Damaged frames can lead to a mismatch, which can cause a segfault
due to using an incorrect channel mapping.
CC:libav-stable@libav.org
(cherry picked from commit d7c450436fcb9d3ecf59884a574e7684183e753d)
Conflicts:
libavcodec/ac3dec.c
The faulty values rippled further down the codepath causing a
hard-to-track segfault in the assembly code.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e9d394f3fad7e8fd8fc80e3b33cb045bbaceb446)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/mlpdec.c
qdm2 does support only two channels. Loop over the run once.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit adadc3f2443d25b375e21e801516ccfd78e0b080)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Checking per subband would have the index exceed the
dithering noise table size.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 744a11c996641888d477a3981d609e79eeb69ea9)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/qdm2.c
The extradata is already freed by avformat_open_input on
failure.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 76f5dfbfd902178df4a38221a68dc8540189345a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This fixes crashes when playing back certain RealRTSP streams.
When invoked from the RTP depacketizer, the full realmedia
demuxer isn't invoked, but only certain functions from it, where
a separate AVIOContext is passed in as parameter (for the buffer
containing the data to parse). The functions called from within
those entry points should only be using that parameter, not
s->pb. In the depacketizer case, s is the RTSP context, where ->pb
is null.
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d35b6cd3775456a23b63e73316e244b671caa02f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This makes sure the ffurl_read_complete function actually
returns the number of bytes read, as the documentation of the
function says, even if the underlying protocol uses AVERROR_EOF
instead of 0.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5d876be87a115b93dd2e644049e3ada2cfb5ccb7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
A sid 0 would be mismatched to the attachment.
Prevent NULL pointer dereference.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f5e646a00ac21e500dae4bcceded790a0fbc5246)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Avoids trying to read a packet with 0 or negative size.
Avoids a potential infinite loop due to seeking backwards.
Partially based on a patch by Michael Niedermayer.
(cherry picked from commit e70c5b034c4787377e82cab2d5565486baec0c2a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Avoid some boilerplate code to dynamically allocate and then free the
buffers.
(cherry picked from commit 8f689770548c86151071ef976cf9b6998ba21c2a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/kmvc.c
Fix an undefined behaviour and make the function return a proper
error in case of overflow.
CC: libav-stable@libav.org
(cherry picked from commit d9cf5f516974c64e01846ca685301014b38cf224)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 7a2ee770f520ae4fd5f009cfc361a18e993dec91)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The same is done already for qdelta.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b36e1893ef3430f039c1eaddeedcbb378f9c4444)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If the tile data size does not match the buffer size it did not
return an AVERROR_INVALIDDATA causing futher corruption later.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7388c0c58601477db076e2e74e8b11f8a644384a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/ivi_common.c
Must be at least WMAPRO_BLOCK_MIN_SIZE.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d4a217a408da4bd63acc02cd8f9ebe378a2ad65a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/wmaprodec.c
Check for out of picture macroblocks before calling mcdc.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/4xm.c
