- 20 Aug, 2015 40 commits
-
Michael Niedermayer authored
Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79a98294)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Fixes out of array access
Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 330863c9)
Conflicts: libavcodec/h264_slice.c
-
James Zern authored
the max value of the lookup in expanded form is:
(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254
add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams
Signed-off-by: James Zern <jzern@google.com>
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e91f860e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Fixes out of array access
Fixes: asan_heap-oob_7f875d_3482_cov_1818465256_ssudec.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0083c166)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Multiple IHDR chunks are forbidden in PNG
Fixes inconsistency and out of array accesses
Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 47f4e2d8)
Conflicts: libavcodec/pngdec.c
-
Andreas Cadhalpun authored
Claiming to have decoded more bytes than the packet size is wrong.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2a4700a4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Fixes fate/dds-rgb16 on big endian
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f6ab967e)
Conflicts: tests/ref/fate/dds-rgb16
-
Michael Niedermayer authored
Found-by: Rodger Combs
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8f0f678f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
James Almer authored
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit e22edbfd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
James Almer authored
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 910eeab4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Sebastien Zwickert authored
The pixel buffer base address is never unlocked; this causes a bug with some pixel format types that are produced natively by the hardware decoder: the first buffer was always used. Unlocking the pixel buffer base address fixes the issue.
(cherry picked from commit c06fdacc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 76043580)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit abb833c5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
The function is specific to little endian
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4df3cf90)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d4325b2f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
And default to 8000 if it is invalid.
An invalid sample rate can trigger av_assert2 in av_rescale_rnd.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5b76c82f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
In the TTA extradata re-construction the values are written with avio_wl16 and if they don't fit into uint16_t, this triggers an av_assert2 in avio_w8.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 92e79a2f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Fixes undefined behavior and segfault
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8edc17b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
QP_store is only 8-bit-aligned, so accessing it as uint32_t causes SIGBUS crashes on sparc. The AV_RN32/AV_WN32 macros only do unaligned access in the HAVE_FAST_UNALIGNED case.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 59074310)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
wm4 authored
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc877587)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
Also use the frame pixel format instead of the one from the codec context, which is more robust.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdc64a10)
Conflicts: libavcodec/h264_slice.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
Otherwise it can be 0 in sonic_decode_frame, causing SIGFPE crashes.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 58995f64)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
If one of the dimensions is larger than 8176, s->mb_width or s->mb_height is larger than 511, leading to an int16_t overflow of s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative effect, because s->mv_max is only used in clamp_mv for clipping. Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't increase the absolute value. The input to av_clip is an int16_t, and thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range before use.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6fdbaa2b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
Otherwise the check 'tile_size < size' treats a negative size as unsigned, causing the check to pass. This subsequently leads to segmentation faults.
This was originally fixed as part of Libav commit 72ca83, so the original author is one of the following developers:
Anton Khirnov <anton@khirnov.net>
Diego Biurrun <diego@biurrun.de>
Luca Barbato <lu_zero@gentoo.org>
Martin Storsjö <martin@martin.st>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b18eac7f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
Without this check it causes SIGILL crashes on ARMv5.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5bf84a58)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
libopenjpeg can return images with components without data. This fixes segmentation faults.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3ef57029)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
Otherwise the loop can take a lot of time if num_descr is very large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5718863)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Found-by: Daemon404
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8e91d965)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Deliang Fu authored
Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6e1f8780)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Andreas Cadhalpun authored
If chan2 is not smaller than the number of channels, it can cause segmentation faults due to dereferencing a NULL pointer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 05c57ba2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
The AVFrame values are closer to the AVFrame bitmap changed instead of the AVCodecContext values, so this should be more robust
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aef0e0f0)
Conflicts: libavcodec/h264_slice.c
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 913685f5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Simon Thelen authored
libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'.
Return layout when FF_API_GET_CHANNEL_LAYOUT_COMPAT is set even if the layout itself is not in the deprecated style.
Signed-off-by: Simon Thelen <ffmpeg-dev@c-14.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 83307a32)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
This avoids potential out of array accesses
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 12ba1b2b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc55477a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c803ed9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c2657633)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6b6ae7c3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
This avoids leaks if the user doesn't call swr_close() after a failed init
Found-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3f87f75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Michael Niedermayer authored
This was simply wrong
Found-by: Martin Storsjö
This reverts commit 5d8e4f6d.
(cherry picked from commit 3e34b749)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>