platform/upstream/libav.git
7 years agoFix out of bounds read. 02/100402/2 accepted/tizen_common accepted/tizen_ivi accepted/tizen_mobile accepted/tizen_tv accepted/tizen_wearable accepted/tizen/common/20161129.173556 accepted/tizen/ivi/20161130.015423 accepted/tizen/mobile/20161130.015203 accepted/tizen/tv/20161130.015249 accepted/tizen/unified/20170309.035748 accepted/tizen/wearable/20161130.015338 submit/tizen/20161129.052917 submit/tizen_unified/20170308.100413
Jiyong Min [Mon, 28 Nov 2016 05:19:02 +0000 (14:19 +0900)]
Fix out of bounds read.
(Apply security patch for CVE-2016-7424)

 - Referenced

 The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav 11.7 and earlier allows remote
 attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted MP3 file
 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7424

 - Solution

 https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee
 Fix out of bounds read.

Change-Id: I20a5beb71b95b0286f89a66441d07fce7d21de9a
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
8 years agoSwitch off inline asm for ASan build 14/88714/1 accepted/tizen/3.0/common/20161114.110931 accepted/tizen/3.0/ivi/20161011.044314 accepted/tizen/3.0/mobile/20161015.033423 accepted/tizen/3.0/tv/20161016.004457 accepted/tizen/3.0/wearable/20161015.083214 accepted/tizen/common/20160928.163932 accepted/tizen/ivi/20160930.040744 accepted/tizen/mobile/20160930.040416 accepted/tizen/tv/20160930.040554 accepted/tizen/wearable/20160930.040653 submit/tizen/20160928.043825 submit/tizen_3.0_common/20161104.104000 submit/tizen_3.0_ivi/20161010.000003 submit/tizen_3.0_mobile/20161015.000003 submit/tizen_3.0_tv/20161015.000002 submit/tizen_3.0_wearable/20161015.000003
Slava Barinov [Tue, 20 Sep 2016 09:42:22 +0000 (12:42 +0300)]
Switch off inline asm for ASan build

Change-Id: I4b89e401c3923366c0fcf966a1c3841d86575752
Signed-off-by: Slava Barinov <v.barinov@samsung.com>
8 years agoAdd CVE-2015-5479 patch 87/88687/1 accepted/tizen/common/20160921.162212 accepted/tizen/ivi/20160922.042621 accepted/tizen/mobile/20160922.042334 accepted/tizen/tv/20160922.042456 accepted/tizen/wearable/20160922.042543 submit/tizen/20160921.041639
Minje Ahn [Tue, 20 Sep 2016 08:28:35 +0000 (17:28 +0900)]
Add CVE-2015-5479 patch

Change-Id: Iac970866a602f3d66b1bfc6f6b2a5c050950ff8c
Signed-off-by: Minje Ahn <minje.ahn@samsung.com>
8 years agoStore build_date in .tizen.build-id section to avoid unnecessary rebuilds 46/86146/1 accepted/tizen/common/20160831.162119 accepted/tizen/ivi/20160901.065307 accepted/tizen/mobile/20160901.065050 accepted/tizen/tv/20160901.065143 accepted/tizen/wearable/20160901.065220 submit/tizen/20160831.052250
Junghyun Kim [Tue, 30 Aug 2016 10:56:02 +0000 (19:56 +0900)]
Store build_date in .tizen.build-id section to avoid unnecessary rebuilds

- PROBLEM
We use OBS to build packages in Tizen.
There is a mechanism not to rebuild if the result binary is the same.
For example, there is a dependency graph: A->B->C.
If A is modified, B would be built.
If the result RPM of B is not changed, OBS does not trigger a build of C.
To effectively use this mechanism, each packages make sure that
the result binary should be the same if the input source is the same.

This package uses __DATE__ and __TIME__ which make the result binary
is different everytime it is built.
To efficiently utilize OBS build mechanism and to modify the package
as little as possible, I propose to store this macro in .tizen.build-id
section. OBS build-compare tool does not check *.build-id section
in the binary.

Change-Id: Icc1b62f5f56506d64deae3a5fadabb82eca6f1e6
Signed-off-by: Junghyun Kim <jh0822.kim@samsung.com>
8 years agoDefense of system crash due to damaged random file. (ffmpeg 2.8.1 patch) 06/82206/1 accepted/tizen/common/20160805.130136 accepted/tizen/ivi/20160808.081142 accepted/tizen/mobile/20160808.080755 accepted/tizen/tv/20160808.080949 accepted/tizen/wearable/20160808.081055 submit/tizen/20160805.054353
Minje Ahn [Mon, 1 Aug 2016 23:57:51 +0000 (08:57 +0900)]
Defense of system crash due to damaged random file. (ffmpeg 2.8.1 patch)

