Commits · 974f9d255d28acfe8b482836e466135bc42a94d0 · sixue.cheng / FFmpeg

30 Jan, 2016 16 commits

avcodec/wmaenc: Check ff_wma_init() for failure · 974f9d25

Michael Niedermayer authored 9 years ago


Fixes null pointer dereference
Fixes: c4faf8280ba366bf00a79d425f2910a8/signal_sigsegv_1f96477_5177_1448ba7e4125faceb966f44ceb69abfa.qcp
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 19e456d4

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

974f9d25

avcodec/mpeg12enc: Move high resolution thread check to before initializing threads · 302f11e7

Michael Niedermayer authored 9 years ago


Cleaner solution is welcome!
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a53fbda9

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

302f11e7

avformat/img2dec: Use AVOpenCallback · 8c2f006d

Michael Niedermayer authored 9 years ago

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b750b67d)

Conflicts:

	libavformat/img2dec.c

8c2f006d

avformat/avio: Limit url option parsing to the documented cases · 3cd17b9b

Michael Niedermayer authored 9 years ago


This feature is not know much or used much AFAIK, and it might be helpfull in
exploits.
No specific case is known where it can be used in an exploit though
subsequent commits depend on this commit though
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 984d58a3

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3cd17b9b

avformat/img2dec: do not interpret the filename by default if a IO context has been opened · 4180a838

Michael Niedermayer authored 9 years ago


With this, user applications which use custom IO and have set a IO context will not have
their already opened IO context ignored and glob/seq being interpreted

Comments and tests from maintainers of user apps are welcome!
Liked-by: wm4 <nfxjfg@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ccedc1c

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

4180a838

avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() · 6fabd858

Michael Niedermayer authored 9 years ago


Fixes: 55d71971da50365d542ed14b65565fe1/signal_sigsegv_4765a4_8499_f146af090a94f591d6254515c7700ef5.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 158f0545

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

6fabd858

mov: Add an option to toggle dref opening · c6ab367d

Derek Buitenhuis authored 9 years ago


This feature is mostly only used by NLE software, and is
both of dubious value being enabled by default, and a
possible security risk.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 712d962a

)

Conflicts:

	libavformat/isom.h
	libavformat/mov.c
	libavformat/version.h
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

c6ab367d

avcodec/gif: Fix lzw buffer size · 40e846bb

Michael Niedermayer authored 9 years ago


Fixes out of array access
Fixes: aaa479088e6fb40b04837b3119f47b04/asan_heap-oob_e38c68_8576_9d653078b2470700e2834636f12ff557.tga

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03d83ba3

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

40e846bb

avcodec/put_bits: Assert buf_ptr in flush_put_bits() · f6755e5e

Michael Niedermayer authored 9 years ago

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ef5de0f

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f6755e5e

avcodec/tiff: Check subsample & rps values more completely · eb087233

Michael Niedermayer authored 9 years ago


Fixes out of array access
Fixes: 83aedfb29af669c4d6e10f1bfad974d2/asan_heap-oob_1ab42fe_4984_9f6ec14462f8d8a00ea24b320572a963.tif

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89f464e9

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

eb087233

swscale/swscale: Add some sanity checks for srcSlice* parameters · 1b6390dd

Michael Niedermayer authored 9 years ago

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 321e85e1

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1b6390dd

swscale/x86/rgb2rgb_template: Fix planar2x() for short width · edc7ef37

Michael Niedermayer authored 9 years ago


Fixes: 451b3e0cf956c0bd2f27ed753ac24050/asan_heap-oob_2873c01_3231_7ed10a9464d15f0d57277f5917c566a8.AVI

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8a9aaab

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

edc7ef37

swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() · 1a88eef9

Michael Niedermayer authored 9 years ago


Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine
Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 757248ea

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1a88eef9

swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() · d3cefc27

Michael Niedermayer authored 9 years ago


Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine
Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad3b6fa7

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

d3cefc27

avcodec/aacenc: Check both channels for finiteness · 9d230f46

Michael Niedermayer authored 9 years ago


Fixes null pointer dereference
Fixes: 10412fc52ecc6eab40ed67f82ca7b372/signal_sigsegv_2618c99_2129_f808373959e46afb165593332799ffbc.aif

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 057549a9)

Conflicts:

	libavcodec/aacenc.c

9d230f46

swscale/swscale-test: Fix slice height in random reference data creation. · 4b17205c
Michael Niedermayer authored 9 years ago
```
Found-by: Pedro Arthur <bygrandao@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
```
4b17205c

28 Jan, 2016 4 commits

dca: fix misaligned access in avpriv_dca_convert_bitstream · 41157f6b

Andreas Cadhalpun authored 9 years ago


src and dst are only 8-bit-aligned, so accessing them as uint16_t causes
SIGBUS crashes on architectures like sparc.

