Your message dated Sun, 26 Feb 2017 17:52:37 +0000 with message-id <20170226175237.pz67ltr4k33dgg3b@powdarrmonkey.net> and subject line Re: Bug#855952: unblock: vlc/2.2.4-14 has caused the Debian Bug report #855952, regarding unblock: vlc/2.2.4-14 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 855952: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855952 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: vlc/2.2.4-14
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Thu, 23 Feb 2017 20:07:27 +0100
- Message-id: <20170223190727.l2dj46t3245y5l4e@ramacher.at>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package vlc version 2.2.4-14. It updates the embedded copy of ffmpeg 2.8 to the latest upstream bug fix release. Since debdiff does not cope very well with multi-component upstream tarballs, there are two diffs attached. vlc.diff contains the changes to debian/ and ffmpeg.diff contains the changes between ffmpeg 2.8.10 and 2.8.11. The changelog for ffmpeg 2.8.11 is below. The release fixes CVE-2016-9561, CVE-2017-5024 and CVE-2017-5025. version 2.8.11 - avcodec/h264_slice: Clear ref_counts on redundant slices - lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid - lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr - avcodec/pictordec: Fix logic error - avcodec/movtextdec: Fix decode_styl() cleanup - lavf/matroskadec: fix is_keyframe for early Blocks - configure: bump year - avcodec/pngdec: Check trns more completely - avcodec/interplayvideo: Move parameter change check up - avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() - avformat/flacdec: Check avio_read result when reading flac block header. - avcodec/utils: correct align value for interplay - avcodec/vp56: Check for the bitstream end, pass error codes on - avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() - avcodec/pngdec: Fix off by 1 size in decode_zbuf() - avformat/avidec: skip odml master index chunks in avi_sync - avcodec/mjpegdec: Check for rgb before flipping - avutil/random_seed: Reduce the time needed on systems with very low precision clock() - avutil/random_seed: Improve get_generic_seed() with higher precision clock() - avformat/utils: Print verbose error message if stream count exceeds max_streams - avformat/options_table: Set the default maximum number of streams to 1000 - avutil: Add av_image_check_size2() - avformat: Add max_streams option - avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated - avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() - avformat/oggdec: Skip streams in duration correction that did not had their duration set. - avcodec/ffv1enc: Fix size of first slice - pgssubdec: reset rle_data_len/rle_remaining_len on allocation error unblock vlc/2.2.4-14 Cheers -- Sebastian Ramacherdiff --git a/debian/changelog b/debian/changelog index 781f9848c9..739c269c42 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vlc (2.2.4-14) unstable; urgency=medium + + [ Mateusz Łukasik ] + * Update to ffmpeg 2.8.11. + + -- Sebastian Ramacher <sramacher@debian.org> Tue, 14 Feb 2017 20:17:50 +0100 + vlc (2.2.4-13) unstable; urgency=medium * debian/control: Switch to libopenmpt's libmodplug comat layer. diff --git a/debian/rules b/debian/rules index 35ebba4e17..8d48ec81b8 100755 --- a/debian/rules +++ b/debian/rules @@ -346,7 +346,7 @@ override_dh_autoreconf: override_dh_auto_configure: mkdir -p $(ffmpegbuild) $(ffmpegprefix) cd $(ffmpegbuild) && \ - $(CURDIR)/ffmpeg-2-8-10/configure $(ffmpegflags) + $(CURDIR)/ffmpeg-2-8-11/configure $(ffmpegflags) dh_auto_build --sourcedirectory $(ffmpegbuild) -- V=1 $(MAKE) -C $(ffmpegbuild) install-libs install-headers V=1 PKG_CONFIG_PATH=$(ffmpegprefix)/lib/pkgconfig \ diff --git a/debian/watch b/debian/watch index 764a7c1834..8c442743e7 100644 --- a/debian/watch +++ b/debian/watch @@ -1,5 +1,5 @@ version=4 opts=pgpsigurlmangle=s/$/.asc/ \ http://download.videolan.org/pub/videolan/vlc/([\d][\d\.]+[a-z]?)/vlc-([\d][\d\.]+[a-z]?)\.tar\.xz debian -opts=component=ffmpeg-2-8-10 \ -https://ffmpeg.org/releases/ffmpeg-2\.8\.([0-9.]+)\.tar\.xz 2.8.10 +opts=component=ffmpeg-2-8-11 \ +https://ffmpeg.org/releases/ffmpeg-2\.8\.([0-9.]