https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/n3.4.7:/Changelog
version 3.4.7:
- avcodec/g729dec: require buf_size to be non 0
- avcodec/alac: Fix integer overflow in lpc_prediction() with sign
- avcodec/wmaprodec: Fix buflen computation in save_bits()
- avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv()
- avcodec/vmdaudio: Check chunk counts to avoid integer overflow
- avformat/mxfdec: Clear metadata_sets_count in mxf_read_close()
- avcodec/nuv: Use ff_set_dimensions()
- avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next
- avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel()
- avcodec/g729dec: Use 64bit and clip in scalar product
- avcodec/mxpegdec: Check for multiple SOF
- avcodec/nuv: Move comptype check up
- avcodec/wmavoice: Fix integer overflow in synth_frame()
- avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases
- avutil/lfg: Correct index increment type to avoid undefined behavior
- avcodec/cngdec: Remove AV_CODEC_CAP_DELAY
- avcodec/iff: Move index use after check in decodeplane8()
- avcodec/atrac3: Check for huge block aligns
- avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block()
- avcodec/wmadec: Require previous exponents for reuse
- avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling
- avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid
- avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter()
- avcodec/sonic: Fix integer overflow in predictor_calc_error()
- avformat/mp3dec: Check that the frame fits within the probe buffe
- lavc/tableprint_vlc: Remove avpriv_request_sample() from included files.
- avcodec/wmaprodec: get frame during frame decode
- avcodec/interplayacm: Fix overflow of last unused value
- avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI
- avcodec/cook: Move up and extend block_align check
- avcodec/twinvq: Check block_align
- avcodec/cook: Enlarge gain table
- avcodec/cook: Check samples_per_channel earlier
- avcodec/atrac3plus: Check split point in fill mode 3
- avcodec/wmavoice: Check sample_rate
- avcodec/xsubdec: fix overflow in alpha handling
- avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta()
- avcodec/apedec: Fix integer overflow in filter_3800()
- avutil/lfg: Document the AVLFG struct
- avcodec/ffv1dec: Use a different error message for the slice level CRC
- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
- avcodec/dstdec: Check that AC probabilities are within range
- avcodec/dstdec: Check read_table() for failure
- avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0
- avcodec/snowenc: Fix 2 undefined shifts
- avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags()
- avcodec/aacdec_template: Check samplerate
- avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block()
- avcodec/utils: Check block_align
- avcodec/wmalosslessdec: Fix some integer anomalies
- avcodec/adpcm: Fix invalid shifts in ADPCM DTK
- avcodec/apedec: Only clear the needed buffer space, instead of all
- avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads
- avcodec/g723_1dec: fix invalid shift with negative sid_gain
- avcodec/vp5: Check render_x/y
- avcodec/qdrw: Check input for header/skiped space before get_buffer()
- avcodec/ralf: Skip initializing unused filter variables
- avcodec/takdec: Fix overflow with large sample rates
- avcodec/alsdec: Check that input space for header exists in read_diff_float_data()
- avformat/pjsdec: Check duration for overflow
- avcodec/ptx: Check that the input contains at least one line
- avcodec/alac: Fix integer overflow in LPC
- avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame()
- avcodec/aliaspixdec: Check input size against minimal picture size
- avcodec/ffwavesynth: Fix integer overflows in pink noise addition
- avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv()
- avcodec/wmalosslessdec: Check block_align
- avcodec/g729postfilter: Fix left shift of negative value
- avcodec/binkaudio: Check sample rate
- avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS
- avcodec/g723_1dec: Fix overflow in shift
- avcodec/apedec: Fix integer overflow in predictor_update_3930()
- avcodec/g729postfilter: Fix undefined intermediate pointers
- avcodec/g729postfilter: Fix undefined shifts
- avcodec/lsp: Fix undefined shifts in lsp2poly()
- avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA
- avformat/shortendec: Check k in probe
- avfilter/vf_geq: Use av_clipd() instead of av_clipf()
- avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels
- avcodec/qdmc: Check input space in qdmc_get_vlc()
- avcodec/pcm: Check bits_per_coded_sample
- avcodec/exr: Allow duplicate use of channel indexes
