* commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4':
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asvdec: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
eacmv: Make sure a reference frame exists before referencing it
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
ivi_common: Make sure color planes have been initialized
mov: Don't use a negative duration for setting other fields
Conflicts:
libavcodec/eacmv.c
libavcodec/ffv1.c
libavcodec/mpeg4videodec.c
libavcodec/mpegaudiodec.c
libavcodec/qpeg.c
libavformat/mov.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210':
oma: refactor seek function
xl: Make sure the width is valid
8bps: Bound-check the input buffer
4xm: Reject not a multiple of 16 dimension
alsdec: Clean up error paths
alsdec: Fix the clipping range
dsicinav: Clip the source size to the expected maximum
dsicinav: Bound-check the source buffer when needed
dsicinav: K&R formatting cosmetics
lavf: Make sure avg_frame_rate can be calculated without integer overflow
mov: Do not allow updating the time scale after it has been set
mov: Seek back if overreading an individual atom
ac3dec: Don't consume more data than the actual input packet size
indeo: Reject impossible FRAMETYPE_NULL
indeo: Do not reference mismatched tiles
Conflicts:
libavcodec/4xm.c
libavcodec/8bps.c
libavcodec/alsdec.c
libavcodec/dsicinav.c
libavcodec/ivi_common.c
libavcodec/xl.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'fbbe487b1c1f21339cff9ca86c3dfc495ad1c2c6':
indeo: Sanitize ff_ivi_init_planes fail paths
indeo5: return proper error codes
indeo: Bound-check before applying motion compensation
indeo: Bound-check before applying transform
indeo4: Validate scantable dimension
indeo4: Check the quantization matrix index
indeo4: Do not access missing reference MV
ac3dec: Increment channel pointers only once per channel
dca: Respect the current limits in the downmixing capabilities
dca: Error out on missing DSYNC
pcm: always use codec->id instead of codec_id
mlpdec: Do not set invalid context in read_restart_header
pcx: Do not overread source buffer in pcx_rle_decode
wmavoice: conceal clearly corrupted blocks
iff: Do not read over the source buffer
qdm2: Conceal broken samples
qdm2: refactor joined stereo support
Conflicts:
libavcodec/ac3dec.c
libavcodec/dcadec.c
libavcodec/iff.c
libavcodec/indeo4.c
libavcodec/indeo5.c
libavcodec/ivi_common.c
libavcodec/mlpdec.c
libavcodec/pcx.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'fa6eef4210c2fd7f7324d558b09311c75987a31e':
wtv: Mark attachment with a negative stream id
avconv: do not use lavfi direct rendering with -deinterlace
avidec: Let the inner dv demuxer take care of discarding
Update Changelog
kmvc: Clip pixel position to valid range
kmvc: use fixed sized arrays in the context
indeo: reject negative array indexes
indeo: Cosmetic formatting
indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks
indeo: Refactor ff_ivi_dec_huff_desc
indeo: use a typedef for the mc function pointer
indeo: use proper error code
Conflicts:
Changelog
ffmpeg.c
libavcodec/ivi_common.c
libavformat/wtv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c8fb5d0f383fcbb0da9bdef609c3a826df0064f7':
Update Changelog
indeo: check for reference when inheriting mvs
indeo: use proper error code
indeo: Properly forward the error codes
mjpeg: Check the unescaped size for overflows
wmapro: error out on impossible scale factor offsets
wmapro: check the min_samples_per_subframe
wmapro: return early on unsupported condition
wmapro: check num_vec_coeffs against the actual available buffer
wmapro: make sure there is room to store the current packet
lavc: move put_bits_left in put_bits.h
4xm: do not overread the source buffer in decode_p_block
4xm: check bitstream_size boundary before using it
Conflicts:
Changelog
libavcodec/4xm.c
libavcodec/mjpegdec.c
libavcodec/wmaprodec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Spin large and mostly self contained blocks into stand alone
functions.
(cherry picked from commit 62256010e9bc8879e2bf7f3b94af8ff85e239082)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The same is done already for qdelta.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b36e1893ef3430f039c1eaddeedcbb378f9c4444)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If the tile data size does not match the buffer size it did not
return an AVERROR_INVALIDDATA causing further corruption later.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7388c0c58601477db076e2e74e8b11f8a644384a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* commit '07acdd651d1e2f4cfa5f610e616e70e323bb69cd':
ivi_common: use proper logging context in ivi_decode_blocks().
ivi_common: make some functions and tables static.
asyncts: ignore min_delta only if first_pts is set
Conflicts:
libavcodec/ivi_common.c
libavcodec/ivi_common.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
configure: fix tests for 2-arg math functions
doc: git-howto: Clarify comment about pushing series of commits
ivi_common: Drop unused function parameter from decode_band()
cook: Remove some silly Doxygen comments
cook: Remove senseless maybe_reformat_buffer32() function
cook: cosmetics: Better names for joint_decode() function parameters
cook: cosmetics: Better name for ccpl COOKSubpacket member
doxygen: Add av_alloc_size to list of predefined macros
doxygen: Drop some pointless entries from PREDEFINED macros list
h263: avoid memcpys over array bound in motion vector caching for obmc
Conflicts:
configure
doc/git-howto.texi
libavcodec/cook.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'd05f72c75445969cd7bdb1d860635c9880c67fb6':
dfa: improve boundary checks in decode_dds1()
wmalosslessdec: Fix reading too many bits in decode_channel_residues()
wmalosslessdec: fix a get_bits(0) in decode_ac_filter
wmalosslessdec: make MCLMS arrays big enough for what is written into them.
indeo4/5: check empty tile size in decode_mb_info().
ivi_common: make ff_ivi_process_empty_tile() static.
indeo5: check tile size in decode_mb_info().
indeo3: fix out of cell write.
Conflicts:
libavcodec/dfa.c
libavcodec/indeo3.c
libavcodec/indeo5.c
libavcodec/ivi_common.c
libavcodec/wmalosslessdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2012-2800
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
* commit 'b146d74730ab9ec5abede9066f770ad851e45fbc':
indeo4: update AVCodecContext width/height on size change
dfa: check that the caller set width/height properly.
indeo5dec: Make sure we have had a valid gop header.
cavsdec: check for changing w/h.
lavc: set channel count from channel layout in avcodec_open2().
doc/platform: Rework the Visual Studio linking section
doc/faq: Change the Visual Studio entry to reflect current status
doc/platform: Replace Visual Studio section with build instructions
doc/platform: Nuke section on linking static MinGW-built libs with MSVC
doc/platform: Remove false claim about MinGW installer
doc/platform: Mention MinGW-w64
dsputil_mmx: fix reading prior of the src array in sub_hfyu_median_prediction()
mpegaudiodec: fix short_start calculation
Conflicts:
doc/faq.texi
doc/platform.texi
libavcodec/cavsdec.c
libavcodec/indeo5.c
libavcodec/ivi_common.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This prevents decoding happening on a half initialized context.
Fixes CVE-2012-2779
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>