Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fcbea93cf8777bbef2a393d26942b5d3c70a448d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 39a25908b84604acdaa490138282d091_signal_sigsegv_7ffff713351a_331_WAWV.avi with memlimit of 262144
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e80fe1ecd984a59bb6c73cbb436cc06536b7728)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 15629129dde771446a005282ee33c4ea1199e696)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 1013dbde2c360d939cc2dfc33e4f275c_signal_sigsegv_a0500f_45_320vp3.nsv with memlimit of 536870912
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fd4c87fa3becaf8a6c480db915daf51e297b76c5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 09e670595acbdafb226974b08dab66e3_signal_sigabrt_7ffff70eccc9_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 1048576
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 503ec7139f887bf8ed8d57da07ce93c4e88447a6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes null pointer dereferences
Fixes: af1a5a33e67e479f439239097bd0d4fd_signal_sigsegv_7ffff713351a_152_Dolby_Rain_Logo.pmp with memlimit of 8388608
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5d346feafa817c4fbc30f7ed0b93b2dad6cef15b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f7068bf277a37479aecde2832208d820682b35e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This prevents possible infinite loops with the calling code along the
lines of while (bytestream2_get_bytes_left()) { ... }, where the reader
does not advance.
CC: libav-stable@libav.org
(cherry picked from commit 86eee85daddb682fa072c2e2657c90a514b855e3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes Assertion failure
Found-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7ef6656b1e5bfbc7499013d3b38b093b6b2f31ec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This ensures that no stale pointers leak through on any path
Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b160fc290cf49b516c5b6ee0730fd9da7fc623b1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If init_get_bits fails the GetBitContext is invalid and must not be
used. Check the return value in dirac_header and propogate the error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4f5c2e651a95b950f6a3fb36f2342cbc32515f17)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise a frame with non-zero nb_samples but without any data can be
returned.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 42e7a5b3c704985c2c18970cc94a837b413df9d9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9020d514e9ed5043496a710b36daba1ab182e97)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
the later is not optimal when the buffer size is well known at allocation time
This avoids a memcpy()
Overall 2.5% speedup with a random 1920x1080 video
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 47496eb97cff8130991313d1b7292613620d8592)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2e13a45b1a9a69456631e582bbb06954d169eb55)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79a98294da6cd85f8c86b34764c5e0c43b09eea3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb)
Conflicts:
libavcodec/h264_slice.c
the max value of the lookup in expanded form is:
(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254
add one entry of padding to inv_map_table[] to prevent out of bounds
access with non-conforming / fuzzed bitstreams
Signed-off-by: James Zern <jzern@google.com>
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_7f875d_3482_cov_1818465256_ssudec.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0083c16605aa5997534e87e68f97ef85a8c3b7b8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b54ac8403bfea4e7fab0799ccfe728ba76959a38)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is required by the APNG spec
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a1736926e9ae51706b537776722e816a4d1f6b36)
Conflicts:
libavcodec/pngdec.c
Multiple IHDR chunks are forbidden in PNG
Fixes inconsistency and out of array accesses
Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 47f4e2d8960ca756ca153ab8e3e93d80449b8c91)
Conflicts:
libavcodec/pngdec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Claiming to have decoded more bytes than the packet size is wrong.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes fate/dds-rgb16 on big endian
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f6ab967eae497733f6adc12b30075980fd6eea98)
Conflicts:
tests/ref/fate/dds-rgb16
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit e22edbfd413242dda720dc5191fc00a51c24d74c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 910eeab48026060b5f7780b2560445c069eb4d6b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The pixel buffer base address is never unlocked this causes
a bug with some pixel format types that are produced natively
by the hardware decoder: the first buffer was always used.
Unlock the pixel buffer base address fixes the issue.
(cherry picked from commit c06fdacc3dc706e70d953917fea845532d3703ca)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7604358018229f345dfdf88b16c8930a67984435)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit abb833c5681b84d7025c083e2191140eaa30dca7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The function is specific to little endian
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4df3cf90bf7a54793e90304bd1b6c7599673f36a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d4325b2fea9e2f4f4a17d0b929f12425e9c39964)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
And default to 8000 if it is invalid.
An invalid sample rate can trigger av_assert2 in av_rescale_rnd.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5b76c82fd7a5f4f36bb901b8c43d7f7319599599)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
In the TTA extradata re-construction the values are written with
avio_wl16 and if they don't fit into uint16_t, this triggers an
av_assert2 in avio_w8.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes undefined behavior and segfault
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8edc17b639c4ac47913c467107ffb43c67c64890)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
QP_store is only 8-bit-aligned, so accessing it as uint32_t causes
SIGBUS crashes on sparc.
The AV_RN32/AV_WN32 macros only do unaligned access in the
HAVE_FAST_UNALIGNED case.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 590743101dc934043f34013f1c9bb9fb261355b0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is more robust.
And only check if there is actually a frame returned.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dd6c8575dbc8d3ff5dc2ffacb5028c253066ff78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Also use the frame pixel format instead of the one from the codec
context, which is more robust.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdc64a104410f5fcc7f35b62287b0ae502b7061a)
Conflicts:
libavcodec/h264_slice.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise it can be 0 in sonic_decode_frame, causing SIGFPE crashes.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 58995f647b5fa2e1efa33ae4f8b8a76a81ec99df)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6fdbaa2b7fb56623ab2163f861952bc1408c39b3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the check 'tile_size < size' treats a negative size as
unsigned, causing the check to pass. This subsequently leads to
segmentation faults.
This was originally fixed as part of Libav commit 72ca83, so the
original author is one of the following developers:
Anton Khirnov <anton@khirnov.net>
Diego Biurrun <diego@biurrun.de>
Luca Barbato <lu_zero@gentoo.org>
Martin Storsjö <martin@martin.st>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b18eac7ff22332c9344769af15f7b245dd13cc64)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Without this check it causes SIGILL crashes on ARMv5.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5bf84a584e9ce681b439a5747671e2809a019c83)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libopenjpeg can return images with components without data.
This fixes segmentation faults.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3ef5702926c495232ffe685303ba8661bdff1149)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the loop can take a lot of time if num_descr is very large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5718863da99b54b6c853d45c84871c4a96a57c0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Daemon404
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8e91d9652ea5048d9014e7636e12c6ed4732d7b7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780c833ef55815111d4771b95ff78567cdb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If chan2 is not smaller than the number of channels, it can cause
segmentation faults due to dereferencing a NULL pointer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05c57ba2f42324da2fdc93d83d65bb68dd637613)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
