Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e47cfe9e5c10eee3c8d0b6aff81792c0f10e66e1)
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71e23d39a396f45bbdf258735b02a4bd5e25fd49)
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0cc44facf17153454727c26f2f40ee2f77b90df5)
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 769298a6869c3b16557280a63f6502409d1b5e49)
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 198ed6474d603f930430067b8b56955d443e821c)
av_realloc_f helps avoiding memory-leaks in typical uses of realloc.
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5cd754bca290775ec2dbbf88597ab58e0482efca)
av_size_mult helps checking for overflow when computing the size of a memory
area.
Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b2600509fef4d77645491f208b8113c372a32110)
wavpack_decode_block() supposes that it is called back with the exact
same buffer unless it has returned with an error. With multi-channels
files, wavpack_decode_frame() was breaking this assumption.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c2a016ad4d9c29285813ba5806189e63e063e0fb)
Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158)
Signed-off-by: Mike Scheutzow <mike.scheutzow@alcatel-lucent.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e2dae1faa84ada5746ac2114de7eb68abd824131)
The buffer size and pointer were not checked prior to testing the first
byte of the buffer. These were sometimes checked before calling, but it is
better to add it inside the function as it takes buf and size arguments.
Signed-off-by: Alexander Strasser <eclipse7@gmx.net>
(cherry picked from commit 715f259bf949b06df1b5ed0307606dc258754c99)
Replaces a very hackish hack to fix the same issue (call instruction
overwriting stack variables).
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
(cherry picked from commit 424bcc46b5fb0d662e0fb9ad6319c5b9ef3d770f)
It prevents leaving the state only half initialized.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 91f104496bb7632ed5ff03798e06dd8af014f0d9)
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
occurd during debug. I dont know if this can happen normally but if so
it would be quite bad.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit abe0dbea2e228621e97184e39159d189b6085fe3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The score of 50 can probably be raised if needed
Fixes Ticket490
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3f7dc480c1bf6abf4ac0f633a0c7e63d8eb29a55)
