buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.
Since x_offset is only check against the width, this can lead to
x_offset * bpp >= image_linesize.
In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 372aa0777aaacf726de7cd7dd0e6797026a124ee)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
During the loop ret can get changed. Since it is not set on all failure
paths, decode_frame_common can return 0 even though an error occurred.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f760be4d312bb6e78f80d39b9d0062253332e08)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This check was removed in commit 08aec6f6, but
s->last_picture.f->data[0] is still used in handle_p_frame_apng
unconditionally.
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 287dbb0771d558b336e377d0594e26c0a6291755)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8)
to s->decoded[1]) and passed as out buffer to decode_array_0000.
In this function 64 elements of the out buffer are written
unconditionally and outside the array if blockstodecode is too small.
This causes memory corruption, leading to segmentation faults or other
crashes.
Thus change decode_array_0000 to write at most blockstodecode elements
of the out buffer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise range_start_decoding is not necessarily run and thus
ctx->rc.range still 0 in range_dec_normalize leading to an infinite
loop.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 464c49155ce7ffc88ed39eb2511e7a75565c24be)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If rice_limit is 0, k can be 0 in decode_scalar, which calls show_bits(gb, k).
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b657a1b1eedcf38bcf36e89a2f4be6f76b5ce09)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 58d605ee9b3277289278dc40e022311f8e083833)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b3408ae4c64cb674b1d5f0f30171759113ce722a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Thilo Borgmann <thilo.borgmann@mail.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit afc7748d1f6abc4b3b1cc957b0fa6941837db3d0)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The minimum of the ath(x, ATH_ADD) function depends on ATH_ADD.
This patch uses the first order approximation to determine it.
For ATH_ADD = 4 this results in the value at 3407.06812 (-5.24241638)
not the one at 3410 (-5.24237967).
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Approved-by: Claudio Freire <klaussfreire@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ca9849eecdf7db91d652c698018a5b096d8b78c7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If begin is smaller than t, the subtraction 'begin -= t' wraps around,
because begin is unsigned. The same applies for end < t.
This causes segmentation faults.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
avctx->bits_per_raw_sample is used in get_sbits_long, which only
supports up to 32 bits.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4c2b88678b436f59132386d9be2fc143e3ee480d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If the same idx is used for more than one i, at least one entry in
sconf->chan_pos remains uninitialized.
This can cause segmentation faults.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ef16501aebed43e34a3721336e8bee732eca2877)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes an invalid read if end is 0:
band_end = ff_ac3_bin_to_band_tab[end-1] + 1;
Depending on what is before the array, this can cause stack smashing,
when band_end becomes too large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bc4fee7f2a51635fa3c0f61d1e5164da1efeded3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If band->thr is 0.0f, the division is undefined, making norm_fac not a
number or infinity, which causes psy_band->threshold to become NaN.
This is passed on to other variables until it finally reaches
sce->sf_idx and is converted to an integer (-2147483648).
This causes a segmentation fault when it is used as array index.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Claudio Freire <klaussfreire@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e224aa41917454e7b5c23d9f2541425743ce595a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0be54ad280cf114c02306b7063147e8379f8ed1e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
ac may be NULL and then accessing ac->avctx results in a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5b75689b987e4c4dd4f34d5c8be389547e9cc701)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes segmentation faults, when pic->linesize[0] is negative.
In that case 'line * pic->linesize[0] + pixel_ptr' is treated as
unsigned and wraps around.
This reverts commit 7d78a964.
The problem was introduced in commit f7e1367f, which should obsolete
that commit.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ae6fd7300b4e9f81d3b5ba201096ffe7cccf26fb)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This more completely checks for truncation
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 32e06c485be94a4967bff87022cbb065d3cbfd0d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket4460
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e88b3852aefaa39b2170ef185ad03dda18732821)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes non deterministic crash in ticket4408/fuzz2.264
Likely fixes other samples as well
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 43b434210e597d484aef57c4139c3126d22b7e2b)
Conflicts:
libavcodec/h264.h
libavcodec/h264_slice.c
Fixes Ticket4408
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc58d5c43b4c7396fc69081eb0dfe5b6a21cb10d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This reverts commit 586ba24ff29468d2a4ee843a9650feea5b2be6f6.
Fixes Ticket 4386
Found-by: Martin Vignali <martin.vignali@gmail.com>
(cherry picked from commit 5dd5b7d5312d2b7cb6d3dbfde12f1eaef7c7767f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f7e1367f58263593e6cee3c282f7277d7ee9d553)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 06c70d45373dedc600f28e345685b130b60203c1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3bd943108d321b387f955f3ab1ece4e9977401f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket4227
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2c660e34cf3c2b77cd2bef6f292920334dfd9192)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is the remaining error, the output on the SPX samples,
respectively csi_miami_stereo_128_spx.eac3 and
csi_miami_5.1_256_spx.eac3, goes from:
stddev: 8.71 PSNR: 77.52 MAXDIFF: 235
stddev:24270.51 PSNR: 22.17 MAXDIFF:47166
to:
stddev: 0.12 PSNR:114.12 MAXDIFF: 1
stddev: 0.12 PSNR:114.73 MAXDIFF: 1
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c3339f4bd7aceebfd74deb437ba2e5c04ef3d0e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
It was set to 1 instead of sqrt(3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c4bf3833f4663fd484441907f73c5bc4700021a4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Should also improve decoding, but actually doesn't...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b0834400608b3980c06bf6d2cf747116e60d10c7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The AC3DecodeContext has a float (USE_FIXED=0) and an integer
(USE_FIXED=1) variant, both of which can be present in the same binary.
This is not only very confusing, but it also breaks horribly, when one
variant is used by code expecting the other.
This currently happens, because eac3dec.c is only compiled for the float
variant, but also used from ac3dec_fixed.c, which uses the integer
variant.
The result is memory corruption, leading to crashes.
So compile eac3dec.c once for each variant and adapt it, so that it
works with the integer variant.
A loss of precission and scaling bug has been fixed by the committer
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7b05b5093ea67a3397b0c37cf398bab471e1ce2b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also add av_cold to ff_hevcdsp_init_arm.
Signed-off-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d5addf1555024aebf13b37fbca9fb8d0f4f656ca)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 31816eae32019ff0e2243533f618efa2a4da9c33)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes: ffmpeg_012v_crash.ts
Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Reviewed-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes division by 0
Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
So far it is only set in roq_encode_frame, but it is used in
roq_encode_end to free the coded_frame. This currently segfaults if
roq_encode_frame is not called between roq_encode_init and
roq_encode_end.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
allowing access to the size but not the extradata itself is not useful
and could lead to potential problems if writing happens through this field
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This ensures that all current and future code-pathes get bpp checked
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: ffmpeg_opus_crash1.ogg
This solution is likely not optimal in terms of error concealment but
its simple and fixes the out of array access.
Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Tested-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6c583e9048fe9db2ed4d7bbc75f4f1d76e82761a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
