buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
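The overflow described in the commit message above, as an added example that is not FFmpeg's code: the summed bounds check next to a form that compares against the remaining space. Only buf_idx, data_unit_size and buf_size come from the message; the function names and the uint32_t types are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the check. The variable names come from the commit
 * message; the function names and the uint32_t types are assumptions. */

/* Before: buf_idx + data_unit_size can wrap around, so an oversized unit
 * produces a small sum and is treated as fitting in the buffer. */
static int unit_fits_unchecked(uint32_t buf_idx, uint32_t data_unit_size,
                               uint32_t buf_size)
{
    return !(buf_idx + data_unit_size > buf_size);
}

/* After: compare the unit size with the space left after buf_idx.
 * No addition is performed, so nothing can wrap. */
static int unit_fits_checked(uint32_t buf_idx, uint32_t data_unit_size,
                             uint32_t buf_size)
{
    if (buf_idx > buf_size)
        return 0;
    return data_unit_size <= buf_size - buf_idx;
}

int main(void)
{
    /* Constructed inputs: a 64-byte buffer with the read position at 16. */
    const uint32_t buf_size = 64, buf_idx = 16;
    const uint32_t sizes[] = { 8, 48, 49, UINT32_MAX - 7 };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("data_unit_size=%10lu unchecked=%d checked=%d\n",
               (unsigned long)sizes[i],
               unit_fits_unchecked(buf_idx, sizes[i], buf_size),
               unit_fits_checked(buf_idx, sizes[i], buf_size));
    return 0;
}
```

Only the last input separates the two functions: its sum wraps to 8, so the summed check accepts it while the remaining-space check rejects it.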
AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.
Since x_offset is only checked against the width, this can lead to
x_offset * bpp >= image_linesize.
In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
During the loop ret can get changed. Since it is not set on all failure
paths, decode_frame_common can return 0 even though an error occurred.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This check was removed in commit 08aec6f6, but
s->last_picture.f->data[0] is still used in handle_p_frame_apng
unconditionally.
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* rbultje/vp9-profile1-wip:
vp9: add fate test for 422.
vp9: copy bug in libvpx for 4:2:2 chroma bs=8x4/4x4 prediction.
vp9: add yuv440 fate test.
vp9: fix mask_edges and filter_plane_rows/cols() for 440.
vp9: more specifically specify mask destination to mask_edges().
vp9: add fate test for profile 1 444.
vp9: don't create special u/v filter masks for 444.
vp9: merge uv loopfilter code into generic filter_plane_rows/cols().
vp9: split out loopfilter luma rows/cols functions from loopfilter_sb().
vp9: invert order of two conditions.
vp9: use correct chroma subsampling for profile 1 inter block recon.
vp9: use correct chroma subsampling for profile 1 intra block recon.
vp9: take chroma subsampling into account when walking the block tree.
vp9: support non-420 chroma subsampling for profile 1 token decoding.
vp9: increase buffer sizes for non-420 chroma subsamplings.
vp9: profile 1 header decoding.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This also fixes intra-only MT failures (it was the same bug), see trac
4526 and 4527.
Tested-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Check extended sync word for 16-bit LE and BE core streams to reduce
probability of alias sync detection. Previously sync word extension was
checked only for 14-bit streams (and this check did not properly work
across buffer boundary).
Use 64-bit parser state to make extended sync word detection work across
buffer boundary.
This is sufficient to make the sample in ticket #4492 parse
successfully.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7a4f74eed51f914e9bbfebaffd4a92ac6791f819':
h264: embed the DPB in the context
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '88c612e3a4d5b584e2d9f6e2541de78d67bdfb9f':
h264: merge the init and reinit paths in update_thread_context()
Conflicts:
libavcodec/h264_slice.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '8a66fd40260b7aae6226d68c4dbad43b05a8e524':
h264: drop the reinit parameter from init_slice_header()
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c9ccbc7333eddd025ebbde5cc4f27d68a950c623':
h264: update the current bit depth/chroma type in init_slice_header()
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '440e8dd374b732c48d564d9f1bb0ec3b1b786fb9':
h264: drop a comment that carries no useful information
Merged-by: Michael Niedermayer <michaelni@gmx.at>