer | 04 September 2012, 11:02:30 UTC | adpcmenc: Calculate the IMA_QT predictor without overflow Previously, the value given to put_bits was 10 bits long for positive predictors, even though 9 bits were to be written. The extra bit could in some cases overwrite existing bits in the bitstream writer cache. This fixes a failed assert in put_bits.h, when running a version built with -DDEBUG. The fate test result gets slightly improved, thanks to getting rid of the overwritten bits in the bitstream writer cache. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit aa264da5bf6a3d82a47abba4cfcfa629dd1f3daa) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: tests/ref/fate/acodec-adpcm-ima_qt | 23 August 2014, 12:19:12 UTC |
| 3eed35a | Michael Niedermayer | 06 August 2012, 14:28:13 UTC | svq1enc: Set picture_structure correctly This fixes assert failures when running in debug mode. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 2d7d91f06d6a1d243dc74c96d3389ee237a3b906) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 23 August 2014, 12:19:12 UTC |
| ec0df23 | Michael Niedermayer | 06 August 2012, 22:18:59 UTC | h264: Remove an assert on current_picture_ptr being null It is possible in various error paths as well as gap handling that this has already been allocated. It is not clear why that would be a problem with the current code, thus disable the assert to avoid a common assert failure when asserts are enabled. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 5e997688f8801bb89c773f368237627d957fa520) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 23 August 2014, 12:19:12 UTC |
| 372f742 | Martin Storsjö | 04 September 2012, 11:45:00 UTC | parser: Don't use pc as context for av_dlog The ParserContext class doesn't have an AVClass, required for using it as a logging class. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 6d65496990dcac551f60668c2418a50a3111c86c) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 23 August 2014, 12:19:12 UTC |
| d1c4904 | Michael Niedermayer | 06 August 2012, 14:49:49 UTC | mpegvideo: remove last_picture_ptr / h264 assert. This assert is no longer true since h264 error concealment needs last_picture_ptr to be set. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 91672504a403556f63492093b892574234f21dd7) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavcodec/mpegvideo.c | 21 August 2014, 12:40:26 UTC |
| 9858a72 | Michael Niedermayer | 18 August 2012, 19:53:32 UTC | elbg: Fix an assert It seems the condition was flipped from what was intended. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 2c340596cab981ac842aff7da89d298025c99304) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 21 August 2014, 12:40:26 UTC |
| ce57531 | Diego Biurrun | 11 September 2012, 20:11:25 UTC | swscale: Remove two bogus asserts (cherry picked from commit b9141aa346b736adffd27e1a98bd12aa7b628a8f) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libswscale/swscale.c | 21 August 2014, 12:40:26 UTC |
| 233d1b4 | Diego Biurrun | 25 September 2012, 17:05:26 UTC | h264_refs: Fix debug tprintf argument types (cherry picked from commit 6c5b0517e00fc22753c5cc0751cba186dd71ed36) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 20 August 2014, 17:19:33 UTC |
| 90a2359 | Diego Biurrun | 25 September 2012, 17:01:10 UTC | nutdec: Remove unused and broken debug function stub (cherry picked from commit 83655442fa6dbf7578d108ce479f98a14ebb3e3c) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavformat/nutdec.c | 20 August 2014, 17:11:31 UTC |
| 57c36de | Aaron Colwell | 19 March 2012, 03:03:00 UTC | vp8: avoid race condition on segment map. This change avoids accessing the segment map of the previous frame if segmentation is not enabled for the current frame. The caller of decode_mb_mode() only calls ff_thread_await_progress() on the reference segmentation index array if segmentation is enabled, so Chromium's TSAN will report a race when accessing this data while segmentation is not enabled. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 30011bf20109eef1a0f9ee949b19f9998ad88663) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 19 August 2014, 13:15:26 UTC |
| 8152b02 | Mans Rullgard | 10 May 2012, 16:40:30 UTC | arm/neon: dsputil: use correct size specifiers on vld1/vst1 Change the size specifiers to match the actual element sizes of the data. This makes no practical difference with strict alignment checking disabled (the default) other than somewhat documenting the code. With strict alignment checking on, it avoids trapping the unaligned loads. Signed-off-by: Mans Rullgard <mans@mansr.com> | 17 August 2014, 07:52:39 UTC |
| 9fa9d47 | Mans Rullgard | 10 May 2012, 15:24:33 UTC | arm: dsputil: prettify some conditional instructions in put_pixels macros Signed-off-by: Mans Rullgard <mans@mansr.com> | 17 August 2014, 07:52:23 UTC |
