| 6b01163 | Laurent Aimar | 02 October 2011, 00:48:11 UTC | 4xm: prevent NULL dereference with invalid huffman table Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 1b1182ce97db7a97914bb7713eba66fee5d93937) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:41 UTC |
| 5ab326d | Laurent Aimar | 02 October 2011, 00:48:11 UTC | 4xmdemux: prevent use of uninitialized memory Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 79964745b3ed5a700f4f0dda56c7360497328c88) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| 39fd8d0 | Laurent Aimar | 02 October 2011, 00:48:11 UTC | 4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 8d518a9c4fe92e2497565f1765da7f913be8b1e7) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| b3bdefb | Laurent Aimar | 02 October 2011, 00:48:12 UTC | ptx: check for out of bound reads Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit dc64f203a62083c3d5f81e8201018279c29581af) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| 4eb51d9 | Laurent Aimar | 30 September 2011, 23:42:33 UTC | tiffdec: fix out of bound reads/writes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 04a845caa7cdcdd1457f8c0dde52a7b2085ed92f) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| d75c80e | Laurent Aimar | 30 September 2011, 23:42:32 UTC | eacmv: check for out of bound reads Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 46cb2f6a2928a7fa4bee3f09b0475ccb8cdd2064) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| 34d6f22 | Laurent Aimar | 30 September 2011, 23:42:32 UTC | eacmv: fix potential pointer arithmetic overflows Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 8df8a87e3fd5bd0c3dabc676aae8fd84992932dc) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| 518c724 | Laurent Aimar | 30 September 2011, 23:42:32 UTC | adpcm: fix out of bound reads due to integer overflow Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit c7f89064e2f0fef8198aadf64b0daf12787404ee) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| 39fed2e | Laurent Aimar | 30 September 2011, 23:42:32 UTC | anm: prevent infinite loop Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 2475f1a83ccf313d828b25f1769e3a37442ecf64) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| 7fa13e1 | Laurent Aimar | 30 September 2011, 23:42:31 UTC | avsdemux: check for out of bound writes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 6de33611c918e6ad5bbc878840a59607cb42b8c0) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| ab201f6 | Laurent Aimar | 30 September 2011, 23:42:31 UTC | avs: check for out of bound reads Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit de049a95f4a8089b2878c7fcef6cac7e88a8f1bf) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| b696d61 | Laurent Aimar | 30 September 2011, 23:42:31 UTC | avsdemux: check for corrupted data Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 76c6971a6464705f263fc30e537b370a3a7c853b) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:40 UTC |
| a23bcc9 | Alex Converse | 08 October 2011, 01:41:06 UTC | mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions. (cherry picked from commit 0c46e958d1fd3817b8e9fa048d0450d509c80378) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:36 UTC |
| 559261c | Gwenole Beauchesne | 10 October 2011, 11:51:41 UTC | vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly). Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit 53efb758c045900f512c947074900c0dbc988685) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:36 UTC |
| f9d17e6 | Mans Rullgard | 09 October 2011, 19:38:01 UTC | 4xm: fix signed overflow Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 84dda407628e298f33d610e9e04a8b2945d24665) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:36 UTC |
| 0b1ac7b | Mans Rullgard | 09 October 2011, 19:46:22 UTC | wmavoice: fix a signed overflow Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit ba3f07d0611d9a6c10eaa90b3c058ecdffe76676) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:36 UTC |
| af0a56e | Mans Rullgard | 09 October 2011, 19:32:58 UTC | mpegvideo_enc: fix a signed overflow Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 05795f35be4b479bfa8d60ed3eb13e0f89e439c0) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:36 UTC |
