[libav-devel] [PATCH] pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

2017-01-30 Thread Andreas Cadhalpun
The code relies on their validity and otherwise can try to access a NULL object->rle pointer, causing segmentation faults. Signed-off-by: Andreas Cadhalpun --- libavcodec/pgssubdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavco

Re: [libav-devel] [PATCH 2/2] libschroedingerdec: fix leaking of framewithpts

2016-12-02 Thread Andreas Cadhalpun
On 02.12.2016 18:07, Vittorio Giovara wrote: > On Sun, Nov 13, 2016 at 5:25 PM, Andreas Cadhalpun > wrote: >> Signed-off-by: Andreas Cadhalpun >> --- >> libavcodec/libschroedingerdec.c | 26 +- >> 1 file changed, 17 insertions(+), 9 deleti

Re: [libav-devel] [FFmpeg-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame

2016-11-25 Thread Andreas Cadhalpun
that. Best regards, Andreas From 6d8b5136c67f3a8cb3f4a4c818f311d748bbab5d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 23:57:46 +0100 Subject: [PATCH] mss2: only use error correction for matching block counts This fixes a heap-buffer-overflow in ff_er_frame_end w

Re: [libav-devel] [FFmpeg-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame

2016-11-24 Thread Andreas Cadhalpun
ction in that case works, though. Attached is a patch for that. Best regards, Andreas From df9241d8b575cc0fbf570e714c586ff37a4821fd Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 23:57:46 +0100 Subject: [PATCH] mss2: only use error correction for matching block coun

Re: [libav-devel] [FFmpeg-devel] [PATCH] libopusdec: fix out-of-bounds read

2016-11-23 Thread Andreas Cadhalpun
On 23.11.2016 03:07, Michael Niedermayer wrote: > On Mon, Nov 14, 2016 at 09:55:15PM +0100, Andreas Cadhalpun wrote: >> libopusdec.c |6 ++ >> 1 file changed, 6 insertions(+) >> 0b663c14f4a6dae3e1da453239dbe429aef7886e >> 0001-libopusdec-default-to-stereo-fo

Re: [libav-devel] [FFmpeg-devel] [PATCH] smacker: limit recursion depth of smacker_decode_bigtree

2016-11-19 Thread Andreas Cadhalpun
On 20.11.2016 00:25, Luca Barbato wrote: > On 19/11/2016 17:27, Andreas Cadhalpun wrote: >> This fixes segmentation faults due to stack-overflow caused by too >> deep recursion. > > You shouldn't be able to use hc->current for the same purpose? That's what

Re: [libav-devel] [FFmpeg-devel] [PATCH] smacker: limit recursion depth of smacker_decode_bigtree

2016-11-19 Thread Andreas Cadhalpun
On 19.11.2016 23:34, Michael Niedermayer wrote: > On Sat, Nov 19, 2016 at 05:27:19PM +0100, Andreas Cadhalpun wrote: >> diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c >> index b8a0c55..be3914b 100644 >> --- a/libavcodec/smacker.c >> +++ b/libavcodec/sma

Re: [libav-devel] [FFmpeg-devel] [PATCH] smacker: limit recursion depth of smacker_decode_bigtree

2016-11-19 Thread Andreas Cadhalpun
On 19.11.2016 16:13, Michael Niedermayer wrote: > On Sat, Nov 19, 2016 at 02:29:35PM +0100, Andreas Cadhalpun wrote: >> This fixes segmentation faults due to stack-overflow caused by too deep >> recursion. >> >> Signed-off-by: Andreas Cadhalpun >> --- >> l

[libav-devel] [PATCH] smacker: limit recursion depth of smacker_decode_bigtree

2016-11-19 Thread Andreas Cadhalpun
This fixes segmentation faults due to stack-overflow caused by too deep recursion. Signed-off-by: Andreas Cadhalpun --- libavcodec/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b8a0c55..0fec7a3 100644 --- a

Re: [libav-devel] [PATCH] libopusdec: fix out-of-bounds read

2016-11-14 Thread Andreas Cadhalpun
On 14.11.2016 20:54, Anton Khirnov wrote: > Quoting Andreas Cadhalpun (2016-11-14 20:30:10) >> On 14.11.2016 00:01, Luca Barbato wrote: >>> On 13/11/2016 19:23, Andreas Cadhalpun wrote: >>>> avc->channels can be 0. >>> >>> 0 and less than zero

Re: [libav-devel] [PATCH] libopusdec: fix out-of-bounds read

2016-11-14 Thread Andreas Cadhalpun
On 14.11.2016 00:01, Luca Barbato wrote: > On 13/11/2016 19:23, Andreas Cadhalpun wrote: >> avc->channels can be 0. > > 0 and less than zero shouldn't be an error? Such values should be rejected, wherever they are set. However, ensuring that is a larger change I'm cur

[libav-devel] [PATCH 2/2] libschroedingerdec: fix leaking of framewithpts

2016-11-13 Thread Andreas Cadhalpun
Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 26 +- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index 1e392b3..83c790c 100644 --- a/libavcodec

