When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6551acab68)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
It causes all kinds of problems and there is no code in the muxers that reads
this field
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 242f1152bf)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket4151
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8524558858)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes ticket4152
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eac5c7b837)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3ea49fc5081d63277ecbc12ed440af4b02ddfdf9':
vc1: Do not assume seek happens after decoding
See: 6801eb0a09
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If a seek is requested before the decoding start there is no
current picture.
CC: libav-stable@libav.org
(cherry picked from commit 3e348ecfc6ab1830e43288a9e12e8f0a000afbcb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 8b0e96e1f2
These should be redundant, but are backported for saftey anyway
(cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See: 105654e376
These should be redundant, but are backported for saftey anyway
(cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: case5_av_frame_copy_props.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e8714f6f93)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids use of uninitialized memory
Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aa8d12554)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3305acdc92)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes use of freed memory
Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f3b5b139ad)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: case2_bad_read_yuv2rgbx32.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array accesses
Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3881606240)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes an issue where the tests directory is not created for out of tree
builds before its needed
Tested-by: Dave Yeo <daveryeo@telus.net>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e631872f13)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make use of the V4L2 VIDIOC_ENUM_FRAMESIZES ioctl on OpenBSD.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 04a4fb81b3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes Ticket4121
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b50e003e1c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '1cc6fef0671c5522c952671ee06bf973135a22c4':
Prepare for 11.1 Release
Conflicts:
RELEASE
Not merged, as our release numbers differ
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '60ccc1a748bf3d26201411479146d0798e1ecff9':
Update changelog for v11.1
Conflicts:
Changelog
Not merged, the changelog does not match FFmpeg
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The new reference.pnm is a freely licensed replacement. The photo has
been taken by Reinhard Tartler on August 28 2014, and is licensed under
the expat license as stated at http://www.jclark.com/xml/copying.txt
(cherry picked from commit 8895bf7b78)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This convinces the pre-receive hook to not consider all *.pnm files as
text files to reduce the patch sizes and avoids triggering whitespace
checks,
Contains a correction by Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 0f257e29c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
use_mmx_vfilter check/fix by commiter
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b546023b93)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: signal_sigsegv_35bd0f0_1182_cov_791726764_STRUCT_B_Samsung_4.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ea38e5a6b7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: asan_heap-oob_177e222_885_cov_1532528832_MERGE_D_TI_3.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9f9440bd81)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1d3a3b9f89)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79ceaf827b)
Conflicts:
libavcodec/pngdec.c
Fixes out of array access
Fixes: signal_sigsegv_324b135_3398_cov_246853371_short.flac
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e5c01ccdf5)
Conflicts:
libavcodec/flacdec.c
