The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit b45ab61b24)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
alsa and x11grab use av_gettime() to report timestamps.
Have it on by default.
Bug-Id: 647
(cherry picked from commit 424b929b5c)
(cherry picked from commit 404731bd20)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The picture slot can be recycled by select_input_picture and
only current_picture is populated with the valid pts.
Unbreak timestamps when in cbr mode.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 1c7b71a5bd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/mpegvideo_enc.c
Also convert a debug av_log() to av_dlog().
(cherry picked from commit a89dd9a72c6e9c3111d6f34d9b08cd624fe76358)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The packet buffer allocation considers the alpha channel as DCT-coded,
while it is actually run-coded and thus requires a larger buffer.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 41e1354c10)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The buffer allocation may be incorrect (e.g. with an alpha plane),
and currently causes the buffer to be set to NULL by init_put_bits,
causing a crash later on.
So, detect that situation, and if detected, reallocate the buffer
and ask for a sample that shows the problem.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 45ce880a9b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Prevent out of array writes.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit e8049af132)
Conflicts:
libavformat/mpegtsenc.c
The specification says the value is expressed in 10 bits including
the 4-byte CRC.
(cherry picked from commit 89616408e3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavformat/mpegtsenc.c
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Diego Biurrun <diego@biurrun.de>
CC: libav-stable@libav.org
(cherry picked from commit d0393d79bc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d98e6c5d5d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.
(cherry picked from commit dc71f19588)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
librtmp can keep pointers to this string internally, and may
use them at shutdown as well.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 865461099e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/librtmp.c
This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d)
CC:libav-stable@libav.org
Conflicts:
libavcodec/eamad.c
This fixes a segmentation fault because request_frame in fifo.c assumes
that the call to ff_request_frame will populate fifo->root.next.
Before, it was possible for request_frame in af_compand to not do this,
resulting in a null pointer access. Now, request_frame in af_compand
always will return at least one frame or an error, as per the API
specifications in avfilter.h for request_frame.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d3cfd7aff8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The actual predictor value, set by the trellis code, never
was written back into the variable that was written into
the block header. This was accidentally removed in b304244b.
This significantly improves the audio quality of the trellis
case, which was plain broken since b304244b.
Encoding IMA QT with trellis still actually gives a slightly
worse quality than without trellis, since the trellis encoder
doesn't use the exact same way of rounding as in
adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0776e0ef6b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was broken in 095be4fb - samples+ch (for the previous
non-planar case) equals &samples_p[ch][0]. The confusion
probably stemmed from the IMA WAV case where it originally
was &samples[avctx->channels + ch], which was correctly
changed into &samples_p[ch][1].
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3d79d0c93e)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
On big endian machines, the default value set via the faulty
AVOption ended up as 2^32 times too big.
This fixes the fate-lavf-ogg test which currently is broken on
big endian machines, broken since 3831362. Since that commit,
a final zero-sized packet is written to the ogg muxer in that test,
which caused different flushing behaviour on little and big endian
depending on whether the pref_duration option was handled as it
should or not.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 103243ca64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
