Update for 0.7.13

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Merge branch 'release/0.8' into release/0.7
2012-06-09 21:17:02 +02:00 · 2012-06-09 21:13:58 +02:00 · 2012-06-09 21:09:06 +02:00 · 2012-06-09 21:08:21 +02:00 · 2012-06-09 21:08:13 +02:00 · 2012-06-09 21:07:53 +02:00
33 changed files with 175 additions and 43 deletions
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.7.12
+PROJECT_NUMBER         = 0.7.13

 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.12
+0.7.13
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.12
+0.7.13
--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -44,7 +44,7 @@ typedef struct EightSvxContext {
    /* buffer used to store the whole audio decoded/interleaved chunk,
     * which is sent with the first packet */
    uint8_t *samples;
-    size_t samples_size;
+    int64_t samples_size;
    int samples_idx;
 } EightSvxContext;

--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1183,14 +1183,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
 {
    int i, n;
    const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
+    const int step = 128 >> div;
    float *v;
    for (i = 0; i < 32; i++) {
-        if (*v_off < 128 >> div) {
+        if (*v_off < step) {
            int saved_samples = (1280 - 128) >> div;
            memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
-            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
        } else {
-            *v_off -= 128 >> div;
+            *v_off -= step;
        }
        v = v0 + *v_off;
        if (div) {
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -778,9 +778,13 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
 static av_cold int adpcm_decode_init(AVCodecContext * avctx)
 {
    ADPCMContext *c = avctx->priv_data;
+    unsigned int min_channels = 1;
    unsigned int max_channels = 2;

    switch(avctx->codec->id) {
+    case CODEC_ID_ADPCM_EA:
+        min_channels = 2;
+        break;
    case CODEC_ID_ADPCM_EA_R1:
    case CODEC_ID_ADPCM_EA_R2:
    case CODEC_ID_ADPCM_EA_R3:
@@ -788,8 +792,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
        max_channels = 6;
        break;
    }
-    if(avctx->channels > max_channels){
-        return -1;
+
+    if (avctx->channels < min_channels || avctx->channels > max_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR(EINVAL);
    }

    switch(avctx->codec->id) {
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
        frame_len_bits = 11;
    }

-    if (avctx->channels > MAX_CHANNELS) {
-        av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
-        return -1;
+    if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
    }

    if (avctx->extradata && avctx->extradata_size > 0)
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
        return AVERROR(EINVAL);
    }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }

    ret = avctx->reget_buffer(avctx, &cc->frame);
    if (ret) {
--- a/libavcodec/celp_filters.c
+++ b/libavcodec/celp_filters.c
@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
        out2 -= val * old_out2;
        out3 -= val * old_out3;

-        old_out3 = out[-5];
-
        for (i = 5; i <= filter_length; i += 2) {
+            old_out3 = out[-i];
            val = filter_coeffs[i-1];

            out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,

            FFSWAP(float, old_out0, old_out2);
            old_out1 = old_out3;
-            old_out3 = out[-i-2];
        }

        tmp0 = out0;
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    int in, out = 0;
    int predictor[2];
    int channel_number = 0;
+    int stereo = s->channels - 1;
    short *output_samples = data;
    int shift[2];
    unsigned char byte;
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    if (!buf_size)
        return 0;

+    if (stereo && (buf_size & 1))
+        buf_size--;
+
    // almost every DPCM variant expands one byte of data into two
    if(*data_size/2 < buf_size)
        return -1;
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    }

    *data_size = out * sizeof(short);
-    return buf_size;
+    return avpkt->size;
 }

 #define DPCM_DECODER(id, name, long_name_)      \
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
 {
    int n;
    s->dsp.clear_blocks(block[0]);
    for (n=0; n<6; n++)
-        ff_mpeg1_decode_block_intra(s, block[n], n);
+        if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+            return -1;
+
+    return 0;
 }

 static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
@@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx,
    for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
    for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
    {
-        tqi_decode_mb(s, t->block);
+        if (tqi_decode_mb(s, t->block) < 0)
+            break;
        tqi_idct_put(t, t->block);
    }

