as this kind of allows to circumvent it to some extent.
We also could add a separate parameter or value to choose this
Found-by: ramiro
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e4d0498df6621143da1a550006ddc3526ad51cb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 21a53dd08dce7cc5b3fdf9c4826b4b74d8300ea0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The previous code assumed if an atom was marked with a 64-bit
size extension, it actually had that data available. The new
code verifies there's enough data in the atom for this to be
done.
Failure to verify causes total_size > atom.size which will
result in negative size calculations later on.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
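
The check described in the commit message above, as an added C example (not the FFmpeg code and not part of the commit): a child atom header parser that refuses a 64-bit size extension when the parent atom does not hold the 8 extra bytes, and rejects sizes that would make the payload length negative. All names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not FFmpeg's API. */
typedef struct { uint32_t type; int64_t header_len, payload_len; } ChildAtom;

static uint32_t rb32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static uint64_t rb64(const uint8_t *p)
{
    return (uint64_t)rb32(p) << 32 | rb32(p + 4);
}

/* Parse the child atom header at offset pos inside a parent atom of
 * parent_size bytes. Returns 0 on success, -1 if the header is malformed. */
int parse_child_header(const uint8_t *buf, int64_t parent_size, int64_t pos,
                       ChildAtom *out)
{
    uint64_t size;

    if (pos < 0 || parent_size - pos < 8)
        return -1;                 /* no room for 32-bit size + type */
    size = rb32(buf + pos);
    out->type = rb32(buf + pos + 4);
    out->header_len = 8;
    if (size == 1) {               /* 64-bit size extension flagged */
        if (parent_size - pos < 16)
            return -1;             /* flag set, but the 8 bytes are not there */
        size = rb64(buf + pos + 8);
        out->header_len = 16;
    }
    /* Size 0 ("to end of file") is rejected here to keep the example small. */
    if (size < (uint64_t)out->header_len || size > (uint64_t)(parent_size - pos))
        return -1;                 /* payload length would go negative */
    out->payload_len = (int64_t)size - out->header_len;
    return 0;
}

/* Constructed sample inputs: one truncated, one well-formed. */
static const uint8_t truncated_ext[12] = { 0,0,0,1, 'f','r','e','e', 0,0,0,0 };
static const uint8_t valid_ext[20] = { 0,0,0,1, 'm','d','a','t',
                                       0,0,0,0,0,0,0,20, 0xAA,0xBB,0xCC,0xDD };

int main(void)
{
    ChildAtom a;
    printf("truncated: %d\n", parse_child_header(truncated_ext, 12, 0, &a));
    printf("valid:     %d\n", parse_child_header(valid_ext, 20, 0, &a));
    return 0;
}
```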
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
which contains more fixes but is unfinished
Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b5d11240692025f036e945bc37968735679320a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes playback of some AAC streams, which are otherwise mangled by the
parser, and stss is typically only valid for video anyway.
Fixes a regression since e41ea866.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 019247bdc326a90bf20d3ce5d2413cc642e8bb08)
Fixes out of array read
Fixes: signal_sigsegv_6f1855_3910_avid_test_alpha.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a7f27453f64d9020b92b01687baeb5909c6cdad0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b698542ad83284fbb8c22404e3cafeb2dd739d38':
mov: Don't allocate arrays with av_malloc that will be realloced
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'c231987662194d009dd91bfc57c678e0e70ca161':
mov: Make sure the read sample count is nonnegative
Conflicts:
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This avoids setting a negative number of frames, ending up with a
negative average frame rate.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
When av_reallocp fails, the associated variables that keep track of
the number of elements in the array (and in some cases, the
separate number of allocated elements) need to be reset.
Not all of these might technically be needed, but it's better to
reset them if in doubt, to make sure variables don't end up
conflicting.
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '7f8d41eb097e8d4223c9caf97dd332a2fdb29d52':
mov: Don't use a negative duration for setting other fields
Conflicts:
libavformat/mov.c
See: 87d073eaccc00ef2909445ae4b25128c440d9efa
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Some files have the duration set to -1 in the mdhd atom, more
or less legitimately. (We produce such files ourselves, for the
initial duration in fragmented mp4 files.)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '08504380ddf25d6905e189e9bf52e7a4c771a415':
mov: Refactor codec specific final steps in mov_finalize_stsd_codec
Conflicts:
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'dc518a3ae21e7b6420131b813cfc6bcdcad26b7e':
mov: Refactor subtitle specific parsing in mov_parse_stsd_subtitle
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a3b53ff062eaccdaa28964899c63520ef2978c2e':
mov: Refactor video specific parsing in mov_parse_stsd_video
Conflicts:
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1f70a5ad284b33e8b3e2b40a5cb33055419781b7':
mov: use tkhd enabled flag to set the default track
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '31931520df35a6f9606fe8293c8a39e2d1fabedf':
mov: Do not allow updating the time scale after it has been set
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5b4eb243bce10a3e8345401a353749e0414c54ca':
mov: Seek back if overreading an individual atom
Conflicts:
libavformat/mov.c
See: 6093960ae35c8d69c559b5604f683c2ea3f279ca
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The time scale is set in mdhd, and later validated in the
enclosing trak atom once all of its children have been parsed.
A loose mdhd atom outside of a trak atom could update the time
scale of the last stream without any validation.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>