- avcodec/fitsdec: Fail on 0 naxisn
- avcodec/ituh263dec: Check input for minimal frame size
- avcodec/truemotion1: Check that the input has enough space for a minimal index_stream
- avformat/mpsubdec: Clear queue on error
- avcodec/sunrast: Check that the input is large enough for the maximally compressed image
- avcodec/sunrast: Check for availability of maplength before allocating image
- avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize()
- avcodec/wmaprodec: Check if there is a stream
- avcodec/g2meet: Check for end of input in jpg_decode_block()
- avcodec/g2meet: Check if adjusted pixel was on the stack
- avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet
- avcodec/utils: Check sample_rate before opening the decoder
- avcodec/fitsdec: fix use of uninitialised values
- avcodec/motionpixels: Mark 2 functions as always_inline
- avcodec/ralf: Fix integer overflow in decode_channel()
- vcodec/vc1: compute rangex/y only for P/B frames
- avcodec/vc1_pred: Fix invalid shifts in scaleforopp()
- avcodec/vc1_block: Fix invalid shift with rangeredfrm
- avcodec/vc1: Check for excessive resolution
- avcodec/vc1: check REFDIST
- avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter()
- avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs()
- avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
- avcodec/atrac3: Check block_align
- avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop
- avcodec/fitsdec: Prevent division by 0 with huge data_max
- avcodec/dstdec: Fix integer overflow in samples_per_frame computation
- avcodec/g729_parser: Check block_size
- avcodec/utils: Optimize ff_color_frame() using memcpy()
- avcodec/aacdec: Check if we run out of input in read_stream_mux_config()
- avcodec/utils: Use av_memcpy_backptr() in ff_color_frame()
- avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL
- avcodec/alac: Fix invalid shifts in 20/24 bps
- avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction()
- avcodec/ffwavesynth: Fix integer overflow in timestamps
- avcodec/adpcm: Check number of channels for MTAF
- avcodec/sunrast: Fix indention
- avcodec/sunrast: Fix return type for "unsupported (compression) type"
- avformat/mov: Check for EOF in mov_read_meta()
- avcodec/hevcdec: Fix memleak of a53_caption
- avformat/cdxl: Fix integer overflow in intermediate
- avcodec/hevcdec: repeat character in skiped
- avcodec/gdv: Replace assert() checking bitstream by if()
- libavcodec/utils: Free threads on init failure
- avcodec/htmlsubtitles: Avoid locale dependant isdigit()
- avcodec/alsdec: Check k from being outside what our implementation can handle
- avcodec/takdec: Fix integer overflow in decorrelate()
- avcodec/aacps: Fix integer overflows in hybrid_synthesis()
- avcodec/vp56rac: delay signaling an error on truncated input
- avcodec/vp5/6/8: use vpX_rac_is_end()
- avcodec/vp56: Add vpX_rac_is_end() to check for the end of input
- avcodec/qdm2: Check frame size
- avcodec/vc1_pred: Fix refdist in scaleforopp()
- avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2
- avcodec/iff: Check for overlap in cmap_read_palette()
- avcodec/apedec: Fix 32bit int overflow in do_apply_filter()
- avcodec/ralf: fix undefined shift in extend_code()
- avcodec/ralf: fix undefined shift
- avcodec/bgmc: Check input space in ff_bgmc_decode_init()
- avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block()
- avcodec/vc1dec: Require res_sprite for wmv3images
- avcodec/vc1_block: Check for double escapes
- avcodec/vorbisdec: Check get_vlc2() failure
- avcodec/tta: Fix integer overflow in prediction
- avcodec/vb: Check input packet size to be large enough to contain flags
- avcodec/cavsdec: Limit the number of access units per packet to 2
- avcodec/alac: Check for bps of 0
- avcodec/alac: Fix multiple integer overflows in lpc_prediction()
- avcodec/rl2: set dimensions
- avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP
- avcodec/idcinvideo: Add 320x240 default maximum resolution
- avformat/realtextdec: free queue on error
- avcodec/alsdec: Fix integer overflow in decode_var_block_data()
- avcodec/alsdec: Limit maximum channels to 512
- avcodec/anm: Check input size for a frame with just a stop code
- avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer()
- avcodec/loco: Check left column value
- avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking
- avcodec/ffwavesynth: Fix integer overflow for some corner case values
- avcodec/indeo2: Check remaining input more often
- avcodec/diracdec: Check that slices are fewer than pixels
- avcodec/vp56: Consider the alpha start as end of the prior header
