Found-by: ubitux
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cfce6f7efd28130bf0dd409b2367ca0f8c9b2417)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The function otherwise would initialize the context without setting context_initialized
alternatively we could set context_initialized
Fixes valgrind anomalies related to ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0d0f7f0ba43f64312ae4a05d97afecf1b7b1330c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2762323c37511fbbc98b164c07620b9ebc59ec68)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3923
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 033a5334badd8af48f13c6fd1e6827f8e3f2c2f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3869
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3fe9e7be4c70c8fccdcd56fd19276e668cfb7de8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If the initial max_slice_size is 0 then reallocation is disabled for the first
slice.
Reviewed-by: Christophe Gisquet <christophe.gisquet@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 76a8cb9d7bcc12a8f1cedcb4c23bbb6391a4c56c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The picture slot can be recycled by select_input_picture and
only current_picture is populated with the valid pts.
Unbreak timestamps when in cbr mode.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 1c7b71a5bdb88ebb69734100405bbb5441b871e8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/mpegvideo_enc.c
* commit '8231764784a405f546e9c427a6de22d3f4de5c35':
ffv1dec: check that global parameters do not change in version 0/1
Conflicts:
libavcodec/ffv1dec.c
See: b05cd1ea7e45a836f7f6071a716c38bb30326e0f
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The packet buffer allocation considers the alpha channel as DCT-coded,
while it is actually run-coded and thus requires a larger buffer.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 41e1354c101004ccd46dc08d3dd6e956e83a6b51)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The buffer allocation may be incorrect (e.g. with an alpha plane),
and currently causes the buffer to be set to NULL by init_put_bits,
causing a crash later on.
So, detect that situation, and if detected, reallocate the buffer
and ask for a sample that shows the problem.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 45ce880a9b3e50cfa088f111dffaf8685bd7bc6b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
If the allocated size, despite best efforts, is too small, exit
with the appropriate error.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 58b68e4fdea22e22178e237bda950b09cc6f363a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The packet buffer allocation considered as dct-coded, while it is
actually run-coded and thus requires a larger buffer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 117bc8e6ffc744fedcf77edf2fdb33c964b83370)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such changes are neither allowed nor supported
Found-by: ami_stuff
Bug-Id: CVE-2013-7020
CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da7d839a0d3ec40423a665dc85e0cfaed3f92eb8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If the allocated size, despite best efforts, is too small, exit
with the appropriate error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 52b81ff4635c077b2bc8b8d3637d933b6629d803)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bf10f09bccdcfdb41b9f5bbae01d55961bfd0693)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes: snowf.avi
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9a162146ca6cc12ef7ad4a15164349482885962c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3539d6c63a16e1b2874bb037a86f317449c58770)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Add padding, clear size, use the correct pointer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4213fc5b9eebec53c7d22b770c3f1ceecca1c113)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '18f48e05a22a73a389fb3ab4b3eaf78903bab5ef':
cdgraphics: do not return 0 from the decode function
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
0 means no data consumed, so it can trigger an infinite loop in the
caller.
CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Found-by: CSA
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e706fe764049b3f1ccf10ba9f686426a4c007906)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bcc898dd2643c883522ffa565be4b226ce798c78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81c1657a593b1c0f8e46fca00ead1d30ee1cd418)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes a infinite loop
Fixes Ticket3804
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cfdb30d2f1241de9354a8efdbf8252d0f1a6f933)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3809
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f95298c913899207344d668a6d5624cb2d2e480c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0782fb6bcb32fe3ab956a99af4cc472ff81da0c2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If there are consecutive IDR pictures, then SPS/PPS should be prepended
to all of them, not only the first one.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bf428bb3145c4f0eef32f8ef00de0ee222b3e414)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This simplifies the management of current_sps
Fixes Ticket3458
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 880dbe43ca71982ecdfe1c73446137d6b2fd24d5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0fc2045d5f4eab35d943a79c3d965a2f31361f48)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes leaving a pointer to unreferenced memory
Fixes Ticket 3115
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ccd6911c189d2f974dcc4095c963dfad14d703d2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