Change-Id: Id0eced23749b7f4dd37b92f095f021f43561e282
Signed-off-by: Minje Ahn <minje.ahn@samsung.com>
8 years ago[CVE patch] CVE-2016-2636 in libav version 11.7 95/76195/1 accepted/tizen/common/20160627.191537 accepted/tizen/common/20160629.222525 accepted/tizen/ivi/20160629.020735 accepted/tizen/mobile/20160629.020842 accepted/tizen/tv/20160629.020755 accepted/tizen/wearable/20160629.020818 submit/tizen/20160623.064645 submit/tizen/20160628.080717
Jiyong Min [Thu, 23 Jun 2016 06:21:19 +0000 (15:21 +0900)]
[CVE patch] CVE-2016-2636 in libav version 11.7

 - asfenc: fix some possible integer overflows (CVE-2016-2326)

Change-Id: I9904997efff6a91ed4c74d4135611c04a63e637f
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
8 years ago[CVE patch] CVE patch in libav version 11.7 98/76098/3 accepted/tizen/common/20160623.154053 accepted/tizen/ivi/20160623.123157 accepted/tizen/mobile/20160623.123103 accepted/tizen/tv/20160623.123121 accepted/tizen/wearable/20160623.123140 submit/tizen/20160622.235044
Jiyong Min [Wed, 22 Jun 2016 23:29:31 +0000 (08:29 +0900)]
[CVE patch] CVE patch in libav version 11.7

 - asfenc: fix some possible integer overflows (CVE-2016-2326)
 - mov: Check the entries value when parsing dref boxes (CVE-2016-3062)

Change-Id: I4a21091a20e10ee4b68f27ee4f5f5df6e419eca3
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
8 years agodynamic loadding error in libmm-fileinfo when use memory input. 42/57542/2 accepted/tizen/ivi/20160218.024710 accepted/tizen/mobile/20160128.010228 accepted/tizen/tv/20160128.010249 accepted/tizen/wearable/20160128.010305 submit/tizen/20160127.063514 submit/tizen_common/20160218.142243 submit/tizen_ivi/20160217.000000 submit/tizen_ivi/20160217.000005
ji.yong.seo [Thu, 21 Jan 2016 04:38:13 +0000 (13:38 +0900)]
dynamic loadding error in libmm-fileinfo when use memory input.

Change-Id: I5365b4a3d06915c3346ec45e3bbb5d96faeeebff
Signed-off-by: ji.yong.seo <ji.yong.seo@samsung.com>
8 years agoadd manifest files & add support format. 41/57541/2
ji.yong.seo [Thu, 21 Jan 2016 04:35:57 +0000 (13:35 +0900)]
add manifest files & add support format.

Change-Id: I3d3d7d76ace5c99d384b54f74ce6b2040cfd4861
Signed-off-by: ji.yong.seo <ji.yong.seo@samsung.com>
8 years agofix get frame at time fail. 40/57540/2
ji.yong.seo [Thu, 21 Jan 2016 04:30:39 +0000 (13:30 +0900)]
fix get frame at time fail.

Change-Id: If6b2199e1e55b707a8f61ba61a8429e2514da76a
Signed-off-by: ji.yong.seo <ji.yong.seo@samsung.com>
8 years agofix get rotate at time fail. (ffmpeg 2.5 merge) 39/57539/2
ji.yong.seo [Thu, 21 Jan 2016 04:26:21 +0000 (13:26 +0900)]
fix get rotate at time fail. (ffmpeg 2.5 merge)

Change-Id: I2484409b69a3398b309d0faecd9f82521af71179
Signed-off-by: ji.yong.seo <ji.yong.seo@samsung.com>
8 years agoadd protocol deregister API 38/57538/3
ji.yong.seo [Thu, 21 Jan 2016 04:20:53 +0000 (13:20 +0900)]
add protocol deregister API

Change-Id: I1407f526e68cafef9569fe86c8ac27a07d6ee3fd
Signed-off-by: ji.yong.seo <ji.yong.seo@samsung.com>
8 years agofix crash issue for invalid file. 37/57537/2
ji.yong.seo [Thu, 21 Jan 2016 02:38:10 +0000 (11:38 +0900)]
fix crash issue for invalid file.

Signed-off-by: ji.yong.seo <ji.yong.seo@samsung.com>
Change-Id: Ifaa1b9f3f7cf68050030c48272b8fc1b7eeea235

8 years agoBump to 11.4 53/54453/1 accepted/tizen/mobile/20151215.230558 accepted/tizen/tv/20151215.230616 accepted/tizen/wearable/20151215.230635 submit/tizen/20151215.092340 submit/tizen_common/20151229.142028 submit/tizen_common/20151229.154718
Haejeong Kim [Tue, 15 Dec 2015 09:19:51 +0000 (18:19 +0900)]
Bump to 11.4

Change-Id: I666cefb159e1949babd7594349773d4ccef60fcd

8 years agoAdd missing item after merge v11.4(upstream has VERSION file) 52/54452/1
Haejeong Kim [Tue, 15 Dec 2015 09:13:59 +0000 (18:13 +0900)]
Add missing item after merge v11.4(upstream has VERSION file)