[libav-devel] [PATCH 1/2] libschroedingerdec: don't produce empty frames

2016-11-13 Thread Andreas Cadhalpun
They are not valid and can cause problems/crashes for API users. Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index c9930c7..1e392b3

[libav-devel] [PATCH] libopusdec: fix out-of-bounds read

2016-11-13 Thread Andreas Cadhalpun
avc->channels can be 0. Signed-off-by: Andreas Cadhalpun --- libavcodec/libopusdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index acc62f1..505ed57 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusde

Re: [libav-devel] [FFmpeg-devel] [PATCH] mpegts: prevent division by zero

2016-11-08 Thread Andreas Cadhalpun
On 08.11.2016 21:09, Michael Niedermayer wrote: > On Tue, Nov 08, 2016 at 07:47:02PM +0100, Andreas Cadhalpun wrote: >> On 08.11.2016 00:54, Michael Niedermayer wrote: >>> On Mon, Nov 07, 2016 at 11:49:52PM +0100, Andreas Cadhalpun wrote: >>>> Si

Re: [libav-devel] [FFmpeg-devel] [PATCH] mpegts: prevent division by zero

2016-11-08 Thread Andreas Cadhalpun
On 08.11.2016 00:54, Michael Niedermayer wrote: > On Mon, Nov 07, 2016 at 11:49:52PM +0100, Andreas Cadhalpun wrote: >> Signed-off-by: Andreas Cadhalpun >> --- >> libavformat/mpegts.c | 4 >> 1 file changed, 4 insertions(+) >> >> diff --git a/liba

[libav-devel] [PATCH] mpegts: prevent division by zero

2016-11-07 Thread Andreas Cadhalpun
Signed-off-by: Andreas Cadhalpun --- libavformat/mpegts.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index fad10c6..77d63f2 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2692,6 +2692,10 @@ static int mpegts_read_header

Re: [libav-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame

2016-11-07 Thread Andreas Cadhalpun
On 07.11.2016 22:52, Luca Barbato wrote: > On 07/11/2016 22:32, Andreas Cadhalpun wrote: >> This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with >> coded_width/coded_height larger than width/height. >> >> Signed-off-by: Andreas Cadhalpun >>

[libav-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame

2016-11-07 Thread Andreas Cadhalpun
This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with coded_width/coded_height larger than width/height. Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegpicture.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpegpicture.c

[libav-devel] [PATCH] lzf: update pointer p after realloc

2016-11-04 Thread Andreas Cadhalpun
This fixes heap-use-after-free detected by AddressSanitizer. Signed-off-by: Andreas Cadhalpun --- libavcodec/lzf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 409a7ff..5b7526e 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -53,6 +53,7

Re: [libav-devel] [PATCH] ppc: pixblockdsp: do unaligned block accesses correctly again

2016-11-03 Thread Andreas Cadhalpun
On 03.11.2016 22:06, Luca Barbato wrote: > On 03/11/2016 21:35, Andreas Cadhalpun wrote: >> On 03.11.2016 09:36, Luca Barbato wrote: >>> The patch makes sense only if line_size is not a multiple of 16 and >>> normally AVFrames have their linesizes multiple of 32 ... >

Re: [libav-devel] [PATCH] ppc: pixblockdsp: do unaligned block accesses correctly again

2016-11-03 Thread Andreas Cadhalpun
On 03.11.2016 09:36, Luca Barbato wrote: > On 02/11/2016 21:34, Andreas Cadhalpun wrote: >> Tested with qemu on ppc32be and ppc64be. > > How did you configure it? I used qemu-ppc64-static for ppc64be and 'export QEMU_CPU=7400_v2.9; qemu-ppc-static' for ppc32be.

[libav-devel] [PATCH] ppc: pixblockdsp: do unaligned block accesses correctly again

2016-11-02 Thread Andreas Cadhalpun
-dnxhd-edge3-hr fate-vsynth3-dnxhd-hr-sq-mov fate-vsynth3-dnxhd-hr-hq-mov Fixes trac ticket #5508. Signed-off-by: Andreas Cadhalpun --- Tested with qemu on ppc32be and ppc64be. --- libavcodec/ppc/pixblockdsp.c | 17 ++--- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-29 Thread Andreas Cadhalpun
On 27.01.2016 09:05, Anton Khirnov wrote: > Quoting Andreas Cadhalpun (2016-01-27 01:18:23) >> Could you explain in more detail what problem that would cause? >> The whitelist should simply be passed from http to tcp in that case. > > You have to go over all the (de)muxers t

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-26 Thread Andreas Cadhalpun
On 27.01.2016 01:21, Luca Barbato wrote: > On 27/01/16 01:15, Andreas Cadhalpun wrote: >> I think that at the very least the hls demuxer should always reject protocols >> internal to libavformat, like concat, as those simply do not belong into a >> hls >> playlist.

