ffmpeg.git
6 years agoChangelog for 0.10.5 n0.10.5
Michael Niedermayer [Wed, 19 Sep 2012 01:09:28 +0000 (03:09 +0200)]
Changelog for 0.10.5

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoUpdate for 0.10.5
Michael Niedermayer [Wed, 19 Sep 2012 00:34:55 +0000 (02:34 +0200)]
Update for 0.10.5

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agobmv_videodec: fix out of array read
Michael Niedermayer [Tue, 14 Aug 2012 16:58:49 +0000 (18:58 +0200)]
bmv_videodec: fix out of array read

Fixes Ticket1373

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 70f0ffa1ed456fd0b560d0dd1d0d93f1ba3a6d93)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d721cb009d73662f35c629bdc678e25786e79301)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agofaxcompr: fix out of array read
Michael Niedermayer [Fri, 7 Sep 2012 10:35:41 +0000 (12:35 +0200)]
faxcompr: fix out of array read

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5891e454a667e42ef71a06bfd9661540ea3f3ebd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 55b3e408fa18b918bd0cabb1b27f1f0c4ce57a64)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoescape124: fix integer overflow leading to excessive memory allocation
Michael Niedermayer [Thu, 16 Aug 2012 20:28:29 +0000 (22:28 +0200)]
escape124: fix integer overflow leading to excessive memory allocation

Fixes Ticket1629

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9f1e01c9915fe0c86ad2b8f50e11fee9e1b00c62)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agosp5xdec: fix off by 1 error causing a crash
Michael Niedermayer [Thu, 16 Aug 2012 01:15:14 +0000 (03:15 +0200)]
sp5xdec: fix off by 1 error causing a crash

Fixes Ticket1633

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f0896a6bd94e5b45447c7d640c8e8aa95d860d7a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 450e4b1a60721d25f306d97062f35c9c3d7989f8)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agompegaudio_parser: reset state to prevent it to be random
Michael Niedermayer [Fri, 14 Sep 2012 03:55:11 +0000 (05:55 +0200)]
mpegaudio_parser: reset state to prevent it to be random

Fixes Ticket1718

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 93b240f4a59348c07d3d7e4862227f6949c51e14)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3581ab6ce0754544b06f34f7875b731a5ca2e061)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agopthread: Avoid crashes/odd behavior caused by spurious wakeups
Ben Jackson [Fri, 14 Sep 2012 04:26:43 +0000 (21:26 -0700)]
pthread: Avoid crashes/odd behavior caused by spurious wakeups

pthread_wait_cond can wake up for no reason (Wikipedia: Spurious_wakeup).
The FF_THREAD_SLICE thread mechanism could spontaneously execute jobs or
allow the caller of avctx->execute to return before all jobs were complete.
This adds tests to both cases to ensure the wakeup is real.

Signed-off-by: Ben Jackson <ben@ben.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e3329474a366de066b25e86f35f5abf9c5a4b7b2)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f1ec792ae3011531d47070144b8c91d58bb3e76f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Tue, 18 Sep 2012 22:27:03 +0000 (00:27 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

Merged-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoFix muxing mjpeg in swf.
Carl Eugen Hoyos [Wed, 12 Sep 2012 11:08:27 +0000 (13:08 +0200)]
Fix muxing mjpeg in swf.
(cherry picked from commit 7680d99b4302e476076cc1b8f2567f47c2aaef4d)

6 years agobuild: Fix some paths in uninstall-libs
jamal [Fri, 3 Aug 2012 20:13:27 +0000 (17:13 -0300)]
build: Fix some paths in uninstall-libs

Folder and file names weren't being separated with a slash.
This resulted in .dll.a, .lib and .def files not being removed on uninstall.

