[vlc-commits] [Git][videolan/vlc][master] 87 commits: wav: fix use of uninitialised value
Thomas Guillem (@tguillem)
gitlab at videolan.org
Thu Sep 11 10:50:53 UTC 2025
Thomas Guillem pushed to branch master at VideoLAN / VLC
Commits:
8b27e086 by Thomas Guillem at 2025-09-11T11:10:12+02:00
wav: fix use of uninitialised value
This could lead to the wav probing to succeed without a valid fmt.
Fixes #28772
- - - - -
55437874 by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: define REC_SIZE
- - - - -
f6ab69f0 by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: define CHUNK_HEADER_SIZE
- - - - -
366b97f2 by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: check i_num_recs
- - - - -
75ad6494 by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: handle possible errors from analyse_chunk
- - - - -
ba8b600e by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: check buffer size
Prevent potential out of bound reads at the end of input.
- - - - -
679b3d65 by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: prevent out of bound read
- - - - -
e64a3232 by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: remove xmalloc usage in get_chunk_header()
- - - - -
2389778b by Thomas Guillem at 2025-09-11T11:10:12+02:00
demux: ty: check l_rec_size
Prevent the sum of all l_rec_size from going past the CHUNK.
Fixes #28771
- - - - -
1dbbd8dc by Steve Lhomme at 2025-09-11T11:10:12+02:00
spudec: don't generate a region for 0 width/height
Fixes #28983
- - - - -
589c6e29 by François Cartegnie at 2025-09-11T11:10:12+02:00
Revert "demux: mp4: remove useless code"
This reverts commit 159ec27200716058093aad9fa350475eee5f0cd8.
refs #28967
- - - - -
67c04ea8 by Thomas Guillem at 2025-09-11T11:10:12+02:00
wav: don't parse fmt chunk again
Fixes a heap-buffer-overflow when using the cbSize from a previous chunk
to copy extradata.
Fixes #28969
- - - - -
d36c362c by Thomas Guillem at 2025-09-11T11:10:12+02:00
wav: reset sys if ChunkParseFmt() fails
Fix using a mix of previous values and new values.
Fixes #28979
- - - - -
69ae77ef by Steve Lhomme at 2025-09-11T11:10:12+02:00
substx3g: only replace \r on existing characters in the string
psz_subtitle is null terminated and doesn't always have the
same size as i_psz_bytelength.
Fixes #28965
- - - - -
9927d828 by Steve Lhomme at 2025-09-11T11:10:12+02:00
svcdsub: avoid writing past the line pitch
Since we add +1 to i_count, we must remove it from the max value.
Fixes #28961
- - - - -
5cc334f5 by Thomas Guillem at 2025-09-11T11:10:12+02:00
dts: check rate and frame_length
Fixes #28977
- - - - -
9a70a576 by François Cartegnie at 2025-09-11T11:10:12+02:00
demux: libmp4: check iloc extents count
- - - - -
c4c6bb70 by François Cartegnie at 2025-09-11T11:10:12+02:00
demux: libmp4: fix div by zero
also fixes a possible case for full container extent
refs #28973
- - - - -
c4d4aff5 by François Cartegnie at 2025-09-11T11:10:12+02:00
demux: libmp4: add missing allocation check
- - - - -
97876d8a by Tristan Matthews at 2025-09-11T11:10:12+02:00
demux: mkv: check earlier that current segment is valid
Fixes #29017
- - - - -
689514f3 by Steve Lhomme at 2025-09-11T11:10:12+02:00
substext: return NULL when the subpicture could not be allocated
Since 2184adb9c00ba7e38be2522163d0e423d518c07c
and e2090faf2e2af9ff5fdd71328e06bf1337de77e6.
We should not be using the empty subpic.
Fixes #28989
- - - - -
49d588e8 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: avi: avoid rescaling with 0 rate
The result would end up being 0 anyway, but since 8c59fc7af4ad5c52168cb12b8bd296c4494df345
the newscale is also used for divisions.
Fixes #28974
- - - - -
4ba3eebf by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: avi: fix AVI_StreamBytesSet() being called with potential negative value
- - - - -
efc8b5b5 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: avi: fix AVI_StreamChunkSet() being called with potential negative/large value
- - - - -
90bf7ca8 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: avi: fix potential negative chunk position usage
If we let AVI_PTSToChunk() report errors with negative values, a positive
i_dpts may result in a negative i_chunks_count.
We don't need to check i_dpts is positive anymore.
- - - - -
f7b49683 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: avi: return -1 for errors in AVI_PTSToChunk()/AVI_PTSToByte()
All callsites are checked.
demuxctx.i_toread is already assuming -1 is some sort of error.
