Commit message | Author | Age | Files | Lines
* avformat/idcin: Use 64bit for ret to avoid overflow | Michael Niedermayer | 2015-02-20 | 1 | -1/+1
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit d1923d15a3544cbb94563a59e7169291db76b312)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/h264_slice: ignore SAR changes in slices after the first | Michael Niedermayer | 2015-02-07 | 1 | -1/+3
    Fixes race condition and null pointer dereference
    Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 38d5241b7f36c1571a88517a0650caade16dd5f4)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    Conflicts: libavcodec/h264_slice.c
* avcodec/h264_slice: Check picture structure before setting the related fields | Michael Niedermayer | 2015-02-07 | 1 | -14/+17
    This might fix a hypothetical race condition
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit f111831ed61103f9fa8fdda41473a23da016bdaa)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    Conflicts: libavcodec/h264_slice.c
* avcodec/h264_slice: Do not change frame_num after the first slice | Michael Niedermayer | 2015-02-07 | 1 | -1/+10
    Fixes potential race condition
    Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit f906982c9411f3062e3ce68013309b37c213c4dd)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    Conflicts: libavcodec/h264_slice.c
* avcodec/h264: Be more strict on rejecting pps/sps changes | Michael Niedermayer | 2015-02-06 | 1 | -4/+15
    Fixes race condition
    Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 6fafc62b0bd0e206deb77a7aabbf3a370ad80789)
    Conflicts: libavcodec/h264.c
* avcodec/h264_ps: More completely check the bit depths | Michael Niedermayer | 2015-02-06 | 1 | -1/+3
    Fixes out of array read
    Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4)
    Conflicts: libavcodec/h264_ps.c
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/thp: Check av_get_packet() for failure not only for partial output | Michael Niedermayer | 2015-02-05 | 1 | -0/+2
    Fixes null pointer dereference
    Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* swscale/utils: Limit filter shifting so as not to read from prior the array | Michael Niedermayer | 2015-02-05 | 1 | -2/+3
    Fixes out of array read
    Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/mjpegdec: Check escape sequence validity | Michael Niedermayer | 2015-02-04 | 1 | -0/+4
    Fixes assertion failure
    Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/mjpegdec: Check number of components for JPEG-LS | Michael Niedermayer | 2015-02-04 | 1 | -2/+5
    Fixes out of array accesses
    Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037)
    Conflicts: libavcodec/mjpegdec.c
* avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior | Michael Niedermayer | 2015-02-04 | 1 | -2/+2
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpc8: fix broken pointer math | wm4 | 2015-02-04 | 1 | -1/+1
    This could overflow and crash at least on 32 bit systems.
    Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpc8: fix hang with fuzzed file | wm4 | 2015-02-04 | 1 | -0/+4
    This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well.
    Fixes ticket #4262.
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/tta: fix crash with corrupted files | wm4 | 2015-02-03 | 1 | -2/+9
    av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files.
    The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.)
    Fixes ticket #4294.
    Reviewed-by: Paul B Mahol <onemda@gmail.com>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation | Michael Niedermayer | 2015-02-01 | 1 | -4/+4
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/h264_cabac: use int instead of long for mbb_xy | Michael Niedermayer | 2015-02-01 | 1 | -1/+1
    The mb address fits in int
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 592ba6ec106206f97133c9345313010c76361e12)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/omadec: fix number suffix | Michael Niedermayer | 2015-02-01 | 1 | -1/+1
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit f1f7f5903ab49b84789af5341492afbaba808a70)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/smacker: Fix number suffix | Michael Niedermayer | 2015-02-01 | 1 | -1/+1
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/matroskadec: Fix number suffixes | Michael Niedermayer | 2015-02-01 | 1 | -1/+1
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit fc3cdb00d084222a107e61e7168903bf3d3d0b47)
    Conflicts: libavformat/matroskadec.c
* swresample/dither: Cleanup number suffixes | Michael Niedermayer | 2015-02-01 | 1 | -6/+6
    The <<31 case needs LL
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit c77cc2c1766666cdb5f14daee0f75e397bf7a194)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/utils: Fix number suffixes in tb_unreliable() | Michael Niedermayer | 2015-02-01 | 1 | -2/+2
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191)
    Conflicts: libavformat/utils.c
* avformat/rmdec: Check for overflow in ff_rm_read_mdpr_codecdata() | Michael Niedermayer | 2015-01-18 | 1 | -1/+5
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 03abf55f252945c70f4a79eaf4d609cee4d98710)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* swscale: check memory allocations | Vittorio Giovara | 2015-01-17 | 1 | -7/+11
    Bug-Id: CID 1257779
    (cherry picked from commit 1dd797e3c9f179f957316a0becbec048b42df8aa)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/flac_parser: fix handling EOF if no headers are found | Michael Niedermayer | 2015-01-17 | 1 | -1/+1
    Fixes assertion failure
    Fixes Ticket4269
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* ffmpeg: Clear error message array at init. | Michael Niedermayer | 2015-01-08 | 1 | -1/+1
    This avoids printing uninitialized bytes if no error message is set
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 6d1a2efb8ac399a003ea7d3b6f8c641d192567ee)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/dvdsubdec: fix accessing dangling pointers | wm4 | 2015-01-08 | 1 | -9/+3
    dvdsub_decode() can call append_to_cached_buf() 2 times, the second time with ctx->buf as argument. If the second append_to_cached_buf() reallocs ctx->buf, the argument will be a pointer to the previous, freed block. This can cause invalid reads at least with some fuzzed files - and possibly with valid files.
    Since packets can apparently not be larger than 64K (even if packets are combined), just use a fixed size buffer. It will be allocated as part of the DVDSubContext, and although some memory is "wasted", it's relatively minimal by modern standards and should be acceptable.