+)\.tar\.xz 2.8.11diff --git a/Changelog b/Changelog index ac863b2260..83004c4fd9 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,36 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.8.11 +- avcodec/h264_slice: Clear ref_counts on redundant slices +- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid +- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr +- avcodec/pictordec: Fix logic error +- avcodec/movtextdec: Fix decode_styl() cleanup +- lavf/matroskadec: fix is_keyframe for early Blocks +- configure: bump year +- avcodec/pngdec: Check trns more completely +- avcodec/interplayvideo: Move parameter change check up +- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() +- avformat/flacdec: Check avio_read result when reading flac block header. +- avcodec/utils: correct align value for interplay +- avcodec/vp56: Check for the bitstream end, pass error codes on +- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() +- avcodec/pngdec: Fix off by 1 size in decode_zbuf() +- avformat/avidec: skip odml master index chunks in avi_sync +- avcodec/mjpegdec: Check for rgb before flipping +- avutil/random_seed: Reduce the time needed on systems with very low precision clock() +- avutil/random_seed: Improve get_generic_seed() with higher precision clock() +- avformat/utils: Print verbose error message if stream count exceeds max_streams +- avformat/options_table: Set the default maximum number of streams to 1000 +- avutil: Add av_image_check_size2() +- avformat: Add max_streams option +- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated +- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() +- avformat/oggdec: Skip streams in duration correction that did not had their duration set. +- avcodec/ffv1enc: Fix size of first slice +- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error + version 2.8.10 - avformat/http: Match chunksize checks to master..3.0 - Changelog: fix typos diff --git a/RELEASE b/RELEASE index 4067d1db71..38bc52136e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.8.10 +2.8.11 diff --git a/configure b/configure index 684d5c1918..180f3ef0ef 100755 --- a/configure +++ b/configure @@ -6144,7 +6144,7 @@ cat > $TMPH <<EOF #define FFMPEG_CONFIG_H #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)" #define FFMPEG_LICENSE "$(c_escape $license)" -#define CONFIG_THIS_YEAR 2016 +#define CONFIG_THIS_YEAR 2017 #define FFMPEG_DATADIR "$(eval c_escape $datadir)" #define AVCONV_DATADIR "$(eval c_escape $datadir)" #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})" diff --git a/doc/Doxyfile b/doc/Doxyfile index 74fca4017f..7776739ca7 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.8.10 +PROJECT_NUMBER = 2.8.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/doc/formats.texi b/doc/formats.texi index 617cda54a9..b62ca43dd7 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -205,6 +205,10 @@ For example to separate the fields with newlines and indention: ffprobe -dump_separator " " -i ~/videos/matrixbench_mpeg2.mpg @end example + +@item max_streams @var{integer} (@emph{input}) +Specifies the maximum number of streams. This can be used to reject files that +would require too many resources due to a large number of streams. @end table @c man end FORMAT OPTIONS diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 00ef800c30..3b425d68ed 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1192,7 +1192,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, FFV1Context *f = avctx->priv_data; RangeCoder *const c = &f->slice_context[0]->c; AVFrame *const p = f->picture.f; - int used_count = 0; uint8_t keystate = 128; uint8_t *buf_p; int i, ret; @@ -1248,6 +1247,11 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, if (f->version > 3) maxsize = AV_INPUT_BUFFER_MIN_SIZE + avctx->width*avctx->height*3LL*4; + if (maxsize > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32) { + av_log(avctx, AV_LOG_WARNING, "Cannot allocate worst case packet size, the encoding could fail\n"); + maxsize = INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32; + } + if ((ret = ff_alloc_packet2(avctx, pkt, maxsize, 0)) < 0) return ret; @@ -1277,11 +1281,17 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } - for (i = 1; i < f->slice_count; i++) { + for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = f->slice_context[i]; - uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count; + uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count; int len = pkt->size / f->slice_count; - ff_init_range_encoder(&fs->c, start, len); + if (i) { + ff_init_range_encoder(&fs->c, start, len); + } else { + av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len); + av_assert0(fs->c.bytestream < fs->c.bytestream_start + len); + fs->c.bytestream_end = fs->c.bytestream_start + len; + } } avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL, f->slice_count, sizeof(void *)); diff --git a/libavcodec/h264.c b/libavcodec/h264.c index fead5ae116..4fc2aed302 