Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verfies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '93f919d0b4c4341ccee366c98ac9af813f8fe622':
mov: avoid a memleak when multiple stss boxes are present
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.
(cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059)
(cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa)
Fixes playback of some AAC streams, which are otherwise mangled by the
parser, and stss is typically only valid for video anyway.
Fixes a regression since e41ea866.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 019247bdc326a90bf20d3ce5d2413cc642e8bb08)
* commit '62ed6da016b789eee00e0fff517df4a254e12e5d':
h264: check that an IDR NAL only contains I slices
mov: Free an earlier allocated array if allocating a new one
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '44079902c49e526f464bb4eb855665e1af867e91':
mov: Free intermediate arrays in the normal cleanup function
segafilm: fix leaks if reading the header fails
h264_cavlc: check the size of the intra PCM data.
h263: Check init_get_bits return value
cavsdec: check ff_get_buffer() return value
Conflicts:
libavcodec/cavsdec.c
libavcodec/h263dec.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d5b4bc999fb70c040f330dd1873212e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.
Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
* commit '65830277d2d2ee3658e1f070a61044fff261ed3e':
prores: Add a codepath for decoding errors
nut: Fix unchecked allocations
avi: directly resync on DV in AVI read failure
mov: Don't allocate arrays with av_malloc that will be realloced
shorten: Extend fixed_coeffs to properly support pred_order 0
Prepare for 9.11 RELEASE
avi: properly fail if the dv demuxer is missing
prores: Reject negative run and level values
audio_mix: fix channel order in mix_1_to_2_fltp_flt_c
indeo4: Check the inherited quant_mat
Conflicts:
RELEASE
libavcodec/indeo4.c
libavcodec/shorten.c
libavformat/nut.c
libavformat/nutdec.c
libavformat/nutenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7e350b7ddd19af856b55634233d609e29baab646':
pcx: Check the packet size before assuming it fits a palette
rpza: Fix a buffer size check
xxan: Disallow odd width
xan: Only read within the data that actually was initialized
xan: Use bytestream2 to limit reading to within the buffer
pcx: Consume the whole packet if giving up due to missing palette
pngdec: Stop trying to decode once inflate returns Z_STREAM_END
mov: Make sure the read sample count is nonnegative
bfi: Add some very basic sanity checks for input packet sizes
bfi: Avoid divisions by zero
electronicarts: Add more sanity checking for the number of channels
riffdec: Add sanity checks for the sample rate
Conflicts:
libavcodec/pcx.c
libavcodec/xan.c
libavformat/mov.c
libavformat/riff.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4':
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asvdec: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
eacmv: Make sure a reference frame exists before referencing it
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
ivi_common: Make sure color planes have been initialized
mov: Don't use a negative duration for setting other fields
Conflicts:
libavcodec/eacmv.c
libavcodec/ffv1.c
libavcodec/mpeg4videodec.c
libavcodec/mpegaudiodec.c
libavcodec/qpeg.c
libavformat/mov.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This avoids setting a negative number of frames, ending up with a
negative average frame rate.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c231987662194d009dd91bfc57c678e0e70ca161)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Some files have the duration set to -1 in the mdhd atom, more
or less legitimately. (We produce such files ourselves, for the
initial duration in fragmented mp4 files.)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7f8d41eb097e8d4223c9caf97dd332a2fdb29d52)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* commit '0b6adcf76bda8994902f5b6d8e694b0b916ea210':
oma: refactor seek function
xl: Make sure the width is valid
8bps: Bound-check the input buffer
4xm: Reject not a multiple of 16 dimension
alsdec: Clean up error paths
alsdec: Fix the clipping range
dsicinav: Clip the source size to the expected maximum
dsicinav: Bound-check the source buffer when needed
dsicinav: K&R formatting cosmetics
lavf: Make sure avg_frame_rate can be calculated without integer overflow
mov: Do not allow updating the time scale after it has been set
mov: Seek back if overreading an individual atom
ac3dec: Don't consume more data than the actual input packet size
indeo: Reject impossible FRAMETYPE_NULL
indeo: Do not reference mismatched tiles
Conflicts:
libavcodec/4xm.c
libavcodec/8bps.c
libavcodec/alsdec.c
libavcodec/dsicinav.c
libavcodec/ivi_common.c
libavcodec/xl.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The time scale is set in mdhd, and later validated in the
enclosing trak atom once all of its children have been parsed.
A loose mdhd atom outside of a trak atom could update the time
scale of the last stream without any validation.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 31931520df35a6f9606fe8293c8a39e2d1fabedf)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* qatar/release/9:
doc: developer: Allow tabs in the vim configuration for Automake files
doc: filters: Correct BNF FILTER description
Prepare for 9.3 Release
update Changelog
cavs: initialize various context tables to 0
4xm: check the return value of read_huffman_tables().
qtrle: add more checks against pixel_ptr being negative.
mlpdec: do not try to allocate a zero-sized output buffer.
av_memcpy_backptr: avoid an infinite loop for back = 0
flicvideo: avoid an infinite loop in byte run compression
lagarith: avoid infinite loop in lag_rac_refill()
mov: use the format context for logging.
loco: check that there is data left after decoding a plane.
update Changelog
x86: h264: Don't use redzone in AVX h264_deblock on Win64
Conflicts:
Changelog
RELEASE
libavcodec/4xm.c
libavcodec/loco.c
libavcodec/qtrle.c
libavutil/mem.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Followup to http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/151321
patch by Reimar and Thomas Mundt fixes some AVC-Intra files from
different tickets.
It does not fix http://samples.ffmpeg.org/ffmpeg-
bugs/trac/ticket524/AVCI50.mov
Authors of this commit are: Reimar and Thomas Mundt
Patch and commit message mostly taken from ffmpeg-devel, mail by Carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c661cb6672af5ebcb900ec8766b24761bd2ab011':
cmdutils: pass number of groups to split_commandline().
mov: handle h263 and flv1 for codec_tag 'H','2','6','3'
h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
Conflicts:
libavcodec/h264_ps.c
libavformat/isom.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The sample in https://bugzilla.libav.org/show_bug.cgi?id=393 and
samples/F4V/H263_NM_f.mp4 both have codec_tag H263 for different
codecs. H263 is apparently used by Flash Media Server for Sorensen
Spark videos.
Patch based on commit 5442083b1c541dd166b3adf39131259fc846a62b by
Carl Eugen Hoyos. Fixes bug 393.
* commit 'd7d6efe42b0d2057e67999b96b9a391f533d2333':
h264: check sps.log2_max_frame_num for validity
mov: validate number of DataReferenceBox entries against box size
mov: compute avg_frame_rate only if duration is known
flac: change minimum and default of lpc_passes option to 1
Conflicts:
libavcodec/h264_ps.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5c7bf2dddee5bdfa247ff0d57cb8a37d19077f66':
lavf: move nuv fourcc audio tags from riff to nuv
lavf: add a common function for selecting a pcm codec from parameters
Conflicts:
libavformat/internal.h
libavformat/mov.c
libavformat/riff.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Matrox XMIO capture boards write files with major brand "JUNK"
and compatible brand "qt " that contain QuickTime version 1
audio fields.
Fixes ticket #1881.
