Seeking back on EOF will reset the EOF flag, causing us to re-enter
the loop to find the next marker in the ASF file, thus potentially
causing an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bb6d5411e1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Because in contrast to the decoder, the parser does not setup low_delay.
The code in parse_nal_units would always end up setting has_b_frames
to "1", except when stream is explicitly marked as low delay.
Since the parser itself would create 'extradata', simply reopening
the parser would cause this.
This happens for instance in estimate_timings_from_pts(), which causes the
parser to be reopened on the same stream.
This fixes Libav #22 and FFmpeg (trac) #360
CC: libav-stable@libav.org
Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(commit 31ac0ac29b)
Comments and description adapted by Reinhard Tartler.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 790a367d9e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Specifically, prevent jumping back in the file for the next index, since
this can lead to infinite loops where we jump between indexes referring
to each other, and don't read indexes that don't fit in the file.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aac07a7a4c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crash when trying to copy from a non-existing plane in e.g.
a RGB32 reference image to a YUV420P target image
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 830f70442a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be129271ea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Prevents crashers when using the packet if allocation failed.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 31632e73f4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents crashers and errors further down when reading nodes in the
empty tree.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2b83e8b700)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Return 0 indicates "please return the same data again", i.e. it causes
an infinite loop. Instead, return that we consumed the buffer if we
finished decoding succesfully, or return an error if an error occurred.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 74699ac8c8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 41afac7f7a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
At very small dimensions, this calculation could lead to zero-sized
filters, which leads to uninitialized output, zero-sized allocations,
loop overflows in SIMD that uses do{..}while(i++<filtersize); instead
of for(i=0;i<filtersize;i++){..} and several other similar failures.
Therefore, require a minimum filtersize of 1.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dae2ce361a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit cd40c31ee9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers say that that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.
Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d78bb1a4b2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
If attribute_deprecated is used in an enum declaration, it
should follow the 'enum' keyword, otherwise it's ignored
silently. This is the only case of attribute_deprecated for
enum declarations currently.
Currently, this attribute_deprecated doesn't have any effect.
If moved to the right place, it emits a warning every single
time avcodec.h is included, like this:
avcodec.h:2827: warning: ‘AVLPCType’ is deprecated (declared at avcodec.h:543)
There is already a working attribute_deprecated for the
corresponding field in AVCodecContext, so therefore this
one shouldn't be needed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 1b6da627d4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If attribute_deprecated is used in an enum declaration, it
should follow the 'enum' keyword, otherwise it's ignored
silently. This is the only case of attribute_deprecated for
enum declarations currently.
Currently, this attribute_deprecated doesn't have any effect.
If moved to the right place, it emits a warning every single
time avcodec.h is included, like this:
avcodec.h:2827: warning: ‘AVLPCType’ is deprecated (declared at avcodec.h:543)
There is already a working attribute_deprecated for the
corresponding field in AVCodecContext, so therefore this
one shouldn't be needed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 1b6da627d4)
Signed-off-by: Martin Storsjö <martin@martin.st>
* qatar/release/0.7: (96 commits)
intfloat_readwrite: fix signed addition overflows
smacker: validate channels and sample format.
smacker: check buffer size before reading output size
smacker: validate number of channels
sipr: fix get_bits(0) calls
motion_est: make MotionExtContext.map_generation unsigned
4xm: prevent NULL dereference with invalid huffman table
4xmdemux: prevent use of uninitialized memory
4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
ptx: check for out of bound reads
tiffdec: fix out of bound reads/writes
eacmv: check for out of bound reads
eacmv: fix potential pointer arithmetic overflows
adpcm: fix out of bound reads due to integer overflow
anm: prevent infinite loop
avsdemux: check for out of bound writes
avs: check for out of bound reads
avsdemux: check for corrupted data
mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
...
Conflicts:
libavcodec/adpcm.c
libavcodec/bink.c
libavcodec/h264.c
libavcodec/h264.h
libavcodec/h264_cabac.c
libavcodec/h264_cavlc.c
libavcodec/motion_est_template.c
libavcodec/mpegvideo.c
libavcodec/nellymoserdec.c
libavcodec/ptx.c
libavcodec/svq3.c
libavcodec/vaapi_vc1.c
libavcodec/xan.c
libavfilter/vf_scale.c
libavformat/4xm.c
libavformat/flvdec.c
libavformat/mpeg.c
tests/ref/fate/motionpixels
Merged-by: Michael Niedermayer <michaelni@gmx.at>
These additions might overflow the signed range for large
input values. Converting to unsigned before the addition
rather than after avoids such undefined behaviour. The
result under normal two's complement wraparound remains
unchanged.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 88d1e2b2b0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Zero-length get_bits() is undefined, must check before calling.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit c79d2a20ba)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The way this value is used, it should be an unsigned type.
While the numerical value has no meaning, unsigned wraparound
is relied upon.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit cb668476ab)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