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 816577716bc6170bccfea3b9e865618b69a4b426)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/dvdsubdec: error on bitmaps with size 0 | wm4 | 2015-01-08 | 1 | -0/+3
    Attempting to decode them could lead to invalid writes with some fuzzed samples.
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* cmdutils: update copyright year to 2015. | Johan Andersson | 2015-01-06 | 1 | -1/+1
    (cherry picked from commit 3e160652219ff4da433f5672ae1e5f4956abb815)
    Conflicts: cmdutils.c
* avformat/mov: Fix mixed declaration and statement warning | Michael Niedermayer | 2015-01-06 | 1 | -1/+2
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a stale pointer in memory | Michael Niedermayer | 2015-01-06 | 1 | -0/+1
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit bbfca8e84b0e69abba523d665536c0135fc1c00e)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory | Michael Niedermayer | 2015-01-06 | 1 | -4/+4
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* lavfi: check av_strdup() return value | Paul B Mahol | 2015-01-06 | 4 | -0/+8
    Signed-off-by: Paul B Mahol <onemda@gmail.com>
    (cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* mov: Fix negative size calculation in mov_read_default(). | Dale Curtis | 2015-01-06 | 1 | -1/+1
    The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verifies there's enough data in the atom for this to be done.
    Failure to verify causes total_size > atom.size which will result in negative size calculations later on.
    Found-by: Paul Mehta <paul@paulmehta.com>
    Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mov: fix integer overflow in mov_read_udta_string() | Michael Niedermayer | 2015-01-06 | 1 | -1/+1
    Found-by: Paul Mehta <paul@paulmehta.com>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* mov: Avoid overflow with mov_metadata_raw() | Dale Curtis | 2015-01-06 | 1 | -0/+3
    The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators.
    Found-by: Paul Mehta <paul@paulmehta.com>
    Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/dvdsubdec: fix out of bounds accesses | wm4 | 2015-01-05 | 1 | -4/+9
    The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors.
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avfilter/vf_sab: fix filtering tiny images | Michael Niedermayer | 2015-01-05 | 1 | -6/+16
    Fixes out of array reads
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/flvdec: Increase string array size | Michael Niedermayer | 2015-01-01 | 1 | -1/+1
    Fixes parsing httphostheader of Scarlatti\,\ Pieter-Jan\ Belder\ -\ Sonata\ K113\ in\ A\ major\ -\ Alle.flv
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit eb767a276bfdb9a0493bdb0b38203638230b7ccb)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream | Michael Niedermayer | 2015-01-01 | 1 | -3/+3
    Such data streams (which then contain no other packets except the faulty one) confuse some user applications, like VLC
    Works around vlcticket 12389
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff)
    Conflicts: libavformat/flvdec.c
* avformat/cdxl: Fix integer overflow of image_size [n2.1.7] | Michael Niedermayer | 2014-12-31 | 1 | -0/+2
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* Update for 2.1.7 | Michael Niedermayer | 2014-12-30 | 3 | -3/+3
* lavf/segment: remove duplicated and inconsistent cleanup code in seg_write_packet() | Stefano Sabatini | 2014-12-30 | 1 | -6/+0
    In particular, avoid leaving around the seg->avf pointer to a freed structure, and fix crash with:
        ffmpeg -f lavfi -i testsrc -c:v h264 -map 0 -f segment foo-%d.ts
    (cherry picked from commit 169065fbfb3da1ab776379c333aebc54bb1f1bc4)
    Found-by: Qinghao Tang
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atoms | Michael Niedermayer | 2014-12-30 | 1 | -0/+8
    Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations which contains more fixes but is unfinished
    Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 1b5d11240692025f036e945bc37968735679320a)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* mmvideo: check frame dimensions | Anton Khirnov | 2014-12-30 | 1 | -0/+7
    The frame size must be set by the caller and each dimension must be a multiple of 2.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    See: 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e
    These should be redundant, but are backported for safety anyway
    (cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* jvdec: check frame dimensions | Anton Khirnov | 2014-12-30 | 1 | -0/+7
    The frame size must be set by the caller and each dimension must be a multiple of 8.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    See: 105654e376a736d243aef4a1d121abebce912e6b
    These should be redundant, but are backported for safety anyway
    (cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/indeo3: ensure offsets are non negative | Michael Niedermayer | 2014-12-30 | 1 | -1/+2
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/h264: Check *log2_weight_denom | Michael Niedermayer | 2014-12-30 | 1 | -0/+10
    Fixes undefined behavior
    Fixes: signal_sigsegv_14768d2_2248_cov_3629497219_h264_h264___pi_20070614T182942.h264
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 61296d41e2de3b41304339e4631dd44c2e15f805)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/hevc_ps: Check diff_cu_qp_delta_depth | Michael Niedermayer | 2014-12-30 | 1 | -0/+8
    Fixes undefined behavior
    Fixes: asan_static-oob_17aa046_582_cov_1577759978_DBLK_G_VIXS_1.bit
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 3281fa892599d71b4dc298a426af8296419cd90e)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avcodec/h264: Clear delayed_pic on deallocation | Michael Niedermayer | 2014-12-30 | 1 | -0/+1
    Fixes use of freed memory
    Fixes: case5_av_frame_copy_props.mp4
    Found-by: Michal Zalewski <lcamtuf@coredump.cx>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214)
    Conflicts: libavcodec/h264.c
* avcodec/hevc: clear filter_slice_edges() on allocation | Michael Niedermayer | 2014-12-30 | 1 | -1/+1
    This avoids use of uninitialized memory
    Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
    (cherry picked from commit 8aa8d12554868c32436750f881954193087219c8)
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>