Commit message    Author    Age    Files    Lines
...
| * h263: more strictly forbid frame size changes with frame-mt.
| |   Author: Ronald S. Bultje  Age: 2012-05-04  Files: 1  Lines: -5/+7
| |   Prevents crashes because the old check was incomplete.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * h264: additional protection against unsupported size/bitdepth changes.
| |   Author: Ronald S. Bultje  Age: 2012-05-04  Files: 2  Lines: -2/+5
| |   Fixes crashes in codepaths not covered by original checks.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   (cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)
| |   Conflicts: libavcodec/h264.c
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * tta: prevents overflows for 32bit integers in header.
| |   Author: Ronald S. Bultje  Age: 2012-05-04  Files: 1  Lines: -3/+5
| |   This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * ttadec: CRC checking
| |   Author: Paul B Mahol  Age: 2012-05-04  Files: 1  Lines: -0/+33
| |   Signed-off-by: Paul B Mahol <onemda@gmail.com>
| |   Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
| |   (cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * tta: use skip_bits_long()
| |   Author: Paul B Mahol  Age: 2012-05-04  Files: 1  Lines: -7/+5
| |   Signed-off-by: Paul B Mahol <onemda@gmail.com>
| |   Signed-off-by: Anton Khirnov <anton@khirnov.net>
| |   (cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* | vqavideodev: Check image dimensions
| |   Author: Michael Niedermayer  Age: 2012-05-03  Files: 1  Lines: -0/+5
| |   Fixes out of heap array read
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
| |   Independently-Found-by: Fabian Yamaguchi
| |   Fixes: CVE-2012-0947
| |   Conflicts: libavcodec/vqavideo.c
* | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10
| |   Author: Michael Niedermayer  Age: 2012-05-03  Files: 22  Lines: -268/+578
|\|   * qatar/release/0.8: (24 commits)
| |     apedec: check bits <= 32.
| |     truemotion: forbid invalid VLC bitsizes and token values.
| |     mov: don't overwrite existing indexes.
| |     truemotion2: handle out-of-frame motion vectors through edge extension.
| |     lzw: prevent buffer overreads.
| |     truemotion2: convert packet header reading to bytestream2.
| |     lagarith: fix buffer overreads.
| |     raw: forward avpicture_fill() error code in raw_decode().
| |     vc1: Do not read from array if index is invalid.
| |     utvideo: port header reading to bytestream2.
| |     bytestream: add more unchecked variants for bytestream2 API
| |     bytestream: K&R formatting cosmetics
| |     bytestream: Add bytestream2 writing API.
| |     aac: Reset PS parameters on header decode failure.
| |     mov: Do not read past the end of the ctts_data table.
| |     xwma: Validate channels and bits_per_coded_sample.
| |     asf: reset side data elements on packet copy.
| |     vqa: check palette chunk size before reading data.
| |     vqavideo: port to bytestream2 API
| |     wmavoice: fix stack overread.
| |     ...
| |   Conflicts: cmdutils.c cmdutils.h libavcodec/lagarith.c libavcodec/truemotion2.c libavcodec/vqavideo.c
| |   Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * apedec: check bits <= 32.
| |   Author: Michael Niedermayer  Age: 2012-04-29  Files: 1  Lines: -1/+4
| |   Fixes a floating-point exception further down.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
| |   Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
| |   (cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * truemotion: forbid invalid VLC bitsizes and token values.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -4/+15
| |   SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid values larger than this in get_vlc2() (max_bits). tokens[][] can be used as an index in deltas[], which has a size of 64, so ensure the values are smaller than that.
| |   This prevents crashes on corrupt bitstreams.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * mov: don't overwrite existing indexes.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -8/+11
| |   Prevents all kind of badness if files contain multiple indexes.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * truemotion2: handle out-of-frame motion vectors through edge extension.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -27/+90
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * lzw: prevent buffer overreads.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -3/+8
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * truemotion2: convert packet header reading to bytestream2.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -23/+31
| |   Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * lagarith: fix buffer overreads.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 2  Lines: -25/+54
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * raw: forward avpicture_fill() error code in raw_decode().
