Commit graph

48937 commits

Author SHA1 Message Date
Nuo Mi
0ecd15b839
avcodec/cbs_h266: more restrictive check on pps_tile_idx_delta_val
Fixes: out of array access
Fixes: 62603/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5837632490569728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ce0c178a40)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-12-29 13:18:59 +01:00
Pierre-Anthony Lemieux
fb724ad64e
avcodec/jpeg2000htdec: check if block decoding will exceed internal precision
Intended to replace 2023080200.26482-3-michael@niedermayer.cc/
with a more accurate block decoding magnitude bound.

Fixes: 62433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5828618092937216
Fixes: 58299/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5828618092937216
Previous-version-reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1384b4e86)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-12-29 13:18:58 +01:00
Michael Niedermayer
d93b0009c4
avcodec/av1dec: Fix resolving zero divisor
Fixes: Out of array read
Fixes: global-buffer-overflow-AV1

Found-by: "Leonelli, Matteo" <matteo.leonelli@cispa.de>
Tested-by: "Wang, Fei W" <fei.w.wang@intel.com>
Reviewed-by: "Wang, Fei W" <fei.w.wang@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 22daf2148f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-12-29 13:18:58 +01:00
Haihao Xiang
d596225a57 lavc/qsvdec: return 0 if more data is required
The type of qsv decoders is FF_CODEC_CB_TYPE_DECODE which must not
return AVERROR(EAGAIN). commit 42b20c9 added an assertion to check the
returned value.

Signed-off-by: Haihao Xiang <haihao.xiang@intel.com>
(cherry picked from commit e233f3e75f)
2023-12-29 13:19:11 +08:00
Leo Izen
1a3ec3f2f8
avcodec/jpegxl_parser: check ANS cluster alphabet size vs bundle size
The specification doesn't mention that clusters cannot have alphabet
sizes greater than 1 << bundle->log_alphabet_size, but the reference
implementation rejects these entropy streams as invalid, so we should
too. Refusing to do so can overflow a stack variable that should be
large enough otherwise.

Fixes #10738.

Found-by: Zeng Yunxiang and Li Zeyuan
Signed-off-by: Leo Izen <leo.izen@gmail.com>
2023-12-27 10:25:05 -05:00
Lynne
2c87aa0b23 lavc/Makefile: build vulkan decode code if vulkan_av1 has been enabled
Forgotten.

Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Tested-by: Neal Gompa <ngompa13@gmail.com>
(cherry picked from commit 8c117b75af)
2023-12-04 07:59:03 +01:00
Anton Khirnov
111035ccae lavc/dvdsubenc: only check canvas size when it is actually set
Fixes #10650

(cherry picked from commit 5230257ea1)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2023-12-02 11:32:08 +01:00
Dmitry Rogozhkin
466799d4f5 avcodec/decode: validate hw_frames_ctx when AVHWAccel.free_frame_priv is used
Validate that a hw_frames_ctx is available before using it for
the AVHWAccel.free_frame_priv callback, and don't require it to
be present when the callback is not in use by the HWAccel.

v2: check for free_frame_priv (Hendrik)
v3: return EINVAL (Christoph Reiter)
v4: better commit message (Hendrik)
v5: fix typo with missed frames_ctx (Lynne)

See[1]: https://github.com/msys2/MINGW-packages/pull/19050
Fixes: be07145109 ("avcodec: add AVHWAccel.free_frame_priv callback")
CC: Lynne <dev@lynne.ee>
CC: Christoph Reiter <reiter.christoph@gmail.com>
Signed-off-by: Dmitry Rogozhkin <dmitry.v.rogozhkin@intel.com>
(cherry picked from commit e9c93009fc)
2023-11-22 10:16:10 +01:00
Sebastian Ramacher
c7fe7ee8d4 avcoded/fft: Fix memory leak if ctx2 is used
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 250471ea17)
2023-11-12 14:51:28 -03:00
Sebastian Ramacher
af912d80d8 avcodec/fft: Use av_mallocz to avoid invalid free/uninit
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a562cfee2e)
2023-11-12 14:51:28 -03:00
Michael Niedermayer
56b50b945b
avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1
Fixes: out of array access
Fixes: 62467/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: "Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics" <d.kozinski@samsung.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ac4e3e188a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:21 +01:00
Michael Niedermayer
d57ea70234
avcodec/4xm: Check for cfrm exhaustion
Fixes: index -1 out of bounds for type 'CFrameBuffer [100]'
Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bb0a684d93)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:21 +01:00
Michael Niedermayer
962d667964
avcodec/flicvideo: consider width in copy loops
Fixes: out of array write
Fixes: 63520/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4876198087622656
Regression since: c7f8d42c12 (was not posted to ffmpeg-devel)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Sean McGovern <gseanmcg@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03a4aa9699)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:19 +01:00
Michael Niedermayer
a1d9e28272
avcodec/vlc: Pass VLC_MULTI_ELEM directly not by pointer
This makes the code more testable as uninitialized fields are 0
and not random values from the last call

