In init_planes p->xblen and p->yblen are set to:
p->xblen = s->plane[0].xblen >> s->chroma_x_shift;
p->yblen = s->plane[0].yblen >> s->chroma_y_shift;
These are later used as block_w and block_h arguments of
s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2
in emulated_edge_mc:
av_assert2(start_x < end_x && block_w > 0);
av_assert2(start_y < end_y && block_h > 0);
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 75fc81c831)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775)
Conflicts:
libavformat/aviobuf.c
If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6fdbaa2b7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the check 'tile_size < size' treats a negative size as
unsigned, causing the check to pass. This subsequently leads to
segmentation faults.
This was originally fixed as part of Libav commit 72ca83, so the
original author is one of the following developers:
Anton Khirnov <anton@khirnov.net>
Diego Biurrun <diego@biurrun.de>
Luca Barbato <lu_zero@gentoo.org>
Martin Storsjö <martin@martin.st>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b18eac7ff2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If chan2 is not smaller than the number of channels, it can cause
segmentation faults due to dereferencing a NULL pointer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05c57ba2f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Return layout when FF_API_GET_CHANNEL_LAYOUT_COMPAT is set even if the
layout itself is not in the deprecated style.
Signed-off-by: Simon Thelen <ffmpeg-dev@c-14.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 83307a32eb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoid potential out of array accesses
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12ba1b2b4d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c803ed9cb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids leaks if the user doest call swr_close() after a failed init
Found-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3f87f7545)
Conflicts:
libswresample/swresample.c
This was simply wrong
Found-by: Martin Storsjö
This reverts commit 5d8e4f6da0.
(cherry picked from commit 3e34b7498f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is the maximum rate possible based on the frame size limit of MXF D-10
Previous version reviewed by tim nicholson <nichot20@yahoo.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d7a762553c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
check memory allocation in swri_get_dither()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 196b885a5f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If opj_image_create fails to allocate an image it returns NULL, which
causes a segmentation fault at 'img->x0 = 0'.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1577526b47)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e863f4cd2a5ea05c74b8beb92e55d7ed10908d64':
Update Changelog for 10.7
Conflicts:
Changelog
RELEASE
Not merged, as this isnt the changelog from between 2 ffmpeg versions
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '964fef3f3ced60e67831549df223bc177e1537c9':
h264: Make sure reinit failures mark the context as not initialized
See: e8714f6f93
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '48c7fe5b5834a197f10a6eb56cbe7cda8ee32407':
msrle: Use FFABS to determine the frame size in msrle_decode_pal4
Conflicts:
libavcodec/msrledec.c
See: f7e1367f58
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If the CPU is 386, 486 or pentium, we must not use cmov in inline
assembler.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cdb3eee7c4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c34d1099db6f9bc49f30eb3141f87c42b01a3714':
nut: Make sure to clean up on read_header failure
Conflicts:
libavformat/nutdec.c
See: 361702660d
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f29cf578923d2d4d2cf891dfc0c7ac45c641a5b7':
png: Set the color range as full range
Conflicts:
libavcodec/pngdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If max in clean_index is set to a negative ast->sample_size, the
following loop never ends:
while (max < 1024)
max += max;
Thus set ast->sample_size to 0 if it would otherwise be negative.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ca234639ac)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault when accessing the metadata.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ff1af2b0d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1dcb68c02a55648facb82c0b2b6a1eb3dc18f988':
alac: Reject rice_limit 0 if compression is used
Conflicts:
libavcodec/alac.c
See: 4b657a1b1e
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9726f3007196a9c3589c4f09a81c0d75e1d97f2c':
ape: Support _0000 files with nblock smaller than 64
Conflicts:
libavcodec/apedec.c
See: 699341d647
Merged-by: Michael Niedermayer <michaelni@gmx.at>
s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8)
to s->decoded[1]) and passed as out buffer to decode_array_0000.
In this function 64 elements of the out buffer are written
unconditionally and outside the array if blockstodecode is too small.
This causes memory corruption, leading to segmentation faults or other
crashes.
Thus change decode_array_0000 to write at most blockstodecode elements
of the out buffer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 699341d647)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '296d70f58517d6702bfda32178c1e395bca9665e':
mux: Do not leave stale side data pointers in ff_interleave_add_packet()
Conflicts:
libavformat/mux.c
See: bfb3ed1a9d
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Detecting AAC with such descriptor if the parts needed for detection
are later in the stream
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 14e9a20083)
Conflicts:
libavformat/mpegts.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6397814926)
Conflicts:
libavformat/mpegts.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'feedde4d8702d554a7f46de824a887fe4d75a714':
mpegts: Update the PSI/SI table only if the version change
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '4c4cc9b27b69a86e405fd7612aa0a62f3b62b027':
rtsp: Make sure we don't write too many transport entries into a fixed-size array
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1f1686615c20982a68b2d8db3ff109834a260d27':
rtpenc_jpeg: Handle case of picture dimensions not dividing by 8
Merged-by: Michael Niedermayer <michaelni@gmx.at>
