ffmpeg.git
5 years ago cmdutils: Conditionally compile libswscale-related bits
Diego Biurrun [Mon, 29 Oct 2012 17:00:14 +0000 (18:00 +0100)]
cmdutils: Conditionally compile libswscale-related bits

This fixes compilation with libswscale disabled.

(cherry picked from commit ab799664755c8bc2c439c428ff5b538c105a5c38)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago video4linux2: Avoid a floating point exception
Bernhard Übelacker [Sun, 27 Jul 2014 15:38:59 +0000 (08:38 -0700)]
video4linux2: Avoid a floating point exception

This avoids a segfault in avconv_opt.c:opt_target when trying to
determine the norm.

(cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago vf_select: Drop a debug av_log with an unchecked double to enum conversion
Diego Biurrun [Tue, 29 Jul 2014 12:43:04 +0000 (05:43 -0700)]
vf_select: Drop a debug av_log with an unchecked double to enum conversion

CC: libav-stable@libav.org
(cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago eamad: use the bytestream2 API instead of AV_RL
Anton Khirnov [Sun, 20 Jul 2014 12:06:47 +0000 (12:06 +0000)]
eamad: use the bytestream2 API instead of AV_RL

This is safer and possibly fixes invalid reads on truncated data.
(cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c)

CC:libav-stable@libav.org

Conflicts:
libavcodec/eamad.c

(cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago Update Changelog for 0.8.13
Reinhard Tartler [Fri, 27 Jun 2014 01:34:03 +0000 (21:34 -0400)]
Update Changelog for 0.8.13

5 years ago Prepare for 0.8.13 Release
Reinhard Tartler [Fri, 27 Jun 2014 01:33:18 +0000 (21:33 -0400)]
Prepare for 0.8.13 Release

5 years ago lzo: Handle integer overflow
Luca Barbato [Thu, 19 Jun 2014 21:26:58 +0000 (23:26 +0200)]
lzo: Handle integer overflow

get_len can overflow for specially crafted payload.

Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavutil/lzo.c

5 years ago sgidec: fix an incorrect backport
Sean McGovern [Mon, 2 Jun 2014 22:35:25 +0000 (18:35 -0400)]
sgidec: fix an incorrect backport

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years ago Add some bug references
Reinhard Tartler [Sun, 1 Jun 2014 20:12:58 +0000 (16:12 -0400)]
Add some bug references

5 years ago Update Changelog for 0.8.12
Sean McGovern [Sun, 1 Jun 2014 18:20:46 +0000 (14:20 -0400)]
Update Changelog for 0.8.12

5 years ago Prepare for 0.8.12 Release
Reinhard Tartler [Sun, 1 Jun 2014 00:09:10 +0000 (20:09 -0400)]
Prepare for 0.8.12 Release

5 years ago h264: set parameters from SPS whenever it changes
Janne Grunau [Fri, 16 Nov 2012 00:12:40 +0000 (01:12 +0100)]
h264: set parameters from SPS whenever it changes

Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with
alternating bit depths.

5 years ago alac: Limit max_samples_per_frame
Martin Storsjö [Tue, 3 Sep 2013 08:54:03 +0000 (11:54 +0300)]
alac: Limit max_samples_per_frame

Otherwise buffer size calculations in allocate_buffers could
overflow later, making the code think a large enough buffer
actually was allocated.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
5 years ago swscale: Fix an undefined behaviour
Luca Barbato [Thu, 1 May 2014 22:21:23 +0000 (00:21 +0200)]
swscale: Fix an undefined behaviour

Prevent a division by zero down the codepath.

Sample-Id: 00001721-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
5 years ago apedec: do not buffer decoded samples over AVPackets
Rafaël Carré [Tue, 27 Aug 2013 15:35:49 +0000 (17:35 +0200)]
apedec: do not buffer decoded samples over AVPackets

Only consume an AVPacket when all the samples have been read.

When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:

- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exists) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet).

That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).

Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape

Bug-Debian: http://bugs.debian.org/744901
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago isom: lpcm in mov default to big endian
Mark Himsley [Fri, 1 Nov 2013 11:22:53 +0000 (11:22 +0000)]
isom: lpcm in mov default to big endian

It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.

