This prevents a buffer overflow in rle_decode()
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes encoding where the idct setting originally was set to
FF_IDCT_AUTO and dsputil chose a default idct with a non-null
permutation - even if the permutation tables were updated,
dct_quantize in x86/mpegvideoenc_template.c also checked the
value of this type variable.
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '2bef1a83d7a3ca60b161ab90bf4d4338e5def5e7':
dsputil: remove some never-assigned function pointers from the struct.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '2e4bb99f4df7052b3e147ee898fcb4013a34d904':
vorbisdsp: convert x86 simd functions from inline asm to yasm.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'ed1b01131e662c9086b27aaaea69684d8575fbea':
mlp: implement support for AVCodecContext.request_channel_layout.
Conflicts:
libavcodec/mlpdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b0c7e3ffd09f68022429920da483ad7abed84aa1':
mlp_parser: account for AVCodecContext.request_channels when setting the channel layout.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1fd2deedcc6400e08b31566a547a5fac3b38cefb':
mlpdec: set the channel layout.
Conflicts:
libavcodec/mlpdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '99ccd2ba10eac2b282c272ad9e75f082123c765a':
mlp: store the channel layout for each substream.
Conflicts:
libavcodec/mlp_parser.c
libavcodec/mlpdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The check `start + res < start' is broken since pointer overflow is
undefined behavior in C. Many compilers such as gcc/clang optimize
away this check.
Use `res > end - start' instead. Also change `res' to unsigned int
to avoid signed left-shift overflow.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly. Also change a literal buffer
size to use sizeof, and limit the amount of data copied in another
memcpy call as well.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
This makes sure that the restrict keyword is mapped to whatever
keyword the compiler prefers/supports. This fixes building on MSVC
(and possibly on GCC 2.x as well).
Signed-off-by: Martin Storsjö <martin@martin.st>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The check `start + res < start' is broken since pointer overflow is
undefined behavior in C. Many compilers such as gcc/clang optimize
away this check.
Use `res > end - start' instead. Also change `res' to unsigned int
to avoid signed left-shift overflow.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of uninitialized and half initialized values, which
can occur on several error pathes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>