Change-Id: I3d668e6d20457206bab0bc0c6baa30c2ecf07854

8 years agoMerge tag 'v11.4' into tizen 51/54451/1
Haejeong Kim [Tue, 15 Dec 2015 09:05:49 +0000 (18:05 +0900)]
Merge tag 'v11.4' into tizen

v11.4 release

Change-Id: I922d679faac6f7e054033c9423c2416cc49efa09

9 years agoVideos that contain cdis, get duration fail issue. (patch from latest ffmpeg) 76/41476/2
ji.yong.seo [Tue, 16 Jun 2015 05:38:02 +0000 (14:38 +0900)]
Videos that contain cdis, get duration fail issue. (patch from latest ffmpeg)

Change-Id: I5d9c9c3d0797e7d719019504052bac017b861518

9 years agoUpdate changelog for v11.4 v11.4
Reinhard Tartler [Sun, 24 May 2015 08:36:42 +0000 (10:36 +0200)]
Update changelog for v11.4

9 years agoh264: Make sure reinit failures mark the context as not initialized
Luca Barbato [Mon, 25 May 2015 20:30:10 +0000 (22:30 +0200)]
h264: Make sure reinit failures mark the context as not initialized

Bug-Id: CVE-2015-3417
CC: libav-stable@libav.org
9 years agomsrle: Use FFABS to determine the frame size in msrle_decode_pal4
Luca Barbato [Mon, 25 May 2015 19:53:26 +0000 (21:53 +0200)]
msrle: Use FFABS to determine the frame size in msrle_decode_pal4

As done in msrle_decode_8_16_24_32.

Bug-Id: CVE-2015-3395
CC: libav-stable@libav.org
9 years agox86: cavs: Remove an unneeded scratch buffer
Michael Niedermayer [Thu, 28 May 2015 10:38:35 +0000 (12:38 +0200)]
x86: cavs: Remove an unneeded scratch buffer

Simplifies the code and makes it build on certain compilers
running out of registers on x86.

CC: libav-stable@libav.org
Reported-By: mudler
(cherry picked from commit e4610300de6869bd6b3b00e76cfeabb6d7653dcd)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoconfigure: Disable i686 for i586 and lower CPUs
Mikulas Patocka [Mon, 15 Sep 2014 12:11:21 +0000 (05:11 -0700)]
configure: Disable i686 for i586 and lower CPUs

9 years agomjpegenc: Fix JFIF header byte ordering
Shiina Hideaki [Thu, 7 May 2015 00:46:55 +0000 (01:46 +0100)]
mjpegenc: Fix JFIF header byte ordering

The header had a wrong version description.

Bug-Id: 808
Signed-off-by: Shiina Hideaki <shiina@yndrd.com>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
9 years agonut: Make sure to clean up on read_header failure
Luca Barbato [Wed, 29 Apr 2015 19:29:49 +0000 (21:29 +0200)]
nut: Make sure to clean up on read_header failure

Based on Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> work.

CC: libav-stable@libav.org
9 years agopng: Set the color range as full range
wm4 [Fri, 8 May 2015 15:01:50 +0000 (17:01 +0200)]
png: Set the color range as full range

The format uses full range for the gray formats.

CC: libav-stable@libav.org
9 years agoavi: Validate sample_size
Andreas Cadhalpun [Wed, 6 May 2015 00:26:57 +0000 (02:26 +0200)]
avi: Validate sample_size

And either error out or set it to 0 if it is negative.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agonut: Check chapter creation in decode_info_header
Andreas Cadhalpun [Tue, 28 Apr 2015 18:57:59 +0000 (20:57 +0200)]
nut: Check chapter creation in decode_info_header

This fixes a segmentation fault when accessing the metadata.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
9 years agoalac: Reject rice_limit 0 if compression is used
Andreas Cadhalpun [Thu, 23 Apr 2015 22:01:43 +0000 (00:01 +0200)]
alac: Reject rice_limit 0 if compression is used

If in compression mode rice_limit = 0 leads to call
`show_bits(gb, k)` in `decode_scalar` with k = 0.

Request a sample in case it is valid and it should be accepted.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
9 years agoape: Support _0000 files with nblock smaller than 64
Andreas Cadhalpun [Wed, 29 Apr 2015 18:39:22 +0000 (20:39 +0200)]
ape: Support _0000 files with nblock smaller than 64

The decode_array_0000 assumed that 64 is the minimal block size
while it is not.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agomux: Do not leave stale side data pointers in ff_interleave_add_packet()
Michael Niedermayer [Fri, 1 May 2015 22:55:42 +0000 (23:55 +0100)]
mux: Do not leave stale side data pointers in ff_interleave_add_packet()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
9 years agoavresample: Reallocate the internal buffer to the correct size
Luca Barbato [Mon, 27 Apr 2015 23:55:10 +0000 (01:55 +0200)]
avresample: Reallocate the internal buffer to the correct size

Fixes the corner case in which the internal buffer size
is larger than input buffer provided and resizing it
before moving the left over samples would make it write
to now unallocated memory.