I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]

Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.

This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.

[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178

Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
5 years ago movdec: handle 0x7fff langcode as macintosh per the specs
Baptiste Coudurier [Wed, 21 Mar 2012 21:18:16 +0000 (14:18 -0700)]
movdec: handle 0x7fff langcode as macintosh per the specs

The correct point that separates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
separation is but apparently only defined the meaning of the first 137.

(cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059)
(cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa)

5 years ago avi: Improve non-interleaved detection
Michael Niedermayer [Wed, 2 Apr 2014 07:11:10 +0000 (09:11 +0200)]
avi: Improve non-interleaved detection

Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.

Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.

Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years ago h264: reset next_output_pic earlier in start_frame()
Anton Khirnov [Wed, 23 Apr 2014 20:26:40 +0000 (22:26 +0200)]
h264: reset next_output_pic earlier in start_frame()

In case start_frame() fails, this potentially invalid frame can still be
output to the caller.

Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206

5 years ago tiffdec: use bytestream2 to simplify overread/overwrite protection
Justin Ruggles [Sun, 29 Sep 2013 23:47:55 +0000 (19:47 -0400)]
tiffdec: use bytestream2 to simplify overread/overwrite protection

Based on a patch by Paul B Mahol <onemda@gmail.com>

CC:libav-stable@libav.org

5 years ago bytestream: add bytestream2_copy_buffer() functions
Justin Ruggles [Sun, 29 Sep 2013 23:45:57 +0000 (19:45 -0400)]
bytestream: add bytestream2_copy_buffer() functions

This is basically an overread/overwrite-safe memcpy between a
GetByteContext and a PutByteContext.

CC:libav-stable@libav.org
(cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278)

5 years ago bytestream: add functions for accessing size of buffer
Paul B Mahol [Wed, 21 Mar 2012 00:10:18 +0000 (00:10 +0000)]
bytestream: add functions for accessing size of buffer

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783)

5 years ago movenc: allow override of "writing application" tag
John Stebbins [Mon, 3 Mar 2014 20:20:15 +0000 (20:20 +0000)]
movenc: allow override of "writing application" tag

Signed-off-by: Tim Walker <tdskywalker@gmail.com>
CC: libav-stable@libav.org
(cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c)

5 years ago matroskaenc: allow override of "writing application" tag
John Stebbins [Mon, 3 Mar 2014 20:20:14 +0000 (20:20 +0000)]
matroskaenc: allow override of "writing application" tag

Signed-off-by: Tim Walker <tdskywalker@gmail.com>
CC: libav-stable@libav.org
(cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d)

5 years ago avfilter: Add missing emms_c when needed
Luca Barbato [Wed, 5 Mar 2014 09:41:33 +0000 (10:41 +0100)]
avfilter: Add missing emms_c when needed

Arch specific calls should have an emms_c following to keep the cpu
state consistent.

Reported-By: wm4
CC: libav-stable@libav.org
5 years ago mpeg12: check scantable indices in all decode_block functions
Janne Grunau [Fri, 24 Jan 2014 15:22:44 +0000 (16:22 +0100)]
mpeg12: check scantable indices in all decode_block functions

Add checks to the fast functions used with CODEC_FLAGS2_FAST and move
the check for all other functions to before the invalid memory is
accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with
CODEC_FLAGS2_FAST.

CC: libav-stable@libav.org
5 years ago sgidec: fix buffer size check in expand_rle_row()
Anton Khirnov [Thu, 2 Jan 2014 08:34:20 +0000 (09:34 +0100)]
sgidec: fix buffer size check in expand_rle_row()

Right now it will spuriously fail if the linesize is exactly equal to
the data width.

CC:libav-stable@libav.org

5 years ago adx: check that the offset is not negative
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
adx: check that the offset is not negative

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 5569146d48f06564e8fa393424782cceed510916)

5 years ago mpegvideo: set reference/pict_type on generated reference frames
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
mpegvideo: set reference/pict_type on generated reference frames

Otherwise the generic code will unref them, which can then result in
last_picture_ptr == current_picture_ptr, which causes deadlocks at least
in rv40.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset data partitioning at the beginning of each decode call
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset data partitioning at the beginning of each decode call

Prevents using GetBitContexts with data from previous calls.

