[libav-commits] siff: Use the correct type for packet size variables

2015-03-09 Thread Vittorio Giovara 
Module: libav
Branch: master
Commit: ad94c6ca0b86c463f476b26606259a2041dcddc9

Author:Vittorio Giovara vittorio.giov...@gmail.com
Committer: Vittorio Giovara vittorio.giov...@gmail.com
Date:  Sun Mar  8 23:59:58 2015 +

siff: Use the correct type for packet size variables

The avio functions used here return an unsigned value.
Also reduce a variable scope.

CC: libav-sta...@libav.org
Bug-Id: CID 1258461

---

 libavformat/siff.c |   17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/libavformat/siff.c b/libavformat/siff.c
index cf71514..d97c8b0 100644
--- a/libavformat/siff.c
+++ b/libavformat/siff.c
@@ -53,11 +53,11 @@ typedef struct SIFFContext {
 int has_audio;
 
 int curstrm;
-int pktsize;
+unsigned int pktsize;
 int gmcsize;
 int sndsize;
 
-int flags;
+unsigned int flags;
 uint8_t gmc[4];
 } SIFFContext;
 
@@ -189,9 +189,9 @@ static int siff_read_header(AVFormatContext *s)
 static int siff_read_packet(AVFormatContext *s, AVPacket *pkt)
 {
 SIFFContext *c = s-priv_data;
-int size;
 
 if (c-has_video) {
+unsigned int size;
 if (c-cur_frame = c-frames)
 return AVERROR(EIO);
 if (c-curstrm == -1) {
@@ -215,10 +215,11 @@ static int siff_read_packet(AVFormatContext *s, AVPacket 
*pkt)
 pkt-stream_index = 0;
 c-curstrm= -1;
 } else {
-if ((size = av_get_packet(s-pb, pkt, c-sndsize - 4))  0)
+int pktsize = av_get_packet(s-pb, pkt, c-sndsize - 4);
+if (pktsize  0)
 return AVERROR(EIO);
 pkt-stream_index = 1;
-pkt-duration = size;
+pkt-duration = pktsize;
 c-curstrm= 0;
 }
 if (!c-cur_frame || c-curstrm)
@@ -226,10 +227,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket 
*pkt)
 if (c-curstrm == -1)
 c-cur_frame++;
 } else {
-size = av_get_packet(s-pb, pkt, c-block_align);
-if (size = 0)
+int pktsize = av_get_packet(s-pb, pkt, c-block_align);
+if (pktsize = 0)
 return AVERROR(EIO);
-pkt-duration = size;
+pkt-duration = pktsize;
 }
 return pkt-size;
 }

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] libvpx: Fix mixed use of av_malloc() and av_reallocp()

2015-03-09 Thread Vittorio Giovara 
Module: libav
Branch: master
Commit: 93f7948136fcda8ddbbc44a6c24418f11ca829b8

Author:Vittorio Giovara vittorio.giov...@gmail.com
Committer: Vittorio Giovara vittorio.giov...@gmail.com
Date:  Sun Mar  8 21:08:16 2015 +

libvpx: Fix mixed use of av_malloc() and av_reallocp()

This buffer is resized when vpx_codec_get_cx_data() returns a
VPX_CODEC_STATS_PKT packet.

CC: libav-sta...@libav.org
Signed-off-by: Vittorio Giovara vittorio.giov...@gmail.com

