Mans Rullgard
8c2ae575ad
aacdec: fix undefined shifts
...
Since nnz can be zero, this is needed to avoid a shift by 32.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit d12294304a
2012-03-18 17:50:35 +01:00
Laurent Aimar
9c78fe9360
bink: Check for various out of bound writes
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a00676e48e
2012-03-18 17:50:35 +01:00
Laurent Aimar
c98d7882d8
bink: Check for out of bound writes when building tree
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 24adf7832b
2012-03-18 17:50:35 +01:00
Mans Rullgard
e52e85ac3a
put_bits: fix invalid shift by 32 in flush_put_bits()
...
If flush_put_bits() is called when the 32-bit buffer is empty,
e.g. after writing a multiple of 32 bits, and invalid shift by
32 is performed. Since flush_put_bits() is called infrequently,
this additional check should have negligible performance impact.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit ac6eab1496
2012-03-18 17:50:35 +01:00
Alex Converse
4faa00b256
mpegps: Use av_get_packet() instead of poorly emulating it.
...
(cherry picked from commit 98ef887a75
2012-03-18 17:50:31 +01:00
Janne Grunau
90d7146511
motionpixels: decode only the 111 complete frames for fate
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c2f2dfb3dd
2012-03-18 17:50:31 +01:00
Laurent Aimar
59050c0629
mpc8: Check out of bound bands limit
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 9bd854b1ff
2012-03-18 17:50:31 +01:00
Laurent Aimar
be2404b06d
xan: Prevent NULL dereference with missing palette
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 7d17a794f0
2012-03-18 17:50:31 +01:00
Laurent Aimar
49007b494e
xan: Check for out of bound reads in xan_huffman_decode()
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3db3fdf4c6
2012-03-18 17:50:31 +01:00
Laurent Aimar
0277c82de2
xan: Fixed out of bound accesses in xan_unpack()
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3e0757c2a8
2012-03-18 17:50:31 +01:00
Laurent Aimar
5fa8e43b54
motionpixels: Prevent calling init_vlc() with invalid parameters
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1cd0a55163
2012-03-18 17:50:31 +01:00
Laurent Aimar
737bea21b6
shorten: Fix out of bound writes in fix_bitshift()
...
The data pointers s->decoded[*] already take into account s->nwrap.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 5f05cf4ea9
2012-03-18 17:50:31 +01:00
Laurent Aimar
aa9e308580
dsicinav: Check for out of bounds writes
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1720603287
2012-03-18 17:50:31 +01:00
Laurent Aimar
d57d039e04
tiertexseqv: Check for out of bound reads
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 64263dd526
2012-03-18 17:50:31 +01:00
Laurent Aimar
97a1ab4bce
quickdraw: Check for out of bound reads
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 4fd56f842c
2012-03-18 17:50:31 +01:00
Laurent Aimar
914b9b0b2b
dsicinav: Check for out of bounds reads
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit e3ca9b93d9
2012-03-18 17:50:31 +01:00
Laurent Aimar
39de0e008d
motionpixels: Fix the size of workspace buffers
...
Some buffers must be mod 4 in width and/or height.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 210c80331e
2012-03-18 17:50:31 +01:00
Laurent Aimar
f2f2a00d39
motionpixels: Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit d337dd3a90
2012-03-18 17:50:31 +01:00
Laurent Aimar
905d0633a6
wmavoice: Check for corrupted extra data
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit d99427cb8b
2012-03-18 17:50:31 +01:00
Laurent Aimar
95605595b5
wmavoice: Check for out of bound writes
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1c1449b548
2012-03-18 17:50:31 +01:00
Laurent Aimar
fb20141563
xan: Prevent NULL dereferences with missing reference frame
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 06be075cda
2012-03-18 17:50:31 +01:00
Laurent Aimar
c5766b55c4
bink: Prevent NULL dereferences with missing reference frame
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c7e631986b
2012-03-18 17:50:30 +01:00
Laurent Aimar
d646cce15f
wavpack: Reset internal state on corrupted blocks
...
