- 05 May, 2017 1 commit
-
-
Michael Niedermayer authored
avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' Fixes: 1080/clusterfuzz-testcase-5353236754071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 07 Apr, 2017 1 commit
-
-
Michael Niedermayer authored
avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' Fixes: 619/clusterfuzz-testcase-5803914534322176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 29 Mar, 2017 1 commit
-
-
Clément Bœsch authored
-
- 18 Nov, 2016 1 commit
-
-
Alexandra Hájková authored
Signed-off-by: Anton Khirnov <anton@khirnov.net>
-
- 28 Oct, 2016 1 commit
-
-
Diego Biurrun authored
-
- 26 Oct, 2016 2 commits
-
-
Michael Niedermayer authored
Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes out of array access Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 18 Sep, 2016 1 commit
-
-
Paul B Mahol authored
Fixes #5825. If h == 1, second decode_rle() fails. Regression since: 3f0a3e9e. Signed-off-by: Paul B Mahol <onemda@gmail.com>
-
- 11 May, 2016 1 commit
-
-
Diego Biurrun authored
This avoids unused variable warnings after the next version bump. Also drop a trace level av_log() call that is in the way.
-
- 06 Dec, 2015 1 commit
-
-
Ganesh Ajjanagadde authored
Likely accidental in 764900d6. Fixes: CID 1341578. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
-
- 04 Dec, 2015 1 commit
-
-
Clément Bœsch authored
-
- 22 Nov, 2015 1 commit
-
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 17 Nov, 2015 1 commit
-
-
Luca Barbato authored
CC: libav-stable@libav.org
-
- 10 Nov, 2015 1 commit
-
-
Andreas Cadhalpun authored
If it is negative, it causes segmentation faults in decode_rle. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-
- 21 Oct, 2015 1 commit
-
-
Vittorio Giovara authored
Use the new fields directly instead of the ones from AVPicture. This removes a layer of indirection which serves no practical purpose whatsoever, and will help in removing AVPicture structure completely later. Every subtitle encoder/decoder seamlessly points to the new arrays, so it is possible to deprecate AVSubtitleRect.pict. Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
-
- 22 Sep, 2015 3 commits
-
-
wm4 authored
-
wm4 authored
If cmd_pos is broken, this would just keep accumulating packets in the reassembly buffer, until it fails and flushes the buffer on overflow. Since packets are usually rather small, this will take a lot of subtitle packets. The perceived effect is that subtitles are not displayed anymore after the faulty packet was passed to the decoder. I'm not terribly sure about this, but on the other hand this code is active only when fragmented packets need to be reassembled. Fixes sample file in trac issue #4872.
-
wm4 authored
Assuming the first and second packets are partial, this would append the reassembly buffer (ctx->buf) to itself with the second append_to_cached_buf() call, because buf is set to ctx->buf. I do not know a valid sample file which triggers this, and do not know if packets can be split into more than 2 sub-packets, but it triggered with a (differently) broken sample file in trac issue #4872.
-
- 21 Sep, 2015 1 commit
-
-
wm4 authored
-
- 28 May, 2015 2 commits
-
-
wm4 authored
This is needed for proper operation with seeking. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
wm4 authored
Otherwise it will never be reset, and remain "stuck" in this state forever. Can happen when seeking: the decoder will receive fragments from different file positions, which triggers the condition easily. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 19 Apr, 2015 1 commit
-
-
Vittorio Giovara authored
-
- 17 Feb, 2015 1 commit
-
-
Vittorio Giovara authored
-
- 08 Jan, 2015 2 commits
-
-
wm4 authored
dvdsub_decode() can call append_to_cached_buf() 2 times, the second time with ctx->buf as argument. If the second append_to_cached_buf() reallocs ctx->buf, the argument will be a pointer to the previous, freed block. This can cause invalid reads at least with some fuzzed files - and possibly with valid files. Since packets can apparently not be larger than 64K (even if packets are combined), just use a fixed size buffer. It will be allocated as part of the DVDSubContext, and although some memory is "wasted", it's relatively minimal by modern standards and should be acceptable. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
wm4 authored
Attempting to decode them could lead to invalid writes with some fuzzed samples. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 05 Jan, 2015 1 commit
-
-
wm4 authored
The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 13 Dec, 2014 1 commit
-
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 21 Nov, 2014 1 commit
-
-
Luca Barbato authored
CC: libav-stable@libav.org Bug-Id: CID 1198262
-
- 16 Nov, 2014 1 commit
-
-
Michael Niedermayer authored
Fixes CID1254660 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 15 Nov, 2014 1 commit
-
-
Shin-ichi Toyama authored
Suggested-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 22 Sep, 2014 1 commit
-
-
Nicholas Robbins authored
Signed-off-by: Nicholas Robbins <nickrobbins@yahoo.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 19 Sep, 2014 1 commit
-
-
Michael Niedermayer authored
Found-by: Nicholas Robbins <nickrobbins-at-yahoo.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 16 Aug, 2014 1 commit
-
-
Michael Niedermayer authored
Reviewed-by: James Darnley <james.darnley@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 15 Aug, 2014 2 commits
-
-
Gabriel Dume authored
Signed-off-by: Diego Biurrun <diego@biurrun.de>
-
Gabriel Dume authored
Signed-off-by: Diego Biurrun <diego@biurrun.de>
-
- 31 Jul, 2014 1 commit
-
-
Michael Niedermayer authored
Fixes assertion failure Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 03 Jul, 2014 2 commits
-
-
Oliver Fromme authored
improve the debugging function for saving subtitles to PPM files: Actually use the alpha channel. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
Oliver Fromme authored
Fix an off-by-one error that causes the height of decoded subtitles to be too small, thus cutting off the lowest row of pixels. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-
- 04 Apr, 2014 1 commit
-
-
Diego Biurrun authored
-
- 13 Mar, 2014 1 commit
-
-
Diego Biurrun authored
Also switch from "tbl" to "tab" name suffixes.
-