At very small dimensions, this calculation could lead to zero-sized
filters, which leads to uninitialized output, zero-sized allocations,
loop overflows in SIMD that uses do{..}while(i++<filtersize); instead
of for(i=0;i<filtersize;i++){..} and several other similar failures.
Therefore, require a minimum filtersize of 1.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dae2ce361a2b5fd9be1d43e5e8c00bdbc5f03e3d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Prevents a division by zero later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7416d610362807848236ceff1bc6740dbc82842d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If no data was seen for a stream decoder are returning 0 when fed with
empty packets for flushing. We can stop flushing when the decoder does
not return delayed delayed frames anymore. Changes try_decode_frame()
return value to got_picture or negative error.
CC: libav-stable@libav.org
(cherry picked from commit b3461c29c1aee7d62eeb02a59d46593c60362679)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers say that that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.
Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Prevents a crash of VLC during playback of a invalid matroska file,
found by John Villamil <johnv@matasano.com>.
CC: libav-stable@libav.org
(cherry picked from commit c3e10ae4127c998b809066926a410f40ebd47593)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Earlier, calling avcodec_encode_audio worked fine even if time_base
wasn't set. Now it crashes due to trying to scale the output pts to
the codec context time base. This affects e.g. VLC.
If no time_base is set for audio codecs, set it to the sample
rate.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9a7dc618c50902e7a171f2deda6430d52c277a95)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This way, if the AVCodecContext is allocated for a specific codec, the
caller doesn't need to store this codec separately and then pass it
again to avcodec_open2().
It also allows to set codec private options using av_opt_set_* before
opening the codec.
(cherry picked from commit bc901998487bf9b77a423961d9f961bcc28a9291)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
I.e. free the priv_data and other stuff allocated in
avcodec_alloc_context3() and not segfault.
(cherry picked from commit 0e72ad95f9fef6a6b8ae55e47339a5c40526502f)
It allows to check whether an AVCodecContext is open in a documented
way. Right now the undocumented way this check is done in lavf/lavc is
by checking whether AVCodecContext.codec is NULL. However it's desirable
to be able to set AVCodecContext.codec before avcodec_open2().
(cherry picked from commit af08d9aeea870de017139f7b1c44b7d816cf8e56)
Conflicts:
doc/APIchanges
Using threaded decoding by default breaks backward compatibility if
AVHWAccel is used or if an appliction sets threadunsafe callbacks.
Avconv and avplay still use -threads auto if not specified.
This temporarily (until 0.8 is released) reverts commit
8e1340abc316e038bb89e5a3b46e92ff58c98a88. That commit breaks shared
builds because of symbol hiding. Reverting it will enable shared builds
for 0.8
When either video dimension is only one macroblock, subtractions
based on v_edge_pos and the macroblock size may be negative. In
that situation, an unsigned comparison isn't sufficent to test for
MV overruns, because a limit of (unsigned)-1 will let any other
value pass.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Originally, sizeof(struct MOVIentry) was 48, after the reordering,
it is 40 in my build configuration.
When writing really long mov/mp4 files, this can make a difference
- this saves a bit over 2 MB of memory per hour of video (down to
10.3 MB per hour from 12.3 MB per hour initially) for a video with
75 packets per second - 25 fps + 50 audio packets (which is the
case for AMR audio).
Signed-off-by: Martin Storsjö <martin@martin.st>
The H.264 decoder needs SPS and PPS for initialization during
multi-threaded decoding. When probed single-threaded SPS and PPS are
copied to extradata and are available for proper initialization of
the decoder before the first frame is decoded.
