This is required by the APNG spec
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a1736926e9ae51706b537776722e816a4d1f6b36)
Conflicts:
libavcodec/pngdec.c
Multiple IHDR chunks are forbidden in PNG
Fixes inconsistency and out of array accesses
Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 47f4e2d8960ca756ca153ab8e3e93d80449b8c91)
Conflicts:
libavcodec/pngdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Claiming to have decoded more bytes than the packet size is wrong.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes undefined behavior and segfault
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8edc17b639c4ac47913c467107ffb43c67c64890)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also use the frame pixel format instead of the one from the codec
context, which is more robust.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdc64a104410f5fcc7f35b62287b0ae502b7061a)
Conflicts:
libavcodec/h264_slice.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise it can be 0 in sonic_decode_frame, causing SIGFPE crashes.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 58995f647b5fa2e1efa33ae4f8b8a76a81ec99df)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6fdbaa2b7fb56623ab2163f861952bc1408c39b3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the check 'tile_size < size' treats a negative size as
unsigned, causing the check to pass. This subsequently leads to
segmentation faults.
This was originally fixed as part of Libav commit 72ca83, so the
original author is one of the following developers:
Anton Khirnov <anton@khirnov.net>
Diego Biurrun <diego@biurrun.de>
Luca Barbato <lu_zero@gentoo.org>
Martin Storsjö <martin@martin.st>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b18eac7ff22332c9344769af15f7b245dd13cc64)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libopenjpeg can return images with components without data.
This fixes segmentation faults.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3ef5702926c495232ffe685303ba8661bdff1149)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If chan2 is not smaller than the number of channels, it can cause
segmentation faults due to dereferencing a NULL pointer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05c57ba2f42324da2fdc93d83d65bb68dd637613)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The AVFrame values are closer to the AVFrame bitmap changed instead of
the AVCodecContext values, so this should be more robust
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aef0e0f009802f1a5e21eb6465498632071e4475)
Conflicts:
libavcodec/h264_slice.c
This avoid potential out of array accesses
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12ba1b2b4d5592c0e27b0fcc83db929e8d6a8eee)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c803ed9cb23e5a8d76b6c31d8a8c71cac27e769)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c2657633187e325a439e3297fd9ccd0522ab2e39)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6b6ae7c3ead5dee786a4aea929820076a7c82da4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If opj_image_create fails to allocate an image it returns NULL, which
causes a segmentation fault at 'img->x0 = 0'.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1577526b47439f33a999339efdec5d624b70e1da)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 291ad5cc9cf815eb110b062487980fab2d107936)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f5ffed183e099128a732a00976f69fdc641d093)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 561d3a57aaa95c7e8e65e96b36dd069100603650)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e4c2ec879b1121c02279cd60a54643da0d249e40)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Various header informations need to be reset when decoding next frame.
Regression since: 95582b5c
Fixes ticket #4597.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit a03b69478b7f1c0c31e53acb0cf392917c0f967a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c720b9ce9850710e74a103d9626869e397a89faa)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3051e7fa712dfe2136f19b7157211453895f2a3c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1257799
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c64b2d480b4a35d4face9928b4265a0fda3f3dd9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1297594 part 1
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0f3e6959bfa67d12cd5a173b86eb15abd7d9e4d5)
Conflicts:
libavcodec/dcadec.c
Fixes CID1271783
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ade8a46154cb45c88b1cb5c616eaa6320c941187)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c131a9fead5bf63215b6e1172b3c5c183cf90b85)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1271810
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cdd25f9a3df3905543a5546cf6076d2eaf895736)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239055
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 294469416d8193a28710d802bb0c46e5fa09fad7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1210526
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d201becfc0d89c6a5dfe44e96f1044fbc2aadb70)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2d15588124ab1d4c0612cab66f02a716f1509211)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c4c6aea397f62421bf8ef0449b2b465a53e4ab4d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes: CID1239152
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a9bf628bfdad142763880a3d1ccb6058040dda57)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239110
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a6a45774d045007f8262cd7c614804390e53122e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Personally, I need the decoder to back out if get_format() returns no
usable pixel format. This didn't work because the error code was not
propagated down the call chain. This in turn happened because the
variable declaration removed in this patch shadowed the variable, whose
value is returned at the end of the function. Consequently, failures of
decode_nal_unit() were ignored in this place.
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc5e4bb48476a89cc8ce0c41bc2bd2e8fda9b37c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 139e1c8009df7729a53eaaae7036ca01071aced5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239106
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 22f15f5735389e992ec9aed43b0680e75746b3a1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids potential accesses over the end
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 93cfa7d1692c25cff045f99ba1af2c9e5772c45e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81cf9108563510dee24f73b2c5d94a7bd07ff747)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes nothing but maybe helps coverity which does not see that this is failing later
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 65e5032955cb5022f0f39160aa3839f0799456bd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
