An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df1310)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
And manage the reallocation failure path.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5e992a4682)
Fixes out of array accesses and integer overflows.
(cherry picked from commit d1916d13e2)
Adresses: CVE-2013-7010, CVE-2013-7014
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a35974)
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Otherwise the expression will be evaluated as unsigned, which will break
when the result should be negative.
CC:libav-stable@libav.org
(cherry picked from commit 089fac77a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It might be passed to code requiring padding, such as lzo decompression.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 30be1ea33e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes corrupt data errors when downmixing in the AC-3 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit 6c82c87dbb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When the protocol is missing ffurl_alloc() should return
AVERROR_PROTOCOL_NOT_FOUND instead of AVERROR(ENOENT).
Bug-Id: 577
CC: libav-stable@libav.org
(cherry picked from commit ea71aafd68)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes a segfault during resampling when compiled with -DDEBUG.
Fixes all fate-lavr-resample tests with -DDEBUG.
CC:libav-stable@libav.org
(cherry picked from commit 211ca69b13)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The code cannot handle there being none, but that should not happen for
valid files.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1b5d065ca7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Also add an error message an return a more suitable error code
(INVALIDDATA, not EINVAL);
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit c453723ad7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
