platform/upstream/libav.git
10 years ago configure: Update freetype check to follow upstream
Luca Barbato [Sat, 21 Dec 2013 16:59:59 +0000 (17:59 +0100)]
configure: Update freetype check to follow upstream

The freetype tutorial suggests using #include FT_FREETYPE_H.

Bug-Id: 616
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba)

Conflicts:
configure

10 years ago drawtext: Drop pointless header
Luca Barbato [Sun, 5 Jan 2014 11:30:45 +0000 (12:30 +0100)]
drawtext: Drop pointless header

It should be forward compatible with newer freetype.

(cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
10 years ago configure: Support preprocessor macros as header names
Diego Biurrun [Mon, 23 Dec 2013 00:03:48 +0000 (01:03 +0100)]
configure: Support preprocessor macros as header names

New versions of FreeType have moved the location of their API
header(s) and hide the location behind a macro.

Since the location changes between versions and no other way
to know the location exists, this workaround becomes necessary.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
configure

10 years ago arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6
Janne Grunau [Sat, 8 Mar 2014 10:52:14 +0000 (11:52 +0100)]
arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6

The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.

10 years ago arm: hpeldsp: prevent overreads in armv6 asm
Janne Grunau [Wed, 5 Mar 2014 11:44:57 +0000 (12:44 +0100)]
arm: hpeldsp: prevent overreads in armv6 asm

Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>

Bug-Id: 646
CC: libav-stable@libav.org
10 years ago lagarith: reallocate rgb_planes when needed
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
lagarith: reallocate rgb_planes when needed

Fixes invalid writes on pixel format changes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)
(cherry picked from commit bd57e783437f990c3ac4747eeebe20332e103980)

10 years ago lagarith: avoid infinite loop in lag_rac_refill()
Anton Khirnov [Thu, 14 Feb 2013 07:47:17 +0000 (08:47 +0100)]
lagarith: avoid infinite loop in lag_rac_refill()

range == 0 happens with corrupted files

CC:libav-stable@libav.org
(cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8bce2c60b8ebc31899d576dde3bbe6205faae97d)

10 years ago lagarith: pad RGB buffer by 1 byte.
Ronald S. Bultje [Fri, 3 Aug 2012 03:46:09 +0000 (20:46 -0700)]
lagarith: pad RGB buffer by 1 byte.

For left HFYU prediction, we predict from the buffer buf+1 using 8- or
16-byte reads. This means that aligning the buffer by 16 bytes is in
itself not sufficient, because if the width itself is 16- or 8-byte
aligned, the buffer will not be padded, and thus a read of size 16 at
buf+1 will overflow boundaries at the right edge. Padding the buffer by
1 byte is sufficient to not overflow its boundaries.

Fixes bug 342.

(cherry picked from commit 98d0d19208959766a58f13dd6a678d1f765a26ac)

10 years ago truemotion1: check the header size
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
truemotion1: check the header size

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)
(cherry picked from commit 76b40a9bf93e387d98aa7dc02ec7a8d13f51722f)

10 years ago shorten: pad the internal bitstream buffer
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
shorten: pad the internal bitstream buffer

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)
(cherry picked from commit 5881ec0ea58a95403bd375b63f22d49905cdd8e5)

10 years ago samplefmt: avoid integer overflow in av_samples_get_buffer_size()
Justin Ruggles [Thu, 30 Jan 2014 19:08:38 +0000 (14:08 -0500)]
samplefmt: avoid integer overflow in av_samples_get_buffer_size()

CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)
(cherry picked from commit e9b3abd49890e958c745ea46a9f4f91b6b4baa58)

Conflicts:
libavutil/samplefmt.c

10 years ago h264: Fix a typo from the previous commit
Luca Barbato [Sat, 22 Feb 2014 10:19:03 +0000 (11:19 +0100)]
h264: Fix a typo from the previous commit

f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +

CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
(cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab)

10 years ago h264: Lower bound check for slice offsets
Vittorio Giovara [Thu, 20 Feb 2014 01:38:32 +0000 (02:38 +0100)]
h264: Lower bound check for slice offsets

And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)

Conflicts:
libavcodec/h264.c

(cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c)

Conflicts:
libavcodec/h264.c

10 years ago rpza: limit the number of blocks to the total remaining blocks in the frame
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
rpza: limit the number of blocks to the total remaining blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
10 years ago Prepare for 0.8.11 Release
Reinhard Tartler [Fri, 7 Feb 2014 04:26:33 +0000 (23:26 -0500)]
Prepare for 0.8.11 Release

10 years ago lavf: make av_probe_input_buffer more robust
Anton Khirnov [Mon, 13 Jan 2014 12:47:07 +0000 (13:47 +0100)]
lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago Updated Changelog for 0.8.10 v0.8.10
Reinhard Tartler [Sun, 2 Feb 2014 17:54:52 +0000 (12:54 -0500)]
Updated Changelog for 0.8.10

10 years ago oggparseogm: check timing variables
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
oggparseogm: check timing variables

Fixes a potential divide by zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bf7c240a50f8ed99a42e08bb7a8a70262cce34ad)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago mathematics: remove asserts from av_rescale_rnd()
Anton Khirnov [Thu, 12 Dec 2013 06:34:13 +0000 (07:34 +0100)]
mathematics: remove asserts from av_rescale_rnd()

It is a public function, it must not assert on its parameters.

(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 03bfd8419fbaf9c72b293457437bd508dea64736)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago vc1: Always reset numref when parsing a new frame header.
Michael Niedermayer [Sun, 19 Jan 2014 15:28:25 +0000 (15:28 +0000)]
vc1: Always reset numref when parsing a new frame header.

Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.

CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago h264: reset num_reorder_frames if it is invalid
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset num_reorder_frames if it is invalid

An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c

(cherry picked from commit 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago h264: check that an IDR NAL only contains I slices
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that an IDR NAL only contains I slices

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62ed6da016b789eee00e0fff517df4a254e12e5d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264.c

10 years ago mov: Free an earlier allocated array if allocating a new one
Martin Storsjö [Mon, 13 Jan 2014 12:46:07 +0000 (14:46 +0200)]
mov: Free an earlier allocated array if allocating a new one

It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago segafilm: fix leaks if reading the header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
segafilm: fix leaks if reading the header fails

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728782c0d30433efa11f1238a16aed994e9b563)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/segafilm.c

10 years ago h264_cavlc: check the size of the intra PCM data.
Anton Khirnov [Fri, 15 Nov 2013 08:42:26 +0000 (09:42 +0100)]
h264_cavlc: check the size of the intra PCM data.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit b5275ca1a805436ca12540c34dd5ed1671877434)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago cavs: Check for negative cbp
Luca Barbato [Sun, 13 Oct 2013 01:30:06 +0000 (03:30 +0200)]
cavs: Check for negative cbp

Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c85e5f13f6ac9c4c90125e7671d89009e57f9df9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/cavsdec.c

10 years ago avi: DV in AVI must be considered single stream
Luca Barbato [Tue, 6 Aug 2013 01:38:12 +0000 (03:38 +0200)]
avi: DV in AVI must be considered single stream

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3485a07977f17b8d4709fb327be4fc29031032b7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago avutil: use align == 0 for default alignment in audio sample buffer functions
Justin Ruggles [Wed, 28 Mar 2012 01:31:14 +0000 (21:31 -0400)]
avutil: use align == 0 for default alignment in audio sample buffer functions

Fixes: http://pad.lv/1264886, http://pad.lv/1241439
(cherry picked from commit 0109a09dc3850eb5dbff84a7bb50eb252a5a8f22)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavutil/avutil.h

10 years ago flashsv: Check diff_start diff_height values
Michael Niedermayer [Tue, 20 Aug 2013 21:18:48 +0000 (23:18 +0200)]
flashsv: Check diff_start diff_height values

Fix out of array accesses.

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Addresses: CVE-2013-7015
(cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 10d48fe6d3963842319b1d8d738a318020836e72)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago dsputil/pngdsp: fix signed/unsigned type in end comparison
Michael Niedermayer [Fri, 30 Aug 2013 21:14:32 +0000 (23:14 +0200)]
dsputil/pngdsp: fix signed/unsigned type in end comparison

Fixes out of array accesses and integer overflows.

(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Addresses: CVE-2013-7010, CVE-2013-7014

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/pngdsp.c

10 years ago vqavideo: check chunk sizes before reading chunks
Michael Niedermayer [Fri, 25 Jan 2013 05:11:59 +0000 (06:11 +0100)]
vqavideo: check chunk sizes before reading chunks

Fixes out of array writes

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)

CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a)

Addresses: CVE-2013-0865

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ab434bf0d051008a329d49d0256faa5d64e2bf4d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago avi: directly resync on DV in AVI read failure
Luca Barbato [Tue, 6 Aug 2013 01:52:48 +0000 (03:52 +0200)]
avi: directly resync on DV in AVI read failure

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Addresses CVE-2013-0856
(cherry picked from commit 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
10 years ago get_bits: change the failure condition in init_get_bits
Luca Barbato [Sun, 20 Jan 2013 04:10:32 +0000 (05:10 +0100)]
get_bits: change the failure condition in init_get_bits

Too much code relies on having init_get_bits fed with a valid
buffer and set its dimension to 0.

Check for NULL buffer instead.

(cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
11 years ago twinvq: Cope with gcc-4.8.2 miscompilation
Luca Barbato [Tue, 7 Jan 2014 13:21:53 +0000 (14:21 +0100)]
twinvq: Cope with gcc-4.8.2 miscompilation

Apparently gcc-4.8.2 miscompiles enums resulting in a lucky fpe soon
after it.

Passing the enum value as integer makes the ftype == FT_PPC condition
evaluate correctly.

11 years ago Changelog for 0.8.10
Sean McGovern [Wed, 6 Nov 2013 00:15:47 +0000 (19:15 -0500)]
Changelog for 0.8.10

11 years ago pthread: Avoid spurious wakeups
Ben Jackson [Fri, 18 Oct 2013 14:28:50 +0000 (15:28 +0100)]
pthread: Avoid spurious wakeups

pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup).

The FF_THREAD_SLICE thread mechanism could spontaneously execute
jobs or allow the caller of avctx->execute to return before all
jobs were complete.

Test both cases to ensure the wakeup is real.

Signed-off-by: Ben Jackson <ben@ben.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 311583e7798237be5cc531d672a9e37f8c729d83)

11 years ago pthread: Fix deadlock during thread initialization
Derek Buitenhuis [Thu, 10 Oct 2013 15:05:40 +0000 (11:05 -0400)]
pthread: Fix deadlock during thread initialization

Sometimes, if pthread_create() failed, then pthread_cond_wait() could
accidentally be called in the worker threads after the uninit function
had already called pthread_cond_broadcast(), leading to a deadlock.

Don't call pthread_cond_wait() if c->done is set.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 1a5a6ac01b0ad2cf3d2128372ea41f3c1cfc2d3f)

11 years ago mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
Martin Storsjö [Tue, 24 Sep 2013 09:02:39 +0000 (12:02 +0300)]
mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0

This fixes breakage in a few fate tests on certain setups
(that for some reason didn't break on OS X) after the previous
commit (8812a8057). Currently, some video streams are initialized
in ff_MPV_common_init with width/height set at 0 and only changed
to a proper video size with ff_MPV_common_frame_size_change later.

The breakage was diagnosed by Anton Khirnov.

Signed-off-by: Martin Storsjö <martin@martin.st>
11 years ago vc1dec: Don't decode slices when the latest slice header failed to decode
Michael Niedermayer [Tue, 19 Feb 2013 20:40:09 +0000 (21:40 +0100)]
vc1dec: Don't decode slices when the latest slice header failed to decode

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavcodec/vc1dec.c

11 years ago vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
Martin Storsjö [Fri, 20 Sep 2013 08:32:25 +0000 (11:32 +0300)]
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/vc1dec.c
(cherry picked from commit 494f2d4f9e834db1eaf1a7d0160d497f9802013d)

11 years ago r3d: Add more input value validation
Martin Storsjö [Thu, 19 Sep 2013 14:02:36 +0000 (17:02 +0300)]
r3d: Add more input value validation

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavformat/r3d.c

11 years ago fraps: Make the input buffer size checks more strict
Martin Storsjö [Thu, 19 Sep 2013 13:29:23 +0000 (16:29 +0300)]
fraps: Make the input buffer size checks more strict

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavcodec/fraps.c

11 years ago svq3: Avoid a division by zero
Martin Storsjö [Thu, 19 Sep 2013 12:58:59 +0000 (15:58 +0300)]
svq3: Avoid a division by zero

If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)

11 years ago rmdec: Validate the fps value
Martin Storsjö [Mon, 16 Sep 2013 17:58:38 +0000 (20:58 +0300)]
rmdec: Validate the fps value

Abort if it is invalid if strict error checking has been requested.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/rmdec.c

11 years ago twinvqdec: Check the ibps parameter separately
Martin Storsjö [Tue, 17 Sep 2013 16:33:48 +0000 (19:33 +0300)]
twinvqdec: Check the ibps parameter separately

This is required, since invalid parameters actually could
pass the switch check below.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)
(cherry picked from commit 9b9aee27f4e43b4a6b0884f8a6f49eb0289d7c09)

11 years ago asfdec: Check the return value of asf_read_stream_properties
Martin Storsjö [Sat, 28 Sep 2013 20:32:57 +0000 (23:32 +0300)]
asfdec: Check the return value of asf_read_stream_properties

This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d)

11 years ago mxfdec: set audio timebase to 1/samplerate
Anton Khirnov [Sat, 28 Sep 2013 14:56:54 +0000 (16:56 +0200)]
mxfdec: set audio timebase to 1/samplerate

Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron <matthieu.bouron@gmail.com>

Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
CC: libav-stable@libav.org
(cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
11 years ago pcx: Check the packet size before assuming it fits a palette
Martin Storsjö [Sun, 29 Sep 2013 10:02:27 +0000 (13:02 +0300)]
pcx: Check the packet size before assuming it fits a palette

This fixes reads out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/pcx.c
(cherry picked from commit 7e350b7ddd19af856b55634233d609e29baab646)

11 years ago rpza: Fix a buffer size check
Martin Storsjö [Sat, 28 Sep 2013 22:24:20 +0000 (01:24 +0300)]
rpza: Fix a buffer size check

We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f06e39fe6b272a11782c023c31eec43bfce3138d)

11 years ago xxan: Disallow odd width
Martin Storsjö [Sat, 28 Sep 2013 22:04:05 +0000 (01:04 +0300)]
xxan: Disallow odd width

Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
11 years ago xan: Only read within the data that actually was initialized
Martin Storsjö [Sat, 28 Sep 2013 21:59:50 +0000 (00:59 +0300)]
xan: Only read within the data that actually was initialized

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 09ace619d6ccb2c0a45b5fdead29f926409fa129)

11 years ago xan: Use bytestream2 to limit reading to within the buffer
Martin Storsjö [Sat, 28 Sep 2013 21:53:58 +0000 (00:53 +0300)]
xan: Use bytestream2 to limit reading to within the buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 145de32896b37a508f11bcf11dfcc94487301716)

11 years ago pcx: Consume the whole packet if giving up due to missing palette
Martin Storsjö [Sat, 28 Sep 2013 21:38:50 +0000 (00:38 +0300)]
pcx: Consume the whole packet if giving up due to missing palette

Previously, we returned 0, meaning successful decoding but 0
bytes consumed, leading to an infinite loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9fb0de86b49e9fb0709a8ad1e1875e35da841887)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 812955a12b190012c134be33a93f27308953eb2f)

11 years ago pngdec: Stop trying to decode once inflate returns Z_STREAM_END
Martin Storsjö [Sat, 28 Sep 2013 21:12:04 +0000 (00:12 +0300)]
pngdec: Stop trying to decode once inflate returns Z_STREAM_END

If the input buffer contains more data after the deflate stream,
the loop was previously left running infinitely, with inflate returning
Z_STREAM_END.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a81cad8f86d1feb7e4bfae29e43f3e994935a5c7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a63e83cd4b43c3dcef38f7fefe41c002a263af0f)

11 years ago mov: Make sure the read sample count is nonnegative
Martin Storsjö [Sat, 28 Sep 2013 20:57:36 +0000 (23:57 +0300)]
mov: Make sure the read sample count is nonnegative

This avoids setting a negative number of frames, ending up with a
negative average frame rate.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c231987662194d009dd91bfc57c678e0e70ca161)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit c10f3fed259c23e6887f68cdf3e7d4ae87026f65)

11 years ago bfi: Add some very basic sanity checks for input packet sizes
Martin Storsjö [Sat, 28 Sep 2013 20:46:04 +0000 (23:46 +0300)]
bfi: Add some very basic sanity checks for input packet sizes

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 640a2427aafa774b83316b7a8c5c2bdc28bfd269)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 10f384e4f5d0ee692cacaf90d629d8bc2178b092)

11 years ago bfi: Avoid divisions by zero
Martin Storsjö [Sat, 28 Sep 2013 20:42:40 +0000 (23:42 +0300)]
bfi: Avoid divisions by zero

If a zero-length video packet is to be returned, just return
AVERROR(EAGAIN) and switch back to the audio stream.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9fc7184d1a9af8d97b3fc5c2ef9d0a647d6617ea)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ad1223d6bcc69e1639951aedcdae40822bf41042)

11 years ago electronicarts: Add more sanity checking for the number of channels
Martin Storsjö [Sat, 28 Sep 2013 20:38:40 +0000 (23:38 +0300)]
electronicarts: Add more sanity checking for the number of channels

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a9221e39600a31ee13e736e9e47743cde23f0280)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/electronicarts.c
(cherry picked from commit a89868d714705af1b0b004fa790a889e9ba792cd)

11 years ago riffdec: Add sanity checks for the sample rate
Martin Storsjö [Sat, 28 Sep 2013 20:32:39 +0000 (23:32 +0300)]
riffdec: Add sanity checks for the sample rate

This avoids a division by zero for G726.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d07aa3f02b73ab1371c13ac7898338380ca0932b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 607863acaec85671f8c2afd81079ae4c605e3468)

11 years ago mvi: Add sanity checking for the audio frame size
Martin Storsjö [Sat, 28 Sep 2013 20:26:18 +0000 (23:26 +0300)]
mvi: Add sanity checking for the audio frame size

This avoids a division by zero.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 28ff439efd2362fb21e1a78610737f2e26a72d8f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 04d2f9ace3fb6e880f3488770fc5a39de5b63cbb)

11 years ago xwma: Avoid division by zero
Martin Storsjö [Sat, 28 Sep 2013 20:13:26 +0000 (23:13 +0300)]
xwma: Avoid division by zero

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit adc09136a4a63b152630abeacb22c56541eacf60)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 2ff935a06008fb1959ff633962fbc728762c33cb)

11 years ago avidec: Make sure a packet is large enough before reading its data
Martin Storsjö [Fri, 27 Sep 2013 21:41:31 +0000 (00:41 +0300)]
avidec: Make sure a packet is large enough before reading its data

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8d07258bb6063d0780ce2d39443d6dc6d8eedc5a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/avidec.c
(cherry picked from commit 2e4c649b3e62fdd158b5a9a0f973d3b186a23e94)

11 years ago vqf: Make sure the bitrate is in the valid range
Martin Storsjö [Sat, 28 Sep 2013 20:19:10 +0000 (23:19 +0300)]
vqf: Make sure the bitrate is in the valid range

Even if the sample rate is valid, an invalid bitrate could
pass the mode combination test below.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 68ff9981283a56c731f00c2ee7901103665092fc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 60701469ab9f526841ae81444236425f87916adb)

11 years ago vqf: Make sure sample_rate is set to a valid value
Martin Storsjö [Fri, 27 Sep 2013 21:34:35 +0000 (00:34 +0300)]
vqf: Make sure sample_rate is set to a valid value

This avoids divisions by zero later (and possibly assertions in
time base scaling), since an invalid rate_flag combined with an
invalid bitrate below could pass the mode combination test.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9277050e2918e0a0df9689721a188a604d886616)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 4d60ab62e05decc562645cd6f813f7c9e69637ee)

11 years ago vc1dec: Undo mpegvideo initialization if unable to allocate tables
Martin Storsjö [Fri, 20 Sep 2013 08:16:57 +0000 (11:16 +0300)]
vc1dec: Undo mpegvideo initialization if unable to allocate tables

Previously, s->context_initialized was left set to 1
if ff_vc1_decode_init_alloc_tables failed, skipping the
initialization completely on the next decode call.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b772b0e28eba6abf76d86ee8c6e459a86642db5a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
Martin Storsjö [Fri, 20 Sep 2013 08:16:00 +0000 (11:16 +0300)]
vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit ede508443e4bf57dc1e019fac81bf6244b88fbd3)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit b62704891d2353679e012555ac9e9a49ee63d497)

11 years ago wnv1: Make sure the input packet is large enough
Martin Storsjö [Thu, 19 Sep 2013 21:07:34 +0000 (00:07 +0300)]
wnv1: Make sure the input packet is large enough

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 91be1103fd1f79d381edf268c32f4166b6c3b6d8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0c8c6b4419e00d13197a4aea5456b398dca24df0)

11 years ago dca: Validate the lfe parameter
Martin Storsjö [Thu, 19 Sep 2013 12:12:06 +0000 (15:12 +0300)]
dca: Validate the lfe parameter

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a9d50bb578ec04c085a25f1e023f75e0e4499d5e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago rl2: Avoid a division by zero
Martin Storsjö [Thu, 19 Sep 2013 13:57:47 +0000 (16:57 +0300)]
rl2: Avoid a division by zero

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3ca14aa5964ea5d11f7a15f9fff17924d6096d44)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ce1dacb435460dda1f9d453eaaeac44bd502aca4)

11 years ago wtv: Add more sanity checks for a length read from the file
Martin Storsjö [Thu, 19 Sep 2013 13:55:13 +0000 (16:55 +0300)]
wtv: Add more sanity checks for a length read from the file

Also make sure the existing length check can't overflow.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 83c285f88016b087c2f0f4b9ef356ad8ef12d947)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 78dc022f6f8a8b87773a209e0fcbea2d5b48396f)

11 years ago segafilm: Validate the number of audio channels
Martin Storsjö [Thu, 19 Sep 2013 13:02:29 +0000 (16:02 +0300)]
segafilm: Validate the number of audio channels

This avoids divisions by zero later.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 82e266c6d3fbf3cc74e515b883e66543381a0f2c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 5379c5184b9fe9ef06234638f5629d4c80056e04)

11 years ago qpeg: Add checks for running out of rows in qpeg_decode_inter
Martin Storsjö [Thu, 19 Sep 2013 12:53:31 +0000 (15:53 +0300)]
qpeg: Add checks for running out of rows in qpeg_decode_inter

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7a5a55722749a3ab77941914707277b147322cbe)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 4d90550cf95eac0451465116d6e53bac37b96927)

11 years ago mpegaudiodec: Validate that the number of channels fits at the given offset
Martin Storsjö [Thu, 19 Sep 2013 12:32:02 +0000 (15:32 +0300)]
mpegaudiodec: Validate that the number of channels fits at the given offset

This is similar to the fix in 35cbc98b.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e9d61de96c113ee0ef8082833c7e682df0e23eec)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit bacf5db1962a6955ce80eea6bbc86c6970d7d360)

11 years ago asv1: Verify the amount of extradata
Martin Storsjö [Thu, 19 Sep 2013 12:14:56 +0000 (15:14 +0300)]
asv1: Verify the amount of extradata

The init function reads one byte of extradata.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f50803354c6acb4575379d7c54ca48ec5d36dd61)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago idroqdec: Make sure a video stream has been allocated before returning packets
Martin Storsjö [Mon, 16 Sep 2013 11:53:15 +0000 (14:53 +0300)]
idroqdec: Make sure a video stream has been allocated before returning packets

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit bcbe4f3ceb6ee0210d3a401963518906c8b9b230)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit de75bc01cda53acfbd9f901639695ade8e650c43)

11 years ago rv10: Validate the dimensions set from the container
Martin Storsjö [Mon, 16 Sep 2013 12:40:57 +0000 (15:40 +0300)]
rv10: Validate the dimensions set from the container

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5372cda67109848d22146289e401669266217e80)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0b0f1cd44ece180e12795cfc8d0a0ac5ea3ebe2c)

11 years ago xmv: Add more sanity checks for parameters read from the bitstream
Martin Storsjö [Mon, 16 Sep 2013 18:27:49 +0000 (21:27 +0300)]
xmv: Add more sanity checks for parameters read from the bitstream

Since the number of channels is multiplied by 36 and assigned to
a uint16_t, make sure this calculation didn't overflow. (In
certain cases the calculation could overflow leaving the
truncated block_align at 0, leading to divisions by zero later.)

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 00516b5491fbd99e4057f21eae231fc02cc596e3)
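
The truncation described in the xmv commit message above, as an added example that is not libav's code: a product of 36 and a channel count stored in a uint16_t keeps only the low 16 bits, so some counts yield 0 and a later division fails. The function names and the unsigned channel type are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_CHANNEL 36u  /* the multiplier named in the commit message */

/* Unchecked form: the product is narrowed to uint16_t, which keeps only
 * the low 16 bits (conversion to an unsigned type is modulo 65536). */
static uint16_t block_align_unchecked(unsigned channels)
{
    return (uint16_t)(BYTES_PER_CHANNEL * channels);
}

/* Checked form (hypothetical helper): reject a zero channel count and any
 * count whose product would not fit in 16 bits, before storing anything.
 * Returns 0 on success, -1 if the value from the file is rejected. */
static int block_align_checked(unsigned channels, uint16_t *out)
{
    if (channels == 0 || channels > UINT16_MAX / BYTES_PER_CHANNEL)
        return -1;
    *out = (uint16_t)(BYTES_PER_CHANNEL * channels);
    return 0;
}

/* A consumer that divides by block_align, as later code would.
 * It refuses a zero divisor instead of trapping. */
static int blocks_in_packet(uint32_t packet_size, uint16_t block_align,
                            uint32_t *blocks)
{
    if (block_align == 0)
        return -1;
    *blocks = packet_size / block_align;
    return 0;
}

int main(void)
{
    /* Constructed sample channel counts, not taken from any real file. */
    const unsigned samples[] = { 2, 1820, 1821, 16384 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t checked = 0;
        int rc = block_align_checked(samples[i], &checked);
        printf("channels=%u unchecked=%u checked=%s\n", samples[i],
               (unsigned)block_align_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A count of 16384 gives 36 * 16384 = 9 * 65536, so the stored value is exactly 0; 1821 is the smallest count that no longer fits and silently becomes 20.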

11 years ago ffv1: Make sure at least one slice context is initialized
Martin Storsjö [Mon, 16 Sep 2013 18:46:50 +0000 (21:46 +0300)]
ffv1: Make sure at least one slice context is initialized

This avoids crashes when initializing the range coder for
the first slice context.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b1db33159fdc2da4bdd8c75e4ff9a7dd0ef2f0c2)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago truemotion2: Use av_freep properly in an error path
Martin Storsjö [Mon, 16 Sep 2013 18:03:34 +0000 (21:03 +0300)]
truemotion2: Use av_freep properly in an error path

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c39f7eba01cd656e8f0eed592f93d11814736650)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eac1c3f384eab770d42468f4f244156c1735701d)

11 years ago eacmv: Make sure a reference frame exists before referencing it
Martin Storsjö [Mon, 16 Sep 2013 18:07:30 +0000 (21:07 +0300)]
eacmv: Make sure a reference frame exists before referencing it

This is similar to an existing check for the second-last frame
from 062421e3.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit ea78a348d86a3a733f6c1e0a65cfdd8283d924b9)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/eacmv.c
(cherry picked from commit 2e12af4587613dd5b2c3431e5c8194d73b03434f)

11 years ago mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
Martin Storsjö [Mon, 16 Sep 2013 17:40:13 +0000 (20:40 +0300)]
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory

This avoids a potential division by zero.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f875a732e36786d49f3650e3235272891a820600)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit c8c93795e4afd04c2c5b74e29e8dec29b6a76b81)

11 years ago ivi_common: Make sure color planes have been initialized
Martin Storsjö [Mon, 16 Sep 2013 17:32:35 +0000 (20:32 +0300)]
ivi_common: Make sure color planes have been initialized

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a92538b7c0defc86c55fb91f55dfa36aad192673)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 38bd229af9c4fa5897fc1a69e73a04c55f78647f)

11 years ago oggparseogm: Convert to use bytestream2
Martin Storsjö [Mon, 16 Sep 2013 14:17:26 +0000 (17:17 +0300)]
oggparseogm: Convert to use bytestream2

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 19b9659f3174599e8685d329c4330b1ea8c4c6db)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago rv34: Check the return value from ff_rv34_decode_init
Martin Storsjö [Mon, 16 Sep 2013 13:01:02 +0000 (16:01 +0300)]
rv34: Check the return value from ff_rv34_decode_init

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 711c970168297683860422e95d6b7e37ee3c8367)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 20c8f176293e7520c6205b664e25ecf8a711253e)

11 years ago matroskadec: Verify realaudio codec parameters
Martin Storsjö [Mon, 16 Sep 2013 12:36:24 +0000 (15:36 +0300)]
matroskadec: Verify realaudio codec parameters

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 569d18aa9dc989c37bb4d4b968026fe5afa6fff9)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 9f7a8b8f8f6ad024410232d926b774261ef2ef36)

11 years ago mace: Make sure that the channel count is set to a valid value
Martin Storsjö [Mon, 16 Sep 2013 12:19:52 +0000 (15:19 +0300)]
mace: Make sure that the channel count is set to a valid value

Also return a proper error code.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e1f3847f860a1094a46be4c5f10db8df616c3135)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/mace.c

11 years ago svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
Martin Storsjö [Mon, 16 Sep 2013 12:05:03 +0000 (15:05 +0300)]
svq3: Check for any negative return value from ff_h264_check_intra_pred_mode

Also pass on any returned error code.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 1115689d54ea95a084421f5a182b8dc56cbff978)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/svq3.c

11 years ago vp3: Check the framerate for validity
Martin Storsjö [Thu, 12 Sep 2013 09:27:58 +0000 (12:27 +0300)]
vp3: Check the framerate for validity

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6fc8226e29055858f28973bb3d27b63b3b65e616)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit b4c479a82adbb1301e3e549cd80cdd65208ddd05)

11 years ago cavsdec: Make sure a sequence header has been decoded before decoding pictures
Martin Storsjö [Thu, 12 Sep 2013 08:58:25 +0000 (11:58 +0300)]
cavsdec: Make sure a sequence header has been decoded before decoding pictures

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e90a6846c2c006fbebd00e1f2789f4a86fafacef)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/cavsdec.c

11 years ago sierravmd: Do sanity checking of frame sizes
Martin Storsjö [Wed, 11 Sep 2013 19:56:55 +0000 (22:56 +0300)]
sierravmd: Do sanity checking of frame sizes

Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + BYTES_PER_FRAME_RECORD won't overflow.

Also factorize other existing error return paths.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0ef1660a6365ce60ead8858936b6f3f8ea862826)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 153deed18bed43d16b272e8681b2a9b988d2682a)

11 years ago omadec: Properly check lengths before incrementing the position
Martin Storsjö [Wed, 11 Sep 2013 11:54:05 +0000 (14:54 +0300)]
omadec: Properly check lengths before incrementing the position

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 342c43d154e586bc022c86b168fe8d36f69da9d3)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 9eba02d5dd7036294ea350cb772822deec95b867)

11 years ago mpc8: Make sure the first stream exists before parsing the seek table
Martin Storsjö [Wed, 11 Sep 2013 19:53:15 +0000 (22:53 +0300)]
mpc8: Make sure the first stream exists before parsing the seek table

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 17d57848fc14e82f76a65ffb25c90f2f011dc4a0)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 557df77eab7d3726c34221aeb999afe9e7818d52)

11 years ago mpc8: Check the seek table size parsed from the bitstream
Martin Storsjö [Wed, 11 Sep 2013 19:47:06 +0000 (22:47 +0300)]
mpc8: Check the seek table size parsed from the bitstream

Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 459f2b393a3f89ed08d10fbceb4738d1429f268e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f8a72f041c049e812dfa1f32156327e9778f5710)

11 years ago zmbvdec: Check the buffer size for uncompressed data
Michael Niedermayer [Sun, 11 Nov 2012 17:08:39 +0000 (18:08 +0100)]
zmbvdec: Check the buffer size for uncompressed data

Also don't pointlessly set the buffer size to 1 after copying
one packet.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago ape: Don't allow the seektable to be omitted
Martin Storsjö [Wed, 11 Sep 2013 19:29:33 +0000 (22:29 +0300)]
ape: Don't allow the seektable to be omitted

The seektable is required for filling in ape->frames[i].pos
further down.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 183b9d843a9533774fabd3984a52f3987001acbc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago shorten: Break out of loop looking for fmt chunk if none is found
Martin Storsjö [Wed, 11 Sep 2013 19:19:28 +0000 (22:19 +0300)]
shorten: Break out of loop looking for fmt chunk if none is found

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b26742cc308552f242ee2bf93b07a3ff509f4edc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago shorten: Use a checked bytestream reader for the wave header
Martin Storsjö [Wed, 11 Sep 2013 19:17:13 +0000 (22:17 +0300)]
shorten: Use a checked bytestream reader for the wave header

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 49568851bf1700e3d9ea9cda29208d0df3c2c38b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago smacker: Make sure we don't fill in huffman codes out of range
Martin Storsjö [Wed, 11 Sep 2013 12:54:20 +0000 (15:54 +0300)]
smacker: Make sure we don't fill in huffman codes out of range

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0679cec6e8802643bbe6d5f68ca1110a7d3171da)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago smacker: Avoid integer overflow when allocating packets
Martin Storsjö [Wed, 11 Sep 2013 12:25:13 +0000 (15:25 +0300)]
smacker: Avoid integer overflow when allocating packets

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 710b0e27025948b7511821c2f888ff2d74a59e14)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

11 years ago smacker: Don't return packets in unallocated streams
Martin Storsjö [Wed, 11 Sep 2013 12:20:01 +0000 (15:20 +0300)]
smacker: Don't return packets in unallocated streams

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8d928023f953a28692ba27071a448259134b103b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>