Bug-Id: 825
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agompegts: Update the PSI/SI table only if the version change
John Högberg [Tue, 28 Apr 2015 08:20:33 +0000 (10:20 +0200)]
mpegts: Update the PSI/SI table only if the version change

If a PAT is finished while a PMT section filter is opened but
not yet finished, the PMT section filter is closed and all
the received data is discarded.

This is usually not an issue but some multiplexers (With very
quick PAT/PMT repetition settings) consistently emit a PMT
section start, then a PAT, and then the rest of the PMT,
causing the aforementioned behavior to result in no PMT being
finished.

In the most pathologic situation the stream information are lost
and the probe fallback miscategorizes subtitles as mp3 audio.

Avoid the issue through eliminating redundant PSI/SI table
updates by checking their version field, which is required by
the standard to be incremented on every change no matter how
minor.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agortsp: Make sure we don't write too many transport entries into a fixed-size array
Martin Storsjö [Fri, 24 Apr 2015 09:38:09 +0000 (12:38 +0300)]
rtsp: Make sure we don't write too many transport entries into a fixed-size array

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
9 years agortpenc_jpeg: Handle case of picture dimensions not dividing by 8
Andrey Utkin [Fri, 10 Apr 2015 21:54:10 +0000 (00:54 +0300)]
rtpenc_jpeg: Handle case of picture dimensions not dividing by 8

This fixes the calculation of the number of needed blocks to make
sure that ALL pixels are represented by the result.

Signed-off-by: Martin Storsjö <martin@martin.st>
9 years agomov: Fix little endian audio detection
Vittorio Giovara [Fri, 13 Mar 2015 19:45:14 +0000 (19:45 +0000)]
mov: Fix little endian audio detection

Set this field to TRUE if the audio component is to operate on
little-endian data, and FALSE otherwise.

However TRUE and FALSE are not defined. Since this flag is just a boolean,
interpret all values except for 0 as little endian.

Sample-Id: 64bit_FLOAT_Little_Endian.mov

9 years agox86: Put COPY3_IF_LT under HAVE_6REGS
Luca Barbato [Mon, 16 Mar 2015 10:26:48 +0000 (11:26 +0100)]
x86: Put COPY3_IF_LT under HAVE_6REGS

It uses 6 registers, unbreaks building on hardened x86 system.

Bug-Id: gentoo/541930
CC: libav-stable@libav.org
9 years agoroqvideoenc: set enc->avctx in roq_encode_init
Andreas Cadhalpun [Mon, 9 Mar 2015 18:24:09 +0000 (19:24 +0100)]
roqvideoenc: set enc->avctx in roq_encode_init

So far it is only set in roq_encode_frame, but it is used in
roq_encode_end to free the coded_frame. This currently segfaults if
roq_encode_frame is not called between roq_encode_init and
roq_encode_end.

CC:libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agomp3: Properly use AVCodecContext API
Vittorio Giovara [Mon, 9 Mar 2015 23:02:00 +0000 (23:02 +0000)]
mp3: Properly use AVCodecContext API

Rather than having an unitialized context on the stack, allocate it with
defaults and free it when unneeded.

CC: libav-stable@libav.org
9 years agolibvpx: Fix mixed use of av_malloc() and av_reallocp()
Vittorio Giovara [Sun, 8 Mar 2015 21:08:16 +0000 (21:08 +0000)]
libvpx: Fix mixed use of av_malloc() and av_reallocp()

This buffer is resized when vpx_codec_get_cx_data() returns a
VPX_CODEC_STATS_PKT packet.

CC: libav-stable@libav.org
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
9 years agoRevert "lavfi: always check av_expr_parse_and_eval() return value"
Anton Khirnov [Sat, 2 May 2015 07:09:52 +0000 (09:09 +0200)]
Revert "lavfi: always check av_expr_parse_and_eval() return value"

This reverts commit 63be97ec403023fb664798432acedaf6e6922527.

All those calls were unchecked on purpose, as explained in the comments
in the code.

(cherry picked from commit 3735b5c616770429572f86aabdaec39c6ebb8818)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoalsdec: only adapt order for positive max_order
Andreas Cadhalpun [Wed, 22 Apr 2015 14:03:41 +0000 (16:03 +0200)]
alsdec: only adapt order for positive max_order

For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1)

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 60f1cc4a1ffcbf24acbb543988ceeaec76b70818)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoalsdec: check sample pointer range in revert_channel_correlation
Andreas Cadhalpun [Tue, 21 Apr 2015 17:28:30 +0000 (19:28 +0200)]
alsdec: check sample pointer range in revert_channel_correlation

Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 94bb1ce882a12b6d7a1fa32715a68121b39ee838)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoaacpsy: correct calculation of minath in psy_3gpp_init
Andreas Cadhalpun [Tue, 21 Apr 2015 16:43:55 +0000 (18:43 +0200)]
aacpsy: correct calculation of minath in psy_3gpp_init

The minimum of the ath(x, ATH_ADD) function depends on ATH_ADD.
This patch uses the first order approximation to determine it.

