Fixes out of array accesses
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c378d6a6d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
previously it could have been by 1 too large
Fixes out of array access
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls
Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls
Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 06e7d58410)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Found-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d85ebea3f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes Ticket1304
Commit message and extradata size bugfix by commiter
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 6843b9dc78)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
in the latest git commits of libilbc developers removed WebRtc_xxx typedefs
This commit uses int types instead,
it's safe to apply also for previous versions since
WebRtc_Word16 was always a typedef of int16_t and
WebRtc_UWord16 a typedef of uint16_t
Reviewed-by: Timothy Gu <timothygu99@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 59af5383c1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
See https://code.google.com/p/webp/issues/detail?id=206
for a description of the problem/fix.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This patch makes the decoder follow the recommendation of the spec.
There is some disagreement (see "[FFmpeg-devel] [PATCH]: libavcodec/webp")
about what would be best to be written in the spec, so in case the spec
is changed again, this potentially would need to be amended or reverted
(cherry picked from commit 4fd21d58a7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
CC: libav-stable@libav.org
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit c5560e72d0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes miss detection of PCM as m4v
Fixes Ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c1835c52a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The function otherwise would initialize the context without setting context_initialized
alternatively we could set context_initialized
Fixes valgrind anomalies related to ticket 3928
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0d0f7f0ba4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is currently not supported
Fixes part of Ticket 3539
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c2430304df)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes reading from freed data
Fixes part of Ticket3539
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1c55d0ff32)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes wrong number of segments output and undefined memory access.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 58e0402e02)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The read_packet callback passes a pointer to a stack-allocated AVPacket.
Attempting to free it with av_free() makes no sense.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b173f5c155)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Buffers containing copies of the AAC and AC3 header bits were not padded
before parsing, violating init_get_bits() buffer padding requirement,
leading to potential buffer read overflows.
This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer
for parsing the header in each of aac_parser.c and ac3_parser.c.
Based on patch by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fccd85b9f3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The allocation didn't account for headers, that can be easily 79 bytes.
As a result, buffers allocated for a few samples (e.g. 5 in the original
bug) could be undersized.
Fixed ticket #2881.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2ba58bec20)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This avoids high scores in random data that has a high 0x47 frequency
Fixes Ticket3844
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 427bcdf035)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The packet buffer allocation considered as dct-coded, while it is
actually run-coded and thus requires a larger buffer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 117bc8e6ff)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
If the allocated size, despite best efforts, is too small, exit
with the appropriate error.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 52b81ff463)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
