s->mb_x is reset to zero a couple of lines above. It does not make
sense to call ff_er_add_slice() with 0 as endx when the end of the
macroblock row was reached. Fixes unnecessary and counterproductive
error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.
(cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264.c
This fixes use of uninitialized values when the FLAC encoder uses the
2-level, 4-level, and 8-level search methods. Fixes failure of the
fate-flac-24-comp-8 test when run using valgrind.
(cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032)
Conflicts:
libavcodec/flacenc.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The value should be always 3, as it follows from the specification.
Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
(cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
When decode_nal_units() previously encountered a NAL_END_SEQUENCE,
and there are some junk bytes left in the input buffer, but no start codes,
buf_index gets stuck 3 bytes before the end of the buffer.
This can trigger an infinite loop in the caller code, eg. in
try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes,
with 3 bytes of the input packet still available.
With this change, the remaining bytes are skipped so the whole packet gets
consumed.
CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2)
Conflicts:
libavcodec/h264.c
ALS spec:
11.6.3.1.1 Quantization and encoding of parcor coefficients
...
In all cases the resulting quantized values ak are restricted to the range [-64,63].
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Values that fail this check will cause failure of decode_rice()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This prevents writing into a too small array if some parameters changed
without the tile being reallocated.
Fixes CVE-2012-2794
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Found by John Villamil <johnv@matasano.com>
(cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The decode function assumes that the video will have those dimensions.
Fixes CVE-2012-2801
CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit ddce8953a5056800ec795df2dfd84fc17a11b5fc)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Gray8 is not considered to be paletted, so this would cause an invalid
write.
Fixes bug 367.
CC: libav-stable@libav.org
(cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Override the frame size from the SPS with AVCodecContext values
if the latter specify a size smaller by less than one macroblock.
This is required for correct cropping of MOV files from Canon cameras.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d)
Conflicts:
libavcodec/h264.c
All modern assemblers have this capability. Older NASM versions
that lack the capability produce code that crashes at runtime,
so it's better to error out during the build process instead.
(cherry picked from commit e287201c77dc7a7a9759d56d8f48ae719b7e69a9)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Duplicate values in this vector are explicitly banned by the Vorbis I spec
and cause divide-by-zero crashes later on.
(cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9aaaeba45c41cf2b3fa4100abbdee7437428f93c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit be8d812c9635f31f69c30dff9ebf565a07a7dab7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit e46cf805b10070327026f8e2880fe29e5e9ac1af)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325)
Conflicts:
libavfilter/formats.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.
Fixes CVE-2012-2775
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a1b127515bb79c715933d0d4201e4ef3152b3dcb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This can easily happen when the caller is using a custom AVIOContext.
Behave as if the filename was an empty string in this case.
CC: libav-stable@libav.org
(cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7124fa5d3640e5b8089dd13b22a09038b2ec5216)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.
This fixes crashes in error resilience on vc1/wmv3 videos.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CC: libav-stable@libav.org
(cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