Signed-off-by: Alexander Strasser <eclipse7@gmx.net>
(cherry picked from commit 49440853d0c1e740daee0e2df1e65d5e67b1ad6b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agodxva2: include dxva.h if found
Ronald S. Bultje [Sun, 24 Jun 2012 10:17:13 +0000 (11:17 +0100)]
dxva2: include dxva.h if found

Apparently, some build environments require dxva.h even for dxva2,
while others lack this header entirely.  Including it conditionally
allows building in both cases.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fa84506177f0246b30d4ea6a99ee5d419f3e4550)

Conflicts:

configure

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoasfenc: properly write index information
Ramiro Polla [Wed, 4 Apr 2012 05:52:27 +0000 (02:52 -0300)]
asfenc: properly write index information

The index must take into account the pre-roll time and must seek backwards,
not forwards.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bd603494f905a7db92fc04eab9c0f6793b0ed7d1)

Conflicts:

tests/ref/lavf/asf
tests/ref/seek/lavf_asf

Fixes Ticket1563

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoasfenc: remove useless casts
Ramiro Polla [Wed, 4 Apr 2012 05:50:40 +0000 (02:50 -0300)]
asfenc: remove useless casts

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bc13b74992c30da3cf3da9bcce6a0b727b9d2e6b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoasfenc: reduce code duplication with new variable
Ramiro Polla [Wed, 4 Apr 2012 05:50:05 +0000 (02:50 -0300)]
asfenc: reduce code duplication with new variable

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f2fad251b8f0b5cfa9fa43200e72f5f9194fd620)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoasfenc: rename some variables
Ramiro Polla [Wed, 4 Apr 2012 05:49:47 +0000 (02:49 -0300)]
asfenc: rename some variables

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1ceff0859df1c4f6bfacd6c1cd9dbdcceb039423)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoasfenc: realloc index_ptr fewer times
Ramiro Polla [Wed, 4 Apr 2012 05:48:27 +0000 (02:48 -0300)]
asfenc: realloc index_ptr fewer times

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 97d36a1898dabd6fd85d0f2295bdac911d607b8e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6 years agoClarify that -passlogfile has a different syntax when used with -vcodec libx264.
Carl Eugen Hoyos [Fri, 31 Aug 2012 12:17:01 +0000 (14:17 +0200)]
Clarify that -passlogfile has a different syntax when used with -vcodec libx264.

7 years agomov: set AVCodecContext.width/height for h264
Mans Rullgard [Wed, 30 May 2012 03:06:00 +0000 (04:06 +0100)]
mov: set AVCodecContext.width/height for h264

This is required for correct cropping of files from Canon
cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh264: allow cropping to AVCodecContext.width/height
Mans Rullgard [Wed, 30 May 2012 03:04:54 +0000 (04:04 +0100)]
h264: allow cropping to AVCodecContext.width/height

Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d)

Conflicts:

libavcodec/h264.c

7 years agoUpdate for 0.10.4 n0.10.4
Michael Niedermayer [Sat, 9 Jun 2012 18:52:12 +0000 (20:52 +0200)]
Update for 0.10.4
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agompegvideo: fix out of heap array accesses
Michael Niedermayer [Wed, 6 Jun 2012 17:26:21 +0000 (19:26 +0200)]
mpegvideo: fix out of heap array accesses

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 317ca0d3f735fad354c404e8bbac3e1ce9f09b12)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agompc8: fix channel checks
Michael Niedermayer [Sun, 3 Jun 2012 15:40:30 +0000 (17:40 +0200)]
mpc8: fix channel checks

fix heap array overflow

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 44c10168cff41c200825448b77cb8feff0d316c9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoh263: disable loop filter with lowres
Michael Niedermayer [Sun, 3 Jun 2012 12:41:21 +0000 (14:41 +0200)]
h263: disable loop filter with lowres

Fixes ticket1212

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc229d4e83889d1298f1a0863b55feec6c5c339a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agobmv: fix apparent sign error in the frame_off check
Michael Niedermayer [Sat, 2 Jun 2012 02:06:16 +0000 (04:06 +0200)]
bmv: fix apparent sign error in the frame_off check

Fixes part of Ticket1373

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit debbcfae6010f027a0334d70d0dbb7ddd912ad5a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agobmv: fix integer overflows in vlc decoder.
Michael Niedermayer [Sat, 2 Jun 2012 02:04:29 +0000 (04:04 +0200)]
bmv: fix integer overflows in vlc decoder.

