Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 695af8eed642ff0104834495652d1ee784a4c14d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Without any correctly decoded slices, there can be no frame.
Fixes out of array reads
Found-by: Rafaël Carré
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 60af6c3138dc501a647bc69b374d5d33d5d86ab5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The existing checks are insufficient to detect a pixel format
changes in case of some damaged streams.
Fixes inconsistency and later out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 11c99c78bafa77f679a1a3ba06ad00984b9a4cae)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevent out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c10350358da58600884292c08a8690289b81de29)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This prevents a buffer overflow in rle_decode()
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7357ca900efcf829de4cce4cec6ddc286526d417)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes vlc decoding for hypothetical files that would contain such cases.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/9:
arm: vp8: Fix the plain-armv6 version of vp8_luma_dc_wht
Prepare for 9.2 Release
lavr: call mix_function_init() in ff_audio_mix_set_matrix()
rtpenc_chain: Use the original AVFormatContext for getting payload type
rtp: Make sure the output format pointer is set
Conflicts:
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '62de693a17f9b107be7867d822d5accacd4be544':
rtp: Make sure priv_data is set before reading it
videodsp_armv5te: remove #if HAVE_ARMV5TE_EXTERNAL
get_bits: change the failure condition in init_get_bits
mpegvideo: fix loop condition in draw_line()
Conflicts:
libavcodec/get_bits.h
libavcodec/mpegvideo.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This makes the plain-armv6 version use the same registers as the
armv6t2 version above.
This fixes fate-vp8 on plain-armv6 devices.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2026eb1408a718c37835eb4b258c63714ab3205e)
Signed-off-by: Martin Storsjö <martin@martin.st>
The fps is stored as a 8 bit value thus 255 is the maximum encodable.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 55d66b27902d3f566cd6cf6f08d4233dcdc338f5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part of Ticket2045
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9362f31b55510142eefa6d0cc26013a30bd4fc51)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes part of Ticket2045
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bee044d7c261a9e488ee14705814361694b9acdb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Avoids integer overflows and out of array accesses.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 49b729d3af8464de431362e6c5b3027102bc2f88)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The check `start + res < start' is broken since pointer overflow is
undefined behavior in C. Many compilers such as gcc/clang optimize
away this check.
Use `res > end - start' instead. Also change `res' to unsigned int
to avoid signed left-shift overflow.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2f014567cfd63e58156f60666f1a61ba147276ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c6b0409af070a3bfb02b55fde8ba18219edc76b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Karcher <ffmpeg@mkarcher.dialup.fu-berlin.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dcbb920f1587d1fce777aae947a49304665436b5)
This is needed if a custom matrix is set by the user after opening the
AVAudioResampleContext because the matrix channel count can change if
different mixing coefficients are used.
CC:libav-stable@libav.org
(cherry picked from commit f07ef2d9c9e9d1e84c532e9102594834e88a5c83)
Conflicts:
libavresample/audio_mix.c
In ff_rtp_get_payload_type, the AVFormatContext is used for checking
whether the payload_type or rtpflags options are set. In rtpenc_chain,
the rtpctx struct is a newly initialized struct where no options have
been set yet, so no options can be fetched from there.
All muxers that internally chain rtp muxers have the "rtpflags" field
that allows passing such options on (which is how this worked before
8034130e06), so this works just as intended.
This makes it possible to produce H263 in RFC2190 format with chained
RTP muxers.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4a4a7e138c92901e04db46a6b05cc6948023e5f5)
Signed-off-by: Martin Storsjö <martin@martin.st>
Not sure if this actually happens, but we do the same check when
checking payload_type further above in the function, so it might
be needed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 932117171f32fc3160f3d92943290238945fcb28)
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes crashes with muxing H263 into RTSP.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e90820d4f815c15796e642467cdddbad755212a2)
Signed-off-by: Martin Storsjö <martin@martin.st>
This reverts 312645e :
"Do not set codec_tag property for matroska muxers."
Also adds dummy codec_tag lists with codecs
supported in mkv but not in wav / avi.
Fixes ticket #2169.
(cherry picked from commit df39c3ce385c02cbd8046298578ea7454c0a0f81)
libavutil/arm/asm.S sets '.arch' depending on HAVE_ARMV5TE so that
assembling armv5te code will always succeed even if the default -march
flag does not support it. HAVE_ARMV5TE_EXTERNAL tests assembling code
with the default arch.
Fixes the missing symbol ff_prefetch_arm with --cpu= not including
armv5te.
CC: libav-stable@libav.org
Too much code relies in having init_get_bits fed with a valid
buffer and set its dimension to 0.
Check for NULL buffer instead.
(cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The loop condition `x = ex' is incorrect. It should be `x <= ex'.
This bug was introduced in commit c65dfac4 "mpegvideo.c: K&R formatting
and cosmetics."
CC:libav-stable@libav.org
(cherry picked from commit 992b03183819553a73b4f870a710ef500b4eb6d0)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7980cca05c7c72fc8b0be4268eea2e156e538228)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 153fad14e5a2f85637aa6c254ced0fc1c68974e2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ac73d3a12a33c5e4e6357d5f8824e19801663eb5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes state becoming inconsistent
Fixes a null pointer dereference
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 25160236957647d81e8beecd6c8fb7f1949fc26e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
