Commits · c98d164a6a2c3d93bfb10d44c946bc3ed56f14e7 · sixue.cheng / FFmpeg

09 Aug, 2014 3 commits

configure: Check for -Werror parameters on clang · c98d164a

Martin Storsjö authored 12 years ago

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9eded0fe

)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

c98d164a

avcodec: Introduce ff_get_buffer · 0ab76ddf

Luca Barbato authored 10 years ago

Validate the image size there as is done in the other release
branches.

Bug-Id: CVE-2011-3935
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

0ab76ddf

Update Changelog for v0.8.14 · 042c25f5
Reinhard Tartler authored 10 years ago

042c25f5

08 Aug, 2014 3 commits

vp3: Copy all 3 frames for thread updates · dcc68de9

Michael Niedermayer authored 10 years ago


Fixes a double release of the current frame on deinit.

Bug-Id: CVE-2011-3934
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>

dcc68de9

mpegts: Do not try to write a PMT larger than SECTION_SIZE · ebe2292e

Luca Barbato authored 10 years ago

Prevent out of array write.

Similar to what Michael Niedermayer did to address the same issue.

Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
(cherry picked from commit addbaf13

)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

ebe2292e

mpegts: Define the section length with a constant · d86df7dd

Luca Barbato authored 10 years ago

The specification says the value is expressed in 10 bits including
the 4-byte CRC.

(cherry picked from commit 694b7cd8

)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	libavformat/mpegtsenc.c

d86df7dd

07 Aug, 2014 2 commits
- Update Changelog for v0.8.14 · a79e58cd
  Reinhard Tartler authored 10 years ago
  
  a79e58cd
- Prepare for 0.8.14 Release · 4709baec
  Reinhard Tartler authored 10 years ago
  
  4709baec
06 Aug, 2014 4 commits

error_concealment: avoid using the picture if not fully setup · c79cf012

Michael Niedermayer authored 10 years ago


Fixes state becoming inconsistent and a null pointer dereference.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0860
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>

c79cf012

svq1: do not modify the input packet · 9d5f4f02

Anton Khirnov authored 10 years ago

The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.

Also, check the size of the header, avoiding invalid reads on truncated
data.

CC:libav-stable@libav.org
(cherry picked from commit 7b588bb6

)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavcodec/svq1dec.c

9d5f4f02

cdgraphics: do not return 0 from the decode function · cf6b2a0a

Anton Khirnov authored 10 years ago

0 means no data consumed, so it can trigger an infinite loop in the
caller.

CC:libav-stable@libav.org
(cherry picked from commit c7d9b473

)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavcodec/cdgraphics.c

cf6b2a0a

cdgraphics: switch to bytestream2 · 3aebdffb

Anton Khirnov authored 10 years ago

Fixes possible invalid memory accesses on corrupted data.

CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f

)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

3aebdffb

05 Aug, 2014 2 commits

huffyuvdec: check width size for yuv422p · a1804df6

Michael Niedermayer authored 10 years ago


Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a7153444

)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavcodec/huffyuvdec.c

a1804df6

mmvideo: check horizontal coordinate too · e17dc0a2

Michael Niedermayer authored 10 years ago


Fixes out of array accesses.

Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 70cd3b8e

)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

e17dc0a2

04 Aug, 2014 1 commit

huffyuv: Check and propagate function return values · 4a662255

Diego Biurrun authored 10 years ago

Bug-Id: CVE-2013-0868

inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

(cherry picked from commit 744b406f

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

Conflicts:
	libavcodec/huffyuvdec.c

4a662255

01 Aug, 2014 6 commits

twinvq: fix out of bounds array access · 50493f1f

Mans Rullgard authored 13 years ago


ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.

This fixes crashes with gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4bf2e7c5

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

50493f1f

h264: slice-mt: check master context for valid current_picture_ptr · 3e60501f

Janne Grunau authored 12 years ago

Fixes errors in slice based multithreading introduced in 0b300daa.

CC: libav-stable@libav.org
(cherry picked from commit 5945c7b3

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

3e60501f

h264: prevent theoretical infinite loop in SEI parsing · 7585a625

Vittorio Giovara authored 10 years ago

Properly address CVE-2011-3946 and parse bitstream as described in the spec.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

7585a625

h264_sei: check SEI size · 184c7972

Michael Niedermayer authored 11 years ago

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>

184c7972

pgssubdec: Check RLE size before copying · a465ed57

Michael Niedermayer authored 10 years ago


Make sure the buffer size does not exceed the expected
RLE size.

