This fixes SA10143.vc1 from test-suite. Also partially fixes MC-VC1.ts
from videolan streams archive.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 082829520e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Currently all uses of the emu edge code as well as the code itself
assume int linesize
changing some but not changing all would introduce a security issue
once all use this typedef a simple search and replace can be
done to switch them all to ptrdiff_t
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2ffead98dd)
Conflicts:
libavcodec/mpegvideo_common.h
libavcodec/videodsp.h
libavcodec/videodsp_template.c
libavcodec/x86/videodsp_init.c
These prevent the rgb ljpeg code from being run on parameters that it doesnt
support. No testcase available but it seems possible to trigger these.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 61c68000ed)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes Ticket2919
Found_by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 86736f59d6)
Conflicts:
libavcodec/pngdsp.c
Might fix Ticket1907 (I have no testcase so i cant test)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4758e32a6c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes Ticket2895
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9a271a9368)
Conflicts:
libavcodec/jpeg2000dec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:
libavcodec/j2kdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes Ticket2844
Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 880c73cd76)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b0ca5fef09d1b1268ea0c8f89bf53cd38aaa85e7':
dv: Add a guard to not overread the ppcm array
mpegvideo: Avoid 32-bit wrapping of linesize multiplications
mjpegb: Detect changing number of planes in interlaced video
matroskadec: Check that .lang was allocated and set before reading it
ape demuxer: check for EOF in potentially long loops
lavf: avoid integer overflow when estimating bitrate
pictordec: break out of both decoding loops when y drops below 0
ac3: Return proper error codes
Conflicts:
libavcodec/pictordec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '37e69e2dee7c5167083bb42d669f73f038111a79':
ac3: Clean up the error paths
ac3: Do not clash with normal AVERROR
dxa: Make sure the reference frame exists
h261: check the mtype index
segafilm: Error out on impossible packet size
ogg: Always alloc the private context in vorbis_header
vc1: check mb_height validity.
Conflicts:
libavcodec/h261dec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '54e03863691dcae73260f70108b3731b70773e7c':
vc1: check the source buffer in vc1_mc functions
bink: Bound check the quantization matrix.
xl: Make sure the width is valid
alsdec: Fix the clipping range
dsicinav: Bound-check the source buffer when needed
mov: Do not allow updating the time scale after it has been set
ac3dec: Don't consume more data than the actual input packet size
indeo: Reject impossible FRAMETYPE_NULL
Conflicts:
libavcodec/alsdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '06c52faef27e5bded4ceda7e6d1541f9fb20e84c':
indeo4: Check the quantization matrix index
indeo4: Do not access missing reference MV
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This makes sure that linesize * start_y doesn't overflow, so that
emulated_edge_mc can get back the original value if needed.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a711a2cb47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Otherwise picmemset can get called with negative y, resulting in an
invalid write.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5f7aecde02)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The parsing function return AVERROR and AAC_AC3_PARSE_ERROR values,
make sure they are not misunderstood.
(cherry picked from commit 6258d362b8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
It is possible to have an initial broken header and then valid packets.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3562684db7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The time scale is set in mdhd, and later validated in the
enclosing trak atom once all of its children have been parsed.
A loose mdhd atom outside of a trak atom could update the time
scale of the last stream without any validation.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 31931520df)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was handled properly in the normal return case at the end
of the function, but not in this special case.
Returning a value larger than the input packet size can cause
problems for certain library users.
Returning the actual input buffer size unconditionally, since
it is not guaranteed that frame_size is set to a sensible
value at this point.
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8f24c12be7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* qatar/release/0.8:
adpcm: Unbreak ima-dk4
ac3dec: validate channel output mode against channel count
dca: Respect the current limits in the downmixing capabilities
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ce3ce08850f1690dff01d9bb4ed6a4274d52771e':
dca: Error out on missing DSYNC
pcm: always use codec->id instead of codec_id
mlpdec: Do not set invalid context in read_restart_header
pcx: Do not overread source buffer in pcx_rle_decode
wmavoice: conceal clearly corrupted blocks
iff: Do not read over the source buffer
qdm2: Conceal broken samples
Merged-by: Michael Niedermayer <michaelni@gmx.at>
