96b6cab... by Chris Coulson on 2016-12-19
Merge upstream 4c35fe00477f20343294cc5827cc5abab6c005fd into oxide/1.20
4c35fe0... by Matt Wolenetz <email address hidden> on 2016-12-06
More cherry picks from master into M56
Note, chromium/patches/README needed conflict resolution, since these
cherry-picks to M56 interleaved with some others already picked for M56
in a different order than on master (due to verification delays on
master).
BUG=635422,637428,670190
Details:
avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus
the limits were chosen so as to avoid multiplicative overflow
Fixes undefined behavior
Fixes: 635422.ogg
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
BUG=635422
<email address hidden>
Change-Id: I0640a2526d3d51a6eee7292d3ef2f4eaf63aab1d
Reviewed-on: https://chromium-review.googlesource.com/417245
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit abbfa708f6caa31ca561463286893fc0de13596d)
avformat/utils: Check start/end before computing duration in update_stream_timings()
Fixes undefined behavior
Fixes: 637428.ogg
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7)
BUG=637428
<email address hidden>
Change-Id: I5f35696751d8048ccecb98ace8bc0f2579e13afc
Reviewed-on: https://chromium-review.googlesource.com/417225
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit bfbbd7c5a0f595807a74f7649540b7a40e479028)
A couple cherry picks from upstream to fix issue 670190
Cherry-pick #1:
avformat/oggdec: Skip streams in duration correction that did not have their duration set.
Fixes: part of 670190.ogg
Fixes integer overflow
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a)
Cherry-pick #2:
avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Fixes: part of 670190.ogg
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683)
BUG=670190
<email address hidden>
Change-Id: Ia3f8e3d8c7f15ea2c7f746649155a0df913f74fd
Reviewed-on: https://chromium-review.googlesource.com/418859
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit f309edd7828e3ea500c2891187d15926690ddd27)
3582a8e... by Matt Wolenetz <email address hidden> on 2016-12-03
Multiple cherry picks from master into M56
Note, chromium/patches/README needed conflict resolution, since the
cherry-picks for 635422, 637428, and 670190 are not yet approved for
merge.
BUG=643950,643951,643952,668346,640912,640889,639961
Details:
lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Core of patch is from <email address hidden>
BUG=643950
<email address hidden>
Change-Id: I6eb1ab9c13e92366297e4c41dab98e6300a18a5b
Reviewed-on: https://chromium-review.googlesource.com/416271
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit fd878457cd55690d4a27d74411b68a30c9fb2313)
lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Core of patch is from <email address hidden>
BUG=643951
<email address hidden>
Change-Id: Ib4dd9b30c7d882a37bec89ddd56d6691851ec61c
Reviewed-on: https://chromium-review.googlesource.com/417133
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit 9d45f272a682b0ea831c20e36f696e15cc0c55fe)
lavf/mov.c: Avoid heap allocation wraps and OOB in mov_read_{senc,saiz,udta_string}()
Core of patch is from <email address hidden>
BUG=643952
<email address hidden>
Change-Id: Ie464d4d0df044725fcb0a6d2fa49847580de2731
Reviewed-on: https://chromium-review.googlesource.com/417161
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit 8622f9398e7c89a664c4c2ceff9d35b89ff17bb5)
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
Fixes: left shift of negative value
Fixes: 668346-media
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c)
BUG=668346
<email address hidden>
Change-Id: Idec4c2ef302d36a3ac230d5cf957685cb0a9f49d
Reviewed-on: https://chromium-review.googlesource.com/417105
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit d537e0c9f5438f2cbe2b9379e208afffc38f2553)
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
Fixes undefined behavior
Fixes: 640912-media
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239)
BUG=640912
<email address hidden>
TEST=no ffplay repro of 640912 (with both this and the fix for 668346 applied)
Change-Id: I2489491ab0ba1839083fb9fc3a51555ed0dc3250
Reviewed-on: https://chromium-review.googlesource.com/417286
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit 83b21c04ac5fb6eb8b744c0adb120ecb1f97e1b3)
avcodec/get_bits: Fix get_sbits_long(0)
Fixes undefined behavior
Fixes: 640889-media
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d)
BUG=640889
<email address hidden>
Change-Id: I2b58c9a656c0b32467e9f84e0915807b8170d98d
Reviewed-on: https://chromium-review.googlesource.com/417185
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit 85304c9bf34a8029032cfc2e21da2be0c4c4eb80)
avcodec/flacdec: Fix undefined shift in decode_subframe()
Fixes undefined behavior
Fixes: 639961-media
Found-by: Matt Wolenetz <email address hidden>
Signed-off-by: Michael Niedermayer <email address hidden>
(cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306)
BUG=639961
<email address hidden>
Change-Id: I2e7f77984c3e436cafbe677ed85582e5af90cbb8
Reviewed-on: https://chromium-review.googlesource.com/417201
Reviewed-by: Dale Curtis <email address hidden>
(cherry picked from commit 26be2ced90769f25f83b9a613fe3b3e47c1ce4c6)
448748e... by Chris Coulson on 2016-12-07
Merge upstream 7e5307d753a5a21f6d02663ccccf2acdf7aeae0e into oxide/dev/cr2924
7e5307d... by "<email address hidden>" <email address hidden> on 2016-11-28
Consume headers in flac parser.
Fix from Michael Niedermayer. Prevents clusterfuzz test case from
looping forever trying to find the next header.
BUG=665305
Change-Id: If518327c93569c475bdabec154ac5c4499b74acd
Reviewed-on: https://chromium-review.googlesource.com/414310
Reviewed-by: Dale Curtis <email address hidden>
d16162e... by Matt Wolenetz <email address hidden> on 2016-11-23
mov: immediately return from mov_fix_index without old index entries
If there are no index entries, e_old = st->index_entries is only one
byte large, since it was created by av_realloc called with size 0.
Thus accessing e_old[0].timestamp causes a heap buffer overflow.
Reviewed-by: Sasi Inguva <email address hidden>
Signed-off-by: Andreas Cadhalpun <email address hidden>
(cherry picked from commit 9d83b209d8861f1daf55f6719b1e0c226ed7269a)
<email address hidden>
BUG=667063
Change-Id: I1dbc7dae4ea8d4869ecc35a8657b9aade98a5d48
Reviewed-on: https://chromium-review.googlesource.com/413549
Reviewed-by: Dale Curtis <email address hidden>
5ed6e20... by Chris Cunningham <email address hidden> on 2016-11-22
mp3dec: fix msan warning when verifying mpa header
MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
BUG=666874
TEST=libfuzzer_media_pipeline_integration_fuzzer
Change-Id: I3a3fdeb1dbd8c8b2f1f81d621bbbafab9b77bb34
Reviewed-on: https://chromium-review.googlesource.com/413605
Reviewed-by: Matthew Wolenetz <email address hidden>
141e56c... by Matt Wolenetz <email address hidden> on 2016-11-22
lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB
Similar to existing lavc/vorbisdec.c code which first checks that
avc->channels is valid for accessing ff_vorbis_channel_layouts, this
change adds protection to libopusdec.c to prevent accessing that
array with a negative index.
<email address hidden>
BUG=666794
Change-Id: Id301bd783cb9b826117d41b20b1b05f28d35827c
Reviewed-on: https://chromium-review.googlesource.com/413334
Reviewed-by: Dale Curtis <email address hidden>
e91355a... by Matt Wolenetz <email address hidden> on 2016-11-21
lavf/utils.c Protect against accessing entries[nb_entries]
In ff_index_search_timestamp(), if b == num_entries,
m == num_entries - 1, and entries[m].flags & AVINDEX_DISCARD_FRAME is
true, then the search for the next non-discarded packet could access
entries[nb_entries], exceeding its bounds. This change adds a protection
against that scenario.
BUG=666770,666769
<email address hidden>
Change-Id: Ib9a84dae74dad1e70a7a0afcf3382fd187152733
Reviewed-on: https://chromium-review.googlesource.com/413306
Reviewed-by: Dale Curtis <email address hidden>
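
A simplified model of the boundary case described in the commit above, as an added example (not FFmpeg's or Chromium's code). The `Entry` struct, the `DISCARD` value, the `at()` accessor and the `m < nb - 1` guard are assumptions for illustration; an out-of-range index is recorded instead of being dereferenced.

```c
#include <stdint.h>
#include <stdio.h>

#define DISCARD 0x2  /* stands in for AVINDEX_DISCARD_FRAME; value assumed */

typedef struct { int64_t timestamp; int flags; } Entry;  /* hypothetical */

static int max_index_read;  /* highest index the loop asked for */

/* Bounds-recording accessor: an index >= nb is where the real code would
 * read past the array; here it is logged and a sentinel is returned. */
static const Entry *at(const Entry *e, int nb, int i)
{
    static const Entry past_end = { INT64_MAX, 0 };
    if (i > max_index_read)
        max_index_read = i;
    return i < nb ? &e[i] : &past_end;
}

/* Skip forward from m to the next non-discarded entry, searching below b.
 * With guarded == 0 the loop may step to m == b == nb and read entries[nb]. */
static int skip_discarded(const Entry *e, int nb, int m, int b,
                          int64_t wanted, int guarded)
{
    max_index_read = -1;
    while ((at(e, nb, m)->flags & DISCARD) && m < b &&
           (!guarded || m < nb - 1)) {
        m++;
        if (m == b && at(e, nb, m)->timestamp >= wanted) {
            m = b - 1;
            break;
        }
    }
    return m;
}

/* Constructed index: three entries, the last one marked discarded. */
static const Entry sample[3] = { {0, 0}, {10, 0}, {20, DISCARD} };

int main(void)
{
    /* b == nb and m == nb - 1, the case from the commit message */
    skip_discarded(sample, 3, 2, 3, 15, 0);
    printf("unguarded: highest index read = %d (nb = 3)\n", max_index_read);
    skip_discarded(sample, 3, 2, 3, 15, 1);
    printf("guarded:   highest index read = %d\n", max_index_read);
    return 0;
}
```
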
92f86a5... by Matt Wolenetz <email address hidden> on 2016-11-17
Disable deprecation warnings locally within ffmpeg
Upstream changes in the FFmpeg M56 roll included some deprecated usages
of avcodec_encode_{audio,video}2() and AVStream.codec internally in
lavc/utils.c and lavf/utils.c, respectively. This change locally
disables deprecation warnings around those usages to prevent spamming
such warnings when building Chrom*.
BUG=591845
<email address hidden>
Change-Id: I2086156c22114cccffa355d47336aa31fa5bb135
Reviewed-on: https://chromium-review.googlesource.com/412444
Reviewed-by: Dale Curtis <email address hidden>