For ATH_ADD = 4 this results in the value at 3407.06812 (-5.24241638)
not the one at 3410 (-5.24237967).

CC: libav-stabl@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 110f7f35fb615b97d983b1c6c6a714fddd28bcbe)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoalsdec: limit avctx->bits_per_raw_sample to 32
Andreas Cadhalpun [Sat, 18 Apr 2015 18:29:13 +0000 (20:29 +0200)]
alsdec: limit avctx->bits_per_raw_sample to 32

avctx->bits_per_raw_sample is used in get_sbits_long, which only
supports up to 32 bits.

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e191aaca44b986816695e3b7ecfae64697fd6631)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoaasc: return correct buffer size from aasc_decode_frame
Andreas Cadhalpun [Thu, 16 Apr 2015 17:12:02 +0000 (19:12 +0200)]
aasc: return correct buffer size from aasc_decode_frame

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8fc8024ea56e814cd257d5fe27b21a865080782f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agomatroskadec: fix crash when parsing invalid mkv
Thomas Guillem [Fri, 10 Apr 2015 17:04:51 +0000 (19:04 +0200)]
matroskadec: fix crash when parsing invalid mkv

CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b8d7f3186e86234f6255f5e8ee9e98573b4d9a6e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoavconv: do not overwrite the stream codec context for streamcopy
Anton Khirnov [Thu, 2 Apr 2015 04:09:05 +0000 (06:09 +0200)]
avconv: do not overwrite the stream codec context for streamcopy

Since we are not doing encoding, there is no point in ever touching the
separate encoding context. Always use the stream codec context.

Fixes writing attachments.

CC:libav-devel@libav.org
(cherry picked from commit 3892bdab9b652eb003ab95e167f1765e0b0ea035)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
avconv.c

9 years agowebp: ensure that each transform is only used once
Andreas Cadhalpun [Thu, 5 Mar 2015 21:48:28 +0000 (22:48 +0100)]
webp: ensure that each transform is only used once

According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".

If a transform is more than once this can lead to memory
corruption.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 30e6abd1a8cc4fd5daf2e23ad2e768862c39e975)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoh264_ps: properly check cropping parameters against overflow
Anton Khirnov [Fri, 20 Mar 2015 20:49:23 +0000 (21:49 +0100)]
h264_ps: properly check cropping parameters against overflow

CC: libav-stable@libav.org
(cherry picked from commit d8a45d2d49f54fde042b195f9d5859251252493d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agohevc: zero the correct variables on invalid crop parameters
Anton Khirnov [Fri, 20 Mar 2015 20:30:29 +0000 (21:30 +0100)]
hevc: zero the correct variables on invalid crop parameters

It's the output_window that is applied to the output frame, not
pic_conf_win

(cherry picked from commit 5127c00b971b674f72609369b39a9c0f7c36977d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agohevc: make the crop sizes unsigned
Anton Khirnov [Fri, 20 Mar 2015 20:28:34 +0000 (21:28 +0100)]
hevc: make the crop sizes unsigned

(cherry picked from commit c929659bdd7d2d5848ea52e685a3164c7b901bb0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agodoc: More changelog updates for v11.3
Reinhard Tartler [Mon, 9 Mar 2015 01:51:11 +0000 (21:51 -0400)]
doc: More changelog updates for v11.3

9 years agoutvideodec: Handle slice_height being zero
Michael Niedermayer [Wed, 4 Mar 2015 17:36:14 +0000 (17:36 +0000)]
utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)

9 years agoadxdec: set avctx->channels in adx_read_header
Andreas Cadhalpun [Thu, 26 Feb 2015 00:06:57 +0000 (01:06 +0100)]
adxdec: set avctx->channels in adx_read_header

It is used in adx_read_packet, which currently depends on the
decoder/parser setting this value between reading the file header and
demuxing the first packet.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agormenc: limit packet size
Andreas Cadhalpun [Mon, 2 Mar 2015 15:52:26 +0000 (16:52 +0100)]
rmenc: limit packet size

The chunk size is limited to UINT16_MAX (written by avio_wb16), so make
sure that the packet size is not too large.

Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agowebp: validate the distance prefix code
Andreas Cadhalpun [Mon, 2 Mar 2015 19:47:57 +0000 (20:47 +0100)]
webp: validate the distance prefix code

According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.

If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agorv10: check size of s->mb_width * s->mb_height
Andreas Cadhalpun [Tue, 3 Mar 2015 20:31:15 +0000 (21:31 +0100)]
rv10: check size of s->mb_width * s->mb_height

If it doesn't fit into 12 bits it triggers an assertion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoeamad: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:44 +0000 (12:11 +0000)]
eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agomdec: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:43 +0000 (12:11 +0000)]
mdec: check for out of bounds read

Bug-Id: CID 1257501
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoconfigure: Properly fail when libcdio/cdparanoia is not found
Vittorio Giovara [Sun, 22 Feb 2015 19:49:52 +0000 (19:49 +0000)]
configure: Properly fail when libcdio/cdparanoia is not found

9 years agotiff: Check that there is no aliasing in pixel format selection
Anton Khirnov [Sat, 7 Mar 2015 21:06:59 +0000 (22:06 +0100)]
tiff: Check that there is no aliasing in pixel format selection

Fixes possible issues with unexpected bpp/bppcount values.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-8544
(cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoaic: Fix decoding files with odd dimensions
Vittorio Giovara [Fri, 27 Feb 2015 19:00:25 +0000 (19:00 +0000)]
aic: Fix decoding files with odd dimensions

Normally the aic decoder finds the proper slice combination (multiple of
some number less than 32) but in case of odd width, it resorts to the
default values, which were actually swapped.
The number of slices is modified to account for such odd width cases.