---

 libavcodec/libvpxenc.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c
index 8ff7b28..4164769 100644
--- a/libavcodec/libvpxenc.c
+++ b/libavcodec/libvpxenc.c
@@ -292,7 +292,7 @@ static av_cold int vpx_init(AVCodecContext *avctx,
 if (enccfg.g_pass == VPX_RC_FIRST_PASS)
 enccfg.g_lag_in_frames = 0;
 else if (enccfg.g_pass == VPX_RC_LAST_PASS) {
-int decode_size;
+int decode_size, ret;
 
 if (!avctx-stats_in) {
 av_log(avctx, AV_LOG_ERROR, No stats file for second pass\n);
@@ -300,12 +300,12 @@ static av_cold int vpx_init(AVCodecContext *avctx,
 }
 
 ctx-twopass_stats.sz  = strlen(avctx-stats_in) * 3 / 4;
-ctx-twopass_stats.buf = av_malloc(ctx-twopass_stats.sz);
-if (!ctx-twopass_stats.buf) {
+ret = av_reallocp(ctx-twopass_stats.buf, ctx-twopass_stats.sz);
+if (ret  0) {
 av_log(avctx, AV_LOG_ERROR,
Stat buffer alloc (%zu bytes) failed\n,
ctx-twopass_stats.sz);
-return AVERROR(ENOMEM);
+return ret;
 }
 decode_size = av_base64_decode(ctx-twopass_stats.buf, avctx-stats_in,
ctx-twopass_stats.sz);

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] matroskaenc: Also validate chapter end time

2015-03-09 Thread Vittorio Giovara 
Module: libav
Branch: master
Commit: 9f25a109922da43c1f81273a431d3b40cb5a785a

Author:Vittorio Giovara vittorio.giov...@gmail.com
Committer: Vittorio Giovara vittorio.giov...@gmail.com
Date:  Mon Mar  9 00:05:30 2015 +

matroskaenc: Also validate chapter end time

This prevents it to be written as unsigned. Also add an error message.

CC: libav-sta...@libav.org
Bug-Id: CID 1265717

---

 libavformat/matroskaenc.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index 8688616..f4d2665 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -920,8 +920,11 @@ static int mkv_write_chapters(AVFormatContext *s)
 int chapterstart = av_rescale_q(c-start, c-time_base, scale);
 int chapterend   = av_rescale_q(c-end,   c-time_base, scale);
 AVDictionaryEntry *t = NULL;
-if (chapterstart  0 || chapterstart  chapterend)
+if (chapterstart  0 || chapterstart  chapterend || chapterend  0) {
+av_log(s, AV_LOG_ERROR, Invalid chapter start (%d) or end 
(%d).\n,
+   chapterstart, chapterend);
 return AVERROR_INVALIDDATA;
+}
 
 chapteratom = start_ebml_master(pb, MATROSKA_ID_CHAPTERATOM, 0);
 put_ebml_uint(pb, MATROSKA_ID_CHAPTERUID, c-id);

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] rtpdec_hevc: Drop extra sanity check for size of input packet

2015-03-09 Thread Vittorio Giovara 
Module: libav
Branch: master
Commit: bfeb83a8b7d3fcf09a54d8dbc9c521e10bb17530

Author:Vittorio Giovara vittorio.giov...@gmail.com
Committer: Vittorio Giovara vittorio.giov...@gmail.com
Date:  Sun Mar  8 23:42:59 2015 +

rtpdec_hevc: Drop extra sanity check for size of input packet

In this case len is always at least 3, since it is checked against
RTP_HEVC_PAYLOAD_HEADER_SIZE + 1 before entering the switch block.

Bug-Id: CID 1238784

---

 libavformat/rtpdec_hevc.c |8 
 1 file changed, 8 deletions(-)

diff --git a/libavformat/rtpdec_hevc.c b/libavformat/rtpdec_hevc.c
index 4ec9767..ef47388 100644
--- a/libavformat/rtpdec_hevc.c
+++ b/libavformat/rtpdec_hevc.c
@@ -245,14 +245,6 @@ static int hevc_handle_packet(AVFormatContext *ctx, 
PayloadContext *rtp_hevc_ctx
 case 39:
 /* single NAL unit packet */
 default:
-/* sanity check for size of input packet: 1 byte payload at least */
-if (len  1) {
-av_log(ctx, AV_LOG_ERROR,
-   Too short RTP/HEVC packet, got %d bytes of NAL unit type 
%d\n,
-   len, nal_type);
-return AVERROR_INVALIDDATA;
-}
-
 /* create A/V packet */
 if ((res = av_new_packet(pkt, sizeof(start_sequence) + len))  0)
 return res;