This fixes ubsan runtime error: load of misaligned address for type
'const uint16_t', which requires 2 byte alignment
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 44ac13ee

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

41157f6b

brstm: fix missing closing brace · f106232e

Andreas Cadhalpun authored 9 years ago

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1cb2331e

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

f106232e

brstm: also allocate b->table in read_packet · 269a522a

Andreas Cadhalpun authored 9 years ago


This fixes NULL pointer dereferencing if the codec is forced to
adpcm_thp even though a different one was detected.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bcf4ee26

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

269a522a

brstm: make sure an ADPC chunk was read for adpcm_thp · 496c02a0

Andreas Cadhalpun authored 9 years ago


This fixes NULL pointer dereferencing.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d7d37c47

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

496c02a0

27 Jan, 2016 4 commits

vorbisdec: reject rangebits 0 with non-0 partitions · 6fe77207

Andreas Cadhalpun authored 9 years ago


This causes non-unique elements in floor_setup->data.t1.list, which
makes the stream undecodable according to the specification.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit e7a7b313

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

6fe77207

vorbisdec: reject channel mapping with less than two channels · 00a0c0fd

Andreas Cadhalpun authored 9 years ago


It causes the angle channel number to equal the magnitude channel
number, which makes the stream undecodable according to the
specification.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b4b13848

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

00a0c0fd

ffmdec: reset packet_end in case of failure · a21ec4e1

Andreas Cadhalpun authored 9 years ago


This fixes segmentation faults caused by passing a packet_ptr of NULL to
memcpy.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 40eb2531

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

a21ec4e1

avformat/ipmovie: put video decoding_map_size into packet and use it in decoder · 0c03d860

Paul B Mahol authored 9 years ago


The size of decoding map can differ from one calculated
internally, producing artifacts while decoding video.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit c293ef25

)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

0c03d860

15 Jan, 2016 16 commits

avcodec/wavpackenc: print channel count in av_log call · a697577a

James Almer authored 9 years ago

Fixes a warning with -Wformat-extra-args
(cherry picked from commit 17e7fdf6

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

a697577a

Update for 2.7.5 · 99f3f5a8
Michael Niedermayer authored 9 years ago
```
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
```
99f3f5a8

configure: bump copyright year to 2016 · d4a7e897

James Almer authored 9 years ago

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 78129978

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

d4a7e897

avformat/hls: Even stricter URL checks · e681e92d

Michael Niedermayer authored 9 years ago


This fixes a null pointer dereference at least
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cfda1bea)

Conflicts:

	libavformat/hls.c

e681e92d

avformat/hls: More strict url checks · 123d3568

Michael Niedermayer authored 9 years ago


No case is known where these are needed
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ba42b64

)

Conflicts:

	libavformat/hls.c
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

123d3568

swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls · 119659b7

Michael Niedermayer authored 9 years ago


This avoids running various table inits unnecessarily
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cc538e9d)

Conflicts:

	libswscale/utils.c

119659b7

swscale/yuv2rgb: Increase YUV2RGB table headroom · f0cc6f74

Michael Niedermayer authored 9 years ago


This makes SWS more robust
Fixes: 07650a772d98aa63b0fed6370dc89037/asan_heap-oob_27ddeaf_2657_2c81ff264dee5d9712cb3251fb9c3bbb.264
Fixes: out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8f3a9a8c

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f0cc6f74

swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out · f5060bce

Michael Niedermayer authored 9 years ago

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5e5f82a2

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f5060bce

avformat/hls: forbid all protocols except http(s) & file · cde38373

Maxim Andreev authored 9 years ago

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7145e80b)

Conflicts:

	libavformat/hls.c

cde38373

avformat/aviobuf: Fix end check in put_str16() · a2b234b9

Michael Niedermayer authored 9 years ago


Fixes out of array read
Fixes: 03c406ec9530e594a074ce2979f8a1f0/asan_heap-oob_7dec26_4664_37c52495b2870a2eaac65f53958e76c1.flac

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 115fb6d0

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

a2b234b9

avformat/asfenc: Check pts · f1cdd935

Michael Niedermayer authored 9 years ago


Fixes integer overflow
Fixes: 0063df8be3aaa30dd6d76f59c8f818c8/signal_sigsegv_7b7b59_3634_bf418b6822bbfa68734411d96b667be3.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c0b84d8

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f1cdd935

avcodec/mpeg4video: Check time_incr · 0e3c3651

Michael Niedermayer authored 9 years ago


Fixes assertion failure
Fixes out of memory access

Fixes: test_casex.ivf
Found-by: Tyson Smith <twsmith@mozilla.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c97946d

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

0e3c3651

avcodec/wavpackenc: Check the number of channels · 858f4304

Michael Niedermayer authored 9 years ago


They are stored in a byte, thus more than 255 is not possible
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59c915a4

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

858f4304

avcodec/wavpackenc: Headers are per channel · d0fd9bec

Michael Niedermayer authored 9 years ago


Fixes: 1b8b83a53bfa751f01b1daa65a4758db/signal_sigabrt_7ffff6ae7cb7_7488_403f71d1a2565b598d01b6cb110fac8f.aiff
Fixes: assertion failure

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 26757b02

)

Conflicts:

	libavcodec/wavpackenc.c
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

d0fd9bec

avcodec/aacdec_template: Check id_map · d755045e

Michael Niedermayer authored 9 years ago


Fixes index out of bounds error
Fixes: aac_index_out_of_bounds.wmv
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59086387)

Conflicts:

	libavcodec/aacdec_template.c

d755045e

avcodec/dvdec: Fix "left shift of negative value -254" · 3820c6a9

Michael Niedermayer authored 9 years ago


Fixes: dvdec_left_shift.avi
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93ac72a9

)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3820c6a9

GitLab

Menu