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -1/+4
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * vc1: Do not read from array if index is invalid.
| |   Author: Mashiat Sarker Shakkhar  Age: 2012-04-29  Files: 4  Lines: -6/+22
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
| |   (cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * utvideo: port header reading to bytestream2.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -16/+12
| |   Fixes crash during slice size reading if slice_end goes negative.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * bytestream: add more unchecked variants for bytestream2 API
| |   Author: Paul B Mahol  Age: 2012-04-29  Files: 1  Lines: -0/+32
| |   Signed-off-by: Paul B Mahol <onemda@gmail.com>
| |   Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
| |   (cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * bytestream: K&R formatting cosmetics
| |   Author: Aneesh Dogra  Age: 2012-04-29  Files: 1  Lines: -53/+68
| |   Signed-off-by: Diego Biurrun <diego@biurrun.de>
| |   (cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * bytestream: Add bytestream2 writing API.
| |   Author: Aneesh Dogra  Age: 2012-04-29  Files: 1  Lines: -0/+112
| |   Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
| |   (cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * aac: Reset PS parameters on header decode failure.
| |   Author: Alex Converse  Age: 2012-04-29  Files: 1  Lines: -0/+4
| |   If the next header frame codes zero envelopes the previous frame's values will be used. Consequently the invalid values must be cleared.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * mov: Do not read past the end of the ctts_data table.
| |   Author: Alex Converse  Age: 2012-04-29  Files: 1  Lines: -1/+1
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * xwma: Validate channels and bits_per_coded_sample.
| |   Author: Alex Converse  Age: 2012-04-29  Files: 1  Lines: -0/+11
| |   This prevents a SIGFPE later on.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * asf: reset side data elements on packet copy.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -0/+2
| |   Prevents crash (double free) when free()ing the original packet.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * vqa: check palette chunk size before reading data.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -1/+1
| |   Prevents overreads beyond buffer boundaries.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * vqavideo: port to bytestream2 API
| |   Author: Paul B Mahol  Age: 2012-04-29  Files: 1  Lines: -89/+97
| |   Protects against overreads.
| |   Signed-off-by: Paul B Mahol <onemda@gmail.com>
| |   Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
| |   (cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * wmavoice: fix stack overread.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -2/+3
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * indeo4: fix out-of-bounds function call.
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -1/+2
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
| |   (cherry picked from commit 68fd077f68bdde864bb7328d72a040849c616261)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * Read preset files with suffix .avpreset
| |   Author: Reinhard Tartler  Age: 2012-04-29  Files: 2  Lines: -4/+4
| |   The preset files have been renamed some time ago.
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 050dc127787e91d8ee4b341046c74fe6e74e3285)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * mimic: don't use self as reference, and report completion at end of decode().
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -6/+7
| |   Fixes hangs on corrupt samples that reference self-frames.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit 80387f0e2568746dce4a68e2217297029a053dae)
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| * mpeg4: report frame decoding completion at ff_MPV_frame_end().
| |   Author: Ronald S. Bultje  Age: 2012-04-29  Files: 1  Lines: -2/+1
| |   Prevents hangs on corrupt input.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   CC: libav-stable@libav.org
| |   (cherry picked from commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2)
| |   Conflicts: libavcodec/mpegvideo.c
| |   Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* | h264: use struct offsets in get_cabac_bypass_sign_x86().
| |   Author: Ronald S. Bultje  Age: 2012-04-21  Files: 1  Lines: -8/+11
| |   (cherry picked from commit db025929f202bc32459a1278ee06920a06564762)
* | Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent.
| |   Author: ami_stuff  Age: 2012-04-04  Files: 1  Lines: -1/+1
| |   Fixes an AAC decoding issue with the sample from ticket #213 on machines with SSE but without SSE2. Based on 89411a by Reimar.
| |   (cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928)
* | lavfi/fade: fix black level for non studio-level pixel formats
| |   Author: Stefano Sabatini  Age: 2012-04-04  Files: 1  Lines: -2/+2
| |   Fix trac ticket #1139, regression introduced in 8c1fb50d077d5f954.