| 6dd19ff | Mans Rullgard | 09 May 2012, 23:55:18 UTC | arm: dsputil: fix overreads in put/avg_pixels functions The vertically interpolating variants of these functions read ahead one line to optimise the loop. On the last line processed, this might be outside the buffer. Fix these invalid reads by processing the last line outside the loop. Signed-off-by: Mans Rullgard <mans@mansr.com> | 17 August 2014, 07:52:13 UTC |
| b5d7b80 | Michael Niedermayer | 30 August 2013, 02:51:09 UTC | ffv1dec: check that global parameters do not change in version 0/1 Such changes are neither allowed nor supported Found-by: ami_stuff Bug-Id: CVE-2013-7020 CC: libav-stable@libav.org Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit da7d839a0d3ec40423a665dc85e0cfaed3f92eb8) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/ffv1dec.c | 12 August 2014, 10:49:43 UTC |
| 452e343 | Reinhard Tartler | 09 August 2014, 15:22:11 UTC | avcodec: Add more missing #includes for ff_get_buffer() | 09 August 2014, 15:22:11 UTC |
| 5a2d191 | Reinhard Tartler | 09 August 2014, 13:09:24 UTC | Prepare for 0.8.15 Release | 09 August 2014, 13:09:24 UTC |
| e24d1cb | Luca Barbato | 09 August 2014, 12:14:34 UTC | lavf: Fix leftovers from the ff_get_buffer patch The automated script did not perfectly replace all the instances nor added internal.h in all the files requiring it. | 09 August 2014, 12:14:34 UTC |
| c98d164 | Martin Storsjö | 13 November 2012, 17:01:51 UTC | configure: Check for -Werror parameters on clang Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 9eded0fe412e610ee8944681d5c554b723463e96) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> | 09 August 2014, 12:13:49 UTC |
| 0ab76dd | Luca Barbato | 08 August 2014, 16:07:43 UTC | avcodec: Introduce ff_get_buffer Validate the image size there as is done in the other release branches. Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | 09 August 2014, 02:01:15 UTC |
| 042c25f | Reinhard Tartler | 09 August 2014, 00:49:45 UTC | Update Changelog for v0.8.14 | 09 August 2014, 00:49:45 UTC |
| dcc68de | Michael Niedermayer | 04 August 2014, 00:06:51 UTC | vp3: Copy all 3 frames for thread updates Fixes a double release of the current frame on deinit. Bug-Id: CVE-2011-3934 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> | 08 August 2014, 14:04:18 UTC |
| ebe2292 | Luca Barbato | 07 August 2014, 15:10:32 UTC | mpegts: Do not try to write a PMT larger than SECTION_SIZE Prevent out of array write. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org (cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> | 08 August 2014, 12:27:47 UTC |
| d86df7d | Luca Barbato | 03 August 2014, 17:27:07 UTC | mpegts: Define the section length with a constant The specification says the value is expressed in 10 bits including the 4-byte CRC. (cherry picked from commit 694b7cd873f8b06af109036eff1ccd741afdd28e) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Conflicts: libavformat/mpegtsenc.c | 08 August 2014, 12:27:27 UTC |
| a79e58c | Reinhard Tartler | 07 August 2014, 00:24:20 UTC | Update Changelog for v0.8.14 | 07 August 2014, 00:24:58 UTC |
| 4709bae | Reinhard Tartler | 07 August 2014, 00:24:47 UTC | Prepare for 0.8.14 Release | 07 August 2014, 00:24:58 UTC |
| c79cf01 | Michael Niedermayer | 06 August 2014, 17:19:57 UTC | error_concealment: avoid using the picture if not fully setup Fixes state becoming inconsistent and a null pointer dereference. CC: libav-stable@libav.org Bug-Id: CVE-2013-0860 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> | 06 August 2014, 19:29:48 UTC |
| 9d5f4f0 | Anton Khirnov | 03 August 2014, 08:14:48 UTC | svq1: do not modify the input packet The input data must remain constant, make a copy instead. This is in theory a performance hit, but since I failed to find any samples using this feature, this should not matter in practice. Also, check the size of the header, avoiding invalid reads on truncated data. CC:libav-stable@libav.org (cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/svq1dec.c | 06 August 2014, 19:22:05 UTC |
| cf6b2a0 | Anton Khirnov | 06 August 2014, 10:56:34 UTC | cdgraphics: do not return 0 from the decode function 0 means no data consumed, so it can trigger an infinite loop in the caller. CC:libav-stable@libav.org (cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/cdgraphics.c | 06 August 2014, 18:52:28 UTC |
| 3aebdff | Anton Khirnov | 06 August 2014, 10:46:50 UTC | cdgraphics: switch to bytestream2 Fixes possible invalid memory accesses on corrupted data. CC:libav-stable@libav.org Bug-ID: CVE-2013-3674 (cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 06 August 2014, 18:51:49 UTC |
