Ronald S. Bultje [Wed, 7 Mar 2012 00:08:10 +0000 (16:08 -0800)]
raw: move buffer size check up.
This way, it protects against overreads for 4bpp/2bpp content also.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cc5dd632cecc5114717d0b90f8c2be162b1c6ee8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 02:11:59 +0000 (18:11 -0800)]
dca: prevent accessing static arrays with invalid indexes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e6ffd997cbc06426e75d3fa291b991866c84a79b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 7 Mar 2012 04:08:17 +0000 (20:08 -0800)]
lpcm: fix sample size calculation for 20bit LPCM.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f1320dc3bed281bb2f3c5531c52b6a6246e2394a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 7 Mar 2012 01:24:20 +0000 (17:24 -0800)]
smacker: error out if palette copy-with-offset overruns palette size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Tue, 6 Mar 2012 00:01:19 +0000 (16:01 -0800)]
Don't use ff_cropTbl[] for IDCT.
Results of IDCT can by far outreach the range of ff_cropTbl[], leading
to overreads and potentially crashes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c23acbaed40101c677dfcfbbfe0d2c230a8e8f44)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Mon, 5 Mar 2012 20:26:42 +0000 (12:26 -0800)]
swscale: make filterPos 32bit.
Fixes overflows for large image sizes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2254b559cbcfc0418135f09add37c0a5866b1981)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Tue, 6 Mar 2012 18:27:05 +0000 (10:27 -0800)]
error_resilience: initialize s->block_index[].
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6193ff68549ecbaf1a4d63a0e06964ec580ac620)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Tue, 6 Mar 2012 01:03:32 +0000 (17:03 -0800)]
svq3: protect against negative quantizers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 11b940a1a8e7e5d5b212935a3ce78aeda577f5f2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Reinhard Tartler [Mon, 5 Mar 2012 19:40:37 +0000 (20:40 +0100)]
Prepare for 0.8.1 Release

Justin Ruggles [Sun, 12 Feb 2012 20:06:58 +0000 (15:06 -0500)]
mov: set channel layout for AC-3 streams based on the 'dac3' atom info
fixes Bug 225
(cherry picked from commit 3798205a77ce275613098ecb48645e6029811f14)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Janne Grunau [Mon, 13 Feb 2012 20:10:48 +0000 (21:10 +0100)]
rv34: handle size changes during frame multithreading
Factors all context dynamic memory handling to its own functions.
Fixes bug 220.
(cherry picked from commit 2bd730010da24d035639586bb13862abe36cc1b8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Alex Converse [Tue, 21 Feb 2012 23:37:35 +0000 (15:37 -0800)]
mov: Add more HDV and XDCAM FourCCs.
Reference: VLC
(cherry picked from commit b142496c5630b9bc88fb9eaccae7f6bd62fb23e7)

Alex Converse [Tue, 21 Feb 2012 22:08:02 +0000 (14:08 -0800)]
mov: Add support for MPEG2 HDV 720p24 (hdv4)
(cherry picked from commit 0ad522afb3a3b3d22402ecb82dd4609f7655031b)

Alex Converse [Thu, 1 Mar 2012 21:24:55 +0000 (13:24 -0800)]
rv10/20: Fix slice overflow with checked bitstream reader.
(cherry picked from commit 9243ec4a508c81a621e941bb7e012e2d45d93659)

Michael Niedermayer [Fri, 17 Feb 2012 21:35:10 +0000 (13:35 -0800)]
h263dec: Disallow width/height changing with frame threads.
Fixes CVE-2011-3937
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)
Conflicts:
libavcodec/h263dec.c
Signed-off-by: Alex Converse <alex.converse@gmail.com>

Alex Converse [Tue, 28 Feb 2012 19:50:22 +0000 (11:50 -0800)]
adpcm: Clip step_index values read from the bitstream at the beginning of each frame.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit bbeb29133b55b7256d18f5aaab8b5c8e919a173a)

Alex Converse [Thu, 23 Feb 2012 18:22:51 +0000 (10:22 -0800)]
tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned.
TIFF v6.0 (unimplemented) adds signed equivalents.
(cherry picked from commit e32548d1331ce05a054f1028fcdda8823a4f215a)

Alex Converse [Fri, 17 Feb 2012 22:13:40 +0000 (14:13 -0800)]
dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)

Alex Converse [Fri, 10 Feb 2012 04:21:47 +0000 (20:21 -0800)]
svq3: Prevent illegal reads while parsing extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba)

Alex Converse [Fri, 10 Feb 2012 01:11:55 +0000 (17:11 -0800)]
dv: Fix small overread in audio frequency table.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 0ab3687924457cb4fd81897bd39ab3cc5b699588)

Michael Niedermayer [Fri, 3 Feb 2012 03:27:27 +0000 (22:27 -0500)]
ac3dec: Move center and surround mix level tables to the parser.
That way all mix levels as exported by avpriv_ac3_parse_header()
will have the same meaning.
Previously the 3-bit center mix level for E-AC-3 was used to index in a
4-entry table, leading to out-of-array reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e6d9fa66f12cf5a3024c9bc7c4c608f7fc59207e)

Alex Converse [Fri, 3 Feb 2012 18:43:21 +0000 (10:43 -0800)]
movdec: Avoid av_malloc(0) in stss
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 29a20ac4a19df5acc0eef306ca5a737778a31358)

Mans Rullgard [Tue, 31 Jan 2012 18:20:33 +0000 (10:20 -0800)]
ac3: Do not read past the end of ff_ac3_band_start_tab.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 034b03e7a0e8e4f8f66c82b736f2c0aa7c063ec0)

Alex Converse [Thu, 26 Jan 2012 23:08:26 +0000 (15:08 -0800)]
dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Found with asan.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)

Michael Niedermayer [Tue, 24 Jan 2012 16:51:40 +0000 (17:51 +0100)]
dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)

Michael Niedermayer [Tue, 24 Jan 2012 16:48:23 +0000 (17:48 +0100)]
dv: check stype
Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)

Dale Curtis [Fri, 24 Feb 2012 18:17:39 +0000 (13:17 -0500)]
mpegaudiodec: Prevent premature clipping of mp3 input buffer.
Instead of clipping extrasize based on EXTRABYTES, clip based on the
amount of buffer actually left. Without this fix, there are warbles
and other distortions in the test case below.
http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3
(cherry picked from commit b7165426917f91ebcad84bdff366824f03b32bfe)
Signed-off-by: Alex Converse <alex.converse@gmail.com>

Alex Converse [Wed, 25 Jan 2012 23:46:14 +0000 (15:46 -0800)]
mp3dec: Fix a heap-buffer-overflow
In some cases, what is left to read from ptr is smaller than EXTRABYTES.
Based on a patch by Thierry Foucu <tfoucu@gmail.com>.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit f372ce119bd2458fa0b4ddfb2af3a36621df99f7)

Alex Converse [Fri, 27 Jan 2012 23:50:24 +0000 (15:50 -0800)]
mpeg12: Pad framerate tab to 16 entries.
There are many places where we read an unchecked 4-bit index into it.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit dfa37fe8a3d9243dd339d94befa065e2c90b29e6)

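The two table-indexing defences that recur in this log, as an added example written for this page (it is not libav code). The mpeg12 fix above sizes the table to the full range of the bitfield that indexes it: a 4-bit frame_rate_code can hold 16 values but only codes 1 to 8 are defined, so a 9-entry table is read out of bounds by any reserved code taken from an untrusted stream, while a 16-entry table with zero-filled padding turns the same input into a clean "invalid" result. The dca and amrwb entries use the other pattern, rejecting the value before it is used as an index. The frame-rate values are the standard MPEG-2 ones; the mode table values, the ERR_INVALID_DATA code and all function and type names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Pattern 1 (mpeg12): pad the table to the whole range of the index field.
 * Codes 1..8 are the frame rates MPEG-2 defines; code 0 is forbidden and
 * 9..15 are reserved. Entries not listed are zero-initialised by C. */
typedef struct { int num, den; } FrameRate;

static const FrameRate frame_rate_tab[16] = {
    {     0,    0 }, /* 0: forbidden */
    { 24000, 1001 }, /* 1: 23.976 */
    {    24,    1 }, /* 2 */
    {    25,    1 }, /* 3 */
    { 30000, 1001 }, /* 4: 29.97 */
    {    30,    1 }, /* 5 */
    {    50,    1 }, /* 6 */
    { 60000, 1001 }, /* 7: 59.94 */
    {    60,    1 }, /* 8 */
    /* 9..15: reserved, left as {0, 0} */
};

/* Returns 1 and fills *out for a defined code, 0 for forbidden or reserved
 * codes. The mask makes the index provably < 16 whatever the caller read,
 * and den == 0 in the padding is what marks an entry as unusable. */
int lookup_frame_rate(unsigned code, FrameRate *out)
{
    const FrameRate *fr = &frame_rate_tab[code & 0xF];
    if (fr->den == 0)
        return 0;
    *out = *fr;
    return 1;
}

/* Pattern 2 (dca, amrwb): when the field is wider than the table, check the
 * index itself before any memory access and report an error instead. */
#define ERR_INVALID_DATA (-1) /* stand-in for a negative AVERROR value */

/* Constructed per-mode sizes; the real codecs' tables are not reproduced. */
static const int mode_table[4] = { 10, 20, 40, 80 };

/* Returns the entry for a valid mode, ERR_INVALID_DATA otherwise. */
int lookup_mode(unsigned mode)
{
    if (mode >= sizeof(mode_table) / sizeof(mode_table[0]))
        return ERR_INVALID_DATA;
    return mode_table[mode];
}
```

Padding works when the index is a fixed-width bitfield whose whole range is cheap to cover; an explicit check is the right tool when the value comes from a wider field or arithmetic, since no amount of padding bounds it.
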
Michael Niedermayer [Wed, 25 Jan 2012 22:23:35 +0000 (23:23 +0100)]
kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b)

Alex Converse [Thu, 26 Jan 2012 16:30:49 +0000 (17:30 +0100)]
kmvc: Check palsize.
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)

Alex Converse [Fri, 27 Jan 2012 01:23:09 +0000 (17:23 -0800)]
nsvdec: Propagate errors
Related to CVE-2011-3940.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)
Conflicts:
libavformat/nsvdec.c

Alex Converse [Fri, 27 Jan 2012 01:21:46 +0000 (17:21 -0800)]
nsvdec: Be more careful with av_malloc().
Check results for av_malloc() and fix an overflow in one call.
Related to CVE-2011-3940.
Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)

Michael Niedermayer [Tue, 24 Jan 2012 21:20:26 +0000 (22:20 +0100)]
nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)

Martin Storsjö [Fri, 2 Mar 2012 15:03:06 +0000 (17:03 +0200)]
g722: Fix the QMF scaling
This fixes clipping if the encoder input used the full 16 bit
input range (samples with a magnitude below 16383 worked fine).
The filtered subband samples should be 15 bit maximum, while
the code earlier produced them scaled to 16 bit.
This makes the decoder output have double the magnitude
compared to before.
The spec reference samples don't test the QMF at all, which
was why this part slipped past initially.
(cherry picked from commit b087ce2bee81db8cc5caffb8f0a4f6c7c92a30fe)
Signed-off-by: Martin Storsjö <martin@martin.st>

Justin Ruggles [Thu, 9 Feb 2012 18:00:30 +0000 (13:00 -0500)]
ac3dsp: do not use pshufb in ac3_extract_exponents_ssse3()
We need to do unsigned saturation in order to cover the corner case when the
absolute coefficient value is 16777215 (the maximum value).
Fixes Bug #216
(cherry picked from commit d483bb58c318b0a6152709cf28263d72200b98f9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Fabian Greffrath [Mon, 5 Mar 2012 15:06:01 +0000 (16:06 +0100)]
Fix format string vulnerability detected by -Wformat-security.
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit c9dbac36ad4bac07f6c1d06d465e361ab55bcb95)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Sun, 26 Feb 2012 16:57:14 +0000 (08:57 -0800)]
h264: fix mmxext chroma deblock to use correct TC values.
(cherry picked from commit b0c4f04338234ee011d7b704621347ef232294fe)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Sun, 26 Feb 2012 01:24:56 +0000 (17:24 -0800)]
h264: change underread for 10bit QPEL to overread.
This prevents us from reading before the start of the buffer, and thus
prevents crashes resulting from this behaviour. Fixes bug 237.
(cherry picked from commit 291c9b62855d555ac5385e23219461b6080da7db)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 21:55:09 +0000 (13:55 -0800)]
cscd: use negative error values to indicate decode_init() failures.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Vitor Sessak [Wed, 29 Feb 2012 21:09:10 +0000 (22:09 +0100)]
amrnbdec: check frame size before decoding.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 02:48:27 +0000 (18:48 -0800)]
h264: prevent overreads in intra PCM decoding.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d1604b3de96575195b219028e2c4f08b2259aa7d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Justin Ruggles [Fri, 2 Mar 2012 22:11:25 +0000 (17:11 -0500)]
wmaenc: fix m/s stereo encoding for the first frame
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.
CC: libav-stable@libav.org
(cherry picked from commit 51ddf35c9017018e58c15275ff5b129647a0c94d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Justin Ruggles [Fri, 2 Mar 2012 21:27:57 +0000 (16:27 -0500)]
wmaenc: limit allowed sample rate to 48kHz
ff_wma_init() allows up to 50kHz, but this generates an exponent band
size table that requires 65 bands. The code assumes 25 bands in many
places, and using sample rates higher than 48kHz will lead to buffer
overwrites.
CC: libav-stable@libav.org
(cherry picked from commit 1ec075cfecac01f9a289965db06f76365b0b1737)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Justin Ruggles [Fri, 2 Mar 2012 21:10:00 +0000 (16:10 -0500)]
wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE
This is near the theoretical limit for wma frame size and is the most that
our decoder can handle. Allowing higher bit rates will just end up padding
each frame with empty bytes.
Fixes invalid writes for avconv when using very high bit rates.
CC: libav-stable@libav.org
(cherry picked from commit c2b8dea1828f35c808adcf12615893d5c740bc0a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Justin Ruggles [Fri, 2 Mar 2012 21:33:33 +0000 (16:33 -0500)]
wmaenc: require a large enough output buffer to prevent overwrites
The maximum theoretical frame size is around 17000 bytes. Although in
practice it will generally be much smaller, we require a larger buffer
just to be safe.
CC: libav-stable@libav.org
(cherry picked from commit dfc4fdedf8cfc56a505579b1f2c1c5efbce4b97e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Alex Converse [Fri, 2 Mar 2012 18:12:11 +0000 (10:12 -0800)]
mpegts: Do not call read_sl_header() when no bytes remain in the buffer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4df369692ea8aee7094ac0f233cef8d1bee139a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Alex Converse [Fri, 2 Mar 2012 18:13:07 +0000 (10:13 -0800)]
mpegts: Pad the packet buffer in handle_packet().
This allows it to be used with get_bits without the threat of overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1aa708988ac131cf7d5c8bd59aca256a7c974df9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Thu, 1 Mar 2012 23:44:25 +0000 (15:44 -0800)]
amrwb: remove duplicate arguments from extrapolate_isf().
Prevents warnings because the dst and src overlap (are the same) in the
memcpy() inside the function.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9d87374ec0f382c8394ad511243db6980afa42af)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Thu, 1 Mar 2012 21:51:21 +0000 (13:51 -0800)]
amrwb: error out early if mode is invalid.
Prevents using the invalid mode as an index in a static array, which
would generate invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 154b8bb80029e71d562e8936164266300dd35a0e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Fri, 2 Mar 2012 01:01:22 +0000 (17:01 -0800)]
matroska: check buffer size for RM-style byte reordering.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Fri, 2 Mar 2012 00:19:51 +0000 (16:19 -0800)]
wma: fix invalid buffer size assumptions causing random overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 349b7977e408f18cff01ab31dfa66c8249b6584a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Alex Converse [Fri, 27 Jan 2012 22:24:07 +0000 (14:24 -0800)]
wmadec: Verify bitstream size makes sense before calling init_get_bits.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Alex Converse [Thu, 1 Mar 2012 22:07:22 +0000 (14:07 -0800)]
rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Thu, 1 Mar 2012 01:50:28 +0000 (17:50 -0800)]
lcl: return negative error codes on decode_init() errors.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Justin Ruggles [Sat, 25 Feb 2012 04:27:14 +0000 (23:27 -0500)]
avutil: add AVERROR_UNKNOWN
Useful to return instead of -1 when the cause of the error is unknown,
typically from an external library.
(cherry picked from commit c9bca801324f03746757aef8549ebd26599adec2)
Conflicts:
doc/APIchanges
libavutil/avutil.h
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Thu, 1 Mar 2012 19:56:05 +0000 (11:56 -0800)]
h264: error out on invalid bitdepth.
Fixes invalid reads while initializing the dequant tables, which uses
the bit depth to determine the QP table size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Thu, 1 Mar 2012 17:41:22 +0000 (09:41 -0800)]
huffyuv: do not abort on unknown pix_fmt; instead, return an error.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 03:00:48 +0000 (19:00 -0800)]
vmnc: return error on decode_init() failure.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 01:04:33 +0000 (17:04 -0800)]
rpza: error out on buffer overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 03:00:39 +0000 (19:00 -0800)]
qtrle: return error on decode_init() failure.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 02:21:31 +0000 (18:21 -0800)]
swscale: fix another integer overflow.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Thu, 23 Feb 2012 19:19:33 +0000 (11:19 -0800)]
vp56: error out on invalid stream dimensions.
Prevents crashes when playing corrupt vp5/6 streams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 29 Feb 2012 00:13:46 +0000 (16:13 -0800)]
asf: don't seek back on EOF.
Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Fri, 17 Feb 2012 20:21:22 +0000 (12:21 -0800)]
asf: error out on ridiculously large minpktsize values.
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Anton Khirnov [Fri, 27 Jan 2012 12:33:09 +0000 (13:33 +0100)]
lavf: add functions for accessing the fourcc<->CodecID mapping tables.
Fixes bug 212.
(cherry picked from commit dd6d3b0e025cb2a16022665dbb8ab1be18dc05e8)
Conflicts:
doc/APIchanges
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Paul B Mahol [Sun, 29 Jan 2012 20:09:22 +0000 (20:09 +0000)]
avutil: make intfloat api public
The functions are already av_ prefixed and intfloat header is already provided.
Install libavutil/intfloat.h
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8b933129b932f523a746e921a0a20b8dd8816971)
Conflicts:
doc/APIchanges
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Alex Converse [Wed, 25 Jan 2012 21:39:24 +0000 (13:39 -0800)]
mjpegbdec: Fix overflow in SOS.
Based in part on a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Tue, 28 Feb 2012 19:35:36 +0000 (11:35 -0800)]
oma: don't read beyond end of leaf_table.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 934cd18a43151ba4b819d9270d539cdb26f6e079)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Tue, 28 Feb 2012 18:22:28 +0000 (10:22 -0800)]
Indeo3: fix crashes on corrupt bitstreams.
Splits at borders of cells are invalid, since it leaves one of the
cells with a width/height of zero. Also, propagate errors on buffer
allocation failures, so we don't continue decoding (which crashes).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 11 Jan 2012 01:01:26 +0000 (17:01 -0800)]
vorbis: fix overflows in floor1[] vector and inverse db table index.
(cherry picked from commit 24947d4988012f1f0fd467c83418615adc11c3e8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Reinhard Tartler [Sun, 26 Feb 2012 09:50:45 +0000 (10:50 +0100)]
Fix parser not to clobber has_b_frames when extradata is set.
Because in contrast to the decoder, the parser does not set up low_delay.
The code in parse_nal_units would always end up setting has_b_frames
to "1", except when the stream is explicitly marked as low delay.
Since the parser itself would create 'extradata', simply reopening
the parser would cause this.
This happens for instance in estimate_timings_from_pts(), which causes the
parser to be reopened on the same stream.
This fixes Libav #22 and FFmpeg (trac) #360
CC: libav-stable@libav.org
Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7)
Comments and description adapted by Reinhard Tartler.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Wed, 22 Feb 2012 19:33:24 +0000 (11:33 -0800)]
rm: prevent infinite loops for index parsing.
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Ronald S. Bultje [Fri, 24 Feb 2012 22:11:04 +0000 (14:11 -0800)]
fraps: release reference buffer on pix_fmt change.
Prevents crash when trying to copy from a non-existing plane in e.g.
a RGB32 reference image to a YUV420P target image.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Sat, 25 Feb 2012 00:27:53 +0000 (16:27 -0800)]
kgv1: release reference picture on size change.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Thu, 29 Dec 2011 17:07:32 +0000 (09:07 -0800)]
kgv1: use avctx->get/release_buffer().
Also fixes crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 24 Feb 2012 00:09:36 +0000 (16:09 -0800)]
lcl: error out if uncompressed input buffer is smaller than framesize.
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Thu, 23 Feb 2012 20:22:40 +0000 (12:22 -0800)]
mjpeg: abort decoding if packet is too large.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ab492ca2ab105aeb24d955f3f03756bdb3139ee1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Alex Converse [Thu, 23 Feb 2012 18:47:50 +0000 (10:47 -0800)]
tiff: Prevent overreads in the type_sizes array.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Thu, 23 Feb 2012 19:53:27 +0000 (11:53 -0800)]
swf: check return values for av_get/new_packet().
Prevents crashers when using the packet if allocation failed.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Wed, 22 Feb 2012 20:19:52 +0000 (12:19 -0800)]
truemotion2: error out if the huffman tree has no nodes.
This prevents crashers and errors further down when reading nodes in the
empty tree.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Tue, 21 Feb 2012 18:36:27 +0000 (10:36 -0800)]
rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1.
We read sub_packet_h / 2 packets per line of data (during deinterleaving),
which equals zero if sub_packet_h <= 1, thus causing us to not read any
data, leading to an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e30b3e59a4f3004337cb1623b2aac988ce52b93f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Janne Grunau [Tue, 21 Feb 2012 15:34:08 +0000 (16:34 +0100)]
avplay: fix -threads option
The AVOptions based default to threads auto in 2473a45c8
works only if avplay does not use custom option handling
for -threads.
CC: <libav-stable@libav.org>
(cherry picked from commit e48a70e6da02cd5426b6340af70410bdfe27dfa7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 17 Feb 2012 22:18:22 +0000 (14:18 -0800)]
vc1parse: call vc1_init_common().
The parser uses VLC tables initialized in vc1_common_init(), therefore
we should call this function on parser init also.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce)
Conflicts:
libavcodec/vc1.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Sat, 18 Feb 2012 00:57:00 +0000 (16:57 -0800)]
wma: don't return 0 on invalid packets.
Return 0 means "please return the same data again", i.e. it causes an
infinite loop. Instead, return an error.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9d3050d3e95e307ebc34a943484c7add838d1220)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Sat, 18 Feb 2012 00:27:36 +0000 (16:27 -0800)]
mjpegb: don't return 0 at the end of frame decoding.
Return 0 indicates "please return the same data again", i.e. it causes
an infinite loop. Instead, return that we consumed the buffer if we
finished decoding successfully, or return an error if an error occurred.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

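The decode contract behind the wma and mjpegb fixes above, as an added example written for this page rather than libav code: a decoder returns the number of input bytes it consumed or a negative error, and the caller advances by that count and calls again while input remains. Returning 0 on bad input therefore means "feed me the same bytes again", and the caller spins forever. The block uses a constructed length-prefixed packet format to contrast a decoder that returns 0 with one that returns an error, and shows a caller loop that also treats repeated zero-progress as a failure, so the hang is detected even when a decoder gets this wrong. All names are the example's own; the ERR_* codes stand in for libav's negative AVERROR values.

```c
#include <stddef.h>
#include <stdint.h>

#define ERR_INVALID_DATA (-1) /* stand-in for a negative AVERROR value */
#define ERR_NO_PROGRESS  (-2) /* caller-side: decoder keeps consuming nothing */

/* Constructed packet format: one length byte (>= 1) followed by that many
 * payload bytes. A packet is valid only if it fits in the remaining input. */
static int is_valid_packet(const uint8_t *buf, size_t len)
{
    return len >= 1 && buf[0] >= 1 && (size_t)buf[0] + 1 <= len;
}

/* Buggy decoder: returns 0 on invalid input, the behaviour both commits removed. */
static int decode_returns_zero(const uint8_t *buf, size_t len)
{
    if (!is_valid_packet(buf, len))
        return 0;
    return buf[0] + 1; /* bytes consumed: length byte plus payload */
}

/* Fixed decoder: invalid input is reported as an error, which the caller can
 * tell apart from "consumed nothing". */
static int decode_returns_error(const uint8_t *buf, size_t len)
{
    if (!is_valid_packet(buf, len))
        return ERR_INVALID_DATA;
    return buf[0] + 1;
}

typedef int (*decode_fn)(const uint8_t *buf, size_t len);

/* Caller loop. Returns the number of packets decoded, or a negative error.
 * Besides propagating decoder errors, it refuses to re-feed the same bytes
 * more than max_spins times, so a zero-returning decoder surfaces as
 * ERR_NO_PROGRESS instead of hanging the process. */
int decode_stream(decode_fn decode, const uint8_t *buf, size_t len, int max_spins)
{
    int packets = 0, spins = 0;
    size_t pos = 0;

    while (pos < len) {
        int used = decode(buf + pos, len - pos);
        if (used < 0)
            return used;
        if (used == 0) {
            if (++spins > max_spins)
                return ERR_NO_PROGRESS;
            continue; /* same bytes again, exactly what the old decoders asked for */
        }
        spins = 0;
        pos += (size_t)used;
        packets++;
    }
    return packets;
}

/* Constructed input: one valid 2-byte-payload packet, then a packet whose
 * length byte (5) claims more payload than the single byte that follows. */
static const uint8_t truncated_stream[] = { 0x02, 0xAA, 0xBB, 0x05, 0x01 };
/* Constructed input: two complete packets, nothing left over. */
static const uint8_t clean_stream[]     = { 0x01, 0x00, 0x02, 0x01, 0x02 };

int run_buggy_on_truncated(void)
{
    return decode_stream(decode_returns_zero, truncated_stream,
                         sizeof truncated_stream, 3); /* returns ERR_NO_PROGRESS */
}

int run_fixed_on_truncated(void)
{
    return decode_stream(decode_returns_error, truncated_stream,
                         sizeof truncated_stream, 3); /* returns ERR_INVALID_DATA */
}

int run_fixed_on_clean(void)
{
    return decode_stream(decode_returns_error, clean_stream,
                         sizeof clean_stream, 3); /* returns 2 */
}
```

The spin counter is a belt-and-braces measure on the caller side; the real fix is the one in the commits, namely that a decoder which cannot make progress says so with an error rather than a zero.
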
Ronald S. Bultje [Fri, 17 Feb 2012 20:21:18 +0000 (12:21 -0800)]
asf: prevent packet_size_left from going negative if hdrlen > pktlen.
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 17 Feb 2012 23:51:27 +0000 (15:51 -0800)]
aiff: don't skip block_align==0 check on COMM-after-SSND files.
This prevents SIGFPEs when using block_align for divisions.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 32a659c758bf2ddd8ad48f18c06fa77444341286)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 17 Feb 2012 23:20:27 +0000 (15:20 -0800)]
mp3on4: require a minimum framesize.
If bufsize < headersize, init_get_bits() will be called with a negative
number, causing it to fail and any subsequent call to get_bits() will
crash because it reads from a NULL pointer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3e13005cac6e076053276b515f5fcf59a3f4b65d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 17 Feb 2012 23:00:47 +0000 (15:00 -0800)]
huffyuv: error out on bit overrun.
On EOF, get_bits() will continuously return 0, causing an infinite
loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 17 Feb 2012 20:28:26 +0000 (12:28 -0800)]
als: prevent infinite loop in zero_remaining().
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Fri, 17 Feb 2012 20:10:33 +0000 (12:10 -0800)]
cook: prevent div-by-zero if channels is zero.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Ronald S. Bultje [Tue, 14 Feb 2012 20:40:19 +0000 (12:40 -0800)]
vc1: prevent using last_frame as a reference for I/P first frame.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ae591aeea58d64399b8281be31dacec0de85ae04)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Ronald S. Bultje [Thu, 23 Feb 2012 00:48:38 +0000 (16:48 -0800)]
swscale: take first/lastline over/underflows into account for MMX.
Fixes crashes for extremely large resizes (several 100-fold).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit
1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Ronald S. Bultje [Thu, 23 Feb 2012 00:46:31 +0000 (16:46 -0800)]
swscale: fix overflows in filterPos[] calculation for large sizes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit
19a65b5be47944c607a9e979edb098924d95f2e4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Ronald S. Bultje [Sat, 11 Feb 2012 16:42:28 +0000 (08:42 -0800)]
swscale: enforce a minimum filtersize.
At very small dimensions, this calculation could lead to zero-sized
filters, which leads to uninitialized output, zero-sized allocations,
loop overflows in SIMD that uses do{..}while(i++<filtersize); instead
of for(i=0;i<filtersize;i++){..} and several other similar failures.
Therefore, require a minimum filtersize of 1.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit
dae2ce361a2b5fd9be1d43e5e8c00bdbc5f03e3d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Ronald S. Bultje [Fri, 10 Feb 2012 18:51:43 +0000 (10:51 -0800)]
tta: error out if samplerate is zero.
Prevents a division by zero later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit
7416d610362807848236ceff1bc6740dbc82842d)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Janne Grunau [Wed, 25 Jan 2012 14:49:54 +0000 (15:49 +0100)]
vc1: prevent null pointer dereference on broken files
CC: libav-stable@libav.org
(cherry picked from commit
510ef04a461b3b54a762c6141ad880cbed85981f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Alex Converse [Thu, 26 Jan 2012 00:12:42 +0000 (16:12 -0800)]
smacker: Sanity check huffman tables found in the headers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit
9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Janne Grunau [Wed, 18 Jan 2012 09:59:32 +0000 (10:59 +0100)]
lavf: prevent infinite loops while flushing in avformat_find_stream_info
If no data was seen for a stream, decoders are returning 0 when fed with
empty packets for flushing. We can stop flushing when the decoder does
not return delayed frames anymore. Changes try_decode_frame()
return value to got_picture or negative error.
CC: libav-stable@libav.org
(cherry picked from commit
b3461c29c1aee7d62eeb02a59d46593c60362679)
Signed-off-by: Anton Khirnov <anton@khirnov.net>