aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
Commit message (Collapse)AuthorAgeFilesLines
* avformat/vqf: Use 64bit for ret to avoid overflowMichael Niedermayer2015-02-201-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mvdec: Use 64bit for ret to avoid overflowMichael Niedermayer2015-02-201-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 26c0cc154e06cb0064b3a3da49447ac44d82444f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/gxf: Use 64bit for res to avoid overflowMichael Niedermayer2015-02-201-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/idcin: Use 64bit for ret to avoid overflowMichael Niedermayer2015-02-201-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit d1923d15a3544cbb94563a59e7169291db76b312) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/thp: Check av_get_packet() for failure not only for partial outputMichael Niedermayer2015-02-051-0/+2
| | | | | | | | | | | Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behaviorMichael Niedermayer2015-02-041-2/+2
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpc8: fix broken pointer mathwm42015-02-041-1/+1
| | | | | | | | | | This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpc8: fix hang with fuzzed filewm42015-02-041-0/+4
| | | | | | | | | | | | | | This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/tta: fix crash with corrupted fileswm42015-02-031-2/+9
| | | | | | | | | | | | | | | | | | av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files. The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.) Fixes ticket #4294. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/omadec: fix number suffixMichael Niedermayer2015-02-011-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f1f7f5903ab49b84789af5341492afbaba808a70) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/smacker: Fix number suffixMichael Niedermayer2015-02-011-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/matroskadec: Fix number suffixesMichael Niedermayer2015-02-011-1/+1
| | | | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit fc3cdb00d084222a107e61e7168903bf3d3d0b47) Conflicts: libavformat/matroskadec.c
* avformat/utils: Fix number suffixes in tb_unreliable()Michael Niedermayer2015-02-011-2/+2
| | | | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Conflicts: libavformat/utils.c
* avformat/rmdec: Check for overflow in ff_rm_read_mdpr_codecdata()Michael Niedermayer2015-01-181-1/+5
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 03abf55f252945c70f4a79eaf4d609cee4d98710) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mov: Fix mixed declaration and statement warningMichael Niedermayer2015-01-061-1/+2
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a ↵Michael Niedermayer2015-01-061-0/+1
| | | | | | | | | stale pointer in memory Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit bbfca8e84b0e69abba523d665536c0135fc1c00e) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memoryMichael Niedermayer2015-01-061-4/+4
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* mov: Fix negative size calculation in mov_read_default().Dale Curtis2015-01-061-1/+1
| | | | | | | | | | | | | | | | | The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verfies there's enough data in the atom for this to be done. Failure to verify causes total_size > atom.size which will result in negative size calculations later on. Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mov: fix integer overflow in mov_read_udta_string()Michael Niedermayer2015-01-061-1/+1
| | | | | | | | Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* mov: Avoid overflow with mov_metadata_raw()Dale Curtis2015-01-061-0/+3
| | | | | | | | | | | The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/flvdec: Increase string array sizeMichael Niedermayer2015-01-011-1/+1
| | | | | | | | | Fixes parsing httphostheader of Scarlatti\,\ Pieter-Jan\ Belder\ -\ Sonata\ K113\ in\ A\ major\ -\ Alle.flv Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit eb767a276bfdb9a0493bdb0b38203638230b7ccb) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/flvdec: do not inject dts=0 metadata packets which failed to be ↵Michael Niedermayer2015-01-011-3/+3
| | | | | | | | | | | | | | | parsed into a new data stream Such data streams (which then contain no other packets except the faulty one) confuse some user applications, like VLC Works around vlcticket 12389 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff) Conflicts: libavformat/flvdec.c
* avformat/cdxl: Fix integer overflow of image_sizen2.1.7Michael Niedermayer2014-12-311-0/+2
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* lavf/segment: remove duplicated and inconsistent cleanup code in ↵Stefano Sabatini2014-12-301-6/+0
| | | | | | | | | | | | seg_write_packet() In particular, avoid to leave around the seg->avf pointer to freed structure, and fix crash with: ffmpeg -f lavfi -i testsrc -c:v h264 -map 0 -f segment foo-%d.ts (cherry picked from commit 169065fbfb3da1ab776379c333aebc54bb1f1bc4) Found-by: Qinghao Tang Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atomsMichael Niedermayer2014-12-301-0/+8
| | | | | | | | | | | | Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations which contains more fixes but is unfinished Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1b5d11240692025f036e945bc37968735679320a) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mov: check atom nesting depthMichael Niedermayer2014-12-302-1/+13
| | | | | | | | | | | | | | | | Fixes call stack overflow Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski <lcamtuf@coredump.cx> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210) Conflicts: libavformat/isom.h Conflicts: libavformat/isom.h
* avformat/aviobuf: Check that avio_seek() target is non negativeMichael Niedermayer2014-12-301-0/+3
| | | | | | | | | | Fixes out of array access Suggested-by: Andrew Scherkus <scherkus@google.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/matroskadec: fix handling of recursive SeekHead elementswm42014-12-301-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/rmdec: Check codec_data_sizeMichael Niedermayer2014-12-301-0/+3
| | | | | | | | | | Fixes infinite loop Fixes Ticket4154 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/rsd: make tag_buf string largerClément Bœsch2014-12-191-1/+1
| | | | | | av_get_codec_tag_string() uses more that 1 char for unprintable characters. (cherry picked from commit edbbb11488e1fce9b9703535936d2e1731e2e318)
* avformat/hlsenc: Free context after hls_append_segmentMichael Niedermayer2014-11-281-1/+2