Re: [libav-devel] [PATCH] hls: Add a blacklist option

2016-01-26 Thread Andreas Cadhalpun
On 13.01.2016 18:14, Luca Barbato wrote: > concat can be abused to leak local file contents as url parameter. > > CC: libav-sta...@libav.org > Reported-By: Максим Андреев > --- > > Not sure if we want to add a whitelist option as well. > > libavformat/hls.c | 32 +++

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-26 Thread Andreas Cadhalpun
Hi Rémi, On 26.01.2016 19:49, Rémi Denis-Courmont wrote: > On Thursday 21 January 2016 23:03:25 Andreas Cadhalpun wrote: >> Why not fix the issue properly instead of removing useful functionality? > > By its very essence, the concat protocol allows for injection attacks with &

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-26 Thread Andreas Cadhalpun
On 26.01.2016 19:42, Anton Khirnov wrote: > Quoting Andreas Cadhalpun (2016-01-26 01:02:04) >> On 22.01.2016 13:37, Anton Khirnov wrote: >>> Just so it's clear what we're talking about, what is "properly" for you? >> >> That would be a more or

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-26 Thread Andreas Cadhalpun
On 26.01.2016 09:52, Luca Barbato wrote: > On 26/01/16 01:02, Andreas Cadhalpun wrote: >> On 22.01.2016 00:34, Luca Barbato wrote: >>> The ways to fix the specific problem: >>> >>> - provide a blacklist/whitelist option in hls (from me, first >>&

Re: [libav-devel] [FFmpeg-devel] [PATCH] svq1enc: fix out of bounds reads

2016-01-25 Thread Andreas Cadhalpun
On 22.01.2016 00:57, Michael Niedermayer wrote: > On Thu, Jan 21, 2016 at 11:04:14PM +0100, Andreas Cadhalpun wrote: >> level can be up to 5, but there are only four codebooks. >> >> Fixes ubsan runtime error: index 5 out of bounds for type 'int8_t >> [4][9

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-25 Thread Andreas Cadhalpun
On 22.01.2016 00:34, Luca Barbato wrote: > Let's try to make sure we are talking about the same problem here. > > by using hls you might craft a playlist containing a concat of a > playlist w/out a final new line. > > So you would send the initial part of the file together with the url. > > This

Re: [libav-devel] [PATCH] svq1enc: fix out of bounds reads

2016-01-21 Thread Andreas Cadhalpun
On 21.01.2016 23:24, Luca Barbato wrote: > On 21/01/16 23:04, Andreas Cadhalpun wrote: >> level can be up to 5, but there are only four codebooks. >> >> Fixes ubsan runtime error: index 5 out of bounds for type 'int8_t >> [4][96]' >> >> Signed

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-21 Thread Andreas Cadhalpun
On 21.01.2016 23:21, Luca Barbato wrote: > On 21/01/16 23:03, Andreas Cadhalpun wrote: >> Why not fix the issue properly instead of removing useful functionality? > > It is not exactly useful (since it is quite unwieldy) But I'm sure it's used in quite some sc

Re: [libav-devel] [PATCH] lavf: remove the concat protocol

2016-01-21 Thread Andreas Cadhalpun
On 20.01.2016 13:42, Anton Khirnov wrote: > It is of very limited usefulness and is a source of important security > problems. > > Bug-Id: CVE-2016-1897 > Bug-Id: CVE-2016-1898 > --- > Changelog| 1 + > doc/protocols.texi | 26 --- > libavformat/Makefile | 1 - >

[libav-devel] [PATCH] svq1enc: fix out of bounds reads

2016-01-21 Thread Andreas Cadhalpun
level can be up to 5, but there are only four codebooks. Fixes ubsan runtime error: index 5 out of bounds for type 'int8_t [4][96]' Signed-off-by: Andreas Cadhalpun --- libavcodec/svq1enc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/s

Re: [libav-devel] [PATCH] dca: fix misaligned access in avpriv_dca_convert_bitstream

2016-01-13 Thread Andreas Cadhalpun
On 13.01.2016 08:01, Luca Barbato wrote: > On 13/01/16 00:56, Andreas Cadhalpun wrote: >> src and dst are only 8-bit-aligned, so accessing them as uint16_t causes >> SIGBUS crashes on architectures like sparc. >> >> This fixes ubsan runtime error: load of misaligned

[libav-devel] [PATCH] dca: fix misaligned access in avpriv_dca_convert_bitstream

2016-01-12 Thread Andreas Cadhalpun
src and dst are only 8-bit-aligned, so accessing them as uint16_t causes SIGBUS crashes on architectures like sparc. This fixes ubsan runtime error: load of misaligned address for type 'const uint16_t', which requires 2 byte alignment Signed-off-by: Andreas Cadhalpun --- libavcodec

Re: [libav-devel] [PATCH 1/2] asfdec: only set asf_pkt->data_size after sanity checks

2016-01-07 Thread Andreas Cadhalpun
On 06.01.2016 07:34, Alexandra Hájková wrote: > From: Andreas Cadhalpun > > Otherwise invalid values are used unchecked in the next run. > This can cause NULL pointer dereferencing. > > Signed-off-by: Andreas Cadhalpun > --- > Rebased patch. Thanks. > -a

[libav-devel] [PATCH 4/5] asfdec_o: break if EOF is reached after asf_read_packet_header

