| Age | Commit message (Collapse) | Author |
|---|
|
Fixes CID703652
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 171af59d58fc67d82dce8ff7ed11fa671108baa5)
Conflicts:
libavformat/matroskadec.c
|
|
Fixes CID1041175
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes CID1238818
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81198a68370e88f7d02f16de58db36713c2a50b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Larger packets are not supported and would cause problems later
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit acf4925f444636a828534ab47d0f86c21a7a9b4e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
string length could theoretically be larger than int
Reviewed-by: Clément Bœsch <u@pkh.me>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a633928d47057426a9c328da594407d1c7da8a5c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95efc651294b3cf3e5ec4b3ed36e79d7261545ff)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ae4eea8be45a0b212fd57ceaac1f11089ab81d98)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
the string length is not constrained to INT_MAX
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4c128ea1629116fc4936edc5f96bbd18f3ef1647)
Conflicts:
libavutil/dict.c
|
|
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 584cc1ade10a3297ef9c107ef3a2081c04024156)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
In init_planes p->xblen and p->yblen are set to:
p->xblen = s->plane[0].xblen >> s->chroma_x_shift;
p->yblen = s->plane[0].yblen >> s->chroma_y_shift;
These are later used as block_w and block_h arguments of
s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2
in emulated_edge_mc:
av_assert2(start_x < end_x && block_w > 0);
av_assert2(start_y < end_y && block_h > 0);
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
s->ref_pics[i] is later used as ref argument of interpolate_refplane,
where it is dereferenced.
If it is NULL, it causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d93181ef3eacdb862d93448f31c97765a523d1db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
If bytes is large enough, bytes*8 can overflow and become negative.
In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.
This leads to a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
If max in clean_index is set to a negative ast->sample_size, the
following loop never ends:
while (max < 1024)
max += max;
Thus set ast->sample_size to 0 if it would otherwise be negative.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ca234639ac49a0dc073ac1f10977979acdb94f97)
Conflicts:
libavformat/avidec.c
|
|
The later is not correct
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d309d309108684f742bbf5fc2393f1c519cda72)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This fixes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e54540655f229d06667dc7fa7005f2a20e101e80)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d43cd6b08ed555c303478e3133717fbb2236be6e)
Conflicts:
libavcodec/ffv1dec.c
|
|
index_scale is set to matroska->time_scale of type uint64_t.
When index_scale is int, the assignment can overflow and e.g. result
in index_scale = 0. This causes a floating point exception due to the
division by index_scale.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eb9fb508b0e09d85d234fe694333b2005e1d7a7e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
overflow and undefined behavior in fate
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 042260cde4ecf716438c5fc92d15ad5f037ee2e1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This fixes a segmentation fault when accessing the metadata.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
A negative frame rate triggers an av_assert2 in av_rescale_rnd.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6621105877ce0d65724a8ab60b3a50160adbe65d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e2877bdf3862325c2982c3237d9bf28f1bbf793f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8)
to s->decoded[1]) and passed as out buffer to decode_array_0000.
In this function 64 elements of the out buffer are written
unconditionally and outside the array if blockstodecode is too small.
This causes memory corruption, leading to segmentation faults or other
crashes.
Thus change decode_array_0000 to write at most blockstodecode elements
of the out buffer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)
Conflicts:
libavcodec/apedec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Otherwise range_start_decoding is not necessarily run and thus
ctx->rc.range still 0 in range_dec_normalize leading to an infinite
loop.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 464c49155ce7ffc88ed39eb2511e7a75565c24be)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This avoids confusing syntax errors with awk later
Likely fixes awk errors at:
http://buildd.debian-ports.org/status/fetch.php?pkg=ffmpeg&arch=sparc64&ver=7%3A2.6.2-1&stamp=1428928967
Reviewed-by: Timothy Gu <timothygu99@gmail.com>
Thanks-to: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> for the link
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c0d847e457c1ef72843a63853f1135d52b74131e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
If rice_limit is 0, k can be 0 in decode_scalar, which calls show_bits(gb, k).
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4b657a1b1eedcf38bcf36e89a2f4be6f76b5ce09)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 58d605ee9b3277289278dc40e022311f8e083833)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 32da94fa7f73ac749e0a1e2f20499fad2f6f57fe)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b3408ae4c64cb674b1d5f0f30171759113ce722a)
Conflicts:
libavcodec/mpeg4videodec.c
(cherry picked from commit 3339bae2197a2a02b090e74a8720282b5b87598e)
|
|
Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Thilo Borgmann <thilo.borgmann@mail.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit afc7748d1f6abc4b3b1cc957b0fa6941837db3d0)
Conflicts:
libavcodec/alsdec.c
(cherry picked from commit 0b5405c443ec8adc3c114e508b71ce2012c83f0d)
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ba631b791435c395361e2026fc7419b341e57813)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
If begin is smaller than t, the subtraction 'begin -= t' wraps around,
because begin is unsigned. The same applies for end < t.
This causes segmentation faults.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
never contain random data
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7e104647a3556fc61a139483cee1cb7dfa2dc5bd)
Conflicts:
libavcodec/alsdec.c
|
|
If the same idx is used for more than one i, at least one entry in
sconf->chan_pos remains uninitialized.
This can cause segmentation faults.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ef16501aebed43e34a3721336e8bee732eca2877)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This fixes an invalid read if end is 0:
band_end = ff_ac3_bin_to_band_tab[end-1] + 1;
Depending on what is before the array, this can cause stack smashing,
when band_end becomes too large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit bc4fee7f2a51635fa3c0f61d1e5164da1efeded3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
If band->thr is 0.0f, the division is undefined, making norm_fac not a
number or infinity, which causes psy_band->threshold to become NaN.
This is passed on to other variables until it finally reaches
sce->sf_idx and is converted to an integer (-2147483648).
This causes a segmentation fault when it is used as array index.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Claudio Freire <klaussfreire@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e224aa41917454e7b5c23d9f2541425743ce595a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0be54ad280cf114c02306b7063147e8379f8ed1e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
This fixes segmentation faults, when pic->linesize[0] is negative.
In that case 'line * pic->linesize[0] + pixel_ptr' is treated as
unsigned and wraps around.
This reverts commit 7d78a964.
The problem was introduced in commit f7e1367f, which should obsolete
that commit.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ae6fd7300b4e9f81d3b5ba201096ffe7cccf26fb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes Ticket4460
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e88b3852aefaa39b2170ef185ad03dda18732821)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
e1ee0521a698809ed216e9e5c11bd2bbb466ed04)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
The order of error codes will be useful in my future fateserver patches.
Signed-off-by: Timothy Gu <timothygu99@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc0057a31c7097839f9c4e4da61e2933b5b0e055)
Signed-off-by: Timothy Gu <timothygu99@gmail.com>
|
|
Fixes deadlock
Fixes Ticket4428
Fixes Ticket4429
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 429de043202286a2b5bcc082cc02de860b734db2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dadc43eee4d9036aa532665a04720238cc15e922)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
instead of the pixel pointer
Fixes out of array access
Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f7e1367f58263593e6cee3c282f7277d7ee9d553)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Fixes Ticket4227
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2c660e34cf3c2b77cd2bef6f292920334dfd9192)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
as this kind of allows to circumvent it to some extend.
We also could add a separate parameter or value to choose this
Found-by: ramiro
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e4d0498df6621143da1a550006ddc3526ad51cb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
