30339 Commits

Author SHA1 Message Date
Andreas Cadhalpun
ae1156ef2a mpegvideo: clear overread in clear_context
Otherwise the h263p decoder can try to copy overread bytes, even though
buffer is NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6a69a175e7b5c5393528ed0f5753e41573fa0df2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:18 +01:00
Andreas Cadhalpun
aa464dc041 dvdsubdec: validate offset2 similar to offset1
If it is negative, it causes segmentation faults in decode_rle.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f621749d1181987b3f815c6766ea66d6c5d55198)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:18 +01:00
Michael Niedermayer
372ded7f69 avcodec/takdec: Use memove, avoid undefined memcpy() use
Fixes: e214333cbd94c91228e624ff39329ce6/asan_generic_4a5159_6412_96cda2530e80607210ab41ccae3d456d.tak

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7cea3430a56fb0ff6ef60f08620fd3875e7bfeb6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Michael Niedermayer
2ccab79595 avcodec/mpeg12dec: Do not call show_bits() with invalid bits
Fixes assertion failure
Fixes: 63e50545709a6440d3d59f6426d58db9/signal_sigabrt_7ffff6ae7cc9_8189_3272a3010fd98ddf947c662bbde1ac13.ts

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 973c3dba27d0b1a88c70f6661b6a90d2f2e50665)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Kieran Kunhya
458b1fda34 opusdec: Don't run vector_fmul_scalar on zero length arrays
Fixes crashes on fuzzed files
Fixes Ticket4969 part2

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b3e5f15b95f04a35821f63f6fd89ddd60f666a59)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Michael Niedermayer
5ed5acb910 avcodec/opusdec: Fix extra samples read index
Fixes crash
Fixes Ticket4969 part 1

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 07225fa74f2cdb29d6d85fd33675539bfdfe9ea5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
ba944121e2 imc: use correct position for flcoeffs2 calculation
flcoeffs2[pos] should be the log2 of flcoeffs1[pos].
flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf,
causing problems further down.

This seems to have been copied from imc_decode_level_coefficients in
commit 4eb4bb3 without updating the position.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 75fd5ce4c1c0b2d96d71c74b650cefaaef519d27)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
6f024dfd53 snow: remove an obsolete av_assert2
It asserts that the frame linesize is larger than 37, but it can be
smaller and decoding such frames works.

Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the
blocks were interleaved in the tmp buffer and the last block was added
with an offset of 6*MB_SIZE.
It was changed for src_stride <= 7*MB_SIZE to write the blocks
sequentially, hence the larger tmp_step.
After that the assert was only necessary to make sure that the buffer
remained large enough.
Since commit bd2b6b33 s->scratchbuf is used as tmp buffer.
As part of commit 86e107a7 the minimal scratchbuf size was increased to
256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE.

Also add a comment explaining the tmp_step calculation.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3526a120f92929cb0a4009e403ee2f141030c487)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
910df0f871 wavpack: limit extra_bits to 32 and use get_bits_long
More than 32 bits can't be stored in an integer and get_bits should not
be used with more than 25 bits.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d0eff8857ceff2601f85037c930cbe61a88b611e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
31ae0693d8 huffyuvdec: validate image size
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9a345802edf7f430b3335f486aecdd8552f8367b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
4410505b42 wavpack: use get_bits_long to read up to 32 bits
get_bits should not be used for more than 25 bits.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9883a669c3df05a5c453428e080298c6511a17e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
7bd9ae4afb s302m: fix arithmetic exception
If nb_samples is zero, the bit_rate calculation results in a division by
zero.

Since ff_get_buffer fails if frame->nb_samples is zero, this can be
fixed by moving the bit_rate calculation after that function call.

That also makes it possible to reuse the already calculated
frame->nb_samples value.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
554dffb35f mpegaudiodec: copy AVFloatDSPContext from first context to all contexts
This fixes a segfault when decoding multi-channel MP3onMP4 files.

This is similar to commit cb72230d for MPADSPContext.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 151dbe4579601a81662b4b366d0e10df3c00027a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Andreas Cadhalpun
6e288d5274 vc1dec: use get_bits_long and limit the read bits to 32
get_bits should not be used with more than 25 bits.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1f1e0a2971b2a01f275bb5088c2e36166514be64)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Michael Niedermayer
46a7fe2417 avcodec/s302m: Only set the sample rate when some data is output
This way ffplay chooses the mp2 stream for Ticket3890

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 802cca5905abe1fe8392e85a812462b959889aaa)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:17 +01:00
Ronald S. Bultje
d837407ae0 vp9: add support for resolution changes in inter frames.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8b4f6d6befc5062db74916ea8a4d830e83022a8)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:16 +01:00
wm4
f3e33608a5 vp9: avoid infinite loop with broken files
With a certain fuzzed file, the parser will always return 0 consumed
bytes, which makes calling code call the parser infinitely. Return the
full packet size on error instead. (Here it would be nice if parsers
could return errors at all.)