--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -438,6 +438,13 @@ retry:
    if (ret < 0){
        av_log(s->avctx, AV_LOG_ERROR, "header damaged\n");
        return -1;
+    } else if ((s->width  != avctx->coded_width  ||
+                s->height != avctx->coded_height ||
+                (s->width  + 15) >> 4 != s->mb_width ||
+                (s->height + 15) >> 4 != s->mb_height) &&
+               (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) {
+        av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+        return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
    }

    avctx->has_b_frames= !s->low_delay;
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2620,9 +2620,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    if (s->context_initialized
        && (   s->width != s->avctx->width || s->height != s->avctx->height
            || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
-        if(h != h0) {
+        if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
            av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
+            return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
        }
        free_tables(h, 0);
        flush_dpb(s->avctx);
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -345,9 +345,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
        if (sps->chroma_format_idc > 3U) {
            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
            goto fail;
-        }
-        if(sps->chroma_format_idc == 3)
+        } else if(sps->chroma_format_idc == 3) {
            sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
        sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
        sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
        if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
@@ -490,6 +490,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    if(pps_id >= MAX_PPS_COUNT) {
        av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
        return -1;
+    } else if (h->sps.bit_depth_luma > 10) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+        return AVERROR_PATCHWELCOME;
    }

    pps= av_mallocz(sizeof(PPS));
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -176,7 +176,13 @@ static int extract_header(AVCodecContext *const avctx,
    const uint8_t *buf;
    unsigned buf_size;
    IffContext *s = avctx->priv_data;
-    int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+    int palette_size;
+
+    if (avctx->extradata_size < 2) {
+        av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
+        return AVERROR_INVALIDDATA;
+    }
+    palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);

    if (avpkt) {
        int image_size;
@@ -192,8 +198,6 @@ static int extract_header(AVCodecContext *const avctx,
            return AVERROR_INVALIDDATA;
        }
    } else {
-        if (avctx->extradata_size < 2)
-            return AVERROR_INVALIDDATA;
        buf = avctx->extradata;
        buf_size = bytestream_get_be16(&buf);
        if (buf_size <= 1 || palette_size < 0) {
@@ -281,7 +285,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
    int err;

    if (avctx->bits_per_coded_sample <= 8) {
-        int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+        int palette_size;
+
+        if (avctx->extradata_size >= 2)
+            palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+        else
+            palette_size = 0;
        avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) ||
                         (avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8;
    } else if (avctx->bits_per_coded_sample <= 32) {
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -219,6 +219,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx)
            }

            if (band->blk_size == 8) {
+                if(quant_mat >= 5){
+                    av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+                    return -1;
+                }
                band->intra_base  = &ivi5_base_quant_8x8_intra[quant_mat][0];
                band->inter_base  = &ivi5_base_quant_8x8_inter[quant_mat][0];
                band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];
--- a/libavcodec/intelh263dec.c
+++ b/libavcodec/intelh263dec.c
@@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s)
        }
        if(get_bits(&s->gb, 2))
            av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
-        s->loop_filter = get_bits1(&s->gb);
+        s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;
        if(get_bits1(&s->gb))
            av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
        if(get_bits1(&s->gb))
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -961,6 +961,8 @@ int h263_decode_picture_header(MpegEncContext *s)
            s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */
            s->loop_filter= get_bits1(&s->gb);
            s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter;
+            if(s->avctx->lowres)
+                s->loop_filter = 0;

            s->h263_slice_structured= get_bits1(&s->gb);
            if (get_bits1(&s->gb) != 0) {
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx,
    buf += 5;

    if (video_size) {
+        if(video_size < 0) {
+            av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
+            return AVERROR_INVALIDDATA;
+        }
        if (avctx->reget_buffer(avctx, &s->frame) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return -1;
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE  0x40
 #define KMVC_METHOD   0x0F
+#define MAX_PALSIZE   256

 /*
 * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {

    int setpal;
    int palsize;
-    uint32_t pal[256];
+    uint32_t pal[MAX_PALSIZE];
    uint8_t *cur, *prev;
    uint8_t *frm0, *frm1;
 } KmvcContext;
@@ -415,6 +416,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
        c->palsize = 127;
    } else {
        c->palsize = AV_RL16(avctx->extradata + 10);
+        if (c->palsize >= MAX_PALSIZE) {
+            av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+            return AVERROR_INVALIDDATA;
+        }
    }

    if (avctx->extradata_size == 1036) {        // palette in extradata
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx)
    int w4 = (avctx->width  + 3) & ~3;
    int h4 = (avctx->height + 3) & ~3;