Fixes access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset ref count if decoding the slice header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset ref count if decoding the slice header fails

Otherwise the ER code might try to use some already freed references.

Fixes possible access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset first_field if frame_start() fails for missing refs
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset first_field if frame_start() fails for missing refs

In this case we may not have a current frame, while first_field being
set implies we do.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3

Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reject mismatching luma/chroma bit depths during sps parsing
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reject mismatching luma/chroma bit depths during sps parsing

There is no point in delaying the check and it avoids bugs with a
half-initialized context.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: check that execute_decode_slices() is not called too many times
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that execute_decode_slices() is not called too many times

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: do not use 422 functions for monochrome
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: do not use 422 functions for monochrome

Fixes invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: reset data_partitioning if decoding the slice header for NAL_DPA fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset data_partitioning if decoding the slice header for NAL_DPA fails

If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264_refs: make sure not to write over the bounds of the default ref list
Anton Khirnov [Fri, 15 Nov 2013 18:06:23 +0000 (19:06 +0100)]
h264_refs: make sure not to write over the bounds of the default ref list

Fixes invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago h264: check buffer size before accessing it
Anton Khirnov [Fri, 15 Nov 2013 09:15:24 +0000 (10:15 +0100)]
h264: check buffer size before accessing it

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years ago configure: use utilities from /usr/xpg4/bin if it exists
Mans Rullgard [Fri, 7 Sep 2012 11:50:43 +0000 (12:50 +0100)]
configure: use utilities from /usr/xpg4/bin if it exists

Solaris defaults to non-standard utilities (grep, sed, ...) with
proper ones being in /usr/xpg4/bin.  Prefixing PATH with this
directory when it exists ensures we get correct variants.

Signed-off-by: Mans Rullgard <mans@mansr.com>
5 years ago cmdutils: update copyright year to 2014.
Johan Andersson [Sat, 4 Jan 2014 19:47:32 +0000 (20:47 +0100)]
cmdutils: update copyright year to 2014.

Signed-off-by: Martin Storsjö <martin@martin.st>
5 years ago ituh263: reject b-frame with pp_time = 0
Keiji Costantini [Sat, 1 Mar 2014 18:17:04 +0000 (18:17 +0000)]
ituh263: reject b-frame with pp_time = 0

Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.

Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)
(cherry picked from commit aa2a3ca27a3269e2b975686652204607fad8bc49)

5 years ago doc: Point to the correct, actually maintained gas-preprocessor repo
Martin Storsjö [Wed, 12 Mar 2014 11:46:04 +0000 (13:46 +0200)]
doc: Point to the correct, actually maintained gas-preprocessor repo

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d15c536123a44362ace6299c391a492c90b83fc7)
Signed-off-by: Martin Storsjö <martin@martin.st>
5 years ago Update Changelog for 0.8.11
Reinhard Tartler [Fri, 14 Mar 2014 00:59:00 +0000 (20:59 -0400)]
Update Changelog for 0.8.11

5 years ago configure: Update freetype check to follow upstream
Luca Barbato [Sat, 21 Dec 2013 16:59:59 +0000 (17:59 +0100)]
configure: Update freetype check to follow upstream

The freetype tutorial suggests to use #include FT_FREETYPE_H.

Bug-Id: 616
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba)

Conflicts:
configure

5 years ago drawtext: Drop pointless header
Luca Barbato [Sun, 5 Jan 2014 11:30:45 +0000 (12:30 +0100)]
drawtext: Drop pointless header

It should be forward compatible with newer freetype.

(cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago configure: Support preprocessor macros as header names
Diego Biurrun [Mon, 23 Dec 2013 00:03:48 +0000 (01:03 +0100)]
configure: Support preprocessor macros as header names

New versions of FreeType have moved the location of their API
header(s) and hide the location behind a macro.

