fd3af2950a
smacker: Sanity check huffman tables found in the headers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9adf25c1cf
14 years ago
bf9f26cef7
aac: fix infinite loop on end-of-frame with sequence of 1-bits.
Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1cd9a6154b
14 years ago
0fbde741cb
wma: Clip WMA1 and WMA2 frame length to 11 bits.
The MDCT buffers in the decoder are only sized for up to 11 bits. The
reverse engineered documentation for WMA1/2 headers say that that for
all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
were added for WMAPro. I was unable to make any Microsoft tools generate
a test file at a samplerate above 48kHz.
Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d78bb1a4b2
14 years ago
ec961c8919
flac: fix infinite loops on all-zero input or end-of-stream.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 52e4018be4
14 years ago
3b5e1494c6
golomb: avoid infinite loop on all-zero input (or end of buffer).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c6643fddba
14 years ago
ccd528cc32
qdm2: Check data block size for bytes to bits overflow.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dac56d9ce0
14 years ago
c321f2abca
avcodec: Remove a misplaced and useless attribute_deprecated
If attribute_deprecated is used in an enum declaration, it
should follow the 'enum' keyword, otherwise it's ignored
silently. This is the only case of attribute_deprecated for
enum declarations currently.
Currently, this attribute_deprecated doesn't have any effect.
If moved to the right place, it emits a warning every single
time avcodec.h is included, like this:
avcodec.h:2827: warning: ‘AVLPCType’ is deprecated (declared at avcodec.h:543)
There is already a working attribute_deprecated for the
corresponding field in AVCodecContext, so therefore this
one shouldn't be needed.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 1b6da627d4
14 years ago
1cc0b08635
smacker: validate channels and sample format.
(cherry picked from commit ff1f89de2d
14 years ago
b3d7fffee3
smacker: check buffer size before reading output size
(cherry picked from commit cf044f8bff
14 years ago
ef7a4df458
smacker: validate number of channels
(cherry picked from commit e190e453bd
14 years ago
3b7a1ba90e
sipr: fix get_bits(0) calls
Zero-length get_bits() is undefined, must check before calling.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit c79d2a20ba
14 years ago
da73a2005a
motion_est: make MotionExtContext.map_generation unsigned
The way this value is used, it should be an unsigned type.
While the numerical value has no meaning, unsigned wraparound
is relied upon.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit cb668476ab
14 years ago
6b011631e9
4xm: prevent NULL dereference with invalid huffman table
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1b1182ce97
14 years ago
39fd8d0083
4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 8d518a9c4f
14 years ago
b3bdefb01b
ptx: check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit dc64f203a6
14 years ago
4eb51d96dd
tiffdec: fix out of bound reads/writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 04a845caa7
14 years ago
d75c80e942
eacmv: check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 46cb2f6a29
14 years ago
34d6f22a57
eacmv: fix potential pointer arithmetic overflows
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 8df8a87e3f
14 years ago
518c72474d
adpcm: fix out of bound reads due to integer overflow
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c7f89064e2
14 years ago
39fed2e95b
anm: prevent infinite loop
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 2475f1a83c
14 years ago
ab201f6f1b
avs: check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit de049a95f4
14 years ago
559261ce49
vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 53efb758c0
14 years ago
f9d17e6f54
4xm: fix signed overflow
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 84dda40762
14 years ago
0b1ac7bf4f
wmavoice: fix a signed overflow
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit ba3f07d061
14 years ago
af0a56e6ef
mpegvideo_enc: fix a signed overflow
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 05795f35be
14 years ago
48f9a80072
mpeg12enc: use sign_extend() function
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 2f329db90e
14 years ago
fdc669fcbb
vp8: fix signed overflows
In addition to avoiding undefined behaviour, an unsigned type
makes more sense for packing multiple 8-bit values.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit bb59156606
14 years ago
fe3314a413
motion_est: fix some signed overflows
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit e708afd3c0
14 years ago
58afe6061a
dca: fix signed overflow in shift
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 559c244d42
14 years ago
8c2ae575ad
aacdec: fix undefined shifts
Since nnz can be zero, this is needed to avoid a shift by 32.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit d12294304a
14 years ago
9c78fe9360
bink: Check for various out of bound writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit a00676e48e
14 years ago
c98d7882d8
bink: Check for out of bound writes when building tree
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 24adf7832b
14 years ago
e52e85ac3a
put_bits: fix invalid shift by 32 in flush_put_bits()
If flush_put_bits() is called when the 32-bit buffer is empty,
e.g. after writing a multiple of 32 bits, and invalid shift by
32 is performed. Since flush_put_bits() is called infrequently,
this additional check should have negligible performance impact.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit ac6eab1496
14 years ago
59050c0629
mpc8: Check out of bound bands limit
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 9bd854b1ff
14 years ago
be2404b06d
xan: Prevent NULL dereference with missing palette
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 7d17a794f0
14 years ago
49007b494e
xan: Check for out of bound reads in xan_huffman_decode()
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3db3fdf4c6
14 years ago
0277c82de2
xan: Fixed out of bound accesses in xan_unpack()
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 3e0757c2a8
14 years ago
5fa8e43b54
motionpixels: Prevent calling init_vlc() with invalid parameters
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1cd0a55163
14 years ago
737bea21b6
shorten: Fix out of bound writes in fix_bitshift()
The data pointers s->decoded[*] already take into account s->nwrap.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 5f05cf4ea9
14 years ago
aa9e308580
dsicinav: Check for out of bounds writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1720603287
14 years ago
d57d039e04
tiertexseqv: Check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 64263dd526
14 years ago
97a1ab4bce
quickdraw: Check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 4fd56f842c
14 years ago
914b9b0b2b
dsicinav: Check for out of bounds reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit e3ca9b93d9
14 years ago
39de0e008d
motionpixels: Fix the size of workspace buffers
Some buffers must be mod 4 in width and/or height.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 210c80331e
14 years ago
f2f2a00d39
motionpixels: Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit d337dd3a90
14 years ago
905d0633a6
wmavoice: Check for corrupted extra data
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit d99427cb8b
14 years ago
95605595b5
wmavoice: Check for out of bound writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 1c1449b548
14 years ago
fb20141563
xan: Prevent NULL dereferences with missing reference frame
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 06be075cda
14 years ago
c5766b55c4
bink: Prevent NULL dereferences with missing reference frame
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c7e631986b
14 years ago
d646cce15f
wavpack: Reset internal state on corrupted blocks
wavpack_decode_block() supposes that it is called back with the exact
same buffer unless it has returned with an error. With multi-channels
files, wavpack_decode_frame() was breaking this assumption.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 2c6cf13940
14 years ago
Alex Converse
Ronald S. Bultje
Martin Storsjö
Justin Ruggles
Mans Rullgard
Laurent Aimar
Gwenole Beauchesne