- - - - -
2b2052b9 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: wav: reject ADPCM with negative number of samples
Fixes #28978
- - - - -
b6afa950 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: wav: reject IMA with negative number of samples
- - - - -
7af99bff by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: wav: ensure i_frame_samples is always positive
- - - - -
efcf19d4 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: wav: simplify unnecessary negative checks
And simplify associated logs.
- - - - -
62592fc8 by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: exit reduce loop when no reduction happens
The assert was there to ensure we don't loop indefinitely on a reduction
that does not happen.
We can check directly if it happened or not.
Fixes #28981
- - - - -
15faee4c by Thomas Guillem at 2025-09-11T11:10:12+02:00
mjpeg: fetch separator length once
- - - - -
4bb71a0a by Thomas Guillem at 2025-09-11T11:10:12+02:00
mjpeg: fix heap-buffer-overflow
Fixes #29009
- - - - -
1cacde61 by Steve Lhomme at 2025-09-11T11:10:12+02:00
subsvtt: fix issues when ruby base/rt strings are NULL
Fixes #28986
Co-authored-by: Thomas Guillem <thomas at gllm.fr>
- - - - -
2ee59cc4 by François Cartegnie at 2025-09-11T11:10:12+02:00
demux: avi: ensure max_streams limits
refs #28975
- - - - -
b1d0fdda by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: libasf: error on too large preroll
If the uint64_t is too big, the conversion to vlc_tick_t will be bogus,
depending on the value of CLOCK_FREQ.
We can't use such a huge preroll.
Fixes #29005
- - - - -
3ca27925 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: libavi: avoid potential unsigned shift issue
biClrUsed is a uint32_t.
Fixes #29007
- - - - -
943d4df4 by François Cartegnie at 2025-09-11T11:10:12+02:00
codec: webvtt: fix potential null deref
refs #28987
- - - - -
a297bc1a by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: parse timestamps as signed values
sscanf("-1:00:27.500", "%u:%2u:%2u.%3u") returns a large value for the negative value.
This happens on Windows and in Linux too [^1].
The returned timestamp is negative (matching what the text says).
That bogus timestamp is then discarded as invalid.
Fixes #28994
[^1]: https://godbolt.org/z/YWEYzPeGq
- - - - -
00617861 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: webvtt: avoid cast removing const
- - - - -
ff8daa0d by Steve Lhomme at 2025-09-11T11:10:12+02:00
spudec: don't read/write past the RLE pixeldata
Fixes #28960
No error is generated, we just store valid data.
If we end up reading too much we will not issue a region for the subpicture.
- - - - -
04c216e7 by François Cartegnie at 2025-09-11T11:10:12+02:00
aout_ChannelReorder: always use limited range for reorder
aout_CheckChannelReorder <= aout_ChannelReorder
refs #28968
- - - - -
0efd39aa by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: mp4: accumulate all trun for a given track
Before, the previous array was leaking and we were writing too
far in the array.
Fixes #28959
- - - - -
dd7b3884 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: asf: fix uninitialized free on error
The goto may occur before the variables are initialized,
consecutive to 430792dc3f9f0e7bb526c38564f57e3b7fab4a0a.
Fixes #29058
- - - - -
77cd69d1 by François Cartegnie at 2025-09-11T11:10:12+02:00
packetizer: dts: fix dead loop
refs #29063
- - - - -
14447fec by François Cartegnie at 2025-09-11T11:10:12+02:00
codec: webvtt: fix potential NULL derefs
refs #28988
- - - - -
06cb3a37 by Thomas Guillem at 2025-09-11T11:10:12+02:00
webvtt: don't pass NULL to qsort
../../modules/demux/webvtt.c:323:5: runtime error: null pointer passed as argument 1, which is declared to never be null
- - - - -
a7b4cb1a by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux/mkv: avoid casting to KaxCluster if it's not the right type
Fixes #29042
- - - - -
6bfe54e4 by François Cartegnie at 2025-09-11T11:10:12+02:00
demux: ogg: fix potential double free
refs #29220
- - - - -
19cb9931 by François Cartegnie at 2025-09-11T11:10:12+02:00
codec: cc: don't assume input size is checked by caller
refs #29216
- - - - -
7933251e by François Cartegnie at 2025-09-11T11:10:12+02:00
packetizer: hevc: hvcc->annexb output prefix size is always 4
refs #29217
- - - - -
f5ffd3ad by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux/mkv: discard extra elements provided when reading a master element
If this happens that means we're leaking the upper element that was found.
It's not part of the data we want to read and went further than expected.