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] doc: More changelog updates for v0.8.17

2015-03-09 Thread Reinhard Tartler 
Module: libav
Branch: release/0.8
Commit: 0e810255596070e2c503c5da9001f7087f71de6e

Author:Reinhard Tartler siret...@tauware.de
Committer: Reinhard Tartler siret...@tauware.de
Date:  Mon Mar  9 22:11:14 2015 -0400

doc: More changelog updates for v0.8.17

---

 Changelog |1 +
 1 file changed, 1 insertion(+)

diff --git a/Changelog b/Changelog
index ed35b61..ecbb6ef 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,7 @@ releases are sorted from youngest to oldest.
 
 version 0.8.17:
 
+- utvideodec: Handle slice_height being zero (CVE-2014-9604)
 - tiff: Check that there is no aliasing in pixel format selection 
(CVE-2014-8544)
 - rmenc: limit packet size
 - eamad: check for out of bounds read (CID/1257500)

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] utvideodec: Handle slice_height being zero

2015-03-09 Thread Michael Niedermayer 
Module: libav
Branch: release/0.8
Commit: 335ec616cc38ee6206a3acebd46d01aad73d721b

Author:Michael Niedermayer michae...@gmx.at
Committer: Reinhard Tartler siret...@tauware.de
Date:  Wed Mar  4 17:36:14 2015 +

utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-sta...@libav.org
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara vittorio.giov...@gmail.com
Signed-off-by: Luca Barbato lu_z...@gentoo.org
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)
(cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded)
Signed-off-by: Reinhard Tartler siret...@tauware.de
(cherry picked from commit e032e647dd79e7748145792dfee0358eccb1982e)
Signed-off-by: Reinhard Tartler siret...@tauware.de
(cherry picked from commit 789f433bc6376e6e45d41ae491007d482fa1df85)

Conflicts:
libavcodec/utvideodec.c

---

 libavcodec/utvideo.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/utvideo.c b/libavcodec/utvideo.c
index fdce255..b889ae9 100644
--- a/libavcodec/utvideo.c
+++ b/libavcodec/utvideo.c
@@ -246,6 +246,8 @@ static void restore_median(uint8_t *src, int step, int 
stride,
 for (slice = 0; slice  slices; slice++) {
 slice_start = ((slice * height) / slices)  cmask;
 slice_height = slice + 1) * height) / slices)  cmask) - 
slice_start;
+if (!slice_height)
+continue;
 
 bsrc = src + slice_start * stride;
 
@@ -301,6 +303,8 @@ static void restore_median_il(uint8_t *src, int step, int 
stride,
 slice_start= ((slice * height) / slices)  cmask;
 slice_height   = slice + 1) * height) / slices)  cmask) - 
slice_start;
 slice_height = 1;
+if (!slice_height)
+continue;
 
 bsrc = src + slice_start * stride;
 

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] movenc: Set tfhd default sample flags based on actual samples, if possible

2015-03-09 Thread Martin Storsjö 
Module: libav
Branch: master
Commit: 00d751d4fc20ec88d2cc2c9f39ec8b9e9c8cdeba

Author:Martin Storsjö mar...@martin.st
Committer: Martin Storsjö mar...@martin.st
Date:  Fri Mar  6 11:22:35 2015 +0200

movenc: Set tfhd default sample flags based on actual samples, if possible

This avoids assuming that e.g. audio samples are marked as
sync samples.

This allows omitting the sample flags from trun, if the default
flags happen to be right for all the samples.