Since the location changes between versions and no other way
to know the location exists, this workaround becomes necessary.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
configure

5 years ago arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6
Janne Grunau [Sat, 8 Mar 2014 10:52:14 +0000 (11:52 +0100)]
arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6

The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.

5 years ago arm: hpeldsp: prevent overreads in armv6 asm
Janne Grunau [Wed, 5 Mar 2014 11:44:57 +0000 (12:44 +0100)]
arm: hpeldsp: prevent overreads in armv6 asm

Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>

Bug-Id: 646
CC: libav-stable@libav.org
5 years ago lagarith: reallocate rgb_planes when needed
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
lagarith: reallocate rgb_planes when needed

Fixes invalid writes on pixel format changes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)
(cherry picked from commit bd57e783437f990c3ac4747eeebe20332e103980)

5 years ago lagarith: avoid infinite loop in lag_rac_refill()
Anton Khirnov [Thu, 14 Feb 2013 07:47:17 +0000 (08:47 +0100)]
lagarith: avoid infinite loop in lag_rac_refill()

range == 0 happens with corrupted files

CC:libav-stable@libav.org
(cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8bce2c60b8ebc31899d576dde3bbe6205faae97d)

5 years ago lagarith: pad RGB buffer by 1 byte.
Ronald S. Bultje [Fri, 3 Aug 2012 03:46:09 +0000 (20:46 -0700)]
lagarith: pad RGB buffer by 1 byte.

For left HFYU prediction, we predict from the buffer buf+1 using 8- or
16-byte reads. This means that aligning the buffer by 16 bytes is in
itself not sufficient, because if the width itself is 16- or 8-byte
aligned, the buffer will not be padded, and thus a read of size 16 at
buf+1 will overflow boundaries at the right edge. Padding the buffer by
1 byte is sufficient to not overflow its boundaries.

Fixes bug 342.

(cherry picked from commit 98d0d19208959766a58f13dd6a678d1f765a26ac)

5 years ago truemotion1: check the header size
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
truemotion1: check the header size

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)
(cherry picked from commit 76b40a9bf93e387d98aa7dc02ec7a8d13f51722f)

5 years ago shorten: pad the internal bitstream buffer
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
shorten: pad the internal bitstream buffer

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)
(cherry picked from commit 5881ec0ea58a95403bd375b63f22d49905cdd8e5)

5 years ago samplefmt: avoid integer overflow in av_samples_get_buffer_size()
Justin Ruggles [Thu, 30 Jan 2014 19:08:38 +0000 (14:08 -0500)]
samplefmt: avoid integer overflow in av_samples_get_buffer_size()

CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)
(cherry picked from commit e9b3abd49890e958c745ea46a9f4f91b6b4baa58)

Conflicts:
libavutil/samplefmt.c

5 years ago h264: Fix a typo from the previous commit
Luca Barbato [Sat, 22 Feb 2014 10:19:03 +0000 (11:19 +0100)]
h264: Fix a typo from the previous commit

f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +

CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)
(cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab)

5 years ago h264: Lower bound check for slice offsets
Vittorio Giovara [Thu, 20 Feb 2014 01:38:32 +0000 (02:38 +0100)]
h264: Lower bound check for slice offsets

And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)

Conflicts:
libavcodec/h264.c

(cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c)

Conflicts:
libavcodec/h264.c

5 years ago rpza: limit the number of blocks to the total remaining blocks in the frame
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
rpza: limit the number of blocks to the total remaining blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years ago Prepare for 0.8.11 Release
Reinhard Tartler [Fri, 7 Feb 2014 04:26:33 +0000 (23:26 -0500)]
Prepare for 0.8.11 Release

5 years ago lavf: make av_probe_input_buffer more robust
Anton Khirnov [Mon, 13 Jan 2014 12:47:07 +0000 (13:47 +0100)]
lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago Updated Changelog for 0.8.10
Reinhard Tartler [Sun, 2 Feb 2014 17:54:52 +0000 (12:54 -0500)]
Updated Changelog for 0.8.10

5 years ago oggparseogm: check timing variables
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
oggparseogm: check timing variables

Fixes a potential divide by zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bf7c240a50f8ed99a42e08bb7a8a70262cce34ad)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago mathematics: remove asserts from av_rescale_rnd()
Anton Khirnov [Thu, 12 Dec 2013 06:34:13 +0000 (07:34 +0100)]
mathematics: remove asserts from av_rescale_rnd()

It is a public function, it must not assert on its parameters.

