path: root/libavcodec
Commit message | Author | Age | Files | Lines
* h264: reset first_field if frame_start() fails for missing refs | Anton Khirnov | 2014-04-14 | 1 | -1/+3
  In this case we may not have a current frame, while first_field being set implies we do.
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3 | Anton Khirnov | 2014-04-14 | 1 | -3/+3
  Higher modes are not allowed for 16x16/chroma, which is what this function is used for. Otherwise this function would return 0 (vertical prediction) for invalid higher modes, which could result in invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* h264: reject mismatching luma/chroma bit depths during sps parsing | Anton Khirnov | 2014-04-14 | 2 | -6/+5
  There is no point in delaying the check and it avoids bugs with a half-initialized context.
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* h264: check that execute_decode_slices() is not called too many times | Anton Khirnov | 2014-04-14 | 1 | -0/+6
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 9eef9eb3014b2ed9c3ff4aac510a9f04edb555cf)
* h264: do not use 422 functions for monochrome | Anton Khirnov | 2014-04-14 | 6 | -30/+30
  Fixes invalid memory access.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* h264: reset data_partitioning if decoding the slice header for NAL_DPA fails | Anton Khirnov | 2014-04-14 | 1 | -1/+6
  If it was set before then we can end up trying to decode a slice without a valid slice header, which can lead to invalid memory access.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 58312b2472d3a44d7458865c459d59ef2e02bf1a)
* h264_refs: make sure not to write over the bounds of the default ref list | Anton Khirnov | 2014-04-14 | 1 | -10/+18
  Fixes invalid writes.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* h264: check buffer size before accessing it | Anton Khirnov | 2014-04-14 | 1 | -1/+1
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6 | Janne Grunau | 2014-03-08 | 1 | -6/+4
  The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41 broke the computation for the last row since it prevented the safe reading from the height+1-th row.
* arm: hpeldsp: prevent overreads in armv6 asm | Janne Grunau | 2014-03-05 | 1 | -8/+12
  Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>
  Bug-Id: 646
  CC: libav-stable@libav.org
* ituh263: reject b-frame with pp_time = 0 | Keiji Costantini | 2014-03-02 | 1 | -0/+2
  Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.
  Sample-Id: 00000168-google
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
  (cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
  (cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)
* lagarith: reallocate rgb_planes when needed | Anton Khirnov | 2014-02-28 | 1 | -6/+6
  Fixes invalid writes on pixel format changes.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)
* truemotion1: check the header size | Anton Khirnov | 2014-02-28 | 1 | -0/+5
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)
* shorten: pad the internal bitstream buffer | Anton Khirnov | 2014-02-28 | 1 | -1/+1
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)
* h264: Fix a typo from the previous commit | Luca Barbato | 2014-02-28 | 1 | -1/+1
  f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +
  CC: libav-stable@libav.org
  (cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
  (cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
* h264: Lower bound check for slice offsets | Vittorio Giovara | 2014-02-28 | 2 | -12/+14
  And use the value from the specification.
  Sample-Id: 00000451-google
  Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
  Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
  (cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
  (cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)
  Conflicts:
      libavcodec/h264.c
* Add missing header to fix compilation after d2a0654 | Anton Khirnov | 2014-02-28 | 1 | -0/+1
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* rpza: limit the number of blocks to the total remaining blocks in the frame | Anton Khirnov | 2014-02-14 | 1 | -0/+3
  Fixes invalid writes.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
  Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* vc1: Always reset numref when parsing a new frame header. | Michael Niedermayer | 2014-02-01 | 1 | -2/+1
  Fixes an issue where the B-frame coding mode switches from interlaced fields to interlaced frames, causing incorrect decisions in the motion compensation code and resulting in visual artifacts.
  CC: libav-stable@libav.org
  Signed-off-by: Tim Walker <tdskywalker@gmail.com>
  (cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* h264: reset num_reorder_frames if it is invalid | Anton Khirnov | 2014-02-01 | 1 | -1/+3
  An invalid VUI is not considered a fatal error, so the SPS containing it may still be used. Leaving an invalid value of num_reorder_frames there can result in writing over the bounds of H264Context.delayed_pic.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
  Conflicts:
      libavcodec/h264_ps.c
* h264: check that an IDR NAL only contains I slices | Anton Khirnov | 2014-02-01 | 1 | -0/+6
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* h264_cavlc: check the size of the intra PCM data. | Anton Khirnov | 2014-02-01 | 1 | -0/+4
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* h263: Check init_get_bits return value | Michael Niedermayer | 2014-02-01 | 1 | -11/+17
  And use init_get_bits8 to check for integer overflows while at it.
  CC: libav-stable@libav.org
  Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* cavsdec: check ff_get_buffer() return value | Anton Khirnov | 2014-02-01 | 1 | -1/+4
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
* cavs: Check for negative cbp | Luca Barbato | 2014-02-01 | 1 | -3/+3
  Sample-Id: 00000647-google
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
* vmnc: Check the cursor dimensions | Luca Barbato | 2014-02-01 | 1 | -3/+20
  And manage the reallocation failure path.
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
  (cherry picked from commit 5e992a4682d2c09eed3839c6cacf70db3b65c2f4)
* vmnc: Port to bytestream2 | Luca Barbato | 2014-02-01 | 1 | -75/+57
  Fix some buffer overreads.
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
* vmnc: K&R formatting cosmetics | Luca Barbato | 2014-02-01 | 1 | -157/+195
  Signed-off-by: Diego Biurrun <diego@biurrun.de>
* flashsv: Check diff_start diff_height values | Michael Niedermayer | 2014-02-01 | 1 | -0/+6
  Fix out of array accesses.
