Diego Biurrun
d34a133b78
dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks
...
DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not
allowed in that case. Also ensure that the decode buffer is big enough
for all blocks being processed.
Bug-Id: CVE-2017-9992
CC: libav-stable@libav.org
8 years ago
Michael Niedermayer
58ac7fb9c3
avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int'
...
Fixes: 1657/clusterfuzz-testcase-minimized-4710000079405056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 years ago
Michael Niedermayer
12936a4585
avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
...
Fixes: 1368/clusterfuzz-testcase-minimized-4507293276176384
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 years ago
Michael Niedermayer
f52fbf4f3e
avcodec/dfa: Fix off by 1 error
...
Fixes out of array access
Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 years ago
Anton Khirnov
fd9212f2ed
Mark some arrays that never change as const.
8 years ago
Vittorio Giovara
def97856de
lavc: AV-prefix all codec capabilities
...
Express bitfields more simply.
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
10 years ago
Diego Biurrun
cc8163e1a3
avcodec: more correct printf specifiers
11 years ago
Diego Biurrun
b2bed9325d
cosmetics: Group .name and .long_name together in codec/format declarations
11 years ago
Michael Niedermayer
e9e207ece7
dfa: Put our pointer check back.
...
The reimplementation by Libav does not prevent out of array
writes, even though it looks like it does at a quick glance.
No FFmpeg releases are affected by this
See: d1c95d2ce3
3623589edc
740ebe468c
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Michael Niedermayer
1557f34b10
dfa: support decoding version=1.0
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Kostya Shishkov
56c1b92576
dfa: implement missing TDLT coding method
12 years ago
Paul B Mahol
1adf54de56
dfa: implement tdlt chunk decoding
...
Sample & pseudo code provided by Vladimir "VAG" Gneushev.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
12 years ago
Michael Niedermayer
740ebe468c
dfa: remove redundant check
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Anton Khirnov
3623589edc
dfa: check for invalid access in decode_wdlt().
...
This can happen when the number of skipped lines is not consistent with
the number of coded lines.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
12 years ago
Clément Bœsch
1ec94b0f06
lavc: factorize ff_{thread_,re,}get_buffer error messages.
...
Coccinelle profile used:
@@
expression r, ctx, f, loglevel, str, flags;
@@
-if ((r = ff_get_buffer(ctx, f, flags)) < 0) {
- av_log(ctx, loglevel, str);
- return r;
-}
+if ((r = ff_get_buffer(ctx, f, flags)) < 0)
+ return r;
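Review bot: in this first rule, `loglevel` and `str` are unconstrained expressions, so the match deletes the caller's `av_log(ctx, loglevel, str);` whatever level or message text it carried; the two rules that follow have the same shape. If the factorized message is meant to replace only error-level logging, pin the level in the pattern (for example `av_log(ctx, AV_LOG_ERROR, str);`) and leave the other call sites to the manual pass, or state in the commit message that caller-specific levels and texts are dropped on purpose.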
@@
expression r, ctx, f, loglevel, str;
@@
-if ((r = ff_reget_buffer(ctx, f)) < 0) {
- av_log(ctx, loglevel, str);
- return r;
-}
+if ((r = ff_reget_buffer(ctx, f)) < 0)
+ return r;
@@
expression r, ctx, f, loglevel, str, flags;
@@
-if ((r = ff_thread_get_buffer(ctx, f, flags)) < 0) {
- av_log(ctx, loglevel, str);
- return r;
-}
+if ((r = ff_thread_get_buffer(ctx, f, flags)) < 0)
+ return r;
...along with some manual patches for the remaining ones.
12 years ago
Anton Khirnov
759001c534
lavc decoders: work with refcounted frames.
12 years ago
Anton Khirnov
df9b956751
lavc: fix decode_frame() third parameter semantics for video decoders
...
It's got_frame, not data size
12 years ago
Anton Khirnov
594d4d5df3
lavc: add a wrapper for AVCodecContext.get_buffer().
...
It will be useful in the upcoming transition to refcounted AVFrames.
12 years ago
Diego Biurrun
5bac2d0c30
avutil: Move memcpy_backptr() to mem.c
...
The function is used elsewhere and does not belong with the LZO code.
12 years ago
Mans Rullgard
a153e45b95
dfa: use av_memcpy_backptr() where previously impossible
...
Since the requirement for output padding has been lifted, we can
use av_memcpy_backptr() here as well.
Signed-off-by: Mans Rullgard <mans@mansr.com>
12 years ago
Diego Biurrun
e831b3b852
av_memcpy_backptr: Drop no longer necessary malloc padding
...
Signed-off-by: Mans Rullgard <mans@mansr.com>
12 years ago
Michael Niedermayer
b12d92efd6
avoid "0xFF << 24" as it is considered an integer overflow in C99
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Anton Khirnov
716d413c13
Replace PIX_FMT_* -> AV_PIX_FMT_*, PixelFormat -> AVPixelFormat
12 years ago
Anton Khirnov
d05f72c754
dfa: improve boundary checks in decode_dds1()
...
Fixes CVE-2012-2798
CC: libav-stable@libav.org
12 years ago
Michael Niedermayer
6fcd4f3c72
dfa: replace redundant check by assert
...
The values are checked in the wrapper function used to call this code.
This was introduced by: ee715f49a0
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago
Anton Khirnov
ee715f49a0
dfa: check that the caller set width/height properly.
...
Fixes CVE-2012-2786.
12 years ago
Anton Khirnov
36ef5369ee
Replace all CODEC_ID_* with AV_CODEC_ID_*
13 years ago
Kostya Shishkov
fb5c1aaea6
dfa: use more meaningful return codes
13 years ago
Kostya Shishkov
8099187e89
dfa: add some checks to ensure that decoder won't write past frame end
13 years ago
Michael Niedermayer
72b9537d88
dfa: Fix out of array write in decode_dds1()
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Michael Niedermayer
d1c95d2ce3
dfa: fix out of array write in decode_wdlt()
...
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
13 years ago
Martin Storsjö
00c3b67b8a
cosmetics: Align codec declarations
...
Also break some long lines, remove codec function placeholder comments
and add spaces in sample/pixel format lists.
Signed-off-by: Martin Storsjö <martin@martin.st>
13 years ago
Paul B Mahol
29b0d94b43
dfa: convert to bytestream2 API
...
Protects from overreads.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
13 years ago
Reimar Döffinger
0b378e8aa9
DFA: fix "skip frame" TSW1 encoding.
...
Previously the decoder would raise an error.
The end result is the same, the time stamps only change
because regression tests create time stamps incorrectly.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
13 years ago
Carl Eugen Hoyos
e18f70c2d1
Set Chronomaster DFA palette opaque.
13 years ago
Carl Eugen Hoyos
320f0f04a1
Fix Chronomaster DFA palette.
...
The palette had a blue cast.
13 years ago
Anton Khirnov
ec6402b7c5
lavc: use designated initialisers for all codecs.
...
It's more readable and less prone to breakage.
14 years ago
Diego Biurrun
b1bb3b8d87
dfa: Remove unused variable.
...
This fixes the warning:
libavcodec/dfa.c:189: warning: unused variable ‘frame_end’
14 years ago
Reimar Döffinger
2c9a5172d3
dfa: fix buffer overflow checks to avoid integer overflows.
...
Signed-off-by: Anton Khirnov <anton@khirnov.net>
14 years ago
Michael Niedermayer
334187ade7
Fix "libavcodec/dfa.c:189: warning: unused variable ‘frame_end’"
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
Reimar Döffinger
65daa942eb
Fix buffer overflow checks to avoid integer overflows.
14 years ago
Ronald S. Bultje
d38345878c
dfa: protect pointer range checks against overflows.
14 years ago
Kostya Shishkov
42315dabce
Chronomaster DFA decoder
...
Signed-off-by: Anton Khirnov <anton@khirnov.net>
14 years ago