Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 2c1ba7994190fa2f1ad430594551070a49353bd1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1e3336de69d1c4c28a5e306fab20555f4078f2d7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 95010d18b2d808db9a49377e41bc2f7cf4dfa03e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 124a16f678ddcffe8f1825efb29a6e8da1d580ac)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3d09d0017d10a0d738141a955c75c555133e41b2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 0ec6d6e9b682318b5b5b5457e09fbf3c4ca41335)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit d239d4b447885cb7c5eee9ce359f34ad6b64f373)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3a742470a845c24e7c3a40c0a228705ca951e673)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1775b92fee43f0527e2f5892a5a30450fa929722)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Some of the arguments given to init_vlc() come from the stream
and can be corrupted.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 69a0bce753a5d5556d5bc0888afe390e22611dd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Using the old code, half of it was unused and the other half was too
small for e.g. >8bpp interlaced data, causing random buffer overruns.
(cherry picked from commit 330deb75923675224fb9aed311d3d6ce3ec52420)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It was wrong in colorspaces where horizontal and vertical chroma
subsampling are not the same, e.g. 422.
(cherry picked from commit 0884dd5a1b87aff6c8a06e6492dece5cef8f3978)
Conflicts:
libavcodec/mpegvideo.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
On OS X, av_malloc(0) returns pointers that cause crashes when
freed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 59cef18c24ab21de4e652e130ac25905c1141f62)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8f8e8cc9784ffd8d5d0307900fb78bb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2b4e49d4281690db67073ba644ad2ffc17767cdf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3a549eb82be709d633a0ba964b037ee2f700e0c9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
(cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The level_code expression includes a shift which is invalid in
those cases where the value is not used. Moving the calculation
to the branch where the result is used avoids these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8babfc033ecb6332155c1f8879e54dee41d16952)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit be1242a3f2b28e9cb08515bdc1db6c14403c279a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 4c7a232fc81fdbdee279ab819a255f624a22b083)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This allows concurrent decoding of the last field/frame, rather than
only the last slice, of data packets with multiple NAL units packed
together.
This will fix the slowdown reported in e.g. bug 52.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 14c21c1ff509eac97f6437aeb51202b15af3a700)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d1186ff72d75b6067770890758c4feb92abd84f7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Replace sizeof((*avff)->formats)
with sizeof(*(*avff)->formats)
as the size of the array element is given by the pointed element
rather than by its pointer.
In particular fix computation with the pending patch when
sizeof(int64_t) != sizeof(int64_t *).
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0ec56d1144fa4ea36950295987bb5f49c9747046)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In apply_unsharp(), when y is >= height, prevent out-of-buffer reading
from src, read from the last buffer line in src2 instead.
The check was implemented in the original unsharp libmpcodecs code and
lost in the port.
This also fixes output discrepancy between the two filters.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 998e8519efbc772994c5ba19c0d39573998be9db)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It was shifting 2 rather than 1, +10l.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 80de930a781c177dc54f3836f57aa8959597bcda)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
0 is top-field-first, 1 is bottom-field-first, not the other way
around.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 4703a7b50b098a53ec2f806bd41a00fd87ea9d8c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* release/0.8:
shorten: Fix invalid free()
j2kdec: Fix crash in get_qcx
j2kdec: Check curtileno for validity
atrac3: Fix crash in tonal component decoding. Fixes Ticket780 Bug Found by: cosminamironesei
h264: check chroma_format_idc range. Fixes Ticket758 Bug found by: Diana Elena Muscalu
aacsbr: Fix memory corruption. Fixes Ticket760 and Ticket761 Bug Found by: Diana Elena Muscalu
j2kdec: Fix integer overflow leading to a segfault Fixes Ticket776 Bug found by: Diana Elena Muscalu
ws_snd1: Fix wrong samples count and crash.
lavfi: add missing check in avfilter_filter_samples()
Update Changelog for 0.7.4 release
Update RELEASE file for 0.7.4
swscale: fix crash in fast_bilinear code when compiled with -mred-zone.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