Fixes part of Ticket1373

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Based-on-patch-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 679c578cb8e82df6fdee977e3137a26a680ad346)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agowmv1: check that the input buffer is large enough
Michael Niedermayer [Fri, 1 Jun 2012 19:42:29 +0000 (21:42 +0200)]
wmv1: check that the input buffer is large enough

Fixes null ptr deref
Fixes Ticket1367

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoyopdec: check frame oddness to be within supported limits
Michael Niedermayer [Fri, 1 Jun 2012 13:52:20 +0000 (15:52 +0200)]
yopdec: check frame oddness to be within supported limits

Fixes Ticket1365

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoyopdec: check that palette fits in the packet
Michael Niedermayer [Fri, 1 Jun 2012 13:51:50 +0000 (15:51 +0200)]
yopdec: check that palette fits in the packet

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago8svx: fix crash
Michael Niedermayer [Thu, 31 May 2012 23:33:00 +0000 (01:33 +0200)]
8svx: fix crash

Fixes Ticket1377

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agodv-demux: dont mess with codec values
Michael Niedermayer [Thu, 31 May 2012 21:50:08 +0000 (23:50 +0200)]
dv-demux: dont mess with codec values

Fixes part of Ticket1369

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c276ac0f8936745543d14674842647c502bdd2e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agobinkaudio: check number of channels
Paul B Mahol [Thu, 31 May 2012 08:58:31 +0000 (08:58 +0000)]
binkaudio: check number of channels

Fixes #1380.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoindeo5: check quant_mat
Michael Niedermayer [Thu, 31 May 2012 03:01:28 +0000 (05:01 +0200)]
indeo5: check quant_mat

prevents out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agotruemotion1: Check index, fix out of array read
Michael Niedermayer [Wed, 30 May 2012 14:19:36 +0000 (16:19 +0200)]
truemotion1: Check index, fix out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoiff: check if there is extradata
Paul B Mahol [Wed, 30 May 2012 07:50:32 +0000 (07:50 +0000)]
iff: check if there is extradata

Fixes #1368.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoape: Fix null ptr dereference with files missing a seekatable.
Michael Niedermayer [Tue, 29 May 2012 17:50:15 +0000 (19:50 +0200)]
ape: Fix null ptr dereference with files missing a seekatable.

Such files are currently not supported as the table is used at several points

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years ago4xm: fix division by zero caused by bps<8
Michael Niedermayer [Tue, 29 May 2012 17:16:22 +0000 (19:16 +0200)]
4xm: fix division by zero caused by bps<8

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agojvdec: check videosize
Michael Niedermayer [Mon, 28 May 2012 15:21:29 +0000 (17:21 +0200)]
jvdec: check videosize

Fixes null ptr dereference
fixes Ticket1364

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4904e804d3b1c56ac4f5d3386b15daae98fca2d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agomotionpixels: check extradata size
Michael Niedermayer [Mon, 28 May 2012 15:17:49 +0000 (17:17 +0200)]
motionpixels: check extradata size

Fixes null ptr derefernce
Fixes Ticket1363

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 50122084a6b3be06781a2b3d8ec036f2d67c32e3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoiff_ilbm: fix null ptr deref
Michael Niedermayer [Mon, 28 May 2012 15:13:10 +0000 (17:13 +0200)]
iff_ilbm: fix null ptr deref

Fixes Ticket1362

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoyop: check for missing extradata
Michael Niedermayer [Mon, 28 May 2012 15:08:06 +0000 (17:08 +0200)]
yop: check for missing extradata

Fixes null ptr deref
Fixes Ticket1361

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 77a4c8b959fa9bc6bcaa42b40a0b046cdf3fec38)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoxan: fix out of array read
Michael Niedermayer [Mon, 28 May 2012 15:04:38 +0000 (17:04 +0200)]
xan: fix out of array read

Fixes ticket1360

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agocdgraphics: Fix out of array write
Michael Niedermayer [Mon, 28 May 2012 14:50:15 +0000 (16:50 +0200)]
cdgraphics: Fix out of array write

Fixes Ticket1359

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Sat, 9 Jun 2012 17:17:22 +0000 (19:17 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  cmdutils: update copyright year to 2012.