  Found-by: ami_stuff
  Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
  Addresses: CVE-2013-7015
  (cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* dsputil/pngdsp: fix signed/unsigned type in end comparison | Michael Niedermayer | 2014-02-01 | 2 | -3/+3
  Fixes out of array accesses and integer overflows.
  (cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
  Addresses: CVE-2013-7010, CVE-2013-7014
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* prores: Error out only on surely incomplete ac_coeffs | Luca Barbato | 2014-01-13 | 1 | -1/+1
  (cherry picked from commit 2df7f7714a12a59d31058aba15fb1e348e36b0ab)
  Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* shorten: Fix out-of-array read | Tim Walker | 2014-01-06 | 1 | -1/+1
  pred_order == FF_ARRAY_ELEMS(fixed_coeffs) is invalid too.
  Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
  (cherry picked from commit 5f5ada3dbf97e306a74250ba8dcf8619ad59b020)
  Signed-off-by: Tim Walker <tdskywalker@gmail.com>
* prores: Add a codepath for decoding errors | Luca Barbato | 2014-01-06 | 1 | -30/+42
  (cherry picked from commit 44690dfa683f620c77e9f0e8e9bc5682608636b1)
  Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
* shorten: Extend fixed_coeffs to properly support pred_order 0 | Luca Barbato | 2014-01-05 | 1 | -2/+8
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
  (cherry picked from commit b2148faca9e9e553c14b27844b56e367c85a777e)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* prores: Reject negative run and level values | Luca Barbato | 2014-01-05 | 1 | -0/+4
  Sample-Id: 00000611-google
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
  (cherry picked from commit c0de9a23c7080e2fac8f879b9d9a0ce2b64ea953)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* indeo4: Check the inherited quant_mat | Luca Barbato | 2014-01-05 | 1 | -4/+12
  Invalidate it if not supported.
  Sample-Id: 00000262-google
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
  (cherry picked from commit c9ef6b09326a24010bf86d6b0d19cfa42df4d546)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
  Conflicts:
      libavcodec/indeo4.c
* indeo4: Check the block size if reusing the band configuration | Luca Barbato | 2014-01-05 | 1 | -0/+8
  Sample-Id: 00000287-google
  Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC: libav-stable@libav.org
  (cherry picked from commit 0cb83c563848bf8f8365e7bd30e7e6b57ef360f0)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* ffv1: Assume bitdepth 0 means 8bit | Luca Barbato | 2014-01-05 | 1 | -0/+1
  CC: libav-stable@libav.org
  Reported-by: debian/726189
  (cherry picked from commit a90905db2e6ab1840890f3a88bfd3bf008b9d886)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* motionpixels: clip VLC codes. | Anton Khirnov | 2014-01-05 | 1 | -0/+1
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit ca41c72c6d9515d9045bd3b68104525dee81b8d0)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* truemotion1: make sure index does not go out of bounds | Anton Khirnov | 2014-01-05 | 1 | -8/+17
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit c918e08b9cc9ce8d06159c51da55ec5ab018039a)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* pcx: round up in bits->bytes conversion in a buffer size check | Anton Khirnov | 2014-01-05 | 1 | -1/+1
  Fixes invalid reads.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 430d12196432ded13f011a3bf7690f03c9b2e5d6)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* ac3dec: fix outptr increment. | Michael Niedermayer | 2014-01-05 | 1 | -1/+1
  Fixes corrupt data errors when downmixing in the AC-3 decoder.
  Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
  Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
  CC:libav-stable@libav.org
  (cherry picked from commit 6c82c87dbbc0582658968eae46cfebeea90a9c5e)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* mpegvideo: Drop a faulty assert | Luca Barbato | 2014-01-05 | 1 | -2/+6
  That check is easily reachable by faulty input.
  CC:libav-stable@libav.org
  Reported-by: Torsten Sadowski <tsadowski@gmx.net>
  (cherry picked from commit 72072bf9de3241848ea86f68d2297b7a5d6ad49b)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* lzw: switch to bytestream2 | Anton Khirnov | 2014-01-05 | 1 | -16/+11
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit e89aa4bf56e5b5c45f569eb12733519789e057da)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* gifdec: convert to bytestream2 | Anton Khirnov | 2014-01-05 | 3 | -38/+38
  (cherry picked from commit 1f3e56b6dcc163a705704e98569d4850a31d651c)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* gifdec: check that the image dimensions are non-zero | Anton Khirnov | 2014-01-05 | 1 | -2/+5
  Also add an error message and return a more suitable error code (INVALIDDATA, not EINVAL);
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit c453723ad7d14abc5e82677eebaa6025fa598f08)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* gifdec: return meaningful error codes. | Anton Khirnov | 2014-01-05 | 1 | -14/+15
  (cherry picked from commit 048ffb9bb26f30f1995400b8cd3809221ba03441)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* eacmv: check the framerate before setting it. | Anton Khirnov | 2014-01-05 | 1 | -3/+4
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit 24057c83207d6ea8bfd824155ac37be8a33dfd0c)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
  Conflicts:
      libavcodec/eacmv.c
* rv30: fix extradata size check. | Anton Khirnov | 2014-01-05 | 1 | -5/+9
  It has been checking the number of bits in the offset instead of the actual offset.
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  CC:libav-stable@libav.org
  (cherry picked from commit a6a2282c25abe43e352010a7c3fbc92994c0bc1c)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* vc1: Reset numref if fieldmode is not set | Kostya Shishkov | 2014-01-05 | 1 | -0/+2
  There are samples in the wild with B-frames and P-frames with different interlace mode.
  CC: libav-stable@libav.org
  Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
  Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
  (cherry picked from commit de44dfc7c0ec02bda7d846ef713145c890bfae3f)
  Signed-off-by: Reinhard Tartler <siretart@tauware.de>