Fixes #29043
- - - - -
2fd5666a by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux/mkv: fix header leak on error
Fixes #29044
- - - - -
a977e717 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: mp4: read the sample description index as unsigned
Fixes #29008
- - - - -
e2e25782 by François Cartegnie at 2025-09-11T11:10:12+02:00
packetizer: h264: check chroma_idc value
- - - - -
9a451e0e by François Cartegnie at 2025-09-11T11:10:12+02:00
packetizer: hevc: check chroma_idc range
- - - - -
4b1df083 by François Cartegnie at 2025-09-11T11:10:12+02:00
packetizer: h26x: check chroma_idc range
refs #29054
- - - - -
8c2be59e by Tristan Matthews at 2025-09-11T11:10:12+02:00
packetizer: h264_nal: avoid integer overflow
The expected range should be between 0 and 12.
- - - - -
0961270d by Steve Lhomme at 2025-09-11T11:10:12+02:00
packetizer: dts: fix busy loop with empty returned blocks
Fixes #29046
- - - - -
ce916310 by Thomas Guillem at 2025-09-11T11:10:12+02:00
codec: webvtt: subsvtt: fix SEGV
node->psz_attrs can be NULL, cf. CreateDomNodes().
Fixes #29049
- - - - -
de1b1a58 by Steve Lhomme at 2025-09-11T11:10:12+02:00
asx: fix potential null dereference
Ref. #29114
- - - - -
4ec117d3 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: mp4: don't use the i_nztime if it's invalid
It may be invalid when set via FragGetDemuxTimeFromTracksTime().
Ref. #28997
- - - - -
64935e09 by Steve Lhomme at 2025-09-11T11:10:12+02:00
gme: handle es_out_Add() failure
Ref. #29114
- - - - -
14d545d0 by Steve Lhomme at 2025-09-11T11:10:12+02:00
packetizer: h264: check the default ref_idx values are valid
Reference values should only go up to 31:
> num_ref_idx_l0_default_active_minus1 specifies how
> num_ref_idx_l0_active_minus1 is inferred for P, SP, and B slices
> with num_ref_idx_active_override_flag equal to 0. The value of
> num_ref_idx_l0_default_active_minus1 shall be in the range of 0 to 31, inclusive.
> num_ref_idx_l1_default_active_minus1 specifies how num_ref_idx_l1_active_minus1
> is inferred for B slices with num_ref_idx_active_override_flag equal to 0.
> The value of num_ref_idx_l1_default_active_minus1 shall be in the range
> of 0 to 31, inclusive.
- - - - -
25fa3a2e by Steve Lhomme at 2025-09-11T11:10:12+02:00
packetizer: h264: use the default ref_idx if the read value is too big
Reference values should only go up to 31:
> num_ref_idx_l0_default_active_minus1 specifies how
> num_ref_idx_l0_active_minus1 is inferred for P, SP, and B slices
> with num_ref_idx_active_override_flag equal to 0. The value of
> num_ref_idx_l0_default_active_minus1 shall be in the range of 0 to 31, inclusive.
> num_ref_idx_l1_default_active_minus1 specifies how num_ref_idx_l1_active_minus1
> is inferred for B slices with num_ref_idx_active_override_flag equal to 0.
> The value of num_ref_idx_l1_default_active_minus1 shall be in the range
> of 0 to 31, inclusive.
This is for the default values but it also applies to the read slice values.
Fixes #29050
- - - - -
e7dad8fd by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: subtitle: sort items in demux master mode
We don't want the PCR to go back and forth.
Fixes #29051
- - - - -
03c0b985 by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: subtitle: return a vlc_tick_t from ParseRealTime
We should not mix VLC_EGENERIC and a vlc_tick_t return value.
We shift directly the value with VLC_TICK_0 when we have the value
as done in other parsers.
The invalid -1 value is used as in other parsers.
- - - - -
9b12e08e by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: subtitle: avoid using uninitialized variables in ParseRealTime
The value may have been set by previous calls but we should not use it.
- - - - -
31c4333f by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: subtitle: keep parsed fields private
And we don't need to initialize them.
- - - - -
f93014dd by Steve Lhomme at 2025-09-11T11:10:12+02:00
demux: subtitle: only parse end time if it's found
We should not parse uninitialized buffers.
- - - - -
4d44f2ee by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: limit the recursive calls to GetTimedTags/ConvertNodesToSegments()
With malicious files it's possible to overflow the stack.
50 levels of nested tags ought to be enough for anyone.
Fixes #28993.
- - - - -
87ed1149 by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: inline webvtt_region_ClearCues calls into webvtt_region_Delete()
- - - - -
c90f8abd by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: inline Delete calls in webvtt_domnode_ChainDelete()
So we can see the recursions.