2016-01-06 Thread Andreas Cadhalpun
asf_read_payload can unset eof_reached, so check it also before calling that function. This fixes infinite loops. Signed-off-by: Andreas Cadhalpun --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 4a3c815

[libav-devel] [PATCH 5/5] asfdec_o: check for too small size in asf_read_unknown

2016-01-06 Thread Andreas Cadhalpun
This fixes infinite loops due to seeking back. --- libavformat/asfdec_o.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index ca4a066..bc79f10 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -190,8 +190

[libav-devel] [PATCH 3/5] asfdec_o: make sure packet_size is non-zero before seeking

2016-01-06 Thread Andreas Cadhalpun
This fixes infinite loops due to seeking back. --- libavformat/asfdec_o.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index b81519f..4a3c815 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1287,6 +1287,10 @@ static in

[libav-devel] [PATCH 2/5] asfdec_o: prevent overflow causing seekback

2016-01-06 Thread Andreas Cadhalpun
This fixes infinite loops. Signed-off-by: Andreas Cadhalpun --- libavformat/asfdec_o.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index bc168d3..b81519f 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c

[libav-devel] [PATCH 1/5] asfdec_o: check avio_skip in asf_read_simple_index

2016-01-06 Thread Andreas Cadhalpun
The loop can be very long, even though the file is very short. Signed-off-by: Andreas Cadhalpun --- libavformat/asfdec_o.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 02809bb..bc168d3 100644 --- a/libavformat

Re: [libav-devel] [PATCH 1/2] asfdec_o: only set asf_pkt->data_size after sanity checks

2016-01-05 Thread Andreas Cadhalpun
On 05.01.2016 16:30, Diego Biurrun wrote: > The demuxer worked perfectly with all available samples at the time, > better in fact with some samples. It has received some improvements > since. Remind me why there is still a reason to have two demuxers. The new demuxer still crashes, as the need f

Re: [libav-devel] [PATCH 1/2] asfdec_o: only set asf_pkt->data_size after sanity checks

2016-01-05 Thread Andreas Cadhalpun
On 05.01.2016 14:32, Luca Barbato wrote: > On 05/01/16 13:25, Andreas Cadhalpun wrote: >> Otherwise invalid values are used unchecked in the next run. >> This can cause NULL pointer dereferencing. >> >> Signed-off-by: Andreas Cadhalpun >> --

[libav-devel] [PATCH 2/2] asfdec_o: reject size > INT64_MAX in asf_read_unknown

2016-01-05 Thread Andreas Cadhalpun
Both avio_skip and detect_unknown_subobject use int64_t for the size parameter. This fixes a segmentation fault due to infinite recursion. Signed-off-by: Andreas Cadhalpun --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat

[libav-devel] [PATCH 1/2] asfdec_o: only set asf_pkt->data_size after sanity checks

2016-01-05 Thread Andreas Cadhalpun
Otherwise invalid values are used unchecked in the next run. This can cause NULL pointer dereferencing. Signed-off-by: Andreas Cadhalpun --- libavformat/asfdec_o.c | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat

[libav-devel] [PATCH] avpacket: fix size check in packet_alloc

2016-01-05 Thread Andreas Cadhalpun
The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE to -1. This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Signed-off-by: Andreas Cadhalpun --- libavcodec/avpacket.c | 2 +- 1 file changed, 1 inser

Re: [libav-devel] [FFmpeg-devel] [PATCH 2/3] vorbisdec: replace get_bits with get_bitsz where n can be 0

2016-01-03 Thread Andreas Cadhalpun
On 03.01.2016 22:50, Michael Niedermayer wrote: > On Sun, Jan 03, 2016 at 07:50:39PM +0100, Andreas Cadhalpun wrote: >> vorbisdec.c |5 + >> 1 file changed, 5 insertions(+) >> ba151dadb72b6c74e1139decf4b32c8676ddc58e >> 0001-vorbisdec-rejec

Re: [libav-devel] [FFmpeg-devel] [PATCH 2/3] vorbisdec: replace get_bits with get_bitsz where n can be 0

2016-01-03 Thread Andreas Cadhalpun
On 03.01.2016 02:41, Michael Niedermayer wrote: > On Sun, Jan 03, 2016 at 01:36:13AM +0100, Andreas Cadhalpun wrote: >> get_bits is documented to only support reading 1-25 bits. >> get_bitsz was added for this purpose. >> >> Signed-off-by: Andreas Cadhalpun >> -

Re: [libav-devel] [FFmpeg-devel] [PATCH 1/3] get_bits: add get_bitsz for reading 0-25 bits

2016-01-03 Thread Andreas Cadhalpun
On 03.01.2016 02:03, Michael Niedermayer wrote: > On Sun, Jan 03, 2016 at 01:35:39AM +0100, Andreas Cadhalpun wrote: >> --- a/libavcodec/get_bits.h >> +++ b/libavcodec/get_bits.h >> @@ -269,6 +269,14 @@ static inline unsigned int get_bits(GetBitContext *s, >>

