Fixes out of array read
Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1895d414aa)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This also fixes a memleak
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4da351ff0c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Averaging over 2 pixels doesn't work correctly for the last pixel, because the
rest of the buffer is not initialized.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 87513d6545)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes the use of uninitialized values in avpriv_do_elbg.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ab759f8f4a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes invalid reads of the packet buffer in av_dup_packet
Based on patch by Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d96142e9af)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes freeing the frame buffer twice on cleanup leading to a crash.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 39e4ed7c1d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Based on patch by Francisco Blas Izquierdo Riera
Commit message partly taken from carl
fixes a compilation
error in mlpdsp_init.c with -fstack-check and some gcc compilers (I
reproduced the issue with gcc 4.7.3) by simplifying the code.
See also https://bugs.gentoo.org/show_bug.cgi?id=471756
$ make libavcodec/x86/mlpdsp_init.o
libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’:
libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in
class ‘GENERAL_REGS’ while reloading ‘asm’
libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible
constraints
4551 -> 4509 dezicycles
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 03f39fbb2a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'b7c8a1fbbd0b6ac0b096ef0402dee440ff27ecb7':
webp: ensure that each transform is only used once
See: c089e720c1
Merged-by: Michael Niedermayer <michaelni@gmx.at>
According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".
If a transform is more than once this can lead to memory
corruption.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c089e720c1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a529f6648ed450f7e846a0e704a0a3260aaa4b62':
hevc: zero the correct variables on invalid crop parameters
Conflicts:
libavcodec/hevc_ps.c
See: 7bce99216f
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes out of array read
Fixes: signal_sigsegv_35bcf26_471_cov_2806540268_CAINIT_A_SHARP_4.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 57e5812198)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".
If a transform is more than once this can lead to memory
corruption.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 30e6abd1a8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It's the output_window that is applied to the output frame, not
pic_conf_win
(cherry picked from commit 5127c00b97)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
* commit '00abc0080d2f5f179f18534713659ce79b22e647':
doc: More changelog updates for v11.3
Conflicts:
Changelog
not merged
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3a417a86b330b7c1acf9db4f729be7d619caaded':
utvideodec: Handle slice_height being zero
See: 3881606240
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'a73b2c288e3dace6e054a5b48640978be1d5df84':
adxdec: set avctx->channels in adx_read_header
See: 72f83ad277
Merged-by: Michael Niedermayer <michaelni@gmx.at>
It is used in adx_read_packet, which currently depends on the decoder/parser setting this value between reading the file header and demuxing the first packet.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 64ea4a0598)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The chunk size is limited to 0xFFFF (written by avio_wb16), so make
sure that the packet size is not too large.
Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
See Ticket244
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08728f400b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.
If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5de2dab12b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If it doesn't fit into 12 bits it triggers an assertion.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2578a54618)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e818da77240146b36d6669b1c4e0565239dc55d3':
eamad: check for out of bounds read
Conflicts:
libavcodec/eamad.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '4070e02dfcf8c7d871b4a41d8b591ec0c130c70a':
configure: Properly fail when libcdio/cdparanoia is not found
Conflicts:
configure
See: f514b5dff7
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '77eb3d9a60a9c2bb6d87c960ac186af242bbcc9e':
tiff: Check that there is no aliasing in pixel format selection
Conflicts:
libavcodec/tiff.c
See: e1c0cfaa41
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7136a0bf88f31bb8d40a3bbd251963706fb14578':
vorbis: Check the vlc value in setup_classifs
Conflicts:
libavcodec/vorbisdec.c
See: ae038c0914
See: 709cae2bcb
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '450b02307cb631f501793b52b98b610c3a54378b':
arm: Suppress tags about used cpu arch and extensions
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'fc3c1156e361202ab97ad63ffb4dacc416906d33':
doc: Update changelog for v11.3
Conflicts:
Changelog
Not merged, the changelog is not correct for FFmpeg
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '7c1fe31617699ddefe6b0f39f16e7c3d79e998e2':
Prepare for 11.3 Release
Conflicts:
RELEASE
Not merged
Merged-by: Michael Niedermayer <michaelni@gmx.at>
It is used in adx_read_packet, which currently depends on the
decoder/parser setting this value between reading the file header and
demuxing the first packet.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The chunk size is limited to UINT16_MAX (written by avio_wb16), so make
sure that the packet size is not too large.
Such large frames need to be split into slices smaller than 64 kB, but
that is currently supported neither by the rv10/rv20 encoders nor the rm
muxer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Michael Niedermayer
Andreas Cadhalpun
Ronald S. Bultje
Anton Khirnov
Reinhard Tartler