Prevents crashes because the old check was incomplete.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes crashes in codepaths not covered by original checks.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.8: (24 commits)
apedec: check bits <= 32.
truemotion: forbid invalid VLC bitsizes and token values.
mov: don't overwrite existing indexes.
truemotion2: handle out-of-frame motion vectors through edge extension.
lzw: prevent buffer overreads.
truemotion2: convert packet header reading to bytestream2.
lagarith: fix buffer overreads.
raw: forward avpicture_fill() error code in raw_decode().
vc1: Do not read from array if index is invalid.
utvideo: port header reading to bytestream2.
bytestream: add more unchecked variants for bytestream2 API
bytestream: K&R formatting cosmetics
bytestream: Add bytestream2 writing API.
aac: Reset PS parameters on header decode failure.
mov: Do not read past the end of the ctts_data table.
xwma: Validate channels and bits_per_coded_sample.
asf: reset side data elements on packet copy.
vqa: check palette chunk size before reading data.
vqavideo: port to bytestream2 API
wmavoice: fix stack overread.
...
Conflicts:
cmdutils.c
cmdutils.h
libavcodec/lagarith.c
libavcodec/truemotion2.c
libavcodec/vqavideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.
This prevents crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If the next header frame codes zero envelopes the previous frame's
values will be used. Consequently the invalid values must be cleared.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents a SIGFPE later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Protects against overreads.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The preset files have been renamed some time ago.
CC: libav-stable@libav.org
(cherry picked from commit 050dc127787e91d8ee4b341046c74fe6e74e3285)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes an AAC decoding issue with the sample from ticket #213 on machines
with SSE but without SSE2.
Based on 89411a by Reimar.
(cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928)
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 00ab9cdae1a96dfea33cd505076a83823f390aa4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 006508032057824a371bec4e629b66f8cbb26c47)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes some arith decoder overreads and a potential infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0f13cc732b3752828890b8dff507615cfd454336)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5cd8afee99c83b62e1474f122d947de7e4ad9ff5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9729f140ae073f1df2041b6c5fd2068592eb9c48)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
