path: root/libavcodec
Commit message | Author | Age | Files | Lines
* avcodec/apedec: Check length in long_filter_high_3800() | Michael Niedermayer | 2015-12-20 | 1 | -0/+3
  Fixes out of array read
  Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vp3: always set pix_fmt in theora_decode_header() | Michael Niedermayer | 2015-12-20 | 1 | -1/+2
  Fixes assertion failure
  Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_7ffff6ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/utils: Clear dimensions in ff_get_buffer() on failure | Michael Niedermayer | 2015-12-20 | 1 | -1/+3
  Fixes out of array access
  Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() | Michael Niedermayer | 2015-12-20 | 1 | -2/+2
  Fixes integer overflow
  Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vp3: Clear context on reinitialization failure | Michael Niedermayer | 2015-12-20 | 1 | -4/+6
  Fixes null pointer dereference
  Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/hevc: allocate entries unconditionally | Michael Niedermayer | 2015-12-20 | 1 | -3/+1
  Fixes out of array access
  Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/hevc_cabac: Fix multiple integer overflows | Michael Niedermayer | 2015-12-20 | 1 | -3/+7
  Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() | Michael Niedermayer | 2015-12-20 | 1 | -0/+3
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() | Michael Niedermayer | 2015-12-20 | 1 | -0/+3
  Fixes out of array access
  Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/hevc: Check entry_point_offsets | Michael Niedermayer | 2015-12-20 | 1 | -1/+7
  Fixes out of array read
  Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/cabac: Check initial cabac decoder state | Michael Niedermayer | 2015-12-20 | 5 | -5/+15
  Fixes integer overflows
  Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Found-by: xiedingbao (Ticket4727)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8)
  Conflicts: libavcodec/cabac.h
  Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c
* avcodec/cabac_functions: Fix "left shift of negative value -31767" | Michael Niedermayer | 2015-12-20 | 1 | -1/+2
  Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Found-by: xiedingbao (Ticket4727)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized | Michael Niedermayer | 2015-12-20 | 1 | -0/+1
  Fixes out of array access
  Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup | Michael Niedermayer | 2015-12-20 | 1 | -1/+1
  The variable is not a constant and can lead to race conditions
  Fixes: repro.webm (not reproducible with FFmpeg alone)
  Found-by: Dale Curtis <dalecurtis@google.com>
  Tested-by: Dale Curtis <dalecurtis@google.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/mpeg4videodec: Check available data before reading custom matrix | Michael Niedermayer | 2015-12-17 | 1 | -0/+8
  Fixes: out of array read
  Fixes: 76c515fc3779d1b838667c61ea13ce92/asan_heap-oob_1fc0d07_8913_794a4629a264ebdb25b58d3a94ed1785.bit
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 891dc8f87536ac2ec695c70d081345224524ad99)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* mjpegdec: consider chroma subsampling in size check | Andreas Cadhalpun | 2015-12-17 | 1 | -3/+8
  If the chroma components are subsampled, smaller buffers are allocated for them. In that case the maximal block_offset for the chroma components is not as large as for the luma component.
  This fixes out of bounds writes causing segmentation faults or memory corruption.
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* avcodec/dirac_parser: Check that there is a previous PU before accessing it | Michael Niedermayer | 2015-12-17 | 1 | -1/+1
  Fixes out of array read
  Fixes: 99d142c47e6ba3510a74b872a1a2ae72/asan_heap-oob_11b36f4_3811_0f5c69e7609a88a580135678de1df844.dxa
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a08681f1e614152184615e2bcd71c3d63835f810)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* sonic: make sure num_taps * channels is not larger than frame_size | Andreas Cadhalpun | 2015-12-17 | 1 | -0/+7
  If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements.
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* opus_silk: fix typo causing overflow in silk_stabilize_lsf | Andreas Cadhalpun | 2015-12-17 | 1 | -1/+1
  Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc.
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* golomb: always check for invalid UE golomb codes in get_ue_golomb | Andreas Cadhalpun | 2015-12-17 | 1 | -1/+1
  Also correct the check to reject log < 7, because UPDATE_CACHE only guarantees 25 meaningful bits.