- - - - -
d47a0b19 by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: always free the current node in webvtt_domnode_ChainDelete()
It doesn't matter which type it has.
- - - - -
150a7f56 by Steve Lhomme at 2025-09-11T11:10:12+02:00
codec: webvtt: split the code to actually Delete webvtt_dom_node_t data
So we don't use recursions. We only need an extra loop on the child elements
to delete. But it will not cause a recursion.
- - - - -
26b0e0a4 by Steve Lhomme at 2025-09-11T11:10:12+02:00
mms: clarify reading boundaries
We need to take into account how much buffer is available to write.
Given we were requesting at least half our (arbitrary) buffer size, we might as
well request to fill the whole available buffer.
This is equivalent to the previous code since i_tcp is always
> MMS_BUFFER_SIZE/2 - p_sys->i_buffer_tcp
And i_udp is always
> MMS_BUFFER_SIZE/2 - p_sys->i_buffer_udp
- - - - -
a3bbe271 by Steve Lhomme at 2025-09-11T11:10:12+02:00
mms: initialize the error states in mms_ParseCommand()
The pi_used may have been used uninitialized.
- - - - -
5c0d58dc by Steve Lhomme at 2025-09-11T11:10:12+02:00
mms: check errors before allocating the output buffer in mms_ParseCommand
And set the state when there's an error by default.
- - - - -
c2bb76f8 by Steve Lhomme at 2025-09-11T11:10:12+02:00
mms: only allocate the length we will use in mms_ParseCommand()
- - - - -
409eb482 by Thomas Guillem at 2025-09-11T11:10:12+02:00
codec: webvtt: fix SEGV
psz can be NULL, cf. CSSGrammar.y
Fixes #29047
- - - - -
99eb23e4 by Steve Lhomme at 2025-09-11T11:10:13+02:00
demux: mkv: check bogus block reading
We should not use the block data if it was not fully read.
- - - - -
62632549 by Steve Lhomme at 2025-09-11T11:10:13+02:00
spudec: don't read Nibble past our buffer
We read in the buffer with an offset of 4.
Fixes https://code.videolan.org/videolan/vlc/-/issues/29234
- - - - -
8bef1672 by Steve Lhomme at 2025-09-11T11:10:13+02:00
demux: subtitle: always end the filled buffer
strstr() expects a nul terminated string.
Fixes https://code.videolan.org/videolan/vlc/-/issues/29235
- - - - -
2db9afef by François Cartegnie at 2025-09-11T11:10:13+02:00
codec: webvtt: fix heap read overflow on empty string match
refs #29233
- - - - -
27c58103 by François Cartegnie at 2025-09-11T11:10:13+02:00
codec: webvtt: early exit on empty class
- - - - -
79f57bb8 by Steve Lhomme at 2025-09-11T11:10:13+02:00
demux: libmp4: avoid allowing an index bigger than the array contains
It should not happen in the for loop, but better safe than sorry.
- - - - -
9f451e67 by Steve Lhomme at 2025-09-11T11:10:13+02:00
demux: libmp4: keep stss sample numbers as they are in the file
Adapt the only place it's used in the code to account for the -1 difference.
Fixes #28982
- - - - -
30 changed files:
- modules/access/dcp/dcp.cpp
- modules/access/mms/mmstu.c
- modules/audio_output/waveout.c
- modules/codec/cc.h
- modules/codec/spudec/parse.c
- modules/codec/substext.h
- modules/codec/substx3g.c
- modules/codec/svcdsub.c
- modules/codec/webvtt/CSSGrammar.y
- modules/codec/webvtt/css_style.c
- modules/codec/webvtt/subsvtt.c
- modules/codec/webvtt/webvtt.c
- modules/demux/aiff.c
- modules/demux/asf/asf.c
- modules/demux/asf/libasf.c
- modules/demux/avi/avi.c
- modules/demux/avi/libavi.c
- modules/demux/avi/libavi.h
- modules/demux/gme.c
- modules/demux/mjpeg.c
- modules/demux/mkv/demux.cpp
- modules/demux/mkv/matroska_segment.cpp
- modules/demux/mkv/matroska_segment_seeker.cpp
- modules/demux/mkv/util.cpp
- modules/demux/mp4/essetup.c
- modules/demux/mp4/libmp4.c
- modules/demux/mp4/mp4.c
- modules/demux/mp4/mp4.h
- modules/demux/ogg.c
- modules/demux/playlist/asx.c
The diff was not included because it is too large.
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/4df9268a77f7a33a6ee6d5932629f8f238637f98...9f451e6797e373f0b8f56c1e6a9c83f54687d71e