Additionally, _if_ there's some data left, return that too, which might
help with somewhat broken but still somehow playable files.

Fixes ticket #4242.

Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 09b4ad15681be197fff8c57ce7c988a4718d6e03)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-11-26 01:38:13 +01:00
Ronald S. Bultje
d3af86c867 videodsp: don't overread edges in vfix3 emu_edge.
Fixes trac ticket 3226. Also see Andreas' analysis in
https://bugs.debian.org/801745, which was very helpful.
(cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209)
2015-10-25 01:20:42 +02:00
Hendrik Leppkes
4edb236c49 hevc: properly handle no_rasl_output_flag when removing pictures from the DPB
Fixes ticket #4185.

Reviewed-By: Mickael Raulet <Mickael.Raulet@insa-rennes.fr>
Signed-off-by: Hendrik Leppkes <h.leppkes@gmail.com>
(cherry picked from commit 0118158efa8e45761f9f65a3bb74f33907bd2aec)
2015-10-09 22:09:54 +02:00
Ronald S. Bultje
f085ce3265 hevc: fix wpp threading deadlock.
Fixes ticket 4258.
(cherry picked from commit 74e4948235bc8f8946eeca20525258bbf383f75d)
2015-10-09 22:08:46 +02:00
Michael Niedermayer
6e629b0b66 avcodec/ffv1: seperate slice_count from max_slice_count
Fix segfault with too large slice_count
Fixes Ticket4879

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568)

Conflicts:
	libavcodec/ffv1enc.c
	libavcodec/ffv1.c
2015-10-09 22:07:46 +02:00
wm4
f5ce1a7626 avcodec/mp3: fix skipping zeros
Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3
packets. This code forgot to report to the user that data was skipped at
all.

Since audio codecs allow partial packet decoding, the user application
has to rely on the return value. It will remove the data reported as
consumed by the decoder, and feed it to the decoder again. This resulted
in the mp3 frame after the zero region to be decoded over and over
again, until the zero region was finally skipped by the application.

Fix this by including the amount of skipped bytes to the number of
consumed bytes returned by the decode call.

Fixes trac ticket #4890.
(cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d)
2015-10-09 22:07:11 +02:00
Michael Niedermayer
5b41bb29d7 avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check
Fixes Ticket4778

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-21 03:40:15 +02:00
Michael Niedermayer
ac3358d73a avcodec/flashsvenc: Correct max dimension in error message
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1f59bb6606721ef5eeade4ada541630d51510fe)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:28 +02:00
Michael Niedermayer
eac75d405b avcodec/svq1enc: Check dimensions
Fixes assertion failure

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 88fe45e0fe379d7ea86c8ac1e1e8cf2c3f62389f)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:28 +02:00
Michael Niedermayer
595af5a036 avcodec/dcaenc: clear bitstream end
This avoids leaving uninitialized bits in the output

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e322b7061f873e8fd33b9e518caa19b87616a528)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:28 +02:00
Emanuel Czirai
33629ff60f libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame()
related to ticket4749

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ab1c57a64b629455805d7fa74a8a20c689fc1f6)

Conflicts:

	libavcodec/aacdec_template.c
(cherry picked from commit dabb6dd98af52a22a922bca4a9196acf68b084dd)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:28 +02:00
Michael Niedermayer
d2b0aae5e1 avcodec/vp8: Check buffer size in vp8_decode_frame_header()
avoids null pointer dereference
Fixes: signal_sigsegv_d5de40_964_vp80-00-comprehensive-010.ivf with memlimit of 1048576

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 599d746e07319dc792ed2e511b666fe482f1ff88)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:28 +02:00
Michael Niedermayer
8fe79605fd avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free()
Fixes: signal_sigsegv_d5de23_967_vp80_00_comprehensive_010.ivf with memlimit 524288

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a84f0e8d8f293df3c535f9b893730a835bed6520)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
7ae349a324 avcodec/diracdec: Check for hpel_base allocation failure
Fixes null pointer dereference
Fixes: signal_sigsegv_b02a96_280_RL_420p_ffdirac.drc with memlimit of 67108864

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c5b712c0a643a039d6f34269b4102de313a050a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
24f1698758 avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
Avoids leaving stale pointers
Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
e3bacdbaad avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case
Fixes: b4b47bc2b3fb7ca710bfffe5aa969e37_signal_sigabrt_7ffff70eccc9_744_nc_sample2.avi with memlimit of 4194304