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5259f326b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:18 +01:00
Michael Niedermayer
597d574480
avcodec/vlc: Replace mysterious max computation code in multi vlc
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8516609edd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:18 +01:00
Michael Niedermayer
e8541ed9f1
avcodec/vlc: Skip subtable entries in multi VLC
These entries do not correspond to VLC symbols that can be used
they do corrupt various variables like min/max bits

This also no longer assumes that there is a single non subtable
entry
Probably fixes some infinite loops too

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 356b1ba765)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:17 +01:00
Michael Niedermayer
8904bc8e76
avcodec/dovi_rpu: Use 64 bit in get_us/se_coeff()
Fixes: shift exponent 32 is too large for 32-bit type 'int'
Fixes: 63151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5067531154751488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2817efbba3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:17 +01:00
Michael Niedermayer
c9a9dbfebf
avcodec/apedec: Fix integer overflow in predictor_decode_stereo_3950()
Fixes: signed integer overflow: 1900031961 + 553590817 cannot be represented in type 'int'
Fixes: 63061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5166188298371072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2def617787)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:16 +01:00
Michael Niedermayer
3d1ca4c3ff
avcodec/evc_parse: Check tid
The check is based on not infinite looping. It is likely
a more strict check can be done

Fixes: Infinite loop
Fixes: 62473/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104
Fixes: 62765/clusterfuzz-testcase-minimized-ffmpeg_dem_EVC_fuzzer-6448531252314112
Fixes: 63378/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-6504993844494336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: "Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics" <d.kozinski@samsung.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 68cc1744db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:16 +01:00
Michael Niedermayer
38dc8767df
avcodec/evc_parse: remove pow() and log2()
The use of float based functions is both unneeded and wrong due to unpredictable rounding

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d35eecd24f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-11-10 02:06:15 +01:00
Andreas Rheinhardt
868aa88d83 avcodec/cbs_h2645: Fix leak of SPS VUI extension data
Fixes: VUI extension leak
Fixes: 63004/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-4928832253329408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 3f890fbfd9)
2023-11-04 01:58:10 +01:00
Benjamin Cheng
116cb346e3 vulkan_h264: fix long-term ref handling
h->long_ref isn't guaranteed to be contiguously filled. Use the approach
from both vaapi_h264 and vdpau_h264 which goes through the 16 frames in
h->long_ref to find the LTR entries.

Fixes MR2_MW_A.264 from JVT-AVC_V1.

(cherry picked from commit 4536de3769)
2023-10-31 21:40:36 +01:00
TADANO Tokumei
1cff6e41bf lavc/libaribcaption: rename replace_fullwidth_ascii to replace_msz_ascii
This should hopefully clarify that the option only affects MSZ
full-width characters, and not all full-width ASCII. Additionally,
this matches the prefix with the upstream option.

Signed-off-by: TADANO Tokumei <aimingoff@pc.nifty.jp>
(cherry picked from commit a824c6f2f6)
2023-10-29 18:50:05 +02:00
TADANO Tokumei
8ccd1593a4 lavc/libaribcaption: add MSZ character related options
This patch adds two MSZ (Middle Size; half width) character
related options, mapping against newly added upstream
functionality:

* `replace_msz_japanese`, which was introduced in version 1.0.1
  of libaribcaption.
* `replace_msz_glyph`, which was introduced in version 1.1.0
  of libaribcaption.