Re: [libav-devel] [PATCH] vorbisdec: avoid calling get_bits to read 0 bits

2016-01-02 Thread Andreas Cadhalpun
On 03.01.2016 00:16, Luca Barbato wrote: > On 02/01/16 23:46, Andreas Cadhalpun wrote: >> Maybe, but on the other hand there are only about a dozen or so places in >> the complete code base that would benefit from that. >> >> Do you think that's enough to justif

[libav-devel] [PATCH 3/3] lavc: use get_bitsz to simplify the code

2016-01-02 Thread Andreas Cadhalpun
Signed-off-by: Andreas Cadhalpun --- libavcodec/atrac3plus.c| 13 + libavcodec/escape124.c | 2 +- libavcodec/hevc.c | 2 +- libavcodec/hevc_parser.c | 2 +- libavcodec/mpegaudiodec_template.c | 7 --- libavcodec/wavpack.c

[libav-devel] [PATCH 2/3] vorbisdec: replace get_bits with get_bitsz where n can be 0

2016-01-02 Thread Andreas Cadhalpun
get_bits is documented to only support reading 1-25 bits. get_bitsz was added for this purpose. Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index f773afa

[libav-devel] [PATCH 1/3] get_bits: add get_bitsz for reading 0-25 bits

2016-01-02 Thread Andreas Cadhalpun
This can be used to simplify code in a couple of places. Signed-off-by: Andreas Cadhalpun --- libavcodec/get_bits.h | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0a61c80..f984d3e 100644 --- a/libavcodec/get_bits.h +++ b

Re: [libav-devel] [PATCH] vorbisdec: avoid calling get_bits to read 0 bits

2016-01-02 Thread Andreas Cadhalpun
On 02.01.2016 23:36, Luca Barbato wrote: > On 02/01/16 23:26, Andreas Cadhalpun wrote: >> On 02.01.2016 23:03, Luca Barbato wrote: >>> On 02/01/16 20:01, Andreas Cadhalpun wrote: >>>> It's documented to only support reading 1-25 bits. >>

Re: [libav-devel] [PATCH] vorbisdec: avoid calling get_bits to read 0 bits

2016-01-02 Thread Andreas Cadhalpun
On 02.01.2016 23:03, Luca Barbato wrote: > On 02/01/16 20:01, Andreas Cadhalpun wrote: >> It's documented to only support reading 1-25 bits. >> >> Signed-off-by: Andreas Cadhalpun >> --- >> libavcodec/vorbisdec.c | 4 ++-- >> 1 file changed, 2 inse

[libav-devel] [PATCH] vorbisdec: avoid calling get_bits to read 0 bits

2016-01-02 Thread Andreas Cadhalpun
It's documented to only support reading 1-25 bits. Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index f773afa..1db8bd8 100644 --- a/libavcodec/vorbisdec.c

Re: [libav-devel] [PATCH] nutdec: only copy the header if it exists

2015-12-19 Thread Andreas Cadhalpun
On 18.12.2015 23:11, Luca Barbato wrote: > On 18/12/15 20:12, Andreas Cadhalpun wrote: >> On 18.12.2015 20:06, Luca Barbato wrote: >>> On 18/12/15 19:05, Andreas Cadhalpun wrote: >>>> On 18.12.2015 18:53, Luca Barbato wrote: >>>>> On 18/12/15 17:24,

Re: [libav-devel] [FFmpeg-devel] [PATCH] xwddec: prevent overflow of lsize * avctx->height

2015-12-19 Thread Andreas Cadhalpun
On 19.12.2015 01:32, Michael Niedermayer wrote: > On Fri, Dec 18, 2015 at 08:13:06PM +0100, Andreas Cadhalpun wrote: >> xwddec.c |6 ++ >> 1 file changed, 6 insertions(+) >> 0be27d89a669445b523bfdac99884065e3581f3c >> 0001-xwddec-prevent-overflow-of-lsize

Re: [libav-devel] [PATCH] xwddec: prevent overflow of lsize * avctx->height

2015-12-18 Thread Andreas Cadhalpun
On 18.12.2015 20:08, Luca Barbato wrote: > On 18/12/15 20:04, Andreas Cadhalpun wrote: >> This is used to check if the input buffer is large enough, so if this >> overflows it can cause a false negative leading to a segmentation fault >> in bytestream2_get_bufferu. >>

Re: [libav-devel] [PATCH] nutdec: only copy the header if it exists

2015-12-18 Thread Andreas Cadhalpun
On 18.12.2015 20:06, Luca Barbato wrote: > On 18/12/15 19:05, Andreas Cadhalpun wrote: >> On 18.12.2015 18:53, Luca Barbato wrote: >>> On 18/12/15 17:24, Andreas Cadhalpun wrote: >>>> Fixes runtime error: null pointer passed as argument 2, which is >>>>

[libav-devel] [PATCH] xwddec: prevent overflow of lsize * avctx->height

2015-12-18 Thread Andreas Cadhalpun
This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Signed-off-by: Andreas Cadhalpun --- libavcodec/xwddec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a

