998fc04bcf
apedec: use unsigned int for 'nblocks' and make sure that it's within int range
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
43fa5bf55e
apedec: check for data buffer realloc failure
(cherry picked from commit 11ca8b2d74
14 years ago
f19b8d9533
apedec: check for filter buffer allocation failure
(cherry picked from commit 7500781313
14 years ago
4a66fe2107
mpegaudiodec: check output data size based on avctx->frame_size
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
edf3c5a3eb
resample: Fix array size
Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3e7db0a9ee
14 years ago
a39b5e8b32
resample2: fix potential overflow
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
6ae93d0304
resample: Fix overflow
Found-by: Jim Radford
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
2137d99086
vorbisdec: check output buffer size before writing output
(cherry picked from commit 60aa1a358d
14 years ago
e9de2d98a9
twinvq: check output buffer size before decoding
(cherry picked from commit e53eecd0e7
14 years ago
93f1159af5
vp6: Fix illegal read.
(cherry picked from commit 2a6eb06254
14 years ago
b08001e00a
shorten: check output buffer size before decoding
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
e1ea35fb52
shorten: check for realloc failure
(cherry picked from commit 9e5e2c2d01
14 years ago
f531193690
Fixes avpicture_layout to not write past buffer end.
avpicture_get_size() returns the size of buffer required for avpicture_layout.
For pseudo-paletted formats (gray8...) this size does not include the palette.
However, avpicture_layout doesn't know this and still writes the palette. Consequently,
avpicture_layout writes passed the length of the buffer. This fixes it
by fixing avpicture_layout so that it doesn't write the palette for these formats.
Signed-off-by: Matthew Einhorn <moiein2000@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e662b263d9
14 years ago
15a7fe106c
pthread: copy coded frame dimensions in update_context_from_thread
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit feadcd1bdc
14 years ago
d32f509de1
vp8: prevent read from uninitialized memory in decode_mvs
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 0f0b5d6434
14 years ago
5f5f36b52e
vp8: force reallocation in update_thread_context after frame size change
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 5653579381
14 years ago
d1166f03be
vp8: fix return value if update_dimensions fails
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit f05c2fb6eb
14 years ago
62cf52c860
truespeech: check to make sure channels == 1
(cherry picked from commit 3e7a176759
14 years ago
7e95a12d51
mlpdec: validate that the reported channel count matches the actual output
channel count
(cherry picked from commit caa845851d
14 years ago
1c3d46a924
h264: fix HRD parameters parsing
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a
14 years ago
800ab099e3
smacker: validate channels and sample format.
(cherry picked from commit ff1f89de2d
14 years ago
e6b2255329
smacker: check buffer size before reading output size
(cherry picked from commit cf044f8bff
14 years ago
7f7b2e89e2
smacker: validate number of channels
(cherry picked from commit e190e453bd
14 years ago
73f85eae68
sipr: fix get_bits(0) calls
Zero-length get_bits() is undefined, must check before calling.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit c79d2a20ba
14 years ago
190807a56c
4xm: fix signed overflow
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 84dda40762
14 years ago
33029d7353
wmavoice: fix a signed overflow
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit ba3f07d061
14 years ago
c41950099d
mpegvideo_enc: fix a signed overflow
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 05795f35be
14 years ago
115d88c4b2
h264pred: use unsigned types for pixel values, fix signed overflows
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 60f10e0ad3
14 years ago
a65045915f
qtrle: check for out of bound writes.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fb92be7e5
14 years ago
adb12c4deb
xxan: check for out of bound accesses
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a68a6a4fb1
14 years ago
ca58b215ab
txd: check for out of bound reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e182de9a98
14 years ago
67c46b9b30
qtrle: check for invalid line offset
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a4ed7c3fe9
14 years ago
7ab0b6b7ed
vqavideo: check for out of bound reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6d45702f7f
14 years ago
2fdbc1d553
vqavideo: check for invalid/unsupported version
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b226af3910
14 years ago
5415c488f9
eamad: release the reference frame on video size changes
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6c1fb3e763
14 years ago
79bafbb0dd
eamad: check for out of bound reads when doing MC
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit da35797359
14 years ago
7b3c851526
eamad: avoid NULL derefence when missing the reference frame.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e20554a6d
14 years ago
1b6e6439fa
eatgv: fix pointer arithmetic overflows.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6bfe0d4c3d
14 years ago
4474051370
eatgv: fix out of bound reads on corrupted motions vectors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 09302a897d
14 years ago
1646d2d2ae
eamad: clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 74b9c59839
14 years ago
f7be632cbd
vp8: fix signed overflows
In addition to avoiding undefined behaviour, an unsigned type
makes more sense for packing multiple 8-bit values.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit bb59156606
14 years ago
4ba0e03759
motion_est: fix some signed overflows
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit e708afd3c0
14 years ago
37ce6ba425
dca: fix signed overflow in shift
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 559c244d42
14 years ago
c2c83dcb32
aacdec: fix undefined shifts
Since nnz can be zero, this is needed to avoid a shift by 32.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit d12294304a
14 years ago
4c5cdb493c
put_bits: fix invalid shift by 32 in flush_put_bits()
If flush_put_bits() is called when the 32-bit buffer is empty,
e.g. after writing a multiple of 32 bits, and invalid shift by
32 is performed. Since flush_put_bits() is called infrequently,
this additional check should have negligible performance impact.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit ac6eab1496
14 years ago
06b15b3715
h264: fix the size of PPS::chroma_qp_table
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e588a5c2d4
14 years ago
614ef0dc0d
h264: fix fill_colmap() to not store entries mbaff style when the reference is not mbaff at all
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a3ba542af3
14 years ago
5d2b6006f0
mpegvideo: fix position of bottom edge.
It was wrong in colorspaces where horizontal and vertical chroma
subsampling are not the same, e.g. 422.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
b491c15c85
h254: explicitly initialize bit depth/chroma idc
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
14 years ago
2809f4ab93
qcelp: check output buffer size before decoding
(cherry picked from commit e43dd3d2a8
14 years ago
Justin Ruggles
Michael Niedermayer
Alex Converse
Matthew Einhorn
Ronald S. Bultje
Mans Rullgard
Laurent Aimar
Laurent Aimar