(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 03bfd8419fbaf9c72b293457437bd508dea64736)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago vc1: Always reset numref when parsing a new frame header.
Michael Niedermayer [Sun, 19 Jan 2014 15:28:25 +0000 (15:28 +0000)]
vc1: Always reset numref when parsing a new frame header.

Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.

CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago h264: reset num_reorder_frames if it is invalid
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset num_reorder_frames if it is invalid

An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c

(cherry picked from commit 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago h264: check that an IDR NAL only contains I slices
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that an IDR NAL only contains I slices

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62ed6da016b789eee00e0fff517df4a254e12e5d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264.c

5 years ago mov: Free an earlier allocated array if allocating a new one
Martin Storsjö [Mon, 13 Jan 2014 12:46:07 +0000 (14:46 +0200)]
mov: Free an earlier allocated array if allocating a new one

It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago segafilm: fix leaks if reading the header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
segafilm: fix leaks if reading the header fails

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728782c0d30433efa11f1238a16aed994e9b563)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/segafilm.c

5 years ago h264_cavlc: check the size of the intra PCM data.
Anton Khirnov [Fri, 15 Nov 2013 08:42:26 +0000 (09:42 +0100)]
h264_cavlc: check the size of the intra PCM data.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit b5275ca1a805436ca12540c34dd5ed1671877434)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago cavs: Check for negative cbp
Luca Barbato [Sun, 13 Oct 2013 01:30:06 +0000 (03:30 +0200)]
cavs: Check for negative cbp

Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c85e5f13f6ac9c4c90125e7671d89009e57f9df9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/cavsdec.c

5 years ago avi: DV in AVI must be considered single stream
Luca Barbato [Tue, 6 Aug 2013 01:38:12 +0000 (03:38 +0200)]
avi: DV in AVI must be considered single stream

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3485a07977f17b8d4709fb327be4fc29031032b7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago avutil: use align == 0 for default alignment in audio sample buffer functions
Justin Ruggles [Wed, 28 Mar 2012 01:31:14 +0000 (21:31 -0400)]
avutil: use align == 0 for default alignment in audio sample buffer functions

Fixes: http://pad.lv/1264886, http://pad.lv/1241439
(cherry picked from commit 0109a09dc3850eb5dbff84a7bb50eb252a5a8f22)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavutil/avutil.h

5 years ago flashsv: Check diff_start diff_height values
Michael Niedermayer [Tue, 20 Aug 2013 21:18:48 +0000 (23:18 +0200)]
flashsv: Check diff_start diff_height values

Fix out of array accesses.

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Addresses: CVE-2013-7015
(cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 10d48fe6d3963842319b1d8d738a318020836e72)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago dsputil/pngdsp: fix signed/unsigned type in end comparison
Michael Niedermayer [Fri, 30 Aug 2013 21:14:32 +0000 (23:14 +0200)]
dsputil/pngdsp: fix signed/unsigned type in end comparison

Fixes out of array accesses and integer overflows.

(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Addresses: CVE-2013-7010, CVE-2013-7014

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/pngdsp.c

5 years ago vqavideo: check chunk sizes before reading chunks
Michael Niedermayer [Fri, 25 Jan 2013 05:11:59 +0000 (06:11 +0100)]
vqavideo: check chunk sizes before reading chunks

Fixes out of array writes

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)

CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a)

Addresses: CVE-2013-0865

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit ab434bf0d051008a329d49d0256faa5d64e2bf4d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago avi: directly resync on DV in AVI read failure
Luca Barbato [Tue, 6 Aug 2013 01:52:48 +0000 (03:52 +0200)]
avi: directly resync on DV in AVI read failure

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Addresses CVE-2013-0856
(cherry picked from commit 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years ago get_bits: change the failure condition in init_get_bits
Luca Barbato [Sun, 20 Jan 2013 04:10:32 +0000 (05:10 +0100)]
get_bits: change the failure condition in init_get_bits

Too much code relies on having init_get_bits fed with a valid
buffer and set its dimension to 0.

