Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Version from vqa header does not dictate which sound chunks may
appear in file.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>

Also remove some write-only variables or write-only variable
assignments, remove internal colorspace conversion to native
endianness (that can be done by swscale much more efficiently),
and some cosmetics.

Prevents running error resilience on a previous frame which will write
to the pic->mb_type[] array of the previous image. The array might
already be re-used for a new image in a subsequent thread, thus cause
two threads to write to the same pic->mb_type[] array, causing a race
condition which can crash in rv34_decode_cbp(), called by
rv34_decode_inter_mb_header() (which accesses mb_type[] twice,
assuming values are maintained, which the race condition breaks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Before this, they were only added to the delayed release queue and not
freed until later. This could lead to unnecessary memory use or buffer
exhaustion.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>

lf_delta.ref[i] and lf_delta.mode[i] were incorrectly reset to 0 if
the specific delta value was not updated. Fixed to keep the previous value
if the flag indicates that the element in question is not updated.
Signed-off-by: Janne Salonen <jsalonen@google.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>

This makes sure the reset flag gets set when SBR gets turned back on
and sets control variables for unguided mode back to their defaults.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

If the next header frame codes zero envelopes the previous frame's
values will be used. Consequently the invalid values must be cleared.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Prevents a signflip in the counter, and a subsequent crash because of
overreads/overwrites.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Correct handling of errors to prevent hangs or crashes is very complex
otherwise.
The frame initializing is also moved from decode_slice() to
decode_frame() for clarity.