If the allocated size, despite best efforts, is too small, exit
with the appropriate error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 52b81ff463)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes: snowf.avi
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9a162146ca)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3539d6c63a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Add padding, clear size, use the correct pointer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4213fc5b9e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
0 means no data consumed, so it can trigger an infinite loop in the
caller.
CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Found-by: CSA
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e706fe7640)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes a infinite loop
Fixes Ticket3804
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cfdb30d2f1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3809
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f95298c913)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If there are consecutive IDR pictures, then SPS/PPS should be prepended
to all of them, not only the first one.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bf428bb314)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This simplifies the management of current_sps
Fixes Ticket3458
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 880dbe43ca)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes leaving a pointer to unreferenced memory
Fixes Ticket 3115
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ccd6911c18)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Diego Biurrun <diego@biurrun.de>
CC: libav-stable@libav.org
(cherry picked from commit d0393d79bc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d98e6c5d5d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d)
CC:libav-stable@libav.org
Conflicts:
libavcodec/eamad.c
This caused mpv (and possibly others) to fallback to software decoding after
seeking a VC1 stream.
Bug-Id: 667
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit cdf6eb5a97)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The actual predictor value, set by the trellis code, never
was written back into the variable that was written into
the block header. This was accidentally removed in b304244b.
This significantly improves the audio quality of the trellis
case, which was plain broken since b304244b.
Encoding IMA QT with trellis still actually gives a slightly
worse quality than without trellis, since the trellis encoder
doesn't use the exact same way of rounding as in
adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0776e0ef6b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was broken in 095be4fb - samples+ch (for the previous
non-planar case) equals &samples_p[ch][0]. The confusion
probably stemmed from the IMA WAV case where it originally
was &samples[avctx->channels + ch], which was correctly
changed into &samples_p[ch][1].
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3d79d0c93e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
