Fixes CID1194388
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4329605289e25bb071ec1c1182bf25fc83b09aa)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part of Ticket3466
Found-by: Andrey_Karpov / PVS-Studio
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b8598f6ce61ccda3f2ff0c730b009fb650e42986)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d167faafe9dfa0b82bebb267c3c4e5fa5286bd67)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes h264_mp4toannexb_bsf_failure.mkv
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 289b149cecb381522cc9ccdf382825330169c655)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e6bd5481cf42a9765c492c77754d4633092cece)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '6f4404b24bcf59ab29cd4b57995d374a578f51a7':
h264: set parameters from SPS whenever it changes
alac: Limit max_samples_per_frame
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7fa72700298107fe756311ecb4dee5270ff12d35':
swscale: Fix an undefined behaviour
apedec: do not buffer decoded samples over AVPackets
isom: lpcm in mov default to big endian
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '330c18032464a4e1f3da907e54db2e69a6fbfcda':
matroskaenc: allow override of "writing application" tag
avfilter: Add missing emms_c when needed
mpeg12: check scantable indices in all decode_block functions
Conflicts:
libavformat/matroskaenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '71b8c8430cf3f7056849257324fc39b423075ba1':
sgidec: fix buffer size check in expand_rle_row()
adx: check that the offset is not negative
mpegvideo: set reference/pict_type on generated reference frames
Conflicts:
libavcodec/mpegvideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '27ac9585c97d35b809382be5634c8e5f7211243a':
h264: reset data partitioning at the beginning of each decode call
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '51ae8e26af8f5b26efb41edc0fe4812368d16ae9':
h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7f33a24e824c6d20cb941e6b20c5382becfbc923':
h264: check that execute_decode_slices() is not called too many times
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3ee26080d6b3e777992b4b4124e62e1bf0ac0a65':
h264: reset data_partitioning if decoding the slice header for NAL_DPA fails
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e0d8a17402b934b8fba7b86c6c990abf1257901b':
h264_refs: make sure not to write over the bounds of the default ref list
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise buffer size calculations in allocate_buffers could
overflow later, making the code think a large enough buffer
actually was allocated.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Only consume an AVPacket when all the samples have been read.
When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:
- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exist) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet).
That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).
Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape
Bug-Debian: http://bugs.debian.org/744901
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In case start_frame() fails, this potentially invalid frame can still be
output to the caller.
Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206
This is basically an overread/overwrite-safe memcpy between a
GetByteContext and a PutByteContext.
CC:libav-stable@libav.org
(cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278)
Prevents using GetBitContexts with data from previous calls.
Fixes access to freed memory.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Otherwise the ER code might try to use some already freed references.
Fixes possible access to freed memory.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
In this case we may not have a current frame, while first_field being
set implies we do.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
There is no point in delaying the check and it avoids bugs with a
half-initialized context.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783)
Otherwise the generic code will unref them, which can then result in
last_picture_ptr == current_picture_ptr, which causes deadlocks at least
in rv40.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.
Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)
(cherry picked from commit aa2a3ca27a3269e2b975686652204607fad8bc49)
Fixes out of array read
Fixes: d4476f68ca1c1c57afbc45806f581963-asan_heap-oob_2266b27_8607_cov_4044577381_snow_chroma_bug.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 61d59703c91869f4e5cdacd8d6be52f8b89d4ba4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2)
Conflicts:
libavcodec/msrle.c
(cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
