This also as a sideeffect fixes the non aligned case
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a066ff89bc)
Fixes infinite loop and segfault in ogg_buffer_data()
Fixes Ticket4806
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81a8701eb5)
Fix segfault with too large slice_count
Fixes Ticket4879
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa6c43f3fd)
Conflicts:
libavcodec/ffv1enc.c
libavcodec/ffv1.c
Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3
packets. This code forgot to report to the user that data was skipped at
all.
Since audio codecs allow partial packet decoding, the user application
has to rely on the return value. It will remove the data reported as
consumed by the decoder, and feed it to the decoder again. This resulted
in the mp3 frame after the zero region to be decoded over and over
again, until the zero region was finally skipped by the application.
Fix this by including the amount of skipped bytes to the number of
consumed bytes returned by the decode call.
Fixes trac ticket #4890.
(cherry picked from commit cb1da9fb8d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2c58931e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Various header informations need to be reset when decoding next frame.
Regression since: 95582b5c
Fixes ticket #4597.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit a03b69478b)
The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c9151de7c4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array reads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9bff052b51)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such data streams (which then contain no other packets except the faulty one)
confuse some user applications, like VLC
Works around vlcticket 12389
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 322f0f5960)
Conflicts:
libavformat/flvdec.c
Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
which contains more fixes but is unfinished
Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b5d112406)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Without this ffversion.h could sometimes be built too late
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4ae87554f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This simplifies identifying from which revision a binary of a lib came from
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 649c158e8c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 8b0e96e1f2
These should be redundant, but are backported for saftey anyway
(cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 105654e376
These should be redundant, but are backported for saftey anyway
(cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8714f6f93)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aa8d12554)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
