Previously, various variables had too small a type to support the required 32-bit unsigned
range allowed by the spec
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

s->ref_pics[i] is later used as ref argument of interpolate_refplane,
where it is dereferenced.
If it is NULL, it causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

If bytes is large enough, bytes*8 can overflow and become negative.
In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.
This leads to a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
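
The two overflow patterns described in the preceding two commit messages (`bufsize -= bytes*8` and `buf_idx + data_unit_size > buf_size`), as an added example that is not taken from the commits or from the project's code. The helper names, the fixed-width types and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers. Unsigned fixed-width types are used for the bounds
 * check so the wraparound is well defined (signed overflow is undefined in C). */

/* Naive form: the sum wraps modulo 2^32, so an oversized unit "fits". */
static int unit_fits_naive(uint32_t buf_idx, uint32_t unit_size, uint32_t buf_size)
{
    return (uint32_t)(buf_idx + unit_size) <= buf_size;
}

/* Safe form: compare against the space left, which cannot wrap. */
static int unit_fits_checked(uint32_t buf_idx, uint32_t unit_size, uint32_t buf_size)
{
    return buf_idx <= buf_size && unit_size <= buf_size - buf_idx;
}

/* Safe form of 'bufsize -= bytes * 8': reject before multiplying.
 * Returns 0 and updates *bufsize on success, -1 otherwise. */
static int consume_bytes_as_bits(int *bufsize, int bytes)
{
    if (bytes < 0 || bytes > INT_MAX / 8)
        return -1;              /* bytes * 8 would overflow int */
    if (bytes * 8 > *bufsize)
        return -1;              /* more bits requested than remain */
    *bufsize -= bytes * 8;
    return 0;
}

int main(void)
{
    /* Constructed values: a 4 KiB buffer and an oversized unit length. */
    uint32_t buf_size = 4096, buf_idx = 16, unit_size = 0xFFFFFFF8u;
    int bufsize = 4096 * 8;
    int rc = consume_bytes_as_bits(&bufsize, 0x20000000);

    printf("naive:   %d\n", unit_fits_naive(buf_idx, unit_size, buf_size));
    printf("checked: %d\n", unit_fits_checked(buf_idx, unit_size, buf_size));
    printf("consume: %d (bufsize=%d)\n", rc, bufsize);
    return 0;
}
```
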
AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.
Since x_offset is only checked against the width, this can lead to
x_offset * bpp >= image_linesize.
In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

During the loop ret can get changed. Since it is not set on all failure
paths, decode_frame_common can return 0 even though an error occurred.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

This check was removed in commit 08aec6f6, but
s->last_picture.f->data[0] is still used in handle_p_frame_apng
unconditionally.
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

* rbultje/vp9-profile1-wip:
vp9: add fate test for 422.
vp9: copy bug in libvpx for 4:2:2 chroma bs=8x4/4x4 prediction.
vp9: add yuv440 fate test.
vp9: fix mask_edges and filter_plane_rows/cols() for 440.
vp9: more specifically specify mask destination to mask_edges().
vp9: add fate test for profile 1 444.
vp9: don't create special u/v filter masks for 444.
vp9: merge uv loopfilter code into generic filter_plane_rows/cols().
vp9: split out loopfilter luma rows/cols functions from loopfilter_sb().
vp9: invert order of two conditions.
vp9: use correct chroma subsampling for profile 1 inter block recon.
vp9: use correct chroma subsampling for profile 1 intra block recon.
vp9: take chroma subsampling into account when walking the block tree.
vp9: support non-420 chroma subsampling for profile 1 token decoding.
vp9: increase buffer sizes for non-420 chroma subsamplings.
vp9: profile 1 header decoding.
Merged-by: Michael Niedermayer <michaelni@gmx.at>

This also fixes intra-only MT failures (it was the same bug), see trac
4526 and 4527.
Tested-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Check extended sync word for 16-bit LE and BE core streams to reduce
probability of alias sync detection. Previously sync word extension was
checked only for 14-bit streams (and this check did not properly work
across buffer boundary).
Use 64-bit parser state to make extended sync word detection work across
buffer boundary.
This is sufficient to make the sample in ticket #4492 parse
successfully.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>