Fixes trac ticket 3226. Also see Andreas' analysis in
https://bugs.debian.org/801745, which was very helpful.
(cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209)
Fixes infinite loop and segfault in ogg_buffer_data()
Fixes Ticket4806
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7)
Fix segfault with too large slice_count
Fixes Ticket4879
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568)
Conflicts:
libavcodec/ffv1enc.c
libavcodec/ffv1.c
Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3
packets. This code forgot to report to the user that data was skipped at
all.
Since audio codecs allow partial packet decoding, the user application
has to rely on the return value. It will remove the data reported as
consumed by the decoder, and feed it to the decoder again. This resulted
in the mp3 frame after the zero region to be decoded over and over
again, until the zero region was finally skipped by the application.
Fix this by including the amount of skipped bytes to the number of
consumed bytes returned by the decode call.
Fixes trac ticket #4890.
(cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Instead print an error and continue
Fixes Ticket4702
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69)
Various header informations need to be reset when decoding next frame.
Regression since: 95582b5c
Fixes ticket #4597.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit a03b69478b7f1c0c31e53acb0cf392917c0f967a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 369b4cd4120bf67aa5187b6bc72574970a24ca22)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bbfca8e84b0e69abba523d665536c0135fc1c00e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array reads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such data streams (which then contain no other packets except the faulty one)
confuse some user applications, like VLC
Works around vlcticket 12389
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff)
Conflicts:
libavformat/flvdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 68fa549230af35179df2a2af2bdb84ee6c825bed)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
which contains more fixes but is unfinished
Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b5d11240692025f036e945bc37968735679320a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Without this ffversion.h could sometimes be built too late
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4ae87554f3c8bc54db572873f5049427a7e6cb31)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This simplifies identifying from which revision a binary of a lib came from
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 649c158e8c94ac0cff7f03e97d6ea8bbf71b7f02)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e
These should be redundant, but are backported for saftey anyway
(cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 105654e376a736d243aef4a1d121abebce912e6b
These should be redundant, but are backported for saftey anyway
(cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aa8d12554868c32436750f881954193087219c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: case2_bad_read_yuv2rgbx32.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
