| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| | |
(cherry picked from commit 0ad522afb3a3b3d22402ecb82dd4609f7655031b)
|
| |
| |
| |
| | |
(cherry picked from commit 9243ec4a508c81a621e941bb7e012e2d45d93659)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes CVE-2011-3937
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)
Conflicts:
libavcodec/h263dec.c
Signed-off-by: Alex Converse <alex.converse@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
each frame.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit bbeb29133b55b7256d18f5aaab8b5c8e919a173a)
|
| |
| |
| |
| |
| | |
TIFF v6.0 (unimplemented) adds signed equivalents.
(cherry picked from commit e32548d1331ce05a054f1028fcdda8823a4f215a)
|
| |
| |
| |
| |
| |
| |
| | |
Fixes: CVE-2011-3951
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
|
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba)
|
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924457cb4fd81897bd39ab3cc5b699588)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
That way all mix levels as exported by avpriv_ac3_parse_header()
will have the same meaning.
Previously the 3-bit center mix level for E-AC-3 was used to index in a
4-entry table, leading to out-of-array reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e6d9fa66f12cf5a3024c9bc7c4c608f7fc59207e)
|
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 29a20ac4a19df5acc0eef306ca5a737778a31358)
|
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 034b03e7a0e8e4f8f66c82b736f2c0aa7c063ec0)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found with asan.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
dv: check stype
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of clipping extrasize based on EXTRABYTES, clip based on the
amount of buffer actually left. Without this fix, there are warbles
and other distortions in the test case below.
http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3
(cherry picked from commit b7165426917f91ebcad84bdff366824f03b32bfe)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In some cases, what is left to read from ptr is smaller than EXTRABYTES.
Based on a patch by Thierry Foucu <tfoucu@gmail.com>.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit f372ce119bd2458fa0b4ddfb2af3a36621df99f7)
|
| |
| |
| |
| |
| |
| |
| | |
There are many places where we read an unchecked 4-bit index into it.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit dfa37fe8a3d9243dd339d94befa065e2c90b29e6)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes CVE-2011-3945
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Related to CVE-2011-3940.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)
Conflicts:
libavformat/nsvdec.c
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes clipping if the encoder input used the full 16 bit
input range (samples with a magnitude below 16383 worked fine).
The filtered subband samples should be 15 bit maximum, while
the code earlier produced them scaled to 16 bit.
This makes the decoder output have double the magnitude
compared to before.
The spec reference samples doesn't test the QMF at all, which
was why this part slipped past initially.
(cherry picked from commit b087ce2bee81db8cc5caffb8f0a4f6c7c92a30fe)
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We need to do unsigned saturation in order to cover the corner case when the
absolute coefficient value is 16777215 (the maximum value).
Fixes Bug #216
(cherry picked from commit d483bb58c318b0a6152709cf28263d72200b98f9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit c9dbac36ad4bac07f6c1d06d465e361ab55bcb95)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| | |
(cherry picked from commit b0c4f04338234ee011d7b704621347ef232294fe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This prevents us from reading before the start of the buffer, and thus
prevents crashes resulting from this behaviour. Fixes bug 237.
(cherry picked from commit 291c9b62855d555ac5385e23219461b6080da7db)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d1604b3de96575195b219028e2c4f08b2259aa7d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.
CC:libav-stable@libav.org
(cherry picked from commit 51ddf35c9017018e58c15275ff5b129647a0c94d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ff_wma_init() allows up to 50kHz, but this generates an exponent band
size table that requires 65 bands. The code assumes 25 bands in many
places, and using sample rates higher than 48kHz will lead to buffer
overwrites.
CC:libav-stable@libav.org
(cherry picked from commit 1ec075cfecac01f9a289965db06f76365b0b1737)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is near the theoretical limit for wma frame size and is the most that
our decoder can handle. Allowing higher bit rates will just end up padding
each frame with empty bytes.
Fixes invalid writes for avconv when using very high bit rates.
CC:libav-stable@libav.org
(cherry picked from commit c2b8dea1828f35c808adcf12615893d5c740bc0a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The maximum theoretical frame size is around 17000 bytes. Although in
practice it will generally be much smaller, we require a larger buffer
just to be safe.
CC: libav-stable@libav.org
(cherry picked from commit dfc4fdedf8cfc56a505579b1f2c1c5efbce4b97e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4df369692ea8aee7094ac0f233cef8d1bee139a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows it to be used with get_bits without the thread of overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1aa708988ac131cf7d5c8bd59aca256a7c974df9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prevents warnings because the dst and src overlap (are the same) in the
memcpy() inside the function.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9d87374ec0f382c8394ad511243db6980afa42af)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prevents using the invalid mode as an index in a static array, which
would generate invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 154b8bb80029e71d562e8936164266300dd35a0e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 349b7977e408f18cff01ab31dfa66c8249b6584a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
buffer size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Useful to return instead of -1 when the cause of the error is unknown,
typically from an external library.
(cherry picked from commit c9bca801324f03746757aef8549ebd26599adec2)
Conflicts:
doc/APIchanges
libavutil/avutil.h
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes invalid reads while initializing the dequant tables, which uses
the bit depth to determine the QP table size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|