Re: [libav-devel] [PATCH] nutdec: only copy the header if it exists

2015-12-18 Thread Andreas Cadhalpun
On 18.12.2015 18:53, Luca Barbato wrote: > On 18/12/15 17:24, Andreas Cadhalpun wrote: >> Fixes runtime error: null pointer passed as argument 2, which is >> declared to never be null >> >> Signed-off-by: Andreas Cadhalpun >> --- >> libavformat/nutdec.c |

[libav-devel] [PATCH] nutdec: only copy the header if it exists

2015-12-18 Thread Andreas Cadhalpun
Fixes runtime error: null pointer passed as argument 2, which is declared to never be null Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 47ae7a7..3aa7a88 100644

Re: [libav-devel] [PATCH] nuv: reject negative fps rate

2015-12-18 Thread Andreas Cadhalpun
On 18.12.2015 15:46, Anton Khirnov wrote: > Quoting Luca Barbato (2015-12-18 15:36:33) >> On 18/12/15 15:25, Andreas Cadhalpun wrote: >>> On 18.12.2015 12:00, Luca Barbato wrote: >>>> b- mark the framerate as invalid >>> >>> How does one do t

Re: [libav-devel] [FFmpeg-devel] [PATCH] nuv: reject negative fps rate

2015-12-18 Thread Andreas Cadhalpun
On 18.12.2015 01:12, Michael Niedermayer wrote: > On Thu, Dec 17, 2015 at 11:03:15PM +0100, Andreas Cadhalpun wrote: >> On 16.12.2015 23:53, Michael Niedermayer wrote: >>> On Wed, Dec 16, 2015 at 08:56:55PM +0100, Andreas Cadhalpun wrote: >>>> Si

Re: [libav-devel] [PATCH] nuv: reject negative fps rate

2015-12-18 Thread Andreas Cadhalpun
On 18.12.2015 12:00, Luca Barbato wrote: > On 17/12/15 23:01, Andreas Cadhalpun wrote: >> On 16.12.2015 22:18, Luca Barbato wrote: >>> On 16/12/15 20:56, Andreas Cadhalpun wrote: >>>> Signed-off-by: Andreas Cadhalpun >>>> --- >>>> libavfo

Re: [libav-devel] [FFmpeg-devel] [PATCH] on2avc: limit number of bits to 30 in get_egolomb

2015-12-17 Thread Andreas Cadhalpun
On 17.12.2015 13:28, Michael Niedermayer wrote: > On Wed, Dec 16, 2015 at 08:20:18PM +0100, Andreas Cadhalpun wrote: >> More don't fit into the integer output. >> >> Also use get_bits_long, since get_bits only supports reading up to 25 >> bits, while get_bits_long

Re: [libav-devel] [FFmpeg-devel] [PATCH] on2avc: limit number of bits to 30 in get_egolomb

2015-12-17 Thread Andreas Cadhalpun
On 17.12.2015 10:54, Hendrik Leppkes wrote: > On Wed, Dec 16, 2015 at 8:20 PM, Andreas Cadhalpun > wrote: >> More don't fit into the integer output. >> >> Also use get_bits_long, since get_bits only supports reading up to 25 >> bits, while get_bits_l

Re: [libav-devel] [PATCH] on2avc: limit number of bits to 30 in get_egolomb

2015-12-17 Thread Andreas Cadhalpun
On 16.12.2015 22:26, Luca Barbato wrote: > On 16/12/15 20:20, Andreas Cadhalpun wrote: >> More don't fit into the integer output. >> >> Also use get_bits_long, since get_bits only supports reading up to 25 >> bits, while get_bits_long supports the full integer ran

Re: [libav-devel] [FFmpeg-devel] [PATCH] nuv: reject negative fps rate

2015-12-17 Thread Andreas Cadhalpun
On 16.12.2015 23:53, Michael Niedermayer wrote: > On Wed, Dec 16, 2015 at 08:56:55PM +0100, Andreas Cadhalpun wrote: >> Signed-off-by: Andreas Cadhalpun >> --- >> libavformat/nuv.c | 4 >> 1 file changed, 4 insertions(+) > > looks logical I am not nuv mai

Re: [libav-devel] [PATCH] nuv: reject negative fps rate

2015-12-17 Thread Andreas Cadhalpun
On 16.12.2015 22:18, Luca Barbato wrote: > On 16/12/15 20:56, Andreas Cadhalpun wrote: >> Signed-off-by: Andreas Cadhalpun >> --- >> libavformat/nuv.c | 4 >> 1 file changed, 4 insertions(+) >> >> diff --git a/libavformat/nuv.c b/libavformat/nuv.c &g

[libav-devel] [PATCH] nuv: reject negative fps rate

2015-12-16 Thread Andreas Cadhalpun
Signed-off-by: Andreas Cadhalpun --- libavformat/nuv.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 2a1b70f..4cb28d5 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,10 @@ static int nuv_header(AVFormatContext *s

[libav-devel] [PATCH] on2avc: limit number of bits to 30 in get_egolomb

2015-12-16 Thread Andreas Cadhalpun
More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Signed-off-by: Andreas Cadhalpun --- libavcodec/on2avc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

Re: [libav-devel] [PATCH] opus_silk: fix out of array read in silk_lsf2lpc

2015-12-15 Thread Andreas Cadhalpun
72f0f740730996ded Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 22:00:31 +0100 Subject: [PATCH] opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can

