0 means no data consumed, so it can trigger an infinite loop in the
caller.
CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/cdgraphics.c
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a1f7844a11010d8552c75424d1a831b37a0ae5d9)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c)
CC:libav-stable@libav.org
Conflicts:
libavcodec/eamad.c
(cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The actual predictor value, set by the trellis code, never
was written back into the variable that was written into
the block header. This was accidentally removed in b304244b.
This significantly improves the audio quality of the trellis
case, which was plain broken since b304244b.
Encoding IMA QT with trellis still actually gives a slightly
worse quality than without trellis, since the trellis encoder
doesn't use the exact same way of rounding as in
adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0776e0ef6ba4160281ef3fabea43e670f3792b4a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was broken in 095be4fb - samples+ch (for the previous
non-planar case) equals &samples_p[ch][0]. The confusion
probably stemmed from the IMA WAV case where it originally
was &samples[avctx->channels + ch], which was correctly
changed into &samples_p[ch][1].
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3d79d0c93e5b37a35b1b22d6c18699c233aad1ba)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.
CC:libav-stable@libav.org
(cherry picked from commit f2f2e7627f0c878d13275af5d166ec5932665e28)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Fixes an invalid read past the end of avpriv_mpa_freq_tab.
Fixes divide-by-zero due to sample_rate being set to 0.
Bug-Id: 705
CC:libav-stable@libav.org
Conflicts:
libavcodec/mpegaudiodecheader.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e6bd5481cf42a9765c492c77754d4633092cece)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 19e66c7232d96e4ae8f05b52da2b84dfaa4e4da3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses for non default buffers with large strides
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4a30f08505a4e85718896ff233c97be41a9754ca)
(cherry picked from commit 9c9fc79d9237d28e33161cb2e75082d8ad232b2e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1194388
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4329605289e25bb071ec1c1182bf25fc83b09aa)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'cf7bb6ceb1da7682aa54989f83d81c67a5e6790d':
Revert "pthread: flush all threads on flush, not just the first one"
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Only consume an AVPacket when all the samples have been read.
When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:
- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exist) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet).
That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).
Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape
Bug-Debian: http://bugs.debian.org/744901
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
In case start_frame() fails, this potentially invalid frame can still be
output to the caller.
Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1457f3fd90e17745791354fbb87899fc4803085a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part of Ticket3466
Found-by: Andrey_Karpov / PVS-Studio
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b8598f6ce61ccda3f2ff0c730b009fb650e42986)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Matt Oliver <protogonoi@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 46d5625f44185271862337d61cd246fd569c42a4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3540
The function dirac_get_arith_bit in libavcodec/dirac_arith.h can't be
built with PIC and check-stack because the asm code needs 6 registers
and PIC and check-stack options take 1 each and x86 is quite limited
in this area.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d8ab7f31dd819f7b3e0d460a2fa4261aaae87b98)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d167faafe9dfa0b82bebb267c3c4e5fa5286bd67)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes h264_mp4toannexb_bsf_failure.mkv
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 289b149cecb381522cc9ccdf382825330169c655)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f07cebcd910c97ff6012085c21493231752990e9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '2eb15cdeef29eb8a0a32658154decba94b4b89cb':
pthread: flush all threads on flush, not just the first one
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b701e26a4e89e3816490bc74bc47f82e6b7f7002':
mpeg12: check scantable indices in all decode_block functions
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'd8e89a37267f276afd404bd062e5112a336d1a36':
h264: reset data partitioning at the beginning of each decode call
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d6a33f5d20b6ef2eae2cbb959b001cb125a564b7)
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2005fddcbb4e18e8f7c34326e40609e4a2d83c31)
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7e513d85e80d730718695d09fcaf0295ae24699e':
h264: check that execute_decode_slices() is not called too many times
See: 64591f8f86f2dfeac13ee6b4e971d069675ca814
Merged-by: Michael Niedermayer <michaelni@gmx.at>
