If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.
Also fix potential overflow of avio_tell(bc) + value_len.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Otherwise sm_size can be larger than size, which results in a negative
packet size.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6b9fdf7f4f07926557048070cc2af3cfd0e3fe50)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
These loops can take a lot of time if count is very large.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This can unnecessarily waste a lot of time.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fa7dec8cb00d2d0dd96ff9863ccda38428610a21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
nut->last_syncpoint_pos doesn't necessarily change between resync
attempts, so find_any_startcode can return the same startcode again.
Thus remember where the last resync happened and don't try to resync
before that.
This can't be done locally in nut_read_packet, because this wouldn't
prevent infinite resync loops, where after the resync a packet is
returned and while reading a following packet the resync happens again.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 37e679881d364b6da817d829d35869d657218ab3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Prevents read of uninitialized variable
Based on patch by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ebb0ca3d70465ab6d369a66b2ef43bb059705db8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b3496b4a33e806b7afdcbbf6f468b0332b676d7c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6bbb2f8f4da67af374d62403742482cc5962aa21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 361702660d2c37a63b7d6381d39e1e1de8405260)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes CID1041175
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault when accessing the metadata.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A negative frame rate triggers an av_assert2 in av_rescale_rnd.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6621105877ce0d65724a8ab60b3a50160adbe65d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '52a1c32c0a86e84d43f977c5148e62975a0c6917':
nut: Use nut->version in the version range check
Conflicts:
libavformat/nutdec.c
Note, this bug did not affect ffmpeg
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Add the low overhead pipe mode and the extended broadcast mode.
Export the options as 'syncponts' since it impacts only that.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The code was buggy, using the wrong variable, also it missed the case
where the packet become smaller due to sidedata/metadata being extracted
which left a few bytes uninitialized
Fixes use of uninitialized memory
Fixed: msan_uninit-mem_7f6abbe44530_6838_mewmew_vorbis_ssa.nut
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f2785ab8669_6838_mewmew_vorbis_ssa.nut
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e0c53c3408181d2e7d544eb65fc7355a79438dfe':
nut: use meaningful error values
FATE: use a less ambiguous end time for filter-trim-time test
Conflicts:
libavformat/nutdec.c
tests/fate/filter-video.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '46c1917350f58dfab84e41919e6c02d43950db8c':
nut: use a define for the nut version
bgmc: Do not mark ff_bgmc_decode_init() as av_cold
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The function is a callback that is called by ff_gen_search with
a constant stream index.
Avoid a false positive on older gcc version.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
