The pixel buffer base address is never unlocked this causes
a bug with some pixel format types that are produced natively
by the hardware decoder: the first buffer was always used.
Unlock the pixel buffer base address fixes the issue.
(cherry picked from commit c06fdacc3d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The function is specific to little endian
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4df3cf90bf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
And default to 8000 if it is invalid.
An invalid sample rate can trigger av_assert2 in av_rescale_rnd.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5b76c82fd7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
In the TTA extradata re-construction the values are written with
avio_wl16 and if they don't fit into uint16_t, this triggers an
av_assert2 in avio_w8.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 92e79a2f7b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes undefined behavior and segfault
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8edc17b639)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
QP_store is only 8-bit-aligned, so accessing it as uint32_t causes
SIGBUS crashes on sparc.
The AV_RN32/AV_WN32 macros only do unaligned access in the
HAVE_FAST_UNALIGNED case.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 590743101d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also use the frame pixel format instead of the one from the codec
context, which is more robust.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdc64a1044)
Conflicts:
libavcodec/h264_slice.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6fdbaa2b7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the check 'tile_size < size' treats a negative size as
unsigned, causing the check to pass. This subsequently leads to
segmentation faults.
This was originally fixed as part of Libav commit 72ca83, so the
original author is one of the following developers:
Anton Khirnov <anton@khirnov.net>
Diego Biurrun <diego@biurrun.de>
Luca Barbato <lu_zero@gentoo.org>
Martin Storsjö <martin@martin.st>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b18eac7ff2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libopenjpeg can return images with components without data.
This fixes segmentation faults.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3ef5702926)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If chan2 is not smaller than the number of channels, it can cause
segmentation faults due to dereferencing a NULL pointer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05c57ba2f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The AVFrame values are closer to the AVFrame bitmap changed instead of
the AVCodecContext values, so this should be more robust
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aef0e0f009)
Conflicts:
libavcodec/h264_slice.c
Return layout when FF_API_GET_CHANNEL_LAYOUT_COMPAT is set even if the
layout itself is not in the deprecated style.
Signed-off-by: Simon Thelen <ffmpeg-dev@c-14.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 83307a32eb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoid potential out of array accesses
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12ba1b2b4d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c803ed9cb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
av_normalize1_sf doesn't properly address border case when mantis is
exactly -0x40000000.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7131aba916)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids leaks if the user doest call swr_close() after a failed init
Found-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3f87f7545)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This was simply wrong
Found-by: Martin Storsjö
This reverts commit 5d8e4f6da0.
(cherry picked from commit 3e34b7498f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is the maximum rate possible based on the frame size limit of MXF D-10
Previous version reviewed by tim nicholson <nichot20@yahoo.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d7a762553c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
check memory allocation in swri_get_dither()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 196b885a5f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If opj_image_create fails to allocate an image it returns NULL, which
causes a segmentation fault at 'img->x0 = 0'.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1577526b47)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes DTS detection of b2429e5ba9.dts
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9f5769437a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
nut->last_syncpoint_pos doesn't necessarily change between resync
attempts, so find_any_startcode can return the same startcode again.
Thus remember where the last resync happened and don't try to resync
before that.
This can't be done locally in nut_read_packet, because this wouldn't
prevent infinite resync loops, where after the resync a packet is
returned and while reading a following packet the resync happens again.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 37e679881d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
