This fixes potential divisions by zero and out of array accesses.
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2c16bf2de0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: d4476f68ca1c1c57afbc45806f581963-asan_heap-oob_2266b27_8607_cov_4044577381_snow_chroma_bug.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 61d59703c9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c919e1ca2e)
Conflicts:
libavcodec/msrle.c
(cherry picked from commit bc1c8ec5e6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array accesses with CODEC_FLAG_EMU_EDGE
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ba02602aa)
Conflicts:
libavcodec/vmnc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c17207ab9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access with RC_VARIANCE set to 0
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f1caaa1c61)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
q4-q7/d8-d15 are supposed to not be clobbered by the callee.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d307e408d4)
Do not consider it an error if we have no frames and should discard one.
This condition can easily happen when decoding is started from an I frame
Fixes Ticket2811
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08a8976196)
Conflicts:
libavcodec/h264_refs.c
Fixes out of array accesses
Fixes Ticket2919
Found_by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 86736f59d6)
Conflicts:
libavcodec/pngdsp.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes Ticket2895
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9a271a9368)
Conflicts:
libavcodec/jpeg2000dec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:
libavcodec/j2kdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745d)
Conflicts:
libavcodec/rpza.c
Fixes out of array accesses
Fixes Ticket2844
Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 880c73cd76)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes vlc decoding for hypothetical files that would contain such cases.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f67a0d1152)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc)
Conflicts:
libavcodec/huffyuv.c
(cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88)
Conflicts:
libavcodec/huffyuv.c
This is consistent with the other ff_ass_split_* functions.
It also fixes a crash when trying to split a dialog with text=NULL
(which seems to happen when the text of the dialog is empty); basically,
this commit fixes crashes when trying to encode an empty text subtitle
dialog (see subrip and mov_text encoders).
Fixes Ticket2048.
(cherry picked from commit c83002a4f8)
Apparently, some build environments require dxva.h even for dxva2,
while others lack this header entirely. Including it conditionally
allows building in both cases.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fa84506177)
Conflicts:
configure
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3db8988d5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1068
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes an AAC decoding issue with the sample from ticket #213 on machines
with SSE but without SSE2.
Based on 89411a by Reimar.
(cherry picked from commit f6b7863808)
For small video dimensions, these calculations of the upper bound
for pixel access may have a negative result. Using an unsigned
comparison to bound a potentially negative value only works if
the greater operand is non-negative. Fixed by doing edge emulation
when the upper bound is probably negative, everywhere that this
pattern appears.
Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit d209c27b09)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
For small video dimensions calculations of the upper bound for pixel
access may result in negative value. Using an unsigned comparison
works only if the greater operand is non-negative. This is fixed by
doing edge emulation explicitly for such conditions.
Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit aacf6b3a2f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This possibly makes part of the CVE-2011-3895 fix unneeded.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ff7f198d7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
BUG=101458
Review URL: http://codereview.chromium.org/8414025
Fixes second part of CVE-2011-3895
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f74ce3a60d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
BUG=101458
Review URL: http://codereview.chromium.org/8413019
This fixes part of 2011-3895
bigned-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 68226ed9ec)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
decoding.
BUG=100543
Review URL: http://codereview.chromium.org/8365014
This fixes 25% of CVE-2011-3893
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7149fce2ca)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
