32467 Commits

Author SHA1 Message Date
Luca Barbato
bf0cb89a8d configure: Update freetype check to follow upstream
The freetype tutorial suggests to use #include FT_FREETYPE_H.

Bug-Id: 616
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

(cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba)

Conflicts:
	configure
2014-03-13 12:47:49 +01:00
Luca Barbato
ec772cca60 drawtext: Drop pointless header
It should be forward compatible with newer freetype.

(cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-03-13 12:47:12 +01:00
Diego Biurrun
7b00340f97 configure: Support preprocessor macros as header names
New versions of FreeType have moved the location of their API
header(s) and hide the location behind a macro.

Since the location changes between versions and no other way
to know the location exists, this workaround becomes necessary.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	configure
2014-03-13 12:46:10 +01:00
Janne Grunau
0120e480bf arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6
The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.
2014-03-09 00:31:31 +01:00
Janne Grunau
fd2fc130b2 arm: hpeldsp: prevent overreads in armv6 asm
Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>

Bug-Id: 646
CC: libav-stable@libav.org
2014-03-06 09:06:39 +01:00
Anton Khirnov
3da4fdd5ac lagarith: reallocate rgb_planes when needed
Fixes invalid writes on pixel format changes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)
(cherry picked from commit bd57e783437f990c3ac4747eeebe20332e103980)
2014-02-28 23:07:41 -05:00
Anton Khirnov
2fb0a52e70 lagarith: avoid infinite loop in lag_rac_refill()
range == 0 happens with corrupted files

CC:libav-stable@libav.org
(cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8bce2c60b8ebc31899d576dde3bbe6205faae97d)
2014-02-28 23:07:40 -05:00
Ronald S. Bultje
2c1d84499b lagarith: pad RGB buffer by 1 byte.
For left HFYU prediction, we predict from the buffer buf+1 using 8- or
16-byte reads. This means that aligning the buffer by 16 bytes is in
itself not sufficient, because if the width itself is 16- or 8-byte
aligned, the buffer will not be padded, and thus a read of size 16 at
buf+1 will overflow boundaries at the right edge. Padding the buffer by
1 byte is sufficient to not overflow its boundaries.

Fixes bug 342.

(cherry picked from commit 98d0d19208959766a58f13dd6a678d1f765a26ac)
2014-02-28 23:07:40 -05:00
Anton Khirnov
de0e442e9d truemotion1: check the header size
Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)
(cherry picked from commit 76b40a9bf93e387d98aa7dc02ec7a8d13f51722f)
2014-02-28 23:07:40 -05:00
Anton Khirnov
43aa7eb38e shorten: pad the internal bitstream buffer
Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)
(cherry picked from commit 5881ec0ea58a95403bd375b63f22d49905cdd8e5)
2014-02-28 23:07:40 -05:00
Justin Ruggles
9786c24bb7 samplefmt: avoid integer overflow in av_samples_get_buffer_size()
CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)
(cherry picked from commit e9b3abd49890e958c745ea46a9f4f91b6b4baa58)

Conflicts:
	libavutil/samplefmt.c
2014-02-28 23:07:40 -05:00
Luca Barbato
4279e0e8d0 h264: Fix a typo from the previous commit
f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +

CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
(cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab)
2014-02-28 23:07:40 -05:00
Vittorio Giovara
a6003760bd h264: Lower bound check for slice offsets
And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)

Conflicts:
	libavcodec/h264.c

(cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c)

Conflicts:
	libavcodec/h264.c
2014-02-28 23:07:40 -05:00
Anton Khirnov
cf676c159b rpza: limit the number of blocks to the total remaining blocks in the frame
Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-02-14 11:43:59 +01:00
Reinhard Tartler
36017d49e2 Prepare for 0.8.11 Release 2014-02-06 23:26:33 -05:00
Anton Khirnov
8cade1352b lavf: make av_probe_input_buffer more robust
Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-06 23:01:14 -05:00
Reinhard Tartler
5522c564d4 Updated Changelog for 0.8.10 2014-02-02 12:54:52 -05:00
Anton Khirnov
b0db7a523d oggparseogm: check timing variables
Fixes a potential divide by zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bf7c240a50f8ed99a42e08bb7a8a70262cce34ad)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:48:58 -05:00
Anton Khirnov
e03b875c0b mathematics: remove asserts from av_rescale_rnd()
It is a public function, it must not assert on its parameters.