+    if(avctx->extradata_size < 2){
+        av_log(avctx, AV_LOG_ERROR, "extradata too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    motionpixels_tableinit();
    mp->avctx = avctx;
    dsputil_init(&mp->dsp, avctx);
@@ -191,10 +196,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
            p = mp_get_yuv_from_rgb(mp, x - 1, y);
        } else {
            p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
            if ((x & 3) == 0) {
                if ((y & 3) == 0) {
                    p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                    p.v = av_clip(p.v, -32, 31);
                    p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                    p.u = av_clip(p.u, -32, 31);
                    mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
                } else {
                    p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -218,9 +226,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
            p = mp_get_yuv_from_rgb(mp, 0, y);
        } else {
            p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
            if ((y & 3) == 0) {
                p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                p.v = av_clip(p.v, -32, 31);
                p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                p.u = av_clip(p.u, -32, 31);
            }
            mp->vpt[y] = p;
            mp_set_rgb_from_yuv(mp, 0, y, &p);
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
    c->frames = 1 << (get_bits(&gb, 3) * 2);

    avctx->sample_fmt = AV_SAMPLE_FMT_S16;
-    avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+    avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+    avctx->channels = channels;

    if(vlc_initialized) return 0;
    av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n");
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -469,11 +469,12 @@ static int decode_frame(AVCodecContext *avctx,
                    avctx->pix_fmt = PIX_FMT_RGB48BE;
                } else if (s->bit_depth == 1) {
                    avctx->pix_fmt = PIX_FMT_MONOBLACK;
-                } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+                } else if (s->bit_depth == 8 &&
+                           s->color_type == PNG_COLOR_TYPE_PALETTE) {
                    avctx->pix_fmt = PIX_FMT_PAL8;
                } else if (s->bit_depth == 8 &&
                           s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
-                    avctx->pix_fmt = PIX_FMT_GRAY8A;
+                    avctx->pix_fmt = PIX_FMT_Y400A;
                } else {
                    goto fail;
                }
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -881,9 +881,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                        break;

                    case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+                            if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+                                samples[0] = type30_dequant[index];
+                            } else
+                                samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
+                        } else
                            samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);

                        run = 1;
@@ -897,8 +901,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                                type34_predictor = samples[0];
                                type34_first = 0;
                            } else {
-                                samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
-                                type34_predictor = samples[0];
+                                unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+                                if (index < FF_ARRAY_ELEMS(type34_delta)) {
+                                    samples[0] = type34_delta[index] / type34_div + type34_predictor;
+                                    type34_predictor = samples[0];
+                                } else
+                                    samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
                            }
                        } else {
                            samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -520,6 +520,10 @@ hres,vres,i,i%vres (0 < i < 4)
 }

 #define APPLY_C_PREDICTOR() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->c_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
@@ -537,6 +541,10 @@ hres,vres,i,i%vres (0 < i < 4)
        index++;

 #define APPLY_C_PREDICTOR_24() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->c_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
@@ -555,6 +563,10 @@ hres,vres,i,i%vres (0 < i < 4)


 #define APPLY_Y_PREDICTOR() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->y_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
@@ -572,6 +584,10 @@ hres,vres,i,i%vres (0 < i < 4)
        index++;

 #define APPLY_Y_PREDICTOR_24() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->y_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -159,6 +159,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
        return -1;
    }

+    if (s->width  & (s->vector_width  - 1) ||
+        s->height & (s->vector_height - 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    /* allocate codebooks */
    s->codebook_size = MAX_CODEBOOK_SIZE;
    s->codebook = av_malloc(s->codebook_size);
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx,
    int prev_y = 0, prev_u = 0, prev_v = 0;
    uint8_t *rbuf;

+    if(buf_size<=8) {
+        av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
+        return AVERROR_INVALIDDATA;
+    }
+
    rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
    if(!rbuf){
        av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -511,6 +511,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
            int i;
            tag  = bytestream_get_le32(&buf);
            size = bytestream_get_be32(&buf);
+            if(size < 0) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size);
+                return AVERROR_INVALIDDATA;
+            }
            size = FFMIN(size, buf_end - buf);
            switch (tag) {
            case PALT_TAG:
--- a/libavcodec/yop.c
+++ b/libavcodec/yop.c
@@ -90,6 +90,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx)
        return -1;
    }

