On OS X, av_malloc(0) returns pointers that cause crashes when
freed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 59cef18c24ab21de4e652e130ac25905c1141f62)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8f8e8cc9784ffd8d5d0307900fb78bb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2b4e49d4281690db67073ba644ad2ffc17767cdf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3a549eb82be709d633a0ba964b037ee2f700e0c9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
(cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The level_code expression includes a shift which is invalid in
those cases where the value is not used. Moving the calculation
to the branch where the result is used avoids these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8babfc033ecb6332155c1f8879e54dee41d16952)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit be1242a3f2b28e9cb08515bdc1db6c14403c279a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 4c7a232fc81fdbdee279ab819a255f624a22b083)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This allows concurrent decoding of the last field/frame, rather than
only the last slice, of data packets with multiple NAL units packed
together.
This will fix the slowdown reported in e.g. bug 52.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 14c21c1ff509eac97f6437aeb51202b15af3a700)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit d1186ff72d75b6067770890758c4feb92abd84f7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Replace sizeof((*avff)->formats)
with sizeof(*(*avff)->formats)
as the size of the array element is given by the pointed element
rather than by its pointer.
In particular fix computation with the pending patch when
sizeof(int64_t) != sizeof(int64_t *).
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0ec56d1144fa4ea36950295987bb5f49c9747046)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In apply_unsharp(), when y is >= height, prevent out-of-buffer reading
from src, read from the last buffer line in src2 instead.
The check was implemented in the original unsharp libmpcodecs code and
lost in the port.
This also fixes output discrepancy between the two filters.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 998e8519efbc772994c5ba19c0d39573998be9db)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It was shifting 2 rather than 1, +10l.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 80de930a781c177dc54f3836f57aa8959597bcda)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
0 is top-field-first, 1 is bottom-field-first, not the other way
around.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 4703a7b50b098a53ec2f806bd41a00fd87ea9d8c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket780
Bug Found by: cosminamironesei
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket758
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket760 and Ticket761
Bug Found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 944f5b2779e4aa63f7624df6cd4de832a53db81b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket776
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f99939a6361e2e6d6788494dd7c682b051c6c34)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5257743aee0c3982f0079e6553aabc6aa39401d2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Avoid out-of-buffer data access when nb_channels is 8.
(cherry picked from commit ae21776207e8a2bbe268e7c9e203f7599dd87ddb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Update Changelog for 0.7.4 release
Update RELEASE file for 0.7.4
swscale: fix crash in fast_bilinear code when compiled with -mred-zone.
vorbis: An additional defense in the Vorbis codec.
vorbisdec: Fix decoding bug with channel handling
Conflicts:
Changelog
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Additional comments from Måns Rullgard have been integrated
by Reinhard Tartler.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b14fa5572c2a3bb1d8cd6327c4687a2eee363bbb)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/0.7:
matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()
vorbis: Avoid some out-of-bounds reads
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address.
vp3: fix streams with non-zero last coefficient
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This fixes bind(8080): Address family not supported by protocol.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f5e717f3c735af5c941b458d42615c97028aa916)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
