libopenjpeg can return images with components without data.
This fixes segmentation faults.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3ef5702926)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise the loop can take a lot of time if num_descr is very large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5718863da)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Daemon404
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8e91d9652e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780c8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If chan2 is not smaller than the number of channels, it can cause
segmentation faults due to dereferencing a NULL pointer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05c57ba2f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The AVFrame values are closer to the AVFrame bitmap changed instead of
the AVCodecContext values, so this should be more robust
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aef0e0f009)
Conflicts:
libavcodec/h264_slice.c
Return layout when FF_API_GET_CHANNEL_LAYOUT_COMPAT is set even if the
layout itself is not in the deprecated style.
Signed-off-by: Simon Thelen <ffmpeg-dev@c-14.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 83307a32eb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoid potential out of array accesses
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12ba1b2b4d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c803ed9cb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids leaks if the user doest call swr_close() after a failed init
Found-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3f87f7545)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This was simply wrong
Found-by: Martin Storsjö
This reverts commit 5d8e4f6da0.
(cherry picked from commit 3e34b7498f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is the maximum rate possible based on the frame size limit of MXF D-10
Previous version reviewed by tim nicholson <nichot20@yahoo.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d7a762553c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
check memory allocation in swri_get_dither()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 196b885a5f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2c58931e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Various header informations need to be reset when decoding next frame.
Regression since: 95582b5c
Fixes ticket #4597.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit a03b69478b)
If opj_image_create fails to allocate an image it returns NULL, which
causes a segmentation fault at 'img->x0 = 0'.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1577526b47)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
s->ref_pics[i] is later used as ref argument of interpolate_refplane,
where it is dereferenced.
If it is NULL, it causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d93181ef3e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If bytes is large enough, bytes*8 can overflow and become negative.
In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.
This leads to a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9e66b39aa8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 984f50deb2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The later is not correct
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d309d3091)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e54540655f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
index_scale is set to matroska->time_scale of type uint64_t.
When index_scale is int, the assignment can overflow and e.g. result
in index_scale = 0. This causes a floating point exception due to the
division by index_scale.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eb9fb508b0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A negative frame rate triggers an av_assert2 in av_rescale_rnd.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6621105877)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The opt_opencl_bench function copied the device name using strcpy without checking if the source string was larger.
This patch fixes this by replacing the strcpy with av_strlcpy, with the string copy size capped to the destination buffer size.
Signed-off-by: Maneesh Gupta <maneesh.gupta@amd.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cf234552b8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise range_start_decoding is not necessarily run and thus
ctx->rc.range still 0 in range_dec_normalize leading to an infinite
loop.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 464c49155c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