Re: [libav-devel] [PATCH] exr: fix out of bounds read in get_code

2015-12-14 Thread Andreas Cadhalpun
On 14.12.2015 22:37, Luca Barbato wrote: > On 13/12/15 23:37, Andreas Cadhalpun wrote: >> This macro unconditionally used out[-1], which causes an out of bounds >> read, if out is the very beginning of the buffer. >> >> Signed-off-by: Andreas Cadhalpun >&

Re: [libav-devel] [FFmpeg-devel] [PATCH] opus_silk: fix out of array read in silk_lsf2lpc

2015-12-14 Thread Andreas Cadhalpun
On 14.12.2015 22:34, Luca Barbato wrote: > On 14/12/15 20:43, Andreas Cadhalpun wrote: >> +nlsf[i] = FFMIN(nlsf[i - 1] + min_delta[i], INT16_MAX); > > maybe av_clip_int16 ? Sure, updated patch attached. Best regards, Andreas From 2894ea930251562c1551b1c5326fc4af2

Re: [libav-devel] [FFmpeg-devel] [PATCH] opus_silk: fix out of array read in silk_lsf2lpc

2015-12-14 Thread Andreas Cadhalpun
On 14.12.2015 02:38, Michael Niedermayer wrote: > On Sun, Dec 13, 2015 at 10:51:31PM +0100, Andreas Cadhalpun wrote: >> nlsf can be negative, but a negative index for silk_cosine doesn't work. >> --- >> libavcodec/opus_silk.c | 2 +- >> 1 file changed, 1 insert

[libav-devel] [PATCH] exr: fix out of bounds read in get_code

2015-12-13 Thread Andreas Cadhalpun
This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index

[libav-devel] [PATCH] opus_silk: fix out of array read in silk_lsf2lpc

2015-12-13 Thread Andreas Cadhalpun
nlsf can be negative, but a negative index for silk_cosine doesn't work. --- libavcodec/opus_silk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 841d1ed..3ac83b8 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_s

Re: [libav-devel] [RFC] [PATCH] lavc: Drop exporting 2-pass encoding stats

2015-12-04 Thread Andreas Cadhalpun
On 03.12.2015 01:53, Vittorio Giovara wrote: > On Wed, Dec 2, 2015 at 1:53 PM, Andreas Cadhalpun > wrote: >> So this deprecating seems fine, but an entry in APIchanges would be nice. > > I'm hesitant about this, this removal, and the changes from global > to codec

Re: [libav-devel] [RFC] [PATCH] lavc: Drop exporting 2-pass encoding stats

2015-12-02 Thread Andreas Cadhalpun
On 30.11.2015 18:19, Vittorio Giovara wrote: > These variables leaked from mpegvideoenc where they are supposedly used for > statistics. However they might very well be private, and, due to their > absolute lack of documentation, they are hardly used in the wild. Despite > being write-only there are opt

Re: [libav-devel] [PATCH] lavc: Deprecate coder_type and its symbols

2015-12-02 Thread Andreas Cadhalpun
On 30.11.2015 18:17, Vittorio Giovara wrote: > Most option values are simply unused or ignored and in practice the > majority of codecs only need to check whether to enable rle or not. > > Add appropriate codec private options which better expose the allowed > features. > > Signed-off-by: Vittorio

Re: [libav-devel] [PATCH] lavc: Deprecate rtp_callback field

2015-11-20 Thread Andreas Cadhalpun
On 20.11.2015 13:17, Luca Barbato wrote: > On 20/11/15 12:36, Vittorio Giovara wrote: > >> Martin, I am aware of what was explained, > > Andreas seemed to have missed your previous explanation and Martin's. I missed neither, but apparently you missed that. >> If you still prefer that I complete

Re: [libav-devel] [PATCH] lavc: Deprecate rtp_callback field

2015-11-19 Thread Andreas Cadhalpun
On 19.11.2015 09:45, Vittorio Giovara wrote: > This function returns the encoded data of a frame, one slice at a time > directly when that slice is encoded, instead of waiting for the full > frame to be done. However this field has a debatable usefulness, since > it looks like it is just a convolut

[libav-devel] [PATCH] hqx: correct type and size check of info_offset

2015-11-15 Thread Andreas Cadhalpun
It is used as size argument of ff_canopus_parse_info_tag, which uses it as size argument to bytestream2_init, which only supports sizes up to INT_MAX. Changing its type to unsigned simplifies the check. Signed-off-by: Andreas Cadhalpun --- libavcodec/hqx.c | 4 ++-- 1 file chang

Re: [libav-devel] [PATCH 3/4] dds: make sure pallete frame buffer exists before use

2015-11-13 Thread Andreas Cadhalpun
? :) Like all the other: with afl [1]. It's really good at finding weird cases. ;) Best regards, Andreas 1: http://lcamtuf.coredump.cx/afl/ >From 6e55b4c60e93168236c0f05e67e89f0007da Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 13 Nov 2015 21:48:27 +0100 Subject: [PATCH]