CC: libav-stable@libav.org
(cherry picked from commit e878ec0d47cd6228c367b2f3128b76d7523f7255)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agovorbis: Check the vlc value in setup_classifs
Luca Barbato [Tue, 3 Mar 2015 10:05:15 +0000 (11:05 +0100)]
vorbis: Check the vlc value in setup_classifs

The valid returned values are always at most 11bit.
Remove the previous check that assumed larger values plausible and
use a signed integer to check get_vlc2 return values.

CC: libav-stable@libav.org
(cherry picked from commit 0025f7408a0fab2cab4a950064e4784a67463994)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoarm: Suppress tags about used cpu arch and extensions
Martin Storsjö [Thu, 5 Mar 2015 21:38:00 +0000 (23:38 +0200)]
arm: Suppress tags about used cpu arch and extensions

When all the codepaths using manually set .arch/.fpu code is
behind runtime detection, the elf attributes should be suppressed.

This allows tools to know that the final built binary doesn't
strictly require these extensions.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73
and b77e335e441040a40fc6156b8e4a134745d10233)
Signed-off-by: Martin Storsjö <martin@martin.st>
9 years agodoc: Update changelog for v11.3
Reinhard Tartler [Sun, 8 Mar 2015 15:12:14 +0000 (11:12 -0400)]
doc: Update changelog for v11.3

9 years agoPrepare for 11.3 Release
Reinhard Tartler [Sun, 8 Mar 2015 15:06:15 +0000 (11:06 -0400)]
Prepare for 11.3 Release

9 years agoprores: Extend the padding check to 16bit
Luca Barbato [Wed, 25 Feb 2015 14:29:15 +0000 (15:29 +0100)]
prores: Extend the padding check to 16bit

Some files produced by the official encoder have up to 16bit of
padding instead of the expected padding to the byte.

Use a self-explanatory macro instead of a simple number.

CC: libav-stable@libav.org
(cherry picked from commit dbc1163b203b175d246b7454c32ac176f84006d1)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoicecast: Do not use chunked post
Mark McGough [Sun, 12 Oct 2014 10:24:07 +0000 (18:24 +0800)]
icecast: Do not use chunked post

Icecast uses HTTP 1.0 while Libav uses HTTP 1.1 and enables by
default chunked post.

Icecast actually forwards the HTTP chunk headers to the listener
as part of the media stream (without the chunk encoding HTTP headers)
causing the players to lose sync.

Disabling the option is enough to feed icecast properly.

(cherry picked from commit 76c70e33d2244a688832f03b53862eb5d9ad3b01)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoimg2dec: correctly use the parsed value from -start_number
Vittorio Giovara [Tue, 6 Jan 2015 15:47:18 +0000 (16:47 +0100)]
img2dec: correctly use the parsed value from -start_number

Previously the image sequence was always starting from the minimum
number rather than the requested one.

CC: libav-stable@libav.org
9 years agoh264_cabac: Break infinite loops
Michael Niedermayer [Thu, 31 Jan 2013 03:20:24 +0000 (04:20 +0100)]
h264_cabac: Break infinite loops

This fixes out of array reads and/or infinite loops.

30 is the maximum number of bits that can be read into
coeff_abs below.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Martin Storsjö <martin@martin.st>
9 years agohevc_deblock: Fix compilation with nasm
Carl Eugen Hoyos [Sun, 22 Feb 2015 17:46:49 +0000 (17:46 +0000)]
hevc_deblock: Fix compilation with nasm

CC: libav-stable@libav.org
Bug-Id: 795
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
9 years agoh264: initialize H264Context.avctx in init_thread_copy
Anton Khirnov [Thu, 12 Feb 2015 12:06:49 +0000 (13:06 +0100)]
h264: initialize H264Context.avctx in init_thread_copy

This prevents using a wrong (first thread's) AVCodecContext if decoding
a frame in the first pass over all threads fails.

(cherry picked from commit a06b0b1295c51d100101e0ca0434e199ad6de6b5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoh264: Do not share rbsp_buffer across threads
Michael Niedermayer [Sun, 25 Aug 2013 01:01:19 +0000 (03:01 +0200)]
h264: Do not share rbsp_buffer across threads

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 61928b68dc28e080b8c8191afe5541123c682bbd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agoh264: only ref cur_pic in update_thread_context if it is initialized
Anton Khirnov [Thu, 12 Feb 2015 11:26:58 +0000 (12:26 +0100)]
h264: only ref cur_pic in update_thread_context if it is initialized

It may be empty if the previous thread's decode call did not contain a
valid frame.

