Attachment #201877 for bug #234551





PORTNAME=	mythtv
DISTVERSIONPREFIX=	v
DISTVERSION=	30.0
PORTREVISION?=	0
PORTEPOCH=	1
CATEGORIES=	multimedia


LICENSE=	GPLv2+
LICENSE_FILE=	${WRKSRC}/COPYING

BROKEN=		fails to build
ONLY_FOR_ARCHS=	amd64 i386

LIB_DEPENDS=	liblzo2.so:archivers/lzo2 \
		libmp3lame.so:audio/lame \
		libsamplerate.so:audio/libsamplerate \
		libtag.so:audio/taglib \
		libexiv2.so:graphics/exiv2 \
		libva.so:multimedia/libva \
		libbluray.so:multimedia/libbluray \
		libass.so:multimedia/libass \
		libfftw3_threads.so:math/fftw3 \
		libfftw3f.so:math/fftw3-float \
		libfreetype.so:print/freetype2 \
		libxml2.so:textproc/libxml2
BUILD_DEPENDS=	yasm:devel/yasm \
		${LOCALBASE}/include/linux/input.h:devel/evdev-proto

USES=		gmake gl iconv libtool pkgconfig pathfix qmake:no_env qt:5 ssl
USE_GITHUB=	yes
GH_ACCOUNT=	MythTV
USE_GL=		gl

CONFIGURE_ARGS=	--prefix="${PREFIX}" --cc="${CC}" --cxx="${CXX}" \
		--libxml2-path="${LOCALBASE}/include/libxml2" \
		--enable-opengl-video \
		--disable-audio-alsa --disable-indev=alsa \
		--disable-outdev=alsa
CONFIGURE_ENV=	QMAKESPEC="${QMAKESPEC}" MOC="${MOC}" \
		QTDIR="${PREFIX}" PKG_CONFIG_PATH="${LOCALBASE}/libdata/pkgconfig"
MAKE_ENV=	QTDIR="${PREFIX}" \

		programs/scripts/internetcontent/nv_python_libs/*.py \
		programs/scripts/hardwareprofile/*.py \
		programs/scripts/metadata/Television/ttvdb.py \
		programs/scripts/metadata/Movie/tmdb3.py \
		programs/scripts/metadata/Music/mbutils.py

CONFIGURE_ARGS+=--dvb-path="${LOCALBASE}/include" \
		--enable-ivtv --enable-v4l2 --enable-xv

			p5-DBD-mysql>0:databases/p5-DBD-mysql \
			p5-Net-UPnP>=0:multimedia/p5-Net-UPnP \
			p5-IO-Socket-INET6>=2.51:net/p5-IO-Socket-INET6 \
			p5-XML-Simple>=0:textproc/p5-XML-Simple \
			p5-HTTP-Request-Params>=0:www/p5-HTTP-Request-Params \
			p5-LWP-UserAgent-Determined>=0:www/p5-LWP-UserAgent-Determined
BINDINGS_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:databases/py-MySQLdb@${PY_FLAVOR} \

			p5-DBD-mysql>0:databases/p5-DBD-mysql \
			p5-Net-UPnP>=0:multimedia/p5-Net-UPnP \
			p5-IO-Socket-INET6>=2.51:net/p5-IO-Socket-INET6 \
			p5-XML-Simple>=0:textproc/p5-XML-Simple \
			p5-HTTP-Request-Params>=0:www/p5-HTTP-Request-Params \
			p5-LWP-UserAgent-Determined>=0:www/p5-LWP-UserAgent-Determined
BINDINGS_CONFIGURE_ON=	--python=${PYTHON_CMD}

Lines 1-3 Link Here

(-)distinfo (-3 / +3 lines)
1	TIMESTAMP = 1539236555	1	TIMESTAMP = 1548724555
2	SHA256 (MythTV-mythtv-v29.1_GH0.tar.gz) = e40ec8111d39fd059a9ec741b10016683bcc66ee3b33c4cdaab93d60851f5d3e	2	SHA256 (MythTV-mythtv-v30.0_GH0.tar.gz) = 7f7ae9b8927659616f181afc12d7ddc26b0a4b0d13982e2586985f4770640b43
3	SIZE (MythTV-mythtv-v29.1_GH0.tar.gz) = 105616253	3	SIZE (MythTV-mythtv-v30.0_GH0.tar.gz) = 101169041

Lines 2-8 Link Here

(-)files/extrapatch-programs_programs.pro (-1 / +2 lines)
2		2
3	--- programs/programs.pro.orig 2018-01-11 12:39:22 UTC	3	--- programs/programs.pro.orig 2018-01-11 12:39:22 UTC
4	+++ programs/programs.pro	4	+++ programs/programs.pro
5	@@ -15,12 +15,4 @@ using_frontend {	5	@@ -15,13 +15,4 @@ using_frontend {
6	!mingw:!win32-msvc*: SUBDIRS += mythtranscode/external/replex	6	!mingw:!win32-msvc*: SUBDIRS += mythtranscode/external/replex
7	}	7	}
8		8
Lines 12-17 Link Here
12	-	12	-
13	- !win32-msvc*:SUBDIRS += scripts	13	- !win32-msvc*:SUBDIRS += scripts
14	- !mingw:!win32-msvc*: SUBDIRS += mythfilerecorder	14	- !mingw:!win32-msvc*: SUBDIRS += mythfilerecorder
		15	- !mingw:!win32-msvc*: SUBDIRS += mythexternrecorder
15	-}	16	-}
16	-	17	-
17	using_mythtranscode: SUBDIRS += mythtranscode	18	using_mythtranscode: SUBDIRS += mythtranscode




From 0e0a413725e0221e1a9d0b7595e22bf57e23a09c Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Mon, 5 Dec 2016 08:02:33 -0500
Subject: [PATCH] http: make length/offset-related variables unsigned.

Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa)
---
 libavformat/http.c | 70 +++++++++++++++++++++++++++++-------------------------
 1 file changed, 38 insertions(+), 32 deletions(-)

diff --git libavformat/http.c libavformat/http.c
index d48958d8a3c..13f3be42271 100644
--- external/FFmpeg/libavformat/http.c
+++ external/FFmpeg/libavformat/http.c
@@ -62,8 +62,8 @@ typedef struct HTTPContext {
     int line_count;
     int http_code;
     /* Used if "Transfer-Encoding: chunked" otherwise -1. */
-    int64_t chunksize;
-    int64_t off, end_off, filesize;
+    uint64_t chunksize;
+    uint64_t off, end_off, filesize;
     char *location;
     HTTPAuthState auth_state;
     HTTPAuthState proxy_auth_state;
@@ -95,9 +95,9 @@ typedef struct HTTPContext {
     AVDictionary *cookie_dict;
     int icy;
     /* how much data was read since the last ICY metadata packet */
-    int icy_data_read;
+    uint64_t icy_data_read;
     /* after how many bytes of read data a new metadata packet will be found */
-    int icy_metaint;
+    uint64_t icy_metaint;
     char *icy_metadata_headers;
     char *icy_metadata_packet;
     AVDictionary *metadata;
@@ -489,7 +489,7 @@ static int http_open(URLContext *h, const char *uri, int flags,
     else
         h->is_streamed = 1;
 
-    s->filesize = -1;
+    s->filesize = UINT64_MAX;
     s->location = av_strdup(uri);
     if (!s->location)
         return AVERROR(ENOMEM);
@@ -616,9 +616,9 @@ static void parse_content_range(URLContext *h, const char *p)
 
     if (!strncmp(p, "bytes ", 6)) {
         p     += 6;
-        s->off = strtoll(p, NULL, 10);
+        s->off = strtoull(p, NULL, 10);
         if ((slash = strchr(p, '/')) && strlen(slash) > 0)
-            s->filesize = strtoll(slash + 1, NULL, 10);
+            s->filesize = strtoull(slash + 1, NULL, 10);
     }
     if (s->seekable == -1 && (!s->is_akamai || s->filesize != 2147483647))
         h->is_streamed = 0; /* we _can_ in fact seek */
@@ -808,8 +808,9 @@ static int process_line(URLContext *h, char *line, int line_count,
             if ((ret = parse_location(s, p)) < 0)
                 return ret;
             *new_location = 1;
-        } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) {
-            s->filesize = strtoll(p, NULL, 10);
+        } else if (!av_strcasecmp(tag, "Content-Length") &&
+                   s->filesize == UINT64_MAX) {
+            s->filesize = strtoull(p, NULL, 10);
         } else if (!av_strcasecmp(tag, "Content-Range")) {
             parse_content_range(h, p);
         } else if (!av_strcasecmp(tag, "Accept-Ranges") &&
@@ -818,7 +819,7 @@ static int process_line(URLContext *h, char *line, int line_count,
             h->is_streamed = 0;
         } else if (!av_strcasecmp(tag, "Transfer-Encoding") &&
                    !av_strncasecmp(p, "chunked", 7)) {
-            s->filesize  = -1;
+            s->filesize  = UINT64_MAX;
             s->chunksize = 0;
         } else if (!av_strcasecmp(tag, "WWW-Authenticate")) {
             ff_http_auth_handle_header(&s->auth_state, tag, p);
@@ -842,7 +843,7 @@ static int process_line(URLContext *h, char *line, int line_count,
             if (parse_cookie(s, p, &s->cookie_dict))
                 av_log(h, AV_LOG_WARNING, "Unable to parse '%s'\n", p);
         } else if (!av_strcasecmp(tag, "Icy-MetaInt")) {
-            s->icy_metaint = strtoll(p, NULL, 10);
+            s->icy_metaint = strtoull(p, NULL, 10);
         } else if (!av_strncasecmp(tag, "Icy-", 4)) {
             if ((ret = parse_icy(s, tag, p)) < 0)
                 return ret;
@@ -972,7 +973,7 @@ static int http_read_header(URLContext *h, int *new_location)
     char line[MAX_URL_SIZE];
     int err = 0;
 
-    s->chunksize = -1;
+    s->chunksize = UINT64_MAX;
 
     for (;;) {
         if ((err = http_get_line(s, line, sizeof(line))) < 0)
@@ -1006,7 +1007,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
     int post, err;
     char headers[HTTP_HEADERS_SIZE] = "";
     char *authstr = NULL, *proxyauthstr = NULL;
-    int64_t off = s->off;
+    uint64_t off = s->off;
     int len = 0;
     const char *method;
     int send_expect_100 = 0;
@@ -1060,7 +1061,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
     // server supports seeking by analysing the reply headers.
     if (!has_header(s->headers, "\r\nRange: ") && !post && (s->off > 0 || s->end_off || s->seekable == -1)) {
         len += av_strlcatf(headers + len, sizeof(headers) - len,
-                           "Range: bytes=%"PRId64"-", s->off);
+                           "Range: bytes=%"PRIu64"-", s->off);
         if (s->end_off)
             len += av_strlcatf(headers + len, sizeof(headers) - len,
                                "%"PRId64, s->end_off - 1);
@@ -1135,7 +1136,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
     s->line_count       = 0;
     s->off              = 0;
     s->icy_data_read    = 0;
-    s->filesize         = -1;
+    s->filesize         = UINT64_MAX;
     s->willclose        = 0;
     s->end_chunked_post = 0;
     s->end_header       = 0;
@@ -1175,15 +1176,13 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size)
         memcpy(buf, s->buf_ptr, len);
         s->buf_ptr += len;
     } else {
-        int64_t target_end = s->end_off ? s->end_off : s->filesize;
-        if ((!s->willclose || s->chunksize < 0) &&
-            target_end >= 0 && s->off >= target_end)
+        uint64_t target_end = s->end_off ? s->end_off : s->filesize;
+        if ((!s->willclose || s->chunksize == UINT64_MAX) && s->off >= target_end)
             return AVERROR_EOF;
         len = ffurl_read(s->hd, buf, size);
-        if (!len && (!s->willclose || s->chunksize < 0) &&
-            target_end >= 0 && s->off < target_end) {
+        if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && s->off < target_end) {
             av_log(h, AV_LOG_ERROR,
-                   "Stream ends prematurely at %"PRId64", should be %"PRId64"\n",
+                   "Stream ends prematurely at %"PRIu64", should be %"PRIu64"\n",
                    s->off, target_end
                   );
             return AVERROR(EIO);
@@ -1247,7 +1246,7 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
             return err;
     }
 
-    if (s->chunksize >= 0) {
+    if (s->chunksize != UINT64_MAX) {
         if (!s->chunksize) {
             char line[32];
 
@@ -1256,13 +1255,19 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
                         return err;
                 } while (!*line);    /* skip CR LF from last chunk */
 
-                s->chunksize = strtoll(line, NULL, 16);
+                s->chunksize = strtoull(line, NULL, 16);
 
-                av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
+                av_log(h, AV_LOG_TRACE,
+                       "Chunked encoding data size: %"PRIu64"'\n",
                         s->chunksize);
 
                 if (!s->chunksize)
                     return 0;
+                else if (s->chunksize == UINT64_MAX) {
+                    av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n",
+                           s->chunksize);
+                    return AVERROR(EINVAL);
+                }
         }
         size = FFMIN(size, s->chunksize);
     }
@@ -1273,17 +1278,17 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
     read_ret = http_buf_read(h, buf, size);
     if (   (read_ret  < 0 && s->reconnect        && (!h->is_streamed || s->reconnect_streamed) && s->filesize > 0 && s->off < s->filesize)
         || (read_ret == 0 && s->reconnect_at_eof && (!h->is_streamed || s->reconnect_streamed))) {
-        int64_t target = h->is_streamed ? 0 : s->off;
+        uint64_t target = h->is_streamed ? 0 : s->off;
 
         if (s->reconnect_delay > s->reconnect_delay_max)
             return AVERROR(EIO);
 
-        av_log(h, AV_LOG_INFO, "Will reconnect at %"PRId64" error=%s.\n", s->off, av_err2str(read_ret));
+        av_log(h, AV_LOG_INFO, "Will reconnect at %"PRIu64" error=%s.\n", s->off, av_err2str(read_ret));
         av_usleep(1000U*1000*s->reconnect_delay);
         s->reconnect_delay = 1 + 2*s->reconnect_delay;
         seek_ret = http_seek_internal(h, target, SEEK_SET, 1);
         if (seek_ret != target) {
-            av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRId64".\n", target);
+            av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRIu64".\n", target);
             return read_ret;
         }
 
@@ -1338,10 +1343,11 @@ static int store_icy(URLContext *h, int size)
 {
     HTTPContext *s = h->priv_data;
     /* until next metadata packet */
-    int remaining = s->icy_metaint - s->icy_data_read;
+    uint64_t remaining;
 
-    if (remaining < 0)
+    if (s->icy_metaint < s->icy_data_read)
         return AVERROR_INVALIDDATA;
+    remaining = s->icy_metaint - s->icy_data_read;
 
     if (!remaining) {
         /* The metadata packet is variable sized. It has a 1 byte header
@@ -1455,7 +1461,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo
 {
     HTTPContext *s = h->priv_data;
     URLContext *old_hd = s->hd;
-    int64_t old_off = s->off;
+    uint64_t old_off = s->off;
     uint8_t old_buf[BUFFER_SIZE];
     int old_buf_size, ret;
     AVDictionary *options = NULL;
@@ -1466,7 +1472,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo
              ((whence == SEEK_CUR && off == 0) ||
               (whence == SEEK_SET && off == s->off)))
         return s->off;
-    else if ((s->filesize == -1 && whence == SEEK_END))
+    else if ((s->filesize == UINT64_MAX && whence == SEEK_END))
         return AVERROR(ENOSYS);
 
     if (whence == SEEK_CUR)
@@ -1621,7 +1627,7 @@ static int http_proxy_open(URLContext *h, const char *uri, int flags)
     s->buf_ptr    = s->buffer;
     s->buf_end    = s->buffer;
     s->line_count = 0;
-    s->filesize   = -1;
+    s->filesize   = UINT64_MAX;
     cur_auth_type = s->proxy_auth_state.auth_type;
 
     /* Note: This uses buffering, potentially reading more than the




From c12ee64e80af2517005231388fdf4ea78f16bb0e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 5 Dec 2016 17:27:45 +0100
Subject: [PATCH] ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 ffserver.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git ffserver.c ffserver.c
index 453d790e6cd..aec808e78cb 100644
--- external/FFmpeg/ffserver.c.orig
+++ external/FFmpeg/ffserver.c
@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c)
         } else if (c->buffer_ptr - c->buffer >= 2 &&
                    !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
             c->chunk_size = strtol(c->buffer, 0, 16);
-            if (c->chunk_size == 0) // end of stream
+            if (c->chunk_size <= 0) { // end of stream or invalid chunk size
+                c->chunk_size = 0;
                 goto fail;
+            }
             c->buffer_ptr = c->buffer;
             break;
         } else if (++loop_run > 10)
@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c)
             /* end of connection : close it */
             goto fail;
         else {
+            av_assert0(len <= c->chunk_size);
             c->chunk_size -= len;
             c->buffer_ptr += len;
             c->data_count += len;




From ed2572b9c8f885e2a4764d2e34604442a71899a1 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz <wolenetz@google.com>
Date: Wed, 14 Dec 2016 15:26:19 -0800
Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavformat/mov.c libavformat/mov.c
index 17d0475aae1..74b58255784 100644
--- external/FFmpeg/libavformat/mov.c
+++ external/FFmpeg/libavformat/mov.c
@@ -4436,7 +4436,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         0x9c, 0x71, 0x99, 0x94, 0x91, 0xe3, 0xaf, 0xac
     };
 
-    if (atom.size < sizeof(uuid) || atom.size == INT64_MAX)
+    if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX))
         return AVERROR_INVALIDDATA;
 
     ret = avio_read(pb, uuid, sizeof(uuid));




From cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf Mon Sep 17 00:00:00 2001
From: Matt Wolenetz <wolenetz@google.com>
Date: Wed, 14 Dec 2016 15:24:42 -0800
Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git libavformat/mov.c libavformat/mov.c
index 1e2141808da..17d0475aae1 100644
--- external/FFmpeg/libavformat/mov.c
+++ external/FFmpeg/libavformat/mov.c
@@ -739,6 +739,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     title_size = atom.size - 24;
     if (title_size > 0) {
+        if (title_size > FFMIN(INT_MAX, SIZE_MAX-1))
+            return AVERROR_INVALIDDATA;
         title_str = av_malloc(title_size + 1); /* Add null terminator */
         if (!title_str)
             return AVERROR(ENOMEM);




From a1a14982ec5b9954637cdc9ce8daf01d211e5c79 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 7 Feb 2017 15:49:09 +0100
Subject: [PATCH] avcodec/pictordec: Fix logic error

Fixes: 559/clusterfuzz-testcase-6424225917173760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pictordec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavcodec/pictordec.c libavcodec/pictordec.c
index ff6eb7f4fc9..0cfc7858326 100644
--- external/FFmpeg/libavcodec/pictordec.c
+++ external/FFmpeg/libavcodec/pictordec.c
@@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx,
 
     if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
         return -1;
-    if (s->width != avctx->width && s->height != avctx->height) {
+    if (s->width != avctx->width || s->height != avctx->height) {
         ret = ff_set_dimensions(avctx, s->width, s->height);
         if (ret < 0)
             return ret;




From bd6c1d5149fbc4f2a0200ad99e7f56f4fb7d518a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 23 Jan 2017 01:25:27 +0100
Subject: [PATCH] avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b942d73e02c090170975561fabd5c264)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pngdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git libavcodec/pngdec.c libavcodec/pngdec.c
index 36275ae43f5..7ade0cee661 100644
--- external/FFmpeg/libavcodec/pngdec.c
+++ external/FFmpeg/libavcodec/pngdec.c
@@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data,
     av_bprint_init(bp, 0, -1);
 
     while (zstream.avail_in > 0) {
-        av_bprint_get_buffer(bp, 1, &buf, &buf_size);
-        if (!buf_size) {
+        av_bprint_get_buffer(bp, 2, &buf, &buf_size);
+        if (buf_size < 2) {
             ret = AVERROR(ENOMEM);
             goto fail;
         }
         zstream.next_out  = buf;
-        zstream.avail_out = buf_size;
+        zstream.avail_out = buf_size - 1;
         ret = inflate(&zstream, Z_PARTIAL_FLUSH);
         if (ret != Z_OK && ret != Z_STREAM_END) {
             ret = AVERROR_EXTERNAL;




From e1940d2458353943e2fab6bdb87d2278077e22a5 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Mon, 20 Mar 2017 22:47:48 +0100
Subject: [PATCH] avcodec/dnxhd_parser: take into account compressed frame size
 and skip it

Fixes #6214 and vsynth1-dnxhd-720p-hr-lb.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
---
 libavcodec/dnxhd_parser.c                 | 65 +++++++++++++++++++++++++++----
 tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb |  4 +-
 2 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index 033b8ee7e11..4f9bbceeeb5 100644
--- external/FFmpeg/libavcodec/dnxhd_parser.c
+++ external/FFmpeg/libavcodec/dnxhd_parser.c
@@ -31,8 +31,24 @@ typedef struct {
     ParseContext pc;
     int interlaced;
     int cur_field; /* first field is 0, second is 1 */
+    int cur_byte;
+    int remaining;
+    int w, h;
 } DNXHDParserContext;
 
+static int dnxhd_get_hr_frame_size(int cid, int w, int h)
+{
+    int result, i = ff_dnxhd_get_cid_table(cid);
+
+    if (i < 0)
+        return i;
+
+    result = ((h + 15) / 16) * ((w + 15) / 16) * ff_dnxhd_cid_table[i].packet_scale.num / ff_dnxhd_cid_table[i].packet_scale.den;
+    result = (result + 2048) / 4096 * 4096;
+
+    return FFMAX(result, 8192);
+}
+
 static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                                 const uint8_t *buf, int buf_size)
 {
@@ -51,30 +67,65 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                 pic_found = 1;
                 interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
                 cur_field = state&1;
+                dctx->cur_byte = 0;
+                dctx->remaining = 0;
                 break;
             }
         }
     }
 
-    if (pic_found) {
+    if (pic_found && !dctx->remaining) {
         if (!buf_size) /* EOF considered as end of frame */
             return 0;
         for (; i < buf_size; i++) {
+            dctx->cur_byte++;
             state = (state << 8) | buf[i];
-            if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
-                if (!interlaced || dctx->cur_field) {
+
+            if (dctx->cur_byte == 24) {
+                dctx->h = (state >> 32) & 0xFFFF;
+            } else if (dctx->cur_byte == 26) {
+                dctx->w = (state >> 32) & 0xFFFF;
+            } else if (dctx->cur_byte == 42) {
+                int cid = (state >> 32) & 0xFFFFFFFF;
+
+                if (cid <= 0)
+                    continue;
+
+                dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
+                if (dctx->remaining <= 0) {
+                    dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+                    if (dctx->remaining <= 0)
+                        return dctx->remaining;
+                }
+                if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
+                    int remaining = dctx->remaining;
+
                     pc->frame_start_found = 0;
                     pc->state64 = -1;
                     dctx->interlaced = interlaced;
                     dctx->cur_field = 0;
-                    return i - 5;
+                    dctx->cur_byte = 0;
+                    dctx->remaining = 0;
+                    return remaining;
                 } else {
-                    /* continue, to get the second field */
-                    dctx->interlaced = interlaced = (state&2)>>1;
-                    dctx->cur_field = cur_field = state&1;
+                    dctx->remaining -= buf_size;
                 }
             }
         }
+    } else if (pic_found) {
+        if (dctx->remaining > buf_size) {
+            dctx->remaining -= buf_size;
+        } else {
+            int remaining = dctx->remaining;
+
+            pc->frame_start_found = 0;
+            pc->state64 = -1;
+            dctx->interlaced = interlaced;
+            dctx->cur_field = 0;
+            dctx->cur_byte = 0;
+            dctx->remaining = 0;
+            return remaining;
+        }
     }
     pc->frame_start_found = pic_found;
     pc->state64 = state;




From da693f8daa62cb76a2aa05021d6c8d53a1b816b2 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Sun, 23 Apr 2017 11:53:57 +0200
Subject: [PATCH] avcodec/dnxhd_parser: fix parsing interlaced video, simplify
 code

There appears to be no need to treat interlaced videos differently,
also that code is flawed, as for at least one input cur_field would
be always 0.