Check for NULL buffer instead.

(cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago twinvq: Cope with gcc-4.8.2 miscompilation
Luca Barbato [Tue, 7 Jan 2014 13:21:53 +0000 (14:21 +0100)]
twinvq: Cope with gcc-4.8.2 miscompilation

Apparently gcc-4.8.2 miscompiles enums resulting in a lucky fpe soon
after it.

Passing the enum value as integer makes the ftype == FT_PPC condition
evaluate correctly.

6 years ago Changelog for 0.8.10
Sean McGovern [Wed, 6 Nov 2013 00:15:47 +0000 (19:15 -0500)]
Changelog for 0.8.10

6 years ago pthread: Avoid spurious wakeups
Ben Jackson [Fri, 18 Oct 2013 14:28:50 +0000 (15:28 +0100)]
pthread: Avoid spurious wakeups

pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup).

The FF_THREAD_SLICE thread mechanism could spontaneously execute
jobs or allow the caller of avctx->execute to return before all
jobs were complete.

Test both cases to ensure the wakeup is real.

Signed-off-by: Ben Jackson <ben@ben.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 311583e7798237be5cc531d672a9e37f8c729d83)

6 years ago pthread: Fix deadlock during thread initialization
Derek Buitenhuis [Thu, 10 Oct 2013 15:05:40 +0000 (11:05 -0400)]
pthread: Fix deadlock during thread initialization

Sometimes, if pthread_create() failed, then pthread_cond_wait() could
accidentally be called in the worker threads after the uninit function
had already called pthread_cond_broadcast(), leading to a deadlock.

Don't call pthread_cond_wait() if c->done is set.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 1a5a6ac01b0ad2cf3d2128372ea41f3c1cfc2d3f)

6 years ago mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
Martin Storsjö [Tue, 24 Sep 2013 09:02:39 +0000 (12:02 +0300)]
mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0

This fixes breakage in a few fate tests on certain setups
(that for some reason didn't break on OS X) after the previous
commit (8812a8057). Currently, some video streams are initialized
in ff_MPV_common_init with width/height set at 0 and only changed
to a proper video size with ff_MPV_common_frame_size_change later.

The breakage was diagnosed by Anton Khirnov.

Signed-off-by: Martin Storsjö <martin@martin.st>
6 years ago vc1dec: Don't decode slices when the latest slice header failed to decode
Michael Niedermayer [Tue, 19 Feb 2013 20:40:09 +0000 (21:40 +0100)]
vc1dec: Don't decode slices when the latest slice header failed to decode

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavcodec/vc1dec.c

6 years ago vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
Martin Storsjö [Fri, 20 Sep 2013 08:32:25 +0000 (11:32 +0300)]
vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/vc1dec.c
(cherry picked from commit 494f2d4f9e834db1eaf1a7d0160d497f9802013d)

6 years ago r3d: Add more input value validation
Martin Storsjö [Thu, 19 Sep 2013 14:02:36 +0000 (17:02 +0300)]
r3d: Add more input value validation

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavformat/r3d.c

6 years ago fraps: Make the input buffer size checks more strict
Martin Storsjö [Thu, 19 Sep 2013 13:29:23 +0000 (16:29 +0300)]
fraps: Make the input buffer size checks more strict

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Conflicts:
libavcodec/fraps.c

6 years ago svq3: Avoid a division by zero
Martin Storsjö [Thu, 19 Sep 2013 12:58:59 +0000 (15:58 +0300)]
svq3: Avoid a division by zero

If the height is zero, the decompression will probably end up
failing due to not fitting into the allocated buffer later
anyway, so this doesn't need any more elaborate check.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb)

6 years ago rmdec: Validate the fps value
Martin Storsjö [Mon, 16 Sep 2013 17:58:38 +0000 (20:58 +0300)]
rmdec: Validate the fps value

Abort if it is invalid if strict error checking has been requested.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavformat/rmdec.c

