This prevents the decoder from reading garbage from it in case of errors later.
(cherry picked from commit 81064a8045)
Fixes an invalid read on sample from CVE-2012-2804.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
* qatar/release/0.8:
  Update Changelog
  h264: check ref_count validity for num_ref_idx_active_override_flag
  h264: check context state before decoding slice data partitions
  oggdec: free the ogg streams on read_header failure
  oggdec: check memory allocation
  Fix uninitialized reads on malformed ogg files.
  rtsp: Recheck the reordering queue if getting a new packet
  opt: avoid segfault in av_opt_next() if the class does not have an option list
  alacdec: do not be too strict about the extradata size

Conflicts:
  Changelog

Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a335ffd7f4cdaaa6a8fe4187f6f06b0418eea19a':
  h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
  h264: check sps.log2_max_frame_num for validity
  h264: slice-mt: get last_pic_dropable from master context
  ppc: always use pic for shared libraries
  h264: error out on unset current_picture_ptr for h->current_slice > 0
  flashsv: make sure data for zlib priming is available
  h264: enable low delay only if no delayed frames were seen
  flashsv: check for keyframe before using differential coding
  lavf: avoid integer overflow in ff_compute_frame_duration()
  aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
  APIchanges: Fill in missing commit hashes

Conflicts:
  doc/APIchanges

Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '01a4e7f623a2e6dc95862f9a56c777f058d7bfaf':
  lavf: Bump minor version to distinguish branch and master version numbers
  vp6: properly fail on unsupported feature
  mp3: properly forward mp_decode_frame errors
  mpeg12: do not decode extradata more than once.
  indeo3: when freeing buffers, set pointers referencing them to NULL as well
  indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
  avconv: fix copying per-stream metadata.
  id3v2: fix reading unsynchronized frames.
  h264: Fix parameters to ff_er_add_slice() call
  build: fix 'clean' target

Conflicts:
  avconv.c
  libavcodec/mpeg12.h
  libavformat/id3v2.c
  libavformat/version.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'dcf8f259d107838ff3778343dcb762398130a1a3':
  build: Add 'check' target to run all compile and test targets.
  Ignore generated aviocat tool.
  avconv: only apply presets when we have an encoder.
  flacenc: ensure the order is within the min/max range in LPC order search
  yuv4mpeg: reject unsupported codecs
  vp8: reset loopfilter delta values at keyframes.
  vp56: release frames on error
  vp56: make parse_header return standard error codes
  ivi_common: check that scan pattern is set before using it.
  Prepare for 0.8.5 Release
  x86: Require an assembler able to cope with AVX instructions

Conflicts:
  RELEASE
  avconv.c
  doc/developer.texi
  libavformat/yuv4mpeg.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes, which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes an infinite or long-running loop in the frame num gap code in
the fuzzed sample bipbop234.ts_s223302.
CC: libav-stable@libav.org
(cherry picked from commit d7d6efe42b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If we timed out and consumed a packet from the reordering queue,
but didn't return a packet to the caller, recheck the queue status.
Otherwise, we could end up in an infinite loop, trying to consume
a queued packet that has already been consumed.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8729698d50)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Sometimes the extradata has duplicate atoms, but that shouldn't prevent
decoding. Just ensure that it is at least 36 bytes as a sanity check.
CC: libav-stable@libav.org
(cherry picked from commit 68a04b0cce)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumably broken SPS.
CC: libav-stable@libav.org
(cherry picked from commit 706acb558a)
Conflicts:
libavcodec/h264.c
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.
Fixes: CVE-2012-2783
(cherry picked from commit be75fed975)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The function can return either a parsing error or a memory management
error.
Fixes: CVE-2012-2797
(cherry picked from commit 9ab0874ea8)
Conflicts:
libavcodec/mpegaudiodec.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It is handled separately from other types because it uses stream
specifiers and currently that triggers an assert in SET_DICT.
(cherry picked from commit 4632abc7a3)
Conflicts:
avconv_opt.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Current code would incorrectly process e.g. 'ff 00 ff 00 ff' to
'ff ff ff', while it should be 'ff ff 00 ff'.
Fixes Bug 395.
CC: libav-stable@libav.org
(cherry picked from commit 9ae80e6a9c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.
(cherry picked from commit e6160bda98)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes removal of TOOLS as well as HOSTPROGS declared in the
top-level Makefile. The clean target in common.mak needs to be
eval'd since the variables used within are reset for each library.
(cherry picked from commit 395c3feb3b)
Conflicts:
common.mak
library.mak
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This fixes use of uninitialized values when the FLAC encoder uses the
2-level, 4-level, and 8-level search methods. Fixes failure of the
fate-flac-24-comp-8 test when run using valgrind.
(cherry picked from commit 3a2731cbd3)
Conflicts:
libavcodec/flacenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This is consistent with the other ff_ass_split_* functions.
It also fixes a crash when trying to split a dialog with text=NULL
(which seems to happen when the text of the dialog is empty); basically,
this commit fixes crashes when trying to encode an empty text subtitle
dialog (see subrip and mov_text encoders).
Fixes Ticket2048.
(cherry picked from commit c83002a4f8)