ffmpeg.git
4 years ago avformat/idcin: Use 64bit for ret to avoid overflow
Michael Niedermayer [Fri, 20 Feb 2015 19:13:06 +0000 (20:13 +0100)]
avformat/idcin: Use 64bit for ret to avoid overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d1923d15a3544cbb94563a59e7169291db76b312)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/asfdec: Use 64bit ret to avoid overflow
Michael Niedermayer [Fri, 20 Feb 2015 18:29:12 +0000 (19:29 +0100)]
avformat/asfdec: Use 64bit ret to avoid overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d4936d28a11fac6c9c4b4df9625185f93b086986)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago ffmdec: make sure the time base is valid
Andreas Cadhalpun [Sun, 8 Mar 2015 22:12:59 +0000 (23:12 +0100)]
ffmdec: make sure the time base is valid

A negative time base can trigger assertions.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4c91d81be23ffacfa3897b2bcfa77445bb0c2f89)

Conflicts:

libavformat/ffmdec.c
(cherry picked from commit 9678ceb6976ca8194848b24535785a298521211f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/012v: redesign main loop
Michael Niedermayer [Tue, 10 Mar 2015 18:18:34 +0000 (19:18 +0100)]
avcodec/012v: redesign main loop

Fixes out of array accesses
Fixes: ffmpeg_012v_crash.ts

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Reviewed-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/012v: Check dimensions more completely
Michael Niedermayer [Tue, 10 Mar 2015 19:21:14 +0000 (20:21 +0100)]
avcodec/012v: Check dimensions more completely

Fixes division by 0

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago roqvideoenc: set enc->avctx in roq_encode_init
Andreas Cadhalpun [Mon, 9 Mar 2015 18:24:09 +0000 (19:24 +0100)]
roqvideoenc: set enc->avctx in roq_encode_init

So far it is only set in roq_encode_frame, but it is used in
roq_encode_end to free the coded_frame. This currently segfaults if
roq_encode_frame is not called between roq_encode_init and
roq_encode_end.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/options_table: remove extradata_size from the AVOptions table
Michael Niedermayer [Mon, 9 Mar 2015 02:42:00 +0000 (03:42 +0100)]
avcodec/options_table: remove extradata_size from the AVOptions table

allowing access to the size but not the extradata itself is not useful
and could lead to potential problems if writing happens through this field

Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago ffmdec: limit the backward seek to the last resync position
Andreas Cadhalpun [Mon, 9 Mar 2015 13:59:44 +0000 (14:59 +0100)]
ffmdec: limit the backward seek to the last resync position

If resyncing leads to the same position as previously, it will again
lead to a resync attempt, resulting in an infinite loop.

Thus don't seek back beyond the last syncpoint.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6b8263b03ab3d16d70525ae1893cb106be7852f1)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '8ae0d702a1ba1c3c8d88a29c181f8434f25bf53c' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:28:40 +0000 (13:28 +0100)]
Merge commit '8ae0d702a1ba1c3c8d88a29c181f8434f25bf53c' into release/2.2

* commit '8ae0d702a1ba1c3c8d88a29c181f8434f25bf53c':
  doc: More changelog updates for v10.6

Conflicts:
Changelog

not merged

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'e032e647dd79e7748145792dfee0358eccb1982e' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:27:46 +0000 (13:27 +0100)]
Merge commit 'e032e647dd79e7748145792dfee0358eccb1982e' into release/2.2

* commit 'e032e647dd79e7748145792dfee0358eccb1982e':
  utvideodec: Handle slice_height being zero

See: 3881606240953b9275a247a1c98a567f3c44890f
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'eb9041403d820634c45ed4ee98570246a252507a' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:26:36 +0000 (13:26 +0100)]
Merge commit 'eb9041403d820634c45ed4ee98570246a252507a' into release/2.2

* commit 'eb9041403d820634c45ed4ee98570246a252507a':
  tiff: Check that there is no aliasing in pixel format selection

Conflicts:
libavcodec/tiff.c

See: e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '0051174c70810b66378cf8ea093eab01302f6049' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:25:45 +0000 (13:25 +0100)]
Merge commit '0051174c70810b66378cf8ea093eab01302f6049' into release/2.2

* commit '0051174c70810b66378cf8ea093eab01302f6049':
  rmenc: limit packet size

Conflicts:
libavformat/rmenc.c

See: 08728f400b8367dc8c983036cb2eff3a2891322b
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '61c966ef30129a0e4dba485242c039a895914d33' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:05:37 +0000 (13:05 +0100)]
Merge commit '61c966ef30129a0e4dba485242c039a895914d33' into release/2.2

* commit '61c966ef30129a0e4dba485242c039a895914d33':
  webp: validate the distance prefix code

See: c089e720c1b753790c746a13053636d7facf6bf0
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '772f50c1f3e4a50ce3f35e31a6f0cd64e7cbe818' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:04:23 +0000 (13:04 +0100)]
Merge commit '772f50c1f3e4a50ce3f35e31a6f0cd64e7cbe818' into release/2.2

* commit '772f50c1f3e4a50ce3f35e31a6f0cd64e7cbe818':
  rv10: check size of s->mb_width * s->mb_height

Conflicts:
libavcodec/rv10enc.c

See: 2578a546183da09d49d5bba8ab5e982dece1dede
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '0eb8786eac1f4a2132ad80dc49f90d5f81665c5c' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 12:00:10 +0000 (13:00 +0100)]
Merge commit '0eb8786eac1f4a2132ad80dc49f90d5f81665c5c' into release/2.2

* commit '0eb8786eac1f4a2132ad80dc49f90d5f81665c5c':
  eamad: check for out of bounds read

Conflicts:
libavcodec/eamad.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/rm: limit packet size
Andreas Cadhalpun [Mon, 2 Mar 2015 14:46:44 +0000 (15:46 +0100)]
avformat/rm: limit packet size

The chunk size is limited to 0xFFFF (written by avio_wb16), so make
sure that the packet size is not too large.

Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
See Ticket244

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08728f400b8367dc8c983036cb2eff3a2891322b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/webp: validate the distance prefix code
Andreas Cadhalpun [Mon, 2 Mar 2015 19:47:57 +0000 (20:47 +0100)]
avcodec/webp: validate the distance prefix code

According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.

If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5de2dab12b951b2fe121eb18503accfc91cd1565)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/rv10: check size of s->mb_width * s->mb_height
Andreas Cadhalpun [Mon, 2 Mar 2015 19:27:26 +0000 (20:27 +0100)]
avcodec/rv10: check size of s->mb_width * s->mb_height

If it doesn't fit into 12 bits it triggers an assertion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2578a546183da09d49d5bba8ab5e982dece1dede)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago webp: ensure that each transform is only used once
Andreas Cadhalpun [Thu, 5 Mar 2015 21:48:28 +0000 (22:48 +0100)]
webp: ensure that each transform is only used once

According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".

If a transform is used more than once this can lead to memory
corruption.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c089e720c1b753790c746a13053636d7facf6bf0)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'b2b359f12465c8445484be24278b324da8ebb0e1' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:50:05 +0000 (12:50 +0100)]
Merge commit 'b2b359f12465c8445484be24278b324da8ebb0e1' into release/2.2

* commit 'b2b359f12465c8445484be24278b324da8ebb0e1':
  mdec: check for out of bounds read

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '0ad8d751337efbbd61c0d78762448b043100b653' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:48:48 +0000 (12:48 +0100)]
Merge commit '0ad8d751337efbbd61c0d78762448b043100b653' into release/2.2

* commit '0ad8d751337efbbd61c0d78762448b043100b653':
  configure: Properly fail when libcdio/cdparanoia is not found

Conflicts:
configure

See: f514b5dff769a331ea2153c23594d9b29b667141
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '7fd11fbeeb41990427b475dc0d8800d2cf15a8c4' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:48:15 +0000 (12:48 +0100)]
Merge commit '7fd11fbeeb41990427b475dc0d8800d2cf15a8c4' into release/2.2

* commit '7fd11fbeeb41990427b475dc0d8800d2cf15a8c4':
  arm: Suppress tags about used cpu arch and extensions

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '470fd8e64e292d2336b2b860437dcbc053ba9eec' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:40:22 +0000 (12:40 +0100)]
Merge commit '470fd8e64e292d2336b2b860437dcbc053ba9eec' into release/2.2

* commit '470fd8e64e292d2336b2b860437dcbc053ba9eec':
  Update Changelog for v10.6

Conflicts:
Changelog

not merged

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'f74f4a540151aacb38306f2e41a160c326be3d51' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:38:44 +0000 (12:38 +0100)]
Merge commit 'f74f4a540151aacb38306f2e41a160c326be3d51' into release/2.2

* commit 'f74f4a540151aacb38306f2e41a160c326be3d51':
  Prepare for 10.6 Release

Conflicts:
RELEASE

Not merged

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'c47cdf837c1b52681a84f434443e1f993757a5e9' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:35:20 +0000 (12:35 +0100)]
Merge commit 'c47cdf837c1b52681a84f434443e1f993757a5e9' into release/2.2

* commit 'c47cdf837c1b52681a84f434443e1f993757a5e9':
  img2dec: correctly use the parsed value from -start_number

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '91ef250713d04d675a16e5b030d7226baafe3f82' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:26:49 +0000 (12:26 +0100)]
Merge commit '91ef250713d04d675a16e5b030d7226baafe3f82' into release/2.2

* commit '91ef250713d04d675a16e5b030d7226baafe3f82':
  h264_cabac: Break infinite loops

Conflicts:
libavcodec/h264_cabac.c

See: cdf0877bc341684c56ac1fe057397adbadf329ee
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '3670942fae7beb2bfde52557ee95eab5f536e624' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:24:50 +0000 (12:24 +0100)]
Merge commit '3670942fae7beb2bfde52557ee95eab5f536e624' into release/2.2

* commit '3670942fae7beb2bfde52557ee95eab5f536e624':
  h264: initialize H264Context.avctx in init_thread_copy

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'fa4604d80580dde45bfce32ebe04a5c13c233895' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:23:49 +0000 (12:23 +0100)]
Merge commit 'fa4604d80580dde45bfce32ebe04a5c13c233895' into release/2.2

* commit 'fa4604d80580dde45bfce32ebe04a5c13c233895':
  h264: Do not share rbsp_buffer across threads

Conflicts:
libavcodec/h264.c

See: ecbf838c7d81ebd3b89fe75d83ff29150dbda27a
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit '03fbb6ff3d28f639ea5a35aba3c6dca09c17225d' into release/2.2
Michael Niedermayer [Mon, 9 Mar 2015 11:11:40 +0000 (12:11 +0100)]
Merge commit '03fbb6ff3d28f639ea5a35aba3c6dca09c17225d' into release/2.2

* commit '03fbb6ff3d28f639ea5a35aba3c6dca09c17225d':
  h264: only ref cur_pic in update_thread_context if it is initialized

Conflicts:
libavcodec/h264.c

See: 0fc01ae33c7712168aab0f98c5715b40da0b5f03
Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago doc: More changelog updates for v10.6
Reinhard Tartler [Mon, 9 Mar 2015 01:57:59 +0000 (21:57 -0400)]
doc: More changelog updates for v10.6

4 years ago utvideodec: Handle slice_height being zero
Michael Niedermayer [Wed, 4 Mar 2015 17:36:14 +0000 (17:36 +0000)]
utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)
(cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
4 years ago tiff: Check that there is no aliasing in pixel format selection
Anton Khirnov [Sat, 7 Mar 2015 21:06:59 +0000 (22:06 +0100)]
tiff: Check that there is no aliasing in pixel format selection

Fixes possible issues with unexpected bpp/bppcount values.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-8544
(cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years ago rmenc: limit packet size
Andreas Cadhalpun [Mon, 2 Mar 2015 15:52:26 +0000 (16:52 +0100)]
rmenc: limit packet size

The chunk size is limited to UINT16_MAX (written by avio_wb16), so make
sure that the packet size is not too large.

Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years ago webp: validate the distance prefix code
Andreas Cadhalpun [Mon, 2 Mar 2015 19:47:57 +0000 (20:47 +0100)]
webp: validate the distance prefix code

According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.

If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
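
Added example, not FFmpeg or libav code: a stand-alone C model of the check this commit message describes, using the prefix-to-value mapping from the WebP Lossless Bitstream Specification. The bit reader, its 25-bit per-call limit, and every identifier below are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PREFIX_CODE 39  /* highest prefix code allowed, per the commit message */
#define MAX_READ_BITS   25  /* assumed per-call limit of this example's bit reader */

typedef struct {
    const uint8_t *buf;
    size_t size_bits;   /* number of valid bits in buf */
    size_t pos;         /* next bit to read */
} BitReader;

/* Read n bits, least significant bit first. Returns -1 instead of asserting. */
static int read_bits(BitReader *br, int n, uint32_t *out)
{
    uint32_t v = 0;
    if (n < 0 || n > MAX_READ_BITS || (size_t)n > br->size_bits - br->pos)
        return -1;
    for (int i = 0; i < n; i++) {
        size_t p = br->pos + (size_t)i;
        v |= (uint32_t)((br->buf[p >> 3] >> (p & 7)) & 1u) << i;
    }
    br->pos += (size_t)n;
    *out = v;
    return 0;
}

/* extra_bits exactly as derived from the prefix code, with no range check.
 * Only meaningful for prefix_code >= 4. */
static int extra_bits_for(unsigned prefix_code)
{
    return (int)((prefix_code - 2) >> 1);
}

/* Decode one prefix-coded value. The range check comes first, so an
 * out-of-range code never reaches the shift or the bit reader. */
static int decode_prefix_value(BitReader *br, unsigned prefix_code, uint32_t *value)
{
    uint32_t extra;
    int extra_bits;

    if (prefix_code > MAX_PREFIX_CODE)
        return -1;                               /* invalid bitstream */
    if (prefix_code < 4) {
        *value = prefix_code + 1;                /* codes 0..3 carry no extra bits */
        return 0;
    }
    extra_bits = extra_bits_for(prefix_code);    /* 1..18 for codes 4..39 */
    if (read_bits(br, extra_bits, &extra) < 0)
        return -1;                               /* truncated input */
    *value = ((2u + (prefix_code & 1u)) << extra_bits) + extra + 1;
    return 0;
}

/* Constructed input: 24 one-bits. */
static const uint8_t SAMPLE[3] = { 0xFF, 0xFF, 0xFF };

/* Decode from the first nbytes of SAMPLE; returns the value or -1 on rejection. */
static long decode_sample(unsigned prefix_code, size_t nbytes)
{
    BitReader br = { SAMPLE, nbytes * 8, 0 };
    uint32_t v;
    return decode_prefix_value(&br, prefix_code, &v) == 0 ? (long)v : -1L;
}

int main(void)
{
    printf("code 39 -> extra_bits %d, value %ld\n", extra_bits_for(39), decode_sample(39, 3));
    printf("code 40 -> %ld (rejected)\n", decode_sample(40, 3));
    printf("unchecked extra_bits for code 255 would be %d\n", extra_bits_for(255));
    return 0;
}
```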
4 years ago rv10: check size of s->mb_width * s->mb_height
Andreas Cadhalpun [Tue, 3 Mar 2015 20:31:15 +0000 (21:31 +0100)]
rv10: check size of s->mb_width * s->mb_height

If it doesn't fit into 12 bits it triggers an assertion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years ago eamad: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:44 +0000 (12:11 +0000)]
eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years ago mdec: check for out of bounds read
Federico Tomassetti [Wed, 18 Feb 2015 12:11:43 +0000 (12:11 +0000)]
mdec: check for out of bounds read

Bug-Id: CID 1257501
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
4 years ago configure: Properly fail when libcdio/cdparanoia is not found
Vittorio Giovara [Sun, 22 Feb 2015 19:49:52 +0000 (19:49 +0000)]
configure: Properly fail when libcdio/cdparanoia is not found

4 years ago arm: Suppress tags about used cpu arch and extensions
Martin Storsjö [Thu, 5 Mar 2015 21:38:00 +0000 (23:38 +0200)]
arm: Suppress tags about used cpu arch and extensions

When all the codepaths using manually set .arch/.fpu code is
behind runtime detection, the elf attributes should be suppressed.

This allows tools to know that the final built binary doesn't
strictly require these extensions.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73
and b77e335e441040a40fc6156b8e4a134745d10233)
Signed-off-by: Martin Storsjö <martin@martin.st>
4 years ago Update Changelog for v10.6
Reinhard Tartler [Sun, 8 Mar 2015 15:20:46 +0000 (11:20 -0400)]
Update Changelog for v10.6

4 years ago Prepare for 10.6 Release
Reinhard Tartler [Sun, 8 Mar 2015 15:16:33 +0000 (11:16 -0400)]
Prepare for 10.6 Release

4 years ago img2dec: correctly use the parsed value from -start_number
Vittorio Giovara [Tue, 6 Jan 2015 15:47:18 +0000 (16:47 +0100)]
img2dec: correctly use the parsed value from -start_number

Previously the image sequence was always starting from the minimum
number rather than the requested one.

CC: libav-stable@libav.org
4 years ago h264_cabac: Break infinite loops
Michael Niedermayer [Thu, 31 Jan 2013 03:20:24 +0000 (04:20 +0100)]
h264_cabac: Break infinite loops

This fixes out of array reads and/or infinite loops.

30 is the maximum number of bits that can be read into
coeff_abs below.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Martin Storsjö <martin@martin.st>
4 years ago h264: initialize H264Context.avctx in init_thread_copy
Anton Khirnov [Thu, 12 Feb 2015 12:06:49 +0000 (13:06 +0100)]
h264: initialize H264Context.avctx in init_thread_copy

This prevents using a wrong (first thread's) AVCodecContext if decoding
a frame in the first pass over all threads fails.

(cherry picked from commit a06b0b1295c51d100101e0ca0434e199ad6de6b5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2686dab45eec54f99866413153aa0b36381e48be)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years ago h264: Do not share rbsp_buffer across threads
Michael Niedermayer [Sun, 25 Aug 2013 01:01:19 +0000 (03:01 +0200)]
h264: Do not share rbsp_buffer across threads

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 61928b68dc28e080b8c8191afe5541123c682bbd)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 06d433366c02ab81a1aaad33d32934b4180d354b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
4 years ago h264: only ref cur_pic in update_thread_context if it is initialized
Anton Khirnov [Thu, 12 Feb 2015 11:26:58 +0000 (12:26 +0100)]
h264: only ref cur_pic in update_thread_context if it is initialized

It may be empty if the previous thread's decode call did not contain a
valid frame.

(cherry picked from commit 0dea4c77ccf5956561bb8991311b3d834bb5fa40)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1dbfaa34e615606cb3f1a3ecabb117e354459edc)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conflicts:
libavcodec/h264_slice.c

4 years ago Update for 2.2.13 n2.2.13
Michael Niedermayer [Tue, 17 Feb 2015 18:50:54 +0000 (19:50 +0100)]
Update for 2.2.13

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/arm/videodsp_armv5te: Fix linking failure with "g++ -shared -D__STDC_CONSTANT...
Michael Niedermayer [Thu, 12 Feb 2015 15:35:29 +0000 (16:35 +0100)]
avcodec/arm/videodsp_armv5te: Fix linking failure with "g++ -shared -D__STDC_CONSTANT_MACROS -o test.so ... libavcodec.a"

Tested-by: Andreas Haupt
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cab6302534962331753fb69c674df86a458b098d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/mjpegdec: Skip blocks which are outside the visible area
Michael Niedermayer [Wed, 11 Feb 2015 02:33:53 +0000 (03:33 +0100)]
avcodec/mjpegdec: Skip blocks which are outside the visible area

Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf)

Conflicts:

libavcodec/mjpegdec.c

4 years ago lavc/aarch64: Do not use the neon horizontal chroma loop filter for H.264 4:2:2.
Carl Eugen Hoyos [Sat, 31 Jan 2015 09:01:37 +0000 (10:01 +0100)]
lavc/aarch64: Do not use the neon horizontal chroma loop filter for H.264 4:2:2.
(cherry picked from commit 4faea46bd906b3897018736208123aa36c3f45d5)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264_slice: ignore SAR changes in slices after the first
Michael Niedermayer [Sat, 7 Feb 2015 02:34:48 +0000 (03:34 +0100)]
avcodec/h264_slice: ignore SAR changes in slices after the first

Fixes race condition and null pointer dereference
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 38d5241b7f36c1571a88517a0650caade16dd5f4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:

libavcodec/h264_slice.c

4 years ago avcodec/h264_slice: Check picture structure before setting the related fields
Michael Niedermayer [Sat, 7 Feb 2015 01:22:44 +0000 (02:22 +0100)]
avcodec/h264_slice: Check picture structure before setting the related fields

This might fix a hypothetical race condition

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f111831ed61103f9fa8fdda41473a23da016bdaa)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:

libavcodec/h264_slice.c

4 years ago avcodec/h264_slice: Do not change frame_num after the first slice
Michael Niedermayer [Sat, 7 Feb 2015 01:06:20 +0000 (02:06 +0100)]
avcodec/h264_slice: Do not change frame_num after the first slice

Fixes potential race condition
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f906982c9411f3062e3ce68013309b37c213c4dd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:

libavcodec/h264_slice.c

4 years ago avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT
Michael Niedermayer [Fri, 6 Feb 2015 21:16:08 +0000 (22:16 +0100)]
avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1750b45cdf7498d0a05bea29cafcb26aa576d595)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT
Michael Niedermayer [Fri, 6 Feb 2015 21:14:15 +0000 (22:14 +0100)]
avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a0640e63463e6428b80422c89e1bfc96147ecfc6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264: Be more strict on rejecting pps/sps changes
Michael Niedermayer [Fri, 6 Feb 2015 14:09:54 +0000 (15:09 +0100)]
avcodec/h264: Be more strict on rejecting pps/sps changes

Fixes race condition
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6fafc62b0bd0e206deb77a7aabbf3a370ad80789)

Conflicts:

libavcodec/h264_slice.c

4 years ago avcodec/h264: Be more strict on rejecting pps_id changes
Michael Niedermayer [Fri, 6 Feb 2015 14:01:17 +0000 (15:01 +0100)]
avcodec/h264: Be more strict on rejecting pps_id changes

Fixes race condition
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 31cc9c04ca386dce289864021982da62190982ab)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264_ps: More completely check the bit depths
Michael Niedermayer [Fri, 6 Feb 2015 03:11:56 +0000 (04:11 +0100)]
avcodec/h264_ps: More completely check the bit depths

Fixes out of array read
Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/thp: Check av_get_packet() for failure not only for partial output
Michael Niedermayer [Thu, 5 Feb 2015 02:45:21 +0000 (03:45 +0100)]
avformat/thp: Check av_get_packet() for failure not only for partial output

Fixes null pointer dereference
Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago swscale/utils: Limit filter shifting so as not to read from prior the array
Michael Niedermayer [Wed, 4 Feb 2015 23:12:08 +0000 (00:12 +0100)]
swscale/utils: Limit filter shifting so as not to read from prior the array

Fixes out of array read
Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/mjpegdec: Check number of components for JPEG-LS
Michael Niedermayer [Wed, 4 Feb 2015 19:48:30 +0000 (20:48 +0100)]
avcodec/mjpegdec: Check number of components for JPEG-LS

Fixes out of array accesses
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037)

Conflicts:

libavcodec/mjpegdec.c

4 years ago avcodec/mjpegdec: Check escape sequence validity
Michael Niedermayer [Wed, 4 Feb 2015 19:13:18 +0000 (20:13 +0100)]
avcodec/mjpegdec: Check escape sequence validity

Fixes assertion failure
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit afa92907f3c6a0c3bdad766ec8d938ee17ee1c9e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior
Michael Niedermayer [Wed, 4 Feb 2015 13:47:41 +0000 (14:47 +0100)]
avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/mpc8: fix broken pointer math
wm4 [Tue, 3 Feb 2015 18:04:11 +0000 (19:04 +0100)]
avformat/mpc8: fix broken pointer math

This could overflow and crash at least on 32 bit systems.

Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/mpc8: fix hang with fuzzed file
wm4 [Tue, 3 Feb 2015 18:04:12 +0000 (19:04 +0100)]
avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.

Fixes ticket #4262.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/tta: fix crash with corrupted files
wm4 [Tue, 3 Feb 2015 13:41:10 +0000 (14:41 +0100)]
avformat/tta: fix crash with corrupted files

av_add_index_entry() can fail, for example because the parameters are
invalid, or because memory allocation fails. Check this; it can actually
happen with corrupted files.

The second hunk is just for robustness. Just in case functions like
ff_reduce_index() remove entries. (Not sure if this can actually
happen.)

Fixes ticket #4294.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation
Michael Niedermayer [Sun, 1 Feb 2015 18:40:13 +0000 (19:40 +0100)]
avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264_cabac: use int instead of long for mbb_xy
Michael Niedermayer [Sun, 1 Feb 2015 18:39:22 +0000 (19:39 +0100)]
avcodec/h264_cabac: use int instead of long for mbb_xy

The mb address fits in int

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 592ba6ec106206f97133c9345313010c76361e12)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/omadec: fix number suffix
Michael Niedermayer [Sun, 1 Feb 2015 18:36:36 +0000 (19:36 +0100)]
avformat/omadec: fix number suffix

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f1f7f5903ab49b84789af5341492afbaba808a70)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/smacker: Fix number suffix
Michael Niedermayer [Sun, 1 Feb 2015 18:36:13 +0000 (19:36 +0100)]
avformat/smacker: Fix number suffix

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/matroskadec: Fix number suffixes
Michael Niedermayer [Sun, 1 Feb 2015 18:34:52 +0000 (19:34 +0100)]
avformat/matroskadec: Fix number suffixes

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc3cdb00d084222a107e61e7168903bf3d3d0b47)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/dxtory: Use LL instead of L number suffix
Michael Niedermayer [Sun, 1 Feb 2015 18:29:20 +0000 (19:29 +0100)]
avcodec/dxtory: Use LL instead of L number suffix

This is probably unneeded and normal int would be fine, but it's
safer to use LL and this isn't speed relevant

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4ad2853c50d055e9ba8c29f2e1c83b292f29d7a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago swresample/dither: Cleanup number suffixes
Michael Niedermayer [Sun, 1 Feb 2015 18:27:00 +0000 (19:27 +0100)]
swresample/dither: Cleanup number suffixes

The <<31 case needs LL

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c77cc2c1766666cdb5f14daee0f75e397bf7a194)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/utils: Fix number suffixes in tb_unreliable()
Michael Niedermayer [Sun, 1 Feb 2015 18:19:25 +0000 (19:19 +0100)]
avformat/utils: Fix number suffixes in tb_unreliable()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Merge commit 'a9602c6cfbe6fa06ff97ad01c0ffa9ad5ccff30f' into release/2.2
Michael Niedermayer [Tue, 17 Feb 2015 18:28:50 +0000 (19:28 +0100)]
Merge commit 'a9602c6cfbe6fa06ff97ad01c0ffa9ad5ccff30f' into release/2.2

* commit 'a9602c6cfbe6fa06ff97ad01c0ffa9ad5ccff30f':
  matroskadec: Fix read-after-free in matroska_read_seek()

Merged-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/gif: fix off by one in column offsetting finding
Clément Bœsch [Mon, 16 Feb 2015 16:23:34 +0000 (17:23 +0100)]
avcodec/gif: fix off by one in column offsetting finding

(cherry picked from commit f9240ec01abb097263fe578d2b6fb076bb7b9263)

4 years ago matroskadec: Fix read-after-free in matroska_read_seek()
Xiaohan Wang [Thu, 6 Nov 2014 20:59:54 +0000 (12:59 -0800)]
matroskadec: Fix read-after-free in matroska_read_seek()

In matroska_read_seek(), |tracks| is assigned at the beginning of the
function. However, functions like matroska_parse_cues() could reallocate
the tracks and invalidate |tracks|.

This assigns |tracks| only before using it, so that it will not get
invalidated elsewhere.

Bug-Id: chromium/427266

4 years ago Update for FFmpeg 2.2.12 n2.2.12
Michael Niedermayer [Tue, 20 Jan 2015 02:39:09 +0000 (03:39 +0100)]
Update for FFmpeg 2.2.12

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Makefile: add dependencies which require ffversion.h
Michael Niedermayer [Sat, 20 Dec 2014 03:09:01 +0000 (04:09 +0100)]
Makefile: add dependencies which require ffversion.h

Without this ffversion.h could sometimes be built too late

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4ae87554f3c8bc54db572873f5049427a7e6cb31)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago Add FFMPEG_VERSION into the binary libs
Michael Niedermayer [Fri, 19 Dec 2014 17:04:40 +0000 (18:04 +0100)]
Add FFMPEG_VERSION into the binary libs

This simplifies identifying which revision a binary of a lib came from

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 649c158e8c94ac0cff7f03e97d6ea8bbf71b7f02)

Conflicts:

libavdevice/avdevice.c
libswresample/swresample.c

4 years ago avcodec/indeo3: ensure offsets are non negative
Michael Niedermayer [Thu, 18 Dec 2014 17:57:27 +0000 (18:57 +0100)]
avcodec/indeo3: ensure offsets are non negative

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264: Check *log2_weight_denom
Michael Niedermayer [Thu, 18 Dec 2014 02:16:39 +0000 (03:16 +0100)]
avcodec/h264: Check *log2_weight_denom

Fixes undefined behavior
Fixes: signal_sigsegv_14768d2_2248_cov_3629497219_h264_h264___pi_20070614T182942.h264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 61296d41e2de3b41304339e4631dd44c2e15f805)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/hevc_ps: Check diff_cu_qp_delta_depth
Michael Niedermayer [Thu, 18 Dec 2014 01:09:23 +0000 (02:09 +0100)]
avcodec/hevc_ps: Check diff_cu_qp_delta_depth

Fixes undefined behavior
Fixes: asan_static-oob_17aa046_582_cov_1577759978_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3281fa892599d71b4dc298a426af8296419cd90e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264: Clear delayed_pic on deallocation
Michael Niedermayer [Wed, 17 Dec 2014 20:27:37 +0000 (21:27 +0100)]
avcodec/h264: Clear delayed_pic on deallocation

Fixes use of freed memory

Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214)

Conflicts:

libavcodec/h264.c

4 years ago avcodec/hevc: clear filter_slice_edges() on allocation
Michael Niedermayer [Wed, 17 Dec 2014 18:42:57 +0000 (19:42 +0100)]
avcodec/hevc: clear filter_slice_edges() on allocation

This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aa8d12554868c32436750f881954193087219c8)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/dcadec: Check that the added xch channel isnt already there
Michael Niedermayer [Wed, 17 Dec 2014 14:33:05 +0000 (15:33 +0100)]
avcodec/dcadec: Check that the added xch channel isnt already there

Fixes null pointer dereference
Fixes: signal_sigsegv_369609d_623_cov_2008234281_ES_6.1_16bit.dts
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7d593495e42e92693cc8f3ce9b42cf3edcea377a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/indeo3: use signed variables to avoid underflow
Michael Niedermayer [Wed, 17 Dec 2014 02:14:21 +0000 (03:14 +0100)]
avcodec/indeo3: use signed variables to avoid underflow

Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/h264: make the first field of H264Context an AVClass
Michael Niedermayer [Wed, 17 Dec 2014 00:31:48 +0000 (01:31 +0100)]
avcodec/h264: make the first field of H264Context an AVClass

Fixes use of freed memory
Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago swscale: increase yuv2rgb table headroom
Michael Niedermayer [Tue, 16 Dec 2014 21:21:21 +0000 (22:21 +0100)]
swscale: increase yuv2rgb table headroom

Fixes out of array access
Fixes: case2_bad_read_yuv2rgbx32.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/mov: fix integer overflow of size
Michael Niedermayer [Tue, 16 Dec 2014 20:29:27 +0000 (21:29 +0100)]
avformat/mov: fix integer overflow of size

Fixes: case1_call_stack_overflow.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/mov: check atom nesting depth
Michael Niedermayer [Tue, 16 Dec 2014 20:14:40 +0000 (21:14 +0100)]
avformat/mov: check atom nesting depth

Fixes call stack overflow
Fixes: case1_call_stack_overflow.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210)

Conflicts:

libavformat/isom.h

Conflicts:

libavformat/isom.h

4 years ago avcodec/utvideodec: Fix handling of slice_height=0
Michael Niedermayer [Tue, 16 Dec 2014 19:45:31 +0000 (20:45 +0100)]
avcodec/utvideodec: Fix handling of slice_height=0

Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avcodec/vmdvideo: Check len before using it in method 3
Michael Niedermayer [Tue, 16 Dec 2014 15:24:55 +0000 (16:24 +0100)]
avcodec/vmdvideo: Check len before using it in method 3

Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory
Michael Niedermayer [Tue, 16 Dec 2014 14:03:32 +0000 (15:03 +0100)]
avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 91ea466551c148bd897706a1b6a168e783761a06)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/hdsenc: Use av_freep() avoid leaving stale pointers in memory
Michael Niedermayer [Tue, 16 Dec 2014 14:01:05 +0000 (15:01 +0100)]
avformat/hdsenc: Use av_freep() avoid leaving stale pointers in memory

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 16d763fa45b95783c6770edc559769d9a83d6a10)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago configure: create the tests directory like the doc directory
Michael Niedermayer [Mon, 15 Dec 2014 03:32:23 +0000 (04:32 +0100)]
configure: create the tests directory like the doc directory

This fixes an issue where the tests directory is not created for out of tree
builds before it's needed

Tested-by: Dave Yeo <daveryeo@telus.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e631872f13b6be0583603d45a11e53319754bc8d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago lavu/frame: fix malloc error path in av_frame_copy_props()
wm4 [Mon, 15 Dec 2014 03:32:58 +0000 (04:32 +0100)]
lavu/frame: fix malloc error path in av_frame_copy_props()

The error path frees all side data, but forgets to reset the side data
count. This can blow up later in av_frame_unref() and free_side_data().

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a400edbb6d00c0211de38e4f1b4f593681db91d8)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/utils: Do not update programs streams from program-less streams in update_wr...
Michael Niedermayer [Sun, 14 Dec 2014 18:46:31 +0000 (19:46 +0100)]
avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference()

Fixes Ticket3686

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a29524bf2e197dd8d582445de0fe17f03b79f79d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago avformat/aviobuf: Check that avio_seek() target is non negative
Michael Niedermayer [Sun, 14 Dec 2014 16:26:11 +0000 (17:26 +0100)]
avformat/aviobuf: Check that avio_seek() target is non negative

Fixes out of array access

Suggested-by: Andrew Scherkus <scherkus@google.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
4 years ago swresample/soxr_resample: fix error handling
Rob Sykes [Sat, 13 Dec 2014 20:12:56 +0000 (21:12 +0100)]
swresample/soxr_resample: fix error handling

Fixes CID1257659

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>