| 5e3ba60 | Mans Rullgard | 08 October 2011, 00:59:51 UTC | crc: fix signed overflow This fixes a signed overflow from i << 24 when i == 255 by making i unsigned. The result of the shift is already assigned to an variable of unsigned type. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 8b19ae07616bbd18969b94cbf5d74308a8f2bbdf) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| 48f9a80 | Mans Rullgard | 08 October 2011, 11:56:54 UTC | mpeg12enc: use sign_extend() function Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 2f329db90e5d72ad383a0ba05fde3641a34ef73b) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| 2c99aa4 | Mans Rullgard | 08 October 2011, 01:06:26 UTC | lavf: fix signed overflow in avformat_find_stream_info() On the first iteration through this code, last_dts is always INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in an invalid manner. Although the result is only used if the input values are valid, performing the subtraction is still not allowed in a strict environment. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit a31e9f68a426f634e002282885c6c2eb1bfbea44) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| fdc669f | Mans Rullgard | 08 October 2011, 14:03:51 UTC | vp8: fix signed overflows In addition to avoiding undefined behaviour, an unsigned type makes more sense for packing multiple 8-bit values. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit bb59156606e00057a706ed30165bc7329db3823f) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| fe3314a | Mans Rullgard | 08 October 2011, 12:52:44 UTC | motion_est: fix some signed overflows Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit e708afd3c026a9eb547dab07781320a7e2564312) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| 58afe60 | Mans Rullgard | 08 October 2011, 12:49:42 UTC | dca: fix signed overflow in shift Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 559c244d42be7a02c23976216b47fd63b80d6c7f) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| 8c2ae57 | Mans Rullgard | 08 October 2011, 12:41:23 UTC | aacdec: fix undefined shifts Since nnz can be zero, this is needed to avoid a shift by 32. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit d12294304acd82cb219e3f66ca9cd6efb2194fa4) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| 9c78fe9 | Laurent Aimar | 27 September 2011, 12:16:41 UTC | bink: Check for various out of bound writes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit a00676e48e49a3d794d6d2063ceca539e945a4a4) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| c98d788 | Laurent Aimar | 27 September 2011, 12:16:41 UTC | bink: Check for out of bound writes when building tree Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 24adf7832b8370f3c1febbef6c686f574d360d32) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| e52e85a | Mans Rullgard | 08 October 2011, 01:09:42 UTC | put_bits: fix invalid shift by 32 in flush_put_bits() If flush_put_bits() is called when the 32-bit buffer is empty, e.g. after writing a multiple of 32 bits, and invalid shift by 32 is performed. Since flush_put_bits() is called infrequently, this additional check should have negligible performance impact. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit ac6eab1496aad6f8b09deabbef4fe5fd829e142d) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:35 UTC |
| 4faa00b | Alex Converse | 08 October 2011, 00:02:36 UTC | mpegps: Use av_get_packet() instead of poorly emulating it. (cherry picked from commit 98ef887a759c66febcb612407c6bb361c4d50bcb) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 90d7146 | Janne Grunau | 07 October 2011, 16:08:55 UTC | motionpixels: decode only the 111 complete frames for fate Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit c2f2dfb3dd20e036b8b08c0fd1486a3044e8f02a) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 59050c0 | Laurent Aimar | 25 September 2011, 20:06:20 UTC | mpc8: Check out of bound bands limit Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 9bd854b1ff342f82efa6d2ad4e8fefddce5fa731) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| be2404b | Laurent Aimar | 29 September 2011, 03:12:07 UTC | xan: Prevent NULL dereference with missing palette Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 7d17a794f0348ba40d5cda7d969564cb83981001) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 49007b4 | Laurent Aimar | 29 September 2011, 20:38:01 UTC | xan: Check for out of bound reads in xan_huffman_decode() Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 3db3fdf4c669aed9379be430c17f151d4d0697c5) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 0277c82 | Laurent Aimar | 29 September 2011, 03:12:07 UTC | xan: Fixed out of bound accesses in xan_unpack() Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 3e0757c2a87c8cf3e452f67bca279001c64cedff) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 5fa8e43 | Laurent Aimar | 29 September 2011, 03:12:07 UTC | motionpixels: Prevent calling init_vlc() with invalid parameters Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 1cd0a5516396bd6fb54e4df1e7c88ed18416299b) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 737bea2 | Laurent Aimar | 30 September 2011, 01:26:22 UTC | shorten: Fix out of bound writes in fix_bitshift() The data pointers s->decoded[*] already take into account s->nwrap. Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 5f05cf4ea9aaafed8edcabe785c2719786103ec1) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| aa9e308 | Laurent Aimar | 29 September 2011, 23:13:35 UTC | dsicinav: Check for out of bounds writes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 172060328771d149b076f00352b004b5b5272d38) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| d57d039 | Laurent Aimar | 29 September 2011, 23:13:35 UTC | tiertexseqv: Check for out of bound reads Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 64263dd526ec25ede1591fc1144715a20cc7bc4e) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 97a1ab4 | Laurent Aimar | 29 September 2011, 23:13:35 UTC | quickdraw: Check for out of bound reads Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 4fd56f842cbaecf74df94c38f9c10452342f436a) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 914b9b0 | Laurent Aimar | 29 September 2011, 23:13:35 UTC | dsicinav: Check for out of bounds reads Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit e3ca9b93d9f464861638dda3280fcf65e402466a) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 39de0e0 | Laurent Aimar | 29 September 2011, 23:13:35 UTC | motionpixels: Fix the size of workspace buffers Some buffers must be mod 4 in width and/or height. Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 210c80331e0604edf9c800865c26ba06ed3c2082) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| f2f2a00 | Laurent Aimar | 29 September 2011, 23:13:35 UTC | motionpixels: Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit d337dd3a907110b32c6305bb65e4beca5b830c5d) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 905d063 | Laurent Aimar | 27 September 2011, 22:15:31 UTC | wmavoice: Check for corrupted extra data Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit d99427cb8ba099375d8cce6df808d4acf045ab43) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| 9560559 | Laurent Aimar | 27 September 2011, 22:15:31 UTC | wmavoice: Check for out of bound writes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 1c1449b548a2a0bf0295a522051b04107286653c) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| fb20141 | Laurent Aimar | 27 September 2011, 22:15:32 UTC | xan: Prevent NULL dereferences with missing reference frame Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 06be075cda0a6ba8bab8f543571b380884f562ac) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:31 UTC |
| c5766b5 | Laurent Aimar | 27 September 2011, 22:15:31 UTC | bink: Prevent NULL dereferences with missing reference frame Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit c7e631986b4a326a71a20a1a51000f3fbf6e64e7) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| d646cce | Laurent Aimar | 26 September 2011, 22:18:29 UTC | wavpack: Reset internal state on corrupted blocks wavpack_decode_block() supposes that it is called back with the exact same buffer unless it has returned with an error. With multi-channels files, wavpack_decode_frame() was breaking this assumption. Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 2c6cf1394096d08396faadc6e7c0b404fd6df006) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 04b71cd | Laurent Aimar | 26 September 2011, 22:18:29 UTC | wmapro: Validate the number of audio channels before using it Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 2c1ba7994190fa2f1ad430594551070a49353bd1) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| fce03f8 | Laurent Aimar | 25 September 2011, 20:06:19 UTC | mpc8: Fix return value on EOF Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 1e3336de69d1c4c28a5e306fab20555f4078f2d7) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 22949c4 | Laurent Aimar | 02 October 2011, 00:48:12 UTC | shorten: Prevent block size from increasing Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 95010d18b2d808db9a49377e41bc2f7cf4dfa03e) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 8751941 | Laurent Aimar | 27 September 2011, 22:15:33 UTC | xan: Prevent out of bound accesses Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 124a16f678ddcffe8f1825efb29a6e8da1d580ac) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 3e1b598 | Laurent Aimar | 21 September 2011, 18:46:33 UTC | vp56: Release old pictures after a resolution changes Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 3d09d0017d10a0d738141a955c75c555133e41b2) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| efe3fb1 | Laurent Aimar | 21 September 2011, 18:46:30 UTC | vp56: Check for missing reference frame data Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 0ec6d6e9b682318b5b5b5457e09fbf3c4ca41335) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 987f5dc | Laurent Aimar | 11 September 2011, 17:17:43 UTC | cinepak: Fix invalid read access on extra data Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit d239d4b447885cb7c5eee9ce359f34ad6b64f373) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 5bb9ce7 | Laurent Aimar | 17 September 2011, 14:56:35 UTC | cook: Fix js_vlc_bits value validation for joint stereo Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 3a742470a845c24e7c3a40c0a228705ca951e673) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| ea5a5f0 | Laurent Aimar | 06 October 2011, 20:53:41 UTC | segafilm: Check for memory allocation failures in segafilm demuxer. Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 1775b92fee43f0527e2f5892a5a30450fa929722) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 619aab2 | Laurent Aimar | 10 September 2011, 11:28:13 UTC | Fixed deference of NULL pointer in motionpixels decoder. Some of the arguments given to init_vlc() come from the stream and can be corrupted. Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 69a0bce753a5d5556d5bc0888afe390e22611dd8) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 8099d77 | Ronald S. Bultje | 03 October 2011, 15:38:03 UTC | mpegvideo: set correct offset for edge emulation buffer. Using the old code, half of it was unused and the other half was too small for e.g. >8bpp interlaced data, causing random buffer overruns. (cherry picked from commit 330deb75923675224fb9aed311d3d6ce3ec52420) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| bb7fd94 | Ronald S. Bultje | 03 October 2011, 14:37:24 UTC | mpegvideo: fix position of bottom edge. It was wrong in colorspaces where horizontal and vertical chroma subsampling are not the same, e.g. 422. (cherry picked from commit 0884dd5a1b87aff6c8a06e6492dece5cef8f3978) Conflicts: libavcodec/mpegvideo.c Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| ea311af | Chris Rankin | 07 September 2011, 09:17:30 UTC | qcelpdec: fix the return value of qcelp_decode_frame(). Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit bde25700134b98068e2ad21c1f92955a4b489cdc) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:30 UTC |
| 4562f95 | Justin Ruggles | 20 September 2011, 19:27:44 UTC | sipr: fix the output data size check and only calculate it once. (cherry picked from commit 1b5a189f06879338088809b3049ea7620f4e7e78) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:27 UTC |
| fc0e151 | Justin Ruggles | 14 September 2011, 15:39:21 UTC | mpc8: check output buffer size before decoding (cherry picked from commit 5674d4b0a35a34b75e3533a8580e0b5a0a8895a7) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:25 UTC |
| 56fe62e | Justin Ruggles | 14 September 2011, 15:16:42 UTC | mpc7: return error if packet is too small. (cherry picked from commit 8290d1f38b438f1b070de67645c8b4a42014c7ac) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:22 UTC |
| ce3e0d4 | Justin Ruggles | 13 September 2011, 22:53:18 UTC | mpc7: check output buffer size before decoding (cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:20 UTC |
| d46efbe | Justin Ruggles | 14 September 2011, 16:16:05 UTC | nellymoser: check output buffer size before decoding (cherry picked from commit 8b31c086b6065084644b86a63c9171f3094cf6ad) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 151aaf5 | Martin Storsjö | 30 September 2011, 17:30:35 UTC | lavf: Avoid using av_malloc(0) in av_dump_format On OS X, av_malloc(0) returns pointers that cause crashes when freed. Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| f74a4b6 | Stefano Sabatini | 11 June 2011, 09:15:40 UTC | avfiltergraph: use meaningful error codes Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 59cef18c24ab21de4e652e130ac25905c1141f62) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 7fc9aa6 | Justin Ruggles | 13 September 2011, 19:13:44 UTC | flacdec: fix buffer size checking in get_metadata_size() Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. (cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| ce80957 | Justin Ruggles | 24 September 2011, 01:43:43 UTC | sol: return error if av_get_packet() fails. This prevents sending a packet with data=NULL size=AVERROR_EOF. (cherry picked from commit b15a9888a8f8e8cc9784ffd8d5d0307900fb78bb) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 74f4c13 | Laurent Aimar | 24 September 2011, 14:16:38 UTC | flvdec: Fix invalid pointer deferences when parsing index Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 2b4e49d4281690db67073ba644ad2ffc17767cdf) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 8475df8 | Peter Ross | 23 April 2011, 12:08:48 UTC | permit decoding of multichannel ADPCM_EA_XAS Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3a549eb82be709d633a0ba964b037ee2f700e0c9) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 282a1a9 | Reimar Döffinger | 08 September 2011, 02:14:07 UTC | Fix input buffer size check in adpcm_ea decoder. Unfortunately the output buffer size check assumes that the input buffer is never over-consumed, thus this actually also allowed to write outside the output buffer if "lucky". Based on: git.videolan.org/ffmpeg.git commit 701d0eb185192542c4a17f296e39e37cedf7abc6 (cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 2ba8606 | Sean McGovern | 20 September 2011, 01:32:09 UTC | fft: avoid a signed overflow As a signed integer, 1<<31 overflows, so force it to unsigned. Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:17 UTC |
