Fixes invalid writes with very small image heights.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0b39ac6f54)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 2.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9b)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The frame size must be set by the caller and each dimension must be a
multiple of 8.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8542
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 88626e5af8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes possible invalid memory access.
Based on code by Michael Niedermayer <michaelni@gmx.at>
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8541
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 809c3023b6)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If a seek is requested before the decoding start there is no
current picture.
CC: libav-stable@libav.org
(cherry picked from commit 3e348ecfc6ab1830e43288a9e12e8f0a000afbcb)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The new reference.pnm is a freely licensed replacement. The photo has
been taken by Reinhard Tartler on August 28 2014, and is licensed under
the expat license as stated at http://www.jclark.com/xml/copying.txt
(cherry picked from commit 8895bf7b78)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This convinces the pre-receive hook to not consider all *.pnm files as
text files to reduce the patch sizes and avoids triggering whitespace
checks,
Contains a correction by Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 0f257e29c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The buffer pool has to atomically add and remove entries from the linked
list of available buffers. This was done by removing the entire list
with a CAS operation, working on it, and then setting it back again
(using a retry-loop in case another thread was doing the same thing).
This could effectively cause memory leaks: while a thread was working on
the buffer list, other threads would allocate new buffers, increasing
the pool's total size. There was no real leak, but since these extra
buffers were not needed, but not free'd either (except when the buffer
pool was destroyed), this had the same effects as a real leak. For some
reason, growth was exponential, and could easily kill the process due
to OOM in real-world uses.
Fix this by using a mutex to protect the list operations. The fancy
way atomics remove the whole list to work on it is not needed anymore,
which also avoids the situation which was causing the leak.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fbd6c97f9c)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Also add no-op fallbacks when threading is disabled.
This helps keeping the code clean if Libav is compiled for targets
without threading. Since we assume that no threads of any kind are used
in such configurations, doing nothing is ok by definition.
Based on a patch by wm4 <nfxjfg@googlemail.com>.
(cherry picked from commit 2443e522f0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The rounding used in the PTS calculations in filter_frame() does
not actually match the number of samples output by the resampler.
This leads to off-by-1 errors in the timestamps indicating gaps and
underruns, even when the input timestamps are all contiguous.
Bug-Id: 753
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6cbbf0592f)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit c5560e72d0)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Convert the Matroska stereo format to the Stereo3D format, and add a
Stereo3D side data to the stream.
Bump the doctype version supported.
Bug-Id: 728 / https://bugs.debian.org/757185
alsa and x11grab use av_gettime() to report timestamps.
Have it on by default.
Bug-Id: 647
(cherry picked from commit 424b929b5c)
(cherry picked from commit 404731bd20)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The mpegenc private option values are in 50-byte units.
CC: libav-stable@libav.org
(cherry picked from commit 1688eef253)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It is written to the file as a 22-bit value.
CC: libav-stable@libav.org
(cherry picked from commit 75bbaf2493)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Some obsolete versions of the MinGW32 runtime (<4.0.0) lack the definition.
(cherry picked from commit ab56fabe62)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
The asserts check struct members that are not referenced in guess_mv()
and one of them fails to compile.
(cherry picked from commit 7cb66ebc0b)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
At least one FATE sample contains such chunks and happens to work simply
by accident (due to find_stream_info() swallowing the error).
CC: libav-stable@libav.org
(cherry picked from commit 4d6c515284)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