Conflicts:
cmdutils.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agocmdutils: update copyright year to 2012.
Ronald S. Bultje [Wed, 8 Feb 2012 18:16:41 +0000 (10:16 -0800)]
cmdutils: update copyright year to 2012.

7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Mon, 4 Jun 2012 11:40:13 +0000 (13:40 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  Update Changelog for the 0.8.3 Release
  Prepare for 0.8.3 Release
  ea: check chunk_size for validity.
  png: check bit depth for PAL8/Y400A pixel formats.
  qdm2: clip array indices returned by qdm2_get_vlc().
  tqi: Pass errors from the MB decoder
  h264: Add check for invalid chroma_format_idc
  h263dec: Disallow width/height changing with frame threads.

Conflicts:
Changelog
RELEASE
libavcodec/eatqi.c
libavcodec/h264_ps.c
libavcodec/pngdec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoUpdate Changelog for the 0.8.3 Release
Reinhard Tartler [Tue, 29 May 2012 20:59:43 +0000 (22:59 +0200)]
Update Changelog for the 0.8.3 Release

7 years agoPrepare for 0.8.3 Release
Reinhard Tartler [Tue, 29 May 2012 20:56:46 +0000 (22:56 +0200)]
Prepare for 0.8.3 Release

7 years agoea: check chunk_size for validity.
Ronald S. Bultje [Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)]
ea: check chunk_size for validity.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agopng: check bit depth for PAL8/Y400A pixel formats.
Ronald S. Bultje [Wed, 2 May 2012 17:58:55 +0000 (10:58 -0700)]
png: check bit depth for PAL8/Y400A pixel formats.

Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoqdm2: clip array indices returned by qdm2_get_vlc().
Ronald S. Bultje [Wed, 2 May 2012 16:12:46 +0000 (16:12 +0000)]
qdm2: clip array indices returned by qdm2_get_vlc().

Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:

libavcodec/qdm2.c

7 years agotqi: Pass errors from the MB decoder
Michael Niedermayer [Mon, 19 Dec 2011 03:13:37 +0000 (04:13 +0100)]
tqi: Pass errors from the MB decoder

This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh264: Add check for invalid chroma_format_idc
Alexander Strange [Sat, 24 Mar 2012 21:32:14 +0000 (17:32 -0400)]
h264: Add check for invalid chroma_format_idc

Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh263dec: Disallow width/height changing with frame threads.
Michael Niedermayer [Fri, 17 Feb 2012 21:35:10 +0000 (13:35 -0800)]
h263dec: Disallow width/height changing with frame threads.

Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)

Conflicts:

libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agothreads: Perform the generic progress cleanup more carefully.
Michael Niedermayer [Sat, 11 Feb 2012 19:14:33 +0000 (20:14 +0100)]
threads: Perform the generic progress cleanup more carefully.

The cleanup is only done now when
a picture is returned (assuming that it has to be done when its returned)
a error is returned (assuming that there will be no further progress on the frame)
the codec is not h264 (this is still needed due to some deadlocks in realvideo)

This fixes a decoding regression with 00017.MTS

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 18a7f7465e7e6b9c3688ffc23230ae7a0639a771)

7 years agoupdate for ffmpeg 0.10.3 n0.10.3
Michael Niedermayer [Sat, 5 May 2012 23:35:56 +0000 (01:35 +0200)]
update for ffmpeg 0.10.3

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoindeo4: check that num_mbs matches
Michael Niedermayer [Sat, 31 Mar 2012 19:42:50 +0000 (21:42 +0200)]
indeo4: check that num_mbs matches

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d3db8988d5befd8702a748cf1957415677bfe75c)

7 years agodsp: fix diff_bytes_mmx() with small width
Michael Niedermayer [Sat, 17 Mar 2012 19:45:45 +0000 (20:45 +0100)]
dsp: fix diff_bytes_mmx() with small width

