In most places where it's used, it's as a pointless write-only field.
Only rv10 decoder actually reads from it, but it stores some internal
version info in it. There is no reason for it to be in a public field.
It appears there are corner cases with damaged input that can lead
to small overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Code ported from qatar/master, please see there for per line authorship.
Main authors AFAIK are Ronald and Justin. I have no authorship on this.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Instead of clipping extrasize based on EXTRABYTES, clip based on the
amount of buffer actually left. Without this fix, there are warbles
and other distortions in the test case below.
http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3
If bufsize < headersize, init_get_bits() will be called with a negative
number, causing it to fail and any subsequent call to get_bits() will
crash because it reads from a NULL pointer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
In some cases, what is left to read from ptr is smaller than EXTRABYTES.
Based on a patch by Thierry Foucu <tfoucu@gmail.com>.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
The safe bitstream reader does not allow using skip_bits_long() to seek to a
point before the start of the buffer, which was needed by the mp3 decoder.
This change instead calculates the start point of the first valid granule and
skips to that position.
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
The buffer splicing relies on the bitstream reader over-reading
the end of the buffer as declared in init_get_bits(), although
more data is actually present. Manually moving the bitstream
boundary after init_get_bits() allows this to work as expected.
Signed-off-by: Mans Rullgard <mans@mansr.com>
Pass the correct size in bits to mpeg4audio_get_config and add a flag
to disable parsing of the sync extension when the size is not known.
Latm with AudioMuxVersion 0 does not specify the size of the audio
specific config. Data after the audio specific config can be
misinterpreted as sync extension resulting in random and wrong configs.
The documentation for CODEC_CAP_PARSE_ONLY and AVCodecContext.parse_only
indicates that they are utilized through avcodec_parse_frame(), which was
never actually implemented.
Its functionality was removed several years ago, so it doesn't do anything.
AVCodecContext.frame_number could serve the same purpose if someone
wants to debug the frame count.
On frame decoding failure, return an error if the frame is the same size as
the whole packet, otherwise just log an error message and return the number
of bytes consumed.