Fixes ticket #6344.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit ac30754a148df58822a272555d1f6f860e42037e)
---
 libavcodec/dnxhd_parser.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index 4f9bbceeeb5..a1f632a620e 100644
--- external/FFmpeg/libavcodec/dnxhd_parser.c
+++ external/FFmpeg/libavcodec/dnxhd_parser.c
@@ -29,8 +29,6 @@
 
 typedef struct {
     ParseContext pc;
-    int interlaced;
-    int cur_field; /* first field is 0, second is 1 */
     int cur_byte;
     int remaining;
     int w, h;
@@ -56,8 +54,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
     uint64_t state = pc->state64;
     int pic_found = pc->frame_start_found;
     int i = 0;
-    int interlaced = dctx->interlaced;
-    int cur_field = dctx->cur_field;
 
     if (!pic_found) {
         for (i = 0; i < buf_size; i++) {
@@ -65,8 +61,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
             if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
                 i++;
                 pic_found = 1;
-                interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
-                cur_field = state&1;
                 dctx->cur_byte = 0;
                 dctx->remaining = 0;
                 break;
@@ -97,13 +91,11 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                     if (dctx->remaining <= 0)
                         return dctx->remaining;
                 }
-                if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
+                if (buf_size - i + 47 >= dctx->remaining) {
                     int remaining = dctx->remaining;
 
                     pc->frame_start_found = 0;
                     pc->state64 = -1;
-                    dctx->interlaced = interlaced;
-                    dctx->cur_field = 0;
                     dctx->cur_byte = 0;
                     dctx->remaining = 0;
                     return remaining;
@@ -120,8 +112,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
 
             pc->frame_start_found = 0;
             pc->state64 = -1;
-            dctx->interlaced = interlaced;
-            dctx->cur_field = 0;
             dctx->cur_byte = 0;
             dctx->remaining = 0;
             return remaining;
@@ -129,8 +119,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
     }
     pc->frame_start_found = pic_found;
     pc->state64 = state;
-    dctx->interlaced = interlaced;
-    dctx->cur_field = cur_field;
     return END_NOT_FOUND;
 }
 




From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 14 Jun 2017 16:58:20 +0200
Subject: [PATCH] avcodec/dnxhd_parser: Do not return invalid value from
 dnxhd_find_frame_end() on error

Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dnxhd_parser.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index a1f632a620e..f1166be1007 100644
--- external/FFmpeg/libavcodec/dnxhd_parser.c
+++ external/FFmpeg/libavcodec/dnxhd_parser.c
@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                 dctx->w = (state >> 32) & 0xFFFF;
             } else if (dctx->cur_byte == 42) {
                 int cid = (state >> 32) & 0xFFFFFFFF;
+                int remaining;
 
                 if (cid <= 0)
                     continue;
 
-                dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
-                if (dctx->remaining <= 0) {
-                    dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
-                    if (dctx->remaining <= 0)
-                        return dctx->remaining;
+                remaining = avpriv_dnxhd_get_frame_size(cid);
+                if (remaining <= 0) {
+                    remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+                    if (remaining <= 0)
+                        continue;
                 }
+                dctx->remaining = remaining;
                 if (buf_size - i + 47 >= dctx->remaining) {
                     int remaining = dctx->remaining;
 




From 85c8c0c826e78d159ea242ce64d7e8feeeeca741 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 7 May 2017 18:50:49 +0200
Subject: [PATCH] avcodec/xwddec: Check bpp more completely

Fixes out of array access
Fixes: 1399/clusterfuzz-testcase-minimized-4866094172995584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 441026fcb13ac23aa10edc312bdacb6445a0ad06)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/xwddec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git libavcodec/xwddec.c libavcodec/xwddec.c
index 64cd8418a20..8b0845fc013 100644
--- external/FFmpeg/libavcodec/xwddec.c
+++ external/FFmpeg/libavcodec/xwddec.c
@@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
     case XWD_GRAY_SCALE:
         if (bpp != 1 && bpp != 8)
             return AVERROR_INVALIDDATA;
-        if (pixdepth == 1) {
+        if (bpp == 1 && pixdepth == 1) {
             avctx->pix_fmt = AV_PIX_FMT_MONOWHITE;
-        } else if (pixdepth == 8) {
+        } else if (bpp == 8 && pixdepth == 8) {
             avctx->pix_fmt = AV_PIX_FMT_GRAY8;
         }
         break;




From 536af4212100dee1577fe2d30814762c58038efc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 5 May 2017 20:42:11 +0200
Subject: [PATCH] avcodec/dfa: Fix off by 1 error

Fixes out of array access
Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f52fbf4f3ed02a7d872d8a102006f29b4421f360)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dfa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavcodec/dfa.c libavcodec/dfa.c
index f45d019a792..5ddb647c4cb 100644
--- external/FFmpeg/libavcodec/dfa.c
+++ external/FFmpeg/libavcodec/dfa.c
@@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                 return AVERROR_INVALIDDATA;
             frame += v;
         } else {
-            if (frame_end - frame < width + 3)
+            if (frame_end - frame < width + 4)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);

From 25dac3128b605f2867e3e0f0288b896f84d3a033 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 3 Jun 2017 21:20:04 +0200
Subject: [PATCH] avformat/hls: Check local file extensions

This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/hls.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git libavformat/hls.c libavformat/hls.c
index 2bf86fadc64..ffefd284f86 100644
--- external/FFmpeg/libavformat/hls.c
+++ external/FFmpeg/libavformat/hls.c
@@ -204,6 +204,7 @@ typedef struct HLSContext {
     char *http_proxy;                    ///< holds the address of the HTTP proxy server
     AVDictionary *avio_opts;
     int strict_std_compliance;
+    char *allowed_extensions;
 } HLSContext;

 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -618,8 +619,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
         return AVERROR_INVALIDDATA;

     // only http(s) & file are allowed
-    if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))
+    if (av_strstart(proto_name, "file", NULL)) {
+        if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) {
+            av_log(s, AV_LOG_ERROR,
+                "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n"
+                "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n",
+                url);
+            return AVERROR_INVALIDDATA;
+        }
+    } else if (av_strstart(proto_name, "http", NULL)) {
+        ;
+    } else
         return AVERROR_INVALIDDATA;
+
     if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
         ;
     else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
@@ -2127,6 +2139,10 @@ static int hls_probe(AVProbeData *p)
 static const AVOption hls_options[] = {
     {"live_start_index", "segment index to start live streams at (negative values are from the end)",
         OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS},
+    {"allowed_extensions", "List of file extensions that hls is allowed to access",
+        OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
+        {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
+        INT_MIN, INT_MAX, FLAGS},
     {NULL}
 };




From 5415c88e370692a3cf10b998ab230b4a02fc237f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 30 May 2017 21:29:20 +0200
Subject: [PATCH] avformat/avidec: Limit formats in gab2 to srt and ass/ssa

This prevents part of one exploit leading to an information leak

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/avidec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git libavformat/avidec.c libavformat/avidec.c
index ebd14abb12c..9afac825d43 100644
--- external/FFmpeg/libavformat/avidec.c
+++ external/FFmpeg/libavformat/avidec.c
@@ -1098,6 +1098,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt)
         if (!sub_demuxer)
             goto error;
 
+        if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass"))
+            goto error;
+
         if (!(ast->sub_ctx = avformat_alloc_context()))
             goto error;
 




From 869e8b1d0f549e926ecb246f916c9066f881db4a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 10 May 2017 18:37:49 +0200
Subject: [PATCH] avcodec/webp: Always set pix_fmt

Fixes: out of array access
Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632
Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vp8.c  | 2 ++
 libavcodec/webp.c | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git libavcodec/vp8.c libavcodec/vp8.c
index 068223920e4..63e78492848 100644
--- external/FFmpeg/libavcodec/vp8.c
+++ external/FFmpeg/libavcodec/vp8.c
@@ -2548,6 +2548,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     enum AVDiscard skip_thresh;
     VP8Frame *av_uninit(curframe), *prev_frame;
 
+    av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P);
+
     if (is_vp7)
         ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size);
     else
diff --git libavcodec/webp.c libavcodec/webp.c
index 7d23cc74356..b2ae5bcbba9 100644
--- external/FFmpeg/libavcodec/webp.c
+++ external/FFmpeg/libavcodec/webp.c
@@ -1327,9 +1327,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p,
     if (!s->initialized) {
         ff_vp8_decode_init(avctx);
         s->initialized = 1;
-        if (s->has_alpha)
-            avctx->pix_fmt = AV_PIX_FMT_YUVA420P;
     }
+    avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
     s->lossless = 0;
 
     if (data_size > INT_MAX) {




From 7a69c1b2abfa96f0578cbd3ff82126b883ba6ef0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 6 May 2017 22:24:52 +0200
Subject: [PATCH] avcodec/cdxl: Check format parameter

Fixes out of array access
Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cdxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavcodec/cdxl.c libavcodec/cdxl.c
index 7a9b41943d8..5c0ecb279c7 100644
--- external/FFmpeg/libavcodec/cdxl.c
+++ external/FFmpeg/libavcodec/cdxl.c
@@ -277,7 +277,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data,
     c->padded_bits  = aligned_width - c->avctx->width;
     if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8)
         return AVERROR_INVALIDDATA;
-    if (!encoding && c->palette_size && c->bpp <= 8) {
+    if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
         avctx->pix_fmt = AV_PIX_FMT_PAL8;
     } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) {
         if (c->palette_size != (1 << (c->bpp - 1)))




From 7f3a671ece8fd711e2ebc71a4e08cda591d810a8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 8 May 2017 11:46:03 +0200
Subject: [PATCH] avcodec/cdxl: Check format for BGR24

Fixes: out of array access
Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cdxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavcodec/cdxl.c libavcodec/cdxl.c
index 5c0ecb279c7..78f5d50102f 100644
--- external/FFmpeg/libavcodec/cdxl.c
+++ external/FFmpeg/libavcodec/cdxl.c
@@ -279,7 +279,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
         avctx->pix_fmt = AV_PIX_FMT_PAL8;
-    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) {
+    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) {
         if (c->palette_size != (1 << (c->bpp - 1)))
             return AVERROR_INVALIDDATA;
         avctx->pix_fmt = AV_PIX_FMT_BGR24;




From 5bb861d45b86803ec39295cfc04889d2a7138361 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 16 Jul 2017 14:57:20 +0200
Subject: [PATCH] avcodec/apedec: Fix integer overflow

Fixes: out of array access
Fixes: PoC.ape and others

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/apedec.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git libavcodec/apedec.c libavcodec/apedec.c
index b99598b4ee7..072e3b42cff 100644
--- external/FFmpeg/libavcodec/apedec.c
+++ external/FFmpeg/libavcodec/apedec.c
@@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
     int32_t *sample24;
     int i, ch, ret;
     int blockstodecode;
+    uint64_t decoded_buffer_size;
 
     /* this should never be negative, but bad things will happen if it is, so
        check it just to make sure. */
@@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
                 skip_bits_long(&s->gb, offset);
         }
 
-        if (!nblocks || nblocks > INT_MAX) {
+        if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
             av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
                    nblocks);
             return AVERROR_INVALIDDATA;
@@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
         blockstodecode = s->samples;
 
     /* reallocate decoded sample buffer if needed */
-    av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
-                   2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
+    decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
+    av_assert0(decoded_buffer_size <= INT_MAX);
+    av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
     if (!s->decoded_buffer)
         return AVERROR(ENOMEM);
     memset(s->decoded_buffer, 0, s->decoded_size);




From f2a6f41dd7b962e0dd24fe695b002532a42e2230 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 28 Jul 2017 13:41:59 +0200
Subject: [PATCH] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2

Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rtmppkt.c | 68 ++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 48 insertions(+), 20 deletions(-)

diff --git libavformat/rtmppkt.c libavformat/rtmppkt.c
index cde0da78ce1..2ea88d09c57 100644
--- external/FFmpeg/libavformat/rtmppkt.c
+++ external/FFmpeg/libavformat/rtmppkt.c
@@ -433,50 +433,78 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt)
     pkt->size = 0;
 }
 
-int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
+static int amf_tag_skip(GetByteContext *gb)
 {
-    const uint8_t *base = data;
     AMFDataType type;
     unsigned nb   = -1;
     int parse_key = 1;
 
-    if (data >= data_end)
+    if (bytestream2_get_bytes_left(gb) < 1)
         return -1;
-    switch ((type = *data++)) {
-    case AMF_DATA_TYPE_NUMBER:      return 9;
-    case AMF_DATA_TYPE_BOOL:        return 2;
-    case AMF_DATA_TYPE_STRING:      return 3 + AV_RB16(data);
-    case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data);
-    case AMF_DATA_TYPE_NULL:        return 1;
-    case AMF_DATA_TYPE_DATE:        return 11;
+
+    type = bytestream2_get_byte(gb);
+    switch (type) {
+    case AMF_DATA_TYPE_NUMBER:
+        bytestream2_get_be64(gb);
+        return 0;
+    case AMF_DATA_TYPE_BOOL:
+        bytestream2_get_byte(gb);
+        return 0;
+    case AMF_DATA_TYPE_STRING:
+        bytestream2_skip(gb, bytestream2_get_be16(gb));
+        return 0;
+    case AMF_DATA_TYPE_LONG_STRING:
+        bytestream2_skip(gb, bytestream2_get_be32(gb));
+        return 0;
+    case AMF_DATA_TYPE_NULL:
+        return 0;
+    case AMF_DATA_TYPE_DATE:
+        bytestream2_skip(gb, 10);
+        return 0;
     case AMF_DATA_TYPE_ARRAY:
         parse_key = 0;
     case AMF_DATA_TYPE_MIXEDARRAY:
-        nb = bytestream_get_be32(&data);
+        nb = bytestream2_get_be32(gb);
     case AMF_DATA_TYPE_OBJECT:
         while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) {
             int t;
             if (parse_key) {
-                int size = bytestream_get_be16(&data);
+                int size = bytestream2_get_be16(gb);
                 if (!size) {
-                    data++;
+                    bytestream2_get_byte(gb);
                     break;
                 }
-                if (size < 0 || size >= data_end - data)
+                if (size < 0 || size >= bytestream2_get_bytes_left(gb))
                     return -1;
-                data += size;
+                bytestream2_skip(gb, size);
             }
-            t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || t >= data_end - data)
+            t = amf_tag_skip(gb);
+            if (t < 0 || bytestream2_get_bytes_left(gb) <= 0)
                 return -1;
-            data += t;
         }
-        return data - base;
-    case AMF_DATA_TYPE_OBJECT_END:  return 1;
+        return 0;
+    case AMF_DATA_TYPE_OBJECT_END:  return 0;
     default:                        return -1;
     }
 }
 
+int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
+{
+    GetByteContext gb;
+    int ret;
+
+    if (data >= data_end)
+        return -1;
+
+    bytestream2_init(&gb, data, data_end - data);
+
+    ret = amf_tag_skip(&gb);
+    if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0)
+        return -1;
+    av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data);
+    return bytestream2_tell(&gb);
+}
+
 int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
                            const uint8_t *name, uint8_t *dst, int dst_size)
 {




From b375cc8bb74a33a7b38175023ee337b1c378281f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 28 Jul 2017 14:37:26 +0200
Subject: [PATCH] avformat/rtmppkt: Convert ff_amf_get_field_value() to
 bytestream2

Fixes: out of array accesses

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rtmppkt.c | 57 +++++++++++++++++++++++++++++++++------------------
 1 file changed, 37 insertions(+), 20 deletions(-)

diff --git libavformat/rtmppkt.c libavformat/rtmppkt.c
index 2ea88d09c57..ca7838868e0 100644
--- external/FFmpeg/libavformat/rtmppkt.c
+++ external/FFmpeg/libavformat/rtmppkt.c
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
     return bytestream2_tell(&gb);
 }
 
-int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+static int amf_get_field_value2(GetByteContext *gb,
                            const uint8_t *name, uint8_t *dst, int dst_size)
 {
     int namelen = strlen(name);
     int len;
 
-    while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) {
-        len = ff_amf_tag_size(data, data_end);
-        if (len < 0)
-            len = data_end - data;
-        data += len;
+    while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) {
+        int ret = amf_tag_skip(gb);
+        if (ret < 0)
+            return -1;
     }
-    if (data_end - data < 3)
+    if (bytestream2_get_bytes_left(gb) < 3)
         return -1;
-    data++;
+    bytestream2_get_byte(gb);
+
     for (;;) {
-        int size = bytestream_get_be16(&data);
+        int size = bytestream2_get_be16(gb);
         if (!size)
             break;
-        if (size < 0 || size >= data_end - data)
+        if (size < 0 || size >= bytestream2_get_bytes_left(gb))
             return -1;
-        data += size;
-        if (size == namelen && !memcmp(data-size, name, namelen)) {
-            switch (*data++) {
+        bytestream2_skip(gb, size);
+        if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) {
+            switch (bytestream2_get_byte(gb)) {
             case AMF_DATA_TYPE_NUMBER:
-                snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data)));
+                snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb)));
                 break;
             case AMF_DATA_TYPE_BOOL:
-                snprintf(dst, dst_size, "%s", *data ? "true" : "false");
+                snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false");
                 break;
             case AMF_DATA_TYPE_STRING:
-                len = bytestream_get_be16(&data);
-                av_strlcpy(dst, data, FFMIN(len+1, dst_size));
+                len = bytestream2_get_be16(gb);
+                if (dst_size < 1)
+                    return -1;
+                if (dst_size < len + 1)
+                    len = dst_size - 1;
+                bytestream2_get_buffer(gb, dst, len);
+                dst[len] = 0;
                 break;
             default:
                 return -1;
             }
             return 0;
         }
-        len = ff_amf_tag_size(data, data_end);
-        if (len < 0 || len >= data_end - data)
+        len = amf_tag_skip(gb);
+        if (len < 0 || bytestream2_get_bytes_left(gb) <= 0)
             return -1;
-        data += len;
     }
     return -1;
 }
 
+int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+                           const uint8_t *name, uint8_t *dst, int dst_size)
+{
+    GetByteContext gb;
+
+    if (data >= data_end)
+        return -1;
+
+    bytestream2_init(&gb, data, data_end - data);
+
+    return amf_get_field_value2(&gb, name, dst, dst_size);
+}
+
 static const char* rtmp_packet_type(int type)
 {
     switch (type) {




From 6a10b962e3053b9fc851fcce23a60ac653abdc8c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 26 Jul 2017 03:26:59 +0200
Subject: [PATCH] avcodec/dnxhddec: Move mb height check out of non hr branch