| 2f62b67 | Alex Converse | 23 September 2011, 23:28:23 UTC | mpegps: Handle buffer exhaustion when reading packets. (cherry picked from commit 9fba8ebe0acdc28193d37b5e1f4c0d73c589ede2) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:14 UTC |
| 684f671 | Alex Converse | 21 September 2011, 22:26:35 UTC | mp4: Don't read an empty Decoder Config Descriptor (cherry picked from commit 1c2e07b8111b24f62b8d1bda62907848e34dfbcb) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:11 UTC |
| 000bd52 | Laurent Aimar | 21 September 2011, 18:46:31 UTC | rv34: Check for invalid slices offsets Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 18 March 2012, 16:50:11 UTC |
| 047c6ad | Ronald S. Bultje | 10 February 2012, 06:57:01 UTC | h264: disallow constrained intra prediction modes for luma. Conversion of the luma intra prediction mode to one of the constrained ("alzheimer") ones can happen by crafting special bitstreams, causing a crash because we'll call a NULL function pointer for 16x16 block intra prediction, since constrained intra prediction functions are only implemented for chroma (8x8 blocks). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a) Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 19 February 2012, 14:41:16 UTC |
| 6362264 | Mans Rullgard | 11 October 2011, 15:00:21 UTC | h264: fix HRD parameters parsing The bit_rate_value_minus1 and cpb_size_value_minus1 elements allow a wider range than get_ue_golomb() supports. This adds a get_ue_golomb_long() function supporting up to 31 leading zeros, which is the maximum for these syntax elements, and uses it in decode_hrd_parameters(). Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:43 UTC |
| ccb3b71 | Mans Rullgard | 11 October 2011, 11:58:31 UTC | h264: fix invalid shifts in init_cavlc_level_tab() The level_code expression includes a shift which is invalid in those cases where the value is not used. Moving the calculation to the branch where the result is used avoids these. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 8babfc033ecb6332155c1f8879e54dee41d16952) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:43 UTC |
| 4ed486d | Mans Rullgard | 10 October 2011, 23:58:03 UTC | h264: fix detection of optional trailing PPS elements The PPS may contain a few trailing elements whose presence is only signalled by data remaining after the the mandatory part has been parsed. The current code fails to take into account the rbsp_trailing_bits() when deciding whether to parse these optional elements. Assuming no unnecessary padding bytes are passed to this function, the optional elements are present if either more than 8 extra bits remain or the remaining bits do not form a valid rbsp_trailing_bits() after the mandatory PPS elements have been parsed. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit be1242a3f2b28e9cb08515bdc1db6c14403c279a) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:42 UTC |
| ba31a01 | Laurent Aimar | 02 October 2011, 14:03:47 UTC | h264: reset h->ref_count in case of errors in ff_h264_decode_ref_pic_list_reordering() Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 4c7a232fc81fdbdee279ab819a255f624a22b083) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:42 UTC |
| 1e809ab | Mans Rullgard | 08 October 2011, 20:22:06 UTC | h264pred: use unsigned types for pixel values, fix signed overflows Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:42 UTC |
| c6bb93d | Michael Niedermayer | 03 October 2011, 22:14:48 UTC | H264: Only wait before triggering ff_thread_setup_complete() until the next slice that contains a start-of-field/frame macroblock This allows concurrent decoding of the last field/frame, rather than only the last slice, of data packets with multiple NAL units packed together. This will fix the slowdown reported in e.g. bug 52. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 14c21c1ff509eac97f6437aeb51202b15af3a700) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:42 UTC |
| 485f85a | Ronald S. Bultje | 03 October 2011, 15:41:51 UTC | h264: correct implicit_weight for field-interlaced pictures. (cherry picked from commit 4418aa9cb3b2f0b83748e37d2952560cf84b3611) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:42 UTC |
| ec2a1d9 | Laurent Aimar | 24 September 2011, 14:16:39 UTC | h264: check for out of bounds reads in ff_h264_decode_extradata(). Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit d1186ff72d75b6067770890758c4feb92abd84f7) Signed-off-by: Anton Khirnov <anton@khirnov.net> | 19 February 2012, 14:08:42 UTC |
