Fixes CID733837
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4334ba043e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID733842
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 989c91b504)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes: CID733844
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fac1ccbda1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'be209bdabb':
vf_pad: don't give up its own reference to the output buffer.
libvorbis: use VBR by default, with default quality of 3
libvorbis: fix use of minrate/maxrate AVOptions
h264: fix deadlocks on incomplete reference frame decoding.
cmdutils: avoid setting data pointers to invalid values in alloc_buffer()
avidec: return 0, not packet size from read_packet().
wmapro: prevent division by zero when sample rate is unspecified
vc1dec: check that coded slice positions and interlacing match.
alsdec: fix number of decoded samples in first sub-block in BGMC mode.
alsdec: remove dead assignments
alsdec: Fix out of ltp_gain_values read.
alsdec: Check that quantized parcor coeffs are within range.
alsdec: Check k used for rice decoder.
Conflicts:
avconv.c
libavcodec/h264.c
libavcodec/libvorbis.c
libavformat/avidec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '15c2e8027f':
wav: do not fail on empty INFO tags
cavsdec: check for changing w/h.
indeo4: update AVCodecContext width/height on size change
avidec: use actually read size instead of requested size
wmaprodec: check num_vec_coeffs for validity
lagarith: check count before writing zeros.
indeo3: fix out of cell write.
indeo5: check tile size in decode_mb_info().
indeo5: prevent null pointer dereference on broken files
indeo5dec: Make sure we have had a valid gop header.
indeo4/5: check empty tile size in decode_mb_info().
ivi_common: make ff_ivi_process_empty_tile() static.
Conflicts:
libavcodec/indeo5.c
libavformat/wav.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c5ec190859':
indeo: check for invalid motion vectors
indeo: clear allocated band buffers
indeo: track tile macroblock size
factor out common decoding code for Indeo 4 and Indeo 5
indeo: check custom Huffman tables for errors
dfa: improve boundary checks in decode_dds1()
dfa: use more meaningful return codes
dfa: add some checks to ensure that decoder won't write past frame end
dfa: convert to bytestream2 API
dfa: check that the caller set width/height properly.
avsdec: Set dimensions instead of relying on the demuxer.
ac3dec: ensure get_buffer() gets a buffer for the correct number of channels
Conflicts:
libavcodec/avs.c
libavcodec/dfa.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Since it is declared as a string AVOption, the generic freeing code
attempts to free it on codec close. Some codecs might have already freed
it elsewhere (or didn't even allocate it with av_malloc() in the first
place), so this might lead to an invalid free.
There is no point in having this field accessible as an AVOption, so
remove it from the options table.
Fixes Bug 380.
CC: libav-stable@libav.org
(cherry picked from commit b691135d0c)
Conflicts:
libavcodec/options_table.h
The value should be always 3, as it follows from the specification.
Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f6)
Conflicts:
libavcodec/h264.c
- enable the options for audio encoding
- properly check for user-set maxrate
- use correct calling order in vorbis_encode_setup_managed()
(cherry picked from commit 182d4f1f38)
Conflicts:
libavcodec/libvorbis.c
Fixes a part of Bug 277
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If decoding a second complementary field, and the first was
decoded in our thread, mark decoding of that field as complete.
If decoding fails, mark the decoded field/frame as complete.
Do not allow switching between field modes or field/frame mode
between slices within the same field/frame. Ensure that two
subsequent fields cover top/bottom (rather than top/frame,
bottom/frame or such nonsense situations).
Fixes various deadlocks when decoding samples with errors in
reference frames.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1e26a48fa2)
Fixes Bug 118
Conflicts:
libavcodec/h264.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
ALS spec:
11.6.3.1.1 Quantization and encoding of parcor coefficients
...
In all cases the resulting quantized values ak are restricted to the range [-64,63].
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5b051ec3bd)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Values that fail this check will cause failure of decode_rice()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 23aae62c2c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.8: (23 commits)
snow: Check mallocs at init
vorbis: Validate that the floor 1 X values contain no duplicates.
vorbisenc: check all allocations for failure
indeo3: validate new frame size before resetting decoder
lavfi: avfilter_merge_formats: handle case where inputs are same
rv34: error out on size changes with frame threading
rv34: Handle only complete frames in frame-mt.
rv34: use AVERROR return values in ff_rv34_decode_frame()
vlc/rl: Add ff_ prefix to the nonstatic symbols
h263: Add ff_ prefix to nonstatic symbols
alsdec: check opt_order.
golomb: check remaining bits during unary decoding in get_ur_golomb_jpegls()
lavf: don't segfault when a NULL filename is passed to avformat_open_input()
mpegvideo: Don't use ff_mspel_motion() for vc1
imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
eval: fix swapping of lt() and lte()
nuv: check RTjpeg header for validity
Revert "nuv: check per-frame header for validity."
bmpdec: only initialize palette for pal8.
sipr: fall back to setting mode based on bit_rate.
...
Conflicts:
avconv.c
libavcodec/dnxhddec.c
libavcodec/golomb.h
libavcodec/h263.h
libavcodec/imgconvert.c
libavcodec/mpegvideo_common.h
libavcodec/mpegvideo_enc.c
libavcodec/nuv.c
libavcodec/rv34.c
libavcodec/sipr.c
libavcodec/vorbisdec.c
libavcodec/vorbisenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a696306)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Fixes CVE-2012-2794
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2d09cdbaf2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2012-2800
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae55)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