Fixes: out of array access
Fixes: poc.dnxhd

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dnxhddec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git libavcodec/dnxhddec.c libavcodec/dnxhddec.c
index 4d1b006bb50..66a0de2e627 100644
--- external/FFmpeg/libavcodec/dnxhddec.c
+++ external/FFmpeg/libavcodec/dnxhddec.c
@@ -294,14 +294,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
     if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) {
         ctx->data_offset = 0x170 + (ctx->mb_height << 2);
     } else {
-        if (ctx->mb_height > 68 ||
-            (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
+        if (ctx->mb_height > 68) {
             av_log(ctx->avctx, AV_LOG_ERROR,
                    "mb height too big: %d\n", ctx->mb_height);
             return AVERROR_INVALIDDATA;
         }
         ctx->data_offset = 0x280;
     }
+    if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
+        av_log(ctx->avctx, AV_LOG_ERROR,
+                "mb height too big: %d\n", ctx->mb_height);
+        return AVERROR_INVALIDDATA;
+    }
 
     if (buf_size < ctx->data_offset) {
         av_log(ctx->avctx, AV_LOG_ERROR,




From 2bbef8ee271240ce4509b23fd33e35076715a39f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:28 +0200
Subject: [PATCH] avformat/rmdec: Fix DoS due to lack of eof check

Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rmdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git libavformat/rmdec.c libavformat/rmdec.c
index 4d565291af2..7656812eb16 100644
--- external/FFmpeg/libavformat/rmdec.c
+++ external/FFmpeg/libavformat/rmdec.c
@@ -1238,8 +1238,11 @@ static int ivr_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
         } else if (type == 4) {
             av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-            for (j = 0; j < len; j++)
+            for (j = 0; j < len; j++) {
+                if (avio_feof(pb))
+                    return AVERROR_INVALIDDATA;
                 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+            }
             av_log(s, AV_LOG_DEBUG, "'\n");
         } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
             nb_streams = value = avio_rb32(pb);




From d4fc6b211f19365fbae4b4388ec396b293fda249 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 25 Aug 2017 01:15:30 +0200
Subject: [PATCH] avformat/mvdec: Fix DoS due to lack of eof check

Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git libavformat/mvdec.c libavformat/mvdec.c
index 80ef4b1569a..e9e9fab5036 100644
--- external/FFmpeg/libavformat/mvdec.c
+++ external/FFmpeg/libavformat/mvdec.c
@@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx)
             uint32_t pos   = avio_rb32(pb);
             uint32_t asize = avio_rb32(pb);
             uint32_t vsize = avio_rb32(pb);
+            if (avio_feof(pb))
+                return AVERROR_INVALIDDATA;
             avio_skip(pb, 8);
             av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
             av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);




From 5bc9f70441d7e7067cba9188898c9252c72bab35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:29 +0200
Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rl2.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git libavformat/rl2.c libavformat/rl2.c
index 0bec8f1d9ab..eb1682dfcb7 100644
--- external/FFmpeg/libavformat/rl2.c
+++ external/FFmpeg/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
     }
 
     /** read offset and size tables */
-    for(i=0; i < frame_count;i++)
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_size[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_offset[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         audio_size[i] = avio_rl32(pb) & 0xFFFF;
+    }
 
     /** build the sample index */
     for(i=0;i<frame_count;i++){




From f94517934bf0ff2510f472fa2bc4cd362951109c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
Date: Fri, 25 Aug 2017 12:37:25 +0200
Subject: [PATCH] avformat/asfdec: Fix DoS due to lack of eof check

Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/asfdec_f.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git libavformat/asfdec_f.c libavformat/asfdec_f.c
index b973eff96e4..2cacafe50d5 100644
--- external/FFmpeg/libavformat/asfdec_f.c
+++ external/FFmpeg/libavformat/asfdec_f.c
@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
     count = avio_rl32(pb);    // markers count
     avio_rl16(pb);            // reserved 2 bytes
     name_len = avio_rl16(pb); // name length
-    for (i = 0; i < name_len; i++)
-        avio_r8(pb); // skip the name
+    avio_skip(pb, name_len);
 
     for (i = 0; i < count; i++) {
         int64_t pres_time;
         int name_len;
 
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
+
         avio_rl64(pb);             // offset, 8 bytes
         pres_time = avio_rl64(pb); // presentation time
         pres_time -= asf->hdr.preroll * 10000;




From 2920c7cec0b1958b59e5e7990078bea4428f6912 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 26 Aug 2017 01:26:58 +0200
Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop

Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team

Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 doc/demuxers.texi | 18 ++++++++++++++++++
 libavformat/hls.c |  7 +++++++
 2 files changed, 25 insertions(+)

diff --git doc/demuxers.texi doc/demuxers.texi
index 2934a1cf7f4..d56ad1622a8 100644
--- external/FFmpeg/doc/demuxers.texi
+++ external/FFmpeg/doc/demuxers.texi
@@ -293,6 +293,24 @@ used to end the output video at the length of the shortest input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.
 
+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
 @section image2
 
 Image file demuxer.
diff --git libavformat/hls.c libavformat/hls.c
index ffefd284f86..87948726da6 100644
--- external/FFmpeg/libavformat/hls.c
+++ external/FFmpeg/libavformat/hls.c
@@ -205,6 +205,7 @@ typedef struct HLSContext {
     AVDictionary *avio_opts;
     int strict_std_compliance;
     char *allowed_extensions;
+    int max_reload;
 } HLSContext;
 
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1255,6 +1256,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
     HLSContext *c = v->parent->priv_data;
     int ret, i;
     int just_opened = 0;
+    int reload_count = 0;
 
 restart:
     if (!v->needed)
@@ -1286,6 +1288,9 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
         reload_interval = default_reload_interval(v);
 
 reload:
+        reload_count++;
+        if (reload_count > c->max_reload)
+            return AVERROR_EOF;
         if (!v->finished &&
             av_gettime_relative() - v->last_load_time >= reload_interval) {
             if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
@@ -2143,6 +2148,8 @@ static const AVOption hls_options[] = {
         OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
         {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
         INT_MIN, INT_MAX, FLAGS},
+    {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+        OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
     {NULL}
 };
 




From 98e177c7288574b336d80618f4ec5d1f94243070 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:27 +0200
Subject: [PATCH] avformat/cinedec: Fix DoS due to lack of eof check

Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/cinedec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git libavformat/cinedec.c libavformat/cinedec.c
index 32cccf566b4..c615d4fc497 100644
--- external/FFmpeg/libavformat/cinedec.c
+++ external/FFmpeg/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
 
     /* parse image offsets */
     avio_seek(pb, offImageOffsets, SEEK_SET);
-    for (i = 0; i < st->duration; i++)
+    for (i = 0; i < st->duration; i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
+
         av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+    }
 
     return 0;
 }




From 816f7337bf3ed3e08afdc28278668d8eb81910cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
 <tony.sh@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavformat/mxfdec.c libavformat/mxfdec.c
index e2e34b246f7..0e9153847e8 100644
--- external/FFmpeg/libavformat/mxfdec.c
+++ external/FFmpeg/libavformat/mxfdec.c
@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
         avpriv_request_sample(pb, "Primer pack item length %d", item_len);
         return AVERROR_PATCHWELCOME;
     }
-    if (item_num > 65536) {
+    if (item_num > 65536 || item_num < 0) {
         av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
         return AVERROR_INVALIDDATA;
     }




From 9cbac3602610afa0867b03bc1475c5c13441d096 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
 <tony.sh@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH] avformat/mxfdec: Fix DoS issues in
 mxf_read_index_entry_array()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git libavformat/mxfdec.c libavformat/mxfdec.c
index 2ad0c288f89..e2e34b246f7 100644
--- external/FFmpeg/libavformat/mxfdec.c
+++ external/FFmpeg/libavformat/mxfdec.c
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
     segment->nb_index_entries = avio_rb32(pb);
 
     length = avio_rb32(pb);
+    if(segment->nb_index_entries && length < 11)
+        return AVERROR_INVALIDDATA;
 
     if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
         !(segment->flag_entries          = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
     }
 
     for (i = 0; i < segment->nb_index_entries; i++) {
+        if(avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         segment->temporal_offset_entries[i] = avio_r8(pb);
         avio_r8(pb);                                        /* KeyFrameOffset */
         segment->flag_entries[i] = avio_r8(pb);




From a051de092e9c709b69d24d94b66a382909be67d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
 <tony.sh@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH] avformat/nsvdec: Fix DoS due to lack of eof check in
 nsvs_file_offset loop.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 20170829.nsv

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/nsvdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git libavformat/nsvdec.c libavformat/nsvdec.c
index 507fb396a51..16d2fa59e21 100644
--- external/FFmpeg/libavformat/nsvdec.c
+++ external/FFmpeg/libavformat/nsvdec.c
@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
         if (!nsv->nsvs_file_offset)
             return AVERROR(ENOMEM);
 
-        for(i=0;i<table_entries_used;i++)
+        for(i=0;i<table_entries_used;i++) {
+            if (avio_feof(pb))
+                return AVERROR_INVALIDDATA;
             nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
+        }
 
         if(table_entries > table_entries_used &&
            avio_rl32(pb) == MKTAG('T','O','C','2')) {




From c9527df274ada02a19c2f973b29d1d5b7069d4bf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 5 Sep 2017 00:16:29 +0200
Subject: [PATCH] avformat/mov: Fix DoS in read_tfra()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git libavformat/mov.c libavformat/mov.c
index 405476fd712..b97aa001a37 100644
--- external/FFmpeg/libavformat/mov.c
+++ external/FFmpeg/libavformat/mov.c
@@ -5394,6 +5394,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
     }
     for (i = 0; i < index->item_count; i++) {
         int64_t time, offset;
+
+        if (avio_feof(f)) {
+            index->item_count = 0;
+            av_freep(&index->items);
+            return AVERROR_INVALIDDATA;
+        }
+
         if (version == 1) {
             time   = avio_rb64(f);
             offset = avio_rb64(f);




From 4e4177dde23be77a97887f409f237e17ef53f329 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 5 Sep 2017 00:16:29 +0200
Subject: [PATCH] avformat/asfdec: Fix DoS in asf_build_simple_index()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/asfdec_f.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git libavformat/asfdec_f.c libavformat/asfdec_f.c
index 2cacafe50d5..d9dfbf0fa33 100644
--- external/FFmpeg/libavformat/asfdec_f.c
+++ external/FFmpeg/libavformat/asfdec_f.c
@@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
             int64_t pos       = s->internal->data_offset + s->packet_size * (int64_t)pktnum;
             int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0);
 
+            if (avio_feof(s->pb)) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
+
             if (pos != last_pos) {
                 av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d  pts: %"PRId64"\n",
                        pktnum, pktct, index_pts);




From 726133b6d2cd8f5f43b5af536024d8e02791d8cf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 22 Aug 2017 11:02:38 +0200
Subject: [PATCH] ffprobe: Fix null pointer dereference with color primaries

Found-by: AD-lab of venustech
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 ffprobe.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git ffprobe.c ffprobe.c
index 79fe296489d..703304a8c0f 100644
--- external/FFmpeg/ffprobe.c
+++ external/FFmpeg/ffprobe.c
@@ -1789,6 +1789,16 @@ static void print_pkt_side_data(WriterContext *w,
     writer_print_section_footer(w);
 }
 
+static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
+{
+    const char *val = av_color_primaries_name(color_primaries);
+    if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
+        print_str_opt("color_primaries", "unknown");
+    } else {
+        print_str("color_primaries", val);
+    }
+}
+
 static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx)
 {
     char val_str[128];
@@ -2258,10 +2268,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
         else
             print_str_opt("color_transfer", av_color_transfer_name(par->color_trc));
 
-        if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
-            print_str("color_primaries", av_color_primaries_name(par->color_primaries));
-        else
-            print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries));
+        print_primaries(w, par->color_primaries);
 
         if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
             print_str("chroma_location", av_chroma_location_name(par->chroma_location));




From 53a6cdf89d694be1f075729f16e0a9e2dcbbcb78 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 23 Aug 2017 21:30:37 +0200
Subject: [PATCH] avformat/rtpdec_h264: Fix heap-buffer-overflow

Fixes: rtp_sdp/poc.sdp

Found-by: Bingchang <l.bing.chang.bc@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rtpdec_h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git libavformat/rtpdec_h264.c libavformat/rtpdec_h264.c
index 8dd56a549e4..6f8148ab6d5 100644
--- external/FFmpeg/libavformat/rtpdec_h264.c
+++ external/FFmpeg/libavformat/rtpdec_h264.c
@@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s,
             parse_profile_level_id(s, h264_data, value);
     } else if (!strcmp(attr, "sprop-parameter-sets")) {
         int ret;
-        if (value[strlen(value) - 1] == ',') {
+        if (*value == 0 || value[strlen(value) - 1] == ',') {
             av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n");
             return 0;
         }




From 0eb0b21c7f4f2b6a3a74d2d252f95b81a4d472c3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2017 00:20:09 +0200
Subject: [PATCH] avcodec/x86/lossless_videoencdsp: Fix handling of small
 widths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes out of array access
Fixes: crash-huf.avi

Regression since: 6b41b4414934cc930468ccd5db598dd6ef643987

This could also be fixed by adding checks in the C code that calls the dsp

Found-by: Zhibin Hu and 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit df62b70de8aaa285168e72fe8f6e740843ca91fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/x86/huffyuvencdsp.asm | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git libavcodec/x86/huffyuvencdsp.asm libavcodec/x86/huffyuvencdsp.asm
index a55a1de65de..7a1ce2e839e 100644
--- external/FFmpeg/libavcodec/x86/huffyuvencdsp.asm
+++ external/FFmpeg/libavcodec/x86/huffyuvencdsp.asm
@@ -42,10 +42,11 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
 %define i t0q
 %endmacro
 
-; label to jump to if w < regsize
-%macro DIFF_BYTES_LOOP_PREP 1
+; labels to jump to if w < regsize and w < 0
+%macro DIFF_BYTES_LOOP_PREP 2
     mov                i, wq
     and                i, -2 * regsize
+        js            %2
         jz            %1
     add             dstq, i
     add            src1q, i
@@ -87,7 +88,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
 %if mmsize > 16
     ; fall back to narrower xmm
     %define regsize mmsize / 2
-    DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa
+    DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa
 .loop2_%1%2:
     DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1
     add                i, 2 * regsize
@@ -114,7 +115,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
 INIT_MMX mmx
 DIFF_BYTES_PROLOGUE
     %define regsize mmsize
-    DIFF_BYTES_LOOP_PREP .skip_main_aa
+    DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa
     DIFF_BYTES_BODY    a, a
 %undef i
 %endif
@@ -122,7 +123,7 @@ DIFF_BYTES_PROLOGUE
 INIT_XMM sse2
 DIFF_BYTES_PROLOGUE
     %define regsize mmsize
-    DIFF_BYTES_LOOP_PREP .skip_main_aa
+    DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa
     test            dstq, regsize - 1
         jnz     .loop_uu
     test           src1q, regsize - 1
@@ -138,7 +139,7 @@ DIFF_BYTES_PROLOGUE
     %define regsize mmsize
     ; Directly using unaligned SSE2 version is marginally faster than
     ; branching based on arguments.
-    DIFF_BYTES_LOOP_PREP .skip_main_uu
+    DIFF_BYTES_LOOP_PREP .skip_main_uu, .end_uu
     test            dstq, regsize - 1
         jnz     .loop_uu
     test           src1q, regsize - 1




From 519a54cc195b92fe6ba71fd156e31e944d862d7e Mon Sep 17 00:00:00 2001
From: Rostislav Pehlivanov <atomnuker@gmail.com>
Date: Wed, 8 Nov 2017 23:50:04 +0000
Subject: [PATCH] vc2enc_dwt: pad the temporary buffer by the slice size

Since non-Haar wavelets need to look into pixels outside the frame, we
need to pad the buffer. The old factor of two seemed to be a workaround
that fact and only padded to the left and bottom. This correctly pads
by the slice size and as such reduces memory usage and potential
exploits.
Reported by Liu Bingchang.

Ideally, there should be no temporary buffer but the encoder is designed
to deinterleave the coefficients into the classical wavelet structure
with the lower frequency values in the top left corner.

Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
(cherry picked from commit 3228ac730c11eca49d5680d5550128e397061c85)
---
 libavcodec/vc2enc.c     |  3 ++-
 libavcodec/vc2enc_dwt.c | 12 +++++++++---
 libavcodec/vc2enc_dwt.h |  4 +++-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git libavcodec/vc2enc.c libavcodec/vc2enc.c
index eda390163ff..745c6e974d5 100644
--- external/FFmpeg/libavcodec/vc2enc.c
+++ external/FFmpeg/libavcodec/vc2enc.c
@@ -1190,7 +1190,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx)
         /* DWT init */
         if (ff_vc2enc_init_transforms(&s->transform_args[i].t,
                                       s->plane[i].coef_stride,
-                                      s->plane[i].dwt_height))
+                                      s->plane[i].dwt_height,
+                                      s->slice_width, s->slice_height))
             goto alloc_fail;
     }
 
diff --git libavcodec/vc2enc_dwt.c libavcodec/vc2enc_dwt.c
index c60b003a313..d22af8a3138 100644
--- external/FFmpeg/libavcodec/vc2enc_dwt.c
+++ external/FFmpeg/libavcodec/vc2enc_dwt.c
@@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformContext *t, dwtcoef *data,
     dwt_haar(t, data, stride, width, height, 1);
 }
 
-av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height)
+av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride,
+                                      int p_height, int slice_w, int slice_h)
 {
     s->vc2_subband_dwt[VC2_TRANSFORM_9_7]    = vc2_subband_dwt_97;
     s->vc2_subband_dwt[VC2_TRANSFORM_5_3]    = vc2_subband_dwt_53;
     s->vc2_subband_dwt[VC2_TRANSFORM_HAAR]   = vc2_subband_dwt_haar;
     s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift;
 
-    s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef));
+    /* Pad by the slice size, only matters for non-Haar wavelets */
+    s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef));
     if (!s->buffer)
         return 1;
 
+    s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1);
+    s->buffer += s->padding;
+
     return 0;
 }
 
 av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s)
 {
-    av_freep(&s->buffer);
+    av_free(s->buffer - s->padding);
+    s->buffer = NULL;
 }
diff --git libavcodec/vc2enc_dwt.h libavcodec/vc2enc_dwt.h
index 7fbbfbe0ed9..a6932bcdaf0 100644
--- external/FFmpeg/libavcodec/vc2enc_dwt.h
+++ external/FFmpeg/libavcodec/vc2enc_dwt.h
@@ -41,12 +41,14 @@ enum VC2TransformType {
 
 typedef struct VC2TransformContext {
     dwtcoef *buffer;
+    int padding;
     void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t,
                                                dwtcoef *data, ptrdiff_t stride,
                                                int width, int height);
 } VC2TransformContext;
 
-int  ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height);
+int  ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height,
+                               int slice_w, int slice_h);
 void ff_vc2enc_free_transforms(VC2TransformContext *t);
 
 #endif /* AVCODEC_VC2ENC_DWT_H */




From b2c9771dd435fbce4f0a422bbdc16ecf7b243395 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 9 Oct 2017 00:32:30 +0200
Subject: [PATCH] avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()

Fixes out of array read
Should fix: 3516/clusterfuzz-testcase-minimized-4608518562775040 (not reprodoceable)

Found-by: Insu Yun, Georgia Tech.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 127a362630e11fe724e2e63fc871791fdcbcfa64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mpeg_er.c | 1 +
 1 file changed, 1 insertion(+)

diff --git libavcodec/mpeg_er.c libavcodec/mpeg_er.c
index dd87ae9cc9e..9bd269c4402 100644
--- external/FFmpeg/libavcodec/mpeg_er.c
+++ external/FFmpeg/libavcodec/mpeg_er.c
@@ -71,6 +71,7 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type,
     s->mb_skipped = mb_skipped;
     s->mb_x       = mb_x;
     s->mb_y       = mb_y;
+    s->mcsel      = 0;
     memcpy(s->mv, mv, sizeof(*mv));
 
     ff_init_block_index(s);




From b51f515c5c837351f2104b43c0e2a0562a759086 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 13 Nov 2017 20:47:48 +0100
Subject: [PATCH] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu

Fixes: out of array read
Fixes: 3516/attachment-311488.dat

Found-by: Insu Yun, Georgia Tech.
Tested-by: wuninsu@gmail.com
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/x86/mpegvideodsp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git libavcodec/x86/mpegvideodsp.c libavcodec/x86/mpegvideodsp.c
index e0498f38496..6009b64e076 100644
--- external/FFmpeg/libavcodec/x86/mpegvideodsp.c
+++ external/FFmpeg/libavcodec/x86/mpegvideodsp.c
@@ -52,8 +52,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src,
     const int dyh = (dyy - (1 << (16 + shift))) * (h - 1);
     const int dxh = dxy * (h - 1);
     const int dyw = dyx * (w - 1);
-    int need_emu  =  (unsigned) ix >= width  - w ||
-                     (unsigned) iy >= height - h;
+    int need_emu  =  (unsigned) ix >= width  - w || width < w ||
+                     (unsigned) iy >= height - h || height< h
+                     ;
 
     if ( // non-constant fullpel offset (3% of blocks)
         ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) |




Fix for CVE-2018-6392
https://security-tracker.debian.org/tracker/CVE-2018-6392
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3f621455d62e46745453568d915badd5b1e5bcd5
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c6939f65a116b1ffed345d29d8621ee4ffb32235

--- external/FFmpeg/libavfilter/vf_transpose.c.orig	2018-02-01 11:15:37 UTC
+++ external/FFmpeg/libavfilter/vf_transpose.c
@@ -27,6 +27,7 @@
 