| | | | | | | | | | | | | | | | | | | Fixes reading uninitialized memory Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 530eb6acf8ee867bf00728bf7efaf505da107e17) Conflicts: libavformat/hlsenc.c (cherry picked from commit 0ac22f043bee2f1c4daf5e1044b014326325d929) Conflicts: libavformat/hlsenc.c (cherry picked from commit 134d3e1c0331462ea94c78a5e13a63b20d283653) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpegts: Check desc_len / get8() return codeMichael Niedermayer2014-11-281-1/+1
| | | | | | | | | | | Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/riffenc: Filter out "BottomUp" in ff_put_bmp_header()Benoit Fouet2014-11-281-4/+8
| | | | | | | | | | Fixes Ticket1304 Commit message and extradata size bugfix by commiter Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 6843b9dc78bc966bb30121828ef4f6b6755cf877) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* apetag: Fix APE tag size checkKaterina Barone-Adesi2014-11-281-2/+4
| | | | | | | | | | | | | The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. CC: libav-stable@libav.org Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit c5560e72d0bb69f8a1ac9536570398f84388f396) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/m4vdec: Check for non startcode 00 00 00 sequences in probeMichael Niedermayer2014-11-281-3/+5
| | | | | | | | | | Fixes miss detection of PCM as m4v Fixes Ticket 3928 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 7c1835c52a4be2e4e996f83c91a8d5a147b01100) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/swfdec: Do not change the pixel formatMichael Niedermayer2014-11-281-3/+10
| | | | | | | | | | This is currently not supported Fixes part of Ticket 3539 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit c2430304dfb3cc0e3a59ce6d1b59ebdcc934a0c2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/swfdec: Use side data to communicate w/h changes to the decoderMichael Niedermayer2014-11-281-2/+6
| | | | | | | | | | | | | | Fixes reading from freed data Fixes part of Ticket3539 Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1c55d0ff3202a04ebc67a72d72391104e9bdb633) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit a9734e7d3017ffc9539eaac2a8acce3ad427f746) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* segment: don't access outside seg->frames arrayMika Raento2014-11-281-1/+1
| | | | | | | | | Fixes wrong number of segments output and undefined memory access. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 58e0402e02ae5e466c33b9465c1465fdee68d342) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* oggdec: fix invalid free on errorwm42014-11-281-1/+0
| | | | | | | | | | | | | | | The read_packet callback passes a pointer to a stack-allocated AVPacket. Attempting to free it with av_free() makes no sense. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit b173f5c15572cc82f68128599722e689df4ff137) Conflicts: libavformat/oggdec.c (cherry picked from commit a82401b7284e05e2cf6fb89aeed53738af06a7fd) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/tee: flip assigment directionMichael Niedermayer2014-11-281-1/+1
| | | | | | | | | Found-by: CSA Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 2e6fdcb7f3c86491408a3699f0aa9dc52b7c5686) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/avidec: fix handling dv in aviMichael Niedermayer2014-11-211-1/+4
| | | | | | | Fixes Ticket4086 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f0ae0354d3f04c369257c2a28557524d28c5df15)
* avformat/oggparseopus: Check opus_duration() return valueJames Almer2014-09-111-1/+5
| | | | | | | | | | | Regression since 39d11d599cd292485fe991cd22e10d7a1738b3bc os->pduration would be wrongly assigned a negative value on invalid packets instead of aborting. Signed-off-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit c619e14c314b44d86a8d552259afb957c0b6775d)
* avformat/oggparseopus: calculate pts/dts for initial packets after seekingMichael Niedermayer2014-09-111-0/+30
| | | | | | | | | based on code from oggparsevorbis Fixes Ticket3124 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 7f39352a1b661771cf471986059027acd8e0e31f) Fixes ticket #3943.
* avformat/oggparseopus: factor opus_duration() outMichael Niedermayer2014-09-111-15/+21
| | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 39d11d599cd292485fe991cd22e10d7a1738b3bc)
* avformat/dv: implement fallback in dv_extract_pack()Michael Niedermayer2014-07-171-20/+23
| | | | | | | | | | | | Fixes Ticket2340 Fixes Ticket2341 Based-on mail from Dave Rice <dave@dericed.com> Tested-by: Dave Rice <dave@dericed.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 88f038ac97a875f25c2eceac6d2107a09314984c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat: add av_stream_get_parser() to access avformat AVParserMichael Niedermayer2014-07-142-0/+6
| | | | | | | | | | | | | | | | | | | | The AVStream.parser field is considered private and its location cannot be preserved while preserving also ABI compatibility to libav, as libav added fields before it. Some tools like ffmpeg.c access this field though Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 62227a70f0a4c07d7ead5775d8bad64797f8ef80) Conflicts: RELEASE_NOTES doc/APIchanges libavformat/utils.c libavformat/version.h (cherry picked from commit a78e6363e9a7ef90bd1ff4aeceee8e5501cbc6d4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/utils: do not wait for packets from discarded streams for genptsMichael Niedermayer2014-07-131-1/+2
| | | | | | | | | | Fixes long loop Fixes Ticket3208 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 8202c49b43621c04e26d4a3aa83a10e1e5cc1836) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/mpc: attempt to allocate a packet that is not smaller than the data ↵Michael Niedermayer2014-06-231-1/+1
| | | | | | | | | inside it Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 86a9370e2b91d67375e66a06d6eb573b5a017775) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/cavsvideodec: Fix probing when the file extension is avsMichael Niedermayer2014-06-231-1/+1
| | | | | | | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 52e563bb2f7897d615391520c3c4acba1ee7dcb4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* avformat/flvenc: Do not allow creating h263/mpeg4 in flv without unofficial ↵Michael Niedermayer2014-06-231-0/+12
| | | | | | | | | | format extensions being enabled. Found-by: Jean-Baptiste Kempf <jb@videolan.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 74760883fcb4443d105814ed246b3cf51d7e9dca) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-06 16:37:07 +0000