If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The first check is done without the AVIOContext, so alloc it only if said check succeeds
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: James Almer <jamrial@gmail.com>
* commit 'caf7be30b11288c498fae67be4741bfbf083d977':
mpjpgdec: free AVIOContext leak on early probe fail
Conflicts:
libavformat/mpjpegdec.c
See: 34d278f9838e355b3b2c7a9c0f77d7fcaf37ce49, this was mistakenly reimplemented, also see ffmpeg IRC log of today
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the check 'tile_size < size' treats a negative size as
unsigned, causing the check to pass. This subsequently leads to
segmentation faults.
This was originally fixed as part of Libav commit 72ca83, so the
original author is one of the following developers:
Anton Khirnov <anton@khirnov.net>
Diego Biurrun <diego@biurrun.de>
Luca Barbato <lu_zero@gentoo.org>
Martin Storsjö <martin@martin.st>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* commit 'da0c8664b4dc906696803685f7e53ade68594ab8':
mpegvideo: Move various temporary buffers to a separate context
Conflicts:
libavcodec/mpegvideo.c
libavcodec/mpegvideo_enc.c
libavcodec/mpegvideo_motion.c
libavcodec/rv34.c
libavcodec/vc1_mc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Currently restricted to blending pixels that only contain either
0 or 255 in their alpha components
Signed-off-by: Donny Yang <work@kota.moe>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The spec specifies the dispose operation as how the current (i.e., currently
being rendered) frame should be disposed when the next frame is blended onto it
This is contrary to ffmpeg's current behaviour of interpreting the dispose
operation as how the previous (i.e., already rendered) frame should be disposed
This patch fixes ffmpeg's behaviour to match those of the spec, which involved
a rewrite of the blending function
Signed-off-by: Donny Yang <work@kota.moe>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This can be useful for debugging, or in scenarios where the user
doesn't want to use the system's DNS settings for whatever reason.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The main ff_alloc_picture() function is made more generic with all the
parameters necessary as arguments. This will allows to move most of the
related functions to a separate file later.
Right now wrappers are provided to try and minimize the number of
changes in the code.
The C runtime C99 compatibility had been improved a lot and it now
rejects some of the compatibility defines provided for the older
versions.
Many thanks to Ray for the time spent testing.
Bug-Id: 864
CC: libav-stable@libav.org