 #include <stdio.h>
 
+#include "libavutil/avassert.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
@@ -54,6 +55,7 @@ enum TransposeDir {
 typedef struct TransContext {
     const AVClass *class;
     int hsub, vsub;
+    int planes;
     int pixsteps[4];
 
     int passthrough;    ///< PassthroughType, landscape passthrough mode enabled
@@ -106,7 +108,11 @@ static int config_props_output(AVFilterLink *outlink)
 
     s->hsub = desc_in->log2_chroma_w;
     s->vsub = desc_in->log2_chroma_h;
+    s->planes = av_pix_fmt_count_planes(outlink->format);
 
+    av_assert0(desc_in->nb_components == desc_out->nb_components);
+
+
     av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out);
 
     outlink->w = inlink->h;
@@ -148,7 +154,7 @@ static int filter_slice(AVFilterContext *ctx, void *ar
     AVFrame *in = td->in;
     int plane;
 
-    for (plane = 0; out->data[plane]; plane++) {
+    for (plane = 0; plane < s->planes; plane++) {
         int hsub    = plane == 1 || plane == 2 ? s->hsub : 0;
         int vsub    = plane == 1 || plane == 2 ? s->vsub : 0;
         int pixstep = s->pixsteps[plane];




Fix for CVE-2018-6621
https://security-tracker.debian.org/tracker/CVE-2018-6621
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/118e1b0b3370dd1c0da442901b486689efd1654b

--- external/FFmpeg/libavcodec/utvideodec.c.orig	2018-03-01 05:12:04 UTC
+++ external/FFmpeg/libavcodec/utvideodec.c
@@ -534,7 +534,7 @@ static int decode_frame(AVCodecContext *avctx, void *d
             for (j = 0; j < c->slices; j++) {
                 slice_end   = bytestream2_get_le32u(&gb);
                 if (slice_end < 0 || slice_end < slice_start ||
-                    bytestream2_get_bytes_left(&gb) < slice_end) {
+                    bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) {
                     av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                     return AVERROR_INVALIDDATA;
                 }




 }
 
 as_o(){
@@ -8840,7 +8840,7 @@ INCDIR=\$(INSTALL_ROOT)$incdir
 BINDIR=\$(INSTALL_ROOT)$bindir
 DATADIR=\$(INSTALL_ROOT)$datadir
 MANDIR=\$(INSTALL_ROOT)$mandir
-CFLAGS=${CFLAGS} -DFF_API_OLD_DECODE_AUDIO=1 -w
+CFLAGS=${CFLAGS} -DFF_API_OLD_DECODE_AUDIO=1 -I${prefix}/include -w
 endif # FFMPEG_CONFIG_MAK
 EOF
 




Fix arch detection
Fix runtime crashes on i386: enforce stack-alignment=16

--- external/FFmpeg/configure.orig	2018-02-01 11:15:37 UTC
+++ external/FFmpeg/configure
@@ -3189,12 +3189,7 @@ target_os_default=$(tolower $(uname -s))
 host_os=$target_os_default
 
 # machine
-if test "$target_os_default" = aix; then
-    arch_default=$(uname -p)
-    strip_default="strip -X32_64"
-else
-    arch_default=$(uname -m)
-fi
+arch_default=$(uname -p)
 cpu="generic"
 intrinsics="none"
 
@@ -6217,6 +6212,9 @@ elif enabled llvm_gcc; then
 elif enabled clang; then
     check_cflags -mllvm -stack-alignment=16
     check_cflags -mstack-alignment=16
+    if enabled x86_32; then
+        check_cflags -mstackrealign
+    fi
     check_cflags -Qunused-arguments
     check_cflags -Werror=implicit-function-declaration
     check_cflags -Werror=missing-prototypes




Fix build with libressl

--- external/FFmpeg/libavformat/tls_openssl.c.orig	2018-02-01 11:15:37 UTC
+++ external/FFmpeg/libavformat/tls_openssl.c
@@ -43,7 +43,7 @@ typedef struct TLSContext {
     TLSShared tls_shared;
     SSL_CTX *ctx;
     SSL *ssl;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
     BIO_METHOD* url_bio_method;
 #endif
 } TLSContext;
@@ -68,7 +68,7 @@ static unsigned long openssl_thread_id(void)
 
 static int url_bio_create(BIO *b)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
     BIO_set_init(b, 1);
     BIO_set_data(b, NULL);
     BIO_set_flags(b, 0);
@@ -85,7 +85,7 @@ static int url_bio_destroy(BIO *b)
     return 1;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
 #define GET_BIO_DATA(x) BIO_get_data(x);
 #else
 #define GET_BIO_DATA(x) (x)->ptr;
@@ -133,7 +133,7 @@ static int url_bio_bputs(BIO *b, const char *str)
     return url_bio_bwrite(b, str, strlen(str));
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER)
 static BIO_METHOD url_bio_method = {
     .type = BIO_TYPE_SOURCE_SINK,
     .name = "urlprotocol bio",
@@ -212,7 +212,7 @@ static int tls_close(URLContext *h)
         SSL_CTX_free(c->ctx);
     if (c->tls_shared.tcp)
         ffurl_close(c->tls_shared.tcp);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
     if (c->url_bio_method)
         BIO_meth_free(c->url_bio_method);
 #endif
@@ -265,7 +265,7 @@ static int tls_open(URLContext *h, const char *uri, in
         ret = AVERROR(EIO);
         goto fail;
     }
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
     p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
     BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
     BIO_meth_set_read(p->url_bio_method, url_bio_bread);




Database schema 1347 fails to update due to bad SQL statement
Ref: https://code.mythtv.org/trac/ticket/13155

--- libs/libmythtv/dbcheck.cpp.orig	2018-02-01 11:15:37 UTC
+++ libs/libmythtv/dbcheck.cpp
@@ -3340,25 +3340,24 @@ NULL
 
     if (dbver == "1346")
     {
-        QString master;
+        QList<QByteArray> updates_ba;
         // Create new MasterServerName setting
         if (gCoreContext->IsMasterHost())
-            master =
-            "insert into settings (value,data,hostname) "
-            "values('MasterServerName','"
-                + gCoreContext->GetHostName() + "', null);";
+            updates_ba.push_back(
+                QString("INSERT INTO settings (value, data, hostname) "
+                        "VALUES ('MasterServerName', '%1', NULL);")
+                        .arg(gCoreContext->GetHostName()).toLocal8Bit());
         else
-            master =
-            "insert into settings (value,data,hostname) "
-            "select 'MasterServerName', b.hostname, null "
-            "from settings a, settings b "
-            "where a.value = 'MasterServerIP' "
-            "and b.value in ('BackendServerIP','BackendServerIP6')"
-            "and a.data = b.data;";
+            updates_ba.push_back(
+                QString("INSERT INTO settings (value,data,hostname) "
+                        "SELECT 'MasterServerName', b.hostname, NULL "
+                        "FROM settings a, settings b "
+                        "WHERE a.value = 'MasterServerIP' "
+                        "AND b.value IN ('BackendServerIP','BackendServerIP6')"
+                        "AND a.data = b.data;")
+                        .toLocal8Bit());
 
-        const char *updates[] = {
-            // Create new MasterServerName setting
-            master.toLocal8Bit().constData(),
+        const char *post_sql[] = {
             // Create new BackendServerAddr setting for each backend server
             // Assume using IPV4 value.
             "insert into settings (value,data,hostname) "
@@ -3385,8 +3384,17 @@ NULL
             // Delete obsolete settings
             "delete from settings "
                 "where value in ('WatchTVGuide');",
-            NULL
         };
+        
+        for (uint i = 0; i < sizeof(post_sql)/sizeof(char*); i++)
+            updates_ba.push_back(QByteArray(post_sql[i]));
+
+        // Convert update ByteArrays to NULL terminated char**
+        QList<QByteArray>::const_iterator it = updates_ba.begin();
+        vector<const char*> updates;
+        for (; it != updates_ba.end(); ++it)
+            updates.push_back((*it).constData());
+        updates.push_back(NULL);
 
         if (!performActualUpdate(&updates[0], "1347", dbver))
             return false;




--- libs/libmythtv/videodev2.h.orig      2018-01-11 12:39:22 UTC
+++ libs/libmythtv/videodev2.h
@@ -60,6 +60,32 @@
 #ifdef __FreeBSD__
 #include <linux/input.h>	// For __[us][0-9]+ types
+#ifndef __u64
+typedef uint64_t __u64;
+#endif
+#ifndef __u32
+typedef uint32_t __u32;
+#endif
+#ifndef __u16
+typedef uint16_t __u16;
+#endif
+#ifndef __u8
+typedef uint8_t __u8;
+#endif
+
+#ifndef __s64
+typedef int64_t __s64;
+#endif
+#ifndef __s32
+typedef int32_t __s32;
+#endif
+#ifndef __s16
+typedef int16_t __s16;
+#endif
+#ifndef __s8
+typedef int8_t __s8;
+#endif
+
 #define __le64 __u64
 #define __le32 __u32
 #define __le16 __u16

Lines 1-10 Link Here

(-)files/patch-libs_libmythui_mythpainter.cpp (-10 lines)
1	--- libs/libmythui/mythpainter.cpp.orig 2018-01-11 12:39:22 UTC
2	+++ libs/libmythui/mythpainter.cpp
3	@@ -1,6 +1,7 @@
4	#include <stdint.h>
5	#include <algorithm>
6	#include <complex>
7	+#include <cstdlib>
8
9	// QT headers
10	#include <QRect>

Lines 1-10 Link Here

(-)files/patch-libs_libmythui_mythrender__vdpau.h (-10 lines)
1	--- libs/libmythui/mythrender_vdpau.h.orig 2018-01-27 11:25:49 UTC
2	+++ libs/libmythui/mythrender_vdpau.h
3	@@ -12,6 +12,7 @@
4
5	extern "C" {
6	#include "libavcodec/vdpau.h"
7	+#include <vdpau/vdpau_x11.h>
8	}
9
10	#define MIN_OUTPUT_SURFACES 2 // UI




bin/mythbackend
bin/mythccextractor
bin/mythcommflag
bin/mythexternrecorder
bin/mythffmpeg
bin/mythffprobe
bin/mythffserver
bin/mythfilerecorder
bin/mythfilldatabase
bin/mythfrontend
bin/mythhdhomerun_config
bin/mythjobqueue
bin/mythlcdserver
bin/mythmediaserver
bin/mythmetadatalookup
bin/mythpreviewgen
bin/mythpython
bin/mythreplex
bin/mythscreenwizard
bin/mythshutdown

bin/mythtv-setup
bin/mythutil
bin/mythwelcome
bin/mythwikiscripts
include/mythtv/audioconvert.h
include/mythtv/audiooutput.h
include/mythtv/audiooutputsettings.h

include/mythtv/audiosettings.h
include/mythtv/autodeletedeque.h
include/mythtv/blockinput.h
include/mythtv/bluray/array.h
include/mythtv/bluray/attributes.h
include/mythtv/bluray/bdid_parse.h
include/mythtv/bluray/bdparse.h
include/mythtv/bluray/bits.h
include/mythtv/bluray/bluray.h
include/mythtv/bluray/clpi_data.h
include/mythtv/bluray/clpi_parse.h
include/mythtv/bluray/dirs.h
include/mythtv/bluray/dl.h
include/mythtv/bluray/event_queue.h
include/mythtv/bluray/extdata_parse.h
include/mythtv/bluray/file.h
include/mythtv/bluray/filesystem.h
include/mythtv/bluray/hdmv_insn.h
include/mythtv/bluray/hdmv_vm.h
include/mythtv/bluray/index_parse.h
include/mythtv/bluray/log_control.h
include/mythtv/bluray/logging.h
include/mythtv/bluray/macro.h
include/mythtv/bluray/meta_data.h
include/mythtv/bluray/meta_parse.h
include/mythtv/bluray/mobj_data.h
include/mythtv/bluray/mobj_parse.h
include/mythtv/bluray/mobj_print.h
include/mythtv/bluray/mount.h
include/mythtv/bluray/mpls_parse.h
include/mythtv/bluray/mutex.h
include/mythtv/bluray/navigation.h
include/mythtv/bluray/refcnt.h
include/mythtv/bluray/sound_parse.h
include/mythtv/bluray/strutl.h
include/mythtv/bluray/time.h
include/mythtv/bluray/uo_mask_table.h
include/mythtv/bonjourregister.h
include/mythtv/bswap.h
include/mythtv/compat.h

include/mythtv/exitcodes.h
include/mythtv/ffmpeg-mmx.h
include/mythtv/filesysteminfo.h
include/mythtv/goom/drawmethods.h
include/mythtv/goom/filters.h
include/mythtv/goom/goom_core.h
include/mythtv/goom/goom_tools.h
include/mythtv/goom/goomconfig.h
include/mythtv/goom/graphic.h
include/mythtv/goom/ifs.h
include/mythtv/goom/lines.h
include/mythtv/goom/mathtools.h
include/mythtv/goom/mmx.h
include/mythtv/goom/tentacle3d.h
include/mythtv/goom/v3d.h
include/mythtv/hardwareprofile.h
include/mythtv/iso3166.h
include/mythtv/iso639.h
include/mythtv/langsettings.h
include/mythtv/lcddevice.h
include/mythtv/libavcodec/ac3_parser.h
include/mythtv/libavcodec/adts_parser.h
include/mythtv/libavcodec/avcodec.h
include/mythtv/libavcodec/avdct.h
include/mythtv/libavcodec/avfft.h

include/mythtv/libavcodec/mediacodec.h
include/mythtv/libavcodec/qsv.h
include/mythtv/libavcodec/vaapi.h
include/mythtv/libavcodec/vda.h
include/mythtv/libavcodec/vdpau.h
include/mythtv/libavcodec/version.h
include/mythtv/libavcodec/videotoolbox.h

include/mythtv/libavdevice/avdevice.h
include/mythtv/libavdevice/version.h
include/mythtv/libavfilter/avfilter.h
include/mythtv/libavfilter/avfiltergraph.h
include/mythtv/libavfilter/buffersink.h
include/mythtv/libavfilter/buffersrc.h
include/mythtv/libavfilter/version.h

include/mythtv/libavutil/dict.h
include/mythtv/libavutil/display.h
include/mythtv/libavutil/downmix_info.h
include/mythtv/libavutil/encryption_info.h
include/mythtv/libavutil/error.h
include/mythtv/libavutil/eval.h
include/mythtv/libavutil/ffversion.h

include/mythtv/libavutil/hmac.h
include/mythtv/libavutil/hwcontext.h
include/mythtv/libavutil/hwcontext_cuda.h
include/mythtv/libavutil/hwcontext_d3d11va.h
include/mythtv/libavutil/hwcontext_drm.h
include/mythtv/libavutil/hwcontext_dxva2.h
include/mythtv/libavutil/hwcontext_mediacodec.h
include/mythtv/libavutil/hwcontext_qsv.h
include/mythtv/libavutil/hwcontext_vaapi.h
include/mythtv/libavutil/hwcontext_vdpau.h
include/mythtv/libavutil/hwcontext_videotoolbox.h
include/mythtv/libavutil/imgutils.h
include/mythtv/libavutil/intfloat.h
include/mythtv/libavutil/intreadwrite.h

include/mythtv/libavutil/samplefmt.h
include/mythtv/libavutil/sha.h
include/mythtv/libavutil/sha512.h
include/mythtv/libavutil/spherical.h
include/mythtv/libavutil/stereo3d.h
include/mythtv/libavutil/tea.h
include/mythtv/libavutil/threadmessage.h

include/mythtv/libmyth/dialogbox.h
include/mythtv/libmyth/eldutils.h
include/mythtv/libmyth/langsettings.h
include/mythtv/libmyth/mythconfigdialogs.h
include/mythtv/libmyth/mythconfiggroups.h
include/mythtv/libmyth/mythcontext.h
include/mythtv/libmyth/mythdialogs.h
include/mythtv/libmyth/mythexp.h

include/mythtv/libmyth/remoteutil.h
include/mythtv/libmyth/rssparse.h
include/mythtv/libmyth/schemawizard.h
include/mythtv/libmyth/settings.h
include/mythtv/libmyth/standardsettings.h
include/mythtv/libmyth/storagegroupeditor.h
include/mythtv/libmyth/visual.h

include/mythtv/libmythbase/mythsingledownload.h
include/mythtv/libmythbase/mythsocket.h
include/mythtv/libmythbase/mythsocket_cb.h
include/mythtv/libmythbase/mythsorthelper.h
include/mythtv/libmythbase/mythstorage.h
include/mythtv/libmythbase/mythsystem.h
include/mythtv/libmythbase/mythsystemlegacy.h

include/mythtv/metadata/videoscan.h
include/mythtv/metadata/videoutils.h
include/mythtv/metadataimagehelper.h
include/mythtv/minilzo.h
include/mythtv/mpeg2dec/mpeg2.h
include/mythtv/mthread.h
include/mythtv/mthreadpool.h

include/mythtv/mythcommandlineparser.h
include/mythtv/mythconfig.h
include/mythtv/mythconfig.mak
include/mythtv/mythconfigdialogs.h
include/mythtv/mythconfiggroups.h
include/mythtv/mythcontext.h
include/mythtv/mythcorecontext.h
include/mythtv/mythcoreutil.h

include/mythtv/mythsingledownload.h
include/mythtv/mythsocket.h
include/mythtv/mythsocket_cb.h
include/mythtv/mythsorthelper.h
include/mythtv/mythstorage.h
include/mythtv/mythsystem.h
include/mythtv/mythsystemlegacy.h

include/mythtv/remotefile.h
include/mythtv/remoteutil.h
include/mythtv/rssparse.h
include/mythtv/samplerate.h
include/mythtv/schemawizard.h
include/mythtv/serverpool.h
include/mythtv/settings.h
include/mythtv/signalhandling.h
include/mythtv/standardsettings.h
include/mythtv/storagegroup.h

include/mythtv/version.h
include/mythtv/visual.h
include/mythtv/volumebase.h
lib/libmyth-30.so
lib/libmyth-30.so.30
lib/libmyth-30.so.30.0
lib/libmyth-30.so.30.0.0
lib/libmythavcodec.so
lib/libmythavcodec.so.58
lib/libmythavcodec.so.58.18.100
lib/libmythavdevice.so
lib/libmythavdevice.so.58
lib/libmythavdevice.so.58.3.100
lib/libmythavfilter.so
lib/libmythavfilter.so.7
lib/libmythavfilter.so.7.16.100
lib/libmythavformat.so
lib/libmythavformat.so.58
lib/libmythavformat.so.58.12.100
lib/libmythavutil.so
lib/libmythavutil.so.56
lib/libmythavutil.so.56.14.100
lib/libmythbase-30.so
lib/libmythbase-30.so.30
lib/libmythbase-30.so.30.0
lib/libmythbase-30.so.30.0.0
lib/libmythfreemheg-30.so
lib/libmythfreemheg-30.so.30
lib/libmythfreemheg-30.so.30.0
lib/libmythfreemheg-30.so.30.0.0
lib/libmythmetadata-30.so
lib/libmythmetadata-30.so.30
lib/libmythmetadata-30.so.30.0
lib/libmythmetadata-30.so.30.0.0
lib/libmythmetadata-29.so
lib/libmythmetadata-29.so.29
lib/libmythmetadata-29.so.29.0
lib/libmythmetadata-29.so.29.0.0
lib/libmythpostproc.so
lib/libmythpostproc.so.55
lib/libmythpostproc.so.55.1.100
lib/libmythprotoserver-30.so
lib/libmythprotoserver-30.so.30
lib/libmythprotoserver-30.so.30.0
lib/libmythprotoserver-30.so.30.0.0
lib/libmythservicecontracts-30.so
lib/libmythservicecontracts-30.so.30
lib/libmythservicecontracts-30.so.30.0
lib/libmythservicecontracts-30.so.30.0.0
lib/libmythswresample.so
lib/libmythswresample.so.3
lib/libmythswresample.so.3.1.100
lib/libmythswscale.so
lib/libmythswscale.so.5
lib/libmythswscale.so.5.1.100
lib/libmythtv-30.so
lib/libmythtv-30.so.30
lib/libmythtv-30.so.30.0
lib/libmythtv-30.so.30.0.0
lib/libmythui-30.so
lib/libmythui-30.so.30
lib/libmythui-30.so.30.0
lib/libmythui-30.so.30.0.0
lib/libmythupnp-30.so
lib/libmythupnp-30.so.30
lib/libmythupnp-30.so.30.0
lib/libmythupnp-30.so.30.0.0
lib/mythtv/filters/libadjust.so
lib/mythtv/filters/libbobdeint.so
lib/mythtv/filters/libcrop.so

