* commit '6f4404b24bcf59ab29cd4b57995d374a578f51a7':
h264: set parameters from SPS whenever it changes
alac: Limit max_samples_per_frame
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '27ac9585c97d35b809382be5634c8e5f7211243a':
h264: reset data partitioning at the beginning of each decode call
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '51ae8e26af8f5b26efb41edc0fe4812368d16ae9':
h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7f33a24e824c6d20cb941e6b20c5382becfbc923':
h264: check that execute_decode_slices() is not called too many times
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3ee26080d6b3e777992b4b4124e62e1bf0ac0a65':
h264: reset data_partitioning if decoding the slice header for NAL_DPA fails
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In case start_frame() fails, this potentially invalid frame can still be
output to the caller.
Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206
Prevents using GetBitContexts with data from previous calls.
Fixes access to freed memory.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Otherwise the ER code might try to use some already freed references.
Fixes possible access to freed memory.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
In this case we may not have a current frame, while first_field being
set implies we do.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
There is no point in delaying the check and it avoids bugs with a
half-initialized context.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
* commit '2c1d84499bfe06d75e9160b824eeffd9f5587337':
lagarith: pad RGB buffer by 1 byte.
truemotion1: check the header size
shorten: pad the internal bitstream buffer
samplefmt: avoid integer overflow in av_samples_get_buffer_size()
h264: Fix a typo from the previous commit
h264: Lower bound check for slice offsets
rpza: limit the number of blocks to the total remaining blocks in the frame
Conflicts:
libavcodec/lagarith.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '979f77b0dc40571761999633a38d97be9a1670c8':
h264: check that an IDR NAL only contains I slices
mov: Free an earlier allocated array if allocating a new one
segafilm: fix leaks if reading the header fails
h264_cavlc: check the size of the intra PCM data.
cavs: Check for negative cbp
avi: DV in AVI must be considered single stream
avutil: use align == 0 for default alignment in audio sample buffer functions
Conflicts:
libavcodec/cavsdec.c
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +
CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
(cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab)
And use the value from the specification.
Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)
Conflicts:
libavcodec/h264.c
(cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c)
Conflicts:
libavcodec/h264.c
* commit 'f82e127dd9c7c0d54bf6400f83c7825e571f9a9e':
parser: fix large overreads
dsputil: fix invalid array indexing
shorten: use the unsigned type where needed
shorten: report meaningful errors
shorten: K&R formatting cosmetics
shorten: set invalid channels count to 0
matroskadec: request a read buffer for the wav header
h264: check for luma and chroma bit depth being equal
vc1: Move init code shared between decoder and parser to common code file.
libmp3lame: use the correct remaining buffer size when flushing
xxan: fix invalid memory access in xan_decode_frame_type0()
wmadec: require block_align to be set.
Conflicts:
libavcodec/h264.c
libavcodec/libmp3lame.c
libavcodec/shorten.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The decoder assumes a single bit depth for all the planes while
the specification allows different bit depths for luma and chroma.
Avoid the possible problems described in CVE-2013-2277
* qatar/release/0.8:
Update Changelog
h264: check ref_count validity for num_ref_idx_active_override_flag
h264: check context state before decoding slice data partitions
oggdec: free the ogg streams on read_header failure
oggdec: check memory allocation
Fix uninitialized reads on malformed ogg files.
rtsp: Recheck the reordering queue if getting a new packet
opt: avoid segfault in av_opt_next() if the class does not have an option list
alacdec: do not be too strict about the extradata size
Conflicts:
Changelog
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a335ffd7f4cdaaa6a8fe4187f6f06b0418eea19a':
h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
h264: check sps.log2_max_frame_num for validity
h264: slice-mt: get last_pic_dropable from master context
ppc: always use pic for shared libraries
h264: error out on unset current_picture_ptr for h->current_slice > 0
flashsv: make sure data for zlib priming is available
h264: enable low delay only if no delayed frames were seen
flashsv: check for keyframe before using differential coding
lavf: avoid integer overflow in ff_compute_frame_duration()
aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
APIchanges: Fill in missing commit hashes
Conflicts:
doc/APIchanges
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '01a4e7f623a2e6dc95862f9a56c777f058d7bfaf':
lavf: Bump minor version to distinguish branch and master version numbers
vp6: properly fail on unsupported feature
mp3: properly forward mp_decode_frame errors
mpeg12: do not decode extradata more than once.
