[SCM] ffmpeg/squeeze: Imported Upstream version 0.5.5
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sat Nov 5 13:15:39 UTC 2011
The following commit has been merged in the squeeze branch:
commit 5b4e56870cac541a8bbe1d746560befabc2f1d91
Author: Reinhard Tartler <siretart at tauware.de>
Date: Sat Nov 5 14:02:31 2011 +0100
Imported Upstream version 0.5.5
diff --git a/Changelog b/Changelog
index fbbabc2..173cc00 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,17 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+
+version 0.5.5:
+
+- Fix memory (re)allocation in matroskadec.c (MSVR11-011/CVE-2011-3504)
+- Fix some crashes with invalid bitstreams in the CAVS decoder
+ (CVE-2011-3362, CVE-2011-3973, CVE-2011-3974)
+- Compilation fixes for gcc-4.6, testsuite now passes again
+- Detect and handle overreads in the MJPEG decoder.
+
+
+
version 0.5.4:
- Fix memory corruption in WMV parsing (addresses CVE-2010-3908)
diff --git a/RELEASE b/RELEASE
index 2f7e2c6..75099ad 100644
--- a/RELEASE
+++ b/RELEASE
@@ -137,3 +137,19 @@ maintenance-only release that addresses several security issues that were
brought to our attention. In detail, fixes for RV30/40, WMV, Vorbis and
VC-1 have been backported from trunk. Distributors and system integrators
are encouraged to update and share their patches against this branch.
+
+
+
+* 0.5.5 Nov 11, 2011
+
+General notes
+-------------
+
+This maintenance-only release addresses several security issues that
+were brought to our attention. In detail, fixes for the MJPEG decoder,
+the CAVS decoder (CVE-2011-3362, CVE-2011-3973, CVE-2011-3974), and the
+Matroska decoder (MSVR11-011/CVE-2011-3504) have been
+corrected. Additional, this release contains fixes for compilation with
+gcc-4.6. Distributors and system integrators are encouraged to update
+and share their patches against this branch.
+
diff --git a/VERSION b/VERSION
index 7d85683..d1d899f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.4
+0.5.5
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index a1895bc..8d30040 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
r++;
mask = -(level_code & 1);
level = (level^mask) - mask;
- } else {
+ } else if (level_code >= 0) {
level = r->rltab[level_code][0];
if(!level) //end of block signal
break;
run = r->rltab[level_code][1];
r += r->rltab[level_code][2];
+ } else {
+ break;
}
level_buf[i] = level;
run_buf[i] = run;
@@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) {
static int decode_mb_i(AVSContext *h, int cbp_code) {
GetBitContext *gb = &h->s.gb;
- int block, pred_mode_uv;
+ unsigned pred_mode_uv;
+ int block;
uint8_t top[18];
uint8_t *left = NULL;
uint8_t *d;
@@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) {
if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
skip_bits_long(gb,24+align);
h->stc = get_bits(gb,8);
+ if (h->stc >= h->mb_height)
+ return 0;
decode_slice_header(h,gb);
return 1;
}
@@ -648,7 +653,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
buf_end = buf + buf_size;
for(;;) {
buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
- if(stc & 0xFFFFFE00)
+ if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
input_size = (buf_end - buf_ptr)*8;
switch(stc) {
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 145719c..e5c9f38 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -784,6 +784,10 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
