Fixes corrupt data errors when downmixing in the AC-3 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit 6c82c87dbbc0582658968eae46cfebeea90a9c5e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Also add an error message an return a more suitable error code
(INVALIDDATA, not EINVAL);
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit c453723ad7d14abc5e82677eebaa6025fa598f08)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It has been checking the number of bits in the offset instead of the
actual offset.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit a6a2282c25abe43e352010a7c3fbc92994c0bc1c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
There are samples in the wild with B-frames and P-frames with different
interlace mode.
CC: libav-stable@libav.org
Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit de44dfc7c0ec02bda7d846ef713145c890bfae3f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* qatar/release/9:
arm: Don't clobber callee saved registers in scalarproduct
alsdec: check block length
h264/mpegvideo: do not provide pixel formats for hwaccels that are not compiled in
mpeg4video_parser: init mpeg4 static tables.
Conflicts:
libavcodec/mpeg4video_parser.c
libavcodec/mpeg4videodec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '56eded8bc7bccdf14245bae3a45b0fecf9d9d122':
mpeg4videodec: split initializing static tables into a separate function
x86: ac3dsp: Remove 3dnow version of ff_ac3_extract_exponents
pthread: Avoid spurious wakeups
Conflicts:
libavcodec/mpeg4videodec.c
tests/fate/ac3.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
q4-q7/d8-d15 are supposed to not be clobbered by the callee.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694)
Signed-off-by: Martin Storsjö <martin@martin.st>
Fix writing over the end
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Addresses: CVE-2013-0845
(cherry picked from commit 2a0fb7286d67c47e44aa76c237ede117b22af616)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
works around bug in gccs inline asm register assignment
Fixes Ticket3177
gcc from 4.4 to 4.6 is affected at least, no non affected gccs known
clang seems not affected
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0538b29ae8002c44f27bae8a1a6fc6e646998be5)
They are used when decoding the frame header.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The function requires increasing the fuzz factor for the ac3/eac3 encode
tests and even so makes fate fail. It only provides a slight encoding
speedup for legacy CPUs that do not support SSE2. Thus its benefit is not
worth the trouble it creates and fixing it would be a waste of time.
This ensures that frames do not get mixed on context reinits
Fixes Ticket2836
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c9dd93faa9f3c250428dd0548c075583aa07cc3)
Do not consider it an error if we have no frames and should discard one.
This condition can easily happen when decoding is started from an I frame
Fixes Ticket2811
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08a89761964bdd0a023eff6d37a1131fb7e1d7a0)
Conflicts:
libavcodec/h264_refs.c
This simplifies the code and fixes a deadlock
Fixes Ticket2927
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 29ffeef5e73b8f41ff3a3f2242d356759c66f91f)
Conflicts:
libavcodec/h264.c
pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup).
The FF_THREAD_SLICE thread mechanism could spontaneously execute
jobs or allow the caller of avctx->execute to return before all
jobs were complete.
Test both cases to ensure the wakeup is real.
Signed-off-by: Ben Jackson <ben@ben.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Sometimes, if pthread_create() failed, then pthread_cond_wait() could
accidentally be called in the worker threads after the uninit function
had already called pthread_cond_broadcast(), leading to a deadlock.
