* commit '6f4404b24bcf59ab29cd4b57995d374a578f51a7':
h264: set parameters from SPS whenever it changes
alac: Limit max_samples_per_frame
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '27ac9585c97d35b809382be5634c8e5f7211243a':
h264: reset data partitioning at the beginning of each decode call
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '51ae8e26af8f5b26efb41edc0fe4812368d16ae9':
h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7f33a24e824c6d20cb941e6b20c5382becfbc923':
h264: check that execute_decode_slices() is not called too many times
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3ee26080d6b3e777992b4b4124e62e1bf0ac0a65':
h264: reset data_partitioning if decoding the slice header for NAL_DPA fails
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In case start_frame() fails, this potentially invalid frame can still be
output to the caller.
Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206
Prevents using GetBitContexts with data from previous calls.
Fixes access to freed memory.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Otherwise the ER code might try to use some already freed references.
Fixes possible access to freed memory.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
In this case we may not have a current frame, while first_field being
set implies we do.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
There is no point in delaying the check and it avoids bugs with a
half-initialized context.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
* commit '2c1d84499bfe06d75e9160b824eeffd9f5587337':
lagarith: pad RGB buffer by 1 byte.
truemotion1: check the header size
shorten: pad the internal bitstream buffer
samplefmt: avoid integer overflow in av_samples_get_buffer_size()
h264: Fix a typo from the previous commit
h264: Lower bound check for slice offsets
rpza: limit the number of blocks to the total remaining blocks in the frame
Conflicts:
libavcodec/lagarith.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '979f77b0dc40571761999633a38d97be9a1670c8':
h264: check that an IDR NAL only contains I slices
mov: Free an earlier allocated array if allocating a new one
segafilm: fix leaks if reading the header fails
h264_cavlc: check the size of the intra PCM data.
cavs: Check for negative cbp
avi: DV in AVI must be considered single stream
avutil: use align == 0 for default alignment in audio sample buffer functions
Conflicts:
libavcodec/cavsdec.c
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
f777504f64 changed a - in +
CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fb)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
(cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab)
And use the value from the specification.
Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f64)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)
Conflicts:
libavcodec/h264.c
(cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c)
Conflicts:
libavcodec/h264.c
* commit 'f82e127dd9c7c0d54bf6400f83c7825e571f9a9e':
parser: fix large overreads
dsputil: fix invalid array indexing
shorten: use the unsigned type where needed
shorten: report meaningful errors
shorten: K&R formatting cosmetics
shorten: set invalid channels count to 0
matroskadec: request a read buffer for the wav header
h264: check for luma and chroma bit depth being equal
vc1: Move init code shared between decoder and parser to common code file.
libmp3lame: use the correct remaining buffer size when flushing
xxan: fix invalid memory access in xan_decode_frame_type0()
wmadec: require block_align to be set.
Conflicts:
libavcodec/h264.c
libavcodec/libmp3lame.c
libavcodec/shorten.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.
Avoid the possible problems described in CVE-2013-2277
* qatar/release/0.8:
Update Changelog
h264: check ref_count validity for num_ref_idx_active_override_flag
h264: check context state before decoding slice data partitions
oggdec: free the ogg streams on read_header failure
oggdec: check memory allocation
Fix uninitialized reads on malformed ogg files.
rtsp: Recheck the reordering queue if getting a new packet
opt: avoid segfault in av_opt_next() if the class does not have an option list
alacdec: do not be too strict about the extradata size
Conflicts:
Changelog
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a335ffd7f4cdaaa6a8fe4187f6f06b0418eea19a':
h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
h264: check sps.log2_max_frame_num for validity
h264: slice-mt: get last_pic_dropable from master context
ppc: always use pic for shared libraries
h264: error out on unset current_picture_ptr for h->current_slice > 0
flashsv: make sure data for zlib priming is available
h264: enable low delay only if no delayed frames were seen
flashsv: check for keyframe before using differential coding
lavf: avoid integer overflow in ff_compute_frame_duration()
aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
APIchanges: Fill in missing commit hashes
Conflicts:
doc/APIchanges
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '01a4e7f623a2e6dc95862f9a56c777f058d7bfaf':
lavf: Bump minor version to distinguish branch and master version numbers
vp6: properly fail on unsupported feature
mp3: properly forward mp_decode_frame errors
mpeg12: do not decode extradata more than once.
indeo3: when freeing buffers, set pointers referencing them to NULL as well
indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
avconv: fix copying per-stream metadata.
id3v2: fix reading unsynchronized frames.
h264: Fix parameters to ff_er_add_slice() call
build: fix 'clean' target
Conflicts:
avconv.c
libavcodec/mpeg12.h
libavformat/id3v2.c
libavformat/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumely broken SPS.
CC: libav-stable@libav.org
(cherry picked from commit 706acb558a)
Conflicts:
libavcodec/h264.c
s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.
(cherry picked from commit e6160bda98)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* commit 'be209bdabb11c59de17220bdbf0bf9c9f7cc16f5':
vf_pad: don't give up its own reference to the output buffer.
libvorbis: use VBR by default, with default quality of 3
libvorbis: fix use of minrate/maxrate AVOptions
h264: fix deadlocks on incomplete reference frame decoding.
cmdutils: avoid setting data pointers to invalid values in alloc_buffer()
avidec: return 0, not packet size from read_packet().
wmapro: prevent division by zero when sample rate is unspecified
vc1dec: check that coded slice positions and interlacing match.
alsdec: fix number of decoded samples in first sub-block in BGMC mode.
alsdec: remove dead assignments
alsdec: Fix out of ltp_gain_values read.
alsdec: Check that quantized parcor coeffs are within range.
alsdec: Check k used for rice decoder.
Conflicts:
avconv.c
libavcodec/h264.c
libavcodec/libvorbis.c
libavformat/avidec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f6)
Conflicts:
libavcodec/h264.c
If decoding a second complementary field, and the first was
decoded in our thread, mark decoding of that field as complete.
If decoding fails, mark the decoded field/frame as complete.
Do not allow switching between field modes or field/frame mode
between slices within the same field/frame. Ensure that two
subsequent fields cover top/bottom (rather than top/frame,
bottom/frame or such nonsense situations).
Fixes various deadlocks when decoding samples with errors in
reference frames.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1e26a48fa2)
Fixes Bug 118
Conflicts:
libavcodec/h264.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c)
Conflicts:
libavcodec/h264.c
* qatar/release/0.8:
Update Changelog for the 0.8.2 Release
Prepare for 0.8.2 Release
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
ttadec: CRC checking
tta: use skip_bits_long()
Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes crashes in codepaths not covered by original checks.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe5)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This reverts commit 729ebb2f18.
There was an off-by-one error in the bit mask calculation clearing
actually the last valid bit and causing
http://bugzilla.libav.org/show_bug.cgi?id=227
The broken sample (Mr_MrsSmith-h264_aac.mp4) the commit was fixing
does not work after correcting the off-by-one error.
CC: libav-stable@libav.org
(cherry picked from commit 8a6037c390)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes invalid reads while initializing the dequant tables, which uses
the bit depth to determine the QP table size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0ce4fe482c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