| a1804df | Michael Niedermayer | 02 August 2014, 23:54:33 UTC | huffyuvdec: check width size for yuv422p Avoid out of array accesses. CC: libav-stable@libav.org Bug-Id: CVE-2013-0848 Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb) Signed-off-by: Anton Khirnov <anton@khirnov.net> Conflicts: libavcodec/huffyuvdec.c | 05 August 2014, 20:17:19 UTC |
| e17dc0a | Michael Niedermayer | 03 August 2014, 18:24:18 UTC | mmvideo: check horizontal coordinate too Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 05 August 2014, 19:32:56 UTC |
| 4a66225 | Diego Biurrun | 03 August 2014, 19:19:10 UTC | huffyuv: Check and propagate function return values Bug-Id: CVE-2013-0868 inspired by a patch from Michael Niedermayer <michaelni@gmx.at> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18) Signed-off-by: Diego Biurrun <diego@biurrun.de> Conflicts: libavcodec/huffyuvdec.c | 04 August 2014, 07:24:21 UTC |
| 50493f1 | Mans Rullgard | 01 May 2012, 17:27:19 UTC | twinvq: fix out of bounds array access ModeTab.fmode has only 3 elements, so indexing it with ftype in the initialier for 'size' is invalid when ftype == FT_PPC. This fixes crashes with gcc 4.8. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 01 August 2014, 14:51:18 UTC |
| 3e60501 | Janne Grunau | 05 December 2012, 19:08:01 UTC | h264: slice-mt: check master context for valid current_picture_ptr Fixes errors in slice based multithreading introduced in 0b300daad2f5. CC: libav-stable@libav.org (cherry picked from commit 5945c7b35d9169caf9ecef1c419eebdebb909e60) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 01 August 2014, 14:37:14 UTC |
| 7585a62 | Vittorio Giovara | 30 July 2014, 18:33:36 UTC | h264: prevent theoretical infinite loop in SEI parsing Properly address CVE-2011-3946 and parse bitstream as described in the spec. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | 01 August 2014, 12:40:11 UTC |
| 184c797 | Michael Niedermayer | 19 September 2013, 14:26:25 UTC | h264_sei: check SEI size Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> | 01 August 2014, 12:39:51 UTC |
| a465ed5 | Michael Niedermayer | 31 July 2014, 01:31:19 UTC | pgssubdec: Check RLE size before copying Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 00915d3cd2ce61db3d6dc11f63566630a9aff4ec) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 01 August 2014, 12:19:04 UTC |
| 976f2e0 | Diego Biurrun | 29 August 2012, 09:14:17 UTC | x86: Fix linking with some or all of yasm, mmx, optimizations disabled Some optimized template functions reference optimized symbols, so they must be explicitly disabled when those symbols are unavailable. (cherry picked from commit ec36aa69448f20a78d8c4588265022e0b2272ab5) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 01 August 2014, 01:05:34 UTC |
| 28f2d3c | Diego Biurrun | 29 October 2012, 17:00:14 UTC | cmdutils: Conditionally compile libswscale-related bits This fixes compilation with libswscale disabled. (cherry picked from commit ab799664755c8bc2c439c428ff5b538c105a5c38) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 31 July 2014, 23:44:11 UTC |
| 277103e | Bernhard Übelacker | 27 July 2014, 15:38:59 UTC | video4linux2: Avoid a floating point exception This avoids a segfault in avconv_opt.c:opt_target when trying to determine the norm. (cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 30 July 2014, 20:09:09 UTC |
| e4fdfdf | Diego Biurrun | 29 July 2014, 12:43:04 UTC | vf_select: Drop a debug av_log with an unchecked double to enum conversion CC: libav-stable@libav.org (cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 30 July 2014, 20:06:22 UTC |
| 187cfd3 | Anton Khirnov | 20 July 2014, 12:06:47 UTC | eamad: use the bytestream2 API instead of AV_RL This is safer and possibly fixes invalid reads on truncated data. (cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c) CC:libav-stable@libav.org Conflicts: libavcodec/eamad.c (cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47) Signed-off-by: Diego Biurrun <diego@biurrun.de> | 30 July 2014, 19:42:35 UTC |
| e122fb5 | Reinhard Tartler | 27 June 2014, 01:34:03 UTC | Update Changelog for 0.8.13 | 27 June 2014, 01:34:03 UTC |
| 359383c | Reinhard Tartler | 27 June 2014, 01:33:18 UTC | Prepare for 0.8.13 Release | 27 June 2014, 01:33:18 UTC |
| e7f5dac | Luca Barbato | 19 June 2014, 21:26:58 UTC | lzo: Handle integer overflow get_len can overflow for specially crafted payload. Reported-By: Don A. Baley <donb@securitymouse.com> CC: libav-stable@libav.org (cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Conflicts: libavutil/lzo.c | 25 June 2014, 12:40:56 UTC |
| 9c7321e | Sean McGovern | 02 June 2014, 22:35:25 UTC | sgidec: fix an incorrect backport Signed-off-by: Anton Khirnov <anton@khirnov.net> | 17 June 2014, 19:50:20 UTC |