indeo3: when freeing buffers, set pointers referencing them to NULL as well
indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder
avconv: fix copying per-stream metadata.
id3v2: fix reading unsynchronized frames.
h264: Fix parameters to ff_er_add_slice() call
build: fix 'clean' target
Conflicts:
avconv.c
libavcodec/mpeg12.h
libavformat/id3v2.c
libavformat/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes segfault in the fuzzed sample bipbop234.ts_s226407.
CC: libav-stable@libav.org
(cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8)
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Dropping frames is undesirable but that is the only way by which the
decoder could return to low delay mode. Instead emit a warning and
continue with delayed frames.
Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger
than expected has_b_frames value. Low delay keeps getting re-enabled
from a presumely broken SPS.
CC: libav-stable@libav.org
(cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24)
Conflicts:
libavcodec/h264.c
s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.
(cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes fate-h264-conformance-cvnlfi2_sony_h and smllwebdl.mkv from
https://github.com/OpenELEC/OpenELEC.tv/issues/1557 .
(cherry picked from commit 24c62ea7a5df44804be88150aa0c45e6796b5da9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'be209bdabb11c59de17220bdbf0bf9c9f7cc16f5':
vf_pad: don't give up its own reference to the output buffer.
libvorbis: use VBR by default, with default quality of 3
libvorbis: fix use of minrate/maxrate AVOptions
h264: fix deadlocks on incomplete reference frame decoding.
cmdutils: avoid setting data pointers to invalid values in alloc_buffer()
avidec: return 0, not packet size from read_packet().
wmapro: prevent division by zero when sample rate is unspecified
vc1dec: check that coded slice positions and interlacing match.
alsdec: fix number of decoded samples in first sub-block in BGMC mode.
alsdec: remove dead assignments
alsdec: Fix out of ltp_gain_values read.
alsdec: Check that quantized parcor coeffs are within range.
alsdec: Check k used for rice decoder.
Conflicts:
avconv.c
libavcodec/h264.c
libavcodec/libvorbis.c
libavformat/avidec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)
Conflicts:
libavcodec/h264.c
If decoding a second complementary field, and the first was
decoded in our thread, mark decoding of that field as complete.
If decoding fails, mark the decoded field/frame as complete.
Do not allow switching between field modes or field/frame mode
between slices within the same field/frame. Ensure that two
subsequent fields cover top/bottom (rather than top/frame,
bottom/frame or such nonsense situations).
Fixes various deadlocks when decoding samples with errors in
reference frames.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1e26a48fa23ef8e1cbc424667d387184d8155f15)
Fixes Bug 118
Conflicts:
libavcodec/h264.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d)
Conflicts:
libavcodec/h264.c
* qatar/release/0.8:
Update Changelog for the 0.8.2 Release
Prepare for 0.8.2 Release
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
ttadec: CRC checking
tta: use skip_bits_long()
Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes crashes in codepaths not covered by original checks.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d0e0fab094a9c886b0e0f0f662df1ef)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams
with broken escaping. Since the size of the NAL unit is known and
checked against the buffer end we can parse it entirely without buffer
overreads.
Fixes playback of
http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3aa661ec561d7a20812b84b353b0d7855ac346c8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This reverts commit 729ebb2f185244b0ff06d48edbbbbb02ceb4ed4e.
There was an off-by-one error in the bit mask calculation clearing
actually the last valid bit and causing
http://bugzilla.libav.org/show_bug.cgi?id=227
The broken sample (Mr_MrsSmith-h264_aac.mp4) the commit was fixing
does not work after correcting the off-by-one error.
CC: libav-stable@libav.org
(cherry picked from commit 8a6037c3900875ccab8d553d2cc659bdef2c9d0e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes invalid reads while initializing the dequant tables, which uses
the bit depth to determine the QP table size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