- avcodec/4xm: Check for end of input in decode_p_block()
- avcodec/hevcdec: Check delta_luma_weight_l0/1
- avcodec/hnm4video: Optimize postprocess_current_frame()
- avcodec/hevc_refs: Optimize 16bit generate_missing_ref()
- avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33
- avcodec/dds: Use ff_set_dimensions()
- avcodec/mpc8: Fix 32bit mask/enum
- avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data()
- avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks()
- avcodec/alsdec: fix mantisse shift
- avcodec/aacdec_template: fix integer overflow in imdct_and_windowing()
- libavcodec/iff: Use unsigned to avoid undefined behaviour
- avcodec/alsdec: Check for block_length <= 0 in read_var_block_data()
- avcodec/vqavideo: Set video size
- avcodec/sanm: Check extradata_size before allocations
- avcodec/mss1: check for overread and forward errors
- avcodec/dirac_parser: Fix overflow in dts
- avcodec/ralf: Fix undefined pointer in decode_channel()
- avcodec/ralf: Fix integer overflow in apply_lpc()
- avcodec/vorbisdec: Implement vr->classifications = 1
- avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide
- avformat/realtextdec: Check for duplicate extradata in realtext_read_header()
- avcodec/apedec: Fix 2 signed overflows
- avcodec/mss3: Check for the rac stream being invalid in rac_normalize()
- avcodec/vc1_block: Check get_vlc2() return before use
- avcodec/apedec: Do not partially clear data array
- avcodec/hnm4video: Forward errors of decode_interframe_v4()
- avcodec/vp3: Check that theora is theora
- avcodec/vc1_pred: Fix invalid shift in scaleforsame()
- avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc()
- avcodec/truemotion2: Fix several integer overflows in tm2_motion_block()
- avcodec/apedec: make left/right unsigned to avoid undefined behavior
- avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800()
- avformat/mpc: deallocate frames array on errors
- avcodec/eatqi: Check for minimum frame size
- avcodec/eatgv: Check remaining size after the keyframe header
- avcodec/assdec: undefined use of memcpy()
- avcodec/brenderpix: Check input size before allocating image
- lafv/wavdec: Fail bext parsing on incomplete reads
- avcodec/utils: fix leak of subtitle_header on error path
- avcodec/utils: Check close before calling it
- avcodec/vorbisdec: Check vlc for floor0 dec vector offset
- avcodec/vorbisdec: amplitude bits can be more than 25 bits
- avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in av_bits2sf_ieee754()
- avcodec/apedec: Fix various integer overflows
- avcodec/apedec: Fix multiple integer overflows in predictor_update_filter()
- avcodec/alsdec: fix undefined shift in multiply()
- avcodec/alsdec: Fix 2 integer overflows
- avcodec/flicvideo: Make line_packets int
- avcodec/dvbsubdec: Use ff_set_dimensions()
- avcodec/ffwavesynth: Check if there is enough extradata before allocation
- avcodec/ffwavesynth: More correct cast in wavesynth_seek()
- avcodec/ffwavesynth: Check sample rate before use
- avcodec/dnxhd_parser: Fix parser when input does not have nicely sized packets
- avcodec/dnxhd_parser: remove unneeded code
- avformat/utils: Check rfps_duration_sum for overflow
- avcodec/h264_refs: Also check reference in ff_h264_build_ref_list()
- avcodec/parser: Check next index validity in ff_combine_frame()
- avcodec/ivi: Ask for samples with odd tiles
- avformat/xmv: Make bitrate 64bit
- avcodec/pngdec: Check that previous_picture has same w/h/format
- avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation)
- avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame()
- avcodec/utils, avcodec_open2: close codec on failure
- avcodec/golomb: Correct the doxy about get_ue_golomb() and errors
- avformat/utils: Check timebase before use in estimate_timings()
- avcodec/hq_hqa: Use ff_set_dimensions()
- avcodec/rv10: Fix integer overflow in aspect ratio compare
- avcodec/4xm: Fix signed integer overflows in idct()
- avcodec/qdm2: Check checksum_size for 0
- avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop
- avcodec/qdm2: Do not read out of array in fix_coding_method_array()
- avcodec/svq3: Use ff_set_dimension()
- avcodec/iff: Check ham vs bpp
- avcodec/ffwavesynth: use uint32_t to compute difference, it is enough
- avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case
- avcodec/ffwavesynth: Fix backward lcg_seek()
- avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP()
- avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff()
- avcodec/alac: Check lpc_quant
- avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP
- avcodec/alsdec: Fix integer overflow with buffer number