6 years ago twinvqdec: Check the ibps parameter separately
Martin Storsjö [Tue, 17 Sep 2013 16:33:48 +0000 (19:33 +0300)]
twinvqdec: Check the ibps parameter separately

This is required, since invalid parameters actually could
pass the switch check below.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4)
(cherry picked from commit 9b9aee27f4e43b4a6b0884f8a6f49eb0289d7c09)

6 years ago asfdec: Check the return value of asf_read_stream_properties
Martin Storsjö [Sat, 28 Sep 2013 20:32:57 +0000 (23:32 +0300)]
asfdec: Check the return value of asf_read_stream_properties

This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d)

6 years ago mxfdec: set audio timebase to 1/samplerate
Anton Khirnov [Sat, 28 Sep 2013 14:56:54 +0000 (16:56 +0200)]
mxfdec: set audio timebase to 1/samplerate

Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron <matthieu.bouron@gmail.com>

Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
CC: libav-stable@libav.org
(cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago pcx: Check the packet size before assuming it fits a palette
Martin Storsjö [Sun, 29 Sep 2013 10:02:27 +0000 (13:02 +0300)]
pcx: Check the packet size before assuming it fits a palette

This fixes reads out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/pcx.c
(cherry picked from commit 7e350b7ddd19af856b55634233d609e29baab646)

6 years ago rpza: Fix a buffer size check
Martin Storsjö [Sat, 28 Sep 2013 22:24:20 +0000 (01:24 +0300)]
rpza: Fix a buffer size check

We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f06e39fe6b272a11782c023c31eec43bfce3138d)

6 years ago xxan: Disallow odd width
Martin Storsjö [Sat, 28 Sep 2013 22:04:05 +0000 (01:04 +0300)]
xxan: Disallow odd width

Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago xan: Only read within the data that actually was initialized
Martin Storsjö [Sat, 28 Sep 2013 21:59:50 +0000 (00:59 +0300)]
xan: Only read within the data that actually was initialized

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 09ace619d6ccb2c0a45b5fdead29f926409fa129)

6 years ago xan: Use bytestream2 to limit reading to within the buffer
Martin Storsjö [Sat, 28 Sep 2013 21:53:58 +0000 (00:53 +0300)]
xan: Use bytestream2 to limit reading to within the buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 145de32896b37a508f11bcf11dfcc94487301716)

6 years ago pcx: Consume the whole packet if giving up due to missing palette
Martin Storsjö [Sat, 28 Sep 2013 21:38:50 +0000 (00:38 +0300)]
pcx: Consume the whole packet if giving up due to missing palette

Previously, we returned 0, meaning successful decoding but 0
bytes consumed, leading to an infinite loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9fb0de86b49e9fb0709a8ad1e1875e35da841887)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 812955a12b190012c134be33a93f27308953eb2f)

6 years ago pngdec: Stop trying to decode once inflate returns Z_STREAM_END
Martin Storsjö [Sat, 28 Sep 2013 21:12:04 +0000 (00:12 +0300)]
pngdec: Stop trying to decode once inflate returns Z_STREAM_END

If the input buffer contains more data after the deflate stream,
the loop was previously left running infinitely, with inflate returning
Z_STREAM_END.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a81cad8f86d1feb7e4bfae29e43f3e994935a5c7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a63e83cd4b43c3dcef38f7fefe41c002a263af0f)

6 years ago mov: Make sure the read sample count is nonnegative
Martin Storsjö [Sat, 28 Sep 2013 20:57:36 +0000 (23:57 +0300)]
mov: Make sure the read sample count is nonnegative

This avoids setting a negative number of frames, ending up with a
negative average frame rate.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c231987662194d009dd91bfc57c678e0e70ca161)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit c10f3fed259c23e6887f68cdf3e7d4ae87026f65)

6 years ago bfi: Add some very basic sanity checks for input packet sizes
Martin Storsjö [Sat, 28 Sep 2013 20:46:04 +0000 (23:46 +0300)]
bfi: Add some very basic sanity checks for input packet sizes

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 640a2427aafa774b83316b7a8c5c2bdc28bfd269)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 10f384e4f5d0ee692cacaf90d629d8bc2178b092)