* commit '26589aa81028f42c763c5581a1486a271799890b':
westwood_vqa: do not free extradata on error in read_header
vqavideo: check the version
rmdec: Use the AVIOContext given as parameter in rm_read_metadata()
avio: Handle AVERROR_EOF in the same way as the return value 0
Conflicts:
libavcodec/vqavideo.c
libavformat/westwood_vqa.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '139f352daf84e005824562e0e0f36e06ac60ee36':
wtv: Mark attachment with a negative stream id
avidec: Let the inner dv demuxer take care of discarding
Conflicts:
libavformat/wtv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The extradata is already freed by avformat_open_input on
failure.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 76f5dfbfd9)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This fixes crashes when playing back certain RealRTSP streams.
When invoked from the RTP depacketizer, the full realmedia
demuxer isn't invoked, but only certain functions from it, where
a separate AVIOContext is passed in as parameter (for the buffer
containing the data to parse). The functions called from within
those entry points should only be using that parameter, not
s->pb. In the depacketizer case, s is the RTSP context, where ->pb
is null.
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d35b6cd377)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This makes sure the ffurl_read_complete function actually
returns the number of bytes read, as the documentation of the
function says, even if the underlying protocol uses AVERROR_EOF
instead of 0.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5d876be87a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
A sid 0 would be mismatched to the attachment.
Prevent NULL pointer dereference.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f5e646a00a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* qatar/release/0.8:
swfdec: do better validation of tag length
Changelog for 0.8.8
kmvc: Clip pixel position to valid range
kmvc: use fixed sized arrays in the context
indeo: use a typedef for the mc function pointer
lavc: check for overflow in init_get_bits
indeo: check for reference when inheriting mvs
indeo: use proper error code
indeo: Properly forward the error codes
wmapro: error out on impossible scale factor offsets
wmapro: check the min_samples_per_subframe
wmapro: return early on unsupported condition
wmapro: check num_vec_coeffs against the actual available buffer
Conflicts:
Changelog
libavformat/swfdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '4ff5167ee7fdee6d35c1bb2558172329ae6ec770':
wmapro: make sure there is room to store the current packet
lavc: move put_bits_left in put_bits.h
4xm: do not overread the source buffer in decode_p_block
4xm: check bitstream_size boundary before using it
4xm: reject frames not compatible with the declared version
4xm: use the correct logging context
4xm: check the return value of read_huffman_tables().
4xm: don't rely on get_buffer() initializing the frame.
vmdav: convert to bytestream2
smacker: check frame size validity
smacker: pad the extradata allocation
smacker: check the return value of smacker_decode_tree
smacker: fix an off by one in huff.length computation
Prepare for 0.8.8 Release
tiff: do not overread the source buffer
apetag: use int64_t for filesize
wavpack: return meaningful errors
Conflicts:
RELEASE
libavcodec/4xm.c
libavcodec/vmdav.c
libavformat/smacker.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '42fed7f433e6d2167ffd4aae31905b583a53b988':
wavpack: check packet size early
mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
mjpeg: Validate sampling factors
ljpeg: use the correct number of components in yuv
wavpack: validate samples size parsed in wavpack_decode_block
jpegls: check the scan offset
jpegls: factorize return paths
jpegls: return meaningful errors
mjpegdec: properly report unsupported disabled features
update Changelog
proresdec: support mixed interlaced/non-interlaced content
update Changelog
wav: Always seek to an even offset
id3v2: check for end of file while unescaping tags
indeo3: fix off by one in MV validity check
aac: check the maximum number of channels
update Changelog
oggdec: fix faulty cleanup prototype
Conflicts:
Changelog
libavcodec/jpeglsdec.c
libavcodec/mjpegdec.c
libavformat/id3v2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '43c0a87279e717c1384314c6da7155c306ee7c60':
qdm2: check that the FFT size is a power of 2
indeo3: switch parsing the header to bytestream2
indeo3: check motion vectors.
rv10: check that extradata is large enough
indeo3: fix data size check
lavf: make sure stream probe data gets freed.
dfa: check for invalid access in decode_wdlt().
xmv: check audio track parameters validity.
bmv: check for len being valid in bmv_decode_frame().
xmv: do not leak memory in the error paths in xmv_read_header()
avfiltergraph: check for sws opts being non-NULL before using them.
oma: Validate sample rates
Prepare for 0.8.7 Release
Conflicts:
RELEASE
libavcodec/indeo3.c
libavfilter/avfiltergraph.c
libavformat/utils.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Avoids trying to read a packet with 0 or negative size.
Avoids a potential infinite loop due to seeking backwards.
Partially based on a patch by Michael Niedermayer.