+    if (!avctx->extradata) {
+        av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    avctx->pix_fmt = PIX_FMT_PAL8;

    avcodec_get_frame_defaults(&s->frame);
@@ -200,6 +205,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    if (s->frame.data[0])
        avctx->release_buffer(avctx, &s->frame);

+    if (avpkt->size < 4 + 3*s->num_pal_colors) {
+        av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size);
+        return AVERROR_INVALIDDATA;
+    }
+
    ret = avctx->get_buffer(avctx, &s->frame);
    if (ret < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
@@ -215,6 +225,10 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    s->low_nibble = NULL;

    is_odd_frame = avpkt->data[0];
+    if(is_odd_frame>1){
+        av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame);
+        return AVERROR_INVALIDDATA;
+    }
    firstcolor   = s->first_color[is_odd_frame];
    palette      = (uint32_t *)s->frame.data[1];

--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -195,6 +195,11 @@ static int fourxm_read_header(AVFormatContext *s,
                ret= -1;
                goto fail;
            }
+            if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){
+                av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n");
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
            i += 8 + size;

            /* allocate a new AVStream */
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -274,6 +274,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
            return AVERROR(ENOMEM);
        for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
            ape->seektable[i] = avio_rl32(pb);
+    }else{
+        av_log(s, AV_LOG_ERROR, "Missing seektable\n");
+        return -1;
    }

    ape->frames[0].pos     = ape->firstframe;
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -470,12 +470,17 @@ static int ea_read_packet(AVFormatContext *s,

    while (!packet_read) {
        chunk_type = avio_rl32(pb);
-        chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+        chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+        if (chunk_size <= 8)
+            return AVERROR_INVALIDDATA;
+        chunk_size -= 8;

        switch (chunk_type) {
        /* audio data */
        case ISNh_TAG:
            /* header chunk also contains data; skip over the header portion*/
+            if (chunk_size < 32)
+                return AVERROR_INVALIDDATA;
            avio_skip(pb, 32);
            chunk_size -= 32;
        case ISNd_TAG:
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,14 +233,16 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,

