Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Diego Biurrun <diego@biurrun.de>
CC: libav-stable@libav.org
(cherry picked from commit d0393d79bc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d98e6c5d5d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.
(cherry picked from commit dc71f19588)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
librtmp can keep pointers to this string internally, and may
use them at shutdown as well.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 865461099e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/librtmp.c
This was broken (left half-implemented) in 354468fc12.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cf280ed004)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d)
CC:libav-stable@libav.org
Conflicts:
libavcodec/eamad.c
This fixes a segmentation fault because request_frame in fifo.c assumes
that the call to ff_request_frame will populate fifo->root.next.
Before, it was possible for request_frame in af_compand to not do this,
resulting in a null pointer access. Now, request_frame in af_compand
always will return at least one frame or an error, as per the API
specifications in avfilter.h for request_frame.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d3cfd7aff8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The actual predictor value, set by the trellis code, never
was written back into the variable that was written into
the block header. This was accidentally removed in b304244b.
This significantly improves the audio quality of the trellis
case, which was plain broken since b304244b.
Encoding IMA QT with trellis still actually gives a slightly
worse quality than without trellis, since the trellis encoder
doesn't use the exact same way of rounding as in
adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0776e0ef6b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was broken in 095be4fb - samples+ch (for the previous
non-planar case) equals &samples_p[ch][0]. The confusion
probably stemmed from the IMA WAV case where it originally
was &samples[avctx->channels + ch], which was correctly
changed into &samples_p[ch][1].
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3d79d0c93e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
On big endian machines, the default value set via the faulty
AVOption ended up as 2^32 times too big.
This fixes the fate-lavf-ogg test which currently is broken on
big endian machines, broken since 3831362. Since that commit,
a final zero-sized packet is written to the ogg muxer in that test,
which caused different flushing behaviour on little and big endian
depending on whether the pref_duration option was handled as it
should or not.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 103243ca64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Side data count is incremented by by calling av_packet_new_side_data()
in the following loop, setting it explicitly results in the resulting
value being twice what it should be.
CC: libav-stable@libav.org
(cherry picked from commit cdf58f0599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.
CC:libav-stable@libav.org
(cherry picked from commit f2f2e7627f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Fixes an invalid read past the end of avpriv_mpa_freq_tab.
Fixes divide-by-zero due to sample_rate being set to 0.
Bug-Id: 705
CC:libav-stable@libav.org
(cherry picked from commit 44127546b0)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
get_len can overflow for specially crafted payload.
Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b14c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d6d767d93e)
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes building in PIC mode with gas. The examples in the gas
manual showed using a # here even though gas itself actually didn't
support that syntax (and the gas test suite only tests it without
the extra hash sign).
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 08cd92144e)
Signed-off-by: Martin Storsjö <martin@martin.st>
Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.
Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.
Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 9d599e3f6e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The overread avoidance fix in cbddee1cca
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.
CC: libav-stable@libav.org
(cherry picked from commit 61985ad72c)
Arch specific calls should have an emms_c following to keep the cpu
state consistent.
Reported-By: wm4
CC: libav-stable@libav.org
(cherry picked from commit e995cf1bcc)
As pointed out by Reimar Döffinger.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0bacfa8d37)
Conflicts:
libavformat/rtmpproto.c
Prevent a division by zero down the codepath.
Sample-Id: 00001721-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3a177a9cca)
s->prim_channels is greater than num_core_channels
when an XCh extension is present in the bitstream.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 801c39e1e3)
Previously, if read_connect failed, the ret variable was unmodified
and had the value 0, indicating success, which then was returned from
the rtmp_open function, even though it actually failed.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6477139721)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes cases where very few input samples (fewer than needed for one
output sample) are passed to lavr at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit ac976ed91e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Instead of using a fixed bitrate_idx, calculate a matching bitrate for
the XING header.
Using a fixed bitrate_idx causes tools such as file(1) and mediainfo(1)
to report wrong bitrate and bitrate mode when using CBR.
Bug-Id: https://bugs.debian.org/736088
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 617a1a98a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
