* release/0.8: (31 commits)
svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148
vp3dec: Check coefficient index in vp3_dequant() Fixes NGS00145
qdm2dec: fix buffer overflow. Fixes NGS00144
h264: Fix invalid interlaced progressive MB combinations for direct mode prediction. Fixes Ticket312
mpegvideo: dont use ff_mspel_motion() for vc1 Fixes Ticket655
imgutils: Fix illegal read.
ac3probe: Detect Sonic Foundry Soft Encode AC3 as raw AC3. Our ac3 code chain can handle it fine. More ideal would be to write a demuxer that actually extracts what can be from the additional headers and uses it for whatever it can be used for.
mjpeg: support mpo Fixes stereoscopic_photo.mpo
Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info.
lavf: fix multiplication overflow in avformat_find_stream_info()
lavf: fix invalid reads in avformat_find_stream_info()
lavf: add avformat_find_stream_info()
lavc: fix parentheses placement in avcodec_open2().
lavc: introduce avcodec_open2() as a replacement for avcodec_open().
rawdec: use a default sample rate if none is specified. Fixes "ffmpeg -f s16le -i /dev/zero"
rawdec: add check on sample_rate
qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones() This is neccessary but likely not sufficient to prevent out of array reads.
cinepak: check strip_size
wma: Check channel number before init. Fixes Ticket240
Do not try to read 16bit gray png files with alpha channel.
...
Conflicts:
libavcodec/version.h
libavformat/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes NGS00144
This also adds a few lines of code from master that are needed for this fix.
Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket312
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 833a195905405fc9646c7544ce9d0f3279608977)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket655
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 50d6f8195658d529c57bb42dfd8d7a71d60a9f1d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/release/0.7:
Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info.
lavf: fix multiplication overflow in avformat_find_stream_info()
lavf: fix invalid reads in avformat_find_stream_info()
lavf: add avformat_find_stream_info()
lavc: fix parentheses placement in avcodec_open2().
lavc: introduce avcodec_open2() as a replacement for avcodec_open().
Conflicts:
doc/APIchanges
libavcodec/utils.c
libavcodec/version.h
libavformat/avformat.h
libavformat/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 1d36fb13b088f55ece155153fb6ca8ea278fc837)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Adds support for decoder-private options and makes setting other options
simpler.
(cherry picked from commit 0b950fe240936fa48fd41204bcfd04f35bbf39c3)
Conflicts:
libavcodec/avcodec.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This is neccessary but likely not sufficient to prevent out of array reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 14db3af4f26dad8e6ddf2147e96ccc710952ad4d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cea0c82d9b9771dfa2ac729c13c0d9e03ea352a7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket240
Based on patch by ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 20431a9982b9bd2c475042d919890a941ad70c71)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
FFmpeg does not support gray16a.
Fixes the crash in ticket #644.
(cherry picked from commit 0c5fd6372e6c257912d7ae64cbfc4d8541f0452f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 554caed2d397e137286f2cc71c6bac477b41fa96)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found with Address Sanitizer
(cherry picked from commit bb4b0ad83b13c3af57675e80163f3f333adef96f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found with Address Sanitizer
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
There were multiple issues, for example might we have to re-run
the decompression when the size of the buffer increased,
we should always use a decompression buffer large enough for
the header (so we do not get stuck when the size is too small).
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
There were multiple issues, for example might we have to re-run
the decompression when the size of the buffer increased,
we should always use a decompression buffer large enough for
the header (so we do not get stuck when the size is too small).
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
* release/0.8: (96 commits)
Version numbers for 0.8.6
snow: emu edge support Fixes Ticket592
imc: validate channel count
imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263)
libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf)
configure: fix arch x86_32
mp3enc: avoid truncating id3v1 tags by one byte
asfdec: Check packet_replic_size earlier
cin audio: validate the channel count
binkaudio: add some buffer overread checks.
atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872)
atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e)
vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
apedec: set s->currentframeblocks after validating nblocks
apedec: use unsigned int for 'nblocks' and make sure that it's within int range
apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d)
apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313d11b37772c05a28da20fbc112db478)
mpegaudiodec: check output data size based on avctx->frame_size
resample: Fix array size
resample2: fix potential overflow
...
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket592
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4416931fc069332e267ab6df037a1227c051d7b1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
ask for a sample if not mono
(cherry picked from commit 7b7f47e73356d113cace74b922eee0b6ff5ffe0b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This stops decoding before overreads instead of after.
(cherry picked from commit 101ef19ef4dc9f5c3d536aee8fcc10fff2af4d9e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3e7db0a9ee758bf0570a141be1fea64f8d9c03db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
avpicture_get_size() returns the size of buffer required for avpicture_layout.
For pseudo-paletted formats (gray8...) this size does not include the palette.
However, avpicture_layout doesn't know this and still writes the palette. Consequently,
avpicture_layout writes passed the length of the buffer. This fixes it
by fixing avpicture_layout so that it doesn't write the palette for these formats.
Signed-off-by: Matthew Einhorn <moiein2000@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e662b263d9c500270a8f1dc7e1b81b51d5bdfd4e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit feadcd1bdcbb4601f4ff01878027264fde985ee1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 0f0b5d643401d4d83322eeee0e57eb5a226ef9ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 56535793810584f5b3ae59e62cea66fe22d0307d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit f05c2fb6eb1f9ddaec3c07d1874ba62ec0891269)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
