Fix crash when doing 8 ch conversion from apps compiled with MSVS
Thanks to Ronald for giving this hint:
https://ffmpeg.org/pipermail/ffmpeg-devel/2015-May/173049.html
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit adb7372f7495927a226edf9b8e1d0ac9453985ea)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81cf9108563510dee24f73b2c5d94a7bd07ff747)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes nothing but maybe helps coverity which does not see that this is failing later
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 65e5032955cb5022f0f39160aa3839f0799456bd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239099 part 2
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1c6ae98d4a9ff9ea607df87908393eda4ebdf4e8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239099 part 1
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3e9d5e16ad9799f6b6faae4f21120d23146b84c9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 48e9f68384a2af257b9ca7633bf14f0c2748edc6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1271794
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 93b0ee21a2f534f6d3b812686f3acde110e94f18)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239154
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8a62b80ce6c8e87e7937f9a5d68f83882c1c8da2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Since commit 676a395a aac->frame->data is not necessarily allocated at
the end of aac_decode_frame_int if avctx->channels is 0.
In this case a bogus frame without any data, but non-zero nb_samples is
returned.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec38a1ba404b8cb8d71ccee2b8dcd6f3fcbde273)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1238994
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239014
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2cddc0b19a20dd061dbf199bf88005b37c540d2f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID703652
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 171af59d58fc67d82dce8ff7ed11fa671108baa5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1041175
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1238818
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81198a68370e88f7d02f16de58db36713c2a50b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Larger packets are not supported and would cause problems later
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit acf4925f444636a828534ab47d0f86c21a7a9b4e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Since len is an unsigned int, the comparison is currently treated as
unsigned and thus ignores all errors from avio_read.
Thus cast len to int, which is unproblematic, because at that point len
is between 0 and 4.
This fixes 'Conditional jump or move depends on uninitialised value'
valgrind warnings in is_tag.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0382c94f13b4b20456b7259e90b170dc020419b8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Its currently guaranteed to be smaller but its safer to check anyway
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 66f26b3e8ec075298e7ba329a55893d085bafe96)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0db5b2b9f8a96298eeba7988d43c4eb44220fab3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 40a7700b82aec0036622f8673ce64e070a520891)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
string length could theoretically be larger than int
Reviewed-by: Clément Bœsch <u@pkh.me>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a633928d47057426a9c328da594407d1c7da8a5c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95efc651294b3cf3e5ec4b3ed36e79d7261545ff)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ae4eea8be45a0b212fd57ceaac1f11089ab81d98)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
the string length is not constrained to INT_MAX
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4c128ea1629116fc4936edc5f96bbd18f3ef1647)
Conflicts:
libavutil/dict.c
the string length is not constrained to INT_MAX
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4950bd4ebedbb6289734234bb2a719820f565c41)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 584cc1ade10a3297ef9c107ef3a2081c04024156)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
In init_planes p->xblen and p->yblen are set to:
p->xblen = s->plane[0].xblen >> s->chroma_x_shift;
p->yblen = s->plane[0].yblen >> s->chroma_y_shift;
These are later used as block_w and block_h arguments of
s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2
in emulated_edge_mc:
av_assert2(start_x < end_x && block_w > 0);
av_assert2(start_y < end_y && block_h > 0);
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
s->ref_pics[i] is later used as ref argument of interpolate_refplane,
where it is dereferenced.
If it is NULL, it causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d93181ef3eacdb862d93448f31c97765a523d1db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If bytes is large enough, bytes*8 can overflow and become negative.
In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.
This leads to a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If max in clean_index is set to a negative ast->sample_size, the
following loop never ends:
while (max < 1024)
max += max;
Thus set ast->sample_size to 0 if it would otherwise be negative.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ca234639ac49a0dc073ac1f10977979acdb94f97)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The later is not correct
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d309d309108684f742bbf5fc2393f1c519cda72)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e54540655f229d06667dc7fa7005f2a20e101e80)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d43cd6b08ed555c303478e3133717fbb2236be6e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
index_scale is set to matroska->time_scale of type uint64_t.
When index_scale is int, the assignment can overflow and e.g. result
in index_scale = 0. This causes a floating point exception due to the
division by index_scale.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eb9fb508b0e09d85d234fe694333b2005e1d7a7e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.
Since x_offset is only check against the width, this can lead to
x_offset * bpp >= image_linesize.
In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 372aa0777aaacf726de7cd7dd0e6797026a124ee)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
During the loop ret can get changed. Since it is not set on all failure
paths, decode_frame_common can return 0 even though an error occurred.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f760be4d312bb6e78f80d39b9d0062253332e08)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This check was removed in commit 08aec6f6, but
s->last_picture.f->data[0] is still used in handle_p_frame_apng
unconditionally.
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 287dbb0771d558b336e377d0594e26c0a6291755)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 042260cde4ecf716438c5fc92d15ad5f037ee2e1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
And notify why the capture is impossible.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit e8c4db0d4d07738fed716b1d2f20c85aac944641)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The image decoding code does expect the image to be decoded immedeatly
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d2184bf3b65354e44c177e226a6c59c5d6fdbad4)
Conflicts:
libavfilter/lavfutils.c
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault when accessing the metadata.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A negative frame rate triggers an av_assert2 in av_rescale_rnd.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6621105877ce0d65724a8ab60b3a50160adbe65d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e2877bdf3862325c2982c3237d9bf28f1bbf793f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
