in the latest git commits of libilbc developers removed WebRtc_xxx typedefs
This commit uses int types instead,
it's safe to apply also for previous versions since
WebRtc_Word16 was always a typedef of int16_t and
WebRtc_UWord16 a typedef of uint16_t
Reviewed-by: Timothy Gu <timothygu99@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 59af5383c18c8cf3fe2a4b5cc1ebf2f3300bdfe5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Buffers containing copies of the AAC and AC3 header bits were not padded
before parsing, violating init_get_bits() buffer padding requirement,
leading to potential buffer read overflows.
This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer
for parsing the header in each of aac_parser.c and ac3_parser.c.
Based on patch by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The allocation didn't account for headers, that can be easily 79 bytes.
As a result, buffers allocated for a few samples (e.g. 5 in the original
bug) could be undersized.
Fixed ticket #2881.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2ba58bec20b0039ccc40cfba59af6d56de16e8b1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 11a39bdf534a4ead634b4a593c66ebf756910b9b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also undo the changes to ra144enc.c from previous commits.
Should fix ticket #3429
Signed-off-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9e0e1f9067430de1655a7b28536b5afed48bded5)
Conflicts:
libavcodec/ra144enc.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See https://code.google.com/p/webp/issues/detail?id=206
for a description of the problem/fix.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This patch makes the decoder follow the recommendation of the spec.
There is some disagreement (see "[FFmpeg-devel] [PATCH]: libavcodec/webp")
about what would be best to be written in the spec, so in case the spec
is changed again, this potentially would need to be amended or reverted
(cherry picked from commit 4fd21d58a72c38ab63c3a4483b420db260fa7b8d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: ubitux
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cfce6f7efd28130bf0dd409b2367ca0f8c9b2417)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The function otherwise would initialize the context without setting context_initialized
alternatively we could set context_initialized
Fixes valgrind anomalies related to ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0d0f7f0ba43f64312ae4a05d97afecf1b7b1330c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2762323c37511fbbc98b164c07620b9ebc59ec68)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3923
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 033a5334badd8af48f13c6fd1e6827f8e3f2c2f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket3869
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3fe9e7be4c70c8fccdcd56fd19276e668cfb7de8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If the initial max_slice_size is 0 then reallocation is disabled for the first
slice.
Reviewed-by: Christophe Gisquet <christophe.gisquet@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 76a8cb9d7bcc12a8f1cedcb4c23bbb6391a4c56c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The picture slot can be recycled by select_input_picture and
only current_picture is populated with the valid pts.
Unbreak timestamps when in cbr mode.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 1c7b71a5bdb88ebb69734100405bbb5441b871e8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/mpegvideo_enc.c
* commit '8231764784a405f546e9c427a6de22d3f4de5c35':
ffv1dec: check that global parameters do not change in version 0/1
Conflicts:
libavcodec/ffv1dec.c
See: b05cd1ea7e45a836f7f6071a716c38bb30326e0f
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The packet buffer allocation considers the alpha channel as DCT-coded,
while it is actually run-coded and thus requires a larger buffer.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 41e1354c101004ccd46dc08d3dd6e956e83a6b51)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The buffer allocation may be incorrect (e.g. with an alpha plane),
and currently causes the buffer to be set to NULL by init_put_bits,
causing a crash later on.
So, detect that situation, and if detected, reallocate the buffer
and ask for a sample that shows the problem.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 45ce880a9b3e50cfa088f111dffaf8685bd7bc6b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
If the allocated size, despite best efforts, is too small, exit
with the appropriate error.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 58b68e4fdea22e22178e237bda950b09cc6f363a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The packet buffer allocation considered as dct-coded, while it is
actually run-coded and thus requires a larger buffer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 117bc8e6ffc744fedcf77edf2fdb33c964b83370)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Such changes are neither allowed nor supported
Found-by: ami_stuff
Bug-Id: CVE-2013-7020
CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da7d839a0d3ec40423a665dc85e0cfaed3f92eb8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If the allocated size, despite best efforts, is too small, exit
with the appropriate error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 52b81ff4635c077b2bc8b8d3637d933b6629d803)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bf10f09bccdcfdb41b9f5bbae01d55961bfd0693)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes: snowf.avi
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9a162146ca6cc12ef7ad4a15164349482885962c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3539d6c63a16e1b2874bb037a86f317449c58770)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Add padding, clear size, use the correct pointer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4213fc5b9eebec53c7d22b770c3f1ceecca1c113)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '18f48e05a22a73a389fb3ab4b3eaf78903bab5ef':
cdgraphics: do not return 0 from the decode function
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The input data must remain constant, make a copy instead. This is in
theory a performance hit, but since I failed to find any samples
using this feature, this should not matter in practice.
Also, check the size of the header, avoiding invalid reads on truncated
data.
CC:libav-stable@libav.org
(cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
0 means no data consumed, so it can trigger an infinite loop in the
caller.
CC:libav-stable@libav.org
(cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Found-by: CSA
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e706fe764049b3f1ccf10ba9f686426a4c007906)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bcc898dd2643c883522ffa565be4b226ce798c78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81c1657a593b1c0f8e46fca00ead1d30ee1cd418)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