(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 03bfd8419fbaf9c72b293457437bd508dea64736)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:48:45 -05:00
Michael Niedermayer
30c8a5e4f6 vc1: Always reset numref when parsing a new frame header.
Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.

CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:48:34 -05:00
Anton Khirnov
716ee73c99 h264: reset num_reorder_frames if it is invalid
An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavcodec/h264_ps.c

(cherry picked from commit 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:48:16 -05:00
Anton Khirnov
979f77b0dc h264: check that an IDR NAL only contains I slices
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62ed6da016b789eee00e0fff517df4a254e12e5d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavcodec/h264.c
2014-02-02 12:48:04 -05:00
Martin Storsjö
2f4e066d66 mov: Free an earlier allocated array if allocating a new one
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:45:09 -05:00
Anton Khirnov
6a56d16dc1 segafilm: fix leaks if reading the header fails
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728782c0d30433efa11f1238a16aed994e9b563)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavformat/segafilm.c
2014-02-02 12:44:20 -05:00
Anton Khirnov
23144c5f06 h264_cavlc: check the size of the intra PCM data.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit b5275ca1a805436ca12540c34dd5ed1671877434)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:41:02 -05:00
Luca Barbato
e964207e6c cavs: Check for negative cbp
Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c85e5f13f6ac9c4c90125e7671d89009e57f9df9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavcodec/cavsdec.c
2014-02-02 12:36:15 -05:00
Luca Barbato
2c0bfce4cb avi: DV in AVI must be considered single stream
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3485a07977f17b8d4709fb327be4fc29031032b7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-02 12:29:54 -05:00
Justin Ruggles
b68e5b1195 avutil: use align == 0 for default alignment in audio sample buffer functions
Fixes: http://pad.lv/1264886, http://pad.lv/1241439
(cherry picked from commit 0109a09dc3850eb5dbff84a7bb50eb252a5a8f22)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavutil/avutil.h
2014-02-01 14:59:12 -05:00
Michael Niedermayer
cb5d0ea0be flashsv: Check diff_start diff_height values
Fix out of array accesses.

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Adresses: CVE-2013-7015
(cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 10d48fe6d3963842319b1d8d738a318020836e72)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 14:06:24 -05:00
Michael Niedermayer
ef6c90e102 dsputil/pngdsp: fix signed/unsigned type in end comparison
Fixes out of array accesses and integer overflows.

(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavcodec/pngdsp.c
2014-02-01 14:05:47 -05:00
Michael Niedermayer
d04194db45 vqavideo: check chunk sizes before reading chunks
Fixes out of array writes

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)

CC: libav-stable@libav.org

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a)

Addresses: CVE-2013-0865

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ab434bf0d051008a329d49d0256faa5d64e2bf4d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 14:03:28 -05:00
Luca Barbato
976a7b72a3 avi: directly resync on DV in AVI read failure
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Adresses CVE-2013-0856
(cherry picked from commit 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2014-02-01 14:02:20 -05:00
Luca Barbato
a89acaa0b0 get_bits: change the failure condition in init_get_bits
Too much code relies in having init_get_bits fed with a valid
buffer and set its dimension to 0.

Check for NULL buffer instead.

(cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-01-25 01:01:25 +01:00
Luca Barbato
8b24e17d09 twinvq: Cope with gcc-4.8.2 miscompilation
Apparently gcc-4.8.2 miscompiles enums resulting in a lucky fpe soon
after it.