Don't call pthread_cond_wait() if c->done is set.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/9:
Prepare for 9.10 RELEASE
h263dec: Remove a hack that can cause infinite loops
mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
vc1dec: Don't decode slices when the latest slice header failed to decode
Conflicts:
RELEASE
libavcodec/h263dec.c
libavcodec/mpegvideo.c
libavcodec/vc1dec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '494f2d4f9e834db1eaf1a7d0160d497f9802013d':
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
r3d: Add more input value validation
fraps: Make the input buffer size checks more strict
svq3: Avoid a division by zero
rmdec: Validate the fps value
twinvqdec: Check the ibps parameter separately
asfdec: Check the return value of asf_read_stream_properties
mxfdec: set audio timebase to 1/samplerate
Conflicts:
libavcodec/fraps.c
libavcodec/svq3.c
libavformat/mxfdec.c
tests/ref/fate/mxf-demux
tests/ref/seek/lavf-mxf
tests/ref/seek/lavf-mxf_d10
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7e350b7ddd19af856b55634233d609e29baab646':
pcx: Check the packet size before assuming it fits a palette
rpza: Fix a buffer size check
xxan: Disallow odd width
xan: Only read within the data that actually was initialized
xan: Use bytestream2 to limit reading to within the buffer
pcx: Consume the whole packet if giving up due to missing palette
pngdec: Stop trying to decode once inflate returns Z_STREAM_END
mov: Make sure the read sample count is nonnegative
bfi: Add some very basic sanity checks for input packet sizes
bfi: Avoid divisions by zero
electronicarts: Add more sanity checking for the number of channels
riffdec: Add sanity checks for the sample rate
Conflicts:
libavcodec/pcx.c
libavcodec/xan.c
libavformat/mov.c
libavformat/riff.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb':
mvi: Add sanity checking for the audio frame size
alac: Do bounds checking of lpc_order read from the bitstream
xwma: Avoid division by zero
avidec: Make sure a packet is large enough before reading its data
vqf: Make sure the bitrate is in the valid range
vqf: Make sure sample_rate is set to a valid value
electronicarts: Check packet sizes before reading
lavf: Avoid setting avg_frame_rate if delta_dts is negative
vc1dec: Undo mpegvideo initialization if unable to allocate tables
vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
wnv1: Make sure the input packet is large enough
dcadec: Validate the lfe parameter
Conflicts:
libavcodec/dcadec.c
libavcodec/wnv1.c
libavformat/avidec.c
libavformat/electronicarts.c
libavformat/utils.c
libavformat/xwma.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4':
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asvdec: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
eacmv: Make sure a reference frame exists before referencing it
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
ivi_common: Make sure color planes have been initialized
mov: Don't use a negative duration for setting other fields
Conflicts:
libavcodec/eacmv.c
libavcodec/ffv1.c
libavcodec/mpeg4videodec.c
libavcodec/mpegaudiodec.c
libavcodec/qpeg.c
libavformat/mov.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '163196562fe744149ef599d754c30c08a9898381':
oggparseogm: Convert to use bytestream2
rv34: Check the return value from ff_rv34_decode_init
matroskadec: Verify realaudio codec parameters
mace: Make sure that the channel count is set to a valid value
svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
vp3: Check the framerate for validity
cavsdec: Make sure a sequence header has been decoded before decoding pictures
vocdec: Don't update codec parameters mid-stream
sierravmd: Do sanity checking of frame sizes
omadec: Properly check lengths before incrementing the position
mpc8: Make sure the first stream exists before parsing the seek table
Conflicts:
libavcodec/mace.c
libavformat/oggparseogm.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f8a72f041c049e812dfa1f32156327e9778f5710':
mpc8: Check the seek table size parsed from the bitstream
zmbvdec: Check the buffer size for uncompressed data
ape: Don't allow the seektable to be omitted
shorten: Break out of loop looking for fmt chunk if none is found
shorten: Use a checked bytestream reader for the wave header
smacker: Make sure we don't fill in huffman codes out of range
smacker: Avoid integer overflow when allocating packets
smacker: Don't return packets in unallocated streams
dsicin: Add some basic sanity checks for fields read from the file
Conflicts:
libavcodec/shorten.c
libavcodec/smacker.c
libavcodec/zmbv.c
libavformat/mpc8.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The actual usefulness of the hack is not known, and it does cause
infinite loops with some broken input files.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8812a8057f539845f6801cafdf6c481a59e96b48)
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes breakage in a few fate tests on certain setups
(that for some reason didn't break on OS X) after the previous
commit (8812a8057). Currently, some video streams are initialized
in ff_MPV_common_init with width/height set at 0 and only changed
to a proper video size with ff_MPV_common_frame_size_change later.
The breakage was diagnosed by Anton Khirnov.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5f24fe82e5fcf227abb5ebf62aa9bc246fda8c0d)
Signed-off-by: Martin Storsjö <martin@martin.st>
If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)
This is required, since invalid parameters actually could
pass the switch check below.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)
This fixes reads out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/pcx.c
We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
