This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185
(cherry picked from commit ffe92ff9f0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f56107)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The level_code expression includes a shift which is invalid in
those cases where the value is not used. Moving the calculation
to the branch where the result is used avoids these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8babfc033e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit be1242a3f2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This allows concurrent decoding of the last field/frame, rather than
only the last slice, of data packets with multiple NAL units packed
together.
This will fix the slowdown reported in e.g. bug 52.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 14c21c1ff5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Replace sizeof((*avff)->formats)
with sizeof(*(*avff)->formats)
as the size of the array element is given by the pointed element
rather than by its pointer.
In particular fix computation with the pending patch when
sizeof(int64_t) != sizeof(int64_t *).
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0ec56d1144)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In apply_unsharp(), when y is >= height, prevent out-of-buffer reading
from src, read from the last buffer line in src2 instead.
The check was implemented in the original unsharp libmpcodecs code and
lost in the port.
This also fixes output discrepancy between the two filters.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 998e8519ef)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
0 is top-field-first, 1 is bottom-field-first, not the other way
around.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 4703a7b50b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Additional comments from Måns Rullgard have been integrated
by Reinhard Tartler.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b14fa5572c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes bind(8080): Address family not supported by protocol.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f5e717f3c7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.
Fixes Bug 81.
(cherry picked from commit 05d1e45d1f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
this file uses the M_PI macro since
4e74187db2, so include the correct header
directly.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5089ce1b5a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes NGS00145, CVE-2011-4352
Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8b94df0f20)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This was removed erroneously in
046f081b46. This define still is
necessary for getting MAP_ANONYMOUS defined on linux/glibc,
despite the define reshuffling done in that commit.
Without MAP_ANONYMOUS defined, the mprotect calls for setting the
generated mmx2 scaler code pages executable are left out, causing
crashes if that codepath is chosen.
This patch fixes scaling from 192x144 to 320x240 with
-sws_flags fast_bilinear, which crashes on linux at the
moment.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f32dfad9dc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
