It is a public function, it must not assert on its parameters.
(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.
CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c
These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d5b4bc999fb70c040f330dd1873212e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
And manage the reallocation failure path.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5e992a4682d2c09eed3839c6cacf70db3b65c2f4)
Fixes out of array accesses and integer overflows.
(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This should make no difference but the variable will be used in a subsequent commit
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8893f31e206358d933abe4a5227b5ae89f5f303d)
Conflicts:
libavcodec/mjpegdec.c
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It's shorter and more consistent with the rest of the code.
(cherry picked from commit 8b76362836f3c373c3aadc544522edcbef16dd5f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
* commit '65830277d2d2ee3658e1f070a61044fff261ed3e':
prores: Add a codepath for decoding errors
nut: Fix unchecked allocations
avi: directly resync on DV in AVI read failure
mov: Don't allocate arrays with av_malloc that will be realloced
shorten: Extend fixed_coeffs to properly support pred_order 0
Prepare for 9.11 RELEASE
avi: properly fail if the dv demuxer is missing
prores: Reject negative run and level values
audio_mix: fix channel order in mix_1_to_2_fltp_flt_c
indeo4: Check the inherited quant_mat
Conflicts:
RELEASE
libavcodec/indeo4.c
libavcodec/shorten.c
libavformat/nut.c
libavformat/nutdec.c
libavformat/nutenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '0358a099f8abe60230dc2e5bec59bfceb7d1be07':
indeo4: Check the block size if reusing the band configuration
ffv1: Assume bitdepth 0 means 8bit
alsa-audio-dec: explicitly cast the delay to a signed int64
matroskadec: pad EBML_BIN data.
motionpixels: clip VLC codes.
avidec: fix a memleak in the dv init code.
Conflicts:
libavcodec/ffv1dec.c
libavcodec/indeo4.c
libavdevice/alsa-audio-dec.c
libavformat/matroskadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7b337b122959b9bf634c31b549892df974f35b40':
truemotion1: make sure index does not go out of bounds
pcx: round up in bits->bytes conversion in a buffer size check
omadec: Fix wrong number of array elements
omadec: check GEOB sizes against buffer size
ac3dec: fix outptr increment.
avio: Use AVERROR_PROTOCOL_NOT_FOUND
Conflicts:
libavcodec/ac3dec.c
libavcodec/pcx.c
libavformat/omadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '0e8ae6d10c609bb968c141aa2436413a55852590':
mpegvideo: Drop a faulty assert
lavr: check that current_buffer is not NULL before using it
pmpdec: check that there is at least one audio packet.
lzw: switch to bytestream2
gifdec: convert to bytestream2
Conflicts:
libavcodec/gifdec.c
libavcodec/lzw.c
libavcodec/lzw.h
libavformat/pmpdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c5c7e3e6f7cf17943c04bd078f260eaf789afbc9':
gifdec: check that the image dimensions are non-zero
gifdec: return meaningful error codes.
eacmv: check the framerate before setting it.
rv30: fix extradata size check.
sdp: Check that fmt->oformat is non-null before accessing it
matroskadec: use correct compression parameters for current track CodecPrivate
vc1: Reset numref if fieldmode is not set
Conflicts:
libavcodec/gifdec.c
libavcodec/rv30.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The header parser uses forward and backward parsing, making the
bulletproof prevention of loops difficult, thus this simple
detection code.
If someone improves the forward/backward parsing so it cannot loop
then this commit should be reverted
Fixes Ticket3278
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1c010fd035c1a14dc73827b84f21f593e969a5d6)
Some muxers store invalid timestamps there, which breaks seeking
Fixes Ticket2739
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5e0c7eab2a9d43e6e3be967ec1a6b04a3e0328da)
Otherwise the expression will be evaluated as unsigned, which will break
when the result should be negative.
CC:libav-stable@libav.org
(cherry picked from commit 089fac77a6bf9199a5ec161e9c27850f0a680541)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
