The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/svq1dec.c
0 means no data consumed, so it can trigger an infinite loop in the
caller.
CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/cdgraphics.c
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michaelni@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a1f7844a11010d8552c75424d1a831b37a0ae5d9)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.
(cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c)
CC:libav-stable@libav.org
Conflicts:
libavcodec/eamad.c
(cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The actual predictor value, set by the trellis code, never
was written back into the variable that was written into
the block header. This was accidentally removed in b304244b.
This significantly improves the audio quality of the trellis
case, which was plain broken since b304244b.
Encoding IMA QT with trellis still actually gives a slightly
worse quality than without trellis, since the trellis encoder
doesn't use the exact same way of rounding as in
adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0776e0ef6ba4160281ef3fabea43e670f3792b4a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This was broken in 095be4fb - samples+ch (for the previous
non-planar case) equals &samples_p[ch][0]. The confusion
probably stemmed from the IMA WAV case where it originally
was &samples[avctx->channels + ch], which was correctly
changed into &samples_p[ch][1].
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 3d79d0c93e5b37a35b1b22d6c18699c233aad1ba)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.
CC:libav-stable@libav.org
(cherry picked from commit f2f2e7627f0c878d13275af5d166ec5932665e28)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Fixes an invalid read past the end of avpriv_mpa_freq_tab.
Fixes divide-by-zero due to sample_rate being set to 0.
Bug-Id: 705
CC:libav-stable@libav.org
Conflicts:
libavcodec/mpegaudiodecheader.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 86a9370e2b91d67375e66a06d6eb573b5a017775)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e6bd5481cf42a9765c492c77754d4633092cece)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 19e66c7232d96e4ae8f05b52da2b84dfaa4e4da3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes various runtime failures with manually set flags that represent no
existing CPU
Fixes Ticket3653
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6310eb8010b7a3b3016e297132380cbd4e3d2d10)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses for non default buffers with large strides
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4a30f08505a4e85718896ff233c97be41a9754ca)
(cherry picked from commit 9c9fc79d9237d28e33161cb2e75082d8ad232b2e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
get_len can overflow for specially crafted payload.
Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
These asserts cannot fail since d6af26c55c1ea30f85a7d9edbc373f53be1743ee
Based-on: ccda51b14c0fcae2fad73a24872dce75a7964996
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cf2b7c01f81c1fb3283a1390c0ca9a2f81f4f4a8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list)
Fixes: LMS-2014-06-16-4
Found-by: "Don A. Bailey" <donb@securitymouse.com>
See: ccda51b14c0fcae2fad73a24872dce75a7964996
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ba8ab4e7ae016cf970b0f335a7933f2db53784bc':
avconv: do not send non-monotonous DTS to the muxers.
Conflicts:
ffmpeg_opt.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e0fcad77618a0455ca9c2451ea0aa538597a08c0':
avconv: make -shortest work with streamcopy
Conflicts:
ffmpeg.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9455a023be9f3915ccf5511a0b8fdb5b8897b2b6':
matroskaenc: do not write negative timestamps
Conflicts:
tests/ref/lavf/mkv
tests/ref/seek/lavf-mkv
No change to fate as ffmpeg was not affected by these bugs
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Hack partially based on a commit by Michael Niedermayer <michaelni@gmx.at>
Should fix (or work around) bug 458.
(cherry picked from commit 76d23f40314fc1dcd74a3d470b17782cc0ee5a3a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes Ticket3594
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 421b21ca8a02a346ba03cea3bb2ecc33f791fc30)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1194435
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18af0ce62da322176f7bd283b85314d2f41bee2c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1194388
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4329605289e25bb071ec1c1182bf25fc83b09aa)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1206652
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 09b16619d33ddf93005060d0782f28a1c1cbb7f6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code was missing 1 bit in the src format
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc145e576a443bfc89efdf35b91fd3c9ca0d8388)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
