Fixes: out of array access:
Fixes: tickets/10745/poc12ffmpeg
Found-by: Li Zeyuan and Zeng Yunxiang.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7deaca71b3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: tickets/10744/poc11ffmpeg
Found-by: Li Zeyuan and Zeng Yunxiang.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a88b06f9ee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: tickets/10746/poc13ffmpeg
Found-by: Zeng Yunxiang
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 50f0f8c53c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: tickets/10743/poc10ffmpeg
Found-by: Zeng Yunxiang and Li Zeyuan
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0ecc1f0e48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The code works in steps of 2 lines and lacks support for odd height
Implementing odd height support is better but for now this fixes the
out of array access
Fixes: out of array access
Fixes: tickets/10702/poc6ffmpe
Found-by: Zeng Yunxiang
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4d2666bdc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: CID1403233
The second of the 2 changes may be unneeded but will help coverity
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd6040675e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Instead of the potentially adjusted ones. Otherwise, if config_props() is
called again and if using force_original_aspect_ratio, the already adjusted
values could be altered again.
Example command line
scale=size=1920x1000:force_original_aspect_ratio=decrease:force_divisible_by=2
user value 1920x1000 -> 1920x798 on init_dict() -> 1918x798 on frame
change when eval_mode == EVAL_MODE_INIT, which after e645a1ddb9 could be at the
very first frame.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d9e3cb7e73)
Currently an error from init could be overwritten by successfully
setting the enable expression.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 10ad3cd798)
Fix this by switching to av_dynarray_add_nofree() which is more
natural anyway because the entries of the array are pointers.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 05c1f78a72)
When an flite filter instance is uninitialized and the refcount
of the corresponding voice_entry reaches zero, the voice is
unregistered, yet the voice_entry's pointer to the voice is not reset.
(Whereas some other pointers are needlessly reset.)
Because of this a new flite filter instance will believe said voice
to already be registered, leading to use-after-frees.
Fix this by resetting the right pointer instead of the wrong ones.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 18ddb25c7a)
Could also happen if initializing flite failed* or if an unknown voice
has been selected or if registering the voice failed.
*: which it currently can't, because it is a no-op.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 304cc03798)
This reverts commit 723c37d3b7.
Said commit was in preparation for auto-inserting the idet filter.
This has never happened; even if it did, the code is wrong, because
it segfaults if the filter instance doesn't have a name (having one
is not mandatory). Furthermore, it is documented for libavfilter to
not assign any semantics to the name, which this check violates.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit f626a3d0e0)
Fixes: floating point division by 0
Fixes: -nan is outside the range of representable values of type 'int'
Fixes: Ticket8307
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f49fa6abe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 1.04064e+10 is outside the range of representable values of type 'int'
Fixes: Ticket 8279
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f21349d20)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This fixes the passing through of non-RGB matrix from input to
output when conversion from YCbCr to RGB happens.
(cherry picked from commit 2818b14392)
Fixes passing through mismatching metadata from the input side
when RGB input (from f.ex. H.264 or HEVC) gets converted to YCbCr.
Fixes#9132
(cherry picked from commit 9dd410c804)
The early return caused isses for the "add" mode (got fixed in
c95dfe5cce) and the "select" mode needs a similar
fix. It is probably better to fully remove the check, since all modes work
correctly with NULL metadata.
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit 758e2da289)
Fixes: floating point division by 0
Fixes: undefined behavior in handling NaN
Fixes: Ticket 8268
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d500e62f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: Ticket8240
Fixes: CVE-2020-22021
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7971f62120)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
by keeping the variable uint32_t which in this situation is the natural
type anyway. This affected the FATE-test filter-paletteuse-sierra2_4a.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 797c2ecc8f)
by using a multiplication instead. The multiplication can never overflow
an int because the sin-factor is only an int16_t.
Affected the FATE-tests filter-concat and filter-concat-vfr.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 55b46902c1)