  This fixes undefined behavior: runtime error: shift exponent is negative
  Testing with START/STOP timers in get_ue_golomb, one for the first branch (A) and one for the second (B), shows that there is practically no slowdown, e.g. for the cavs decoder:
  With the check in the B branch:
  629 decicycles in get_ue_golomb B, 4194260 runs, 44 skips
  433 decicycles in get_ue_golomb A,268434102 runs, 1354 skips
  Without the check:
  624 decicycles in get_ue_golomb B, 4194273 runs, 31 skips
  433 decicycles in get_ue_golomb A,268434203 runs, 1253 skips
  Since the B branch is executed far less often than the A branch, this change is negligible, even more so for the h264 decoder, where the ratio B/A is a lot smaller.
  Fixes: mozilla bug 1230239
  Fixes: fbeb8b2c7c996e9b91c6b1af319d7ebc/asan_heap-oob_195450f_2743_e8856ece4579ea486670be2b236099a0.bit
  Found-by: Tyson Smith
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit 22e960ad478e568f4094971a58c6ad8f549c0180)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* aaccoder: prevent crash of anmr coder | Andreas Cadhalpun | 2015-12-17 | 1 | -1/+1
  If minq is negative, the range of sf_idx can be larger than SCALE_MAX_DIFF allows, causing assertion failures later in encode_scale_factors.
  Reviewed-by: Claudio Freire <klaussfreire@gmail.com>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* avcodec/ffv1dec: Clear quant_table_count if it's invalid | Michael Niedermayer | 2015-12-02 | 1 | -0/+1
  Fixes deallocation of corrupted pointer
  Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
  No releases affected
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb)
  Fixes ticket #5052.
* avcodec/ffv1dec: Print an error if the quant table count is invalid | Michael Niedermayer | 2015-12-02 | 1 | -1/+3
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)
* mpegvideo: clear overread in clear_context | Andreas Cadhalpun | 2015-11-26 | 1 | -0/+1
  Otherwise the h263p decoder can try to copy overread bytes, even though buffer is NULL.
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit 6a69a175e7b5c5393528ed0f5753e41573fa0df2)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* dvdsubdec: validate offset2 similar to offset1 | Andreas Cadhalpun | 2015-11-26 | 1 | -1/+1
  If it is negative, it causes segmentation faults in decode_rle.
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit f621749d1181987b3f815c6766ea66d6c5d55198)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* aacdec: don't return frames without data from aac_decode_er_frame | Andreas Cadhalpun | 2015-11-26 | 1 | -0/+5
  This is similar to commit ec38a1b for aac_decode_frame_int.
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit d7f29bfa6985e3eea2033dba0449e47b41b85928)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* avcodec/takdec: Use memmove, avoid undefined memcpy() use | Michael Niedermayer | 2015-11-26 | 1 | -1/+1
  Fixes: e214333cbd94c91228e624ff39329ce6/asan_generic_4a5159_6412_96cda2530e80607210ab41ccae3d456d.tak
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 7cea3430a56fb0ff6ef60f08620fd3875e7bfeb6)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* s302m: fix arithmetic exception | Andreas Cadhalpun | 2015-11-26 | 1 | -4/+2
  If nb_samples is zero, the bit_rate calculation results in a division by zero.
  Since ff_get_buffer fails if frame->nb_samples is zero, this can be fixed by moving the bit_rate calculation after that function call. That also makes it possible to reuse the already calculated frame->nb_samples value.
  Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
  (cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* avcodec/s302m: Only set the sample rate when some data is output | Michael Niedermayer | 2015-11-26 | 1 | -1/+2
  This way ffplay chooses the mp2 stream for Ticket3890
  Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
  (cherry picked from commit 802cca5905abe1fe8392e85a812462b959889aaa)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* vp9: add support for resolution changes in inter frames. | Ronald S. Bultje | 2015-11-26 | 5 | -171/+535
  Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
  (cherry picked from commit e8b4f6d6befc5062db74916ea8a4d830e83022a8)
  Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions | Michael Niedermayer | 2015-11-19 | 1 | -4/+4
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 65d3359fb366ea265a8468d76a111cb7352f0b55)
  Conflicts: libavcodec/jpeg2000dec.c
* avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range | Michael Niedermayer | 2015-11-19 | 1 | -0/+4
  Fixes potential integer overflows
  Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi
  This fix is chosen to be simple to backport, better solution for master is planned
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 6ef819c40bcc2175edba7ce9e20c3036c01b36b9)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/jpeg2000: Check comp coords to be within the supported size | Michael Niedermayer | 2015-11-19 | 1 | -0/+5
  Fixes assertion failure
  Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi
  This fix is chosen to be simple to backport, better solution for master is planned
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a1a8cbcb35ef2759a66b4f0875785e4b3f277057)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() | Michael Niedermayer | 2015-11-19 | 1 | -1/+5
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 016fd413f9168816924f21c0c1ffb578f7226221)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/wmaprodec: Check for overread in decode_packet() | Michael Niedermayer | 2015-11-19 | 1 | -0/+5
  Fixes assertion failure
  Fixes: 0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_7ffff6ae7cc9_1358_999ac18684788221490757582ce9af84.wma
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 7ad698e24e6b9dde57c4e01c145bcddfe9d6e4a3)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/smacker: Check that the data size is a multiple of a sample vector | Michael Niedermayer | 2015-11-19 | 1 | -0/+4
  Fixes out of array access
  Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/takdec: Skip last p2 sample (which is unused) | Michael Niedermayer | 2015-11-19 | 1 | -1/+1
  Fixes out of array read
  Fixes: cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 08b520636e96ba6888b669b9b3f4c414631ea1d2)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() | Michael Niedermayer | 2015-11-19 | 1 | -1/+1
  Fixes potential out of array read
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 76b6f4b7d91901929177cc61d9810dcca0bb40c1)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() | Michael Niedermayer | 2015-11-19 | 1 | -1/+1
  Fixes out of array read
  Fixes: c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 9caa9414ccf2dcf8aee2695377dee830a5024c82)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/error_resilience: avoid accessing previous or next frames tables beyond height | Michael Niedermayer | 2015-11-19 | 1 | -5/+10
  The height of tables can be rounded up for MBAFF but this does not imply that is also true for the previous frames
  Fixes out of array reads
  Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a105f52855d08e4ab1ed7306da8e32fc90d6d647)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dpx: Move need_align to act per line | Michael Niedermayer | 2015-11-19 | 1 | -2/+2
  Fixes out of array read
  Fixes: 61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit c8aaae8e0f1519bc99bd717ea3067c9cfdb68def)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/flashsv: Check size before updating it | Michael Niedermayer | 2015-11-19 | 1 | -0/+8
  Fixes out of array read
  Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/ivi: Check image dimensions | Michael Niedermayer | 2015-11-19 | 1 | -1/+2
  Fixes integer overflow
  Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit df91aa034b82b77a3c4e01791f4a2b2ff6c82066)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/utils: Better check for channels in av_get_audio_frame_duration() | Michael Niedermayer | 2015-11-19 | 1 | -1/+1
  Fixes integer overflow
  Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4e16ad2868a1819de6680fc355a8eb20164adaea)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/jpeg2000dec: Check for duplicate SIZ marker | Michael Niedermayer | 2015-11-19 | 1 | -0/+5
  Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 44a7f17d0b20e6f8d836b2957e3e357b639f19a2)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/jpeg2000dec: Clip all tile coordinates | Michael Niedermayer | 2015-11-19 | 1 | -4/+4
  Fixes out of array access
  Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167)
  Conflicts: libavcodec/jpeg2000dec.c
* avcodec/hevc_ps: Check chroma_format_idc | Michael Niedermayer | 2015-11-19 | 1 | -0/+3
  Fixes out of array access
  Fixes: 24d05e8b84676799c735c9e27d97895e/asan_heap-oob_1b70f6a_2955_7c3652a7f370f9f3ef40642bc2c99bb2.bit
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 93f30f825c08477fe8f76be00539e96014cc83c8)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/microdvddec: Check for string end in 'P' case | Michael Niedermayer | 2015-11-19 | 1 | -0/+2
  Fixes out of array read
  Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dirac_parser: Fix undefined memcpy() use | Michael Niedermayer | 2015-11-19 | 1 | -1/+1
  Fixes: 9d375e415486edd1a0c826f2307d89a4/asan_generic_4a5159_1577_faa333e83dacdd9e4dd322380aeed537.iss
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit daefd8ab2f2aeb90cd53cb75445faffdc7a3cc79)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/mpeg12dec: Do not call show_bits() with invalid bits | Michael Niedermayer | 2015-11-19 | 1 | -1/+1
  Fixes assertion failure
  Fixes: 63e50545709a6440d3d59f6426d58db9/signal_sigabrt_7ffff6ae7cc9_8189_3272a3010fd98ddf947c662bbde1ac13.ts
  Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 973c3dba27d0b1a88c70f6661b6a90d2f2e50665)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>