| 9552b37 | Reinhard Tartler | 01 June 2014, 20:12:58 UTC | Add some bug references | 01 June 2014, 20:12:58 UTC |
| d75b149 | Sean McGovern | 01 June 2014, 18:20:46 UTC | Update Changelog for 0.8.12 | 01 June 2014, 18:20:46 UTC |
| 516ea2d | Reinhard Tartler | 01 June 2014, 00:09:10 UTC | Prepare for 0.8.12 Release | 01 June 2014, 00:09:10 UTC |
| 6f4404b | Janne Grunau | 16 November 2012, 00:12:40 UTC | h264: set parameters from SPS whenever it changes Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with alternating bit depths. | 01 June 2014, 00:07:52 UTC |
| 110680c | Martin Storsjö | 03 September 2013, 08:54:03 UTC | alac: Limit max_samples_per_frame Otherwise buffer size calculations in allocate_buffers could overflow later, making the code think a large enough buffer actually was allocated. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> | 01 June 2014, 00:07:52 UTC |
| 7fa7270 | Luca Barbato | 01 May 2014, 22:21:23 UTC | swscale: Fix an undefined behaviour Prevent a division by zero down the codepath. Sample-Id: 00001721-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org | 01 June 2014, 00:07:52 UTC |
| 65c3593 | Rafaël Carré | 27 August 2013, 15:35:49 UTC | apedec: do not buffer decoded samples over AVPackets Only consume an AVPacket when all the samples have been read. When the rate of samples output is limited (by the default value of max_samples), consuming the first packet immediately will cause timing problems: - The first packet with PTS 0 will output 4608 samples and be consumed entirely - The second packet with PTS 64 will output the remaining samples (typically, a lot, that's why max_samples exist) until the decoded samples of the first packet have been exhausted, at which point the samples of the second packet will be decoded and output when av_decode_frame is called with the next packet). That means there's a PTS jump since the first packet is 'decoded' immediately, which can be seen with avplay or mplayer: the timing jumps immediately to 6.2s (which is the size of a packet). Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape Bug-Debian: http://bugs.debian.org/744901 Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 01 June 2014, 00:07:52 UTC |
| b7b798a | Mark Himsley | 01 November 2013, 11:22:53 UTC | isom: lpcm in mov default to big endian It is my understanding that "Unless otherwise stated, all data in a QuickTime movie is stored in big-endian byte ordering" [1] in MOV files. I have a couple of thousand files, which technically are invalid because their sound sample description element 4CC is 'lpcm' but its version is 0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or twos-complement ('twos') format" [2] Because isom.c only contains a mapping for 4CC 'lpcm' to AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when it is actually BE. This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'. [1] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 21 [2] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 178 Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com> | 01 June 2014, 00:07:52 UTC |
| 5463a2b | Baptiste Coudurier | 21 March 2012, 21:18:16 UTC | movdec: handle 0x7fff langcode as macintosh per the specs The correct point that seperates ISO and MAC language codes is 0x400 according to the current QT spec. Old QT specs did not list where this seperation is but apparently only defined the meaning of the first 137. (cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059) (cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa) | 01 June 2014, 00:07:51 UTC |
| 42dcfe3 | Michael Niedermayer | 02 April 2014, 07:11:10 UTC | avi: Improve non-interleaved detection Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>. Check the index for streams with a time drift of 2s or a buffer drift of 64MB. Bug-Id: 666 CC: libav-stable@libav.org Sample-Id: yet-another-broken-interleaved-avi.avi Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Signed-off-by: Diego Biurrun <diego@biurrun.de> | 01 June 2014, 00:07:51 UTC |
| 079758e | Anton Khirnov | 23 April 2014, 20:26:40 UTC | h264: reset next_output_pic earlier in start_frame() In case start_frame() fails, this potentially invalid frame can still be output to the caller. Bug-Id: 672 Bug-Id: debian/741240 Bug-Id: ubuntu/1288206 | 01 June 2014, 00:07:51 UTC |
| a0a90b1 | Justin Ruggles | 29 September 2013, 23:47:55 UTC | tiffdec: use bytestream2 to simplify overread/overwrite protection Based on a patch by Paul B Mahol <onemda@gmail.com> CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| fa60904 | Justin Ruggles | 29 September 2013, 23:45:57 UTC | bytestream: add bytestream2_copy_buffer() functions This is basically an overread/overwrite-safe memcpy between a GetByteContext and a PutByteContext. CC:libav-stable@libav.org (cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278) | 01 June 2014, 00:05:19 UTC |
