Fixes out of array access
Fixes: 24d05e8b84676799c735c9e27d97895e/asan_heap-oob_1b70f6a_2955_7c3652a7f370f9f3ef40642bc2c99bb2.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93f30f825c08477fe8f76be00539e96014cc83c8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes out of array access
Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167)
Conflicts:
libavcodec/jpeg2000dec.c
Fixes out of array read
Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes null pointer dereference
Fixes part of Ticket4977
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9368d2da3d33cac845f2fdf663df500b53625c5e)
Conflicts:
libavcodec/h264_slice.c
This ensures that they are always set to valid values
Fixes Ticket4939
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a878dfa4f57d068eb69fb6614f7a4a20f769ee7b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes Ticket4931
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c2d4e8700cd3db59bc11ab196c0002215cf601f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: invalid_read.nut
Found-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d221d9e069e6269cb41f3678f2734800171d87b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes hang.nut
Found-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 055e56e9f76da3298f1b59bf5ea46f570e844600)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fb0466699575724923aeddc4490302180dfdf4af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes CID1322351
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71ec8e1ed6cf4947e204e3e4b5929a44c054f5fb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: CID1322313
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a51d4246d8ac96acee735e7e5dedb9d9ef27a594)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: CID1322319
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f1593e4ca564cdb7f3194a9eee1dea16df41142d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes CID1322316
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cbd3cd8eb2de2280d83da5ee875c35581b46a3a3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes out of array access
Fixes: 87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63fb5a6aefb4223334001fd2c0d82a5e22e3b528)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6701c92fa4269872856c70c3170a9b3291b46247)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1f59bb6606721ef5eeade4ada541630d51510fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This avoids leaving uninitialized bits in the output
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e322b7061f873e8fd33b9e518caa19b87616a528)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
related to ticket4749
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ab1c57a64b629455805d7fa74a8a20c689fc1f6)
Conflicts:
libavcodec/aacdec_template.c
Fixes trac ticket 3226. Also see Andreas' analysis in
https://bugs.debian.org/801745, which was very helpful.
(cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209)
Fix segfault with too large slice_count
Fixes Ticket4879
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568)
Conflicts:
libavcodec/ffv1enc.c
Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3
packets. This code forgot to report to the user that data was skipped at
all.
Since audio codecs allow partial packet decoding, the user application
has to rely on the return value. It will remove the data reported as
consumed by the decoder, and feed it to the decoder again. This resulted
in the mp3 frame after the zero region to be decoded over and over
again, until the zero region was finally skipped by the application.
Fix this by including the amount of skipped bytes to the number of
consumed bytes returned by the decode call.
Fixes trac ticket #4890.
(cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d)
Needed for old compilers like GCC 4.2
Tested by trac user brad. Fixes ticket #4745
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a0092cea462ff4f203aaff09c42c6731c6516b44)
flcoeffs2[pos] should be the log2 of flcoeffs1[pos].
flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf,
causing problems further down.
This seems to have been copied from imc_decode_level_coefficients in
commit 4eb4bb3 without updating the position.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 75fd5ce4c1c0b2d96d71c74b650cefaaef519d27)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
It is used as get_bits argument and reading 0 bits isn't supported.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 05cc8c8e4b7008ff3be8ec477c901b2ceca4b16b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
It asserts that the frame linesize is larger than 37, but it can be
smaller and decoding such frames works.
Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the
blocks were interleaved in the tmp buffer and the last block was added
with an offset of 6*MB_SIZE.
It was changed for src_stride <= 7*MB_SIZE to write the blocks
sequentially, hence the larger tmp_step.
After that the assert was only necessary to make sure that the buffer
remained large enough.
Since commit bd2b6b33 s->scratchbuf is used as tmp buffer.
As part of commit 86e107a7 the minimal scratchbuf size was increased to
256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE.
Also add a comment explaining the tmp_step calculation.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3526a120f92929cb0a4009e403ee2f141030c487)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The loop always needs at least 8 bytes for chunk_type and chunk_size.
If fewer are left, bytestream2_get_le32 just returns 0 without
reading any bytes, leading to an infinite loop.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0762152f7af6cd93bc8f504d5503723500c3f369)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
More than 32 bits can't be stored in an integer and get_bits should not
be used with more than 25 bits.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d0eff8857ceff2601f85037c930cbe61a88b611e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This is the first part of the fix for ticket #4370.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 32a5b631267e1f8bf279e407039b9a99d012d033)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9a345802edf7f430b3335f486aecdd8552f8367b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
get_bits should not be used for more than 25 bits.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9883a669c3df05a5c453428e080298c6511a17e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If nb_samples is zero, the bit_rate calculation results in a division by
zero.
Since ff_get_buffer fails if frame->nb_samples is zero, this can be
fixed by moving the bit_rate calculation after that function call.
That also makes it possible to reuse the already calculated
frame->nb_samples value.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
get_bits should not be used with more than 25 bits.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1f1e0a2971b2a01f275bb5088c2e36166514be64)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes a segfault when decoding multi-channel MP3onMP4 files.
This is similar to commit cb72230d for MPADSPContext.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 151dbe4579601a81662b4b366d0e10df3c00027a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
avoids null pointer dereference
Fixes: signal_sigsegv_d5de40_964_vp80-00-comprehensive-010.ivf with memlimit of 1048576
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 599d746e07319dc792ed2e511b666fe482f1ff88)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