lib/mythtv/filters/libquickdnr.so
lib/mythtv/filters/libvflip.so
lib/mythtv/filters/libyadif.so
%%SITE_PERL%%/IO/Socket/INET/MythTV.pm
%%SITE_PERL%%/MythTV.pm
%%SITE_PERL%%/MythTV/Channel.pm
%%SITE_PERL%%/MythTV/Program.pm
%%SITE_PERL%%/MythTV/Recording.pm
%%SITE_PERL%%/MythTV/StorageGroup.pm
%%PYTHON_SITELIBDIR%%/MythTV-30.0._1-py%%PYTHON_VER%%.egg-info
%%PYTHON_SITELIBDIR%%/MythTV/__init__.py
%%PYTHON_SITELIBDIR%%/MythTV/__init__.pyc
%%PYTHON_SITELIBDIR%%/MythTV/_conn_mysqldb.py
%%PYTHON_SITELIBDIR%%/MythTV/_conn_mysqldb.pyc
%%PYTHON_SITELIBDIR%%/MythTV/_conn_oursql.py
%%PYTHON_SITELIBDIR%%/MythTV/_conn_oursql.pyc
%%PYTHON_SITELIBDIR%%/MythTV/altdict.py
%%PYTHON_SITELIBDIR%%/MythTV/altdict.pyc
%%PYTHON_SITELIBDIR%%/MythTV/connections.py
%%PYTHON_SITELIBDIR%%/MythTV/connections.pyc
%%PYTHON_SITELIBDIR%%/MythTV/database.py
%%PYTHON_SITELIBDIR%%/MythTV/database.pyc
%%PYTHON_SITELIBDIR%%/MythTV/dataheap.py
%%PYTHON_SITELIBDIR%%/MythTV/dataheap.pyc
%%PYTHON_SITELIBDIR%%/MythTV/exceptions.py
%%PYTHON_SITELIBDIR%%/MythTV/exceptions.pyc
%%PYTHON_SITELIBDIR%%/MythTV/logging.py
%%PYTHON_SITELIBDIR%%/MythTV/logging.pyc
%%PYTHON_SITELIBDIR%%/MythTV/methodheap.py
%%PYTHON_SITELIBDIR%%/MythTV/methodheap.pyc
%%PYTHON_SITELIBDIR%%/MythTV/msearch.py
%%PYTHON_SITELIBDIR%%/MythTV/msearch.pyc
%%PYTHON_SITELIBDIR%%/MythTV/mythproto.py
%%PYTHON_SITELIBDIR%%/MythTV/mythproto.pyc
%%PYTHON_SITELIBDIR%%/MythTV/services_api/__init__.py
%%PYTHON_SITELIBDIR%%/MythTV/services_api/__init__.pyc
%%PYTHON_SITELIBDIR%%/MythTV/services_api/_version.py
%%PYTHON_SITELIBDIR%%/MythTV/services_api/_version.pyc
%%PYTHON_SITELIBDIR%%/MythTV/services_api/send.py
%%PYTHON_SITELIBDIR%%/MythTV/services_api/send.pyc
%%PYTHON_SITELIBDIR%%/MythTV/services_api/utilities.py
%%PYTHON_SITELIBDIR%%/MythTV/services_api/utilities.pyc
%%PYTHON_SITELIBDIR%%/MythTV/static.py
%%PYTHON_SITELIBDIR%%/MythTV/static.pyc
%%PYTHON_SITELIBDIR%%/MythTV/system.py
%%PYTHON_SITELIBDIR%%/MythTV/system.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/__init__.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/__init__.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache_engine.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache_engine.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache_file.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache_file.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache_null.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/cache_null.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/locales.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/locales.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/pager.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/pager.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/request.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/request.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/tmdb_api.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/tmdb_api.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/tmdb_auth.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/tmdb_auth.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/tmdb_exceptions.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/tmdb_exceptions.pyc
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/util.py
%%PYTHON_SITELIBDIR%%/MythTV/tmdb3/util.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/XSLT/tvdbCollection.xsl
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/XSLT/tvdbQuery.xsl
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/XSLT/tvdbVideo.xsl
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/__init__.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/__init__.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/requests_cache_compatability.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/requests_cache_compatability.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdbXslt.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdbXslt.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_api.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_api.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_create_key.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_create_key.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_exceptions.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_exceptions.pyc
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_ui.py
%%PYTHON_SITELIBDIR%%/MythTV/ttvdb/tvdb_ui.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/__init__.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/__init__.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/altdict.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/altdict.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/dequebuffer.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/dequebuffer.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/dicttoxml.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/dicttoxml.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/dt.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/dt.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/enum.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/enum.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/mixin.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/mixin.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/other.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/other.pyc
%%PYTHON_SITELIBDIR%%/MythTV/utility/singleton.py
%%PYTHON_SITELIBDIR%%/MythTV/utility/singleton.pyc
%%PYTHON_SITELIBDIR%%/MythTV/wikiscripts/__init__.py
%%PYTHON_SITELIBDIR%%/MythTV/wikiscripts/__init__.pyc
%%PYTHON_SITELIBDIR%%/MythTV/wikiscripts/wikiscripts.py
%%PYTHON_SITELIBDIR%%/MythTV/wikiscripts/wikiscripts.pyc
%%DATADIR%%/CDS_scpd.xml
%%DATADIR%%/CMGR_scpd.xml
%%DATADIR%%/MFEXML_scpd.xml

%%DATADIR%%/metadata/Music/lyrics/filelyrics.py
%%DATADIR%%/metadata/Music/lyrics/genius.py
%%DATADIR%%/metadata/Music/lyrics/gomaudio.py
%%DATADIR%%/metadata/Music/lyrics/letssingit.py
%%DATADIR%%/metadata/Music/lyrics/lyricscom.py
%%DATADIR%%/metadata/Music/lyrics/lyricsmode.py
%%DATADIR%%/metadata/Music/lyrics/lyricswiki.py

%%DATADIR%%/themes/MythCenter-wide/osd/tv.png
%%DATADIR%%/themes/MythCenter-wide/osd/video.png
%%DATADIR%%/themes/MythCenter-wide/preview.png
%%DATADIR%%/themes/MythCenter-wide/qtlook.txt
%%DATADIR%%/themes/MythCenter-wide/recordings-ui.xml
%%DATADIR%%/themes/MythCenter-wide/schedule-ui.xml
%%DATADIR%%/themes/MythCenter-wide/settings-ui.xml

%%DATADIR%%/themes/MythCenter/osd/tv.png
%%DATADIR%%/themes/MythCenter/osd/video.png
%%DATADIR%%/themes/MythCenter/preview.png
%%DATADIR%%/themes/MythCenter/qtlook.txt
%%DATADIR%%/themes/MythCenter/recordings-ui.xml
%%DATADIR%%/themes/MythCenter/schedule-ui.xml
%%DATADIR%%/themes/MythCenter/status-ui.xml

%%DATADIR%%/themes/Terra/popups/selected_submenu_arrow.png
%%DATADIR%%/themes/Terra/popups/submenu_arrow.png
%%DATADIR%%/themes/Terra/preview.png
%%DATADIR%%/themes/Terra/qtlook.txt
%%DATADIR%%/themes/Terra/recordings-ui.xml
%%DATADIR%%/themes/Terra/recordings/filterlist_background.png
%%DATADIR%%/themes/Terra/recordings/flagging_1.png

%%DATADIR%%/themes/default-wide/video-ui.xml
%%DATADIR%%/themes/default-wide/welcome-ui.xml
%%DATADIR%%/themes/default/appear-ui.xml
%%DATADIR%%/themes/default/aspect_button.png
%%DATADIR%%/themes/default/autoexpire.png
%%DATADIR%%/themes/default/avchd.png
%%DATADIR%%/themes/default/background.png

%%DATADIR%%/themes/default/blankbutton_on.png
%%DATADIR%%/themes/default/blankbutton_pushed.png
%%DATADIR%%/themes/default/bookmark.png
%%DATADIR%%/themes/default/bookmark_button.png
%%DATADIR%%/themes/default/bottomright.png
%%DATADIR%%/themes/default/busyimages/0.png
%%DATADIR%%/themes/default/busyimages/1.png

%%DATADIR%%/themes/default/button_selected_background.png
%%DATADIR%%/themes/default/categories.xml
%%DATADIR%%/themes/default/cc.png
%%DATADIR%%/themes/default/cc_button.png
%%DATADIR%%/themes/default/check.png
%%DATADIR%%/themes/default/checkbox_background_off.png
%%DATADIR%%/themes/default/checkbox_background_selected.png

%%DATADIR%%/themes/default/cursor.png
%%DATADIR%%/themes/default/cutlist.png
%%DATADIR%%/themes/default/damaged.png
%%DATADIR%%/themes/default/dbl_left_arrow_button.png
%%DATADIR%%/themes/default/dbl_right_arrow_button.png
%%DATADIR%%/themes/default/dd.png
%%DATADIR%%/themes/default/def-ro-lines.png
%%DATADIR%%/themes/default/down_arrow.png

%%DATADIR%%/themes/default/dummy720x576p25.00.ts
%%DATADIR%%/themes/default/dummy768x576p50.00.ts
%%DATADIR%%/themes/default/error.png
%%DATADIR%%/themes/default/ff_button.png
%%DATADIR%%/themes/default/fill_button.png
%%DATADIR%%/themes/default/filler.png
%%DATADIR%%/themes/default/galleryfolder.png
%%DATADIR%%/themes/default/gg-arrow-down.png

%%DATADIR%%/themes/default/htmls/progdetails_page1.html
%%DATADIR%%/themes/default/htmls/progdetails_page2.html
%%DATADIR%%/themes/default/image-ui.xml
%%DATADIR%%/themes/default/info_button.png
%%DATADIR%%/themes/default/jump_bookmark_button.png
%%DATADIR%%/themes/default/jump_start_button.png
%%DATADIR%%/themes/default/keyboard/ar.xml
%%DATADIR%%/themes/default/keyboard/da.xml
%%DATADIR%%/themes/default/keyboard/de.xml

%%DATADIR%%/themes/default/lb-uparrow-reg.png
%%DATADIR%%/themes/default/lb-uparrow-sel.png
%%DATADIR%%/themes/default/left_arrow.png
%%DATADIR%%/themes/default/left_arrow_button.png
%%DATADIR%%/themes/default/leftarrow.png
%%DATADIR%%/themes/default/leftright_off.png
%%DATADIR%%/themes/default/leftright_on.png

%%DATADIR%%/themes/default/locale/zw.png
%%DATADIR%%/themes/default/md_progress_background.png
%%DATADIR%%/themes/default/md_rip_banner.png
%%DATADIR%%/themes/default/menu_button.png
%%DATADIR%%/themes/default/menu_cutlist.xml
%%DATADIR%%/themes/default/menu_cutlist_compact.xml
%%DATADIR%%/themes/default/menu_playback.xml
%%DATADIR%%/themes/default/menu_playback_compact.xml
%%DATADIR%%/themes/default/mono.png
%%DATADIR%%/themes/default/more_button.png
%%DATADIR%%/themes/default/musicscanner.png
%%DATADIR%%/themes/default/muted_button.png
%%DATADIR%%/themes/default/mv_browse_background.png
%%DATADIR%%/themes/default/mv_browse_selector.png
%%DATADIR%%/themes/default/mv_filerequest.png

%%DATADIR%%/themes/default/notification-ui.xml
%%DATADIR%%/themes/default/osd.xml
%%DATADIR%%/themes/default/osd_subtitle.xml
%%DATADIR%%/themes/default/pause_button.png
%%DATADIR%%/themes/default/pd-background.png
%%DATADIR%%/themes/default/pf-background.png
%%DATADIR%%/themes/default/pf-lines.png

%%DATADIR%%/themes/default/pf-sel3.png
%%DATADIR%%/themes/default/pf-top.png
%%DATADIR%%/themes/default/pf-topbackground.png
%%DATADIR%%/themes/default/play_button.png
%%DATADIR%%/themes/default/playlist_yes.png
%%DATADIR%%/themes/default/preview.png
%%DATADIR%%/themes/default/processing.png

%%DATADIR%%/themes/default/progressbar_fill2.png
%%DATADIR%%/themes/default/reclist_background.png
%%DATADIR%%/themes/default/recordings-ui.xml
%%DATADIR%%/themes/default/rew_button.png
%%DATADIR%%/themes/default/right_arrow.png
%%DATADIR%%/themes/default/right_arrow_button.png
%%DATADIR%%/themes/default/rightarrow.png
%%DATADIR%%/themes/default/rk-background.png
%%DATADIR%%/themes/default/rk-lines.png

%%DATADIR%%/themes/default/status-bar.png
%%DATADIR%%/themes/default/status-ui.xml
%%DATADIR%%/themes/default/stereo.png
%%DATADIR%%/themes/default/stop_button.png
%%DATADIR%%/themes/default/subs.png
%%DATADIR%%/themes/default/subs_onscreen.png
%%DATADIR%%/themes/default/surround.png

%%DATADIR%%/themes/default/trans-sr-background.png
%%DATADIR%%/themes/default/unchecked.png
%%DATADIR%%/themes/default/unchecked_high.png
%%DATADIR%%/themes/default/unmuted_button.png
%%DATADIR%%/themes/default/up_arrow.png
%%DATADIR%%/themes/default/uparrow.png
%%DATADIR%%/themes/default/very_wide_button_background.png

Return to bug 234551

Lines 3-10 Link Here

(-)Makefile (-9 / +15 lines)
3		3
4	PORTNAME= mythtv	4	PORTNAME= mythtv
5	DISTVERSIONPREFIX= v	5	DISTVERSIONPREFIX= v
6	DISTVERSION= 29.1	6	DISTVERSION= 30.0
7	PORTREVISION?= 3	7	PORTREVISION?= 0
8	PORTEPOCH= 1	8	PORTEPOCH= 1
9	CATEGORIES= multimedia	9	CATEGORIES= multimedia
10		10
Lines 14-34 Link Here
14	LICENSE= GPLv2+	14	LICENSE= GPLv2+
15	LICENSE_FILE= ${WRKSRC}/COPYING	15	LICENSE_FILE= ${WRKSRC}/COPYING
16		16
17	BROKEN= fails to build
18	ONLY_FOR_ARCHS= amd64 i386	17	ONLY_FOR_ARCHS= amd64 i386
19		18
20	LIB_DEPENDS= libmp3lame.so:audio/lame \	19	LIB_DEPENDS= liblzo2.so:archivers/lzo2 \
		20	libmp3lame.so:audio/lame \
		21	libsamplerate.so:audio/libsamplerate \
21	libtag.so:audio/taglib \	22	libtag.so:audio/taglib \
22	libexiv2.so:graphics/exiv2 \	23	libexiv2.so:graphics/exiv2 \
23	libva.so:multimedia/libva \	24	libva.so:multimedia/libva \
		25	libbluray.so:multimedia/libbluray \
24	libass.so:multimedia/libass \	26	libass.so:multimedia/libass \
25	libfftw3_threads.so:math/fftw3 \	27	libfftw3_threads.so:math/fftw3 \
26	libfftw3f.so:math/fftw3-float \	28	libfftw3f.so:math/fftw3-float \
27	libfreetype.so:print/freetype2 \	29	libfreetype.so:print/freetype2 \
28	libxml2.so:textproc/libxml2	30	libxml2.so:textproc/libxml2
29	BUILD_DEPENDS= yasm:devel/yasm	31	BUILD_DEPENDS= yasm:devel/yasm \
		32	${LOCALBASE}/include/linux/input.h:devel/evdev-proto
30		33
31	USES= gmake iconv libtool pkgconfig pathfix qmake:no_env qt:5 ssl	34	USES= gmake gl iconv libtool pkgconfig pathfix qmake:no_env qt:5 ssl
32	USE_GITHUB= yes	35	USE_GITHUB= yes
33	GH_ACCOUNT= MythTV	36	GH_ACCOUNT= MythTV
34	USE_GL= gl	37	USE_GL= gl
Lines 42-49 Link Here
42	CONFIGURE_ARGS= --prefix="${PREFIX}" --cc="${CC}" --cxx="${CXX}" \	45	CONFIGURE_ARGS= --prefix="${PREFIX}" --cc="${CC}" --cxx="${CXX}" \
43	--libxml2-path="${LOCALBASE}/include/libxml2" \	46	--libxml2-path="${LOCALBASE}/include/libxml2" \
44	--enable-opengl-video \	47	--enable-opengl-video \
45	--disable-audio-alsa --disable-indev=alsa --disable-outdev=alsa \	48	--disable-audio-alsa --disable-indev=alsa \
46	--disable-mythlogserver	49	--disable-outdev=alsa
47	CONFIGURE_ENV= QMAKESPEC="${QMAKESPEC}" MOC="${MOC}" \	50	CONFIGURE_ENV= QMAKESPEC="${QMAKESPEC}" MOC="${MOC}" \
48	QTDIR="${PREFIX}" PKG_CONFIG_PATH="${LOCALBASE}/libdata/pkgconfig"	51	QTDIR="${PREFIX}" PKG_CONFIG_PATH="${LOCALBASE}/libdata/pkgconfig"
49	MAKE_ENV= QTDIR="${PREFIX}" \	52	MAKE_ENV= QTDIR="${PREFIX}" \
Lines 84-90 Link Here
84	programs/scripts/internetcontent/nv_python_libs/*.py \	87	programs/scripts/internetcontent/nv_python_libs/*.py \
85	programs/scripts/hardwareprofile/*.py \	88	programs/scripts/hardwareprofile/*.py \
86	programs/scripts/metadata/Television/ttvdb.py \	89	programs/scripts/metadata/Television/ttvdb.py \
87	programs/scripts/metadata/Movie/tmdb3.py	90	programs/scripts/metadata/Movie/tmdb3.py \
		91	programs/scripts/metadata/Music/mbutils.py
88		92
89	CONFIGURE_ARGS+=--dvb-path="${LOCALBASE}/include" \	93	CONFIGURE_ARGS+=--dvb-path="${LOCALBASE}/include" \
90	--enable-ivtv --enable-v4l2 --enable-xv	94	--enable-ivtv --enable-v4l2 --enable-xv
Lines 108-113 Link Here
108	p5-DBD-mysql>0:databases/p5-DBD-mysql \	112	p5-DBD-mysql>0:databases/p5-DBD-mysql \
109	p5-Net-UPnP>=0:multimedia/p5-Net-UPnP \	113	p5-Net-UPnP>=0:multimedia/p5-Net-UPnP \
110	p5-IO-Socket-INET6>=2.51:net/p5-IO-Socket-INET6 \	114	p5-IO-Socket-INET6>=2.51:net/p5-IO-Socket-INET6 \
		115	p5-XML-Simple>=0:textproc/p5-XML-Simple \
111	p5-HTTP-Request-Params>=0:www/p5-HTTP-Request-Params \	116	p5-HTTP-Request-Params>=0:www/p5-HTTP-Request-Params \
112	p5-LWP-UserAgent-Determined>=0:www/p5-LWP-UserAgent-Determined	117	p5-LWP-UserAgent-Determined>=0:www/p5-LWP-UserAgent-Determined
113	BINDINGS_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:databases/py-MySQLdb@${PY_FLAVOR} \	118	BINDINGS_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:databases/py-MySQLdb@${PY_FLAVOR} \
Lines 121-126 Link Here
121	p5-DBD-mysql>0:databases/p5-DBD-mysql \	126	p5-DBD-mysql>0:databases/p5-DBD-mysql \
122	p5-Net-UPnP>=0:multimedia/p5-Net-UPnP \	127	p5-Net-UPnP>=0:multimedia/p5-Net-UPnP \
123	p5-IO-Socket-INET6>=2.51:net/p5-IO-Socket-INET6 \	128	p5-IO-Socket-INET6>=2.51:net/p5-IO-Socket-INET6 \
		129	p5-XML-Simple>=0:textproc/p5-XML-Simple \
124	p5-HTTP-Request-Params>=0:www/p5-HTTP-Request-Params \	130	p5-HTTP-Request-Params>=0:www/p5-HTTP-Request-Params \
125	p5-LWP-UserAgent-Determined>=0:www/p5-LWP-UserAgent-Determined	131	p5-LWP-UserAgent-Determined>=0:www/p5-LWP-UserAgent-Determined
126	BINDINGS_CONFIGURE_ON= --python=${PYTHON_CMD}	132	BINDINGS_CONFIGURE_ON= --python=${PYTHON_CMD}

