Anton Khirnov
a0a872d073
indeo3: check motion vectors.
...
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
12 years ago
Anton Khirnov
34e6af9e20
indeo3: fix data size check
...
The data offsets are relative to the bitstream header, which is 16 bytes
after the start of the data.
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
12 years ago
Anton Khirnov
66531d634e
indeo3: switch parsing the header to bytestream2
...
Also add an additional sanity check to the alt_quant table.
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
12 years ago
Diego Biurrun
6d97484d72
avcodec: av_log_ask_for_sample() ---> avpriv_request_sample()
12 years ago
Clément Bœsch
1ec94b0f06
lavc: factorize ff_{thread_,re,}get_buffer error messages.
...
Coccinelle profile used:
@@
expression r, ctx, f, loglevel, str, flags;
@@
-if ((r = ff_get_buffer(ctx, f, flags)) < 0) {
- av_log(ctx, loglevel, str);
- return r;
-}
+if ((r = ff_get_buffer(ctx, f, flags)) < 0)
+ return r;
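Review bot: the match on `av_log(ctx, loglevel, str)` followed by `return r;` is narrow. A call site is skipped if its message takes format arguments, if it logs through a different context than the one passed to `ff_get_buffer`, or if it returns something other than `r`. It would help to say that these are the cases the manual patches cover, so a reviewer knows what to grep for.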
@@
expression r, ctx, f, loglevel, str;
@@
-if ((r = ff_reget_buffer(ctx, f)) < 0) {
- av_log(ctx, loglevel, str);
- return r;
-}
+if ((r = ff_reget_buffer(ctx, f)) < 0)
+ return r;
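Review bot: `loglevel` and `str` are bound only on the removed lines, so whatever level and wording each caller of `ff_reget_buffer` used is dropped silently. The commit message should state which level and text the factored-out message uses, so it can be checked that no call site loses a more specific diagnostic.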
@@
expression r, ctx, f, loglevel, str, flags;
@@
-if ((r = ff_thread_get_buffer(ctx, f, flags)) < 0) {
- av_log(ctx, loglevel, str);
- return r;
-}
+if ((r = ff_thread_get_buffer(ctx, f, flags)) < 0)
+ return r;
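Review bot: this rule is the first one again with only the function name changed to `ff_thread_get_buffer`. Folding the three rules into one with a disjunction over the three calls would keep the profile shorter and prevent the copies from drifting apart.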
...along with some manual patches for the remaining ones.
12 years ago
Ronald S. Bultje
4b642ab19b
indeo3: use hpeldsp instead of dsputil for half-pel functions.
...
This makes indeo3 independent of dsputil.
12 years ago
Anton Khirnov
759001c534
lavc decoders: work with refcounted frames.
12 years ago
Mans Rullgard
b9ee5f2cab
indeo3: replace use of copy_block4 with put_pixels
...
The destination is sufficiently aligned for put_pixels here.
Signed-off-by: Mans Rullgard <mans@mansr.com>
12 years ago
Anton Khirnov
df9b956751
lavc: fix decode_frame() third parameter semantics for video decoders
...
It's got_frame, not data size
12 years ago
Anton Khirnov
594d4d5df3
lavc: add a wrapper for AVCodecContext.get_buffer().
...
It will be useful in the upcoming transition to refcounted AVFrames.
12 years ago
Paul B Mahol
b0428741c6
indeo3: move get_buffer() above decode_plane() calls
...
This ensures that decode_plane() mmx code like AV_COPY64()
does not interfere with possible float instructions in
release_buffer/get_buffer.
Found-by: Carl Eugen Hoyos
Signed-off-by: Paul B Mahol <onemda@gmail.com>
12 years ago
Paul B Mahol
20ac916e6d
indeo3: release buffer before calling decode_plane
12 years ago
Paul B Mahol
b02116cc4a
Revert "Partly revert f174fba: indeo3 decoder does not support direct rendering."
...
f174fba did not introduce DR1 flag it was already available before that.
This reverts commit 8bf44d5c96.
12 years ago
Carl Eugen Hoyos
8bf44d5c96
Partly revert f174fba: indeo3 decoder does not support direct rendering.
12 years ago
Paul B Mahol
9051025102
lavc: remove duplicated .capabilities
...
Signed-off-by: Paul B Mahol <onemda@gmail.com>
12 years ago
Anton Khirnov
bff5e5f8b3
indeo3: remove duplicate capabilities line.
12 years ago
Anton Khirnov
f174fbac3c
lavc: add CODEC_CAP_DR1 to all video decoders missing them
12 years ago
Kostya Shishkov
169514c440
indeo3: do not try to output more lines than we can fit
...
Internally chroma planes have multiple of four height while allocated image
planes might be smaller if CODEC_FLAG_EMU_EDGE is set. Thus we should not
output more lines of chroma than frame can accept.
Also the decoder can be safely switched to direct rendering now.
12 years ago
Anton Khirnov
716d413c13
Replace PIX_FMT_* -> AV_PIX_FMT_*, PixelFormat -> AVPixelFormat
12 years ago
Anton Khirnov
e4d4044339
indeo3: fix out of cell write.
...
Fixes CVE-2012-2776.
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
12 years ago
Anton Khirnov
36ef5369ee
Replace all CODEC_ID_* with AV_CODEC_ID_*
12 years ago
Kostya Shishkov
6de226a2b8
indeo3: validate new frame size before resetting decoder
13 years ago
Kostya Shishkov
bc00da2701
indeo3: when freeing buffers, set pointers referencing them to NULL as well
13 years ago
Kostya Shishkov
81064a8045
indeo3: initialise pixel planes on allocation
...
This prevents decoder from reading garbage from it in case of errors later.
13 years ago
Kostya Shishkov
fc417db3f1
indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
13 years ago
Hendrik Leppkes
4b7fa553a9
indeo3: fix motion vector validation
...
The index of the motion vector has to be checked before being
multiplied by 2 for the array index.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
13 years ago
Michael Niedermayer
4a80ebe491
indeo3: Fix reallocation code so that it doesn't become inconsistent.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
a84851bef8
indeo3dec: check mv bitstream pointer
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
8a521d57b3
indeo3dec: Fix end pointer.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
ba775a54bc
indeo3: fix out of picture write.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
50f4f272fe
indeo3: Fix out of reference reading with NULL blocks.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
e75518e18d
indeo3: move MV check up.
...
This adds checking for modes >= 10.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
33a183df46
indeo3: Fix overreading requant_tab.
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
56ffa3fefb
indeo3: Check motion vectors.
...
Fixes overread of reference frame.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Ronald S. Bultje
fc9bc08dca
Indeo3: fix crashes on corrupt bitstreams.
...
Splits at borders of cells are invalid, since it leaves one of the
cells with a width/height of zero. Also, propagate errors on buffer
allocation failures, so we don't continue decoding (which crashes).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
13 years ago
Martin Storsjö
9cf0841ef3
dsputil: Add ff_ prefix to the dsputil*_init* functions
...
Signed-off-by: Martin Storsjö <martin@martin.st>
13 years ago
Hendrik Leppkes
6071644287
indeo3: fix motion vector validation
...
The index of the motion vector has to be checked before being
multiplied by 2 for the array index.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Janne Grunau
be540e0cb3
indeo3: check motion vectors for validity
...
Fixes null pointer dereferences in fuzzed files found by Oana Stratulat.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
13 years ago
Michael Niedermayer
134aaa79f7
indeo3: Fix null ptr dereference
...
Fixes Ticket804
Bug found by: Oana Stratulat
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
cd645c15d8
indeo3: check return values of allocate_frame_buffers()
...
Bug Found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Aneesh Dogra
464ccb0144
indeo3: check per-plane data buffer against input buffer bounds.
...
Fixes: http://bugzilla.libav.org/show_bug.cgi?id=102
Signed-off-by: Alex Converse <alex.converse@gmail.com>
13 years ago
Kostya Shishkov
1469f943ad
indeo3: cosmetics
...
Signed-off-by: Diego Biurrun <diego@biurrun.de>
13 years ago
Aneesh Dogra
97980db487
indeo3: error out if no motion vector is set.
...
This fixes a crash on a corrupt bitstream (bugzilla #93).
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
13 years ago
Michael Niedermayer
1afe49b062
indeo3: out of array read checks for decode_plane()
...
Fixes: avi+indeo3+++1-dog.avi
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
e9e642cbfb
indeo3: Check remaining bits in parse_bintree()
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
e421b79d01
indeo3: fix null pointer dereference in vulnerable.mov
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Alex Converse
1149fbc763
indeo3: Fix a fencepost error.
...
Found with asan and the venerable 1-dog.avi sample.
13 years ago
Maxim Poliakovski
594b54b51e
replacement Indeo 3 decoder
...
The new decoder is much smaller and has better code quality.
Cleanup and fixes courtesy of Kostya Shishkov.
Signed-off-by: Diego Biurrun <diego@biurrun.de>
13 years ago
Diego Biurrun
124e28847b
Remove some stray unnecessary ffmpeg references.
13 years ago
Anton Khirnov
ec6402b7c5
lavc: use designated initialisers for all codecs.
...
It's more readable and less prone to breakage.
14 years ago