The latter option improves bitmap type rendering if specified
fonts contain half-width glyphs (e.g., BIZ UDGothic), even
if both ASCII and Japanese MSZ replacement options are set
to false.

As these options require newer versions of libaribcaption, the
configure requirement has been bumped accordingly.

Signed-off-by: TADANO Tokumei <aimingoff@pc.nifty.jp>
(cherry picked from commit 21bfadd9b4)
2023-10-29 18:49:34 +02:00
TADANO Tokumei
48afb43549 lavc/libaribcaption: switch all bool context variables to int
On some environments, a `bool` variable is of smaller size than `int`.
As AV_OPT_TYPE_BOOL is internally handled as sizeof(int), if a `bool`
option was set on such an environment, the memory of following
variables would be filled. Additionally, set values may be destroyed
by av_opt_copy().

Signed-off-by: TADANO Tokumei <aimingoff@pc.nifty.jp>
(cherry picked from commit 82faba8a6c)
2023-10-29 18:42:13 +02:00
Michael Niedermayer
efac4e2c44
Bump versions prior to 6.1
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-29 16:19:39 +01:00
Michael Niedermayer
88453250db
avcodec/jpeg2000dec: Check image offset
Fixes: left shift of negative value -538967841
Fixes: 62447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-27 18:10:47 +02:00
Michael Niedermayer
9690d71f11
avcodec/vlc: dont pass nb_elems into multi vlc code
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-27 18:10:46 +02:00
Michael Niedermayer
9b546a0717
avcodec/vlc: merge lost 16bit end of array check
Also cleanup related code

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-27 18:10:46 +02:00
Michael Niedermayer
a23d527ec5
avcodec/magicyuv: remove redundant check in inner loop
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-27 18:10:46 +02:00
Michael Niedermayer
4ddf4f5001
avcodec/magicyuv: correct end of array check in multi VLC parsing
Fixes: out of array write
Fixes: 63390/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5144552979431424.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-27 18:10:45 +02:00
Michael Niedermayer
ffac64a270
avcodec/bitstream_template: Basic documentation for read_vlc_multi()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-10-27 18:10:28 +02:00
Paul B Mahol
36eb774ad4 avcodec/mlpenc: try different filter parameters in case of out of range output from LPC 2023-10-27 12:45:23 +02:00
Paul B Mahol
567af48fba avcodec/mlpenc: add support for 4.0/4.1 ch layout 2023-10-27 12:45:23 +02:00
Paul B Mahol
210e844def avcodec/mlpdec: support for truehd with channels not representable with 5bit field in second stream
Fixes decoding for 4.0/4.1 layouts.
2023-10-27 12:45:23 +02:00
Paul B Mahol
deb4c28dcc avcodec/mlpenc: add 3.1 ch layout support for truehd 2023-10-27 12:45:23 +02:00
Andreas Rheinhardt
ba6a5e7a3d avcodec/hevcdec: Move collocated_ref to HEVCContext
Only the collocated_ref of the current frame (i.e. HEVCContext.ref)
is ever used*, so move it to HEVCContext directly after ref.

*: This goes so far that collocated_ref was not even synced across
threads in case of frame-threading.

Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2023-10-26 13:18:01 +02:00
Lynne
70864e6adb
vulkan_decode: correct flipped condition in image layout
Changed by the previous commit.
Caused validation issues on hardware with !reuse_dpb_dst but not layered_dpb.
2023-10-25 22:01:21 +02:00
Lynne
0b3616231d
vulkan_decode: fix another validation issue
Surprising no one, the insane usage rule has a catch.
2023-10-25 20:51:55 +02:00
Lynne
467e411839
vulkan_decode: fix pedantic validation issue
"Validation Error: [ VUID-VkImageViewCreateInfo-imageViewType-04974 ] Object 0: handle = 0x9f9b41000000003c, type = VK_OBJECT_TYPE_IMAGE; | MessageID = 0xc120e150 | vkCreateImageView():
Using pCreateInfo->viewType VK_IMAGE_VIEW_TYPE_2D and the subresourceRange.layerCount VK_REMAINING_ARRAY_LAYERS=(17) and must 1 (try looking into VK_IMAGE_VIEW_TYPE_*_ARRAY).
The Vulkan spec states: If viewType is VK_IMAGE_VIEW_TYPE_1D, VK_IMAGE_VIEW_TYPE_2D, or VK_IMAGE_VIEW_TYPE_3D; and subresourceRange.layerCount is VK_REMAINING_ARRAY_LAYERS,
then the remaining number of layers must be 1"
2023-10-25 20:51:54 +02:00
Lynne
9ee4f47c94
vulkan_decode: use coded_width/height instead of the non-coded width and height
Partially fixes https://streams.videolan.org/issues/19938/20000_20180305-15.04.59.ts
The is coded as 1920x1080, meant to be rendered at 1440x1080 with cropping,
or 1680x1080 before cropping. Currently, the created DPB is 1440x1080, which results
in the image being decoded incorrectly, as the decoder overwrites output memory.
This commit fixes this.
2023-10-25 20:51:05 +02:00
Martin Storsjö
a4877f1ec1 aarch64: Only enable extensions in the intended files/regions
This eases actual development of the assembly functions, by only
allowing extension instructions within the sections that explicitly
enable them, instead of having all extensions enabled everywhere.

Signed-off-by: Martin Storsjö <martin@martin.st>
2023-10-24 14:46:20 +03:00
Martin Storsjö
1762975ba1 libavcodec/aarch64/hevc: Require consistent use of trailing semicolon
Signed-off-by: Martin Storsjö <martin@martin.st>
2023-10-23 10:39:12 +03:00
Andreas Rheinhardt
6e4030a07b avcodec/av1dec, vaapi_av1: Remove excessive logmessages
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2023-10-22 22:11:37 +02:00
Andreas Rheinhardt
315c956cbd avcodec/pthread_frame: Remove ff_thread_release_buffer()
It is unnecessary since the removal of non-thread-safe callbacks
in e0786a8eeb. Since then, the
AVCodecContext has only been used as logcontext.

Removing ff_thread_release_buffer() allowed to remove AVCodecContext*
parameters from several other functions (not only unref functions,
but also e.g. ff_h264_ref_picture() which calls ff_h264_unref_picture()
on error).

Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2023-10-22 22:09:59 +02:00
Leo Izen
86ed68420d
avcodec/librsvgdec: fix memory leaks and deprecated functions
At various points through the function librsvg_decode_frame, errors are
returned from immediately without deallocating any allocated structs.
This patch both fixes those leaks, and also fixes the use of functions
that are deprecated since librsvg version 2.52.0. The older calls are
still used, guarded by #ifdefs while the newer replacements are used if
librsvg >= 2.52.0. One of the deprecated functions is used as a check
for the configure shell script, so it was replaced with a different
function.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
2023-10-22 15:18:13 -04:00
Martin Storsjö
a76b409dd0 aarch64: Reindent all assembly to 8/24 column indentation
libavcodec/aarch64/vc1dsp_neon.S is skipped here, as it intentionally
uses a layered indentation style to visually show how different
unrolled/interleaved phases fit together.

Signed-off-by: Martin Storsjö <martin@martin.st>
2023-10-21 23:25:54 +03:00
Martin Storsjö
7f905f3672 aarch64: Make the indentation more consistent
Some functions have slightly different indentation styles; try
to match the surrounding code.

libavcodec/aarch64/vc1dsp_neon.S is skipped here, as it intentionally
uses a layered indentation style to visually show how different
unrolled/interleaved phases fit together.

Signed-off-by: Martin Storsjö <martin@martin.st>
2023-10-21 23:25:29 +03:00
Martin Storsjö
93cda5a9c2 aarch64: Lowercase UXTW/SXTW and similar flags
Signed-off-by: Martin Storsjö <martin@martin.st>
2023-10-21 23:25:23 +03:00
Martin Storsjö
184103b310 aarch64: Consistently use lowercase for vector element specifiers
Signed-off-by: Martin Storsjö <martin@martin.st>
2023-10-21 23:25:18 +03:00