Fixes Ticket1068

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)

7 years agoChangelog: update
Michael Niedermayer [Sat, 5 May 2012 23:31:25 +0000 (01:31 +0200)]
Changelog: update

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agommdemux: dont set pkt->size to an invalid value.
Michael Niedermayer [Thu, 22 Mar 2012 23:49:00 +0000 (00:49 +0100)]
mmdemux: dont set pkt->size to an invalid value.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c97fd336e17535239ab44d755a0d957dc2688f3)

7 years agoh261: check mtype.
Michael Niedermayer [Fri, 2 Mar 2012 14:58:14 +0000 (15:58 +0100)]
h261: check mtype.

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585)

7 years agompegvideo: increase buffer sizes.
Michael Niedermayer [Sat, 24 Mar 2012 13:25:52 +0000 (14:25 +0100)]
mpegvideo: increase buffer sizes.

Fixes buffer overflow

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2c0559d5e2faeafa7998173a4dc430408475503f)

7 years agomov: fix global unicode convertion array overflow.
Michael Niedermayer [Fri, 23 Mar 2012 00:09:04 +0000 (01:09 +0100)]
mov: fix global unicode convertion array overflow.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 437f5daf0bf727a53ea4b485a30f1289f44bf252)

7 years agoiff: fix null ptr dereference
Michael Niedermayer [Sun, 22 Apr 2012 14:41:21 +0000 (16:41 +0200)]
iff: fix null ptr dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 41abc9da50ba7a7b68bbbf6622475ce7a3c72e3f)

7 years agoxmvdemux: dont let current_stream become invalid.
Michael Niedermayer [Sat, 21 Apr 2012 17:41:54 +0000 (19:41 +0200)]
xmvdemux: dont let current_stream become invalid.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 13381577d181fa732d6d2fa0491fa2ff50186546)

7 years agoavidec: Dont crash on avi packets that belong to dv streams in dv in avi
Michael Niedermayer [Tue, 17 Apr 2012 15:42:09 +0000 (17:42 +0200)]
avidec: Dont crash on avi packets that belong to dv streams in dv in avi

Fixes null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 096231d497457be9496b0be01ff6da2093186c3c)

7 years agocook: check subacket count
Michael Niedermayer [Sat, 21 Apr 2012 17:28:35 +0000 (19:28 +0200)]
cook: check subacket count

Fixes out of array writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5a35bd92ad6b535fd5d3a7513169661de66ec247)

7 years ago4xmdemux: Check chunk size
Michael Niedermayer [Mon, 16 Apr 2012 12:30:33 +0000 (14:30 +0200)]
4xmdemux: Check chunk size

Fixes over reading the header array

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904f766b6989fe614c3fb093e697c847f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Sat, 5 May 2012 19:18:48 +0000 (21:18 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  Update Changelog for the 0.8.2 Release
  Prepare for 0.8.2 Release
  vqavideo: return error if image size is not a multiple of block size
  celp filters: Do not read earlier than the start of the 'out' vector.
  motionpixels: Clip YUV values after applying a gradient.
  jpeg: handle progressive in second field of interlaced.
  h263: more strictly forbid frame size changes with frame-mt.
  h264: additional protection against unsupported size/bitdepth changes.
  tta: prevents overflows for 32bit integers in header.
  ttadec: CRC checking
  tta: use skip_bits_long()

Conflicts:
Changelog
RELEASE
libavcodec/h264.c
libavcodec/tta.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoUpdate Changelog for the 0.8.2 Release
Reinhard Tartler [Fri, 4 May 2012 20:59:01 +0000 (22:59 +0200)]
Update Changelog for the 0.8.2 Release

7 years agoPrepare for 0.8.2 Release
Reinhard Tartler [Fri, 4 May 2012 20:40:37 +0000 (22:40 +0200)]
Prepare for 0.8.2 Release

7 years agovqavideo: return error if image size is not a multiple of block size
Mans Rullgard [Mon, 23 Apr 2012 12:16:33 +0000 (13:16 +0100)]
vqavideo: return error if image size is not a multiple of block size

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agocelp filters: Do not read earlier than the start of the 'out' vector.
Alex Converse [Fri, 4 May 2012 17:27:03 +0000 (10:27 -0700)]
celp filters: Do not read earlier than the start of the 'out' vector.

CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomotionpixels: Clip YUV values after applying a gradient.
Alex Converse [Wed, 2 May 2012 19:08:03 +0000 (12:08 -0700)]
motionpixels: Clip YUV values after applying a gradient.

Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agojpeg: handle progressive in second field of interlaced.
Ronald S. Bultje [Wed, 14 Mar 2012 00:18:41 +0000 (17:18 -0700)]
jpeg: handle progressive in second field of interlaced.

Progressive data is allocated later in decode_sof(), not allocating
that data leads to NULL dereferences.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh263: more strictly forbid frame size changes with frame-mt.
Ronald S. Bultje [Thu, 29 Mar 2012 19:24:10 +0000 (12:24 -0700)]
h263: more strictly forbid frame size changes with frame-mt.

Prevents crashes because the old check was incomplete.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoh264: additional protection against unsupported size/bitdepth changes.
Ronald S. Bultje [Thu, 29 Mar 2012 23:37:09 +0000 (16:37 -0700)]
h264: additional protection against unsupported size/bitdepth changes.

Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)

Conflicts:

libavcodec/h264.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotta: prevents overflows for 32bit integers in header.
Ronald S. Bultje [Thu, 29 Mar 2012 19:44:55 +0000 (12:44 -0700)]
tta: prevents overflows for 32bit integers in header.

This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agottadec: CRC checking
Paul B Mahol [Sat, 11 Feb 2012 21:30:30 +0000 (21:30 +0000)]
ttadec: CRC checking

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotta: use skip_bits_long()
Paul B Mahol [Sun, 5 Feb 2012 19:39:13 +0000 (19:39 +0000)]
tta: use skip_bits_long()

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovqavideodev: Check image dimensions
Michael Niedermayer [Thu, 22 Mar 2012 22:43:37 +0000 (23:43 +0100)]
vqavideodev: Check image dimensions

Fixes out of heap array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
Independently-Found-by: Fabian Yamaguchi
Fixes: CVE-2012-0947

Conflicts:

libavcodec/vqavideo.c

7 years agoMerge remote-tracking branch 'qatar/release/0.8' into release/0.10
Michael Niedermayer [Wed, 2 May 2012 20:49:14 +0000 (22:49 +0200)]
Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8: (24 commits)
  apedec: check bits <= 32.
  truemotion: forbid invalid VLC bitsizes and token values.
  mov: don't overwrite existing indexes.
  truemotion2: handle out-of-frame motion vectors through edge extension.
  lzw: prevent buffer overreads.
  truemotion2: convert packet header reading to bytestream2.
  lagarith: fix buffer overreads.
  raw: forward avpicture_fill() error code in raw_decode().
  vc1: Do not read from array if index is invalid.
  utvideo: port header reading to bytestream2.
  bytestream: add more unchecked variants for bytestream2 API
  bytestream: K&R formatting cosmetics
  bytestream: Add bytestream2 writing API.
  aac: Reset PS parameters on header decode failure.
  mov: Do not read past the end of the ctts_data table.
  xwma: Validate channels and bits_per_coded_sample.
  asf: reset side data elements on packet copy.
  vqa: check palette chunk size before reading data.
  vqavideo: port to bytestream2 API
  wmavoice: fix stack overread.
  ...

Conflicts:
cmdutils.c
cmdutils.h
libavcodec/lagarith.c
libavcodec/truemotion2.c
libavcodec/vqavideo.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
7 years agoapedec: check bits <= 32.
Michael Niedermayer [Thu, 29 Mar 2012 17:52:21 +0000 (17:52 +0000)]
apedec: check bits <= 32.

