Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c6beaed9210f01290e5a5a4e377f93f145172cc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
There can be other headers than "Content-Type:" (in this case, a
"Content-Length:" header was following), so checking for a trailing
newline is wrong.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf51fcd304d5594a4d8eed2bedf0ef0f68fa65f8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If bit_rate is negative, it can trigger an av_assert2 in av_rescale_rnd.
Since av_rescale returns int64_t, but st->codec_bit_rate is int, it can
also overflow into a negative value.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eec40b713eee84e2aec8af35ccce059817cad2a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 64815d1f0c782a632447806e40d9c7ee71f31b92)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 15629129dde771446a005282ee33c4ea1199e696)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If init_get_bits fails the GetBitContext is invalid and must not be
used. Check the return value in dirac_header and propogate the error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4f5c2e651a95b950f6a3fb36f2342cbc32515f17)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
And default to 8000 if it is invalid.
An invalid sample rate can trigger av_assert2 in av_rescale_rnd.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5b76c82fd7a5f4f36bb901b8c43d7f7319599599)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
In the TTA extradata re-construction the values are written with
avio_wl16 and if they don't fit into uint16_t, this triggers an
av_assert2 in avio_w8.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the loop can take a lot of time if num_descr is very large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5718863da99b54b6c853d45c84871c4a96a57c0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780c833ef55815111d4771b95ff78567cdb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc55477a64cefebf8dcc611f026be71382814ae2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This was simply wrong
Found-by: Martin Storsjö
This reverts commit 5d8e4f6da03c0342157e6ac7fab1a8ac3a87a8b0.
(cherry picked from commit 3e34b7498f14c04baadde1700a6f73a7e9e86fa6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is the maximum rate possible based on the frame size limit of MXF D-10
Previous version reviewed by tim nicholson <nichot20@yahoo.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d7a762553c6f6c422adb6632354bcc4ff577b701)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 40a3e1e9c54997e4dfc7802b5a758b68ceb64982)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes DTS detection of b2429e5ba9.dts
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9f5769437aaab30a359cde254f39d9a28b1ce657)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Instead print an error and continue
Fixes Ticket4702
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69)
These loops can take a lot of time if count is very large.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This can unnecessarily waste a lot of time.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fa7dec8cb00d2d0dd96ff9863ccda38428610a21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
nut->last_syncpoint_pos doesn't necessarily change between resync
attempts, so find_any_startcode can return the same startcode again.
Thus remember where the last resync happened and don't try to resync
before that.
This can't be done locally in nut_read_packet, because this wouldn't
prevent infinite resync loops, where after the resync a packet is
returned and while reading a following packet the resync happens again.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 37e679881d364b6da817d829d35869d657218ab3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents read of uninitialized variable
Based on patch by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ebb0ca3d70465ab6d369a66b2ef43bb059705db8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b3496b4a33e806b7afdcbbf6f468b0332b676d7c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6bbb2f8f4da67af374d62403742482cc5962aa21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 361702660d2c37a63b7d6381d39e1e1de8405260)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes the calculation of the number of needed blocks to make
sure that ALL pixels are represented by the result.
Reviewed-by: Thomas Volkert <silvo@gmx.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7f64a7503b19b39f1251e4380987034c569bebf5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b851bc20c6931c084710e69f7eec30d8c1bdb68e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes (harmless) use of uninitialized variable
Found-by: jamrial
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6ad42b3e15478284321dd285acaf189a16590854)
Conflicts:
libavformat/mp3dec.c
Fixes Ticket4557
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 50393bce31a5618f5125aaaf97bb69886fc4261d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9e4f0cfc8ff4ab635ea12bdbd8d85d8bb1ba25f9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1238994
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1239014
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2cddc0b19a20dd061dbf199bf88005b37c540d2f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID703652
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 171af59d58fc67d82dce8ff7ed11fa671108baa5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1041175
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1238818
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81198a68370e88f7d02f16de58db36713c2a50b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Larger packets are not supported and would cause problems later
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Since len is an unsigned int, the comparison is currently treated as
unsigned and thus ignores all errors from avio_read.
Thus cast len to int, which is unproblematic, because at that point len
is between 0 and 4.
This fixes 'Conditional jump or move depends on uninitialised value'
valgrind warnings in is_tag.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0382c94f13b4b20456b7259e90b170dc020419b8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Its currently guaranteed to be smaller but its safer to check anyway
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 66f26b3e8ec075298e7ba329a55893d085bafe96)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0db5b2b9f8a96298eeba7988d43c4eb44220fab3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 40a7700b82aec0036622f8673ce64e070a520891)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
string length could theoretically be larger than int
Reviewed-by: Clément Bœsch <u@pkh.me>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a633928d47057426a9c328da594407d1c7da8a5c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95efc651294b3cf3e5ec4b3ed36e79d7261545ff)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If max in clean_index is set to a negative ast->sample_size, the
following loop never ends:
while (max < 1024)
max += max;
Thus set ast->sample_size to 0 if it would otherwise be negative.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ca234639ac49a0dc073ac1f10977979acdb94f97)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The later is not correct
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d309d309108684f742bbf5fc2393f1c519cda72)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e54540655f229d06667dc7fa7005f2a20e101e80)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
index_scale is set to matroska->time_scale of type uint64_t.
When index_scale is int, the assignment can overflow and e.g. result
in index_scale = 0. This causes a floating point exception due to the
division by index_scale.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eb9fb508b0e09d85d234fe694333b2005e1d7a7e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault when accessing the metadata.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
