Currently the code can in some cases draw tiles that hang outside the
allocated buffer. This patch increases the buffer size to avoid out
of array accesses. An alternative would be to fail if such tiles are
encountered.
I do not know if any valid files use such hanging tiles.
Fixes Ticket2971
Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Avoid overwriting the bitstream buffer data before we
have ended processing the frame.
This is necessary to fix hwaccels which might try to use
the buffer during the end_frame call.
I am not sure but it is possible this could even trigger
a use-after-free if the av_fast_malloc allocated a new buffer.
This would require that decode_slice did not wind the bitstream
forward all the way to the end, which does not currently happen in
normal streams.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
The specification does not allow multiple bits to be set,
but some encoders do it anyway.
Applying it only to the first seems to give better results.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
* commit '3185a80259ce1f8f8111073dbd14a69a396e03a3':
fraps: Make the input buffer size checks more strict
Conflicts:
libavcodec/fraps.c
The added checks are mostly to handle duplicate frames, which
we discard, thus there are also no P frames for example.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '601c2015bc16f0b281160292a6a760cbbbb0eacb':
svq3: Avoid a division by zero
Conflicts:
libavcodec/svq3.c
See: 4fa706a4a6
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7a5a55722749a3ab77941914707277b147322cbe':
qpeg: Add checks for running out of rows in qpeg_decode_inter
Conflicts:
libavcodec/qpeg.c
See: 4299dfa5de
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e9d61de96c113ee0ef8082833c7e682df0e23eec':
mpegaudiodec: Validate that the number of channels fits at the given offset
Conflicts:
libavcodec/mpegaudiodec.c
See: 51fcf276f8
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f50803354c6acb4575379d7c54ca48ec5d36dd61':
asvdec: Verify the amount of extradata
See: 605f2b6b00
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This is similar to the fix in 35cbc98b.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
The init function reads one byte of extradata.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '5372cda67109848d22146289e401669266217e80':
rv10: Validate the dimensions set from the container
This check could be replaced by a width==0||height==0
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c4bfa098072ba338d83555d6e2199f7e1e64ffff':
Add a WebP decoder
Conflicts:
Changelog
doc/general.texi
libavcodec/Makefile
libavcodec/avcodec.h
libavcodec/version.h
libavformat/img2.c
The previously existing webp decoder is disabled as the new
one supports lossless mode and alpha while the previous does not.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9ae53c5860e17d087642d27b00dade071970a2e7':
lavc: add ff_u8_to_s8() for safe type punning of uint8_t to int8_t
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '18a245a2aea31b92bc435f2962a71e060d83b5f7':
jpeg2000dec: Add more checks when parsing headers
The check cannot be true in FFmpeg, but does no harm.
I will move it in a subsequent commit so it can detect missing SIZ
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This is required, since invalid parameters actually could
pass the switch check below.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
A change in framesize caused a perpetual loss of synchronization.
So read (and use) the frame size from the frame header instead of
setting it only once.
Signed-off-by: Diego Biurrun <diego@biurrun.de>
It's not our responsibility to account for other projects'
terrible hacky usage.
Also, it is no longer needed by XMBC, since 78b71d4.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
* commit 'ea78a348d86a3a733f6c1e0a65cfdd8283d924b9':
eacmv: Make sure a reference frame exists before referencing it
Conflicts:
libavcodec/eacmv.c
See: 113d7be624
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a92538b7c0defc86c55fb91f55dfa36aad192673':
ivi_common: Make sure color planes have been initialized
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '711c970168297683860422e95d6b7e37ee3c8367':
rv34: Check the return value from ff_rv34_decode_init
Conflicts:
libavcodec/rv30.c
libavcodec/rv40.c
See: b86651a208
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e1f3847f860a1094a46be4c5f10db8df616c3135':
mace: Make sure that the channel count is set to a valid value
Conflicts:
libavcodec/mace.c
See: 6df1cfa7e4
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1115689d54ea95a084421f5a182b8dc56cbff978':
svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
Conflicts:
libavcodec/svq3.c
See: 019eb2c77b
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '187105ff8a02bafc9c58d9d8363bb3f55a415635':
Fix references to deleted avcodec_encode_video() function
Merged-by: Michael Niedermayer <michaelni@gmx.at>