- avcodec/alsdec: Fixes signed integer overflow in LSB addition
- avcodec/alsdec: Check opt_order / sb_length in ra_block handling
- avcodec/alsdec: Fix integer overflow with shifting samples
- avcodec/alsdec: Fix undefined behavior in decode_rice()
- avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT()
- avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight
- avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns
- avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check
- avformat/aviobuf: Delay buffer downsizing until asserts are met
- avcodec/fitsdec: Check data_min/max
- avcodec/m101: Fix off be 2 error
- avcodec/qdm2: Move fft_order check up
- avcodec/libvorbisdec: Check extradata size
- avformat/vqf: Check header_size
- avcodec/utils: Check bits_per_coded_sample
- avcodec/videodsp_template: Fix overflow of addition
- avcodec/alsdec: Fix invalid shift in multiply()
- avcodec/ffwavesynth: Check ts_end - ts_start for overflow
- avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c
- avcodec/tta: Fix undefined shift
- avcodec/qdmc: Fix integer overflows in PRNG
- avcodec/bintext: Check font height
- avcodec/binkdsp: Fix integer overflows in idct
- avcodec/motionpixels: Check for vlc error in mp_get_vlc()
- avcodec/loco: Limit lossy parameter so it is sane and does not overflow
- avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed
- avcodec/xpmdec: Do not use context dimensions as temporary variables
- avcodec/fitsdec: Fix division by 0 in size check
- avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c()
- avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block()
- avcodec/iff: finetune the palette size check in the mask case
- avcodec/iff: Fix mask_buf / mask_palbuf leak
- avformat/icodec: Free ico->images on error paths
- avformat/wsddec: Fix undefined shift
- avcodec/fmvc: Check if header fields are available before allocating the image
- avcodec/bink: Reorder operations in init to avoid memleak on error
- avformat/wtvdec: Avoid (32bit signed) sectors
- avcodec/bitstream: Check for more conflicting codes in build_table()
- avcodec/bitstream: Check for integer code truncation in build_table()
- avformat/sbgdec: Fixes integer overflow in str_to_time() with hours
- avformat/vpk: Check offset for validity
- avformat/vpk: Fix integer overflow in samples_per_block computation
- avcodec/mjpegdec: Check for non ls PAL8
- avcodec/interplayvideo: check decoding_map_size with video_data_size
- avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle
- avcodec/mss4: Check input size against skip bits
- avcodec/diracdec: Fix integer overflow in global_mv()
- avcodec/vmnc: Check available space against chunks before reget_buffer()
- avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure)
- avcodec/aacdec_fixed: Handle more extreem cases in noise_scale()
- avcodec/aacdec_template: Merge 3 #ifs related to noise handling
- avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify
- avformat/mp3enc: Avoid SEEK_END as it is unsupported
- avcodec/truemotion2: Fix several integer overflows in tm2_update_block()
- avformat/webm_chunk: Specify expected argument length of get_chunk_filename()
- avformat/webm_chunk: Check header filename length
- avcodec/cpia: Check input size also against linesizes and EOL
- swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes
- libswcale: Fix possible string overflow in test.
- avcodec/hq_hqa: Check available space before reading slice offsets
- lavf/webm_chunk: Respect buffer size
- avcodec/fits: Check bitpix
- avcodec/jvdec: Use ff_get_buffer() when the content is not reused
- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block()
- avcodec/jpeg2000: Check stepsize before using it
- avcodec/aacdec_fixed: Fix undefined shift in noise_scale()
- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp()
- avformat/mov: Skip stsd adjustment without chunks
- avformat/aadec: Check for scanf() failure
- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside
- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform()
- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation
- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks()
- avcodec/rscc: Check that the to be uncompressed input is large enough
- avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it
- lavf/rawenc: Only accept the appropriate stream type for raw muxers.
- avcodec/h263dec: fix hwaccel decoding
- avutil/mem: Fix invalid use of av_alloc_size
- avformat/aacdec: resync to the next adts frame on invalid data instead of aborting
- avformat/aacdec: factorize the adts frame resync code
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/