ffmpeg.git
6 years ago swscale: Use alpha from the right row in yuva2rgba_c
Martin Storsjö [Mon, 6 May 2013 11:48:25 +0000 (14:48 +0300)]
swscale: Use alpha from the right row in yuva2rgba_c

Every other pixel had the alpha channel taken from the wrong
row.

This fixes bug 504.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6e293d111fcad27d52a2ef5ad77b1009f1743396)

Signed-off-by: Martin Storsjö <martin@martin.st>
6 years ago Prepare for 9.6 Release
Reinhard Tartler [Sat, 4 May 2013 08:54:20 +0000 (10:54 +0200)]
Prepare for 9.6 Release

6 years ago hls, segment: fix splitting for audio-only streams.
Anton Khirnov [Fri, 26 Apr 2013 07:54:59 +0000 (09:54 +0200)]
hls, segment: fix splitting for audio-only streams.

CC:libav-stable@libav.org
(cherry picked from commit cf679b9476727a237c8006c685ace18acba149ab)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago afifo: fix request_samples on the last frame in certain cases
Anton Khirnov [Tue, 16 Apr 2013 19:53:56 +0000 (21:53 +0200)]
afifo: fix request_samples on the last frame in certain cases

The current code can fail to return the last frame if it contains
exactly the requested number of samples.

Fixes the join filter test, which previously did not include the last
408 samples in most cases.

CC:libav-stable@libav.org

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 9bfc6e02bae9de354fb9ba09a8a140e83eeadf7d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavfilter/fifo.c
tests/fate/filter-audio.mak

6 years ago id3v2: check for end of file while unescaping tags
Luca Barbato [Wed, 1 May 2013 17:01:11 +0000 (19:01 +0200)]
id3v2: check for end of file while unescaping tags

Prevent an out of buffer bound write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit af4cc2605c7a56ecfd84c264aa2b325020418472)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago indeo3: fix off by one in MV validity check
Anton Khirnov [Sat, 27 Apr 2013 16:01:51 +0000 (18:01 +0200)]
indeo3: fix off by one in MV validity check

CC:libav-stable@libav.org
(cherry picked from commit 95220be1faac628d849a004644c0d102df0aa98b)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago aac: check the maximum number of channels
Luca Barbato [Sat, 27 Apr 2013 16:20:47 +0000 (18:20 +0200)]
aac: check the maximum number of channels

Broken bitstreams could report a larger than specified number of
channels and cause outbound writes.

CC:libav-stable@libav.org
(cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago update Changelog
Reinhard Tartler [Sun, 21 Apr 2013 16:51:33 +0000 (18:51 +0200)]
update Changelog

6 years ago riff: check for eof if chunk size and code are 0
Luca Barbato [Sat, 20 Apr 2013 11:36:44 +0000 (13:36 +0200)]
riff: check for eof if chunk size and code are 0

Prevent an infinite loop.

Inspired by a patch from Michael Niedermayer

CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 8e329dba378cef0ff6400c7df9c51da167d5a1f0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago oggdec: fix faulty cleanup prototype
Luca Barbato [Wed, 9 Jan 2013 19:49:34 +0000 (20:49 +0100)]
oggdec: fix faulty cleanup prototype

(cherry picked from commit fba8e5b608577fc660989d0057a55818254a3744)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mp3dec: fallback to generic seeking when a TOC is not present
Michael Niedermayer [Thu, 20 Sep 2012 20:00:52 +0000 (22:00 +0200)]
mp3dec: fallback to generic seeking when a TOC is not present

Fixes seeking without a Xing/Info header.

CC: libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 505642f18276aed03278ac91b1f334ea888eac6a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago svq1dec: clip motion vectors to the frame size.
Anton Khirnov [Mon, 8 Apr 2013 20:15:54 +0000 (22:15 +0200)]
svq1dec: clip motion vectors to the frame size.

Fixes invalid reads for corrupted files.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit ecff5acb5a738fcb4f9e206a12070dac4bf259b3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago svq1dec: check that the reference frame has the same dimensions as the current one
Anton Khirnov [Mon, 8 Apr 2013 20:12:12 +0000 (22:12 +0200)]
svq1dec: check that the reference frame has the same dimensions as the current one

They can be different if the last keyframe failed to decode correctly.
Fixes possible invalid reads in such a case.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit b1bb8fb860b47e90dd67f0c5740698128fc82dcc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago qdm2: check that the FFT size is a power of 2
Anton Khirnov [Tue, 9 Apr 2013 13:25:20 +0000 (15:25 +0200)]
qdm2: check that the FFT size is a power of 2

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 34f87a58532ed652a6e0283c1d044ee5df0aef0b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo3: switch parsing the header to bytestream2
Anton Khirnov [Wed, 10 Apr 2013 07:40:20 +0000 (09:40 +0200)]
indeo3: switch parsing the header to bytestream2

Also add an additional sanity check to the alt_quant table.
Fixes invalid reads with corrupted files.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 66531d634e75b834e89e4a6a0f7470ca018712a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago indeo3: check motion vectors.
Anton Khirnov [Tue, 16 Apr 2013 07:41:28 +0000 (09:41 +0200)]
indeo3: check motion vectors.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit a0a872d0733f60876b0c93f236bc4606f36fbf89)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago rv10: check that extradata is large enough
Anton Khirnov [Tue, 9 Apr 2013 18:33:25 +0000 (20:33 +0200)]
rv10: check that extradata is large enough

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

(cherry picked from commit 01d376f598fe95478036f5d1e3e5e14ffe32d4bf)

Conflicts:

libavcodec/rv10.c

6 years ago indeo3: fix data size check
Anton Khirnov [Wed, 10 Apr 2013 07:59:36 +0000 (09:59 +0200)]
indeo3: fix data size check

The data offsets are relative to the bitstream header, which is 16 bytes
after the start of the data.
Fixes invalid reads with corrupted files.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 34e6af9e204ca6bb18d8cf8ec68fe19b0e083e95)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago af_channelmap: sanity check input channel indices in all cases.
Anton Khirnov [Sun, 14 Apr 2013 10:07:24 +0000 (12:07 +0200)]
af_channelmap: sanity check input channel indices in all cases.

Fixes invalid reads from non-existing channels.

CC:libav-stable@libav.org
(cherry picked from commit aafed1175df76603e94c99a7748968780d6548d2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago id3v2: pad the APIC packets as required by lavc.
Anton Khirnov [Thu, 28 Mar 2013 08:49:38 +0000 (09:49 +0100)]
id3v2: pad the APIC packets as required by lavc.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
6 years ago lavf: make sure stream probe data gets freed.
Anton Khirnov [Wed, 27 Mar 2013 16:56:59 +0000 (17:56 +0100)]
lavf: make sure stream probe data gets freed.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dbb1425811a672eddf4acf0513237cdf20f83756)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago dfa: check for invalid access in decode_wdlt().
Anton Khirnov [Wed, 27 Mar 2013 17:18:38 +0000 (18:18 +0100)]
dfa: check for invalid access in decode_wdlt().

This can happen when the number of skipped lines is not consistent with
the number of coded lines.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3623589edc7b1257bb45aa9e52c9631e133f22b6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago xmv: check audio track parameters validity.
Anton Khirnov [Thu, 28 Mar 2013 09:33:02 +0000 (10:33 +0100)]
xmv: check audio track parameters validity.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d1016dccdcb10486245e5d7c186cc31af54b2a9c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago bmv: check for len being valid in bmv_decode_frame().
Anton Khirnov [Thu, 28 Mar 2013 09:09:36 +0000 (10:09 +0100)]
bmv: check for len being valid in bmv_decode_frame().

It can be 0 or -1 for invalid files, which may result in invalid memory
access.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b88f902125ee808c8366e9dcb3f21e4c227483fc)

Conflicts:

libavcodec/bmv.c

6 years ago xmv: do not leak memory in the error paths in xmv_read_header()
Anton Khirnov [Thu, 28 Mar 2013 09:34:47 +0000 (10:34 +0100)]
xmv: do not leak memory in the error paths in xmv_read_header()

CC: libav-stable@libav.org
(cherry picked from commit f8080bd13b5f7fc48204b17fa59a5ce9feb15f07)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago matroska: pass the lace size to the matroska_parse_rm_audio
Luca Barbato [Fri, 29 Mar 2013 11:51:51 +0000 (12:51 +0100)]
matroska: pass the lace size to the matroska_parse_rm_audio

Each lace must be independent according to the specification.

Fix heap-buffer-overflow in matroska_parse_block for
corrupted real media in mkv files.

Stricter check than fc43c19a567aa945398dccb491d972c11ec2a065

CC: libav-stable@libav.org
(cherry picked from commit 25a80a931a3829f9d730971dbd269aa39cc273f6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago matroska: Update the available size after lace parsing
Dale Curtis [Wed, 27 Mar 2013 21:02:03 +0000 (14:02 -0700)]
matroska: Update the available size after lace parsing

Fix heap-buffer-overflow in matroska_parse_block for
corrupted real media in mkv files.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit fc43c19a567aa945398dccb491d972c11ec2a065)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago matroska: fix a corner case in ebml-lace parsing
Luca Barbato [Thu, 28 Mar 2013 10:52:52 +0000 (11:52 +0100)]
matroska: fix a corner case in ebml-lace parsing

Make sure we notice when the lace_size[n] is a negative value.

CC: libav-stable@libav.org
(cherry picked from commit 8a96df7b70be509dae9ceec82d2c10a20361356d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago avfiltergraph: check for sws opts being non-NULL before using them.
Anton Khirnov [Sun, 17 Mar 2013 15:14:58 +0000 (16:14 +0100)]
avfiltergraph: check for sws opts being non-NULL before using them.

Avoid snprintfing a NULL pointer.

CC: libav-stable@libav.org
(cherry picked from commit 6e3c13a559e9ff300b5ca60e1d503e594d7f055c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago configure: Enable hwaccels without external dependencies by default.
Diego Biurrun [Mon, 18 Mar 2013 21:27:03 +0000 (22:27 +0100)]
configure: Enable hwaccels without external dependencies by default.

(cherry picked from commit 2e2ec667416d8ed345491ac360fccc94e7a4772f)

This is a fixup for f074618 to reenable auto-detection of dxva in the
build environment.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago oma: Validate sample rates
Luca Barbato [Sat, 30 Mar 2013 08:46:06 +0000 (09:46 +0100)]
oma: Validate sample rates

The sample rate index is 3 bits even if currently index 5, 6 and 7 are
not supported.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0933fd1533560fbc718026e12f19a4824b041237)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vp8: Fix pthread_cond and pthread_mutex leaks
Matt Wolenetz [Thu, 28 Mar 2013 00:29:57 +0000 (17:29 -0700)]
vp8: Fix pthread_cond and pthread_mutex leaks

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 1d6e618939c1ba9c333d513fc7826719dae34031)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago configure: Refactor dxva2api.h dependency declarations
Diego Biurrun [Thu, 21 Feb 2013 11:39:20 +0000 (12:39 +0100)]
configure: Refactor dxva2api.h dependency declarations

(cherry picked from commit 215cdd35efd625ec28ef5846f1692b18f7c2c230)

Fixes Bug: #482

6 years ago flvdec: read audio sample size and channels metadata
Justin Ruggles [Thu, 21 Mar 2013 12:23:51 +0000 (08:23 -0400)]
flvdec: read audio sample size and channels metadata

This is needed in order for the FLV demuxer not to detect a codec change when
using the "flv_metadata" option.
(cherry picked from commit e46a2a7309d8e8b8c1573047731dea77695d0ce1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago flvdec: use the correct audio codec id when parsing metadata
Justin Ruggles [Thu, 21 Mar 2013 12:03:58 +0000 (08:03 -0400)]
flvdec: use the correct audio codec id when parsing metadata

(cherry picked from commit c3d015775388882b8a122afc337ea35108f652be)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago Prepare for 9.5 Release
Reinhard Tartler [Sun, 31 Mar 2013 08:38:00 +0000 (10:38 +0200)]
Prepare for 9.5 Release

6 years ago update Changelog
Reinhard Tartler [Sat, 23 Mar 2013 07:29:24 +0000 (08:29 +0100)]
update Changelog

6 years ago add missed CVE reference in 9.2 release
Reinhard Tartler [Sat, 23 Mar 2013 07:29:04 +0000 (08:29 +0100)]
add missed CVE reference in 9.2 release

6 years ago fate: fetch samples that match the release series
Reinhard Tartler [Sat, 23 Mar 2013 08:43:26 +0000 (09:43 +0100)]
fate: fetch samples that match the release series

The idea is to ensure that 'make fate-rsync' always fetches the fate
samples that work with this release.

6 years ago iff: validate CMAP palette size
Kostya Shishkov [Sun, 17 Mar 2013 19:22:19 +0000 (20:22 +0100)]
iff: validate CMAP palette size

Fixes CVE-2013-2495

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago hqdn3d: Fix out of array read in LOWPASS
Loren Merritt [Fri, 21 Sep 2012 23:43:16 +0000 (01:43 +0200)]
hqdn3d: Fix out of array read in LOWPASS

CC:libav-stable@libav.org
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 5b3c1aecb253828d09fa9825c5a4aed97badf086)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vf_gradfun: fix uninitialized variable use
Anton Khirnov [Thu, 28 Feb 2013 07:47:21 +0000 (08:47 +0100)]
vf_gradfun: fix uninitialized variable use

CC:libav-stable@libav.org
(cherry picked from commit 887d31d455915b6bde6814063384dafdee61164c)

Conflicts:

libavfilter/vf_gradfun.c

6 years ago vf_hqdn3d: fix uninitialized variable use
Anton Khirnov [Thu, 28 Feb 2013 07:47:21 +0000 (08:47 +0100)]
vf_hqdn3d: fix uninitialized variable use

CC:libav-stable@libav.org
(cherry picked from commit d0a863ac891eae49ceaa4de7f759270bc87e668d)

Conflicts:

libavfilter/vf_hqdn3d.c

6 years ago lzo: fix overflow checking in copy_backptr()
Xi Wang [Fri, 15 Mar 2013 10:59:22 +0000 (06:59 -0400)]
lzo: fix overflow checking in copy_backptr()

The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.

Remove the check.  Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6)

6 years ago flacdec: simplify bounds checking in flac_probe()
Xi Wang [Fri, 15 Mar 2013 11:11:47 +0000 (07:11 -0400)]
flacdec: simplify bounds checking in flac_probe()

Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'.
Avoid a possible out-of-bounds pointer, which is undefined behavior
in C.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 8425d693eefbedbb41f91735614d41067695aa37)

6 years ago atrac3: avoid oversized shifting in decode_bytes()
Xi Wang [Fri, 15 Mar 2013 10:31:21 +0000 (06:31 -0400)]
atrac3: avoid oversized shifting in decode_bytes()

When `off' is 0, `0x537F6103 << 32' in the following expression invokes
undefined behavior, the result of which is not necessarily 0.

    (0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))

Avoid oversized shifting.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b)
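
The three Xi Wang commits above (lzo, flacdec, atrac3) replace checks that rely on undefined behavior with forms that compare sizes and keep shift counts in range. The following is an added sketch of such forms, not libav code and not the committed fixes: `struct lz_out`, `has_magic`, `rotr32`, `key_for_offset` and `backptr_demo` are hypothetical names, and the masked rotate is one common way to avoid the oversized shift, not necessarily the one the commit uses.

```c
/* Added example (not libav code): UB-free forms of the three checks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotate right by n bits. Both shift counts are masked into 0..31, so
 * n == 0 never turns into a shift by 32, which is undefined for a
 * 32-bit operand and need not yield 0. */
static uint32_t rotr32(uint32_t v, unsigned n)
{
    n &= 31;
    return (v >> n) | (v << ((32 - n) & 31));
}

/* The constant from the atrac3 commit message, rotated by a byte offset. */
static uint32_t key_for_offset(unsigned off)
{
    return rotr32(0x537F6103u, (off & 3) * 8);
}

/* Probe-style check: compare the size, never form buf + buf_size - 4,
 * which points before the buffer when buf_size < 4. "fLaC" is the
 * 4-byte FLAC stream marker. */
static int has_magic(const uint8_t *buf, int buf_size)
{
    if (buf_size < 4)
        return 0;
    return memcmp(buf, "fLaC", 4) == 0;
}

/* Stand-in for an LZ decoder's output state (assumed layout). */
struct lz_out {
    uint8_t *out_start; /* first byte of the output buffer */
    uint8_t *out;       /* next byte to be written         */
    uint8_t *out_end;   /* one past the last byte          */
};

/* Copy cnt bytes from `back` bytes behind the write position.
 * The distance check subtracts two valid pointers into the same buffer
 * instead of forming &c->out[-back], which may lie outside it. */
static int copy_backptr(struct lz_out *c, int back, int cnt)
{
    if (back <= 0 || c->out - c->out_start < back)
        return -1;                    /* reference before buffer start */
    if (cnt < 0 || cnt > c->out_end - c->out)
        return -1;                    /* would write past buffer end   */
    for (int i = 0; i < cnt; i++)     /* bytewise: ranges may overlap  */
        c->out[i] = c->out[i - back];
    c->out += cnt;
    return 0;
}

/* Constructed input: an 8-byte output buffer already holding "ab".
 * Returns the buffer as a string, or NULL if the copy was rejected. */
static const char *backptr_demo(int back, int cnt)
{
    static uint8_t buf[9];            /* 8 data bytes + terminator */
    struct lz_out c = { buf, buf + 2, buf + 8 };

    memset(buf, 0, sizeof(buf));
    buf[0] = 'a';
    buf[1] = 'b';
    return copy_backptr(&c, back, cnt) ? NULL : (const char *)buf;
}

int main(void)
{
    const char *r = backptr_demo(2, 4);

    printf("off=0 key=%08X\n", (unsigned)key_for_offset(0));
    printf("2-byte probe=%d\n", has_magic((const uint8_t *)"fL", 2));
    printf("back=2 cnt=4 -> %s\n", r ? r : "(rejected)");
    printf("back=3 cnt=1 -> %s\n", backptr_demo(3, 1) ? "ok" : "(rejected)");
    return 0;
}
```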

6 years ago shorten: use the unsigned type where needed
Luca Barbato [Tue, 5 Mar 2013 16:12:35 +0000 (17:12 +0100)]
shorten: use the unsigned type where needed

get_uint returns an unsigned value, use an unsigned to store
blocksize to make sure the comparison logic is correct and report
correctly the error for the channel count not supported.

CC: libav-stable@libav.org
(cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago shorten: report meaningful errors
Luca Barbato [Tue, 5 Mar 2013 15:34:16 +0000 (16:34 +0100)]
shorten: report meaningful errors

(cherry picked from commit 4c364eb2b856fc33cf7b42f7c7b979e69fde5f3a)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago shorten: K&R formatting cosmetics
Luca Barbato [Tue, 5 Mar 2013 15:11:28 +0000 (16:11 +0100)]
shorten: K&R formatting cosmetics

(cherry picked from commit a2ad554def214d2d03b7c16f68dc081a8622f9ca)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
6 years ago shorten: set invalid channels count to 0
Michael Niedermayer [Tue, 5 Mar 2013 14:13:04 +0000 (15:13 +0100)]
shorten: set invalid channels count to 0

Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)

6 years ago eamad: allocate a dummy reference frame when the real one is missing
Anton Khirnov [Wed, 13 Feb 2013 20:04:42 +0000 (21:04 +0100)]
eamad: allocate a dummy reference frame when the real one is missing

Fixes invalid reads when the first frame is not an I-frame.

CC:libav-stable@libav.org
(cherry picked from commit 7b89cd20d844cbe763ca34e63e99d110043cf241)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
6 years ago libmp3lame: use the correct remaining buffer size when flushing
Justin Ruggles [Wed, 16 Jan 2013 22:52:55 +0000 (17:52 -0500)]
libmp3lame: use the correct remaining buffer size when flushing

CC:libav-stable@libav.org
(cherry picked from commit e984f47873258b600fd88423f40e3cdaad179190)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago png: use av_mallocz_array() for the zlib zalloc function
Justin Ruggles [Wed, 16 Jan 2013 23:10:57 +0000 (18:10 -0500)]
png: use av_mallocz_array() for the zlib zalloc function

Fixes valgrind uninitialized memory errors when decoding png.

CC:libav-stable@libav.org
(cherry picked from commit 486f0b0cfc800cd38ec06635630539431d296774)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago wmaprodec: require block_align to be set.
Anton Khirnov [Wed, 6 Mar 2013 08:58:00 +0000 (09:58 +0100)]
wmaprodec: require block_align to be set.

Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.

CC:libav-stable@libav.org
(cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago ffv1: fix calculating slice dimensions for version 2
Anton Khirnov [Tue, 19 Feb 2013 07:15:07 +0000 (08:15 +0100)]
ffv1: fix calculating slice dimensions for version 2

It got broken in 0f13cd3187192ba0cc2b043430de6e279e7b97c3.

CC:libav-stable@libav.org
(cherry picked from commit d243896987b8b2062d1faba4d8d6f0c62d2dbee9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago xxan: fix invalid memory access in xan_decode_frame_type0()
Anton Khirnov [Wed, 6 Mar 2013 08:06:16 +0000 (09:06 +0100)]
xxan: fix invalid memory access in xan_decode_frame_type0()

The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago wmadec: require block_align to be set.
Anton Khirnov [Wed, 6 Mar 2013 08:58:00 +0000 (09:58 +0100)]
wmadec: require block_align to be set.

Avoids an infinite loop in the calling programs with decoder not
consuming any input and not returning output.

CC:libav-stable@libav.org
(cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago ivi_common: do not call MC for intra frames when dc_transform is unset
Anton Khirnov [Wed, 6 Mar 2013 08:41:44 +0000 (09:41 +0100)]
ivi_common: do not call MC for intra frames when dc_transform is unset

CC:libav-stable@libav.org
(cherry picked from commit 3ba40ebb6cc58753dc3746c718203bb31760deba)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago roqvideodec: fix a potential infinite loop in roqvideo_decode_frame().
Anton Khirnov [Wed, 6 Mar 2013 08:15:19 +0000 (09:15 +0100)]
roqvideodec: fix a potential infinite loop in roqvideo_decode_frame().

When there is just 1 byte remaining in the buffer, nothing will be read
and the loop will continue forever. Check that there are at least 8
bytes, which are always read at the beginning.

CC:libav-stable@libav.org
(cherry picked from commit 3e2f200237af977b9253b0aff121eee27bcedb44)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mp3dec: Fix VBR bit rate parsing
Alexander Kojevnikov [Thu, 7 Mar 2013 05:38:55 +0000 (21:38 -0800)]
mp3dec: Fix VBR bit rate parsing

When parsing the Xing/Info tag, don't set the bit rate if it's an Info tag.

When parsing the stream, don't override the bit rate if it's already set,
otherwise calculate the mean bit rate from parsed frames. This way, the bit
rate will be set correctly both for CBR and VBR streams.

CC:libav-stable@libav.org

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit eae0879d961b78717dd2a0899809ad22819ae9e3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago wmaprodec: return an error, not 0, when the input is too small.
Anton Khirnov [Wed, 6 Mar 2013 09:02:50 +0000 (10:02 +0100)]
wmaprodec: return an error, not 0, when the input is too small.

Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.

CC:libav-stable@libav.org
(cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vmdaudio: fix invalid reads when packet size is not a multiple of chunk size
Anton Khirnov [Wed, 6 Mar 2013 09:42:51 +0000 (10:42 +0100)]
vmdaudio: fix invalid reads when packet size is not a multiple of chunk size

CC:libav-stable@libav.org
(cherry picked from commit f86d66bcfa48998b0727aa0d1089a30cbeae0933)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: check for luma and chroma bit depth being equal
Luca Barbato [Mon, 4 Mar 2013 10:21:08 +0000 (11:21 +0100)]
h264: check for luma and chroma bit depth being equal

The decoder assumes a single bit depth for all the planes
while the specification allows different bit depths for luma
and chroma.

Avoid the possible problems described in CVE-2013-2277

CC: libav-stable@libav.org
(cherry picked from commit 4987faee78b9869f8f4646b8dd971d459df218a5)

Conflicts:

libavcodec/h264.c

6 years ago Prepare for 9.4 Release
Reinhard Tartler [Sat, 9 Mar 2013 16:49:23 +0000 (17:49 +0100)]
Prepare for 9.4 Release

6 years ago update Changelog
Reinhard Tartler [Sat, 2 Mar 2013 09:54:07 +0000 (10:54 +0100)]
update Changelog

6 years ago h264: set ref_count to 0 for intra slices.
Anton Khirnov [Thu, 14 Feb 2013 10:44:33 +0000 (11:44 +0100)]
h264: set ref_count to 0 for intra slices.

CC:libav-stable@libav.org
(cherry picked from commit 437211ae73ef1ed8285b4fed7620502ea4999e11)

Fixes deadlocks waiting for non-existing references with some fuzzed files.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago h264: on reference overflow, reset the reference count to 0, not 1.
Anton Khirnov [Thu, 14 Feb 2013 10:43:20 +0000 (11:43 +0100)]
h264: on reference overflow, reset the reference count to 0, not 1.

Since decode_slice_header() returns before the reference lists are
constructed, there are zero valid references.

CC:libav-stable@libav.org
(cherry picked from commit 668e16a0dd1ff56d4beeff5c658d8a2a08dbfac8)

Conflicts:

libavcodec/h264.c

6 years ago flvdec: Check the return value of a malloc
Martin Storsjö [Fri, 1 Mar 2013 14:45:24 +0000 (16:45 +0200)]
flvdec: Check the return value of a malloc

The callers of this function can't report errors sanely. If this
one malloc fails, don't write the extradata byte, make sure we
try to malloc it the next time we're called instead, and make sure
we still consume the input data byte.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c5a738ca4e9789b4678b10240777d931e7dc24c9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago flvdec: Don't read the VP6 header byte when setting codec type based on metadata
Martin Storsjö [Fri, 1 Mar 2013 14:30:44 +0000 (16:30 +0200)]
flvdec: Don't read the VP6 header byte when setting codec type based on metadata

This header byte is only present when actually reading a VP6 frame,
not when reading the codec type field in the metadata. This
potential bug has been present since 5b54a90c.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c91c63b5380bf79655c09320774a022f84d76fd5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vorbisdec: Accept 0 amplitude_bits
Luca Barbato [Sun, 24 Feb 2013 15:56:15 +0000 (16:56 +0100)]
vorbisdec: Accept 0 amplitude_bits

The specification does not prevent an encoder from writing the amplitude 0
as 0 amplitude_bits.

Our get_bits() implementation might not support a zero sized read
properly, thus the additional branch.
(cherry picked from commit 23bd9ef4b209c789d5473d75f89a2e411d343d80)

Conflicts:

libavcodec/vorbisdec.c

6 years ago vorbisdec: Error on bark_map_size equal to 0.
Michael Niedermayer [Thu, 10 Jan 2013 23:54:12 +0000 (00:54 +0100)]
vorbisdec: Error on bark_map_size equal to 0.

The value is used to calculate output LSP curve and a division by zero
and out of array accesses would occur.

CVE-2013-0894

CC: libav-stable@libav.org
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vorbisdec: Add missing checks
Luca Barbato [Sun, 24 Feb 2013 11:30:30 +0000 (12:30 +0100)]
vorbisdec: Add missing checks

Rate and order must not be 0 even if the specification does not say that
explicitly.
(cherry picked from commit 5b47c19bfda92273ae49e83db26a565afcaed80a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago ac3dec: validate channel output mode against channel count
Justin Ruggles [Wed, 20 Feb 2013 16:41:20 +0000 (11:41 -0500)]
ac3dec: validate channel output mode against channel count

Damaged frames can lead to a mismatch, which can cause a segfault
due to using an incorrect channel mapping.

CC:libav-stable@libav.org
(cherry picked from commit d7c450436fcb9d3ecf59884a574e7684183e753d)

Conflicts:

libavcodec/ac3dec.c

6 years ago doc: developer: Allow tabs in the vim configuration for Automake files
Diego Biurrun [Fri, 22 Feb 2013 21:06:37 +0000 (22:06 +0100)]
doc: developer: Allow tabs in the vim configuration for Automake files

While we do not use Automake in libav, this allows our config to be
used more globally without introducing unwanted breakage.
(cherry picked from commit 040c565e51985477a8fa5e42d2ddfb26ebde6608)

Conflicts:

doc/developer.texi

6 years ago doc: filters: Correct BNF FILTER description
Vicente Jimenez Aguilar [Wed, 20 Feb 2013 01:35:00 +0000 (02:35 +0100)]
doc: filters: Correct BNF FILTER description

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit b5ad422bf4e671a8b30ce73ad236cd6b49940af9)

6 years ago Prepare for 9.3 Release
Reinhard Tartler [Sun, 24 Feb 2013 08:29:17 +0000 (09:29 +0100)]
Prepare for 9.3 Release

6 years ago update Changelog
Reinhard Tartler [Sat, 23 Feb 2013 13:49:16 +0000 (14:49 +0100)]
update Changelog

6 years ago cavs: initialize various context tables to 0
Anton Khirnov [Thu, 14 Feb 2013 13:39:41 +0000 (14:39 +0100)]
cavs: initialize various context tables to 0

Avoids crashes with corrupted files.

CC:libav-stable@libav.org
(cherry picked from commit 4f3b058c84f570e261d743c7c22f865617fd28ac)

Conflicts:

libavcodec/cavs.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago 4xm: check the return value of read_huffman_tables().
Anton Khirnov [Wed, 13 Feb 2013 19:46:08 +0000 (20:46 +0100)]
4xm: check the return value of read_huffman_tables().

CC:libav-stable@libav.org
(cherry picked from commit 8097fc9a2dd49d8e467b16c8bafaa96242b7fe46)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago qtrle: add more checks against pixel_ptr being negative.
Anton Khirnov [Thu, 14 Feb 2013 16:58:12 +0000 (17:58 +0100)]
qtrle: add more checks against pixel_ptr being negative.

CC:libav-stable@libav.org
(cherry picked from commit e10659244782b26061e7d52c06437de32a43a7af)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mlpdec: do not try to allocate a zero-sized output buffer.
Anton Khirnov [Thu, 14 Feb 2013 13:05:35 +0000 (14:05 +0100)]
mlpdec: do not try to allocate a zero-sized output buffer.

CC:libav-stable@libav.org
(cherry picked from commit 0dff40bfb9a0b24d56ecd64cd90c8f724cc5745f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago av_memcpy_backptr: avoid an infinite loop for back = 0
Anton Khirnov [Wed, 13 Feb 2013 20:36:25 +0000 (21:36 +0100)]
av_memcpy_backptr: avoid an infinite loop for back = 0

CC:libav-stable@libav.org
(cherry picked from commit f935aca44c674d30e3ed940ef73bbad1228a5855)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago flicvideo: avoid an infinite loop in byte run compression
Anton Khirnov [Thu, 14 Feb 2013 11:40:36 +0000 (12:40 +0100)]
flicvideo: avoid an infinite loop in byte run compression

When byte_run is 0, pixel_countdown is not touched and the loop will run
forever.

CC:libav-stable@libav.org
(cherry picked from commit ddfe1246d98f70cdce368a2176196ba26ed7bf2d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago lagarith: avoid infinite loop in lag_rac_refill()
Anton Khirnov [Thu, 14 Feb 2013 07:47:17 +0000 (08:47 +0100)]
lagarith: avoid infinite loop in lag_rac_refill()

range == 0 happens with corrupted files

CC:libav-stable@libav.org
(cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mov: use the format context for logging.
Anton Khirnov [Thu, 14 Feb 2013 11:47:43 +0000 (12:47 +0100)]
mov: use the format context for logging.

CC:libav-stable@libav.org
(cherry picked from commit 56daf10e0313c5e36f43e773f457d2a99ff0df10)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago loco: check that there is data left after decoding a plane.
Anton Khirnov [Thu, 14 Feb 2013 08:08:35 +0000 (09:08 +0100)]
loco: check that there is data left after decoding a plane.

CC:libav-stable@libav.org
(cherry picked from commit 067432c1c95882c7221e694f33d9f3bdbe46de7f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago update Changelog
Reinhard Tartler [Fri, 22 Feb 2013 20:52:56 +0000 (21:52 +0100)]
update Changelog

6 years ago x86: h264: Don't use redzone in AVX h264_deblock on Win64
Matt Wolenetz [Fri, 15 Feb 2013 21:59:40 +0000 (13:59 -0800)]
x86: h264: Don't use redzone in AVX h264_deblock on Win64

This fixes crashes in chromium on win64 on machines with AVX
(crashes that apparently aren't triggered by fate).

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 311443f6c7eb230276e320f2d30a5d729cf32b76)

Signed-off-by: Martin Storsjö <martin@martin.st>
6 years ago doc: Fix some obsolete references to av* tools as ff* tools
Vicente Jimenez Aguilar [Sat, 16 Feb 2013 02:08:36 +0000 (03:08 +0100)]
doc: Fix some obsolete references to av* tools as ff* tools

Signed-off-by: Diego Biurrun <diego@biurrun.de>
CC: libav-stable@libav.org
(cherry picked from commit 202b5f6deb65e405b07b9b5c20f97c8cb925cf49)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago vqavideo: check chunk sizes before reading chunks
Michael Niedermayer [Fri, 25 Jan 2013 05:11:59 +0000 (06:11 +0100)]
vqavideo: check chunk sizes before reading chunks

Fixes out of array writes

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)

CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago roqvideodec: check dimensions validity
Michael Niedermayer [Thu, 29 Nov 2012 14:18:17 +0000 (15:18 +0100)]
roqvideodec: check dimensions validity

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fee26d352a52eb9f7fcd8d9167fb4a5ba015b612)

CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 488f87be873506abb01d67708a67c10a4dd29283)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago qdm2: check array index before use, fix out of array accesses
Michael Niedermayer [Fri, 30 Nov 2012 22:59:40 +0000 (23:59 +0100)]
qdm2: check array index before use, fix out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed)

CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 39bec05ed42e505d17877b0c23f16322f9b5883b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
6 years ago mpegvideo: Do REBASE_PICTURE with byte pointers
Martin Storsjö [Thu, 31 Jan 2013 08:19:57 +0000 (10:19 +0200)]
mpegvideo: Do REBASE_PICTURE with byte pointers

REBASE_PICTURE (more specifically, this half of it) takes a Picture
pointer that points into one larger struct, finds the offset of
that Picture within the struct and finds the corresponding field
within another instance of a similar struct.

The pointer difference "pic - (Picture*)old_ctx" is a value given
in sizeof(Picture) units, and when applied back on
(Picture*)new_ctx gets multiplied back with sizeof(Picture). Many
compilers seem to optimize out this division/multiplication, but
not all do.

GCC 4.2 on OS X doesn't seem to remove the division/multiplication,
therefore the new pointer didn't turn out to point to exactly
the right place in the new struct since it only had sizeof(Picture)
granularity (and the Picture is not aligned on a sizeof(Picture)
boundary within the encompassing struct). This bug has been present
before 47318953d as well - with H264, pointers to h->ref_list[0][0]
pointed to 88 bytes before h->ref_list[0][0] after the rebase. After
shrinking Picture, the difference ended up even larger, making
writes via such a Picture pointer overwrite other fields at random
in H264Context, ending up in crashes later.

This fixes H264 multithreaded decoding on OS X with GCC 4.2.

Fixes Bug: #439

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a65f965c04bfa27adedc0409c14cc05903f483d0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
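
The granularity loss described in the mpegvideo REBASE_PICTURE commit message above, as an added C example that is not code from the commit or from libavcodec. The `Picture` and `Ctx` types, their sizes and the helper names are constructed, and the division is written out explicitly so the result does not depend on the compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the libavcodec types: the Picture array sits at
 * offset 88 in the context, which is not a multiple of sizeof(Picture) == 96. */
typedef struct Picture { uint8_t payload[96]; } Picture;
typedef struct Ctx {
    uint8_t header[88];
    Picture ref_list[2];
    int     other_state;
} Ctx;

/* Rebase the way "pic - (Picture *)old_ctx" behaves when the compiler really
 * emits the division: the distance is truncated to whole Picture units. */
static Picture *rebase_units(const Picture *pic, const Ctx *from, Ctx *to)
{
    ptrdiff_t bytes = (const uint8_t *)pic - (const uint8_t *)from;
    ptrdiff_t units = bytes / (ptrdiff_t)sizeof(Picture);
    return (Picture *)((uint8_t *)to + units * (ptrdiff_t)sizeof(Picture));
}

/* Rebase with byte pointers: the offset is carried over exactly. */
static Picture *rebase_bytes(const Picture *pic, const Ctx *from, Ctx *to)
{
    return (Picture *)((uint8_t *)to +
                       ((const uint8_t *)pic - (const uint8_t *)from));
}

static Ctx old_ctx, new_ctx;

/* Bytes by which the unit-based rebase falls short of new_ctx.ref_list[idx]. */
static ptrdiff_t unit_rebase_error(int idx)
{
    Picture *got = rebase_units(&old_ctx.ref_list[idx], &old_ctx, &new_ctx);
    return (uint8_t *)&new_ctx.ref_list[idx] - (uint8_t *)got;
}

/* 1 if the byte-based rebase lands exactly on new_ctx.ref_list[idx]. */
static int byte_rebase_exact(int idx)
{
    return rebase_bytes(&old_ctx.ref_list[idx], &old_ctx, &new_ctx)
           == &new_ctx.ref_list[idx];
}

int main(void)
{
    for (int i = 0; i < 2; i++)
        printf("ref_list[%d]: unit rebase short by %td bytes, byte rebase exact=%d\n",
               i, unit_rebase_error(i), byte_rebase_exact(i));
    return 0;
}
```

A write through the unit-rebased pointer would land in `header` and the preceding `Picture` slot rather than the intended field, which is the kind of neighbouring-field corruption the commit message reports.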
6 years ago svq3: unbreak decoding
Matti Hamalainen [Mon, 18 Feb 2013 01:49:45 +0000 (02:49 +0100)]
svq3: unbreak decoding

a7d2861d36756b913e85681b86ed3385274e8ced removed necessary braces.

6 years ago build: make audio_frame_queue a stand-alone component
Luca Barbato [Sun, 17 Feb 2013 11:38:23 +0000 (12:38 +0100)]
build: make audio_frame_queue a stand-alone component

Encoders requiring it have the dependency expressed in the configure.

6 years ago build: The libopencore-amrnb encoder depends on audio_frame_queue
Diego Biurrun [Sat, 16 Feb 2013 22:05:05 +0000 (23:05 +0100)]
build: The libopencore-amrnb encoder depends on audio_frame_queue

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d0fd1dd559b8362bdbca3405f739e0cc202d62e7)

6 years ago libopencore-amrwb: Make AMR-WB ifdeffery more precise
Diego Biurrun [Sat, 16 Feb 2013 22:05:04 +0000 (23:05 +0100)]
libopencore-amrwb: Make AMR-WB ifdeffery more precise

The library might provide an encoder in the future, so it's better to
check for the presence of the decoder rather than just the library.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ed89cad6aa04bbd692b3eb21c0e0bb56aca77130)

6 years ago libopencore-amr: Conditionally compile decoder and encoder bits
Diego Biurrun [Sat, 16 Feb 2013 22:05:03 +0000 (23:05 +0100)]
libopencore-amr: Conditionally compile decoder and encoder bits

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f6ad3ca159edcd2e48634bf39b9cd4a85af29cb1)

6 years ago libopencore-amrnb: cosmetics: Group all encoder-related code together
Diego Biurrun [Sat, 16 Feb 2013 22:05:02 +0000 (23:05 +0100)]
libopencore-amrnb: cosmetics: Group all encoder-related code together

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 81ae57a269782fbfc9e11548d1e6605f13d65c9b)

6 years ago arm: Fall back to runtime cpu feature detection via /proc/cpuinfo
Martin Storsjö [Thu, 7 Feb 2013 08:54:20 +0000 (10:54 +0200)]
arm: Fall back to runtime cpu feature detection via /proc/cpuinfo

On recent android versions, /proc/self/auxv is unreadable
(unless the process is running under the shell uid or
in debuggable mode, which makes it hard to notice). See
http://b.android.com/43055 and
https://android-review.googlesource.com/51271 for more information
about the issue.

This makes sure e.g. neon optimizations are enabled at runtime in
android apps even when built in release mode, if configured to
use the runtime detection.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit ab8f1a698990c33afb4c1c6ae5af3d6de4f696cb)

Signed-off-by: Martin Storsjö <martin@martin.st>