(cherry picked from commit 0dea4c77ccf5956561bb8991311b3d834bb5fa40)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
9 years agomatroskadec: Fix read-after-free in matroska_read_seek()
Xiaohan Wang [Thu, 6 Nov 2014 20:59:54 +0000 (12:59 -0800)]
matroskadec: Fix read-after-free in matroska_read_seek()

In matroska_read_seek(), |tracks| is assigned at the begining of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.

This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.

Bug-Id: chromium/427266

9 years agolog: Unbreak no-tty support on 256color terminals
Luca Barbato [Fri, 12 Sep 2014 22:26:21 +0000 (00:26 +0200)]
log: Unbreak no-tty support on 256color terminals

9 years agoPrepare for 11.2 Release
Luca Barbato [Wed, 14 Jan 2015 17:05:57 +0000 (18:05 +0100)]
Prepare for 11.2 Release

9 years agodoc: Update the Changelog for release 11.2
Luca Barbato [Mon, 12 Jan 2015 23:33:23 +0000 (00:33 +0100)]
doc: Update the Changelog for release 11.2

9 years agovp7: fix checking vp7_feature_value_size()
Michael Niedermayer [Tue, 11 Nov 2014 12:27:00 +0000 (13:27 +0100)]
vp7: fix checking vp7_feature_value_size()

CC: libav-stable@libav.org
Bug-Id: CID 1197061
(cherry picked from commit 29234f56818135faf2f1868ab324c073abd28fbd)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agolibopusenc: prevent an out-of-bounds read by returning early
Vittorio Giovara [Tue, 11 Nov 2014 12:26:55 +0000 (13:26 +0100)]
libopusenc: prevent an out-of-bounds read by returning early

CC: libav-stable@libav.org
Bug-Id: CID 1244188
(cherry picked from commit 8dd0a2c5cf40a8a49faae985adc11750b6429132)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agodisplay: fix order of operands
Vittorio Giovara [Tue, 11 Nov 2014 12:27:02 +0000 (13:27 +0100)]
display: fix order of operands

CC: libav-stable@libav.org
Bug-Id: CID 1238828 / CID 1238832
(cherry picked from commit b1b1a7370e141c912e3d0bbaa668dcee05c3ad67)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoffv1: fix out-of-bounds read
Vittorio Giovara [Tue, 11 Nov 2014 16:40:04 +0000 (17:40 +0100)]
ffv1: fix out-of-bounds read

CC: libav-stable@libav.org
Bug-Id: CID 1047234
(cherry picked from commit 6abe7edabb7d57e82d7ea6312d30cf05d2192c5b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoindeo3: check ff_set_dimensions return value
Vittorio Giovara [Wed, 12 Nov 2014 10:13:02 +0000 (11:13 +0100)]
indeo3: check ff_set_dimensions return value

CC: libav-stable@libav.org
Bug-Id: CID 1135740
(cherry picked from commit c6d7c201dfa80502cb6cefbee7dc9160cedb5187)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agog2meet: check ff_set_dimensions return value
Vittorio Giovara [Wed, 12 Nov 2014 10:13:04 +0000 (11:13 +0100)]
g2meet: check ff_set_dimensions return value

CC: libav-stable@libav.org
Bug-Id: CID 1135739
(cherry picked from commit 2b5c1efa1465d8646f8be525cace7a21404e40ad)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoavs: check ff_set_dimensions return value
Vittorio Giovara [Wed, 12 Nov 2014 10:13:05 +0000 (11:13 +0100)]
avs: check ff_set_dimensions return value

CC: libav-stable@libav.org
Bug-Id: CID 1135738
(cherry picked from commit c7384664ba0cbb12d882effafbc6d321ae706cff)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoansi: check ff_set_dimensions return value
Vittorio Giovara [Wed, 12 Nov 2014 10:13:06 +0000 (11:13 +0100)]
ansi: check ff_set_dimensions return value

CC: libav-stable@libav.org
Bug-Id: CID 1135737
(cherry picked from commit 994ab1804b8bf532f44876927b07b51f1f63247f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agosvq1enc: check ff_get_buffer return value
Vittorio Giovara [Wed, 12 Nov 2014 10:13:07 +0000 (11:13 +0100)]
svq1enc: check ff_get_buffer return value

CC: libav-stable@libav.org
Bug-Id: CID 747723
(cherry picked from commit 59846452af762f6af5ced4399e8dcd709ca50fcd)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoon2avc: Fix out of array access
Michael Niedermayer [Wed, 12 Nov 2014 10:13:01 +0000 (11:13 +0100)]
on2avc: Fix out of array access

CC: libav-stable@libav.org
Bug-Id: CID 1206648
(cherry picked from commit 2fa6d21124bd2fc0b186290f5313179263bfcfb7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agolibrtmp: append the correct field to the string
Vittorio Giovara [Sun, 16 Nov 2014 23:22:22 +0000 (00:22 +0100)]
librtmp: append the correct field to the string

Also prevent a NULL pointer dereference.