Prevent an out of array bound write.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 00915d3c

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

a465ed57

x86: Fix linking with some or all of yasm, mmx, optimizations disabled · 976f2e0a

Diego Biurrun authored 12 years ago

Some optimized template functions reference optimized symbols, so they
must be explicitly disabled when those symbols are unavailable.

(cherry picked from commit ec36aa69

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

976f2e0a

31 Jul, 2014 1 commit

cmdutils: Conditionally compile libswscale-related bits · 28f2d3c5

Diego Biurrun authored 12 years ago

This fixes compilation with libswscale disabled.

(cherry picked from commit ab799664

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

28f2d3c5

30 Jul, 2014 3 commits

video4linux2: Avoid a floating point exception · 277103e0

Bernhard Übelacker authored 10 years ago

This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.

(cherry picked from commit dc71f195

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

277103e0

vf_select: Drop a debug av_log with an unchecked double to enum conversion · e4fdfdf6
Diego Biurrun authored 10 years ago
```
CC: libav-stable@libav.org
(cherry picked from commit a8d803a3

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
```
e4fdfdf6

eamad: use the bytestream2 API instead of AV_RL · 187cfd3c

Anton Khirnov authored 11 years ago

This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab)

CC:libav-stable@libav.org

Conflicts:
	libavcodec/eamad.c

(cherry picked from commit f9204ec5

)
Signed-off-by: Diego Biurrun <diego@biurrun.de>

187cfd3c

27 Jun, 2014 2 commits
- Update Changelog for 0.8.13 · e122fb59
  Reinhard Tartler authored 11 years ago
  
  e122fb59
- Prepare for 0.8.13 Release · 359383c9
  Reinhard Tartler authored 11 years ago
  
  359383c9
25 Jun, 2014 1 commit

lzo: Handle integer overflow · e7f5dacd

Luca Barbato authored 11 years ago


get_len can overflow for specially crafted payload.
Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b1

)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	libavutil/lzo.c

e7f5dacd

17 Jun, 2014 1 commit
- sgidec: fix an incorrect backport · 9c7321e2
  Sean McGovern authored 11 years ago
```
Signed-off-by: Anton Khirnov <anton@khirnov.net>
```
  9c7321e2
01 Jun, 2014 11 commits

Add some bug references · 9552b37e
Reinhard Tartler authored 11 years ago

9552b37e
Update Changelog for 0.8.12 · d75b1497
Sean McGovern authored 11 years ago

d75b1497
Prepare for 0.8.12 Release · 516ea2dc
Reinhard Tartler authored 11 years ago

516ea2dc
h264: set parameters from SPS whenever it changes · 6f4404b2
Janne Grunau authored 12 years ago
```
Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with
alternating bit depths.
```
6f4404b2

alac: Limit max_samples_per_frame · 110680c5

Martin Storsjö authored 11 years ago


Otherwise buffer size calculations in allocate_buffers could
overflow later, making the code think a large enough buffer
actually was allocated.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>

110680c5

swscale: Fix an undefined behaviour · 7fa72700

Luca Barbato authored 11 years ago

Prevent a division by zero down the codepath.

Sample-Id: 00001721-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

7fa72700

apedec: do not buffer decoded samples over AVPackets · 65c35937

Rafaël Carré authored 11 years ago

Only consume an AVPacket when all the samples have been read.

When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:

- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exist) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet).

That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).

Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape

Bug-Debian: http://bugs.debian.org/744901

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb8

)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

65c35937

isom: lpcm in mov default to big endian · b7b798a1

Mark Himsley authored 11 years ago

It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.

I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]

Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.

This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.

[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf


page 178
Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>

b7b798a1

movdec: handle 0x7fff langcode as macintosh per the specs · 5463a2b0

Baptiste Coudurier authored 13 years ago

The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.

(cherry picked from commit 9e71cc81)
(cherry picked from commit 7940306a)

5463a2b0

avi: Improve non-interleaved detection · 42dcfe32

Michael Niedermayer authored 11 years ago


Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.

Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.

Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>

42dcfe32

h264: reset next_output_pic earlier in start_frame() · 079758e4

Anton Khirnov authored 11 years ago

In case start_frame() fails, this potentially invalid frame can still be
output to the caller.

Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206

079758e4

GitLab

Menu