if (s->restart_interval && !s->restart_count)
s->restart_count = s->restart_interval;
+ if(get_bits_count(&s->gb)>s->gb.size_in_bits){
+ av_log(s->avctx, AV_LOG_ERROR, "overread %d\n", get_bits_count(&s->gb) - s->gb.size_in_bits);
+ return -1;
+ }
for(i=0;i<nb_components;i++) {
uint8_t *ptr;
int n, h, v, x, y, c, j;
diff --git a/libavcodec/x86/fft_sse.c b/libavcodec/x86/fft_sse.c
index 3d9f1c5..918fdf2 100644
--- a/libavcodec/x86/fft_sse.c
+++ b/libavcodec/x86/fft_sse.c
@@ -22,7 +22,7 @@
#include "libavutil/x86_cpu.h"
#include "libavcodec/dsputil.h"
-static const int m1m1m1m1[4] __attribute__((aligned(16))) =
+DECLARE_ASM_CONST(16, int, m1m1m1m1)[4] =
{ 1 << 31, 1 << 31, 1 << 31, 1 << 31 };
void ff_fft_dispatch_sse(FFTComplex *z, int nbits);
@@ -182,7 +182,7 @@ void ff_imdct_calc_sse(MDCTContext *s, FFTSample *output, const FFTSample *input
j = -n;
k = n-16;
__asm__ volatile(
- "movaps %4, %%xmm7 \n"
+ "movaps "MANGLE(m1m1m1m1)", %%xmm7 \n"
"1: \n"
"movaps (%2,%1), %%xmm0 \n"
"movaps (%3,%0), %%xmm1 \n"
@@ -195,8 +195,7 @@ void ff_imdct_calc_sse(MDCTContext *s, FFTSample *output, const FFTSample *input
"add $16, %0 \n"
"jl 1b \n"
:"+r"(j), "+r"(k)
- :"r"(output+n4), "r"(output+n4*3),
- "m"(*m1m1m1m1)
+ :"r"(output+n4), "r"(output+n4*3)
);
}
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index ac12f1e..d9ffec3 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -752,11 +752,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
uint32_t id = syntax->id;
uint64_t length;
int res;
+ void *newelem;
data = (char *)data + syntax->data_offset;
if (syntax->list_elem_size) {
EbmlList *list = data;
- list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
+ newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
+ if (!newelem)
+ return AVERROR(ENOMEM);
+ list->elem = newelem;
data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
memset(data, 0, syntax->list_elem_size);
list->nb_elem++;
@@ -873,6 +877,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
uint8_t* data = *buf;
int isize = *buf_size;
uint8_t* pkt_data = NULL;
+ uint8_t* newpktdata;
int pkt_size = isize;
int result = 0;
int olen;
@@ -899,7 +904,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
zstream.avail_in = isize;
do {
pkt_size *= 3;
- pkt_data = av_realloc(pkt_data, pkt_size);
+ newpktdata = av_realloc(pkt_data, pkt_size);
+ if (!newpktdata) {
+ inflateEnd(&zstream);
+ goto failed;
+ }
+ pkt_data = newpktdata;
zstream.avail_out = pkt_size - zstream.total_out;
zstream.next_out = pkt_data + zstream.total_out;
result = inflate(&zstream, Z_NO_FLUSH);
@@ -920,7 +930,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
bzstream.avail_in = isize;
do {
pkt_size *= 3;
- pkt_data = av_realloc(pkt_data, pkt_size);
+ newpktdata = av_realloc(pkt_data, pkt_size);
+ if (!newpktdata) {
+ BZ2_bzDecompressEnd(&bzstream);
+ goto failed;
+ }
+ pkt_data = newpktdata;
bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
bzstream.next_out = pkt_data + bzstream.total_out_lo32;
result = BZ2_bzDecompress(&bzstream);
@@ -975,13 +990,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
}
}
-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
+static int matroska_merge_packets(AVPacket *out, AVPacket *in)
{
- out->data = av_realloc(out->data, out->size+in->size);
+ void *newdata = av_realloc(out->data, out->size+in->size);
+ if (!newdata)
+ return AVERROR(ENOMEM);
+ out->data = newdata;
memcpy(out->data+out->size, in->data, in->size);