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1587,7 +1587,9 @@ again: #endif } else context_count++; - } + } else + sl->ref_count[0] = sl->ref_count[1] = 0; + break; break; case NAL_DPA: case NAL_DPB: diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 3c3212e1fe..48dc3783b4 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -988,6 +988,11 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { + av_frame_unref(s->last_frame); + av_frame_unref(s->second_last_frame); + } + if (buf_size < 2) return AVERROR_INVALIDDATA; @@ -999,10 +1004,6 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, if (buf_size < s->decoding_map_size + 2) return buf_size; - if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { - av_frame_unref(s->last_frame); - av_frame_unref(s->second_last_frame); - } s->decoding_map = buf + 2; bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index adc2597dba..d9d18e2c82 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1076,6 +1076,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n"); + return AVERROR_INVALIDDATA; + } if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; @@ -1387,6 +1391,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int block_idx = mb_y * s->block_stride[c]; int16_t (*block)[64] = &s->blocks[c][block_idx]; uint8_t *last_nnz = &s->last_nnz[c][block_idx]; + if (get_bits_left(&s->gb) <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n"); + return AVERROR_INVALIDDATA; + } for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) { int ret; if (s->restart_interval && !s->restart_count) @@ -2308,7 +2316,7 @@ the_end: } } } - if (s->flipped) { + if (s->flipped && !s->rgb) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); for (index=0; index<4; index++) { diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index cbaa6b2974..2f3ef7d02e 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -115,6 +115,8 @@ static void mov_text_cleanup(MovTextContext *m) av_freep(&m->s[i]); } av_freep(&m->s); + m->count_s = 0; + m->style_entries = 0; } } @@ -278,12 +280,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) { int i; - m->style_entries = AV_RB16(tsmb); + int style_entries = AV_RB16(tsmb); tsmb += 2; // A single style record is of length 12 bytes. - if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size) + if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) return -1; + m->style_entries = style_entries; + m->box_flags |= STYL_BOX; for(i = 0; i < m->style_entries; i++) { m->s_temp = av_malloc(sizeof(*m->s_temp)); diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 2c34d21a14..8d015efced 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -314,13 +314,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][1] + virtual_ref[1][1]) * @@ -367,10 +367,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] <<= shift_y; - s->sprite_offset[1][i] <<= shift_c; - s->sprite_delta[0][i] <<= shift_y; - s->sprite_delta[1][i] <<= shift_y; + s->sprite_offset[0][i] *= 1 << shift_y; + s->sprite_offset[1][i] *= 1 << shift_c; + s->sprite_delta[0][i] *= 1 << shift_y; + s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } s->real_sprite_warping_points = ctx->num_sprite_warping_points; diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 6ff6cc4059..b549ff2bf4 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx, av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len); - if (!object->rle) + if (!object->rle) { + object->rle_data_len = 0; + object->rle_remaining_len = 0; return AVERROR(ENOMEM); + } memcpy(object->rle, buf, buf_size); object->rle_data_len = buf_size; diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index ff6eb7f4fc..0cfc785832 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx, if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index b4d1fb59ae..61c4ac8e0a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -435,13 +435,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; @@ -770,6 +770,16 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, { int v, i; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); + return AVERROR_INVALIDDATA; + } + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); + return AVERROR_INVALIDDATA; + } + if (s->color_type == PNG_COLOR_TYPE_PALETTE) { if (length > 256 || !