CC: libav-stable@libav.org
Bug-Id: CID 1250329 / CID 1250331
(cherry picked from commit a28468d0daf4be14761c16a3ddd33266b2380123)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agolavc: fix bitshifts amount bigger than the type
Vittorio Giovara [Sun, 16 Nov 2014 23:22:27 +0000 (00:22 +0100)]
lavc: fix bitshifts amount bigger than the type

CC: libav-stable@libav.org
Bug-Id: CID 1194387 / CID 1194389 / CID 1194393 / CID 1206638
(cherry picked from commit 85dc006b1a829726dd5e3a9b0fcc6a1dbfe6dffa)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoconfigure: Fix enabling memalign_hack automatically
Martin Storsjö [Tue, 18 Nov 2014 11:52:26 +0000 (13:52 +0200)]
configure: Fix enabling memalign_hack automatically

simd_align_16 is a configure item that can be enabled or disabled,
it's not a variable containing a list of other configure items
as need_memalign previously. This was broken in eba2233b5.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7813e6752bdab38a5686c301e869ee71d97bce69)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agolavc: Move the libtwolame encoder registration to the list for external libraries
Martin Storsjö [Fri, 21 Nov 2014 12:23:02 +0000 (14:23 +0200)]
lavc: Move the libtwolame encoder registration to the list for external libraries

This makes sure the default behaviour of using the internal encoder
stays the same regardless if libtwolame is enabled or not (as for
any external library).

This fixes fate-lavf-mpg if libav is built with libtwolame enabled.

CC: libav-stable@libav.org
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit aa8b39d999589154f79300de9038994d0093cd34)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoxwma: Do not leak on failure path
Luca Barbato [Sun, 16 Nov 2014 23:22:21 +0000 (00:22 +0100)]
xwma: Do not leak on failure path

CC: libav-stable@libav.org
Bug-Id: CID 1087092
(cherry picked from commit fd9badd3cb3b60f5c54dcea35523e1ecca2f67a6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agolibtwolame: prevent a NULL pointer dereference
Vittorio Giovara [Fri, 21 Nov 2014 11:56:59 +0000 (11:56 +0000)]
libtwolame: prevent a NULL pointer dereference

CC: libav-stable@libav.org
Bug-Id: CID 1250330 / CID 1250335
(cherry picked from commit a42d5c861fea8d18d997c6ba3f4a1d8aa95a288b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agodvdsubdec: Do not leak on failure path
Luca Barbato [Sun, 9 Nov 2014 07:48:47 +0000 (08:48 +0100)]
dvdsubdec: Do not leak on failure path

CC: libav-stable@libav.org
Bug-Id: CID 1198262
(cherry picked from commit d466d82faaf6e0e57a3a4be5e38e3902ef251ac3)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoqdm2: avoid integer overflow
Vittorio Giovara [Wed, 12 Nov 2014 18:10:44 +0000 (19:10 +0100)]
qdm2: avoid integer overflow

CC: libav-stable@libav.org
Bug-Id: CID 700555
(cherry picked from commit 1f80742f49a9a4e846c9f099387881abc87150b2)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agompegenc: prevent a NULL pointer dereference
Vittorio Giovara [Fri, 21 Nov 2014 12:57:42 +0000 (12:57 +0000)]
mpegenc: prevent a NULL pointer dereference

CC: libav-stable@libav.org
Bug-Id: CID 29261
(cherry picked from commit 065923b0781b06a2604f69f4e2c2407b7750a854)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agoaacdec: avoid an out-of-bounds write
Vittorio Giovara [Fri, 21 Nov 2014 12:57:40 +0000 (12:57 +0000)]
aacdec: avoid an out-of-bounds write

Also move the check in the case it is actually used.

CC: libav-stable@libav.org
Bug-Id: CID 1087090
(cherry picked from commit b99ca863506f0630514921b740b78364de67a3ff)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agocook: Make sure there is enough extradata
Luca Barbato [Sun, 23 Nov 2014 15:09:05 +0000 (16:09 +0100)]
cook: Make sure there is enough extradata

At least 8 bytes are needed (Mono audio).

Bug-Id: CID 741418
CC: libav-stable@libav.org
(cherry picked from commit 299d8ab104fb350254eb2e6d9ecdce892a2a55b1)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
9 years agotiffenc: initialize return value
Vittorio Giovara [Sun, 9 Nov 2014 07:48:43 +0000 (08:48 +0100)]
tiffenc: initialize return value

'ret' can only be used without initialization if s->height <= 0, which can
only happen if avctx->height <= 0, which is validated elsewhere. Doesn't hurt
to still initialize it though.

CC: libav-stable@libav.org
Bug-Id: CID 732296
(cherry picked from commit 0562887a984388fdc7a9b71c9374ff9c756fb4f1)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>