Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)
Fixes invalid reads when the first frame is not an I-frame.
CC:libav-stable@libav.org
(cherry picked from commit 7b89cd20d844cbe763ca34e63e99d110043cf241)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
It got broken in 0f13cd3187192ba0cc2b043430de6e279e7b97c3.
CC:libav-stable@libav.org
(cherry picked from commit d243896987b8b2062d1faba4d8d6f0c62d2dbee9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When there is just 1 byte remanining in the buffer, nothing will be read
and the loop will continue forever. Check that there are at least 8
bytes, which are always read at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit 3e2f200237af977b9253b0aff121eee27bcedb44)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.
CC:libav-stable@libav.org
(cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When parsing the Xing/Info tag, don't set the bit rate if it's an Info tag.
When parsing the stream, don't override the bit rate if it's already set,
otherwise calculate the mean bit rate from parsed frames. This way, the bit
rate will be set correctly both for CBR and VBR streams.
CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit eae0879d961b78717dd2a0899809ad22819ae9e3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.
CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decoder assumes a single bit depth for all the planes
while the specification allows different bit depths for luma
and chroma.
Avoid the possible problems described in CVE-2013-2277
CC: libav-stable@libav.org
(cherry picked from commit 4987faee78b9869f8f4646b8dd971d459df218a5)
Conflicts:
libavcodec/h264.c
This prevents various values from becoming stuck at NAN and
output to become silent
If someone knows a cleaner solution, thats welcome!
Fixes Ticket2335
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8978c743fb1d1f5a0d6dbdd83ff05817f8a41230)
The IIR filter numerically diverges in such cases, this could easily be
fixed but would make the filter slower on some platforms
Fixes Ticket2246
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fee5da6b0a79bed9dc849f216b6da1e03132b668)
Fix linking failures with -all_load due to multiple log2_tabs
Signed-off-by: Carl Eugen Hoyos <cehoyos@ag.or.at>
(cherry picked from commit 03148fd1743fca98c2f4b5920b796f381e820045)
* qatar/release/9:
update Changelog
h264: set ref_count to 0 for intra slices.
h264: on reference overflow, reset the reference count to 0, not 1.
flvdec: Check the return value of a malloc
Conflicts:
Changelog
libavcodec/h264.c
libavformat/flvdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
CC:libav-stable@libav.org
(cherry picked from commit 437211ae73ef1ed8285b4fed7620502ea4999e11)
Fixes deadlocks waiting for non-existing references with some fuzzed files.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Since decode_slice_header() returns before the reference lists are
constructed, there are zero valid references.
CC:libav-stable@libav.org
(cherry picked from commit 668e16a0dd1ff56d4beeff5c658d8a2a08dbfac8)
Conflicts:
libavcodec/h264.c
The specification does not prevent an encoder to write the amplitude 0
as 0 amplitude_bits.
Our get_bits() implementation might not support a zero sized read
properly, thus the additional branch.
(cherry picked from commit 23bd9ef4b209c789d5473d75f89a2e411d343d80)
Conflicts:
libavcodec/vorbisdec.c
The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.
CVE-2013-0894
CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Rate and order must not be 0 even if the specification does not say that
explicitly.
(cherry picked from commit 5b47c19bfda92273ae49e83db26a565afcaed80a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Damaged frames can lead to a mismatch, which can cause a segfault
due to using an incorrect channel mapping.
CC:libav-stable@libav.org
(cherry picked from commit d7c450436fcb9d3ecf59884a574e7684183e753d)
Conflicts:
libavcodec/ac3dec.c
Fixes Ticket1918
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6f77122bf5712da1d860a0ad7174181fd0bcffd9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/9:
doc: developer: Allow tabs in the vim configuration for Automake files
doc: filters: Correct BNF FILTER description
Prepare for 9.3 Release
update Changelog
cavs: initialize various context tables to 0
4xm: check the return value of read_huffman_tables().
qtrle: add more checks against pixel_ptr being negative.
mlpdec: do not try to allocate a zero-sized output buffer.
av_memcpy_backptr: avoid an infinite loop for back = 0
flicvideo: avoid an infinite loop in byte run compression
lagarith: avoid infinite loop in lag_rac_refill()
mov: use the format context for logging.
loco: check that there is data left after decoding a plane.
update Changelog
x86: h264: Don't use redzone in AVX h264_deblock on Win64
Conflicts:
Changelog
RELEASE
libavcodec/4xm.c
libavcodec/loco.c
libavcodec/qtrle.c
libavutil/mem.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
When byte_run is 0, pixel_countdown is not touched and the loop will run
forever.
CC:libav-stable@libav.org
(cherry picked from commit ddfe1246d98f70cdce368a2176196ba26ed7bf2d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Thanks-to: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 82a4a4e7caa96cea9aa2185c4c3110a5e9fde7c2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bdeb61ccc67911cfc5e20c7cfb1312d0501ca90a)
Conflicts:
libavcodec/h264_ps.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8a6449167a6da8cb747cfe3502ae86ffaac2ed48)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes crashes in chromium on win64 on machines with AVX
(crashes that apparently aren't triggered by fate).
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 311443f6c7eb230276e320f2d30a5d729cf32b76)
Signed-off-by: Martin Storsjö <martin@martin.st>
* qatar/release/9:
doc: Fix some obsolete references to av* tools as ff* tools
vqavideo: check chunk sizes before reading chunks
roqvideodec: check dimensions validity
qdm2: check array index before use, fix out of array accesses
mpegvideo: Do REBASE_PICTURE with byte pointers
Conflicts:
libavcodec/qdm2.c
libavcodec/roqvideodec.c
libavcodec/vqavideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
REBASE_PICTURE (more specifically, this half of it) takes a Picture
pointer that points into one larger struct, finds the offset of
that Picture within the struct and finds the corresponding field
within another instance of a similar struct.
The pointer difference "pic - (Picture*)old_ctx" is a value given
in sizeof(Picture) units, and when applied back on
(Picture*)new_ctx gets multiplied back with sizeof(Picture). Many
compilers seem to optimize out this division/multiplication, but
not all do.
GCC 4.2 on OS X doesn't seem to remove the division/multiplication,
therefore the new pointer didn't turn out to point to exactly
the right place in the new struct since it only had sizeof(Picture)
granularity (and the Picture is not aligned on a sizeof(Picture)
boundary within the encompassing struct). This bug has been present
before 47318953d as well - with H264, pointers to h->ref_list[0][0]
pointed to 88 bytes before h->ref_list[0][0] after the rebase. After
shrinking Picture, the difference ended up even larger, making
writes via such a Picture pointer overwrite other fields at random
in H264Context, ending up in crashes later.
This fixes H264 multithreaded decoding on OS X with GCC 4.2.
Fixes Bug: #439
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a65f965c04bfa27adedc0409c14cc05903f483d0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e1219cdaf9fb4bc8cea410e1caf802373c1bfe51)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