Lines 1-239 Link Here

(-)files/patch-CVE-2016-10190 (-239 lines)
1	From 0e0a413725e0221e1a9d0b7595e22bf57e23a09c Mon Sep 17 00:00:00 2001
2	From: "Ronald S. Bultje" <rsbultje@gmail.com>
3	Date: Mon, 5 Dec 2016 08:02:33 -0500
4	Subject: [PATCH] http: make length/offset-related variables unsigned.
5
6	Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.
7
8	(cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa)
9	---
10	libavformat/http.c \| 70 +++++++++++++++++++++++++++++-------------------------
11	1 file changed, 38 insertions(+), 32 deletions(-)
12
13	diff --git libavformat/http.c libavformat/http.c
14	index d48958d8a3c..13f3be42271 100644
15	--- external/FFmpeg/libavformat/http.c
16	+++ external/FFmpeg/libavformat/http.c
17	@@ -62,8 +62,8 @@ typedef struct HTTPContext {
18	int line_count;
19	int http_code;
20	/* Used if "Transfer-Encoding: chunked" otherwise -1. */
21	- int64_t chunksize;
22	- int64_t off, end_off, filesize;
23	+ uint64_t chunksize;
24	+ uint64_t off, end_off, filesize;
25	char *location;
26	HTTPAuthState auth_state;
27	HTTPAuthState proxy_auth_state;
28	@@ -95,9 +95,9 @@ typedef struct HTTPContext {
29	AVDictionary *cookie_dict;
30	int icy;
31	/* how much data was read since the last ICY metadata packet */
32	- int icy_data_read;
33	+ uint64_t icy_data_read;
34	/* after how many bytes of read data a new metadata packet will be found */
35	- int icy_metaint;
36	+ uint64_t icy_metaint;
37	char *icy_metadata_headers;
38	char *icy_metadata_packet;
39	AVDictionary *metadata;
40	@@ -489,7 +489,7 @@ static int http_open(URLContext h, const char uri, int flags,
41	else
42	h->is_streamed = 1;
43
44	- s->filesize = -1;
45	+ s->filesize = UINT64_MAX;
46	s->location = av_strdup(uri);
47	if (!s->location)
48	return AVERROR(ENOMEM);
49	@@ -616,9 +616,9 @@ static void parse_content_range(URLContext h, const char p)
50
51	if (!strncmp(p, "bytes ", 6)) {
52	p += 6;
53	- s->off = strtoll(p, NULL, 10);
54	+ s->off = strtoull(p, NULL, 10);
55	if ((slash = strchr(p, '/')) && strlen(slash) > 0)
56	- s->filesize = strtoll(slash + 1, NULL, 10);
57	+ s->filesize = strtoull(slash + 1, NULL, 10);
58	}
59	if (s->seekable == -1 && (!s->is_akamai \|\| s->filesize != 2147483647))
60	h->is_streamed = 0; /* we _can_ in fact seek */
61	@@ -808,8 +808,9 @@ static int process_line(URLContext h, char line, int line_count,
62	if ((ret = parse_location(s, p)) < 0)
63	return ret;
64	*new_location = 1;
65	- } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) {
66	- s->filesize = strtoll(p, NULL, 10);
67	+ } else if (!av_strcasecmp(tag, "Content-Length") &&
68	+ s->filesize == UINT64_MAX) {
69	+ s->filesize = strtoull(p, NULL, 10);
70	} else if (!av_strcasecmp(tag, "Content-Range")) {
71	parse_content_range(h, p);
72	} else if (!av_strcasecmp(tag, "Accept-Ranges") &&
73	@@ -818,7 +819,7 @@ static int process_line(URLContext h, char line, int line_count,
74	h->is_streamed = 0;
75	} else if (!av_strcasecmp(tag, "Transfer-Encoding") &&
76	!av_strncasecmp(p, "chunked", 7)) {
77	- s->filesize = -1;
78	+ s->filesize = UINT64_MAX;
79	s->chunksize = 0;
80	} else if (!av_strcasecmp(tag, "WWW-Authenticate")) {
81	ff_http_auth_handle_header(&s->auth_state, tag, p);
82	@@ -842,7 +843,7 @@ static int process_line(URLContext h, char line, int line_count,
83	if (parse_cookie(s, p, &s->cookie_dict))
84	av_log(h, AV_LOG_WARNING, "Unable to parse '%s'\n", p);
85	} else if (!av_strcasecmp(tag, "Icy-MetaInt")) {
86	- s->icy_metaint = strtoll(p, NULL, 10);
87	+ s->icy_metaint = strtoull(p, NULL, 10);
88	} else if (!av_strncasecmp(tag, "Icy-", 4)) {
89	if ((ret = parse_icy(s, tag, p)) < 0)
90	return ret;
91	@@ -972,7 +973,7 @@ static int http_read_header(URLContext h, int new_location)
92	char line[MAX_URL_SIZE];
93	int err = 0;
94
95	- s->chunksize = -1;
96	+ s->chunksize = UINT64_MAX;
97
98	for (;;) {
99	if ((err = http_get_line(s, line, sizeof(line))) < 0)
100	@@ -1006,7 +1007,7 @@ static int http_connect(URLContext h, const char path, const char *local_path,
101	int post, err;
102	char headers[HTTP_HEADERS_SIZE] = "";
103	char authstr = NULL, proxyauthstr = NULL;
104	- int64_t off = s->off;
105	+ uint64_t off = s->off;
106	int len = 0;
107	const char *method;
108	int send_expect_100 = 0;
109	@@ -1060,7 +1061,7 @@ static int http_connect(URLContext h, const char path, const char *local_path,
110	// server supports seeking by analysing the reply headers.
111	if (!has_header(s->headers, "\r\nRange: ") && !post && (s->off > 0 \|\| s->end_off \|\| s->seekable == -1)) {
112	len += av_strlcatf(headers + len, sizeof(headers) - len,
113	- "Range: bytes=%"PRId64"-", s->off);
114	+ "Range: bytes=%"PRIu64"-", s->off);
115	if (s->end_off)
116	len += av_strlcatf(headers + len, sizeof(headers) - len,
117	"%"PRId64, s->end_off - 1);
118	@@ -1135,7 +1136,7 @@ static int http_connect(URLContext h, const char path, const char *local_path,
119	s->line_count = 0;
120	s->off = 0;
121	s->icy_data_read = 0;
122	- s->filesize = -1;
123	+ s->filesize = UINT64_MAX;
124	s->willclose = 0;
125	s->end_chunked_post = 0;
126	s->end_header = 0;
127	@@ -1175,15 +1176,13 @@ static int http_buf_read(URLContext h, uint8_t buf, int size)
128	memcpy(buf, s->buf_ptr, len);
129	s->buf_ptr += len;
130	} else {
131	- int64_t target_end = s->end_off ? s->end_off : s->filesize;
132	- if ((!s->willclose \|\| s->chunksize < 0) &&
133	- target_end >= 0 && s->off >= target_end)
134	+ uint64_t target_end = s->end_off ? s->end_off : s->filesize;
135	+ if ((!s->willclose \|\| s->chunksize == UINT64_MAX) && s->off >= target_end)
136	return AVERROR_EOF;
137	len = ffurl_read(s->hd, buf, size);
138	- if (!len && (!s->willclose \|\| s->chunksize < 0) &&
139	- target_end >= 0 && s->off < target_end) {
140	+ if (!len && (!s->willclose \|\| s->chunksize == UINT64_MAX) && s->off < target_end) {
141	av_log(h, AV_LOG_ERROR,
142	- "Stream ends prematurely at %"PRId64", should be %"PRId64"\n",
143	+ "Stream ends prematurely at %"PRIu64", should be %"PRIu64"\n",
144	s->off, target_end
145	);
146	return AVERROR(EIO);
147	@@ -1247,7 +1246,7 @@ static int http_read_stream(URLContext h, uint8_t buf, int size)
148	return err;
149	}
150
151	- if (s->chunksize >= 0) {
152	+ if (s->chunksize != UINT64_MAX) {
153	if (!s->chunksize) {
154	char line[32];
155
156	@@ -1256,13 +1255,19 @@ static int http_read_stream(URLContext h, uint8_t buf, int size)
157	return err;
158	} while (!line); / skip CR LF from last chunk */
159
160	- s->chunksize = strtoll(line, NULL, 16);
161	+ s->chunksize = strtoull(line, NULL, 16);
162
163	- av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
164	+ av_log(h, AV_LOG_TRACE,
165	+ "Chunked encoding data size: %"PRIu64"'\n",
166	s->chunksize);
167
168	if (!s->chunksize)
169	return 0;
170	+ else if (s->chunksize == UINT64_MAX) {
171	+ av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n",
172	+ s->chunksize);
173	+ return AVERROR(EINVAL);
174	+ }
175	}
176	size = FFMIN(size, s->chunksize);
177	}
178	@@ -1273,17 +1278,17 @@ static int http_read_stream(URLContext h, uint8_t buf, int size)
179	read_ret = http_buf_read(h, buf, size);
180	if ( (read_ret < 0 && s->reconnect && (!h->is_streamed \|\| s->reconnect_streamed) && s->filesize > 0 && s->off < s->filesize)
181	\|\| (read_ret == 0 && s->reconnect_at_eof && (!h->is_streamed \|\| s->reconnect_streamed))) {
182	- int64_t target = h->is_streamed ? 0 : s->off;
183	+ uint64_t target = h->is_streamed ? 0 : s->off;
184
185	if (s->reconnect_delay > s->reconnect_delay_max)
186	return AVERROR(EIO);
187
188	- av_log(h, AV_LOG_INFO, "Will reconnect at %"PRId64" error=%s.\n", s->off, av_err2str(read_ret));
189	+ av_log(h, AV_LOG_INFO, "Will reconnect at %"PRIu64" error=%s.\n", s->off, av_err2str(read_ret));
190	av_usleep(1000U1000s->reconnect_delay);
191	s->reconnect_delay = 1 + 2*s->reconnect_delay;
192	seek_ret = http_seek_internal(h, target, SEEK_SET, 1);
193	if (seek_ret != target) {
194	- av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRId64".\n", target);
195	+ av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRIu64".\n", target);
196	return read_ret;
197	}
198
199	@@ -1338,10 +1343,11 @@ static int store_icy(URLContext *h, int size)
200	{
201	HTTPContext *s = h->priv_data;
202	/* until next metadata packet */
203	- int remaining = s->icy_metaint - s->icy_data_read;
204	+ uint64_t remaining;
205
206	- if (remaining < 0)
207	+ if (s->icy_metaint < s->icy_data_read)
208	return AVERROR_INVALIDDATA;
209	+ remaining = s->icy_metaint - s->icy_data_read;
210
211	if (!remaining) {
212	/* The metadata packet is variable sized. It has a 1 byte header
213	@@ -1455,7 +1461,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo
214	{
215	HTTPContext *s = h->priv_data;
216	URLContext *old_hd = s->hd;
217	- int64_t old_off = s->off;
218	+ uint64_t old_off = s->off;
219	uint8_t old_buf[BUFFER_SIZE];
220	int old_buf_size, ret;
221	AVDictionary *options = NULL;
222	@@ -1466,7 +1472,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo
223	((whence == SEEK_CUR && off == 0) \|\|
224	(whence == SEEK_SET && off == s->off)))
225	return s->off;
226	- else if ((s->filesize == -1 && whence == SEEK_END))
227	+ else if ((s->filesize == UINT64_MAX && whence == SEEK_END))
228	return AVERROR(ENOSYS);
229
230	if (whence == SEEK_CUR)
231	@@ -1621,7 +1627,7 @@ static int http_proxy_open(URLContext h, const char uri, int flags)
232	s->buf_ptr = s->buffer;
233	s->buf_end = s->buffer;
234	s->line_count = 0;
235	- s->filesize = -1;
236	+ s->filesize = UINT64_MAX;
237	cur_auth_type = s->proxy_auth_state.auth_type;
238
239	/* Note: This uses buffering, potentially reading more than the

Lines 1-40 Link Here

(-)files/patch-CVE-2016-10192 (-40 lines)
1	From c12ee64e80af2517005231388fdf4ea78f16bb0e Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Mon, 5 Dec 2016 17:27:45 +0100
4	Subject: [PATCH] ffserver: Check chunk size
5
6	Fixes out of array access
7
8	Fixes: poc_ffserver.py
9	Found-by: Paul Cher <paulcher@icloud.com>
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	ffserver.c \| 5 ++++-
15	1 file changed, 4 insertions(+), 1 deletion(-)
16
17	diff --git ffserver.c ffserver.c
18	index 453d790e6cd..aec808e78cb 100644
19	--- external/FFmpeg/ffserver.c.orig
20	+++ external/FFmpeg/ffserver.c
21	@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c)
22	} else if (c->buffer_ptr - c->buffer >= 2 &&
23	!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
24	c->chunk_size = strtol(c->buffer, 0, 16);
25	- if (c->chunk_size == 0) // end of stream
26	+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size
27	+ c->chunk_size = 0;
28	goto fail;
29	+ }
30	c->buffer_ptr = c->buffer;
31	break;
32	} else if (++loop_run > 10)
33	@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c)
34	/* end of connection : close it */
35	goto fail;
36	else {
37	+ av_assert0(len <= c->chunk_size);
38	c->chunk_size -= len;
39	c->buffer_ptr += len;
40	c->data_count += len;

Lines 1-31 Link Here

(-)files/patch-CVE-2017-05024 (-31 lines)
1	From ed2572b9c8f885e2a4764d2e34604442a71899a1 Mon Sep 17 00:00:00 2001
2	From: Matt Wolenetz <wolenetz@google.com>
3	Date: Wed, 14 Dec 2016 15:26:19 -0800
4	Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
5
6	Core of patch is from paul@paulmehta.com
7	Reference https://crbug.com/643951
8
9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10	Check value reduced as the code does not support values beyond INT_MAX
11	Also the check is moved to a more common place and before integer truncation
12
13	(cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd)
14	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
15	---
16	libavformat/mov.c \| 2 +-
17	1 file changed, 1 insertion(+), 1 deletion(-)
18
19	diff --git libavformat/mov.c libavformat/mov.c
20	index 17d0475aae1..74b58255784 100644
21	--- external/FFmpeg/libavformat/mov.c
22	+++ external/FFmpeg/libavformat/mov.c
23	@@ -4436,7 +4436,7 @@ static int mov_read_uuid(MOVContext c, AVIOContext pb, MOVAtom atom)
24	0x9c, 0x71, 0x99, 0x94, 0x91, 0xe3, 0xaf, 0xac
25	};
26
27	- if (atom.size < sizeof(uuid) \|\| atom.size == INT64_MAX)
28	+ if (atom.size < sizeof(uuid) \|\| atom.size >= FFMIN(INT_MAX, SIZE_MAX))
29	return AVERROR_INVALIDDATA;
30
31	ret = avio_read(pb, uuid, sizeof(uuid));

Lines 1-30 Link Here

(-)files/patch-CVE-2017-05025 (-30 lines)
1	From cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf Mon Sep 17 00:00:00 2001
2	From: Matt Wolenetz <wolenetz@google.com>
3	Date: Wed, 14 Dec 2016 15:24:42 -0800
4	Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
5
6	Core of patch is from paul@paulmehta.com
7	Reference https://crbug.com/643950
8
9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10	Check value reduced as the code does not support larger lengths
11
12	(cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9)
13	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14	---
15	libavformat/mov.c \| 2 ++
16	1 file changed, 2 insertions(+)
17
18	diff --git libavformat/mov.c libavformat/mov.c
19	index 1e2141808da..17d0475aae1 100644
20	--- external/FFmpeg/libavformat/mov.c
21	+++ external/FFmpeg/libavformat/mov.c
22	@@ -739,6 +739,8 @@ static int mov_read_hdlr(MOVContext c, AVIOContext pb, MOVAtom atom)
23
24	title_size = atom.size - 24;
25	if (title_size > 0) {
26	+ if (title_size > FFMIN(INT_MAX, SIZE_MAX-1))
27	+ return AVERROR_INVALIDDATA;
28	title_str = av_malloc(title_size + 1); /* Add null terminator */
29	if (!title_str)
30	return AVERROR(ENOMEM);

Lines 1-28 Link Here

(-)files/patch-CVE-2017-07862 (-28 lines)
1	From a1a14982ec5b9954637cdc9ce8daf01d211e5c79 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Tue, 7 Feb 2017 15:49:09 +0100
4	Subject: [PATCH] avcodec/pictordec: Fix logic error
5
6	Fixes: 559/clusterfuzz-testcase-6424225917173760
7
8	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10	(cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a)
11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
12	---
13	libavcodec/pictordec.c \| 2 +-
14	1 file changed, 1 insertion(+), 1 deletion(-)
15
16	diff --git libavcodec/pictordec.c libavcodec/pictordec.c
17	index ff6eb7f4fc9..0cfc7858326 100644
18	--- external/FFmpeg/libavcodec/pictordec.c
19	+++ external/FFmpeg/libavcodec/pictordec.c
20	@@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx,
21
22	if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
23	return -1;
24	- if (s->width != avctx->width && s->height != avctx->height) {
25	+ if (s->width != avctx->width \|\| s->height != avctx->height) {
26	ret = ff_set_dimensions(avctx, s->width, s->height);
27	if (ret < 0)
28	return ret;

Lines 1-37 Link Here

(-)files/patch-CVE-2017-07866 (-37 lines)
1	From bd6c1d5149fbc4f2a0200ad99e7f56f4fb7d518a Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Mon, 23 Jan 2017 01:25:27 +0100
4	Subject: [PATCH] avcodec/pngdec: Fix off by 1 size in decode_zbuf()
5
6	Fixes out of array access
7	Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer
8
9	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit e371f031b942d73e02c090170975561fabd5c264)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/pngdec.c \| 6 +++---
15	1 file changed, 3 insertions(+), 3 deletions(-)
16
17	diff --git libavcodec/pngdec.c libavcodec/pngdec.c
18	index 36275ae43f5..7ade0cee661 100644
19	--- external/FFmpeg/libavcodec/pngdec.c
20	+++ external/FFmpeg/libavcodec/pngdec.c
21	@@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint bp, const uint8_t data,
22	av_bprint_init(bp, 0, -1);
23
24	while (zstream.avail_in > 0) {
25	- av_bprint_get_buffer(bp, 1, &buf, &buf_size);
26	- if (!buf_size) {
27	+ av_bprint_get_buffer(bp, 2, &buf, &buf_size);
28	+ if (buf_size < 2) {
29	ret = AVERROR(ENOMEM);
30	goto fail;
31	}
32	zstream.next_out = buf;
33	- zstream.avail_out = buf_size;
34	+ zstream.avail_out = buf_size - 1;
35	ret = inflate(&zstream, Z_PARTIAL_FLUSH);
36	if (ret != Z_OK && ret != Z_STREAM_END) {
37	ret = AVERROR_EXTERNAL;

Lines 1-116 Link Here

(-)files/patch-CVE-2017-09608a (-116 lines)
1	From e1940d2458353943e2fab6bdb87d2278077e22a5 Mon Sep 17 00:00:00 2001
2	From: Paul B Mahol <onemda@gmail.com>
3	Date: Mon, 20 Mar 2017 22:47:48 +0100
4	Subject: [PATCH] avcodec/dnxhd_parser: take into account compressed frame size
5	and skip it
6
7	Fixes #6214 and vsynth1-dnxhd-720p-hr-lb.
8
9	Signed-off-by: Paul B Mahol <onemda@gmail.com>
10	---
11	libavcodec/dnxhd_parser.c \| 65 +++++++++++++++++++++++++++----
12	tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb \| 4 +-
13	2 files changed, 60 insertions(+), 9 deletions(-)
14
15	diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
16	index 033b8ee7e11..4f9bbceeeb5 100644
17	--- external/FFmpeg/libavcodec/dnxhd_parser.c
18	+++ external/FFmpeg/libavcodec/dnxhd_parser.c
19	@@ -31,8 +31,24 @@ typedef struct {
20	ParseContext pc;
21	int interlaced;
22	int cur_field; /* first field is 0, second is 1 */
23	+ int cur_byte;
24	+ int remaining;
25	+ int w, h;
26	} DNXHDParserContext;
27
28	+static int dnxhd_get_hr_frame_size(int cid, int w, int h)
29	+{
30	+ int result, i = ff_dnxhd_get_cid_table(cid);
31	+
32	+ if (i < 0)
33	+ return i;
34	+
35	+ result = ((h + 15) / 16) * ((w + 15) / 16) * ff_dnxhd_cid_table[i].packet_scale.num / ff_dnxhd_cid_table[i].packet_scale.den;
36	+ result = (result + 2048) / 4096 * 4096;
37	+
38	+ return FFMAX(result, 8192);
39	+}
40	+
41	static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
42	const uint8_t *buf, int buf_size)
43	{
44	@@ -51,30 +67,65 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
45	pic_found = 1;
46	interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
47	cur_field = state&1;
48	+ dctx->cur_byte = 0;
49	+ dctx->remaining = 0;
50	break;
51	}
52	}
53	}
54
55	- if (pic_found) {
56	+ if (pic_found && !dctx->remaining) {
57	if (!buf_size) /* EOF considered as end of frame */
58	return 0;
59	for (; i < buf_size; i++) {
60	+ dctx->cur_byte++;
61	state = (state << 8) \| buf[i];
62	- if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
63	- if (!interlaced \|\| dctx->cur_field) {
64	+
65	+ if (dctx->cur_byte == 24) {
66	+ dctx->h = (state >> 32) & 0xFFFF;
67	+ } else if (dctx->cur_byte == 26) {
68	+ dctx->w = (state >> 32) & 0xFFFF;
69	+ } else if (dctx->cur_byte == 42) {
70	+ int cid = (state >> 32) & 0xFFFFFFFF;
71	+
72	+ if (cid <= 0)
73	+ continue;
74	+
75	+ dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
76	+ if (dctx->remaining <= 0) {
77	+ dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
78	+ if (dctx->remaining <= 0)
79	+ return dctx->remaining;
80	+ }
81	+ if (buf_size - i >= dctx->remaining && (!dctx->interlaced \|\| dctx->cur_field)) {
82	+ int remaining = dctx->remaining;
83	+
84	pc->frame_start_found = 0;
85	pc->state64 = -1;
86	dctx->interlaced = interlaced;
87	dctx->cur_field = 0;
88	- return i - 5;
89	+ dctx->cur_byte = 0;
90	+ dctx->remaining = 0;
91	+ return remaining;
92	} else {
93	- /* continue, to get the second field */
94	- dctx->interlaced = interlaced = (state&2)>>1;
95	- dctx->cur_field = cur_field = state&1;
96	+ dctx->remaining -= buf_size;
97	}
98	}
99	}
100	+ } else if (pic_found) {
101	+ if (dctx->remaining > buf_size) {
102	+ dctx->remaining -= buf_size;
103	+ } else {
104	+ int remaining = dctx->remaining;
105	+
106	+ pc->frame_start_found = 0;
107	+ pc->state64 = -1;
108	+ dctx->interlaced = interlaced;
109	+ dctx->cur_field = 0;
110	+ dctx->cur_byte = 0;
111	+ dctx->remaining = 0;
112	+ return remaining;
113	+ }
114	}
115	pc->frame_start_found = pic_found;
116	pc->state64 = state;