| |   (cherry picked from commit 95ce0ddcfe99182365e0e57f5f41d7f1a01c57eb)
* | mpeg4: dont reset picture_num for xvid
| |   Author: Michael Niedermayer  Age: 2012-04-04  Files: 1  Lines: -1/+0
| |   Fixes Ticket1162
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit a4e359a3f98650dab3d2e93f067658e20fa9c0d7)
* | h264: fix seeking in low delay streams without IDR
| |   Author: Michael Niedermayer  Age: 2012-04-04  Files: 1  Lines: -0/+2
| |   Fixes Ticket1165
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 3360b8517a1f478c4102072e5eadd8ba78be0538)
* | Merge remote-tracking branch 'qatar/release/0.8' into release/0.10
| |   Author: Michael Niedermayer  Age: 2012-04-02  Files: 1  Lines: -9/+9
|\|   * qatar/release/0.8:
| |     id3v2: fix skipping extended header in id3v2.4
| |   Conflicts: libavformat/id3v2.c
| |   Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * id3v2: fix skipping extended header in id3v2.4
| |   Author: Anton Khirnov  Age: 2012-04-01  Files: 1  Lines: -2/+11
| |   In v2.4, the length includes the length field itself.
| |   (cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
| |   Signed-off-by: Anton Khirnov <anton@khirnov.net>
* | smacker audio: sign-extend the initial 16-bit predicted value
| |   Author: Franz Brauße  Age: 2012-04-01  Files: 1  Lines: -1/+1
| |   Fixes Bug #265
| |   Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
| |   (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d)
* | mxfdec: Only parse next partition pack if parsing forward
| |   Author: Tomas Härdin  Age: 2012-03-21  Files: 1  Lines: -0/+3
| |   This fixes ticket #1099.
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 393b81f0934866bd7fff0a2b113623dd9ee6808f)
* | pngenc: Fix incorrect mask used for interlaced mode.
| |   Author: Michael Niedermayer  Age: 2012-03-21  Files: 1  Lines: -1/+1
| |   Fixes Ticket1109
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461)
* | Update for 0.10.2 [n0.10.2]
| |   Author: Michael Niedermayer  Age: 2012-03-17  Files: 3  Lines: -3/+3
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | libx264: fix duplicate stats entry
| |   Author: Kelly Anderson  Age: 2012-03-17  Files: 1  Lines: -1/+0
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | Update for 0.10.1 [n0.10.1]
| |   Author: Michael Niedermayer  Age: 2012-03-17  Files: 3  Lines: -2/+4
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | lavfi: port MP swapuv filter
| |   Author: Stefano Sabatini  Age: 2012-03-17  Files: 6  Lines: -1/+101
| |   (cherry picked from commit fa35d880aab1d3ef2b828cae640e43d370e8f0c2)
| |   Conflicts: Changelog libavfilter/version.h
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | jpeglsdec: Prevent out of array write.
| |   Author: Michael Niedermayer  Age: 2012-03-16  Files: 1  Lines: -0/+3
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 00ab9cdae1a96dfea33cd505076a83823f390aa4)
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | proresdec: Fix read via negative index in a global array.
| |   Author: Michael Niedermayer  Age: 2012-03-16  Files: 1  Lines: -1/+1
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 006508032057824a371bec4e629b66f8cbb26c47)
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | diracdec: Correct the bytestream end pointer.
| |   Author: Michael Niedermayer  Age: 2012-03-16  Files: 1  Lines: -1/+1
| |   This fixes some arith decoder overreads and a potential infinite loop.
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 0f13cc732b3752828890b8dff507615cfd454336)
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | diracdec: Check for negative quants which would cause out of array reads.
| |   Author: Michael Niedermayer  Age: 2012-03-16  Files: 1  Lines: -2/+8
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 5cd8afee99c83b62e1474f122d947de7e4ad9ff5)
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | diracdec: Fix integer overflow leading to out of global array read.
| |   Author: Michael Niedermayer  Age: 2012-03-16  Files: 1  Lines: -3/+8
| |   Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
| |   Reviewed-by: Paul B Mahol <onemda@gmail.com>
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| |   (cherry picked from commit 9729f140ae073f1df2041b6c5fd2068592eb9c48)
| |   Signed-off-by: Michael Niedermayer <michaelni@gmx.at>