| 958e0f7 | Stefano Sabatini | 19 June 2011, 20:07:18 UTC | lavfi: fix realloc size computation in avfilter_add_format() Replace sizeof((*avff)->formats) with sizeof(*(*avff)->formats) as the size of the array element is given by the pointed element rather than by its pointer. In particular fix computation with the pending patch when sizeof(int64_t) != sizeof(int64_t *). Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 0ec56d1144fa4ea36950295987bb5f49c9747046) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 08 February 2012, 14:04:21 UTC |
| 734a9bb | Stefano Sabatini | 12 August 2011, 06:42:35 UTC | vf_unsharp: fix out-of-buffer read In apply_unsharp(), when y is >= height, prevent out-of-buffer reading from src, read from the last buffer line in src2 instead. The check was implemented in the original unsharp libmpcodecs code and lost in the port. This also fixes output discrepancy between the two filters. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 998e8519efbc772994c5ba19c0d39573998be9db) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 08 February 2012, 13:38:31 UTC |
| 7f62cf1 | Michael Niedermayer | 26 August 2011, 23:49:55 UTC | vf_scale: apply the same transform to the aspect during init that is applied per frame Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit d33e0c6bc819048b05c168d304fba7bdd75a80e1) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 08 February 2012, 13:38:31 UTC |
| af58dd4 | Stefano Sabatini | 04 July 2011, 09:15:14 UTC | vf_pad: fix "vsub" variable value computation It was shifting 2 rather than 1, +10l. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 80de930a781c177dc54f3836f57aa8959597bcda) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 08 February 2012, 13:38:31 UTC |
| 5c9ca59 | Stefano Sabatini | 03 August 2011, 22:25:35 UTC | vf_yadif: correct documentation on the parity parameter 0 is top-field-first, 1 is bottom-field-first, not the other way around. Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 4703a7b50b098a53ec2f806bd41a00fd87ea9d8c) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 08 February 2012, 13:38:27 UTC |
| 4a22876 | Joakim Plate | 14 July 2011, 20:31:37 UTC | vf_yadif: copy buffer properties like aspect for second frame as well Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 5feb67f8a1a17a4dd3cec0aa80ef0dc543fc7673) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de> | 08 February 2012, 13:38:19 UTC |
| 3a3f2b5 | Michael Niedermayer | 12 January 2012, 21:25:00 UTC | Update for 0.8.10 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 21:25:00 UTC |
| 8935e74 | Michael Niedermayer | 25 December 2011, 11:28:50 UTC | shorten: Fix invalid free() Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:55:59 UTC |
| 4ad5618 | Michael Niedermayer | 24 December 2011, 05:17:12 UTC | j2kdec: Fix crash in get_qcx Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:55:38 UTC |
| 6b4c38b | Michael Niedermayer | 24 December 2011, 04:06:20 UTC | j2kdec: Check curtileno for validity Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:54:42 UTC |
| 049b08d | Michael Niedermayer | 17 December 2011, 02:18:58 UTC | atrac3: Fix crash in tonal component decoding. Fixes Ticket780 Bug Found by: cosminamironesei Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:54:09 UTC |
| 8454d81 | Michael Niedermayer | 15 December 2011, 01:43:03 UTC | h264: check chroma_format_idc range. Fixes Ticket758 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:52:50 UTC |
| 6f0e349 | Michael Niedermayer | 15 December 2011, 02:59:29 UTC | aacsbr: Fix memory corruption. Fixes Ticket760 and Ticket761 Bug Found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 944f5b2779e4aa63f7624df6cd4de832a53db81b) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:52:43 UTC |
| 56173ea | Michael Niedermayer | 16 December 2011, 03:16:01 UTC | j2kdec: Fix integer overflow leading to a segfault Fixes Ticket776 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1f99939a6361e2e6d6788494dd7c682b051c6c34) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:52:31 UTC |
| d80db23 | Michael Niedermayer | 24 December 2011, 23:10:27 UTC | ws_snd1: Fix wrong samples count and crash. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5257743aee0c3982f0079e6553aabc6aa39401d2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:52:10 UTC |
| c4cc858 | Stefano Sabatini | 27 December 2011, 14:15:02 UTC | lavfi: add missing check in avfilter_filter_samples() Avoid out-of-buffer data access when nb_channels is 8. (cherry picked from commit ae21776207e8a2bbe268e7c9e203f7599dd87ddb) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | 12 January 2012, 20:52:03 UTC |
