Adds an additional check before reading the next block header and avoids a
potential integer overflow when checking the metadata size against the
remaining buffer size.
(cherry picked from commit 4c5e7b27d5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185
(cherry picked from commit ffe92ff9f0)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
As a signed integer, 1<<31 overflows, so force it to unsigned.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit c2d3f56107)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 45b7bd7c53)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fdba370f8a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The level_code expression includes a shift which is invalid in
those cases where the value is not used. Moving the calculation
to the branch where the result is used avoids these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 8babfc033e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit be1242a3f2)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This allows concurrent decoding of the last field/frame, rather than
only the last slice, of data packets with multiple NAL units packed
together.
This will fix the slowdown reported in e.g. bug 52.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 14c21c1ff5)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The initial values are not checked against the number of block sizes.
Initializing them to frame_len_bits will result in a block size index of 0
in these cases instead of something that might be out-of-range.
Fixes Bug 81.
(cherry picked from commit 05d1e45d1f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Based on a patch by Michael Niedermayer <michaelni@gmx.at>
Fixes NGS00145, CVE-2011-4352
Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 8b94df0f20)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Adds support for decoder-private options and makes setting other options
simpler.
(cherry picked from commit 0b950fe240)
Conflicts:
libavcodec/avcodec.h
Signed-off-by: Anton Khirnov <anton@khirnov.net>
On 32-bit ppc, the GOT pointer must be loaded manually.
This adds a "get_got" assembler macro to compute the
GOT address. The "movrel" macro is updated to take an
additional parameter containing the GOT address since
no register is reserved for this purpose on ppc32.
These changes have no effect on ppc64 builds.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 6e4a35ced9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
rv34_decode_slice() can return without allocating any pictures.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d0f6ab0298)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This prevents crashes with some corrupted bitstreams.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4a29b47186)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
init_get_bits() takes a number of bits and not a number of bytes as
its size argument.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit b59efc9434)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
stereo & 16bit is untested due to lack of samples
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5166376f24)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