Re: [libav-devel] [PATCH] dvdsubdect: Validate the offsets

2015-11-12 Thread Andreas Cadhalpun
On 11.11.2015 23:09, Luca Barbato wrote: > On 11/11/15 22:05, Andreas Cadhalpun wrote: >> On 11.11.2015 20:11, Luca Barbato wrote: >>> CC: libav-sta...@libav.org >>> --- >>> libavcodec/dvdsubdec.c | 6 +- >>> 1 file changed, 5 insertions(+),

Re: [libav-devel] [PATCH 3/4] dds: make sure pallete frame buffer exists before use

2015-11-12 Thread Andreas Cadhalpun
On 12.11.2015 04:38, Vittorio Giovara wrote: > On Wed, Nov 11, 2015 at 8:29 PM, Andreas Cadhalpun > wrote: >> On 11.11.2015 12:28, Vittorio Giovara wrote: >>> On Wed, Nov 11, 2015 at 1:16 AM, Andreas Cadhalpun >>> wrote: >>>> Otherwise it causes a

Re: [libav-devel] [PATCH] dvdsubdect: Validate the offsets

2015-11-11 Thread Andreas Cadhalpun
On 11.11.2015 20:11, Luca Barbato wrote: > CC: libav-sta...@libav.org > --- > libavcodec/dvdsubdec.c | 6 +- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c > index 15c49c4..0969c71 100644 > --- a/libavcodec/dvdsubdec.c > +++ b

Re: [libav-devel] [PATCH 2/4] dds: validate compressed source buffer size

2015-11-11 Thread Andreas Cadhalpun
On 11.11.2015 12:31, Vittorio Giovara wrote: > On Wed, Nov 11, 2015 at 1:15 AM, Andreas Cadhalpun > wrote: >> A too small buffer will cause segfaults somewhere below >> decompress_texture_thread. >> >> Signed-off-by: Andreas Cadhalpun >> --- >> libavco

Re: [libav-devel] [PATCH 3/4] dds: make sure pallete frame buffer exists before use

2015-11-11 Thread Andreas Cadhalpun
On 11.11.2015 12:28, Vittorio Giovara wrote: > On Wed, Nov 11, 2015 at 1:16 AM, Andreas Cadhalpun > wrote: >> Otherwise it causes a NULL pointer dereference of frame->data[1]. >> >> Signed-off-by: Andreas Cadhalpun >> --- >> libavcodec/dds.c | 5

[libav-devel] [PATCH 2/4] dds: validate compressed source buffer size

2015-11-10 Thread Andreas Cadhalpun
A too small buffer will cause segfaults somewhere below decompress_texture_thread. Signed-off-by: Andreas Cadhalpun --- libavcodec/dds.c | 9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 324e665..c918cf0 100644 --- a/libavcodec/dds.c +++ b

[libav-devel] [PATCH 4/4] dds: add missing newline to log messages

2015-11-10 Thread Andreas Cadhalpun
Signed-off-by: Andreas Cadhalpun --- libavcodec/dds.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index fe36709..4d68b33 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -599,14 +599,14 @@ static int dds_decode(AVCodecContext

[libav-devel] [PATCH 3/4] dds: make sure pallete frame buffer exists before use

2015-11-10 Thread Andreas Cadhalpun
Otherwise it causes a NULL pointer dereference of frame->data[1]. Signed-off-by: Andreas Cadhalpun --- libavcodec/dds.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index c918cf0..fe36709 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dd

[libav-devel] [PATCH 1/4] dds: validate source buffer size before copying

2015-11-10 Thread Andreas Cadhalpun
If it is too small av_image_copy_plane segfaults. Signed-off-by: Andreas Cadhalpun --- libavcodec/dds.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index a604d56..324e665 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -666,6 +666,12

[libav-devel] [PATCH] dvdsubdec: validate offset2 similar to offset1

2015-11-10 Thread Andreas Cadhalpun
If it is negative, it causes segmentation faults in decode_rle. Signed-off-by: Andreas Cadhalpun --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index ee06d55..014b0a3 100644 --- a/libavcodec

Re: [libav-devel] [PATCH] lavc: Deprecate rtp_callback field

2015-11-07 Thread Andreas Cadhalpun
On 07.11.2015 14:52, Luca Barbato wrote: > On 07/11/15 00:08, Andreas Cadhalpun wrote: > >> 1: >> https://sources.debian.net/src/opal/3.10.10~dfsg2-1/plugins/video/H.263-1998/h263-1998.cxx/?hl=600#L600 > > Downstream dropped it since a while. Not quite, they just

Re: [libav-devel] [PATCH] lavc: Deprecate rtp_callback field

2015-11-06 Thread Andreas Cadhalpun
On 06.11.2015 23:52, Vittorio Giovara wrote: > On Fri, Nov 6, 2015 at 9:59 PM, Andreas Cadhalpun > wrote: >> On 06.11.2015 21:42, Vittorio Giovara wrote: >>> On Fri, Nov 6, 2015 at 7:44 PM, Andreas Cadhalpun >>> wrote: >>>> On 06.11.2015 14:56, Vittorio