wavpack_decode_block() supposes that it is called back with the exact
same buffer unless it has returned with an error. With multi-channels
files, wavpack_decode_frame() was breaking this assumption.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 2c6cf13940
2012-03-18 17:50:30 +01:00
Laurent Aimar
04b71cdedd
wmapro: Validate the number of audio channels before using it
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 2c1ba79941
2012-03-18 17:50:30 +01:00
Laurent Aimar
fce03f8783
mpc8: Fix return value on EOF
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1e3336de69
2012-03-18 17:50:30 +01:00
Laurent Aimar
22949c42ed
shorten: Prevent block size from increasing
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 95010d18b2
2012-03-18 17:50:30 +01:00
Laurent Aimar
8751941030
xan: Prevent out of bound accesses
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 124a16f678
2012-03-18 17:50:30 +01:00
Laurent Aimar
3e1b5981ba
vp56: Release old pictures after a resolution changes
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3d09d0017d
2012-03-18 17:50:30 +01:00
Laurent Aimar
efe3fb13a7
vp56: Check for missing reference frame data
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 0ec6d6e9b6
2012-03-18 17:50:30 +01:00
Laurent Aimar
987f5dc55e
cinepak: Fix invalid read access on extra data
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit d239d4b447
2012-03-18 17:50:30 +01:00
Laurent Aimar
5bb9ce755b
cook: Fix js_vlc_bits value validation for joint stereo
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3a742470a8
2012-03-18 17:50:30 +01:00
Laurent Aimar
ea5a5f0908
segafilm: Check for memory allocation failures in segafilm demuxer.
...
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1775b92fee
2012-03-18 17:50:30 +01:00
Laurent Aimar
619aab2f41
Fixed deference of NULL pointer in motionpixels decoder.
...
Some of the arguments given to init_vlc() come from the stream
and can be corrupted.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 69a0bce753
2012-03-18 17:50:30 +01:00
Ronald S. Bultje
8099d77ca4
mpegvideo: set correct offset for edge emulation buffer.
...
Using the old code, half of it was unused and the other half was too
small for e.g. >8bpp interlaced data, causing random buffer overruns.
(cherry picked from commit 330deb7592
2012-03-18 17:50:30 +01:00
Ronald S. Bultje
bb7fd94eeb
mpegvideo: fix position of bottom edge.
...
It was wrong in colorspaces where horizontal and vertical chroma
subsampling are not the same, e.g. 422.
(cherry picked from commit 0884dd5a1b
2012-03-18 17:50:30 +01:00
Chris Rankin
ea311af23d
qcelpdec: fix the return value of qcelp_decode_frame().
...
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit bde2570013
2012-03-18 17:50:30 +01:00
Justin Ruggles
4562f95ba8
sipr: fix the output data size check and only calculate it once.
...
(cherry picked from commit 1b5a189f06
2012-03-18 17:50:27 +01:00
Justin Ruggles
fc0e151cdc
mpc8: check output buffer size before decoding
...
(cherry picked from commit 5674d4b0a3
2012-03-18 17:50:25 +01:00
Justin Ruggles
56fe62ec94
mpc7: return error if packet is too small.
...
(cherry picked from commit 8290d1f38b
2012-03-18 17:50:22 +01:00
Justin Ruggles
ce3e0d48f8
mpc7: check output buffer size before decoding
...
(cherry picked from commit c8b5c4d274
2012-03-18 17:50:20 +01:00
Justin Ruggles
d46efbebe7
nellymoser: check output buffer size before decoding
...
(cherry picked from commit 8b31c086b6
2012-03-18 17:50:17 +01:00
Martin Storsjö
151aaf539f
lavf: Avoid using av_malloc(0) in av_dump_format
...
On OS X, av_malloc(0) returns pointers that cause crashes when
freed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e81e5e8ad2
2012-03-18 17:50:17 +01:00
Stefano Sabatini
f74a4b621f
avfiltergraph: use meaningful error codes
...
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 59cef18c24
2012-03-18 17:50:17 +01:00
Justin Ruggles
7fc9aa6d35
flacdec: fix buffer size checking in get_metadata_size()
...
Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d5
2012-03-18 17:50:17 +01:00
Justin Ruggles
ce80957cf1
sol: return error if av_get_packet() fails.
...
This prevents sending a packet with data=NULL size=AVERROR_EOF.
(cherry picked from commit b15a9888a8
2012-03-18 17:50:17 +01:00
Laurent Aimar
74f4c1358c
flvdec: Fix invalid pointer deferences when parsing index
...
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2b4e49d428
2012-03-18 17:50:17 +01:00
Peter Ross
8475df8158
permit decoding of multichannel ADPCM_EA_XAS
...
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3a549eb82b
2012-03-18 17:50:17 +01:00
Reimar Döffinger
282a1a960a
Fix input buffer size check in adpcm_ea decoder.
...
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185ffe92ff9f0
2012-03-18 17:50:17 +01:00
Sean McGovern
2ba86066be
fft: avoid a signed overflow
...
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f56107
2012-03-18 17:50:17 +01:00
Alex Converse
2f62b677cc
mpegps: Handle buffer exhaustion when reading packets.
...
(cherry picked from commit 9fba8ebe0a
2012-03-18 17:50:14 +01:00
