This macro avoids the undefined corner case with the *_MIN values
Previous version Reviewed-by: Ganesh Ajjanagadde <gajjanag@mit.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d6cd614dac579850076ae312c29c4188f8659e46)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 733511fb53fedd3adaaeabc5db9d0b29e71ea1d3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes out of array access
Fixes: 87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63fb5a6aefb4223334001fd2c0d82a5e22e3b528)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6701c92fa4269872856c70c3170a9b3291b46247)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Actually time_base should not be 0/0, but the proper fix is part of
commit 7ea1b34, which can't be backported, as it changes API.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise the h263p decoder can try to copy overread bytes, even though
buffer is NULL.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6a69a175e7b5c5393528ed0f5753e41573fa0df2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If it is negative, it causes segmentation faults in decode_rle.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f621749d1181987b3f815c6766ea66d6c5d55198)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes crash
Fixes Ticket4969 part 1
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 07225fa74f2cdb29d6d85fd33675539bfdfe9ea5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189420cb561929e05f5cc4224cdca83740a24a32)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
flcoeffs2[pos] should be the log2 of flcoeffs1[pos].
flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf,
causing problems further down.
This seems to have been copied from imc_decode_level_coefficients in
commit 4eb4bb3 without updating the position.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 75fd5ce4c1c0b2d96d71c74b650cefaaef519d27)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
It asserts that the frame linesize is larger than 37, but it can be
smaller and decoding such frames works.
Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the
blocks were interleaved in the tmp buffer and the last block was added
with an offset of 6*MB_SIZE.
It was changed for src_stride <= 7*MB_SIZE to write the blocks
sequentially, hence the larger tmp_step.
After that the assert was only necessary to make sure that the buffer
remained large enough.
Since commit bd2b6b33 s->scratchbuf is used as tmp buffer.
As part of commit 86e107a7 the minimal scratchbuf size was increased to
256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE.
Also add a comment explaining the tmp_step calculation.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3526a120f92929cb0a4009e403ee2f141030c487)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
More than 32 bits can't be stored in an integer and get_bits should not
be used with more than 25 bits.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d0eff8857ceff2601f85037c930cbe61a88b611e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9a345802edf7f430b3335f486aecdd8552f8367b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
get_bits should not be used for more than 25 bits.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9883a669c3df05a5c453428e080298c6511a17e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise sm_size can be larger than size, which results in a negative
packet size.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6b9fdf7f4f07926557048070cc2af3cfd0e3fe50)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If nb_samples is zero, the bit_rate calculation results in a division by
zero.
Since ff_get_buffer fails if frame->nb_samples is zero, this can be
fixed by moving the bit_rate calculation after that function call.
That also makes it possible to reuse the already calculated
frame->nb_samples value.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This fixes a segfault when decoding multi-channel MP3onMP4 files.
This is similar to commit cb72230d for MPADSPContext.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 151dbe4579601a81662b4b366d0e10df3c00027a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
get_bits should not be used with more than 25 bits.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1f1e0a2971b2a01f275bb5088c2e36166514be64)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This way ffplay chooses the mp2 stream for Ticket3890
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 802cca5905abe1fe8392e85a812462b959889aaa)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
If bit_rate is negative, it can trigger an av_assert2 in av_rescale_rnd.
Since av_rescale returns int64_t, but st->codec_bit_rate is int, it can
also overflow into a negative value.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eec40b713eee84e2aec8af35ccce059817cad2a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8b4f6d6befc5062db74916ea8a4d830e83022a8)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
With a certain fuzzed file, the parser will always return 0 consumed
bytes, which makes calling code call the parser infinitely. Return the
full packet size on error instead. (Here it would be nice if parsers
could return errors at all.)
Additionally, _if_ there's some data left, return that too, which might
help with somewhat broken but still somehow playable files.
Fixes ticket #4242.
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 09b4ad15681be197fff8c57ce7c988a4718d6e03)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes trac ticket 3226. Also see Andreas' analysis in
https://bugs.debian.org/801745, which was very helpful.
(cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209)
Fixes infinite loop and segfault in ogg_buffer_data()
Fixes Ticket4806
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7)
Fix segfault with too large slice_count
Fixes Ticket4879
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568)
Conflicts:
libavcodec/ffv1enc.c
libavcodec/ffv1.c
Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3
packets. This code forgot to report to the user that data was skipped at
all.
Since audio codecs allow partial packet decoding, the user application
has to rely on the return value. It will remove the data reported as
consumed by the decoder, and feed it to the decoder again. This resulted
in the mp3 frame after the zero region to be decoded over and over
again, until the zero region was finally skipped by the application.
Fix this by including the amount of skipped bytes to the number of
consumed bytes returned by the decode call.
Fixes trac ticket #4890.
(cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee155c18a2c50b339ba5f6f223fbb6dc343fd471)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 781efd07415cdf6f676cca5b22147e5d6be0a4c4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
No testcase known
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 45f3d4e63e7807ff3d281f269625ed83f11e4cdc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
No testcase known
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ac0ba6f233698f02ebb75b03242e94333dbe13d4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes Ticket4778
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The null muxer has AVFMT_RAWPICTURE set but can be fed with non-raw material
related to Ticket4778
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8890941d63df786bb7a8cab92677416499bb7c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 15ff3f3fdfc788c0e4e584badd7ec300abfbd716)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes Ticket4777
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db91e0edb63afc682ae709f73e3732a4c832944d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1f59bb6606721ef5eeade4ada541630d51510fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