Passing the enum value as integer makes the ftype == FT_PPC condition
evaluates correctly.
2014-01-07 14:21:53 +01:00
Sean McGovern
3736b13753 Changelog for 0.8.10 2014-01-07 09:43:58 +01:00
Ben Jackson
1123870879 pthread: Avoid spurious wakeups
pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup).

The FF_THREAD_SLICE thread mechanism could spontaneously execute
jobs or allow the caller of avctx->execute to return before all
jobs were complete.

Test both cases to ensure the wakeup is real.

Signed-off-by: Ben Jackson <ben@ben.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 311583e7798237be5cc531d672a9e37f8c729d83)
2014-01-07 09:43:58 +01:00
Derek Buitenhuis
48d57650f1 pthread: Fix deadlock during thread initialization
Sometimes, if pthread_create() failed, then pthread_cond_wait() could
accidentally be called in the worker threads after the uninit function
had already called pthread_cond_broadcast(), leading to a deadlock.

Don't call pthread_cond_wait() if c->done is set.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 1a5a6ac01b0ad2cf3d2128372ea41f3c1cfc2d3f)
2014-01-07 09:43:58 +01:00
Martin Storsjö
371659d1ad mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
This fixes breakage in a few fate tests on certain setups
(that for some reason didn't break on OS X) after the previous
commit (8812a8057). Currently, some video streams are initialized
in ff_MPV_common_init with width/height set at 0 and only changed
to a proper video size with ff_MPV_common_frame_size_change later.

The breakage was diagnosed by Anton Khirnov.

Signed-off-by: Martin Storsjö <martin@martin.st>
2014-01-07 09:43:58 +01:00
Michael Niedermayer
c00e491aeb vc1dec: Don't decode slices when the latest slice header failed to decode
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>

Conflicts:
	libavcodec/vc1dec.c
2014-01-07 09:43:58 +01:00
Martin Storsjö
9925f7df0a vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	libavcodec/vc1dec.c
(cherry picked from commit 494f2d4f9e834db1eaf1a7d0160d497f9802013d)
2014-01-07 09:43:58 +01:00
Martin Storsjö
29fa517d40 r3d: Add more input value validation
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>

Conflicts:
	libavformat/r3d.c
2014-01-07 09:43:58 +01:00
Martin Storsjö
fbc52044f3 fraps: Make the input buffer size checks more strict
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>

Conflicts:
	libavcodec/fraps.c
2014-01-07 09:43:58 +01:00
Martin Storsjö
49c1defee5 svq3: Avoid a division by zero
If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)
2014-01-07 09:43:58 +01:00
Martin Storsjö
871baf3127 rmdec: Validate the fps value
Abort if it is invalid if strict error checking has been requested.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	libavformat/rmdec.c
2014-01-07 09:43:58 +01:00
Martin Storsjö
591d5281f5 twinvqdec: Check the ibps parameter separately
This is required, since invalid parameters actually could
pass the switch check below.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)
(cherry picked from commit 9b9aee27f4e43b4a6b0884f8a6f49eb0289d7c09)
2014-01-07 09:43:58 +01:00
Martin Storsjö
e972338e35 asfdec: Check the return value of asf_read_stream_properties
This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d)
2014-01-07 09:43:58 +01:00
Anton Khirnov
90294e31a1 mxfdec: set audio timebase to 1/samplerate
Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron <matthieu.bouron@gmail.com>

Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
CC: libav-stable@libav.org
(cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-01-07 09:43:58 +01:00
Martin Storsjö
d92c908e23 pcx: Check the packet size before assuming it fits a palette
This fixes reads out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Conflicts:
	libavcodec/pcx.c
(cherry picked from commit 7e350b7ddd19af856b55634233d609e29baab646)
2014-01-07 09:43:58 +01:00
Martin Storsjö
cb4a101fbe rpza: Fix a buffer size check
We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f06e39fe6b272a11782c023c31eec43bfce3138d)
2014-01-07 09:43:58 +01:00
Martin Storsjö
d3986f4f1b xxan: Disallow odd width
Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2014-01-07 09:43:57 +01:00