If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 58312b2472d3a44d7458865c459d59ef2e02bf1a)
Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.
Fixes out of array read
Fixes: d4476f68ca1c1c57afbc45806f581963-asan_heap-oob_2266b27_8607_cov_4044577381_snow_chroma_bug.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 61d59703c91869f4e5cdacd8d6be52f8b89d4ba4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: 5f9698e86d92f19bb08d54ff0d57027f-signal_sigsegv_b30756_3795_cov_2693691257_ansi256.ans
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d42ec8433c687fcbccefa51a7716d81920218e4f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2)
Conflicts:
libavcodec/msrle.c
(cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
20 ms is used by libopus encoder.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 74906d3727ec3bd9b7b28dfa7a98ff6e8cf8b6d7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 240fd8c96f59ebe9dcfc4152a1086cd3f63400c0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e48318802b3caa493a40c0584afc30cc866d9d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '8883b5f85bfe35509633bc590d19b6a1b495690e':
h264: Fix a typo from the previous commit
h264: Lower bound check for slice offsets
Add missing header to fix compilation after d2a0654
Prepare for 9.12 RELEASE
configure: Add missing dependency of Snow decoder on videodsp
rpza: limit the number of blocks to the total remaining blocks in the frame
Conflicts:
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.
Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)
f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +
CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
Fixes invalid writes on pixel format changes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)
And use the value from the specification.
Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)
Conflicts:
libavcodec/h264.c
* qatar/release/9:
Update Changelog for 9.11
oggparseogm: check timing variables
mathematics: remove asserts from av_rescale_rnd()
vc1: Always reset numref when parsing a new frame header.
h264: reset num_reorder_frames if it is invalid
Conflicts:
Changelog
libavcodec/vc1.c
libavutil/mathematics.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '62ed6da016b789eee00e0fff517df4a254e12e5d':
h264: check that an IDR NAL only contains I slices
mov: Free an earlier allocated array if allocating a new one
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '44079902c49e526f464bb4eb855665e1af867e91':
mov: Free intermediate arrays in the normal cleanup function
segafilm: fix leaks if reading the header fails
h264_cavlc: check the size of the intra PCM data.
h263: Check init_get_bits return value
cavsdec: check ff_get_buffer() return value
Conflicts:
libavcodec/cavsdec.c
libavcodec/h263dec.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c85e5f13f6ac9c4c90125e7671d89009e57f9df9':
cavs: Check for negative cbp
avi: DV in AVI must be considered single stream
vmnc: Check the cursor dimensions
vmnc: Port to bytestream2
Conflicts:
libavcodec/cavsdec.c
libavcodec/vmnc.c
libavformat/avidec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_19c7a94_6470_cov_1453611734_luckynight-partial.tak
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f58eab151214d2d35ff0973f2b3e51c5eb372da4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array accesses with CODEC_FLAG_EMU_EDGE
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d)
Conflicts:
libavcodec/vmnc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c17207ab9acfaa934e8feb8fba90765c9d0b989)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access with RC_VARIANCE set to 0
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f1caaa1c61310beba705957e6366f0392a0b005b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.
CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c
And manage the reallocation failure path.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5e992a4682d2c09eed3839c6cacf70db3b65c2f4)
Fixes out of array accesses and integer overflows.
(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