| b473fdc | Paul B Mahol | 21 March 2012, 00:10:18 UTC | bytestream: add functions for accessing size of buffer Signed-off-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> CC:libav-stable@libav.org (cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783) | 01 June 2014, 00:05:19 UTC |
| db52f05 | John Stebbins | 03 March 2014, 20:20:15 UTC | movenc: allow override of "writing application" tag Signed-off-by: Tim Walker <tdskywalker@gmail.com> CC: libav-stable@libav.org (cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c) | 01 June 2014, 00:05:19 UTC |
| 330c180 | John Stebbins | 03 March 2014, 20:20:14 UTC | matroskaenc: allow override of "writing application" tag Signed-off-by: Tim Walker <tdskywalker@gmail.com> CC: libav-stable@libav.org (cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d) | 01 June 2014, 00:05:19 UTC |
| 1dce4a0 | Luca Barbato | 05 March 2014, 09:41:33 UTC | avfilter: Add missing emms_c when needed Arch specific calls should have an emms_c following to keep the cpu state consistent. Reported-By: wm4 CC: libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| 9938e45 | Janne Grunau | 24 January 2014, 15:22:44 UTC | mpeg12: check scantable indices in all decode_block functions Add checks to the fast functions used with CODEC_FLAGS2_FAST and move the check for all other functions to before the invalid memory is accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with CODEC_FLAGS2_FAST. CC: libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| 71b8c84 | Anton Khirnov | 02 January 2014, 08:34:20 UTC | sgidec: fix buffer size check in expand_rle_row() Right now it will spuriously fail if the linesize is exactly equal to the data width. CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| d0ecfe3 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | adx: check that the offset is not negative Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 5569146d48f06564e8fa393424782cceed510916) | 01 June 2014, 00:05:19 UTC |
| 07558d0 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | mpegvideo: set reference/pict_type on generated reference frames Otherwise the generic code will unref them, which can then result in last_picture_ptr == current_picture_ptr, which causes deadlocks at least in rv40. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| 27ac958 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: reset data partitioning at the beginning of each decode call Prevents using GetBitContexts with data from previous calls. Fixes access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| 35ba079 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: reset ref count if decoding the slice header fails Otherwise the ER code might try to use some already freed references. Fixes possible access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| a7cce9e | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: reset first_field if frame_start() fails for missing refs In this case we may not have a current frame, while first_field being set implies we do. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| 51ae8e2 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3 Higher modes are not allowed for 16x16/chroma, which is what this function is used for. Otherwise this function would return 0 (vertical prediction) for invalid higher modes, which could result in invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| c4033cd | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: reject mismatching luma/chroma bit depths during sps parsing There is no point in delaying the check and it avoids bugs with a half-initialized context. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:19 UTC |
| 7f33a24 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: check that execute_decode_slices() is not called too many times Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:18 UTC |
| 0f71a5d | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: do not use 422 functions for monochrome Fixes invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:18 UTC |
| 3ee2608 | Anton Khirnov | 28 November 2013, 09:54:35 UTC | h264: reset data_partitioning if decoding the slice header for NAL_DPA fails If it was set before then we can end up trying to decode a slice without a valid slice header, which can lead to invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:18 UTC |
| e0d8a17 | Anton Khirnov | 15 November 2013, 18:06:23 UTC | h264_refs: make sure not to write over the bounds of the default ref list Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org | 01 June 2014, 00:05:18 UTC |