(s->state & PNG_PLTE)) return AVERROR_INVALIDDATA; @@ -780,7 +790,8 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { if ((s->color_type == PNG_COLOR_TYPE_GRAY && length != 2) || - (s->color_type == PNG_COLOR_TYPE_RGB && length != 6)) + (s->color_type == PNG_COLOR_TYPE_RGB && length != 6) || + s->bit_depth == 1) return AVERROR_INVALIDDATA; for (i = 0; i < length / 2; i++) { @@ -1194,6 +1205,8 @@ exit_loop: size_t raw_bpp = s->bpp - byte_depth; unsigned x, y; + av_assert0(s->bit_depth > 1); + for (y = 0; y < s->height; ++y) { uint8_t *row = &s->image_buf[s->image_linesize * y]; diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 3b85087563..6f54f530a1 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -378,6 +378,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_PAL8: case AV_PIX_FMT_BGR8: @@ -387,7 +391,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } - if (s->codec_id == AV_CODEC_ID_JV) { + if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { w_align = 8; h_align = 8; } diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 5bcf9b6217..4ec85ebde7 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -171,7 +171,7 @@ static int vp5_parse_coeff_models(VP56Context *s) return 0; } -static void vp5_parse_coeff(VP56Context *s) +static int vp5_parse_coeff(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -181,6 +181,11 @@ static void vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ @@ -246,6 +251,7 @@ static void vp5_parse_coeff(VP56Context *s) s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5; s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0]; } + return 0; } static void vp5_default_models_init(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 631924828d..d8fe994b8c 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -381,12 +381,13 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) { AVFrame *frame_current, *frame_ref; VP56mb mb_type; VP56Frame ref_frame; int b, ab, b_max, plane, off; + int ret; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; @@ -394,14 +395,16 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) mb_type = vp56_decode_mv(s, row, col); ref_frame = ff_vp56_reference_frame[mb_type]; - s->parse_coeff(s); + ret = s->parse_coeff(s); + if (ret < 0) + return ret; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return; + return 0; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; @@ -451,6 +454,7 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } + return 0; } static int vp56_size_changed(VP56Context *s) @@ -653,7 +657,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_col<s->mb_width; mb_col++) { - vp56_decode_mb(s, mb_row, mb_col, is_alpha); + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + return ret; for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 56c30919b7..34d48228fd 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, int offset1, int offset2, int stride, VP56mv mv, int mask, int select, int luma); -typedef void (*VP56ParseCoeff)(VP56Context *s); +typedef int (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); typedef int (*VP56ParseCoeffModels)(VP56Context *s); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index a2bb4578d5..7f0a9b7d5d 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -40,8 +40,8 @@ #define VP6_MAX_HUFF_SIZE 12 -static void vp6_parse_coeff(VP56Context *s); -static void vp6_parse_coeff_huffman(VP56Context *s); +static int vp6_parse_coeff(VP56Context *s); +static int vp6_parse_coeff_huffman(VP56Context *s); static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { @@ -380,7 +380,7 @@ static unsigned vp6_get_nb_null(VP56Context *s) return val; } -static void vp6_parse_coeff_huffman(VP56Context *s) +static int vp6_parse_coeff_huffman(VP56Context *s) { VP56Model *model = s->modelp; uint8_t *permute = s->idct_scantable; @@ -402,7 +402,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) break; } else { if (get_bits_left(&s->gb) <= 0) - return; + return AVERROR_INVALIDDATA; coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3); if (coeff == 0) { if (coeff_idx) { @@ -437,9 +437,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s) vlc_coeff = &s->ract_vlc[pt][ct][cg]; } } + return 0; } -static void vp6_parse_coeff(VP56Context *s) +static int vp6_parse_coeff(VP56Context *s) { VP56RangeCoder *c = s->ccp; VP56Model *model = s->modelp; @@ -449,6 +450,11 @@ static void vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ int run = 1; @@ -512,6 +518,7 @@ static void vp6_parse_coeff(VP56Context *s) s->left_block[ff_vp56_b6to4[b]].not_null_dc = s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0]; } + return 0; } static int vp6_block_variance(uint8_t *src, int stride) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index a6694765b2..ba8c615b18 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -1822,6 +1822,13 @@ typedef struct AVFormatContext { * Demuxing: Set by user. */ int (*open_cb)(struct AVFormatContext *s, AVIOContext **p, const char *url, int flags, const AVIOInterruptCB *int_cb, AVDictionary **options); + + /** + * The maximum number of streams. + * - encoding: unused + * - decoding: set by user through AVOptions (NO direct access) + */ + int max_streams; } AVFormatContext; int av_format_get_probe_score(const AVFormatContext *s); diff --git a/libavformat/avidec.c b/libavformat/avidec.c index d2904ab7d2..cbe6c85636 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1187,7 +1187,8 @@ start_sync: if ((d[0] == 'i' && d[1] == 'x' && n < s->nb_streams) || // parse JUNK (d[0] == 'J' && d[1] == 'U' && d[2] == 'N' && d[3] == 'K') || - (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1')) { + (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1') || + (d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')) { avio_skip(pb, size); goto start_sync; } diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 4c1f943581..221b3e820d 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -49,7 +49,8 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { - avio_read(s->pb, header, 4); + if (avio_read(s->pb, header, 4) != 4) + return AVERROR(AVERROR_INVALIDDATA); flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a52c4f0f56..4e12c840b0 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -85,6 +85,7 @@ typedef const struct EbmlSyntax { int list_elem_size; int data_offset; union { + int64_t i; uint64_t u; double f; const char *s; @@ -600,7 +601,7 @@ static const EbmlSyntax matroska_blockgroup[] = { { MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) }, { MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) }, { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) }, - { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) }, + { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } }, { MATROSKA_ID_CODECSTATE, EBML_NONE }, { 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } }, { 0 } @@ -971,6 +972,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax, for (i = 0; syntax[i].id; i++) switch (syntax[i].type) { + case EBML_SINT: + *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i; + break; case EBML_UINT: *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u; break; @@ -2983,7 +2987,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) matroska->current_cluster_num_blocks = blocks_list->nb_elem; i = blocks_list->nb_elem - 1; if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; uint8_t* additional = blocks[i].additional.size > 0 ? blocks[i].additional.data : NULL; if (!blocks[i].non_simple) @@ -3021,7 +3025,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) blocks = blocks_list->elem; for (i = 0; i < blocks_list->nb_elem; i++) if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; res = matroska_parse_block(matroska, blocks[i].bin.data, blocks[i].bin.size, blocks[i].bin.pos, cluster.timecode, blocks[i].duration, diff --git a/libavformat/mov.c b/libavformat/mov.c index aa6208759b..017df0fbc0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -635,6 +635,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_size = atom.size - 24; if (title_size > 0) { + if (title_size > FFMIN(INT_MAX, SIZE_MAX-1)) + return AVERROR_INVALIDDATA; title_str = av_malloc(title_size + 1); /* Add null terminator */ if (!title_str) return AVERROR(ENOMEM); @@ -3808,7 +3810,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) 0xba, 0x2f, 0x08, 0x00, 0x20, 0x0c, 0x9a, 0x66 }; - if (atom.size < sizeof(uuid) || atom.size == INT64_MAX) + if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX)) return AVERROR_INVALIDDATA; ret = avio_read(pb, uuid, sizeof(uuid)); diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 856e0e633e..ffd1703a1a 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -642,6 +642,8 @@ static int ogg_get_length(AVFormatContext *s) int64_t pts; if (i < 0) continue; pts = ogg_calc_pts(s, i, NULL); + if (s->streams[i]->duration == AV_NOPTS_VALUE) + continue; if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) { s->streams[i]->duration -= pts; ogg->streams[i].got_start= 1; diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 8f3c3100f7..1ffce5e068 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -109,6 +109,7 @@ static const AVOption avformat_options[] = { {"dump_separator", "set information dump field separator", OFFSET(dump_separator), AV_OPT_TYPE_STRING, {.str = ", "}, CHAR_MIN, CHAR_MAX, D|E}, {"codec_whitelist", "List of decoders that are allowed to be used", OFFSET(codec_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D }, {NULL}, }; diff --git a/libavformat/utils.c b/libavformat/utils.c index a705065879..abc90c3c70 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3764,8 +3764,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) int i; AVStream **streams; - if (s->nb_streams >= INT_MAX/sizeof(*streams)) + if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) { + if (s->max_streams < INT_MAX/sizeof(*streams)) + av_log(s, AV_LOG_ERROR, "Number of streams exceeds max_streams parameter (%d), see the documentation if you wish to increase it\n", s->max_streams); return NULL; + } streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams)); if (!streams) return NULL; diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 9c8216e827..b727b6b5f5 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -238,15 +238,34 @@ typedef struct ImgUtils { static const AVClass imgutils_class = { "IMGUTILS", av_default_item_name, NULL, LIBAVUTIL_VERSION_INT, offsetof(ImgUtils, log_offset), offsetof(ImgUtils, log_ctx) }; -int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx) { ImgUtils imgutils = { &imgutils_class, log_offset, log_ctx }; + int64_t stride = av_image_get_linesize(pix_fmt, w, 0); + if (stride <= 0) + stride = 8LL*w; + stride += 128*8; - if ((int)w>0 && (int)h>0 && (w+128)*(uint64_t)(h+128) < INT_MAX/8) - return 0; + if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); + return AVERROR(EINVAL); + } - av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); - return AVERROR(EINVAL); + if (max_pixels < INT64_MAX) { + if (w*(int64_t)h > max_pixels) { + av_log(&imgutils, AV_LOG_ERROR, + "Picture size %ux%u exceeds specified max pixel count %"PRId64", see the documentation if you wish to increase it\n", + w, h, max_pixels); + return AVERROR(EINVAL); + } + } + + return 0; +} + +int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +{ + return av_image_check_size2(w, h, INT64_MAX, AV_PIX_FMT_NONE, log_offset, log_ctx); } int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) diff --git a/libavutil/imgutils.h b/libavutil/imgutils.h index 23282a38fa..19f34deced 100644 --- a/libavutil/imgutils.h +++ b/libavutil/imgutils.h @@ -192,6 +192,20 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx); /** + * Check if the given dimension of an image is valid, meaning that all + * bytes of the image can be addressed with a signed int. + * + * @param w the width of the picture + * @param h the height of the picture + * @param max_pixels the maximum number of pixels the user wants to accept + * @param pix_fmt the pixel format, can be AV_PIX_FMT_NONE if unknown. + * @param log_offset the offset to sum to the log level for logging with log_ctx + * @param log_ctx the parent logging context, it may be NULL + * @return >= 0 if valid, a negative error code otherwise + */ +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx); + +/** * Check if the given sample aspect ratio of an image is valid. * * It is considered invalid if the denominator is 0 or if applying the ratio diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 5af8e9e524..67000e4a1f 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -67,6 +67,7 @@ static uint32_t get_generic_seed(void) uint8_t tmp[120]; struct AVSHA *sha = (void*)tmp; clock_t last_t = 0; + clock_t last_td = 0; static uint64_t i = 0; static uint32_t buffer[512] = { 0 }; unsigned char digest[20]; @@ -86,11 +87,12 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - - if (last_t == t) { - buffer[i & 511]++; + if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) { + last_td = t - last_t; + buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { - buffer[++i & 511] += (t - last_t) % 3294638521U; + last_td = t - last_t; + buffer[++i & 511] += last_td % 3294638521U; if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8) break; }Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: Sebastian Ramacher <sramacher@debian.org>, 855952-done@bugs.debian.org
- Subject: Re: Bug#855952: unblock: vlc/2.2.4-14
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Sun, 26 Feb 2017 17:52:37 +0000
- Message-id: <20170226175237.pz67ltr4k33dgg3b@powdarrmonkey.net>
- In-reply-to: <20170223190727.l2dj46t3245y5l4e@ramacher.at>
- References: <20170223190727.l2dj46t3245y5l4e@ramacher.at>
On Thu, Feb 23, 2017 at 08:07:27PM +0100, Sebastian Ramacher wrote: > Please unblock package vlc version 2.2.4-14. It updates the embedded copy of > ffmpeg 2.8 to the latest upstream bug fix release. Urgh, though I accept the necessity. Unblocked. Thanks, -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---