Lines 1-82 Link Here

(-)files/patch-CVE-2017-09608b (-82 lines)
1	From da693f8daa62cb76a2aa05021d6c8d53a1b816b2 Mon Sep 17 00:00:00 2001
2	From: Paul B Mahol <onemda@gmail.com>
3	Date: Sun, 23 Apr 2017 11:53:57 +0200
4	Subject: [PATCH] avcodec/dnxhd_parser: fix parsing interlaced video, simplify
5	code
6
7	There appears to be no need to treat interlaced videos differently,
8	also that code is flawed, as for at least one input cur_field would
9	be always 0.
10
11	Fixes ticket #6344.
12
13	Signed-off-by: Paul B Mahol <onemda@gmail.com>
14	(cherry picked from commit ac30754a148df58822a272555d1f6f860e42037e)
15	---
16	libavcodec/dnxhd_parser.c \| 14 +-------------
17	1 file changed, 1 insertion(+), 13 deletions(-)
18
19	diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
20	index 4f9bbceeeb5..a1f632a620e 100644
21	--- external/FFmpeg/libavcodec/dnxhd_parser.c
22	+++ external/FFmpeg/libavcodec/dnxhd_parser.c
23	@@ -29,8 +29,6 @@
24
25	typedef struct {
26	ParseContext pc;
27	- int interlaced;
28	- int cur_field; /* first field is 0, second is 1 */
29	int cur_byte;
30	int remaining;
31	int w, h;
32	@@ -56,8 +54,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
33	uint64_t state = pc->state64;
34	int pic_found = pc->frame_start_found;
35	int i = 0;
36	- int interlaced = dctx->interlaced;
37	- int cur_field = dctx->cur_field;
38
39	if (!pic_found) {
40	for (i = 0; i < buf_size; i++) {
41	@@ -65,8 +61,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
42	if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
43	i++;
44	pic_found = 1;
45	- interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
46	- cur_field = state&1;
47	dctx->cur_byte = 0;
48	dctx->remaining = 0;
49	break;
50	@@ -97,13 +91,11 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
51	if (dctx->remaining <= 0)
52	return dctx->remaining;
53	}
54	- if (buf_size - i >= dctx->remaining && (!dctx->interlaced \|\| dctx->cur_field)) {
55	+ if (buf_size - i + 47 >= dctx->remaining) {
56	int remaining = dctx->remaining;
57
58	pc->frame_start_found = 0;
59	pc->state64 = -1;
60	- dctx->interlaced = interlaced;
61	- dctx->cur_field = 0;
62	dctx->cur_byte = 0;
63	dctx->remaining = 0;
64	return remaining;
65	@@ -120,8 +112,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
66
67	pc->frame_start_found = 0;
68	pc->state64 = -1;
69	- dctx->interlaced = interlaced;
70	- dctx->cur_field = 0;
71	dctx->cur_byte = 0;
72	dctx->remaining = 0;
73	return remaining;
74	@@ -129,8 +119,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
75	}
76	pc->frame_start_found = pic_found;
77	pc->state64 = state;
78	- dctx->interlaced = interlaced;
79	- dctx->cur_field = cur_field;
80	return END_NOT_FOUND;
81	}
82

Lines 1-45 Link Here

(-)files/patch-CVE-2017-09608c (-45 lines)
1	From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Wed, 14 Jun 2017 16:58:20 +0200
4	Subject: [PATCH] avcodec/dnxhd_parser: Do not return invalid value from
5	dnxhd_find_frame_end() on error
6
7	Fixes: Null pointer dereference
8
9	Fixes: CVE-2017-9608
10	Found-by: Yihan Lian
11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
12	(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)
13	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14	---
15	libavcodec/dnxhd_parser.c \| 12 +++++++-----
16	1 file changed, 7 insertions(+), 5 deletions(-)
17
18	diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
19	index a1f632a620e..f1166be1007 100644
20	--- external/FFmpeg/libavcodec/dnxhd_parser.c
21	+++ external/FFmpeg/libavcodec/dnxhd_parser.c
22	@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
23	dctx->w = (state >> 32) & 0xFFFF;
24	} else if (dctx->cur_byte == 42) {
25	int cid = (state >> 32) & 0xFFFFFFFF;
26	+ int remaining;
27
28	if (cid <= 0)
29	continue;
30
31	- dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
32	- if (dctx->remaining <= 0) {
33	- dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
34	- if (dctx->remaining <= 0)
35	- return dctx->remaining;
36	+ remaining = avpriv_dnxhd_get_frame_size(cid);
37	+ if (remaining <= 0) {
38	+ remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
39	+ if (remaining <= 0)
40	+ continue;
41	}
42	+ dctx->remaining = remaining;
43	if (buf_size - i + 47 >= dctx->remaining) {
44	int remaining = dctx->remaining;
45

Lines 1-32 Link Here

(-)files/patch-CVE-2017-09991 (-32 lines)
1	From 85c8c0c826e78d159ea242ce64d7e8feeeeca741 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Sun, 7 May 2017 18:50:49 +0200
4	Subject: [PATCH] avcodec/xwddec: Check bpp more completely
5
6	Fixes out of array access
7	Fixes: 1399/clusterfuzz-testcase-minimized-4866094172995584
8
9	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 441026fcb13ac23aa10edc312bdacb6445a0ad06)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/xwddec.c \| 4 ++--
15	1 file changed, 2 insertions(+), 2 deletions(-)
16
17	diff --git libavcodec/xwddec.c libavcodec/xwddec.c
18	index 64cd8418a20..8b0845fc013 100644
19	--- external/FFmpeg/libavcodec/xwddec.c
20	+++ external/FFmpeg/libavcodec/xwddec.c
21	@@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext avctx, void data,
22	case XWD_GRAY_SCALE:
23	if (bpp != 1 && bpp != 8)
24	return AVERROR_INVALIDDATA;
25	- if (pixdepth == 1) {
26	+ if (bpp == 1 && pixdepth == 1) {
27	avctx->pix_fmt = AV_PIX_FMT_MONOWHITE;
28	- } else if (pixdepth == 8) {
29	+ } else if (bpp == 8 && pixdepth == 8) {
30	avctx->pix_fmt = AV_PIX_FMT_GRAY8;
31	}
32	break;

Lines 1-29 Link Here

(-)files/patch-CVE-2017-09992 (-29 lines)
1	From 536af4212100dee1577fe2d30814762c58038efc Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Fri, 5 May 2017 20:42:11 +0200
4	Subject: [PATCH] avcodec/dfa: Fix off by 1 error
5
6	Fixes out of array access
7	Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488
8
9	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit f52fbf4f3ed02a7d872d8a102006f29b4421f360)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/dfa.c \| 2 +-
15	1 file changed, 1 insertion(+), 1 deletion(-)
16
17	diff --git libavcodec/dfa.c libavcodec/dfa.c
18	index f45d019a792..5ddb647c4cb 100644
19	--- external/FFmpeg/libavcodec/dfa.c
20	+++ external/FFmpeg/libavcodec/dfa.c
21	@@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext gb, uint8_t frame, int width, int height
22	return AVERROR_INVALIDDATA;
23	frame += v;
24	} else {
25	- if (frame_end - frame < width + 3)
26	+ if (frame_end - frame < width + 4)
27	return AVERROR_INVALIDDATA;
28	frame[0] = frame[1] =
29	frame[width] = frame[width + 1] = bytestream2_get_byte(gb);

Lines 1-91 Link Here

(-)files/patch-CVE-2017-09993a (-91 lines)
1	From 25dac3128b605f2867e3e0f0288b896f84d3a033 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Sat, 3 Jun 2017 21:20:04 +0200
4	Subject: [PATCH] avformat/hls: Check local file extensions
5
6	This reduces the attack surface of local file-system
7	information leaking.
8
9	It prevents the existing exploit leading to an information leak. As
10	well as similar hypothetical attacks.
11
12	Leaks of information from files and symlinks ending in common multimedia extensions
13	are still possible. But files with sensitive information like private keys and passwords
14	generally do not use common multimedia filename extensions.
15	It does not stop leaks via remote addresses in the LAN.
16
17	The existing exploit depends on a specific decoder as well.
18	It does appear though that the exploit should be possible with any decoder.
19	The problem is that as long as sensitive information gets into the decoder,
20	the output of the decoder becomes sensitive as well.
21	The only obvious solution is to prevent access to sensitive information. Or to
22	disable hls or possibly some of its feature. More complex solutions like
23	checking the path to limit access to only subdirectories of the hls path may
24	work as an alternative. But such solutions are fragile and tricky to implement
25	portably and would not stop every possible attack nor would they work with all
26	valid hls files.
27
28	Developers have expressed their dislike / objected to disabling hls by default as well
29	as disabling hls with local files. There also where objections against restricting
30	remote url file extensions. This here is a less robust but also lower
31	inconvenience solution.
32	It can be applied stand alone or together with other solutions.
33	limiting the check to local files was suggested by nevcairiel
34
35	This recommits the security fix without the author name joke which was
36	originally requested by Nicolas.
37
38	Found-by: Emil Lerner and Pavel Cheremushkin
39	Reported-by: Thierry Foucu <tfoucu@google.com>
40
41	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
42	(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
43	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
44	---
45	libavformat/hls.c \| 18 +++++++++++++++++-
46	1 file changed, 17 insertions(+), 1 deletion(-)
47
48	diff --git libavformat/hls.c libavformat/hls.c
49	index 2bf86fadc64..ffefd284f86 100644
50	--- external/FFmpeg/libavformat/hls.c
51	+++ external/FFmpeg/libavformat/hls.c
52	@@ -204,6 +204,7 @@ typedef struct HLSContext {
53	char *http_proxy; ///< holds the address of the HTTP proxy server
54	AVDictionary *avio_opts;
55	int strict_std_compliance;
56	+ char *allowed_extensions;
57	} HLSContext;
58
59	static int read_chomp_line(AVIOContext s, char buf, int maxlen)
60	@@ -618,8 +619,19 @@ static int open_url(AVFormatContext s, AVIOContext pb, const char url,
61	return AVERROR_INVALIDDATA;
62
63	// only http(s) & file are allowed
64	- if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))
65	+ if (av_strstart(proto_name, "file", NULL)) {
66	+ if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) {
67	+ av_log(s, AV_LOG_ERROR,
68	+ "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n"
69	+ "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n",
70	+ url);
71	+ return AVERROR_INVALIDDATA;
72	+ }
73	+ } else if (av_strstart(proto_name, "http", NULL)) {
74	+ ;
75	+ } else
76	return AVERROR_INVALIDDATA;
77	+
78	if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
79	;
80	else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
81	@@ -2127,6 +2139,10 @@ static int hls_probe(AVProbeData *p)
82	static const AVOption hls_options[] = {
83	{"live_start_index", "segment index to start live streams at (negative values are from the end)",
84	OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS},
85	+ {"allowed_extensions", "List of file extensions that hls is allowed to access",
86	+ OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
87	+ {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
88	+ INT_MIN, INT_MAX, FLAGS},
89	{NULL}
90	};
91

Lines 1-31 Link Here

(-)files/patch-CVE-2017-09993b (-31 lines)
1	From 5415c88e370692a3cf10b998ab230b4a02fc237f Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Tue, 30 May 2017 21:29:20 +0200
4	Subject: [PATCH] avformat/avidec: Limit formats in gab2 to srt and ass/ssa
5
6	This prevents part of one exploit leading to an information leak
7
8	Found-by: Emil Lerner and Pavel Cheremushkin
9	Reported-by: Thierry Foucu <tfoucu@google.com>
10
11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
12	(cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb)
13	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14	---
15	libavformat/avidec.c \| 3 +++
16	1 file changed, 3 insertions(+)
17
18	diff --git libavformat/avidec.c libavformat/avidec.c
19	index ebd14abb12c..9afac825d43 100644
20	--- external/FFmpeg/libavformat/avidec.c
21	+++ external/FFmpeg/libavformat/avidec.c
22	@@ -1098,6 +1098,9 @@ static int read_gab2_sub(AVFormatContext s, AVStream st, AVPacket *pkt)
23	if (!sub_demuxer)
24	goto error;
25
26	+ if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass"))
27	+ goto error;
28	+
29	if (!(ast->sub_ctx = avformat_alloc_context()))
30	goto error;
31

Lines 1-47 Link Here

(-)files/patch-CVE-2017-09994 (-47 lines)
1	From 869e8b1d0f549e926ecb246f916c9066f881db4a Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Wed, 10 May 2017 18:37:49 +0200
4	Subject: [PATCH] avcodec/webp: Always set pix_fmt
5
6	Fixes: out of array access
7	Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632
8	Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760
9
10	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
11	Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	(cherry picked from commit 6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef)
14	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
15	---
16	libavcodec/vp8.c \| 2 ++
17	libavcodec/webp.c \| 3 +--
18	2 files changed, 3 insertions(+), 2 deletions(-)
19
20	diff --git libavcodec/vp8.c libavcodec/vp8.c
21	index 068223920e4..63e78492848 100644
22	--- external/FFmpeg/libavcodec/vp8.c
23	+++ external/FFmpeg/libavcodec/vp8.c
24	@@ -2548,6 +2548,8 @@ int vp78_decode_frame(AVCodecContext avctx, void data, int *got_frame,
25	enum AVDiscard skip_thresh;
26	VP8Frame av_uninit(curframe), prev_frame;
27
28	+ av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P \|\| avctx->pix_fmt == AV_PIX_FMT_YUV420P);
29	+
30	if (is_vp7)
31	ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size);
32	else
33	diff --git libavcodec/webp.c libavcodec/webp.c
34	index 7d23cc74356..b2ae5bcbba9 100644
35	--- external/FFmpeg/libavcodec/webp.c
36	+++ external/FFmpeg/libavcodec/webp.c
37	@@ -1327,9 +1327,8 @@ static int vp8_lossy_decode_frame(AVCodecContext avctx, AVFrame p,
38	if (!s->initialized) {
39	ff_vp8_decode_init(avctx);
40	s->initialized = 1;
41	- if (s->has_alpha)
42	- avctx->pix_fmt = AV_PIX_FMT_YUVA420P;
43	}
44	+ avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
45	s->lossless = 0;
46
47	if (data_size > INT_MAX) {

Lines 1-29 Link Here

(-)files/patch-CVE-2017-09996a (-29 lines)
1	From 7a69c1b2abfa96f0578cbd3ff82126b883ba6ef0 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Sat, 6 May 2017 22:24:52 +0200
4	Subject: [PATCH] avcodec/cdxl: Check format parameter
5
6	Fixes out of array access
7	Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400
8
9	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/cdxl.c \| 2 +-
15	1 file changed, 1 insertion(+), 1 deletion(-)
16
17	diff --git libavcodec/cdxl.c libavcodec/cdxl.c
18	index 7a9b41943d8..5c0ecb279c7 100644
19	--- external/FFmpeg/libavcodec/cdxl.c
20	+++ external/FFmpeg/libavcodec/cdxl.c
21	@@ -277,7 +277,7 @@ static int cdxl_decode_frame(AVCodecContext avctx, void data,
22	c->padded_bits = aligned_width - c->avctx->width;
23	if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8)
24	return AVERROR_INVALIDDATA;
25	- if (!encoding && c->palette_size && c->bpp <= 8) {
26	+ if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
27	avctx->pix_fmt = AV_PIX_FMT_PAL8;
28	} else if (encoding == 1 && (c->bpp == 6 \|\| c->bpp == 8)) {
29	if (c->palette_size != (1 << (c->bpp - 1)))

Lines 1-29 Link Here

(-)files/patch-CVE-2017-09996b (-29 lines)
1	From 7f3a671ece8fd711e2ebc71a4e08cda591d810a8 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Mon, 8 May 2017 11:46:03 +0200
4	Subject: [PATCH] avcodec/cdxl: Check format for BGR24
5
6	Fixes: out of array access
7	Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000
8
9	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/cdxl.c \| 2 +-
15	1 file changed, 1 insertion(+), 1 deletion(-)
16
17	diff --git libavcodec/cdxl.c libavcodec/cdxl.c
18	index 5c0ecb279c7..78f5d50102f 100644
19	--- external/FFmpeg/libavcodec/cdxl.c
20	+++ external/FFmpeg/libavcodec/cdxl.c
21	@@ -279,7 +279,7 @@ static int cdxl_decode_frame(AVCodecContext avctx, void data,
22	return AVERROR_INVALIDDATA;
23	if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
24	avctx->pix_fmt = AV_PIX_FMT_PAL8;
25	- } else if (encoding == 1 && (c->bpp == 6 \|\| c->bpp == 8)) {
26	+ } else if (encoding == 1 && (c->bpp == 6 \|\| c->bpp == 8) && c->format != CHUNKY) {
27	if (c->palette_size != (1 << (c->bpp - 1)))
28	return AVERROR_INVALIDDATA;
29	avctx->pix_fmt = AV_PIX_FMT_BGR24;

Lines 1-49 Link Here

(-)files/patch-CVE-2017-11399 (-49 lines)
1	From 5bb861d45b86803ec39295cfc04889d2a7138361 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Sun, 16 Jul 2017 14:57:20 +0200
4	Subject: [PATCH] avcodec/apedec: Fix integer overflow
5
6	Fixes: out of array access
7	Fixes: PoC.ape and others
8
9	Found-by: Bingchang, Liu@VARAS of IIE
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/apedec.c \| 8 +++++---
15	1 file changed, 5 insertions(+), 3 deletions(-)
16
17	diff --git libavcodec/apedec.c libavcodec/apedec.c
18	index b99598b4ee7..072e3b42cff 100644
19	--- external/FFmpeg/libavcodec/apedec.c
20	+++ external/FFmpeg/libavcodec/apedec.c
21	@@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext avctx, void data,
22	int32_t *sample24;
23	int i, ch, ret;
24	int blockstodecode;
25	+ uint64_t decoded_buffer_size;
26
27	/* this should never be negative, but bad things will happen if it is, so
28	check it just to make sure. */
29	@@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext avctx, void data,
30	skip_bits_long(&s->gb, offset);
31	}
32
33	- if (!nblocks \|\| nblocks > INT_MAX) {
34	+ if (!nblocks \|\| nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
35	av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
36	nblocks);
37	return AVERROR_INVALIDDATA;
38	@@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext avctx, void data,
39	blockstodecode = s->samples;
40
41	/* reallocate decoded sample buffer if needed */
42	- av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
43	- 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
44	+ decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
45	+ av_assert0(decoded_buffer_size <= INT_MAX);
46	+ av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
47	if (!s->decoded_buffer)
48	return AVERROR(ENOMEM);
49	memset(s->decoded_buffer, 0, s->decoded_size);

Lines 1-119 Link Here

(-)files/patch-CVE-2017-11665a (-119 lines)
1	From f2a6f41dd7b962e0dd24fe695b002532a42e2230 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Fri, 28 Jul 2017 13:41:59 +0200
4	Subject: [PATCH] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
5
6	Fixes: out of array accesses
7	Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV
8
9	Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavformat/rtmppkt.c \| 68 ++++++++++++++++++++++++++++++++++++---------------
15	1 file changed, 48 insertions(+), 20 deletions(-)
16
17	diff --git libavformat/rtmppkt.c libavformat/rtmppkt.c
18	index cde0da78ce1..2ea88d09c57 100644
19	--- external/FFmpeg/libavformat/rtmppkt.c
20	+++ external/FFmpeg/libavformat/rtmppkt.c
21	@@ -433,50 +433,78 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt)
22	pkt->size = 0;
23	}
24
25	-int ff_amf_tag_size(const uint8_t data, const uint8_t data_end)
26	+static int amf_tag_skip(GetByteContext *gb)
27	{
28	- const uint8_t *base = data;
29	AMFDataType type;
30	unsigned nb = -1;
31	int parse_key = 1;
32
33	- if (data >= data_end)
34	+ if (bytestream2_get_bytes_left(gb) < 1)
35	return -1;
36	- switch ((type = *data++)) {
37	- case AMF_DATA_TYPE_NUMBER: return 9;
38	- case AMF_DATA_TYPE_BOOL: return 2;
39	- case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data);
40	- case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data);
41	- case AMF_DATA_TYPE_NULL: return 1;
42	- case AMF_DATA_TYPE_DATE: return 11;
43	+
44	+ type = bytestream2_get_byte(gb);
45	+ switch (type) {
46	+ case AMF_DATA_TYPE_NUMBER:
47	+ bytestream2_get_be64(gb);
48	+ return 0;
49	+ case AMF_DATA_TYPE_BOOL:
50	+ bytestream2_get_byte(gb);
51	+ return 0;
52	+ case AMF_DATA_TYPE_STRING:
53	+ bytestream2_skip(gb, bytestream2_get_be16(gb));
54	+ return 0;
55	+ case AMF_DATA_TYPE_LONG_STRING:
56	+ bytestream2_skip(gb, bytestream2_get_be32(gb));
57	+ return 0;
58	+ case AMF_DATA_TYPE_NULL:
59	+ return 0;
60	+ case AMF_DATA_TYPE_DATE:
61	+ bytestream2_skip(gb, 10);
62	+ return 0;
63	case AMF_DATA_TYPE_ARRAY:
64	parse_key = 0;
65	case AMF_DATA_TYPE_MIXEDARRAY:
66	- nb = bytestream_get_be32(&data);
67	+ nb = bytestream2_get_be32(gb);
68	case AMF_DATA_TYPE_OBJECT:
69	while (nb-- > 0 \|\| type != AMF_DATA_TYPE_ARRAY) {
70	int t;
71	if (parse_key) {
72	- int size = bytestream_get_be16(&data);
73	+ int size = bytestream2_get_be16(gb);
74	if (!size) {
75	- data++;
76	+ bytestream2_get_byte(gb);
77	break;
78	}
79	- if (size < 0 \|\| size >= data_end - data)
80	+ if (size < 0 \|\| size >= bytestream2_get_bytes_left(gb))
81	return -1;
82	- data += size;
83	+ bytestream2_skip(gb, size);
84	}
85	- t = ff_amf_tag_size(data, data_end);
86	- if (t < 0 \|\| t >= data_end - data)
87	+ t = amf_tag_skip(gb);
88	+ if (t < 0 \|\| bytestream2_get_bytes_left(gb) <= 0)
89	return -1;
90	- data += t;
91	}
92	- return data - base;
93	- case AMF_DATA_TYPE_OBJECT_END: return 1;
94	+ return 0;
95	+ case AMF_DATA_TYPE_OBJECT_END: return 0;
96	default: return -1;
97	}
98	}
99
100	+int ff_amf_tag_size(const uint8_t data, const uint8_t data_end)
101	+{
102	+ GetByteContext gb;
103	+ int ret;
104	+
105	+ if (data >= data_end)
106	+ return -1;
107	+
108	+ bytestream2_init(&gb, data, data_end - data);
109	+
110	+ ret = amf_tag_skip(&gb);
111	+ if (ret < 0 \|\| bytestream2_get_bytes_left(&gb) <= 0)
112	+ return -1;
113	+ av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data);
114	+ return bytestream2_tell(&gb);
115	+}
116	+
117	int ff_amf_get_field_value(const uint8_t data, const uint8_t data_end,
118	const uint8_t name, uint8_t dst, int dst_size)
119	{

