When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, e.g. in
try_decode_frame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)
Conflicts:
libavcodec/h264.c
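The stall described in the first commit message above, as an added C model that is not libav's code: `model_decode()`, `feed_packet()` and `sample_pkt` are hypothetical names, the packet is constructed, and NAL types are ignored. The `skip_tail` flag selects between the old tail handling and the fixed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed packet: start code, end-of-sequence NAL (type 10), 5 junk bytes. */
static const uint8_t sample_pkt[] = { 0x00, 0x00, 0x01, 0x0A,
                                      0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

/* Simplified start-code scanner (assumption: models only the index
 * handling). Returns the number of bytes consumed from buf. */
static size_t model_decode(const uint8_t *buf, size_t size, int skip_tail)
{
    size_t idx = 0;
    for (;;) {
        for (; idx + 3 < size; idx++)   /* look for 00 00 01 */
            if (buf[idx] == 0 && buf[idx + 1] == 0 && buf[idx + 2] == 1)
                break;
        if (idx + 3 >= size) {          /* no further NAL unit fits */
            if (skip_tail)
                idx = size;             /* fixed: consume the trailing junk */
            break;                      /* old: idx stops 3 bytes short */
        }
        idx += 4;                       /* skip start code and header byte */
    }
    return idx;
}

/* Caller that re-feeds the unconsumed remainder. Returns the number of
 * calls made, or -1 when a call consumes nothing (without this guard
 * the loop would never terminate). */
static int feed_packet(const uint8_t *buf, size_t size, int skip_tail)
{
    int calls = 0;
    while (size > 0) {
        size_t used = model_decode(buf, size, skip_tail);
        calls++;
        if (used == 0)
            return -1;
        buf += used;
        size -= used;
    }
    return calls;
}

int main(void)
{
    printf("old tail handling:   %d\n", feed_packet(sample_pkt, sizeof sample_pkt, 0));
    printf("fixed tail handling: %d\n", feed_packet(sample_pkt, sizeof sample_pkt, 1));
    return 0;
}
```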
(cherry picked from commit 147ff24a0e8d819615a0f596df3ea47dddd79fdc)
Conflicts:
libavcodec/libvorbis.c
Fixes a part of Bug 277
Signed-off-by: Anton Khirnov <anton@khirnov.net>
- enable the options for audio encoding
- properly check for user-set maxrate
- use correct calling order in vorbis_encode_setup_managed()
(cherry picked from commit 182d4f1f3855460ee8634ea052f33332cf9d174e)
Conflicts:
libavcodec/libvorbis.c
Fixes a part of Bug 277
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If decoding a second complementary field, and the first was
decoded in our thread, mark decoding of that field as complete.
If decoding fails, mark the decoded field/frame as complete.
Do not allow switching between field modes or field/frame mode
between slices within the same field/frame. Ensure that two
subsequent fields cover top/bottom (rather than top/frame,
bottom/frame or such nonsense situations).
Fixes various deadlocks when decoding samples with errors in
reference frames.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1e26a48fa23ef8e1cbc424667d387184d8155f15)
Fixes Bug 118
Conflicts:
libavcodec/h264.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
ALS spec:
11.6.3.1.1 Quantization and encoding of parcor coefficients
...
In all cases the resulting quantized values ak are restricted to the range [-64,63].
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Values that fail this check will cause failure of decode_rice()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Fixes CVE-2012-2794
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Found by John Villamil <johnv@matasano.com>
(cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2012-2800
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It's not used outside of ivi_common.c
(cherry picked from commit 5d2170c53bf4c2b0499f230c43764e4acf228f88)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Protects from overreads.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 29b0d94b43ac960cb442049a5d737a3386ff0337)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decode function assumes that the video will have those dimensions.
Fixes CVE-2012-2801
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If there is an error during frame parsing, but AVCodecContext.channels was
changed and AC3DecodeContext.out_channels was set previously, the two may not
match.
Fixes CVE-2012-2802
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 56b6a43056235fc110a018678da590595734203d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Duplicate values in this vector are explicitly banned by the Vorbis I spec
and cause divide-by-zero crashes later on.
(cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Correct handling of errors to prevent hangs or crashes is very complex
otherwise.
The frame initializing is also moved from decode_slice() to
decode_frame() for clarity.
(cherry picked from commit 73ad4471a48bd02b2c2a55de116161b87e061023)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e96b4a53df101403c54e329abfadad2edddc47c4)
Conflicts:
libavcodec/4xm.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>