Check for out of picture macroblocks before calling mcdc.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 94aefb1932)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
At least 2 bytes from the source are read every loop.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c22169769)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/tiff.c
Simplify a little, assume empty frames are acceptable and
do not pointlessly reinit the bytestream2 contexts using
possibly wrong size values.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 676da248ca)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/vmdav.c
Odd chunk size makes no sense for stereo and incomplete chunks are
not supported.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 701966730c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
And forward those that were already meaningful.
(cherry picked from commit 8c34558131)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/wavpack.c
They must be non-zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8aa3500905)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
MPV_decode_mb_internal needs 3 * 16 * linesize bytes of scratch buffer
For interlaced content, linesize is multiplied by two after the allocation
of the scratch buffer, and the dest_cr pointer ends past the buffer.
This patch makes ff_mpv_frame_size_alloc allocate a total of
(aligned line_size) * 2 * 16 * 3 bytes, which suffices even for the
interlaced case.
CC:libav-stable@libav.org
Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 259af1b923)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When JPEG-LS support is disabled the decoder would feed the
data to the JPEG Lossless decode_*_scan function resulting in
faulty decoding.
CC: libav-stable@libav.org
(cherry picked from commit b25e49b187)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Set interlaced to false if we don't have an interlaced frame
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0881cbf314)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
They are not guaranteed to be aligned.
Fixes Bug 503.
CC:libav-stable@libav.org
(cherry picked from commit a97d8cc16e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Broken bitstreams could report a larger than specified number of
channels and cause outbound writes.
CC:libav-stable@libav.org
(cherry picked from commit a943a132f3)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
They can be different if the last keyframe failed to decode correctly.
Fixes possible invalid reads in such a case.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit b1bb8fb860)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Also add an additional sanity check to the alt_quant table.
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 66531d634e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The data offsets are relative to the bistream header, which is 16 bytes
after the start of the data.
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 34e6af9e20)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This can happen when the number of skipped lines is not consistent with
the number of coded lines.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3623589edc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It can be 0 or -1 for invalid files, which may result in invalid memory
access.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b88f902125)
Conflicts:
libavcodec/bmv.c
When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.
(0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))
Avoid oversized shifting.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff3130)
get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.
CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d84)
