* commit 'cee4490b521fd0d02476d46aa2598af24fb8d686':
on2avc: check number of channels
See: 550f3e9df3
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes invalid writes when there are more blocks in a run than total
remaining blocks.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes invalid writes with very small image heights.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
The frame size must be set by the caller and each dimension must be a
multiple of 8.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Fixes possible invalid memory access.
Based on code by Michael Niedermayer <michaelni@gmx.at>
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8541
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
* commit '67fc8a15e4182ea111cfcd05897709f09d99a33a':
theora: support different visible and coded frame size
Conflicts:
libavcodec/vp3.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Also adds a lot of infrastructure necessary for it.
Some of it is a bit ugly though.
Increases binary size for hardcoded tables by about 12 kB,
which is about 15 kB from qdm2_table minus data and code
saved that was only used for creating it.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
This is the order that the caller uses in the rest of the file. The
same operation is applied to both parameters, so this change is only
done for consistency, it doesn't change the actual behaviour.
Bug-Id: CID 732285 / CID 732286
ff_mpv_common_init sets s->context_initialized.
This fixes decoding of h261 in the cases where the demuxer
hasn't already set the frame size.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This avoids trying to do sliced encoding, even if a slice/packet
size is requested (via the -ps option or the rtp_payload_size
field), since the encoder currently doesn't support it (or at least
our decoder can't decode it, even if the h261_encode_gob_header
function is hooked up to be called from the slicing part in
mpegvideo_enc.c).
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes use of freed memory
Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Should improve cache usage and reduces stack usage.
Also reduces number of copies in case many levels
have the same number of bits.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Fixes use of freed memory
Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_stack-oob_32c12e5_2536_cov_2442316831_lena.xface
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If allocation fails earlier on, and the next frame is processed,
the slice buffer could be left in a state where line and data_stack
have already been freed, or are otherwise null pointers.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
* commit '10d4c5e55e5b23e165aa4c7723073ebe2c2e7da0':
tiff: set the correct return value when check_size() fails
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3c27275c1309190f2d6ed69140b67d014215b6c9':
tiff: Check the check_size() return value and forward it
Conflicts:
libavcodec/tiffenc.c
See: d50aa006fb
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Also use the same type for add_entry and check_size.
Bug-Id: CID 700699
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Vittorio Giovara <vittorio.giovarao@gmail.com>
* commit 'bcbdeb318e0828cf00b458885ffa1e1596c85d06':
asvenc: Forward the error instead of asserting on it
Conflicts:
libavcodec/asvenc.c
Not merged, conditions which are impossible should be checked by assert*()
adding impossible to be true error checks has the potential to confuse
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Also a slight change to the ssse3 code, which prevents a theoretical
overflow in the sharp filter.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fix linking when only a subset of vaapi decoders is enabled.
Bug-Id: 760
CC: libav-stable@libav.org
Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The input packets are always assumed to be padded and
the av_fast_ family of function takes a pointer to a pointer.
Thanks to Nicolas Dufresne <nicolas.dufresne@collabora.com> for
a similar patch.
Introduced in 7b588bb691.
Bug-Id: 766
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Old VDPAU drivers do not support this newly defined profile, so falling
back to Main profile is necessary for backward binary compatibility.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
These fix failures of --enable-xmm-clobber-test
It would be better to change the code to use fewer registers, but until
someone does the used register count must not be too small
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids potential out of bounds writes, with potential future
versions of the library.
Bug-Id: CID 1254945
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '581c7f0e12b1fa39f73d683e54d6ecda0772c5a9':
arm: make ff_mlp_filter_channel_arm and ff_mlp_rematrix_channel_arm position independent
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '780cd20b00a69e26bbfffbb8eec16fbe999ea793':
aarch64: Use .data.rel.ro for const data with relocations
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f963f80399deb1a2b44c1bac3af7123e8a0c9e46':
arm: Use .data.rel.ro for const data with relocations
Conflicts:
configure
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This test doesn't cover every possible issue with this function.
It covers options management only.
Signed-off-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
* commit '6fd91fa11909f27902498648680dbb3d13f1f175':
h264: increase MAX_SLICES to 32
The available sample decodes correctly before, but the reporter of the bug
claims that this change reduces artifacts. This is thus merged
If someone has samples that decode differently depending in the MAX_SLICES
value, please open a ticket on trac.
Also this change should be reverted if it turns out that the artifacts
that where seen had a different cause
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This fixes artifacts in the last pixel of rows with some widths and pixel formats
Found-by: Dominique Leroux <Dominique.Leroux@autodesk.com>
Tested-by: Dominique Leroux <Dominique.Leroux@autodesk.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
According to the DPX file format description found at
http://www.fileformat.info/format/dpx/egff.htm the ImageElement part of
the GenericImageHeader also contains an an offset to the real image data
beside the same member that can be found in the GenericFileHeader.
Libav keeps this member empty (=0) while some applications expects it to
be filled properly. FATE test updated accordingly.
Bug-Id: 742
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
* commit 'b280c6202b28b371a8d96850194fd69d7ad5dcc0':
arm: fft_vfp: Unify the behaviour in ff_fft_calc_vfp between arm/thumb
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ae81576414f2d2083d3118fb4abe1ebc5a7a4c54':
arm: fft_vfp: Add a missing "endconst" when building in thumb mode
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Don't include the function pointer table in the code segment
in arm mode.
This shouldn't have any significant performance effect. It does
end up as a few more instructions than before, for ARM, but
only at the entry to this function, not within the fft functions
themselves.
Signed-off-by: Martin Storsjö <martin@martin.st>
We dont fail hard if its not set as the old API allowed this and our examples
did in the distant past not set it, these examples still work with the
current code and some encoders.
Based on suggestion by: funman
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This code only segfaults and fixing the segfault, the resulting
files are unplayable, so disable to avoid the segfault.
Better solution is welcome
See: [FFmpeg-devel] [PATCH] avcodec/libxavs: remove global header code
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b72727a5248f1ef02db99b378dce1eb48a46357a':
lavc: mention that the parser callback never returns an error
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3a56bcee7cb7549b2813e39ce3bee3b7c522aecb':
mpeg12dec: Use more specific error codes
Conflicts:
libavcodec/mpeg12dec.c
See: 1852b2a0f4
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e0bb74a1403ed77ef369b9d62866f8a4afaf3f1d':
exr: Add a gamma flag to exr loader to avoid banding
Conflicts:
libavcodec/exr.c
See: cd3daad77e
Merged-by: Michael Niedermayer <michaelni@gmx.at>
libxvidcore calculate number of threads basing on video height.
If height is small enough it allocates 0 bytes long memory and
writes to it.
Setting thread_count to 0 uses 1 thread and skips bugged code.
Signed-off-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The "faulty" samples actually sound fine when ignoring this issue.
For ticket #3886, more samples are decoded.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>