Lines 1-111 Link Here

(-)files/patch-CVE-2017-11665b (-111 lines)
1	From b375cc8bb74a33a7b38175023ee337b1c378281f Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Fri, 28 Jul 2017 14:37:26 +0200
4	Subject: [PATCH] avformat/rtmppkt: Convert ff_amf_get_field_value() to
5	bytestream2
6
7	Fixes: out of array accesses
8
9	Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavformat/rtmppkt.c \| 57 +++++++++++++++++++++++++++++++++------------------
15	1 file changed, 37 insertions(+), 20 deletions(-)
16
17	diff --git libavformat/rtmppkt.c libavformat/rtmppkt.c
18	index 2ea88d09c57..ca7838868e0 100644
19	--- external/FFmpeg/libavformat/rtmppkt.c
20	+++ external/FFmpeg/libavformat/rtmppkt.c
21	@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t data, const uint8_t data_end)
22	return bytestream2_tell(&gb);
23	}
24
25	-int ff_amf_get_field_value(const uint8_t data, const uint8_t data_end,
26	+static int amf_get_field_value2(GetByteContext *gb,
27	const uint8_t name, uint8_t dst, int dst_size)
28	{
29	int namelen = strlen(name);
30	int len;
31
32	- while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) {
33	- len = ff_amf_tag_size(data, data_end);
34	- if (len < 0)
35	- len = data_end - data;
36	- data += len;
37	+ while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) {
38	+ int ret = amf_tag_skip(gb);
39	+ if (ret < 0)
40	+ return -1;
41	}
42	- if (data_end - data < 3)
43	+ if (bytestream2_get_bytes_left(gb) < 3)
44	return -1;
45	- data++;
46	+ bytestream2_get_byte(gb);
47	+
48	for (;;) {
49	- int size = bytestream_get_be16(&data);
50	+ int size = bytestream2_get_be16(gb);
51	if (!size)
52	break;
53	- if (size < 0 \|\| size >= data_end - data)
54	+ if (size < 0 \|\| size >= bytestream2_get_bytes_left(gb))
55	return -1;
56	- data += size;
57	- if (size == namelen && !memcmp(data-size, name, namelen)) {
58	- switch (*data++) {
59	+ bytestream2_skip(gb, size);
60	+ if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) {
61	+ switch (bytestream2_get_byte(gb)) {
62	case AMF_DATA_TYPE_NUMBER:
63	- snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data)));
64	+ snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb)));
65	break;
66	case AMF_DATA_TYPE_BOOL:
67	- snprintf(dst, dst_size, "%s", *data ? "true" : "false");
68	+ snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false");
69	break;
70	case AMF_DATA_TYPE_STRING:
71	- len = bytestream_get_be16(&data);
72	- av_strlcpy(dst, data, FFMIN(len+1, dst_size));
73	+ len = bytestream2_get_be16(gb);
74	+ if (dst_size < 1)
75	+ return -1;
76	+ if (dst_size < len + 1)
77	+ len = dst_size - 1;
78	+ bytestream2_get_buffer(gb, dst, len);
79	+ dst[len] = 0;
80	break;
81	default:
82	return -1;
83	}
84	return 0;
85	}
86	- len = ff_amf_tag_size(data, data_end);
87	- if (len < 0 \|\| len >= data_end - data)
88	+ len = amf_tag_skip(gb);
89	+ if (len < 0 \|\| bytestream2_get_bytes_left(gb) <= 0)
90	return -1;
91	- data += len;
92	}
93	return -1;
94	}
95
96	+int ff_amf_get_field_value(const uint8_t data, const uint8_t data_end,
97	+ const uint8_t name, uint8_t dst, int dst_size)
98	+{
99	+ GetByteContext gb;
100	+
101	+ if (data >= data_end)
102	+ return -1;
103	+
104	+ bytestream2_init(&gb, data, data_end - data);
105	+
106	+ return amf_get_field_value2(&gb, name, dst, dst_size);
107	+}
108	+
109	static const char* rtmp_packet_type(int type)
110	{
111	switch (type) {

Lines 1-41 Link Here

(-)files/patch-CVE-2017-11719 (-41 lines)
1	From 6a10b962e3053b9fc851fcce23a60ac653abdc8c Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Wed, 26 Jul 2017 03:26:59 +0200
4	Subject: [PATCH] avcodec/dnxhddec: Move mb height check out of non hr branch
5
6	Fixes: out of array access
7	Fixes: poc.dnxhd
8
9	Found-by: Bingchang, Liu@VARAS of IIE
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavcodec/dnxhddec.c \| 8 ++++++--
15	1 file changed, 6 insertions(+), 2 deletions(-)
16
17	diff --git libavcodec/dnxhddec.c libavcodec/dnxhddec.c
18	index 4d1b006bb50..66a0de2e627 100644
19	--- external/FFmpeg/libavcodec/dnxhddec.c
20	+++ external/FFmpeg/libavcodec/dnxhddec.c
21	@@ -294,14 +294,18 @@ static int dnxhd_decode_header(DNXHDContext ctx, AVFrame frame,
22	if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) {
23	ctx->data_offset = 0x170 + (ctx->mb_height << 2);
24	} else {
25	- if (ctx->mb_height > 68 \|\|
26	- (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
27	+ if (ctx->mb_height > 68) {
28	av_log(ctx->avctx, AV_LOG_ERROR,
29	"mb height too big: %d\n", ctx->mb_height);
30	return AVERROR_INVALIDDATA;
31	}
32	ctx->data_offset = 0x280;
33	}
34	+ if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
35	+ av_log(ctx->avctx, AV_LOG_ERROR,
36	+ "mb height too big: %d\n", ctx->mb_height);
37	+ return AVERROR_INVALIDDATA;
38	+ }
39
40	if (buf_size < ctx->data_offset) {
41	av_log(ctx->avctx, AV_LOG_ERROR,

Lines 1-33 Link Here

(-)files/patch-CVE-2017-14054 (-33 lines)
1	From 2bbef8ee271240ce4509b23fd33e35076715a39f Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3	=?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4	Date: Fri, 25 Aug 2017 01:15:28 +0200
5	Subject: [PATCH] avformat/rmdec: Fix DoS due to lack of eof check
6
7	Fixes: loop.ivr
8
9	Found-by: Xiaohei and Wangchu from Alibaba Security Team
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavformat/rmdec.c \| 5 ++++-
15	1 file changed, 4 insertions(+), 1 deletion(-)
16
17	diff --git libavformat/rmdec.c libavformat/rmdec.c
18	index 4d565291af2..7656812eb16 100644
19	--- external/FFmpeg/libavformat/rmdec.c
20	+++ external/FFmpeg/libavformat/rmdec.c
21	@@ -1238,8 +1238,11 @@ static int ivr_read_header(AVFormatContext *s)
22	av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
23	} else if (type == 4) {
24	av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
25	- for (j = 0; j < len; j++)
26	+ for (j = 0; j < len; j++) {
27	+ if (avio_feof(pb))
28	+ return AVERROR_INVALIDDATA;
29	av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
30	+ }
31	av_log(s, AV_LOG_DEBUG, "'\n");
32	} else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
33	nb_streams = value = avio_rb32(pb);

Lines 1-28 Link Here

(-)files/patch-CVE-2017-14055 (-28 lines)
1	From d4fc6b211f19365fbae4b4388ec396b293fda249 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Fri, 25 Aug 2017 01:15:30 +0200
4	Subject: [PATCH] avformat/mvdec: Fix DoS due to lack of eof check
5
6	Fixes: loop.mv
7
8	Found-by: Xiaohei and Wangchu from Alibaba Security Team
9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10	(cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e)
11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
12	---
13	libavformat/mvdec.c \| 2 ++
14	1 file changed, 2 insertions(+)
15
16	diff --git libavformat/mvdec.c libavformat/mvdec.c
17	index 80ef4b1569a..e9e9fab5036 100644
18	--- external/FFmpeg/libavformat/mvdec.c
19	+++ external/FFmpeg/libavformat/mvdec.c
20	@@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx)
21	uint32_t pos = avio_rb32(pb);
22	uint32_t asize = avio_rb32(pb);
23	uint32_t vsize = avio_rb32(pb);
24	+ if (avio_feof(pb))
25	+ return AVERROR_INVALIDDATA;
26	avio_skip(pb, 8);
27	av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
28	av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);

Lines 1-45 Link Here

(-)files/patch-CVE-2017-14056 (-45 lines)
1	From 5bc9f70441d7e7067cba9188898c9252c72bab35 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3	=?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4	Date: Fri, 25 Aug 2017 01:15:29 +0200
5	Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check
6
7	Fixes: loop.rl2
8
9	Found-by: Xiaohei and Wangchu from Alibaba Security Team
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavformat/rl2.c \| 15 ++++++++++++---
15	1 file changed, 12 insertions(+), 3 deletions(-)
16
17	diff --git libavformat/rl2.c libavformat/rl2.c
18	index 0bec8f1d9ab..eb1682dfcb7 100644
19	--- external/FFmpeg/libavformat/rl2.c
20	+++ external/FFmpeg/libavformat/rl2.c
21	@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
22	}
23
24	/** read offset and size tables */
25	- for(i=0; i < frame_count;i++)
26	+ for(i=0; i < frame_count;i++) {
27	+ if (avio_feof(pb))
28	+ return AVERROR_INVALIDDATA;
29	chunk_size[i] = avio_rl32(pb);
30	- for(i=0; i < frame_count;i++)
31	+ }
32	+ for(i=0; i < frame_count;i++) {
33	+ if (avio_feof(pb))
34	+ return AVERROR_INVALIDDATA;
35	chunk_offset[i] = avio_rl32(pb);
36	- for(i=0; i < frame_count;i++)
37	+ }
38	+ for(i=0; i < frame_count;i++) {
39	+ if (avio_feof(pb))
40	+ return AVERROR_INVALIDDATA;
41	audio_size[i] = avio_rl32(pb) & 0xFFFF;
42	+ }
43
44	/** build the sample index */
45	for(i=0;i<frame_count;i++){

Lines 1-38 Link Here

(-)files/patch-CVE-2017-14057 (-38 lines)
1	From f94517934bf0ff2510f472fa2bc4cd362951109c Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3	=?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4	Date: Fri, 25 Aug 2017 12:37:25 +0200
5	Subject: [PATCH] avformat/asfdec: Fix DoS due to lack of eof check
6
7	Fixes: loop.asf
8
9	Found-by: Xiaohei and Wangchu from Alibaba Security Team
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavformat/asfdec_f.c \| 6 ++++--
15	1 file changed, 4 insertions(+), 2 deletions(-)
16
17	diff --git libavformat/asfdec_f.c libavformat/asfdec_f.c
18	index b973eff96e4..2cacafe50d5 100644
19	--- external/FFmpeg/libavformat/asfdec_f.c
20	+++ external/FFmpeg/libavformat/asfdec_f.c
21	@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
22	count = avio_rl32(pb); // markers count
23	avio_rl16(pb); // reserved 2 bytes
24	name_len = avio_rl16(pb); // name length
25	- for (i = 0; i < name_len; i++)
26	- avio_r8(pb); // skip the name
27	+ avio_skip(pb, name_len);
28
29	for (i = 0; i < count; i++) {
30	int64_t pres_time;
31	int name_len;
32
33	+ if (avio_feof(pb))
34	+ return AVERROR_INVALIDDATA;
35	+
36	avio_rl64(pb); // offset, 8 bytes
37	pres_time = avio_rl64(pb); // presentation time
38	pres_time -= asf->hdr.preroll * 10000;

Lines 1-88 Link Here

(-)files/patch-CVE-2017-14058 (-88 lines)
1	From 2920c7cec0b1958b59e5e7990078bea4428f6912 Mon Sep 17 00:00:00 2001
2	From: Michael Niedermayer <michael@niedermayer.cc>
3	Date: Sat, 26 Aug 2017 01:26:58 +0200
4	Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop
5
6	Fixes: loop.m3u
7
8	The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
9
10	Found-by: Xiaohei and Wangchu from Alibaba Security Team
11
12	Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
13	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14	(cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a)
15	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
16	---
17	doc/demuxers.texi \| 18 ++++++++++++++++++
18	libavformat/hls.c \| 7 +++++++
19	2 files changed, 25 insertions(+)
20
21	diff --git doc/demuxers.texi doc/demuxers.texi
22	index 2934a1cf7f4..d56ad1622a8 100644
23	--- external/FFmpeg/doc/demuxers.texi
24	+++ external/FFmpeg/doc/demuxers.texi
25	@@ -293,6 +293,24 @@ used to end the output video at the length of the shortest input file,
26	which in this case is @file{input.mp4} as the GIF in this example loops
27	infinitely.
28
29	+@section hls
30	+
31	+HLS demuxer
32	+
33	+It accepts the following options:
34	+
35	+@table @option
36	+@item live_start_index
37	+segment index to start live streams at (negative values are from the end).
38	+
39	+@item allowed_extensions
40	+',' separated list of file extensions that hls is allowed to access.
41	+
42	+@item max_reload
43	+Maximum number of times a insufficient list is attempted to be reloaded.
44	+Default value is 1000.
45	+@end table
46	+
47	@section image2
48
49	Image file demuxer.
50	diff --git libavformat/hls.c libavformat/hls.c
51	index ffefd284f86..87948726da6 100644
52	--- external/FFmpeg/libavformat/hls.c
53	+++ external/FFmpeg/libavformat/hls.c
54	@@ -205,6 +205,7 @@ typedef struct HLSContext {
55	AVDictionary *avio_opts;
56	int strict_std_compliance;
57	char *allowed_extensions;
58	+ int max_reload;
59	} HLSContext;
60
61	static int read_chomp_line(AVIOContext s, char buf, int maxlen)
62	@@ -1255,6 +1256,7 @@ static int read_data(void opaque, uint8_t buf, int buf_size)
63	HLSContext *c = v->parent->priv_data;
64	int ret, i;
65	int just_opened = 0;
66	+ int reload_count = 0;
67
68	restart:
69	if (!v->needed)
70	@@ -1286,6 +1288,9 @@ static int read_data(void opaque, uint8_t buf, int buf_size)
71	reload_interval = default_reload_interval(v);
72
73	reload:
74	+ reload_count++;
75	+ if (reload_count > c->max_reload)
76	+ return AVERROR_EOF;
77	if (!v->finished &&
78	av_gettime_relative() - v->last_load_time >= reload_interval) {
79	if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
80	@@ -2143,6 +2148,8 @@ static const AVOption hls_options[] = {
81	OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
82	{.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
83	INT_MIN, INT_MAX, FLAGS},
84	+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
85	+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
86	{NULL}
87	};
88

Lines 1-34 Link Here

(-)files/patch-CVE-2017-14059 (-34 lines)
1	From 98e177c7288574b336d80618f4ec5d1f94243070 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3	=?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4	Date: Fri, 25 Aug 2017 01:15:27 +0200
5	Subject: [PATCH] avformat/cinedec: Fix DoS due to lack of eof check
6
7	Fixes: loop.cine
8
9	Found-by: Xiaohei and Wangchu from Alibaba Security Team
10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11	(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6)
12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13	---
14	libavformat/cinedec.c \| 6 +++++-
15	1 file changed, 5 insertions(+), 1 deletion(-)
16
17	diff --git libavformat/cinedec.c libavformat/cinedec.c
18	index 32cccf566b4..c615d4fc497 100644
19	--- external/FFmpeg/libavformat/cinedec.c
20	+++ external/FFmpeg/libavformat/cinedec.c
21	@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
22
23	/* parse image offsets */
24	avio_seek(pb, offImageOffsets, SEEK_SET);
25	- for (i = 0; i < st->duration; i++)
26	+ for (i = 0; i < st->duration; i++) {
27	+ if (avio_feof(pb))
28	+ return AVERROR_INVALIDDATA;
29	+
30	av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
31	+ }
32
33	return 0;
34	}

Lines 1-33 Link Here

(-)files/patch-CVE-2017-14169 (-33 lines)
1	From 816f7337bf3ed3e08afdc28278668d8eb81910cb Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
3	<tony.sh@alibaba-inc.com>
4	Date: Tue, 29 Aug 2017 23:59:21 +0200
5	Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	Fixes: 20170829B.mxf
11
12	Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
13	Found-by: Xiaohei and Wangchu from Alibaba Security Team
14	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
15	(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
16	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
17	---
18	libavformat/mxfdec.c \| 2 +-
19	1 file changed, 1 insertion(+), 1 deletion(-)
20
21	diff --git libavformat/mxfdec.c libavformat/mxfdec.c
22	index e2e34b246f7..0e9153847e8 100644
23	--- external/FFmpeg/libavformat/mxfdec.c
24	+++ external/FFmpeg/libavformat/mxfdec.c
25	@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void arg, AVIOContext pb, int tag, int size, U
26	avpriv_request_sample(pb, "Primer pack item length %d", item_len);
27	return AVERROR_PATCHWELCOME;
28	}
29	- if (item_num > 65536) {
30	+ if (item_num > 65536 \|\| item_num < 0) {
31	av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
32	return AVERROR_INVALIDDATA;
33	}

Lines 1-43 Link Here

(-)files/patch-CVE-2017-14170 (-43 lines)
1	From 9cbac3602610afa0867b03bc1475c5c13441d096 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
3	<tony.sh@alibaba-inc.com>
4	Date: Tue, 29 Aug 2017 23:59:21 +0200
5	Subject: [PATCH] avformat/mxfdec: Fix DoS issues in
6	mxf_read_index_entry_array()
7	MIME-Version: 1.0
8	Content-Type: text/plain; charset=UTF-8
9	Content-Transfer-Encoding: 8bit
10
11	Fixes: 20170829A.mxf
12
13	Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
14	Found-by: Xiaohei and Wangchu from Alibaba Security Team
15	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
16	(cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2)
17	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18	---
19	libavformat/mxfdec.c \| 4 ++++
20	1 file changed, 4 insertions(+)
21
22	diff --git libavformat/mxfdec.c libavformat/mxfdec.c
23	index 2ad0c288f89..e2e34b246f7 100644
24	--- external/FFmpeg/libavformat/mxfdec.c
25	+++ external/FFmpeg/libavformat/mxfdec.c
26	@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext pb, MXFIndexTableSegment seg
27	segment->nb_index_entries = avio_rb32(pb);
28
29	length = avio_rb32(pb);
30	+ if(segment->nb_index_entries && length < 11)
31	+ return AVERROR_INVALIDDATA;
32
33	if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) \|\|
34	!(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) \|\|
35	@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext pb, MXFIndexTableSegment seg
36	}
37
38	for (i = 0; i < segment->nb_index_entries; i++) {
39	+ if(avio_feof(pb))
40	+ return AVERROR_INVALIDDATA;
41	segment->temporal_offset_entries[i] = avio_r8(pb);
42	avio_r8(pb); /* KeyFrameOffset */
43	segment->flag_entries[i] = avio_r8(pb);

Lines 1-38 Link Here

(-)files/patch-CVE-2017-14171 (-38 lines)
1	From a051de092e9c709b69d24d94b66a382909be67d5 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
3	<tony.sh@alibaba-inc.com>
4	Date: Tue, 29 Aug 2017 23:59:21 +0200
5	Subject: [PATCH] avformat/nsvdec: Fix DoS due to lack of eof check in
6	nsvs_file_offset loop.
7	MIME-Version: 1.0
8	Content-Type: text/plain; charset=UTF-8
9	Content-Transfer-Encoding: 8bit
10
11	Fixes: 20170829.nsv
12
13	Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
14	Found-by: Xiaohei and Wangchu from Alibaba Security Team
15	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
16	(cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7)
17	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18	---
19	libavformat/nsvdec.c \| 5 ++++-
20	1 file changed, 4 insertions(+), 1 deletion(-)
21
22	diff --git libavformat/nsvdec.c libavformat/nsvdec.c
23	index 507fb396a51..16d2fa59e21 100644
24	--- external/FFmpeg/libavformat/nsvdec.c
25	+++ external/FFmpeg/libavformat/nsvdec.c
26	@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
27	if (!nsv->nsvs_file_offset)
28	return AVERROR(ENOMEM);
29
30	- for(i=0;i<table_entries_used;i++)
31	+ for(i=0;i<table_entries_used;i++) {
32	+ if (avio_feof(pb))
33	+ return AVERROR_INVALIDDATA;
34	nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
35	+ }
36
37	if(table_entries > table_entries_used &&
38	avio_rl32(pb) == MKTAG('T','O','C','2')) {