This makes sure that linesize * start_y doesn't overflow, so that
emulated_edge_mc can get back the original value if needed.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a711a2cb47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The code tries to decode a number of channels at the
offset given by the ff_alac_channel_layout_offsets table.
Even if the number of channels decoded so far doesn't
exceed the total number of channels, we need to check that
we actually can decode that number of channels at this offset
as well.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 35cbc98b72)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Otherwise buffer size calculations in allocate_buffers could
overflow later, making the code think a large enough buffer
actually was allocated.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f7c5883126)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Otherwise picmemset can get called with negative y, resulting in an
invalid write.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5f7aecde02)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The parsing function return AVERROR and AAC_AC3_PARSE_ERROR values,
make sure they are not misunderstood.
(cherry picked from commit 6258d362b8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The decompressed buffer can be used after codec_reinit, so it must be
preserved.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2df0776c22)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
And properly update the buf_size with the correct size.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 075dbc1855)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Update the fate reference since the last broken frame is not decoded
anymore.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aae159a7cc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Some code paths can call it with invalid length.
CC: libav-stable@libav.org
(cherry picked from commit 71953ebcf9)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
A packet larger than cin->bitmap_size does not make sense.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fd81899321)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was handled properly in the normal return case at the end
of the function, but not in this special case.
Returning a value larger than the input packet size can cause
problems for certain library users.
Returning the actual input buffer size unconditionally, since
it is not guaranteed that frame_size is set to a sensible
value at this point.
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8f24c12be7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
If the channel mapping map multiple output channels to one
input channel, we should only increment the actual pointer once.
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 68e57cde68)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The faulty values rippled further down the codepath causing a
hard-to-track segfault in the assembly code.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e9d394f3fa)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/mlpdec.c
