* qatar/master:
lavf: fix signed overflow in avformat_find_stream_info()
vp8: fix signed overflows
motion_est: fix some signed overflows
dca: fix signed overflow in shift
aacdec: fix undefined shifts
bink: Check for various out of bound writes
bink: Check for out of bound writes when building tree
put_bits: fix invalid shift by 32 in flush_put_bits()
Conflicts:
libavcodec/bink.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In addition to avoiding undefined behaviour, an unsigned type
makes more sense for packing multiple 8-bit values.
Signed-off-by: Mans Rullgard <mans@mansr.com>
If flush_put_bits() is called when the 32-bit buffer is empty,
e.g. after writing a multiple of 32 bits, and invalid shift by
32 is performed. Since flush_put_bits() is called infrequently,
this additional check should have negligible performance impact.
Signed-off-by: Mans Rullgard <mans@mansr.com>
* qatar/master: (24 commits)
mpegps: Use av_get_packet() instead of poorly emulating it.
motionpixels: decode only the 111 complete frames for fate
mpc8: Check out of bound bands limit
xan: Prevent NULL dereference with missing palette
xan: Check for out of bound reads in xan_huffman_decode()
xan: Fixed out of bound accesses in xan_unpack()
motionpixels: Prevent calling init_vlc() with invalid parameters
shorten: Fix out of bound writes in fix_bitshift()
dsicinav: Check for out of bounds writes
tiertexseqv: Check for out of bound reads
quickdraw: Check for out of bound reads
dsicinav: Check for out of bounds reads
motionpixels: Fix the size of workspace buffers
motionpixels: Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer
wmavoice: Check for corrupted extra data
wmavoice: Check for out of bound writes
xan: Prevent NULL dereferences with missing reference frame
bink: Prevent NULL dereferences with missing reference frame
wavpack: Reset internal state on corrupted blocks
wmapro: Validate the number of audio channels before using it
...
Conflicts:
libavcodec/h264.c
libavcodec/xan.c
tests/ref/fate/motionpixels
Merged-by: Michael Niedermayer <michaelni@gmx.at>
wavpack_decode_block() supposes that it is called back with the exact
same buffer unless it has returned with an error. With multi-channels
files, wavpack_decode_frame() was breaking this assumption.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
* hexene/stagefright:
libstagefright: start decode_thread() only after decode_frame() is called at least once.
libstagefright: mark the dummy frame as keyframe.
libstagefright: limit the output queue size
libstagefright: return EOS if CustomSource::read() is called after decode_thread() returns
libstagefright: set the correct frame size
Merged-by: Michael Niedermayer <michaelni@gmx.at>