(cherry picked from commit e70c5b034c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This ensures that theres enough data for mpeg_probe() to recognize mpeg-ps
Fixes Ticket2583
Based on code by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c605adbf56)
Prevent an out of buffer bound write.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit af4cc2605c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The sample rate index is 3 bits even if currently index 5, 6 and 7 are
not supported.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0933fd1533)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.8:
update Changelog
fate: fetch samples that match the release series
dxva2: include dxva.h if found
iff: validate CMAP palette size
Changelog: document msrle bugfix
Changelog: cosmetics, remove trailing periods and sort
msrledec: check bounds before constructing a possibly invalid pointer,
Conflicts:
Changelog
configure
libavformat/iff.c
tests/Makefile
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '327ff82bac3081d918dceb4931c77e25d0a1480d':
msrle: convert MS RLE decoding function to bytestream2.
Update Changelog for the 0.8.6 Release
wmaprodec: require block_align to be set.
ivi_common: do not call MC for intra frames when dc_transform is unset
roqvideodec: fix a potential infinite loop in roqvideo_decode_frame().
Revert "libmp3lame: use the correct remaining buffer size when flushing"
lzo: fix overflow checking in copy_backptr()
flacdec: simplify bounds checking in flac_probe()
atrac3: avoid oversized shifting in decode_bytes()
avconv: skip attached files when selecting streams to read from.
lavf: fix arithmetic overflows in avformat_seek_file()
Conflicts:
Changelog
avconv.c
libavcodec/libmp3lame.c
libavcodec/msrledec.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f82e127dd9c7c0d54bf6400f83c7825e571f9a9e':
parser: fix large overreads
dsputil: fix invalid array indexing
shorten: use the unsigned type where needed
shorten: report meaningful errors
shorten: K&R formatting cosmetics
shorten: set invalid channels count to 0
matroskadec: request a read buffer for the wav header
h264: check for luma and chroma bit depth being equal
vc1: Move init code shared between decoder and parser to common code file.
libmp3lame: use the correct remaining buffer size when flushing
xxan: fix invalid memory access in xan_decode_frame_type0()
wmadec: require block_align to be set.
Conflicts:
libavcodec/h264.c
libavcodec/libmp3lame.c
libavcodec/shorten.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9b79a05289d91d1184455d12e6c4df457f0657c4':
wmaprodec: return an error, not 0, when the input is too small.
vmdaudio: fix invalid reads when packet size is not a multiple of chunk size
vorbisdec: Error on bark_map_size equal to 0.
configure: clean up Altivec detection
Update RELEASE file for 0.8.6
update year to 2013
oggdec: make sure the private parse data is cleaned up (cherry picked from commit d894f74762)
build: Fix CAF demuxer dependencies
doc: developer: Allow tabs in the vim configuration for Automake files
doc: filters: Correct BNF FILTER description
Conflicts:
RELEASE
cmdutils.c
libavcodec/vmdav.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes decoding with picky media players.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b448c0a68d)
Conflicts:
libavformat/movenc.c
Many players ignore broken aac frames, so don't abort mov or flv
muxing when encountering one, just print a warning instead.
Fixes ticket #2380.
(cherry picked from commit 1741fece70)
Conflicts:
libavformat/flvenc.c
Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'.
Avoid a possible out-of-bounds pointer, which is undefined behavior
in C.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 8425d693ee)
The values compared here can be more than INT64_MAX apart. Since the
difference is always positive, converting to uint64_t before subtracting
gives the correct result without overflows.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 91ac403b13)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
If the first "special" character in a filename is a comma,
it can introduce protocol options, but only if there is a
colon at the end. Otherwise, it is just a filename with a
comma.
Fix trac ticket #2303.
(cherry picked from commit d9fad53f4b)
The QuickTime specification does not contain any hint that the atom
must not be written in some cases and both the QuickTime and the
AVID decoders do not fail if the atom is present.
This change allows to signal (visually) interlaced streams with
a codec different from uncompressed video.
As a side-effect, this fixes ticket #2202
(cherry picked from commit 7d0e3b197c)
Conflicts:
libavformat/movenc.c
tests/ref/lavf/mov
tests/ref/seek/lavf_mov
tests/ref/vsynth/vsynth1-avui
tests/ref/vsynth/vsynth1-dnxhd-1080i
tests/ref/vsynth/vsynth1-mpeg4
tests/ref/vsynth/vsynth2-avui
tests/ref/vsynth/vsynth2-dnxhd-1080i
tests/ref/vsynth/vsynth2-mpeg4
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 902cfe2f74)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The check `start + res < start' is broken since pointer overflow is
undefined behavior in C. Many compilers such as gcc/clang optimize
away this check.
Use `res > end - start' instead. Also change `res' to unsigned int
to avoid signed left-shift overflow.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2f014567cf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