                int cur_len = start_off + len_off - off;
                int prev_len = out_len;
-                void *newbuf;
+                void *newmem;
+
                out_len += cur_len;
-                if(FFMIN(cur_len, len - off)<0)
+
+                if (FFMIN(cur_len, len - off) < 0)
                    return -1;
-                newbuf = av_realloc(asf->buf, out_len);
-                if(!newbuf)
+                newmem = av_realloc(asf->buf, out_len);
+                if (!newmem)
                    return -1;
-                asf->buf= newbuf;
+                asf->buf = newmem;
                memcpy(asf->buf + prev_len, buf + off,
                       FFMIN(cur_len, len - off));
                avio_skip(pb, cur_len);
Author	SHA1	Message	Date
Michael Niedermayer	84ffe14e2a	Update for 0.7.13 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:17:02 +02:00
Michael Niedermayer	796039ad38	Merge branch 'release/0.8' into release/0.7 * release/0.8: Update for 0.8.12 mpc8: fix channel checks h263: disable loop filter with lowres wmv1: check that the input buffer is large enough yopdec: check frame oddness to be within supported limits yopdec: check that palette fits in the packet 8svx: fix crash binkaudio: check number of channels indeo5: check quant_mat truemotion1: Check index, fix out of array read iff: check if there is extradata ape: Fix null ptr dereference with files missing a seekatable. 4xm: fix division by zero caused by bps<8 jvdec: check videosize motionpixels: check extradata size iff_ilbm: fix null ptr deref yop: check for missing extradata xan: fix out of array read cdgraphics: Fix out of array write Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:13:58 +02:00
Michael Niedermayer	858c3158b5	Update for 0.8.12 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:09:06 +02:00
Michael Niedermayer	5e87fa347c	mpc8: fix channel checks fix heap array overflow Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `44c10168cf`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:08:21 +02:00
Michael Niedermayer	6a441ee78e	h263: disable loop filter with lowres Fixes ticket1212 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `cc229d4e83`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:08:13 +02:00
Michael Niedermayer	316589e1db	wmv1: check that the input buffer is large enough Fixes null ptr deref Fixes Ticket1367 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `f23a2418fb`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:53 +02:00
Michael Niedermayer	35bf5f7966	yopdec: check frame oddness to be within supported limits Fixes Ticket1365 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `febc013dc5`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:49 +02:00
Michael Niedermayer	89409be50c	yopdec: check that palette fits in the packet Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `b6fdf8dea7`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:43 +02:00
Michael Niedermayer	a4bf9033c3	8svx: fix crash Fixes Ticket1377 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `03ce421c13`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:37 +02:00
Paul B Mahol	8502b4aef6	binkaudio: check number of channels Fixes #1380. Signed-off-by: Paul B Mahol <onemda@gmail.com> (cherry picked from commit `824a6975ee`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:22 +02:00
Michael Niedermayer	03e404740e	indeo5: check quant_mat prevents out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `8aaa00c301`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:17 +02:00
Michael Niedermayer	688da036b1	truemotion1: Check index, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `fd4c1c0b70`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:12 +02:00
Paul B Mahol	c761e144f6	iff: check if there is extradata Fixes #1368. Signed-off-by: Paul B Mahol <onemda@gmail.com> (cherry picked from commit `8f61526978`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:07:05 +02:00
Michael Niedermayer	b3e5c8de6a	ape: Fix null ptr dereference with files missing a seekatable. Such files are currently not supported as the table is used at several points Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `e7cb161515`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:57 +02:00
Michael Niedermayer	ee6c1670df	4xm: fix division by zero caused by bps<8 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `1b8741a684`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:52 +02:00
Michael Niedermayer	9e4a68a76c	jvdec: check videosize Fixes null ptr dereference fixes Ticket1364 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `b4904e804d`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:47 +02:00
Michael Niedermayer	25594f0018	motionpixels: check extradata size Fixes null ptr derefernce Fixes Ticket1363 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `50122084a6`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:41 +02:00
Michael Niedermayer	a85c3fff37	iff_ilbm: fix null ptr deref Fixes Ticket1362 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `849d4b0413`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:35 +02:00
Michael Niedermayer	0f5840b51a	yop: check for missing extradata Fixes null ptr deref Fixes Ticket1361 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `77a4c8b959`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:29 +02:00
Michael Niedermayer	1285fe5530	xan: fix out of array read Fixes ticket1360 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `01900fcc45`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:22 +02:00
Michael Niedermayer	0aefcb6aa8	cdgraphics: Fix out of array write Fixes Ticket1359 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `1e5c7376c4`) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-09 21:06:12 +02:00
Michael Niedermayer	a56b07b5dc	Merge branch 'release/0.8' into release/0.7 * release/0.8: Update RELEASE file for 0.7.6 Update changelog for 0.7.6 release ea: check chunk_size for validity. png: check bit depth for PAL8/Y400A pixel formats. x86: fix build with gcc 4.7 qdm2: clip array indices returned by qdm2_get_vlc(). kmvc: Check palsize. aacsbr: prevent out of bounds memcpy(). rtpdec_asf: Fix integer underflow that could allow remote code execution dpcm: ignore extra unpaired bytes in stereo streams. tqi: Pass errors from the MB decoder h264: Add check for invalid chroma_format_idc adpcm: ADPCM Electronic Arts has always two channels h263dec: Disallow width/height changing with frame threads. vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. Update for 0.8.11 Conflicts: Doxyfile RELEASE VERSION Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-04 13:12:41 +02:00