out->size += in->size;
av_destruct_packet(in);
av_free(in);
+ return 0;
}
static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
@@ -1462,11 +1481,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
av_free(matroska->packets[0]);
if (matroska->num_packets > 1) {
+ void *newpackets;
memmove(&matroska->packets[0], &matroska->packets[1],
(matroska->num_packets - 1) * sizeof(AVPacket *));
- matroska->packets =
- av_realloc(matroska->packets, (matroska->num_packets - 1) *
- sizeof(AVPacket *));
+ newpackets = av_realloc(matroska->packets,
+ (matroska->num_packets - 1) * sizeof(AVPacket *));
+ if (newpackets)
+ matroska->packets = newpackets;
} else {
av_freep(&matroska->packets);
}
diff --git a/libavutil/internal.h b/libavutil/internal.h
index f5f769e..792fd29 100644
--- a/libavutil/internal.h
+++ b/libavutil/internal.h
@@ -256,11 +256,11 @@ if((y)<(x)){\
}
#if defined(__ICC) || defined(__SUNPRO_C)
- #define DECLARE_ALIGNED(n,t,v) t v __attribute__ ((aligned (n)))
+ #define DECLARE_ALIGNED(n,t,v) t __attribute__ ((aligned (n))) v
#define DECLARE_ASM_CONST(n,t,v) const t __attribute__ ((aligned (n))) v
#elif defined(__GNUC__)
- #define DECLARE_ALIGNED(n,t,v) t v __attribute__ ((aligned (n)))
- #define DECLARE_ASM_CONST(n,t,v) static const t v attribute_used __attribute__ ((aligned (n)))
+ #define DECLARE_ALIGNED(n,t,v) t __attribute__ ((aligned (n))) v
+ #define DECLARE_ASM_CONST(n,t,v) static const t attribute_used __attribute__ ((aligned (n))) v
#elif defined(_MSC_VER)
#define DECLARE_ALIGNED(n,t,v) __declspec(align(n)) t v
#define DECLARE_ASM_CONST(n,t,v) __declspec(align(n)) static const t v
diff --git a/libswscale/swscale_template.c b/libswscale/swscale_template.c
index 6f2e243..9016778 100644
--- a/libswscale/swscale_template.c
+++ b/libswscale/swscale_template.c
@@ -1739,7 +1739,7 @@ static inline void RENAME(bgr24ToY_mmx)(uint8_t *dst, uint8_t *src, long width,
static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *src, long width, int srcFormat)
{
__asm__ volatile(
- "movq 24+%4, %%mm6 \n\t"
+ "movq 24(%4), %%mm6 \n\t"
"mov %3, %%"REG_a" \n\t"
"pxor %%mm7, %%mm7 \n\t"
"1: \n\t"
@@ -1750,9 +1750,9 @@ static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *
"punpcklbw %%mm7, %%mm1 \n\t"
"movq %%mm0, %%mm2 \n\t"
"movq %%mm1, %%mm3 \n\t"
- "pmaddwd %4, %%mm0 \n\t"
- "pmaddwd 8+%4, %%mm1 \n\t"
- "pmaddwd 16+%4, %%mm2 \n\t"
+ "pmaddwd (%4), %%mm0 \n\t"
+ "pmaddwd 8(%4), %%mm1 \n\t"
+ "pmaddwd 16(%4), %%mm2 \n\t"
"pmaddwd %%mm6, %%mm3 \n\t"
"paddd %%mm1, %%mm0 \n\t"
"paddd %%mm3, %%mm2 \n\t"
@@ -1764,9 +1764,9 @@ static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *
"punpcklbw %%mm7, %%mm3 \n\t"
"movq %%mm1, %%mm4 \n\t"
"movq %%mm3, %%mm5 \n\t"
- "pmaddwd %4, %%mm1 \n\t"
- "pmaddwd 8+%4, %%mm3 \n\t"
- "pmaddwd 16+%4, %%mm4 \n\t"
+ "pmaddwd (%4), %%mm1 \n\t"
+ "pmaddwd 8(%4), %%mm3 \n\t"
+ "pmaddwd 16(%4), %%mm4 \n\t"
"pmaddwd %%mm6, %%mm5 \n\t"
"paddd %%mm3, %%mm1 \n\t"
"paddd %%mm5, %%mm4 \n\t"
@@ -1789,7 +1789,7 @@ static inline void RENAME(bgr24ToUV_mmx)(uint8_t *dstU, uint8_t *dstV, uint8_t *
"add $4, %%"REG_a" \n\t"
" js 1b \n\t"
: "+r" (src)
- : "r" (dstU+width), "r" (dstV+width), "g" (-width), "m"(ff_bgr24toUV[srcFormat == PIX_FMT_RGB24][0])
+ : "r" (dstU+width), "r" (dstV+width), "g" (-width), "r"(ff_bgr24toUV[srcFormat == PIX_FMT_RGB24])
: "%"REG_a
);
}
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list