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f1a38264f20382731cf2cc75fdd98f4c9a84a626)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
bd5cf1dd8f avcodec/pthread_frame: check avctx on deallocation
Fixes null pointer dereferences
Fixes: af1a5a33e67e479f439239097bd0d4fd_signal_sigsegv_7ffff713351a_152_Dolby_Rain_Logo.pmp with memlimit of 8388608

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5d346feafa817c4fbc30f7ed0b93b2dad6cef15b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
f78573466d avcodec/sanm: Reset sizes in destroy_buffers()
Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
41fba53525 avcodec/alac: Clear pointers in allocate_buffers()
Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f7068bf277a37479aecde2832208d820682b35e6)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Anton Khirnov
a23a6bf06b bytestream2: set the reader to the end when reading more than available
This prevents possible infinite loops with the calling code along the
lines of while (bytestream2_get_bytes_left()) { ... }, where the reader
does not advance.

CC: libav-stable@libav.org
(cherry picked from commit 86eee85daddb682fa072c2e2657c90a514b855e3)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
cbc5d2bf30 avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264
Fixes Assertion failure
Found-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7ef6656b1e5bfbc7499013d3b38b093b6b2f31ec)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
c58b0d981e avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()
This ensures that no stale pointers leak through on any path

Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b160fc290cf49b516c5b6ee0730fd9da7fc623b1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:27 +02:00
Andreas Cadhalpun
9463930faf wmalosslessdec: reset frame->nb_samples on packet loss
Otherwise a frame with non-zero nb_samples but without any data can be
returned.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 42e7a5b3c704985c2c18970cc94a837b413df9d9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:27 +02:00
Andreas Cadhalpun
9e52f6b986 wmalosslessdec: avoid reading 0 bits with get_bits
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9020d514e9ed5043496a710b36daba1ab182e97)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:27 +02:00
Michael Niedermayer
7ecaa736e7 avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2()
the later is not optimal when the buffer size is well known at allocation time

This avoids a memcpy()
Overall 2.5% speedup with a random 1920x1080 video

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 47496eb97cff8130991313d1b7292613620d8592)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:26 +02:00
Michael Niedermayer
7fdc2ba3d4 avcodec/aacsbr: Assert that bs_num_env is positive
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2e13a45b1a9a69456631e582bbb06954d169eb55)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:26 +02:00
Michael Niedermayer
514d0e29c8 avcodec/aacsbr: check that the element type matches before applying SBR
Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79a98294da6cd85f8c86b34764c5e0c43b09eea3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:26 +02:00
Michael Niedermayer
47a5cde6ac avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h
Fixes out of array access
Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb)

Conflicts:

	libavcodec/h264_slice.c
2015-08-20 14:38:26 +02:00
James Zern
c6e16ec711 vp9/update_prob: prevent out of bounds table read
the max value of the lookup in expanded form is:
(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254

add one entry of padding to inv_map_table[] to prevent out of bounds
access with non-conforming / fuzzed bitstreams

Signed-off-by: James Zern <jzern@google.com>
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:26 +02:00
Michael Niedermayer
e35c534890 avcodec/pngdec: Only allow one IHDR chunk
Multiple IHDR chunks are forbidden in PNG
Fixes inconsistency and out of array accesses

Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 47f4e2d8960ca756ca153ab8e3e93d80449b8c91)

Conflicts:

	libavcodec/pngdec.c
2015-08-20 14:38:26 +02:00
Andreas Cadhalpun
2789d15114 wmavoice: limit wmavoice_decode_packet return value to packet size
Claiming to have decoded more bytes than the packet size is wrong.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:26 +02:00
Michael Niedermayer
e588252a42 avcodec/dpxenc: implement write16/32 as functions
Fixes undefined behavior and segfault

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8edc17b639c4ac47913c467107ffb43c67c64890)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:38:25 +02:00
Andreas Cadhalpun
5302adb323 h264: er: Copy from the previous reference only if compatible
Also use the frame pixel format instead of the one from the codec
context, which is more robust.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdc64a104410f5fcc7f35b62287b0ae502b7061a)

Conflicts:

	libavcodec/h264_slice.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:29:12 +02:00
Andreas Cadhalpun
c5dd6fefd4 sonic: set avctx->channels in sonic_decode_init
Otherwise it can be 0 in sonic_decode_frame, causing SIGFPE crashes.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 58995f647b5fa2e1efa33ae4f8b8a76a81ec99df)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-08-20 14:29:12 +02:00