Fixes Ticket4777
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db91e0edb6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Previously only the edit_rate of material_track was checked.
If it's negative, it causes assertion failures in av_rescale_rnd.
Reviewed-by: Tim Nicholson <nichot20-at-yahoo.com@ffmpeg.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 047bf82c18)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db374790c7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189420cb56)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise sm_size can be larger than size, which results in a negative
packet size.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6b9fdf7f4f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes infinite loop and segfault in ogg_buffer_data()
Fixes Ticket4806
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81a8701eb5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c6beaed92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
There can be other headers than "Content-Type:" (in this case, a
"Content-Length:" header was following), so checking for a trailing
newline is wrong.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf51fcd304)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If bit_rate is negative, it can trigger an av_assert2 in av_rescale_rnd.
Since av_rescale returns int64_t, but st->codec_bit_rate is int, it can
also overflow into a negative value.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eec40b713)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 64815d1f0c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 15629129dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If init_get_bits fails the GetBitContext is invalid and must not be
used. Check the return value in dirac_header and propogate the error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4f5c2e651a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
And default to 8000 if it is invalid.
An invalid sample rate can trigger av_assert2 in av_rescale_rnd.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5b76c82fd7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
In the TTA extradata re-construction the values are written with
avio_wl16 and if they don't fit into uint16_t, this triggers an
av_assert2 in avio_w8.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 92e79a2f7b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the loop can take a lot of time if num_descr is very large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5718863da)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This was simply wrong
Found-by: Martin Storsjö
This reverts commit 5d8e4f6da0.
(cherry picked from commit 3e34b7498f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is the maximum rate possible based on the frame size limit of MXF D-10
Previous version reviewed by tim nicholson <nichot20@yahoo.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d7a762553c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes DTS detection of b2429e5ba9.dts
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9f5769437a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
These loops can take a lot of time if count is very large.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb23a15df5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This can unnecessarily waste a lot of time.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fa7dec8cb0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
nut->last_syncpoint_pos doesn't necessarily change between resync
attempts, so find_any_startcode can return the same startcode again.
Thus remember where the last resync happened and don't try to resync
before that.
This can't be done locally in nut_read_packet, because this wouldn't
prevent infinite resync loops, where after the resync a packet is
returned and while reading a following packet the resync happens again.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 37e679881d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents read of uninitialized variable
Based on patch by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ebb0ca3d70)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b3496b4a33)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 361702660d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes the calculation of the number of needed blocks to make
sure that ALL pixels are represented by the result.
Reviewed-by: Thomas Volkert <silvo@gmx.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7f64a7503b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes (harmless) use of uninitialized variable
Found-by: jamrial
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ad42b3e15)
Conflicts:
libavformat/mp3dec.c
Fixes Ticket4557
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 50393bce31)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1238994
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b62b3292d8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239014
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2cddc0b19a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID703652
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 171af59d58)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1041175
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56abf35151)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1238818
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81198a6837)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Larger packets are not supported and would cause problems later
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aa5169935e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Since len is an unsigned int, the comparison is currently treated as
unsigned and thus ignores all errors from avio_read.
Thus cast len to int, which is unproblematic, because at that point len
is between 0 and 4.
This fixes 'Conditional jump or move depends on uninitialised value'
valgrind warnings in is_tag.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0382c94f13)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Its currently guaranteed to be smaller but its safer to check anyway
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 66f26b3e8e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