Signed-off-by: Martin Storsjö mar...@martin.st

---

 libavformat/movenc.c |   25 +++--
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 343f321..122bc2d 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -2409,6 +2409,12 @@ static int mov_write_mfhd_tag(AVIOContext *pb, 
MOVMuxContext *mov)
 return 0;
 }
 
+static uint32_t get_sample_flags(MOVTrack *track, MOVIentry *entry)
+{
+return entry-flags  MOV_SYNC_SAMPLE ? MOV_FRAG_SAMPLE_FLAG_DEPENDS_NO :
+   (MOV_FRAG_SAMPLE_FLAG_DEPENDS_YES | 
MOV_FRAG_SAMPLE_FLAG_IS_NON_SYNC);
+}
+
 static int mov_write_tfhd_tag(AVIOContext *pb, MOVMuxContext *mov,
   MOVTrack *track, int64_t moof_offset)
 {
@@ -2454,22 +2460,21 @@ static int mov_write_tfhd_tag(AVIOContext *pb, 
MOVMuxContext *mov,
 track-default_size = -1;
 
 if (flags  MOV_TFHD_DEFAULT_FLAGS) {
-track-default_sample_flags =
-track-enc-codec_type == AVMEDIA_TYPE_VIDEO ?
-(MOV_FRAG_SAMPLE_FLAG_DEPENDS_YES | 
MOV_FRAG_SAMPLE_FLAG_IS_NON_SYNC) :
-MOV_FRAG_SAMPLE_FLAG_DEPENDS_NO;
+/* Set the default flags based on the second sample, if available.
+ * If the first sample is different, that can be signaled via a 
separate field. */
+if (track-entry  1)
+track-default_sample_flags = get_sample_flags(track, 
track-cluster[1]);
+else
+track-default_sample_flags =
+track-enc-codec_type == AVMEDIA_TYPE_VIDEO ?
+(MOV_FRAG_SAMPLE_FLAG_DEPENDS_YES | 
MOV_FRAG_SAMPLE_FLAG_IS_NON_SYNC) :
+MOV_FRAG_SAMPLE_FLAG_DEPENDS_NO;
 avio_wb32(pb, track-default_sample_flags);
 }
 
 return update_size(pb, pos);
 }
 
-static uint32_t get_sample_flags(MOVTrack *track, MOVIentry *entry)
-{
-return entry-flags  MOV_SYNC_SAMPLE ? MOV_FRAG_SAMPLE_FLAG_DEPENDS_NO :
-   (MOV_FRAG_SAMPLE_FLAG_DEPENDS_YES | 
MOV_FRAG_SAMPLE_FLAG_IS_NON_SYNC);
-}
-
 static int mov_write_trun_tag(AVIOContext *pb, MOVMuxContext *mov,
   MOVTrack *track, int moof_size)
 {

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] movenc: Avoid writing separate flags for the first sample if not necessary

2015-03-09 Thread Martin Storsjö 
Module: libav
Branch: master
Commit: 46d4d8575979a24a8d026d9805039b724e0e3e5f

Author:Martin Storsjö mar...@martin.st
Committer: Martin Storsjö mar...@martin.st
Date:  Fri Mar  6 11:26:40 2015 +0200

movenc: Avoid writing separate flags for the first sample if not necessary

Signed-off-by: Martin Storsjö mar...@martin.st

---

 libavformat/movenc.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 122bc2d..67c7214 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -2490,7 +2490,8 @@ static int mov_write_trun_tag(AVIOContext *pb, 
MOVMuxContext *mov,
 if (i  0  get_sample_flags(track, track-cluster[i]) != 
track-default_sample_flags)
 flags |= MOV_TRUN_SAMPLE_FLAGS;
 }
-if (!(flags  MOV_TRUN_SAMPLE_FLAGS))
+if (!(flags  MOV_TRUN_SAMPLE_FLAGS)  track-entry  0 
+ get_sample_flags(track, track-cluster[0]) != 
track-default_sample_flags)
 flags |= MOV_TRUN_FIRST_SAMPLE_FLAGS;
 if (track-flags  MOV_TRACK_CTTS)
 flags |= MOV_TRUN_SAMPLE_CTS;

___
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits