If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.
Also fix potential overflow of avio_tell(bc) + value_len.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ce10f572c1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
nut->last_syncpoint_pos doesn't necessarily change between resync
attempts, so find_any_startcode can return the same startcode again.
Thus remember where the last resync happened and don't try to resync
before that.
This can't be done locally in nut_read_packet, because this wouldn't
prevent infinite resync loops, where after the resync a packet is
returned and while reading a following packet the resync happens again.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 37e679881d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault when accessing the metadata.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ff1af2b0d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '52a1c32c0a86e84d43f977c5148e62975a0c6917':
nut: Use nut->version in the version range check
Conflicts:
libavformat/nutdec.c
Note, this bug did not affect ffmpeg
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Add the low overhead pipe mode and the extended broadcast mode.
Export the options as 'syncponts' since it impacts only that.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The code was buggy, using the wrong variable, also it missed the case
where the packet become smaller due to sidedata/metadata being extracted
which left a few bytes uninitialized
Fixes use of uninitialized memory
Fixed: msan_uninit-mem_7f6abbe44530_6838_mewmew_vorbis_ssa.nut
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f2785ab8669_6838_mewmew_vorbis_ssa.nut
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e0c53c3408181d2e7d544eb65fc7355a79438dfe':
nut: use meaningful error values
FATE: use a less ambiguous end time for filter-trim-time test
Conflicts:
libavformat/nutdec.c
tests/fate/filter-video.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '46c1917350f58dfab84e41919e6c02d43950db8c':
nut: use a define for the nut version
bgmc: Do not mark ff_bgmc_decode_init() as av_cold
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The function is a callback that is called by ff_gen_search with
a constant stream index.
Avoid a false positive on older gcc version.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
