Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 361319d0f4)
Conflicts:
tests/ref/lavf/dpx
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/9:
hqdn3d: Fix out of array read in LOWPASS
vf_gradfun: fix uninitialized variable use
Conflicts:
libavfilter/vf_hqdn3d.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c50241080d7599c90fc8b4e74c5f8d62a4caae52':
vf_hqdn3d: fix uninitialized variable use
lzo: fix overflow checking in copy_backptr()
flacdec: simplify bounds checking in flac_probe()
atrac3: avoid oversized shifting in decode_bytes()
shorten: use the unsigned type where needed
shorten: report meaningful errors
shorten: K&R formatting cosmetics
shorten: set invalid channels count to 0
Conflicts:
libavcodec/shorten.c
libavformat/flacdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.
Remove the check. Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53)
Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'.
Avoid a possible out-of-bounds pointer, which is undefined behavior
in C.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 8425d693ee)
When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.
(0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))
Avoid oversized shifting.
CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff3130)
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3dbc0ff9c3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e398990eb8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
More speedup and fixes 'may be used uninitialized in this function' warnings
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d2e0a276d5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
speeds up code and allows more simplifications
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dbaae33c2c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See:
commit 29d8cd265a
Author: Alexander Kojevnikov <alexander@kojevnikov.com>
Date: Tue Feb 26 21:47:11 2013 -0800
mp3dec: Fix VBR bit rate parsing
When parsing the Xing/Info tag, don't set the bit rate if it's an Info tag.
When parsing the stream, don't override the bit rate if it's already set,
otherwise calculate the mean bit rate from parsed frames. This way, the bit
rate will be set correctly both for CBR and VBR streams.
Signed-off-by: Alexander Kojevnikov <alexander@kojevnikov.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/9:
eamad: allocate a dummy reference frame when the real one is missing
libmp3lame: use the correct remaining buffer size when flushing
png: use av_mallocz_array() for the zlib zalloc function
wmaprodec: require block_align to be set.
ffv1: fix calculating slice dimensions for version 2
xxan: fix invalid memory access in xan_decode_frame_type0()
wmadec: require block_align to be set.
ivi_common: do not call MC for intra frames when dc_transform is unset
Conflicts:
libavcodec/ffv1dec.c
libavcodec/ivi_common.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '747fbe0c212b81952bb27ec7b99fa709081e2d63':
roqvideodec: fix a potential infinite loop in roqvideo_decode_frame().
mp3dec: Fix VBR bit rate parsing
wmaprodec: return an error, not 0, when the input is too small.
vmdaudio: fix invalid reads when packet size is not a multiple of chunk size
h264: check for luma and chroma bit dept being equal
Prepare for 9.4 Release
Conflicts:
RELEASE
libavcodec/vmdav.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.
CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d84)
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit cacad1c058)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When there is just 1 byte remanining in the buffer, nothing will be read
and the loop will continue forever. Check that there are at least 8
bytes, which are always read at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit 3e2f200237)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit ea1136baaf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When parsing the Xing/Info tag, don't set the bit rate if it's an Info tag.
When parsing the stream, don't override the bit rate if it's already set,
otherwise calculate the mean bit rate from parsed frames. This way, the bit
rate will be set correctly both for CBR and VBR streams.
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit eae0879d96)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.
CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes a single bit depth for all the planes
while the specification allows different bit depths for luma
and chroma.
Avoid the possible problems described in CVE-2013-2277
CC: libav-stable@libav.org
(cherry picked from commit 4987faee78)
Conflicts:
libavcodec/h264.c
This prevents various values from becoming stuck at NAN and
output to become silent
If someone knows a cleaner solution, thats welcome!
Fixes Ticket2335
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8978c743fb)
The IIR filter numerically diverges in such cases, this could easily be
fixed but would make the filter slower on some platforms
Fixes Ticket2246
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fee5da6b0a)
Fix linking failures with -all_load due to multiple log2_tabs
Signed-off-by: Carl Eugen Hoyos <cehoyos@ag.or.at>
(cherry picked from commit 03148fd174)
* qatar/release/9:
update Changelog
h264: set ref_count to 0 for intra slices.
h264: on reference overflow, reset the reference count to 0, not 1.
flvdec: Check the return value of a malloc
Conflicts:
Changelog
libavcodec/h264.c
libavformat/flvdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