Fixes a floating-point exception further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotruemotion: forbid invalid VLC bitsizes and token values.
Ronald S. Bultje [Thu, 29 Mar 2012 17:25:04 +0000 (10:25 -0700)]
truemotion: forbid invalid VLC bitsizes and token values.

SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.

This prevents crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomov: don't overwrite existing indexes.
Ronald S. Bultje [Wed, 28 Mar 2012 19:56:07 +0000 (12:56 -0700)]
mov: don't overwrite existing indexes.

Prevents all kind of badness if files contain multiple
indexes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotruemotion2: handle out-of-frame motion vectors through edge extension.
Ronald S. Bultje [Thu, 29 Mar 2012 16:29:03 +0000 (09:29 -0700)]
truemotion2: handle out-of-frame motion vectors through edge extension.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agolzw: prevent buffer overreads.
Ronald S. Bultje [Thu, 29 Mar 2012 00:06:00 +0000 (17:06 -0700)]
lzw: prevent buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agotruemotion2: convert packet header reading to bytestream2.
Ronald S. Bultje [Wed, 28 Mar 2012 18:53:13 +0000 (11:53 -0700)]
truemotion2: convert packet header reading to bytestream2.

Also use correct buffer sizes in calls to tm2_read_stream(). Together,
this prevents overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agolagarith: fix buffer overreads.
Ronald S. Bultje [Tue, 27 Mar 2012 19:26:46 +0000 (12:26 -0700)]
lagarith: fix buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoraw: forward avpicture_fill() error code in raw_decode().
Ronald S. Bultje [Tue, 27 Mar 2012 01:02:08 +0000 (18:02 -0700)]
raw: forward avpicture_fill() error code in raw_decode().

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovc1: Do not read from array if index is invalid.
Mashiat Sarker Shakkhar [Sat, 24 Mar 2012 22:49:34 +0000 (15:49 -0700)]
vc1: Do not read from array if index is invalid.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoutvideo: port header reading to bytestream2.
Ronald S. Bultje [Fri, 23 Mar 2012 00:25:22 +0000 (17:25 -0700)]
utvideo: port header reading to bytestream2.

Fixes crash during slice size reading if slice_end goes negative.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agobytestream: add more unchecked variants for bytestream2 API
Paul B Mahol [Tue, 13 Mar 2012 14:14:59 +0000 (14:14 +0000)]
bytestream: add more unchecked variants for bytestream2 API

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agobytestream: K&R formatting cosmetics
Aneesh Dogra [Wed, 8 Feb 2012 18:07:20 +0000 (23:37 +0530)]
bytestream: K&R formatting cosmetics

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agobytestream: Add bytestream2 writing API.
Aneesh Dogra [Mon, 6 Feb 2012 20:09:22 +0000 (01:39 +0530)]
bytestream: Add bytestream2 writing API.

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoaac: Reset PS parameters on header decode failure.
Alex Converse [Wed, 21 Mar 2012 17:11:02 +0000 (10:11 -0700)]
aac: Reset PS parameters on header decode failure.

If the next header frame codes zero envelopes the previous frame's
values will be used. Consequently the invalid values must be cleared.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agomov: Do not read past the end of the ctts_data table.
Alex Converse [Wed, 21 Mar 2012 18:24:10 +0000 (11:24 -0700)]
mov: Do not read past the end of the ctts_data table.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoxwma: Validate channels and bits_per_coded_sample.
Alex Converse [Wed, 21 Mar 2012 17:58:07 +0000 (10:58 -0700)]
xwma: Validate channels and bits_per_coded_sample.

This prevents a SIGFPE later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agoasf: reset side data elements on packet copy.
Ronald S. Bultje [Wed, 21 Mar 2012 23:10:37 +0000 (16:10 -0700)]
asf: reset side data elements on packet copy.

Prevents crash (double free) when free()ing the original packet.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
7 years agovqa: check palette chunk size before reading data.
Ronald S. Bultje [Wed, 21 Mar 2012 22:19:31 +0000 (15:19 -0700)]
vqa: check palette chunk size before reading data.

Prevents overreads beyond buffer boundaries.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>