Michael Niedermayer	64bc5f3bf7	Merge remote-tracking branch 'qatar/release/0.7' into release/0.8 * qatar/release/0.7: Update RELEASE file for 0.7.6 Update changelog for 0.7.6 release ea: check chunk_size for validity. png: check bit depth for PAL8/Y400A pixel formats. x86: fix build with gcc 4.7 qdm2: clip array indices returned by qdm2_get_vlc(). kmvc: Check palsize. aacsbr: prevent out of bounds memcpy(). rtpdec_asf: Fix integer underflow that could allow remote code execution dpcm: ignore extra unpaired bytes in stereo streams. tqi: Pass errors from the MB decoder h264: Add check for invalid chroma_format_idc adpcm: ADPCM Electronic Arts has always two channels h263dec: Disallow width/height changing with frame threads. vqavideo: return error if image size is not a multiple of block size celp filters: Do not read earlier than the start of the 'out' vector. motionpixels: Clip YUV values after applying a gradient. h263: more strictly forbid frame size changes with frame-mt. h264: additional protection against unsupported size/bitdepth changes. Conflicts: Changelog RELEASE libavcodec/aacsbr.c libavcodec/h264_ps.c libavcodec/pngdec.c libavformat/rtpdec_asf.c Merged-by: Michael Niedermayer <michaelni@gmx.at>	2012-06-04 13:05:25 +02:00
Reinhard Tartler	b61e311b0e	Update RELEASE file for 0.7.6	2012-06-03 19:22:20 +02:00
Reinhard Tartler	ee66a7198e	Update changelog for 0.7.6 release	2012-06-03 19:22:09 +02:00
Ronald S. Bultje	50336dc4f1	ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `273e6af47b`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-06-03 19:16:37 +02:00
Ronald S. Bultje	269dbc5359	png: check bit depth for PAL8/Y400A pixel formats. Wrong bit depth can lead to invalid rowsize values, which crashes the decoder further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `d2205d6543`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-06-03 19:16:37 +02:00
Mans Rullgard	850298ef25	x86: fix build with gcc 4.7 The upcoming gcc 4.7 has more advanced constant propagation resulting some inline asm operands becoming constants and thus emitted as literals, sometimes in contexts where this results in invalid instructions. This patch changes the constraints of the relevant operands to "rm" thus forcing a valid type. While obviously suboptimal, this is what older gcc versions already did, and there is no change to the code generated with these. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit `da4c7cce21`) Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>	2012-06-02 19:22:50 -04:00
Ronald S. Bultje	628b82294a	qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit `64953f67f9`) Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com> Conflicts: libavcodec/qdm2.c	2012-06-02 19:22:43 -04:00
Alex Converse	75d8cccf0e	kmvc: Check palsize. Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer (cherry picked from commit `386741f887`) (cherry picked from commit `416849f2e0`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-29 15:40:57 +02:00
Alex Converse	d87997b56f	aacsbr: prevent out of bounds memcpy(). Fixes Libav Bug 195. Fixes CVE-2012-0850 This doesn't make the code handle sample rate or upsample/downsample change properly but this is still a good sanity check. Based on change by Michael Niedermayer. Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit `17ce52912f`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-28 20:55:34 +02:00
Michael Niedermayer	b15e85d820	rtpdec_asf: Fix integer underflow that could allow remote code execution Fixes MSVR-11-0088 Fixes CVE-2011-4031 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit `5ea091fb5a`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-28 20:55:34 +02:00
Alex Converse	654b24f68a	dpcm: ignore extra unpaired bytes in stereo streams. Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `ce7aee9b73`) (cherry picked from commit `eaeaeb265f`) Conflicts: libavcodec/dpcm.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-28 20:55:34 +02:00
Michael Niedermayer	2f2fd8c6d1	tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `f85334f58e`) (cherry picked from commit `90290a5150`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `5872580e65`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-23 20:44:57 +02:00
Alexander Strange	c5f7c755cf	h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit `6ef4063957`) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `4713234518`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-23 20:44:45 +02:00
Janne Grunau	b581580bd1	adpcm: ADPCM Electronic Arts has always two channels Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Adresses CVE-2012-0852 (cherry picked from commit `bb5b3940b0`) Conflicts: libavcodec/adpcm.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-23 15:05:27 +02:00
Michael Niedermayer	3313f31f01	h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit `71db86d53b`) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse <alex.converse@gmail.com> Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `4be63587e1`) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-22 22:19:41 +02:00
Mans Rullgard	c71c77e56f	vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit `58b2e0f0f2`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `d5207e2af8`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-06 21:40:58 +02:00
Alex Converse	08c81f7365	celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit `37ddd38332`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `9ea94c44b1`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-06 21:40:58 +02:00
Alex Converse	50073e2395	motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit `b5da848fac`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `aaa6a66677`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-06 21:40:58 +02:00
Ronald S. Bultje	3fc967f6c7	h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit `2d22d4307d`) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `7fe4c8cb76`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-06 21:40:58 +02:00
Ronald S. Bultje	26ac878cc2	h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit `732f9fcfe5`) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit `746f1594d7`) Signed-off-by: Reinhard Tartler <siretart@tauware.de>	2012-05-06 21:40:58 +02:00
Michael Niedermayer	4169912f39	Update for 0.8.11 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>	2012-04-09 18:50:08 +02:00
@@ -1 +1 @@
 .7.12
 .7.13