Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/9:
Prepare for 9.10 RELEASE
h263dec: Remove a hack that can cause infinite loops
mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
vc1dec: Don't decode slices when the latest slice header failed to decode
Conflicts:
RELEASE
libavcodec/h263dec.c
libavcodec/mpegvideo.c
libavcodec/vc1dec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '494f2d4f9e834db1eaf1a7d0160d497f9802013d':
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
r3d: Add more input value validation
fraps: Make the input buffer size checks more strict
svq3: Avoid a division by zero
rmdec: Validate the fps value
twinvqdec: Check the ibps parameter separately
asfdec: Check the return value of asf_read_stream_properties
mxfdec: set audio timebase to 1/samplerate
Conflicts:
libavcodec/fraps.c
libavcodec/svq3.c
libavformat/mxfdec.c
tests/ref/fate/mxf-demux
tests/ref/seek/lavf-mxf
tests/ref/seek/lavf-mxf_d10
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7e350b7ddd19af856b55634233d609e29baab646':
pcx: Check the packet size before assuming it fits a palette
rpza: Fix a buffer size check
xxan: Disallow odd width
xan: Only read within the data that actually was initialized
xan: Use bytestream2 to limit reading to within the buffer
pcx: Consume the whole packet if giving up due to missing palette
pngdec: Stop trying to decode once inflate returns Z_STREAM_END
mov: Make sure the read sample count is nonnegative
bfi: Add some very basic sanity checks for input packet sizes
bfi: Avoid divisions by zero
electronicarts: Add more sanity checking for the number of channels
riffdec: Add sanity checks for the sample rate
Conflicts:
libavcodec/pcx.c
libavcodec/xan.c
libavformat/mov.c
libavformat/riff.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb':
mvi: Add sanity checking for the audio frame size
alac: Do bounds checking of lpc_order read from the bitstream
xwma: Avoid division by zero
avidec: Make sure a packet is large enough before reading its data
vqf: Make sure the bitrate is in the valid range
vqf: Make sure sample_rate is set to a valid value
electronicarts: Check packet sizes before reading
lavf: Avoid setting avg_frame_rate if delta_dts is negative
vc1dec: Undo mpegvideo initialization if unable to allocate tables
vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
wnv1: Make sure the input packet is large enough
dcadec: Validate the lfe parameter
Conflicts:
libavcodec/dcadec.c
libavcodec/wnv1.c
libavformat/avidec.c
libavformat/electronicarts.c
libavformat/utils.c
libavformat/xwma.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ce1dacb435460dda1f9d453eaaeac44bd502aca4':
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asvdec: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
eacmv: Make sure a reference frame exists before referencing it
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
ivi_common: Make sure color planes have been initialized
mov: Don't use a negative duration for setting other fields
Conflicts:
libavcodec/eacmv.c
libavcodec/ffv1.c
libavcodec/mpeg4videodec.c
libavcodec/mpegaudiodec.c
libavcodec/qpeg.c
libavformat/mov.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '163196562fe744149ef599d754c30c08a9898381':
oggparseogm: Convert to use bytestream2
rv34: Check the return value from ff_rv34_decode_init
matroskadec: Verify realaudio codec parameters
mace: Make sure that the channel count is set to a valid value
svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
vp3: Check the framerate for validity
cavsdec: Make sure a sequence header has been decoded before decoding pictures
vocdec: Don't update codec parameters mid-stream
sierravmd: Do sanity checking of frame sizes
omadec: Properly check lengths before incrementing the position
mpc8: Make sure the first stream exists before parsing the seek table
Conflicts:
libavcodec/mace.c
libavformat/oggparseogm.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'f8a72f041c049e812dfa1f32156327e9778f5710':
mpc8: Check the seek table size parsed from the bitstream
zmbvdec: Check the buffer size for uncompressed data
ape: Don't allow the seektable to be omitted
shorten: Break out of loop looking for fmt chunk if none is found
shorten: Use a checked bytestream reader for the wave header
smacker: Make sure we don't fill in huffman codes out of range
smacker: Avoid integer overflow when allocating packets
smacker: Don't return packets in unallocated streams
dsicin: Add some basic sanity checks for fields read from the file
Conflicts:
libavcodec/shorten.c
libavcodec/smacker.c
libavcodec/zmbv.c
libavformat/mpc8.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The actual usefulness of the hack is not known, and it does cause
infinite loops with some broken input files.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8812a8057f539845f6801cafdf6c481a59e96b48)
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes breakage in a few fate tests on certain setups
(that for some reason didn't break on OS X) after the previous
commit (8812a8057). Currently, some video streams are initialized
in ff_MPV_common_init with width/height set at 0 and only changed
to a proper video size with ff_MPV_common_frame_size_change later.
The breakage was diagnosed by Anton Khirnov.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5f24fe82e5fcf227abb5ebf62aa9bc246fda8c0d)
Signed-off-by: Martin Storsjö <martin@martin.st>
If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)
This is required, since invalid parameters actually could
pass the switch check below.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)
This fixes reads out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/pcx.c
We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Previously, we returned 0, meaning successful decoding but 0
bytes consumed, leading to an infinite loop.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9fb0de86b49e9fb0709a8ad1e1875e35da841887)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
If the input buffer contains more data after the deflate stream,
the loop previously left running infinitely, with inflate returning
Z_STREAM_END.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a81cad8f86d1feb7e4bfae29e43f3e994935a5c7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
In lpc_prediction(), we write up to array element 'lpc_order' in
an array allocated to hold 'max_samples_per_frame' elements.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 59480abce7e4238e22b3a4a904a9fe6abf4e4188)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Previously, s->context_initialized was left set to 1
if ff_vc1_decode_init_alloc_tables failed, skipping the
initialization completely on the next decode call.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b772b0e28eba6abf76d86ee8c6e459a86642db5a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This is similar to the fix in 35cbc98b.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e9d61de96c113ee0ef8082833c7e682df0e23eec)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The init function reads one byte of extradata.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f50803354c6acb4575379d7c54ca48ec5d36dd61)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This avoids crashes when initializing the range coder for
the first slice context.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b1db33159fdc2da4bdd8c75e4ff9a7dd0ef2f0c2)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This is similar to an existing check for the second-last frame
from 062421e3.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit ea78a348d86a3a733f6c1e0a65cfdd8283d924b9)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/eacmv.c
This avoids a potential division by zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f875a732e36786d49f3650e3235272891a820600)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Also pass on any returned error code.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 1115689d54ea95a084421f5a182b8dc56cbff978)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/svq3.c
Also don't pointlessly set the buffer size to 1 after copying
one packet.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* qatar/release/9:
Update Changelog
Prepare for 9.9 RELEASE
lavf: fix the comparison in an overflow check
dv: Add a guard to not overread the ppcm array
nuv: check ff_rtjpeg_decode_frame_yuv420 return value
Conflicts:
Changelog
RELEASE
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a4e70918316c6d1423e559aad15823a5e0453fcf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 164b67ca281fa5a47b965a858c7783aa547091b8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Currently all uses of the emu edge code as well as the code itself
assume int linesize
changing some but not changing all would introduce a security issue
once all use this typedef a simple search and replace can be
done to switch them all to ptrdiff_t
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2ffead98ddd384f61cdf6b1cb3f36592f54cd34a)
Conflicts:
libavcodec/videodsp.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
