From bf1e5f277384ff816394e966c1adb3a9598172d5 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Fri, 27 Oct 2023 19:53:10 +0800 Subject: [PATCH 001/606] avutil/hwcontext_vulkan: fix memleak when device_create is skipped Signed-off-by: Zhao Zhili --- libavutil/hwcontext_vulkan.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 4adcc0e839..8dd40cb66f 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c @@ -1164,6 +1164,11 @@ static int setup_queue_families(AVHWDeviceContext *ctx, VkDeviceCreateInfo *cd) return 0; } +/* Only resources created by vulkan_device_create should be released here, + * resources created by vulkan_device_init should be released by + * vulkan_device_uninit, to make sure we don't free user provided resources, + * and there is no leak. + */ static void vulkan_device_free(AVHWDeviceContext *ctx) { VulkanDevicePriv *p = ctx->internal->priv; @@ -1183,15 +1188,20 @@ static void vulkan_device_free(AVHWDeviceContext *ctx) if (p->libvulkan) dlclose(p->libvulkan); + RELEASE_PROPS(hwctx->enabled_inst_extensions, hwctx->nb_enabled_inst_extensions); + RELEASE_PROPS(hwctx->enabled_dev_extensions, hwctx->nb_enabled_dev_extensions); +} + +static void vulkan_device_uninit(AVHWDeviceContext *ctx) +{ + VulkanDevicePriv *p = ctx->internal->priv; + for (uint32_t i = 0; i < p->nb_tot_qfs; i++) { pthread_mutex_destroy(p->qf_mutex[i]); av_freep(&p->qf_mutex[i]); } av_freep(&p->qf_mutex); - RELEASE_PROPS(hwctx->enabled_inst_extensions, hwctx->nb_enabled_inst_extensions); - RELEASE_PROPS(hwctx->enabled_dev_extensions, hwctx->nb_enabled_dev_extensions); - ff_vk_uninit(&p->vkctx); } 
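Review bot: The loop in the new `vulkan_device_uninit` hands `p->qf_mutex[i]` to `pthread_mutex_destroy` without checking that `p->qf_mutex` or the individual entry is non-NULL. If this callback can run after `vulkan_device_init` fails part-way (the caller is not visible in this hunk), `nb_tot_qfs` could already be set while an entry is still unallocated. A tolerant form would loop on `p->qf_mutex && i < p->nb_tot_qfs`, destroy only `if (p->qf_mutex[i])`, and set `p->nb_tot_qfs = 0;` after the final `av_freep` so a second call is harmless.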
@@ -3702,6 +3712,7 @@ const HWContextType ff_hwcontext_type_vulkan = { .frames_priv_size = sizeof(VulkanFramesPriv), .device_init = &vulkan_device_init, + .device_uninit = &vulkan_device_uninit, .device_create = &vulkan_device_create, .device_derive = &vulkan_device_derive, From 2233b51283d5368ca2aeda5984aa14d0f6f52687 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Fri, 27 Oct 2023 23:37:00 +0800 Subject: [PATCH 002/606] avutil/hwcontext_vulkan: cuda doesn't belong to valid_sw_formats Move it to transfer_get_formats. Signed-off-by: Zhao Zhili --- libavutil/hwcontext_vulkan.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 8dd40cb66f..8481427b42 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c @@ -1664,11 +1664,6 @@ static int vulkan_frames_get_constraints(AVHWDeviceContext *ctx, NULL, NULL, NULL, NULL, 0, 0) >= 0; } -#if CONFIG_CUDA - if (p->dev_is_nvidia) - count++; -#endif - constraints->valid_sw_formats = av_malloc_array(count + 1, sizeof(enum AVPixelFormat)); if (!constraints->valid_sw_formats) @@ -1684,10 +1679,6 @@ static int vulkan_frames_get_constraints(AVHWDeviceContext *ctx, } } -#if CONFIG_CUDA - if (p->dev_is_nvidia) - constraints->valid_sw_formats[count++] = AV_PIX_FMT_CUDA; -#endif constraints->valid_sw_formats[count++] = AV_PIX_FMT_NONE; constraints->min_width = 1; 
@@ -2416,12 +2407,22 @@ static int vulkan_transfer_get_formats(AVHWFramesContext *hwfc, enum AVHWFrameTransferDirection dir, enum AVPixelFormat **formats) { - enum AVPixelFormat *fmts = av_malloc_array(2, sizeof(*fmts)); + enum AVPixelFormat *fmts; + int n = 2; + +#if CONFIG_CUDA + n++; +#endif + fmts = av_malloc_array(n, sizeof(*fmts)); if (!fmts) return AVERROR(ENOMEM); - fmts[0] = hwfc->sw_format; - fmts[1] = AV_PIX_FMT_NONE; + n = 0; + fmts[n++] = hwfc->sw_format; +#if CONFIG_CUDA + fmts[n++] = AV_PIX_FMT_CUDA; +#endif + fmts[n++] = AV_PIX_FMT_NONE; *formats = fmts; return 0; From 1e84d9c5da685af9ca54ef31a6091f2bff8d646c Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sat, 28 Oct 2023 14:33:31 +0800 Subject: [PATCH 003/606] avutil/hwcontext_vaapi: return ENOSYS for unsupported operation av_hwframe_transfer_data try with src_ctx first. If the operation failed with AVERROR(ENOSYS), it will try again with dst_ctx. Return AVERROR(EINVAL) makes the second step being skipped. Signed-off-by: Zhao Zhili --- libavutil/hwcontext_vaapi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/hwcontext_vaapi.c b/libavutil/hwcontext_vaapi.c index 558fed94c6..12bc95119a 100644 --- a/libavutil/hwcontext_vaapi.c +++ b/libavutil/hwcontext_vaapi.c @@ -217,7 +217,7 @@ static int vaapi_get_image_format(AVHWDeviceContext *hwdev, return 0; } } - return AVERROR(EINVAL); + return AVERROR(ENOSYS); } static int vaapi_frames_get_constraints(AVHWDeviceContext *hwdev, @@ -817,7 +817,7 @@ static int vaapi_map_frame(AVHWFramesContext *hwfc, err = vaapi_get_image_format(hwfc->device_ctx, dst->format, &image_format); if (err < 0) { // Requested format is not a valid output format. - return AVERROR(EINVAL); + return err; } map = av_malloc(sizeof(*map)); 
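Review bot: In the `vulkan_transfer_get_formats` hunk `AV_PIX_FMT_CUDA` is now listed whenever `CONFIG_CUDA` is set, while the code this commit removes from `vulkan_frames_get_constraints` added it only under `if (p->dev_is_nvidia)`. If the device check is still wanted, it has to be applied both where `n` is sized and where the entry is written, so the allocation and the writes stay in step. If dropping it is deliberate, a short comment such as `/* CUDA interop is offered regardless of vendor; the transfer itself fails on devices that cannot do it */` would record the decision, assuming that is the actual behaviour.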
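Review bot: The failure value of `vaapi_get_image_format` is now load-bearing, but nothing at the function says so. The description explains that `av_hwframe_transfer_data` retries with the other context only on `AVERROR(ENOSYS)`, and both callers in this commit now forward `err` unchanged. A comment above the function, for example `/* Returns AVERROR(ENOSYS) for an unsupported format so that the transfer code can fall back to the other frames context. */`, would stop a later change from turning it back into `EINVAL`. Callers outside these hunks that test for a specific error code, if any, should be checked too.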
@@ -992,7 +992,7 @@ static int vaapi_map_to_memory(AVHWFramesContext *hwfc, AVFrame *dst, if (dst->format != AV_PIX_FMT_NONE) { err = vaapi_get_image_format(hwfc->device_ctx, dst->format, NULL); if (err < 0) - return AVERROR(ENOSYS); + return err; } err = vaapi_map_frame(hwfc, dst, src, flags); From efac4e2c44c5a16055f8e1a0d753ee1a6e66a5c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Oct 2023 15:34:05 +0100 Subject: [PATCH 004/606] Bump versions prior to 6.1 Signed-off-by: Michael Niedermayer --- libavcodec/version.h | 4 ++-- libavdevice/version.h | 4 ++-- libavfilter/version.h | 2 +- libavformat/version.h | 4 ++-- libavutil/version.h | 2 +- libpostproc/version.h | 2 +- libswresample/version.h | 2 +- libswscale/version.h | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/version.h b/libavcodec/version.h index 6b46100aae..497389d3f3 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -29,8 +29,8 @@ #include "version_major.h" -#define LIBAVCODEC_VERSION_MINOR 30 -#define LIBAVCODEC_VERSION_MICRO 102 +#define LIBAVCODEC_VERSION_MINOR 31 +#define LIBAVCODEC_VERSION_MICRO 100 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \ LIBAVCODEC_VERSION_MINOR, \ diff --git a/libavdevice/version.h b/libavdevice/version.h index 0796e41221..7608a8602c 100644 --- a/libavdevice/version.h +++ b/libavdevice/version.h @@ -29,8 +29,8 @@ #include "version_major.h" -#define LIBAVDEVICE_VERSION_MINOR 2 -#define LIBAVDEVICE_VERSION_MICRO 101 +#define LIBAVDEVICE_VERSION_MINOR 3 +#define LIBAVDEVICE_VERSION_MICRO 100 #define LIBAVDEVICE_VERSION_INT AV_VERSION_INT(LIBAVDEVICE_VERSION_MAJOR, \ LIBAVDEVICE_VERSION_MINOR, \ diff --git a/libavfilter/version.h b/libavfilter/version.h index 8f4a7a9cd3..64cd692ab6 100644 --- a/libavfilter/version.h +++ b/libavfilter/version.h 
@@ -31,7 +31,7 @@ #include "version_major.h" -#define LIBAVFILTER_VERSION_MINOR 11 +#define LIBAVFILTER_VERSION_MINOR 12 #define LIBAVFILTER_VERSION_MICRO 100 diff --git a/libavformat/version.h b/libavformat/version.h index e6fbdfafc5..9e1f484db4 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -31,8 +31,8 @@ #include "version_major.h" -#define LIBAVFORMAT_VERSION_MINOR 15 -#define LIBAVFORMAT_VERSION_MICRO 101 +#define LIBAVFORMAT_VERSION_MINOR 16 +#define LIBAVFORMAT_VERSION_MICRO 100 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ LIBAVFORMAT_VERSION_MINOR, \ diff --git a/libavutil/version.h b/libavutil/version.h index 279e54c394..7c0600da22 100644 --- a/libavutil/version.h +++ b/libavutil/version.h @@ -79,7 +79,7 @@ */ #define LIBAVUTIL_VERSION_MAJOR 58 -#define LIBAVUTIL_VERSION_MINOR 28 +#define LIBAVUTIL_VERSION_MINOR 29 #define LIBAVUTIL_VERSION_MICRO 100 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ diff --git a/libpostproc/version.h b/libpostproc/version.h index 0703ac1d7c..e77dff98c5 100644 --- a/libpostproc/version.h +++ b/libpostproc/version.h @@ -30,7 +30,7 @@ #include "version_major.h" -#define LIBPOSTPROC_VERSION_MINOR 2 +#define LIBPOSTPROC_VERSION_MINOR 3 #define LIBPOSTPROC_VERSION_MICRO 100 #define LIBPOSTPROC_VERSION_INT AV_VERSION_INT(LIBPOSTPROC_VERSION_MAJOR, \ diff --git a/libswresample/version.h b/libswresample/version.h index 9f589b1143..a2668b5e59 100644 --- a/libswresample/version.h +++ b/libswresample/version.h @@ -30,7 +30,7 @@ #include "version_major.h" -#define LIBSWRESAMPLE_VERSION_MINOR 11 +#define LIBSWRESAMPLE_VERSION_MINOR 12 #define LIBSWRESAMPLE_VERSION_MICRO 100 #define LIBSWRESAMPLE_VERSION_INT AV_VERSION_INT(LIBSWRESAMPLE_VERSION_MAJOR, \ diff --git a/libswscale/version.h b/libswscale/version.h index 12412bd538..c13db31c43 100644 --- a/libswscale/version.h +++ b/libswscale/version.h 
@@ -28,7 +28,7 @@ #include "version_major.h" -#define LIBSWSCALE_VERSION_MINOR 4 +#define LIBSWSCALE_VERSION_MINOR 5 #define LIBSWSCALE_VERSION_MICRO 100 #define LIBSWSCALE_VERSION_INT AV_VERSION_INT(LIBSWSCALE_VERSION_MAJOR, \ From 4d476677b0dbabbea5e3d1bce2f21025876a36b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Oct 2023 16:18:25 +0100 Subject: [PATCH 005/606] doc/APIchanges: Add 6.1 cut point Signed-off-by: Michael Niedermayer --- doc/APIchanges | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/APIchanges b/doc/APIchanges index 9622d6db3b..438a43e057 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -2,6 +2,8 @@ The last version increases of all libraries were on 2023-02-09 API changes, most recent first: +-------- 8< --------- FFmpeg 6.1 was cut here -------- 8< --------- + 2023-10-27 - xxxxxxxxxx - lavu 58.28.100 - channel_layout.h Add AV_CH_LAYOUT_3POINT1POINT2 and AV_CHANNEL_LAYOUT_3POINT1POINT2. Add AV_CH_LAYOUT_5POINT1POINT2_BACK and AV_CHANNEL_LAYOUT_5POINT1POINT2_BACK. From 5c5d3e315e802364023bb84b59087735824bbfc1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 29 Oct 2023 12:53:26 -0300 Subject: [PATCH 006/606] Changelog: mark 6.0 Signed-off-by: James Almer --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index cceee46215..8f0606fc26 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 6.1: - libaribcaption decoder - Playdate video decoder and demuxer - Extend VAAPI support for libva-win32 on Windows From 48afb43549024eff7ad107515763a6ec9f3a2ee8 Mon Sep 17 00:00:00 2001 
From: TADANO Tokumei Date: Tue, 17 Oct 2023 22:13:33 +0900 Subject: [PATCH 007/606] lavc/libaribcaption: switch all `bool` context variables to `int` On some environments, a `bool` variable is of smaller size than `int`. As AV_OPT_TYPE_BOOL is internally handled as sizeof(int), if a `bool` option was set on such an environment, the memory of following variables would be filled. Additionally, set values may be destroyed by av_opt_copy(). Signed-off-by: TADANO Tokumei (cherry picked from commit 82faba8a6ce8b6a9a3db635ce0a70495a2b2cf3c) --- libavcodec/libaribcaption.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/libaribcaption.c b/libavcodec/libaribcaption.c index 8a8c8f8cfd..be3328c5c9 100644 --- a/libavcodec/libaribcaption.c +++ b/libavcodec/libaribcaption.c @@ -68,14 +68,14 @@ typedef struct ARIBCaptionContext { int subtitle_type; int encoding_scheme; - bool ass_single_rect; + int ass_single_rect; char *font; - bool replace_fullwidth_ascii; - bool force_stroke_text; - bool ignore_background; - bool ignore_ruby; + int replace_fullwidth_ascii; + int force_stroke_text; + int ignore_background; + int ignore_ruby; float stroke_width; - bool replace_drcs; + int replace_drcs; int64_t pts; AVRational time_base; From 8ccd1593a4b8c715d6fb3f8eaea630dbf2518569 Mon Sep 17 00:00:00 2001 
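Review bot: Nothing in `ARIBCaptionContext` records why these option fields must be `int`, so a later cleanup could turn them back into `bool` and reintroduce the out-of-bounds write the description explains. I would add one comment above the first flag, e.g. `/* AV_OPT_TYPE_BOOL targets must be int: the option code reads and writes sizeof(int) bytes */`. The struct continues outside this hunk, so any other option-backed field narrower than its option type would need the same check.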
From: TADANO Tokumei Date: Tue, 17 Oct 2023 22:13:34 +0900 Subject: [PATCH 008/606] lavc/libaribcaption: add MSZ character related options This patch adds two MSZ (Middle Size; half width) character related options, mapping against newly added upstream functionality: * `replace_msz_japanese`, which was introduced in version 1.0.1 of libaribcaption. * `replace_msz_glyph`, which was introduced in version 1.1.0 of libaribcaption. The latter option improves bitmap type rendering if specified fonts contain half-width glyphs (e.g., BIZ UDGothic), even if both ASCII and Japanese MSZ replacement options are set to false. As these options require newer versions of libaribcaption, the configure requirement has been bumped accordingly. Signed-off-by: TADANO Tokumei (cherry picked from commit 21bfadd9b4a216c0b0994465325822d554fc6a52) --- configure | 2 +- doc/decoders.texi | 16 ++++++++++++++++ libavcodec/libaribcaption.c | 10 ++++++++++ libavcodec/version.h | 2 +- 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/configure b/configure index f494da204c..1f0b9497cb 100755 --- a/configure +++ b/configure 
@@ -6677,7 +6677,7 @@ enabled libaom && require_pkg_config libaom "aom >= 1.0.0" aom/aom_co enabled libaribb24 && { check_pkg_config libaribb24 "aribb24 > 1.0.3" "aribb24/aribb24.h" arib_instance_new || { enabled gpl && require_pkg_config libaribb24 aribb24 "aribb24/aribb24.h" arib_instance_new; } || die "ERROR: libaribb24 requires version higher than 1.0.3 or --enable-gpl."; } -enabled libaribcaption && require_pkg_config libaribcaption "libaribcaption >= 0.1.0" "aribcaption/aribcaption.h" aribcc_context_alloc +enabled libaribcaption && require_pkg_config libaribcaption "libaribcaption >= 1.1.1" "aribcaption/aribcaption.h" aribcc_context_alloc enabled lv2 && require_pkg_config lv2 lilv-0 "lilv/lilv.h" lilv_world_new enabled libiec61883 && require libiec61883 libiec61883/iec61883.h iec61883_cmp_connect -lraw1394 -lavc1394 -lrom1394 -liec61883 enabled libass && require_pkg_config libass "libass >= 0.11.0" ass/ass.h ass_library_init diff --git a/doc/decoders.texi b/doc/decoders.texi index 09b8314dd2..36c3404475 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -459,6 +459,22 @@ Specify whether to render replaced DRCS characters as Unicode characters. The default is @var{true}. +@item -replace_msz_japanese @var{boolean} +Specify whether to replace some MSZ (Middle Size; half width) fullwidth +japanese special characters with halfwidth ones. + +The default is @var{true}. + +@item -replace_msz_glyph @var{boolean} +Specify whether to replace MSZ (Middle Size; half width) characters +with halfwidth glyphs if the fonts supports it. +This option works under FreeType or DirectWrite renderer +with Adobe-Japan1 compliant fonts. +e.g., IBM Plex Sans JP, Morisawa BIZ UDGothic, Morisawa BIZ UDMincho, +Yu Gothic, Yu Mincho, and Meiryo. + +The default is @var{true}. + @item -canvas_size @var{image_size} Specify the resolution of the canvas to render subtitles to; usually, this should be frame size of input video. 
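Review bot: In the configure hunk the minimum becomes `libaribcaption >= 1.1.1`, but the description names 1.0.1 and 1.1.0 as the versions that introduced the two new setters. If 1.1.0 is enough, requiring 1.1.1 rejects a usable library version. If 1.1.1 is needed for another reason, the description or a comment next to the `require_pkg_config` line should say which symbol or fix depends on it. The probe still tests only `aribcc_context_alloc`, so the version string is the sole guard for the new calls.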
diff --git a/libavcodec/libaribcaption.c b/libavcodec/libaribcaption.c index be3328c5c9..29642cd817 100644 --- a/libavcodec/libaribcaption.c +++ b/libavcodec/libaribcaption.c @@ -76,6 +76,8 @@ typedef struct ARIBCaptionContext { int ignore_ruby; float stroke_width; int replace_drcs; + int replace_msz_japanese; + int replace_msz_glyph; int64_t pts; AVRational time_base; @@ -1005,6 +1007,8 @@ static int aribcaption_init(AVCodecContext *avctx) } aribcc_decoder_set_replace_msz_fullwidth_ascii(ctx->decoder, ctx->replace_fullwidth_ascii); + aribcc_decoder_set_replace_msz_fullwidth_japanese(ctx->decoder, + ctx->replace_msz_japanese); /* Similar behavior as ffmpeg tool to set canvas size */ if (ctx->canvas_width > 0 && ctx->canvas_height > 0 && @@ -1057,6 +1061,8 @@ static int aribcaption_init(AVCodecContext *avctx) aribcc_renderer_set_force_no_background(ctx->renderer, ctx->ignore_background); aribcc_renderer_set_force_no_ruby(ctx->renderer, ctx->ignore_ruby); aribcc_renderer_set_stroke_width(ctx->renderer, ctx->stroke_width); + aribcc_renderer_set_replace_msz_halfwidth_glyph(ctx->renderer, + ctx->replace_msz_glyph); if (ctx->font) { int is_nomem = 0; size_t count = 0; @@ -1144,6 +1150,10 @@ static const AVOption options[] = { OFFSET(stroke_width), AV_OPT_TYPE_FLOAT, { .dbl = 1.5 }, 0.0, 3.0, SD }, { "replace_drcs", "replace known DRCS [bitmap]", OFFSET(replace_drcs), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, + { "replace_msz_japanese", "replace MSZ fullwidth Japanese with halfwidth [ass, bitmap]", + OFFSET(replace_msz_japanese), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, + { "replace_msz_glyph", "replace MSZ characters with halfwidth glyphs [bitmap]", + OFFSET(replace_msz_glyph), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, {"canvas_size", "set input video size (WxH or abbreviation) [bitmap]", OFFSET(canvas_width), AV_OPT_TYPE_IMAGE_SIZE, { .str = NULL }, 0, INT_MAX, SD }, { NULL } 
diff --git a/libavcodec/version.h b/libavcodec/version.h index 497389d3f3..1030154c0e 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -30,7 +30,7 @@ #include "version_major.h" #define LIBAVCODEC_VERSION_MINOR 31 -#define LIBAVCODEC_VERSION_MICRO 100 +#define LIBAVCODEC_VERSION_MICRO 101 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \ LIBAVCODEC_VERSION_MINOR, \ From 1cff6e41bf2b8a53ebba516dde9f592c63581f14 Mon Sep 17 00:00:00 2001 From: TADANO Tokumei Date: Tue, 17 Oct 2023 22:13:35 +0900 Subject: [PATCH 009/606] lavc/libaribcaption: rename `replace_fullwidth_ascii` to `replace_msz_ascii` This should hopefully clarify that the option only affects MSZ full-width characters, and not all full-width ASCII. Additionally, this matches the prefix with the upstream option. Signed-off-by: TADANO Tokumei (cherry picked from commit a824c6f2f627474b4fc9044c3d43297c9767b758) --- doc/decoders.texi | 12 ++++++------ libavcodec/libaribcaption.c | 8 ++++---- libavcodec/version.h | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/doc/decoders.texi b/doc/decoders.texi index 36c3404475..eb00e2a9e9 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -427,12 +427,6 @@ If your player cannot handle AVSubtitles with multiple ASS rectangles properly, set this option to @var{true} or define @env{ASS_SINGLE_RECT=1} to change default behavior at compilation. -@item -replace_fullwidth_ascii @var{boolean} -Specify whether to replace MSZ (Middle Size, half width) fullwidth -alphanumerics with halfwidth alphanumerics. - -The default is @var{true}. - @item -force_outline_text @var{boolean} Specify whether always render outline text for all characters regardless of the indication by charactor style. 
@@ -459,6 +453,12 @@ Specify whether to render replaced DRCS characters as Unicode characters. The default is @var{true}. +@item -replace_msz_ascii @var{boolean} +Specify whether to replace MSZ (Middle Size; half width) fullwidth +alphanumerics with halfwidth alphanumerics. + +The default is @var{true}. + @item -replace_msz_japanese @var{boolean} Specify whether to replace some MSZ (Middle Size; half width) fullwidth japanese special characters with halfwidth ones. diff --git a/libavcodec/libaribcaption.c b/libavcodec/libaribcaption.c index 29642cd817..e87f303aa8 100644 --- a/libavcodec/libaribcaption.c +++ b/libavcodec/libaribcaption.c @@ -70,12 +70,12 @@ typedef struct ARIBCaptionContext { int encoding_scheme; int ass_single_rect; char *font; - int replace_fullwidth_ascii; int force_stroke_text; int ignore_background; int ignore_ruby; float stroke_width; int replace_drcs; + int replace_msz_ascii; int replace_msz_japanese; int replace_msz_glyph; @@ -1006,7 +1006,7 @@ static int aribcaption_init(AVCodecContext *avctx) return AVERROR_EXTERNAL; } aribcc_decoder_set_replace_msz_fullwidth_ascii(ctx->decoder, - ctx->replace_fullwidth_ascii); + ctx->replace_msz_ascii); aribcc_decoder_set_replace_msz_fullwidth_japanese(ctx->decoder, ctx->replace_msz_japanese); @@ -1138,8 +1138,6 @@ static const AVOption options[] = { OFFSET(ass_single_rect), AV_OPT_TYPE_BOOL, { .i64 = ASS_SINGLE_RECT }, 0, 1, SD }, { "font", "comma-separated font family [ass, bitmap]", OFFSET(font), AV_OPT_TYPE_STRING, { .str = NULL }, 0, 0, SD }, - { "replace_fullwidth_ascii", "replace MSZ fullwidth alphanumerics with halfwidth alphanumerics [ass, bitmap]", - OFFSET(replace_fullwidth_ascii), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, { "force_outline_text", "always render characters with outline [(ass), bitmap]", OFFSET(force_stroke_text), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, SD }, { "ignore_background", "ignore rendering caption background [(ass), bitmap]", 
@@ -1150,6 +1148,8 @@ static const AVOption options[] = { OFFSET(stroke_width), AV_OPT_TYPE_FLOAT, { .dbl = 1.5 }, 0.0, 3.0, SD }, { "replace_drcs", "replace known DRCS [bitmap]", OFFSET(replace_drcs), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, + { "replace_msz_ascii", "replace MSZ fullwidth alphanumerics with halfwidth alphanumerics [ass, bitmap]", + OFFSET(replace_msz_ascii), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, { "replace_msz_japanese", "replace MSZ fullwidth Japanese with halfwidth [ass, bitmap]", OFFSET(replace_msz_japanese), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, SD }, { "replace_msz_glyph", "replace MSZ characters with halfwidth glyphs [bitmap]", diff --git a/libavcodec/version.h b/libavcodec/version.h index 1030154c0e..1cf9651391 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -30,7 +30,7 @@ #include "version_major.h" #define LIBAVCODEC_VERSION_MINOR 31 -#define LIBAVCODEC_VERSION_MICRO 101 +#define LIBAVCODEC_VERSION_MICRO 102 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \ LIBAVCODEC_VERSION_MINOR, \ From 116cb346e36b71be0e45f97030eebeb893c16bfd Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Fri, 13 Oct 2023 15:10:55 -0400 Subject: [PATCH 010/606] vulkan_h264: fix long-term ref handling h->long_ref isn't guaranteed to be contiguously filled. Use the approach from both vaapi_h264 and vdpau_h264 which goes through the 16 frames in h->long_ref to find the LTR entries. Fixes MR2_MW_A.264 from JVT-AVC_V1. (cherry picked from commit 4536de3769796a74ea26fcdfdae73af5e0fa8b5a) --- libavcodec/vulkan_h264.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/vulkan_h264.c b/libavcodec/vulkan_h264.c index 172c6c4e8e..e727aafb16 100644 --- a/libavcodec/vulkan_h264.c +++ b/libavcodec/vulkan_h264.c 
@@ -406,10 +406,14 @@ static int vk_h264_start_frame(AVCodecContext *avctx, } /* Fill in long-term refs */ - for (int r = 0, i = h->short_ref_count; i < h->short_ref_count + h->long_ref_count; i++, r++) { + for (int r = 0, i = h->short_ref_count; r < H264_MAX_DPB_FRAMES && + i < h->short_ref_count + h->long_ref_count; r++) { + if (!h->long_ref[r]) + continue; + dpb_slot_index = 0; - for (unsigned slot = 0; slot < H264_MAX_PICTURE_COUNT; slot++) { - if (h->long_ref[i] == &h->DPB[slot]) { + for (unsigned slot = 0; slot < 16; slot++) { + if (h->long_ref[r] == &h->DPB[slot]) { dpb_slot_index = slot; break; } @@ -422,6 +426,7 @@ static int vk_h264_start_frame(AVCodecContext *avctx, dpb_slot_index); if (err < 0) return err; + i++; } hp->h264pic = (StdVideoDecodeH264PictureInfo) { From 4e5f3e6b8e1132354eed810dfdadf87f45c5de27 Mon Sep 17 00:00:00 2001 From: Lynne Date: Sun, 29 Oct 2023 07:19:25 +0100 Subject: [PATCH 011/606] bwdif_vulkan: fix artifacts on vulkan decode images Due to making the decode frames context use the coded size, the filter started to display those artifacts as it reused the input frame's size. Change it to instead output the real image size for images, not the input. (cherry picked from commit 0e8abf26983aa0dc72cbfbb094eeed13a9b55404) --- libavfilter/vf_bwdif_vulkan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_bwdif_vulkan.c b/libavfilter/vf_bwdif_vulkan.c index f1623e6ef7..690a89c4ba 100644 --- a/libavfilter/vf_bwdif_vulkan.c +++ b/libavfilter/vf_bwdif_vulkan.c @@ -325,8 +325,8 @@ static int bwdif_vulkan_config_input(AVFilterLink *inlink) /* Defaults */ vkctx->output_format = input_frames->sw_format; - vkctx->output_width = input_frames->width; - vkctx->output_height = input_frames->height; + vkctx->output_width = inlink->w; + vkctx->output_height = inlink->h; return 0; } From 80daebdfdff48dc5ad7c1a704d885c215168e214 Mon Sep 17 00:00:00 2001 
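Review bot: In the long-term-ref hunk of `vk_h264_start_frame` the inner search bound changes from `H264_MAX_PICTURE_COUNT` to the literal `16`, and `dpb_slot_index` is preset to 0 before the search. A `h->long_ref[r]` that points at an `h->DPB` entry at index 16 or higher (the removed bound suggests such entries exist) would therefore find no match and be submitted as slot 0 without any error. Either keep `slot < H264_MAX_PICTURE_COUNT`, or use a named constant and return an error when no slot matches. The enclosing function starts and ends outside the hunk.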
From: zheng qian Date: Thu, 2 Nov 2023 00:24:21 +0900 Subject: [PATCH 012/606] doc/decoders: correctly note an option's default in libaribcaption The `-caption_encoding` option was reported as having a default value of 'ass', whereas it's actually 'auto'. Signed-off-by: zheng qian Signed-off-by: Gyan Doshi --- doc/decoders.texi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/decoders.texi b/doc/decoders.texi index eb00e2a9e9..f75364166e 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -391,7 +391,7 @@ Specifies the encoding scheme of input subtitle text. @table @samp @item auto -Automatically detect text encoding. +Automatically detect text encoding (default). @item jis 8bit-char JIS encoding defined in ARIB STD B24. This encoding used in Japan for ISDB captions. @@ -403,9 +403,6 @@ Latin character encoding defined in ABNT NBR 15606-1. This encoding is used in South America for SBTVD / ISDB-Tb captions. @end table -The default is @dfn{ass} as same as @dfn{libaribb24} decoder. -Some present players (e.g., @dfn{mpv}) expect ASS format for ARIB caption. - @item -font @var{font_name[,font_name2,...]} Specify comma-separated list of font family names to be used for @dfn{bitmap} or @dfn{ass} type subtitle rendering. From 5eca8964a93208ef9c4fac48411ed8fcd8883ea3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 30 Oct 2023 10:55:36 +0100 Subject: [PATCH 013/606] fftools/ffmpeg_mux_init: Restrict disabling automatic copying of metadata Fixes ticket #10638 (and should also fix ticket #10482) by restoring the behaviour from before 3c7dd5ed37da6d2de06c4850de5a319ca9cdd47f. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 02064ba3a37754183cf7e7a4c1ffd3cdf971b5dc) --- fftools/ffmpeg_mux_init.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c index ab2d1d89e4..63a25a350f 100644 --- a/fftools/ffmpeg_mux_init.c +++ b/fftools/ffmpeg_mux_init.c 
@@ -2182,11 +2182,11 @@ static int copy_metadata(Muxer *mux, AVFormatContext *ic, if (ret < 0) return ret; - if (type_in == 'g' || type_out == 'g' || !*outspec) + if (type_in == 'g' || type_out == 'g' || (!*outspec && !ic)) *metadata_global_manual = 1; - if (type_in == 's' || type_out == 's' || !*outspec) + if (type_in == 's' || type_out == 's' || (!*outspec && !ic)) *metadata_streams_manual = 1; - if (type_in == 'c' || type_out == 'c' || !*outspec) + if (type_in == 'c' || type_out == 'c' || (!*outspec && !ic)) *metadata_chapters_manual = 1; /* ic is NULL when just disabling automatic mappings */ From 868aa88d83c85a0f0ec56e9ae353e4b39e90e00a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 23 Oct 2023 17:16:22 +0200 Subject: [PATCH 014/606] avcodec/cbs_h2645: Fix leak of SPS VUI extension data Fixes: VUI extension leak Fixes: 63004/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-4928832253329408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3f890fbfd9014843c51408c8f7ab3ba4aef7d354) --- libavcodec/cbs_h2645.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 470f60b95f..c48a06b241 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c 
@@ -1989,7 +1989,17 @@ static const CodedBitstreamUnitTypeDescriptor cbs_h266_unit_types[] = { CBS_UNIT_TYPE_INTERNAL_REF(VVC_DCI_NUT, H266RawDCI, extension_data.data), CBS_UNIT_TYPE_INTERNAL_REF(VVC_OPI_NUT, H266RawOPI, extension_data.data), CBS_UNIT_TYPE_INTERNAL_REF(VVC_VPS_NUT, H266RawVPS, extension_data.data), - CBS_UNIT_TYPE_INTERNAL_REF(VVC_SPS_NUT, H266RawSPS, extension_data.data), + { + .nb_unit_types = 1, + .unit_type.list[0] = VVC_SPS_NUT, + .content_type = CBS_CONTENT_TYPE_INTERNAL_REFS, + .content_size = sizeof(H266RawSPS), + .type.ref = { + .nb_offsets = 2, + .offsets = { offsetof(H266RawSPS, extension_data.data), + offsetof(H266RawSPS, vui.extension_data.data) } + }, + }, CBS_UNIT_TYPE_INTERNAL_REF(VVC_PPS_NUT, H266RawPPS, extension_data.data), CBS_UNIT_TYPE_INTERNAL_REF(VVC_PREFIX_APS_NUT, H266RawAPS, extension_data.data), CBS_UNIT_TYPE_INTERNAL_REF(VVC_SUFFIX_APS_NUT, H266RawAPS, extension_data.data), From d4041282f4c29333fa63999242374d934fd4577b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?= Date: Thu, 2 Nov 2023 14:00:03 +0100 Subject: [PATCH 015/606] avutil/hwcontext_vulkan: get VkFormatFeatureFlagBits2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Rather than the VkFormatFeatureFlagBits enum Signed-off-by: Víctor Manuel Jáquez Leal (cherry picked from commit 854012ec59623736a12db0b5f99ca4b602fb5206) --- libavutil/hwcontext_vulkan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 8481427b42..506a218a42 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c 
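Review bot: The SPS entry in `cbs_h266_unit_types` is now the only one written out by hand, and nothing in the table explains why. A comment above it, e.g. `/* SPS owns two refcounted buffers: its own extension data and the VUI extension data */`, would keep someone from folding it back into `CBS_UNIT_TYPE_INTERNAL_REF`. `.nb_offsets = 2` also has to stay within the capacity of the `offsets` array in the descriptor type, which is declared outside this hunk. Other H.266 raw structures with a nested refcounted buffer, if there are any, would leak in the same way and need the same treatment.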
@@ -298,8 +298,12 @@ static int vkfmt_from_pixfmt2(AVHWDeviceContext *dev_ctx, enum AVPixelFormat p, for (int i = 0; i < nb_vk_formats_list; i++) { if (vk_formats_list[i].pixfmt == p) { + VkFormatProperties3 fprops = { + .sType = VK_STRUCTURE_TYPE_FORMAT_PROPERTIES_3, + }; VkFormatProperties2 prop = { .sType = VK_STRUCTURE_TYPE_FORMAT_PROPERTIES_2, + .pNext = &fprops, }; VkFormatFeatureFlagBits2 feats_primary, feats_secondary; int basics_primary = 0, basics_secondary = 0; @@ -310,8 +314,7 @@ static int vkfmt_from_pixfmt2(AVHWDeviceContext *dev_ctx, enum AVPixelFormat p, &prop); feats_primary = tiling == VK_IMAGE_TILING_LINEAR ? - prop.formatProperties.linearTilingFeatures : - prop.formatProperties.optimalTilingFeatures; + fprops.linearTilingFeatures : fprops.optimalTilingFeatures; basics_primary = (feats_primary & basic_flags) == basic_flags; storage_primary = !!(feats_primary & VK_FORMAT_FEATURE_2_STORAGE_IMAGE_BIT); @@ -320,8 +323,7 @@ static int vkfmt_from_pixfmt2(AVHWDeviceContext *dev_ctx, enum AVPixelFormat p, vk_formats_list[i].fallback[0], &prop); feats_secondary = tiling == VK_IMAGE_TILING_LINEAR ? - prop.formatProperties.linearTilingFeatures : - prop.formatProperties.optimalTilingFeatures; + fprops.linearTilingFeatures : fprops.optimalTilingFeatures; basics_secondary = (feats_secondary & basic_flags) == basic_flags; storage_secondary = !!(feats_secondary & VK_FORMAT_FEATURE_2_STORAGE_IMAGE_BIT); } else { From 86c4d04051e00998327fece4c3e3e4edcfb64482 Mon Sep 17 00:00:00 2001 
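Review bot: `fprops` is only filled in when the implementation recognises `VkFormatProperties3` in the `pNext` chain, which needs Vulkan 1.3 or VK_KHR_format_feature_flags2. If neither is guaranteed at this point (not visible in these hunks), `linearTilingFeatures` and `optimalTilingFeatures` stay zero and every format fails the `basic_flags` test without a diagnostic. The same `prop`/`fprops` pair is reused for the fallback query in the third hunk, so the secondary result is only valid if that call rewrites both feature fields. A comment stating the required API level would make the dependency explicit, for example `/* requires VK_KHR_format_feature_flags2 (core in 1.3) */`. `vkfmt_from_pixfmt2` continues outside the hunks.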
From: Lynne Date: Tue, 7 Nov 2023 07:27:30 +0000 Subject: [PATCH 016/606] nlmeans_vulkan: fix offsets calculation and various stride issues We calculated offsets as pairs, but addressed them in the shader as single float values, while reading them as ivec2s. Also removes unused code (was provisionally added if cooperative matrices could be used, but that turned out to be impossible). (cherry picked from commit 99fcdee5e80db8a2a8ff1ea9b66a9b74d8f96f67) --- libavfilter/vf_nlmeans_vulkan.c | 78 +++++++++++++-------------------- 1 file changed, 31 insertions(+), 47 deletions(-) diff --git a/libavfilter/vf_nlmeans_vulkan.c b/libavfilter/vf_nlmeans_vulkan.c index 2b8f97d7d9..fac38d16f4 100644 --- a/libavfilter/vf_nlmeans_vulkan.c +++ b/libavfilter/vf_nlmeans_vulkan.c @@ -94,7 +94,7 @@ static void insert_horizontal_pass(FFVkSPIRVShader *shd, int nb_rows, int first, GLSLC(2, #pragma unroll(1) ); GLSLF(2, for (r = 0; r < %i; r++) { ,nb_rows); GLSLC(3, prefix_sum = DTYPE(0); ); - GLSLC(3, offset = uint64_t(int_stride)*(pos.y + r)*T_ALIGN; ); + GLSLC(3, offset = int_stride * uint64_t(pos.y + r); ); GLSLC(3, dst = DataBuffer(uint64_t(integral_data) + offset); ); GLSLC(0, ); GLSLF(3, for (pos.x = 0; pos.x < width[%i]; pos.x++) { ,plane); @@ -122,7 +122,7 @@ static void insert_vertical_pass(FFVkSPIRVShader *shd, int nb_rows, int first, i GLSLC(0, ); GLSLF(1, if (pos.x < width[%i]) { ,plane); GLSLF(2, for (pos.y = 0; pos.y < height[%i]; pos.y++) { ,plane); - GLSLC(3, offset = uint64_t(int_stride)*pos.y*T_ALIGN; ); + GLSLC(3, offset = int_stride * uint64_t(pos.y); ); GLSLC(3, dst = DataBuffer(uint64_t(integral_data) + offset); ); GLSLC(0, ); GLSLC(3, #pragma unroll(1) ); 
@@ -167,40 +167,26 @@ static void insert_weights_pass(FFVkSPIRVShader *shd, int nb_rows, int vert, GLSLC(0, ); GLSLC(3, lt = ((pos.x - p) < 0) || ((pos.y - p) < 0); ); GLSLC(0, ); - if (TYPE_ELEMS == 4) { - GLSLF(3, src[0] = texture(input_img[%i], pos + offs[0])[%i]; ,plane, comp); - GLSLF(3, src[1] = texture(input_img[%i], pos + offs[1])[%i]; ,plane, comp); - GLSLF(3, src[2] = texture(input_img[%i], pos + offs[2])[%i]; ,plane, comp); - GLSLF(3, src[3] = texture(input_img[%i], pos + offs[3])[%i]; ,plane, comp); - } else { - for (int i = 0; i < 16; i++) - GLSLF(3, src[%i][%i] = texture(input_img[%i], pos + offs[%i])[%i]; - ,i / 4, i % 4, plane, i, comp); - - } + GLSLF(3, src[0] = texture(input_img[%i], pos + offs[0])[%i]; ,plane, comp); + GLSLF(3, src[1] = texture(input_img[%i], pos + offs[1])[%i]; ,plane, comp); + GLSLF(3, src[2] = texture(input_img[%i], pos + offs[2])[%i]; ,plane, comp); + GLSLF(3, src[3] = texture(input_img[%i], pos + offs[3])[%i]; ,plane, comp); GLSLC(0, ); GLSLC(3, if (lt == false) { ); - GLSLC(4, a = integral_data.v[(pos.y - p)*int_stride + pos.x - p]; ); - GLSLC(4, c = integral_data.v[(pos.y - p)*int_stride + pos.x + p]; ); - GLSLC(4, b = integral_data.v[(pos.y + p)*int_stride + pos.x - p]; ); - GLSLC(4, d = integral_data.v[(pos.y + p)*int_stride + pos.x + p]; ); + GLSLC(3, offset = int_stride * uint64_t(pos.y - p); ); + GLSLC(3, dst = DataBuffer(uint64_t(integral_data) + offset); ); + GLSLC(4, a = dst.v[pos.x - p]; ); + GLSLC(4, c = dst.v[pos.x + p]; ); + GLSLC(3, offset = int_stride * uint64_t(pos.y + p); ); + GLSLC(3, dst = DataBuffer(uint64_t(integral_data) + offset); ); + GLSLC(4, b = dst.v[pos.x - p]; ); + GLSLC(4, d = dst.v[pos.x + p]; ); GLSLC(3, } ); GLSLC(0, ); GLSLC(3, patch_diff = d + a - b - c; ); - if (TYPE_ELEMS == 4) { - GLSLF(3, w = exp(patch_diff * strength[%i]); ,dst_comp); - GLSLC(3, w_sum = w[0] + w[1] + w[2] + w[3]; ); - GLSLC(3, sum = dot(w, src*255); ); - } else { - for (int i = 0; i < 4; i++) - GLSLF(3, w[%i] = 
exp(patch_diff[%i] * strength[%i]); ,i,i,dst_comp); - for (int i = 0; i < 4; i++) - GLSLF(3, w_sum %s w[%i][0] + w[%i][1] + w[%i][2] + w[%i][3]; - ,!i ? "=" : "+=", i, i, i, i); - for (int i = 0; i < 4; i++) - GLSLF(3, sum %s dot(w[%i], src[%i]*255); - ,!i ? "=" : "+=", i, i); - } + GLSLF(3, w = exp(patch_diff * strength[%i]); ,dst_comp); + GLSLC(3, w_sum = w[0] + w[1] + w[2] + w[3]; ); + GLSLC(3, sum = dot(w, src*255); ); GLSLC(0, ); if (t > 1) { GLSLF(3, atomicAdd(weights_%i[pos.y*ws_stride[%i] + pos.x], w_sum); ,dst_comp, dst_comp); @@ -220,8 +206,8 @@ typedef struct HorizontalPushData { int32_t patch_size[4]; float strength[4]; VkDeviceAddress integral_base; - uint32_t integral_size; - uint32_t int_stride; + uint64_t integral_size; + uint64_t int_stride; uint32_t xyoffs_start; } HorizontalPushData; @@ -275,8 +261,8 @@ static av_cold int init_weights_pipeline(FFVulkanContext *vkctx, FFVkExecPool *e GLSLC(1, ivec4 patch_size; ); GLSLC(1, vec4 strength; ); GLSLC(1, DataBuffer integral_base; ); - GLSLC(1, uint integral_size; ); - GLSLC(1, uint int_stride; ); + GLSLC(1, uint64_t integral_size; ); + GLSLC(1, uint64_t int_stride; ); GLSLC(1, uint xyoffs_start; ); GLSLC(0, }; ); GLSLC(0, ); @@ -371,13 +357,11 @@ static av_cold int init_weights_pipeline(FFVulkanContext *vkctx, FFVkExecPool *e GLSLF(1, ivec2 offs[%i]; ,TYPE_ELEMS); GLSLC(0, ); GLSLC(1, int invoc_idx = int(gl_WorkGroupID.z); ); - - GLSLC(1, offset = uint64_t(integral_size)*invoc_idx; ); - GLSLC(1, dst = DataBuffer(uint64_t(integral_data) + offset); ); - + GLSLC(0, ); + GLSLC(1, offset = integral_size * invoc_idx; ); GLSLC(1, integral_data = DataBuffer(uint64_t(integral_base) + offset); ); - for (int i = 0; i < TYPE_ELEMS*2; i += 2) - GLSLF(1, offs[%i] = xyoffsets[xyoffs_start + 2*%i*invoc_idx + %i]; ,i/2,TYPE_ELEMS,i); + for (int i = 0; i < TYPE_ELEMS; i++) + GLSLF(1, offs[%i] = xyoffsets[xyoffs_start + %i*invoc_idx + %i]; ,i,TYPE_ELEMS,i); GLSLC(0, ); GLSLC(1, DTYPE a; ); GLSLC(1, DTYPE b; ); 
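Review bot: The four integral reads emitted by insert_weights_pass (`dst.v[pos.x - p]` and `dst.v[pos.x + p]` on rows `pos.y - p` and `pos.y + p`) are guarded only on the lower edge by `lt`. Nothing in the hunk bounds `pos.x + p` or `pos.y + p` against the integral image. These are buffer-reference loads from a raw device address, so an out-of-range index is not caught by the API; if the upper bound is enforced earlier it is outside the hunk, otherwise an upper-edge test belongs next to `lt`. As a style point, the two `offset =`/`dst =` pairs inside the `if (lt == false)` block are emitted at indent level 3 while the reads around them use 4.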
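Review bot: HorizontalPushData and the GLSL push-constant block in init_weights_pipeline are widened in lockstep by hand (`uint64_t integral_size; uint64_t int_stride;` on both sides), but nothing ties the two layouts together. With 64-bit members followed by the 32-bit `xyoffs_start`, the C struct may carry tail padding the GLSL block does not, so the size used for the push-constant range matters; that range is set outside these hunks. I would add a comment on the struct: `/* must mirror the push-constant block emitted in init_weights_pipeline(), field for field */`.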
@@ -759,7 +743,7 @@ static int nlmeans_vulkan_filter_frame(AVFilterLink *link, AVFrame *in) /* Integral */ AVBufferRef *integral_buf = NULL; FFVkBuffer *integral_vk; - uint32_t int_stride; + size_t int_stride; size_t int_size; /* Weights/sums */ @@ -787,8 +771,8 @@ static int nlmeans_vulkan_filter_frame(AVFilterLink *link, AVFrame *in) return AVERROR(EINVAL); /* Integral image */ - int_stride = s->pl_weights.wg_size[0]*s->pl_weights_rows; - int_size = int_stride * int_stride * TYPE_SIZE; + int_stride = s->pl_weights.wg_size[0]*s->pl_weights_rows*TYPE_SIZE; + int_size = s->pl_weights.wg_size[0]*s->pl_weights_rows*int_stride; /* Plane dimensions */ for (int i = 0; i < desc->nb_components; i++) { @@ -982,9 +966,9 @@ static int nlmeans_vulkan_filter_frame(AVFilterLink *link, AVFrame *in) { s->patch[0], s->patch[1], s->patch[2], s->patch[3] }, { s->strength[0], s->strength[1], s->strength[2], s->strength[2], }, integral_vk->address, - int_size, - int_stride, - offsets_dispatched * 2, + (uint64_t)int_size, + (uint64_t)int_stride, + offsets_dispatched, }; if (offsets_dispatched) { From 3d7c02e4a2750f41dd4ee032c261ddb62f6e3374 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Fri, 3 Nov 2023 17:32:07 +0800 Subject: [PATCH 017/606] avdevice/android_camera: fix build failure due to typo Signed-off-by: Zhao Zhili --- libavdevice/android_camera.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/android_camera.c b/libavdevice/android_camera.c index 602b59047d..c981985f10 100644 --- a/libavdevice/android_camera.c +++ b/libavdevice/android_camera.c @@ -648,8 +648,8 @@ static int add_display_matrix(AVFormatContext *avctx, AVStream *st) av_display_matrix_flip(display_matrix, 1, 0); } - side_data = av_packet_side_data_new(&st->codecpar->side_data, - &st->codecpar->nb_side_data, + side_data = av_packet_side_data_new(&st->codecpar->coded_side_data, + &st->codecpar->nb_coded_side_data, AV_PKT_DATA_DISPLAYMATRIX, sizeof(display_matrix), 0); 
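Review bot: `int_stride` is now `size_t`, but `s->pl_weights.wg_size[0]*s->pl_weights_rows*TYPE_SIZE` is still evaluated in the operands' own type and only widened on assignment. The types of `wg_size` and `pl_weights_rows` are declared outside the hunk, so this is a possible 32-bit wrap rather than a certain one. Casting the first operand keeps the whole product wide: `int_stride = (size_t)s->pl_weights.wg_size[0]*s->pl_weights_rows*TYPE_SIZE;`. A short comment that `int_stride` is now a byte count rather than an element count would also help, since the shader side apparently dropped `T_ALIGN` on that basis.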
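Review bot: The strength row of the push-data literal reads `{ s->strength[0], s->strength[1], s->strength[2], s->strength[2], }`, so the fourth component repeats index 2 while the `patch` row above it runs 0 to 3. The line is context rather than part of this change, but it sits in the initialiser being edited and looks like a typo for `s->strength[3]`; please confirm whether the repetition is intended. nlmeans_vulkan_filter_frame continues outside the hunk.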
From c5ee01d966ab43338f913c3977bbb638f8940122 Mon Sep 17 00:00:00 2001 From: Marvin Scholz Date: Tue, 7 Nov 2023 23:21:17 +0100 Subject: [PATCH 018/606] avfilter/vf_tpad: fix check for drawing initialization The check if drawing needs to be initialized and supported formats should be drawable ones was flawed, as pad_stop/pad_start is only populated from stop_duration/start_duration after these checks. To fix that, check the _duration variants as well and for better readability and maintainability break the check out into its own helper. Fixes a regression from 86b252ea9dee18006910e30646ad1067f2d1323f Fix #10621 Signed-off-by: Anton Khirnov (cherry picked from commit 6667741029bce9a79b48caedf24d6cb69c5ead7d) Signed-off-by: Anton Khirnov --- libavfilter/vf_tpad.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_tpad.c b/libavfilter/vf_tpad.c index 7990403e81..1efe4ec479 100644 --- a/libavfilter/vf_tpad.c +++ b/libavfilter/vf_tpad.c @@ -70,11 +70,17 @@ static const AVOption tpad_options[] = { AVFILTER_DEFINE_CLASS(tpad); +static int needs_drawing(const TPadContext *s) { + return ( + (s->stop_mode == MODE_ADD && (s->pad_stop != 0 || s->stop_duration != 0)) || + (s->start_mode == MODE_ADD && (s->pad_start != 0 || s->start_duration != 0)) + ); +} + static int query_formats(AVFilterContext *ctx) { TPadContext *s = ctx->priv; - if ((s->stop_mode == MODE_ADD && s->pad_stop != 0) || - (s->start_mode == MODE_ADD && s->pad_start != 0)) + if (needs_drawing(s)) return ff_set_common_formats(ctx, ff_draw_supported_pixel_formats(0)); return ff_set_common_formats(ctx, ff_all_formats(AVMEDIA_TYPE_VIDEO)); 
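Review bot: needs_drawing() carries no comment saying why it tests both `pad_*` and `*_duration`, and that reason is the whole fix. Per the commit message the `pad_*` fields are filled from the durations only after these checks run, which a later reader could easily "simplify" away. I would put it above the helper: `/* pad_start/pad_stop are derived from the *_duration options only later, so both must be tested here */`.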
@@ -196,8 +202,7 @@ static int config_input(AVFilterLink *inlink) AVFilterContext *ctx = inlink->dst; TPadContext *s = ctx->priv; - if ((s->stop_mode == MODE_ADD && s->pad_stop != 0) || - (s->start_mode == MODE_ADD && s->pad_start != 0)) { + if (needs_drawing(s)) { ff_draw_init(&s->draw, inlink->format, 0); ff_draw_color(&s->draw, &s->color, s->rgba_color); } From 38dc8767df7c2432c72c18e46677047ca6d1e0d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Oct 2023 00:10:18 +0200 Subject: [PATCH 019/606] avcodec/evc_parse: remove pow() and log2() The use of float based functions is both unneeded and wrong due to unpredictable rounding Signed-off-by: Michael Niedermayer (cherry picked from commit d35eecd24fb62a4060ef89dfdd1c45f5549fb71d) Signed-off-by: Michael Niedermayer --- libavcodec/evc_parse.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index bd3a4416f2..255706ce61 100644 --- a/libavcodec/evc_parse.c +++ b/libavcodec/evc_parse.c @@ -172,7 +172,8 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh, poc->PicOrderCntVal = 0; poc->DocOffset = -1; } else { - int SubGopLength = (int)pow(2.0, sps->log2_sub_gop_length); + int SubGopLength = 1 << sps->log2_sub_gop_length; + if (tid == 0) { poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength; poc->DocOffset = 0; 
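Review bot: `ff_draw_init(&s->draw, inlink->format, 0);` in config_input is called without checking its result, so a format the drawing code cannot handle goes unnoticed until frames are padded. The line is context, but the regression fixed here was exactly a mismatch between the negotiated formats and the drawing setup, and a checked call would have reported it at configuration time: `if ((ret = ff_draw_init(&s->draw, inlink->format, 0)) < 0) return ret;` with an `int ret` declared above. config_input continues past the end of the hunk.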
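Review bot: `1 << sps->log2_sub_gop_length` in ff_evc_derive_poc shifts a signed int by a count taken from the parsed SPS, and a count of 31 or more is undefined behaviour. Whether the SPS parser already limits `log2_sub_gop_length` is not visible in this hunk. If it does not, reject it before the shift, e.g. `if (sps->log2_sub_gop_length >= 31) return AVERROR_INVALIDDATA;` (or the tighter limit the format defines). The same applies to `1 << tid` in the next hunk of this file.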
@@ -187,15 +188,16 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh, poc->prevPicOrderCntVal += SubGopLength; ExpectedTemporalId = 0; } else - ExpectedTemporalId = 1 + (int)log2(poc->DocOffset); + ExpectedTemporalId = 1 + av_log2(poc->DocOffset); + while (tid != ExpectedTemporalId) { poc->DocOffset = (poc->DocOffset + 1) % SubGopLength; if (poc->DocOffset == 0) ExpectedTemporalId = 0; else - ExpectedTemporalId = 1 + (int)log2(poc->DocOffset); + ExpectedTemporalId = 1 + av_log2(poc->DocOffset); } - PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset + 1) / (int)pow(2.0, tid) - 2)); + PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset + 1) / (1 << tid) - 2)); poc->PicOrderCntVal = poc->prevPicOrderCntVal + PocOffset; } } From 3d1ca4c3ff28905258f1382a91fd17d3cbea7800 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Oct 2023 00:19:53 +0200 Subject: [PATCH 020/606] avcodec/evc_parse: Check tid The check is based on not infinite looping. It is likely a more strict check can be done Fixes: Infinite loop Fixes: 62473/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104 Fixes: 62765/clusterfuzz-testcase-minimized-ffmpeg_dem_EVC_fuzzer-6448531252314112 Fixes: 63378/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-6504993844494336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: "Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics" Signed-off-by: Michael Niedermayer (cherry picked from commit 68cc1744db828e929b74f96478c18f1d226510be) Signed-off-by: Michael Niedermayer --- libavcodec/evc_parse.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index 255706ce61..43b8dabf8b 100644 --- a/libavcodec/evc_parse.c +++ b/libavcodec/evc_parse.c 
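Review bot: The `PocOffset` expression still goes through double arithmetic (`2.0 * poc->DocOffset + 1`, divided and cast back with `(int)`), although the commit message gives unpredictable float rounding as the reason for the change. If `tid` never exceeds `sps->log2_sub_gop_length`, which this hunk does not establish, the division is exact and the value can be computed in integers: `PocOffset = SubGopLength * (2 * poc->DocOffset + 1) / (1 << tid) - 2 * SubGopLength;`. ff_evc_derive_poc begins outside the hunk.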
@@ -174,6 +174,9 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh, } else { int SubGopLength = 1 << sps->log2_sub_gop_length; + if (tid > (SubGopLength > 1 ? 1 + av_log2(SubGopLength - 1) : 0)) + return AVERROR_INVALIDDATA; + if (tid == 0) { poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength; poc->DocOffset = 0; From cebc2b3880eed069a4487cc92cccc5fcd0c50677 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Oct 2023 01:52:20 +0200 Subject: [PATCH 021/606] avformat/mov: Check that is_still_picture_avif has no trak based streams Fixes: Assertion failure in mov_read_iloc( in mov_read_iloc()) Fixes: 62866/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5282997370486784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98c2711b58ce65eae02cb2ece3a664e1119fd8fe) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2f29487beb..e8efccf6eb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4628,6 +4628,10 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; int ret; + if (c->is_still_picture_avif) { + return AVERROR_INVALIDDATA; + } + st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); st->id = -1; From c9a9dbfebf749f0fa8d938e6f64adaef438ea9f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Oct 2023 18:20:14 +0200 Subject: [PATCH 022/606] avcodec/apedec: Fix integer overflow in predictor_decode_stereo_3950() Fixes: signed integer overflow: 1900031961 + 553590817 cannot be represented in type 'int' Fixes: 63061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5166188298371072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
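Review bot: The bound `tid > (SubGopLength > 1 ? 1 + av_log2(SubGopLength - 1) : 0)` is given without explanation, and its derivation is not obvious. It is the largest `ExpectedTemporalId` the search loop further down can produce, because `DocOffset` is reduced modulo `SubGopLength`. A comment would save the next reader the work: `/* largest ExpectedTemporalId reachable below; a bigger tid never matches and the loop would not end */`. The check has no lower bound either, so if `tid` is a signed type (its declaration is outside the hunk) a negative value passes and then reaches `1 << tid`.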
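Review bot: The new rejection in mov_read_trak only works if `c->is_still_picture_avif` is already set when the `trak` box is parsed, so a file that places `trak` ahead of whatever sets the flag would still end up with trak-based streams. Where the flag is set is outside the hunk, so the reverse order may already be handled there; if not, that site needs the complementary check. The early return is also silent; a one-line `av_log(c->fc, AV_LOG_ERROR, "trak box in still-picture AVIF\n");` would make refused files easier to triage.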
Signed-off-by: Michael Niedermayer (cherry picked from commit 2def61778777e998e2ac538f56b8e6779b0ca8c1) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8bfbb75b41..d31c067152 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1284,7 +1284,7 @@ static void predictor_decode_stereo_3950(APEContext *ctx, int count) *decoded1++ = a1; if (num_passes > 1) { int32_t left = a1 - (unsigned)(a0 / 2); - int32_t right = left + a0; + int32_t right = left + (unsigned)a0; if (FFMAX(FFABS(left), FFABS(right)) > (1<<23)) { ctx->interim_mode = !interim_mode; From 8904bc8e76f558b2291c065304fd0a7caad3bdb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Oct 2023 23:50:07 +0200 Subject: [PATCH 023/606] avcodec/dovi_rpu: Use 64 bit in get_us/se_coeff() Fixes: shift exponent 32 is too large for 32-bit type 'int' Fixes: 63151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5067531154751488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2817efbba331ac1d3a39fbee78b480008ce20a93) Signed-off-by: Michael Niedermayer --- libavcodec/dovi_rpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dovi_rpu.c b/libavcodec/dovi_rpu.c index f6485256c4..a6b23f4dd1 100644 --- a/libavcodec/dovi_rpu.c +++ b/libavcodec/dovi_rpu.c @@ -149,7 +149,7 @@ static inline uint64_t get_ue_coef(GetBitContext *gb, const AVDOVIRpuDataHeader case RPU_COEFF_FLOAT: fpart.u32 = get_bits_long(gb, 32); - return fpart.f32 * (1 << hdr->coef_log2_denom); + return fpart.f32 * (1LL << hdr->coef_log2_denom); } return 0; /* unreachable */ 
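Review bot: With `left` and `right` in predictor_decode_stereo_3950 now produced by wrapping unsigned arithmetic, either can come out as `INT32_MIN`. The following `FFMAX(FFABS(left), FFABS(right)) > (1<<23)` then negates it in signed arithmetic, which overflows. That line is context, but it consumes exactly the values this change allows to wrap. `FFABSU()` returns the magnitude as unsigned and avoids it: `if (FFMAX(FFABSU(left), FFABSU(right)) > (1<<23)) {`. The function starts and ends outside the hunk.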
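Review bot: In the `RPU_COEFF_FLOAT` case of get_ue_coef (and the identical line in get_se_coef, next hunk) the 32 bits read from the bitstream are reinterpreted as a float and the product is converted implicitly to the integer return type. Converting a NaN, an infinity or an out-of-range value is undefined, and for the unsigned variant that includes any negative input. Widening the multiplier to `1LL` fixes the shift but not the conversion. A finiteness and range test on `fpart.f32` before the return would close it. The limit on `hdr->coef_log2_denom` that keeps the shift count valid is also not visible in these hunks.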
@@ -168,7 +168,7 @@ static inline int64_t get_se_coef(GetBitContext *gb, const AVDOVIRpuDataHeader * case RPU_COEFF_FLOAT: fpart.u32 = get_bits_long(gb, 32); - return fpart.f32 * (1 << hdr->coef_log2_denom); + return fpart.f32 * (1LL << hdr->coef_log2_denom); } return 0; /* unreachable */ From 4f863e52dd1e34d66a19cf00f13fd053c8e8c8fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Oct 2023 00:11:02 +0200 Subject: [PATCH 024/606] tools/target_dec_fuzzer: Adjust threshold for CSCD Fixes: Timeout Fixes: 63362/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-4694620065628160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2f2bf82c1b3987e2d1a75cc79c4b58d286a2291) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 798fc0b3f2..27e7398089 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -221,6 +221,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_CFHD: maxpixels /= 16384; break; case AV_CODEC_ID_CINEPAK: maxpixels /= 128; break; case AV_CODEC_ID_COOK: maxsamples /= 1<<20; break; + case AV_CODEC_ID_CSCD: maxpixels /= 1024; break; case AV_CODEC_ID_DFA: maxpixels /= 1024; break; case AV_CODEC_ID_DIRAC: maxpixels /= 8192; break; case AV_CODEC_ID_DSICINVIDEO: maxpixels /= 1024; break; From e8541ed9f132a69c152c7da0b8fef57cea2f926a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Oct 2023 21:20:25 +0200 Subject: [PATCH 025/606] avcodec/vlc: Skip subtable entries in multi VLC These entries do not correspond to VLC symbols that can be used they do corrupt various variables like min/max bits This also no longer assumes that there is a single non subtable entry Probably fixes some infinite loops too 
Signed-off-by: Michael Niedermayer (cherry picked from commit 356b1ba765623ec1640a366e587232f1631800f8) Signed-off-by: Michael Niedermayer --- libavcodec/vlc.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index 7786043086..65883a506f 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c @@ -401,15 +401,23 @@ static int vlc_multi_gen(VLC_MULTI_ELEM *table, const VLC *single, int minbits, maxbits, max = nb_codes-1; unsigned count[VLC_MULTI_MAX_SYMBOLS-1] = { 0, }; VLC_MULTI_ELEM info = { { 0, }, 0, 0, }; + int count0 = 0; - minbits = buf[0].bits; - maxbits = buf[0].bits; + for (int j = 0; j < 1<table[j].len > 0) { + count0 ++; + j += (1 << (numbits - single->table[j].len)) - 1; + } + } - for (int n = 1; n < nb_codes; n++) { + minbits = 32; + maxbits = 0; + + for (int n = nb_codes - count0; n < nb_codes; n++) { minbits = FFMIN(minbits, buf[n].bits); maxbits = FFMAX(maxbits, buf[n].bits); } - maxbits = FFMIN(maxbits, numbits); + av_assert0(maxbits <= numbits); while (max >= nb_codes/2) { if (buf[max].bits+minbits > maxbits) From 597d5744807dfe85808aa1f854438c0c5f0e1867 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Oct 2023 21:36:11 +0200 Subject: [PATCH 026/606] avcodec/vlc: Replace mysterious max computation code in multi vlc Signed-off-by: Michael Niedermayer (cherry picked from commit 8516609edde98391017fb145b4f492c01b360a03) Signed-off-by: Michael Niedermayer --- libavcodec/vlc.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index 65883a506f..9b7a42f79a 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c 
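Review bot: Replacing the clamp `maxbits = FFMIN(maxbits, numbits)` in vlc_multi_gen with `av_assert0(maxbits <= numbits)` turns a violated assumption about code lengths into a process abort, since `av_assert0` is active in every build. If `buf[].bits` can be influenced by stream data for any caller, which the hunk does not show, an error return is the safer reaction: `if (maxbits > numbits) return AVERROR_INVALIDDATA;`. When `count0` is 0 the scan loop does not run and `minbits`/`maxbits` keep their sentinels 32 and 0. `nb_codes - count0` is also used as a start index with no visible check that `count0 <= nb_codes`. The counting loop's header is truncated on this page, so it is not reviewed here.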
@@ -359,7 +359,7 @@ static void add_level(VLC_MULTI_ELEM *table, const int is16bit, unsigned* levelcnt, VLC_MULTI_ELEM *info) { int max_symbols = VLC_MULTI_MAX_SYMBOLS >> is16bit; - for (int i = num-1; i > max; i--) { + for (int i = num-1; i >= max; i--) { for (int j = 0; j < 2; j++) { int newlimit, sym; int t = j ? i-1 : i; @@ -398,7 +398,7 @@ static int vlc_multi_gen(VLC_MULTI_ELEM *table, const VLC *single, const int is16bit, const int nb_codes, const int numbits, VLCcode *buf, void *logctx) { - int minbits, maxbits, max = nb_codes-1; + int minbits, maxbits, max; unsigned count[VLC_MULTI_MAX_SYMBOLS-1] = { 0, }; VLC_MULTI_ELEM info = { { 0, }, 0, 0, }; int count0 = 0; @@ -419,10 +419,13 @@ static int vlc_multi_gen(VLC_MULTI_ELEM *table, const VLC *single, } av_assert0(maxbits <= numbits); - while (max >= nb_codes/2) { - if (buf[max].bits+minbits > maxbits) + for (max = nb_codes; max > nb_codes - count0; max--) { + // We can only add a code that fits with the shortest other code into the table + // We assume the table is sorted by bits and we skip subtables which from our + // point of view are basically random corrupted entries + // If we have not a single useable vlc we end with max = nb_codes + if (buf[max - 1].bits+minbits > numbits) break; - max--; } for (int j = 0; j < 1< Date: Sun, 22 Oct 2023 22:14:47 +0200 Subject: [PATCH 027/606] avcodec/vlc: Pass VLC_MULTI_ELEM directly not by pointer This makes the code more testable as uninitialized fields are 0 and not random values from the last call Signed-off-by: Michael Niedermayer (cherry picked from commit a5259f326bcaf933a25df64aa49417c25990f7d3) Signed-off-by: Michael Niedermayer --- libavcodec/vlc.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index 9b7a42f79a..4adec2da70 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c 
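Review bot: With the bound in add_level widened to `i >= max`, and `max` in vlc_multi_gen now able to stop at `nb_codes - count0`, an `i` of 0 becomes reachable when `count0 == nb_codes`. `int t = j ? i-1 : i;` then yields -1 for `j == 1`. What is done with `t` lies past the end of the first hunk, so this may be guarded there. If `buf[t]` is indexed directly, either `max` needs a floor of 1 or the `j` loop must skip `i == 0`.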
@@ -356,7 +356,7 @@ static void add_level(VLC_MULTI_ELEM *table, const int is16bit, uint32_t curcode, int curlen, int curlimit, int curlevel, const int minlen, const int max, - unsigned* levelcnt, VLC_MULTI_ELEM *info) + unsigned* levelcnt, VLC_MULTI_ELEM info) { int max_symbols = VLC_MULTI_MAX_SYMBOLS >> is16bit; for (int i = num-1; i >= max; i--) { @@ -372,16 +372,16 @@ static void add_level(VLC_MULTI_ELEM *table, const int is16bit, code = curcode + (buf[t].code >> curlen); newlimit = curlimit - l; l += curlen; - if (is16bit) AV_WN16(info->val+2*curlevel, sym); - else info->val[curlevel] = sym&0xFF; + if (is16bit) AV_WN16(info.val+2*curlevel, sym); + else info.val[curlevel] = sym&0xFF; if (curlevel) { // let's not add single entries uint32_t val = code >> (32 - numbits); uint32_t nb = val + (1U << (numbits - l)); - info->len = l; - info->num = curlevel+1; + info.len = l; + info.num = curlevel+1; for (; val < nb; val++) - AV_COPY64(table+val, info); + AV_COPY64(table+val, &info); levelcnt[curlevel-1]++; } @@ -435,7 +435,7 @@ static int vlc_multi_gen(VLC_MULTI_ELEM *table, const VLC *single, } add_level(table, is16bit, nb_codes, numbits, buf, - 0, 0, FFMIN(maxbits, numbits), 0, minbits, max, count, &info); + 0, 0, FFMIN(maxbits, numbits), 0, minbits, max, count, info); av_log(logctx, AV_LOG_DEBUG, "Joint: %d/%d/%d/%d/%d codes min=%ubits max=%u\n", count[0], count[1], count[2], count[3], count[4], minbits, max); From d660dd1e0a0d87b88e626531e2577be209e510c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Nov 2023 23:49:53 +0100 Subject: [PATCH 028/606] avfilter/framesync: fix order of operation with = and <0 Reviewed-by: Sean McGovern Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 9450a4a7fef5816ee893177c903f0232724c57c6) Signed-off-by: Michael Niedermayer --- libavfilter/framesync.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
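Review bot: add_level now takes `VLC_MULTI_ELEM info` by value so that each call works on its own copy, but nothing at the signature says so, and a struct passed by value is the kind of thing a later cleanup turns back into a pointer. I would add above the function: `/* info is passed by value on purpose: each call extends its own copy */`. `AV_COPY64(table+val, &info)` also relies on the element being exactly 8 bytes. The type is declared outside these hunks, so a compile-time size check next to the declaration is worth considering.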
diff --git a/libavfilter/framesync.c b/libavfilter/framesync.c index c748262ba6..6cb4b21fed 100644 --- a/libavfilter/framesync.c +++ b/libavfilter/framesync.c @@ -288,7 +288,7 @@ int ff_framesync_get_frame(FFFrameSync *fs, unsigned in, AVFrame **rframe, if (need_copy) { if (!(frame = av_frame_clone(frame))) return AVERROR(ENOMEM); - if ((ret = ff_inlink_make_frame_writable(fs->parent->inputs[in], &frame) < 0)) { + if ((ret = ff_inlink_make_frame_writable(fs->parent->inputs[in], &frame)) < 0) { av_frame_free(&frame); return ret; } From 29294657189af64f299fc0c7b67ff1aa27781138 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Nov 2023 23:49:53 +0100 Subject: [PATCH 029/606] avfilter/buffersink: fix order of operation with = and <0 Reviewed-by: Sean McGovern Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c0a18e884c2d24d1052147082c358cb6929e97f1) Signed-off-by: Michael Niedermayer --- libavfilter/buffersink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/buffersink.c b/libavfilter/buffersink.c index 9426ded7ee..ca2af1bc07 100644 --- a/libavfilter/buffersink.c +++ b/libavfilter/buffersink.c @@ -293,7 +293,7 @@ static int asink_query_formats(AVFilterContext *ctx) cleanup_redundant_layouts(ctx); for (i = 0; i < NB_ITEMS(buf->channel_layouts); i++) if ((ret = av_channel_layout_from_mask(&layout, buf->channel_layouts[i])) < 0 || - (ret = ff_add_channel_layout(&layouts, &layout) < 0)) + (ret = ff_add_channel_layout(&layouts, &layout)) < 0) return ret; for (i = 0; i < NB_ITEMS(buf->channel_counts); i++) { layout = FF_COUNT2LAYOUT(buf->channel_counts[i]); From 962d667964ffc5e5133d7fc56b5fbd8ce7376553 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Nov 2023 00:10:02 +0100 Subject: [PATCH 030/606] avcodec/flicvideo: consider width in copy loops Fixes: out of array write Fixes: 63520/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4876198087622656 Regression since: c7f8d42c12582b0626ea38117df6c9aea9fcf5b1 (was not posted to ffmpeg-devel) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Sean McGovern Signed-off-by: Michael Niedermayer (cherry picked from commit 03a4aa9699c397f157394af3394fb065bd0a8166) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 6ce033ba40..43f3f83bf6 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -642,7 +642,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, "has incorrect size, skipping chunk\n", chunk_size - 6); bytestream2_skip(&g2, chunk_size - 6); } else { - for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0; + for (y_ptr = 0; check_pixel_ptr(y_ptr, s->avctx->width, pixel_limit, direction) == 0; y_ptr += s->frame->linesize[0]) { bytestream2_get_buffer(&g2, &pixels[y_ptr], s->avctx->width); @@ -949,7 +949,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) return AVERROR_INVALIDDATA; - for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0; + for (y_ptr = 0; check_pixel_ptr(y_ptr, 2*s->avctx->width, pixel_limit, direction) == 0; y_ptr += s->frame->linesize[0]) { pixel_countdown = s->avctx->width; 
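Review bot: The row width handed to `check_pixel_ptr` is written out separately from the copy that follows it (`s->avctx->width` here, `2*s->avctx->width` in the 15/16BPP hunk, `3*s->avctx->width` in the 24BPP hunk). The bound check and the write therefore agree only while both expressions are edited together. Hoisting it into one local used by both, e.g. `const int row_bytes = 3*s->avctx->width;` passed to `check_pixel_ptr` and to `bytestream2_get_buffer`, keeps them from drifting apart. In the 15/16BPP loop the per-pixel write is outside the hunk, so the factor 2 could not be confirmed from here.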
@@ -1235,7 +1235,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, "bigger than image, skipping chunk\n", chunk_size - 6); bytestream2_skip(&g2, chunk_size - 6); } else { - for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0; + for (y_ptr = 0; check_pixel_ptr(y_ptr, 3*s->avctx->width, pixel_limit, direction) == 0; y_ptr += s->frame->linesize[0]) { bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width); From 9ee0cd2190cabcc5b9f92c4d64da9ef28d60022d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Nov 2023 00:33:41 +0100 Subject: [PATCH 031/606] avformat/lafdec: Check for 0 parameters Fixes: Timeout Fixes: 63661/clusterfuzz-testcase-minimized-ffmpeg_dem_LAF_fuzzer-6615365234589696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Sean McGovern Signed-off-by: Michael Niedermayer (cherry picked from commit 4fb9d946883ba8a3e21a9e756aa27349e6e22cef) Signed-off-by: Michael Niedermayer --- libavformat/lafdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/lafdec.c b/libavformat/lafdec.c index 59a59dcfe9..b867f106ae 100644 --- a/libavformat/lafdec.c +++ b/libavformat/lafdec.c @@ -139,7 +139,9 @@ static int laf_read_header(AVFormatContext *ctx) s->index = 0; s->stored_index = 0; s->bpp = bpp; - if ((int64_t)bpp * st_count * (int64_t)sample_rate >= INT32_MAX) + if ((int64_t)bpp * st_count * (int64_t)sample_rate >= INT32_MAX || + (int64_t)bpp * st_count * (int64_t)sample_rate == 0 + ) return AVERROR_INVALIDDATA; s->data = av_calloc(st_count * sample_rate, bpp); if (!s->data) From 37c6124893dc4555443bcc72b4a6f97ba1b73711 Mon Sep 17 00:00:00 2001 
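Review bot: The added `== 0` test in laf_read_header rejects a zero product, but a negative one still passes both comparisons if `bpp`, `st_count` or `sample_rate` is a signed type; their declarations are outside the hunk. Computing the product once covers both ends and removes the duplicated expression: `int64_t total = (int64_t)bpp * st_count * (int64_t)sample_rate;` followed by `if (total <= 0 || total >= INT32_MAX) return AVERROR_INVALIDDATA;`. The function continues outside the hunk.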
From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:18 +0000 Subject: [PATCH 032/606] doc/html: support texinfo 7.0 Resolves trac ticket #10636 (http://trac.ffmpeg.org/ticket/10636). Texinfo 7.0, released in November 2022, changed the names of various functions. Compiling docs with Texinfo 7.0 resulted in warnings and improperly formatted documentation. More old names appear to have been removed in Texinfo 7.1, released October 2023, which causes docs compilation to fail. This commit addresses the issue by adding logic to switch between the old and new function names depending on the Texinfo version. Texinfo 6.8 produces identical documentation before and after the patch. CC https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1938238.html https://bugs.gentoo.org/916104 Signed-off-by: Frank Plowman (cherry picked from commit f01fdedb69e4accb1d1555106d8f682ff1f1ddc7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 106 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 21 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index d07d974286..b7485e1f1e 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm 
@@ -20,8 +20,45 @@ # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Texinfo 7.0 changed the syntax of various functions. +# Provide a shim for older versions. +sub ff_set_from_init_file($$) { + my $key = shift; + my $value = shift; + if (exists &{'texinfo_set_from_init_file'}) { + texinfo_set_from_init_file($key, $value); + } else { + set_from_init_file($key, $value); + } +} + +sub ff_get_conf($) { + my $key = shift; + if (exists &{'texinfo_get_conf'}) { + texinfo_get_conf($key); + } else { + get_conf($key); + } +} + +sub get_formatting_function($$) { + my $obj = shift; + my $func = shift; + + my $sub = $obj->can('formatting_function'); + if ($sub) { + return $obj->formatting_function($func); + } else { + return $obj->{$func}; + } +} + +# determine texinfo version +my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # no navigation elements -set_from_init_file('HEADERS', 0); +ff_set_from_init_file('HEADERS', 0); sub ffmpeg_heading_command($$$$$) { @@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$) $element = $command->{'parent'}; } if ($element) { - $result .= &{$self->{'format_element_header'}}($self, $cmdname, + $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, $command, $element); } @@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - $result .= &{$self->{'format_heading_text'}}( + # format_heading_text expects an array of headings for texinfo >= 7.0 + if ($program_version_num >= 7.000000) { + $heading = [$heading]; + } + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); 
@@ -126,23 +167,19 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } -# determine if texinfo is at least version 6.8 -my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; -my $program_version_6_8 = $program_version_num >= 6.008000; - # print the TOC where @contents is used if ($program_version_6_8) { - set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); + ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); } else { - set_from_init_file('INLINE_CONTENTS', 1); + ff_set_from_init_file('INLINE_CONTENTS', 1); } # make chapters

-set_from_init_file('CHAPTER_HEADER_LEVEL', 2); +ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2); # Do not add
-set_from_init_file('DEFAULT_RULE', ''); -set_from_init_file('BIG_RULE', ''); +ff_set_from_init_file('DEFAULT_RULE', ''); +ff_set_from_init_file('BIG_RULE', ''); # Customized file beginning sub ffmpeg_begin_file($$$) @@ -159,7 +196,18 @@ sub ffmpeg_begin_file($$$) my ($title, $description, $encoding, $date, $css_lines, $doctype, $bodytext, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $program, $generator); + if ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command); + } else { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command); + } my $links = $self->_get_links ($filename, $element); @@ -223,7 +271,7 @@ if ($program_version_6_8) { sub ffmpeg_end_file($) { my $self = shift; - my $program_string = &{$self->{'format_program_string'}}($self); + my $program_string = &{get_formatting_function($self,'format_program_string')}($self); my $program_text = < $program_string @@ -244,7 +292,7 @@ if ($program_version_6_8) { # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). -set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); +ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); sub ffmpeg_title($$$$) { return ''; 
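Review bot: In ffmpeg_begin_file the fourteen-variable list is written out twice only to switch between `_file_header_information` and `_file_header_informations`, which invites the two copies drifting apart. Selecting the method name first keeps a single assignment: `my $hdr = $program_version_num >= 7.000000 ? '_file_header_information' : '_file_header_informations';`, then one list assignment from `$self->$hdr($command)`. The same pattern would shorten the `float_name_caption` and `_attribute_class`/`html_attribute_class` branches added to ffmpeg_float later in this file.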
@@ -262,8 +310,14 @@ sub ffmpeg_float($$$$$) my $args = shift; my $content = shift; - my ($caption, $prepended) = Texinfo::Common::float_name_caption($self, - $command); + my ($caption, $prepended); + if ($program_version_num >= 7.000000) { + ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self, + $command); + } else { + ($caption, $prepended) = Texinfo::Common::float_name_caption($self, + $command); + } my $caption_text = ''; my $prepended_text; my $prepended_save = ''; @@ -335,8 +389,13 @@ sub ffmpeg_float($$$$$) $caption->{'args'}->[0], 'float caption'); } if ($prepended_text.$caption_text ne '') { - $prepended_text = $self->_attribute_class('div','float-caption'). '>' - . $prepended_text; + if ($program_version_num >= 7.000000) { + $prepended_text = $self->html_attribute_class('div',['float-caption']). '>' + . $prepended_text; + } else { + $prepended_text = $self->_attribute_class('div','float-caption'). '>' + . $prepended_text; + } $caption_text .= ''; } my $html_class = ''; @@ -349,8 +408,13 @@ sub ffmpeg_float($$$$$) $prepended_text = ''; $caption_text = ''; } - return $self->_attribute_class('div', $html_class). '>' . "\n" . - $prepended_text . $caption_text . $content . ''; + if ($program_version_num >= 7.000000) { + return $self->html_attribute_class('div', [$html_class]). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } else { + return $self->_attribute_class('div', $html_class). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } } texinfo_register_command_formatting('float', From cf5cdc5a29fb82183c201445f86f27b22dfb1ad3 Mon Sep 17 00:00:00 2001 
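Review bot: The two `html_attribute_class` branches in ffmpeg_float have no comment on why the class argument changes shape, and the difference (`'float-caption'` vs `['float-caption']`, `$html_class` vs `[$html_class]`) is easy to miss when the branches are read side by side. I would add above the first of them `# Texinfo >= 7.0: html_attribute_class() takes the classes as an array ref; older releases use _attribute_class() with a plain string`. The same kind of one-line comment would help at the `float_name_caption` call, where only the package changes (`Texinfo::Convert::Converter` vs `Texinfo::Common`). ffmpeg_float starts outside these hunks and parts of its body lie between them.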
From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:57 +0000 Subject: [PATCH 033/606] doc/html: fix styling issue with Texinfo 7.0 Texinfo 7.0 produces quite different HTML to Texinfo 6.8. Without this change, enumerated option flags (i.e. Possible values of x are...) render as white text on a white background with Texinfo 7.0 and are unreadable. This change removes a style for the selector `.table .table` which causes the background to turn white for these elements. As far as I can tell, it is not actually used anywhere in files generated by Texinfo 6.8. Signed-off-by: Frank Plowman (cherry picked from commit f16900bda23414caf9ec3f9dc50db7d4caf59a8b) Signed-off-by: Michael Niedermayer --- doc/bootstrap.min.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/bootstrap.min.css b/doc/bootstrap.min.css index 6f68017d58..45bf263d6e 100644 --- a/doc/bootstrap.min.css +++ b/doc/bootstrap.min.css 
@@ -2,4 +2,4 @@ * Bootstrap v3.2.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} + *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} From 422ce1f21abd0e7cf1b0f7dd11a75ec2b1322530 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:37:11 +0100 Subject: [PATCH 034/606] avformat/mov: Disallow FTYP after streams Fixes: Assertion !c->fc->nb_streams failed at libavformat/mov.c:7799 Fixes: 63875/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5479178702815232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19fcf4313148e86aa47d81a8d5d5e8d056f1f906) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e8efccf6eb..34ca8095c2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1222,6 +1222,8 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; + if (c->fc->nb_streams) + return AVERROR_INVALIDDATA; if (strcmp(type, "qt ")) c->isom = 1; From d57ea70234fc8b913b1822632d7537f0ad813582 Mon Sep 17 00:00:00 2001 
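Review bot: The new `if (c->fc->nb_streams)` branch in mov_read_ftyp() (libavformat/mov.c) returns AVERROR_INVALIDDATA without logging anything, so a file refused here gives no hint that a late or repeated ftyp atom was the cause; the same holds for the early returns added to libavcodec/4xm.c and libavcodec/evc_parse.c in the following patches. I would brace the branch and put `av_log(c->fc, AV_LOG_ERROR, "ftyp atom found after streams were created\n");` before the return. Whether otherwise playable files carry a second ftyp is not visible from this hunk; if they do, ignoring the duplicate would be a gentler policy than failing the whole demux. mov_read_ftyp() starts before the hunk and continues past it.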
From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:44:07 +0100 Subject: [PATCH 035/606] avcodec/4xm: Check for cfrm exhaustion Fixes: index -1 out of bounds for type 'CFrameBuffer [100]' Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bb0a684d93f793457f7bff3940a1398eb9e91703) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index c3e3a45df5..fde40fe104 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -887,6 +887,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture, } if (i >= CFRAME_BUFFER_COUNT) { + if (free_index < 0) + return AVERROR_INVALIDDATA; i = free_index; f->cfrm[i].id = id; } From 56b50b945bccb66368088151924cd635782cdad1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Oct 2023 00:59:19 +0200 Subject: [PATCH 036/606] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1 Fixes: out of array access Fixes: 62467/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: "Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics" Signed-off-by: Michael Niedermayer (cherry picked from commit ac4e3e188af8bf6f0c4a808a24f6ff0daba78248) Signed-off-by: Michael Niedermayer --- libavcodec/evc_parse.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index 43b8dabf8b..cc9aa106fb 100644 --- a/libavcodec/evc_parse.c +++ b/libavcodec/evc_parse.c 
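Review bot: The added `if (free_index < 0)` guard in decode_frame() (libavcodec/4xm.c) depends on free_index still holding a negative sentinel when no slot is free, and nothing at the check says so; its initialisation and the loop that assigns it lie outside the hunk. A one-line comment above the check would record the invariant, for example `/* every cfrm slot is in use: fail instead of indexing cfrm[-1] */`. The commit message shows fuzzed input reaching index -1 at this spot, so the invariant is what keeps crafted streams from writing outside the cfrm array and is worth stating where the next editor will see it.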
@@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, EVCParserSliceHeader *sh, if (!sh->arbitrary_slice_flag) sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1); else { - sh->num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb); - num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1 + 2; + unsigned num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb); + if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS * EVC_MAX_TILE_COLUMNS - 2) + return AVERROR_INVALIDDATA; + + num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2; + sh->num_remaining_tiles_in_slice_minus1 = num_remaining_tiles_in_slice_minus1; for (int i = 0; i < num_tiles_in_slice - 1; ++i) sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb); } From e1bbae68fcbcb72dcecaa883f9f036fed007ebc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Nov 2023 02:04:25 +0100 Subject: [PATCH 037/606] doc/APIchanges: Fill in missing values Signed-off-by: Michael Niedermayer --- doc/APIchanges | 90 +++++++++++++++++++++++++------------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 438a43e057..444c3893fc 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
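Review bot: The limit `EVC_MAX_TILE_ROWS * EVC_MAX_TILE_COLUMNS - 2` in ff_evc_parse_slice_header() is only correct if sh->delta_tile_id_minus1[] has at least EVC_MAX_TILE_ROWS * EVC_MAX_TILE_COLUMNS - 1 entries, because the loop below writes num_remaining_tiles_in_slice_minus1 + 1 of them; the array's declaration is outside the hunk, so that link is unstated. A comment such as `/* loop below fills minus1 + 1 entries of delta_tile_id_minus1[] */`, or, if the member is a fixed-size array, a bound written with `FF_ARRAY_ELEMS(sh->delta_tile_id_minus1)`, would keep the check and the array size from drifting apart. The delta_tile_id_minus1 values themselves are still stored exactly as get_ue_golomb_long() returns them; whether a later user range-checks them cannot be told from here. The function starts before the hunk and continues after it.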
@@ -4,174 +4,174 @@ API changes, most recent first: -------- 8< --------- FFmpeg 6.1 was cut here -------- 8< --------- -2023-10-27 - xxxxxxxxxx - lavu 58.28.100 - channel_layout.h +2023-10-27 - 52a97642604 - lavu 58.28.100 - channel_layout.h Add AV_CH_LAYOUT_3POINT1POINT2 and AV_CHANNEL_LAYOUT_3POINT1POINT2. Add AV_CH_LAYOUT_5POINT1POINT2_BACK and AV_CHANNEL_LAYOUT_5POINT1POINT2_BACK. Add AV_CH_LAYOUT_5POINT1POINT4_BACK and AV_CHANNEL_LAYOUT_5POINT1POINT4_BACK. Add AV_CH_LAYOUT_7POINT1POINT2 and AV_CHANNEL_LAYOUT_7POINT1POINT2. Add AV_CH_LAYOUT_7POINT1POINT4_BACK and AV_CHANNEL_LAYOUT_7POINT1POINT4_BACK. -2023-10-06 - xxxxxxxxxx - lavc 60.30.101 - avcodec.h +2023-10-06 - 804be7f9e3c - lavc 60.30.101 - avcodec.h AVCodecContext.coded_side_data may now be used during decoding, to be set by user before calling avcodec_open2() for initialization. -2023-10-06 - xxxxxxxxxx - lavc 60.15.100 - avformat.h +2023-10-06 - 5432d2aacad - lavc 60.15.100 - avformat.h Deprecate AVFormatContext.{nb_,}side_data, av_stream_add_side_data(), av_stream_new_side_data(), and av_stream_get_side_data(). Side data fields from AVFormatContext.codecpar should be used from now on. -2023-10-06 - xxxxxxxxxx - lavc 60.30.100 - codec_par.h +2023-10-06 - 21d7cc6fa9a - lavc 60.30.100 - codec_par.h Added {nb_,}coded_side_data to AVCodecParameters. The AVCodecParameters helpers will copy it to and from its AVCodecContext namesake. -2023-10-06 - xxxxxxxxxx - lavc 60.29.100 - packet.h +2023-10-06 - 74279227dd2 - lavc 60.29.100 - packet.h Added av_packet_side_data_new(), av_packet_side_data_add(), av_packet_side_data_get(), av_packet_side_data_remove, and av_packet_side_data_free(). -2023-10-03 - xxxxxxxxxx - lavc 60.28.100 - codec_par.h defs.h +2023-10-03 - ea14e8bc302 - lavc 60.28.100 - codec_par.h defs.h Move the definition of enum AVFieldOrder from codec_par.h to defs.h. 
-2023-10-03 - xxxxxxxxxx - lavf 60.14.100 - avformat.h +2023-10-03 - dd48e49d547 - lavf 60.14.100 - avformat.h Deprecate AVFMT_ALLOW_FLUSH without replacement. Users can always flush any muxer by sending a NULL packet. -2023-09-28 - xxxxxxxxxx - lavu 58.27.100 - pixfmt.h +2023-09-28 - 8e1ef7c38f6 - lavu 58.27.100 - pixfmt.h Add AV_PIX_FMT_GBRAP14BE, AV_PIX_FMT_GBRAP14LE pixel formats. -2023-09-28 - xxxxxxxxxx - lavu 58.26.100 - hwcontext_cuda.h +2023-09-28 - 05f8b2ca0f7 - lavu 58.26.100 - hwcontext_cuda.h Add AV_CUDA_USE_CURRENT_CONTEXT. -2023-09-19 - xxxxxxxxxx - lavu 58.25.100 - avutil.h +2023-09-19 - ba9cd06c763 - lavu 58.25.100 - avutil.h Make AV_TIME_BASE_Q compatible with C++. -2023-09-xx - xxxxxxxxxx - lavf 60 - avformat.h +2023-09-18 - 85e075587dc - lavf 60 - avformat.h Deprecate AVFMT_FLAG_SHORTEST without replacement. -2023-09-07 - xxxxxxxxxx - lavu 58.24.100 - imgutils.h +2023-09-07 - 423b6a7e493 - lavu 58.24.100 - imgutils.h Add av_image_copy2(), a wrapper around the av_image_copy() to overcome limitations of automatic conversions. -2023-09-07 - xxxxxxxxxx - lavu 58.23.100 - fifo.h +2023-09-07 - 5094d1f429e - lavu 58.23.100 - fifo.h Constify the AVFifo pointees in av_fifo_peek() and av_fifo_peek_to_cb(). -2023-09-07 - xxxxxxxxxx - lavu 58.22.100 - audio_fifo.h +2023-09-07 - fa4bf5793a0 - lavu 58.22.100 - audio_fifo.h Constify some pointees in av_audio_fifo_write(), av_audio_fifo_read(), av_audio_fifo_peek() and av_audio_fifo_peek_at(). -2023-09-07 - xxxxxxxxxx - lavu 58.21.100 - samplefmt.h +2023-09-07 - 9bf31f60960 - lavu 58.21.100 - samplefmt.h Constify some pointees in av_samples_copy() and av_samples_set_silence(). -2023-09-07 - xxxxxxxxxx - lavu 58.20.100 - imgutils.h +2023-09-07 - 41285890e03 - lavu 58.20.100 - imgutils.h Constify some pointees in av_image_copy(), av_image_copy_uc_from() and av_image_fill_black(). 
-2023-09-07 - xxxxxxxxxx - lavf 60.12.100 - avio.h +2023-09-07 - 2a68d945cd7 - lavf 60.12.100 - avio.h Constify the buffer pointees in the write_packet and write_data_type callbacks of AVIOContext on the next major bump. -2023-09-07 - xxxxxxxxxx - lavc 60.26.100 - defs.h +2023-09-07 - 8238bc0b5e3 - lavc 60.26.100 - defs.h Add AV_PROFILE_* and AV_LEVEL_* replacements in defs.h for the defines from avcodec.h. The latter are deprecated. -2023-09-06 - xxxxxxxxxx - lavc 60.25.101 - avcodec.h +2023-09-06 - b6627a57f41 - lavc 60.25.101 - avcodec.h AVCodecContext.rc_buffer_size may now be set by decoders. -2023-09-02 - xxxxxxxxxx - lavu 58.19.100 - executor.h +2023-09-02 - 25ecc94d58f - lavu 58.19.100 - executor.h Add AVExecutor API -2023-09-xx - xxxxxxxxxx - lavc 60.25.100 - avfft.h +2023-09-01 - 139e54911c8 - lavc 60.25.100 - avfft.h The entire header will be deprecated and removed in two major bumps. For a replacement to av_dct, av_rdft, av_fft and av_mdct, use the new API from libavutil/tx.h. -2023-07-xx - xxxxxxxxxx - lavu 58.18.100 - tx.h +2023-09-01 - 11e22730e1e - lavu 58.18.100 - tx.h Add AV_TX_REAL_TO_REAL and AV_TX_REAL_TO_IMAGINARY -2023-08-18 - xxxxxxxxxx - lavu 58.17.100 - channel_layout.h +2023-08-18 - ff094f5ebbd - lavu 58.17.100 - channel_layout.h All AV_CHANNEL_LAYOUT_* macros are now compatible with C++ 17 and older. -2023-08-08 - xxxxxxxxxx - lavu 58.15.100 - video_hint.h +2023-08-08 - 5012b4ab4ca - lavu 58.15.100 - video_hint.h Add AVVideoHint API. -2023-07-xx - xxxxxxxxxx - lavc 60 - avcodec.h +2023-08-08 - 5012b4ab4ca - lavc 60 - avcodec.h Deprecate AV_CODEC_FLAG_DROPCHANGED without replacement. -2023-07-05 - xxxxxxxxxx - lavu 58.14.100 - random_seed.h +2023-07-05 - d694c25b44c - lavu 58.14.100 - random_seed.h Add av_random_bytes() -2023-05-29 - xxxxxxxxxx - lavc 60.16.100 - avcodec.h codec_id.h +2023-05-29 - 637afea88ed - lavc 60.16.100 - avcodec.h codec_id.h Add AV_CODEC_ID_EVC, FF_PROFILE_EVC_BASELINE, and FF_PROFILE_EVC_MAIN. 
-2023-05-29 - xxxxxxxxxx - lavu 58.12.100 - mathematics.h +2023-05-29 - 75918016ab1 - lavu 58.12.100 - mathematics.h Add av_bessel_i0() -2023-05-xx - xxxxxxxxxx - lavc 60.15.100 - avcodec.h +2023-05-29 - f3795e18574 - lavc 60.15.100 - avcodec.h Add AVHWAccel.update_thread_context, AVHWAccel.free_frame_priv, AVHWAccel.flush. -2023-05-xx - xxxxxxxxxx - lavu 58.11.100 - hwcontext_vulkan.h +2023-05-29 - db1d0227812 - lavu 58.11.100 - hwcontext_vulkan.h Add AVVulkanDeviceContext.lock_queue, AVVulkanDeviceContext.unlock_queue, AVVulkanFramesContext.format, AVVulkanFramesContext.lock_frame, AVVulkanFramesContext.unlock_frame, AVVkFrame.queue_family. Deprecate AV_VK_FRAME_FLAG_CONTIGUOUS_MEMORY (use multiplane images instead). -2023-05-xx - xxxxxxxxxx - lavu 58.10.100 - pixfmt.h +2023-05-29 - bef86ba86cc - lavu 58.10.100 - pixfmt.h Add AV_PIX_FMT_P212BE, AV_PIX_FMT_P212LE, AV_PIX_FMT_P412BE, AV_PIX_FMT_P412LE. -2023-05-xx - xxxxxxxxxx - lavu 58.8.100 - frame.h +2023-05-18 - 01d444c077e - lavu 58.8.100 - frame.h Add av_frame_replace(). -2023-05-xx - xxxxxxxxxx - lavu 58 - frame.h +2023-05-18 - 63767b79a57 - lavu 58 - frame.h Deprecate AVFrame.palette_has_changed without replacement. -2023-05-xx - xxxxxxxxxx - lavc 60 - avcodec.h +2023-05-15 - 7d1d61cc5f5 - lavc 60 - avcodec.h Depreate AVCodecContext.ticks_per_frame in favor of AVCodecContext.framerate (encoding) and AV_CODEC_PROP_FIELDS (decoding). -2023-05-xx - xxxxxxxxxx - lavc 60.12.100 - codec_desc.h +2023-05-15 - 70433abf7fb - lavc 60.12.100 - codec_desc.h Add AV_CODEC_PROP_FIELDS. -2023-05-xx - xxxxxxxxxx - lavc 60 - codec.h +2023-05-15 - 8b20d0dcb5c - lavc 60 - codec.h Depreate AV_CODEC_CAP_SUBFRAMES without replacement. -2023-05-xx - xxxxxxxxxx - lavc 60.11.100 - codec_par.h +2023-05-07 - c2ae8e30b7f - lavc 60.11.100 - codec_par.h Add AVCodecParameters.framerate. 
-2023-05-04 - xxxxxxxxxx - lavu 58.7.100 - frame.h +2023-05-04 - 0fc9c1f6828 - lavu 58.7.100 - frame.h Deprecate AVFrame.interlaced_frame, AVFrame.top_field_first, and AVFrame.key_frame. Add AV_FRAME_FLAG_INTERLACED, AV_FRAME_FLAG_TOP_FIELD_FIRST, and AV_FRAME_FLAG_KEY flags as replacement. -2023-04-10 - xxxxxxxxxx - lavu 58.6.100 - frame.h +2023-04-10 - 4eaaa38d3df - lavu 58.6.100 - frame.h av_frame_get_plane_buffer() now accepts const AVFrame*. -2023-04-04 - xxxxxxxxxx - lavu 58.6.100 - hdr_dynamic_metadata.h +2023-04-04 - 61b27b15fc9 - lavu 58.6.100 - hdr_dynamic_metadata.h Add AV_HDR_PLUS_MAX_PAYLOAD_SIZE. av_dynamic_hdr_plus_create_side_data() now accepts a user provided buffer. -2023-03-xx - xxxxxxxxxx - lavfi 9.5.100 - avfilter.h +2023-03-24 - 632c3499319 - lavfi 9.5.100 - avfilter.h Add AVFILTER_FLAG_HWDEVICE. -2023-03-21 - xxxxxxxxxx - lavu 58.5.100 - hdr_dynamic_metadata.h +2023-03-21 - 0a3ce5f7384 - lavu 58.5.100 - hdr_dynamic_metadata.h Add av_dynamic_hdr_plus_from_t35() and av_dynamic_hdr_plus_to_t35() functions to convert between raw T.35 payloads containing dynamic HDR10+ metadata and their parsed representations as AVDynamicHDRPlus. -2023-03-17 - xxxxxxxxxx - lavu 58.4.100 - hdr_dynamic_vivid_metadata.h +2023-03-17 - 3be46ee7672 - lavu 58.4.100 - hdr_dynamic_vivid_metadata.h Add two group of three spline params. Deprecate previous define which only supports one group of params. -2023-03-02 - xxxxxxxxxx - lavc 60.6.100 - avcodec.h +2023-03-02 - 373ef1c4fae - lavc 60.6.100 - avcodec.h Add FF_PROFILE_EAC3_DDP_ATMOS, FF_PROFILE_TRUEHD_ATMOS, FF_PROFILE_DTS_HD_MA_X and FF_PROFILE_DTS_HD_MA_X_IMAX. -2023-02-25 - xxxxxxxxxx - lavc 60.5.100 - avcodec.h +2023-02-25 - f4593775436 - lavc 60.5.100 - avcodec.h Add FF_PROFILE_HEVC_SCC. -------- 8< --------- FFmpeg 6.0 was cut here -------- 8< --------- From b8eefd006152d7cba3c414429e3c7f922d139e8e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 10 Nov 2023 02:18:55 +0100 Subject: [PATCH 038/606] Update for 6.1 --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 238679db50..a435f5a56f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.git +6.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 572c532da5..afb4a97d9d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 6.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 61df86efdd5e5437345e080e646476a12c71b855 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:36:21 +0100 Subject: [PATCH 039/606] RELEASE_NOTES: Based on the version from 5.1 Name taken to match the suggested news posted by lynne Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..dd4cae472d --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌──────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 6.1 "Heaviside" │ + └──────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 6.1 "Heaviside", about 8 + months after the release of FFmpeg 6.0. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask + on the mailing-lists. 
From d4ff0020b40b524a490cf62eccbd3a318f4c0e58 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 29 Oct 2023 10:38:56 -0300 Subject: [PATCH 040/606] avutil/video_enc_params: fix doxy for av_video_enc_params_block() Reviewed-by: Anton Khirnov Signed-off-by: James Almer (cherry picked from commit 4cba3e0f0710460ba9116781625c007598490bc7) --- libavutil/video_enc_params.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/video_enc_params.h b/libavutil/video_enc_params.h index fc0c3bc1a5..62265a5c06 100644 --- a/libavutil/video_enc_params.h +++ b/libavutil/video_enc_params.h @@ -136,8 +136,8 @@ typedef struct AVVideoBlockParams { int32_t delta_qp; } AVVideoBlockParams; -/* - * Get the block at the specified {@code idx}. Must be between 0 and nb_blocks. +/** + * Get the block at the specified {@code idx}. Must be between 0 and nb_blocks - 1. */ static av_always_inline AVVideoBlockParams* av_video_enc_params_block(AVVideoEncParams *par, unsigned int idx) From af912d80d8880797bef9f2ba9809ecd84ed9acd9 Mon Sep 17 00:00:00 2001 From: Sebastian Ramacher Date: Sun, 12 Nov 2023 18:46:27 +0100 Subject: [PATCH 041/606] avcodec/fft: Use av_mallocz to avoid invalid free/uninit Signed-off-by: James Almer (cherry picked from commit a562cfee2e214252f8b3f516527272ae32ef9532) --- libavcodec/avfft.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/avfft.c b/libavcodec/avfft.c index fb635abfff..3ef076d222 100644 --- a/libavcodec/avfft.c +++ b/libavcodec/avfft.c @@ -46,7 +46,7 @@ FFTContext *av_fft_init(int nbits, int inverse) { int ret; float scale = 1.0f; - AVTXWrapper *s = av_malloc(sizeof(*s)); + AVTXWrapper *s = av_mallocz(sizeof(*s)); if (!s) return NULL; @@ -85,7 +85,7 @@ FFTContext *av_mdct_init(int nbits, int inverse, double scale) { int ret; float scale_f = scale; - AVTXWrapper *s = av_malloc(sizeof(*s)); + AVTXWrapper *s = av_mallocz(sizeof(*s)); if (!s) return NULL; 
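Review bot: The switch to `av_mallocz(sizeof(*s))` in av_fft_init has no comment saying why the wrapper must be zeroed, and the same applies to av_mdct_init in the next hunk and to av_rdft_init and av_dct_init in the two hunks after that. Judging by the commit subject, the failure paths (outside these hunks) presumably free or uninit wrapper members that may not have been set yet, which is safe only if they start out NULL. A comment at the allocation would stop a later cleanup from reverting it to av_malloc: `/* zeroed: the error path may uninit members that were never created */`.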
@@ -146,7 +146,7 @@ RDFTContext *av_rdft_init(int nbits, enum RDFTransformType trans) if (trans != IDFT_C2R && trans != DFT_R2C) return NULL; - s = av_malloc(sizeof(*s)); + s = av_mallocz(sizeof(*s)); if (!s) return NULL; @@ -199,7 +199,7 @@ DCTContext *av_dct_init(int nbits, enum DCTTransformType inverse) [DST_I] = AV_TX_FLOAT_DST_I, }; - AVTXWrapper *s = av_malloc(sizeof(*s)); + AVTXWrapper *s = av_mallocz(sizeof(*s)); if (!s) return NULL; From c7fe7ee8d4dcae510453abedabae53e45135144a Mon Sep 17 00:00:00 2001 From: Sebastian Ramacher Date: Sun, 12 Nov 2023 18:46:28 +0100 Subject: [PATCH 042/606] avcoded/fft: Fix memory leak if ctx2 is used Signed-off-by: James Almer (cherry picked from commit 250471ea1745fc703eb346a2a662304536a311b1) --- libavcodec/avfft.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avfft.c b/libavcodec/avfft.c index 3ef076d222..999b5ed79a 100644 --- a/libavcodec/avfft.c +++ b/libavcodec/avfft.c @@ -130,6 +130,7 @@ av_cold void av_mdct_end(FFTContext *s) { if (s) { AVTXWrapper *w = (AVTXWrapper *)s; + av_tx_uninit(&w->ctx2); av_tx_uninit(&w->ctx); av_free(w); } From 466799d4f570db5ed3e70239c12c96a2dc3bfc06 Mon Sep 17 00:00:00 2001 From: Dmitry Rogozhkin Date: Mon, 20 Nov 2023 21:57:32 -0800 Subject: [PATCH 043/606] avcodec/decode: validate hw_frames_ctx when AVHWAccel.free_frame_priv is used Validate that a hw_frames_ctx is available before using it for the AVHWAccel.free_frame_priv callback, and don't require it to be present when the callback is not in use by the HWAccel. v2: check for free_frame_priv (Hendrik) v3: return EINVAL (Christoph Reiter) v4: better commit message (Hendrik) v5: fix typo with missed frames_ctx (Lynne) See[1]: https://github.com/msys2/MINGW-packages/pull/19050 Fixes: be07145109 ("avcodec: add AVHWAccel.free_frame_priv callback") CC: Lynne CC: Christoph Reiter 
Signed-off-by: Dmitry Rogozhkin (cherry picked from commit e9c93009fc34ca9dfcf0c6f2ed90ef1df298abf7) --- libavcodec/decode.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/decode.c b/libavcodec/decode.c index ad39021354..2cfb3fcf97 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c @@ -1838,17 +1838,26 @@ int ff_copy_palette(void *dst, const AVPacket *src, void *logctx) int ff_hwaccel_frame_priv_alloc(AVCodecContext *avctx, void **hwaccel_picture_private) { const FFHWAccel *hwaccel = ffhwaccel(avctx->hwaccel); - AVHWFramesContext *frames_ctx; if (!hwaccel || !hwaccel->frame_priv_data_size) return 0; av_assert0(!*hwaccel_picture_private); - frames_ctx = (AVHWFramesContext *)avctx->hw_frames_ctx->data; - *hwaccel_picture_private = ff_refstruct_alloc_ext(hwaccel->frame_priv_data_size, 0, - frames_ctx->device_ctx, - hwaccel->free_frame_priv); + if (hwaccel->free_frame_priv) { + AVHWFramesContext *frames_ctx; + + if (!avctx->hw_frames_ctx) + return AVERROR(EINVAL); + + frames_ctx = (AVHWFramesContext *) avctx->hw_frames_ctx->data; + *hwaccel_picture_private = ff_refstruct_alloc_ext(hwaccel->frame_priv_data_size, 0, + frames_ctx->device_ctx, + hwaccel->free_frame_priv); + } else { + *hwaccel_picture_private = ff_refstruct_allocz(hwaccel->frame_priv_data_size); + } + if (!*hwaccel_picture_private) return AVERROR(ENOMEM); From 111035ccae52b448ccee889546a54594cd3fca5e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 30 Nov 2023 11:21:24 +0100 Subject: [PATCH 044/606] lavc/dvdsubenc: only check canvas size when it is actually set Fixes #10650 (cherry picked from commit 5230257ea18e1d3761ee6b0549d56a3ca817f301) Signed-off-by: Anton Khirnov --- libavcodec/dvdsubenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsubenc.c b/libavcodec/dvdsubenc.c index d272b57675..06c2cf5e5a 100644 --- a/libavcodec/dvdsubenc.c +++ b/libavcodec/dvdsubenc.c 
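Review bot: The new `!avctx->hw_frames_ctx` rejection in ff_hwaccel_frame_priv_alloc returns AVERROR(EINVAL) silently, although it signals a caller setup problem rather than bad input. A message would make the cause visible, e.g. `av_log(avctx, AV_LOG_ERROR, "hw_frames_ctx is required by this hwaccel\n");`. It would also help to note why the frames context is needed only in this branch: `/* device_ctx is handed to free_frame_priv as its opaque */`. The function continues past the ENOMEM check, outside the hunk.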
@@ -376,7 +376,8 @@ static int encode_dvd_subtitles(AVCodecContext *avctx, x2 = vrect.x + vrect.w - 1; y2 = vrect.y + vrect.h - 1; - if (x2 > avctx->width || y2 > avctx->height) { + if ((avctx->width > 0 && x2 > avctx->width) || + (avctx->height > 0 && y2 > avctx->height)) { av_log(avctx, AV_LOG_ERROR, "canvas_size(%d:%d) is too small(%d:%d) for render\n", avctx->width, avctx->height, x2, y2); ret = AVERROR(EINVAL); From 2c87aa0b231954d32909c0df48cb27ff89fd4506 Mon Sep 17 00:00:00 2001 From: Lynne Date: Sun, 3 Dec 2023 21:02:13 +0100 Subject: [PATCH 045/606] lavc/Makefile: build vulkan decode code if vulkan_av1 has been enabled Forgotten. Reviewed-by: Neal Gompa Tested-by: Neal Gompa (cherry picked from commit 8c117b75afa3c6b824fab85ec6716dbe3ba975be) --- libavcodec/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 580a8d6b54..ec57e53e30 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -993,7 +993,7 @@ OBJS-$(CONFIG_AV1_DXVA2_HWACCEL) += dxva2_av1.o OBJS-$(CONFIG_AV1_NVDEC_HWACCEL) += nvdec_av1.o OBJS-$(CONFIG_AV1_VAAPI_HWACCEL) += vaapi_av1.o OBJS-$(CONFIG_AV1_VDPAU_HWACCEL) += vdpau_av1.o -OBJS-$(CONFIG_AV1_VULKAN_HWACCEL) += vulkan_av1.o +OBJS-$(CONFIG_AV1_VULKAN_HWACCEL) += vulkan_decode.o vulkan_av1.o OBJS-$(CONFIG_H263_VAAPI_HWACCEL) += vaapi_mpeg4.o OBJS-$(CONFIG_H263_VIDEOTOOLBOX_HWACCEL) += videotoolbox.o OBJS-$(CONFIG_H264_D3D11VA_HWACCEL) += dxva2_h264.o From 884a660cae23769d92d533cc1b6232d3cdfbae43 Mon Sep 17 00:00:00 2001 
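Review bot: x2 and y2 are inclusive coordinates (`vrect.x + vrect.w - 1`), yet the rewritten condition still compares them with `>` against avctx->width and avctx->height. A rectangle whose last column equals the width is therefore accepted even though, if the canvas covers columns 0 to width - 1, it lies one pixel outside. If that is not intended, the tests inside the new `> 0` guards should be `x2 >= avctx->width` and `y2 >= avctx->height`. The comparison predates this commit and may be deliberate, in which case a comment stating the convention would settle it. encode_dvd_subtitles starts and ends outside the hunk.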
From: Benjamin Cheng Date: Fri, 22 Sep 2023 12:49:22 -0400 Subject: [PATCH 046/606] hwcontext_vulkan: guard unistd.h include win32 typically doesn't have unistd.h, so always including it will break MSVC builds. The usage of those POSIX functions are already guarded by _WIN32, so use that to guard unistd.h include as well. (cherry picked from commit 185871fdd39762295973c1f3db1459e04121317c) --- libavutil/hwcontext_vulkan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 506a218a42..d288fb7ac7 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c @@ -27,10 +27,10 @@ #include "compat/w32dlfcn.h" #else #include +#include #endif #include "thread.h" -#include #include "config.h" #include "pixdesc.h" From a888d21c8cfb3b770944afffe287a5e9604597fa Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Tue, 5 Dec 2023 09:40:52 +0000 Subject: [PATCH 047/606] libavformat/vvc: Make probe more conservative MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reduce false positives for VVC files by adding additional checks in `vvc_probe`. Specifically, `nuh_temporal_id_plus1` is tested for valid values in extra cases depending on the NAL unit type, as per ITU-T H.266 section 7.4.2.2. Resolves trac #10703. Signed-off-by: Frank Plowman Signed-off-by: Zhao Zhili (cherry picked from commit 7d7ba2175c9e139b594b3cdf686c29bc116154a8) --- libavformat/vvcdec.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libavformat/vvcdec.c b/libavformat/vvcdec.c index 31c5ae1f14..0a0e24b71c 100644 --- a/libavformat/vvcdec.c +++ b/libavformat/vvcdec.c 
@@ -24,6 +24,22 @@ #include "avformat.h" #include "rawdec.h" +static int check_temporal_id(uint8_t nuh_temporal_id_plus1, int type) +{ + if (nuh_temporal_id_plus1 == 0) + return 0; + + if (nuh_temporal_id_plus1 != 1) { + if (type >= VVC_IDR_W_RADL && type <= VVC_RSV_IRAP_11 + || type == VVC_DCI_NUT || type == VVC_OPI_NUT + || type == VVC_VPS_NUT || type == VVC_SPS_NUT + || type == VVC_EOS_NUT || type == VVC_EOB_NUT) + return 0; + } + + return 1; +} + static int vvc_probe(const AVProbeData *p) { uint32_t code = -1; @@ -39,7 +55,7 @@ static int vvc_probe(const AVProbeData *p) if (code & 0x80) // forbidden_zero_bit return 0; - if ((nal2 & 0x7) == 0) // nuh_temporal_id_plus1 + if (!check_temporal_id(nal2 & 0x7, type)) return 0; switch (type) { From 1a3ec3f2f8b2b7588cb81e1aa01b15d5d1725f20 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 22 Dec 2023 21:50:44 -0500 Subject: [PATCH 048/606] avcodec/jpegxl_parser: check ANS cluster alphabet size vs bundle size The specification doesn't mention that clusters cannot have alphabet sizes greater than 1 << bundle->log_alphabet_size, but the reference implementation rejects these entropy streams as invalid, so we should too. Refusing to do so can overflow a stack variable that should be large enough otherwise. Fixes #10738. Found-by: Zeng Yunxiang and Li Zeyuan Signed-off-by: Leo Izen --- libavcodec/jpegxl_parser.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 630fc8a60b..4e4d27c3c8 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c 
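Review bot: In check_temporal_id the condition mixes `&&` and `||` without grouping, starting `type >= VVC_IDR_W_RADL && type <= VVC_RSV_IRAP_11 || type == VVC_DCI_NUT`. Operator precedence gives the intended result, but -Wparentheses flags it, and the range test reads more safely as `(type >= VVC_IDR_W_RADL && type <= VVC_RSV_IRAP_11)`. The helper also has no comment giving its return convention, which matters because vvc_probe negates the result in the second hunk. Something like `/* Returns 1 if nuh_temporal_id_plus1 is allowed for this NAL unit type (H.266 7.4.2.2), 0 otherwise. */` would do.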
@@ -384,11 +384,11 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist, uint32_t total_count = 0; uint8_t logcounts[258] = { 0 }; uint8_t same[258] = { 0 }; + const int table_size = 1 << log_alphabet_size; dist->uniq_pos = -1; if (get_bits1(gb)) { /* simple code */ - dist->alphabet_size = 256; if (get_bits1(gb)) { uint8_t v1 = jxl_u8(gb); uint8_t v2 = jxl_u8(gb); @@ -398,17 +398,24 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist, dist->freq[v2] = (1 << 12) - dist->freq[v1]; if (!dist->freq[v1]) dist->uniq_pos = v2; + dist->alphabet_size = 1 + FFMAX(v1, v2); } else { uint8_t x = jxl_u8(gb); dist->freq[x] = 1 << 12; dist->uniq_pos = x; + dist->alphabet_size = 1 + x; } + if (dist->alphabet_size > table_size) + return AVERROR_INVALIDDATA; + return 0; } if (get_bits1(gb)) { /* flat code */ dist->alphabet_size = jxl_u8(gb) + 1; + if (dist->alphabet_size > table_size) + return AVERROR_INVALIDDATA; for (int i = 0; i < dist->alphabet_size; i++) dist->freq[i] = (1 << 12) / dist->alphabet_size; for (int i = 0; i < (1 << 12) % dist->alphabet_size; i++) @@ -426,6 +433,9 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist, return AVERROR_INVALIDDATA; dist->alphabet_size = jxl_u8(gb) + 3; + if (dist->alphabet_size > table_size) + return AVERROR_INVALIDDATA; + for (int i = 0; i < dist->alphabet_size; i++) { logcounts[i] = get_vlc2(gb, dist_prefix_table, 7, 1); if (logcounts[i] == 13) { From d596225a57f1d49f3f1931a073de6e548b9440d9 Mon Sep 17 00:00:00 2001 From: Haihao Xiang Date: Mon, 27 Nov 2023 14:01:50 +0800 Subject: [PATCH 049/606] lavc/qsvdec: return 0 if more data is required The type of qsv decoders is FF_CODEC_CB_TYPE_DECODE which must not return AVERROR(EAGAIN). commit 42b20c9 added an assertion to check the returned value. 
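Review bot: In the simple-code branch of populate_distribution the new `dist->alphabet_size > table_size` test runs only after `dist->freq[v1]`, `dist->freq[v2]` (or `dist->freq[x]`) and `dist->uniq_pos` have been written, so a rejected stream leaves the distribution partly filled with out-of-range symbols. Whether that is harmless depends on the size of dist->freq and on callers discarding dist on error, neither of which is visible here. Checking before the stores removes the question, e.g. `if (FFMAX(v1, v2) >= table_size) return AVERROR_INVALIDDATA;` right after the two jxl_u8() reads, with the equivalent test for x. The flat and prefix branches in the later hunks already validate before their loops. `table_size = 1 << log_alphabet_size` also assumes a small log_alphabet_size, whose range is established outside the hunk.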
Signed-off-by: Haihao Xiang (cherry picked from commit e233f3e75fda8dd60a3dc5f55b7a4bd32b238b6a) --- libavcodec/qsvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/qsvdec.c b/libavcodec/qsvdec.c index da700f25e9..b501964089 100644 --- a/libavcodec/qsvdec.c +++ b/libavcodec/qsvdec.c @@ -1076,6 +1076,9 @@ static int qsv_decode_frame(AVCodecContext *avctx, AVFrame *frame, ret = qsv_process_data(avctx, &s->qsv, frame, got_frame, &s->buffer_pkt); if (ret < 0){ + if (ret == AVERROR(EAGAIN)) + ret = 0; + /* Drop buffer_pkt when failed to decode the packet. Otherwise, the decoder will keep decoding the failure packet. */ av_packet_unref(&s->buffer_pkt); From ca5ebfb066b1298c6b1f84b03185fb8463bc7884 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 22 Nov 2023 22:17:37 +0000 Subject: [PATCH 050/606] avformat/mov: Fix integer overflow in mov_read_packet(). Fixes https://crbug.com/1499669: runtime error: signed integer overflow: 9223372036853334272 + 1375731456 cannot be represented in type 'int64_t' (aka 'long') Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 2182173a6933c02b0853751034bd5e0bf829b5f7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 34ca8095c2..f7b5ec7a35 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -9006,7 +9006,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_DISCARD; } if (sc->ctts_data && sc->ctts_index < sc->ctts_count) { - pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration; + pkt->pts = av_sat_add64(pkt->dts, av_sat_add64(sc->dts_shift, sc->ctts_data[sc->ctts_index].duration)); /* update ctts context */ sc->ctts_sample++; if (sc->ctts_index < sc->ctts_count && From f946c6c2f0799c5b88e48d44e282e919a19f988a Mon Sep 17 00:00:00 2001 
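Review bot: After `ret` is reset to 0 for AVERROR(EAGAIN) in qsv_decode_frame, execution still reaches `av_packet_unref(&s->buffer_pkt)`, because the mapping sits inside the `ret < 0` block. The existing comment in that block describes the unref as dropping a packet that failed to decode. If EAGAIN here only means that more input is needed, please confirm that discarding buffer_pkt is intended in that case and extend the comment, for example `/* EAGAIN: more data needed, not an error for this decoder type; the packet is still released */`. What follows the unref is outside the hunk.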
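Review bot: av_sat_add64 removes the undefined overflow in mov_read_packet, but a clamped result is then stored in pkt->pts as if it were a real timestamp. Positive saturation yields INT64_MAX and negative saturation yields INT64_MIN, which has the same value as AV_NOPTS_VALUE, so neither can be told apart from valid data downstream. Consider detecting the clamp and setting pts to AV_NOPTS_VALUE with a warning. At the least, add a comment such as `/* saturating add: a clamped pts is bogus but avoids signed overflow on crafted ctts/dts values */`. The enclosing function extends beyond the hunk on both sides.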
From: Michael Niedermayer Date: Sat, 2 Dec 2023 00:26:03 +0100 Subject: [PATCH 051/606] avformat/mov: Ignore duplicate ftyp Fixes: switch_1080p_720p.mp4 Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 4cdf2c7f768015c74078544d153f243b6d9b9ac5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f7b5ec7a35..30cf7a15b0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1222,8 +1222,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; - if (c->fc->nb_streams) - return AVERROR_INVALIDDATA; + if (c->fc->nb_streams) { + if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n"); + return 0; + } if (strcmp(type, "qt ")) c->isom = 1; From d93b0009c449ce325eab47eb2958fc4380c9f382 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2023 02:36:41 +0100 Subject: [PATCH 052/606] avcodec/av1dec: Fix resolving zero divisor Fixes: Out of array read Fixes: global-buffer-overflow-AV1 Found-by: "Leonelli, Matteo" Tested-by: "Wang, Fei W" Reviewed-by: "Wang, Fei W" Signed-off-by: Michael Niedermayer (cherry picked from commit 22daf2148fc072f8f347af939f88b3af7896ab60) Signed-off-by: Michael Niedermayer --- libavcodec/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 6114cb78e6..4dcde234c6 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -177,7 +177,7 @@ static uint8_t get_shear_params_valid(AV1DecContext *s, int idx) int16_t alpha, beta, gamma, delta, divf, divs; int64_t v, w; int32_t *param = &s->cur_frame.gm_params[idx][0]; - if (param[2] < 0) + if (param[2] <= 0) return 0; alpha = av_clip_int16(param[2] - (1 << AV1_WARPEDMODEL_PREC_BITS)); 
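Review bot: The duplicate-ftyp branch in mov_read_ftyp keys on `c->fc->nb_streams` rather than on an ftyp having been seen, which is not obvious to a reader. A comment such as `/* an ftyp arriving after streams exist is treated as a duplicate */` would explain the proxy. The tolerated case is logged only at AV_LOG_DEBUG, so in a default run a file that the strict setting rejects is accepted with no trace; AV_LOG_WARNING may be the better level. The early `return 0` comes after ffio_read_size has consumed four bytes of the atom and relies on the caller skipping the rest, which is outside the hunk.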
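Review bot: The change from `<` to `<=` on param[2] in get_shear_params_valid has no comment tying it to the computation it protects. According to the commit message a zero value reaches the divisor resolution further down (outside the hunk) and ends in an out-of-array read. The reason belongs at the check itself, so the comparison is not "simplified" back later: `/* param[2] is resolved as a divisor below; zero or negative is invalid */`.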
From fde01699ebd9d3973cc6062e8d2bb9ee9aa813f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Sep 2023 01:27:14 +0200 Subject: [PATCH 053/606] tools/target_dec_fuzzer: Adjust threshold for VMIX Fixes: Timeout Fixes: 62286/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-5155237134204928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa1e7681203694c6e2b38e2a627ff90eb3524d37) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 27e7398089..62085cf080 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -298,6 +298,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_VC1IMAGE: maxpixels /= 8192; break; case AV_CODEC_ID_VMNC: maxpixels /= 8192; break; case AV_CODEC_ID_VMDVIDEO: maxpixels /= 1024; break; + case AV_CODEC_ID_VMIX: maxpixels /= 8192; break; case AV_CODEC_ID_VP3: maxpixels /= 4096; break; case AV_CODEC_ID_VP4: maxpixels /= 4096; break; case AV_CODEC_ID_VP5: maxpixels /= 256; break; From fb724ad64e2d36464f0c8cdc12125493bba9db01 Mon Sep 17 00:00:00 2001 From: Pierre-Anthony Lemieux Date: Sat, 12 Aug 2023 13:31:16 -0700 Subject: [PATCH 054/606] avcodec/jpeg2000htdec: check if block decoding will exceed internal precision MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Intended to replace https://patchwork.ffmpeg.org/project/ffmpeg/patch/20230802000135.26482-3-michael@niedermayer.cc/ with a more accurate block decoding magnitude bound. Fixes: 62433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5828618092937216 Fixes: 58299/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5828618092937216 Previous-version-reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer (cherry picked from commit a1384b4e869483cf69230f02ca31c892729bca08) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000htdec.c | 42 ++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/libavcodec/jpeg2000htdec.c b/libavcodec/jpeg2000htdec.c index 2c4cea5dd9..6b9898d3ff 100644 --- a/libavcodec/jpeg2000htdec.c +++ b/libavcodec/jpeg2000htdec.c @@ -567,11 +567,19 @@ static int jpeg2000_decode_ht_cleanup_segment(const Jpeg2000DecoderContext *s, uint64_t c; - uint8_t *sigma; - uint32_t *mu; + uint8_t *sigma, *sigma_n, *E; + uint32_t *mu, *mu_n; const uint8_t *vlc_buf = Dcup + Pcup; + /* + * Bound on the precision needed to process the codeblock. The number of + * decoded bit planes is equal to at most cblk->zbp + 2 since S_blk = P if + * there are no placeholder passes or HT Sets and P = cblk->zbp. See Rec. + * ITU-T T.814, 7.6. + */ + int maxbp = cblk->zbp + 2; + /* convert to raster-scan */ const uint16_t is_border_x = width % 2; const uint16_t is_border_y = height % 2; @@ -581,9 +589,13 @@ static int jpeg2000_decode_ht_cleanup_segment(const Jpeg2000DecoderContext *s, size_t buf_size = 4 * quad_width * quad_height; - uint8_t *sigma_n = av_calloc(buf_size, sizeof(uint8_t)); - uint8_t *E = av_calloc(buf_size, sizeof(uint8_t)); - uint32_t *mu_n = av_calloc(buf_size, sizeof(uint32_t)); + /* do we have enough precision, assuming a 32-bit decoding path */ + if (maxbp >= 32) + return AVERROR_INVALIDDATA; + + sigma_n = av_calloc(buf_size, sizeof(uint8_t)); + E = av_calloc(buf_size, sizeof(uint8_t)); + mu_n = av_calloc(buf_size, sizeof(uint32_t)); if (!sigma_n || !E || !mu_n) { ret = AVERROR(ENOMEM); 
@@ -676,6 +688,10 @@ static int jpeg2000_decode_ht_cleanup_segment(const Jpeg2000DecoderContext *s, } U[J2K_Q1] = kappa[J2K_Q1] + u[J2K_Q1]; U[J2K_Q2] = kappa[J2K_Q2] + u[J2K_Q2]; + if (U[J2K_Q1] > maxbp || U[J2K_Q2] > maxbp) { + ret = AVERROR_INVALIDDATA; + goto free; + } for (int i = 0; i < 4; i++) { m[J2K_Q1][i] = sigma_n[4 * q1 + i] * U[J2K_Q1] - ((emb_pat_k[J2K_Q1] >> i) & 1); @@ -713,6 +729,10 @@ static int jpeg2000_decode_ht_cleanup_segment(const Jpeg2000DecoderContext *s, } U[J2K_Q1] = kappa[J2K_Q1] + u[J2K_Q1]; + if (U[J2K_Q1] > maxbp) { + ret = AVERROR_INVALIDDATA; + goto free; + } for (int i = 0; i < 4; i++) m[J2K_Q1][i] = sigma_n[4 * q1 + i] * U[J2K_Q1] - ((emb_pat_k[J2K_Q1] >> i) & 1); @@ -842,6 +862,10 @@ static int jpeg2000_decode_ht_cleanup_segment(const Jpeg2000DecoderContext *s, U[J2K_Q1] = kappa[J2K_Q1] + u[J2K_Q1]; U[J2K_Q2] = kappa[J2K_Q2] + u[J2K_Q2]; + if (U[J2K_Q1] > maxbp || U[J2K_Q2] > maxbp) { + ret = AVERROR_INVALIDDATA; + goto free; + } for (int i = 0; i < 4; i++) { m[J2K_Q1][i] = sigma_n[4 * q1 + i] * U[J2K_Q1] - ((emb_pat_k[J2K_Q1] >> i) & 1); @@ -910,6 +934,10 @@ static int jpeg2000_decode_ht_cleanup_segment(const Jpeg2000DecoderContext *s, kappa[J2K_Q1] = FFMAX(1, gamma[J2K_Q1] * (max_e[J2K_Q1] - 1)); U[J2K_Q1] = kappa[J2K_Q1] + u[J2K_Q1]; + if (U[J2K_Q1] > maxbp) { + ret = AVERROR_INVALIDDATA; + goto free; + } for (int i = 0; i < 4; i++) m[J2K_Q1][i] = sigma_n[4 * q1 + i] * U[J2K_Q1] - ((emb_pat_k[J2K_Q1] >> i) & 1); @@ -1238,8 +1266,10 @@ ff_jpeg2000_decode_htj2k(const Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c } if ((ret = jpeg2000_decode_ht_cleanup_segment(s, cblk, t1, &mel_state, &mel, &vlc, &mag_sgn, Dcup, Lcup, Pcup, pLSB, width, - height, sample_buf, block_states)) < 0) + height, sample_buf, block_states)) < 0) { + av_log(s->avctx, AV_LOG_ERROR, "Bad HT cleanup segment\n"); goto free; + } if (cblk->npasses > 1) jpeg2000_decode_sigprop_segment(cblk, width, height, Dref, Lref, 
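Review bot: In ff_jpeg2000_decode_htj2k the added `av_log(s->avctx, AV_LOG_ERROR, "Bad HT cleanup segment\n")` fires for every negative return of jpeg2000_decode_ht_cleanup_segment, and the allocation hunk of this patch shows that function can also fail with `AVERROR(ENOMEM)`. An out-of-memory condition would then be reported as a malformed bitstream, which misleads anyone triaging a fuzzer or field report. Logging only for the data error, e.g. `if (ret == AVERROR_INVALIDDATA) av_log(s->avctx, AV_LOG_ERROR, "Bad HT cleanup segment\n");`, keeps the message accurate. The enclosing function starts and ends outside the hunk.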
From 0ecd15b83931c8aa4a71d73ac4edda734b2bd23a Mon Sep 17 00:00:00 2001 From: Nuo Mi Date: Sun, 22 Oct 2023 11:04:35 +0800 Subject: [PATCH 055/606] avcodec/cbs_h266: more restrictive check on pps_tile_idx_delta_val Fixes: out of array access Fixes: 62603/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5837632490569728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce0c178a408d43e71085c28a47d50dc939b60196) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h266_syntax_template.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 5654f22878..5a34200a18 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -2043,9 +2043,12 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, } if (i < current->pps_num_slices_in_pic_minus1) { if (current->pps_tile_idx_delta_present_flag) { + // Two conditions must be met: + // 1. −NumTilesInPic + 1 <= pps_tile_idx_delta_val[i] <= NumTilesInPic − 1 + // 2. 0 <= tile_idx + pps_tile_idx_delta_val[i] <= NumTilesInPic − 1 + // Combining these conditions yields: -tile_idx <= pps_tile_idx_delta_val[i] <= NumTilesInPic - 1 - tile_idx ses(pps_tile_idx_delta_val[i], - -current->num_tiles_in_pic + 1, - current->num_tiles_in_pic - 1, 1, i); + -tile_idx, current->num_tiles_in_pic - 1 - tile_idx, 1, i); if (current->pps_tile_idx_delta_val[i] == 0) { av_log(ctx->log_ctx, AV_LOG_ERROR, "pps_tile_idx_delta_val[i] shall not be equal to 0.\n"); From 4f879d26e1e8cdfe33634819574f1ce6b9446c75 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 24 Dec 2023 14:33:31 -0500 Subject: [PATCH 056/606] configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm Fixes the build. It's a requirement when utilizing PIE. Signed-off-by: Brad Smith 
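Review bot: The new lower bound `-tile_idx` in the `ses(pps_tile_idx_delta_val[i], ...)` call is only the intended negative value if `tile_idx` is a signed type or one narrower than int; its declaration is outside the hunk, so this should be confirmed, since negating an unsigned int would wrap to a large positive bound. The added comment also mixes U+2212 minus signs with ASCII hyphens inside the same inequalities; using ASCII `-` throughout keeps the comment searchable and consistent with the code line below it. FUNC(pps) continues outside the hunk.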
Signed-off-by: Michael Niedermayer (cherry picked from commit 6066c430e33b4cbf5dc8ff8b3a6d149f51d20300) Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 1f0b9497cb..a89cfa6d95 100755 --- a/configure +++ b/configure @@ -5585,6 +5585,7 @@ case $target_os in ;; netbsd) disable symver + enable section_data_rel_ro oss_indev_extralibs="-lossaudio" oss_outdev_extralibs="-lossaudio" enabled gcc || check_ldflags -Wl,-zmuldefs @@ -5603,6 +5604,7 @@ case $target_os in disable symver ;; freebsd) + enable section_data_rel_ro ;; bsd/os) add_extralibs -lpoll -lgnugetopt From bb84cbfd0c0f75751f5a1ebaf25fcf6845527390 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Sep 2023 23:53:21 +0200 Subject: [PATCH 057/606] avcodec/osq: Implement flush() Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c75fccd1d417f288b1ea7f76824f6a6ea652ea92) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 435f3ea7f6..f47213bf0c 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c 
@@ -61,6 +61,14 @@ typedef struct OSQContext { int pkt_offset; } OSQContext; +static void osq_flush(AVCodecContext *avctx) +{ + OSQContext *s = avctx->priv_data; + + s->bitstream_size = 0; + s->pkt_offset = 0; +} + static av_cold int osq_close(AVCodecContext *avctx) { OSQContext *s = avctx->priv_data; @@ -478,4 +486,5 @@ const FFCodec ff_osq_decoder = { AV_SAMPLE_FMT_S16P, AV_SAMPLE_FMT_S32P, AV_SAMPLE_FMT_NONE }, + .flush = osq_flush, }; From 45cd69a27669744d9d56de2e959aed39a024b3f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:23:33 +0100 Subject: [PATCH 058/606] avcodec/jpeglsdec: Check Jpeg-LS LSE Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int' Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c72a20f01a6122e1832f73801ea5f54b188abea3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index ec163b8964..c245cf0279 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -382,6 +382,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, state->T3 = s->t3; state->reset = s->reset; ff_jpegls_reset_coding_parameters(state, 0); + + /* Testing parameters here, we cannot test in LSE or SOF because + * these interdepend and are allowed in either order + */ + if (state->maxval >= (1<bpp) || + state->T1 > state->T2 || + state->T2 > state->T3 || + state->T3 > state->maxval || + state->reset > FFMAX(255, state->maxval)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + ff_jpegls_init_state(state); if (s->bits <= 8) From 84f78ac3eac55e4f9f0199c1cebe5a5ed9015fa7 Mon Sep 17 00:00:00 2001 
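Review bot: osq_flush has no comment saying why these two fields, and only these, are reset. The commit message ties the missing flush to an out of array access, presumably from stale `bitstream_size`/`pkt_offset` values surviving a flush, so a short comment such as `/* drop buffered input: offsets from before the flush must not index the refilled buffer */` would record that. It is also worth confirming that no other OSQContext member carries position state across a flush; the struct is only partly visible in this hunk.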
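Review bot: The new parameter check in ff_jpegls_decode_picture runs after `ff_jpegls_reset_coding_parameters(state, 0)`, so that call still sees maxval, T1..T3 and reset before they have been validated. The added comment explains why the test cannot live in LSE or SOF parsing, but not whether the reset helper is safe on out-of-range values; if it is not, at least the maxval bound would have to precede it. Separately, the first comparison is rendered on this page as `state->maxval >= (1<bpp)`, which looks like an extraction artefact of a shift by `state->bpp`; if so, the shift is only defined while bpp is below the width of int, which the hunk does not establish. The function continues outside the hunk.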
From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:37:49 +0100 Subject: [PATCH 059/606] avformat/mov: do not set sign bit for chunk_offsets Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long' Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cfc0a68d4d3192779e356a852e71b8218e7a00ab) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 30cf7a15b0..65c5c8c288 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2242,8 +2242,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) sc->chunk_offsets[i] = avio_rb32(pb); else if (atom.type == MKTAG('c','o','6','4')) - for (i = 0; i < entries && !pb->eof_reached; i++) + for (i = 0; i < entries && !pb->eof_reached; i++) { sc->chunk_offsets[i] = avio_rb64(pb); + if (sc->chunk_offsets[i] < 0) { + av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n"); + sc->chunk_offsets[i] = 0; + } + } else return AVERROR_INVALIDDATA; From bf2d7b20ea1c7d15dcbaedd479f40295e5c83430 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 02:07:56 +0100 Subject: [PATCH 060/606] avcodec/jpegxl_parser: Add padding to cs_buffer Fixes: out of array access Fixes: 64081/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6151006496620544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f88458bea698e00913a38940a7c34994151d2a8) Signed-off-by: Michael Niedermayer --- libavcodec/jpegxl_parser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
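Review bot: In the co64 branch of mov_read_stco a negative offset is replaced by 0 and parsing continues, so the entry now points at the start of the file instead of being rejected. Whether offset 0 is harmless depends on how chunk_offsets is consumed later, which is outside this hunk; if it is not, returning `AVERROR_INVALIDDATA` here is the safer outcome. The warning `"Impossible chunk_offset\n"` would also be easier to act on if it included the entry index.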
diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 4e4d27c3c8..ad1dc46271 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -162,7 +162,7 @@ typedef struct JXLParseContext { int skipped_icc; int next; - uint8_t cs_buffer[4096]; + uint8_t cs_buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE]; } JXLParseContext; /* used for reading brotli prefixes */ @@ -1400,7 +1400,7 @@ static int try_parse(AVCodecParserContext *s, AVCodecContext *avctx, JXLParseCon if (ctx->container || AV_RL64(buf) == FF_JPEGXL_CONTAINER_SIGNATURE_LE) { ctx->container = 1; ret = ff_jpegxl_collect_codestream_header(buf, buf_size, ctx->cs_buffer, - sizeof(ctx->cs_buffer), &ctx->copied); + sizeof(ctx->cs_buffer) - AV_INPUT_BUFFER_PADDING_SIZE, &ctx->copied); if (ret < 0) return ret; ctx->collected_size = ret; @@ -1409,7 +1409,7 @@ static int try_parse(AVCodecParserContext *s, AVCodecContext *avctx, JXLParseCon return AVERROR_BUFFER_TOO_SMALL; } cs_buffer = ctx->cs_buffer; - cs_buflen = FFMIN(sizeof(ctx->cs_buffer), ctx->copied); + cs_buflen = FFMIN(sizeof(ctx->cs_buffer) - AV_INPUT_BUFFER_PADDING_SIZE, ctx->copied); } else { cs_buffer = buf; cs_buflen = buf_size; From 3061bf668feffc7c1f0b244205167b3b86da8015 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:31:02 +0100 Subject: [PATCH 061/606] avfilter/avf_showspectrum: fix off by 1 error Fixes: out of array access Fixes: tickets/10749/poc15ffmpeg Regression since: 81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06) Signed-off-by: Michael Niedermayer --- libavfilter/avf_showspectrum.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avf_showspectrum.c b/libavfilter/avf_showspectrum.c index 8cf73fce70..99a5c33d09 100644 --- a/libavfilter/avf_showspectrum.c +++ b/libavfilter/avf_showspectrum.c 
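Review bot: The usable size of cs_buffer is now spelled three times, as `4096 + AV_INPUT_BUFFER_PADDING_SIZE` in the JXLParseContext declaration and as `sizeof(ctx->cs_buffer) - AV_INPUT_BUFFER_PADDING_SIZE` at both uses in try_parse. A later edit that touches only one of them would silently eat into the padding this patch adds against the out of array access. A named constant (the name here is only a suggestion), `#define JXL_CS_BUFFER_SIZE 4096`, used in the declaration as `uint8_t cs_buffer[JXL_CS_BUFFER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE];` and passed as the limit in both calls, keeps the three in step. A comment on the field that nothing may write past the first 4096 bytes would document why the padding exists.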
@@ -1784,7 +1784,7 @@ static int showspectrumpic_request_frame(AVFilterLink *outlink) int acc_samples = 0; int dst_offset = 0; - while (nb_frame <= s->nb_frames) { + while (nb_frame < s->nb_frames) { AVFrame *cur_frame = s->frames[nb_frame]; int cur_frame_samples = cur_frame->nb_samples; int nb_samples = 0; From e809c23786fe297797198a7b9f5d3392d581daf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:50:51 +0100 Subject: [PATCH 062/606] avfilter/vf_gradfun: Do not overread last line The code works in steps of 2 lines and lacks support for odd height Implementing odd height support is better but for now this fixes the out of array access Fixes: out of array access Fixes: tickets/10702/poc6ffmpe Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gradfun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index a71a68ecc1..e8d9cae828 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; From 162b4c60c8f72be2e93b759f3b1e14652b70b3ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 11:54:24 +0100 Subject: [PATCH 063/606] avfilter/edge_template: Fix small inputs with gaussian_blur() Fixes: out of array access Fixes: Ticket10699 Fixes: poc5ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit c443658d26d2b8e19901f9507a890e0efca79056) 
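Review bot: The changed condition `if (y + 1 < height - r)` in vf_gradfun's filter() carries the whole reason for the fix, but the code has no comment, so the next reader has to recover it from the commit message. Something like `/* two source lines are consumed per step; with odd height the last line is left out */` above the test would keep that limitation visible until odd heights are handled properly. filter() starts before and continues after the hunk.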
Signed-off-by: Michael Niedermayer --- libavfilter/edge_template.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/libavfilter/edge_template.c b/libavfilter/edge_template.c index 14635c25af..ce45e579db 100644 --- a/libavfilter/edge_template.c +++ b/libavfilter/edge_template.c @@ -74,6 +74,7 @@ void fn(gaussian_blur)(int w, int h, uint8_t *dst, int dst_linesize, const uint8_t *src, int src_linesize, int src_stride) { + int j; pixel *srcp = (pixel *)src; pixel *dstp = (pixel *)dst; @@ -81,12 +82,17 @@ void fn(gaussian_blur)(int w, int h, src_linesize /= sizeof(pixel); dst_linesize /= sizeof(pixel); - memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; - memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; - for (int j = 2; j < h - 2; j++) { - dstp[0] = srcp[(0)*src_stride]; - dstp[1] = srcp[(1)*src_stride]; - for (int i = 2; i < w - 2; i++) { + for (j = 0; j < FFMIN(h, 2); j++) { + memcpy(dstp, srcp, w*sizeof(pixel)); + dstp += dst_linesize; + srcp += src_linesize; + } + + for (; j < h - 2; j++) { + int i; + for (i = 0; i < FFMIN(w, 2); i++) + dstp[i] = srcp[i*src_stride]; + for (; i < w - 2; i++) { /* Gaussian mask of size 5x5 with sigma = 1.4 */ dstp[i] = ((srcp[-2*src_linesize + (i-2)*src_stride] + srcp[2*src_linesize + (i-2)*src_stride]) * 2 + (srcp[-2*src_linesize + (i-1)*src_stride] + srcp[2*src_linesize + (i-1)*src_stride]) * 4 
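Review bot: The rewritten border handling in gaussian_blur copies the top rows with `memcpy(dstp, srcp, w*sizeof(pixel))`, which assumes source pixels are contiguous, while the border columns and the kernel read `srcp[i*src_stride]`. For any caller that passes a src_stride other than one pixel the border rows would copy different samples from the rest of the picture; whether such a caller exists is not visible here. Using the same per-pixel form for the border rows, `for (int i = 0; i < w; i++) dstp[i] = srcp[i*src_stride];`, removes the assumption. The same memcpy appears in the trailing-rows loop of the next hunk (@@ -106,12 +112,15).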
@@ -106,12 +112,15 @@ void fn(gaussian_blur)(int w, int h, + srcp[(i+1)*src_stride] * 12 + srcp[(i+2)*src_stride] * 5) / 159; } - dstp[w - 2] = srcp[(w - 2)*src_stride]; - dstp[w - 1] = srcp[(w - 1)*src_stride]; + for (; i < w; i++) + dstp[i] = srcp[i*src_stride]; dstp += dst_linesize; srcp += src_linesize; } - memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; - memcpy(dstp, srcp, w*sizeof(pixel)); + for (; j < h; j++) { + memcpy(dstp, srcp, w*sizeof(pixel)); + dstp += dst_linesize; + srcp += src_linesize; + } } From 8b8b4bdef311f88c0075a06a25320187aff00bf2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 12:31:35 +0100 Subject: [PATCH 064/606] avfilter/vf_weave: Fix odd height handling Fixes: out of array access Fixes: tickets/10743/poc10ffmpeg Found-by: Zeng Yunxiang and Li Zeyuan Signed-off-by: Michael Niedermayer (cherry picked from commit 0ecc1f0e48930723d7a467761b66850811c23e62) Signed-off-by: Michael Niedermayer --- libavfilter/vf_weave.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_weave.c b/libavfilter/vf_weave.c index 84f3c5f337..7ad29bdedb 100644 --- a/libavfilter/vf_weave.c +++ b/libavfilter/vf_weave.c @@ -32,6 +32,7 @@ typedef struct WeaveContext { int double_weave; int nb_planes; int planeheight[4]; + int outheight[4]; int linesize[4]; AVFrame *prev; @@ -81,6 +82,9 @@ static int config_props_output(AVFilterLink *outlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); + s->outheight[0] = s->outheight[3] = 2*inlink->h; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); return 0; 
@@ -106,19 +110,20 @@ static int weave_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) const int height = s->planeheight[i]; const int start = (height * jobnr) / nb_jobs; const int end = (height * (jobnr+1)) / nb_jobs; + const int compensation = 2*end > s->outheight[i]; av_image_copy_plane(out->data[i] + out->linesize[i] * field1 + out->linesize[i] * start * 2, out->linesize[i] * 2, in->data[i] + start * in->linesize[i], in->linesize[i], - s->linesize[i], end - start); + s->linesize[i], end - start - compensation * field1); av_image_copy_plane(out->data[i] + out->linesize[i] * field2 + out->linesize[i] * start * 2, out->linesize[i] * 2, s->prev->data[i] + start * s->prev->linesize[i], s->prev->linesize[i], - s->linesize[i], end - start); + s->linesize[i], end - start - compensation * field2); } return 0; From c02d56b3cf9db4180d0a4409ef367fefe178b5b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Dec 2023 13:20:48 +0100 Subject: [PATCH 065/606] Update for 6.1.1 Signed-off-by: Michael Niedermayer --- Changelog | 27 +++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 8f0606fc26..60a5a0a0ed 100644 --- a/Changelog +++ b/Changelog 
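Review bot: `compensation` in weave_slice is introduced without any comment, and `end - start - compensation * field1` is not self-explanatory. As far as the hunk shows, it is 1 only for a slice whose doubled end row exceeds `s->outheight[i]`, and then one row is dropped from whichever copy has a field offset of 1; field1 and field2 are defined outside the hunk. A comment such as `/* odd output plane height: the field on the odd lines has one row fewer in the last slice */` would document that, and should also state why the row count cannot become negative for an empty slice.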
@@ -1,6 +1,33 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 6.1.1 +- avfilter/vf_weave: Fix odd height handling +- avfilter/edge_template: Fix small inputs with gaussian_blur() +- avfilter/vf_gradfun: Do not overread last line +- avfilter/avf_showspectrum: fix off by 1 error +- avcodec/jpegxl_parser: Add padding to cs_buffer +- avformat/mov: do not set sign bit for chunk_offsets +- avcodec/jpeglsdec: Check Jpeg-LS LSE +- avcodec/osq: Implement flush() +- configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm +- avcodec/cbs_h266: more restrictive check on pps_tile_idx_delta_val +- avcodec/jpeg2000htdec: check if block decoding will exceed internal precision +- tools/target_dec_fuzzer: Adjust threshold for VMIX +- avcodec/av1dec: Fix resolving zero divisor +- avformat/mov: Ignore duplicate ftyp +- avformat/mov: Fix integer overflow in mov_read_packet(). +- lavc/qsvdec: return 0 if more data is required +- avcodec/jpegxl_parser: check ANS cluster alphabet size vs bundle size +- libavformat/vvc: Make probe more conservative +- hwcontext_vulkan: guard unistd.h include +- lavc/Makefile: build vulkan decode code if vulkan_av1 has been enabled +- lavc/dvdsubenc: only check canvas size when it is actually set +- avcodec/decode: validate hw_frames_ctx when AVHWAccel.free_frame_priv is used +- avcoded/fft: Fix memory leak if ctx2 is used +- avcodec/fft: Use av_mallocz to avoid invalid free/uninit + + version 6.1: - libaribcaption decoder - Playdate video decoder and demuxer diff --git a/RELEASE b/RELEASE index a435f5a56f..f3b5af39e4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -6.1 +6.1.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index afb4a97d9d..dd9af6a20d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 6.1 +PROJECT_NUMBER = 6.1.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 2eb597816a96fe5c7a434fed78af29271c34abd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:48:27 +0100 Subject: [PATCH 066/606] avcodec/jpegxl_parser: Check get_vlc2() Fixes: shift exponent -1 is negative Fixes: 63889/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6009343056936960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 850ab8f6da58f8ac1012bef1eb69f7924a8cf620) Signed-off-by: Michael Niedermayer --- libavcodec/jpegxl_parser.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index ad1dc46271..300134be5d 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -708,6 +708,10 @@ static int read_vlc_prefix(GetBitContext *gb, JXLEntropyDecoder *dec, JXLSymbolD level1_codecounts[0] = hskip; for (int i = hskip; i < 18; i++) { len = level1_lens[prefix_codelen_map[i]] = get_vlc2(gb, level0_table, 4, 1); + if (len < 0) { + ret = AVERROR_INVALIDDATA; + goto end; + } level1_codecounts[len]++; if (len) { total_code += (32 >> len); @@ -753,6 +757,10 @@ static int read_vlc_prefix(GetBitContext *gb, JXLEntropyDecoder *dec, JXLSymbolD total_code = 0; for (int i = 0; i < dist->alphabet_size; i++) { len = get_vlc2(gb, level1_vlc.table, 5, 1); + if (len < 0) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (get_bits_left(gb) < 0) { ret = AVERROR_BUFFER_TOO_SMALL; goto end; From 2bd36ef4c7709a4beaef358a75408c0d6f9e3ea7 Mon Sep 17 00:00:00 2001 
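Review bot: In the first hunk of read_vlc_prefix the new `if (len < 0)` tests the result of the chained assignment `len = level1_lens[prefix_codelen_map[i]] = get_vlc2(...)`, so `len` receives the value after conversion to the element type of level1_lens. If that array has an unsigned element type, a negative return from get_vlc2 is stored as a large positive number and the check never fires, leaving `level1_codecounts[len]++` and `32 >> len` unguarded; the declarations are outside the hunk, so this needs confirming. Reading into `len` first avoids the dependency: `len = get_vlc2(gb, level0_table, 4, 1);`, then the check, then `level1_lens[prefix_codelen_map[i]] = len;`. The second hunk assigns directly to `len` and is not affected, assuming `len` itself is signed.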
From: Thomas Guilbert Date: Wed, 15 Nov 2023 20:28:49 +0000 Subject: [PATCH 067/606] avformat/mov: Fix MSAN issue with stsd_id Fixes: use of uninitialized value Fixes: bbb-320x240-2video-2audio.mp4 Signed-off-by: Michael Niedermayer (cherry picked from commit ff451df9479810d75851f92babd0b4290da03dd6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 65c5c8c288..606fe22f71 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1472,6 +1472,7 @@ static int update_frag_index(MOVContext *c, int64_t offset) frag_stream_info[i].index_base = -1; frag_stream_info[i].index_entry = -1; frag_stream_info[i].encryption_index = NULL; + frag_stream_info[i].stsd_id = -1; } if (index < c->frag_index.nb_items) From 0c5254378120e443baba572a6c188fc281ae0f2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Dec 2023 04:03:01 +0100 Subject: [PATCH 068/606] avfilter/af_stereowiden: Check length Fixes: out of array access Fixes: tickets/10746/poc13ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07) Signed-off-by: Michael Niedermayer --- libavfilter/af_stereowiden.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c index af4b23e8a5..f7a6a91ae4 100644 --- a/libavfilter/af_stereowiden.c +++ b/libavfilter/af_stereowiden.c @@ -74,6 +74,8 @@ static int config_input(AVFilterLink *inlink) s->length = s->delay * inlink->sample_rate / 1000; s->length *= 2; + if (s->length == 0) + return AVERROR(EINVAL); s->buffer = av_calloc(s->length, sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From e01a55c5283b82667dad347331816a5e20869ce9 Mon Sep 17 00:00:00 2001 
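Review bot: config_input in af_stereowiden now returns `AVERROR(EINVAL)` when `s->length == 0` without logging anything, so a user only sees filter configuration fail with no hint at the cause. A line such as `av_log(inlink->dst, AV_LOG_ERROR, "delay too small for this sample rate\n");` before the return would say which option to change. The function continues outside the hunk.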
From: Michael Niedermayer Date: Sat, 23 Dec 2023 18:04:32 +0100 Subject: [PATCH 069/606] avfilter/f_reverse: Apply PTS compensation only when pts is available Fixes: out of array access Fixes: tickets/10753/poc16ffmpeg Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1 Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 61e73851a33f0b4cb7662f8578a4695e77bd3c19) Signed-off-by: Michael Niedermayer --- libavfilter/f_reverse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/f_reverse.c b/libavfilter/f_reverse.c index 086819a207..744f4a3cc8 100644 --- a/libavfilter/f_reverse.c +++ b/libavfilter/f_reverse.c @@ -266,7 +266,8 @@ static int areverse_request_frame(AVFilterLink *outlink) AVFrame *out = s->frames[s->nb_frames - 1]; out->duration = s->duration[s->flush_idx]; out->pts = s->pts[s->flush_idx++] - s->nb_samples; - s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; + if (s->nb_frames > 1) + s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; if (av_sample_fmt_is_planar(out->format)) reverse_samples_planar(out); From e43a3d8d304dcafad023eb0327669fe94d6e2d9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 21:49:48 +0100 Subject: [PATCH 070/606] avfilter/af_alimiter: Check nextpos before use Fixes: out of array read Fixes: tickets/10744/poc11ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a88b06f9ee8c88f78bdd614fc25283225223e858) Signed-off-by: Michael Niedermayer --- libavfilter/af_alimiter.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c index f08893229d..9a86704764 100644 --- a/libavfilter/af_alimiter.c +++ b/libavfilter/af_alimiter.c 
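Review bot: The new guard `if (s->nb_frames > 1)` in areverse_request_frame protects a read of `s->pts[s->flush_idx]` that happens after `flush_idx` was already incremented on the previous line, and the relation between nb_frames and flush_idx is not visible in the hunk. If nb_frames counts the frames still to be emitted the guard is sufficient, but that should be stated; a comment such as `/* pts[flush_idx] exists only while another frame remains */` would make it checkable. The function continues outside the hunk.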
@@ -195,9 +195,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) int j = i % buffer_size; double ppeak = 0, pdelta; - for (c = 0; c < channels; c++) { - ppeak = FFMAX(ppeak, fabs(buffer[nextpos[j] + c])); - } + if (nextpos[j] >= 0) + for (c = 0; c < channels; c++) { + ppeak = FFMAX(ppeak, fabs(buffer[nextpos[j] + c])); + } pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels); if (pdelta < nextdelta[j]) { nextdelta[j] = pdelta; From 8e99388c1b642c430a7dbaee23d6cef4556d3821 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:25:25 +0100 Subject: [PATCH 071/606] avfilter/vf_swaprect: assert that rectangles are within memory Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1ba698d2bed1d4bed731b3be62e84d72c35476) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 13ae149afd..8a983b605b 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/eval.h" #include "libavutil/imgutils.h" @@ -182,6 +183,10 @@ FF_ENABLE_DEPRECATION_WARNINGS y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; + + av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]); + av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]); + for (p = 0; p < s->nb_planes; p++) { if (ph[p] == ah[p] && pw[p] == aw[p]) { uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p]; From 301100ddfbeca258be1947dad01364854cae4b5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:26:22 +0100 Subject: [PATCH 072/606] avfilter/vf_swaprect: Use height for vertical variables 
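Review bot: With the new `if (nextpos[j] >= 0)` guard in af_alimiter's filter_frame, `ppeak` stays at its initial 0 when the slot holds a negative position, and the very next statement still evaluates `limit / ppeak` and `buffer_size - nextpos[j] + s->pos`. With a double divisor that yields an infinite pdelta rather than a crash, but the value can then pass `pdelta < nextdelta[j]` and be stored. Skipping the slot altogether, e.g. `if (nextpos[j] < 0) continue;` at the top of the loop body, avoids computing with a sentinel position, assuming an unused slot is meant to be ignored. The loop header is outside the hunk.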
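Review bot: The two added `av_assert0` calls in vf_swaprect check only plane index 1 (`x1[1]`, `pw[1]`, `lw[1]` and the y counterparts), while the copy loop directly below runs over every plane up to `s->nb_planes`. If the invariant is meant to hold for all planes, asserting inside the loop with `av_assert0(FFMAX(x1[p], x2[p]) + pw[p] <= lw[p]);` and the matching y line covers the remaining planes too. Note also that av_assert0 aborts the process, so if the rectangle geometry can be driven by filter options this turns a bad parameter into a crash rather than an error return; clamping or returning `AVERROR(EINVAL)` is the more defensive choice. The enclosing function extends beyond the hunk.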
Signed-off-by: Michael Niedermayer (cherry picked from commit 9f4c5bd7d23eb94afe85290e03748f52483102b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 8a983b605b..20d8e233e4 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -150,10 +150,10 @@ FF_ENABLE_DEPRECATION_WARNINGS w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2; x1[0] = av_clip(x1[0], 0, inlink->w - 1); - y1[0] = av_clip(y1[0], 0, inlink->w - 1); + y1[0] = av_clip(y1[0], 0, inlink->h - 1); x2[0] = av_clip(x2[0], 0, inlink->w - 1); - y2[0] = av_clip(y2[0], 0, inlink->w - 1); + y2[0] = av_clip(y2[0], 0, inlink->h - 1); ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h); ah[0] = ah[3] = h; From 2450e202c470002391155287e7e038352d0896b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:27:08 +0100 Subject: [PATCH 073/606] avfilter/vf_swaprect: round coordinates down Fixes: out of array access: Fixes: tickets/10745/poc12ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit 7deaca71b32c556620e05954ca2d13fbe9aacf1f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 20d8e233e4..119fd692fa 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c 
@@ -173,14 +173,14 @@ FF_ENABLE_DEPRECATION_WARNINGS lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w); lw[0] = lw[3] = inlink->w; - x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w); + x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w); x1[0] = x1[3] = x1[0]; - y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h); + y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h); y1[0] = y1[3] = y1[0]; - x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w); + x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w); x2[0] = x2[3] = x2[0]; - y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); + y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; From 2b403b88fcec6c002b8e2bb2eaee34b6113790f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:09:31 +0200 Subject: [PATCH 074/606] avcodec/vaapi_encode: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit bf1159774b94ffcf1049f1def23db5d7cf46a433) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index e3820956d1..6c3e41fb31 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c @@ -834,7 +834,7 @@ static int vaapi_encode_output(AVCodecContext *avctx, if (pic->tail_size) { if (ctx->tail_pkt->size) { - err = AVERROR(AVERROR_BUG); + err = AVERROR_BUG; goto end; } From f2d836819da4c69a5b59fa04f3625e1de3698719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:09:31 +0200 Subject: [PATCH 075/606] avfilter/vf_vidstabdetect: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit bb04235d728a2b85d6cbe14dd60184faa932c855) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vidstabdetect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavfilter/vf_vidstabdetect.c b/libavfilter/vf_vidstabdetect.c index aa050afab9..1888e8e6cd 100644 --- a/libavfilter/vf_vidstabdetect.c +++ b/libavfilter/vf_vidstabdetect.c @@ -180,7 +180,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) { av_log(ctx, AV_LOG_ERROR, "motion detection failed"); - return AVERROR(AVERROR_EXTERNAL); + return AVERROR_EXTERNAL; } else { if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) { int ret = AVERROR(errno); From ef879f02f2cfdaa3cc4adc2e725b9f5c53b687c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:10:22 +0200 Subject: [PATCH 076/606] avformat/flacdec: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit 029294ff541c9c85092f81dd45f18081d234f0d5) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 5104f23110..ab9ef052f9 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -78,7 +78,7 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { if (avio_read(s->pb, header, 4) != 4) - return AVERROR(AVERROR_INVALIDDATA); + return AVERROR_INVALIDDATA; flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From 41f32f0bc42490c007920cf7b844f7a84852b201 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Dec 2023 23:23:24 +0100 Subject: [PATCH 077/606] Changelog: update --- Changelog | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog b/Changelog index 60a5a0a0ed..f0ea8700cd 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,17 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 6.1.1 +- avformat/flacdec: Avoid double AVERRORS +- avfilter/vf_vidstabdetect: Avoid double AVERRORS +- avcodec/vaapi_encode: Avoid double AVERRORS +- avfilter/vf_swaprect: round coordinates down +- avfilter/vf_swaprect: Use height for vertical variables +- avfilter/vf_swaprect: assert that rectangles are within memory +- avfilter/af_alimiter: Check nextpos before use +- avfilter/f_reverse: Apply PTS compensation only when pts is available +- avfilter/af_stereowiden: Check length +- avformat/mov: Fix MSAN issue with stsd_id +- avcodec/jpegxl_parser: Check get_vlc2() - avfilter/vf_weave: Fix odd height handling - avfilter/edge_template: Fix small inputs with gaussian_blur() - avfilter/vf_gradfun: Do not overread last line From ea276a511a3aa3d8fdab352e96f13ca1ffd7ae2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:39:58 +0100 Subject: [PATCH 078/606] avfilter/avf_showwaves: Check history_nb_samples Fixes: out of array access Fixes: tickets/10756/poc18ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 08bd2cbfeb34717d60ec62bcbaeb7996206df906) Signed-off-by: Michael Niedermayer --- libavfilter/avf_showwaves.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/avf_showwaves.c b/libavfilter/avf_showwaves.c index 329753c8c8..e19b93a207 100644 --- a/libavfilter/avf_showwaves.c +++ b/libavfilter/avf_showwaves.c @@ -440,6 +440,8 @@ static int config_output(AVFilterLink *outlink) showwaves->history_nb_samples = av_rescale(showwaves->w * nb_channels * 2, showwaves->n.num, showwaves->n.den); + if (showwaves->history_nb_samples <= 0) + return AVERROR(EINVAL); showwaves->history = av_calloc(showwaves->history_nb_samples, sizeof(*showwaves->history)); if (!showwaves->history) From c9e6162554cc7d04a56e2edd1f6f1479c6f8b62f Mon Sep 17 00:00:00 2001 
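Review bot: The added `history_nb_samples <= 0` test in config_output rejects a zero or negative count, but an oversized one still passes. av_rescale() returns int64_t, so if `history_nb_samples` is a narrower type (its declaration is outside the hunk) the assignment can truncate a large result to a small positive value, and the product `showwaves->w * nb_channels * 2` is evaluated in the operands' own type before the rescale. Keeping the result in an int64_t local and bounding it before the store would cover both ends, e.g. `if (nb <= 0 || nb > INT_MAX) return AVERROR(EINVAL);` and only then `showwaves->history_nb_samples = nb;`.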
From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:51:32 +0100 Subject: [PATCH 079/606] avfilter/vf_minterpolate: Check pts before division Fixes: FPE Fixes: tickets/10758/poc20ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_minterpolate.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index 9920210ece..b2242a15ee 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -1075,8 +1075,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); From e1c2fa6b9addeacfa8b9e24acf9d4699ecdaa764 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:06:39 +0100 Subject: [PATCH 080/606] avcodec/mpegvideo_enc: Dont copy beyond the image Fixes: out of array access Fixes: tickets/10754/poc17ffmpeg Discovered by Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a066b8a809fa6d8b31398d41787822803f8762f2) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
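Review bot: The new `frames[2].avf->pts > frames[1].avf->pts` guard in interpolate removes the zero divisor, but the arithmetic inside the branch still runs on unvalidated timestamps. `mi_ctx->frames[1].avf->pts * ALPHA_MAX` and `mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts` are signed 64-bit expressions, and if frames[1] can carry AV_NOPTS_VALUE at this point (not visible in the hunk) the comparison lets it through and the subtraction overflows. Extending the condition to `if (mi_ctx->frames[1].avf->pts != AV_NOPTS_VALUE && mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {` would route that case to the existing `alpha = 0` fallback. The function continues outside the hunk.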
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 6d2d417454..e460ca407c 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1213,7 +1213,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) dst += INPLACE_OFFSET; if (src_stride == dst_stride) - memcpy(dst, src, src_stride * h); + memcpy(dst, src, src_stride * h - src_stride + w); else { int h2 = h; uint8_t *dst2 = dst; From e38092ef9395d7049f871ef4d5411eb410e283e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 22:19:58 +0100 Subject: [PATCH 081/606] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index f0ea8700cd..2dca1d96c7 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 6.1.1 +- avcodec/mpegvideo_enc: Dont copy beyond the image +- avfilter/vf_minterpolate: Check pts before division +- avfilter/avf_showwaves: Check history_nb_samples - avformat/flacdec: Avoid double AVERRORS - avfilter/vf_vidstabdetect: Avoid double AVERRORS - avcodec/vaapi_encode: Avoid double AVERRORS From 61b88b4dda5e78661ed1042a72d49c3f0d490534 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sat, 18 Nov 2023 16:03:11 +0800 Subject: [PATCH 082/606] avcodec/mediacodecdec: fix return EAGAIN after EOF Signed-off-by: Zhao Zhili (cherry picked from commit f27fce0c0cc67ed2d36d7353d843234829bb2f5f) --- libavcodec/mediacodecdec_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mediacodecdec_common.c b/libavcodec/mediacodecdec_common.c index 1151bb71f9..d6f91e6e89 100644 --- a/libavcodec/mediacodecdec_common.c +++ b/libavcodec/mediacodecdec_common.c 
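Review bot: The new length `src_stride * h - src_stride + w` in load_input_picture is only safe when `h >= 1` and `w <= src_stride`. With `h == 0` it evaluates to `w - src_stride`, which becomes a very large size once converted for memcpy. The declarations of `h`, `w` and `src_stride` are outside the hunk, so whether that case is reachable cannot be confirmed from here. A comment stating the intent would help the next reader, e.g. `/* h - 1 full strides plus w bytes of the last row: the source may end right after the last visible pixel */`, and writing the size as `src_stride * (h - 1) + w` makes the same computation easier to audit.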
@@ -804,6 +804,8 @@ int ff_mediacodec_dec_receive(AVCodecContext *avctx, MediaCodecDecContext *s, return AVERROR_EXTERNAL; } + if (s->draining && s->eos) + return AVERROR_EOF; return AVERROR(EAGAIN); } From bfacb66fc821a6d43c0c83e7222c1c4b8467ae86 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 6 Feb 2024 19:50:33 -0300 Subject: [PATCH 083/606] avcodec/nvdec: don't free NVDECContext->bitstream Ensure all hwaccels that allocate a buffer use NVDECContext->bitstream_internal instead. Otherwise, if FFHWAccel->end_frame() isn't called before FFHWAccel->uninit(), an attempt to free a stale pointer to memory not owned by the hwaccel could take place. Reviewed-by: Timo Rothenpieler Signed-off-by: James Almer --- libavcodec/nvdec.c | 2 +- libavcodec/nvdec_h264.c | 4 ++-- libavcodec/nvdec_hevc.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index 0ec8e896a6..b2481e7fe8 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -258,8 +258,8 @@ int ff_nvdec_decode_uninit(AVCodecContext *avctx) { NVDECContext *ctx = avctx->internal->hwaccel_priv_data; - av_freep(&ctx->bitstream); av_freep(&ctx->bitstream_internal); + ctx->bitstream = NULL; ctx->bitstream_len = 0; ctx->bitstream_allocated = 0; diff --git a/libavcodec/nvdec_h264.c b/libavcodec/nvdec_h264.c index f022619b64..8c72d5f4f7 100644 --- a/libavcodec/nvdec_h264.c +++ b/libavcodec/nvdec_h264.c 
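Review bot: Nothing in the ff_nvdec_decode_uninit hunk records why `bitstream` is cleared with `ctx->bitstream = NULL;` while only `bitstream_internal` goes through av_freep(). The ownership rule is what the commit message describes, and it is easy to break again when another hwaccel is added. A comment at this site would make it explicit, e.g. `/* bitstream may alias bitstream_internal or caller-owned data; only bitstream_internal is ours to free */`. The same rule applies to the `ctx->bitstream = ctx->bitstream_internal = tmp;` assignments in the nvdec_h264.c and nvdec_hevc.c hunks of this patch.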
@@ -138,11 +138,11 @@ static int nvdec_h264_decode_slice(AVCodecContext *avctx, const uint8_t *buffer, const H264SliceContext *sl = &h->slice_ctx[0]; void *tmp; - tmp = av_fast_realloc(ctx->bitstream, &ctx->bitstream_allocated, + tmp = av_fast_realloc(ctx->bitstream_internal, &ctx->bitstream_allocated, ctx->bitstream_len + size + 3); if (!tmp) return AVERROR(ENOMEM); - ctx->bitstream = tmp; + ctx->bitstream = ctx->bitstream_internal = tmp; tmp = av_fast_realloc(ctx->slice_offsets, &ctx->slice_offsets_allocated, (ctx->nb_slices + 1) * sizeof(*ctx->slice_offsets)); diff --git a/libavcodec/nvdec_hevc.c b/libavcodec/nvdec_hevc.c index b83d5edcf9..25319a1328 100644 --- a/libavcodec/nvdec_hevc.c +++ b/libavcodec/nvdec_hevc.c @@ -274,11 +274,11 @@ static int nvdec_hevc_decode_slice(AVCodecContext *avctx, const uint8_t *buffer, NVDECContext *ctx = avctx->internal->hwaccel_priv_data; void *tmp; - tmp = av_fast_realloc(ctx->bitstream, &ctx->bitstream_allocated, + tmp = av_fast_realloc(ctx->bitstream_internal, &ctx->bitstream_allocated, ctx->bitstream_len + size + 3); if (!tmp) return AVERROR(ENOMEM); - ctx->bitstream = tmp; + ctx->bitstream = ctx->bitstream_internal = tmp; tmp = av_fast_realloc(ctx->slice_offsets, &ctx->slice_offsets_allocated, (ctx->nb_slices + 1) * sizeof(*ctx->slice_offsets)); From 8815d775322570db8ecf82124467a818c681ed90 Mon Sep 17 00:00:00 2001 
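Review bot: The size passed to av_fast_realloc() in nvdec_h264_decode_slice, `ctx->bitstream_len + size + 3`, is still computed without an overflow check, and the nvdec_hevc_decode_slice hunk has the identical expression. `size` comes from the slice being decoded and the types of both operands are declared outside the hunks, so if they are 32-bit the sum can wrap and the buffer end up smaller than the data copied into it afterwards. A guard before the call, such as `if (size > INT_MAX - 3 - ctx->bitstream_len) return AVERROR_INVALIDDATA;` (bound to be adjusted to the actual field type), would reject that input. Both function bodies continue outside the hunks.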
From: Lynne Date: Fri, 9 Feb 2024 18:17:54 +0100 Subject: [PATCH 084/606] avfft: avoid overreads with RDFT API users The new API requires an extra array member at the very end, which old API users did not do. This disables in-place RDFT transforms and instead does the transform out of place by copying once, there shouldn't be a significant loss of speed as our in-place FFT requires a reorder which is likely more expensive in the majority of cases to do. (cherry picked from commit 90adef99cab46ed1791c8096ac2ac0b89f67a266) --- libavcodec/avfft.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/libavcodec/avfft.c b/libavcodec/avfft.c index 999b5ed79a..627fd7a0be 100644 --- a/libavcodec/avfft.c +++ b/libavcodec/avfft.c @@ -152,7 +152,7 @@ RDFTContext *av_rdft_init(int nbits, enum RDFTransformType trans) return NULL; ret = av_tx_init(&s->ctx, &s->fn, AV_TX_FLOAT_RDFT, trans == IDFT_C2R, - 1 << nbits, &scale, AV_TX_INPLACE); + 1 << nbits, &scale, 0x0); if (ret < 0) { av_free(s); return NULL; @@ -162,17 +162,35 @@ RDFTContext *av_rdft_init(int nbits, enum RDFTransformType trans) s->len = 1 << nbits; s->inv = trans == IDFT_C2R; + s->tmp = av_malloc((s->len + 2)*sizeof(float)); + if (!s->tmp) { + av_tx_uninit(&s->ctx); + av_free(s); + return NULL; + } + return (RDFTContext *)s; } void av_rdft_calc(RDFTContext *s, FFTSample *data) { AVTXWrapper *w = (AVTXWrapper *)s; - if (w->inv) - FFSWAP(float, data[1], data[w->len]); - w->fn(w->ctx, data, (void *)data, w->stride); - if (!w->inv) - FFSWAP(float, data[1], data[w->len]); + float *src = w->inv ? w->tmp : (float *)data; + float *dst = w->inv ? (float *)data : w->tmp; + + if (w->inv) { + memcpy(src, data, w->len*sizeof(float)); + + src[w->len] = src[1]; + src[1] = 0.0f; + } + + w->fn(w->ctx, dst, (void *)src, w->stride); + + if (!w->inv) { + dst[1] = dst[w->len]; + memcpy(data, dst, w->len*sizeof(float)); + } } av_cold void av_rdft_end(RDFTContext *s) 
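Review bot: The scratch buffer in av_rdft_init is sized with an open-coded multiplication, `av_malloc((s->len + 2)*sizeof(float))`, where `s->len` is `1 << nbits` and no range check on `nbits` is visible in the hunk. The overflow-checked allocator expresses the same thing: `s->tmp = av_malloc_array(s->len + 2, sizeof(float));`. Separately, av_rdft_calc now reads and writes `w->tmp` on every call, so two threads sharing one RDFTContext race on it where the in-place version touched only the caller's `data`; a short comment on the function, e.g. `/* uses the context's scratch buffer: not safe to call concurrently on the same context */`, would document the new constraint.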
@@ -180,6 +198,7 @@ av_cold void av_rdft_end(RDFTContext *s) if (s) { AVTXWrapper *w = (AVTXWrapper *)s; av_tx_uninit(&w->ctx); + av_free(w->tmp); av_free(w); } } From 9cc7926586931828917d8e556888bc577ebff173 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 29 Jan 2024 19:58:18 +0100 Subject: [PATCH 085/606] avformat/mov_chan: do not assume channels are in native order Existing code could have caused wrong channel order signalling or reduced channel count if a channel designation appeared multiple times. This is actually an old bug, but the conversion to the new channel layout API made it visible, because now the code overrides the proper channel count with the one calculated from the mask. Signed-off-by: Marton Balint (cherry picked from commit 3d3cad7483785191b99557c78d5a4a551088c549) --- libavformat/mov_chan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index f3d51899e1..5cb2de3820 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -530,7 +530,7 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, size -= 20; if (layout_tag == 0) { uint64_t mask_incr = mov_get_channel_mask(label); - if (mask_incr == 0) { + if (mask_incr == 0 || mask_incr <= label_mask) { label_mask = 0; break; } From 3e79074c416f18e20d64f037e56e62e5ae1f09bc Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 29 Jan 2024 20:15:28 +0100 Subject: [PATCH 086/606] avformat/mov_chan: never override number of channels based on chan atom The channel designation metadata should not override the number of channels. Let's warn the user if it is inconsistent, and keep the channel layout unspecified. Before the conversion to the channel layout API the code only set the mask, but never overridden the channel count, so this restores the old behaviour. 
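Review bot: The condition `mask_incr <= label_mask` in the ff_mov_read_chan hunk carries two meanings that are not obvious from the line: it rejects a label that repeats an earlier one and a label that arrives out of native order. It also appears to assume that mov_get_channel_mask() returns a single-bit mask, which is not visible in the hunk. A comment above the test would make the intent reviewable, e.g. `/* labels must be unique and in increasing native order, otherwise the layout cannot be expressed as a mask */`. The enclosing loop starts and ends outside the hunk.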
Signed-off-by: Marton Balint (cherry picked from commit dc9d64f7941f5b071283e16fa56e3af86e5c84d6) --- libavformat/mov_chan.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 5cb2de3820..6b206745b4 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -544,8 +544,13 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, mask = mov_get_channel_layout(layout_tag, bitmap); if (mask) { - av_channel_layout_uninit(&st->codecpar->ch_layout); - av_channel_layout_from_mask(&st->codecpar->ch_layout, mask); + if (!st->codecpar->ch_layout.nb_channels || av_popcount64(mask) == st->codecpar->ch_layout.nb_channels) { + av_channel_layout_uninit(&st->codecpar->ch_layout); + av_channel_layout_from_mask(&st->codecpar->ch_layout, mask); + } else { + av_log(s, AV_LOG_WARNING, "ignoring channel layout with %d channels because the real number of channels is %d\n", + av_popcount64(mask), st->codecpar->ch_layout.nb_channels); + } } avio_skip(pb, size - 12); From fef22c87ada4517441701e6e61e062c9f4399c8e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 14 Feb 2024 22:40:54 +0200 Subject: [PATCH 087/606] {avcodec,tests}: rename the bundled Mesa AV1 vulkan video headers This together with adjusting the inclusion define allows for the build to not fail with latest Vulkan-Headers that contain the stabilized Vulkan AV1 decoding definitions. Compilation fails currently as the AV1 header is getting included via hwcontext_vulkan.h -> -> vulkan_core.h, which finally includes vk_video/vulkan_video_codec_av1std.h and the decode header, leading to the bundled header to never defining anything due to the inclusion define being the same. This fix is imperfect, as it leads to additional re-definition warnings for things such as VK_STD_VULKAN_VIDEO_CODEC_AV1_DECODE_SPEC_VERSION. , but it is not clear how to otherwise have the bundled version trump the actually standardized one for a short-term compilation fix. (cherry picked from commit e06ce6d2b45edac4a2df04f304e18d4727417d24) --- libavcodec/Makefile | 4 ++-- libavcodec/vulkan_video.h | 4 ++-- ...v1std_decode.h => vulkan_video_codec_av1std_decode_mesa.h} | 4 ++-- ..._video_codec_av1std.h => vulkan_video_codec_av1std_mesa.h} | 4 ++-- tests/ref/fate/source | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) rename libavcodec/{vulkan_video_codec_av1std_decode.h => vulkan_video_codec_av1std_decode_mesa.h} (89%) rename libavcodec/{vulkan_video_codec_av1std.h => vulkan_video_codec_av1std_mesa.h} (99%) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index ec57e53e30..eb25707ef5 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -1284,7 +1284,7 @@ SKIPHEADERS += %_tablegen.h \ aacenc_quantization.h \ aacenc_quantization_misc.h \ bitstream_template.h \ - vulkan_video_codec_av1std.h \ + vulkan_video_codec_av1std_mesa.h \ $(ARCH)/vpx_arith.h \ SKIPHEADERS-$(CONFIG_AMF) += amfenc.h 
@@ -1306,7 +1306,7 @@ SKIPHEADERS-$(CONFIG_XVMC) += xvmc.h SKIPHEADERS-$(CONFIG_VAAPI) += vaapi_decode.h vaapi_hevc.h vaapi_encode.h SKIPHEADERS-$(CONFIG_VDPAU) += vdpau.h vdpau_internal.h SKIPHEADERS-$(CONFIG_VIDEOTOOLBOX) += videotoolbox.h vt_internal.h -SKIPHEADERS-$(CONFIG_VULKAN) += vulkan.h vulkan_video.h vulkan_decode.h vulkan_video_codec_av1std_decode.h +SKIPHEADERS-$(CONFIG_VULKAN) += vulkan.h vulkan_video.h vulkan_decode.h vulkan_video_codec_av1std_decode_mesa.h SKIPHEADERS-$(CONFIG_V4L2_M2M) += v4l2_buffers.h v4l2_context.h v4l2_m2m.h SKIPHEADERS-$(CONFIG_ZLIB) += zlib_wrapper.h diff --git a/libavcodec/vulkan_video.h b/libavcodec/vulkan_video.h index b28e3fe0bd..51f44dd543 100644 --- a/libavcodec/vulkan_video.h +++ b/libavcodec/vulkan_video.h @@ -23,8 +23,8 @@ #include "vulkan.h" #include -#include "vulkan_video_codec_av1std.h" -#include "vulkan_video_codec_av1std_decode.h" +#include "vulkan_video_codec_av1std_mesa.h" +#include "vulkan_video_codec_av1std_decode_mesa.h" #define CODEC_VER_MAJ(ver) (ver >> 22) #define CODEC_VER_MIN(ver) ((ver >> 12) & ((1 << 10) - 1)) diff --git a/libavcodec/vulkan_video_codec_av1std_decode.h b/libavcodec/vulkan_video_codec_av1std_decode_mesa.h similarity index 89% rename from libavcodec/vulkan_video_codec_av1std_decode.h rename to libavcodec/vulkan_video_codec_av1std_decode_mesa.h index a697c00593..e2f37b4e6e 100644 --- a/libavcodec/vulkan_video_codec_av1std_decode.h +++ b/libavcodec/vulkan_video_codec_av1std_decode_mesa.h @@ -14,8 +14,8 @@ * limitations under the License. */ -#ifndef VULKAN_VIDEO_CODEC_AV1STD_DECODE_H_ -#define VULKAN_VIDEO_CODEC_AV1STD_DECODE_H_ 1 +#ifndef VULKAN_VIDEO_CODEC_AV1STD_DECODE_MESA_H_ +#define VULKAN_VIDEO_CODEC_AV1STD_DECODE_MESA_H_ 1 /* ** This header is NOT YET generated from the Khronos Vulkan XML API Registry. 
diff --git a/libavcodec/vulkan_video_codec_av1std.h b/libavcodec/vulkan_video_codec_av1std_mesa.h similarity index 99% rename from libavcodec/vulkan_video_codec_av1std.h rename to libavcodec/vulkan_video_codec_av1std_mesa.h index c46236c457..c91589eee2 100644 --- a/libavcodec/vulkan_video_codec_av1std.h +++ b/libavcodec/vulkan_video_codec_av1std_mesa.h @@ -14,8 +14,8 @@ * limitations under the License. */ -#ifndef VULKAN_VIDEO_CODEC_AV1STD_H_ -#define VULKAN_VIDEO_CODEC_AV1STD_H_ 1 +#ifndef VULKAN_VIDEO_CODEC_AV1STD_MESA_H_ +#define VULKAN_VIDEO_CODEC_AV1STD_MESA_H_ 1 /* ** This header is NOT YET generated from the Khronos Vulkan XML API Registry. diff --git a/tests/ref/fate/source b/tests/ref/fate/source index c575789dd5..8bb58b61f1 100644 --- a/tests/ref/fate/source +++ b/tests/ref/fate/source @@ -23,8 +23,8 @@ compat/djgpp/math.h compat/float/float.h compat/float/limits.h libavcodec/bitstream_template.h -libavcodec/vulkan_video_codec_av1std.h -libavcodec/vulkan_video_codec_av1std_decode.h +libavcodec/vulkan_video_codec_av1std_decode_mesa.h +libavcodec/vulkan_video_codec_av1std_mesa.h tools/decode_simple.h Use of av_clip() where av_clip_uintp2() could be used: Use of av_clip() where av_clip_intp2() could be used: From a267d4ad4c92e15e4a1db361f5c1c77c06ba7560 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Tue, 20 Feb 2024 20:00:16 +0200 Subject: [PATCH 088/606] avcodec/av1dec: fix matrix coefficients exposed by codec context `colorspace` in avcodec terms means `matrix coefficients`. Reviewed-by: James Almer (cherry picked from commit 37936b09ce316c32c456539afeb748d472088135) --- libavcodec/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 4dcde234c6..4ae050addf 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c 
@@ -736,7 +736,7 @@ static int set_context_with_sequence(AVCodecContext *avctx, avctx->color_range = seq->color_config.color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; avctx->color_primaries = seq->color_config.color_primaries; - avctx->colorspace = seq->color_config.color_primaries; + avctx->colorspace = seq->color_config.matrix_coefficients; avctx->color_trc = seq->color_config.transfer_characteristics; switch (seq->color_config.chroma_sample_position) { From d6399d50aee3bb444fd823e5eba48f5a32827acc Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 29 Jan 2024 20:41:34 -0300 Subject: [PATCH 089/606] avcodec/cbs_h266: fix logic setting num_layers_in_ols when vps_ols_mode_idc is 2 The old code did not follow the syntax from the spec. Reviewed-by: Frank Plowman Signed-off-by: James Almer (cherry picked from commit 66f028accbcc88d56716065f7a40a681a798064a) --- libavcodec/cbs_h266_syntax_template.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 5a34200a18..a4c1363ba6 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -902,11 +902,10 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw, current->vps_ols_mode_idc == 1) { num_layers_in_ols = i + 1; } else if (current->vps_ols_mode_idc == 2) { - for (k = 0, j = 0; k <= current->vps_max_layers_minus1; k++) { + for (k = 0, j = 0; k <= current->vps_max_layers_minus1; k++) if (layer_included_in_ols_flag[i][k]) j++; - num_layers_in_ols = j; - } + num_layers_in_ols = j; } if (num_layers_in_ols > 1) { num_multi_layer_olss++; From 61628a44eb8e7a8abc884bf3f7f0b9158229248a Mon Sep 17 00:00:00 2001 
From: Frank Plowman Date: Tue, 30 Jan 2024 09:40:57 +0000 Subject: [PATCH 090/606] lavc/vvc: Add check to num_multi_layer_olss Check that vps_each_layer_is_an_ols_flag, which indicates that "at least one OLS specified by the VPS contains more than one layer," is set if num_multi_layer_olss is non-zero. Fixes: 65160/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-4665241535119360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Frank Plowman Signed-off-by: James Almer (cherry picked from commit 36a986d9a193e39382de4bac95e2e314cc30ca7a) --- libavcodec/cbs_h266_syntax_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index a4c1363ba6..d2e63f6016 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -911,6 +911,8 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw, num_multi_layer_olss++; } } + if (!current->vps_each_layer_is_an_ols_flag && num_multi_layer_olss == 0) + return AVERROR_INVALIDDATA; } for (i = 0; i <= current->vps_num_ptls_minus1; i++) { From db36dfc9baaa735e72aaf3e606bf1801780dce49 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 27 Jan 2024 04:13:32 +0100 Subject: [PATCH 091/606] avcodec/cbs_h266_syntax_template: check aps_adaptation_parameter_set_id "When aps_params_type is equal to ALF_APS or SCALING_APS, the value of aps_adaptation_parameter_set_id shall be in the range of 0 to 7, inclusive. When aps_params_type is equal to LMCS_APS, the value of aps_adaptation_parameter_set_id shall be in the range of 0 to 3, inclusive." Fixes: out of array accesses Fixes: 65932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4563412340244480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
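Review bot: The added test `!current->vps_each_layer_is_an_ols_flag && num_multi_layer_olss == 0` in the vps function returns AVERROR_INVALIDDATA with no comment and no log line, and the commit description words the constraint the other way round from the code. A comment naming the rule being enforced would remove the ambiguity, e.g. `/* vps_each_layer_is_an_ols_flag == 0 requires at least one OLS with more than one layer */`. A message through the context's log before the return would also help, since this path is reached from fuzzed streams and the error code alone does not say which field was rejected. The function body extends beyond the hunk on both sides.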
Signed-off-by: Michael Niedermayer (cherry picked from commit cc774cd96249e95b4ee4989c516881f0ad07e5f9) --- libavcodec/cbs_h266_syntax_template.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index d2e63f6016..34c8ca6fe3 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -2456,6 +2456,7 @@ static int FUNC(scaling_list_data)(CodedBitstreamContext *ctx, RWContext *rw, static int FUNC(aps)(CodedBitstreamContext *ctx, RWContext *rw, H266RawAPS *current, int prefix) { + int aps_id_max = MAX_UINT_BITS(5); int err; if (prefix) @@ -2468,7 +2469,12 @@ static int FUNC(aps)(CodedBitstreamContext *ctx, RWContext *rw, : VVC_SUFFIX_APS_NUT)); ub(3, aps_params_type); - ub(5, aps_adaptation_parameter_set_id); + if (current->aps_params_type == VVC_ASP_TYPE_ALF || + current->aps_params_type == VVC_ASP_TYPE_SCALING) + aps_id_max = 7; + else if (current->aps_params_type == VVC_ASP_TYPE_LMCS) + aps_id_max = 3; + u(5, aps_adaptation_parameter_set_id, 0, aps_id_max); flag(aps_chroma_present_flag); if (current->aps_params_type == VVC_ASP_TYPE_ALF) CHECK(FUNC(alf_data)(ctx, rw, current)); From bebaad4371c6e75502607f177c5b8d5864b7ab81 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 21 Feb 2024 21:16:17 +0100 Subject: [PATCH 092/606] avcodec/cbs_h266_syntax_template: Don't omit unused function parameter The calls to the sei_decoded_picture_hash read and write functions are performed with four pointer arguments; just because one of them is unused by the callees does not mean that they can be omitted: This is undefined behaviour. (This was not recognized because the SEI_MESSAGE_RW macro contains casts.) Reviewed-by: Mark Thompson Signed-off-by: Andreas Rheinhardt (cherry picked from commit 484e7716bc9c79ead7b345e38197d414d5cdccc8) --- libavcodec/cbs_h266_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 34c8ca6fe3..e8deb6bf13 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -3431,7 +3431,7 @@ static int FUNC(slice_header) (CodedBitstreamContext *ctx, RWContext *rw, static int FUNC(sei_decoded_picture_hash) (CodedBitstreamContext *ctx, RWContext *rw, H266RawSEIDecodedPictureHash * - current) + current, SEIMessageState *unused) { int err, c_idx, i; From adef13da94386624263adae1c88ad9cd14dbe7d3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 25 Feb 2024 02:16:27 +0100 Subject: [PATCH 093/606] avcodec/cbs_h2645: Avoid function pointer casts, fix UB The SEI message read/write functions are called via function pointers where the SEI message-specific context is passed as void*. But the actual function definitions use a pointer to their proper context in place of void*, making the calls undefined behaviour. Clang UBSan 17 warns about this. This commit fixes this by adding wrapper functions (created via macros) that have the right type that call the actual functions. This reduced the number of failing FATE tests with UBSan from 164 to 85 here. Reviewed-by: Mark Thompson Signed-off-by: Andreas Rheinhardt (cherry picked from commit ab2173c0a530622a0e8683cbd66f8e5aff7a2916) --- libavcodec/cbs_h2645.c | 15 +++++++ libavcodec/cbs_h264_syntax_template.c | 35 ++++++++-------- libavcodec/cbs_h265_syntax_template.c | 58 +++++++++++++-------------- libavcodec/cbs_h266_syntax_template.c | 8 ++-- libavcodec/cbs_sei.h | 7 ---- libavcodec/cbs_sei_syntax_template.c | 47 +++++++++++----------- 6 files changed, 88 insertions(+), 82 deletions(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index c48a06b241..ccd0626472 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c 
@@ -235,6 +235,16 @@ static int cbs_h265_payload_extension_present(GetBitContext *gbc, uint32_t paylo #define FUNC_H266(name) FUNC_NAME1(READWRITE, h266, name) #define FUNC_SEI(name) FUNC_NAME1(READWRITE, sei, name) +#define SEI_FUNC(name, args) \ +static int FUNC(name) args; \ +static int FUNC(name ## _internal)(CodedBitstreamContext *ctx, \ + RWContext *rw, void *cur, \ + SEIMessageState *state) \ +{ \ + return FUNC(name)(ctx, rw, cur, state); \ +} \ +static int FUNC(name) args + #define SUBSCRIPTS(subs, ...) (subs > 0 ? ((int[subs + 1]){ subs, __VA_ARGS__ }) : NULL) #define u(width, name, range_min, range_max) \ @@ -2069,6 +2079,11 @@ const CodedBitstreamType ff_cbs_type_h266 = { .close = &cbs_h266_close, }; +// Macro for the read/write pair. +#define SEI_MESSAGE_RW(codec, name) \ + .read = cbs_ ## codec ## _read_ ## name ## _internal, \ + .write = cbs_ ## codec ## _write_ ## name ## _internal + static const SEIMessageTypeDescriptor cbs_sei_common_types[] = { { SEI_TYPE_FILLER_PAYLOAD, diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 0f8bba4a0d..4d2d303722 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -510,9 +510,9 @@ static int FUNC(pps)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(sei_buffering_period)(CodedBitstreamContext *ctx, RWContext *rw, - H264RawSEIBufferingPeriod *current, - SEIMessageState *sei) +SEI_FUNC(sei_buffering_period, (CodedBitstreamContext *ctx, RWContext *rw, + H264RawSEIBufferingPeriod *current, + SEIMessageState *sei)) { CodedBitstreamH264Context *h264 = ctx->priv_data; const H264RawSPS *sps; 
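Review bot: The new `SEI_FUNC` macro in cbs_h2645.c has no comment, while the explanation that used to sit above `SEI_MESSAGE_RW` in cbs_sei.h is removed by this patch. The macro does three things in one expansion: it forward-declares the typed function, emits a `_internal` wrapper taking `void *cur`, and reopens the typed definition. A reader of the syntax templates only sees `SEI_FUNC(name, (args))` followed by a body. A header comment should say that the wrapper exists so the descriptor table stores a function of exactly the SEIMessageReadFunction/SEIMessageWriteFunction type, and that calling the typed function through a cast pointer is undefined behaviour; a short form would be `/* typed SEI handler plus a void*-taking wrapper for the descriptor table; avoids calling through a cast function pointer */`.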
@@ -604,9 +604,8 @@ static int FUNC(sei_pic_timestamp)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(sei_pic_timing)(CodedBitstreamContext *ctx, RWContext *rw, - H264RawSEIPicTiming *current, - SEIMessageState *sei) +SEI_FUNC(sei_pic_timing, (CodedBitstreamContext *ctx, RWContext *rw, + H264RawSEIPicTiming *current, SEIMessageState *sei)) { CodedBitstreamH264Context *h264 = ctx->priv_data; const H264RawSPS *sps; @@ -676,9 +675,9 @@ static int FUNC(sei_pic_timing)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(sei_pan_scan_rect)(CodedBitstreamContext *ctx, RWContext *rw, - H264RawSEIPanScanRect *current, - SEIMessageState *sei) +SEI_FUNC(sei_pan_scan_rect, (CodedBitstreamContext *ctx, RWContext *rw, + H264RawSEIPanScanRect *current, + SEIMessageState *sei)) { int err, i; @@ -703,9 +702,9 @@ static int FUNC(sei_pan_scan_rect)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(sei_recovery_point)(CodedBitstreamContext *ctx, RWContext *rw, - H264RawSEIRecoveryPoint *current, - SEIMessageState *sei) +SEI_FUNC(sei_recovery_point, (CodedBitstreamContext *ctx, RWContext *rw, + H264RawSEIRecoveryPoint *current, + SEIMessageState *sei)) { int err; @@ -719,9 +718,9 @@ static int FUNC(sei_recovery_point)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(film_grain_characteristics)(CodedBitstreamContext *ctx, RWContext *rw, - H264RawFilmGrainCharacteristics *current, - SEIMessageState *state) +SEI_FUNC(film_grain_characteristics, (CodedBitstreamContext *ctx, RWContext *rw, + H264RawFilmGrainCharacteristics *current, + SEIMessageState *state)) { CodedBitstreamH264Context *h264 = ctx->priv_data; const H264RawSPS *sps; 
@@ -802,9 +801,9 @@ static int FUNC(film_grain_characteristics)(CodedBitstreamContext *ctx, RWContex return 0; } -static int FUNC(sei_display_orientation)(CodedBitstreamContext *ctx, RWContext *rw, - H264RawSEIDisplayOrientation *current, - SEIMessageState *sei) +SEI_FUNC(sei_display_orientation, (CodedBitstreamContext *ctx, RWContext *rw, + H264RawSEIDisplayOrientation *current, + SEIMessageState *sei)) { int err; diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 2d4b954718..86ca00a0c9 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -1618,9 +1618,9 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(sei_buffering_period) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIBufferingPeriod *current, SEIMessageState *sei) +SEI_FUNC(sei_buffering_period, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIBufferingPeriod *current, + SEIMessageState *sei)) { CodedBitstreamH265Context *h265 = ctx->priv_data; const H265RawSPS *sps; @@ -1728,9 +1728,8 @@ static int FUNC(sei_buffering_period) return 0; } -static int FUNC(sei_pic_timing) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIPicTiming *current, SEIMessageState *sei) +SEI_FUNC(sei_pic_timing, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIPicTiming *current, SEIMessageState *sei)) { CodedBitstreamH265Context *h265 = ctx->priv_data; const H265RawSPS *sps; @@ -1804,9 +1803,9 @@ static int FUNC(sei_pic_timing) return 0; } -static int FUNC(sei_pan_scan_rect) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIPanScanRect *current, SEIMessageState *sei) +SEI_FUNC(sei_pan_scan_rect, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIPanScanRect *current, + SEIMessageState *sei)) { int err, i; 
@@ -1831,9 +1830,9 @@ static int FUNC(sei_pan_scan_rect) return 0; } -static int FUNC(sei_recovery_point) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIRecoveryPoint *current, SEIMessageState *sei) +SEI_FUNC(sei_recovery_point, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIRecoveryPoint *current, + SEIMessageState *sei)) { int err; @@ -1847,9 +1846,9 @@ static int FUNC(sei_recovery_point) return 0; } -static int FUNC(film_grain_characteristics)(CodedBitstreamContext *ctx, RWContext *rw, - H265RawFilmGrainCharacteristics *current, - SEIMessageState *state) +SEI_FUNC(film_grain_characteristics, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawFilmGrainCharacteristics *current, + SEIMessageState *state)) { CodedBitstreamH265Context *h265 = ctx->priv_data; const H265RawSPS *sps = h265->active_sps; @@ -1912,9 +1911,9 @@ static int FUNC(film_grain_characteristics)(CodedBitstreamContext *ctx, RWContex return 0; } -static int FUNC(sei_display_orientation) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIDisplayOrientation *current, SEIMessageState *sei) +SEI_FUNC(sei_display_orientation, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIDisplayOrientation *current, + SEIMessageState *sei)) { int err; @@ -1931,9 +1930,9 @@ static int FUNC(sei_display_orientation) return 0; } -static int FUNC(sei_active_parameter_sets) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIActiveParameterSets *current, SEIMessageState *sei) +SEI_FUNC(sei_active_parameter_sets, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIActiveParameterSets *current, + SEIMessageState *sei)) { CodedBitstreamH265Context *h265 = ctx->priv_data; const H265RawVPS *vps; 
@@ -1968,9 +1967,9 @@ static int FUNC(sei_active_parameter_sets) return 0; } -static int FUNC(sei_decoded_picture_hash) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIDecodedPictureHash *current, SEIMessageState *sei) +SEI_FUNC(sei_decoded_picture_hash, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIDecodedPictureHash *current, + SEIMessageState *sei)) { CodedBitstreamH265Context *h265 = ctx->priv_data; const H265RawSPS *sps = h265->active_sps; @@ -2000,9 +1999,8 @@ static int FUNC(sei_decoded_picture_hash) return 0; } -static int FUNC(sei_time_code) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEITimeCode *current, SEIMessageState *sei) +SEI_FUNC(sei_time_code, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEITimeCode *current, SEIMessageState *sei)) { int err, i; @@ -2051,9 +2049,9 @@ static int FUNC(sei_time_code) return 0; } -static int FUNC(sei_alpha_channel_info) - (CodedBitstreamContext *ctx, RWContext *rw, - H265RawSEIAlphaChannelInfo *current, SEIMessageState *sei) +SEI_FUNC(sei_alpha_channel_info, (CodedBitstreamContext *ctx, RWContext *rw, + H265RawSEIAlphaChannelInfo *current, + SEIMessageState *sei)) { int err, length; diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index e8deb6bf13..fb0ca55ce3 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -3428,10 +3428,10 @@ static int FUNC(slice_header) (CodedBitstreamContext *ctx, RWContext *rw, return 0; } -static int FUNC(sei_decoded_picture_hash) (CodedBitstreamContext *ctx, - RWContext *rw, - H266RawSEIDecodedPictureHash * - current, SEIMessageState *unused) +SEI_FUNC(sei_decoded_picture_hash, (CodedBitstreamContext *ctx, + RWContext *rw, + H266RawSEIDecodedPictureHash *current, + SEIMessageState *unused)) { int err, c_idx, i; diff --git a/libavcodec/cbs_sei.h b/libavcodec/cbs_sei.h index 4511c506cc..ec7cdb62f0 100644 --- a/libavcodec/cbs_sei.h +++ b/libavcodec/cbs_sei.h 
@@ -126,13 +126,6 @@ typedef struct SEIMessageTypeDescriptor { SEIMessageWriteFunction write; } SEIMessageTypeDescriptor; -// Macro for the read/write pair. The clumsy cast is needed because the -// current pointer is typed in all of the read/write functions but has to -// be void here to fit all cases. -#define SEI_MESSAGE_RW(codec, name) \ - .read = (SEIMessageReadFunction) cbs_ ## codec ## _read_ ## name, \ - .write = (SEIMessageWriteFunction)cbs_ ## codec ## _write_ ## name - // End-of-list sentinel element. #define SEI_MESSAGE_TYPE_END { .type = -1 } diff --git a/libavcodec/cbs_sei_syntax_template.c b/libavcodec/cbs_sei_syntax_template.c index 62dd1dabaa..81448ef3f2 100644 --- a/libavcodec/cbs_sei_syntax_template.c +++ b/libavcodec/cbs_sei_syntax_template.c @@ -16,9 +16,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -static int FUNC(filler_payload) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawFillerPayload *current, SEIMessageState *state) +SEI_FUNC(filler_payload, (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawFillerPayload *current, + SEIMessageState *state)) { int err, i; @@ -34,9 +34,9 @@ static int FUNC(filler_payload) return 0; } -static int FUNC(user_data_registered) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawUserDataRegistered *current, SEIMessageState *state) +SEI_FUNC(user_data_registered, (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawUserDataRegistered *current, + SEIMessageState *state)) { int err, i, j; @@ -66,9 +66,9 @@ static int FUNC(user_data_registered) return 0; } -static int FUNC(user_data_unregistered) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawUserDataUnregistered *current, SEIMessageState *state) +SEI_FUNC(user_data_unregistered, (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawUserDataUnregistered *current, + SEIMessageState *state)) { int err, i; 
@@ -94,9 +94,10 @@ static int FUNC(user_data_unregistered) return 0; } -static int FUNC(mastering_display_colour_volume) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawMasteringDisplayColourVolume *current, SEIMessageState *state) +SEI_FUNC(mastering_display_colour_volume, + (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawMasteringDisplayColourVolume *current, + SEIMessageState *state)) { int err, c; @@ -116,9 +117,9 @@ static int FUNC(mastering_display_colour_volume) return 0; } -static int FUNC(content_light_level_info) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawContentLightLevelInfo *current, SEIMessageState *state) +SEI_FUNC(content_light_level_info, (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawContentLightLevelInfo *current, + SEIMessageState *state)) { int err; @@ -130,10 +131,10 @@ static int FUNC(content_light_level_info) return 0; } -static int FUNC(alternative_transfer_characteristics) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawAlternativeTransferCharacteristics *current, - SEIMessageState *state) +SEI_FUNC(alternative_transfer_characteristics, + (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawAlternativeTransferCharacteristics *current, + SEIMessageState *state)) { int err; @@ -144,10 +145,10 @@ static int FUNC(alternative_transfer_characteristics) return 0; } -static int FUNC(ambient_viewing_environment) - (CodedBitstreamContext *ctx, RWContext *rw, - SEIRawAmbientViewingEnvironment *current, - SEIMessageState *state) +SEI_FUNC(ambient_viewing_environment, + (CodedBitstreamContext *ctx, RWContext *rw, + SEIRawAmbientViewingEnvironment *current, + SEIMessageState *state)) { static const uint16_t max_ambient_light_value = 50000; int err; From 192fca4b596b81aabdd8823871828d5899d2699b Mon Sep 17 00:00:00 2001 
From: Frank Plowman Date: Sun, 25 Feb 2024 17:51:01 +0000 Subject: [PATCH 094/606] lavc/vvc: Correct sps_num_subpics_minus1 minimum MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The spec says "the value of sps_num_subpics_minus1 shall be in the range of 0 to MaxSlicesPerAu − 1, inclusive." Signed-off-by: Frank Plowman Signed-off-by: James Almer (cherry picked from commit 53ab7ff67e7ee9e7cae5cb0449203a7951cbe029) --- libavcodec/cbs_h266_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index fb0ca55ce3..ad9dcbc93c 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -1130,7 +1130,7 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw, flag(sps_subpic_info_present_flag); if (current->sps_subpic_info_present_flag) { - ue(sps_num_subpics_minus1, 1, VVC_MAX_SLICES - 1); + ue(sps_num_subpics_minus1, 0, VVC_MAX_SLICES - 1); if (current->sps_num_subpics_minus1 > 0) { flag(sps_independent_subpics_flag); flag(sps_subpic_same_size_flag); From f9b68bc9a566ff73cd8fead599b22f436599bdeb Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Sun, 25 Feb 2024 22:30:42 +0000 Subject: [PATCH 095/606] lavc/vvc: Read subpic ID when only one subpicture is present Previously, the following syntax elements were not read in the case sps_num_subpics_minus is 0: * sps_subpic_id_len_minus1 * sps_subpic_id_mapping_explicitly_signalled_flag * sps_subpic_id_mapping_present_flag * sps_subpic_id[i] This was causing failures to decode bitstreams, for example the DVB's "VVC HDR UHDTV1 OpenGOP 3840x2160 50fps HLG10 PiP" V&V bitstream. Patch fixes this by moving the reads for these syntax elements out a scope. Signed-off-by: Frank Plowman 
Signed-off-by: James Almer (cherry picked from commit 8b6219a99d80cabf87c50170c009fe93092e32bd) --- libavcodec/cbs_h266_syntax_template.c | 36 +++++++++++++-------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index ad9dcbc93c..2c9988341b 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c 
@@ -1213,30 +1213,30 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw, infer(sps_loop_filter_across_subpic_enabled_flag[i], 0); } } - ue(sps_subpic_id_len_minus1, 0, 15); - if ((1 << (current->sps_subpic_id_len_minus1 + 1)) < - current->sps_num_subpics_minus1 + 1) { - av_log(ctx->log_ctx, AV_LOG_ERROR, - "sps_subpic_id_len_minus1(%d) is too small\n", - current->sps_subpic_id_len_minus1); - return AVERROR_INVALIDDATA; - } - flag(sps_subpic_id_mapping_explicitly_signalled_flag); - if (current->sps_subpic_id_mapping_explicitly_signalled_flag) { - flag(sps_subpic_id_mapping_present_flag); - if (current->sps_subpic_id_mapping_present_flag) { - for (i = 0; i <= current->sps_num_subpics_minus1; i++) { - ubs(current->sps_subpic_id_len_minus1 + 1, - sps_subpic_id[i], 1, i); - } - } - } } else { infer(sps_subpic_ctu_top_left_x[0], 0); infer(sps_subpic_ctu_top_left_y[0], 0); infer(sps_subpic_width_minus1[0], tmp_width_val - 1); infer(sps_subpic_height_minus1[0], tmp_height_val - 1); } + ue(sps_subpic_id_len_minus1, 0, 15); + if ((1 << (current->sps_subpic_id_len_minus1 + 1)) < + current->sps_num_subpics_minus1 + 1) { + av_log(ctx->log_ctx, AV_LOG_ERROR, + "sps_subpic_id_len_minus1(%d) is too small\n", + current->sps_subpic_id_len_minus1); + return AVERROR_INVALIDDATA; + } + flag(sps_subpic_id_mapping_explicitly_signalled_flag); + if (current->sps_subpic_id_mapping_explicitly_signalled_flag) { + flag(sps_subpic_id_mapping_present_flag); + if (current->sps_subpic_id_mapping_present_flag) { + for (i = 0; i <= current->sps_num_subpics_minus1; i++) { + ubs(current->sps_subpic_id_len_minus1 + 1, + sps_subpic_id[i], 1, i); + } + } + } } else { infer(sps_num_subpics_minus1, 0); infer(sps_independent_subpics_flag, 1); From 25abb63bfc4f99d94124ccd7b80f1eec4a7e6f67 Mon Sep 17 00:00:00 2001 
From: Gyan Doshi Date: Wed, 8 Nov 2023 10:15:19 +0530 Subject: [PATCH 096/606] avcodec/libsvtav1: add version guard for external param Setting of external param 'force_key_frames' was added in 7bcc1b4eb8. It is available since v1.1.0 but ffmpeg allows linking against v0.9.0. (cherry picked from commit 67a2571a5547d39990e7f709f24d7a5b452ff8b9) --- libavcodec/libsvtav1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index 8d2c7f3be4..862192945b 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c @@ -250,6 +250,7 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, if (avctx->gop_size > 1) param->intra_period_length = avctx->gop_size - 1; +#if SVT_AV1_CHECK_VERSION(1, 1, 0) // In order for SVT-AV1 to force keyframes by setting pic_type to // EB_AV1_KEY_PICTURE on any frame, force_key_frames has to be set. Note // that this does not force all frames to be keyframes (it only forces a @@ -260,6 +261,7 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, // to be updated to set force_key_frames accordingly. if (avctx->gop_size == 1) param->force_key_frames = 1; +#endif if (avctx->framerate.num > 0 && avctx->framerate.den > 0) { param->frame_rate_numerator = avctx->framerate.num; From 33efa50fa4508567b1d84d0a84728b400e492a6a Mon Sep 17 00:00:00 2001 From: Cosmin Stejerean Date: Fri, 23 Feb 2024 23:21:39 +0000 Subject: [PATCH 097/606] avcodec/libsvtav1: send the EOS signal without a one frame delay to allow for the library to operate in a low-delay mode Co-authored-by: Amir Naghdinezhad Signed-off-by: Cosmin Stejerean Signed-off-by: James Almer (cherry picked from commit 69dd1ce610fcffec453a0663c613c9b13165fd9e) --- libavcodec/libsvtav1.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index 862192945b..66486591f2 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c 
@@ -539,6 +539,14 @@ static int eb_receive_packet(AVCodecContext *avctx, AVPacket *pkt) if (svt_ret == EB_NoErrorEmptyQueue) return AVERROR(EAGAIN); +#if SVT_AV1_CHECK_VERSION(2, 0, 0) + if (headerPtr->flags & EB_BUFFERFLAG_EOS) { + svt_enc->eos_flag = EOS_RECEIVED; + svt_av1_enc_release_out_buffer(&headerPtr); + return AVERROR_EOF; + } +#endif + ref = get_output_ref(avctx, svt_enc, headerPtr->n_filled_len); if (!ref) { av_log(avctx, AV_LOG_ERROR, "Failed to allocate output packet.\n"); @@ -573,8 +581,10 @@ static int eb_receive_packet(AVCodecContext *avctx, AVPacket *pkt) if (headerPtr->pic_type == EB_AV1_NON_REF_PICTURE) pkt->flags |= AV_PKT_FLAG_DISPOSABLE; +#if !(SVT_AV1_CHECK_VERSION(2, 0, 0)) if (headerPtr->flags & EB_BUFFERFLAG_EOS) svt_enc->eos_flag = EOS_RECEIVED; +#endif ff_side_data_set_encoder_stats(pkt, headerPtr->qp * FF_QP2LAMBDA, NULL, 0, pict_type); From 98436c51becde56a961f3faad3037a17d64f310c Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Wed, 13 Mar 2024 20:03:42 +0100 Subject: [PATCH 098/606] avutil/hwcontext_d3d11va: prefer DXGI 1.1 factory when available A lot of modern stuff straight up fails on the old 1.0 factory, which is masked by the fact that it's only used when an explicit adapter is specified. --- libavutil/hwcontext_d3d11va.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index cc8c97d2b6..26cebbb650 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c 
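Review bot: In eb_receive_packet (libsvtav1.c) the new SVT-AV1 >= 2.0 branch releases any buffer flagged EB_BUFFERFLAG_EOS and returns AVERROR_EOF before n_filled_len is looked at, so frame data carried by that buffer would be dropped without a log line. If the library's contract is that the EOS buffer is always empty, record that above the check, for example `/* SVT-AV1 >= 2.0 signals EOS in a separate buffer that is assumed to carry no frame data */`; otherwise take the early return only when `headerPtr->n_filled_len == 0`. The function body starts and ends outside the hunk, so whether headerPtr can be NULL here for return codes other than EB_NoErrorEmptyQueue cannot be judged from these lines.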
@@ -62,7 +62,9 @@ static av_cold void load_functions(void) return; mD3D11CreateDevice = (PFN_D3D11_CREATE_DEVICE) GetProcAddress(d3dlib, "D3D11CreateDevice"); - mCreateDXGIFactory = (PFN_CREATE_DXGI_FACTORY) GetProcAddress(dxgilib, "CreateDXGIFactory"); + mCreateDXGIFactory = (PFN_CREATE_DXGI_FACTORY) GetProcAddress(dxgilib, "CreateDXGIFactory1"); + if (!mCreateDXGIFactory) + mCreateDXGIFactory = (PFN_CREATE_DXGI_FACTORY) GetProcAddress(dxgilib, "CreateDXGIFactory"); #else // In UWP (which lacks LoadLibrary), CreateDXGIFactory isn't available, // only CreateDXGIFactory1 From 9e0cfc48ac6a3111f21a4515a3b158e3b3f99e52 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Fri, 16 Feb 2024 20:13:43 +0100 Subject: [PATCH 099/606] avformat/mxfdec: move resolving Descriptors to the multi descriptor resolve function Also remove unused descriptor member from MXFPackage. Signed-off-by: Marton Balint (cherry picked from commit 41672f558673151e77798f8a184fc1d3e60b16b9) --- libavformat/mxfdec.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e42975e7fd..4e4e3e7a84 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -266,7 +266,6 @@ typedef struct MXFPackage { UID package_ul; UID *tracks_refs; int tracks_count; - MXFDescriptor *descriptor; /* only one */ UID descriptor_ref; char *name; UID *comment_refs; @@ -2257,11 +2256,12 @@ static MXFPackage* mxf_resolve_source_package(MXFContext *mxf, UID package_ul, U return NULL; } -static MXFDescriptor* mxf_resolve_multidescriptor(MXFContext *mxf, MXFDescriptor *descriptor, int track_id) +static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, int track_id) { - MXFDescriptor *file_descriptor = NULL; + MXFDescriptor *descriptor, *file_descriptor = NULL; int i; + descriptor = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); if (!descriptor) return NULL; 
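Review bot: In load_functions (hwcontext_d3d11va.c) the address of CreateDXGIFactory1 is now cast to PFN_CREATE_DXGI_FACTORY and stored in a variable named after the 1.0 entry point, with nothing saying why calling it through that type is valid. Both entry points take the same (REFIID, void **) arguments, so a short comment above the lookup would record the reasoning, for example `/* CreateDXGIFactory1 has the same signature as CreateDXGIFactory; prefer it and fall back to the 1.0 entry point */`. mCreateDXGIFactory is still NULL when both lookups fail; the check for that, if there is one, lies outside this hunk.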
@@ -2782,8 +2782,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st->id = material_track->track_id; st->priv_data = source_track; - source_package->descriptor = mxf_resolve_strong_ref(mxf, &source_package->descriptor_ref, AnyType); - descriptor = mxf_resolve_multidescriptor(mxf, source_package->descriptor, source_track->track_id); + descriptor = mxf_resolve_descriptor(mxf, &source_package->descriptor_ref, source_track->track_id); /* A SourceClip from a EssenceGroup may only be a single frame of essence data. The clips duration is then how many * frames its suppose to repeat for. Descriptor->duration, if present, contains the real duration of the essence data */ From 2af975f2c1d3ffd42a681e0df6a6ffdddd4bb465 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Fri, 16 Feb 2024 21:53:16 +0100 Subject: [PATCH 100/606] avformat/mxfdec: do not use AnyType when resolving Descriptors and MultipleDescriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By using AnyType for resolving a strong reference we searched among all types, not just the ones which can be the target of the reference, which in some cases caused to find the wrong type, if the metadata set UUIDs were not unique. UUIDs do not have to be unique if their type sets them apart, SMPTE 377M says: > StrongRef: 'One to One’ relationship between sets and implemented in MXF > with UUIDs. Strong References are typed which means that the definition > identifies the kind of set which is the target of the reference. Fixes ticket #10865. Signed-off-by: Marton Balint (cherry picked from commit 68f2b32ef2b29aa95488531b007adde92ca82165) --- libavformat/mxfdec.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4e4e3e7a84..446bcf3276 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -2258,16 +2258,14 @@ static MXFPackage* mxf_resolve_source_package(MXFContext *mxf, UID package_ul, U static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, int track_id) { - MXFDescriptor *descriptor, *file_descriptor = NULL; - int i; + MXFDescriptor *descriptor = mxf_resolve_strong_ref(mxf, strong_ref, Descriptor); + if (descriptor) + return descriptor; - descriptor = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); - if (!descriptor) - return NULL; - - if (descriptor->meta.type == MultipleDescriptor) { - for (i = 0; i < descriptor->file_descriptors_count; i++) { - file_descriptor = mxf_resolve_strong_ref(mxf, &descriptor->file_descriptors_refs[i], Descriptor); + descriptor = mxf_resolve_strong_ref(mxf, strong_ref, MultipleDescriptor); + if (descriptor) { + for (int i = 0; i < descriptor->file_descriptors_count; i++) { + MXFDescriptor *file_descriptor = mxf_resolve_strong_ref(mxf, &descriptor->file_descriptors_refs[i], Descriptor); if (!file_descriptor) { av_log(mxf->fc, AV_LOG_ERROR, "could not resolve file descriptor strong ref\n"); @@ -2277,8 +2275,7 @@ static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, i return file_descriptor; } } - } else if (descriptor->meta.type == Descriptor) - return descriptor; + } return NULL; } From 0c4777a569448ba007552317ad1d0b7d088b9de7 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 20 Feb 2024 22:34:37 +0100 Subject: [PATCH 101/606] avformat/libsrt: use SRT_EPOLL_IN for waiting for an incoming connection This is the proper poll mode for waiting for an incoming connection according to the SRT API docs. Fixes ticket #9142. Signed-off-by: Marton Balint (cherry picked from commit 87677c2195e86b126c3438439a05d0a46ae5bb50) --- libavformat/libsrt.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavformat/libsrt.c b/libavformat/libsrt.c index cd8f5b1e7d..1fb97392c3 100644 --- a/libavformat/libsrt.c +++ b/libavformat/libsrt.c 
@@ -249,7 +249,7 @@ static int libsrt_listen(int eid, int fd, const struct sockaddr *addr, socklen_t if (srt_listen(fd, 1)) return libsrt_neterrno(h); - ret = libsrt_network_wait_fd_timeout(h, eid, 1, timeout, &h->interrupt_callback); + ret = libsrt_network_wait_fd_timeout(h, eid, 0, timeout, &h->interrupt_callback); if (ret < 0) return ret; @@ -390,7 +390,7 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) char hostname[1024],proto[1024],path[1024]; char portstr[10]; int64_t open_timeout = 0; - int eid, write_eid; + int eid; av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname), &port, path, sizeof(path), uri); @@ -454,18 +454,21 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) if (libsrt_socket_nonblock(fd, 1) < 0) av_log(h, AV_LOG_DEBUG, "libsrt_socket_nonblock failed\n"); - ret = write_eid = libsrt_epoll_create(h, fd, 1); - if (ret < 0) - goto fail1; if (s->mode == SRT_MODE_LISTENER) { + int read_eid = ret = libsrt_epoll_create(h, fd, 0); + if (ret < 0) + goto fail1; // multi-client - ret = libsrt_listen(write_eid, fd, cur_ai->ai_addr, cur_ai->ai_addrlen, h, s->listen_timeout); - srt_epoll_release(write_eid); + ret = libsrt_listen(read_eid, fd, cur_ai->ai_addr, cur_ai->ai_addrlen, h, s->listen_timeout); + srt_epoll_release(read_eid); if (ret < 0) goto fail1; srt_close(fd); fd = ret; } else { + int write_eid = ret = libsrt_epoll_create(h, fd, 1); + if (ret < 0) + goto fail1; if (s->mode == SRT_MODE_RENDEZVOUS) { if (srt_bind(fd, cur_ai->ai_addr, cur_ai->ai_addrlen)) { ret = libsrt_neterrno(h); From fafdcb2a35bf773526ccc24e26209c13d5c4bfff Mon Sep 17 00:00:00 2001 
From: Stone Chen Date: Sat, 24 Feb 2024 11:08:02 -0500 Subject: [PATCH 102/606] avfilter/vf_convolution: add float user_rdiv[4] to allow user options to apply correctly Previously to support dynamic reconfigurations of the matrix string (e.g. 0m), the rdiv values would always be cleared to 0.f, causing the rdiv to be recalculated based on the new filter. This however had the side effect of always ignoring user specified rdiv values. Instead float user_rdiv[0] is added to ConvolutionContext which will store the user specified rdiv values. Then the original rdiv array will store either the user_rdiv or the automatically calculated 1/sum. This fixes trac ticket #10294, #10867. Signed-off-by: Stone Chen Signed-off-by: Marton Balint (cherry picked from commit ef917950f0298a812bebfed2443626972a7d8f29) --- libavfilter/convolution.h | 3 ++- libavfilter/vf_convolution.c | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/libavfilter/convolution.h b/libavfilter/convolution.h index e44bfb5da8..ee7477ef89 100644 --- a/libavfilter/convolution.h +++ b/libavfilter/convolution.h @@ -34,13 +34,14 @@ typedef struct ConvolutionContext { const AVClass *class; char *matrix_str[4]; - float rdiv[4]; + float user_rdiv[4]; float bias[4]; int mode[4]; float scale; float delta; int planes; + float rdiv[4]; int size[4]; int depth; int max; diff --git a/libavfilter/vf_convolution.c b/libavfilter/vf_convolution.c index c1a63c9aa9..839621bc33 100644 --- a/libavfilter/vf_convolution.c +++ b/libavfilter/vf_convolution.c 
@@ -40,10 +40,10 @@ static const AVOption convolution_options[] = { { "1m", "set matrix for 2nd plane", OFFSET(matrix_str[1]), AV_OPT_TYPE_STRING, {.str="0 0 0 0 1 0 0 0 0"}, 0, 0, FLAGS }, { "2m", "set matrix for 3rd plane", OFFSET(matrix_str[2]), AV_OPT_TYPE_STRING, {.str="0 0 0 0 1 0 0 0 0"}, 0, 0, FLAGS }, { "3m", "set matrix for 4th plane", OFFSET(matrix_str[3]), AV_OPT_TYPE_STRING, {.str="0 0 0 0 1 0 0 0 0"}, 0, 0, FLAGS }, - { "0rdiv", "set rdiv for 1st plane", OFFSET(rdiv[0]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, - { "1rdiv", "set rdiv for 2nd plane", OFFSET(rdiv[1]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, - { "2rdiv", "set rdiv for 3rd plane", OFFSET(rdiv[2]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, - { "3rdiv", "set rdiv for 4th plane", OFFSET(rdiv[3]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, + { "0rdiv", "set rdiv for 1st plane", OFFSET(user_rdiv[0]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, + { "1rdiv", "set rdiv for 2nd plane", OFFSET(user_rdiv[1]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, + { "2rdiv", "set rdiv for 3rd plane", OFFSET(user_rdiv[2]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, + { "3rdiv", "set rdiv for 4th plane", OFFSET(user_rdiv[3]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, { "0bias", "set bias for 1st plane", OFFSET(bias[0]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, { "1bias", "set bias for 2nd plane", OFFSET(bias[1]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, { "2bias", "set bias for 3rd plane", OFFSET(bias[2]), AV_OPT_TYPE_FLOAT, {.dbl=0.0}, 0.0, INT_MAX, FLAGS}, @@ -674,7 +674,7 @@ static int param_init(AVFilterContext *ctx) p = orig = av_strdup(s->matrix_str[i]); if (p) { s->matrix_length[i] = 0; - s->rdiv[i] = 0.f; + s->rdiv[i] = s->user_rdiv[i]; sum = 0.f; while (s->matrix_length[i] < 49) { From d3145298c08d5d0e5d260d2aa16a0f250d540155 Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Sat, 17 Feb 2024 00:06:03 +0100 Subject: [PATCH 103/606] avformat/mxfdec: remove resolve_strong_ref usage with AnyType UUIDs do not have to be unique if their type sets them apart, so avoid using AnyType, since we are only interested in specific types. Signed-off-by: Marton Balint (cherry picked from commit aa299faa9ad2b01010acc4641b1f215d60a1336b) --- libavformat/mxf.h | 3 +-- libavformat/mxfdec.c | 54 ++++++++++++++++---------------------------- 2 files changed, 20 insertions(+), 37 deletions(-) diff --git a/libavformat/mxf.h b/libavformat/mxf.h index 2561605ce5..63fe90af20 100644 --- a/libavformat/mxf.h +++ b/libavformat/mxf.h @@ -30,8 +30,7 @@ typedef AVUUID UID; enum MXFMetadataSetType { - AnyType, - MaterialPackage, + MaterialPackage = 1, SourcePackage, SourceClip, TimecodeComponent, diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 446bcf3276..b7b9207a5b 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1582,7 +1582,7 @@ static void *mxf_resolve_strong_ref(MXFContext *mxf, UID *strong_ref, enum MXFMe return NULL; for (i = mxf->metadata_sets_count - 1; i >= 0; i--) { if (!memcmp(*strong_ref, mxf->metadata_sets[i]->uid, 16) && - (type == AnyType || mxf->metadata_sets[i]->type == type)) { + (mxf->metadata_sets[i]->type == type)) { return mxf->metadata_sets[i]; } } 
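Review bot: The `= 1` added to MaterialPackage in enum MXFMetadataSetType (mxf.h) is load-bearing but undocumented. With AnyType gone, 0 is the value left in the type field of the mxf_metadata_read_table entries that now omit it (mxf_read_content_storage and the all-zero terminator, in later hunks of this commit), and mxf_resolve_strong_ref in the next hunk now requires an exact type match on top of the UID match. A comment on the enum would stop a later edit from dropping the initializer or inserting a new first enumerator, for example `/* 0 is reserved for "no type"; every real metadata set type must be non-zero */`. Whether a set with type 0 can ever be stored in mxf->metadata_sets is not visible from these hunks.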
@@ -2221,22 +2221,17 @@ static int mxf_add_timecode_metadata(AVDictionary **pm, const char *key, AVTimec static MXFTimecodeComponent* mxf_resolve_timecode_component(MXFContext *mxf, UID *strong_ref) { - MXFStructuralComponent *component = NULL; - MXFPulldownComponent *pulldown = NULL; + MXFTimecodeComponent *timecode; + MXFPulldownComponent *pulldown; - component = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); - if (!component) - return NULL; + timecode = mxf_resolve_strong_ref(mxf, strong_ref, TimecodeComponent); + if (timecode) + return timecode; - switch (component->meta.type) { - case TimecodeComponent: - return (MXFTimecodeComponent*)component; - case PulldownComponent: /* timcode component may be located on a pulldown component */ - pulldown = (MXFPulldownComponent*)component; + pulldown = mxf_resolve_strong_ref(mxf, strong_ref, PulldownComponent); + if (pulldown) return mxf_resolve_strong_ref(mxf, &pulldown->input_segment_ref, TimecodeComponent); - default: - break; - } + return NULL; } @@ -2280,14 +2275,20 @@ static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, i return NULL; } -static MXFStructuralComponent* mxf_resolve_essence_group_choice(MXFContext *mxf, MXFEssenceGroup *essence_group) +static MXFStructuralComponent* mxf_resolve_sourceclip(MXFContext *mxf, UID *strong_ref) { MXFStructuralComponent *component = NULL; MXFPackage *package = NULL; MXFDescriptor *descriptor = NULL; + MXFEssenceGroup *essence_group; int i; - if (!essence_group || !essence_group->structural_components_count) + component = mxf_resolve_strong_ref(mxf, strong_ref, SourceClip); + if (component) + return component; + + essence_group = mxf_resolve_strong_ref(mxf, strong_ref, EssenceGroup); + if (!essence_group) return NULL; /* essence groups contains multiple representations of the same media, 
@@ -2304,24 +2305,7 @@ static MXFStructuralComponent* mxf_resolve_essence_group_choice(MXFContext *mxf, if (descriptor) return component; } - return NULL; -} -static MXFStructuralComponent* mxf_resolve_sourceclip(MXFContext *mxf, UID *strong_ref) -{ - MXFStructuralComponent *component = NULL; - - component = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); - if (!component) - return NULL; - switch (component->meta.type) { - case SourceClip: - return component; - case EssenceGroup: - return mxf_resolve_essence_group_choice(mxf, (MXFEssenceGroup*) component); - default: - break; - } return NULL; } @@ -3243,7 +3227,7 @@ static const MXFMetadataReadTableEntry mxf_metadata_read_table[] = { { { 0x06,0x0e,0x2b,0x34,0x02,0x05,0x01,0x01,0x0d,0x01,0x02,0x01,0x01,0x04,0x04,0x00 }, mxf_read_partition_pack }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x2f,0x00 }, mxf_read_preface_metadata }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x30,0x00 }, mxf_read_identification_metadata }, - { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x18,0x00 }, mxf_read_content_storage, 0, AnyType }, + { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x18,0x00 }, mxf_read_content_storage }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x37,0x00 }, mxf_read_package, sizeof(MXFPackage), SourcePackage }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x36,0x00 }, mxf_read_package, sizeof(MXFPackage), MaterialPackage }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x0f,0x00 }, mxf_read_sequence, sizeof(MXFSequence), Sequence }, 
@@ -3272,7 +3256,7 @@ static const MXFMetadataReadTableEntry mxf_metadata_read_table[] = { { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x04,0x01,0x02,0x02,0x00,0x00 }, mxf_read_cryptographic_context, sizeof(MXFCryptoContext), CryptoContext }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x02,0x01,0x01,0x10,0x01,0x00 }, mxf_read_index_table_segment, sizeof(MXFIndexTableSegment), IndexTableSegment }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x23,0x00 }, mxf_read_essence_container_data, sizeof(MXFEssenceContainerData), EssenceContainerData }, - { { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, NULL, 0, AnyType }, + { { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, NULL }, }; static int mxf_metadataset_init(MXFMetadataSet *ctx, enum MXFMetadataSetType type, MXFPartition *partition) From 3fb9425a75a589fab6c16954a12021e119c74359 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 27 Feb 2024 10:31:31 +0100 Subject: [PATCH 104/606] swresample/resample: fix rounding errors with filter_size=1 and phase_shift=0 Depending on input chunk size noticable corrpution was hearable, here is an example command line: ffplay -f lavfi -i "sine=440:r=8000:samples_per_frame=32,aresample=24000:filter_size=1:phase_shift=0" Fix this by rounding the fixed point fractions up instead of down. Signed-off-by: Marton Balint (cherry picked from commit 7b1b9bb31f04fb9ba06e79c767c1084f0e229bb6) --- libswresample/resample.c | 4 ++-- tests/fate/libswresample.mak | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index bd54a7002f..17cebad01b 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c 
@@ -357,8 +357,8 @@ static int multiple_resample(ResampleContext *c, AudioData *dst, int dst_size, A *consumed = 0; if (c->filter_length == 1 && c->phase_count == 1) { - int64_t index2= (1LL<<32)*c->frac/c->src_incr + (1LL<<32)*c->index; - int64_t incr= (1LL<<32) * c->dst_incr / c->src_incr; + int64_t index2= (1LL<<32)*c->frac/c->src_incr + (1LL<<32)*c->index + 1; + int64_t incr= (1LL<<32) * c->dst_incr / c->src_incr + 1; int new_size = (src_size * (int64_t)c->src_incr - c->frac + c->dst_incr - 1) / c->dst_incr; dst_size = FFMAX(FFMIN(dst_size, new_size), 0); diff --git a/tests/fate/libswresample.mak b/tests/fate/libswresample.mak index f2108016af..82d5ec4bf9 100644 --- a/tests/fate/libswresample.mak +++ b/tests/fate/libswresample.mak @@ -347,13 +347,13 @@ endef fate-swr-resample_nn-fltp-44100-8000: CMP_TARGET = 591.03 fate-swr-resample_nn-fltp-44100-8000: SIZE_TOLERANCE = 529200 - 20486 -fate-swr-resample_nn-fltp-8000-44100: CMP_TARGET = 3163.32 +fate-swr-resample_nn-fltp-8000-44100: CMP_TARGET = 3156.61 fate-swr-resample_nn-fltp-8000-44100: SIZE_TOLERANCE = 96000 - 20480 fate-swr-resample_nn-s16p-44100-8000: CMP_TARGET = 590.98 fate-swr-resample_nn-s16p-44100-8000: SIZE_TOLERANCE = 529200 - 20486 -fate-swr-resample_nn-s16p-8000-44100: CMP_TARGET = 3163.39 +fate-swr-resample_nn-s16p-8000-44100: CMP_TARGET = 3156.61 fate-swr-resample_nn-s16p-8000-44100: SIZE_TOLERANCE = 96000 - 20480 define ARESAMPLE_ASYNC From 894bebeaf728720415affaeab421e901fa461e78 Mon Sep 17 00:00:00 2001 
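Review bot: The `+ 1` added to `index2` and `incr` in the `c->filter_length == 1 && c->phase_count == 1` branch is applied unconditionally, so a ratio that divides exactly is also bumped by one unit of the fixed-point value, and nothing in the code says this is intended. A short comment above the two lines would keep a later cleanup from removing it, for example `/* bias the (1LL<<32)-scaled values up by one: truncation gave audible errors with filter_size=1, phase_shift=0 */`. The body of multiple_resample continues outside the hunk.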
From: Marton Balint Date: Fri, 1 Mar 2024 00:09:43 +0100 Subject: [PATCH 105/606] avformat/mpegts: detect synchronous metadata KLV more reliably The mpegts code historically tries to strip (the first) metadata access unit header from synchronous KLV metadata, but the detection for such streams was unreliable causing strips of asynchronous metadata or ID3 as well. MISB ST 1402 specifies required stream type, stream id and registration descriptor (which eventually maps to the codec ID) so let's use all of these for reliable detection. Fixes a regression caused by 468615f2045da325e0f73e8e668d49cf456ccb37. Fixes ticket #10828, #10883. Signed-off-by: Marton Balint (cherry picked from commit 0aaee4741ce0c10ca09f5d17194b58d0cf0ebece) --- libavformat/mpegts.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index c7fd1f5d1f..9babe68126 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1306,8 +1306,11 @@ skip: p += sl_header_bytes; buf_size -= sl_header_bytes; } - if (pes->st->codecpar->codec_id == AV_CODEC_ID_SMPTE_KLV && buf_size >= 5) { - /* skip metadata access unit header */ + if (pes->stream_type == STREAM_TYPE_METADATA && + pes->stream_id == STREAM_ID_METADATA_STREAM && + pes->st->codecpar->codec_id == AV_CODEC_ID_SMPTE_KLV && + buf_size >= 5) { + /* skip metadata access unit header - see MISB ST 1402 */ pes->pes_header_size += 5; p += 5; buf_size -= 5; From 888602001fe71807cf6ef1df7a77ff9f6bfd4f70 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 21:07:20 +0100 Subject: [PATCH 106/606] fftools/ffplay: use correct buffersink channel layout parameters Regression since 0995e1f1b31f6e937a1b527407ed3e850f138098. Signed-off-by: Marton Balint (cherry picked from commit 7251f909721a570726775acf61b2b9c28a950c76) --- fftools/ffplay.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index d8c69e10bc..5bf2070a8d 100644 
--- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -1999,6 +1999,8 @@ static int configure_audio_filters(VideoState *is, const char *afilters, int for goto end; if (force_output_format) { + av_bprint_clear(&bp); + av_channel_layout_describe_bprint(&is->audio_tgt.ch_layout, &bp); sample_rates [0] = is->audio_tgt.freq; if ((ret = av_opt_set_int(filt_asink, "all_channel_counts", 0, AV_OPT_SEARCH_CHILDREN)) < 0) goto end; From f309408874a5d6ccc77063631fa78b8fb59937a0 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 26 Mar 2024 21:11:20 -0300 Subject: [PATCH 107/606] avformat/mov: don't abort on duplicate Mastering Display Metadata boxes The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a mdvc one. If both are present, just ignore one of them. This is in line with clli and CoLL boxes. Fixes ticket #10711. Signed-off-by: James Almer (cherry picked from commit 189c32f53659b8f9dc402765905fc12a321ab1ac) --- libavformat/mov.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 606fe22f71..9c535da082 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5916,8 +5916,10 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } - if (sc->mastering) - return AVERROR_INVALIDDATA; + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n"); + return 0; + } avio_skip(pb, 3); /* flags */ 
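Review bot: The return value of `av_channel_layout_describe_bprint()` is dropped in the `force_output_format` branch of configure_audio_filters, while the calls around it jump to `end` on failure. If the describe call fails, whatever `bp` holds would presumably still be handed to the sink as its channel layout (that use is outside the hunk). Checking it keeps the error path uniform: `if ((ret = av_channel_layout_describe_bprint(&is->audio_tgt.ch_layout, &bp)) < 0) goto end;`.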
@@ -5954,11 +5956,16 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24 || sc->mastering) { + if (atom.size < 24) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n"); + return 0; + } + sc->mastering = av_mastering_display_metadata_alloc(); if (!sc->mastering) return AVERROR(ENOMEM); From f4a6db1222eaec502eb5c09d9b57321903aaeaff Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 30 Mar 2024 00:12:03 +0100 Subject: [PATCH 108/606] avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer --- libavcodec/nvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index b2481e7fe8..09c91e0dab 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -665,6 +665,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } From 88127b743f33ca90f7917b3203819b2ada018559 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 21:56:58 +0100 Subject: [PATCH 109/606] avfilter/af_channelmap: fix error message if FL source channel was missing FL channel ID is 0, so for an unset value we must check for ID < 0. Regression since 1f96db959c1235bb7079d354e09914a0a2608f62. Signed-off-by: Marton Balint (cherry picked from commit 9a5627ea9a213c4929020ee8c90bae74788f645c) --- libavfilter/af_channelmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index 09bc4cfbe1..302bd09a26 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c 
@@ -167,7 +167,7 @@ static av_cold int channelmap_init(AVFilterContext *ctx) for (i = 0; i < map_entries; i++) { int in_ch_idx = -1, out_ch_idx = -1; - int in_ch = 0, out_ch = 0; + int in_ch = -1, out_ch = -1; static const char err[] = "Failed to parse channel map\n"; switch (mode) { case MAP_ONE_INT: @@ -382,7 +382,7 @@ static int channelmap_config_input(AVFilterLink *inlink) if (m->in_channel_idx < 0 || m->in_channel_idx >= nb_channels) { av_channel_layout_describe(&inlink->ch_layout, layout_name, sizeof(layout_name)); - if (m->in_channel) { + if (m->in_channel >= 0) { av_channel_name(channel_name, sizeof(channel_name), m->in_channel); av_log(ctx, AV_LOG_ERROR, "input channel '%s' not available from input layout '%s'\n", From 0deb010ae7eec4df1d874b74c9f46571045bb48e Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 22:08:54 +0100 Subject: [PATCH 110/606] avfilter/af_channelmap: fix mapping if in_channel was a string but out_channel was not specified In this case in_channel_idx was never set and the default 0 was used. Suprisingly no one noticed that the respective fate test output was wrong. Signed-off-by: Marton Balint (cherry picked from commit 1bea3e9ee2f3521182eea6066fc8e8e1f8910c5b) --- libavfilter/af_channelmap.c | 2 +- tests/fate/filter-audio.mak | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index 302bd09a26..1bfac69624 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c @@ -375,7 +375,7 @@ static int channelmap_config_input(AVFilterLink *inlink) for (i = 0; i < s->nch; i++) { struct ChannelMap *m = &s->map[i]; - if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR) { + if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR || s->mode == MAP_ONE_STR) { m->in_channel_idx = av_channel_layout_index_from_channel( &inlink->ch_layout, m->in_channel); } 
diff --git a/tests/fate/filter-audio.mak b/tests/fate/filter-audio.mak index 445c0f9217..4bbae5d8e0 100644 --- a/tests/fate/filter-audio.mak +++ b/tests/fate/filter-audio.mak @@ -285,7 +285,7 @@ fate-filter-channelmap-one-str: SRC = $(TARGET_PATH)/tests/data/asynth-44100-2.w fate-filter-channelmap-one-str: tests/data/asynth-44100-2.wav fate-filter-channelmap-one-str: CMD = md5 -auto_conversion_filters -i $(SRC) -filter_complex_script $(TARGET_PATH)/tests/data/filtergraphs/channelmap_one_str -f wav -fflags +bitexact fate-filter-channelmap-one-str: CMP = oneline -fate-filter-channelmap-one-str: REF = 0ea3052e482c95d5d3bd9da6dac1b5fa +fate-filter-channelmap-one-str: REF = e18791f65ce5861e130b2c3e472ab90a FATE_AFILTER-$(call FILTERDEMDECENCMUX, CHANNELMAP, WAV, PCM_S16LE, PCM_S16LE, WAV) += $(FATE_FILTER_CHANNELMAP) From 8d1e092b245f6ac66dfe71f76a4a18dd2c11735e Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 23:35:26 +0100 Subject: [PATCH 111/606] avfilter/af_channelmap: disallow channel index 64 MAX_CH is 64, therefore the maximum index is 63. Signed-off-by: Marton Balint (cherry picked from commit 2f754a96bd4ae4932923fe03c2d53f8273b6273c) --- libavfilter/af_channelmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index 1bfac69624..c8225fc65f 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c @@ -85,7 +85,7 @@ static char* split(char *message, char delim) { return next; } -static int get_channel_idx(char **map, int *ch, char delim, int max_ch) +static int get_channel_idx(char **map, int *ch, char delim, int max_nb_channels) { char *next; int len; @@ -99,7 +99,7 @@ static int get_channel_idx(char **map, int *ch, char delim, int max_ch) sscanf(*map, "%d%n", ch, &n); if (n != len) return AVERROR(EINVAL); - if (*ch < 0 || *ch > max_ch) + if (*ch < 0 || *ch >= max_nb_channels) return AVERROR(EINVAL); *map = next; return 0; 
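Review bot: In get_channel_idx the result of `sscanf(*map, "%d%n", ch, &n)` is not checked, so when no number is converted `*ch` keeps whatever the caller stored there and the corrected `*ch >= max_nb_channels` bound is applied to that stale value. The `n != len` test also relies on `n` having a defined value when `%n` is never reached; its declaration lies between the two hunks and should be confirmed. `%d` has undefined behaviour for digits that do not fit an int, which `strtol` with an end pointer and an `errno` check would avoid. The minimal change is `if (sscanf(*map, "%d%n", ch, &n) != 1 || n != len) return AVERROR(EINVAL);`.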
From aa5e6017a58ec4b647a35cea1605ce00a9d7054f Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 23 Mar 2024 16:10:22 +0100 Subject: [PATCH 112/606] avfilter/buffersrc: fix overriding unknown channel layouts with negotiated one Fixes ffplay playback of unknown layouts, when SDL directly supports the audio format, such as: ffplay -f lavfi anullsrc=cl=2C,aformat=s16 Without the patch, "Channel layout change is not supported" errors are generated because buffersrc (unknown 2 channel) and buffersink (stereo) negotiated a stereo layout, but the stereo layout was never stored in the BufferSourceContext. This fixes a regression of 7251f909721a570726775acf61b2b9c28a950c76, but this is more of a regression of the avfilter channel layout conversion (1f96db959c1235bb7079d354e09914a0a2608f62). Signed-off-by: Marton Balint (cherry picked from commit 2df2b4067ed01b9076a5dda073521551a32336cd) --- libavfilter/buffersrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index 453fc0fd5c..9e51320393 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -469,7 +469,7 @@ static int config_props(AVFilterLink *link) } break; case AVMEDIA_TYPE_AUDIO: - if (!c->ch_layout.nb_channels) { + if (!c->ch_layout.nb_channels || c->ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) { int ret = av_channel_layout_copy(&c->ch_layout, &link->ch_layout); if (ret < 0) return ret; From 3481f8d99fc44f5516957e774b7f2da74c33beb8 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 31 Mar 2024 18:25:15 +0200 Subject: [PATCH 113/606] avcodec/nvenc: stop using long deprecated format specifiers --- libavcodec/nvenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 626f10d20a..66a95f54d1 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
@@ -1689,15 +1689,15 @@ static NV_ENC_BUFFER_FORMAT nvenc_map_buffer_format(enum AVPixelFormat pix_fmt) { switch (pix_fmt) { case AV_PIX_FMT_YUV420P: - return NV_ENC_BUFFER_FORMAT_YV12_PL; + return NV_ENC_BUFFER_FORMAT_YV12; case AV_PIX_FMT_NV12: - return NV_ENC_BUFFER_FORMAT_NV12_PL; + return NV_ENC_BUFFER_FORMAT_NV12; case AV_PIX_FMT_P010: case AV_PIX_FMT_P016: return NV_ENC_BUFFER_FORMAT_YUV420_10BIT; case AV_PIX_FMT_GBRP: case AV_PIX_FMT_YUV444P: - return NV_ENC_BUFFER_FORMAT_YUV444_PL; + return NV_ENC_BUFFER_FORMAT_YUV444; case AV_PIX_FMT_GBRP16: case AV_PIX_FMT_YUV444P16: return NV_ENC_BUFFER_FORMAT_YUV444_10BIT; From 38346298973e3869d895e0ad3ca3b19dc598c5c8 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 31 Mar 2024 18:39:49 +0200 Subject: [PATCH 114/606] avcodec/nvenc: support SDK 12.2 bit depth API --- libavcodec/nvenc.c | 15 +++++++++++++++ libavcodec/nvenc.h | 5 +++++ 2 files changed, 20 insertions(+) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 66a95f54d1..c1ab4e7265 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1255,6 +1255,11 @@ static av_cold int nvenc_setup_h264_config(AVCodecContext *avctx) h264->level = ctx->level; +#ifdef NVENC_HAVE_NEW_BIT_DEPTH_API + h264->inputBitDepth = h264->outputBitDepth = + IS_10BIT(ctx->data_pix_fmt) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; +#endif + if (ctx->coder >= 0) h264->entropyCodingMode = ctx->coder; @@ -1370,7 +1375,12 @@ static av_cold int nvenc_setup_hevc_config(AVCodecContext *avctx) hevc->chromaFormatIDC = IS_YUV444(ctx->data_pix_fmt) ? 3 : 1; +#ifdef NVENC_HAVE_NEW_BIT_DEPTH_API + hevc->inputBitDepth = hevc->outputBitDepth = + IS_10BIT(ctx->data_pix_fmt) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; +#else hevc->pixelBitDepthMinus8 = IS_10BIT(ctx->data_pix_fmt) ? 2 : 0; +#endif hevc->level = ctx->level; 
@@ -1455,8 +1465,13 @@ static av_cold int nvenc_setup_av1_config(AVCodecContext *avctx) av1->chromaFormatIDC = IS_YUV444(ctx->data_pix_fmt) ? 3 : 1; +#ifdef NVENC_HAVE_NEW_BIT_DEPTH_API + av1->inputBitDepth = IS_10BIT(ctx->data_pix_fmt) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; + av1->outputBitDepth = (IS_10BIT(ctx->data_pix_fmt) || ctx->highbitdepth) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; +#else av1->inputPixelBitDepthMinus8 = IS_10BIT(ctx->data_pix_fmt) ? 2 : 0; av1->pixelBitDepthMinus8 = (IS_10BIT(ctx->data_pix_fmt) || ctx->highbitdepth) ? 2 : 0; +#endif if (ctx->b_ref_mode >= 0) av1->useBFramesAsRef = ctx->b_ref_mode; diff --git a/libavcodec/nvenc.h b/libavcodec/nvenc.h index e5b0eb8305..ecc827de97 100644 --- a/libavcodec/nvenc.h +++ b/libavcodec/nvenc.h @@ -83,6 +83,11 @@ typedef void ID3D11Device; #define NVENC_NO_DEPRECATED_RC #endif +// SDK 12.2 compile time feature checks +#if NVENCAPI_CHECK_VERSION(12, 2) +#define NVENC_HAVE_NEW_BIT_DEPTH_API +#endif + typedef struct NvencSurface { NV_ENC_INPUT_PTR input_surface; From 5e45c27ba9baf576e548e226162be7e104328cc0 Mon Sep 17 00:00:00 2001 From: Eugene Zemtsov Date: Mon, 1 Apr 2024 19:28:03 -0700 Subject: [PATCH 115/606] avformat/mov: Check if a key is longer than the atom containing it Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov Signed-off-by: James Almer (cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9c535da082..55bafaa26a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -4815,12 +4815,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); From adfa69aaa9977aeb884b4c021c9f562f72f0e4ba Mon Sep 17 00:00:00 2001 From: Romain Beauxis Date: Mon, 1 Jan 2024 09:52:50 -0600 Subject: [PATCH 116/606] libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. This patch populates the third entry for HLS codec attribute using the AAC profile. The HLS specifications[1] require this value to be the Object Type ID as referred to in table 1.3 of ISO/IEC 14496-3:2009[2]. The numerical constants in the code refer to these OTIs minus one, as documented in commit 372597e[3], confirmed by comparing the values in the code with the values in the table mentioned above. Links: 1: https://datatracker.ietf.org/doc/html/rfc6381#section-3.3 2: https://csclub.uwaterloo.ca/~ehashman/ISO14496-3-2009.pdf 3: https://github.com/FFmpeg/FFmpeg/commit/372597e5381c097455a7b73849254d56083eb056 Changes in this version: - Default value set to "mp4a.40.2" when profile is unknown for backward compatibility. Signed-off-by: Steven Liu (cherry picked from commit 797f0b27c175022d896e46db4ac2873e3e0a70af) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 4ef84c05c1..0b89a7f508 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
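Review bot: The new `key_size > atom.size` test in mov_read_keys is only as tight as `atom.size` is when the loop starts. The fields read before the loop are outside the hunk; if their bytes are not subtracted from `atom.size` first, a key can still claim slightly more than the atom has left. Subtracting them before the loop, `atom.size -= <bytes read before the loop>;` (placeholder, the count is not shown here), would make the bound exact. The read of the remaining `key_size` bytes is also outside the hunk, and a short read there should be treated as an error rather than leaving a partly filled key.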
@@ -418,8 +418,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) { snprintf(attr, sizeof(attr), "mp4a.40.34"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { - /* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */ - snprintf(attr, sizeof(attr), "mp4a.40.2"); + if (st->codecpar->profile != AV_PROFILE_UNKNOWN) + snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1); + else + // This is for backward compatibility with the previous implementation. + snprintf(attr, sizeof(attr), "mp4a.40.2"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) { snprintf(attr, sizeof(attr), "ac-3"); } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) { From 16bef72c508637bd9cf7eb4b7342270567ec9312 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:09:52 +0100 Subject: [PATCH 117/606] avcodec/mpegvideo_enc: Use ptrdiff_t for stride Signed-off-by: Michael Niedermayer (cherry picked from commit e063c1d079086150580ed7a9ad076da122e27f76) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index e460ca407c..c20e364cac 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1194,8 +1194,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) } for (int i = 0; i < 3; i++) { - int src_stride = pic_arg->linesize[i]; - int dst_stride = i ? s->uvlinesize : s->linesize; + ptrdiff_t src_stride = pic_arg->linesize[i]; + ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? s->chroma_x_shift : 0; int v_shift = i ? s->chroma_y_shift : 0; int w = s->width >> h_shift; From c5dcf99399aa4b02dcdd846771217c413b51b046 Mon Sep 17 00:00:00 2001 
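Review bot: In write_codec_attr the AAC branch formats `st->codecpar->profile+1` for every value other than `AV_PROFILE_UNKNOWN`, so any other negative or otherwise unexpected profile taken from the stream parameters is written into the HLS codec attribute, for example as `mp4a.40.-4` (constructed value). Restricting the new path to non-negative profiles keeps the `mp4a.40.2` fallback for everything else: `if (st->codecpar->profile >= 0)`. The rest of write_codec_attr is outside the hunk.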
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:10:41 +0100 Subject: [PATCH 118/606] avfilter/signature_lookup: dont leave uncleared pointers in sll_free() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c504829514333439d15deb5717567fb4bdbbee0) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 86dd0c6675..3c7006c9d6 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ + while (*sll) { + MatchingInfo *tmp = *sll; + *sll = tmp->next; + tmp->next = NULL; + av_free(tmp); + } +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -520,16 +530,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ - void *tmp; - while (sll) { - tmp = sll; - sll = sll->next; - av_freep(&tmp); - } -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; @@ -572,7 +572,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); - sll_free(infos); + sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; From fdc5b25f19fae6615cc9d7139175c0de58115185 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:40:30 +0100 Subject: [PATCH 119/606] avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure Fixes: CID 1403229 Dereference after null check Signed-off-by: Michael Niedermayer (cherry picked from commit 98ae1ad7cf16bd10a4fa79f676439edc4da7cba6) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 3c7006c9d6..ad012ecced 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -299,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + + } + if (!c) { + sll_free(&cands); + goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -315,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } + error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } From e97660783143347daeadd700731f1da309a4e554 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2024 02:37:57 +0100 Subject: [PATCH 120/606] avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers Signed-off-by: Michael Niedermayer (cherry picked from commit f465badb062c8023bc245f4878e7a6a082afc416) Signed-off-by: Michael Niedermayer --- libavutil/rational.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/rational.h b/libavutil/rational.h index 8cbfc8e066..849f47f38d 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h 
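Review bot: On allocation failure get_matching_parameters now empties the list with `sll_free(&cands)` and jumps to `error:`, which is the ordinary cleanup, so the function presumably returns the now-NULL `cands` (the return is outside the hunk) and the caller cannot tell out-of-memory from "no candidates". If that is intended, a comment at the label should say so, for example `/* also reached on success: only hspace is freed here, cands is returned as is */`. The FATAL message `"Could not allocate memory"` on the context line has no trailing newline, and the blank line added before the closing brace can be dropped.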
@@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form From 7dbea8ef0b2c958b8b27defc1055a0d703b463f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2024 20:11:56 +0100 Subject: [PATCH 121/606] avcodec/indeo3: Round dimensions up in allocate_frame_buffers() Fixes: Ticket6581 Signed-off-by: Michael Niedermayer (cherry picked from commit 3be80ce299d0073118ae42f5d99c14f912751d93) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 5f1014f0d4..7bb0235bdb 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -171,6 +171,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; + luma_width = FFALIGN(luma_width , 2); + luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 1 || luma_height & 1) { From ce355905622f8ea78979d43575faedf6e89282d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:04:13 +0100 Subject: [PATCH 122/606] swscale/utils: Allocate more dithererror Fixes: out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 18f26f8a2f8dc3b9ec3ac3ab8e03fce15cc8c88d) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index e1ad685972..e6eab0c4c1 100644 --- a/libswscale/utils.c 
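Review bot: After `luma_width = FFALIGN(luma_width , 2);` and the same for `luma_height` in allocate_frame_buffers, the `luma_width & 1 || luma_height & 1` part of the range check just below can no longer be true. Either drop that test or state the new behaviour in a comment, for example `/* odd dimensions are rounded up to even instead of being rejected */`. If the rounded values are stored and later compared with the dimensions from the frame header (outside the hunk), an odd-sized stream would mismatch on every frame; that should be checked.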
+++ b/libswscale/utils.c @@ -1891,7 +1891,7 @@ static av_cold int sws_init_single_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) - if (!FF_ALLOCZ_TYPED_ARRAY(c->dither_error[i], c->dstW + 2)) + if (!FF_ALLOCZ_TYPED_ARRAY(c->dither_error[i], c->dstW + 3)) goto nomem; c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; From b88210ba04fc7a050fbc45c0cd84fae328e8dd50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:34:25 +0100 Subject: [PATCH 123/606] swscale/swscale: Check srcSliceH for bayer Fixes: Assertion srcSliceH > 1 failed at libswscale/swscale_unscaled.c:1359 Signed-off-by: Michael Niedermayer (cherry picked from commit 64098d0cd8ab1d27f78a335ca684f00a419b2160) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 90e5b299ab..fe0e74f871 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -904,7 +904,8 @@ static int scale_internal(SwsContext *c, if ((srcSliceY & (macro_height_src - 1)) || ((srcSliceH & (macro_height_src - 1)) && srcSliceY + srcSliceH != c->srcH) || - srcSliceY + srcSliceH > c->srcH) { + srcSliceY + srcSliceH > c->srcH || + (isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } From abd835bec748c0a39fa47bab75c14250e537a7cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2024 03:32:38 +0100 Subject: [PATCH 124/606] libswscale/utils: Fix bayer to yuvj Fixes: out of array access. Earlier code assumes that a unscaled bayer to yuvj420 converter exists but the later code then skips yuvj420 Signed-off-by: Michael Niedermayer (cherry picked from commit e9cc9e492f987ce23ce8c514258a17952dd20401) 
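Review bot: The allocation of `c->dither_error[i]` in sws_init_single_context grows from `c->dstW + 2` to `c->dstW + 3` without saying which access needs the extra element, so the buffer size and its reader can drift apart again. A comment at the allocation should tie the two together, for example `/* dstW + 3: <reader function> reads one element past dstW + 2 */` (placeholder for the function name, which is not in this hunk). The body of sws_init_single_context continues outside the hunk.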
Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index e6eab0c4c1..d78a6d50ff 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1730,7 +1730,8 @@ static av_cold int sws_init_single_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || - isFloat(srcFormat) || isFloat(dstFormat))){ + isFloat(srcFormat) || isFloat(dstFormat) || isBayer(srcFormat))){ + ff_get_unscaled_swscale(c); if (c->convert_unscaled) { From ae0e91150cc3158f89a10fcd8baaf8b5c3f46d43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Feb 2024 22:06:48 +0100 Subject: [PATCH 125/606] avcodec/8bps: Consider width in the minimal size check Fixes: Timeout Fixes: 64479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5434435386081280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5db09574dfd40d3e15db9336a34398405a1c601b) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 0becaa9320..a7ef3e085e 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -61,7 +61,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, unsigned int planes = c->planes; int ret; - if (buf_size < planes * height * 2) + if (buf_size < planes * height * (2 + 2*((avctx->width+128)/129))) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) From 13f0a85c2ca0eba278b2153ff4f27ad5f232b7a2 Mon Sep 17 00:00:00 2001 
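Review bot: The new minimum-size test in the 8bps decode_frame, `planes * height * (2 + 2*((avctx->width+128)/129))`, uses the constants 2, 128 and 129 without explanation, so a reader cannot verify that it is a true lower bound for a valid frame. A comment above the test should state which per-line and per-run minimum sizes those numbers stand for. The product is also evaluated in unsigned arithmetic because `planes` is `unsigned int`; that is presumably safe for dimensions the decoder accepts, but it is worth confirming against the declaration of `height`, which is outside the hunk.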
From: Michael Niedermayer Date: Sun, 25 Feb 2024 23:11:40 +0100 Subject: [PATCH 126/606] avformat/concatdec: Check in and outpoints to be to produce a positive representable duration Fixes: signed integer overflow: -93000000 - 9223372036839000000 cannot be represented in type 'long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b2d7cbc378fa276d62fd676c037b9df59fc319a0) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index ffa8ade25b..7abe03c26d 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -638,6 +638,12 @@ static int concat_parse_script(AVFormatContext *avf) } } + if (file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) { + if (file->inpoint > file->outpoint || + file->outpoint - (uint64_t)file->inpoint > INT64_MAX) + ret = AVERROR_INVALIDDATA; + } + fail: for (arg = 0; arg < MAX_ARGS; arg++) av_freep(&arg_str[arg]); From d2f57db3ab12479c60d98828c3634868e68b7259 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 22:27:03 +0100 Subject: [PATCH 127/606] avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() Fixes: timeout Fixes: 66326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-6295291863040000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc89cf804a811c0d25f4649a99f7fab4b5b416fa) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index faeaeadde7..bf26b13b83 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
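Review bot: The inpoint/outpoint check in concat_parse_script sits after the parsing loop, directly before `fail:`, so it appears to test only the entry `file` points to at that moment. The loop is outside the hunk, but if `file` is the last parsed entry, earlier entries with `inpoint > outpoint` or an unrepresentable duration are not rejected. The check also sets `ret` without logging, so the user gets AVERROR_INVALIDDATA with no hint which directive was wrong. Running the same test when each entry is completed and adding `av_log(avf, AV_LOG_ERROR, "inpoint/outpoint do not give a valid duration\n");` would cover both.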
@@ -1468,6 +1468,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + if (vr_type == 0) { voffs = voffset+j*vlen; From 24367ad563800f5edcaa229e3cf00081102dfab6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Feb 2024 19:38:41 +0100 Subject: [PATCH 128/606] avcodec/proresenc_kostya: Remove bug similarity text According to kostya, it is not based on Wassermans encoder CC: Kostya Shishkov CC: Anatoliy Wasserman Signed-off-by: Michael Niedermayer (cherry picked from commit e0e30e07a1755c4f7829f64d35dc07e399c02c6e) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 52fe5639b1..0bee01e157 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or From a2ceca5cf6d402ec9d79d415dba116cad8677555 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Mar 2024 02:15:16 +0100 Subject: [PATCH 129/606] avcodec/cbs_h266_syntax_template: Check tile_y Fixes: out of array access Fixes: 67021/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4883576579489792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57f252b2d10c3dbb422f5ddc4e8625bf56e27a9c) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h266_syntax_template.c | 2 ++ 1 file changed, 2 insertions(+) 
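Review bot: Returning AVERROR_INVALIDDATA as soon as `get_bits_left(gb) <= 0` in vorbis_residue_decode_internal() turns a packet that ends inside the residue into a hard decode error. The check does bound the loop on exhausted input, which is what the timeout needs, but Vorbis treats end-of-packet during residue decode as a normal condition in which the remaining values stay zero, so truncated-but-valid packets may now be dropped; this should be confirmed against such samples. If that matters, leaving the partition loops cleanly and returning 0 keeps the bound without rejecting the frame. A short comment such as `/* out of input: stop instead of iterating over an empty bitreader */` would also record why the check is here; the function body continues outside the hunk.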
diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 2c9988341b..439d863b8f 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -2072,6 +2072,8 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, tile_x = tile_idx % current->num_tile_columns; tile_y = tile_idx / current->num_tile_columns; + if (tile_y >= current->num_tile_rows) + return AVERROR_INVALIDDATA; ctu_x = 0, ctu_y = 0; for (j = 0; j < tile_x; j++) { From 8464563b80f0d28e1e10e5b9de177ac37fa715f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Mar 2024 23:24:11 +0100 Subject: [PATCH 130/606] avformat/wady: Check >0 samplerate and channels 1 || 2. The WADY decoder only supports mono and stereo This fixes a probetest failure Signed-off-by: Michael Niedermayer (cherry picked from commit 6f9e90ab0bede36cc960a099e8f19998345e7164) Signed-off-by: Michael Niedermayer --- libavformat/wady.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wady.c b/libavformat/wady.c index bd9b64f514..ce9c0237d7 100644 --- a/libavformat/wady.c +++ b/libavformat/wady.c @@ -32,7 +32,8 @@ static int wady_probe(const AVProbeData *p) return 0; if (p->buf[4] != 0 || p->buf[5] == 0 || AV_RL16(p->buf+6) == 0 || - AV_RL32(p->buf+8) == 0) + AV_RL16(p->buf+6) > 2 || + (int32_t)AV_RL32(p->buf+8) <= 0) return 0; return AVPROBE_SCORE_MAX / 3 * 2; From b171edca3c990fc2858f028bc01ffd828e762b2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 02:06:34 +0100 Subject: [PATCH 131/606] avformat/mov: Check sample_count and auxiliary_info_default_size to be 0 This combination causes 0 size arrays to be allocated and to leak later Fixes: memleak Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
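Review bot: The tightened tests in wady_probe() only lower the probe score; they do not validate the header for the demuxer itself. A caller can select the demuxer explicitly and bypass probing, so the read-header path should apply the same limits (1 or 2 channels, sample rate > 0) before the values reach the decoder; whether it already does is not visible in this hunk. Reading the channel count once, e.g. `int channels = AV_RL16(p->buf + 6);`, would also avoid parsing the same field twice in the condition.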
Signed-off-by: Michael Niedermayer (cherry picked from commit 3c43299e9e642e73b31be7ac7c49700949946e13) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 55bafaa26a..20b6ef3dac 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6754,6 +6754,9 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) sample_count = avio_rb32(pb); if (encryption_index->auxiliary_info_default_size == 0) { + if (sample_count == 0) + return AVERROR_INVALIDDATA; + encryption_index->auxiliary_info_sizes = av_malloc(sample_count); if (!encryption_index->auxiliary_info_sizes) return AVERROR(ENOMEM); From e2a58916b1bde8de18c8216d4d7f9d49e01ae612 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:30:56 +0100 Subject: [PATCH 132/606] avcodec/vmixdec: Check shift before use Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 65909/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-519459745831321 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70b26b693e9e06bcd9fe83ee5063ee40e32ce02f) Signed-off-by: Michael Niedermayer --- libavcodec/vmixdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmixdec.c b/libavcodec/vmixdec.c index d6b6e3557f..ab283d13db 100644 --- a/libavcodec/vmixdec.c +++ b/libavcodec/vmixdec.c @@ -235,6 +235,9 @@ static int decode_frame(AVCodecContext *avctx, else if (offset != 3) return AVERROR_INVALIDDATA; + if (s->lshift > 31) + return AVERROR_INVALIDDATA; + q = quality[FFMIN(avpkt->data[offset - 2], FF_ARRAY_ELEMS(quality)-1)]; for (int n = 0; n < 64; n++) s->factors[n] = quant[n] * q; From 19ea7b0409a56e37ab478695f6953433b2e9b827 Mon Sep 17 00:00:00 2001 
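Review bot: In mov_read_saiz() `sample_count` comes straight from `avio_rb32(pb)` and, apart from the new zero check, is passed unbounded to `av_malloc(sample_count)`. A small file can therefore request a very large allocation before any of the table has been read. Comparing it first with the data the atom can still hold, for example `if (sample_count > atom.size) return AVERROR_INVALIDDATA;`, would reject such input early; the exact remaining-size expression depends on code outside the hunk. The zero check also turns an empty table into a parse error rather than fixing the leak path itself, which may be stricter than intended.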
From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:51:05 +0100 Subject: [PATCH 133/606] avformat/id3v2: read_uslt() check for the amount read Fixes: timeout Fixes: 66783/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5356884892647424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0f4abe2aa0117a10fb651f2c1c030d4cd516081) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index d83716dcf4..e0a7e3f3ea 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -370,7 +370,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; - if (taglen < 1) + if (taglen < 4) goto error; encoding = avio_r8(pb); From d66b1af8df7902a3b6226f13410112d9ff27bfc4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:38:17 +0200 Subject: [PATCH 134/606] avformat/cafdec: dont seek beyond 64bit Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index f5ba0f4108..e92e3279fc 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c 
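Review bot: The new minimum of 4 in read_uslt() is an unexplained constant. It presumably stands for the one-byte encoding plus a three-byte language code that the function reads before the descriptor, but those reads are outside the hunk. A comment on the check, e.g. `/* need 1 byte encoding + 3 bytes language */`, or a named constant, would keep the bound in step with the reads if either changes.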
@@ -271,7 +271,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) } } - if (avio_tell(pb) - ccount > size) { + if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } From 521347ee0bffd3603d3251b391e487cb3d7625d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 Subject: [PATCH 135/606] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 474b85270a..b4d9d00529 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; } c->bytes_left = fsize; c->wavpos = avio_tell(pb); From 9459a4503609cf9eb8aaea4ccc53a8a55dd0a6a4 Mon Sep 17 00:00:00 2001 
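Review bot: The added `size > INT64_MAX - ccount` test in read_pakt_chunk() is only evaluated after the packet table has been parsed, although both operands appear to be known on entry. Moving it to the top of the function would reject an oversized chunk before any work is done on it. The subtraction is itself only safe when `ccount` is non-negative; if `ccount` holds an `avio_tell()` result, which can be a negative error code, `ccount < 0` should be rejected as well. The function starts outside the hunk, so both points need checking against the full body.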
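Review bot: The fix in dxa_read_header() works only because `c->bpc - 1 + ast->codecpar->block_align` is evaluated left to right, and nothing on the line says so. The guard above allows `c->bpc + block_align - 1 == INT_MAX`, so the original order overflowed in the intermediate sum, and a later cleanup could easily restore it. A comment such as `/* subtract first: bpc + block_align may exceed INT_MAX */` would protect the ordering. The guard's own `INT_MAX - ast->codecpar->block_align + 1` also assumes a positive `block_align`, while the enclosing `if` only tests for non-zero.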
From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:56:06 +0200 Subject: [PATCH 136/606] avformat/iff: Saturate avio_tell() + 12 Fixes: signed integer overflow: 9223372036854775796 + 12 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4898373660704768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8e754525ca3d3fd835f7360e11f29b02b39cd62) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index b8e8bffe03..5bff0e9b6c 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -217,7 +217,7 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) { AVIOContext *pb = s->pb; - while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { + while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); @@ -254,7 +254,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) int dsd_layout[6]; ID3v2ExtraMeta *id3v2_extra_meta; - while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { + while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); From 356251d750358f1d2431a99ab31980e496d0cd70 Mon Sep 17 00:00:00 2001 
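Review bot: `av_sat_add64(avio_tell(pb), 12) <= eof` in parse_dsd_diin() compares a signed saturated sum with the unsigned `eof`, so the bound is only meaningful while `eof` is at most INT64_MAX. For a larger `eof` the saturated value still satisfies the comparison and the loop is left to `avio_feof()` alone to terminate; the same applies to the identical change in parse_dsd_prop(). Whether callers clamp `eof` is not visible here. If they do not, rejecting `eof > INT64_MAX` once at function entry makes the loop condition exact.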
From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:45:33 +0200 Subject: [PATCH 137/606] avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index e92e3279fc..7a0b754697 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -343,6 +343,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; From f0c08506f5f253e3233460a8b84988c8a20369ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Oct 2023 19:52:33 +0200 Subject: [PATCH 138/606] avformat/jacosubdec: clarify code add comments, rename variables and indent things differently Signed-off-by: Michael Niedermayer (cherry picked from commit e83e8d443b5b86aabf17d1cfb7fba9abf15e24fd) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index c6e5b4aa6d..60fe72d5d7 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
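Review bot: `caf->data_size = size < 0 ? -1 : size - 4` yields -4 to -1 for a `size` of 0 to 3, and the new overflow check lets those values through because it only tests the upper bound. -1 appears to be the marker for an unknown size, so a too-short data chunk may be treated as unbounded and the others as negative sizes. Unless `size < 4` is rejected earlier in read_header(), which is outside the hunk, adding `(size >= 0 && size < 4)` to the rejection condition closes that gap.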
@@ -127,28 +127,28 @@ shift_and_ret: static int get_shift(unsigned timeres, const char *buf) { int sign = 1; - int a = 0, b = 0, c = 0, d = 0; + int h = 0, m = 0, s = 0, d = 0; int64_t ret; #define SSEP "%*1[.:]" - int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); + int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &h, &m, &s, &d); #undef SSEP - if (a == INT_MIN) + if (h == INT_MIN) return 0; - if (*buf == '-' || a < 0) { + if (*buf == '-' || h < 0) { sign = -1; - a = FFABS(a); + h = FFABS(h); } ret = 0; switch (n) { - case 1: a = 0; - case 2: c = b; b = a; a = 0; - case 3: d = c; c = b; b = a; a = 0; + case 1: h = 0; //clear all in case of a single parameter + case 2: s = m; m = h; h = 0; //shift into second subsecondd + case 3: d = s; s = m; m = h; h = 0; //shift into minute second subsecond } - ret = (int64_t)a*3600 + (int64_t)b*60 + c; + ret = (int64_t)h*3600 + (int64_t)m*60 + s; if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) return 0; ret = sign * (ret * timeres + d); From 21ff582aecc32c8126c90621712134ead631c4dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2023 00:33:02 +0100 Subject: [PATCH 139/606] avcodec/osq: avoid several signed integer overflows Fixes: signed integer overflow: 178459578 + 2009763270 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5013423686287360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b54c9a9c8f44a9272dc0ee3c9f11ce54cba74008) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index f47213bf0c..650cfcd98c 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c 
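Review bot: The `switch (n)` in get_shift() relies on every case falling through to the next, and the new comments do not say so. Marking each case with `/* fall through */` makes the intent explicit and keeps -Wimplicit-fallthrough quiet. The comment on `case 2` has a typo (`subsecondd`), and `d` is the one variable the h/m/s renaming leaves unexplained; a note that it holds the sub-second part in units of 1/`timeres`, as `ret * timeres + d` implies, would complete the clarification.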
@@ -221,8 +221,8 @@ static int osq_channel_parameters(AVCodecContext *avctx, int ch) #define C (-3) #define D (-4) #define E (-5) -#define P2 ((dst[A] + dst[A]) - dst[B]) -#define P3 ((dst[A] - dst[B]) * 3 + dst[C]) +#define P2 (((unsigned)dst[A] + dst[A]) - dst[B]) +#define P3 (((unsigned)dst[A] - dst[B]) * 3 + dst[C]) static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int downsample) { @@ -272,10 +272,10 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int case 0: break; case 1: - dst[n] += dst[A]; + dst[n] += (unsigned)dst[A]; break; case 2: - dst[n] += dst[A] + p; + dst[n] += (unsigned)dst[A] + p; break; case 3: dst[n] += P2; @@ -290,28 +290,28 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int dst[n] += P3 + p; break; case 7: - dst[n] += (P2 + P3) / 2 + p; + dst[n] += (int)(P2 + P3) / 2 + (unsigned)p; break; case 8: - dst[n] += (P2 + P3) / 2; + dst[n] += (int)(P2 + P3) / 2; break; case 9: - dst[n] += (P2 * 2 + P3) / 3 + p; + dst[n] += (int)(P2 * 2 + P3) / 3 + (unsigned)p; break; case 10: - dst[n] += (P2 + P3 * 2) / 3 + p; + dst[n] += (int)(P2 + P3 * 2) / 3 + (unsigned)p; break; case 11: - dst[n] += (dst[A] + dst[B]) / 2; + dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2; break; case 12: - dst[n] += dst[B]; + dst[n] += (unsigned)dst[B]; break; case 13: - dst[n] += (dst[D] + dst[B]) / 2; + dst[n] += (int)(unsigned)(dst[D] + dst[B]) / 2; break; case 14: - dst[n] += (P2 + dst[A]) / 2 + p; + dst[n] += (int)((unsigned)P2 + dst[A]) / 2 + (unsigned)p; break; default: return AVERROR_INVALIDDATA; From 435f172b5d507b2c447a63a732e63cb16e1752a5 Mon Sep 17 00:00:00 2001 
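Review bot: In do_decode() `case 13` still performs the addition in signed arithmetic: `(int)(unsigned)(dst[D] + dst[B]) / 2` casts the result of `dst[D] + dst[B]` after it has already been computed as `int`. That leaves in place the signed overflow this commit removes from the other cases; `case 11` shows the intended form. The line should read `dst[n] += (int)((unsigned)dst[D] + dst[B]) / 2;`. In `case 14` the extra `(unsigned)` in front of `P2` is redundant now that the macro itself is unsigned.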
From: Michael Niedermayer Date: Tue, 26 Dec 2023 03:51:23 +0100 Subject: [PATCH 140/606] avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() An alternative would be to limit all time/duration fields to below 64bit Fixes: signed integer overflow: -93000000 - 9223372036839000000 cannot be represented in type 'long long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd733b2be472cea766c62984237533b239e9a93d) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 7abe03c26d..2e0f22f4df 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -323,7 +323,7 @@ static int64_t get_best_effort_duration(ConcatFile *file, AVFormatContext *avf) if (file->user_duration != AV_NOPTS_VALUE) return file->user_duration; if (file->outpoint != AV_NOPTS_VALUE) - return file->outpoint - file->file_inpoint; + return av_sat_sub64(file->outpoint, file->file_inpoint); if (avf->duration > 0) return avf->duration - (file->file_inpoint - file->file_start_time); if (file->next_dts != AV_NOPTS_VALUE) From 30fe9d3511a6025719c477cb7f3a3143593a03ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:46:02 +0100 Subject: [PATCH 141/606] avcodec/hcadec: do not set hfr_group_count to invalid values Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488 Fixes: out of array write Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit addb85ea39300c36010ffb6dc0d28b2ea62b4805) 
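Review bot: The branch directly below the changed line in get_best_effort_duration(), `return avf->duration - (file->file_inpoint - file->file_start_time);`, still uses plain signed subtraction on values that come from the same script and input files. If `file_inpoint` or `file_start_time` can be as extreme as the `outpoint` that triggered this report, it has the same overflow. Using the saturating helper there too, `return av_sat_sub64(avf->duration, av_sat_sub64(file->file_inpoint, file->file_start_time));`, keeps the branches consistent. The function continues past the end of the hunk, so later branches may need the same look.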
Signed-off-by: Michael Niedermayer --- libavcodec/hcadec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index 026b998341..8c8c235f7b 100644 --- a/libavcodec/hcadec.c +++ b/libavcodec/hcadec.c @@ -212,6 +212,7 @@ static int init_hca(AVCodecContext *avctx, const uint8_t *extradata, int8_t r[16] = { 0 }; unsigned b, chunk; int version, ret; + unsigned hfr_group_count; init_flush(avctx); @@ -336,11 +337,12 @@ static int init_hca(AVCodecContext *avctx, const uint8_t *extradata, if (c->total_band_count < c->base_band_count) return AVERROR_INVALIDDATA; - c->hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), + hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), c->bands_per_hfr_group); - if (c->base_band_count + c->stereo_band_count + (unsigned long)c->hfr_group_count > 128ULL) + if (c->base_band_count + c->stereo_band_count + (uint64_t)hfr_group_count > 128ULL) return AVERROR_INVALIDDATA; + c->hfr_group_count = hfr_group_count; for (int i = 0; i < avctx->ch_layout.nb_channels; i++) { c->ch[i].chan_type = r[i]; From aa4cf7a584dd326eb404f3ade4050bc67130e6e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:46:02 +0100 Subject: [PATCH 142/606] avcodec/hcadec: do not allow code to continue after failed init Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488 Fixes: out of array write Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48eeb198a55852ccb4b57cb73c4658767252614e) Signed-off-by: Michael Niedermayer --- libavcodec/hcadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index 8c8c235f7b..88146c7cdd 100644 --- a/libavcodec/hcadec.c +++ b/libavcodec/hcadec.c 
@@ -538,8 +538,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; } else if (AV_RB16(avpkt->data + 6) <= avpkt->size) { ret = init_hca(avctx, avpkt->data, AV_RB16(avpkt->data + 6)); - if (ret < 0) + if (ret < 0) { + c->crc_table = NULL; // signal that init has not finished return ret; + } offset = AV_RB16(avpkt->data + 6); if (offset == avpkt->size) return avpkt->size; From 9a5f191bfb49f66cbe2f5f4b178b2144960028cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 02:30:57 +0100 Subject: [PATCH 143/606] avcodec/rtv1: fix undefined FFALIGN Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d188a867302fd745b5980a90a0b5cad9016c477c) Signed-off-by: Michael Niedermayer --- libavcodec/rtv1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c index 06afe9e873..807c8a3466 100644 --- a/libavcodec/rtv1.c +++ b/libavcodec/rtv1.c @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, width = bytestream2_get_le32(&gb); height = bytestream2_get_le32(&gb); + if (width > INT_MAX-4U || height > INT_MAX-4U) + return AVERROR_INVALIDDATA; ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4)); if (ret < 0) return ret; From 4cbc9bb2c9622f082c07829822fdc4d91e65a65c Mon Sep 17 00:00:00 2001 
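Review bot: Clearing `c->crc_table` in decode_frame() makes that pointer double as the "init completed" flag, which is only safe if every path that uses the context tests it first. That test is outside the hunk, so it cannot be confirmed from here, and a failed re-init leaves whatever other fields init_hca() already wrote in place. A dedicated flag in the context, or at least a comment where `crc_table` is checked, would make the invariant explicit. Resetting the flag inside init_hca() on its error paths would give any other caller the same protection.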
From: Michael Niedermayer Date: Tue, 26 Mar 2024 02:52:04 +0100 Subject: [PATCH 144/606] avcodec/truemotion1: Height not being a multiple of 4 is unsupported mb_change_bits is given space based on height >> 2, while more data is read Fixes: out of array access Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebdcf9849905fdd67dcd3ab93e55e47ded35fda2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 6b0ee22569..784576d01b 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -408,6 +408,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } + if (s->h & 3) { + avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); + return AVERROR_PATCHWELCOME; + } + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); From 9062d898490d09d93fd9677c269e6aef19af6d08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 03:10:14 +0100 Subject: [PATCH 145/606] avcodec/wavarc: Avoid signed integer overflow in sample Fixes: signed integer overflow: -2147483648 + -25122315 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6199806972198912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6009dd07bd2bde72f2e01723678c1994ecef035e) Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index 09ed4d473a..99cbaf0109 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -374,7 +374,7 @@ static int decode_2slp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] = get_srice(gb, k) + (sum >> 4); + samples[n + 70] = get_srice(gb, k) + (unsigned)(sum >> 4); } finished = 1; break; From e7093154883e7cfc017b4ab71625ed0ca4aab3be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 03:14:08 +0100 Subject: [PATCH 146/606] avcodec/wavarc: avoid signed integer overflow in AC code Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-659847401740697 Fixes: signed integer overflow: 65312 * 34078 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1eb8cbd09c5f22d7ba9e0d443712a6ab80648637) Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index 99cbaf0109..aa1af6330b 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -414,7 +414,7 @@ static int ac_init(AVCodecContext *avctx, static uint16_t ac_get_prob(WavArcContext *s) { - return ((s->freq_range - 1) + (s->ac_value - s->ac_low) * s->freq_range) / + return ((s->freq_range - 1) + (s->ac_value - s->ac_low) * (unsigned)s->freq_range) / ((s->ac_high - s->ac_low) + 1U); } 
@@ -439,8 +439,8 @@ static int ac_normalize(AVCodecContext *avctx, WavArcContext *s, GetBitContext * goto fail; range = (s->ac_high - s->ac_low) + 1; - s->ac_high = (range * s->range_high) / s->freq_range + s->ac_low - 1; - s->ac_low += (range * s->range_low) / s->freq_range; + s->ac_high = (range * (unsigned)s->range_high) / s->freq_range + s->ac_low - 1; + s->ac_low += (range * (unsigned)s->range_low) / s->freq_range; if (s->ac_high < s->ac_low) goto fail; From 0a64d77be93c243bdd93e2c02d74c3cd725067f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:16:39 +0100 Subject: [PATCH 147/606] avformat/concatdec: Check user_duration sum Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6434245599690752 Fixes: signed integer overflow: 9223372026773000000 + 22337000000 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 007486058c2eb7a7518450a2ddb4fa98845887a3) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 2e0f22f4df..11c7f75fc0 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -679,6 +679,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; + if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) + return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) { From 6cc785c255adb35c46890e271094134529d7947f Mon Sep 17 00:00:00 2001 
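Review bot: The guard `time + (uint64_t)cat->files[i].user_duration > INT64_MAX` in concat_read_header() treats a negative `user_duration` inconsistently: the cast makes it a huge unsigned value, which is rejected while `time` is small but wraps to a small sum and passes once `time` is large enough. The context line above computes `user_duration` as `outpoint - inpoint` with plain signed subtraction, so a negative or overflowed value is possible unless every entry was validated earlier. If negative durations are not meant to be accepted, an explicit test states the intent: `if (cat->files[i].user_duration < 0 || time > INT64_MAX - cat->files[i].user_duration) return AVERROR_INVALIDDATA;`. The direct `return` should also be checked against the cleanup the rest of the function does, which is outside the hunk.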
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:21:28 +0100 Subject: [PATCH 148/606] avformat/jacosubdec: Use 64bit for abs Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5401294942371840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 746203af3116288b1dd4442e46a5724ba759e831) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 60fe72d5d7..e22bbd788c 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -149,7 +149,7 @@ static int get_shift(unsigned timeres, const char *buf) } ret = (int64_t)h*3600 + (int64_t)m*60 + s; - if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres) return 0; ret = sign * (ret * timeres + d); From db7a80c3ca7b5abede367e49ff3e21eb20caa2d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 149/606] avformat/mov: use 64bit for intermediate for rounding Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f01a89c5a378cb7b55a0bcb5763cfb1da83b81f1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 20b6ef3dac..d5ec35c99c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -8366,7 +8366,7 @@ static int mov_read_timecode_track(AVFormatContext *s, AVStream *st) /* 60 fps content have tmcd_nb_frames set to 30 but tc_rate set to 60, so * we multiply the frame number with the quotient. * See tickets #9492, #9710. */ - rounded_tc_rate = (tc_rate.num + tc_rate.den / 2) / tc_rate.den; + rounded_tc_rate = (tc_rate.num + tc_rate.den / 2LL) / tc_rate.den; /* Work around files where tmcd_nb_frames is rounded down from frame rate * instead of up. See ticket #5978. */ if (tmcd_nb_frames == tc_rate.num / tc_rate.den && From 7af16852cbf118d6dd563e864e91969c9f94a69e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 150/606] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d778a68531b406455f8090d81216ef374ab75) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index b93f05b4b8..bd879bd3cc 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -210,7 +210,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; - return (rate.num + rate.den/2) / rate.den; + return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate) From 4a618246cd849a73aef0f44ee59e19ec38d8b8ce Mon Sep 17 00:00:00 2001 
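Review bot: `tc_rate.den / 2LL` in mov_read_timecode_track() widens the whole expression only through the suffix on a literal, which is easy to miss and easy to undo. Casting the first operand says the same thing openly: `rounded_tc_rate = ((int64_t)tc_rate.num + tc_rate.den / 2) / tc_rate.den;`. The same applies to `rate.den/2LL` in fps_from_frame_rate() in libavutil/timecode.c. That function rejects a zero `den` in its visible context; no equivalent check for `tc_rate.den` is visible in the mov hunk, so it should be confirmed that one exists before this division.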
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:36:40 +0100 Subject: [PATCH 151/606] avformat/rpl: Use 64bit for total_audio_size and check it Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312 Fixes: signed integer overflow: 5555555555555555556 * 8 cannot be represented in type 'long long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 878625812f164fbb733f442965235656d9eaccc8) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index eae0da891b..427738bbdb 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; - int total_audio_size; + int64_t total_audio_size; int error = 0; const char *endptr; char audio_type[RPL_LINE_LENGTH]; @@ -302,6 +302,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); + if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) + return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; } From d492fc3e5ea49078b847d1f9f7b55fc597bf6232 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:39:49 +0100 Subject: [PATCH 152/606] avformat/sbgdec: Check for negative duration Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) 
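Review bot: The new range check in rpl_read_header() runs after `av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0)`, so the `audio_size * 8` in that call is still evaluated on an unchecked value. The check should be moved above the `if (ast)` statement so that both multiplications are covered. The `(uint64_t)audio_size` cast also maps a negative `audio_size` to a very large number, which rejects it only indirectly; `audio_size < 0 ||` in front would state that. The early `return` bypasses whatever cleanup the end of the function performs, which is outside the hunk.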
Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index b2662ea418..281fe6272e 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; From 6d92f9a85eb17435f7a6fcdfa19dee2d82ceedb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:45:09 +0100 Subject: [PATCH 153/606] avformat/wavdec: sanity check channels and bps before using them for block_align Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-4704044498944000 Fixes: signed integer overflow: 520464 * 8224 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75317ec4420d9853526291e8aa18f3ea17321525) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 0c6629b157..a4afbc11fd 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -34,6 +34,7 @@ #include "libavutil/log.h" #include "libavutil/mathematics.h" #include "libavutil/opt.h" +#include "libavcodec/internal.h" #include "avformat.h" #include "avio.h" #include "avio_internal.h" 
@@ -899,7 +900,9 @@ static int w64_read_header(AVFormatContext *s) if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); - if (st->codecpar->block_align) { + if (st->codecpar->block_align && + st->codecpar->ch_layout.nb_channels < FF_SANE_NB_CHANNELS && + st->codecpar->bits_per_coded_sample < 128) { int block_align = st->codecpar->block_align; block_align = FFMAX(block_align, From a42a5e692dcb32f503433194c306fe29ba337388 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:50:36 +0100 Subject: [PATCH 154/606] avformat/wavdec: satuarte next_tag_ofs, data_end Fixes: signed integer overflow: 5053074104798691550 + 5053074104259715104 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6515315309936640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dca9e150b723a160d4a570885f3e5326c3d276) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index a4afbc11fd..4639f849b5 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -445,7 +445,7 @@ static int wav_read_header(AVFormatContext *s) } if (rf64 || bw64) { - next_tag_ofs = wav->data_end = avio_tell(pb) + data_size; + next_tag_ofs = wav->data_end = av_sat_add64(avio_tell(pb), data_size); } else if (size != 0xFFFFFFFF) { data_size = size; next_tag_ofs = wav->data_end = size ? next_tag_ofs : INT64_MAX; From 41f91568568b339195ba328ab8c649197dc4933c Mon Sep 17 00:00:00 2001 
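Review bot: The bound `st->codecpar->bits_per_coded_sample < 128` in w64_read_header() uses a bare literal with no explanation, next to the named `FF_SANE_NB_CHANNELS` limit. A short comment such as `/* keep (bps/8) * channels within int range */` would record why 128 was chosen. When either bound fails, the block is skipped silently and block_align keeps the file-supplied value. If that is intended rather than returning AVERROR_INVALIDDATA, the comment should say so. The body of the `if` continues past the end of the hunk.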
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:57:33 +0100 Subject: [PATCH 155/606] avformat/matroskadec: Check timescale Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e849eb23432e45d0a1fda3901bb84eff0ce91282) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8f000f86be..57d2038635 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3186,6 +3186,10 @@ static int matroska_parse_tracks(AVFormatContext *s) track->time_scale); track->time_scale = 1.0; } + + if (matroska->time_scale * track->time_scale > UINT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */ From 243359fc78f099fe177dde004f2ee96c8f2edee8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:00:13 +0100 Subject: [PATCH 156/606] avformat/westwood_vqa: Fix 2g packets Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 03b2d9e03c..024f5d3652 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c 
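Review bot: The new guard `matroska->time_scale * track->time_scale > UINT_MAX` is false for NaN, so a NaN product would still reach the conversion in avpriv_set_pts_info(). This applies if track->time_scale is a floating value read from the file, which the `= 1.0` reset above and the sanitizer message suggest. Writing the test in negated form rejects NaN as well: `if (!(matroska->time_scale * track->time_scale <= UINT_MAX)) return AVERROR_INVALIDDATA;`. The earlier range check on track->time_scale is only partly visible in this hunk, so it may already exclude that case.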
@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; From 5bb9d8affe128f071083695c88a58ddf5ce4fddf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Feb 2024 19:40:07 +0100 Subject: [PATCH 157/606] avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 4896e8f2c1..53ed413a4c 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -384,6 +384,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = avpriv_fopen_utf8(filename, "w"); if (!f) { int err = AVERROR(EINVAL); From 78e54e1361b8e0548770b1549377f275e5429b09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:27:13 +0100 Subject: [PATCH 158/606] avcodec/jpeg2000htdec: Check magp before using it in a shift Fixes: shift exponent -1 is negative Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19ad05e9e0f045b13de8de7300ca3bd34ea8ca53) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 691cfbd891..bedc9bc73e 100644 
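Review bot: The early return added to xml_export() gives the caller AVERROR(EINVAL) with no log line, and the trailing comment `// No frames ?` leaves the condition as a guess. A message before the return, such as `av_log(ctx, AV_LOG_ERROR, "No frames to export\n");`, and a comment that states what an empty `sc->coarseend->last` means would make this path diagnosable. The check also dereferences `sc->coarseend` unconditionally. Whether that pointer is always set, and whether any sibling export routine needs the same guard, is not visible from this hunk.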
--- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1887,7 +1887,7 @@ static inline void roi_scale_cblk(Jpeg2000Cblk *cblk, } } -static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) +static inline int tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) { Jpeg2000T1Context t1; @@ -1912,6 +1912,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile int nb_precincts, precno; Jpeg2000Band *band = rlevel->band + bandno; int cblkno = 0, bandpos; + /* See Rec. ITU-T T.800, Equation E-2 */ + int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; bandpos = bandno + (reslevelno > 0); @@ -1919,6 +1921,11 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile band->coord[1][0] == band->coord[1][1]) continue; + if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) { + avpriv_request_sample(s->avctx, "JPEG2000_CTSY_HTJ2K_F and magp >= 31"); + return AVERROR_PATCHWELCOME; + } + nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y; /* Loop on precincts */ for (precno = 0; precno < nb_precincts; precno++) { @@ -1929,8 +1936,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno++) { int x, y, ret; - /* See Rec. ITU-T T.800, Equation E-2 */ - int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; Jpeg2000Cblk *cblk = prec->cblk + cblkno; @@ -1970,6 +1975,7 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data); } /*end comp */ + return 0; } #define WRITE_FRAME(D, PIXEL) \ 
@@ -2046,7 +2052,9 @@ static int jpeg2000_decode_tile(AVCodecContext *avctx, void *td, AVFrame *picture = td; Jpeg2000Tile *tile = s->tile + jobnr; - tile_codeblocks(s, tile); + int ret = tile_codeblocks(s, tile); + if (ret < 0) + return ret; /* inverse MCT transformation */ if (tile->codsty[0].mct) From ab84c37d63f31383bf3c4db537be954a7bf5b6d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 02:51:29 +0100 Subject: [PATCH 159/606] avcodec/jpeg2000htdec: warn about non zero roi shift MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 7b7eea8e63f761a0d0611d15c24170e40c62402c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000htdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000htdec.c b/libavcodec/jpeg2000htdec.c index 6b9898d3ff..4f0b10b429 100644 --- a/libavcodec/jpeg2000htdec.c +++ b/libavcodec/jpeg2000htdec.c @@ -1198,6 +1198,9 @@ ff_jpeg2000_decode_htj2k(const Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c av_assert0(width * height <= 4096); av_assert0(width * height > 0); + if (roi_shift) + avpriv_report_missing_feature(s->avctx, "ROI shift"); + memset(t1->data, 0, t1->stride * height * sizeof(*t1->data)); memset(t1->flags, 0, t1->stride * (height + 2) * sizeof(*t1->flags)); From 38261d8cbd65f971e9047a5880976cea86f3a4de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 03:35:18 +0100 Subject: [PATCH 160/606] avformat/mxfdec: Check first case of offset_temp computation for overflow This is kind of ugly Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long' Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
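Review bot: The error now returned from jpeg2000_decode_tile() only helps if its caller inspects per-job results, and that call site is outside this hunk. The `jobnr` index suggests the function runs as a job callback. If it is dispatched without a result array and the dispatcher's return value is ignored, the AVERROR_PATCHWELCOME from tile_codeblocks() would be dropped and the frame reported as decoded. This is worth confirming at the call site. A one-line comment on tile_codeblocks() stating that it returns 0 or a negative AVERROR code would document the new contract.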
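Review bot: The added `avpriv_report_missing_feature(s->avctx, "ROI shift")` sits in ff_jpeg2000_decode_htj2k(), which looks like per-codeblock code judging by the `width * height <= 4096` assertions. A stream with a non-zero ROI shift may therefore emit the message once per block. Decoding also continues after the report, so output for such streams is presumably wrong rather than rejected. Reporting once where roi_shift is parsed, or guarding the call with a per-context flag, would keep the log bounded on malformed input. The function body continues outside the hunk.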
Signed-off-by: Michael Niedermayer (cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index b7b9207a5b..283b0616ed 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1900,9 +1900,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ From 56999f9353c0980e76d771f2988cdc41ff40cb26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Mar 2024 19:51:43 +0100 Subject: [PATCH 161/606] avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index e39f1ac987..6604b019b4 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
@@ -6102,6 +6102,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT || mov->mode == MODE_AVIF) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From 27d48ddd8f20d8c0c469d0ecaebbd321e48b9143 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 18:29:46 +0200 Subject: [PATCH 162/606] avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 283b0616ed..89fb49180c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -248,7 +248,7 @@ typedef struct MXFFFV1SubDescriptor { typedef struct MXFIndexTableSegment { MXFMetadataSet meta; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; From 93d6513bbece6d632e711289cc04212ebb80601b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Mar 2024 23:07:01 +0100 Subject: [PATCH 163/606] avformat/aiffdec: Check for previously set channels Fixes: out of array access (av_channel_layout_copy()) Fixes: 67087/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4920720268263424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23b29f72eeb2ff6f2176ee74b9abe78aec4cd1f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) 
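Review bot: The range test in ff_mov_write_packet() is applied to `dts - pts`, while the commit title is about cts, which is conventionally `pts - dts`. The two ranges differ at one end: `dts - pts == INT32_MIN` passes the check, yet the corresponding cts of 2^31 does not fit in 32 bits. Testing the value that is actually stored closes that gap: `(uint64_t)pkt->pts - pkt->dts != (int32_t)((uint64_t)pkt->pts - pkt->dts)`. The message is logged at AV_LOG_WARNING although the packet is rejected, so AV_LOG_ERROR would match the outcome, and printing both timestamps would make the report actionable. The hunk does not show whether pkt->dts can still be AV_NOPTS_VALUE at this point.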
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 5314d159ef..5b38c65cd6 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -106,6 +106,8 @@ static int get_aiff_header(AVFormatContext *s, int64_t size, size++; par->codec_type = AVMEDIA_TYPE_AUDIO; channels = avio_rb16(pb); + if (par->ch_layout.nb_channels && par->ch_layout.nb_channels != channels) + return AVERROR_INVALIDDATA; par->ch_layout.nb_channels = channels; num_frames = avio_rb32(pb); par->bits_per_coded_sample = avio_rb16(pb); From 2da196b39a16e2c7244d61c04d9a123e1cb5a78e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 02:07:28 +0100 Subject: [PATCH 164/606] avformat/mpegts: Reset local nb_prg on add_program() failure add_program() will deallocate the whole array on failure so we must clear nb_prgs Fixes: null pointer dereference Fixes: crash-35a3b39ddcc5babeeb005b7399a3a1217c8781bc Found-by: Catena cyber Signed-off-by: Michael Niedermayer (cherry picked from commit cb9752d897de17212a7a3ce54ad3e16b377b22c0) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 9babe68126..e70fe90f06 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2604,7 +2604,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len FFSWAP(struct Program, ts->prg[nb_prg], ts->prg[prg_idx]); if (prg_idx >= nb_prg) nb_prg++; - } + } else + nb_prg = 0; } } ts->nb_prg = nb_prg; From 72b27f4f70fc81e9ee28dab325d2d203dfa231e5 Mon Sep 17 00:00:00 2001 
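Review bot: In the mpegts.c hunk the reason for `nb_prg = 0` exists only in the commit message, so in the code the bare `else` reads as if valid entries were being discarded. A comment on that branch would keep it from being reverted later, for example `/* add_program() frees the whole ts->prg array on failure, so nothing counted so far is still valid */`. The else arm is also unbraced while its `if` arm is braced, and `} else { nb_prg = 0; }` is less fragile. The loop keeps iterating after the failure, and pat_cb()'s loop header is outside the hunk.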
From: Michael Niedermayer Date: Mon, 1 Apr 2024 22:11:54 +0200 Subject: [PATCH 165/606] avcodec/apedec: Use NABS to avoid undefined negation Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 67738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5444313212321792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1887ff250cfd1e69c08bca21cc53e30a39e26818) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index d31c067152..4f4fd54833 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void predictor_decode_stereo_3950(APEContext *ctx, int count) int32_t left = a1 - (unsigned)(a0 / 2); int32_t right = left + (unsigned)a0; - if (FFMAX(FFABS(left), FFABS(right)) > (1<<23)) { + if (FFMIN(FFNABS(left), FFNABS(right)) < -(1<<23)) { ctx->interim_mode = !interim_mode; av_log(ctx->avctx, AV_LOG_VERBOSE, "Interim mode: %d\n", ctx->interim_mode); break; From e85ea8baaa6681a4181cf81703ee726317a5878a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 02:15:07 +0200 Subject: [PATCH 166/606] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Fixes: Timeout Fixes: 67645/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6308760977997824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589fa8a027f3b1707d78d7c45335acc498a5e887) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b30d3b7404..9f8a015a45 100644 --- a/libavcodec/exr.c 
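Review bot: The rewritten condition in predictor_decode_stereo_3950(), `FFMIN(FFNABS(left), FFNABS(right)) < -(1<<23)`, is equivalent to the old one but reads as a double negative, and nothing in the code says why it is written that way. A one-line comment would stop a later cleanup from restoring the FFABS form, for example `/* compare negated magnitudes: FFABS() is undefined for INT32_MIN */`. The function body starts and ends outside the hunk.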
+++ b/libavcodec/exr.c @@ -334,7 +334,10 @@ static int huf_unpack_enc_table(GetByteContext *gb, return ret; for (; im <= iM; im++) { - uint64_t l = freq[im] = get_bits(&gbit, 6); + uint64_t l; + if (get_bits_left(&gbit) < 6) + return AVERROR_INVALIDDATA; + l = freq[im] = get_bits(&gbit, 6); if (l == LONG_ZEROCODE_RUN) { int zerun = get_bits(&gbit, 8) + SHORTEST_LONG_RUN; From 58475c6988cc51c3c49814aa60c90d37046b0aae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 02:18:57 +0200 Subject: [PATCH 167/606] avcodec/exr: Dont use 64bits to hold 6bits Signed-off-by: Michael Niedermayer (cherry picked from commit e3984de6ffd6068efcfb5c576f1ec788211608fe) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9f8a015a45..207d687a4b 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -334,7 +334,7 @@ static int huf_unpack_enc_table(GetByteContext *gb, return ret; for (; im <= iM; im++) { - uint64_t l; + int l; if (get_bits_left(&gbit) < 6) return AVERROR_INVALIDDATA; l = freq[im] = get_bits(&gbit, 6); From 7c8c94279c6fbc107eb4091c3cc96365c59115e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 22:56:02 +0200 Subject: [PATCH 168/606] avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr() Fixes: memleak Fixes: 67442/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5068813261406208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit d157725cf726adc29385d264eaf79ae430b1f3e5) Signed-off-by: Michael Niedermayer --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index 6d019881e5..954ba1ec4f 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c 
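Review bot: The first exr.c hunk guards only the 6-bit read. The `get_bits(&gbit, 8)` in the LONG_ZEROCODE_RUN branch directly below has no matching `get_bits_left()` test in the visible lines. If the bit reader is bounds-checked, the next iteration's test will end the loop, but an explicit check removes that dependency: `if (get_bits_left(&gbit) < 8) return AVERROR_INVALIDDATA;` before the 8-bit read. The rest of the loop body in huf_unpack_enc_table() is outside the hunk, so a later check may already cover it.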
@@ -358,6 +358,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext st->codecpar->extradata_size, 1, fc); if (ret < 0) return ret; + av_channel_layout_uninit(&st->codecpar->ch_layout); st->codecpar->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; st->codecpar->ch_layout.nb_channels = cfg.channels; if (cfg.object_type == 29 && cfg.sampling_index < 3) // old mp3on4 From b38902646c83a9bf656928765dc18d6d066e0653 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Apr 2024 02:13:05 +0200 Subject: [PATCH 169/606] doc/developer: (security) researchers should be credited MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a5422196d0283918a1aa996a81bd51522f34fda) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 26dc5b9749..a55599d4fa 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -396,6 +396,10 @@ If you apply a patch, send an answer to ffmpeg-devel (or wherever you got the patch from) saying that you applied the patch. +@subheading Credit any researchers +If a commit/patch fixes an issues found by some researcher, always credit the +researcher in the commit message for finding/reporting the issue. + @subheading Always wait long enough before pushing changes Do NOT commit to code actively maintained by others without permission. Send a patch to ffmpeg-devel. If no one answers within a reasonable From b94d2dd59a217ab224a3a54d4f9d5e362eb284eb Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:15:27 +0200 Subject: [PATCH 170/606] avcodec/wavarc: fix signed integer overflow in block type 6/19 Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int' Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28c7094b25b689185155a6833caf2747b94774a4) Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index aa1af6330b..e121f1bc61 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -648,7 +648,7 @@ static int decode_5elp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] += ac_out[n] + (sum >> 4); + samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); } for (int n = 0; n < 70; n++) From 610da8475f838230c40e7c1f94fd103e961684a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:31:40 +0200 Subject: [PATCH 171/606] swscale/utils: Fix xInc overflow Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int' Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index d78a6d50ff..d50b437a62 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
@@ -564,7 +564,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } From eb480d18722e4602935e93f75295efed3b76840b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:38:20 +0200 Subject: [PATCH 172/606] avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 89fb49180c..f5215b0163 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1266,6 +1266,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; From fce939153240a4952ecbb41e131347bcdcbda565 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 13 Feb 2024 14:20:55 +0100 Subject: [PATCH 173/606] fate/subtitles: Ignore line endings for sub-scc test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since 7bf1b9b35769b37684dd2f18a54f01d852a540c8, the test produces ordinary \n, yet this is not what the reference file used for the most time, leading to test failures. Reviewed-by: Martin Storsjö 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 99d33cc661fbd04e8657831b818042b11f1862a2) Signed-off-by: Michael Niedermayer --- tests/fate/subtitles.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak index 59595b9cc1..d5895bc914 100644 --- a/tests/fate/subtitles.mak +++ b/tests/fate/subtitles.mak @@ -114,6 +114,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc +fate-sub-scc: CMP = diff FATE_SUBTITLES-$(call DEMMUX, SCC, SCC) += fate-sub-scc-remux fate-sub-scc-remux: CMD = fmtstdout scc -i $(TARGET_SAMPLES)/sub/witch.scc -ss 4:00 -map 0 -c copy From 9593b727e2751e5a79be86a7327a98f3422fa505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Apr 2024 01:02:08 +0200 Subject: [PATCH 174/606] Update for 6.1.2 Signed-off-by: Michael Niedermayer --- Changelog | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 97 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 2dca1d96c7..d8bbe1b08a 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,101 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 6.1.2 + fate/subtitles: Ignore line endings for sub-scc test + avformat/mxfdec: Check index_edit_rate + swscale/utils: Fix xInc overflow + avcodec/wavarc: fix signed integer overflow in block type 6/19 + doc/developer: (security) researchers should be credited + avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr() + avcodec/exr: Dont use 64bits to hold 6bits + avcodec/exr: Check for remaining bits in huf_unpack_enc_table() + avcodec/apedec: Use NABS to avoid undefined negation + avformat/mpegts: Reset local nb_prg on add_program() failure + avformat/aiffdec: Check for previously set channels + avformat/mxfdec: Make edit_unit_byte_count unsigned + avformat/movenc: Check that cts fits in 32bit + avformat/mxfdec: Check first case of offset_temp computation for overflow + avcodec/jpeg2000htdec: warn about non zero roi shift + avcodec/jpeg2000htdec: Check magp before using it in a shift + avfilter/vf_signature: Dont crash on no frames + avformat/westwood_vqa: Fix 2g packets + avformat/matroskadec: Check timescale + avformat/wavdec: satuarte next_tag_ofs, data_end + avformat/wavdec: sanity check channels and bps before using them for block_align + avformat/sbgdec: Check for negative duration + avformat/rpl: Use 64bit for total_audio_size and check it + avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() + avformat/mov: use 64bit for intermediate for rounding + avformat/jacosubdec: Use 64bit for abs + avformat/concatdec: Check user_duration sum + avcodec/wavarc: avoid signed integer overflow in AC code + avcodec/wavarc: Avoid signed integer overflow in sample + avcodec/truemotion1: Height not being a multiple of 4 is unsupported + avcodec/rtv1: fix undefined FFALIGN + avcodec/hcadec: do not allow code to continue after failed init + avcodec/hcadec: do not set hfr_group_count to 
invalid values + avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() + avcodec/osq: avoid several signed integer overflows + avformat/jacosubdec: clarify code + avformat/cafdec: Check that data chunk end fits within 64bit + avformat/iff: Saturate avio_tell() + 12 + avformat/dxa: Adjust order of operations around block align + avformat/cafdec: dont seek beyond 64bit + avformat/id3v2: read_uslt() check for the amount read + avcodec/vmixdec: Check shift before use + avformat/mov: Check sample_count and auxiliary_info_default_size to be 0 + avformat/wady: Check >0 samplerate and channels 1 || 2. + avcodec/cbs_h266_syntax_template: Check tile_y + avcodec/proresenc_kostya: Remove bug similarity text + avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() + avformat/concatdec: Check in and outpoints to be to produce a positive representable duration + avcodec/8bps: Consider width in the minimal size check + libswscale/utils: Fix bayer to yuvj + swscale/swscale: Check srcSliceH for bayer + swscale/utils: Allocate more dithererror + avcodec/indeo3: Round dimensions up in allocate_frame_buffers() + avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers + avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure + avfilter/signature_lookup: dont leave uncleared pointers in sll_free() + avcodec/mpegvideo_enc: Use ptrdiff_t for stride + libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. 
+ avformat/mov: Check if a key is longer than the atom containing it + avcodec/nvenc: support SDK 12.2 bit depth API + avcodec/nvenc: stop using long deprecated format specifiers + avfilter/buffersrc: fix overriding unknown channel layouts with negotiated one + avfilter/af_channelmap: disallow channel index 64 + avfilter/af_channelmap: fix mapping if in_channel was a string but out_channel was not specified + avfilter/af_channelmap: fix error message if FL source channel was missing + avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer + avformat/mov: don't abort on duplicate Mastering Display Metadata boxes + fftools/ffplay: use correct buffersink channel layout parameters + avformat/mpegts: detect synchronous metadata KLV more reliably + swresample/resample: fix rounding errors with filter_size=1 and phase_shift=0 + avformat/mxfdec: remove resolve_strong_ref usage with AnyType + avfilter/vf_convolution: add float user_rdiv[4] to allow user options to apply correctly + avformat/libsrt: use SRT_EPOLL_IN for waiting for an incoming connection + avformat/mxfdec: do not use AnyType when resolving Descriptors and MultipleDescriptors + avformat/mxfdec: move resolving Descriptors to the multi descriptor resolve function + avutil/hwcontext_d3d11va: prefer DXGI 1.1 factory when available + avcodec/libsvtav1: send the EOS signal without a one frame delay to allow for the library to operate in a low-delay mode + avcodec/libsvtav1: add version guard for external param + lavc/vvc: Read subpic ID when only one subpicture is present + lavc/vvc: Correct sps_num_subpics_minus1 minimum + avcodec/cbs_h2645: Avoid function pointer casts, fix UB + avcodec/cbs_h266_syntax_template: Don't omit unused function parameter + avcodec/cbs_h266_syntax_template: check aps_adaptation_parameter_set_id + lavc/vvc: Add check to num_multi_layer_olss + avcodec/cbs_h266: fix logic setting num_layers_in_ols when vps_ols_mode_idc is 2 + avcodec/av1dec: fix matrix coefficients 
exposed by codec context + {avcodec,tests}: rename the bundled Mesa AV1 vulkan video headers + avformat/mov_chan: never override number of channels based on chan atom + avformat/mov_chan: do not assume channels are in native order + avfft: avoid overreads with RDFT API users + avcodec/nvdec: don't free NVDECContext->bitstream + avcodec/mediacodecdec: fix return EAGAIN after EOF + + version 6.1.1 - avcodec/mpegvideo_enc: Dont copy beyond the image - avfilter/vf_minterpolate: Check pts before division diff --git a/RELEASE b/RELEASE index f3b5af39e4..5e3254243a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -6.1.1 +6.1.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index dd9af6a20d..45b0797cbf 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 6.1.1 +PROJECT_NUMBER = 6.1.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From f914c18de502a3bd8a907149f8742605f7798c0c Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 17 Dec 2023 20:50:53 +0800 Subject: [PATCH 175/606] avcodec/mediacodecenc: set quality in cq mode From AOSP doc, these values are device and codec specific, but lower values generally result in more efficient (smaller-sized) encoding. For example, global_quality 50 on Pixel 6 results a 1080P 30 FPS HEVC with 3744 kb/s, while global_quality 80 results 28178 kb/s. Fix #10689 Signed-off-by: Zhao Zhili (cherry picked from commit 287e22f745c0b7290ce1e80fc7cd161b41ca6997) --- libavcodec/mediacodecenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mediacodecenc.c b/libavcodec/mediacodecenc.c index a1ae5d5ec5..7eae542248 100644 --- a/libavcodec/mediacodecenc.c +++ b/libavcodec/mediacodecenc.c 
@@ -268,8 +268,11 @@ static av_cold int mediacodec_init(AVCodecContext *avctx) if (avctx->bit_rate) ff_AMediaFormat_setInt32(format, "bitrate", avctx->bit_rate); - if (s->bitrate_mode >= 0) + if (s->bitrate_mode >= 0) { ff_AMediaFormat_setInt32(format, "bitrate-mode", s->bitrate_mode); + if (s->bitrate_mode == BITRATE_MODE_CQ && avctx->global_quality > 0) + ff_AMediaFormat_setInt32(format, "quality", avctx->global_quality); + } // frame-rate and i-frame-interval are required to configure codec if (avctx->framerate.num >= avctx->framerate.den && avctx->framerate.den > 0) { s->fps = avctx->framerate.num / avctx->framerate.den; From 670c823406612697b394d4933e03d3e1a176474f Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 27 Oct 2023 14:26:50 +0200 Subject: [PATCH 176/606] avfilter/buffersrc: switch to activate Fixes OOM when caller keeps adding frames into filtergraph that reached EOF by other means, for example EOF is signalled by other filter in filtergraph or by buffersink. (cherry picked from commit 84e400ae37b1e2849a3ead399ef86c808356cdd6) --- libavfilter/buffersrc.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index 9e51320393..fbbf9b75e8 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -36,6 +36,7 @@ #include "audio.h" #include "avfilter.h" #include "buffersrc.h" +#include "filters.h" #include "formats.h" #include "internal.h" #include "video.h" @@ -194,7 +195,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!frame) return av_buffersrc_close(ctx, s->last_pts, flags); if (s->eof) - return AVERROR(EINVAL); + return AVERROR_EOF; s->last_pts = frame->pts + frame->duration; 
@@ -484,21 +485,28 @@ static int config_props(AVFilterLink *link) return 0; } -static int request_frame(AVFilterLink *link) +static int activate(AVFilterContext *ctx) { - BufferSourceContext *c = link->src->priv; + AVFilterLink *outlink = ctx->outputs[0]; + BufferSourceContext *c = ctx->priv; - if (c->eof) - return AVERROR_EOF; + if (!c->eof && ff_outlink_get_status(outlink)) { + c->eof = 1; + return 0; + } + + if (c->eof) { + ff_outlink_set_status(outlink, AVERROR_EOF, c->last_pts); + return 0; + } c->nb_failed_requests++; - return AVERROR(EAGAIN); + return FFERROR_NOT_READY; } static const AVFilterPad avfilter_vsrc_buffer_outputs[] = { { .name = "default", .type = AVMEDIA_TYPE_VIDEO, - .request_frame = request_frame, .config_props = config_props, }, }; @@ -507,7 +515,7 @@ const AVFilter ff_vsrc_buffer = { .name = "buffer", .description = NULL_IF_CONFIG_SMALL("Buffer video frames, and make them accessible to the filterchain."), .priv_size = sizeof(BufferSourceContext), - + .activate = activate, .init = init_video, .uninit = uninit, @@ -521,7 +529,6 @@ static const AVFilterPad avfilter_asrc_abuffer_outputs[] = { { .name = "default", .type = AVMEDIA_TYPE_AUDIO, - .request_frame = request_frame, .config_props = config_props, }, }; @@ -530,7 +537,7 @@ const AVFilter ff_asrc_abuffer = { .name = "abuffer", .description = NULL_IF_CONFIG_SMALL("Buffer audio frames, and make them accessible to the filterchain."), .priv_size = sizeof(BufferSourceContext), - + .activate = activate, .init = init_audio, .uninit = uninit, From 1606aab99bd84f0040fb0fa6ccccb092941f01ec Mon Sep 17 00:00:00 2001 
From: Paul B Mahol Date: Fri, 1 Dec 2023 16:59:07 +0100 Subject: [PATCH 177/606] avfilter/avfilter: fix OOM case for default activate Fixes OOM when caller keeps adding frames into filtergraph that reached EOF by other means, for example EOF is signalled by other filter in filtergraph or by buffersink. (cherry picked from commit d9e41ead82263e96ebd14d4d88d6e7f858dd944c) --- libavfilter/avfilter.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index ab7782862a..bde1c33d07 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -1167,6 +1167,16 @@ static int ff_filter_activate_default(AVFilterContext *filter) { unsigned i; + for (i = 0; i < filter->nb_outputs; i++) { + int ret = filter->outputs[i]->status_in; + + if (ret) { + for (int j = 0; j < filter->nb_inputs; j++) + ff_inlink_set_status(filter->inputs[j], ret); + return 0; + } + } + for (i = 0; i < filter->nb_inputs; i++) { if (samples_ready(filter->inputs[i], filter->inputs[i]->min_samples)) { return ff_filter_frame_to_filter(filter->inputs[i]); From ebb406db7c7b1fff5223d824fa3bbe3cd1402685 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 5 May 2024 23:59:47 -0400 Subject: [PATCH 178/606] lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's The proper type was used until 73251678c83cbe24d08264da693411b166239bc7. This covers all of the OS's that currently have V4L2 support, permutations of Linux glibc/musl, Android bionic, FreeBSD, NetBSD, OpenBSD, Solaris. Copied from FreeBSD ports patch. Signed-off-by: Brad Smith Signed-off-by: Marton Balint (cherry picked from commit 9e674b31606c805dd31b4bb754364a72a5877238) Signed-off-by: Brad Smith --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 5e85d1a2b3..33bd26ead9 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c 
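Review bot: In the loop added at the top of ff_filter_activate_default, the first output whose `status_in` is set closes every input, so on a filter with more than one output a single finished branch would end the others as well. If that is not intended, propagate a status only once all outputs report one, as sketched below. The inner `int j` is also compared against `filter->nb_inputs` while the outer loop uses `unsigned i`; reusing the unsigned index would keep the two consistent (the field's type is not visible here, so this is inferred). The rest of the function lies outside the hunk.

```c
    /* … unchanged: declaration of i … */
    unsigned nb_closed = 0;
    int status = 0;

    for (i = 0; i < filter->nb_outputs; i++) {
        if (filter->outputs[i]->status_in) {
            status = filter->outputs[i]->status_in;
            nb_closed++;
        }
    }

    /* Close the inputs only when no output can take data any more. */
    if (filter->nb_outputs && nb_closed == filter->nb_outputs) {
        for (i = 0; i < filter->nb_inputs; i++)
            ff_inlink_set_status(filter->inputs[i], status);
        return 0;
    }
    /* … unchanged: samples_ready loop over the inputs … */
```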
@@ -107,10 +107,10 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#ifdef __GLIBC__ - int (*ioctl_f)(int fd, unsigned long int request, ...); -#else +#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ int (*ioctl_f)(int fd, int request, ...); +#else + int (*ioctl_f)(int fd, unsigned long int request, ...); #endif ssize_t (*read_f)(int fd, void *buffer, size_t n); void *(*mmap_f)(void *start, size_t length, int prot, int flags, int fd, int64_t offset); From a01ed5273350d869017b7ec26efd3da0866b1de4 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 07:38:40 -0400 Subject: [PATCH 179/606] avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD Use the machdep.altivec sysctl on NetBSD for AltiVec detection as is done with OpenBSD. (cherry picked from commit 115c96b9bd53e775f425f23d5b73fa0a9dedbd08) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index bc8bb5f47c..2b13cda662 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -27,7 +27,7 @@ #if HAVE_UNISTD_H #include #endif -#elif defined(__OpenBSD__) +#elif defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include @@ -56,8 +56,8 @@ int ff_get_cpu_flags_ppc(void) if (result == VECTORTYPE_ALTIVEC) return AV_CPU_FLAG_ALTIVEC; return 0; -#elif defined(__APPLE__) || defined(__OpenBSD__) -#ifdef __OpenBSD__ +#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) int sels[2] = {CTL_MACHDEP, CPU_ALTIVEC}; #else int sels[2] = {CTL_HW, HW_VECTORUNIT}; From 66f2cf8958edb55545724f127d3f39ae7b1c024a Mon Sep 17 00:00:00 2001 
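Review bot: The new `#if defined(__sun) || defined(__BIONIC__) || defined(__musl__)` test in struct video_data relies on `__musl__`, which musl, as far as I know, deliberately does not define, so musl builds would take the `#else` branch and declare `ioctl_f` with `unsigned long int request` while the libc prototype takes `int`. Assigning `ioctl` to a pointer of the other type is an incompatible-pointer conversion that newer compilers reject, and calling through it is undefined. A configure-time probe of the actual prototype, tested here instead of libc identification macros, would cover musl and any other libc. At minimum a comment should state which branch each supported libc is expected to take.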
From: Brad Smith Date: Sun, 7 Jan 2024 00:55:51 -0500 Subject: [PATCH 180/606] avutil/thread: add support for setting thread name on *bsd and solaris FreeBSD/DragonFly/Solaris use pthread_setname_np(). OpenBSD uses pthread_set_name_np(). Signed-off-by: Brad Smith Signed-off-by: Marton Balint (cherry picked from commit fd16d8c68cd7b820eda76c407b0645b7cf470efd) Signed-off-by: Brad Smith --- configure | 10 ++++++++++ libavutil/thread.h | 14 ++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/configure b/configure index a89cfa6d95..9ca9f949b6 100755 --- a/configure +++ b/configure @@ -2227,6 +2227,7 @@ HEADERS_LIST=" opencv2_core_core_c_h OpenGL_gl3_h poll_h + pthread_np_h sys_param_h sys_resource_h sys_select_h @@ -2329,6 +2330,8 @@ SYSTEM_FUNCS=" posix_memalign prctl pthread_cancel + pthread_set_name_np + pthread_setname_np sched_getaffinity SecItemImport SetConsoleTextAttribute @@ -6460,6 +6463,7 @@ check_headers malloc.h check_headers mftransform.h check_headers net/udplite.h check_headers poll.h +check_headers pthread_np.h check_headers sys/param.h check_headers sys/resource.h check_headers sys/select.h @@ -6625,6 +6629,12 @@ if ! disabled pthreads && ! enabled w32threads && ! enabled os2threads; then if enabled pthreads; then check_builtin sem_timedwait semaphore.h "sem_t *s; sem_init(s,0,0); sem_timedwait(s,0); sem_destroy(s)" $pthreads_extralibs check_func pthread_cancel $pthreads_extralibs + hdrs=pthread.h + if enabled pthread_np_h; then + hdrs="$hdrs pthread_np.h" + fi + check_lib pthread_set_name_np "$hdrs" pthread_set_name_np -lpthread + check_lib pthread_setname_np "$hdrs" pthread_setname_np -lpthread fi fi diff --git a/libavutil/thread.h b/libavutil/thread.h index 2ded498c89..fa74dd2ea7 100644 --- a/libavutil/thread.h +++ b/libavutil/thread.h @@ -26,6 +26,8 @@ #if HAVE_PRCTL #include +#elif (HAVE_PTHREAD_SETNAME_NP || HAVE_PTHREAD_SET_NAME_NP) && HAVE_PTHREAD_NP_H +#include #endif #include "error.h" 
@@ -213,11 +215,19 @@ static inline int ff_thread_once(char *control, void (*routine)(void)) static inline int ff_thread_setname(const char *name) { + int ret = 0; + #if HAVE_PRCTL - return AVERROR(prctl(PR_SET_NAME, name)); + ret = AVERROR(prctl(PR_SET_NAME, name)); +#elif HAVE_PTHREAD_SETNAME_NP + ret = AVERROR(pthread_setname_np(pthread_self(), name)); +#elif HAVE_PTHREAD_SET_NAME_NP + pthread_set_name_np(pthread_self(), name); +#else + ret = AVERROR(ENOSYS); #endif - return AVERROR(ENOSYS); + return ret; } #endif /* AVUTIL_THREAD_H */ From 2aad37688cedf7675a55137d326c7d931f587138 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 5 Feb 2024 00:31:27 +0100 Subject: [PATCH 181/606] avutil/thread: fix pthread_setname_np parameters for NetBSD and Apple Signed-off-by: Marton Balint (cherry picked from commit 71ea90638efa56b4cd006bfa6cfb464d2169692d) Signed-off-by: Brad Smith --- libavutil/thread.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/thread.h b/libavutil/thread.h index fa74dd2ea7..2c00c7cc35 100644 --- a/libavutil/thread.h +++ b/libavutil/thread.h @@ -220,7 +220,13 @@ static inline int ff_thread_setname(const char *name) #if HAVE_PRCTL ret = AVERROR(prctl(PR_SET_NAME, name)); #elif HAVE_PTHREAD_SETNAME_NP +#if defined(__APPLE__) + ret = AVERROR(pthread_setname_np(name)); +#elif defined(__NetBSD__) + ret = AVERROR(pthread_setname_np(pthread_self(), "%s", name)); +#else ret = AVERROR(pthread_setname_np(pthread_self(), name)); +#endif #elif HAVE_PTHREAD_SET_NAME_NP pthread_set_name_np(pthread_self(), name); #else From b4681bd6ecfb2fb4b4512a98e68edda536af7ca5 Mon Sep 17 00:00:00 2001 
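Review bot: In ff_thread_setname, `ret = AVERROR(prctl(PR_SET_NAME, name));` converts prctl's return value rather than errno: prctl reports failure as -1, so, assuming AVERROR negates its argument as elsewhere in libavutil, the caller gets +1 instead of a negative error code. `ret = prctl(PR_SET_NAME, name) < 0 ? AVERROR(errno) : 0;` would match the pthread_setname_np branch, which does return an errno value directly (errno should already be in scope through "error.h", but confirm). The `pthread_set_name_np` branch returns nothing, so `ret` staying 0 there is correct but deserves a short comment such as `/* returns void, failure is not reported */`.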
From: Marton Balint Date: Sat, 11 May 2024 22:54:24 +0200 Subject: [PATCH 182/606] avformat/mp3dec: only call ffio_ensure_seekback once Otherwise the subsequent ffio_ensure_seekback calls destroy the buffer of the earlier. The worst case ~66kB seekback is so small it is easier to request it entirely. Fixes ticket #10837, a regression since 0d17f5228f4d3854066ec1001f69c7d1714b0df9. Signed-off-by: Marton Balint (cherry picked from commit b0053172199b54a806a4147cda8567a2f1823bc0) --- libavformat/mp3dec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 05c13228bc..6423becf35 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -32,6 +32,7 @@ #include "replaygain.h" #include "libavcodec/codec_id.h" +#include "libavcodec/mpegaudio.h" #include "libavcodec/mpegaudiodecheader.h" #define XING_FLAG_FRAMES 0x01 @@ -400,15 +401,16 @@ static int mp3_read_header(AVFormatContext *s) if (ret < 0) return ret; + ret = ffio_ensure_seekback(s->pb, 64 * 1024 + MPA_MAX_CODED_FRAME_SIZE + 4); + if (ret < 0) + return ret; + off = avio_tell(s->pb); for (i = 0; i < 64 * 1024; i++) { uint32_t header, header2; int frame_size; - if (!(i&1023)) - ffio_ensure_seekback(s->pb, i + 1024 + 4); frame_size = check(s->pb, off + i, &header); if (frame_size > 0) { - ffio_ensure_seekback(s->pb, i + 1024 + frame_size + 4); ret = check(s->pb, off + i + frame_size, &header2); if (ret >= 0 && (header & MP3_MASK) == (header2 & MP3_MASK)) From 306ed3f30182bbdc5f7ba9e81d57679d96d121f6 Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Sun, 12 May 2024 19:10:18 +0200 Subject: [PATCH 183/606] avformat/mp3dec: simplify inner frame size check in mp3_read_header We are protecting the checked buffer with ffio_ensure_seekback(), so if the inner check fails with a seek error, that likely means the end of file was reached when checking for the next frame. This could also be the result of a wrongly guessed (larger than normal) frame size, so let's continue the loop instead of breaking out early. It will end sooner or later anyway. Signed-off-by: Marton Balint (cherry picked from commit b75e604fe5cd7da9ca713f20d1ade18d50319aff) --- libavformat/mp3dec.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 6423becf35..eee9c17c0b 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -412,14 +412,8 @@ static int mp3_read_header(AVFormatContext *s) frame_size = check(s->pb, off + i, &header); if (frame_size > 0) { ret = check(s->pb, off + i + frame_size, &header2); - if (ret >= 0 && - (header & MP3_MASK) == (header2 & MP3_MASK)) - { + if (ret >= 0 && (header & MP3_MASK) == (header2 & MP3_MASK)) break; - } else if (ret == CHECK_SEEK_FAILED) { - av_log(s, AV_LOG_ERROR, "Invalid frame size (%d): Could not seek to %"PRId64".\n", frame_size, off + i + frame_size); - return AVERROR(EINVAL); - } } else if (frame_size == CHECK_SEEK_FAILED) { av_log(s, AV_LOG_ERROR, "Failed to read frame size: Could not seek to %"PRId64".\n", (int64_t) (i + 1024 + frame_size + 4)); return AVERROR(EINVAL); From fcce52871326e0ca722a01c951bbf780a5d463fc Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 12 May 2024 19:26:24 +0200 Subject: [PATCH 184/606] avformat/mp3dec: change bogus error message if read_header encounters EOF Because of ffio_ensure_seekback() a seek error normally should only happen if the end of file is reached during checking for the junk run-in. Also use proper error code. 
Signed-off-by: Marton Balint (cherry picked from commit 49e018d6fee689af6b30b773d83f545d74b8d9aa) --- libavformat/mp3dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index eee9c17c0b..a0edb195b5 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -415,8 +415,8 @@ static int mp3_read_header(AVFormatContext *s) if (ret >= 0 && (header & MP3_MASK) == (header2 & MP3_MASK)) break; } else if (frame_size == CHECK_SEEK_FAILED) { - av_log(s, AV_LOG_ERROR, "Failed to read frame size: Could not seek to %"PRId64".\n", (int64_t) (i + 1024 + frame_size + 4)); - return AVERROR(EINVAL); + av_log(s, AV_LOG_ERROR, "Failed to find two consecutive MPEG audio frames.\n"); + return AVERROR_INVALIDDATA; } } if (i == 64 * 1024) { From ab4fcc06ce95f59e50569315ac3c5679ab28857e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 30 Apr 2024 19:16:49 +0200 Subject: [PATCH 185/606] avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash Regression since fd172185580c1ccdcfb90bbfdb59fa806fad3117; triggered by vp4/KTkvw8dg1J8.avi in the FATE suite, but not when running fate as this code is not used when the bitexact flag is set. Bisecting done by ami_stuff, patch from user Mika Fischer in ticket #10027 (which this commit fixes). Signed-off-by: Andreas Rheinhardt (cherry picked from commit c3ca90a92e7211aef8ad1d044518a34f6ba137d7) --- libavcodec/x86/vp3dsp_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/vp3dsp_init.c b/libavcodec/x86/vp3dsp_init.c index f54fa57b3e..edac1764cb 100644 --- a/libavcodec/x86/vp3dsp_init.c +++ b/libavcodec/x86/vp3dsp_init.c 
@@ -53,7 +53,7 @@ av_cold void ff_vp3dsp_init_x86(VP3DSPContext *c, int flags) if (!(flags & AV_CODEC_FLAG_BITEXACT)) { c->v_loop_filter = c->v_loop_filter_unaligned = ff_vp3_v_loop_filter_mmxext; - c->h_loop_filter = c->v_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; + c->h_loop_filter = c->h_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; } } From 572985605f04baaeeb01730d54475398cc7d1b40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:43:19 +0200 Subject: [PATCH 186/606] avfilter/signature_lookup: Fix 2 differences to the refernce SW Fixes: CID1403227 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 25cb66369e7b81bd280f0bdd6d51a0e2e11881e3) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index ad012ecced..208e9cb936 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -501,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == (STATUS_END_REACHED | STATUS_BEGIN_REACHED) || From 057b8d65e3c5dd6d149560e8a941c843ec804c98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:57:43 +0200 Subject: [PATCH 187/606] avfilter/signature_lookup: Dont copy uninitialized stuff around Fixes: CID1403238 Uninitialized pointer read Fixes: CID1403239 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund 
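Review bot: In evaluate_parameters (libavfilter/signature_lookup.c), the division `meandist = (double) distsum / (double) goodfcount;` is only safe because the changed test `goodfcount*0.5 <= FFMAX(gooda, goodb)` now also skips the `goodfcount == 0` case, and nothing in the code says so. That holds as long as `gooda` and `goodb` are never negative, which is not visible in this hunk. A comment on the comparison, for example `/* <= also rejects goodfcount == 0, which the division below relies on */`, would keep a later edit from reintroducing the division by zero. The function starts and ends outside the hunk.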
Signed-off-by: Michael Niedermayer (cherry picked from commit e7174e66ac6025cea4b8e590525314d3aea6a134) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 208e9cb936..362825935f 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -453,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } From d92ef4f846fd52744599d98fa16e2dc764422c6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:09:54 +0200 Subject: [PATCH 188/606] avfilter/vf_thumbnail_cuda: Set ret before checking it Fixes: CID1418336 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Timo Rothenpieler Signed-off-by: Michael Niedermayer (cherry picked from commit 02301017d28422e4d0a4badb16f2226e70ec534a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_thumbnail_cuda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_thumbnail_cuda.c b/libavfilter/vf_thumbnail_cuda.c index c8dd905123..40a3b75dd0 100644 --- a/libavfilter/vf_thumbnail_cuda.c +++ b/libavfilter/vf_thumbnail_cuda.c @@ -290,7 +290,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) hist[i] = 4 * hist[i]; } - CHECK_CU(cu->cuCtxPopCurrent(&dummy)); + ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy)); if (ret < 0) return ret; From 3d742d20ab8268250ca5a946dae2c5a5bd8dafec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:23:10 +0200 Subject: [PATCH 189/606] avcodec/cbs_h2645: Check NAL space Found-by-reviewing: CID1419833 Untrusted loop bound Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit b91e3c4c908228901b1ec120d59ddf5a86c3b3b8) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index ccd0626472..68c9aeded9 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -708,7 +708,11 @@ static int cbs_h2645_split_fragment(CodedBitstreamContext *ctx, start = bytestream2_tell(&gbc); for(i = 0; i < num_nalus; i++) { + if (bytestream2_get_bytes_left(&gbc) < 2) + return AVERROR_INVALIDDATA; size = bytestream2_get_be16(&gbc); + if (bytestream2_get_bytes_left(&gbc) < size) + return AVERROR_INVALIDDATA; bytestream2_skip(&gbc, size); } end = bytestream2_tell(&gbc); From 66bcc6463e5397047873a4c1b4d5b3a2dd93d61a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 190/606] doc/examples/qsv_transcode: Simplify loop Fixes: CID1428858(2/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 82cce209349d2a7c893a4f9691ec8698704b0486) Signed-off-by: Michael Niedermayer --- doc/examples/qsv_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/qsv_transcode.c b/doc/examples/qsv_transcode.c index 48128b200c..1d7fea966f 100644 --- a/doc/examples/qsv_transcode.c +++ b/doc/examples/qsv_transcode.c @@ -334,10 +334,8 @@ static int dec_enc(AVPacket *pkt, const AVCodec *enc_codec, char *optstr) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From f72b41c42100d94ceed9b105d1bd5f950917828f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 191/606] doc/examples/vaapi_transcode: Simplify loop Fixes: CID1428858(1/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit c9c11a0866d45827201b034349bceb2dc58a3499) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/vaapi_transcode.c b/doc/examples/vaapi_transcode.c index 8367cb3040..e1b7a43883 100644 --- a/doc/examples/vaapi_transcode.c +++ b/doc/examples/vaapi_transcode.c @@ -215,10 +215,8 @@ static int dec_enc(AVPacket *pkt, const AVCodec *enc_codec) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From 9493a2d06619290cf154494b8c497a4daa0b5880 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:28:00 +0200 Subject: [PATCH 192/606] doc/examples/qsv_transcode: Simplify str_to_dict() loop Fixes: CID1517022 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 191950d1bfc3924d1b54f236b2c35149ba4487a1) Signed-off-by: Michael Niedermayer --- doc/examples/qsv_transcode.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/examples/qsv_transcode.c b/doc/examples/qsv_transcode.c index 1d7fea966f..10f5b6859f 100644 --- a/doc/examples/qsv_transcode.c +++ b/doc/examples/qsv_transcode.c @@ -75,8 +75,7 @@ static int str_to_dict(char* optstr, AVDictionary **opt) if (value == NULL) return AVERROR(ENAVAIL); av_dict_set(opt, key, value, 0); - } while(key != NULL); - return 0; + } while(1); } static int dynamic_set_parameter(AVCodecContext *avctx) From 69e12a3f431eec36b4f7df6d2c31f3412b4f676d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:30:20 +0200 Subject: [PATCH 193/606] doc/examples/qsv_transcode: Initialize pointer before free Fixees: CID1517023 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit cae0f2bc550312c99655057f8ffab5b59556ceeb) Signed-off-by: Michael Niedermayer --- doc/examples/qsv_transcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/examples/qsv_transcode.c b/doc/examples/qsv_transcode.c index 10f5b6859f..bc5617d96c 100644 --- a/doc/examples/qsv_transcode.c +++ b/doc/examples/qsv_transcode.c @@ -341,7 +341,7 @@ int main(int argc, char **argv) { const AVCodec *enc_codec; int ret = 0; - AVPacket *dec_pkt; + AVPacket *dec_pkt = NULL; if (argc < 5 || (argc - 5) % 2) { av_log(NULL, AV_LOG_ERROR, "Usage: %s " From 1f090edd02afb56e56810be42eda42452005fada Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 00:09:02 +0200 Subject: [PATCH 194/606] avcodec/hevcdec: Check ref frame Fixes: NULL pointer dereferences Fixes: 68197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6382538823106560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5eb05f44503da3fdff82f1fed8ee2706d9841a9a) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index b267f6ebcf..b47975a9b5 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
@@ -1961,13 +1961,13 @@ static void hls_prediction_unit(HEVCLocalContext *lc, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0 || !ref0->frame->data[0]) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1 || !ref1->frame->data[0]) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From 554787a53e95f09f49efdfeb2a3f56582852699e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 23:22:53 +0200 Subject: [PATCH 195/606] avcodec/pngdec: Check last AVFrame before deref Fixes: NULL pointer dereference Fixes: 68184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4926478069334016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 091fdce87e88c8622d8af89ffa6cbb0dc20c3816) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index d812ffd348..657d0a9f4e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1158,7 +1158,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - if ((sequence_number == 0 || !s->last_picture.f->data[0]) && + if ((sequence_number == 0 || !s->last_picture.f) && dispose_op == APNG_DISPOSE_OP_PREVIOUS) { // No previous frame to revert to for the first frame // Spec says to just treat it as a APNG_DISPOSE_OP_BACKGROUND From b8d75b8ebc8fdfdc18fe768db8502ea65fa22c98 Mon Sep 17 00:00:00 2001 
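Review bot: In hls_prediction_unit, `if (!ref0 || !ref0->frame)` (and the same for `ref1`) drops the old `data[0]` test entirely, so a reference whose AVFrame is allocated but holds no buffer is no longer rejected before `hevc_await_progress` and the prediction that follows. Whether `->frame` can be non-NULL yet empty on this branch is not visible here; if the frames are preallocated, the removed test was the one doing the work. Keeping both, `if (!ref0 || !ref0->frame || !ref0->frame->data[0])`, covers either layout. The pngdec hunk in decode_fctl_chunk makes the same substitution on `s->last_picture.f` and would take `!s->last_picture.f || !s->last_picture.f->data[0]`.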
From: Michael Niedermayer Date: Sun, 28 Apr 2024 21:09:45 +0200 Subject: [PATCH 196/606] avcodec/ac3_parser: Check init_get_bits8() for failure Fixes: CID1420393 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 63415168dbd96475372e37ae0fd47bafe151e2f0) Signed-off-by: Michael Niedermayer --- libavcodec/ac3_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 13b8d3b7d8..283139288c 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -204,7 +204,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size, AC3HeaderInfo hdr; int err; - init_get_bits8(&gb, buf, size); + err = init_get_bits8(&gb, buf, size); + if (err < 0) + return AVERROR_INVALIDDATA; err = ff_ac3_parse_header(&gb, &hdr); if (err < 0) return AVERROR_INVALIDDATA; From e67741feea1fca56be19e4a4ae25ca077e425673 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 22:57:53 +0200 Subject: [PATCH 197/606] avcodec/atrac9dec: Check init_get_bits8() for failure Fixes: CID1439569 Unchecked return value Fixes: CID1439578 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 615c994739cacbeb0a2f48f8271d911fcd0b4303) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index d24a8e3f79..a2b094629c 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -801,7 +801,9 @@ static int atrac9_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (ret < 0) return ret; - init_get_bits8(&gb, avpkt->data, avpkt->size); + ret = init_get_bits8(&gb, avpkt->data, avpkt->size); + if (ret < 0) + return ret; for (int i = 0; i < frames; i++) { for (int j = 0; j < s->block_config->count; j++) { 
@@ -923,7 +925,9 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - init_get_bits8(&gb, avctx->extradata + 4, avctx->extradata_size); + err = init_get_bits8(&gb, avctx->extradata + 4, avctx->extradata_size); + if (err < 0) + return err; if (get_bits(&gb, 8) != 0xFE) { av_log(avctx, AV_LOG_ERROR, "Incorrect magic byte!\n"); From 115853a821b62774980f9e3e273ad257afe7232c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Apr 2024 23:44:25 +0200 Subject: [PATCH 198/606] avformat/kvag: Check sample_rate Fixes: Division by 0 Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit c26a762ea1bf028a33554a5f7a18d8dd7d82f5a8) Signed-off-by: Michael Niedermayer --- libavformat/kvag.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/kvag.c b/libavformat/kvag.c index 9487e7dd0e..3654a9e8e4 100644 --- a/libavformat/kvag.c +++ b/libavformat/kvag.c @@ -37,7 +37,7 @@ typedef struct KVAGHeader { uint32_t magic; uint32_t data_size; - uint32_t sample_rate; + int sample_rate; uint16_t stereo; } KVAGHeader; @@ -69,6 +69,9 @@ static int kvag_read_header(AVFormatContext *s) hdr.sample_rate = AV_RL32(buf + 8); hdr.stereo = AV_RL16(buf + 12); + if (hdr.sample_rate <= 0) + return AVERROR_INVALIDDATA; + par = st->codecpar; par->codec_type = AVMEDIA_TYPE_AUDIO; par->codec_id = AV_CODEC_ID_ADPCM_IMA_SSI; From 19e6b871b6c1fd02deb96898d6660857a3952f82 Mon Sep 17 00:00:00 2001 
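Review bot: In atrac9_decode_init, `init_get_bits8(&gb, avctx->extradata + 4, avctx->extradata_size)` starts the reader 4 bytes into the buffer but still passes the full length, so the reader's limit ends 4 bytes past the extradata. The newly added return check does not catch that; the length should be `avctx->extradata_size - 4`. The size validation that precedes this call is outside the hunk, so confirm it guarantees at least 4 bytes before subtracting.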
From: Michael Niedermayer Date: Fri, 26 Apr 2024 03:46:33 +0200 Subject: [PATCH 199/606] avformat/mxfdec: Check body_offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 20a6bfda0f7c6447ac94611736cee6e9ce6972a0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f5215b0163..de78b781d4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; From e886fe5542cd3bd5de47c54bd31a7d5a398d5571 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 15:50:56 +0200 Subject: [PATCH 200/606] avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 Fixes: CID1506708 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a7c4f119c91bcb3791a3c242ee61a5c60379db4f) Signed-off-by: Michael Niedermayer --- libavcodec/avs2_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/avs2_parser.c b/libavcodec/avs2_parser.c index 200134f91d..0d68ab1d00 100644 --- a/libavcodec/avs2_parser.c +++ b/libavcodec/avs2_parser.c 
@@ -72,13 +72,15 @@ static void parse_avs2_seq_header(AVCodecParserContext *s, const uint8_t *buf, unsigned aspect_ratio; unsigned frame_rate_code; int low_delay; + av_unused int ret; // update buf_size_min if parse more deeper const int buf_size_min = 15; if (buf_size < buf_size_min) return; - init_get_bits8(&gb, buf, buf_size_min); + ret = init_get_bits8(&gb, buf, buf_size_min); + av_assert1(ret >= 0); s->key_frame = 1; s->pict_type = AV_PICTURE_TYPE_I; From 77d5f217f3cc82442cdbc9aed41a0d4a5ece9398 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:17:25 +0200 Subject: [PATCH 201/606] avcodec/avs3_parser: assert the return value of init_get_bits() Fixes: CID1492867 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f9218e4d52e16494ed816651a110dfe0ad22638c) Signed-off-by: Michael Niedermayer --- libavcodec/avs3_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/avs3_parser.c b/libavcodec/avs3_parser.c index a819b5783d..ea495b1c7c 100644 --- a/libavcodec/avs3_parser.c +++ b/libavcodec/avs3_parser.c @@ -73,7 +73,8 @@ static void parse_avs3_nal_units(AVCodecParserContext *s, const uint8_t *buf, GetBitContext gb; int profile, ratecode, low_delay; - init_get_bits8(&gb, buf + 4, buf_size - 4); + av_unused int ret = init_get_bits(&gb, buf + 4, 100); + av_assert1(ret >= 0); s->key_frame = 1; s->pict_type = AV_PICTURE_TYPE_I; From 270ad2fd2f6a6ead1031023957570fd1197e92a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 13:10:57 +0200 Subject: [PATCH 202/606] avcodec/av1dec: bit_depth cannot be another values than 8,10,12 Fixes: CID1544265 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit fd7d24fa3f39fc1013fb0d06b42c98b8ff1f8942) 
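Review bot: In parse_avs3_nal_units the reader's limit is now a fixed 100 bits from `buf + 4`, where it used to be derived from `buf_size - 4`, so the bound no longer follows the amount of data actually passed in. 100 bits span 13 bytes, which needs `buf_size >= 17`; no such check is visible in the hunk, and for a shorter buffer the reads would be limited only by whatever padding follows it. Either keep the size-derived bound or guard the constant, e.g. `if (buf_size < 4 + 13) return;`, and give the 100 a name. The function starts and ends outside the hunk, so an existing length check may already cover part of this.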
Signed-off-by: Michael Niedermayer --- libavcodec/av1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 4ae050addf..ccc21e933f 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -467,7 +467,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_YUV444P12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } else if (seq->color_config.subsampling_x == 1 && seq->color_config.subsampling_y == 0) { if (bit_depth == 8) @@ -477,7 +477,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_YUV422P12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } else if (seq->color_config.subsampling_x == 1 && seq->color_config.subsampling_y == 1) { if (bit_depth == 8) @@ -487,7 +487,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_YUV420P12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } } else { if (bit_depth == 8) @@ -497,7 +497,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_GRAY12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } return pix_fmt; From c42b520ba580e7d068d44c2cf20ca41b43f23e3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 00:10:01 +0200 Subject: [PATCH 203/606] avcodec/av1dec: Change bit_depth to int Suggested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 69b4d9736b0d0ad01c41fcae2d66eaa534b76969) Signed-off-by: Michael Niedermayer --- libavcodec/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index ccc21e933f..8ff42d389f 100644 --- a/libavcodec/av1dec.c 
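Review bot: The four `av_assert0(0);` fallbacks in get_sw_pixel_format (hunks at -467, -477, -487 and -497) replace a logged warning with an unconditional abort, and nothing next to them says why the branch cannot be taken. bit_depth is derived from sequence-header fields above these hunks, so the invariant is not visible where it is relied on; a comment on the first assert such as `/* bit_depth is derived above and can only be 8, 10 or 12 */` would document it. If that derivation ever changes, falling through with `pix_fmt` left at `AV_PIX_FMT_NONE` would fail the stream rather than the whole process.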
+++ b/libavcodec/av1dec.c @@ -443,7 +443,7 @@ static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_gro static enum AVPixelFormat get_sw_pixel_format(void *logctx, const AV1RawSequenceHeader *seq) { - uint8_t bit_depth; + int bit_depth; enum AVPixelFormat pix_fmt = AV_PIX_FMT_NONE; if (seq->seq_profile == 2 && seq->color_config.high_bitdepth) From e434c789af78d9acf8c2025578ee45c234c34006 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:35 +0200 Subject: [PATCH 204/606] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a56559e688ffde40fcda5588123ffcb978da86d7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 8849a3201a..0b6c77e167 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1207,8 +1207,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
@@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
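Review bot: Only the luma terms were moved to `SUINT`; in this hunk `G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff;` and `B = U * c->yuv2rgb_u2b_coeff;` are still computed in signed `int`, so the same out-of-range input that overflowed the luma path can presumably overflow these products as well. Doing the multiplication in unsigned, e.g. `B = U * (SUINT)c->yuv2rgb_u2b_coeff;`, would treat chroma the same way as luma. The same lines appear in the -1278 hunk and in yuv2rgba64_full_1_c_template (-1448 and -1481). The computation of R and the scaling of Y1/Y2 lie between the hunks and are not visible.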
@@ -1253,8 +1253,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
@@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 6ed54900f73a277129cdfbe4beda000e5e984e5f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:36 +0200 Subject: [PATCH 205/606] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1330a73ccadd855542ac4386f75fd72ff0ab5ea1) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 0b6c77e167..b234f9c6b9 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1429,7 +1429,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1448,9 +1448,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; 
@@ -1462,7 +1462,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1481,9 +1481,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 5017839ca0beee8ddc6cd6e8530c48af0c6e011e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:38 +0200 Subject: [PATCH 206/606] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 Fixes: signed integer overflow: 2097152000 + 107142979 cannot be represented in type 'int' Fixes: 67919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5955101769400320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a2ec2bd49317ab16a3c30c0824efc580ea9a8aef) Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index e121f1bc61..536c74e478 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c 
@@ -690,7 +690,7 @@ static int decode_5elp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] += ac_out[n] + (sum >> 4); + samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); } for (int n = 0; n < 70; n++) From e2afcd74ce77f7bd1b9f7d7626258f1d24688b6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 23:30:51 +0200 Subject: [PATCH 207/606] avcodec/amrwbdec: assert mode to be valid in decode_fixed_vector() Inspired-by: CID1473499 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a3bb269db92601e2dc0e99352468d02f7b26c7c2) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 9d75b972fa..21a730b835 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -26,6 +26,7 @@ #include "config.h" +#include "libavutil/avassert.h" #include "libavutil/channel_layout.h" #include "libavutil/common.h" #include "libavutil/lfg.h" @@ -554,6 +555,8 @@ static void decode_fixed_vector(float *fixed_vector, const uint16_t *pulse_hi, decode_6p_track(sig_pos[i], (int) pulse_lo[i] + ((int) pulse_hi[i] << 11), 4, 1); break; + default: + av_assert2(0); } memset(fixed_vector, 0, sizeof(float) * AMRWB_SFR_SIZE); From 1cb422a0ad42fe0e7f7137033ef9d20367210ba7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Apr 2024 18:38:42 +0200 Subject: [PATCH 208/606] avcodec/mpegvideo_enc: Fix 1 line and one column images Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c20e364cac..9d048e3dec 100644 
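Review bot: The `default: av_assert2(0);` added to the switch in decode_fixed_vector is only compiled in at assert level 2, so in an ordinary build an unexpected mode still leaves the switch without any `sig_pos` entry having been written, which is presumably the uninitialized read the commit message refers to. If mode is validated by the caller, a comment at the default label naming that check would let a reader confirm the branch is unreachable. If it is not, the assert alone does not protect release builds, and the function needs a defined fallback for that case. The switch and its caller start outside the hunk.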
--- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1198,8 +1198,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? s->chroma_x_shift : 0; int v_shift = i ? s->chroma_y_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); const uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; From ff547f5fd4984b59513d5ee8806fce7206c715f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Apr 2024 00:47:31 +0200 Subject: [PATCH 209/606] avformat/concatdec: Check file Fixes: null pointer dereference Fixes: -stream_loop 1 -ss 00:00:05 -i zgclab/ffmpeg_crash/poc2 -codec:v copy -codec:a aac -y output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit a5d1497f33afa17b6a3578b66638e69bf8a558de) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 11c7f75fc0..cbddcc0af6 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -638,6 +638,11 @@ static int concat_parse_script(AVFormatContext *avf) } } + if (!file) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if (file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) { if (file->inpoint > file->outpoint || file->outpoint - (uint64_t)file->inpoint > INT64_MAX) From 36713f42ab54acd83070c5502a75501c4b4c92fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:08:14 +0200 Subject: [PATCH 210/606] doc/examples/demux_decode: Simplify loop Fixes: CID1463550 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 91d27f7e02e5bec4b6e53cc7a7f15df8be017bb3) 
Signed-off-by: Michael Niedermayer --- doc/examples/demux_decode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/demux_decode.c b/doc/examples/demux_decode.c index f26611d8f4..64f5547bc4 100644 --- a/doc/examples/demux_decode.c +++ b/doc/examples/demux_decode.c @@ -138,11 +138,9 @@ static int decode_packet(AVCodecContext *dec, const AVPacket *pkt) ret = output_audio_frame(frame); av_frame_unref(frame); - if (ret < 0) - return ret; } - return 0; + return ret; } static int open_codec_context(int *stream_idx, From b91b594dbd5d83b0afcc68e1d99a17ef95ba607d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 18:33:24 +0200 Subject: [PATCH 211/606] tools/opt_common: Check for malloc failure Fixes: CID1539100 Negative loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ba7038043a46420bc86b060dbb13b956ea50ac03) Signed-off-by: Michael Niedermayer --- fftools/opt_common.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fftools/opt_common.c b/fftools/opt_common.c index 02d7048c42..6259097ee8 100644 --- a/fftools/opt_common.c +++ b/fftools/opt_common.c @@ -724,10 +724,13 @@ int show_codecs(void *optctx, const char *opt, const char *arg) return 0; } -static void print_codecs(int encoder) +static int print_codecs(int encoder) { const AVCodecDescriptor **codecs; - unsigned i, nb_codecs = get_codecs_sorted(&codecs); + int i, nb_codecs = get_codecs_sorted(&codecs); + + if (nb_codecs < 0) + return nb_codecs; printf("%s:\n" " V..... = Video\n" 
@@ -762,18 +765,17 @@ static void print_codecs(int encoder) } } av_free(codecs); + return 0; } int show_decoders(void *optctx, const char *opt, const char *arg) { - print_codecs(0); - return 0; + return print_codecs(0); } int show_encoders(void *optctx, const char *opt, const char *arg) { - print_codecs(1); - return 0; + return print_codecs(1); } int show_bsfs(void *optctx, const char *opt, const char *arg) From cc773eba6bc8288b9d9069f7d1988262f7c8fb7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 01:10:50 +0200 Subject: [PATCH 212/606] fftools/ffplay: Check return of swr_alloc_set_opts2() This probably makes no difference but its more correct Fixes: CID1503080 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f44f44155533822922f6d2f24e5c53c14e432612) Signed-off-by: Michael Niedermayer --- fftools/ffplay.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 5bf2070a8d..37f67da67f 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -2353,12 +2353,13 @@ static int audio_decode_frame(VideoState *is) av_channel_layout_compare(&af->frame->ch_layout, &is->audio_src.ch_layout) || af->frame->sample_rate != is->audio_src.freq || (wanted_nb_samples != af->frame->nb_samples && !is->swr_ctx)) { + int ret; swr_free(&is->swr_ctx); - swr_alloc_set_opts2(&is->swr_ctx, + ret = swr_alloc_set_opts2(&is->swr_ctx, &is->audio_tgt.ch_layout, is->audio_tgt.fmt, is->audio_tgt.freq, &af->frame->ch_layout, af->frame->format, af->frame->sample_rate, 0, NULL); - if (!is->swr_ctx || swr_init(is->swr_ctx) < 0) { + if (ret < 0 || swr_init(is->swr_ctx) < 0) { av_log(NULL, AV_LOG_ERROR, "Cannot create sample rate converter for conversion of %d Hz %s %d channels to %d Hz %s %d channels!\n", af->frame->sample_rate, av_get_sample_fmt_name(af->frame->format), af->frame->ch_layout.nb_channels, 
From bc08dfdf5d9fa98e62bb2080f81fb80192cb2e58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:44:33 +0200 Subject: [PATCH 213/606] avcodec/cbs_av1: Avoid shift overflow Fixes: CID1465488 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d7924a4f60f2088de1e6790345caba929eb97030) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 1d9ac5ab44..fb82996022 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -301,7 +301,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb return AVERROR(ENOSPC); if (len > 0) - put_bits(pbc, len, (1 << len) - 1 - (value != range_max)); + put_bits(pbc, len, (1U << len) - 1 - (value != range_max)); CBS_TRACE_WRITE_END_NO_SUBSCRIPTS(); From f3931154bb43ce45564a00d03689b089de89073c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:13:17 +0200 Subject: [PATCH 214/606] libavutil/base64: Try not to write over the array end Signed-off-by: Michael Niedermayer (cherry picked from commit 2d216566f258badd07bc58de1e089b6e4175dc46) Signed-off-by: Michael Niedermayer --- libavutil/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/base64.c b/libavutil/base64.c index 3e66f4fcbe..69e11e6f5e 100644 --- a/libavutil/base64.c +++ b/libavutil/base64.c @@ -127,10 +127,12 @@ validity_check: } out3: - *dst++ = v >> 10; + if (end - dst) + *dst++ = v >> 10; v <<= 2; out2: - *dst++ = v >> 4; + if (end - dst) + *dst++ = v >> 4; out1: out0: return bits & 1 ? AVERROR_INVALIDDATA : out ? dst - out : 0; From 21efa2af5329a039fb11d1c47cb5dbcf68723c63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:14:16 +0200 Subject: [PATCH 215/606] avutil/tests/base64: Check with too short output array 
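Review bot: With the new `if (end - dst)` guards at out3 and out2 in libavutil/base64.c, the trailing byte is dropped when the output buffer is full and the function still returns `dst - out`, so a too-small buffer yields a short result that is indistinguishable from a complete decode. The test added in the next patch expects exactly this, so it is intended behaviour, but nothing in the code says so. A comment at the labels such as `/* output is truncated to out_size; the remaining decoded bytes are discarded */` would make the contract explicit. The guard would also read more directly as `if (dst < end)`. The rest of the decoder is outside the hunk.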
Signed-off-by: Michael Niedermayer (cherry picked from commit c304784a86cc7e2af211ed80ce2121e788680a8e) Signed-off-by: Michael Niedermayer --- libavutil/tests/base64.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c index 400e01cefe..66d0fdc1fc 100644 --- a/libavutil/tests/base64.c +++ b/libavutil/tests/base64.c @@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) From 2de1f26366c95b6936d7b323caf17b6ff1f5dec6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 20:50:44 +0200 Subject: [PATCH 216/606] avcodec/lpc: copy levenson coeffs only when they have been computed Fixes: CID1473514 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c2d897f3566fdf5c190583c6f5197ead5abec2ed) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index dc6a3060ce..415ec5b739 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -250,8 +250,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j Date: Mon, 6 May 2024 03:17:26 +0200 Subject: [PATCH 217/606] avcodec/h264_slice: Remove dead sps check Fixes: CID1439574 Dereference after null check Sponsored-by: Sovereign Tech Fund 
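Review bot: The two checks added to test_encode_decode print "out of array write" but only compare the return value; nothing inspects the bytes of `data2` beyond the shortened length, so a decoder that returns the right count and still writes one byte too far would pass. Setting a sentinel first, `data2[data_size - 1] = 0x55;`, and verifying it is unchanged after the `data_size - 1` call would test what the message claims. The size of `data2` is defined outside the hunk; the index is assumed to be in range because the full-length decode already writes `data_size` bytes there.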
Signed-off-by: Michael Niedermayer (cherry picked from commit a68aa951b21b8b7db0a5200bcfebc0a077a5f094) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 5c17edf9a4..aac6f26fb1 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1398,7 +1398,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, sps = h->ps.sps; - if (sps && sps->bitstream_restriction_flag && + if (sps->bitstream_restriction_flag && h->avctx->has_b_frames < sps->num_reorder_frames) { h->avctx->has_b_frames = sps->num_reorder_frames; } From b586ff27683af11315f3e637c08e0ec0a07d9f35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 May 2024 01:00:17 +0200 Subject: [PATCH 218/606] avcodec/h2645_sei: Remove dead checks Fixes: CID1596534 Dereference after null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit fdaa6ae2b62de51ac0584b51feec7b2369799549) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_sei.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/h2645_sei.c b/libavcodec/h2645_sei.c index cb6be0594b..adc0bd3e25 100644 --- a/libavcodec/h2645_sei.c +++ b/libavcodec/h2645_sei.c @@ -599,8 +599,7 @@ int ff_h2645_sei_to_frame(AVFrame *frame, H2645SEI *sei, if (!sd) av_buffer_unref(&a53->buf_ref); a53->buf_ref = NULL; - if (avctx) - avctx->properties |= FF_CODEC_PROPERTY_CLOSED_CAPTIONS; + avctx->properties |= FF_CODEC_PROPERTY_CLOSED_CAPTIONS; } for (unsigned i = 0; i < sei->unregistered.nb_buf_ref; i++) { @@ -686,8 +685,7 @@ int ff_h2645_sei_to_frame(AVFrame *frame, H2645SEI *sei, else fgc->present = fgc->persistence_flag; - if (avctx) - avctx->properties |= FF_CODEC_PROPERTY_FILM_GRAIN; + avctx->properties |= FF_CODEC_PROPERTY_FILM_GRAIN; } if (sei->ambient_viewing_environment.present) { 
From 41550b0ebb01f249371a7335966ad439557d1834 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 May 2024 23:29:26 +0200 Subject: [PATCH 219/606] avcodec/fmvc: remove dead assignment Fixes: CID1529220 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96c116254527cc40b386f14b77e17fbe2388d5da) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5e26a541ca..a9e5afd17b 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } From 3ee5567c545951545e5c85ef7854cbb3ece590fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 21:51:42 +0200 Subject: [PATCH 220/606] avcodec/decode: decode_simple_internal() only implements audio and video Fixes: CID1538861 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e9bb586543d83fe0ed901834b853b6d64e327529) Signed-off-by: Michael Niedermayer --- libavcodec/decode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/decode.c b/libavcodec/decode.c index 2cfb3fcf97..4c32bfb917 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c @@ -449,7 +449,8 @@ FF_ENABLE_DEPRECATION_WARNINGS } else if (avctx->codec->type == AVMEDIA_TYPE_AUDIO) { ret = !got_frame ? AVERROR(EAGAIN) : discard_samples(avctx, frame, discarded_samples); - } + } else + av_assert0(0); if (ret == AVERROR(EAGAIN)) av_frame_unref(frame); From c10b41608771569b0f55c23913da3b7aebbf753f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 23:25:10 +0200 Subject: [PATCH 221/606] avcodec/exr: Fix preview overflow Fixes: CID1515456 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 36126e4c142e43cc703f4b8c535d388ac5e403a4) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 207d687a4b..cffd250a3c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1942,7 +1942,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) "preview", 16)) >= 0) { uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); - uint64_t psize = pw * ph; + uint64_t psize = pw * (uint64_t)ph; if (psize > INT64_MAX / 4) { ret = AVERROR_INVALIDDATA; goto fail; From 28eb4663d6bd4d66300e3e2618d0ecc6732c6caa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 02:05:56 +0200 Subject: [PATCH 222/606] avcodec/qsvdec: Check av_image_get_buffer_size() for failure Fixes: CID1477406 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 8789c550faf4587527faf0bd4f6c6c5c64a04ae2) Signed-off-by: Michael Niedermayer --- libavcodec/qsvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/qsvdec.c b/libavcodec/qsvdec.c index b501964089..783bfddb45 100644 --- a/libavcodec/qsvdec.c +++ b/libavcodec/qsvdec.c @@ -378,9 +378,12 @@ static int qsv_decode_init_context(AVCodecContext *avctx, QSVContext *q, mfxVide q->frame_info = param->mfx.FrameInfo; - if (!avctx->hw_frames_ctx) - q->pool = av_buffer_pool_init(av_image_get_buffer_size(avctx->pix_fmt, - FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1), av_buffer_allocz); + if (!avctx->hw_frames_ctx) { + ret = av_image_get_buffer_size(avctx->pix_fmt, FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1); + if (ret < 0) + return ret; + q->pool = av_buffer_pool_init(ret, av_buffer_allocz); + } return 0; } From 236001ce0b6214bb9b62dbf63248d2b3e1dfcfb7 Mon Sep 17 00:00:00 2001 
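Review bot: In qsv_decode_init_context the result of `av_buffer_pool_init(ret, av_buffer_allocz)` is stored in `q->pool` and the function then returns 0 without testing it, so an allocation failure is reported as success. Adding `if (!q->pool) return AVERROR(ENOMEM);` inside the new block would close that. Reusing `ret` for the byte count also mixes a size into a variable that otherwise carries status codes; a separate local such as `int size` would read more clearly. The start of the function is outside the hunk.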
From: Michael Niedermayer Date: Fri, 10 May 2024 16:07:04 +0200 Subject: [PATCH 223/606] avcodec/jpeg2000dec: remove ST=3 case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1460979 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4ed4f9a6c0a99c823706bfc4bb4df53f963f2f5a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index bedc9bc73e..c958c27e3a 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -834,9 +834,6 @@ static int get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); From 6db10d3be05d25660b0dd6ea72a47a0632f94bb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 03:06:46 +0200 Subject: [PATCH 224/606] avcodec/vp8: Forward return of ff_vpx_init_range_decoder() Fixes: CID1507483 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 63feed1519c5e38d6ce146f265c48592236e3abc) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index ffc430dd32..6f21b9dd1a 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -354,9 +354,8 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) } s->coeff_partition_size[i] = buf_size; - ff_vpx_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - return 0; + return ff_vpx_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) From 1b9de6ff2839346a11ca32e0098c2b61427b478e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 18 May 2024 03:16:08 +0200 Subject: [PATCH 225/606] avcodec/vp3: Replace check by assert Fixes: CID1452425 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1b991e77b9b19392214f6a788541bea5662de337) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 25bfa9b094..22b5fa2400 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1999,8 +1999,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int x_offset = (-(x + 2) & 7) + 2; y_offset = (-(y + 2) & 7) + 2; - if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel) - return 0; + av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)); s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1, loop_stride, stride, From cc78679c840e1c0478758a65e9c503eaf138e3b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 00:32:43 +0200 Subject: [PATCH 226/606] avcodec/vble: Check av_image_get_buffer_size() for failure Fixes: CID1461482 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-.by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit dd5379db5d83d8b06654582afe327daa6be678a3) Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index 7711bf1bb1..d27ab658dd 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -191,6 +191,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { From d54198256e7318673c9967d5f348eb6299cc1245 Mon Sep 17 00:00:00 2001 
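Review bot: In the vp3.c hunk, `av_assert1()` is compiled out unless the build raises the assert level, so in a default build nothing guards the `emulated_edge_mc()` call that follows if the condition ever holds. From the two visible assignments, `x_offset` and `y_offset` range over 2..9, so (assuming the subpel values are non-negative) the asserted condition needs both offsets at 9 and both subpel values at 0; whatever rules that out is outside the hunk. A one-line comment above the assert naming the earlier check that makes this combination impossible would let a reader verify the claim instead of trusting the static-analysis verdict. `vp4_mc_loop_filter` begins and continues outside the hunk.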
From: Michael Niedermayer Date: Sun, 19 May 2024 00:47:11 +0200 Subject: [PATCH 227/606] avcodec/vqcdec: Check init_get_bits8() for failure Fixes: CID1516090 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 6a9302739f5b20791eac7f40d9d999f822227fd1) Signed-off-by: Michael Niedermayer --- libavcodec/vqcdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vqcdec.c b/libavcodec/vqcdec.c index 462d810a2f..17e4f1a959 100644 --- a/libavcodec/vqcdec.c +++ b/libavcodec/vqcdec.c @@ -145,10 +145,13 @@ static int decode_vectors(VqcContext * s, const uint8_t * buf, int size, int wid GetBitContext gb; uint8_t * vectors = s->vectors; uint8_t * vectors_end = s->vectors + (width * height * 3) / 2; + int ret; memset(vectors, 0, 3 * width * height / 2); - init_get_bits8(&gb, buf, size); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; for (int i = 0; i < 3 * width * height / 2 / 32; i++) { uint8_t * dst = vectors; From 94849755fb50580175315e306d2724720c6e1b77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 21:04:00 +0200 Subject: [PATCH 228/606] avcodec/mpeg12dec: Use 64bit in bit computation I dont think this can actually overflow but 64bit seems reasonable to use Fixes: CID1521983 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c725df059dd9a5f2071e204924105b3ceb74cbc) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 5dac83ebcd..e3a67acace 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c 
@@ -2934,7 +2934,7 @@ static int ipu_decode_frame(AVCodecContext *avctx, AVFrame *frame, int ret; // Check for minimal intra MB size (considering mb header, luma & chroma dc VLC, ac EOB VLC) - if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2 + 3*4 + 2*2 + 2*6)) + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2LL + 3*4 + 2*2 + 2*6)) return AVERROR_INVALIDDATA; ret = ff_get_buffer(avctx, frame, 0); From 8174b4206d6b4b59a8aab63b79b0413759a4c47d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 22:08:21 +0200 Subject: [PATCH 229/606] avcodec/mpeg4videodec: assert impossible wrap points Helps: CID1473517 Uninitialized scalar variable Helps: CID1473497 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8fc649b931a3cbc3a2dd9b50b75a9261a2fb4b49) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 97aec68981..54b3f33218 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -597,6 +597,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && From 7cc79bfda97cba5699cb984e11e1fbd052936a89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:13:58 +0200 Subject: [PATCH 230/606] avcodec/mpegvideo_enc: Fix potential overflow in RD Fixes: CID1500285 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6b2b01025e016ce29e5add57305384a663edcfc) 
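Review bot: In the mpeg12dec.c hunk, the `2LL` widens only the last multiplication: `*` associates left to right, so `(avctx->width+15)/16 * ((avctx->height+15)/16)` is still evaluated in `int` before the 64-bit factor is applied. If the whole right-hand side is meant to be computed in 64 bits, the wide operand has to come first, e.g. `if (avpkt->size*8LL < (2LL + 3*4 + 2*2 + 2*6) * ((avctx->width+15)/16) * ((avctx->height+15)/16))`. Whether the macroblock-count product can actually exceed `INT_MAX` depends on dimension limits enforced outside this hunk. `ipu_decode_frame` continues past the hunk.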
Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 9d048e3dec..c4c174a02e 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1433,7 +1433,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1442,7 +1442,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; From 4e53ea496cad07bec0ea96f65cd85e8832d0998b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:43:48 +0200 Subject: [PATCH 231/606] avcodec/mscc & mwsc: Check loop counts before use This could cause timeouts Fixes: CID1439568 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e35fe3d8b9e345527a05b1ae958ac851fe09f1ed) Signed-off-by: Michael Niedermayer --- libavcodec/mscc.c | 6 ++++++ libavcodec/mwsc.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index d1d23e6751..e467b48baf 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -53,6 +53,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb); 
@@ -101,6 +104,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index f8c53c33ff..a7e8702580 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -50,6 +50,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; @@ -61,6 +65,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; @@ -72,6 +80,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; From 2ffc47b37de0d39b356605aee72a0688ff7ad028 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 19:55:30 -0400 Subject: [PATCH 232/606] configure: enable ffnvcodec, nvenc, nvdec for FreeBSD Signed-off-by: Brad Smith (cherry picked from commit 43b1a956789bf0d5796769427d40c78e460c247f) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9ca9f949b6..126772b164 100755 --- a/configure +++ b/configure 
@@ -7170,7 +7170,7 @@ fi if enabled x86; then case $target_os in - mingw32*|mingw64*|win32|win64|linux|cygwin*) + freebsd|mingw32*|mingw64*|win32|win64|linux|cygwin*) ;; *) disable ffnvcodec cuvid nvdec nvenc From e821e6c21de9b71fcf287252d155468f116c19e4 Mon Sep 17 00:00:00 2001 From: llyyr Date: Thu, 23 May 2024 14:07:51 +0530 Subject: [PATCH 233/606] lavc/vp9: reset segmentation fields when segmentation isn't enabled Fields under the segmentation switch are never reset on a new frame, and retain the value from the previous frame. This bugs out a bunch of hwaccel drivers when segmentation is disabled but update_map isn't reset because they don't ignore values behind switches. This commit also resets the temporal field, though it may not be required. We also do this for vp8 [1] so this commit is just mirroring the vp8 logic. This fixes an issue with certain samples [2] that causes blocky artifacts with vaapi, d3d11va and cuda (and possibly others). Mesa worked around [3] this by ignoring these fields if segmentation.enabled is 0, but d3d11va still displays blocky artifacts. [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/2e877090f958131accb8c7e5ac10e5b9865d1735:/libavcodec/vp8.c#l797 [2] https://github.com/mpv-player/mpv/issues/13533 [3] https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27816 Signed-off-by: llyyr --- libavcodec/vp9.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 885500fdb4..1f586120c9 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c 
@@ -719,6 +719,12 @@ static int decode_frame_header(AVCodecContext *avctx, s->s.h.segmentation.feat[i].skip_enabled = get_bits1(&s->gb); } } + } else { + // Reset fields under segmentation switch if segmentation is disabled. + // This is necessary because some hwaccels don't ignore these fields + // if segmentation is disabled. + s->s.h.segmentation.temporal = 0; + s->s.h.segmentation.update_map = 0; } // set qmul[] based on Y/UV, AC/DC and segmentation Q idx deltas From c859363910a0dc52c17aa2d527c12f99c1a1a961 Mon Sep 17 00:00:00 2001 From: oltolm Date: Fri, 17 May 2024 21:10:49 +0200 Subject: [PATCH 234/606] avutil/hwcontext_qsv: fix GCC 14.1 warnings Tested-by: Tong Wu Signed-off-by: oltolm (cherry picked from commit 45d31614bcc54c5ccbaabf07e7336ac477e2b424) --- libavutil/hwcontext_qsv.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c index 1bfda9e69b..2548d698ed 100644 --- a/libavutil/hwcontext_qsv.c +++ b/libavutil/hwcontext_qsv.c @@ -36,6 +36,7 @@ #include "hwcontext_d3d11va.h" #endif #if CONFIG_DXVA2 +#include #include "hwcontext_dxva2.h" #endif @@ -739,9 +740,11 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) #if CONFIG_DXVA2 mfxStatus sts; IDirect3DDeviceManager9* devmgr = handle; - IDirect3DDevice9Ex *device = NULL; + IDirect3DDevice9 *device = NULL; + IDirect3DDevice9Ex *device_ex = NULL; HANDLE device_handle = 0; IDirect3D9Ex *d3d9ex = NULL; + IDirect3D9 *d3d9 = NULL; LUID luid; D3DDEVICE_CREATION_PARAMETERS params; HRESULT hr; 
@@ -759,18 +762,31 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) IDirect3DDeviceManager9_CloseDeviceHandle(devmgr, device_handle); goto fail; } - - hr = IDirect3DDevice9Ex_GetCreationParameters(device, ¶ms); + hr = IDirect3DDevice9_QueryInterface(device, &IID_IDirect3DDevice9Ex, (void **)&device_ex); + IDirect3DDevice9_Release(device); if (FAILED(hr)) { - av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9_GetCreationParameters %d\n", hr); - IDirect3DDevice9Ex_Release(device); + av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9_QueryInterface %d\n", hr); goto unlock; } - hr = IDirect3DDevice9Ex_GetDirect3D(device, &d3d9ex); + hr = IDirect3DDevice9Ex_GetCreationParameters(device_ex, ¶ms); if (FAILED(hr)) { - av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9Ex_GetAdapterLUID %d\n", hr); - IDirect3DDevice9Ex_Release(device); + av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9_GetCreationParameters %d\n", hr); + IDirect3DDevice9Ex_Release(device_ex); + goto unlock; + } + + hr = IDirect3DDevice9Ex_GetDirect3D(device_ex, &d3d9); + if (FAILED(hr)) { + av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9Ex_GetDirect3D %d\n", hr); + IDirect3DDevice9Ex_Release(device_ex); + goto unlock; + } + hr = IDirect3D9_QueryInterface(d3d9, &IID_IDirect3D9Ex, (void **)&d3d9ex); + IDirect3D9_Release(d3d9); + if (FAILED(hr)) { + av_log(ctx, AV_LOG_ERROR, "Error IDirect3D9_QueryInterface3D %d\n", hr); + IDirect3DDevice9Ex_Release(device_ex); goto unlock; } @@ -794,7 +810,7 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) release: IDirect3D9Ex_Release(d3d9ex); - IDirect3DDevice9Ex_Release(device); + IDirect3DDevice9Ex_Release(device_ex); unlock: IDirect3DDeviceManager9_UnlockDevice(devmgr, device_handle, FALSE); 
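Review bot: In the `@@ -759` hunk of hwcontext_qsv.c, two of the error strings do not match the calls they report: `"Error IDirect3D9_QueryInterface3D %d\n"` has a stray `3D`, and the message after `IDirect3DDevice9Ex_GetCreationParameters()` still names the non-Ex function. All messages in the hunk also print an `HRESULT` with `%d`; these codes are conventionally logged in hex, e.g. `av_log(ctx, AV_LOG_ERROR, "Error IDirect3D9_QueryInterface 0x%lx\n", (unsigned long)hr);`, which keeps the specifier matched to the argument and makes the failure code searchable. `qsv_d3d9_update_config` begins and ends outside the hunk.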
@@ -1334,8 +1350,9 @@ static int qsv_frames_derive_from(AVHWFramesContext *dst_ctx, case AV_HWDEVICE_TYPE_D3D11VA: { D3D11_TEXTURE2D_DESC texDesc; + AVD3D11VAFramesContext *dst_hwctx; dst_ctx->initial_pool_size = src_ctx->initial_pool_size; - AVD3D11VAFramesContext *dst_hwctx = dst_ctx->hwctx; + dst_hwctx = dst_ctx->hwctx; dst_hwctx->texture_infos = av_calloc(src_hwctx->nb_surfaces, sizeof(*dst_hwctx->texture_infos)); if (!dst_hwctx->texture_infos) From e3711d18f3fec0812b50f8d66563d25f40eddb4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:34:05 +0200 Subject: [PATCH 235/606] qsv: Initialize impl_value Fixes: The warnings from CID1598553 Uninitialized scalar variable Passing partly initialized structs is ugly and asking for hard to rieproduce bugs, The uninitialized fields where not used Reviewed-by: "Xiang, Haihao" Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c841cb45e81ebece26768c820c459b085668a37a) --- libavcodec/qsv.c | 2 +- libavutil/hwcontext_qsv.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/qsv.c b/libavcodec/qsv.c index 7563625627..452c0c6856 100644 --- a/libavcodec/qsv.c +++ b/libavcodec/qsv.c @@ -496,7 +496,7 @@ static int qsv_new_mfx_loader(AVCodecContext *avctx, mfxStatus sts; mfxLoader loader = NULL; mfxConfig cfg; - mfxVariant impl_value; + mfxVariant impl_value = {0}; loader = MFXLoad(); if (!loader) { diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c index 2548d698ed..f27e420868 100644 --- a/libavutil/hwcontext_qsv.c +++ b/libavutil/hwcontext_qsv.c @@ -674,7 +674,7 @@ static int qsv_d3d11_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) IDXGIDevice *pDXGIDevice = NULL; HRESULT hr; ID3D11Device *device = handle; - mfxVariant impl_value; + mfxVariant impl_value = {0}; hr = ID3D11Device_QueryInterface(device, &IID_IDXGIDevice, (void**)&pDXGIDevice); if (SUCCEEDED(hr)) { 
@@ -748,7 +748,7 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) LUID luid; D3DDEVICE_CREATION_PARAMETERS params; HRESULT hr; - mfxVariant impl_value; + mfxVariant impl_value = {0}; hr = IDirect3DDeviceManager9_OpenDeviceHandle(devmgr, &device_handle); if (FAILED(hr)) { @@ -830,7 +830,7 @@ static int qsv_va_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) VADisplayAttribute attr = { .type = VADisplayPCIID, }; - mfxVariant impl_value; + mfxVariant impl_value = {0}; vas = vaGetDisplayAttributes(dpy, &attr, 1); if (vas == VA_STATUS_SUCCESS && attr.flags != VA_DISPLAY_ATTRIB_NOT_SUPPORTED) { @@ -871,7 +871,7 @@ static int qsv_new_mfx_loader(void *ctx, mfxStatus sts; mfxLoader loader = NULL; mfxConfig cfg; - mfxVariant impl_value; + mfxVariant impl_value = {0}; *ploader = NULL; loader = MFXLoad(); From 07fac146530e1d10660e8e138360b0e3673aac9e Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 22 Jun 2024 22:49:14 -0400 Subject: [PATCH 236/606] aarch64: Add OpenBSD runtime detection of dotprod and i8mm using sysctl Signed-off-by: Brad Smith (cherry picked from commit 41190da9e11f536cb590df45ce9839974e5e6777) Signed-off-by: Brad Smith --- libavutil/aarch64/cpu.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libavutil/aarch64/cpu.c b/libavutil/aarch64/cpu.c index bd780e8591..d97d77fe60 100644 --- a/libavutil/aarch64/cpu.c +++ b/libavutil/aarch64/cpu.c 
@@ -82,6 +82,44 @@ static int detect_flags(void) return flags; } +#elif defined(__OpenBSD__) +#include +#include +#include +#include + +static int detect_flags(void) +{ + int flags = 0; + +#ifdef CPU_ID_AA64ISAR0 + int mib[2]; + uint64_t isar0; + uint64_t isar1; + size_t len; + + mib[0] = CTL_MACHDEP; + mib[1] = CPU_ID_AA64ISAR0; + len = sizeof(isar0); + if (sysctl(mib, 2, &isar0, &len, NULL, 0) != -1) { + if (ID_AA64ISAR0_DP(isar0) >= ID_AA64ISAR0_DP_IMPL) + flags |= AV_CPU_FLAG_DOTPROD; + } + + mib[0] = CTL_MACHDEP; + mib[1] = CPU_ID_AA64ISAR1; + len = sizeof(isar1); + if (sysctl(mib, 2, &isar1, &len, NULL, 0) != -1) { +#ifdef ID_AA64ISAR1_I8MM_IMPL + if (ID_AA64ISAR1_I8MM(isar1) >= ID_AA64ISAR1_I8MM_IMPL) + flags |= AV_CPU_FLAG_I8MM; +#endif + } +#endif + + return flags; +} + #elif defined(_WIN32) #include From 69bcdb457534a97b281063296b32ed0d6148a59a Mon Sep 17 00:00:00 2001 From: Josh Allmann Date: Thu, 20 Jun 2024 17:33:55 -0700 Subject: [PATCH 237/606] avcodec/nvenc: fix segfault in intra-only mode In intra-only mode, frameIntervalP is 0, which means the frame data array is smaller than the number of surfaces. Together with using the wrong size on deallocation of the frame_data_array, this lead to a crash. Signed-off-by: Timo Rothenpieler (cherry picked from commit c9151ea50715c4ce47ad1c8df519781565db01f6) --- libavcodec/nvenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index c1ab4e7265..6ba194a7f3 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
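Review bot: In the OpenBSD `detect_flags()`, `isar0` and `isar1` are uninitialized and only the `sysctl()` return value is checked, so if the kernel ever reports fewer than eight bytes the feature tests read indeterminate bits. Either initialize both to 0 or also compare the returned length, `if (sysctl(mib, 2, &isar0, &len, NULL, 0) != -1 && len == sizeof(isar0)) {`, and likewise for `isar1`. The second query also uses `CPU_ID_AA64ISAR1` under a guard that tests only `CPU_ID_AA64ISAR0`; that is presumably safe because the two are defined together, but a short comment saying so would help.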
@@ -982,7 +982,7 @@ static av_cold int nvenc_recalc_surfaces(AVCodecContext *avctx) // Output in the worst case will only start when the surface buffer is completely full. // Hence we need to keep at least the max amount of surfaces plus the max reorder delay around. - ctx->frame_data_array_nb = ctx->nb_surfaces + ctx->encode_config.frameIntervalP - 1; + ctx->frame_data_array_nb = FFMAX(ctx->nb_surfaces, ctx->nb_surfaces + ctx->encode_config.frameIntervalP - 1); return 0; } @@ -1891,7 +1891,7 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) av_fifo_freep2(&ctx->unused_surface_queue); if (ctx->frame_data_array) { - for (i = 0; i < ctx->nb_surfaces; i++) + for (i = 0; i < ctx->frame_data_array_nb; i++) av_buffer_unref(&ctx->frame_data_array[i].frame_opaque_ref); av_freep(&ctx->frame_data_array); } From 09c1c0b12653c34137e5075889fe91a69447845f Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 12 Jul 2024 15:03:16 -0400 Subject: [PATCH 238/606] avcodec/pngdec: avoid erroring with sBIT on indexed-color images Indexed color images use three colors for sBIT, but the function ff_png_get_nb_channels returns 1 in this case. We should avoid erroring out on valid files in this scenario. Regression since 84b454935fae2633a8a5dd075e22393f3e8f932f. Signed-off-by: Leo Izen Reported-by: Ramiro Polla Reviewed-by: Marton Balint --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 657d0a9f4e..3318309009 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1023,7 +1023,7 @@ static int decode_sbit_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - channels = ff_png_get_nb_channels(s->color_type); + channels = s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type); if (bytestream2_get_bytes_left(gb) != channels) return AVERROR_INVALIDDATA; From 6a8cf7b3834bf649197392d7c6bb05dc2ba21a55 Mon Sep 17 00:00:00 2001 
From: Leo Izen Date: Fri, 12 Jul 2024 15:03:17 -0400 Subject: [PATCH 239/606] avcodec/png: more informative error message for invalid sBIT size If the sBIT chunk size is invalid, we should print a more informative error message rather than return an error and print nothing. Signed-off-by: Leo Izen --- libavcodec/pngdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 3318309009..4b6fc4471f 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1025,8 +1025,11 @@ static int decode_sbit_chunk(AVCodecContext *avctx, PNGDecContext *s, channels = s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type); - if (bytestream2_get_bytes_left(gb) != channels) + if (bytestream2_get_bytes_left(gb) != channels) { + av_log(avctx, AV_LOG_ERROR, "Invalid sBIT size: %d, expected: %d\n", + bytestream2_get_bytes_left(gb), channels); return AVERROR_INVALIDDATA; + } for (int i = 0; i < channels; i++) { int b = bytestream2_get_byteu(gb); From 159270e3b2fc51f0d0c65411359a17c15bc520ed Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 23 Jul 2024 15:11:08 +0200 Subject: [PATCH 240/606] fftools/ffmpeg: prefer real errors over EOF in err_merge() Fixes an issue in 6.1 when reading a corrupted file with -xerror would exit with success. This specific issue is not present in master, but this should generally be a more robust behaviour. Reported-by: Andrej Peterka (cherry picked from commit d1fa39d08d3bce9c268cd02cb3c45a76e63b6ff4) Signed-off-by: Anton Khirnov --- fftools/ffmpeg.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h index 0983d026cd..25604e05a5 100644 --- a/fftools/ffmpeg.h +++ b/fftools/ffmpeg.h 
@@ -883,11 +883,12 @@ void update_benchmark(const char *fmt, ...); /** * Merge two return codes - return one of the error codes if at least one of * them was negative, 0 otherwise. - * Currently just picks the first one, eventually we might want to do something - * more sophisticated, like sorting them by priority. */ static inline int err_merge(int err0, int err1) { + // prefer "real" errors over EOF + if ((err0 >= 0 || err0 == AVERROR_EOF) && err1 < 0) + return err1; return (err0 < 0) ? err0 : FFMIN(err1, 0); } From 59029c2b1633dfa09b9372a02a9c16027e944433 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 02:51:08 +0200 Subject: [PATCH 241/606] tools/enc_recon_frame_test: Assert that av_image_get_linesize() succeeds Helps: CID1524598 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6fa2ed77e57e82f3155b83ca4f4b3be8da5ff5c) Signed-off-by: Michael Niedermayer --- tools/enc_recon_frame_test.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/enc_recon_frame_test.c b/tools/enc_recon_frame_test.c index d23accd49d..f471fb5a02 100644 --- a/tools/enc_recon_frame_test.c +++ b/tools/enc_recon_frame_test.c @@ -28,6 +28,7 @@ #include "decode_simple.h" #include "libavutil/adler32.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/error.h" #include "libavutil/frame.h" @@ -88,6 +89,8 @@ static int frame_hash(FrameChecksum **pc, size_t *nb_c, int64_t ts, int linesize = av_image_get_linesize(frame->format, frame->width, p); uint32_t checksum = 0; + av_assert0(linesize >= 0); + for (int j = 0; j < frame->height >> shift_v[p]; j++) { checksum = av_adler32_update(checksum, data, linesize); data += frame->linesize[p]; From 66a140c0c0302746ef1fa6d49940d62e70823667 Mon Sep 17 00:00:00 2001 
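Review bot: The doc comment of `err_merge()` in fftools/ffmpeg.h no longer says which code wins when both arguments are negative; the new rule is described only by the one-line comment inside the body. The commit message ties this function to the exit status seen with -xerror, so the contract belongs in the Doxygen block, e.g. `* A non-EOF error takes precedence over AVERROR_EOF; otherwise err0 is preferred.` Reading the code, `err0` is returned when it is a non-EOF error, `err1` when `err0` is non-negative or EOF and `err1` is negative, and 0 when neither is negative.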
From: Michael Niedermayer Date: Thu, 23 May 2024 02:37:04 +0200 Subject: [PATCH 242/606] avcodec/tests/bitstream_template: Assert bits_init8() return Helps: CID1518967 Unchecked return value Helps: CID1518968 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e7775973f037724f26676015a364134fd728babf) Signed-off-by: Michael Niedermayer --- libavcodec/tests/bitstream_template.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/tests/bitstream_template.c b/libavcodec/tests/bitstream_template.c index ef59845154..b4c8821a90 100644 --- a/libavcodec/tests/bitstream_template.c +++ b/libavcodec/tests/bitstream_template.c @@ -61,6 +61,7 @@ int main(int argc, char **argv) uint64_t val, val1; int32_t sval, sval1; unsigned count; + int ret; /* generate random input, using a given or random seed */ if (argc > 1) @@ -74,7 +75,8 @@ int main(int argc, char **argv) for (unsigned i = 0; i < SIZE; i++) buf[i] = av_lfg_get(&lfg); - bits_init8 (&bc, buf, SIZE); + ret = bits_init8 (&bc, buf, SIZE); + av_assert0(ret >= 0); init_put_bits(&pb, dst, SIZE); /* use a random sequence of bitreading operations to transfer data From 6feea4ada8671e3bb128bf3b27cdbc6d93a91e1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 23:25:42 +0200 Subject: [PATCH 243/606] avformat/demux: resurrect dead stores Fixes: CID1473512 Unused value Fixes: CID1529228 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 33da5f4e2717cc947cf44ad9a52668694ea4ee82) Signed-off-by: Michael Niedermayer --- libavformat/demux.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/demux.c b/libavformat/demux.c index 6f640b92b1..789e8371f8 100644 --- a/libavformat/demux.c +++ b/libavformat/demux.c 
@@ -2436,7 +2436,7 @@ static int extract_extradata(FFFormatContext *si, AVStream *st, const AVPacket * int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) { FFFormatContext *const si = ffformatcontext(ic); - int count = 0, ret = 0; + int count = 0, ret = 0, err; int64_t read_size; AVPacket *pkt1 = si->pkt; int64_t old_offset = avio_tell(ic->pb); @@ -2947,9 +2947,11 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } } - ret = compute_chapters_end(ic); - if (ret < 0) + err = compute_chapters_end(ic); + if (err < 0) { + ret = err; goto find_stream_info_err; + } /* update the stream parameters from the internal codec contexts */ for (unsigned i = 0; i < ic->nb_streams; i++) { From 1b67de255fa03d28bfef603dc6a0f23b0a607083 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 00:50:02 +0200 Subject: [PATCH 244/606] avdevice/dshow: fix badly indented line Signed-off-by: Michael Niedermayer (cherry picked from commit c4004605b2fa6e2ecbd1cfc2a1da382e4f5237a5) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 5946a72cc2..fdea1ceb4a 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1369,7 +1369,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { From 3edd95e79ee58844c4e62bff3bb04bc3337152c2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 20 May 2024 21:55:44 +0200 Subject: [PATCH 245/606] avutil/tests/dict: Check av_dict_set() before get for failure Failure is possible due to strdup() Fixes: CID1516764 Dereference null return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e8a1e1899d9ededd78f8ec4722fe80c345bbf8f7) Signed-off-by: Michael Niedermayer --- libavutil/tests/dict.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index bececefb31..d60081889f 100644 --- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -148,12 +148,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); From f1de1a9d808d5c89061d8b21076861fb1f8b9356 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 22:52:38 +0200 Subject: [PATCH 246/606] avutil/tests/opt: Check av_set_options_string() for failure This is test code after all so it should test things Fixes: CID1518990 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e3481730ed9b3b781a0d85370826bcc57d601958) Signed-off-by: Michael Niedermayer --- libavutil/tests/opt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index 5799e45c6a..2cc41647f1 100644 --- a/libavutil/tests/opt.c 
+++ b/libavutil/tests/opt.c @@ -217,6 +217,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); @@ -227,8 +228,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); From cb2f3ec5cb5476595878329fa866241aa83d7239 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:30:13 +0200 Subject: [PATCH 247/606] swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE related: CID1497114 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3f9daf1c18c2f0fb9e6d0b94af8e92cafc0cf010) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index ff16398988..fff8bb4396 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -649,7 +649,7 @@ switch(c->dstBpc){ \ } -#define INPUT_PLANER_RGB_A_FUNC_CASE(fmt, name, opt) \ +#define INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(fmt, name, opt) \ case fmt: \ c->readAlpPlanar = ff_planar_##name##_to_a_##opt; 
@@ -672,15 +672,15 @@ switch(c->dstBpc){ \ break; #define INPUT_PLANER_RGBAXX_YUVA_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##LE, name##le, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##LE, name##le, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE(rgb_fmt##LE, name##le, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##BE, name##be, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##BE, name##be, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGBAXX_UVA_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##LE, name##le, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##LE, name##le, opt) \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##LE, name##le, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##BE, name##be, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##BE, name##be, opt) \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGBAXX_YUV_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ @@ -696,7 +696,7 @@ switch(c->dstBpc){ \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGB_YUVA_ALL_CASES(opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE( AV_PIX_FMT_GBRAP, rgb, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(AV_PIX_FMT_GBRAP, rgb, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE( AV_PIX_FMT_GBRP, rgb, opt) \ INPUT_PLANER_RGBXX_YUV_FUNC_CASE( AV_PIX_FMT_GBRP9, rgb9, opt) \ INPUT_PLANER_RGBAXX_YUVA_FUNC_CASE(AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRAP10, rgb10, opt) \ @@ -708,7 +708,7 @@ switch(c->dstBpc){ \ if (EXTERNAL_SSE2(cpu_flags)) { switch (c->srcFormat) { - INPUT_PLANER_RGB_A_FUNC_CASE( AV_PIX_FMT_GBRAP, rgb, sse2); + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(AV_PIX_FMT_GBRAP, rgb, sse2); INPUT_PLANER_RGB_UV_FUNC_CASE( AV_PIX_FMT_GBRP, rgb, sse2); INPUT_PLANER_RGBXX_UV_FUNC_CASE( AV_PIX_FMT_GBRP9, rgb9, sse2); INPUT_PLANER_RGBAXX_UVA_FUNC_CASE( AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRAP10, rgb10, sse2); 
From 188ffc18eff6f0b3513fd692d38e06cdc6db26e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:35:08 +0200 Subject: [PATCH 248/606] swscale/yuv2rgb: Use 64bit for brightness computation This will not overflow for normal values Fixes: CID1500280 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bfc22f364d31d8f2dc2acae1bd03d5894a00b8c5) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 9c3f5e23c6..26282d1ef1 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -831,7 +831,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; From 6b89f87fd9e6969b214e1b3fd25dba06d4561164 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 02:24:17 +0200 Subject: [PATCH 249/606] tools/decode_simple: Check avcodec_send_packet() for errors on flushing This will not error but the API allows errors so we should check it Fixes: CID1489999 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6df8bd64ffa5ea3864a433c5e78b8d8f642c1305) Signed-off-by: Michael Niedermayer --- tools/decode_simple.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/decode_simple.c b/tools/decode_simple.c index 6532e368d4..e8c1d6a407 100644 --- a/tools/decode_simple.c +++ b/tools/decode_simple.c 
@@ -94,8 +94,9 @@ int ds_run(DecodeContext *dc) goto finish; } - avcodec_send_packet(dc->decoder, NULL); - ret = decode_read(dc, 1); + ret = avcodec_send_packet(dc->decoder, NULL); + if (ret >= 0) + ret = decode_read(dc, 1); if (ret < 0) { fprintf(stderr, "Error flushing: %d\n", ret); return ret; From c8907643fb3d665273d0ddf8cbaf1843bde5c3e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:53:28 +0200 Subject: [PATCH 250/606] avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() Helps: CID1441167 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8814cedb079d5827e07a92e9424c2314bd0a6047) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index adb49e4525..593188c824 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -427,7 +427,8 @@ static void av_always_inline horizontal_fill(TiffContext *s, uint8_t shift = is_dng ? 0 : 16 - bpp; GetBitContext gb; - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst16[i] = get_bits(&gb, bpp) << shift; } From 0241e87624efab7630a198354b70bfdcda4dc14d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:58:30 +0200 Subject: [PATCH 251/606] avcodec/tiff: Assert init_get_bits8() success in unpack_gray() Helps: CID1441939 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a287f17db22c0c85f0445a1d31139cc70e73205e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 593188c824..6569e406b5 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
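Review bot: `av_assert1(ret >= 0)` in horizontal_fill() is only evaluated when the build's assert level is at least 1, so in a default build a failed init_get_bits8() is still followed by the `get_bits(&gb, bpp)` loop, and `ret` becomes an otherwise unused variable. The loop reads `s->width * bpp` bits from a reader that was set up with `width` bytes, and the hunk does not show where that relation is guaranteed for decoded TIFF input. Since the function returns void, either the caller has to validate `width` before the call, or the loop should be skipped when `ret < 0` rather than relying on the assert. The next tiff.c patch adds the same pattern to unpack_gray(), and both function bodies extend beyond their hunks.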
@@ -462,7 +462,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, GetBitContext gb; uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]); - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst[i] = get_bits(&gb, bpp); From 47fd81fda3d120e08a7291c2feefe598c14274cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 02:45:39 +0200 Subject: [PATCH 252/606] avcodec/vlc: Cleanup on multi table alloc failure in ff_vlc_init_multi_from_lengths() Fixes: CID1544630 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 62d7106c36037d1bedd5a2e216540740f8f735eb) Signed-off-by: Michael Niedermayer --- libavcodec/vlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index 4adec2da70..79eb8142e1 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c @@ -458,7 +458,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int multi->table = av_malloc(sizeof(*multi->table) << nb_bits); if (!multi->table) - return AVERROR(ENOMEM); + goto fail; j = code = 0; for (int i = 0; i < nb_codes; i++, lens += lens_wrap) { From 2e632394ddb4f5063eeb4914a3da232b88c1d048 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:25:50 +0200 Subject: [PATCH 253/606] avdevice/pulse_audio_enc: Use av_rescale() to avoid integer overflow Fixes: CID1503075 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f52b64bcc345842a88a40ddf3873559f1160e34) Signed-off-by: Michael Niedermayer --- libavdevice/pulse_audio_enc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavdevice/pulse_audio_enc.c b/libavdevice/pulse_audio_enc.c index 5acbf798ef..2a12456789 100644 --- a/libavdevice/pulse_audio_enc.c +++ b/libavdevice/pulse_audio_enc.c 
@@ -471,10 +471,11 @@ static av_cold int pulse_write_header(AVFormatContext *h) s->nonblocking = (h->flags & AVFMT_FLAG_NONBLOCK); if (s->buffer_duration) { - int64_t bytes = s->buffer_duration; - bytes *= st->codecpar->ch_layout.nb_channels * st->codecpar->sample_rate * - av_get_bytes_per_sample(st->codecpar->format); - bytes /= 1000; + int64_t bytes = av_rescale(s->buffer_duration, + st->codecpar->ch_layout.nb_channels * + (int64_t)st->codecpar->sample_rate * + av_get_bytes_per_sample(st->codecpar->format), + 1000); buffer_attributes.tlength = FFMAX(s->buffer_size, av_clip64(bytes, 0, UINT32_MAX - 1)); av_log(s, AV_LOG_DEBUG, "Buffer duration: %ums recalculated into %"PRId64" bytes buffer.\n", From 18193cfadbb5c7207fb84d682cc0614d7bf211e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:43:42 +0200 Subject: [PATCH 254/606] avformat/ac4dec: Check remaining space in ac4_probe() Fixes: CID1538298 Untrusted loop bound Fixes: undefined behavior Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2f04cb673cb394b6e1cda160af8faa733b62bae2) Signed-off-by: Michael Niedermayer --- libavformat/ac4dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ac4dec.c b/libavformat/ac4dec.c index 71950f52dc..2952036c25 100644 --- a/libavformat/ac4dec.c +++ b/libavformat/ac4dec.c @@ -42,6 +42,8 @@ static int ac4_probe(const AVProbeData *p) size += 4; if (buf[1] == 0x41) size += 2; + if (left < size) + break; max_frames++; left -= size; buf += size; From d0092f4ef29ac68f86b2868f21f1c795a4964ed7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:51:53 +0200 Subject: [PATCH 255/606] avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) 
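Review bot: The added `if (left < size) break;` in ac4_probe() carries no comment, and the lines around it do not make clear what it protects. `size` is built from header bytes of the probed data, and without the check `left -= size; buf += size;` would advance `buf` beyond the bytes that remain. I would put `/* frame size from the header exceeds what is left in the probe buffer */` above the check. The loop condition and the declarations of `left` and `size` are outside the hunk, so their signedness cannot be confirmed from here.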
Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index 92e9ac7cb1..c3dae5ca55 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -290,7 +290,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { From c00fd50092292a47a40db9a4c9cfd92a11eae1a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:12:09 +0200 Subject: [PATCH 256/606] avformat/argo_asf: Use 64bit in offset intermediate Fixes: CID1467435 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9d1f65308d40502015272a3d1cc9f805c77e075) Signed-off-by: Michael Niedermayer --- libavformat/argo_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/argo_asf.c b/libavformat/argo_asf.c index 5f38b68b6a..9bfa417b85 100644 --- a/libavformat/argo_asf.c +++ b/libavformat/argo_asf.c @@ -258,7 +258,7 @@ static int argo_asf_seek(AVFormatContext *s, int stream_index, return -1; offset = asf->fhdr.chunk_offset + ASF_CHUNK_HEADER_SIZE + - (block * st->codecpar->block_align); + block * (int64_t)st->codecpar->block_align; if ((offset = avio_seek(s->pb, offset, SEEK_SET)) < 0) return offset; From 980d1e530eaba0458f1842733a90b2229cf55520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:27:28 +0200 Subject: [PATCH 257/606] avformat/asfdec_f: Use 64bit for preroll computation Fixes: CID1500342 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 70b499476213a198ac0f39450cddaea4b34662f5) 
Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index a579c3e894..a556ba890b 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -674,7 +674,7 @@ static int asf_read_marker(AVFormatContext *s) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000LL); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From 8255f469bfa2c91a0ee62f9dc93f4c82d0c3c31e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:33:37 +0200 Subject: [PATCH 258/606] avcodec/sga: Make it clear that the return is intentionally not checked Related: CID1473496 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 00d029d5c0b7029720265d579389a348220decfb) Signed-off-by: Michael Niedermayer --- libavcodec/sga.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sga.c b/libavcodec/sga.c index 4ced6e9890..f474ffba9a 100644 --- a/libavcodec/sga.c +++ b/libavcodec/sga.c @@ -72,7 +72,7 @@ static int decode_palette(GetByteContext *gb, uint32_t *pal) return AVERROR_INVALIDDATA; memset(pal, 0, 16 * sizeof(*pal)); - init_get_bits8(&gbit, gb->buffer, 18); + (void)init_get_bits8(&gbit, gb->buffer, 18); for (int RGBIndex = 0; RGBIndex < 3; RGBIndex++) { for (int index = 0; index < 16; index++) { From 5477c6dc66d95b0a56a1ab2858adacf177123df0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 May 2024 13:18:13 +0200 Subject: [PATCH 259/606] avformat/fwse: Remove always false expression Fixes: CID1460758 Operands don't affect result Sponsored-by: Sovereign Tech Fund 
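Review bot: The `(void)` cast on `init_get_bits8(&gbit, gb->buffer, 18)` in decode_palette() records that the result is ignored but not why ignoring it is safe. The context line `return AVERROR_INVALIDDATA;` just above presumably belongs to a check that enough input bytes are available, but that condition is outside the hunk. If so, a comment such as `/* cannot fail: the 18 bytes were checked above */` would tie the cast to that check, so that a later change to the length test is not made without revisiting the ignored return value.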
Signed-off-by: Michael Niedermayer (cherry picked from commit 348c3a7ffe0c3aecf35f1a26a9f321a4e608dab7) Signed-off-by: Michael Niedermayer --- libavformat/fwse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fwse.c b/libavformat/fwse.c index 28a322d9d6..78a9e975ff 100644 --- a/libavformat/fwse.c +++ b/libavformat/fwse.c @@ -66,7 +66,7 @@ static int fwse_read_header(AVFormatContext *s) av_channel_layout_default(&par->ch_layout, channels); st->duration = avio_rl32(pb); par->sample_rate = avio_rl32(pb); - if (par->sample_rate <= 0 || par->sample_rate > INT_MAX) + if (par->sample_rate <= 0) return AVERROR_INVALIDDATA; par->block_align = 1; From 729c68f86f05f0d7353d9cbab8ae9a35c8869377 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:31 +0200 Subject: [PATCH 260/606] avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation This issue cannot happen with the current function parameters Fixes: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 847a53f264db0b22dcc5a23ca9ade71a627f1c6c) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 0e5a6ed947..6148f0dacf 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -57,7 +57,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); From 846d2f7d71badc7ff34aefe38d97a1c94ac59da3 Mon Sep 17 00:00:00 2001 
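Review bot: In test_dwt(), `err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]);` widens only the multiplication, so both `array[j] - ref[j]` subtractions are still evaluated in `int` and can overflow before the conversion takes place. Computing the difference once in 64 bits covers both steps: `int64_t d = array[j] - (int64_t)ref[j];` followed by `err2 += d * d;`. The declaration of `err2` is outside the hunk, so whether the accumulator itself is 64 bits wide should be confirmed as well.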
From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:32 +0200 Subject: [PATCH 261/606] avcodec/tests/jpeg2000dwt: Use 64bit in comparission Found while reviewing: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 12391b732f811fc6e868be2f08dc188e508d2567) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 6148f0dacf..520ecc05a3 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -52,7 +52,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; From c630e08d41d65a17d3b03020e7acfa2cb5215509 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 04:49:15 +0200 Subject: [PATCH 262/606] avcodec/wavpackenc: Use unsigned for potential 31bit shift Fixes: CID1465481 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f976db251864ad698c935130370774783bf12f4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 33a5dfcc89..923eae55fc 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -1978,7 +1978,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); 
@@ -2007,7 +2007,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); From 8d348dc635bc4ad365578f3166881b9fe4a13da9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 04:13:14 +0200 Subject: [PATCH 263/606] avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext() Helps: CID1548380 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5098589b0ca74b3f52e09bae277306a1fc0cd43) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 152c62fa07..3768d05400 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -97,6 +97,8 @@ static void rv34_gen_vlc(const uint8_t *bits, int size, VLC *vlc, const uint8_t uint16_t cw[MAX_VLC_SIZE]; int maxbits; + av_assert1(size > 0); + for (int i = 0; i < size; i++) counts[bits[i]]++; From 6696741957d4abce1f73e11d1120806a7705ecbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 21:16:00 +0200 Subject: [PATCH 264/606] avcodec/scpr3: Check add_dec() for failure Fixes: CID1441459 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d741638042d827aed994b819857d6587121627ab) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index 5271717ac7..e91c198308 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -465,6 +465,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value, return 0; grow_dec(m); c = add_dec(m, q, g, f); + if (c < 0) + return AVERROR_INVALIDDATA; } incr_cntdec(m, c); 
@@ -868,11 +870,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t sync_code3(gb, rc); break; case 6: - if (!decode_adaptive6(m, code, value, &a, &b)) { + ret = decode_adaptive6(m, code, value, &a, &b); + if (!ret) ret = update_model6_to_7(m); - if (ret < 0) - return AVERROR_INVALIDDATA; - } + if (ret < 0) + return ret; decode3(gb, rc, a, b); sync_code3(gb, rc); break; From 11e8eeca4d13517effa5926b36bca41e929d0683 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 00:46:24 +0200 Subject: [PATCH 265/606] avcodec/tests/dct: Use 64bit in intermediate for error computation Fixes: CID1500284 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 161d0aa2a8d18f1f8a01cbc4c1061eadcbe592e5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/dct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index 010d0c1ac3..17a0814459 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -226,8 +226,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) From 537a893560a8b7c48f257915f443fd4f329cc4d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 00:45:29 +0200 Subject: [PATCH 266/606] avcodec/notchlc: Check init_get_bits8() for failure Fixes: CID1500300 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 19db9636c52c040d364fe9af94ddeeb1ecfd2c2a) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
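Review bot: After this change the `case 6:` call site in decode_unit3() relies on a three-way result from decode_adaptive6(): negative for an error, zero to trigger `update_model6_to_7(m)`, and apparently a positive value for the ordinary path. Neither the call site nor the visible part of the callee states that contract. A positive value also stays in `ret` when execution continues into `decode3(gb, rc, a, b)`; whether `ret` is read again after the switch is outside the hunk and worth confirming. A one-line comment above the call, e.g. `/* <0: error, 0: model must be converted, >0: decoded */`, would document it once the meaning is verified against the callee.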
diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 0feb0918f0..6351a313f8 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c @@ -242,7 +242,9 @@ static int decode_blocks(AVCodecContext *avctx, AVFrame *p, bytestream2_seek(&dgb, s->y_data_offset + row_offset, SEEK_SET); - init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + ret = init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + if (ret < 0) + return ret; for (int x = 0; x < avctx->width; x += 4) { unsigned item = bytestream2_get_le32(gb); unsigned y_min = item & 4095; From e04470d816500a1c9d3654b22613259611d210af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 01:14:21 +0200 Subject: [PATCH 267/606] avcodec/pcm-dvdenc: 64bit pkt-size It seems nothing prevents such overflow even though odd Fixes: CID1441934 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 160b81ce2a87b0835125da7c72ab7ed8c0918c45) Signed-off-by: Michael Niedermayer --- libavcodec/pcm-dvdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm-dvdenc.c b/libavcodec/pcm-dvdenc.c index a2e5cbdc2e..7261c0f5b9 100644 --- a/libavcodec/pcm-dvdenc.c +++ b/libavcodec/pcm-dvdenc.c @@ -116,7 +116,7 @@ static int pcm_dvd_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { PCMDVDContext *s = avctx->priv_data; int samples = frame->nb_samples * avctx->ch_layout.nb_channels; - int64_t pkt_size = (frame->nb_samples / s->samples_per_block) * s->block_size + 3; + int64_t pkt_size = (int64_t)(frame->nb_samples / s->samples_per_block) * s->block_size + 3; int blocks = (pkt_size - 3) / s->block_size; const int16_t *src16; const int32_t *src32; From ad636886cad2c780dbcfdaf1c04b90ab172d74c3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 13 May 2024 01:22:18 +0200 Subject: [PATCH 268/606] avcodec/proresenc_anatoliy: Assert that AV_PROFILE_UNKNOWN is replaced If its not replaced we would have a negative index used in an array potentially Helps: CID1440385 Negative array index read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6106177ad66ab28f44520534f386239d2405eeab) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_anatoliy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index e7114f1646..dd3abbb79c 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -884,7 +884,8 @@ static av_cold int prores_encode_init(AVCodecContext *avctx) avctx->profile = AV_PROFILE_PRORES_4444; av_log(avctx, AV_LOG_INFO, "encoding with ProRes 4444+ (ap4h) profile\n"); - } + } else + av_assert0(0); } else if (avctx->profile < AV_PROFILE_PRORES_PROXY || avctx->profile > AV_PROFILE_PRORES_XQ) { av_log( From 79f79179390c41a04720b5716e039167558291be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 269/606] avcodec/vp8: Check mutex init Fixes: CID1598556 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4ac7405aafb8e66dff2ac926f33b7ff755f224cf) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 6f21b9dd1a..e65a655985 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
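Review bot: The added `} else av_assert0(0);` in prores_encode_init() hangs an unbraced statement off a chain whose other branches are braced, and it does not say which condition is believed unreachable. av_assert0() aborts the process when it fires, so a reader needs to know why no pixel format can reach this branch; the conditions of the chain are outside the hunk. I would write `} else { av_assert0(0); /* pix_fmt is limited to the formats handled above */ }` after checking that claim against the encoder's format list. If a caller can break the assumption, the branch should return an error instead.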
@@ -260,7 +260,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } From 18b0e31390d3ffe28cff9b68ed80710659b3049e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 270/606] avcodec/vp8: Check cond init Fixes: CID1598563 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9b76e49061a321467df23f7b1c8e8e715c8dec71) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index e65a655985..6d9e7bb843 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -265,7 +265,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) free_buffers(s); return AVERROR(ret); } - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } From 22d2a4eb342d8c7ff85334fa7fd7c5a998f2d72a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 May 2024 23:30:49 +0200 Subject: [PATCH 271/606] avcodec/ilbcdec: Remove dead code Yes the same dead code is in "iLBC Speech Coder ANSI-C Source Code" Fixes: CID1509370 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8a64a003b5d567354e82af679e056615c8464a6f) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 4ecdff4183..ba1da168bc 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c 
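Review bot: The new failure path in update_dimensions() calls `free_buffers(s)` from inside the per-thread initialisation loop, at a point where the entries after index `i`, and the lock of entry `i` itself, have never been through `pthread_mutex_init()`. free_buffers() is not shown in this hunk; if it destroys the lock and condition variable of every thread_data entry, the cleanup would call the destroy functions on objects that were never initialised, which POSIX leaves undefined. The pthread_cond_init() check added by the following vp8.c patch has the same shape. It is worth confirming what free_buffers() does, or recording how many entries were fully initialised so that only those are destroyed.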
@@ -1095,12 +1095,6 @@ static void do_plc(int16_t *plc_residual, /* (o) concealed residual */ if (s->consPLICount * s->block_samples > 320) { use_gain = 29491; /* 0.9 in Q15 */ - } else if (s->consPLICount * s->block_samples > 640) { - use_gain = 22938; /* 0.7 in Q15 */ - } else if (s->consPLICount * s->block_samples > 960) { - use_gain = 16384; /* 0.5 in Q15 */ - } else if (s->consPLICount * s->block_samples > 1280) { - use_gain = 0; /* 0.0 in Q15 */ } /* Compute mixing factor of picth repeatition and noise: From 6b4165643dcfbf6ead55c00f68406874d7e1a9d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:07:40 +0200 Subject: [PATCH 272/606] avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) Signed-off-by: Michael Niedermayer --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 6888936290..69e285afe6 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -202,6 +202,8 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -212,6 +214,7 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); From dcf26aa3a2e7d5195445a5373063def3c0508d5b Mon Sep 17 00:00:00 2001 
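Review bot: The new overflow exit in extradata2psets() jumps to `fail_in_loop:`, a label placed inside the body of the `if (!av_base64_encode(...))` block in the second hunk, so this path skips that block's av_log() and fails without any message. A label in the middle of another condition's block is also easy to break when that block is edited later. I would log before jumping, e.g. `av_log(s, AV_LOG_ERROR, "Parameter sets too large\n");`, or move the shared cleanup to a label after the loop. The cleanup statements following the label continue outside the hunk.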
From: Michael Niedermayer Date: Sun, 28 Apr 2024 00:53:51 +0200 Subject: [PATCH 273/606] fftools/cmdutils: Add protective () to FLAGS issue found while reviewing CID1452612 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9b9fc4be26014eb7221d9bbc297a5323d5ad40b) Signed-off-by: Michael Niedermayer --- fftools/cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 156c13801a..8f39aa59a5 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -512,7 +512,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; From 42d9464f6f2ee0b3ccb3b11a8526722d200d32bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jun 2024 23:32:43 +0200 Subject: [PATCH 274/606] avdevice/xcbgrab: Check sscanf() return Alot more input checking can be performed, this is only checking the obvious missing case Fixes: CID1598562 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d13babc62fa14727ee590e5a9661f23a0d9f) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index 64a68ba497..e76af06331 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c 
@@ -826,7 +826,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s) if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) { *display_name = 0; - sscanf(s->url, "+%d,%d", &c->x, &c->y); + if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) { + if (*s->url) + av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url); + } } c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num); From ae964c585160f11ad8e3ab5f651ac11c43455109 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:16:18 +0200 Subject: [PATCH 275/606] avformat/imfdec: Simplify get_next_track_with_minimum_timestamp() This also makes the code more robust Fixes: CID1512414 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Reviewed-by: Pierre-Anthony Lemieux Signed-off-by: Michael Niedermayer (cherry picked from commit f10493f6fc2a79f706138d90420a4369b9655a47) Signed-off-by: Michael Niedermayer --- libavformat/imfdec.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavformat/imfdec.c b/libavformat/imfdec.c index 818b5e590b..10c16461e8 100644 --- a/libavformat/imfdec.c +++ b/libavformat/imfdec.c @@ -700,12 +700,9 @@ static int imf_read_header(AVFormatContext *s) static IMFVirtualTrackPlaybackCtx *get_next_track_with_minimum_timestamp(AVFormatContext *s) { IMFContext *c = s->priv_data; - IMFVirtualTrackPlaybackCtx *track; + IMFVirtualTrackPlaybackCtx *track = NULL; AVRational minimum_timestamp = av_make_q(INT32_MAX, 1); - if (!c->track_count) - return NULL; - for (uint32_t i = c->track_count; i > 0; i--) { av_log(s, AV_LOG_TRACE, "Compare track %d timestamp " AVRATIONAL_FORMAT " to minimum " AVRATIONAL_FORMAT From ba5343eefbf2584ad74b8913edaa0e946ba87b0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:28:16 +0200 Subject: [PATCH 276/606] avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund 
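Review bot: In `xcbgrab_read_header()` (libavdevice/xcbgrab.c) the outer `!sscanf(s->url, "%[^+]+%d,%d", ...)` is still tested only for zero, so an `EOF` return (-1, for instance on an empty URL) counts as a successful parse and skips the `*display_name = 0` fallback; only the inner parse gained a check. Storing the count makes the cases explicit, e.g. `int n = sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y); if (n < 1) {`. In the new inner check, a return of 1 means `c->x` has already been overwritten while `c->y` has not, and the code only warns and continues. The `%[^+]` conversion has no field width, so it is bounded only by how `display_name` was allocated, which is outside this hunk and worth confirming.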
Signed-off-by: Michael Niedermayer (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 2761cb37a4..51c238bdba 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -792,7 +792,6 @@ static int jpeg_probe(const AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) got_header = 1; @@ -813,6 +812,7 @@ static int jpeg_probe(const AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; From d06f35f2854fe6bab5ef1cf3bded674e39c0424c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:56:31 +0200 Subject: [PATCH 277/606] avformat/img2dec: Little JFIF / Exif cleanup This changes the behavior and makes it behave how it probably was intended. Either way this is unlikely to result in any user visible change Fixes: CID1494637 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5712f36dd0ee0144b92edd2147e24b3724d7ec89) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 51c238bdba..eafd9cc54f 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -793,11 +793,13 @@ static int jpeg_probe(const AVProbeData *p) state = EOI; break; case APP0: - if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) + if (c == APP0 && AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) got_header = 1; + /* fallthrough */ case APP1: - if (AV_RL32(&b[i + 4]) == MKTAG('E','x','i','f')) + if (c == APP1 && AV_RL32(&b[i + 4]) == MKTAG('E','x','i','f')) got_header = 1; + /* fallthrough */ case APP2: case APP3: case APP4: 
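Review bot: In `jpeg_probe()` (libavformat/img2dec.c, the APP0/APP1 hunk) the added `c == APP0 &&` test inside `case APP0:` looks redundant if the enclosing `switch` is on `c` (the `switch` line is outside the hunk); only the `c == APP1` test is needed, because that label is now also reached by fallthrough from APP0. Keeping the plain `if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F'))` for APP0 and adding a comment on APP1 such as `/* also reached from APP0: accept Exif only for a real APP1 marker */` would state the intent directly. Both `AV_RL32(&b[i + 4])` reads touch bytes up to `b[i + 7]`; the loop bound and probe-buffer padding that make that safe are outside the hunk and worth confirming.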
From bde8a67e92db0345cf04ad5c90edf4127ad7ffa3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:19:36 +0200 Subject: [PATCH 278/606] avformat/libzmq: Check av_strstart() Fixes: CID1453457 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0263b6a48caaff839e4c28df15b299b89c7da92d) Signed-off-by: Michael Niedermayer --- libavformat/libzmq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index 04c72ac601..f4bb849e46 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,10 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - av_strstart(uri, "zmq:", &uri); + if (av_strstart(uri, "zmq:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } /*publish during write*/ if (h->flags & AVIO_FLAG_WRITE) { From d081214a704419e8cf067f60391f72f14caf2239 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:25:59 +0200 Subject: [PATCH 279/606] avformat/matroskadec: Assert that num_levels is non negative Maybe Closes: CID1452496 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 019fce18bb0628ac8bc47a81d647a23d604b6123) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 57d2038635..171863a925 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4197,7 +4197,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) MatroskaBlock *block = &cluster->block; int res; - av_assert0(matroska->num_levels <= 2); + av_assert0(matroska->num_levels <= 2U); if (matroska->num_levels == 1) { res = ebml_parse(matroska, matroska_segment, NULL); 
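Review bot: In `zmq_proto_open()` (libavformat/libzmq.c) the new condition is inverted: `av_strstart()` returns non-zero when the string begins with the prefix, so `if (av_strstart(uri, "zmq:", &uri))` takes the error path for every URL that does carry `zmq:` and lets URLs without it through. The check should read `if (!av_strstart(uri, "zmq:", &uri)) {`. The early `return AVERROR(EINVAL)` also follows the setup whose failure path ends just above the hunk, so if a ZMQ context was created there it probably has to be released before returning; that code is outside the hunk.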
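Review bot: In `matroska_parse_cluster()` (libavformat/matroskadec.c) `av_assert0(matroska->num_levels <= 2U)` rejects negative values only through the implicit conversion of `num_levels` to unsigned, which is easy to misread and stops working if the field's type is ever wider than `unsigned` (its declaration is outside the hunk). Writing the range out, `av_assert0(matroska->num_levels >= 0 && matroska->num_levels <= 2);`, or adding a comment such as `/* 2U: a negative num_levels converts to a large unsigned value and fails the assert */`, documents the intent. The function body continues outside the hunk.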
From 0df8b97e097c7f9696902ecb0b162d3728863823 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 03:17:27 +0200 Subject: [PATCH 280/606] avformat/mov: Use 64bit in intermediate for current_dts Fixes: CID1500304 Unintentional integer overflow Fixes: CID1500318 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0c977d37aad609f6ed7d148c012da8bc83df8f0b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d5ec35c99c..06e6ffd73a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3212,12 +3212,12 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) corrected_dts += sample_duration * sample_count; } - current_dts += sc->stts_data[i].duration * sample_count; + current_dts += sc->stts_data[i].duration * (int64_t)sample_count; if (current_dts > corrected_dts) { int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1); uint32_t correction = (sc->stts_data[i].duration > drift) ? drift : sc->stts_data[i].duration - 1; - current_dts -= correction * sample_count; + current_dts -= correction * (uint64_t)sample_count; sc->stts_data[i].duration -= correction; } From 2b8c96074b8a7f4d07669cc0abcb750170acc39d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 03:20:41 +0200 Subject: [PATCH 281/606] avformat/mov: Use int64_t in intermediate for corrected_dts Fixes: CID1500312 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 034054b3706bea8524cf8846813e17636ca5ab33) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 06e6ffd73a..a87c8c1260 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
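Review bot: In `mov_read_stts()` (libavformat/mov.c) the two widened products use different types, `(int64_t)sample_count` on the `current_dts +=` line and `(uint64_t)sample_count` on the `current_dts -=` line, so the subtraction is carried out in unsigned arithmetic and converted back while the addition stays signed. If the asymmetry is intentional it deserves a comment, e.g. `/* unsigned on purpose: correction * sample_count may exceed INT64_MAX */`; otherwise use the same cast in both places. The widening covers each product only: `current_dts` is still a signed running sum over entries read from the file, and whether it is range-checked is outside this hunk.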
@@ -3209,7 +3209,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stts_data[i].duration = 1; corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count; } else { - corrected_dts += sample_duration * sample_count; + corrected_dts += sample_duration * (int64_t)sample_count; } current_dts += sc->stts_data[i].duration * (int64_t)sample_count; From 7e634b9731152ba8b8adc2e37b5be733ebb0cada Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 19:51:49 +0200 Subject: [PATCH 282/606] avfilter/vf_rotate: Check ff_draw_init2() return value Fixes: NULL pointer dereference Fixes: 3_343 Found-by: De3mond Signed-off-by: Michael Niedermayer (cherry picked from commit 9c9f095e30c196c0e3d510dc5300182ddb49a803) Signed-off-by: Michael Niedermayer --- libavfilter/vf_rotate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 96c250a459..2bbbb779d7 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -288,7 +288,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init(&rot->draw, inlink->format, 0); + ret = ff_draw_init(&rot->draw, inlink->format, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; From 8cef0f267311a7c4ae41fe9c3a7e7bbc3a59681f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jun 2024 19:37:15 +0200 Subject: [PATCH 283/606] doc/developer: Provide information about git send-email and gmail The 2 links are the clearest i found. Signed-off-by: Michael Niedermayer (cherry picked from commit 959cb2e2e36cad50b88d45c1201c2c3d64d4e48c) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index a55599d4fa..3795e2c5ed 100644 --- a/doc/developer.texi +++ b/doc/developer.texi 
@@ -644,6 +644,11 @@ patch is inline or attached per mail. You can check @url{https://patchwork.ffmpeg.org}, if your patch does not show up, its mime type likely was wrong. +@subheading How to setup git send-email? + +Please see @url{https://git-send-email.io/}. +For gmail additionally see @url{https://shallowsky.com/blog/tech/email/gmail-app-passwds.html}. + @subheading Sending patches from email clients Using @code{git send-email} might not be desirable for everyone. The following trick allows to send patches via email clients in a safe From aab4eb20caec96581c1f80ed9851f135f362bb19 Mon Sep 17 00:00:00 2001 From: Lynne Date: Mon, 1 Jan 2024 00:00:00 +0000 Subject: [PATCH 284/606] configure: update copyright year (cherry picked from commit b95ee2ec5f84054de8bf6db9fe1b1119d569f269) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 126772b164..5af693c954 100755 --- a/configure +++ b/configure @@ -7996,7 +7996,7 @@ cat > $TMPH < Date: Sun, 16 Jun 2024 22:32:03 +0200 Subject: [PATCH 285/606] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97ecfb5a193c43eef2e47b3e45afd3fc629c107d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index b66c3d09a6..3ecc3a69dd 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -588,10 +588,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us From 4d059884974b5a195acc5482fdc1c92737302537 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 17 Jun 2024 01:08:28 +0200 Subject: [PATCH 286/606] avcodec/libvpxenc: Cleanup on error This or fifo needs to be freed on errors explicitly Fixes: memleak Fixes: 68937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-4830831016214528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Zern Signed-off-by: Michael Niedermayer (cherry picked from commit 2b2ced61eba03a1afc83e37614c6635ee9f2b551) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 80988a2608..ca1d531efb 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -2041,6 +2041,7 @@ const FFCodec ff_libvpx_vp8_encoder = { FF_CODEC_ENCODE_CB(vpx_encode), .close = vpx_free, .caps_internal = FF_CODEC_CAP_NOT_INIT_THREADSAFE | + FF_CODEC_CAP_INIT_CLEANUP | FF_CODEC_CAP_AUTO_THREADS, .p.pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUVA420P, AV_PIX_FMT_NONE }, .p.priv_class = &class_vp8, @@ -2117,6 +2118,7 @@ FFCodec ff_libvpx_vp9_encoder = { FF_CODEC_ENCODE_CB(vpx_encode), .close = vpx_free, .caps_internal = FF_CODEC_CAP_NOT_INIT_THREADSAFE | + FF_CODEC_CAP_INIT_CLEANUP | FF_CODEC_CAP_AUTO_THREADS, .defaults = defaults, .init_static_data = vp9_init_static, From 4c004c350c6f1047a217697288e5e270ada30fff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 02:32:13 +0200 Subject: [PATCH 287/606] avformat/mxfdec: Check container_ul->desc before use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1592939 Dereference after null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4cab028bd0e381f2ed4ccb7f139407f1f6f537c0) 
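Review bot: Setting `FF_CODEC_CAP_INIT_CLEANUP` on `ff_libvpx_vp8_encoder` and `ff_libvpx_vp9_encoder` (libavcodec/libvpxenc.c) means `.close = vpx_free` now also runs after an init that failed part-way, so `vpx_free()` must be safe on a context whose encoder handles and fifo were never set up. Its body is outside these hunks; it is worth confirming that every release step there tolerates zeroed state. A comment on `vpx_free()` such as `/* also called after a failed init (FF_CODEC_CAP_INIT_CLEANUP): any field may still be zero */` would keep later edits from breaking that assumption.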
Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index de78b781d4..d0f9625fa1 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3064,6 +3064,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) if (container_ul->desc) av_dict_set(&st->metadata, "data_type", container_ul->desc, 0); if (mxf->eia608_extract && + container_ul->desc && !strcmp(container_ul->desc, "vbi_vanc_smpte_436M")) { st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; From a412dd186351564f49fd2b0dd3f76a64da5be684 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2023 01:19:48 +0200 Subject: [PATCH 288/606] tools/target_dec_fuzzer: Adjust threshold for jpeg2000 Fixes: Timeout Fixes: 57385/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5394334324490240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 749994194cc222f6ee01762b16c0574a947e0e9f) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 62085cf080..f19b89d938 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -248,7 +248,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_IFF_ILBM: maxpixels /= 128; break; case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384; break; - case AV_CODEC_ID_JPEG2000: maxpixels /= 4096; break; + case AV_CODEC_ID_JPEG2000: maxpixels /= 16384; break; case AV_CODEC_ID_LAGARITH: maxpixels /= 1024; break; case AV_CODEC_ID_LOCO: maxpixels /= 1024; break; case AV_CODEC_ID_VORBIS: maxsamples /= 1024; break; 
From a9e55f409f2f7e6b32d5b6cc1dd67ed454cafbca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Dec 2023 23:07:16 +0100 Subject: [PATCH 289/606] tools/target_dec_fuzzer: Adjust threshold for MV30 Fixes: 60867/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-6381933108527104 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f81602fb3ac5b5ff68a3d5425117c1562371242f) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index f19b89d938..4c4be4584f 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -261,6 +261,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_MSS2: maxpixels /= 16384; break; case AV_CODEC_ID_MSZH: maxpixels /= 128; break; case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; + case AV_CODEC_ID_MV30: maxpixels /= 128; break; case AV_CODEC_ID_MVC2: maxpixels /= 128; break; case AV_CODEC_ID_MVHA: maxpixels /= 16384; break; case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; From c9d1d0f0d71aeadc0e33d6060b534164ca02f600 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:23 +0200 Subject: [PATCH 290/606] avcodec/snowenc: MV limits due to mv_penalty table size Fixes: out of array read Fixes: 69673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5476592894148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9292aff320d7b5048b371b1babea2f9b3c4e69) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index c215215346..525fbd1af2 100644 --- a/libavcodec/snowenc.c 
+++ b/libavcodec/snowenc.c @@ -411,6 +411,7 @@ static int encode_q_branch(SnowEncContext *enc, int level, int x, int y) int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ @@ -452,6 +453,11 @@ static int encode_q_branch(SnowEncContext *enc, int level, int x, int y) c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< Date: Tue, 18 Jun 2024 15:48:24 +0200 Subject: [PATCH 291/606] avcodec/jfdctint_template: Fewer integer anomalies Fixes: signed integer overflow: 105788 * -20995 cannot be represented in type 'int' Fixes: signed integer overflow: 923211729 + 2073948236 cannot be represented in type 'int' Fixes: signed integer overflow: 1281179284 + 2073948236 cannot be represented in type 'int' Fixes: 68975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6266769177116672 Fixes: 68997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-6284237161431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 228f255b5d9b839149cd53f0537ce76b068228ae) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index ca17300c32..aa2680132e 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c 
@@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* @@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From ac9045e9939695c3251019465d3da31e19473109 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 23:42:37 +0200 Subject: [PATCH 292/606] avcodec/r210enc: Use av_rescale for bitrate Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long' Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d34d4b6a7ce7fa72239c47d22ab6592d0687ac86) Signed-off-by: Michael Niedermayer --- libavcodec/r210enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index 91e3452874..ec1ebc8d60 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c @@ -35,7 +35,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } From cc8f0276b51f6be6daf807de9c9ecb6ba738189c Mon Sep 17 00:00:00 2001 
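Review bot: In libavcodec/jfdctint_template.c the new `DESCALE` still does its rounding add in signed arithmetic: `(int)(x) + (1 << ((n) - 1))` converts first and adds afterwards, so a value within `1 << (n-1)` of `INT_MAX` overflows as before. Doing the add in unsigned and converting once, `#define DESCALE(x,n) RIGHT_SHIFT((int)((unsigned)(x) + (1u << ((n) - 1))), n)`, keeps the whole expression free of signed overflow and matches the new `MULTIPLY`. With `z1`..`z5` now `unsigned` in `ff_jpeg_fdct_islow`, a short comment that they are unsigned only to get wrapping arithmetic would help, since the values are logically signed.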
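Review bot: In `encode_init()` (libavcodec/r210enc.c) the result of `av_rescale()` is stored in `avctx->bit_rate` unchecked; `av_rescale()` returns `INT64_MIN` when the result is not representable, so the overflow this commit removes can resurface as a hugely negative bit rate. Checking the value before storing it, e.g. `int64_t br = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width);` followed by `if (br >= 0) avctx->bit_rate = br;`, keeps the field sane. `av_rescale()` also rounds to nearest where the old expression truncated, a small behaviour change that the commit message does not mention.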
From: Michael Niedermayer Date: Sun, 16 Jun 2024 19:33:02 +0200 Subject: [PATCH 293/606] avcodec/targaenc: Allocate space for the palette Fixes: out of array access Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7220bd5c1871827ee0edba14fc88f63173e169) Signed-off-by: Michael Niedermayer --- libavcodec/targaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index d9c500b97d..8f496c62bd 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -89,10 +90,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45)) < 0) + if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45 + maxpal)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -125,6 +127,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: From 60af592bdd95a4a527213cab3fcdca67cea561d3 Mon Sep 17 00:00:00 2001 
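Review bot: In `targa_encode_frame()` (libavcodec/targaenc.c) the added `av_assert0(32 * pal_bpp <= maxpal)` sits after the palette loop and after `out += 32 * pal_bpp`, so it runs only once the bytes have been written and cannot stop an oversized write. Moving it ahead of the loop, right after `pal_bpp` is known, turns it into a real precondition. `int maxpal = 32*32;` would also read better with a comment tying it to the palette layout, e.g. `/* palette bytes: 32 * pal_bpp, pal_bpp <= 32 */`; this is inferred from `out += 32 * pal_bpp`, since the `pal_bpp` assignment is outside the hunk. `picsize` is added to the packet size with no visible check for a negative return from `av_image_get_buffer_size()`.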
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:51:22 +0200 Subject: [PATCH 294/606] swscale/output: alpha can become negative after scaling, use multiply Fixes: left shift of negative value -3245 Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c5b6e865a6b1b9c3a471fc06143f11e69d71b) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index b234f9c6b9..f9ce43dde8 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1221,8 +1221,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1267,8 +1267,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1439,7 +1439,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1472,7 +1472,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } From aeb81a7fdc460b1bdeb413d33818c465bee49f77 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:59:23 +0200 Subject: [PATCH 295/606] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int' Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c221c7422f07f2245db5c4cdc958b42ca25eb2b7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index f9ce43dde8..0e6181b3e0 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1925,9 +1925,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; - G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From de3331843ceb557d4da7d8fbfab9064efe9cc082 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 18:38:28 +0200 Subject: [PATCH 296/606] MAINTAINERS: Add Timo Rothenpieler to server admins Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff242d897c4bb0dbff49cb9d7a758ffc5f2a5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 3ecc3a69dd..96403e1c28 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
@@ -34,8 +34,8 @@ Miscellaneous Areas =================== documentation Stefano Sabatini, Mike Melanson, Timothy Gu, Gyan Doshi -project server day to day operations Árpád Gereöffy, Michael Niedermayer, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov -project server emergencies Árpád Gereöffy, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov +project server day to day operations Árpád Gereöffy, Michael Niedermayer, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov, Timo Rothenpieler +project server emergencies Árpád Gereöffy, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov, Timo Rothenpieler presets Robert Swain metadata subsystem Aurelien Jacobs release management Michael Niedermayer From a9c838f6f7d974de70c261eb7405a6031e664f0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:23:06 +0200 Subject: [PATCH 297/606] fftools/ffmpeg: Check read() for failure Fixes: CID1591932 Ignoring number of bytes read Sponsored-by: Sovereign Tech Fund Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 34fd247c3bf06418c1eaafacf0d6052e3bbe4f5e) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 46a85b41a8..4c2cae15d4 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -325,8 +325,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } From dad619078e025eb234ad6437492a9949da6c0518 Mon Sep 17 00:00:00 2001 
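Review bot: In `read_key()` (fftools/ffmpeg.c) a failed or zero-length `read()` now returns `0`, which a caller cannot tell apart from a NUL byte that was actually read, while the neighbouring no-input branch returns `-1`. Unless callers rely on `0` here (they are outside the hunk), returning the same sentinel, `return -1;`, keeps "no key available" a single value. If `0` is intended, a comment such as `/* read failed or EOF: report as no key */` would make that explicit. The function starts before the hunk.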
From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:13:50 +0100 Subject: [PATCH 298/606] avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index a87c8c1260..113587a178 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3509,6 +3509,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } From 2334e8e2d23efd043f24b70dfcf21bb8b9cd8097 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 22:20:25 +0200 Subject: [PATCH 299/606] fftools/ffmpeg_enc: simplify opaque_ref check Found-while-revieweing: CID1520670 Dereference after null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 97b2ab15de964d9455aa902ab616881f76d2cb67) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffmpeg_enc.c b/fftools/ffmpeg_enc.c index fa4539664f..f91b4023ab 100644 --- a/fftools/ffmpeg_enc.c +++ b/fftools/ffmpeg_enc.c 
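Review bot: In `get_edit_list_entry()` (libavformat/mov.c) the overflow test `*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX` is exact only when both operands are non-negative: a negative `*edit_list_media_time` becomes a value near 2^64 after the cast, so the sum either wraps below the limit or trips the check although the signed sum would fit. If negative media times or a negative result from `av_rescale()` can reach this point (the earlier checks are outside the hunk), a signed form is safer, e.g. `if (*edit_list_media_time > 0 && *edit_list_duration > INT64_MAX - *edit_list_media_time)`. The duration is also reset to 0 silently; a debug-level `av_log()` would make such edit lists diagnosable.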
@@ -492,7 +492,7 @@ void enc_stats_write(OutputStream *ost, EncStats *es, const FrameData *fd; - if ((frame && frame->opaque_ref) || (pkt && pkt->opaque_ref)) { + if (frame ? frame->opaque_ref : pkt->opaque_ref) { fd = (const FrameData*)(frame ? frame->opaque_ref->data : pkt->opaque_ref->data); tbi = fd->dec.tb; ptsi = fd->dec.pts; From b4d190ca32db2ca280506f6ca7d7aa9fe5976e90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 22:25:41 +0200 Subject: [PATCH 300/606] fftools/ffmpeg_enc: Initialize fd Fixes: CID1520677 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 462bd44b032c660abb8d450d342adea3aba89e06) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffmpeg_enc.c b/fftools/ffmpeg_enc.c index f91b4023ab..f7dc900ddb 100644 --- a/fftools/ffmpeg_enc.c +++ b/fftools/ffmpeg_enc.c @@ -490,7 +490,7 @@ void enc_stats_write(OutputStream *ost, EncStats *es, AVRational tbi = (AVRational){ 0, 1}; int64_t ptsi = INT64_MAX; - const FrameData *fd; + const FrameData *fd = NULL; if (frame ? frame->opaque_ref : pkt->opaque_ref) { fd = (const FrameData*)(frame ? frame->opaque_ref->data : pkt->opaque_ref->data); From 29852104f53ea1a50492f434e005c4b8c97d70ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 22:33:14 +0200 Subject: [PATCH 301/606] avcodec/cbs_jpeg: Try to move the read entity to one side in a test The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. Fixes: CID1439654 Untrusted pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 385784a148d2886884aac69acc31bf179fac3ac2) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
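Review bot: The simplified condition `frame ? frame->opaque_ref : pkt->opaque_ref` dereferences `pkt` whenever `frame` is NULL, where the previous form tested `pkt` first. That is safe only if enc_stats_write() is always called with exactly one of the two set, and the hunk does not show that contract. I would state it next to the test, e.g. `/* callers pass exactly one of frame / pkt */`, or keep the NULL test on `pkt`. The function continues outside the hunk.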
diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 5921d624a1..f2aa496610 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -145,13 +145,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, } } else { i = start; - if (i + 2 > frag->data_size) { + if (i > frag->data_size - 2) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker.\n", marker); return AVERROR_INVALIDDATA; } length = AV_RB16(frag->data + i); - if (i + length > frag->data_size) { + if (length > frag->data_size - i) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker segment.\n", marker); return AVERROR_INVALIDDATA; From 3e02fd22a35a11d80c5fac201c7513692f4cbe8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:15:50 +0200 Subject: [PATCH 302/606] avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index eafd9cc54f..785fd3849b 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -25,6 +25,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -502,6 +503,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; From 74bacfc00b4274b918415677ec1d5ff1a385d4df Mon Sep 17 00:00:00 2001 
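Review bot: `frag->data_size - 2` in the rewritten check `if (i > frag->data_size - 2)` wraps around if data_size is an unsigned type and smaller than 2, in which case the truncation test passes and `AV_RB16(frag->data + i)` reads past the buffer. The old form `i + 2 > frag->data_size` did not have that failure mode. Unless earlier code in cbs_jpeg_split_fragment() (outside the hunk) already guarantees data_size >= 2, the guard should say so itself: `if (frag->data_size < 2 || i > frag->data_size - 2)`. The second rewritten test, `length > frag->data_size - i`, is fine once the first one holds.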
From: Michael Niedermayer Date: Tue, 24 May 2022 01:45:44 +0200 Subject: [PATCH 303/606] avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() Fixes: CID1435168 Signed-off-by: Michael Niedermayer (cherry picked from commit 63ecce9ba87867b21a7cdcd677bb268c0d807db1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_loopfilter.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/vc1_loopfilter.c b/libavcodec/vc1_loopfilter.c index 0f990cccef..ee694ede28 100644 --- a/libavcodec/vc1_loopfilter.c +++ b/libavcodec/vc1_loopfilter.c @@ -1125,10 +1125,7 @@ static av_always_inline void vc1_b_h_intfi_loop_filter(VC1Context *v, uint8_t *d dst = dest + (block_num & 2) * 4 * s->linesize + (block_num & 1) * 8; if (!(flags & RIGHT_EDGE) || !(block_num & 5)) { - if (block_num > 3) - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); - else - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); + v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); } tt = ttblk[0] >> (block_num * 4) & 0xf; From adc6730d51aaa2282845660541623fa770d69e43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:18 +0200 Subject: [PATCH 304/606] avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure Fixes: CID1591911 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 86cd7c68bc65df6703391f0cdcdbf7c57d6c4780) Signed-off-by: Michael Niedermayer --- libavcodec/mfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c index 3c50a6c074..204728b038 100644 --- a/libavcodec/mfenc.c +++ b/libavcodec/mfenc.c 
@@ -248,7 +248,7 @@ static int mf_sample_to_avpacket(AVCodecContext *avctx, IMFSample *sample, AVPac if ((ret = ff_get_encode_buffer(avctx, avpkt, len, 0)) < 0) return ret; - IMFSample_ConvertToContiguousBuffer(sample, &buffer); + hr = IMFSample_ConvertToContiguousBuffer(sample, &buffer); if (FAILED(hr)) return AVERROR_EXTERNAL; From b736844c5fa0cac5fc7a23a92843b0f807fdcb61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:25 +0200 Subject: [PATCH 305/606] avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure Fixes: CID1591939 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c285bb2789667bcf014ede8b0ab06ebbbee833f) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index fdea1ceb4a..977890f152 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1464,7 +1464,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; From 002c1b4ddbe30e4637064d0ee893a645e66befd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:55:46 +0200 Subject: [PATCH 306/606] avformat/mxfenc: resurrects the error print Fixes: CID1524681 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a469e48b6dd8c9dfd0cd7dba7b28d1987168ed8b) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 53bd6aedca..8f7f330ba7 100644 
--- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2494,9 +2494,6 @@ static int mxf_parse_ffv1_frame(AVFormatContext *s, AVStream *st, AVPacket *pkt) ff_build_rac_states(&c, 0.05 * (1LL << 32), 256 - 8); v = get_ffv1_unsigned_symbol(&c, state); av_assert0(v >= 2); - if (v > 4) { - return 0; - } if (v > 4) { av_log(s, AV_LOG_ERROR, "unsupported ffv1 version %d\n", v); return 0; From 9c52069b83224ea239bc6cd652e688026bd791f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:19:01 +0200 Subject: [PATCH 307/606] avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 781c3162d6..8e70533056 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -75,6 +75,9 @@ static int mpegps_probe(const AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) From 807b53c1917bebd9f6863962cefb402bb6e072e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 01:50:00 +0200 Subject: [PATCH 308/606] avformat/rdt: Check pkt_len Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer --- libavformat/rdt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rdt.c b/libavformat/rdt.c index b9b02a371f..138f110906 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c 
@@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; From 96a63346eea3783d8e3bc04db33c4999e5d2dbeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 22:44:46 +0200 Subject: [PATCH 309/606] avfilter/avf_showcwt: Check av_parse_video_rate() for failure Fixes: CID1539147 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit aab0c344c5d1d5b1020f87c62da3e523161a660f) Signed-off-by: Michael Niedermayer --- libavfilter/avf_showcwt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c index d5bc920a4b..c19cbd291f 100644 --- a/libavfilter/avf_showcwt.c +++ b/libavfilter/avf_showcwt.c @@ -1000,6 +1000,8 @@ static int config_output(AVFilterLink *outlink) s->auto_frame_rate = av_make_q(inlink->sample_rate, s->hop_size); if (strcmp(s->rate_str, "auto")) { ret = av_parse_video_rate(&s->frame_rate, s->rate_str); + if (ret < 0) + return ret; } else { s->frame_rate = s->auto_frame_rate; } From 371c42dd81cad9514d9ad1a6b4a982d9621a253c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 22:53:14 +0200 Subject: [PATCH 310/606] avfilter/drawutils: Fix depthb computation Fixes: CID1496940 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 34f821e44821804e1954ca6eb38269183978a62c) Signed-off-by: Michael Niedermayer --- libavfilter/drawutils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/drawutils.c b/libavfilter/drawutils.c index 1081938d86..95525d38b4 100644 --- a/libavfilter/drawutils.c +++ b/libavfilter/drawutils.c 
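Review bot: The new `if (pkt_len > len)` bounds pkt_len from above only; a pkt_len of 0 leaves `buf`, `len` and `consumed` unchanged in the three statements that follow. If this code runs inside the status-packet loop that the commit title's "untrusted loop bound" refers to (the loop itself is outside the hunk), such input would make no progress. Since `AV_RB16(buf+3)` already implies a five-byte header, rejecting anything shorter looks right: `if (pkt_len < 5 || pkt_len > len) return AVERROR_INVALIDDATA;`. The minimum of 5 is inferred from the offsets read here and should be checked against the format.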
@@ -61,6 +61,7 @@ int ff_fill_rgba_map(uint8_t *rgba_map, enum AVPixelFormat pix_fmt) had0 |= pos == 0; rgba_map[i] = pos; + depthb = db; } if (desc->nb_components == 3) From 3666a36472a8e908c98e9f82e15e7d6e2f49d676 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 23:43:37 +0200 Subject: [PATCH 311/606] avfilter/vf_avgblur: Check plane instead of AVFrame Fixes: CID1551694 Use after free (false positive based on assuming that out == in and one is freed and one used) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c296d4fdec198a32ea3995e312cede7be83352c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index 8ff6111bcc..d1ce029b5c 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -287,7 +287,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); From 252464c49b636f8501f684a5bff19926d876b26b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2024 23:18:47 +0200 Subject: [PATCH 312/606] tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() Signed-off-by: Michael Niedermayer (cherry picked from commit 380a8213b165d1fda419c566241d2641cb6f5c3c) Signed-off-by: Michael Niedermayer --- tools/coverity.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c 
@@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; @@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} From bea691ffc110ac28470b35e3d1f384ec51d47c82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 21:24:47 +0200 Subject: [PATCH 313/606] avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure Fixes: CID1503078 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a0ea15c7afb8abd823303b9a525cc5e6572f199) Signed-off-by: Michael Niedermayer --- libavfilter/af_aresample.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index f4bcc45616..9e6b9719f3 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c @@ -201,8 +201,11 @@ FF_DISABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS #endif ret = av_channel_layout_copy(&outsamplesref->ch_layout, &outlink->ch_layout); - if (ret < 0) + if (ret < 0) { + av_frame_free(&outsamplesref); + av_frame_free(&insamplesref); return ret; + } outsamplesref->sample_rate = outlink->sample_rate; if(insamplesref->pts != AV_NOPTS_VALUE) { From 4d7d183ccbe6b58422241e42c27c45ba2074b790 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 10 Jun 2024 21:58:51 +0200 Subject: [PATCH 314/606] avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds Maybe Helps: CID1503077 Bad bit shift operation Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cef720ab429244ac9e56f48d983d6086e0a227a7) Signed-off-by: Michael Niedermayer --- libavfilter/af_channelsplit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_channelsplit.c b/libavfilter/af_channelsplit.c index bd4afff122..cbdefff675 100644 --- a/libavfilter/af_channelsplit.c +++ b/libavfilter/af_channelsplit.c @@ -22,7 +22,7 @@ * * Split an audio stream into per-channel streams. */ - +#include "libavutil/avassert.h" #include "libavutil/attributes.h" #include "libavutil/channel_layout.h" #include "libavutil/internal.h" @@ -162,6 +162,8 @@ static int filter_frame(AVFilterLink *outlink, AVFrame *buf) enum AVChannel channel = av_channel_layout_channel_from_index(&buf->ch_layout, s->map[i]); int ret; + av_assert1(channel >= 0); + AVFrame *buf_out = av_frame_clone(buf); if (!buf_out) return AVERROR(ENOMEM); From bdd1a93e4bdbee2638203c8ecacd4bfa4a04172c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:18:53 +0200 Subject: [PATCH 315/606] avfilter/af_mcompand: compute half frequency in double Fixes: CID1422217 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2d0d502ff10378e545a1fe42a9503ab44d19fa67) Signed-off-by: Michael Niedermayer --- libavfilter/af_mcompand.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_mcompand.c b/libavfilter/af_mcompand.c index 1267cd9f34..9347f06d87 100644 --- a/libavfilter/af_mcompand.c +++ b/libavfilter/af_mcompand.c 
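Review bot: `av_assert1(channel >= 0)` in filter_frame() is compiled out unless the build raises the assert level, so in a default build a failed av_channel_layout_channel_from_index() still reaches whatever uses `channel` afterwards (the commit message mentions a bit shift; that use is outside the hunk). A runtime test that takes the function's ordinary error path would cover release builds too. The assert is also placed between `int ret;` and the declaration of `buf_out`, which mixes a statement into the declarations; moving it below `buf_out` keeps the block's style.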
@@ -417,8 +417,8 @@ static int config_output(AVFilterLink *outlink) } new_nb_items += sscanf(tstr2, "%lf", &s->bands[i].topfreq) == 1; - if (s->bands[i].topfreq < 0 || s->bands[i].topfreq >= outlink->sample_rate / 2) { - av_log(ctx, AV_LOG_ERROR, "crossover_frequency: %f, should be >=0 and lower than half of sample rate: %d.\n", s->bands[i].topfreq, outlink->sample_rate / 2); + if (s->bands[i].topfreq < 0 || s->bands[i].topfreq >= outlink->sample_rate / 2.0) { + av_log(ctx, AV_LOG_ERROR, "crossover_frequency: %f, should be >=0 and lower than half of sample rate: %f.\n", s->bands[i].topfreq, outlink->sample_rate / 2.0); return AVERROR(EINVAL); } From a1b6a6907b9049f434bb7e92f7a02673bf9c4906 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 22 Oct 2023 19:35:52 +0100 Subject: [PATCH 316/606] cbs_av1: Reject thirty-two zero bits in uvlc code The spec allows at least thirty-two zero bits followed by a one to mean 2^32-1, with no constraint on the number of zeroes. The libaom reference decoder does not match this, instead reading thirty-two zeroes but not the following one to mean 2^32-1. These two interpretations are incompatible and other implementations may follow one or the other. Therefore reject thirty-two zeroes because the intended behaviour is not clear. Signed-off-by: Michael Niedermayer (cherry picked from commit 7110a36ba07f85ca2996d3b99898a4819e72d9bb) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index fb82996022..458381f038 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -36,7 +36,7 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, CBS_TRACE_READ_START(); zeroes = 0; - while (1) { + while (zeroes < 32) { if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); 
@@ -49,10 +49,18 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, } if (zeroes >= 32) { - // Note that the spec allows an arbitrarily large number of - // zero bits followed by a one bit in this case, but the - // libaom implementation does not support it. - value = MAX_UINT_BITS(32); + // The spec allows at least thirty-two zero bits followed by a + // one to mean 2^32-1, with no constraint on the number of + // zeroes. The libaom reference decoder does not match this, + // instead reading thirty-two zeroes but not the following one + // to mean 2^32-1. These two interpretations are incompatible + // and other implementations may follow one or the other. + // Therefore we reject thirty-two zeroes because the intended + // behaviour is not clear. + av_log(ctx->log_ctx, AV_LOG_ERROR, "Thirty-two zero bits in " + "%s uvlc code: considered invalid due to conflicting " + "standard and reference decoder behaviour.\n", name); + return AVERROR_INVALIDDATA; } else { if (get_bits_left(gbc) < zeroes) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " From c773ce84359ae49a731636b933d19cbf97589b51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:41:07 +0200 Subject: [PATCH 317/606] avfilter/af_pan: check nb_output_channels before use Fixes: CID1500281 Out-of-bounds write Fixes: CID1500331 Out-of-bounds write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index cfed9f146a..1a63d52536 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c 
@@ -118,6 +118,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { int used_in_ch[MAX_CHANNELS] = {0}; From 40b801870dd72fd7fd9fa2b7c9d20e0d8db36e01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 14:53:44 +0200 Subject: [PATCH 318/606] avfilter/af_afftdn: Assert format Maybe helps: CID1515514 Uninitialized scalar variable Maybe helps: CID1515517 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8f9a6c4ea8de3e58f32622424c97203e6ba582c3) Signed-off-by: Michael Niedermayer --- libavfilter/af_afftdn.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/af_afftdn.c b/libavfilter/af_afftdn.c index b509d40eb5..37c3ef3b72 100644 --- a/libavfilter/af_afftdn.c +++ b/libavfilter/af_afftdn.c @@ -20,6 +20,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/channel_layout.h" #include "libavutil/opt.h" @@ -375,6 +376,8 @@ static void process_frame(AVFilterContext *ctx, case AV_SAMPLE_FMT_DBLP: noisy_data[i] = mag = hypot(fft_data_dbl[i].re, fft_data_dbl[i].im); break; + default: + av_assert2(0); } power = mag * mag; @@ -969,6 +972,8 @@ static void sample_noise_block(AudioFFTDeNoiseContext *s, mag2 = fft_out_dbl[n].re * fft_out_dbl[n].re + fft_out_dbl[n].im * fft_out_dbl[n].im; break; + default: + av_assert2(0); } mag2 = fmax(mag2, s->sample_floor); From ac8ac10e3331ebd7188b2df905ad39103da8ee0e Mon Sep 17 00:00:00 2001 
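Review bot: The added `default: av_assert2(0);` arms in process_frame() and sample_noise_block() do nothing unless the build enables assert level 2, so in an ordinary build an unexpected sample format still leaves the switch with `mag` / `mag2` unset, which is the condition the Coverity reports describe. Initialising the variable where it is declared (outside these hunks), or using `av_assert0(0)`, gives the same guarantee in every build. Both arms also lack a `break;`, harmless for a last label but inconsistent with the cases above them. The `default: av_assert1(0);` added to init_segment() in libavfilter/af_afir.c by the next patch has the same limitation.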
From: Michael Niedermayer Date: Mon, 10 Jun 2024 14:53:44 +0200 Subject: [PATCH 319/606] avfilter/af_afir: Assert format Maybe helps: CID1516805 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a5c815f937a80d7689bc0f2deb3ac968f2630176) Signed-off-by: Michael Niedermayer --- libavfilter/af_afir.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/af_afir.c b/libavfilter/af_afir.c index 5d3f4070a7..1bc937a633 100644 --- a/libavfilter/af_afir.c +++ b/libavfilter/af_afir.c @@ -25,6 +25,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/cpu.h" #include "libavutil/tx.h" #include "libavutil/avstring.h" @@ -247,6 +248,8 @@ static int init_segment(AVFilterContext *ctx, AudioFIRSegment *seg, int selir, iscale.d = 1.0 / sqrt(2.0 * part_size); tx_type = AV_TX_DOUBLE_RDFT; break; + default: + av_assert1(0); } for (int ch = 0; ch < ctx->inputs[0]->ch_layout.nb_channels && part_size >= 1; ch++) { From 405723c4cd5f9a6ea4aaa0c710c742e646894c0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 16:31:28 +0200 Subject: [PATCH 320/606] swscale/swscale: Use ptrdiff_t for linesize computations This is unlikely to make a difference Fixes: CID1591896 Unintentional integer overflow Fixes: CID1591901 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66b60bae68a3124fb176b0c2d4580f0f76c31dc4) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index fe0e74f871..f08f2ac3b7 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c 
@@ -1172,7 +1172,7 @@ int sws_receive_slice(struct SwsContext *c, unsigned int slice_start, } for (int i = 0; i < FF_ARRAY_ELEMS(dst); i++) { - ptrdiff_t offset = c->frame_dst->linesize[i] * (slice_start >> c->chrDstVSubSample); + ptrdiff_t offset = c->frame_dst->linesize[i] * (ptrdiff_t)(slice_start >> c->chrDstVSubSample); dst[i] = FF_PTR_ADD(c->frame_dst->data[i], offset); } @@ -1233,7 +1233,7 @@ void ff_sws_slice_worker(void *priv, int jobnr, int threadnr, for (int i = 0; i < FF_ARRAY_ELEMS(dst) && parent->frame_dst->data[i]; i++) { const int vshift = (i == 1 || i == 2) ? c->chrDstVSubSample : 0; const ptrdiff_t offset = parent->frame_dst->linesize[i] * - ((slice_start + parent->dst_slice_start) >> vshift); + (ptrdiff_t)((slice_start + parent->dst_slice_start) >> vshift); dst[i] = parent->frame_dst->data[i] + offset; } From f504e2e9f59aab88c0907e1f9d300d80fed657d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:46 +0200 Subject: [PATCH 321/606] avfilter/af_aderivative: Free out on error Fixes: CID1197065 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 382e9e79f3a0011d93af4b11ca6ba6b85113a09a) Signed-off-by: Michael Niedermayer --- libavfilter/af_aderivative.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c index eeaa23ff88..4883972dcf 100644 --- a/libavfilter/af_aderivative.c +++ b/libavfilter/af_aderivative.c @@ -126,6 +126,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->prev = ff_get_audio_buffer(inlink, 1); if (!s->prev) { av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } } From 25ba51aad7aad96239f27caafd213a7c8d681d17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 10:17:42 +0200 Subject: [PATCH 322/606] avformat/rtpenc_vc2hq: Check sizes Fixes: CID1452585 Untrusted loop bound Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 7a9ddb705152d5090d2cb815f905bf592cc487f5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_vc2hq.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c @@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) 
@@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: From a0c4d98072847336900c52abb725b2b93d8b9f0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:23:47 +0200 Subject: [PATCH 323/606] avformat/rtsp: use < 0 for error check Found while reviewing CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9bb38ba2b782cdb6052ddcb415ef1554b0462401) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 7d1d3a75d4..3761b70ccf 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1427,7 +1427,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) 
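Review bot: In ff_rtp_send_vc2hq() the header fields are read with `unit[4]` and `AV_RB32(&unit[5])` before the new `unit_size > end - unit` test, so the test does not protect those reads; they need at least nine bytes between `unit` and `end`, and the loop condition that might ensure this is outside the hunk. A `unit_size` of 0 also passes the new test, and whether the loop then advances is not visible here. Separately, send_picture() now returns an error code, but the call under `DIRAC_PCODE_PICTURE_HQ` discards it; since the caller returns void, at least an `av_log()` at that call would keep a rejected picture from being dropped silently.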
From 1b0a93466c73a0ad59303377e393c1b2d5a2e6d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:28:49 +0200 Subject: [PATCH 324/606] avformat/rtsp: initialize reply1 It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there are code paths like "continue" which look like they could skip it but even if not writing this so a complex loop after several layers of calls initialized a local variable through a pointer is just bad design. This patch simply initialized the variable. Fixes: CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 498ce4e8b82e2312690613df45f87e592dcb91a9) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 3761b70ccf..1d41e13c75 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1460,6 +1460,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[MAX_URL_SIZE]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) From aa1bcef3ccaadcad23c980fcae2253c5d35ed510 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 19:43:15 +0200 Subject: [PATCH 325/606] avformat/rtsp: Check that lower transport is handled in one of the if() Fixes: CID1473554 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8200d382503f5fd839a72af7ba93d53880ad4b7) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 1d41e13c75..49bf37cacf 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
@@ -1576,7 +1576,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || From dfed9fc7bd0032ac7ff3f8907eb447fb6f36fedf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:45:32 +0200 Subject: [PATCH 326/606] avformat/subfile: Merge if into switch() Found while reviewing CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0a7d964bfd5da8859c715627eeb7a048bddb79) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 633a9e3c62..eedac1524e 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -123,9 +123,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) return end; } - if (whence == AVSEEK_SIZE) - return end - c->start; switch (whence) { + case AVSEEK_SIZE: + return end - c->start; case SEEK_SET: new_pos = c->start + pos; break; From 49d34302a6cbf952f0dbf0ad47ce633e7342816b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:46:28 +0200 Subject: [PATCH 327/606] avformat/subfile: Assert that whence is a known case This may help CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 426d8c84c37064eef93bbcfaffd886d00a9a4ee8) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index eedac1524e..be48ef72ef 100644 
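Review bot: The new `else` branch in ff_rtsp_make_setup_request fails with `AVERROR(EINVAL)` silently, so a caller that hits an unhandled lower transport gets no hint about which value was rejected. Logging before the jump would make this diagnosable: `av_log(s, AV_LOG_ERROR, "Unsupported lower transport %d\n", lower_transport);`. The if/else chain this branch completes starts outside the hunk.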
--- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/opt.h" #include "url.h" @@ -135,6 +136,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = end + pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); From 1164095eca058bf16e34929ff1ae22e6f16a2bb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:09:24 +0200 Subject: [PATCH 328/606] avformat/tls_schannel: Initialize ret Fixes: CID1591881 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f022afea77ced5067f511530dd8ff137967db1d9) Signed-off-by: Michael Niedermayer --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index d4959f75fa..bbeb8a81f2 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -388,7 +388,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; /* If we have some left-over data from previous network activity, From 6c9b5078413334ea64d0f036464a5d17f5ad2224 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:42:01 +0200 Subject: [PATCH 329/606] avformat/usmdec: Initialize value Fixes: CID1551685 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 06191386396344ee1906c6016b7d94ee8754fd61) Signed-off-by: Michael Niedermayer --- libavformat/usmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
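Review bot: The added `default: av_assert0(0);` in subfile_seek turns an unexpected `whence` into a process abort, and av_assert0 is checked in every build configuration. If any caller can reach this switch with a value outside the four handled cases, returning an error is the safer failure mode for a library and still leaves `new_pos` initialized on every path that uses it: `default: return AVERROR(EINVAL);`. The same trade-off applies to the `av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS);` added in check_header_mismatch in libavcodec/flac_parser.c, which stops the out-of-bounds `link_penalty[i]` read by aborting. There, a comment stating why `child` is always reachable within that many links would help if the condition is believed impossible. The switch in subfile_seek begins outside this hunk.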
diff --git a/libavformat/usmdec.c b/libavformat/usmdec.c index ee403e7a84..8b6a387f23 100644 --- a/libavformat/usmdec.c +++ b/libavformat/usmdec.c @@ -119,7 +119,7 @@ static int parse_utf(AVFormatContext *s, AVIOContext *pb, for (int i = 0; i < nb_items; i++) { GetByteContext *xgb; uint8_t key[256]; - int64_t value; + int64_t value = -1; int n = 0; type = bytestream2_get_byte(&gb); From e0a079be2aa34c2da826af9bc2f52b9206488a19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2024 01:47:33 +0200 Subject: [PATCH 330/606] doc/examples/vaapi_encode: Try to check fwrite() for failure Fixes: CID1604548 Unused value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 3e4bfff21192aed328c906c85424737128b108f1) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_encode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/examples/vaapi_encode.c b/doc/examples/vaapi_encode.c index d5f472f6dd..ff3ebb1e2b 100644 --- a/doc/examples/vaapi_encode.c +++ b/doc/examples/vaapi_encode.c @@ -88,6 +88,10 @@ static int encode_write(AVCodecContext *avctx, AVFrame *frame, FILE *fout) enc_pkt->stream_index = 0; ret = fwrite(enc_pkt->data, enc_pkt->size, 1, fout); av_packet_unref(enc_pkt); + if (ret != enc_pkt->size) { + ret = AVERROR(errno); + break; + } } end: From b220f7dc94a8869d21443bfe216ddedc79f64e38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:41 +0200 Subject: [PATCH 331/606] avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor Fixes: CID1591909 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 698ed0d5a5a3a1219179facb5538eea463fae13f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
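Review bot: The new check in encode_write (doc/examples/vaapi_encode.c) compares the wrong values. `fwrite(enc_pkt->data, enc_pkt->size, 1, fout)` is called with an item count of 1, so it returns 1 on success rather than `enc_pkt->size`, and the comparison reads `enc_pkt->size` after `av_packet_unref(enc_pkt)` has already reset the packet. As written, a successful write is likely to take the error branch, with `errno` possibly still 0. Comparing against the item count fixes both problems: `if (ret != 1) {`. The loop this `break` leaves starts outside the hunk.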
diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 26cebbb650..db8b2da83f 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -196,7 +196,7 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); From 00c45302e756fd0e9d377c52dff93fd48429a00a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:42 +0200 Subject: [PATCH 332/606] avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error Fixes: CID1598558 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit cf22f944d55c8eb0119fb20354a625f8c41eb11f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index db8b2da83f..34711ae107 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -184,6 +184,7 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te sizeof(*frames_hwctx->texture_infos)); if (!frames_hwctx->texture_infos) { ID3D11Texture2D_Release(tex); + av_free(desc); return NULL; } s->nb_surfaces = s->nb_surfaces_used + 1; From ffb0a4c6478a8413ff7953cfe6cf301575f4c375 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:43 +0200 Subject: [PATCH 333/606] avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 Fixes: CID1591944 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 628ba061c8d5ae018c3e8aa8ce05b8dfcdfd8410) 
Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 2c11f151ff..1b7c692cc8 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -141,7 +141,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, size_t size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From c872336df5c9faf314c2f873b9fc283d5a1e3588 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:44 +0200 Subject: [PATCH 334/606] avutil/wchar_filename: Correct sizeof Fixes: CID1591930 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit e9e8bea2e79bc3c481a6f81f75f6c871e3e0f367) Signed-off-by: Michael Niedermayer --- libavutil/wchar_filename.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index 868a30b532..23cc92aa2d 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -57,7 +57,7 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, errno = EINVAL; return -1; } - *filename = (char*)av_malloc_array(num_chars, sizeof *filename); + *filename = av_malloc_array(num_chars, sizeof **filename); if (!*filename) { errno = ENOMEM; return -1; From 5af1fe569360655b86220e808b3f950c007527df Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 7 Jun 2024 21:57:40 +0200 Subject: [PATCH 335/606] avformat/rmdec: use 64bit for audio_framesize checks It is not entirely clear what would prevent such overflow so even if it is not possible, it is better to use 64bit Fixes: CID1491898 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 665be4fa2f47910bf85a6f17b6cac9dabc6591f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 0f1534b582..e156f57bd8 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -267,9 +267,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From f6b059008feddc19c681559b4408579f72c16bd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:05:47 +0200 Subject: [PATCH 336/606] avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly Found while reviewing: CID1530313 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cedbef03946625bc0f7f96e9f77ad59c512b9900) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index a602bf6a96..905469c14f 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -441,7 +441,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; @@ -466,13 +465,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); From b92c0e54fc4aa02ead1d2b97eb9e2955abb9e8cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 00:13:59 +0200 Subject: [PATCH 337/606] avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset Found while reviewing: CID1494441 Untrusted value as argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f13ae632591b043cb69b66de01e8b178037cdd0e) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_rfc4175.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_rfc4175.c b/libavformat/rtpenc_rfc4175.c index 257d072cd3..2120274f01 100644 --- a/libavformat/rtpenc_rfc4175.c +++ b/libavformat/rtpenc_rfc4175.c @@ -116,7 +116,7 @@ void ff_rtp_send_raw_rfc4175(AVFormatContext *s1, const uint8_t *buf, int size, int l_field; int l_line; int l_off; - int copy_offset; + int64_t copy_offset; length = (headers[0] << 8) | headers[1]; l_field = (headers[2] & 0x80) >> 7; 
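Review bot: In amf_tag_skip the switch relies on unannotated fall-throughs from `case AMF_DATA_TYPE_ARRAY:` and `case AMF_DATA_TYPE_MIXEDARRAY:` (after `nb = bytestream2_get_be32(gb);`) into `case AMF_DATA_TYPE_OBJECT:`. With `parse_key` removed, the only hint at the intent is the repeated `type != AMF_DATA_TYPE_ARRAY` test. A `/* fallthrough */` after the `nb` read would keep that readable, along with a loop comment such as `/* plain arrays stop after nb elements; objects and mixed arrays appear to stop on an empty key */`. Since `nb` is taken directly from the packet, the array case depends on a per-iteration end-of-data check. The loop body continues outside the hunk, so that check cannot be confirmed from here.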
@@ -127,7 +127,7 @@ void ff_rtp_send_raw_rfc4175(AVFormatContext *s1, const uint8_t *buf, int size, if (interlaced) l_line = 2 * l_line + l_field; - copy_offset = (l_line * width + l_off) * pgroup / xinc; + copy_offset = (l_line * (int64_t)width + l_off) * pgroup / xinc; if (copy_offset + length > size) break; memcpy (dest, buf + copy_offset, length); From ba0c1fc015ff5bca7e0905f361d5fcee2996ef39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:26 +0200 Subject: [PATCH 338/606] avcodec/proresenc_kostya: use unsigned alpha for rotation Fixes: left shift of negative value -208 Fixes: 69073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-4745020002336768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93e0265e27e6dd567812a8661988109421c5447a) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 0bee01e157..15101c991c 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -367,7 +367,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; From 05e38d8362561864a36297a0029fb64c8674f492 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:00:04 +0200 Subject: [PATCH 339/606] doc/examples/mux: remove nop Found through code review related to CID1604493 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e6c0c5731e85f00b5840d9a7d14e38cc3e07d5bc) 
Signed-off-by: Michael Niedermayer --- doc/examples/mux.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/examples/mux.c b/doc/examples/mux.c index b034aad56f..0f3a2bb125 100644 --- a/doc/examples/mux.c +++ b/doc/examples/mux.c @@ -347,8 +347,7 @@ static int write_audio_frame(AVFormatContext *oc, OutputStream *ost) if (frame) { /* convert samples from native format to destination codec format, using the resampler */ /* compute destination number of samples */ - dst_nb_samples = av_rescale_rnd(swr_get_delay(ost->swr_ctx, c->sample_rate) + frame->nb_samples, - c->sample_rate, c->sample_rate, AV_ROUND_UP); + dst_nb_samples = swr_get_delay(ost->swr_ctx, c->sample_rate) + frame->nb_samples; av_assert0(dst_nb_samples == frame->nb_samples); /* when we pass a frame to the encoder, it may keep a reference to it From f99867ef796beda2f09bc9a09100828eb7bdba3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 17:49:56 +0200 Subject: [PATCH 340/606] avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit width and height > 32bit is not supported and its easier to check in a central place Signed-off-by: Michael Niedermayer (cherry picked from commit ba63e329572b74207045fd82c93fcc0fa0479bc4) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index da3812698e..6028faddb1 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -298,7 +298,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } 
From 343a76e123aae00016d2751659797cc5b6848bb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:42 +0200 Subject: [PATCH 341/606] avcodec/xsubdec: Check parse_timecode() Fixes: CID1604490 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96fd9417e250540f228d1ad5b43a77c120208eba) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index f86b7c58e7..b804a90298 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -59,6 +59,7 @@ static int decode_frame(AVCodecContext *avctx, AVSubtitle *sub, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -73,8 +74,14 @@ static int decode_frame(AVCodecContext *avctx, AVSubtitle *sub, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header From 0a2278742350928e3cb30b728c5b2adf5fb62020 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:43 +0200 Subject: [PATCH 342/606] avcodec/cri: Check length Fixes: CID1604394 Overflowed constant Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 69dcd123f19acf851f85166159a3719565813fd0) Signed-off-by: Michael Niedermayer --- libavcodec/cri.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cri.c b/libavcodec/cri.c index 0380a0c665..012b67d313 100644 --- a/libavcodec/cri.c +++ b/libavcodec/cri.c @@ -235,10 +235,14 @@ static int cri_decode_frame(AVCodecContext *avctx, AVFrame *p, s->data_size = length; goto skip; case 105: + if (length <= 0) + return AVERROR_INVALIDDATA; hflip = bytestream2_get_byte(gb) != 0; length--; goto skip; case 106: + if (length <= 0) + return AVERROR_INVALIDDATA; vflip = bytestream2_get_byte(gb) != 0; length--; goto skip; From 6b20dadc817e672c3b1fb6e87dd459177713ae60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:44 +0200 Subject: [PATCH 343/606] avcodec/dxv: Fix type in get_opcodes() Found by code review related to CID1604386 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5af1c6e91e86b184101ef2abb49178ff409703b) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 5923811b29..089cf78d53 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -440,7 +440,7 @@ static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op size_in_bits = bytestream2_get_le32(gb); endoffset = ((size_in_bits + 7) >> 3) - 4; - if (endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) + if ((int)endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) return AVERROR_INVALIDDATA; offset = endoffset; From d4d971efbb9466d1266a7da6f08c1d066f212706 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:45 +0200 Subject: [PATCH 344/606] avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() Found while reviewing code related to CID1604409 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf5b83f6fa367f99aefc1321bafc0a7e8db33cd) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 164c2583b6..9f60fe0397 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -424,6 +424,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -535,6 +537,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) From c543847ddd0156788626a7f1c52b93decf405922 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:46 +0200 Subject: [PATCH 345/606] avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() Found by code review related to CID1604563 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b2aaeb81f65aaa61238d74a77034b118055340d3) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 9f60fe0397..742334978d 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h 
@@ -402,6 +402,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); From 1b0f37bbb6e1c1d54589369e49d1bdbced3cee1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:48 +0200 Subject: [PATCH 346/606] avcodec/iff: Use signed count This is more a style fix than a bugfix (CID1604392 Overflowed constant) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cfe66dfebb8a1e1394bcf834b6cc785f280ccecf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index faf4e21c42..32d771b887 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -522,7 +522,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -530,7 +530,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); From 99c3834f612736d8dbed24e298c9ab489a3b6b8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:49 +0200 Subject: [PATCH 347/606] avcodec/imm4: check cbphi for error Fixes: CID1604356 Overflowed constant Fixes: CID1604573 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6e4c037833c3ca0e0bd3e348701c4c0dc58bed91) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
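Review bot: `av_assert2(log >= k);` in get_ur_golomb is compiled in only at assert level 2 or higher, so in a default build a `k` larger than `log` still reaches `buf >>= log - k` with a negative shift count. The assertion therefore records the precondition but does not enforce it for callers that pass a `k` derived from the bitstream. The requirement should be stated in the function's doc comment, which is outside this hunk, for example `@param k Rice parameter; the caller must ensure it cannot exceed the escape prefix length (log >= k)`. Callers should then be checked against it.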
diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index d4011b33c1..1a2e563080 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -219,12 +219,15 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { - unsigned flag, cbphi, cbplo; + unsigned flag, cbplo; + int cbphi; cbplo = get_vlc2(gb, cbplo_tab.table, CBPLO_VLC_BITS, 1); flag = get_bits1(gb); cbphi = get_cbphi(gb, 1); + if (cbphi < 0) + return cbphi; ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag); if (ret < 0) @@ -272,7 +275,8 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { int reverse, intra_block, value; - unsigned cbphi, cbplo, flag2 = 0; + unsigned cbplo, flag2 = 0; + int cbphi; if (get_bits1(gb)) { copy_block16(frame->data[0] + y * frame->linesize[0] + x, @@ -298,6 +302,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, cbplo = value >> 4; cbphi = get_cbphi(gb, reverse); + if (cbphi < 0) + return cbphi; + if (intra_block) { ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag2); if (ret < 0) From 41c5289c7ef3401bc5565d936acf2ee3e141ee06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:51 +0200 Subject: [PATCH 348/606] avcodec/loco: check get_ur_golomb_jpegls() for failure Fixes: CID1604400 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b9899866418cb3bd930846271470e3096917f5f6) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 3d11823284..65168d52be 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c 
@@ -92,10 +92,15 @@ static inline int loco_get_rice(RICEContext *r) if (get_bits_left(&r->gb) < 1) return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else From 21d7ac3a071c11ceb270f795e20876591cbddd5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:52 +0200 Subject: [PATCH 349/606] avcodec/loco: Check loco_get_rice() for failure Fixes: CID1604495 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d55327684349b4db5d5905eefaa7d2aec597908d) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 65168d52be..8cc270acbb 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -157,6 +157,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { From d39d90e51068bae2decd7e2e01143b3a092172ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:54 +0200 Subject: [PATCH 350/606] avcodec/mlpenc: Use 64 for ml, mr Fixes: CID1604429 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 06f01d9fa0ecfa7dd785b3dfe2957999472930b2) Signed-off-by: Michael Niedermayer --- libavcodec/mlpenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/mlpenc.c b/libavcodec/mlpenc.c index 895362faca..53a78e3ccd 100644 --- a/libavcodec/mlpenc.c 
+++ b/libavcodec/mlpenc.c @@ -1414,7 +1414,8 @@ static int estimate_coeff(MLPEncodeContext *ctx, MLPSubstream *s, int32_t maxl = INT32_MIN, maxr = INT32_MIN, minl = INT32_MAX, minr = INT32_MAX; int64_t summ = 0, sums = 0, suml = 0, sumr = 0, enl = 0, enr = 0; const int shift = 14 - ctx->rematrix_precision; - int32_t cf0, cf1, e[4], d[4], ml, mr; + int32_t cf0, cf1, e[4], d[4]; + int64_t ml, mr; int i, count = 0; for (int j = 0; j <= ctx->cur_restart_interval; j++) { @@ -1447,8 +1448,8 @@ static int estimate_coeff(MLPEncodeContext *ctx, MLPSubstream *s, summ -= FFABS(suml + sumr); sums -= FFABS(suml - sumr); - ml = maxl - minl; - mr = maxr - minr; + ml = maxl - (int64_t)minl; + mr = maxr - (int64_t)minr; if (!summ && !sums) return 0; From 6498053b900d9237107e14c149b0e199ecd0310c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:55 +0200 Subject: [PATCH 351/606] avcodec/motion_est: Fix score squaring overflow Fixes: CID1604552 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f18b442370d714b930e3e983c2e5d789229f3356) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index df9d1befa8..2091acbbec 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1446,7 +1446,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) s->b_direct_mv_table[mot_xy][0]= 0; s->b_direct_mv_table[mot_xy][1]= 0; - return 256*256*256*64; + return 256*256*256*64-1; } c->xmin= xmin; From 85dbf6d8e41f559db955dd169c702f46cdc77110 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:56 +0200 Subject: [PATCH 352/606] avcodec/pixlet: Simplify pfx computation Found by reviewing code related to CID1604365 Overflowed constant Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 0474614e6cf8edcd0077b95772c29fae894a7db9) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 6e925308b8..914f0636bc 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -230,8 +230,8 @@ static int read_high_coeffs(AVCodecContext *avctx, const uint8_t *src, int16_t * if (cnt1 >= length) { cnt1 = get_bits(bc, nbits); } else { - pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); - if (pfx < 1 || pfx > 25) + pfx = FFMIN(value, 14); + if (pfx < 1) return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(bc, pfx); From 18025bf362a1ac00efb78616404f821acf734352 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2024 21:35:48 +0200 Subject: [PATCH 353/606] avcodec/osq: avoid signed overflow in downsample path Fixes: signed integer overflow: 865309950 * 256 cannot be represented in type 'int' Fixes: 69191/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6310214413385728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed34b0c54ebdce7f741d9fb6a9ac11a1816df59c) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 650cfcd98c..fa4aeee35e 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -320,7 +320,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int cb->prev = prev; if (downsample) - dst[n] *= 256; + dst[n] *= 256U; dst[E] = dst[D]; dst[D] = dst[C]; From 02606b6ae42859b7900e5e685ea7f9e20c317142 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 5 May 2024 01:51:59 +0200 Subject: [PATCH 354/606] avcodec/flac_parser: Assert that we do not overrun the link_penalty array Helps: CID1454676 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9af348bd1aa41ea10d6719c56ed2b4eda97642f3) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index bd91cc1a05..99460e7ea6 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -519,6 +519,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; From 769d857430828e9ab6aac37821f69e096169706e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:34:48 +0200 Subject: [PATCH 355/606] avdevice/dshow_filter: Use wcscpy_s() Fixes: CID1591929 Copy into fixed size buffer Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit daf61dddc8e27424c320d5c3abe3e0c5182cd5c0) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index 4642ac077c..2122c84626 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -135,7 +135,7 @@ long WINAPI ff_dshow_filter_JoinFilterGraph(DShowFilter *this, IFilterGraph *gra this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } 
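Review bot: The `wcscpy_s` call in ff_dshow_filter_JoinFilterGraph ignores its return value, and `wcscpy_s` does not truncate when the source is too long. With the Microsoft CRT it invokes the invalid-parameter handler, which by default terminates the process, and otherwise returns an error with `achName` emptied. If a `name` longer than `achName` can be supplied by the graph, the result should be checked and the call failed instead of returning `S_OK`: `if (name && wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name) != 0) return E_INVALIDARG;`. That check would best sit before `this->info.pGraph = graph;` so a failed call leaves the filter state unchanged.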
From d735717614f34cdbe73c6b752cdbf7fc47c20c05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:26 +0200 Subject: [PATCH 356/606] avdevice/dshow: Cleanup also on av_log case Fixes: CID1598550 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 25f9211bdd61641cb8739efcb45bf31b46557178) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 977890f152..2cd7c2153a 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1000,7 +1000,7 @@ dshow_cycle_formats(AVFormatContext *avctx, enum dshowDeviceType devtype, " ch=%2u, bits=%2u, rate=%6lu\n", fx->nChannels, fx->wBitsPerSample, fx->nSamplesPerSec ); - continue; + goto next; } if ( (requested_sample_rate && requested_sample_rate != fx->nSamplesPerSec) || From c3badb1cd86e216796cc9478c6720ceee2fd8e4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:24 +0200 Subject: [PATCH 357/606] avdevice/dshow: Check device_filter_unique_name before use Fixes: CID1591931 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 175c19166824bd93b02f60c5178365014212366e) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 2cd7c2153a..68478ca762 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c 
@@ -1372,7 +1372,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; From 09c9cc0cc21e9c9f98eadee621651d8ca7afb2be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:27 +0200 Subject: [PATCH 358/606] avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure Maybe Fixes: CID1598557 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2e72708831ca0cc76f72368676a8ccf624a2fe) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 68478ca762..a40572b928 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1545,7 +1545,10 @@ dshow_add_device(AVFormatContext *avctx, ctx->capture_filter[devtype]->stream_index = st->index; - ff_dshow_pin_ConnectionMediaType(ctx->capture_pin[devtype], &type); + if (ff_dshow_pin_ConnectionMediaType(ctx->capture_pin[devtype], &type) != S_OK) { + ret = AVERROR(EIO); + goto error; + } fmt_info = dshow_get_format_info(&type); if (!fmt_info) { ret = AVERROR(EIO); From 24717b7be692ac3b2e3b2555702651b0b8a37b42 Mon Sep 17 00:00:00 2001 
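Review bot: When `device_filter_unique_name` is NULL the new condition in dshow_open_device enters the reuse branch, and the `av_log` call right below then passes that NULL pointer to `%s`, which is undefined behaviour for printf-style formatting. The NULL case is also treated as if the names matched, so the previously opened filter is reused without any comparison; if that is intended a short comment should say so, otherwise NULL probably belongs on the error path. `ctx->device_unique_name[otherDevType]` still reaches strcmp unchecked. For the log line, `device_filter_unique_name ? device_filter_unique_name : "(unknown)"` avoids the NULL argument; the rest of the function is outside the hunk.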
From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:22 +0200 Subject: [PATCH 359/606] avdevice/dshow: Remove NULL check on pin The pointer is used before the check Fixes: CID1591884 Dereference before null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 989e11acb65e640d336d0d911e958a6008311a9d) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index a40572b928..023c9db052 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -431,8 +431,8 @@ dshow_get_device_media_types(AVFormatContext *avctx, enum dshowDeviceType devtyp IEnumMediaTypes_Release(types); if (p) IKsPropertySet_Release(p); - if (pin) - IPin_Release(pin); + + IPin_Release(pin); } IEnumPins_Release(pins); From 02694abdafd0feaa4495b41e12415eed2c2daaea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:10 +0200 Subject: [PATCH 360/606] avfilter/vf_bm3d: Dont round MSE2SSE to an integer Fixes: CID1439581 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ec18ec9fc1080c37a02f3709afda5c4b08d4ea89) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bm3d.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index cdced50ba3..e0b93879c8 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c 
@@ -273,7 +273,7 @@ static void do_block_matching_multi(BM3DContext *s, const uint8_t *src, int src_ int r_y, int r_x, int plane, int jobnr) { SliceContext *sc = &s->slices[jobnr]; - double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (s->max * s->max); + double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (double)(s->max * s->max); double distMul = 1. / MSE2SSE; double th_sse = th_mse * MSE2SSE; int index = sc->nb_match_blocks; From 0b5ef2198bf4d8aa9576ffb82237aa80515fa8ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:11 +0200 Subject: [PATCH 361/606] avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters Helps with: CID1439572 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 19a5a8997c93d72d6fe169c42a2a04ad4bb6e03a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_convolution_opencl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_convolution_opencl.c b/libavfilter/vf_convolution_opencl.c index 0eff9f40d3..40938436f2 100644 --- a/libavfilter/vf_convolution_opencl.c +++ b/libavfilter/vf_convolution_opencl.c @@ -20,6 +20,7 @@ #include "config_components.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/mem.h" @@ -80,6 +81,8 @@ static int convolution_opencl_init(AVFilterContext *avctx) kernel_name = "prewitt_global"; } else if (!strcmp(avctx->filter->name, "roberts_opencl")){ kernel_name = "roberts_global"; + } else { + av_assert0(0); } ctx->kernel = clCreateKernel(ctx->ocf.program, kernel_name, &cle); CL_FAIL_ON_ERROR(AVERROR(EIO), "Failed to create " From 5743c33946671a0ff2640e0cc5dfb404981cae47 Mon Sep 17 00:00:00 2001 
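Review bot: The `(double)` cast in do_block_matching_multi covers only the denominator, and `s->max * s->max` is multiplied before the cast, so both that product and the five-factor numerator are still evaluated in the operands' own type. If those fields are `int` (their declarations are outside the hunk), a 16-bit `s->max` of 65535 already overflows in `s->max * s->max`. Making the first operand floating-point moves the whole expression to double: `double MSE2SSE = (double)s->group_size * s->block_size * s->block_size * src_range * src_range / ((double)s->max * s->max);`.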
From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:24 +0200 Subject: [PATCH 362/606] avcodec/tiff: Check value on positive signed targets Fixes: CID1604593 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66d6b8033b4bf8e9b33f26729c4ab9f9b328c5a2) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 6569e406b5..c52b4963e2 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1303,9 +1303,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->is_thumbnail = (value != 0); break; case TIFF_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->width = value; break; case TIFF_HEIGHT: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->height = value; break; case TIFF_BPP: @@ -1437,12 +1441,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->tile_byte_counts_offset = off; break; case TIFF_TILE_LENGTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_length = value; break; case TIFF_TILE_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_width = value; break; case TIFF_PREDICTOR: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->predictor = value; break; case TIFF_SUB_IFDS: @@ -1587,12 +1597,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } break; case TIFF_T4OPTIONS: - if (s->compr == TIFF_G3) + if (s->compr == TIFF_G3) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; case TIFF_T6OPTIONS: - if (s->compr == TIFF_G4) + if (s->compr == TIFF_G4) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; #define ADD_METADATA(count, name, sep)\ if ((ret = add_metadata(count, type, name, sep, s, frame)) < 0) {\ From 74d626d3d55e4f709924dd209281db78c693fef0 Mon Sep 17 00:00:00 2001 
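Review bot: The same guard `if (value > INT_MAX) return AVERROR_INVALIDDATA;` is now repeated seven times across the three hunks in tiff_decode_tag (TIFF_WIDTH, TIFF_HEIGHT, TIFF_TILE_LENGTH, TIFF_TILE_WIDTH, TIFF_PREDICTOR and both fax option tags). A small local macro or helper would keep the cases in sync and make it harder to add a new signed target without the check. It would also help to state in a comment which type `value` has, since its declaration is outside the hunks and the comparison only does anything if `value` is unsigned or wider than int.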
From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:27 +0200 Subject: [PATCH 363/606] avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() Untested, needs review Fixes: CID1591856 Resource leak Fixes: CID1591887 Resource leak Fixes: CID1591874 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 348968e9f7d8abb743a5dfca8e522ae0cf1ddc8b) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_capture.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavdevice/dshow_capture.h b/libavdevice/dshow_capture.h index 81e684b9be..bb39d4947a 100644 --- a/libavdevice/dshow_capture.h +++ b/libavdevice/dshow_capture.h @@ -124,14 +124,15 @@ void ff_dshow_##prefix##_Destroy(class *this) \ class *ff_dshow_##prefix##_Create(__VA_ARGS__) \ { \ class *this = CoTaskMemAlloc(sizeof(class)); \ - void *vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \ dshowdebug("ff_dshow_"AV_STRINGIFY(prefix)"_Create(%p)\n", this); \ - if (!this || !vtbl) \ + if (!this) \ goto fail; \ ZeroMemory(this, sizeof(class)); \ - ZeroMemory(vtbl, sizeof(*this->vtbl)); \ + this->vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \ + if (!this->vtbl) \ + goto fail; \ + ZeroMemory(this->vtbl, sizeof(*this->vtbl)); \ this->ref = 1; \ - this->vtbl = vtbl; \ if (!setup) \ goto fail; \ dshowdebug("created ff_dshow_"AV_STRINGIFY(prefix)" %p\n", this); \ From 573987e8aac8a55515ef219bb76e68e3c90f367b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:44:08 +0200 Subject: [PATCH 364/606] avcodec/mpegvideo_enc: Do not duplicate pictures on shifting Fixes: out of array access Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Fixes: 69599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4848626296225792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
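Review bot: After this change the `fail` label in ff_dshow_##prefix##_Create can be reached with `this == NULL`, with `this->vtbl == NULL`, or with both allocated and `setup` failed, and the cleanup code at that label is outside the hunk. Whatever runs there (the hunk header shows ff_dshow_##prefix##_Destroy just above) has to tolerate all three states, otherwise the leak fix trades a leak for a NULL dereference on the allocation-failure path. The commit message says the change is untested, so a comment at the label stating which states it handles, e.g. `/* this may be NULL; this->vtbl may be NULL */`, would make that reviewable. The `dshowdebug` call ahead of the `!this` check only prints the pointer, so it is fine as is.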
Signed-off-by: Michael Niedermayer (cherry picked from commit 9c8881cb3534b257d6e6539f563006599cd96b48) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c4c174a02e..5fab302148 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1252,6 +1252,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (int i = flush_offset; i <= MAX_B_FRAMES; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = pic; From 4a554ffb9b3f9d252ec92ffae3001852014f96ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 22:43:22 +0200 Subject: [PATCH 365/606] avcodec/vc2enc: Fix overflows with storing large values Fixes: left shift of 1431634944 by 2 places cannot be represented in type 'int' Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 69061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6325700826038272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit af9935835335cae1ae5a4ec7fc14c1b5e25c1f2d) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index d978c67a3b..9e5e491b6d 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -185,7 +185,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); 
@@ -202,12 +204,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) From 62a9b53e198326806cba377494901b8b9c5477b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2024 20:58:05 +0200 Subject: [PATCH 366/606] avcodec/j2kenc: Merge dwt_norm into lambda This moves computations out of a loop This may help with UB in vsynth*-jpeg2000-yuva444p16 Fixes: signed integer overflow: 31665934879948800 * 9998 cannot be represented in type 'long' Fixes: 69024/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5949662967169024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a84fbd747119841942c67d2f55cc796ab25cd245) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 5f95b772d1..b25dbfa0db 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1348,7 +1348,7 @@ static void makelayers(Jpeg2000EncoderContext *s, Jpeg2000Tile *tile) } } -static int getcut(Jpeg2000Cblk *cblk, uint64_t lambda, int dwt_norm) +static int getcut(Jpeg2000Cblk *cblk, uint64_t lambda) { int passno, res = 0; for (passno = 0; passno < cblk->npasses; passno++){ @@ -1360,7 +1360,7 @@ static int getcut(Jpeg2000Cblk *cblk, uint64_t lambda, int dwt_norm) dd = cblk->passes[passno].disto - (res ? cblk->passes[res-1].disto : 0); - if (((dd * dwt_norm) >> WMSEDEC_SHIFT) * dwt_norm >= dr * lambda) + if (dd >= dr * lambda) res = passno+1; } return res; 
@@ -1383,11 +1383,12 @@ static void truncpasses(Jpeg2000EncoderContext *s, Jpeg2000Tile *tile) Jpeg2000Band *band = reslevel->band + bandno; Jpeg2000Prec *prec = band->prec + precno; + int64_t dwt_norm = dwt_norms[codsty->transform == FF_DWT53][bandpos][lev] * (int64_t)band->i_stepsize >> 15; + int64_t lambda_prime = av_rescale(s->lambda, 1 << WMSEDEC_SHIFT, dwt_norm * dwt_norm); for (cblkno = 0; cblkno < prec->nb_codeblocks_height * prec->nb_codeblocks_width; cblkno++){ Jpeg2000Cblk *cblk = prec->cblk + cblkno; - cblk->ninclpasses = getcut(cblk, s->lambda, - (int64_t)dwt_norms[codsty->transform == FF_DWT53][bandpos][lev] * (int64_t)band->i_stepsize >> 15); + cblk->ninclpasses = getcut(cblk, lambda_prime); cblk->layers[0].data_start = cblk->data; cblk->layers[0].cum_passes = cblk->ninclpasses; cblk->layers[0].npasses = cblk->ninclpasses; From 04885dde13fae6eac0e024f365302fc2938c842c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2024 23:55:01 +0200 Subject: [PATCH 367/606] avcodec/utvideoenc: Use unsigned shift to build flags Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 69083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5608202363273216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e90491f15d8eef643f8dfd1b75805829496678) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index 1fcb6854f2..6adb217416 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c 
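Review bot: `dwt_norm` in truncpasses becomes 0 after the `>> 15` if the product of the norm table entry and `band->i_stepsize` is below `1 << 15`, and it is then used as the divisor `dwt_norm * dwt_norm` in `av_rescale`. As far as I know av_rescale returns INT64_MIN for a non-positive divisor, and that value is passed to getcut's `uint64_t lambda` parameter, where it becomes a very large threshold. A guard before the rescale, for example `if (dwt_norm <= 0) dwt_norm = 1;`, or an explicit decision about what a zero norm should mean, would make this case defined; `dr * lambda` in getcut can also still wrap for a large `lambda_prime`. The enclosing loops of truncpasses start and end outside the hunk.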
@@ -239,7 +239,7 @@ static av_cold int utvideo_encode_init(AVCodecContext *avctx) * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; From 88336d81fa19b582f00d60f570280e49680fccd1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:05:12 +0200 Subject: [PATCH 368/606] avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation Fixes: signed integer overflow: 20 * 2314885530818453759 cannot be represented in type 'long' Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0993ef675f06042402a97b08a60155c65dae8ba7) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 0135623c0e..b91ec244dc 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -333,7 +333,7 @@ static void mpeg1_encode_sequence_header(MpegEncContext *s) else /* VBV calculation: Scaled so that a VCD has the proper * VBV size of 40 kilobytes */ - vbv_buffer_size = ((20 * s->bit_rate) / (1151929 / 2)) * 8 * 1024; + vbv_buffer_size = av_rescale_rnd(s->bit_rate, 20, 1151929 / 2, AV_ROUND_ZERO) * 8 * 1024; vbv_buffer_size = (vbv_buffer_size + 16383) / 16384; put_sbits(&s->pb, 18, v); From d0ce252930357406a0435d0d783db4b1467345aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jul 2024 21:12:54 +0200 Subject: [PATCH 369/606] avcodec/pnmdec: Use 64bit for input size check Fixes: out of array read Fixes: poc3 Reported-by: VulDB CNA Team Found-by: CookedMelon 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index acd77ea810..40cc2ae868 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -264,7 +264,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, AVFrame *p, break; case AV_PIX_FMT_GBRPF32: if (!s->half) { - if (avctx->width * avctx->height * 12 > s->bytestream_end - s->bytestream) + if (avctx->width * avctx->height * 12LL > s->bytestream_end - s->bytestream) return AVERROR_INVALIDDATA; scale = 1.f / s->scale; if (s->endian) { From bc1b078bd1b06f7d3bc29c1ce3af56c488048647 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:23:40 +0200 Subject: [PATCH 370/606] avutil/timecode: Use a 64bit framenum internally Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 68550/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6424065930756096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5ca373d7efa37d2d3911f0afbc85fad0dc86b38) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index bd879bd3cc..f40a10eb38 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c 
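Review bot: In the AV_PIX_FMT_GBRPF32 size check, `avctx->width * avctx->height * 12LL` still multiplies width by height in `int` first, because the expression groups left to right and only the last multiplication sees the `long long` operand. If the dimensions are not already bounded so that their product fits in int (that validation is outside the hunk), the overflow the commit targets can still happen. Putting the wide operand first fixes the grouping: `if (12LL * avctx->width * avctx->height > s->bytestream_end - s->bytestream)`. Other pixel-format cases of pnm_decode_frame outside the hunk may carry the same pattern.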
@@ -100,11 +100,12 @@ uint32_t av_timecode_get_smpte(AVRational rate, int drop, int hh, int mm, int ss return tc; } -char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) +char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum_arg) { int fps = tc->fps; int drop = tc->flags & AV_TIMECODE_FLAG_DROPFRAME; int hh, mm, ss, ff, ff_len, neg = 0; + int64_t framenum = framenum_arg; framenum += tc->start; if (drop) From c08ff45cb21a277b2b6387c7238d3e8f67fd03c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:31:21 +0200 Subject: [PATCH 371/606] avformat/mxfdec: Reorder elements of expression in bisect loop Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d288479d3431d65318d957aab710b13714fc05) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d0f9625fa1..e2d8eecbb8 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3856,8 +3856,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; - - while (b - a > 1) { + while (b - 1 > a) { m = (a + b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; From 160ecb2b367fb6b1c47d060ae4222e9dd03951c2 Mon Sep 17 00:00:00 2001 
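Review bot: The reordered loop condition in mxf_get_next_track_edit_unit removes the overflow in `b - a`, but the midpoint on the next line, `m = (a + b) >> 1;`, can still overflow once `a` has moved up while `b` is near INT64_MAX. Computing it without the sum avoids that, e.g. `m = a + 1 + ((b - 2 - a) >> 1);`, which gives the same value while `a >= -1` and `b - 1 > a` hold. Separately, `b - 1` itself overflows if `track->original_duration` is INT64_MIN, so a range check on the duration before the loop is still worth having; whether one exists earlier is not visible here. The bisect body continues outside the hunk.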
From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:44:04 +0200 Subject: [PATCH 372/606] swscale/output: Fix integer overflows in yuv2rgba64_X_c_template Fixes: signed integer overflow: -1082982400 + -1068681048 cannot be represented in type 'int' Fixes: 69995/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6285740271534080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcab9789ef750670277956e79736bca442aec2ff) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 0e6181b3e0..e8dd2145ce 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1059,8 +1059,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -1088,9 +1088,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; 
@@ -1109,20 +1109,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From f3a360a00dd7a0fc4014f8c9f81e4665ec317082 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 14 Jun 2024 01:50:15 +0200 Subject: [PATCH 373/606] avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables Fixes: CID1452759 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9385847af47211e8c618198499ffea99614bb55d) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake_opencl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_deshake_opencl.c b/libavfilter/vf_deshake_opencl.c index cddd5558e2..5177f24acd 100644 --- a/libavfilter/vf_deshake_opencl.c +++ b/libavfilter/vf_deshake_opencl.c @@ -703,7 +703,7 @@ static int minimize_error( total_err += deshake_ctx->ransac_err[j]; } - if (total_err < best_err) { + if (i == 0 || total_err < best_err) { for (int mi = 0; mi < 6; ++mi) { best_model[mi] = model[mi]; } From d10954e620ccf8e87df133e713ed916c9e05854a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 00:45:45 +0200 Subject: [PATCH 374/606] avfilter/vf_elbg: Use unsigned for shifting into the top bit Fixes: part of CID1355110 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2af95b9214a6bf75f946440d36c349963396e23b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_elbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_elbg.c b/libavfilter/vf_elbg.c index 17947e226a..863366ccc2 100644 --- a/libavfilter/vf_elbg.c +++ b/libavfilter/vf_elbg.c @@ -194,7 +194,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) p0 = (uint8_t *)out->data[0]; for (i = 0; i < elbg->codebook_length; i++) { - const int al = elbg->use_alpha ? elbg->codebook[i*4+3] : 0xff; + const unsigned al = elbg->use_alpha ? elbg->codebook[i*4+3] : 0xff; pal[i] = al << 24 | (elbg->codebook[i*4+2] << 16) | (elbg->codebook[i*4+1] << 8) | 
From 05ef16425505ccc78de3569b75f83c32f1d721e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 01:33:11 +0200 Subject: [PATCH 375/606] avfilter/vf_lut3d: Check av_scanf() Fixes: CID1604398 Unchecked return value Fixes: CID1604542 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ace2e25720b8a26906b15aab7eebbac860bb7bf0) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lut3d.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index 4edcc2c7a7..1341ad4921 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c @@ -702,7 +702,8 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; @@ -1733,12 +1734,14 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; } else if (!strncmp(line, "LUT_1D_INPUT_RANGE ", 19)) { - av_sscanf(line + 19, "%f %f", min, max); + if (av_sscanf(line + 19, "%f %f", min, max) != 2) + return AVERROR_INVALIDDATA; min[1] = min[2] = min[0]; max[1] = max[2] = max[0]; goto try_again; From 38c029131a23fff9d954bbdfce6d4acfcd5e5bcb Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:01:29 +0200 Subject: [PATCH 376/606] avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() Found by reviewing CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ad9df8bcfebc1085cb8b42dae9ab688af824cdab) Signed-off-by: Michael Niedermayer --- libavfilter/scale_eval.c | 9 ++++++--- libavfilter/scale_eval.h | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavfilter/scale_eval.c b/libavfilter/scale_eval.c index 75ed503f15..dc8d522b1e 100644 --- a/libavfilter/scale_eval.c +++ b/libavfilter/scale_eval.c @@ -114,7 +114,7 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, int force_original_aspect_ratio, int force_divisible_by) { - int w, h; + int64_t w, h; int factor_w, factor_h; w = *ret_w; @@ -149,9 +149,9 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, * unless force_divisible_by is defined as well */ if (force_original_aspect_ratio) { // Including force_divisible_by here rounds to the nearest multiple of it. - int tmp_w = av_rescale(h, inlink->w, inlink->h * (int64_t)force_divisible_by) + int64_t tmp_w = av_rescale(h, inlink->w, inlink->h * (int64_t)force_divisible_by) * force_divisible_by; - int tmp_h = av_rescale(w, inlink->h, inlink->w * (int64_t)force_divisible_by) + int64_t tmp_h = av_rescale(w, inlink->h, inlink->w * (int64_t)force_divisible_by) * force_divisible_by; if (force_original_aspect_ratio == 1) { @@ -173,6 +173,9 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, } } + if ((int32_t)w != w || (int32_t)h != h) + return AVERROR(EINVAL); + *ret_w = w; *ret_h = h; diff --git a/libavfilter/scale_eval.h b/libavfilter/scale_eval.h index 2eb6970aad..b489528404 100644 --- a/libavfilter/scale_eval.h +++ b/libavfilter/scale_eval.h 
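Review bot: ff_scale_adjust_dimensions now has a failure return, and on that path `*ret_w` and `*ret_h` are left at the caller's unadjusted values, so every caller has to check the result. Only vf_scale.c is updated in this series as far as is visible here, so it is worth grepping for other users of the function and updating them together. The range test `(int32_t)w != w` also assumes `int` is 32 bits and lets zero or negative results through; `if (w < 1 || w > INT_MAX || h < 1 || h > INT_MAX)` states the intended range directly, provided no caller relies on non-positive values being passed back.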
@@ -41,7 +41,7 @@ int ff_scale_eval_dimensions(void *ctx, * force_original_aspect_ratio is set. force_divisible_by is used only when * force_original_aspect_ratio is set and must be at least 1. * - * Returns 0. + * Returns negative error code on error or non negative on success */ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, From 90b99445fbef3dd1154815a54030d5093974eac3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:42:44 +0200 Subject: [PATCH 377/606] avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure Helps: CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a8fb3c2cc07e741bca556eee8aea704fda4c33f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 23335cef4b..774f137353 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -529,10 +529,13 @@ static int config_props(AVFilterLink *outlink) outlink->w = scale->w; outlink->h = scale->h; - ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, + ret = ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, scale->force_original_aspect_ratio, scale->force_divisible_by); + if (ret < 0) + goto fail; + if (outlink->w > INT_MAX || outlink->h > INT_MAX || (outlink->h * inlink->w) > INT_MAX || From bab5b22af243626c30b6b542472877c84dec4168 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 17:38:08 +0200 Subject: [PATCH 378/606] avformat/asfdec_o: Check size of index object We subtract 24 so it must be at least 24 Fixes: CID1604482 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 10942ecfa0..d127f1df97 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -866,6 +866,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { From f60c294f6d4450eab500f18c17bd748e981c9493 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:10:00 +0200 Subject: [PATCH 379/606] avformat/bintext: Check avio_size() return Fixes: CID1604503 Overflowed constant Fixes: CID1604566 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bf61f811e73dc62d1b53ed4ef6044b4e9e195113) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index b6f14a03e5..a691018080 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -92,9 +92,12 @@ static int next_tag_read(AVFormatContext *avctx, uint64_t *fsize) AVIOContext *pb = avctx->pb; char buf[36]; int len; - uint64_t start_pos = avio_size(pb) - 256; + int64_t start_pos = avio_size(pb); - avio_seek(pb, start_pos, SEEK_SET); + if (start_pos < 256) + return AVERROR_INVALIDDATA; + + avio_seek(pb, start_pos - 256, SEEK_SET); if (avio_read(pb, buf, sizeof(next_magic)) != sizeof(next_magic)) return -1; if (memcmp(buf, next_magic, sizeof(next_magic))) 
@@ -244,7 +247,10 @@ static int xbin_read_header(AVFormatContext *s) return AVERROR(EIO); if (pb->seekable & AVIO_SEEKABLE_NORMAL) { - bin->fsize = avio_size(pb) - 9 - st->codecpar->extradata_size; + int64_t fsize = avio_size(pb); + if (fsize < 9 + st->codecpar->extradata_size) + return 0; + bin->fsize = fsize - 9 - st->codecpar->extradata_size; ff_sauce_read(s, &bin->fsize, NULL, 0); avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET); } @@ -284,7 +290,10 @@ static int adf_read_header(AVFormatContext *s) if (pb->seekable & AVIO_SEEKABLE_NORMAL) { int got_width = 0; - bin->fsize = avio_size(pb) - 1 - 192 - 4096; + int64_t fsize = avio_size(pb); + if (fsize < 1 + 192 + 4096) + return 0; + bin->fsize = fsize - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) @@ -317,6 +326,7 @@ static int idf_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVStream *st; int got_width = 0, ret; + int64_t fsize; if (!(pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); @@ -331,14 +341,18 @@ static int idf_read_header(AVFormatContext *s) st->codecpar->extradata[0] = 16; st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT; - avio_seek(pb, avio_size(pb) - 4096 - 48, SEEK_SET); + fsize = avio_size(pb); + if (fsize < 12 + 4096 + 48) + return AVERROR_INVALIDDATA; + bin->fsize = fsize - 12 - 4096 - 48; + + avio_seek(pb, bin->fsize + 12, SEEK_SET); if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0) return AVERROR(EIO); if (avio_read(pb, st->codecpar->extradata + 2, 48) < 0) return AVERROR(EIO); - bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) return AVERROR_INVALIDDATA; From 3a661757bae0e687ed7edd9527735b45007c68cb Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:37:54 +0200 Subject: [PATCH 380/606] avformat/hlsenc: Check ret Fixes: CID1609624 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7e577165c101513b4d8afe164e604cbef6901546) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 0b89a7f508..2c2b14e09b 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2590,8 +2590,10 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) " will retry with a new http session.\n"); ff_format_io_close(s, &vs->out); ret = hlsenc_io_open(s, &vs->out, filename, &options); - reflush_dynbuf(vs, &range_length); - ret = hlsenc_io_close(s, &vs->out, filename); + if (ret >= 0) { + reflush_dynbuf(vs, &range_length); + ret = hlsenc_io_close(s, &vs->out, filename); + } } av_dict_free(&options); av_freep(&vs->temp_buffer); @@ -2602,6 +2604,9 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) hls_rename_temp_file(s, oc); } + if (ret < 0) + return ret; + old_filename = av_strdup(oc->url); if (!old_filename) { return AVERROR(ENOMEM); From c16a71e757c5625fe5e1bc115fe4ac63327175c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:40:46 +0200 Subject: [PATCH 381/606] avformat/hnm: Check *chunk_size Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 291356f58b8a1af491c692a89e6c4e70e9496f9d) Signed-off-by: Michael Niedermayer --- libavformat/hnm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 97990b2673..faa2044dff 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c 
@@ -113,6 +113,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; @@ -123,7 +125,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); From fea96888397a9dc2d5bb1aa719b1058626f7c963 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 19:29:14 +0200 Subject: [PATCH 382/606] avformat/mm: Check length Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 139bf412464e62a83984cd49093936dcaa7a0865) Signed-off-by: Michael Niedermayer --- libavformat/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mm.c b/libavformat/mm.c index 1d44f41a94..de2998642a 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ From 7271c1b5237d80e99ebccb1534d38d16487f3651 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:03:45 +0200 Subject: [PATCH 383/606] avformat/mov: Use 64bit for str_size We assign a 64bit variable to it before checking Fixes: CID1604544 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 046d069552f5c2824f36fcf95d409670208dc94b) 
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 113587a178..d3418beab1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -303,7 +303,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; From 3b8cb4dc26afbec0fdccbc498581e91eecb2f476 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:17:00 +0200 Subject: [PATCH 384/606] avformat/mp3dec; Check for avio_size() failure Fixes: CID1608710 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bb936a1a720856a51c48bf907475daa8065920c9) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index a0edb195b5..26c1e0783b 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -137,9 +137,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { From 3a308dffde26ad89a205a4c8d04f18fba5a42c50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:20:53 +0200 Subject: [PATCH 385/606] avformat/mp3dec: Check header_filesize Fixes: CID1608714 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund 
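Review bot: A negative `filesize` supplied by the caller still bypasses the new handling in read_xing_toc(), because `!filesize` is false for it and avio_size() is never consulted. If callers can pass a failed size through (they are outside this hunk), testing the sign in the first operand, `if (filesize <= 0 && (filesize = avio_size(s->pb)) <= 0) {`, closes that path with the same warning and `fill_index = 0`. The loop over XING_TOC_COUNT that consumes `filesize` continues beyond the hunk.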
Signed-off-by: Michael Niedermayer (cherry picked from commit cea4dbc903eaf8cb7a4ea53b281deff495ff8fa0) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 26c1e0783b..58cbab326a 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -585,7 +585,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - si->data_offset, mp3->frames, mp3->header_filesize); } From b83407f9839a505240929c7e7750aabc70b3b066 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:29:10 +0200 Subject: [PATCH 386/606] avformat/nsvdec: Check asize for PCM Fixes: CID1604527 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e83e24650489e63f6b31e8c72a973db6367947b9) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index b28576ea11..97f5076e1c 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -615,7 +615,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; From e4056afd4cb22f888867276a672050c8c46e7b68 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:44:45 +0200 Subject: [PATCH 387/606] avformat/sapdec: Check ffurl_get_file_handle() for error Fixes: CID1604506 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3e305a0e703843765d4dd7042092c3a38c0f97af) Signed-off-by: Michael Niedermayer --- libavformat/sapdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index 59141448f4..2874714f38 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -196,6 +196,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; From 5d62f99b0824dc861af35047e173dbf5c155c824 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:49:08 +0200 Subject: [PATCH 388/606] avformat/sauce: Check avio_size() for failure Fixes: CID1604592 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 759aae590c0298414db4d2925a33b084d7f9e7f9) Signed-off-by: Michael Niedermayer --- libavformat/sauce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) From 479f3e353651328a59dad7d8d8b0df2805eb81d0 Mon Sep 17 00:00:00 2001 
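Review bot: `return fd;` in sap_fetch_packet() hands the raw descriptor value back as the error code, which is only right if ffurl_get_file_handle() reports failure with an AVERROR value. Its definition is not on this page; if it can return a bare -1, callers receive a code that maps to an unrelated errno. Returning a fixed code, `return AVERROR(EIO);`, avoids depending on that.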
From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:58:21 +0200 Subject: [PATCH 389/606] avformat/siff: Basic pkt_size check Fixes: half of CID1258461 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 124a97dd8b7636fb52e042b2e85a44cce40ab5e7) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/siff.c b/libavformat/siff.c index 99756574b4..423534da64 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -198,7 +198,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); if (c->flags & VB_HAS_AUDIO && !c->has_audio) return AVERROR_INVALIDDATA; From d29377143474938860d932e869414453ad2df810 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:05:20 +0200 Subject: [PATCH 390/606] avformat/tty: Check avio_size() Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 41745e550a0274571bd9fbfb12b36ff1743d4e9c) Signed-off-by: Michael Niedermayer --- libavformat/tty.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index fbea3196fa..5a6b641d30 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c 
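Review bot: Only the lower bound of `pktsize` is checked in siff_read_packet(); the value comes straight from `avio_rl32()` and anything up to 0xFFFFFFFF is then stored as `c->pktsize = pktsize - 4`. If `c->pktsize` is a signed int (its declaration is outside the hunk), values of 0x80000004 and above turn negative, which would be the half of the Coverity report the commit message leaves open. An upper limit next to the new test, e.g. `if (pktsize < 4 || pktsize > INT_MAX) return AVERROR_INVALIDDATA;`, or a tighter format-specific cap, would cover it. The function continues past the hunk.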
@@ -122,13 +122,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: From cdf0627ee569d8f428a79664ddc794b3d0892fc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:53:58 +0200 Subject: [PATCH 391/606] avformat/ty: rec_size seems to only need 32bit May help CID1604560 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit be30913538d4be9a50672ceb683f8745d8aa75a9) Signed-off-by: Michael Niedermayer --- libavformat/ty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ty.c b/libavformat/ty.c index 760dfda54c..a77ea3afd5 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c @@ -47,7 +47,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd }; #define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */ typedef struct TyRecHdr { - int64_t rec_size; + int32_t rec_size; uint8_t ex[2]; uint8_t rec_type; uint8_t subrec_type; From f65ed0f0e738c045841fb3805f6482a8fc22ec4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:37:54 +0200 Subject: [PATCH 392/606] avformat/xmv: Check this_packet_size Fixes: CID1604489 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 696685df0ccf437083d15f40358a6ec86f5748ac) 
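Review bot: `efi_read(avctx, s->fsize - 51)` in read_header() can wrap for files shorter than 51 bytes. `s->fsize` is handed to ff_sauce_read() as a `uint64_t *`, so the subtraction is unsigned, and the new `fsize > 0` guard admits every size from 1 upward. ff_sauce_read() returns an error for files under 128 bytes (see its hunk in this series), so small files do take this fallback. Guarding the call, `if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0 && s->fsize >= 51)`, keeps the offset in range; how efi_read() uses its argument is not visible here.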
Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 4bff63297a..1a8b6903bb 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -219,6 +219,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; From 1ec463fc790726ee0a2e568031a7bef6090ef545 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:55:31 +0200 Subject: [PATCH 393/606] avutil/buffer: Check ff_mutex_init() for failure Fixes: CID1604487 Unchecked return value Fixes: CID1604494 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 82f5b20ff5be4fccbf42f4b90f155db0076c0462) Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index e4562a79b1..a8101d83f0 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -264,7 +264,10 @@ AVBufferPool *av_buffer_pool_init2(size_t size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -283,7 +286,10 @@ AVBufferPool *av_buffer_pool_init(size_t size, AVBufferRef* (*alloc)(size_t size if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; From da76e55b933ee8dea6977716d2965bc68daca8d8 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:04:42 +0200 Subject: [PATCH 394/606] avutil/frame: Check log2_crop_align Fixes: CID1604586 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 15540b3d28676d5e797764a04f6681dcd01736f8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index a3f07ca089..6f4e6ea570 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -1040,7 +1040,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } From cd261553d50a2688d925e95feb678bf5135cafbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:27:34 +0200 Subject: [PATCH 395/606] avutil/slicethread: Check pthread_*_init() for failure Fixes: CID1604383 Unchecked return value Fixes: CID1604439 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 23851c9ee0f231122c58955e795e17cfe8ca5d98) Signed-off-by: Michael Niedermayer --- libavutil/slicethread.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index 115b099736..e6b82e31b6 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -102,6 +102,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; av_assert0(nb_threads >= 0); if (!nb_threads) { 
@@ -135,16 +136,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; From 498bfba547ee8634047f72b2adc9a2b1991c4dd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jul 2024 00:28:14 +0200 Subject: [PATCH 396/606] avfilter/vf_xfade: Check ff_inlink_consume_frame() for failure Fixes: CID1458043 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 73ca4e75eb0ae7d15965b90ffe7c041443a0421f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_xfade.c b/libavfilter/vf_xfade.c index 890995a608..088f34de6a 100644 --- a/libavfilter/vf_xfade.c +++ b/libavfilter/vf_xfade.c 
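Review bot: The failure path for `pthread_cond_init(&ctx->done_cond, NULL)` in avpriv_slicethread_create() calls avpriv_slicethread_free(), whose body is not in this diff; if that helper destroys `done_cond` unconditionally, it will call pthread_cond_destroy() on a condition variable that was never initialised. Releasing only what exists, `pthread_mutex_destroy(&ctx->done_mutex); av_freep(&ctx->workers); av_freep(pctx);`, would mirror the mutex branch just above it. The per-worker branches rely on the same helper reading the overwritten `ctx->nb_threads` as the number of fully set-up workers, which deserves a comment at each assignment. Separately, the function-scope `int ret;` added in the first hunk of this patch is shadowed by the existing `int ret;` inside the worker loop; dropping the inner declaration avoids a -Wshadow warning.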
@@ -2288,8 +2288,11 @@ static int xfade_activate(AVFilterContext *avctx) // Check if we are not yet transitioning, in which case // just request and forward the input frame. if (s->start_pts > s->pts) { + int ret; s->passthrough = 1; - ff_inlink_consume_frame(in_a, &s->xf[0]); + ret = ff_inlink_consume_frame(in_a, &s->xf[0]); + if (ret < 0) + return ret; return ff_filter_frame(outlink, s->xf[0]); } s->passthrough = 0; @@ -2297,8 +2300,14 @@ static int xfade_activate(AVFilterContext *avctx) // We are transitioning, so we need a frame from second input if (ff_inlink_check_available_frame(in_b)) { int ret; - ff_inlink_consume_frame(avctx->inputs[0], &s->xf[0]); - ff_inlink_consume_frame(avctx->inputs[1], &s->xf[1]); + ret = ff_inlink_consume_frame(avctx->inputs[0], &s->xf[0]); + if (ret < 0) + return ret; + ret = ff_inlink_consume_frame(avctx->inputs[1], &s->xf[1]); + if (ret < 0) { + av_frame_free(&s->xf[0]); + return ret; + } // Calculate PTS offset to first input if (s->inputs_offset_pts == AV_NOPTS_VALUE) From 4841d48e042d64939e740ffbc75f5656fc4c238b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jun 2024 23:17:24 +0200 Subject: [PATCH 397/606] avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices An alternative would be to leave the context unchanged on failure of hls_slice_header() Fixes: out of array access Fixes: NULL pointer dereference Fixes: 69584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5931086299856896 Fixes: 69724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5104066422702080 Fixes: 70422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5908731129298944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d9544cfb03d8597aa2b0037def3a4679949cec6) 
Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index b47975a9b5..3c4a9b0818 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -651,6 +651,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); @@ -939,9 +943,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -3015,8 +3016,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; From f175858f1028ea3f6a44cf9ad50dda9315a249ff Mon Sep 17 00:00:00 2001 
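Review bot: The comment added in decode_nal_unit() has two typos ("inconsistant", "depandant") and sits on one very long line. Since it documents why `s->slice_initialized` is cleared, and so why a later dependent slice is rejected by the new check in hls_slice_header(), it is worth getting right. A wrapped block comment would read better, for example `/* hls_slice_header() does not clean up on failure, so the state is now` followed by ` * inconsistent and must not be used by dependent slices */`. The reset covers only this call site; whether hls_slice_header() has other callers is not visible in the hunk.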
From: Michael Niedermayer Date: Fri, 19 Jul 2024 17:08:22 +0200 Subject: [PATCH 398/606] avcodec/alsdec: Clear shift_value (the exact issue is unreproducable but the use of uninitialized data is reproducable) Should fix: signed integer overflow: -2147483648 - 127 cannot be represented in type 'int' Should fix: 69881/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-4751301204836352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6194cb87cb81ef97adfa2690e489f473182eaffe) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c64d1032a4..7262cdb4b3 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -2110,8 +2110,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (sconf->floating) { ctx->acf = av_malloc_array(channels, sizeof(*ctx->acf)); - ctx->shift_value = av_malloc_array(channels, sizeof(*ctx->shift_value)); - ctx->last_shift_value = av_malloc_array(channels, sizeof(*ctx->last_shift_value)); + ctx->shift_value = av_calloc(channels, sizeof(*ctx->shift_value)); + ctx->last_shift_value = av_calloc(channels, sizeof(*ctx->last_shift_value)); ctx->last_acf_mantissa = av_malloc_array(channels, sizeof(*ctx->last_acf_mantissa)); ctx->raw_mantissa = av_calloc(channels, sizeof(*ctx->raw_mantissa)); From 5bb8f8e2dd3cd7c08dbb608cbc6d3158f8c73ca3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 19:21:41 +0200 Subject: [PATCH 399/606] avcodec/proresdec: Consider negative bits left Fixes: 70036/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6298797647396864 Fixes: shift exponent 40 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
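Review bot: `ctx->acf` and `ctx->last_acf_mantissa` in the same block of decode_init() are still obtained with av_malloc_array() and so start out uninitialised, while the neighbouring `shift_value`, `last_shift_value` and `raw_mantissa` are now zeroed. If either array can be read before the decoder has written every channel's entry (the readers are outside this hunk), the uninitialised-read class described in the commit message remains. Switching both to `av_calloc(channels, sizeof(*ctx->acf))` and `av_calloc(channels, sizeof(*ctx->last_acf_mantissa))` removes the question at no meaningful cost. Any NULL checks for these pointers are outside the hunk.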
Signed-off-by: Michael Niedermayer (cherry picked from commit 419eee63565f81aca67b29582297841c59deaab8) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 3a5b753430..faf6dfc976 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -510,7 +510,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); From 04bded41ad420c0158d810d86c01596b23d5170a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:29:15 +0200 Subject: [PATCH 400/606] avcodec/vaapi_encode: Check hwctx Fixes: null pointer dereference Fixes: 70376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_VAAPI_fuzzer-4733551250046976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd077e2820679e8b9f8eb10954b4f5701191c48) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index 6c3e41fb31..e146869f12 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c 
@@ -2982,12 +2982,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) av_buffer_pool_uninit(&ctx->output_buffer_pool); if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } From addd5cfee3a677f1cdf22319a892ecd1ff3457a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Sep 2023 00:49:41 +0200 Subject: [PATCH 401/606] avcodec/osq: avoid using too large numbers for shifts and integers in update_residue_parameter() Fixes: 2.96539e+09 is outside the range of representable values of type 'int' Fixes: Assertion n>=0 && n<=32 failed at libavcodec/get_bits.h:423 Fixes: 62241/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-4525761925873664 Fixes: 70406/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6545326804434944 Signed-off-by: Michael Niedermayer (cherry picked from commit 56c334d732dbbce43b0c8fc0809ec545b7946832) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index fa4aeee35e..333ca506ea 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -160,11 +160,15 @@ static int update_residue_parameter(OSQChannel *cb) sum = cb->sum; x = sum / cb->count; - rice_k = av_ceil_log2(x); + rice_k = ceil(log2(x)); if (rice_k >= 30) { - rice_k = floor(sum / 1.4426952 + 0.5); - if (rice_k < 1) + double f = floor(sum / 1.4426952 + 0.5); + if (f <= 1) { rice_k = 1; + } else if (f >= 31) { + rice_k = 31; + } else + rice_k = f; } return rice_k; From c7ea86bc16209c837761a4261fec98baedce2fa1 Mon Sep 17 00:00:00 2001 
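Review bot: `rice_k = ceil(log2(x));` in update_residue_parameter() converts a floating-point result to int with no range guard, assuming `sum` and `x` are floating-point as the added `double f = floor(sum / 1.4426952 + 0.5)` suggests. If `x` is zero, log2() yields negative infinity, and a zero `cb->count` makes the division infinite or NaN. Converting any of those to int is undefined behaviour, the same class as the out-of-range conversion this patch removes a few lines below. Unless a guard before the hunk already excludes those inputs (the start of the function is not visible), an explicit test such as `if (!isfinite(x) || x < 1)` with a defined result belongs ahead of the call. The new `} else rice_k = f;` also mixes an unbraced branch into a braced chain.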
From: Michael Niedermayer Date: Fri, 15 Sep 2023 00:49:41 +0200 Subject: [PATCH 402/606] avcodec/osq: fix integer overflow when applying factor Fixes: signed integer overflow: -35511773 * 256 cannot be represented in type 'int' Fixes: 70406/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6545326804434944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6420c1bf30884d5feb69d0a6f116eaceac02dacc) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 333ca506ea..1663f0b15f 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -355,7 +355,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame *frame) const int nb_channels = avctx->ch_layout.nb_channels; const int nb_samples = frame->nb_samples; OSQContext *s = avctx->priv_data; - const int factor = s->factor; + const unsigned factor = s->factor; int ret, decorrelate, downsample; GetBitContext *gb = &s->gb; From d731a88093ddc15282853aa547def79a0673a045 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:50:00 +0200 Subject: [PATCH 403/606] avcodec/cfhdenc: Allocate more space Fixes: Assertion failure Fixes: 68979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5375874714107904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a308d79e4dedea11667cb2ad42c6676ce96e8ee1) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index f447438491..51e7927428 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c 
@@ -553,7 +553,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, width, height * 2); } - ret = ff_alloc_packet(avctx, pkt, 256LL + s->planes * (2LL * avctx->width * (avctx->height + 15) + 2048LL)); + ret = ff_alloc_packet(avctx, pkt, 256LL + s->planes * (4LL * avctx->width * (avctx->height + 15) + 2048LL)); if (ret < 0) return ret; @@ -761,7 +761,6 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else if (count > 0) { count = put_runcode(pb, count, rb); } - put_bits(pb, cb[index].size, cb[index].bits); } From e1af7a6d83c4373e0e73262a9c727e799d489e4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 23:19:52 +0200 Subject: [PATCH 404/606] avcodec/cfhdenc: Height of 16 is not supported Fixes: out of array access Fixes: 68941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5990952685600768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5dde255abdeb50aefb0dcf8b060277e37d180ec6) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 51e7927428..40b7c3d9e5 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c @@ -258,8 +258,8 @@ static av_cold int cfhd_encode_init(AVCodecContext *avctx) if (ret < 0) return ret; - if (avctx->height < 4) { - av_log(avctx, AV_LOG_ERROR, "Height must be >= 4.\n"); + if (avctx->height < 32) { + av_log(avctx, AV_LOG_ERROR, "Height must be >= 32.\n"); return AVERROR_INVALIDDATA; } From 586ce3cf95d76b1409e04f9c7c4a6bedde24e36b Mon Sep 17 00:00:00 2001 
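Review bot: The packet bound in cfhd_encode_frame() doubles the per-plane term from `2LL` to `4LL` with no derivation, so nothing shows that the new size is a true worst case for the `put_bits()` writes later in the function. The reported failure was an assertion, which suggests that output space is not checked as it is consumed, though most of the writer code is outside the hunk. A comment deriving the bound from the largest codeword and run-code sizes, or a `put_bits_left()` check ahead of the writes, would keep a later codebook change from reintroducing the overrun. The second hunk only drops a blank line.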
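Review bot: The minimum height in cfhd_encode_init() becomes a bare `32` while the commit subject only says that 16 is unsupported, so it is unclear why heights 17 to 31 are rejected too. A comment tying the limit to the code that requires it would help, for example `/* the subband layout used below needs at least 32 rows */` if that is the reason. That reason is inferred, because the transform code is outside the hunk.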
From: Michael Niedermayer Date: Fri, 19 Jul 2024 23:45:27 +0200 Subject: [PATCH 405/606] avcodec/hdrenc: Allocate more space This needs to be double checked or a checking way of writing should be used Fixes: out of array access Fixes: 70007/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HDR_fuzzer-5478704150020096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 204f7f8cc73109d14c3f76b7b57f6b36fe041ee8) Signed-off-by: Michael Niedermayer --- libavcodec/hdrenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hdrenc.c b/libavcodec/hdrenc.c index 40d283ee61..54682d0a77 100644 --- a/libavcodec/hdrenc.c +++ b/libavcodec/hdrenc.c @@ -124,7 +124,7 @@ static int hdr_encode_frame(AVCodecContext *avctx, AVPacket *pkt, uint8_t *buf; int ret; - packet_size = avctx->width * avctx->height * 4LL + 1024LL; + packet_size = avctx->height * 4LL + avctx->width * avctx->height * 8LL + 1024LL; if ((ret = ff_get_encode_buffer(avctx, pkt, packet_size, 0)) < 0) return ret; From 54aaa70530ccf74c5da74140d2cc7b6b9079158d Mon Sep 17 00:00:00 2001 From: Jens Frederich Date: Mon, 15 Jul 2024 06:51:29 +0000 Subject: [PATCH 406/606] avdevice/dshow: Don't skip audio devices if no video device is present The search of the current DirectShow device list has been customized so that audio devices are always found even if no video device is connected. Signed-off-by: Jens Frederich Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 60b1750134963e8326476c4fbae41cea1772ff5b) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 023c9db052..506b1fe4dc 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c 
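Review bot: In `avctx->width * avctx->height * 8LL` the product `width * height` is evaluated in `int` before `8LL` widens it, so large dimensions can overflow before the 64-bit arithmetic starts; the `avctx->height * 4LL` term does not have this problem. Writing `packet_size = avctx->height * 4LL + 8LL * avctx->width * avctx->height + 1024LL;` keeps the whole expression in 64 bits. The commit message itself says the bound needs double checking, so a comment deriving the `8` and the per-row `4` from the scanline encoding would be worth adding, or the writer should check the remaining space as it goes. hdr_encode_frame() continues outside the hunk.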
@@ -644,7 +644,7 @@ static int dshow_get_device_list(AVFormatContext *avctx, AVDeviceInfoList *devic } ret = dshow_cycle_devices(avctx, devenum, VideoDevice, VideoSourceDevice, NULL, NULL, &device_list); - if (ret < S_OK) + if (ret < S_OK && ret != AVERROR(EIO)) goto error; ret = dshow_cycle_devices(avctx, devenum, AudioDevice, AudioSourceDevice, NULL, NULL, &device_list); From 0e3bdf68b2de8c88929113e25a34e7ac4894b744 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2024 17:07:09 +0200 Subject: [PATCH 407/606] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 233 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 233 insertions(+) diff --git a/Changelog b/Changelog index d8bbe1b08a..e84ce60cdc 100644 --- a/Changelog +++ b/Changelog 
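Review bot: The new condition in dshow_get_device_list() compares `ret` with the HRESULT constant `S_OK` and with `AVERROR(EIO)` in one expression, and nothing says why EIO is tolerated for the video pass only. If `dshow_cycle_devices()` returns `AVERROR(EIO)` both for "no device found" and for a real enumeration failure (its body is not in the hunk), the latter is now silently ignored. I would add `/* AVERROR(EIO): no video device present, still list audio devices */` and write the first test as `ret < 0`. What is returned when the audio pass also ends with EIO is decided after the hunk.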
@@ -2,6 +2,239 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 6.1.2 + avdevice/dshow: Don't skip audio devices if no video device is present + avcodec/hdrenc: Allocate more space + avcodec/cfhdenc: Height of 16 is not supported + avcodec/cfhdenc: Allocate more space + avcodec/osq: fix integer overflow when applying factor + avcodec/osq: avoid using too large numbers for shifts and integers in update_residue_parameter() + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/alsdec: Clear shift_value + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avfilter/vf_xfade: Check ff_inlink_consume_frame() for failure + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/ty: rec_size seems to only need 32bit + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/hlsenc: Check ret + avformat/bintext: Check avio_size() return + avformat/asfdec_o: Check size of index object + avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure + avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() + avfilter/vf_lut3d: Check av_scanf() + avfilter/vf_elbg: Use unsigned for shifting into the top bit + avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avformat/mxfdec: Reorder elements of expression in 
bisect loop + avutil/timecode: Use a 64bit framenum internally + avcodec/pnmdec: Use 64bit for input size check + avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/j2kenc: Merge dwt_norm into lambda + avcodec/vc2enc: Fix overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() + avcodec/tiff: Check value on positive signed targets + avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters + avfilter/vf_bm3d: Dont round MSE2SSE to an integer + avdevice/dshow: Remove NULL check on pin + avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow: Cleanup also on av_log case + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do not overrun the link_penalty array + avcodec/osq: avoid signed overflow in downsample path + avcodec/pixlet: Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/mlpenc: Use 64 for ml, mr + avcodec/loco: Check loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/imm4: check cbphi for error + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/dxv: Fix type in get_opcodes() + avcodec/cri: Check length + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + doc/examples/mux: remove nop + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for 
audio_framesize checks + avutil/wchar_filename: Correct sizeof + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + doc/examples/vaapi_encode: Try to check fwrite() for failure + avformat/usmdec: Initialize value + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known case + avformat/subfile: Merge if into switch() + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_aderivative: Free out on error + swscale/swscale: Use ptrdiff_t for linesize computations + avfilter/af_afir: Assert format + avfilter/af_afftdn: Assert format + avfilter/af_pan: check nb_output_channels before use + cbs_av1: Reject thirty-two zero bits in uvlc code + avfilter/af_mcompand: compute half frequency in double + avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds + avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avfilter/drawutils: Fix depthb computation + avfilter/avf_showcwt: Check av_parse_video_rate() for failure + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avformat/mxfenc: resurrects the error print + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure + avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() + avformat/img2dec: assert no pipe on ts_from_file + avcodec/cbs_jpeg: Try to move the read entity to one side in a test + fftools/ffmpeg_enc: Initialize fd + fftools/ffmpeg_enc: simplify opaque_ref check + avformat/mov: Check edit list 
for overflow + fftools/ffmpeg: Check read() for failure + MAINTAINERS: Add Timo Rothenpieler to server admins + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + tools/target_dec_fuzzer: Adjust threshold for MV30 + tools/target_dec_fuzzer: Adjust threshold for jpeg2000 + avformat/mxfdec: Check container_ul->desc before use + avcodec/libvpxenc: Cleanup on error + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + configure: update copyright year + doc/developer: Provide information about git send-email and gmail + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/mov: Use int64_t in intermediate for corrected_dts + avformat/mov: Use 64bit in intermediate for current_dts + avformat/matroskadec: Assert that num_levels is non negative + avformat/libzmq: Check av_strstart() + avformat/img2dec: Little JFIF / Exif cleanup + avformat/img2dec: Move DQT after unrelated if() + avformat/imfdec: Simplify get_next_track_with_minimum_timestamp() + avdevice/xcbgrab: Check sscanf() return + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/ilbcdec: Remove dead code + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/proresenc_anatoliy: Assert that AV_PROFILE_UNKNOWN is replaced + avcodec/pcm-dvdenc: 64bit pkt-size + avcodec/notchlc: Check init_get_bits8() for failure + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/scpr3: Check add_dec() for failure + avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext() + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: 
Use 64bit in err2 computation + avformat/fwse: Remove always false expression + avcodec/sga: Make it clear that the return is intentionally not checked + avformat/asfdec_f: Use 64bit for preroll computation + avformat/argo_asf: Use 64bit in offset intermediate + avformat/ape: Use 64bit for final frame size + avformat/ac4dec: Check remaining space in ac4_probe() + avdevice/pulse_audio_enc: Use av_rescale() to avoid integer overflow + avcodec/vlc: Cleanup on multi table alloc failure in ff_vlc_init_multi_from_lengths() + avcodec/tiff: Assert init_get_bits8() success in unpack_gray() + avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() + tools/decode_simple: Check avcodec_send_packet() for errors on flushing + swscale/yuv2rgb: Use 64bit for brightness computation + swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before get for failure + avdevice/dshow: fix badly indented line + avformat/demux: resurrect dead stores + avcodec/tests/bitstream_template: Assert bits_init8() return + tools/enc_recon_frame_test: Assert that av_image_get_linesize() succeeds + fftools/ffmpeg: prefer real errors over EOF in err_merge() + avcodec/png: more informative error message for invalid sBIT size + avcodec/pngdec: avoid erroring with sBIT on indexed-color images + avcodec/nvenc: fix segfault in intra-only mode + aarch64: Add OpenBSD runtime detection of dotprod and i8mm using sysctl + qsv: Initialize impl_value + avutil/hwcontext_qsv: fix GCC 14.1 warnings + lavc/vp9: reset segmentation fields when segmentation isn't enabled + configure: enable ffnvcodec, nvenc, nvdec for FreeBSD + avcodec/mscc & mwsc: Check loop counts before use + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/mpeg12dec: Use 64bit in bit computation + avcodec/vqcdec: Check init_get_bits8() for failure + 
avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/vp3: Replace check by assert + avcodec/vp8: Forward return of ff_vpx_init_range_decoder() + avcodec/jpeg2000dec: remove ST=3 case + avcodec/qsvdec: Check av_image_get_buffer_size() for failure + avcodec/exr: Fix preview overflow + avcodec/decode: decode_simple_internal() only implements audio and video + avcodec/fmvc: remove dead assignment + avcodec/h2645_sei: Remove dead checks + avcodec/h264_slice: Remove dead sps check + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check with too short output array + libavutil/base64: Try not to write over the array end + avcodec/cbs_av1: Avoid shift overflow + fftools/ffplay: Check return of swr_alloc_set_opts2() + tools/opt_common: Check for malloc failure + doc/examples/demux_decode: Simplify loop + avformat/concatdec: Check file + avcodec/mpegvideo_enc: Fix 1 line and one column images + avcodec/amrwbdec: assert mode to be valid in decode_fixed_vector() + avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 + swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avcodec/av1dec: Change bit_depth to int + avcodec/av1dec: bit_depth cannot be another values than 8,10,12 + avcodec/avs3_parser: assert the return value of init_get_bits() + avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 + avformat/mxfdec: Check body_offset + avformat/kvag: Check sample_rate + avcodec/atrac9dec: Check init_get_bits8() for failure + avcodec/ac3_parser: Check init_get_bits8() for failure + avcodec/pngdec: Check last AVFrame before deref + avcodec/hevcdec: Check ref frame + doc/examples/qsv_transcode: Initialize pointer before free + doc/examples/qsv_transcode: Simplify str_to_dict() loop + doc/examples/vaapi_transcode: Simplify loop + doc/examples/qsv_transcode: Simplify loop + avcodec/cbs_h2645: Check NAL space + 
avfilter/vf_thumbnail_cuda: Set ret before checking it + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash + avformat/mp3dec: change bogus error message if read_header encounters EOF + avformat/mp3dec: simplify inner frame size check in mp3_read_header + avformat/mp3dec: only call ffio_ensure_seekback once + avutil/thread: fix pthread_setname_np parameters for NetBSD and Apple + avutil/thread: add support for setting thread name on *bsd and solaris + avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD + lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's + avfilter/avfilter: fix OOM case for default activate + avfilter/buffersrc: switch to activate + avcodec/mediacodecenc: set quality in cq mode + Update for 6.1.2 fate/subtitles: Ignore line endings for sub-scc test avformat/mxfdec: Check index_edit_rate swscale/utils: Fix xInc overflow From a339afbe3c2f2455872e741ce2479dea913508b2 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Tue, 16 Jul 2024 20:59:52 +0800 Subject: [PATCH 408/606] avcodec/videotoolboxenc: Fix bitrate doesn't work as expected Commit 4ef5e7d4722 add qmin/qmax support to videotoolbox encoder. The default value of (qmin, qmax) is (2, 31), which makes bitrate control doesn't work as users' expectations. Signed-off-by: Zhao Zhili (cherry picked from commit d07da7539d54c0ce71e06a577eb1fa3036467449) --- libavcodec/videotoolboxenc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/videotoolboxenc.c b/libavcodec/videotoolboxenc.c index b0e827d14a..3e74b59629 100644 --- a/libavcodec/videotoolboxenc.c +++ b/libavcodec/videotoolboxenc.c 
@@ -2890,6 +2890,12 @@ static const AVOption h264_options[] = { { NULL }, }; +static const FFCodecDefault vt_defaults[] = { + {"qmin", "-1"}, + {"qmax", "-1"}, + {NULL}, +}; + static const AVClass h264_videotoolbox_class = { .class_name = "h264_videotoolbox", .item_name = av_default_item_name, @@ -2905,6 +2911,7 @@ const FFCodec ff_h264_videotoolbox_encoder = { .p.capabilities = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY, .priv_data_size = sizeof(VTEncContext), .p.pix_fmts = avc_pix_fmts, + .defaults = vt_defaults, .init = vtenc_init, FF_CODEC_ENCODE_CB(vtenc_frame), .close = vtenc_close, @@ -2942,6 +2949,7 @@ const FFCodec ff_hevc_videotoolbox_encoder = { AV_CODEC_CAP_HARDWARE, .priv_data_size = sizeof(VTEncContext), .p.pix_fmts = hevc_pix_fmts, + .defaults = vt_defaults, .init = vtenc_init, FF_CODEC_ENCODE_CB(vtenc_frame), .close = vtenc_close, @@ -2981,6 +2989,7 @@ const FFCodec ff_prores_videotoolbox_encoder = { AV_CODEC_CAP_HARDWARE, .priv_data_size = sizeof(VTEncContext), .p.pix_fmts = prores_pix_fmts, + .defaults = vt_defaults, .init = vtenc_init, FF_CODEC_ENCODE_CB(vtenc_frame), .close = vtenc_close, From 6662b0cdd12c01b9020e6dd73f8fef3a071df790 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 19 Jul 2024 12:04:19 -0400 Subject: [PATCH 409/606] avcodec/pngdec: use 8-bit sBIT cap for indexed PNGs per spec The PNG specification[1] says that sBIT entries must be at most the bit depth specified in IHDR, unless the PNG is indexed-color, in which case sBIT must be between 1 and 8. We should not reject valid sBITs on PNGs with indexed color. [1]: https://www.w3.org/TR/png-3/#11sBIT Regression since 84b454935fae2633a8a5dd075e22393f3e8f932f. Signed-off-by: Leo Izen Reported-by: Ramiro Polla --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 4b6fc4471f..d418986b3e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
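Review bot: `vt_defaults` has no comment explaining the `"-1"` values, and it sits between the H.264 option table and class although the HEVC and ProRes encoders reference it as well. Going by the commit message, the intent is to replace the generic qmin/qmax defaults of (2, 31) so they do not constrain bitrate control. A short comment such as `/* qmin/qmax default to -1 (unset) so the generic 2..31 range does not override bitrate control */` would record that. How vtenc_init() treats -1 is outside the hunks.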
@@ -1036,7 +1036,7 @@ static int decode_sbit_chunk(AVCodecContext *avctx, PNGDecContext *s, bits = FFMAX(b, bits); } - if (bits < 0 || bits > s->bit_depth) { + if (bits <= 0 || bits > (s->color_type & PNG_COLOR_MASK_PALETTE ? 8 : s->bit_depth)) { av_log(avctx, AV_LOG_ERROR, "Invalid significant bits: %d\n", bits); return AVERROR_INVALIDDATA; } From 0bd31a8f91bb65b370bbe9234e2636a1f359a4cd Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 19 Jul 2024 12:04:20 -0400 Subject: [PATCH 410/606] avcodec/pngenc: fix sBIT writing for indexed-color PNGs We currently write invalid sBIT entries for indexed PNGs, which by PNG specification[1] must be 3-bytes long. The values also are capped at 8 for indexed-color PNGs, not the palette depth. This patch fixes both of these issues previously fixed in the decoder, but not the encoder. [1]: https://www.w3.org/TR/png-3/#11sBIT Regression since: c125860892e931d9b10f88ace73c91484815c3a8. Signed-off-by: Leo Izen Reported-by: Ramiro Polla: --- libavcodec/pngenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index f0650962d2..f570ed5d08 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -442,8 +442,9 @@ static int encode_headers(AVCodecContext *avctx, const AVFrame *pict) if (png_get_gama(pict->color_trc, s->buf)) png_write_chunk(&s->bytestream, MKTAG('g', 'A', 'M', 'A'), s->buf, 4); - if (avctx->bits_per_raw_sample > 0 && avctx->bits_per_raw_sample < s->bit_depth) { - int len = ff_png_get_nb_channels(s->color_type); + if (avctx->bits_per_raw_sample > 0 && + avctx->bits_per_raw_sample < (s->color_type & PNG_COLOR_MASK_PALETTE ? 8 : s->bit_depth)) { + int len = s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type); memset(s->buf, avctx->bits_per_raw_sample, len); png_write_chunk(&s->bytestream, MKTAG('s', 'B', 'I', 'T'), s->buf, len); } From 68b5f822654b437478646c70fedcb04d99e495e1 Mon Sep 17 00:00:00 2001 
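Review bot: The limit `s->color_type & PNG_COLOR_MASK_PALETTE ? 8 : s->bit_depth` in decode_sbit_chunk() relies on `&` binding tighter than `?:`, and the same mask test appears twice more in the encode_headers() hunk of libavcodec/pngenc.c. Hoisting it into a named local reads better and keeps decoder and encoder in step: `const int max_bits = (s->color_type & PNG_COLOR_MASK_PALETTE) ? 8 : s->bit_depth;` then `if (bits <= 0 || bits > max_bits)`. The change from `bits < 0` to `bits <= 0` also starts rejecting an all-zero sBIT, which the commit message does not mention and should.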
From: Shiyou Yin Date: Thu, 25 Jul 2024 17:39:21 +0800 Subject: [PATCH 411/606] swscale: [loongarch] Fix checkasm-sw_yuv2rgb failure. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: 陈昊 Signed-off-by: Michael Niedermayer (cherry picked from commit 4713a5cc2478ac94150541918749913d05a54b7f) Signed-off-by: Michael Niedermayer --- libswscale/loongarch/swscale_init_loongarch.c | 104 +++++++++--------- libswscale/loongarch/yuv2rgb_lasx.c | 4 +- 2 files changed, 56 insertions(+), 52 deletions(-) diff --git a/libswscale/loongarch/swscale_init_loongarch.c b/libswscale/loongarch/swscale_init_loongarch.c index 53e4f970b6..51bfdd56de 100644 --- a/libswscale/loongarch/swscale_init_loongarch.c +++ b/libswscale/loongarch/swscale_init_loongarch.c 
@@ -93,60 +93,64 @@ av_cold SwsFunc ff_yuv2rgb_init_loongarch(SwsContext *c) int cpu_flags = av_get_cpu_flags(); #if HAVE_LASX if (have_lasx(cpu_flags)) { - switch (c->dstFormat) { - case AV_PIX_FMT_RGB24: - return yuv420_rgb24_lasx; - case AV_PIX_FMT_BGR24: - return yuv420_bgr24_lasx; - case AV_PIX_FMT_RGBA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_rgba32_lasx; - case AV_PIX_FMT_ARGB: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_argb32_lasx; - case AV_PIX_FMT_BGRA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_bgra32_lasx; - case AV_PIX_FMT_ABGR: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_abgr32_lasx; + if (c->srcFormat == AV_PIX_FMT_YUV420P) { + switch (c->dstFormat) { + case AV_PIX_FMT_RGB24: + return yuv420_rgb24_lasx; + case AV_PIX_FMT_BGR24: + return yuv420_bgr24_lasx; + case AV_PIX_FMT_RGBA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_rgba32_lasx; + case AV_PIX_FMT_ARGB: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_argb32_lasx; + case AV_PIX_FMT_BGRA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_bgra32_lasx; + case AV_PIX_FMT_ABGR: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_abgr32_lasx; + } } } #endif // #if HAVE_LASX if (have_lsx(cpu_flags)) { - switch (c->dstFormat) { - case AV_PIX_FMT_RGB24: - return yuv420_rgb24_lsx; - case AV_PIX_FMT_BGR24: - return yuv420_bgr24_lsx; - case AV_PIX_FMT_RGBA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_rgba32_lsx; - case AV_PIX_FMT_ARGB: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_argb32_lsx; - case AV_PIX_FMT_BGRA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - 
} else - return yuv420_bgra32_lsx; - case AV_PIX_FMT_ABGR: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_abgr32_lsx; + if (c->srcFormat == AV_PIX_FMT_YUV420P) { + switch (c->dstFormat) { + case AV_PIX_FMT_RGB24: + return yuv420_rgb24_lsx; + case AV_PIX_FMT_BGR24: + return yuv420_bgr24_lsx; + case AV_PIX_FMT_RGBA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_rgba32_lsx; + case AV_PIX_FMT_ARGB: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_argb32_lsx; + case AV_PIX_FMT_BGRA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_bgra32_lsx; + case AV_PIX_FMT_ABGR: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_abgr32_lsx; + } } } return NULL; diff --git a/libswscale/loongarch/yuv2rgb_lasx.c b/libswscale/loongarch/yuv2rgb_lasx.c index 64e434f50c..0ce553005a 100644 --- a/libswscale/loongarch/yuv2rgb_lasx.c +++ b/libswscale/loongarch/yuv2rgb_lasx.c @@ -82,8 +82,8 @@ #define YUV2RGB_RES \ m_y1 = __lasx_xvldrepl_d(py_1, 0); \ m_y2 = __lasx_xvldrepl_d(py_2, 0); \ - m_u = __lasx_xvldrepl_d(pu, 0); \ - m_v = __lasx_xvldrepl_d(pv, 0); \ + m_u = __lasx_xvldrepl_w(pu, 0); \ + m_v = __lasx_xvldrepl_w(pv, 0); \ m_y1 = __lasx_xvilvl_d(m_y2, m_y1); \ m_u = __lasx_xvilvl_b(m_u, m_u); \ m_v = __lasx_xvilvl_b(m_v, m_v); \ From b169821e8f68e685a0164ff2146c1a0c7f93d1a7 Mon Sep 17 00:00:00 2001 
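Review bot: Inside the new `if (c->srcFormat == AV_PIX_FMT_YUV420P)` guards in ff_yuv2rgb_init_loongarch() the `CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)` tests can no longer be true, since AV_PIX_FMT_YUV420P has no alpha plane. The `break` arms in the RGBA/ARGB/BGRA/ABGR cases are therefore dead code in both the LASX and the LSX switch. Each case can be reduced to the plain return, e.g. `case AV_PIX_FMT_RGBA: return yuv420_rgba32_lasx;`. A one-line comment that these kernels only handle planar 4:2:0 input would also explain the guard.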
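Review bot: The YUV2RGB_RES change from `__lasx_xvldrepl_d` to `__lasx_xvldrepl_w` for `pu` and `pv` is not explained anywhere; the commit message only names the failing test. As far as the hunk shows, the luma loads stay 64-bit while the chroma loads shrink to 32-bit, which looks like it stops reading four bytes past the chroma needed for eight luma samples. If that is the case this is an over-read fix and deserves a comment such as `/* 8 luma samples need only 4 chroma bytes */` above the macro. The rest of the macro lies outside the hunk.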
From: Michael Niedermayer Date: Mon, 17 Jun 2024 13:31:02 +0200 Subject: [PATCH 412/606] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow The snow encoder uses block based motion estimation which can read out of array if insufficient alignment is used It may be better to only apply this for the encoder, as it would safe a few bytes of memory for the decoder. Until then, this fixes the issue in a simple way. Fixes: out of array access Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128 Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58fbeb59e74ac9a4ca81e9bc44141abcbff8ab6d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 39b83c7791..f96504fa44 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -259,6 +259,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: From f4c70a83cfdd9379061db72823e6c61f8fbe3d72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 21:43:39 +0200 Subject: [PATCH 413/606] avcodec/snow: Fix off by 1 error in run_buffer Fixes: out of array access Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06f5ed40f8fceb2542add052c57608121eda2f41) 
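Review bot: The new AV_CODEC_ID_SNOW branch in avcodec_align_dimensions2() sets `w_align` and `h_align` to a bare 16 without saying why; the reason exists only in the commit message. I would add `/* snow's block-based motion estimation reads outside the picture with less alignment */` above the assignments. The commit message also notes that only the encoder needs this, so a TODO to that effect would keep the extra decoder padding from looking accidental. The enclosing `switch` starts and ends outside the hunk.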
Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 59815d00d9..1b0fc6dc7d 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -427,7 +427,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ !FF_ALLOCZ_TYPED_ARRAY(s->spatial_dwt_buffer, width * height) || //FIXME this does not belong here !FF_ALLOCZ_TYPED_ARRAY(s->temp_dwt_buffer, width) || !FF_ALLOCZ_TYPED_ARRAY(s->temp_idwt_buffer, width) || - !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1))) + !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1)) return AVERROR(ENOMEM); for(i=0; i Date: Fri, 2 Aug 2024 00:57:11 +0200 Subject: [PATCH 414/606] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog b/Changelog index e84ce60cdc..1ee8b060f3 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 6.1.2 + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + swscale: [loongarch] Fix checkasm-sw_yuv2rgb failure. + avcodec/pngenc: fix sBIT writing for indexed-color PNGs + avcodec/pngdec: use 8-bit sBIT cap for indexed PNGs per spec + avcodec/videotoolboxenc: Fix bitrate doesn't work as expected + Changelog: update avdevice/dshow: Don't skip audio devices if no video device is present avcodec/hdrenc: Allocate more space avcodec/cfhdenc: Height of 16 is not supported From 4c688845a50f7dce3af9afebe60f0f7a493c4f07 Mon Sep 17 00:00:00 2001 
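Review bot: The `+ 1` added to the `run_buffer` element count in ff_snow_common_init() has no comment saying which access needs the extra slot, so a later size change can easily drop it again. The count `((width + 1) >> 1) * ((height + 1) >> 1) + 1` is also formed in `int`, as is `width * height` a few lines above; whether the dimensions are bounded before this point is not visible in the hunk. A comment like `/* +1: one run entry past the last coefficient is written */` would document it, with the wording confirmed against the code that writes the runs. The text following the allocation is cut off in this view.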
From: Ross Burton Date: Fri, 9 Aug 2024 11:32:00 +0100 Subject: [PATCH 415/606] libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit binutils 2.43 has stricter validation for labels[1] and results in errors when building ffmpeg for armv5: src/libavcodec/arm/mlpdsp_armv5te.S:232: Error: junk at end of line, first unrecognized character is `0' Remove the leading zero in the "01" label to resolve this error. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=226749d5a6ff0d5c607d6428d6c81e1e7e7a994b Signed-off-by: Ross Burton Signed-off-by: Martin Storsjö (cherry picked from commit 654bd47716c4f36719fb0f3f7fd8386d5ed0b916) --- libavcodec/arm/mlpdsp_armv5te.S | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/mlpdsp_armv5te.S b/libavcodec/arm/mlpdsp_armv5te.S index 4f9aa485fd..d31568611c 100644 --- a/libavcodec/arm/mlpdsp_armv5te.S +++ b/libavcodec/arm/mlpdsp_armv5te.S @@ -229,7 +229,7 @@ A .endif .endif // Begin loop -01: +1: .if TOTAL_TAPS == 0 // Things simplify a lot in this case // In fact this could be pipelined further if it's worth it... @@ -241,7 +241,7 @@ A .endif str ST0, [PST, #-4]! str ST0, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST0, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .else .if \fir_taps & 1 .set LOAD_REG, 1 @@ -333,7 +333,7 @@ T orr AC0, AC0, AC1 str ST3, [PST, #-4]! str ST2, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST3, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .endif b 99f From b534cc666e0a770a4bb474d71569378635e9d464 Mon Sep 17 00:00:00 2001 
From: Timo Rothenpieler Date: Fri, 16 Aug 2024 02:01:12 +0200 Subject: [PATCH 416/606] avformat/hlsenc: correctly reset subtitle stream counter per-varstream Without resetting it, if there was a previous set of varstreams with subtitles, it would subtract from all the streams, leading to chaos and segfaults when trying to access for example stream -1. --- libavformat/hlsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 2c2b14e09b..da18ffc60c 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2416,7 +2416,6 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) int is_ref_pkt = 1; int ret = 0, can_split = 1, i, j; int stream_index = 0; - int subtitle_streams = 0; int range_length = 0; const char *proto = NULL; int use_temp_file = 0; @@ -2424,6 +2423,7 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) char *old_filename = NULL; for (i = 0; i < hls->nb_varstreams; i++) { + int subtitle_streams = 0; vs = &hls->var_streams[i]; for (j = 0; j < vs->nb_streams; j++) { if (vs->streams[j]->codecpar->codec_type == AVMEDIA_TYPE_SUBTITLE) { From 60593d6c06c9b610359bd6af26a268feff1293eb Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 3 Jul 2024 00:30:08 +0200 Subject: [PATCH 417/606] configure: restore autodetection of v4l2 and fbdev The detection logic for v4l2 and fbdev was accidentally modified to depend on v4l2-m2m in 43b3412. (cherry picked from commit 7405f1ad5351cc24b91a0227aeeaf24ff9d12278) Signed-off-by: Brad Smith --- configure | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 5af693c954..687a3ded03 100755 --- a/configure +++ b/configure 
@@ -6985,11 +6985,12 @@ pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint +check_headers linux/fb.h +check_headers linux/videodev2.h +test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete + # check V4L2 codecs available in the API if enabled v4l2_m2m; then - check_headers linux/fb.h - check_headers linux/videodev2.h - test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" From f71076c009f84917e7a0f2f1ece86b718de2d8d3 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Thu, 29 Aug 2024 15:40:00 +0200 Subject: [PATCH 418/606] configure: improve check for POSIX ioctl Instead of relying on system #ifdefs which may or may not be correct, detect the POSIX ioctl signature at configure time. (cherry picked from commit 00b64fca55a3a009c9d0e391c85f4fd3291e5d12) Signed-off-by: Brad Smith --- configure | 2 ++ libavdevice/v4l2.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 687a3ded03..ff11033a01 100755 --- a/configure +++ b/configure @@ -2450,6 +2450,7 @@ HAVE_LIST=" opencl_vaapi_intel_media perl pod2man + posix_ioctl texi2html xmllint zlib_gzip 
@@ -6988,6 +6989,7 @@ xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint check_headers linux/fb.h check_headers linux/videodev2.h test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete +test_code cc sys/ioctl.h "int ioctl(int, int, ...)" && enable posix_ioctl # check V4L2 codecs available in the API if enabled v4l2_m2m; then diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 33bd26ead9..c042bdb9d5 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -107,7 +107,7 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ +#if HAVE_POSIX_IOCTL int (*ioctl_f)(int fd, int request, ...); #else int (*ioctl_f)(int fd, unsigned long int request, ...); From a041b7be2c1b2b02d283dac883c0ce5e57c31112 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 26 Aug 2024 23:07:35 +0200 Subject: [PATCH 419/606] avformat/libzmq: fix check for zmq protocol prefix Fixes ticket #11134. Signed-off-by: Marton Balint (cherry picked from commit a87a96105e9150dba07e3a660e41f78557f3356c) --- libavformat/libzmq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index f4bb849e46..da84efee73 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,7 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - if (av_strstart(uri, "zmq:", &uri)) { + if (!av_strstart(uri, "zmq:", &uri)) { av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); return AVERROR(EINVAL); } From f749aaf108696fcfc2be6a9f6c1059415474caf3 Mon Sep 17 00:00:00 2001 
From: Gyan Doshi Date: Sun, 11 Aug 2024 12:51:50 +0530 Subject: [PATCH 420/606] lavc/libx265: unbreak build for X265_BUILD >= 210 x265 added support for alpha starting with build 210. While doing so, x265_encoder_encode() changed its fifth arg to an array of pointers to x265_picture. This broke building lavc/libx265.c This patch simply unbreaks the build and maintains existing single-layer non-alpha encoding support. Fixes #11130 --- libavcodec/libx265.c | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/libavcodec/libx265.c b/libavcodec/libx265.c index 447e6da25f..29fc26eab4 100644 --- a/libavcodec/libx265.c +++ b/libavcodec/libx265.c @@ -581,7 +581,13 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, { libx265Context *ctx = avctx->priv_data; x265_picture x265pic; - x265_picture x265pic_out = { 0 }; +#if X265_BUILD >= 210 + x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS]; + x265_picture* x265pic_lyrptr_out[MAX_SCALABLE_LAYERS]; +#else + x265_picture x265pic_solo_out = { 0 }; +#endif + x265_picture* x265pic_out; x265_nal *nal; x265_sei *sei; uint8_t *dst; @@ -704,8 +710,16 @@ FF_ENABLE_DEPRECATION_WARNINGS } } +#if X265_BUILD >= 210 + for (i = 0; i < MAX_SCALABLE_LAYERS; i++) + x265pic_lyrptr_out[i] = &x265pic_layers_out[i]; + ret = ctx->api->encoder_encode(ctx->encoder, &nal, &nnal, - pic ? &x265pic : NULL, &x265pic_out); + pic ? &x265pic : NULL, x265pic_lyrptr_out); +#else + ret = ctx->api->encoder_encode(ctx->encoder, &nal, &nnal, + pic ? &x265pic : NULL, &x265pic_solo_out); +#endif for (i = 0; i < sei->numPayloads; i++) av_free(sei->payloads[i].payload); 
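Review bot: `x265pic_layers_out[MAX_SCALABLE_LAYERS]` in the `X265_BUILD >= 210` branch is declared without an initializer, while the variable it replaces and the `#else` branch's `x265pic_solo_out` are zeroed with `= { 0 }`. The later hunks of this patch read `pts`, `dts`, `sliceType`, `frameData.qp` and `userData` through `x265pic_lyrptr_out[0]`, and `userData` is turned into an index into `ctx->rd`. If the encoder leaves any of those fields unwritten on some path (not visible here), they would hold indeterminate stack contents. Declaring it as `x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS] = { 0 };` keeps the guarantee the old code had. libx265_encode_frame starts and ends outside the hunk.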
@@ -735,10 +749,16 @@ FF_ENABLE_DEPRECATION_WARNINGS pkt->flags |= AV_PKT_FLAG_KEY; } - pkt->pts = x265pic_out.pts; - pkt->dts = x265pic_out.dts; +#if X265_BUILD >= 210 + x265pic_out = x265pic_lyrptr_out[0]; +#else + x265pic_out = &x265pic_solo_out; +#endif - switch (x265pic_out.sliceType) { + pkt->pts = x265pic_out->pts; + pkt->dts = x265pic_out->dts; + + switch (x265pic_out->sliceType) { case X265_TYPE_IDR: case X265_TYPE_I: pict_type = AV_PICTURE_TYPE_I; @@ -756,16 +776,16 @@ FF_ENABLE_DEPRECATION_WARNINGS } #if X265_BUILD >= 130 - if (x265pic_out.sliceType == X265_TYPE_B) + if (x265pic_out->sliceType == X265_TYPE_B) #else - if (x265pic_out.frameData.sliceType == 'b') + if (x265pic_out->frameData.sliceType == 'b') #endif pkt->flags |= AV_PKT_FLAG_DISPOSABLE; - ff_side_data_set_encoder_stats(pkt, x265pic_out.frameData.qp * FF_QP2LAMBDA, NULL, 0, pict_type); + ff_side_data_set_encoder_stats(pkt, x265pic_out->frameData.qp * FF_QP2LAMBDA, NULL, 0, pict_type); - if (x265pic_out.userData) { - int idx = (int)(intptr_t)x265pic_out.userData - 1; + if (x265pic_out->userData) { + int idx = (int)(intptr_t)x265pic_out->userData - 1; ReorderedData *rd = &ctx->rd[idx]; #if FF_API_REORDERED_OPAQUE From 86c595cc1b63cda75ba752330b3d1a66db104f7c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 1 Sep 2024 15:41:24 +0200 Subject: [PATCH 421/606] lavc/hevc: check framerate num/den to be strictly positive Rather than just != 0. These values are read as uint32 and can become negative when cast to int. (cherry picked from commit eec1a7a6bb952c09945d908d2d5de35909516778) Signed-off-by: Anton Khirnov (cherry picked from commit 9cadadb9a12aaf30b196c896073c473d91a2bdf0) Signed-off-by: Anton Khirnov --- libavcodec/hevc_parser.c | 2 +- libavcodec/hevcdec.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c index 87270cffb4..9bedee5f03 100644 --- a/libavcodec/hevc_parser.c +++ b/libavcodec/hevc_parser.c 
@@ -105,7 +105,7 @@ static int hevc_parse_slice_header(AVCodecParserContext *s, H2645NAL *nal, den = ps->sps->vui.vui_time_scale; } - if (num != 0 && den != 0) + if (num > 0 && den > 0) av_reduce(&avctx->framerate.den, &avctx->framerate.num, num, den, 1 << 30); diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 3c4a9b0818..13316eebf3 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -372,7 +372,7 @@ static void export_stream_params(HEVCContext *s, const HEVCSPS *sps) den = sps->vui.vui_time_scale; } - if (num != 0 && den != 0) + if (num > 0 && den > 0) av_reduce(&avctx->framerate.den, &avctx->framerate.num, num, den, 1 << 30); } From f00f71f590f02bc4a280c9efed3988ceb06d32e1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 4 Sep 2024 12:09:03 +0200 Subject: [PATCH 422/606] lavc/hevcdec: set per-CTB filter parameters for WPP Fixes #10887 (cherry picked from commit 536bb988889eec08c5a1d5fd733f9e98569ae65e) Signed-off-by: Anton Khirnov (cherry picked from commit f705bc5b7333ed45d476f473df8f6bf893e867e2) Signed-off-by: Anton Khirnov --- libavcodec/hevcdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 13316eebf3..d6be8140ff 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2628,6 +2628,11 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *hevc_lclist, if (ret < 0) goto error; hls_sao_param(lc, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size); + + s->deblock[ctb_addr_rs].beta_offset = s->sh.beta_offset; + s->deblock[ctb_addr_rs].tc_offset = s->sh.tc_offset; + s->filter_slice_edges[ctb_addr_rs] = s->sh.slice_loop_filter_across_slices_enabled_flag; + more_data = hls_coding_quadtree(lc, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0); if (more_data < 0) { From 4571c80b404fef48d649c71a059d8d00c5275c95 Mon Sep 17 00:00:00 2001 
From: Gyan Doshi Date: Sat, 5 Oct 2024 10:08:31 +0530 Subject: [PATCH 423/606] avcodec/libx265: unbreak build for X265_BUILD >= 213 Earlier, x265 made an API change to support alpha and other multiple layer pictures. We added guards to accommodate that in 1f801dfdb5 They have now reverted that API change in https://bitbucket.org/multicoreware/x265_git/commits/78e5b703b1 Updated our wrapper guards to unbreak build again. --- libavcodec/libx265.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/libx265.c b/libavcodec/libx265.c index 29fc26eab4..4bf7f7a83d 100644 --- a/libavcodec/libx265.c +++ b/libavcodec/libx265.c @@ -581,7 +581,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, { libx265Context *ctx = avctx->priv_data; x265_picture x265pic; -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS]; x265_picture* x265pic_lyrptr_out[MAX_SCALABLE_LAYERS]; #else @@ -710,7 +710,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } } -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) for (i = 0; i < MAX_SCALABLE_LAYERS; i++) x265pic_lyrptr_out[i] = &x265pic_layers_out[i]; @@ -749,7 +749,7 @@ FF_ENABLE_DEPRECATION_WARNINGS pkt->flags |= AV_PKT_FLAG_KEY; } -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) x265pic_out = x265pic_lyrptr_out[0]; #else x265pic_out = &x265pic_solo_out; From 4d40898657659f8251a351af3f1f2a93584ccd58 Mon Sep 17 00:00:00 2001 
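Review bot: The version window `(X265_BUILD >= 210) && (X265_BUILD < 213)` is now spelled out three times in libx265_encode_frame: at the declarations, at the encoder_encode call and at the `x265pic_out` selection. The next x265 API change will have to be applied identically in all three places. Defining it once near the top of the file, for example `#define X265_ENCODE_OUT_IS_ARRAY ((X265_BUILD >= 210) && (X265_BUILD < 213))` (the name is only a suggestion), and testing that macro in each hunk keeps the guards in sync. A short comment beside it naming the x265 builds that take an array of output pictures would also help. All three hunks sit inside a function whose start and end are outside them.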
From: Marton Balint Date: Tue, 22 Oct 2024 19:49:16 +0200 Subject: [PATCH 424/606] avutil/wchar_filename: re-introduce explicit cast of void* to char* Fixes compile error on windows with decklink: In file included from ./libavformat/os_support.h:175, from ./libavformat/internal.h:30, from libavdevice/decklink_common.cpp:25: ./libavutil/wchar_filename.h: In function 'int wchartocp(unsigned int, const wchar_t*, char**)': ./libavutil/wchar_filename.h:59:32: error: invalid conversion from 'void*' to 'char*' [-fpermissive] 59 | *filename = av_malloc_array(num_chars, sizeof **filename); | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | void* Regression since e9e8bea2e79bc3c481a6f81f75f6c871e3e0f367. Fixes ticket #11103. Signed-off-by: Marton Balint (cherry picked from commit 9b0128aa766221f8a32e13cf3c1d3e6d75a2d829) --- libavutil/wchar_filename.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index 23cc92aa2d..1370a084c9 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -57,7 +57,7 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, errno = EINVAL; return -1; } - *filename = av_malloc_array(num_chars, sizeof **filename); + *filename = (char *)av_malloc_array(num_chars, sizeof **filename); if (!*filename) { errno = ENOMEM; return -1; From 7d79d0a43b5533ff584249332bc1db7fedbab1d2 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Tue, 20 Feb 2024 20:08:55 +0800 Subject: [PATCH 425/606] avutil/hwcontext: Don't assume frames_uninit is reentrant Fix heap use after free when vulkan_frames_init failed. Signed-off-by: Zhao Zhili (cherry picked from commit 3bb00c0a420c3ce83c6fafee30270d69622ccad7) --- libavutil/hwcontext.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c index 3650d4653a..0ef34796f6 100644 --- a/libavutil/hwcontext.c +++ b/libavutil/hwcontext.c 
@@ -363,7 +363,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref) if (ctx->internal->hw_type->frames_init) { ret = ctx->internal->hw_type->frames_init(ctx); if (ret < 0) - goto fail; + return ret; } if (ctx->internal->pool_internal && !ctx->pool) @@ -373,14 +373,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref) if (ctx->initial_pool_size > 0) { ret = hwframe_pool_prealloc(ref); if (ret < 0) - goto fail; + return ret; } return 0; -fail: - if (ctx->internal->hw_type->frames_uninit) - ctx->internal->hw_type->frames_uninit(ctx); - return ret; } int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, From d0852a36cf920e09077239c37f4231038bee3ec8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Fri, 1 Nov 2024 13:50:38 +0100 Subject: [PATCH 426/606] avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow --- libavcodec/jpegxl_parser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 300134be5d..f9b5f167f2 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -1311,7 +1311,7 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext * // permuted toc if (get_bits1(gb)) { JXLEntropyDecoder dec; - uint32_t end, lehmer = 0; + int64_t end, lehmer = 0; ret = entropy_decoder_init(avctx, gb, &dec, 8); if (ret < 0) return ret; 
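Review bot: With the `fail:` label removed, both error returns in av_hwframe_ctx_init leave whatever `frames_init` already set up in place, and nothing visible says who releases it. This applies to the return after `frames_init` in this hunk and the one after `hwframe_pool_prealloc` in the next. Presumably `frames_uninit` still runs once when the frames context reference is freed, but that path is not in the diff. A comment at the first return would record the rule, e.g. `/* no cleanup here: frames_uninit must run only once, from the context's free path */`. The function's public documentation could also state that the caller must still unref the context after a failed init.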
@@ -1320,13 +1320,13 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext * return AVERROR_BUFFER_TOO_SMALL; } end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count)); - if (end > toc_count) { + if (end < 0 || end > toc_count) { entropy_decoder_close(&dec); return AVERROR_INVALIDDATA; } for (uint32_t i = 0; i < end; i++) { lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer)); - if (get_bits_left(gb) < 0) { + if (lehmer < 0 || get_bits_left(gb) < 0) { entropy_decoder_close(&dec); return AVERROR_BUFFER_TOO_SMALL; } From b45da36a2948fd9954902d3405cf2bad2ce582a9 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Thu, 7 Nov 2024 11:31:49 -0500 Subject: [PATCH 427/606] avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The JPEG XL parser has an entropy decoder inside, which supports LZ77 length-distance pairs. If the first symbol from the entropy stream is an LZ77 pair, the bitstream is invalid, so we should abort immediately rather than attempt to read it anyway (which would read from the uninitialized starting window). Reported-by: Kacper Michajłow Found-by: ossfuzz Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut Signed-off-by: Leo Izen --- libavcodec/jpegxl_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index f9b5f167f2..16a6263d56 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c 
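Review bot: The new `lehmer < 0` test shares a branch with `get_bits_left(gb) < 0`, so a negative error code from entropy_decoder_read_symbol is reported as AVERROR_BUFFER_TOO_SMALL. A caller that treats that code as a request for more data would then retry on a stream the entropy decoder has already rejected; this is an assumption, since the caller is not visible. Likewise `end < 0` is folded into AVERROR_INVALIDDATA instead of returning the decoder's own code. Splitting the checks keeps the original error: `if (lehmer < 0) { entropy_decoder_close(&dec); return lehmer; }` ahead of the bits-left test, and `return end` for the first read. parse_frame_header starts and ends outside the hunk.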
@@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, JXLEntropyDecoder *dec, if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) { const JXLSymbolDistribution *lz77dist = &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]]; + if (!dec->num_decoded) + return AVERROR_INVALIDDATA; ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - bundle->lz77_min_symbol, &dec->num_to_copy); if (ret < 0) return ret; @@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi dec->state = -1; /* it's not going to necessarily be zero after reading */ dec->num_to_copy = 0; + dec->num_decoded = 0; dist_bundle_close(&nested); if (use_mtf) { uint8_t mtf[256]; From 2b6be6ba90adefa0ffdfaf309a4d9d51d430b6f4 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 3 Nov 2024 22:32:51 +0100 Subject: [PATCH 428/606] avfilter/f_loop: fix length of aloop leftover buffer If the audio loop stops inside an audio frame, the leftover buffer contains the end of the frame, which is not looped. The length supposed to be the part which was not written to the loop buffer, so we need to drain exactly that number of bytes from the leftover buffer. Signed-off-by: Marton Balint (cherry picked from commit b33a59416072ad31a5840f33f9975d88acf45add) --- libavfilter/f_loop.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavfilter/f_loop.c b/libavfilter/f_loop.c index 0b08a2ead3..f2829ecb2b 100644 --- a/libavfilter/f_loop.c +++ b/libavfilter/f_loop.c 
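Review bot: The added `if (!dec->num_decoded) return AVERROR_INVALIDDATA;` carries no comment, and its purpose cannot be read off the code. I would add `/* an LZ77 pair as the very first symbol has nothing to copy from: reject it instead of reading the unwritten window */` above it. The reset `dec->num_decoded = 0;` in read_dist_clustering (second hunk) pairs with this check. Whether every other path that initialises or reuses a JXLEntropyDecoder also clears `num_decoded` is not visible here and is worth confirming. Both functions start outside their hunks.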
@@ -169,14 +169,13 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) s->pts += av_rescale_q(s->start - s->ignored_samples, (AVRational){1, outlink->sample_rate}, outlink->time_base); } s->nb_samples += ret - drain; - drain = frame->nb_samples - written; - if (s->nb_samples == s->size && drain > 0) { + if (s->nb_samples == s->size && frame->nb_samples > written) { int ret2; ret2 = av_audio_fifo_write(s->left, (void **)frame->extended_data, frame->nb_samples); if (ret2 < 0) return ret2; - av_audio_fifo_drain(s->left, drain); + av_audio_fifo_drain(s->left, written); } frame->nb_samples = ret; s->pts += av_rescale_q(ret, (AVRational){1, outlink->sample_rate}, outlink->time_base); From a6a07eebdf46c87be394a905c021dc01120d566f Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 4 Nov 2024 00:43:06 +0100 Subject: [PATCH 429/606] avfilter/f_loop: fix aloop activate logic The logic did not follow the documented behaviour and that caused skipping of some audio in the loop and in the leftover buffer. Example command line which should produce a smooth sine wave for the whole duration of the output: ffmpeg -f lavfi -i "sine=r=48000:f=480:d=4" -af "aloop=loop=4:start=48000:size=48000" out.wav Fixes ticket #11283. Signed-off-by: Marton Balint (cherry picked from commit fe18ed3f2a9221af0beaec7b04b7804849db1f2f) --- libavfilter/f_loop.c | 70 ++++++++++++++++++-------------------------- 1 file changed, 28 insertions(+), 42 deletions(-) diff --git a/libavfilter/f_loop.c b/libavfilter/f_loop.c index f2829ecb2b..3936d1c1b0 100644 --- a/libavfilter/f_loop.c +++ b/libavfilter/f_loop.c @@ -21,6 +21,7 @@ #include "config_components.h" #include "libavutil/audio_fifo.h" +#include "libavutil/avassert.h" #include "libavutil/internal.h" #include "libavutil/opt.h" #include "avfilter.h" 
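Review bot: The return value of `av_audio_fifo_drain(s->left, written)` is dropped, although the call fails when asked to drain more samples than the FIFO holds. `written` is computed outside this hunk rather than taken from what `av_audio_fifo_write` just stored. If the two ever disagree, the leftover buffer silently keeps samples that were already placed in the loop buffer. Checking it the same way as the write above makes that visible: `ret2 = av_audio_fifo_drain(s->left, written); if (ret2 < 0) return ret2;`. afilter_frame starts and ends outside the hunk.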
@@ -104,7 +105,7 @@ static av_cold void auninit(AVFilterContext *ctx) av_audio_fifo_free(s->left); } -static int push_samples(AVFilterContext *ctx, int nb_samples) +static int push_samples(AVFilterContext *ctx, int nb_samples, AVFrame **frame) { AVFilterLink *outlink = ctx->outputs[0]; LoopContext *s = ctx->priv; @@ -126,9 +127,7 @@ static int push_samples(AVFilterContext *ctx, int nb_samples) i += out->nb_samples; s->current_sample += out->nb_samples; - ret = ff_filter_frame(outlink, out); - if (ret < 0) - return ret; + *frame = out; if (s->current_sample >= s->nb_samples) { s->current_sample = 0; @@ -136,6 +135,8 @@ static int push_samples(AVFilterContext *ctx, int nb_samples) if (s->loop > 0) s->loop--; } + + return 0; } return ret; @@ -181,10 +182,7 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) s->pts += av_rescale_q(ret, (AVRational){1, outlink->sample_rate}, outlink->time_base); ret = ff_filter_frame(outlink, frame); } else { - int nb_samples = frame->nb_samples; - - av_frame_free(&frame); - ret = push_samples(ctx, nb_samples); + av_assert0(0); } } else { s->ignored_samples += frame->nb_samples; @@ -196,7 +194,7 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) return ret; } -static int arequest_frame(AVFilterLink *outlink) +static int arequest_frame(AVFilterLink *outlink, AVFrame **frame) { AVFilterContext *ctx = outlink->src; LoopContext *s = ctx->priv; 
@@ -216,17 +214,11 @@ static int arequest_frame(AVFilterLink *outlink) av_audio_fifo_read(s->left, (void **)out->extended_data, nb_samples); out->pts = s->pts; s->pts += av_rescale_q(nb_samples, (AVRational){1, outlink->sample_rate}, outlink->time_base); - ret = ff_filter_frame(outlink, out); - if (ret < 0) - return ret; + *frame = out; } - ret = ff_request_frame(ctx->inputs[0]); + return 0; } else { - ret = push_samples(ctx, 1024); - } - - if (s->eof && s->nb_samples > 0 && s->loop != 0) { - ret = push_samples(ctx, 1024); + ret = push_samples(ctx, 1024, frame); } return ret; 
@@ -244,37 +236,31 @@ static int aactivate(AVFilterContext *ctx) update_time(ctx, inlink->time_base); - if (!s->eof && (s->nb_samples < s->size || !s->loop || !s->size)) { - const int in_nb_samples = FFMIN(1024, s->size - s->nb_samples); - if (in_nb_samples == 0) - ret = ff_inlink_consume_frame(inlink, &frame); - else - ret = ff_inlink_consume_samples(inlink, in_nb_samples, in_nb_samples, &frame); - if (ret < 0) - return ret; - if (ret > 0) - return afilter_frame(inlink, frame); - } +retry: + ret = arequest_frame(outlink, &frame); + if (ret < 0) + return ret; + if (frame) + return ff_filter_frame(outlink, frame); - if (!s->eof && ff_inlink_acknowledge_status(inlink, &status, &s->eof_pts)) { - if (status == AVERROR_EOF) { + ret = ff_inlink_consume_frame(inlink, &frame); + if (ret < 0) + return ret; + if (ret > 0) + return afilter_frame(inlink, frame); + + ret = ff_inlink_acknowledge_status(inlink, &status, &s->eof_pts); + if (ret) { + if (status == AVERROR_EOF && !s->eof) { s->size = s->nb_samples; s->eof = 1; + goto retry; } - } - - if (s->eof && (!s->loop || !s->size)) { - ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts + s->pts_offset); + ff_outlink_set_status(outlink, status, s->eof_pts); return 0; } - if (!s->eof && (!s->size || - (s->nb_samples < s->size) || - (s->nb_samples >= s->size && s->loop == 0))) { - FF_FILTER_FORWARD_WANTED(outlink, inlink); - } else if (s->loop && s->nb_samples == s->size) { - return arequest_frame(outlink); - } + FF_FILTER_FORWARD_WANTED(outlink, inlink); return FFERROR_NOT_READY; } From 30cd0d7bd0605db6249fdae056ddc0d83a3d9774 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Tue, 5 Dec 2023 17:54:26 +0200 Subject: [PATCH 430/606] riscv: test for assembler support This should fix the build on LLVM 16 and earlier, at the cost of turning all non-RVV optimisations off. (cherry picked from commit b3825bbe452c8e4f129fa90bba1fed0ee7b87d71) 
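Review bot: `ff_outlink_set_status(outlink, status, s->eof_pts)` forwards the input's EOF timestamp unchanged, whereas the removed call passed `s->eof_pts + s->pts_offset`. After looping, the output timeline is longer than the input's, so the status timestamp may lie before the last frame sent downstream. That is inferred, because the handling of `s->pts` and `pts_offset` for audio is outside the hunk. If the change is intended, a one-line comment saying why the offset is not needed would help; otherwise the timestamp should be derived from the output position. The `if (frame)` test after `arequest_frame` also relies on `frame` being NULL-initialised at its declaration, which is above the hunk.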
Signed-off-by: Brad Smith --- Makefile | 6 +++--- configure | 5 ++++- ffbuild/arch.mak | 1 + libavcodec/riscv/Makefile | 16 ++++++++-------- libavcodec/riscv/ac3dsp_init.c | 2 ++ libavcodec/riscv/audiodsp_init.c | 2 ++ libavcodec/riscv/bswapdsp_init.c | 2 ++ libavcodec/riscv/pixblockdsp_init.c | 2 ++ libswscale/riscv/Makefile | 2 +- libswscale/riscv/rgb2rgb.c | 2 ++ tests/checkasm/Makefile | 2 +- tests/checkasm/checkasm.h | 5 ++++- 12 files changed, 32 insertions(+), 15 deletions(-) diff --git a/Makefile b/Makefile index 78652c47bd..2fc3e538c1 100644 --- a/Makefile +++ b/Makefile @@ -93,10 +93,10 @@ ffbuild/.config: $(CONFIGURABLE_COMPONENTS) SUBDIR_VARS := CLEANFILES FFLIBS HOSTPROGS TESTPROGS TOOLS \ HEADERS ARCH_HEADERS BUILT_HEADERS SKIPHEADERS \ ARMV5TE-OBJS ARMV6-OBJS ARMV8-OBJS VFP-OBJS NEON-OBJS \ - ALTIVEC-OBJS VSX-OBJS RVV-OBJS MMX-OBJS X86ASM-OBJS \ + ALTIVEC-OBJS VSX-OBJS MMX-OBJS X86ASM-OBJS \ MIPSFPU-OBJS MIPSDSPR2-OBJS MIPSDSP-OBJS MSA-OBJS \ - MMI-OBJS LSX-OBJS LASX-OBJS OBJS SLIBOBJS SHLIBOBJS \ - STLIBOBJS HOSTOBJS TESTOBJS + MMI-OBJS LSX-OBJS LASX-OBJS RV-OBJS RVV-OBJS \ + OBJS SLIBOBJS SHLIBOBJS STLIBOBJS HOSTOBJS TESTOBJS define RESET $(1) := diff --git a/configure b/configure index ff11033a01..05e8eb587a 100755 --- a/configure +++ b/configure @@ -2150,6 +2150,7 @@ ARCH_EXT_LIST_PPC=" " ARCH_EXT_LIST_RISCV=" + rv rvv " @@ -2678,7 +2679,8 @@ ppc4xx_deps="ppc" vsx_deps="altivec" power8_deps="vsx" -rvv_deps="riscv" +rv_deps="riscv" +rvv_deps="rv" loongson2_deps="mips" loongson3_deps="mips" @@ -6218,6 +6220,7 @@ elif enabled ppc; then elif enabled riscv; then + enabled rv && check_inline_asm rv '".option arch, +zbb\nrev8 t0, t1"' enabled rvv && check_inline_asm rvv '".option arch, +v\nvsetivli zero, 0, e8, m1, ta, ma"' elif enabled x86; then diff --git a/ffbuild/arch.mak b/ffbuild/arch.mak index 39d76ee152..23a3feb090 100644 --- a/ffbuild/arch.mak +++ b/ffbuild/arch.mak 
@@ -15,6 +15,7 @@ OBJS-$(HAVE_LASX) += $(LASX-OBJS) $(LASX-OBJS-yes) OBJS-$(HAVE_ALTIVEC) += $(ALTIVEC-OBJS) $(ALTIVEC-OBJS-yes) OBJS-$(HAVE_VSX) += $(VSX-OBJS) $(VSX-OBJS-yes) +OBJS-$(HAVE_RV) += $(RV-OBJS) $(RV-OBJS-yes) OBJS-$(HAVE_RVV) += $(RVV-OBJS) $(RVV-OBJS-yes) OBJS-$(HAVE_MMX) += $(MMX-OBJS) $(MMX-OBJS-yes) diff --git a/libavcodec/riscv/Makefile b/libavcodec/riscv/Makefile index 31ad493cd3..7c4e06cbc9 100644 --- a/libavcodec/riscv/Makefile +++ b/libavcodec/riscv/Makefile @@ -1,14 +1,14 @@ OBJS-$(CONFIG_AAC_DECODER) += riscv/aacpsdsp_init.o RVV-OBJS-$(CONFIG_AAC_DECODER) += riscv/aacpsdsp_rvv.o -OBJS-$(CONFIG_AC3DSP) += riscv/ac3dsp_init.o \ - riscv/ac3dsp_rvb.o +OBJS-$(CONFIG_AC3DSP) += riscv/ac3dsp_init.o +RV-OBJS-$(CONFIG_AC3DSP) += riscv/ac3dsp_rvb.o OBJS-$(CONFIG_ALAC_DECODER) += riscv/alacdsp_init.o RVV-OBJS-$(CONFIG_ALAC_DECODER) += riscv/alacdsp_rvv.o -OBJS-$(CONFIG_AUDIODSP) += riscv/audiodsp_init.o \ - riscv/audiodsp_rvf.o +OBJS-$(CONFIG_AUDIODSP) += riscv/audiodsp_init.o +RV-OBJS-$(CONFIG_AUDIODSP) += riscv/audiodsp_rvf.o RVV-OBJS-$(CONFIG_AUDIODSP) += riscv/audiodsp_rvv.o -OBJS-$(CONFIG_BSWAPDSP) += riscv/bswapdsp_init.o \ - riscv/bswapdsp_rvb.o +OBJS-$(CONFIG_BSWAPDSP) += riscv/bswapdsp_init.o +RV-OBJS-$(CONFIG_BSWAPDSP) += riscv/bswapdsp_rvb.o RVV-OBJS-$(CONFIG_BSWAPDSP) += riscv/bswapdsp_rvv.o OBJS-$(CONFIG_EXR_DECODER) += riscv/exrdsp_init.o RVV-OBJS-$(CONFIG_EXR_DECODER) += riscv/exrdsp_rvv.o 
@@ -22,8 +22,8 @@ OBJS-$(CONFIG_IDCTDSP) += riscv/idctdsp_init.o RVV-OBJS-$(CONFIG_IDCTDSP) += riscv/idctdsp_rvv.o OBJS-$(CONFIG_OPUS_DECODER) += riscv/opusdsp_init.o RVV-OBJS-$(CONFIG_OPUS_DECODER) += riscv/opusdsp_rvv.o -OBJS-$(CONFIG_PIXBLOCKDSP) += riscv/pixblockdsp_init.o \ - riscv/pixblockdsp_rvi.o +OBJS-$(CONFIG_PIXBLOCKDSP) += riscv/pixblockdsp_init.o +RV-OBJS-$(CONFIG_PIXBLOCKDSP) += riscv/pixblockdsp_rvi.o RVV-OBJS-$(CONFIG_PIXBLOCKDSP) += riscv/pixblockdsp_rvv.o OBJS-$(CONFIG_VORBIS_DECODER) += riscv/vorbisdsp_init.o RVV-OBJS-$(CONFIG_VORBIS_DECODER) += riscv/vorbisdsp_rvv.o diff --git a/libavcodec/riscv/ac3dsp_init.c b/libavcodec/riscv/ac3dsp_init.c index 20f294f1de..92678ea810 100644 --- a/libavcodec/riscv/ac3dsp_init.c +++ b/libavcodec/riscv/ac3dsp_init.c @@ -29,10 +29,12 @@ void ff_extract_exponents_rvb(uint8_t *exp, int32_t *coef, int nb_coefs); av_cold void ff_ac3dsp_init_riscv(AC3DSPContext *c) { +#if HAVE_RV int flags = av_get_cpu_flags(); if (flags & AV_CPU_FLAG_RVB_ADDR) { if (flags & AV_CPU_FLAG_RVB_BASIC) c->extract_exponents = ff_extract_exponents_rvb; } +#endif } diff --git a/libavcodec/riscv/audiodsp_init.c b/libavcodec/riscv/audiodsp_init.c index 9ab59c011e..f606406429 100644 --- a/libavcodec/riscv/audiodsp_init.c +++ b/libavcodec/riscv/audiodsp_init.c @@ -33,6 +33,7 @@ void ff_vector_clipf_rvv(float *dst, const float *src, int len, float min, float av_cold void ff_audiodsp_init_riscv(AudioDSPContext *c) { +#if HAVE_RV int flags = av_get_cpu_flags(); if (flags & AV_CPU_FLAG_RVF) @@ -47,4 +48,5 @@ av_cold void ff_audiodsp_init_riscv(AudioDSPContext *c) c->vector_clipf = ff_vector_clipf_rvv; } #endif +#endif } diff --git a/libavcodec/riscv/bswapdsp_init.c b/libavcodec/riscv/bswapdsp_init.c index ed666c9b3a..d490c434e7 100644 --- a/libavcodec/riscv/bswapdsp_init.c +++ b/libavcodec/riscv/bswapdsp_init.c 
@@ -30,6 +30,7 @@ void ff_bswap16_buf_rvv(uint16_t *dst, const uint16_t *src, int len); av_cold void ff_bswapdsp_init_riscv(BswapDSPContext *c) { +#if HAVE_RV int flags = av_get_cpu_flags(); if (flags & AV_CPU_FLAG_RVB_ADDR) { @@ -42,4 +43,5 @@ av_cold void ff_bswapdsp_init_riscv(BswapDSPContext *c) c->bswap16_buf = ff_bswap16_buf_rvv; #endif } +#endif } diff --git a/libavcodec/riscv/pixblockdsp_init.c b/libavcodec/riscv/pixblockdsp_init.c index aa39a8a665..f43d78e630 100644 --- a/libavcodec/riscv/pixblockdsp_init.c +++ b/libavcodec/riscv/pixblockdsp_init.c @@ -43,6 +43,7 @@ av_cold void ff_pixblockdsp_init_riscv(PixblockDSPContext *c, AVCodecContext *avctx, unsigned high_bit_depth) { +#if HAVE_RV int cpu_flags = av_get_cpu_flags(); if (cpu_flags & AV_CPU_FLAG_RVI) { @@ -62,4 +63,5 @@ av_cold void ff_pixblockdsp_init_riscv(PixblockDSPContext *c, c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_rvv; } #endif +#endif } diff --git a/libswscale/riscv/Makefile b/libswscale/riscv/Makefile index 7b371d5a86..48afaf62aa 100644 --- a/libswscale/riscv/Makefile +++ b/libswscale/riscv/Makefile @@ -1,3 +1,3 @@ OBJS += riscv/rgb2rgb.o -OBJS += riscv/rgb2rgb_rvb.o +RV-OBJS += riscv/rgb2rgb_rvb.o RVV-OBJS += riscv/rgb2rgb_rvv.o diff --git a/libswscale/riscv/rgb2rgb.c b/libswscale/riscv/rgb2rgb.c index 565f0b77f1..cea4c3db41 100644 --- a/libswscale/riscv/rgb2rgb.c +++ b/libswscale/riscv/rgb2rgb.c @@ -42,6 +42,7 @@ void ff_yuyvtoyuv422_rvv(uint8_t *ydst, uint8_t *udst, uint8_t *vdst, av_cold void rgb2rgb_init_riscv(void) { +#if HAVE_RV int flags = av_get_cpu_flags(); #if (__riscv_xlen == 64) @@ -59,4 +60,5 @@ av_cold void rgb2rgb_init_riscv(void) yuyvtoyuv422 = ff_yuyvtoyuv422_rvv; } #endif +#endif } diff --git a/tests/checkasm/Makefile b/tests/checkasm/Makefile index 594db4df9d..8ebf03c55d 100644 --- a/tests/checkasm/Makefile +++ b/tests/checkasm/Makefile 
@@ -66,7 +66,7 @@ CHECKASMOBJS-$(CONFIG_AVUTIL) += $(AVUTILOBJS) CHECKASMOBJS-$(ARCH_AARCH64) += aarch64/checkasm.o CHECKASMOBJS-$(HAVE_ARMV5TE_EXTERNAL) += arm/checkasm.o -CHECKASMOBJS-$(ARCH_RISCV) += riscv/checkasm.o +CHECKASMOBJS-$(HAVE_RV) += riscv/checkasm.o CHECKASMOBJS-$(HAVE_X86ASM) += x86/checkasm.o CHECKASMOBJS += $(CHECKASMOBJS-yes) checkasm.o diff --git a/tests/checkasm/checkasm.h b/tests/checkasm/checkasm.h index 51523c258b..1e6d120fb9 100644 --- a/tests/checkasm/checkasm.h +++ b/tests/checkasm/checkasm.h @@ -212,11 +212,14 @@ void checkasm_checked_call(void *func, ...); void checkasm_set_function(void *); void *checkasm_get_wrapper(void); -#if (__riscv_xlen == 64) && defined (__riscv_d) +#if HAVE_RV && (__riscv_xlen == 64) && defined (__riscv_d) #define declare_new(ret, ...) \ ret (*checked_call)(__VA_ARGS__) = checkasm_get_wrapper(); #define call_new(...) \ (checkasm_set_function(func_new), checked_call(__VA_ARGS__)) +#else +#define declare_new(ret, ...) +#define call_new(...) ((func_type *)func_new)(__VA_ARGS__) #endif #else #define declare_new(ret, ...) From 7f0d4aa61c5584804d86b4a39641495c80afcebf Mon Sep 17 00:00:00 2001 
From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:38 +0100 Subject: [PATCH 431/606] aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. Under these conditions like seen by Firefox a read beyond the end of the buffer results in a segfault. After the over-read is reduced to a single pixel it's reasonable to use VP9's emulated edge motion compensation for this. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 430c38f698a65d597e863330810b05e083682be6) --- libavcodec/aarch64/vp9mc_neon.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index abf2bae9db..38f44ca56d 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -230,6 +230,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no 
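Review bot: The context comment kept in this hunk still says `for size 4/8 it's enough with one qword and no` postincrement (it continues past the hunk), but the patch gives size 4 its own path. Here `x12`/`x13` are set to `x2 + 8`/`x7 + 8`, and the next hunk loads `v5.s[0]`/`v17.s[0]` through them with a post-increment by `x3`. The arm counterpart of this change (patch 432) rewrote the matching comment, and the aarch64 one should follow, e.g. `// size 4 loads 8 bytes plus one 32-bit lane via x12/x13 (post-incremented by x3),` then `// size 8 needs one qword and no postincrement`. The comment should also say that the split load exists to limit the read past the row to one pixel, so a later cleanup does not merge the loads back.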
@@ -248,9 +251,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b From 6a2b9d4c29be57f130597d1eff86770aa825ff0e Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:39 +0100 Subject: [PATCH 432/606] arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. This mirrors the aarch64 change. Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit f3662562156c9b908588b1e58e4203fd09217cb6) --- libavcodec/arm/vp9mc_neon.S | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S 
@@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 From 2a29fe87c42a47e4b93fea206bb1fbf1c2357ca6 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:40 +0100 Subject: [PATCH 433/606] vp9: recon: Use emulated edge to prevent buffer overflows The arm/aarch64 horizontal filter reads one additional pixel beyond what the filter uses. This can become an issue if the application does not allocate larger buffers than what's required for the pixel data. If the motion vector points to the bottom right edge of the picture this becomes a read buffer overflow. This triggers segfaults in Firefox for video resolutions which result in a page aligned picture size like 1280x640. Prevent this by using emulated edge in this case. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 060464105bdca82b8cfb91c7a6fb56df4c7cd9d0) --- libavcodec/vp9recon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index 073c04b47d..b8071f39b0 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c 
@@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, const vp9_mc_func // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, const vp9_mc_fu // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, From d0c887017a574ab4923971f8f06c7c4c6e87d7e5 Mon Sep 17 00:00:00 2001 
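Review bot: The new comment in mc_luma_unscaled (and its copy in mc_chroma_unscaled) does not say why the added clause needs both the x and the y test, or where the `+ 1` in `y + !!my * 5 + 1 > h - bh` comes from, so a later edit to either threshold could reopen the over-read unnoticed. Presumably the extra pixel only leaves the frame buffer when the block sits at the right edge of the last rows, since elsewhere it falls into the following row of the same plane. If that is the intent, say so: `// the extra pixel only leaves the buffer at the right edge of the last rows; on other rows it lands in the next row`. The identical expression in both functions could also move into one shared macro so the two guards cannot drift apart. Both function bodies start and end outside these hunks.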
From: Bin Peng Date: Mon, 16 Dec 2024 10:31:23 +0800 Subject: [PATCH 434/606] lavc/aarch64: Fix ff_pred8x8_plane_neon_10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix test failure on aarch64: ./tests/checkasm/checkasm --test=h264pred 479612 The mismatch between neon and C functions can also be reproduced using the following bitstream and command line. wget https://streams.videolan.org/ffmpeg/incoming/intra8x8pred_10bit.264 ./ffmpeg -cpuflags 0 -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_ref ./ffmpeg -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_neon Signed-off-by: Bin Peng Signed-off-by: Martin Storsjö (cherry picked from commit decc9e643cc3ac5537f42b465e2637fbefbf41cc) --- libavcodec/aarch64/h264pred_neon.S | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/aarch64/h264pred_neon.S b/libavcodec/aarch64/h264pred_neon.S index ea37689f34..168f8191ad 100644 --- a/libavcodec/aarch64/h264pred_neon.S +++ b/libavcodec/aarch64/h264pred_neon.S @@ -595,12 +595,11 @@ function ff_pred8x8_plane_neon_10, export=1 ssubl v2.4s, v2.4h, v3.4h ext v0.16b, v0.16b, v0.16b, #14 mov v0.h[0], wzr - mul v0.8h, v0.8h, v5.h[0] dup v1.4s, v2.s[0] dup v2.4s, v2.s[0] dup v3.8h, v5.h[1] - saddw v1.4s, v1.4s, v0.4h - saddw2 v2.4s, v2.4s, v0.8h + smlal v1.4s, v0.4h, v5.h[0] + smlal2 v2.4s, v0.8h, v5.h[0] mov w3, #8 mvni v4.8h, #0xFC, lsl #8 // 1023 for clipping 1: From ac60bc2bb0f66dfdbda51b4eef82ac6f8e8caef0 Mon Sep 17 00:00:00 2001 From: Bin Peng Date: Fri, 13 Dec 2024 22:19:47 +0800 Subject: [PATCH 435/606] lavc/aarch64: Fix ff_pred16x16_plane_neon_10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix test failure on aarch64: ./tests/checkasm/checkasm --test=h264pred 367840 Signed-off-by: Peng Bin 
Signed-off-by: Martin Storsjö (cherry picked from commit 72a3656e8468a394373b6397aacc906d7f7794c2) --- libavcodec/aarch64/h264pred_neon.S | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/libavcodec/aarch64/h264pred_neon.S b/libavcodec/aarch64/h264pred_neon.S index 168f8191ad..d0999938ef 100644 --- a/libavcodec/aarch64/h264pred_neon.S +++ b/libavcodec/aarch64/h264pred_neon.S @@ -502,28 +502,27 @@ function ff_pred16x16_plane_neon_10, export=1 add v7.4h, v7.4h, v0.4h shl v2.4h, v7.4h, #4 ssubl v2.4s, v2.4h, v3.4h - shl v3.4h, v4.4h, #4 ext v0.16b, v0.16b, v0.16b, #14 - ssubl v6.4s, v5.4h, v3.4h + sxtl v6.4s, v5.4h // c mov v0.h[0], wzr mul v0.8h, v0.8h, v4.h[0] dup v16.4s, v2.s[0] dup v17.4s, v2.s[0] - dup v2.8h, v4.h[0] - dup v3.4s, v6.s[0] - shl v2.8h, v2.8h, #3 + dup v2.8h, v4.h[0] // b + dup v3.4s, v6.s[0] // c + sshll v2.4s, v2.4h, #3 // b * 8 saddw v16.4s, v16.4s, v0.4h saddw2 v17.4s, v17.4s, v0.8h - saddw v3.4s, v3.4s, v2.4h + sub v3.4s, v3.4s, v2.4s mov w3, #16 mvni v4.8h, #0xFC, lsl #8 // 1023 for clipping 1: sqshrun v0.4h, v16.4s, #5 sqshrun2 v0.8h, v17.4s, #5 - saddw v16.4s, v16.4s, v2.4h - saddw v17.4s, v17.4s, v2.4h + add v16.4s, v16.4s, v2.4s + add v17.4s, v17.4s, v2.4s sqshrun v1.4h, v16.4s, #5 sqshrun2 v1.8h, v17.4s, #5 add v16.4s, v16.4s, v3.4s From b1baad4a5ffcbc932f242f27165bb329782b4375 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 23 Feb 2024 09:06:46 +0100 Subject: [PATCH 436/606] lavc/hevcdec: pass an actual codec context to ff_h2645_sei_to_frame() Needed by following commit. (cherry picked from commit d9f1b321cf58a85518d29c5a3d220d67b1a68b92) --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index d6be8140ff..c8776e9e9d 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
@@ -2779,7 +2779,7 @@ static int set_side_data(HEVCContext *s) s->sei.common.content_light.present--; } - ret = ff_h2645_sei_to_frame(out, &s->sei.common, AV_CODEC_ID_HEVC, NULL, + ret = ff_h2645_sei_to_frame(out, &s->sei.common, AV_CODEC_ID_HEVC, s->avctx, &s->ps.sps->vui.common, s->ps.sps->bit_depth, s->ps.sps->bit_depth_chroma, s->ref->poc /* no poc_offset in HEVC */); From 7492c2e9e46bdc0cf9fab276bc429c412440f349 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 23 Jan 2025 12:53:10 +0200 Subject: [PATCH 437/606] rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When running the cleanup in rtmp_close on failures in rtmp_open, we can in rare cases end up using rt->playpath, assuming that it is still set. The crash could happen if we hit the fail codepath in rtmp_open while publishing (rt->is_input == 0) with rt->state set to a value > STATE_FCPUBLISH. This would normally not happen while publishing; either we have an error (and rt->state <= STATE_FCPUBLISH) or we reach rt->state = STATE_PUBLISHING, and then we also return successfully from rtmp_open. The unexpected combination of states could happen if the server responds with e.g. "NetStream.Play.Stop" while expecting "NetStream.Publish.Start"; this sets rt->state to STATE_STOPPED, which also fulfills the condition "> STATE_FCPUBLISH". We don't need to free the rt->playpath/tcurl/flashver strings here; they're handled via AVOption, and thus are freed automatically when the protocol instance is freed (that's why they aren't freed manually within the rtmp_close function either). We also don't need to free the AVDictionary with options; it's owned by the caller. A smaller fix would be to just call rtmp_close before freeing the strings and dictionary, but as we don't need to free them at all, let's remove that redundant code. 
Signed-off-by: Martin Storsjö (cherry picked from commit 8f4819ce01584e0858fdc312aa8a17c55e350a92) --- libavformat/rtmpproto.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 98718bc6da..0292fa10e1 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2917,10 +2917,6 @@ reconnect: return 0; fail: - av_freep(&rt->playpath); - av_freep(&rt->tcurl); - av_freep(&rt->flashver); - av_dict_free(opts); rtmp_close(s); return ret; } From 138f52a3a1c49843d8bf2b693b6f6781356020f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 24 Jan 2025 23:32:52 +0200 Subject: [PATCH 438/606] configure: Improve the check for the rsync --contimeout option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Traditionally, macOS has shipped an old version of rsync that lacked support for this option, hence this check (added in a8b3f0c5cf548f654e30c981988bb71981a3f8d3). However, in macOS 15.x, Apple have switched to providing rsync as a different tool, openrsync. The version of openrsync in at least macOS 15.2 does include "[--contimeout]" (note the lack of "=" after the option), in the output of "rsync --help", but when used, the tool errors out with "rsync: --contimeout=60: unknown option". So apparently the tool erroenously lists the option as supported, while it really isn't. The original rsync tool (with a new enough version) prints "--contimeout=SECONDS" in the output of "rsync --help". It is unclear which version of openrsync Apple are shipping; the latest upstream openrsync from OpenBSD does support the option and includes "[--contimeout=seconds]" in the output of "--help", and older versions don't seem to include the option as listed at all. Therefore, check for "--conntimeout=" with the "=", this should properly detect both new enough rsync and openrsync. This fixes running "fate-rsync" on macOS 15.x. 
Signed-off-by: Martin Storsjö (cherry picked from commit 3cd4e8470a1ef82223d124523f8219691dfefb60) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 05e8eb587a..8be78ad46e 100755 --- a/configure +++ b/configure @@ -6986,7 +6986,7 @@ enabled makeinfo \ disabled makeinfo_html && texi2html --help 2> /dev/null | grep -q 'init-file' && enable texi2html || disable texi2html perl -v > /dev/null 2>&1 && enable perl || disable perl pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man -rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout +rsync --help 2> /dev/null | grep -q 'contimeout=' && enable rsync_contimeout || disable rsync_contimeout xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint check_headers linux/fb.h From 39cac587c4f78f7c26e0f0e5da664943d4e9fade Mon Sep 17 00:00:00 2001 From: Pavel Koshevoy Date: Sun, 23 Feb 2025 09:43:56 -0700 Subject: [PATCH 439/606] avformat/mov: (v4) fix get_eia608_packet The problem is reproducible with "Test for Quicktime 608 CC file.mov" from https://samples.ffmpeg.org/MPEG2/subcc/ ffmpeg -i "Test for Quicktime 608 CC file.mov" -map 0 -c copy -y remuxed.mov See https://trac.ffmpeg.org/ticket/11470 --- libavformat/mov.c | 70 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 59 insertions(+), 11 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d3418beab1..85675398e8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -8921,25 +8921,73 @@ static int mov_change_extradata(MOVStreamContext *sc, AVPacket *pkt) return 0; } -static int get_eia608_packet(AVIOContext *pb, AVPacket *pkt, int size) +static int get_eia608_packet(AVIOContext *pb, AVPacket *pkt, int src_size) { - int new_size, ret; + /* We can't make assumptions about the structure of the payload, + because it may include multiple cdat and cdt2 samples. */ + const uint32_t cdat = AV_RB32("cdat"); + const uint32_t cdt2 = AV_RB32("cdt2"); + int ret, out_size = 0; - if (size <= 8) + /* a valid payload must have size, 4cc, and at least 1 byte pair: */ + if (src_size < 10) return AVERROR_INVALIDDATA; - new_size = ((size - 8) / 2) * 3; - ret = av_new_packet(pkt, new_size); + + /* avoid an int overflow: */ + if ((src_size - 8) / 2 >= INT_MAX / 3) + return AVERROR_INVALIDDATA; + + ret = av_new_packet(pkt, ((src_size - 8) / 2) * 3); if (ret < 0) return ret; - avio_skip(pb, 8); - for (int j = 0; j < new_size; j += 3) { - pkt->data[j] = 0xFC; - pkt->data[j+1] = avio_r8(pb); - pkt->data[j+2] = avio_r8(pb); + /* parse and re-format the c608 payload in one pass. */ + while (src_size >= 10) { + const uint32_t atom_size = avio_rb32(pb); + const uint32_t atom_type = avio_rb32(pb); + const uint32_t data_size = atom_size - 8; + const uint8_t cc_field = + atom_type == cdat ? 1 : + atom_type == cdt2 ? 2 : + 0; + + /* account for bytes consumed for atom size and type. */ + src_size -= 8; + + /* make sure the data size stays within the buffer boundaries. */ + if (data_size < 2 || data_size > src_size) { + ret = AVERROR_INVALIDDATA; + break; + } + + /* make sure the data size is consistent with N byte pairs. */ + if (data_size % 2 != 0) { + ret = AVERROR_INVALIDDATA; + break; + } + + if (!cc_field) { + /* neither cdat or cdt2 ... 
skip it */ + avio_skip(pb, data_size); + src_size -= data_size; + continue; + } + + for (uint32_t i = 0; i < data_size; i += 2) { + pkt->data[out_size] = (0x1F << 3) | (1 << 2) | (cc_field - 1); + pkt->data[out_size + 1] = avio_r8(pb); + pkt->data[out_size + 2] = avio_r8(pb); + out_size += 3; + src_size -= 2; + } } - return 0; + if (src_size > 0) + /* skip any remaining unread portion of the input payload */ + avio_skip(pb, src_size); + + av_shrink_packet(pkt, out_size); + return ret; } static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) From 9c235c2c75f4c834720cfb8f42160bff9e5ecb2f Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Fri, 18 Aug 2023 15:32:39 -0400 Subject: [PATCH 440/606] lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang Add a check for the existence of the vec_xl() function. Clang provides the function even with VSX not enabled. (cherry picked from commit 30a8641465f7b7923e92d8724ef6a595fccb9e58) Signed-off-by: Brad Smith --- configure | 8 ++++++++ libswscale/ppc/yuv2rgb_altivec.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 8be78ad46e..7328f06721 100755 --- a/configure +++ b/configure @@ -2146,6 +2146,7 @@ ARCH_EXT_LIST_PPC=" ldbrx power8 ppc4xx + vec_xl vsx " @@ -2676,6 +2677,7 @@ altivec_deps="ppc" dcbzl_deps="ppc" ldbrx_deps="ppc" ppc4xx_deps="ppc" +vec_xl_deps="altivec" vsx_deps="altivec" power8_deps="vsx" @@ -6218,6 +6220,11 @@ elif enabled ppc; then check_cpp_condition power8 "altivec.h" "defined(_ARCH_PWR8)" fi + if enabled altivec && disabled vsx; then + check_cc vec_xl altivec.h "const unsigned char *y1i = { 0 }; + vector unsigned char y0 = vec_xl(0, y1i);" + fi + elif enabled riscv; then enabled rv && check_inline_asm rv '".option arch, +zbb\nrev8 t0, t1"' 
@@ -7754,6 +7761,7 @@ if enabled ppc; then echo "POWER8 enabled ${power8-no}" echo "PPC 4xx optimizations ${ppc4xx-no}" echo "dcbzl available ${dcbzl-no}" + echo "vec_xl available ${vec_xl-no}" fi if enabled loongarch; then echo "LSX enabled ${lsx-no}" diff --git a/libswscale/ppc/yuv2rgb_altivec.c b/libswscale/ppc/yuv2rgb_altivec.c index 5e1033a973..8b0a93796f 100644 --- a/libswscale/ppc/yuv2rgb_altivec.c +++ b/libswscale/ppc/yuv2rgb_altivec.c @@ -284,7 +284,7 @@ static inline void cvtyuvtoRGB(SwsContext *c, vector signed short Y, * ------------------------------------------------------------------------------ */ -#if !HAVE_VSX +#if !HAVE_VEC_XL static inline vector unsigned char vec_xl(signed long long offset, const ubyte *addr) { const vector unsigned char *v_addr = (const vector unsigned char *) (addr + offset); @@ -292,7 +292,7 @@ static inline vector unsigned char vec_xl(signed long long offset, const ubyte * return (vector unsigned char) vec_perm(v_addr[0], v_addr[1], align_perm); } -#endif /* !HAVE_VSX */ +#endif /* !HAVE_VEC_XL */ #define DEFCSP420_CVT(name, out_pixels) \ static int altivec_ ## name(SwsContext *c, const unsigned char **in, \ From e16ff06adb9acd647c0c33aa3c27438e1009b822 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Tue, 11 Mar 2025 00:31:47 -0400 Subject: [PATCH 441/606] lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang v2 v2: test for function if AltiVec is enabled instead of with AltiVec and without VSX (cherry picked from commit 49c8f33262d7c113c71cee9cd30b990a92afa0a1) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 7328f06721..17bc0d7b85 100755 --- a/configure +++ b/configure 
@@ -6220,7 +6220,7 @@ elif enabled ppc; then check_cpp_condition power8 "altivec.h" "defined(_ARCH_PWR8)" fi - if enabled altivec && disabled vsx; then + if enabled altivec; then check_cc vec_xl altivec.h "const unsigned char *y1i = { 0 }; vector unsigned char y0 = vec_xl(0, y1i);" fi From 7d383ac18b4df017d74af95ad5ccab626ef41b2a Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Fri, 9 May 2025 00:18:29 +0200 Subject: [PATCH 442/606] avformat/wavdec: increase requested probe score for codec probe Codec probing was primarily added to the wav demuxer to support DTS-in-wav files, but DTS probing functions return AVPROBE_SCORE_EXTENSION+1, so we can be a bit more strict with the required score. This fixes MP3 misdetections for some wav files. Fixes ticket #11581. Signed-off-by: Marton Balint (cherry picked from commit ce01c7fb58597f525e130f47a13ff77f1db62bf4) --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 4639f849b5..506d0b47c0 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -169,7 +169,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codecpar->codec_id == AV_CODEC_ID_PCM_S16LE) { FFStream *const sti = ffstream(st); - sti->request_probe = AVPROBE_SCORE_EXTENSION; + sti->request_probe = AVPROBE_SCORE_EXTENSION + 1; sti->probe_packets = FFMIN(sti->probe_packets, 32); } } From 8723e83699471edff046279e5411ca8e6c1a1ea6 Mon Sep 17 00:00:00 2001 
From: Pavel Koshevoy Date: Sun, 18 May 2025 08:57:31 -0600 Subject: [PATCH 443/606] avformat/mpegts: update stream info when PMT ES stream_type changes I have several .ts captures where video and audio codec changes even though the PMT version does not change and the PIDs stay the same. This happens during transition to/from slate (mpeg2 video and audio) to network broadcast (hevc video and eac3 audio in private PES). I've updated fate ts-demux expected results. --- libavformat/mpegts.c | 4 +++- tests/ref/fate/ts-demux | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e70fe90f06..dc94c10b53 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -939,6 +939,8 @@ static int mpegts_set_stream_info(AVStream *st, PESContext *pes, mpegts_find_stream_type(st, pes->stream_type, ISO_types); if (pes->stream_type == 4 || pes->stream_type == 0x0f) sti->request_probe = 50; + if (pes->stream_type == STREAM_TYPE_PRIVATE_DATA) + sti->request_probe = AVPROBE_SCORE_STREAM_RETRY; if ((prog_reg_desc == AV_RL32("HDMV") || prog_reg_desc == AV_RL32("HDPR")) && st->codecpar->codec_id == AV_CODEC_ID_NONE) { @@ -2491,7 +2493,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (!st) goto out; - if (pes && !pes->stream_type) + if (pes && pes->stream_type != stream_type) mpegts_set_stream_info(st, pes, stream_type, prog_reg_desc); add_pid_to_program(prg, pid); diff --git a/tests/ref/fate/ts-demux b/tests/ref/fate/ts-demux index cbf018fa8b..2a27b0d4d0 100644 --- a/tests/ref/fate/ts-demux +++ b/tests/ref/fate/ts-demux 
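Review bot: The relaxed guard in pmt_cb, `if (pes && pes->stream_type != stream_type)`, re-runs mpegts_set_stream_info on a stream that is already configured, and nothing visible in either mpegts.c hunk resets that stream's existing state first. The PMT is untrusted input, so a malformed or glitchy transport stream can change the codec id of a stream that may already hold buffered PES data and parser state for the previous codec. This is hedged, since the parser and buffer handling are outside the hunks. If mid-stream codec changes must be followed, the teardown of the old per-stream state belongs in the same change; otherwise keep `if (pes && !pes->stream_type)`. Both functions start and end outside these hunks.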
@@ -24,6 +24,6 @@ packet|codec_type=video|stream_index=0|pts=3912686363|pts_time=43474.292922|dts= packet|codec_type=audio|stream_index=1|pts=3912644825|pts_time=43473.831389|dts=3912644825|dts_time=43473.831389|duration=2880|duration_time=0.032000|size=906|pos=474888|flags=K__|data_hash=CRC32:0893d398 packet|codec_type=audio|stream_index=2|pts=3912645580|pts_time=43473.839778|dts=3912645580|dts_time=43473.839778|duration=2880|duration_time=0.032000|size=354|pos=491808|flags=K__|data_hash=CRC32:f5963fa6 stream|index=0|codec_name=mpeg2video|profile=4|codec_type=video|codec_tag_string=[2][0][0][0]|codec_tag=0x0002|width=1280|height=720|coded_width=0|coded_height=0|closed_captions=0|film_grain=0|has_b_frames=1|sample_aspect_ratio=1:1|display_aspect_ratio=16:9|pix_fmt=yuv420p|level=4|color_range=tv|color_space=unknown|color_transfer=unknown|color_primaries=unknown|chroma_location=left|field_order=progressive|refs=1|ts_packetsize=188|id=0x31|r_frame_rate=60000/1001|avg_frame_rate=60000/1001|time_base=1/90000|start_pts=3912669846|start_time=43474.109400|duration_ts=19519|duration=0.216878|bit_rate=15000000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=15|extradata_size=150|extradata_hash=CRC32:53134fa8|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|side_datum/cpb_properties:side_data_type=CPB properties|side_datum/cpb_properties:max_bitrate=15000000|side_datum/cpb_properties:min_bitrate=0|side_datum/cpb_properties:avg_bitrate=0|side_datum/cpb_properties:buffer_size=9781248|side_datum/cpb_properties:vbv_delay=-1 
-stream|index=1|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[4][0][0][0]|codec_tag=0x0004|sample_fmt=fltp|sample_rate=48000|channels=6|channel_layout=5.1(side)|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x34|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912633305|start_time=43473.703389|duration_ts=14400|duration=0.160000|bit_rate=384000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=eng -stream|index=2|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[4][0][0][0]|codec_tag=0x0004|sample_fmt=fltp|sample_rate=48000|channels=2|channel_layout=stereo|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x35|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912634060|start_time=43473.711778|duration_ts=14400|duration=0.160000|bit_rate=192000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=es 
+stream|index=1|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[6][0][0][0]|codec_tag=0x0006|sample_fmt=fltp|sample_rate=48000|channels=6|channel_layout=5.1(side)|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x34|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912633305|start_time=43473.703389|duration_ts=14400|duration=0.160000|bit_rate=384000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=eng +stream|index=2|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[6][0][0][0]|codec_tag=0x0006|sample_fmt=fltp|sample_rate=48000|channels=2|channel_layout=stereo|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x35|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912634060|start_time=43473.711778|duration_ts=14400|duration=0.160000|bit_rate=192000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=es 
format|filename=mp3ac325-4864-small.ts|nb_streams=3|nb_programs=1|format_name=mpegts|start_time=43473.703389|duration=0.622889|size=512000|bit_rate=6575810|probe_score=50 From b8fe1bc38e35e810fcf7310213199364b097bd15 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 22 May 2025 21:21:24 +0000 Subject: [PATCH 444/606] avfilter/avfiltergraph: fix regression in picking channel layout Signed-off-by: James Almer (cherry picked from commit 1b3f4842c18409dba5a345ef9e7b3de7a4fa3657) --- libavfilter/avfiltergraph.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 68daa93e61..f40131a0ae 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -941,8 +941,8 @@ static void swap_channel_layouts_on_filter(AVFilterContext *filter) } /* no penalty for LFE channel mismatch */ - if (av_channel_layout_channel_from_index(&in_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0 && - av_channel_layout_channel_from_index(&out_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0) + if (av_channel_layout_index_from_channel(&in_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0 && + av_channel_layout_index_from_channel(&out_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0) score += 10; av_channel_layout_from_mask(&in_chlayout, av_channel_layout_subset(&in_chlayout, ~AV_CH_LOW_FREQUENCY)); av_channel_layout_from_mask(&out_chlayout, av_channel_layout_subset(&out_chlayout, ~AV_CH_LOW_FREQUENCY)); From f120f66838b04b41913d135f56b90792f85a33a6 Mon Sep 17 00:00:00 2001 
From: Coia Prant Date: Fri, 23 May 2025 17:32:00 +0800 Subject: [PATCH 445/606] configure: Use MSYSTEM_CARCH for default arch on msys2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On msys2, `uname -m` returns the architecture of the base msys2 layer. On Windows on arm64, the base msys2 layer itself is still x86_64 only, even if running with e.g. the clangarm64 where the windows native applications are built as aarch64. If MSYSTEM_CARCH is set, use this instead of `uname -m` for the default architecture. This gives the correct behaviour for the clangarm64 environments. It also gives the correct default for the 32 bit x86 environments such as `mingw32`. (On `mingw32`, the fact that `uname -m` returned `x86_64` hasn't been an issue, as both that and `i686` gets normalized into `x86` internally in ffmpeg's configure.) Signed-off-by: Coia Prant Signed-off-by: Martin Storsjö (cherry picked from commit df967d095ae6a42a46cd4c46b96d61cc1c319b23) --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 17bc0d7b85..5f78f75db9 100755 --- a/configure +++ b/configure @@ -3965,6 +3965,8 @@ if test "$target_os_default" = aix; then arch_default=$(uname -p) strip_default="strip -X32_64" nm_default="nm -g -X32_64" +elif test "$MSYSTEM_CARCH" != ""; then + arch_default="$MSYSTEM_CARCH" else arch_default=$(uname -m) fi From 5d0dfdadb092afb7d3542c3af48d5929a8c76c01 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 9 Jun 2025 13:29:29 +0200 Subject: [PATCH 446/606] Revert "avformat/mpegts: update stream info when PMT ES stream_type changes" This fixes mixing up contexts, use of uninitialized data and crashes. More specifically: ==1001752== Conditional jump or move depends on uninitialised value(s) ==1001752== at 0xA9ED82: avpriv_h264_has_num_reorder_frames (h264dec.c:64) ==1001752== by 0x668C7E: has_decode_delay_been_guessed (demux.c:757) ==1001752== by 0x66AB13: compute_pkt_fields (demux.c:1137) ==1001752== by 0x66B2E9: parse_packet (demux.c:1265) ==1001752== by 0x66BD84: read_frame_internal (demux.c:1449) ==1001752== by 0x67085B: avformat_find_stream_info (demux.c:2692) ==1001752== by 0x25157C: ifile_open (ffmpeg_demux.c:1814) ==1001752== by 0x272B15: open_files (ffmpeg_opt.c:1366) ==1001752== by 0x272D85: ffmpeg_parse_options (ffmpeg_opt.c:1415) ==1001752== by 0x2925C9: main (ffmpeg.c:991) ==1001752== Uninitialised value was created by a heap allocation ==1001752== at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1001752== by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1001752== by 0x14882CE: av_malloc (mem.c:107) ==1001752== by 0x1463785: av_buffer_alloc (buffer.c:82) ==1001752== by 0x146423F: pool_alloc_buffer (buffer.c:369) ==1001752== by 0x14643C4: av_buffer_pool_get (buffer.c:407) ==1001752== by 0x752C4B: buffer_pool_get (mpegts.c:1142) ==1001752== by 0x7538F2: mpegts_push_data (mpegts.c:1407) ==1001752== by 0x758893: handle_packet (mpegts.c:2909) ==1001752== by 0x758E90: handle_packets (mpegts.c:3048) ==1001752== by 0x759B1D: mpegts_read_packet (mpegts.c:3290) ==1001752== by 0x6687A3: ff_read_packet (demux.c:649) ==1001752== by 0x66B594: read_frame_internal (demux.c:1346) ==1001752== by 0x67085B: avformat_find_stream_info (demux.c:2692) ==1001752== by 0x25157C: ifile_open (ffmpeg_demux.c:1814) ==1001752== by 0x272B15: 
open_files (ffmpeg_opt.c:1366) ==1001752== by 0x272D85: ffmpeg_parse_options (ffmpeg_opt.c:1415) ==1001752== by 0x2925C9: main (ffmpeg.c:991) Found-by: Alexander A. Shvedov CC: Pavel Koshevoy This reverts commit 0021484d05f9b0f032fa319399de6e24eea0c04f. --- libavformat/mpegts.c | 4 +--- tests/ref/fate/ts-demux | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index dc94c10b53..e70fe90f06 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -939,8 +939,6 @@ static int mpegts_set_stream_info(AVStream *st, PESContext *pes, mpegts_find_stream_type(st, pes->stream_type, ISO_types); if (pes->stream_type == 4 || pes->stream_type == 0x0f) sti->request_probe = 50; - if (pes->stream_type == STREAM_TYPE_PRIVATE_DATA) - sti->request_probe = AVPROBE_SCORE_STREAM_RETRY; if ((prog_reg_desc == AV_RL32("HDMV") || prog_reg_desc == AV_RL32("HDPR")) && st->codecpar->codec_id == AV_CODEC_ID_NONE) { @@ -2493,7 +2491,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (!st) goto out; - if (pes && pes->stream_type != stream_type) + if (pes && !pes->stream_type) mpegts_set_stream_info(st, pes, stream_type, prog_reg_desc); add_pid_to_program(prg, pid); diff --git a/tests/ref/fate/ts-demux b/tests/ref/fate/ts-demux index 2a27b0d4d0..cbf018fa8b 100644 --- a/tests/ref/fate/ts-demux +++ b/tests/ref/fate/ts-demux 
@@ -24,6 +24,6 @@ packet|codec_type=video|stream_index=0|pts=3912686363|pts_time=43474.292922|dts= packet|codec_type=audio|stream_index=1|pts=3912644825|pts_time=43473.831389|dts=3912644825|dts_time=43473.831389|duration=2880|duration_time=0.032000|size=906|pos=474888|flags=K__|data_hash=CRC32:0893d398 packet|codec_type=audio|stream_index=2|pts=3912645580|pts_time=43473.839778|dts=3912645580|dts_time=43473.839778|duration=2880|duration_time=0.032000|size=354|pos=491808|flags=K__|data_hash=CRC32:f5963fa6 stream|index=0|codec_name=mpeg2video|profile=4|codec_type=video|codec_tag_string=[2][0][0][0]|codec_tag=0x0002|width=1280|height=720|coded_width=0|coded_height=0|closed_captions=0|film_grain=0|has_b_frames=1|sample_aspect_ratio=1:1|display_aspect_ratio=16:9|pix_fmt=yuv420p|level=4|color_range=tv|color_space=unknown|color_transfer=unknown|color_primaries=unknown|chroma_location=left|field_order=progressive|refs=1|ts_packetsize=188|id=0x31|r_frame_rate=60000/1001|avg_frame_rate=60000/1001|time_base=1/90000|start_pts=3912669846|start_time=43474.109400|duration_ts=19519|duration=0.216878|bit_rate=15000000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=15|extradata_size=150|extradata_hash=CRC32:53134fa8|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|side_datum/cpb_properties:side_data_type=CPB properties|side_datum/cpb_properties:max_bitrate=15000000|side_datum/cpb_properties:min_bitrate=0|side_datum/cpb_properties:avg_bitrate=0|side_datum/cpb_properties:buffer_size=9781248|side_datum/cpb_properties:vbv_delay=-1 
-stream|index=1|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[6][0][0][0]|codec_tag=0x0006|sample_fmt=fltp|sample_rate=48000|channels=6|channel_layout=5.1(side)|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x34|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912633305|start_time=43473.703389|duration_ts=14400|duration=0.160000|bit_rate=384000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=eng -stream|index=2|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[6][0][0][0]|codec_tag=0x0006|sample_fmt=fltp|sample_rate=48000|channels=2|channel_layout=stereo|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x35|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912634060|start_time=43473.711778|duration_ts=14400|duration=0.160000|bit_rate=192000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=es 
+stream|index=1|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[4][0][0][0]|codec_tag=0x0004|sample_fmt=fltp|sample_rate=48000|channels=6|channel_layout=5.1(side)|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x34|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912633305|start_time=43473.703389|duration_ts=14400|duration=0.160000|bit_rate=384000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=eng +stream|index=2|codec_name=ac3|profile=unknown|codec_type=audio|codec_tag_string=[4][0][0][0]|codec_tag=0x0004|sample_fmt=fltp|sample_rate=48000|channels=2|channel_layout=stereo|bits_per_sample=0|initial_padding=0|ts_packetsize=188|id=0x35|r_frame_rate=0/0|avg_frame_rate=0/0|time_base=1/90000|start_pts=3912634060|start_time=43473.711778|duration_ts=14400|duration=0.160000|bit_rate=192000|max_bit_rate=N/A|bits_per_raw_sample=N/A|nb_frames=N/A|nb_read_frames=N/A|nb_read_packets=5|disposition:default=0|disposition:dub=0|disposition:original=0|disposition:comment=0|disposition:lyrics=0|disposition:karaoke=0|disposition:forced=0|disposition:hearing_impaired=0|disposition:visual_impaired=0|disposition:clean_effects=0|disposition:attached_pic=0|disposition:timed_thumbnails=0|disposition:non_diegetic=0|disposition:captions=0|disposition:descriptions=0|disposition:metadata=0|disposition:dependent=0|disposition:still_image=0|tag:language=es 
format|filename=mp3ac325-4864-small.ts|nb_streams=3|nb_programs=1|format_name=mpegts|start_time=43473.703389|duration=0.622889|size=512000|bit_rate=6575810|probe_score=50 From e3970eb15dc60420dc72374ef4baab4d59b2fc8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 19:45:15 +0200 Subject: [PATCH 447/606] avformat/wavdec: Check if there are 16 bytes before testing them Fixes: use-of-uninitialized-value Fixes: 70839/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5212907590189056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79a1cf30d1289f90da682263ba160f6e4a5a7bf1) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 506d0b47c0..1f8c7f30e1 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -864,8 +864,7 @@ static int w64_read_header(AVFormatContext *s) uint8_t guid[16]; int ret; - avio_read(pb, guid, 16); - if (memcmp(guid, ff_w64_guid_riff, 16)) + if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA; /* riff + wave + fmt + sizes */ From b1ed7a38e81fe983a2241dee74454eb58df1da19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:00:35 +0200 Subject: [PATCH 448/606] avformat/img2dec: Clear padding data after EOF Fixes: use-of-uninitialized-value Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 3978e81809a3daf278199849f7bbeacbffb9fa09) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) 
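Review bot: The new check in w64_read_header returns AVERROR_INVALIDDATA for every failed read, so a negative error code from avio_read() (an I/O error rather than a short file) is discarded. `ret` is already declared just above, so `ret = ffio_read_size(pb, guid, sizeof(guid)); if (ret < 0) return ret;` followed by the memcmp test would keep the short-read rejection and pass the real error up, assuming avio_internal.h is included in this file. The same flattening is in the parse_chunks hunk of libavformat/wtvdec.c (patch 452). `sizeof(guid)` would also replace the repeated literal 16.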
diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 785fd3849b..e2b4b01587 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -561,6 +561,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } goto fail; } else { + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); s->img_count++; s->img_number++; s->pts++; From 94cfbd42c00209619117c154347d35bb10674f53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:37 +0200 Subject: [PATCH 449/606] avformat/jpegxl_anim_dec: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow Fixes: 70837/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5089407768526848 Signed-off-by: Michael Niedermayer (cherry picked from commit 2b5f000d3f6f9e737e918a5438e6c881f65e70e2) Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_anim_dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c index 54cd6e4e9d..4e806573d0 100644 --- a/libavformat/jpegxl_anim_dec.c +++ b/libavformat/jpegxl_anim_dec.c @@ -123,6 +123,8 @@ static int jpegxl_anim_read_header(AVFormatContext *s) } } + memset(head + headsize, 0, AV_INPUT_BUFFER_PADDING_SIZE); + /* offset in bits of the animation header */ ret = ff_jpegxl_parse_codestream_header(head, headsize, &meta, 0); if (ret < 0 || meta.animation_offset <= 0) From f10edfe2181542d43a52ef22e915671e4792a859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:35 +0200 Subject: [PATCH 450/606] avcodec/parser: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. 
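Review bot: The added `memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE)` in ff_img_read_packet writes past the payload and is in bounds only if the packet was allocated for at least the final `pkt->size` plus padding; that allocation is outside the hunk and nothing at the call states the invariant. A short comment would record it, for example `/* pkt was allocated for the full size; a short read moved the end, so re-zero the padding */` (the short-read reason is inferred from the "after EOF" subject and should be confirmed). The same applies to the memsets added in jpegxl_anim_read_header (`head + headsize`), in ff_combine_frame in libavcodec/parser.c and in media100_to_mjpegb_bsf.c, where the buffer sizing is likewise not visible.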
Signed-off-by: Kacper Michajłow Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Signed-off-by: Michael Niedermayer (cherry picked from commit 5dfc0cc84129758b4eab2acdc3e186c3116deacd) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index efc28b8918..fea8d7a4c5 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -236,6 +236,7 @@ int ff_combine_frame(ParseContext *pc, int next, } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); + memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE); pc->index += *buf_size; return -1; } From 960c31117de4c68230a169f4e7e26e8efae86a97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:51 +0200 Subject: [PATCH 451/606] avformat/wtvdec: clear sectors The code can leave uninitialized holes in the array. Fixes: use of uninitialized values Fixes: 70883/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6698694567591936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c95ea0310468e0a0906fa7d590ff7406c39d6991) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index e70470f79b..bd75fded27 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -184,7 +184,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4); int i; - wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS); + wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS); if (!wf->sectors) { av_free(wf); return NULL; From f95693192d39be480b4ca71437d836387a8a727b Mon Sep 17 00:00:00 2001 
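Review bot: Switching to `av_calloc()` in wtvfile_open_sector makes unfilled entries read as zero, but nothing says that the zeroing is load-bearing or what a zero entry means to the code that later walks `wf->sectors`. The commit message states that the fill code can leave holes, so I would add `/* zero-filled: the fill below can leave holes in the table */` above the allocation. Whether a hole should be accepted as sector 0 or rejected as invalid data is decided outside the hunk and is worth confirming.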
From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:53 +0200 Subject: [PATCH 452/606] avformat/wtvdec: Check length of read mpeg2_descriptor Fixes: Use of uninitialized value Fixes: 70900/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6286909377150976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c390234da2e3c7a8884f5592f0b9b4928c482b3e) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index bd75fded27..7d449d0bdf 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -845,7 +845,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p } buf_size = FFMIN(len - consumed, sizeof(buf)); - avio_read(pb, buf, buf_size); + if (avio_read(pb, buf, buf_size) != buf_size) + return AVERROR_INVALIDDATA; consumed += buf_size; ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL); } From b9c8e0212a2f85ad173cbae3c30786c3774dbd03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:52 +0200 Subject: [PATCH 453/606] tools/target_dec_fuzzer: Use av_buffer_allocz() to avoid missing slices to have unpredictable content This matches production code which also zeros these buffers Fixes: use of uninitialized values Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b8d95da3a4a5c9441238928a36b653da693c286) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 4c4be4584f..41e241c20a 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -128,7 +128,7 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) frame->extended_data = frame->data; for (i = 0; i < 4 && size[i]; i++) { - frame->buf[i] = av_buffer_alloc(size[i]); + frame->buf[i] = av_buffer_allocz(size[i]); if (!frame->buf[i]) goto fail; frame->data[i] = frame->buf[i]->data; From 8d4cbca37bd0198b7252c3fb870d04211cac7a89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2024 09:16:48 +0200 Subject: [PATCH 454/606] avformat/lmlm4: Eliminate some AVERROR(EIO) Found by code review related to CID732224 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 191a685010319cb0d248771574c7c61d76e4eb95) Signed-off-by: Michael Niedermayer --- libavformat/lmlm4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/lmlm4.c b/libavformat/lmlm4.c index b0bfad001b..bb8ac23c55 100644 --- a/libavformat/lmlm4.c +++ b/libavformat/lmlm4.c @@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt) if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) { av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n"); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) { av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0) - return AVERROR(EIO); + return ret < 0 ? ret : AVERROR(EIO); avio_skip(pb, padding); From bd002dfc3d474b6cce3ccf0ddcf228549ab35aee Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 12 Jul 2024 00:28:14 +0200 Subject: [PATCH 455/606] avfilter/vf_xfade_opencl: Check ff_inlink_consume_frame() for failure Fixes: CID1458127 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 43b62b7e0c85c0a1038ac2bc90ae06597e3ef706) Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade_opencl.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_xfade_opencl.c b/libavfilter/vf_xfade_opencl.c index fb567aa7fd..c7d545fc3a 100644 --- a/libavfilter/vf_xfade_opencl.c +++ b/libavfilter/vf_xfade_opencl.c @@ -293,7 +293,9 @@ static int xfade_opencl_activate(AVFilterContext *avctx) if (ctx->first_pts + ctx->offset_pts > ctx->xf[0]->pts) { ctx->xf[0] = NULL; ctx->need_second = 0; - ff_inlink_consume_frame(avctx->inputs[0], &in); + ret = ff_inlink_consume_frame(avctx->inputs[0], &in); + if (ret < 0) + return ret; return ff_filter_frame(outlink, in); } @@ -302,8 +304,14 @@ static int xfade_opencl_activate(AVFilterContext *avctx) } if (ctx->xf[0] && ff_inlink_queued_frames(avctx->inputs[1]) > 0) { - ff_inlink_consume_frame(avctx->inputs[0], &ctx->xf[0]); - ff_inlink_consume_frame(avctx->inputs[1], &ctx->xf[1]); + ret = ff_inlink_consume_frame(avctx->inputs[0], &ctx->xf[0]); + if (ret < 0) + return ret; + ret = ff_inlink_consume_frame(avctx->inputs[1], &ctx->xf[1]); + if (ret < 0) { + av_frame_free(&ctx->xf[0]); + return ret; + } ctx->last_pts = ctx->xf[1]->pts; ctx->pts = ctx->xf[0]->pts; From 3581e7ce1d6173712cd0b4b0a6abc0a3e33a8709 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jul 2024 22:16:13 +0200 Subject: [PATCH 456/606] avfilter/af_surround: Check output format Fixes: CID1516994 Out-of-bounds access Fixes: CID1516996 Out-of-bounds access Fixes: CID1516999 Out-of-bounds access Sponsored-by: Sovereign Tech Fund 
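Review bot: In the first hunk of xfade_opencl_activate the context is modified (`ctx->xf[0] = NULL; ctx->need_second = 0;`) before the call that can now fail, so the error return leaves the filter in its post-consume state without a frame having been consumed. Consuming first keeps the state consistent: move `ret = ff_inlink_consume_frame(avctx->inputs[0], &in); if (ret < 0) return ret;` above the two assignments. Both hunks test only `ret < 0`; a return of 0 would leave the frame pointer unset before it is used, which the surrounding queue checks presumably rule out. `ret` is declared outside the hunk.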
Signed-off-by: Michael Niedermayer (cherry picked from commit 22ee55a1da8218fb00c536723d488b7ca9344bd3) Signed-off-by: Michael Niedermayer --- libavfilter/af_surround.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c index 64abf1fded..35a89c90fe 100644 --- a/libavfilter/af_surround.c +++ b/libavfilter/af_surround.c @@ -1136,6 +1136,31 @@ static av_cold int init(AVFilterContext *ctx) s->create_lfe = av_channel_layout_index_from_channel(&s->out_ch_layout, AV_CHAN_LOW_FREQUENCY) >= 0; + switch (out_channel_layout) { + case AV_CH_LAYOUT_MONO: + case AV_CH_LAYOUT_STEREO: + case AV_CH_LAYOUT_2POINT1: + case AV_CH_LAYOUT_2_1: + case AV_CH_LAYOUT_2_2: + case AV_CH_LAYOUT_SURROUND: + case AV_CH_LAYOUT_3POINT1: + case AV_CH_LAYOUT_QUAD: + case AV_CH_LAYOUT_4POINT0: + case AV_CH_LAYOUT_4POINT1: + case AV_CH_LAYOUT_5POINT0: + case AV_CH_LAYOUT_5POINT1: + case AV_CH_LAYOUT_5POINT0_BACK: + case AV_CH_LAYOUT_5POINT1_BACK: + case AV_CH_LAYOUT_6POINT0: + case AV_CH_LAYOUT_6POINT1: + case AV_CH_LAYOUT_7POINT0: + case AV_CH_LAYOUT_7POINT1: + case AV_CH_LAYOUT_OCTAGONAL: + break; + default: + goto fail; + } + switch (in_channel_layout) { case AV_CH_LAYOUT_STEREO: s->filter = filter_stereo; From b4cd76b4830004f761f3a3c0e9fee05e59eb54da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 23:47:46 +0200 Subject: [PATCH 457/606] avfilter/vf_tonemap_opencl: Dereference after NULL check Fixes: CID1437472 Dereference before null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5c0f56ca09b4cb4ea87a61547218f9c818b52d7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_tonemap_opencl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index 84bf394e75..0f6065cc72 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c 
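Review bot: The new `switch (out_channel_layout)` in init() is an allow-list with no comment saying what it protects, so a later edit can add a layout here without the matching tables, or the other way round. The commit message attributes out-of-bounds accesses to unchecked output layouts, and a line above the switch would record that, for example `/* output layouts the upmix code has tables for; any other layout would index out of bounds */` (wording inferred from the commit message, to be confirmed against the tables). What the `fail` label logs and returns is outside the hunk.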
@@ -343,8 +343,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) int err; double peak = ctx->peak; - AVHWFramesContext *input_frames_ctx = - (AVHWFramesContext*)input->hw_frames_ctx->data; + AVHWFramesContext *input_frames_ctx; av_log(ctx, AV_LOG_DEBUG, "Filter input: %s, %ux%u (%"PRId64").\n", av_get_pix_fmt_name(input->format), @@ -352,6 +351,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) if (!input->hw_frames_ctx) return AVERROR(EINVAL); + input_frames_ctx = (AVHWFramesContext*)input->hw_frames_ctx->data; output = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!output) { From f316f0309a9b22dd8fc5f0d236791b45b9e46517 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:10:45 +0200 Subject: [PATCH 458/606] avfilter/vf_v360: Assert that vf was initialized Maybe helps: CID1504571 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f802d65de0fe419563705a6846a73b77b020ef14) Signed-off-by: Michael Niedermayer --- libavfilter/vf_v360.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c index 2ac9b688dc..d3c4306a3b 100644 --- a/libavfilter/vf_v360.c +++ b/libavfilter/vf_v360.c @@ -3787,6 +3787,8 @@ static int barrelsplit_to_xyz(const V360Context *s, case 3: // back bottom vf = (y * 2.f - 1.5f) / scaleh + 3.f - facef; break; + default: + av_assert0(0); } l_x = (0.5f - uf) / scalew; l_y = 0.5f * dir_vert; From 0a80dadb96b7ea5904b4c09be15c08315b66415a Mon Sep 17 00:00:00 2001 
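Review bot: The early `return AVERROR(EINVAL);` that now precedes the dereference in tonemap_opencl_filter_frame returns without releasing `input`. filter_frame callbacks normally own the frame they are handed, so if that holds here the frame leaks on this path; `if (!input->hw_frames_ctx) { av_frame_free(&input); return AVERROR(EINVAL); }` would close it. The function's cleanup label, if it has one, is outside the hunk.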
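Review bot: `default: av_assert0(0);` in barrelsplit_to_xyz aborts the process if it is reached, and av_assert0 stays enabled in every build configuration, so it is appropriate only if the switch operand cannot take another value. The operand's computation is outside the hunk; if it is always 0..3, a comment next to the assert such as `/* unreachable: the switch operand is always 0..3 */` would say so (range to be confirmed). If that cannot be guaranteed, giving `vf` an initial value at its declaration avoids the abort.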
From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:17:39 +0200 Subject: [PATCH 459/606] avfilter/vf_xfade: Compute w2, h2 with float Fixes: CID1458148 Result is not floating-point Fixes: CID1458149 Result is not floating-point Fixes: CID1458150 Result is not floating-point Fixes: CID1458151 Result is not floating-point Fixes: CID1458152 Result is not floating-point Fixes: CID1458154 Result is not floating-point Fixes: CID1458155 Result is not floating-point Fixes: CID1458156 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b98125e5a52c2f96dc02380f8f7e3bb16752765b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_xfade.c b/libavfilter/vf_xfade.c index 088f34de6a..1f9de66990 100644 --- a/libavfilter/vf_xfade.c +++ b/libavfilter/vf_xfade.c @@ -956,7 +956,7 @@ static void vertopen##name##_transition(AVFilterContext *ctx, { \ XFadeContext *s = ctx->priv; \ const int width = out->width; \ - const float w2 = out->width / 2; \ + const float w2 = out->width / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ for (int x = 0; x < width; x++) { \ @@ -984,7 +984,7 @@ static void vertclose##name##_transition(AVFilterContext *ctx, XFadeContext *s = ctx->priv; \ const int nb_planes = s->nb_planes; \ const int width = out->width; \ - const float w2 = out->width / 2; \ + const float w2 = out->width / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ for (int x = 0; x < width; x++) { \ @@ -1012,7 +1012,7 @@ static void horzopen##name##_transition(AVFilterContext *ctx, XFadeContext *s = ctx->priv; \ const int nb_planes = s->nb_planes; \ const int width = out->width; \ - const float h2 = out->height / 2; \ + const float h2 = out->height / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ const float smooth = 2.f - fabsf((y - h2) / h2) - progress * 2.f; \ 
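Review bot: `out->width / 2.0` in vertopen##name##_transition divides in double and then narrows to the `float` w2, while the surrounding macro code uses float literals (`2.f - fabsf(...)`, `progress * 2.f`). `const float w2 = out->width / 2.f;` fixes the integer division the same way, without the double round trip, and matches the file's style. The same applies to `w2` in vertclose and to `h2` in horzopen and horzclose, the next three hunks.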
@@ -1040,7 +1040,7 @@ static void horzclose##name##_transition(AVFilterContext *ctx, XFadeContext *s = ctx->priv; \ const int nb_planes = s->nb_planes; \ const int width = out->width; \ - const float h2 = out->height / 2; \ + const float h2 = out->height / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ const float smooth = 1.f + fabsf((y - h2) / h2) - progress * 2.f; \ From d06d312baa8889662019c08f85ca846ad63d2706 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:13:28 +0200 Subject: [PATCH 460/606] avcodec/dxva2: Initialize dxva_size and check it Related: CID1591878 Uninitialized scalar variable Related: CID1591928 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8c59e99295f9ef572b5d6f0fd9075bb2b79acbd) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index d7bc587562..32dd06a58e 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -800,7 +800,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, unsigned type, const void *data, unsigned size, unsigned mb_count) { - void *dxva_data; + void *dxva_data = NULL; unsigned dxva_size; int result; HRESULT hr = 0; @@ -822,7 +822,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, type, (unsigned)hr); return -1; } - if (size <= dxva_size) { + if (dxva_data && size <= dxva_size) { memcpy(dxva_data, data, size); #if CONFIG_D3D11VA From 76604d8d47a2eaddacf7ceec5eec7f78e2d6fa8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:23:16 +0200 Subject: [PATCH 461/606] avcodec/dxva2: Initialize ConfigBitstreamRaw Related: CID1591894 Uninitialized scalar variable Related: CID1591906 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 489c05b9c3ea7d856b7a81abce247721b3b3d6e8) 
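Review bot: The subject says dxva_size is initialised, but in ff_dxva2_commit_buffer only `dxva_data` gets an initial value; `unsigned dxva_size;` is still declared without one. The new `dxva_data && size <= dxva_size` test avoids reading it when the pointer is NULL, but that depends on operand order, and `unsigned dxva_size = 0;` would make the declaration safe on its own. With a NULL buffer the code now falls into the other branch of this `if`, which is outside the hunk; if that branch reports a size problem, the message would be misleading for this case.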
Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 32dd06a58e..b9ade3af55 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -117,7 +117,7 @@ static int dxva_get_decoder_configuration(AVCodecContext *avctx, for (i = 0; i < cfg_count; i++) { unsigned score; - UINT ConfigBitstreamRaw; + UINT ConfigBitstreamRaw = 0; GUID guidConfigBitstreamEncryption; #if CONFIG_D3D11VA From 9d9f3cd2ca4e6364c9c934282603780a65a8a722 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:28:04 +0200 Subject: [PATCH 462/606] avcodec/dxva2: initialize validate Related: CID1591915 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2232c4cc8c3d64dec4e4399b58e057f5dbb9ff98) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index b9ade3af55..47c50afce8 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -268,7 +268,7 @@ static int dxva_get_decoder_guid(AVCodecContext *avctx, void *service, void *sur *decoder_guid = ff_GUID_NULL; for (i = 0; dxva_modes[i].guid; i++) { const dxva_mode *mode = &dxva_modes[i]; - int validate; + int validate = 0; if (!dxva_check_codec_compatibility(avctx, mode)) continue; From 0de517a2e0d2de194953cc1171554708cc78a3d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:33:11 +0200 Subject: [PATCH 463/606] avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() Related: CID1591924 Uninitialized scalar variable Related: CID1591938 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 1d6a2aebae202652feb5964a2d62bdba4e5cc6e4) 
Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 47c50afce8..9b260c18cc 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -900,7 +900,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame, #endif DECODER_BUFFER_DESC *buffer = NULL, *buffer_slice = NULL; int result, runs = 0; - HRESULT hr; + HRESULT hr = -1; unsigned type; FFDXVASharedContext *sctx = DXVA_SHARED_CONTEXT(avctx); From c61592d2746f690dc14a3b3146039d3db053b32b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:24:09 +0200 Subject: [PATCH 464/606] avdevice/dshow: Initialize 2 pointers Coverity claims these are used uninitilaized in CID1598561 Uninitialized pointer write and CID1598565 Uninitialized pointer write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 43cde54fc14bc4644374b4736b2b7fff05359171) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 506b1fe4dc..321bb1a63c 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -897,8 +897,8 @@ dshow_cycle_formats(AVFormatContext *avctx, enum dshowDeviceType devtype, if (devtype == VideoDevice) { VIDEO_STREAM_CONFIG_CAPS *vcaps = caps; - BITMAPINFOHEADER *bih; - int64_t *fr; + BITMAPINFOHEADER *bih = NULL; + int64_t *fr = NULL; #if DSHOWDEBUG ff_print_VIDEO_STREAM_CONFIG_CAPS(vcaps); #endif From c34c6f5f866ef2d7d1f7e5a7ba81c2a8eefcfe34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2024 15:23:56 +0200 Subject: [PATCH 465/606] tools/target_dec_fuzzer: Check that FFv1 doesnt leave uninitialized memory in its buffers Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e40b23c52abe3356effa552549b2e989708a6e70) 
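Review bot: `HRESULT hr = -1;` in ff_dxva2_common_end_frame uses a bare -1 as the failure default; it tests as failed but is not a named HRESULT, and ff_dxva2_commit_buffer in the same file initialises its `hr` to 0. `HRESULT hr = E_FAIL;` states the intent, and a short comment such as `/* fail unless one of the API branches below sets it */` would explain why the default has to be a failure. The branches that assign `hr` are outside the hunk.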
Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 41e241c20a..0396f8f67a 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -128,7 +128,14 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) frame->extended_data = frame->data; for (i = 0; i < 4 && size[i]; i++) { - frame->buf[i] = av_buffer_allocz(size[i]); + switch(ctx->codec_id) { + case AV_CODEC_ID_FFV1: + frame->buf[i] = av_buffer_alloc(size[i]); + break; + default: + frame->buf[i] = av_buffer_allocz(size[i]); + } + if (!frame->buf[i]) goto fail; frame->data[i] = frame->buf[i]->data; From cccb8250ea20e317c8906177c51edebb2e366ea8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2024 18:20:33 +0200 Subject: [PATCH 466/606] avcodec/sga: av_assert1 check init_get_bits8() Related: CID1473562 Unchecked return value Related: CID1473592 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0f4524f07a93bf9061f9034ffa510d4bf9b582e8) Signed-off-by: Michael Niedermayer --- libavcodec/sga.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/sga.c b/libavcodec/sga.c index f474ffba9a..acf8cec7f3 100644 --- a/libavcodec/sga.c +++ b/libavcodec/sga.c @@ -253,11 +253,13 @@ static int decode_palmapdata(AVCodecContext *avctx) const int bits = (s->nb_pal + 1) / 2; GetByteContext *gb = &s->gb; GetBitContext pm; + int ret; bytestream2_seek(gb, s->palmapdata_offset, SEEK_SET); if (bytestream2_get_bytes_left(gb) < s->palmapdata_size) return AVERROR_INVALIDDATA; - init_get_bits8(&pm, gb->buffer, s->palmapdata_size); + ret = init_get_bits8(&pm, gb->buffer, s->palmapdata_size); + av_assert1(ret >= 0); for (int y = 0; y < s->tiles_h; y++) { uint8_t *dst = s->palmapindex_data + y * s->tiles_w; 
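Review bot: The new `switch(ctx->codec_id)` in fuzz_video_get_buffer gives FFV1 an unzeroed buffer with nothing in the code saying why, so it reads like a regression of the earlier change to av_buffer_allocz(). A comment on the case would keep it from being changed back: `/* FFV1 must write every byte itself; leave the buffer uninitialised so the sanitizer reports any gap */` (taken from the commit subject). The `default:` arm also lacks a `break;`, which is harmless on the last label but inconsistent with the case above it.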
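Review bot: `av_assert1(ret >= 0)` in decode_palmapdata checks nothing in a normal build, because av_assert1 is compiled in only at assert level 1 or higher; a failing init_get_bits8() is still ignored and `ret` becomes a set-but-unused variable. The function already returns error codes, so `if (ret < 0) return ret;` would handle the failure in every build. The same applies to decode_tiledata in the next hunk.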
@@ -276,11 +278,13 @@ static int decode_tiledata(AVCodecContext *avctx) SGAVideoContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; GetBitContext tm; + int ret; bytestream2_seek(gb, s->tiledata_offset, SEEK_SET); if (bytestream2_get_bytes_left(gb) < s->tiledata_size) return AVERROR_INVALIDDATA; - init_get_bits8(&tm, gb->buffer, s->tiledata_size); + ret = init_get_bits8(&tm, gb->buffer, s->tiledata_size); + av_assert1(ret >= 0); for (int n = 0; n < s->nb_tiles; n++) { uint8_t *dst = s->tileindex_data + n * 64; From be1eb5d585afb1321840207ebc0d18e6730efdf2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2024 18:02:58 +0200 Subject: [PATCH 467/606] avformat/segafilm: Set keyframe Fixes: use of uninitialized value Fixes: 70871/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5883617752973312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc7dfe65aaa21801a907c66592b92b05da921dc) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 4c6b68426c..800f8e7287 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -233,6 +233,7 @@ static int film_read_header(AVFormatContext *s) else if (film->audio_type != AV_CODEC_ID_NONE) audio_frame_counter += (film->sample_table[i].sample_size / (film->audio_channels * film->audio_bits / 8)); + film->sample_table[i].keyframe = 1; } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; From 960489607a63b4988e8ef80eb602f22a9dc9676c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 3 Aug 2024 13:30:28 +0200 Subject: [PATCH 468/606] bsf/media100_to_mjpegb: Clear output buffer padding Fixes: use-of-uninitialized-value Fixes: 70855/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MEDIA100_fuzzer-5537446610141184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0f22218f74e3af73492e05e6696546b0da8d40e) Signed-off-by: Michael Niedermayer --- libavcodec/media100_to_mjpegb_bsf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/media100_to_mjpegb_bsf.c b/libavcodec/media100_to_mjpegb_bsf.c index 6e117ae20f..4b2dc1a35a 100644 --- a/libavcodec/media100_to_mjpegb_bsf.c +++ b/libavcodec/media100_to_mjpegb_bsf.c @@ -148,6 +148,7 @@ second_field: AV_WB32(out->data + second_field_offset + 36, sod_offset[1] - second_field_offset); out->size = bytestream2_tell_p(&pb); + memset(out->data + out->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); ret = av_packet_copy_props(out, in); if (ret < 0) From ba60cf9e7bf3eed262320736bb2e903d34b79241 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 19:11:33 +0200 Subject: [PATCH 469/606] avcodec/mvha: Clear remaining space after inflate() Fixes: use-of-uninitialized-value Fixes: 70838/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-4878509466517504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cba4e2e40dec1ff2ce534fec87c7e3e8bef7ff9b) Signed-off-by: Michael Niedermayer --- libavcodec/mvha.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c index 356cebc64e..87fe3c7100 100644 --- a/libavcodec/mvha.c +++ b/libavcodec/mvha.c 
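Review bot: The added `memset(out->data + out->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);` writes past the new out->size, and nothing in the hunk shows that the packet was allocated with at least that much room beyond the final write position. If the allocation is sized from the worst-case output plus padding, a one-line comment saying so, or an assertion against the allocated size, would make the bound checkable at the write site. The same pattern is added in apac_decode, shorten_decode_frame and obu_get_packet later in this series, where the buffer sizes are likewise outside the hunks. The code under the `second_field:` label continues outside this hunk.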
@@ -183,6 +183,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret); return AVERROR_EXTERNAL; } + if (zstream->avail_out > 0) + memset(zstream->next_out, 0, zstream->avail_out); } } } else if (type == MKTAG('H','U','F','Y')) { From cf425cf10af914de78198ff39970e5218041a08c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:20:55 +0200 Subject: [PATCH 470/606] avcodec/apac: Clean padding space Fixes: use-of-uninitialized-value Fixes: 70842/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APAC_fuzzer-5758325067677696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ca072a373f5e2b6689a8649c79a03d12db5eb0b) Signed-off-by: Michael Niedermayer --- libavcodec/apac.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/apac.c b/libavcodec/apac.c index b6cb6c669e..24ddcdb864 100644 --- a/libavcodec/apac.c +++ b/libavcodec/apac.c @@ -160,6 +160,7 @@ static int apac_decode(AVCodecContext *avctx, AVFrame *frame, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); frame->nb_samples = s->bitstream_size * 16 * 8; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) From 018ad1dd301bf64c7175173f63b1cad98a6838cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:27:44 +0200 Subject: [PATCH 471/606] avformat/mpeg: Check an avio_read() for failure Fixes: use-of-uninitialized-value Fixes: 70849/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-4684401009557504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66ee75d76ce56a3553a99d67e74b8a9970c18f5b) 
Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 8e70533056..1240e2ddff 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -562,7 +562,9 @@ redo: static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 }; unsigned char buf[8]; - avio_read(s->pb, buf, 8); + ret = avio_read(s->pb, buf, 8); + if (ret != 8) + return AVERROR_INVALIDDATA; avio_seek(s->pb, -8, SEEK_CUR); if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1)) codec_id = AV_CODEC_ID_CAVS; From a767fc7eb38c7b9e93e17ca4af64c0bcf30f3745 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:10:48 +0200 Subject: [PATCH 472/606] avcodec/shorten: clear padding Fixes: use-of-uninitialized-value Fixes: 70854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5533480570650624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44349ee88418ac16051bbc9231c1bfdc25d3504) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0ad95bf97e..66ff8dea3b 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -562,6 +562,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, AVFrame *frame, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); /* do not decode until buffer has at least max_framesize bytes or * the end of the file has been reached */ From 89f8f866a64d22ce6173c7ea3e509a25784919c6 Mon Sep 17 00:00:00 2001 
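Review bot: The new check after `avio_read(s->pb, buf, 8)` returns AVERROR_INVALIDDATA for every result other than 8, so a negative return (an I/O error or end of file) is reported as corrupt data. `if (ret != 8) return ret < 0 ? ret : AVERROR_INVALIDDATA;` keeps the original error code for callers and logs. The argo_brp_read_packet hunk later in this series goes further and removes an existing `return ret;` on that path, and the read_table hunk in mvdec.c has the same shape. The return value of `avio_seek(s->pb, -8, SEEK_CUR)` on the following context line is still unchecked.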
From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:15:08 +0200 Subject: [PATCH 473/606] avcodec/vc1dec: Clear mb_type_base and ttblk_base Fixes: two use-of-uninitialized-value Fixes: 70856/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5539349918187520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50471f96c4a68874575ab21f799c5999ed920838) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 534128d6ee..739f619430 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -354,7 +354,7 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v) if (!v->block || !v->cbp_base) return AVERROR(ENOMEM); v->cbp = v->cbp_base + 2 * s->mb_stride; - v->ttblk_base = av_malloc(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); + v->ttblk_base = av_mallocz(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); if (!v->ttblk_base) return AVERROR(ENOMEM); v->ttblk = v->ttblk_base + 2 * s->mb_stride; @@ -368,7 +368,7 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v) v->luma_mv = v->luma_mv_base + 2 * s->mb_stride; /* allocate block type info in that way so it could be used with s->block_index[] */ - v->mb_type_base = av_malloc(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); + v->mb_type_base = av_mallocz(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); if (!v->mb_type_base) return AVERROR(ENOMEM); v->mb_type[0] = v->mb_type_base + s->b8_stride + 1; From 97b0e63719068e40460f8fc329fdbf8a7842d570 Mon Sep 17 00:00:00 2001 
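Review bot: Both allocations switched to av_mallocz() in vc1_decode_init_alloc_tables still compute their size with an open-coded multiplication (`sizeof(v->ttblk_base[0]) * 3 * s->mb_stride` and the mb_type_base expression in the second hunk), which is not overflow-checked. The aic.c and alsdec.c changes in this series use av_calloc() for the same purpose; `v->ttblk_base = av_calloc(3 * s->mb_stride, sizeof(v->ttblk_base[0]));` would zero the table and check the product. Whether the strides are bounded tightly enough elsewhere to make this moot is not visible in the hunk.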
From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:30:03 +0200 Subject: [PATCH 474/606] avcodec/aic: Clear slice_data Fixes: use-of-uninitialized-value Fixes: 70865/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-4874102695854080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de3f6c8888bcf3df4ca6cb265a83507b95c884cd) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index f8b0f60354..48a125d956 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -466,8 +466,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) } } - ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS - * sizeof(*ctx->slice_data)); + ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data)); if (!ctx->slice_data) { av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n"); From 15d1b93cb9087a63bed94ecc9fa5309a84f028de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:32:31 +0200 Subject: [PATCH 475/606] avcodec/alsdec: clear last_acf_mantissa Fixes: use-of-uninitialized-value Fixes: 70869/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5476567461986304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db843c8910781eb72a4658780283ef4e2da4591d) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7262cdb4b3..0b78f75ea6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -2112,7 +2112,7 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->acf = av_malloc_array(channels, sizeof(*ctx->acf)); ctx->shift_value = av_calloc(channels, sizeof(*ctx->shift_value)); ctx->last_shift_value = av_calloc(channels, sizeof(*ctx->last_shift_value)); - ctx->last_acf_mantissa = av_malloc_array(channels, sizeof(*ctx->last_acf_mantissa)); + ctx->last_acf_mantissa = av_calloc(channels, sizeof(*ctx->last_acf_mantissa)); ctx->raw_mantissa = av_calloc(channels, sizeof(*ctx->raw_mantissa)); ctx->larray = av_malloc_array(ctx->cur_frame_length * 4, sizeof(*ctx->larray)); From a3e8eff1824b8bf98a5691d14b88e5e092493b78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Aug 2024 18:46:10 +0200 Subject: [PATCH 476/606] =?UTF-8?q?avcodec/apac:=20Fix=20discards=20?= =?UTF-8?q?=E2=80=98const=E2=80=99=20qualifier?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: courmisch Signed-off-by: Michael Niedermayer (cherry picked from commit 45ee6b1e3d4f762e372e09505c9c8ca37c1321a0) Signed-off-by: Michael Niedermayer --- libavcodec/apac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apac.c b/libavcodec/apac.c index 24ddcdb864..98c34b9996 100644 --- a/libavcodec/apac.c +++ b/libavcodec/apac.c @@ -130,7 +130,7 @@ static int apac_decode(AVCodecContext *avctx, AVFrame *frame, APACContext *s = avctx->priv_data; GetBitContext *gb = &s->gb; int ret, n, buf_size, input_buf_size; - const uint8_t *buf; + uint8_t *buf; int nb_samples; if (!pkt->size && s->bitstream_size <= 0) { From 004ca6e6227202a858843e72d2c603bc5b6b9330 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 18:35:48 +0200 Subject: [PATCH 477/606] avformat/av1dec: Better fix for 70872/clusterfuzz-testcase-minimized-ffmpeg_dem_OBU_fuzzer-6005782487826432 Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad937f0c8cb9f120c50f3e792a699076923768e) 
Signed-off-by: Michael Niedermayer --- libavformat/av1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c index 8a06445958..48d67c5e5e 100644 --- a/libavformat/av1dec.c +++ b/libavformat/av1dec.c @@ -378,6 +378,7 @@ static int obu_get_packet(AVFormatContext *s, AVPacket *pkt) if (size < 0) return size; + memset(header + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); len = read_obu_with_size(header, size, &obu_size, &type); if (len < 0) { av_log(c, AV_LOG_ERROR, "Failed to read obu\n"); From 1bf01620a73147809f9fedb93139abb4be6eb5f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2024 01:11:50 +0200 Subject: [PATCH 478/606] avcodec/avcodec: Warn about data returned from get_buffer*() Text based on suggestion by: epirat07@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 93444c46fce195e378c4ebb1a20ea662e7f0123b) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 7fb44e28f4..da4d7a6219 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1190,6 +1190,10 @@ typedef struct AVCodecContext { * this callback and filled with the extra buffers if there are more * buffers than buf[] can hold. extended_buf will be freed in * av_frame_unref(). + * Decoders will generally initialize the whole buffer before it is output + * but it can in rare error conditions happen that uninitialized data is passed + * through. \important The buffers returned by get_buffer* should thus not contain sensitive + * data. * * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call * avcodec_default_get_buffer2() instead of providing buffers allocated by From 4f9dac5ea9357ec66471d09796d50755f1f594f2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 19 Aug 2024 16:25:27 +0200 Subject: [PATCH 479/606] avcodec/magicyuvenc: better slice height Fixes: Use of uninitialized value Fixes: 71072/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4835252046987264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b08776e3ae9a5315c19e8619ca71921006c1abe1) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuvenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/magicyuvenc.c b/libavcodec/magicyuvenc.c index ccd6a54936..09dabc7bf5 100644 --- a/libavcodec/magicyuvenc.c +++ b/libavcodec/magicyuvenc.c @@ -375,11 +375,14 @@ static int count_plane_slice(AVCodecContext *avctx, int n, int plane) Slice *sl = &s->slices[n * s->planes + plane]; const uint8_t *dst = sl->slice; PTable *counts = sl->counts; + const int slice_height = s->slice_height; + const int last_height = FFMIN(slice_height, avctx->height - n * slice_height); + const int height = (n < (s->nb_slices - 1)) ? slice_height : last_height; memset(counts, 0, sizeof(sl->counts)); count_usage(dst, AV_CEIL_RSHIFT(avctx->width, s->hshift[plane]), - AV_CEIL_RSHIFT(s->slice_height, s->vshift[plane]), counts); + AV_CEIL_RSHIFT(height, s->vshift[plane]), counts); return 0; } From 901b8c8b7e21a6805265c2a0c7dd1257f6907e94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 17:02:12 +0200 Subject: [PATCH 480/606] avformat/apetag: Check APETAGEX Fixes: Use of uninitialized value Fixes: 71074/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5697034877730816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 796ff2d599449ed798b69ab798ebcbcc0a5853f5) 
Signed-off-by: Michael Niedermayer --- libavformat/apetag.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index f2794c46f2..8316abc07c 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -120,7 +120,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s) avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); - avio_read(pb, buf, 8); /* APETAGEX */ + if(avio_read(pb, buf, 8) != 8) /* APETAGEX */ + return 0; if (strncmp(buf, APE_TAG_PREAMBLE, 8)) { return 0; } From 8d67d595bc67c07f57eb31c099bb71d8b7e4a5f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 20:02:41 +0200 Subject: [PATCH 481/606] avcodec/vc1_block: propagate error codes Fixes: use of uninitialized value Fixes: 71228/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6188476880453632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01910ca6037379804572c5ec9bbd0b94e7e4b83e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 59 ++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 1baa6a9bf6..4806f604d9 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1312,6 +1312,7 @@ static int vc1_decode_p_mb(VC1Context *v) int dst_idx, off; int skipped, fourmv; int block_cbp = 0, pat, block_tt = 0, block_intra = 0; + int ret; mquant = v->pq; /* lossy initialization */ 
@@ -1370,8 +1371,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1473,8 +1476,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1545,6 +1550,7 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0, mvbp; int fieldtx; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1617,8 +1623,10 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); 
@@ -1754,6 +1762,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) int pred_flag = 0; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1785,8 +1794,10 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1877,6 +1888,7 @@ static int vc1_decode_b_mb(VC1Context *v) int skipped, direct; int dmv_x[2], dmv_y[2]; int bmvtype = BMV_TYPE_BACKWARD; + int ret; mquant = v->pq; /* lossy initialization */ s->mb_intra = 0; @@ -1989,8 +2001,10 @@ static int vc1_decode_b_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2036,6 +2050,7 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) int bmvtype = BMV_TYPE_BACKWARD; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; 
@@ -2068,8 +2083,10 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2206,6 +2223,7 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) int stride_y, fieldtx; int bmvtype = BMV_TYPE_BACKWARD; int dir, dir2; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2262,8 +2280,10 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && i > 3 && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2797,6 +2817,7 @@ static void vc1_decode_p_blocks(VC1Context *v) { MpegEncContext *s = &v->s; int apply_loop_filter; + int ret; /* select coding mode used for VLC tables selection */ switch (v->c_ac_table_index) { 
@@ -2839,22 +2860,22 @@ static void vc1_decode_p_blocks(VC1Context *v) } if (v->fcm == ILACE_FIELD) { - vc1_decode_p_mb_intfi(v); + ret = vc1_decode_p_mb_intfi(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } else if (v->fcm == ILACE_FRAME) { - vc1_decode_p_mb_intfr(v); + ret = vc1_decode_p_mb_intfr(v); if (apply_loop_filter) ff_vc1_p_intfr_loop_filter(v); } else { - vc1_decode_p_mb(v); + ret = vc1_decode_p_mb(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } - if (get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { + if (ret < 0 || get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { // TODO: may need modification to handle slice coding ff_er_add_slice(&s->er, 0, s->start_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR); - av_log(s->avctx, AV_LOG_ERROR, "Bits overconsumption: %i > %i at %ix%i\n", + av_log(s->avctx, AV_LOG_ERROR, "Error or Bits overconsumption: %i > %i at %ix%i\n", get_bits_count(&s->gb), s->gb.size_in_bits, s->mb_x, s->mb_y); return; } From 3b31f5cfee0654f8e2dd83ee68d9dab895c43886 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 20:37:56 +0200 Subject: [PATCH 482/606] avcodec/notchlc: Check bytes left before reading Fixes: Use of uninitialized value Fixes: 71230/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-4624502095413248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c7f50c7de9b7d8c533eae173c9b77a6719346c) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 6351a313f8..f8c104b33c 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c 
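Review bot: In vc1_decode_p_blocks a negative `ret` is handled by the bits-overconsumption branch, so the macroblock error code is discarded and the log line prints bit counters that need not show any overrun; the loop-filter call between the decode and the check also still runs on the failed macroblock. A separate `if (ret < 0)` branch that logs ret would keep the two causes apart. The earlier hunks make vc1_decode_b_mb(), vc1_decode_b_mb_intfi() and vc1_decode_b_mb_intfr() return the error as well, but no hunk in this diff changes their caller, so it is worth confirming that the B-picture path consumes the value. The function body continues outside the hunk.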
@@ -92,6 +92,9 @@ static int lz4_decompress(AVCodecContext *avctx, } while (current == 255); } + if (bytestream2_get_bytes_left(gb) < num_literals) + return AVERROR_INVALIDDATA; + if (pos + num_literals < HISTORY_SIZE) { bytestream2_get_buffer(gb, history + pos, num_literals); pos += num_literals; From 5615bb5391b37a741fdaed29d8f679d9e5f79fc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 22:17:48 +0200 Subject: [PATCH 483/606] avformat/argo_brp: Check that ASF chunk header is completely read Fixes: Use of uninitialized value Fixes: 71280/clusterfuzz-testcase-minimized-ffmpeg_dem_ARGO_BRP_fuzzer-4692991866896384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 815d00868101956e2f1f9f8dd509c11af5a63684) Signed-off-by: Michael Niedermayer --- libavformat/argo_brp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/argo_brp.c b/libavformat/argo_brp.c index 2ccdbd3e5b..96928db5ef 100644 --- a/libavformat/argo_brp.c +++ b/libavformat/argo_brp.c @@ -379,8 +379,8 @@ static int argo_brp_read_packet(AVFormatContext *s, AVPacket *pkt) if (blk.size < ASF_CHUNK_HEADER_SIZE) return AVERROR_INVALIDDATA; - if ((ret = avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE)) < 0) - return ret; + if (avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE) != ASF_CHUNK_HEADER_SIZE) + return AVERROR_INVALIDDATA; ff_argo_asf_parse_chunk_header(&ckhdr, buf); From 9385f0f8571ebd8e498a12d84815a0b30c60b6e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:04 +0200 Subject: [PATCH 484/606] avcodec/wmavoice: Do not use uninitialized pitch[0] Fixes: use of uninitialized value Fixes: 70850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-4806127362048000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 53387079301690f1bd38b97fdf31d63194201d17) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index dd7cc64d63..19313615fa 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1505,6 +1505,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* Parse frame type ("frame header"), see frame_descs */ int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples; + pitch[0] = INT_MAX; + if (bd_idx < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid frame type VLC code, skipping\n"); @@ -1622,6 +1624,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, double i_lsps[MAX_LSPS]; float lpcs[MAX_LSPS]; + if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX) + return AVERROR_INVALIDDATA; + for (n = 0; n < s->lsps; n++) // LSF -> LSP i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n])); ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1); From 25ed81a6d26aa1d4d91aa78acb54de68a82f373d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:05 +0200 Subject: [PATCH 485/606] avformat/mvdec: Check if name was fully read Fixes: use of uninitialized value Fixes: 70901/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-6341913949569024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e39795c75e664ef06f17473adec8c75fcf9de6f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index b37fe2ce69..388a5f07d1 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c 
@@ -254,7 +254,8 @@ static int read_table(AVFormatContext *avctx, AVStream *st, if (avio_feof(pb)) return AVERROR_EOF; - avio_read(pb, name, 16); + if (avio_read(pb, name, 16) != 16) + return AVERROR_INVALIDDATA; name[sizeof(name) - 1] = 0; size = avio_rb32(pb); if (size < 0) { From ae51c55998511f15fdd289cc62ded5291db63afb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:03:55 +0200 Subject: [PATCH 486/606] avcodec/vc2enc: basic sanity check on slice_max_bytes Fixes: left shift of 896021632 by 3 places cannot be represented in type 'int' Fixes: 70544/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6685593652756480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6df9a0292ca6c29ef3b220fbf9b257924cabf035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 9e5e491b6d..86e13da37f 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -985,7 +985,7 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); - if (s->slice_min_bytes < 0) + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); From 681c911ff9a897653e51554b8029643ab81c1d9a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:08:42 +0200 Subject: [PATCH 487/606] swscale/swscale: Use unsigned operation to avoid undefined behavior I have not checked that the constant is correct, this just fixes the undefined behavior Fixes: signed integer overflow: -646656 * 3517 cannot be represented in type 'int Fixes: 70559/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5209368631508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44c5641ae82387fcfce94820f5b53ce8e9dcd27f) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index f08f2ac3b7..87314c2edb 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -223,7 +223,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; } From dd75f38d7884c13c4e391b467cf0b23f77bbd93d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:51:53 +0200 Subject: [PATCH 488/606] swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() Fixes: signed integer overflow: -1082982400 + -1083218484 cannot be represented in type 'int' Fixes: 70657/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6707819712675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd80c97391969f9dbb312d6c498211ad85bb67cb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index e8dd2145ce..d5b457541c 100644 
--- a/libswscale/output.c +++ b/libswscale/output.c @@ -1150,8 +1150,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; 
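Review bot: Y1 and Y2 become `unsigned` in yuv2rgba64_2_c_template without a comment, and the reason only shows in the next hunk, where each sum is cast back with `(int)(R_B + Y1)` before the shift. A comment at the declaration, e.g. `/* unsigned so the offset/coefficient arithmetic may wrap; cast to int before >> 14 */`, would keep a later cleanup from reverting the type. The arithmetic between the two hunks is not shown, so the exact wrap site is inferred rather than visible here.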
@@ -1175,20 +1175,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 8080c0276d297ee73e4acbb4c4751f486d265214 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:29:04 +0200 Subject: [PATCH 489/606] avformat/mxfdec: More offset_temp checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long' Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a96aa435af0d66bdec52ee115cf4dd971855fcd) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e2d8eecbb8..6369a601d2 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1931,6 +1931,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp) + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } From dc9b056e2afa4c171de35d7e703edd8f5677f755 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:05:24 +0200 Subject: [PATCH 490/606] avformat/mxfdec: Check timecode for overflow Fixes: signed integer overflow: 9223372036840103968 + 538976288 cannot be represented in type 'long' Fixes: 70604/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4844090340999168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
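Review bot: The added guard tests `s->edit_unit_byte_count` only for non-zero, so a negative value would turn `INT64_MAX / s->edit_unit_byte_count` into a negative bound and the two comparisons would no longer mean what they say. The field types and any parse-time validation are outside this hunk; if `edit_unit_byte_count` is a signed value taken from the file, reject it first with `if (s->edit_unit_byte_count < 0) return AVERROR_INVALIDDATA;`. The guard also relies on `offset_temp` being non-negative, since `INT64_MAX - offset_temp` is itself a signed subtraction. The enclosing function continues outside the hunk.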
Signed-off-by: Michael Niedermayer (cherry picked from commit 6be3786c828edfd60d810c98a42a43eeac4f050c) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 6369a601d2..edb0de6df4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2403,6 +2403,9 @@ static int mxf_parse_physical_source_package(MXFContext *mxf, MXFTrack *source_t physical_track->edit_rate, source_track->edit_rate); + if (av_sat_add64(start_position, mxf_tc->start_frame) != start_position + (uint64_t)mxf_tc->start_frame) + return AVERROR_INVALIDDATA; + if (av_timecode_init(&tc, mxf_tc->rate, flags, start_position + mxf_tc->start_frame, mxf->fc) == 0) { mxf_add_timecode_metadata(&st->metadata, "timecode", &tc); return 0; From 63623f15c3d43fe8e9d2d40ec661d69772227b6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 19:43:03 +0200 Subject: [PATCH 491/606] avcodec/osq: Treat sum = 0 as k = 0 We have no valid sample that triggers this so we do not know if this would decode correctly, but -inf is not the correct k value Fixes: Assertion n>=0 && n<=32 failed at libavcodec/get_bits.h:423 Fixes: -inf is outside the range of representable values of type 'int' Fixes: 70709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6223623839350784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit ad35eaf848bb605d9b2b3a638265ac9d385878e3) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 1663f0b15f..826b9f1454 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -159,6 +159,8 @@ static int update_residue_parameter(OSQChannel *cb) int rice_k; sum = cb->sum; + if (!sum) + return 0; x = sum / cb->count; rice_k = ceil(log2(x)); if (rice_k >= 30) { 
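Review bot: The overflow test covers the 64-bit sum, but the value passed two lines later, `start_position + mxf_tc->start_frame`, goes into `av_timecode_init()`, whose `frame_start` parameter is an `int`, so a sum outside the `int` range is still narrowed silently. If `start_position` is 64-bit, as the use of `av_sat_add64` suggests, compute the sum once and range-check it, e.g. `if (sum < INT_MIN || sum > INT_MAX) return AVERROR_INVALIDDATA;`. Comparing a saturating add with a wrapping add is also hard to read at a glance; a one-line comment saying it detects signed overflow would help. The function body starts and ends outside the hunk.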
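Review bot: `if (!sum) return 0;` removes the exact-zero case, but `rice_k = ceil(log2(x))` still yields a negative value when `x` is small enough (for example `x <= 0.5`), and is not finite if `cb->count` is zero. The only bound visible in this hunk is `rice_k >= 30`, and the declarations of `sum` and `x` are above it, so this is a question to confirm rather than a proven defect: can `x` be fractional here, and is `cb->count` guaranteed non-zero? If it can, testing the quotient instead, e.g. `if (x < 1) return 0;` after the division, would cover zero and the fractional range together.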
From 532b51def0953e2926ba77f478ae1ffafad24871 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 19:56:48 +0200 Subject: [PATCH 492/606] avformat/asf: Check picsize Fixes: signed integer overflow: 1073750247 * 2 cannot be represented in type 'int' Fixes: 70722/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5447231587549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fde8637fda8e5ac4ccfa4b137a7467e16cd631b6) Signed-off-by: Michael Niedermayer --- libavformat/asf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/asf.c b/libavformat/asf.c index 1285062220..2a5859ed68 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -89,8 +89,8 @@ static int asf_read_picture(AVFormatContext *s, int len) return 0; } - if (picsize >= len) { - av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d >= %d.\n", + if (picsize >= len || ((int64_t)len - picsize) * 2 + 1 > INT_MAX) { + av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d (len = %d).\n", picsize, len); return AVERROR_INVALIDDATA; } From 12fd2386fc6645c8c1de3e5d9c6b837fad8ed011 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 21:57:09 +0200 Subject: [PATCH 493/606] avcodec/jfdctint_template: use unsigned z* in row_fdct() Fixes: signed integer overflow: 856827136 + 2123580416 cannot be represented in type 'int' Fixes: 70772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-5180569961431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f27c8b04d3059fa538db8f2db6503cbb586eb3ad) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index aa2680132e..58827b677e 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From f9f80bb9541c07c3d7c2dc49ee3283227b19053d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 22:03:37 +0200 Subject: [PATCH 494/606] avcodec/osq: use unsigned for decorrelation Fixes: signed integer overflow: 1205469696 + 1901074655 cannot be represented in type 'int' Fixes: 70773/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5419594888577024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9f588af9530e5e6f9422ffa0d8e8dc8f80a2ae1) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 826b9f1454..6db25a3ffc 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -341,7 +341,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int if (nb_channels == 2 && ch == 1) { if (decorrelate) - dst[n] += s->decode_buffer[0][OFFSET+n]; + dst[n] += (unsigned)s->decode_buffer[0][OFFSET+n]; } if (downsample) From b20ee0c9564df7853653735465d7585ab07fb302 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 19 Sep 2024 22:32:36 +0200 Subject: [PATCH 495/606] avcodec/cbs_h266_syntax_template: Check bit depth with range extension Fixes: shift exponent 62 is too large for 32-bit type 'int' Fixes: 71020/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6444916325023744 Fixes: 71285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4761971281428480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d25b9665edb45c31ad6dda9612fd6e63fc289f3) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h266_syntax_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 439d863b8f..b903e4c91f 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -1616,6 +1616,8 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw, ub(7, sps_extension_7bits); if (current->sps_range_extension_flag) { + if (current->sps_bitdepth_minus8 <= 10 - 8) + return AVERROR_INVALIDDATA; CHECK(FUNC(sps_range_extension)(ctx, rw, current)); } else { infer(sps_extended_precision_flag, 0); From 0203e0c78a20426a9ccc3663338b9023db8fb3df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:33:49 +0200 Subject: [PATCH 496/606] avcodec/encode: Check bitrate Fixes: -1.80923e+19 is outside the range of representable values of type 'long' Fixes: 71103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6542773681979392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74385dd496bdcda9a6e029fabf4946f2234a0d13) Signed-off-by: Michael Niedermayer --- libavcodec/encode.c | 5 +++++ 1 file changed, 5 insertions(+) 
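Review bot: The new `return AVERROR_INVALIDDATA;` gives no diagnostic and the bound `10 - 8` is unexplained, so someone looking at a rejected stream has nothing to go on. The condition rejects `sps_range_extension_flag` when the bit depth is 10 or less; say so in a comment and log it, e.g. `av_log(ctx->log_ctx, AV_LOG_ERROR, "sps_range_extension_flag set with bit depth <= 10.\n");`. The enclosing `FUNC(sps)` body starts and ends outside the hunk.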
diff --git a/libavcodec/encode.c b/libavcodec/encode.c index a436be2657..111f8f10cc 100644 --- a/libavcodec/encode.c +++ b/libavcodec/encode.c @@ -753,6 +753,11 @@ int ff_encode_preinit(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->bit_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "The encoder bitrate is negative.\n"); + return AVERROR(EINVAL); + } + if (avctx->flags & AV_CODEC_FLAG_COPY_OPAQUE && !(avctx->codec->capabilities & AV_CODEC_CAP_ENCODER_REORDERED_OPAQUE)) { av_log(avctx, AV_LOG_ERROR, "The copy_opaque flag is set, but the " From 5b7bd5b7e13a86089b66f516d187a28956f5e962 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:41:39 +0200 Subject: [PATCH 497/606] tools/target_dec_fuzzer: Adapt threshold for RASC Fixes: Timeout Fixes: 71108/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-4799330484027392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a823fbcfae33c8022086cbdea94e8e6d7b32ec1) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 0396f8f67a..39b6449ba1 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -283,7 +283,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_PRORES: maxpixels /= 256; break; case AV_CODEC_ID_RKA: maxsamples /= 65536; break; case AV_CODEC_ID_RSCC: maxpixels /= 256; break; - case AV_CODEC_ID_RASC: maxpixels /= 16; break; + case AV_CODEC_ID_RASC: maxpixels /= 256; break; case AV_CODEC_ID_RTV1: maxpixels /= 16; break; case AV_CODEC_ID_SANM: maxpixels /= 16; break; case AV_CODEC_ID_SCPR: maxpixels /= 32; break; From b614243a5e3ad8f21423854e9eab1154eb1a3393 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:57:31 +0200 Subject: [PATCH 498/606] avcodec/eacmv: Check input size for intra frames Fixes: Timeout Fixes: 71135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EACMV_fuzzer-6251879028293632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3a1cbbf5d99337b5e99260eb95c84e65c7587f6) Signed-off-by: Michael Niedermayer --- libavcodec/eacmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 43dba20fae..15d3550cb8 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -194,12 +194,15 @@ static int cmv_decode_frame(AVCodecContext *avctx, AVFrame *frame, if ((ret = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) return ret; + buf += EA_PREAMBLE_SIZE; + if (!(buf[0]&1) && buf_end - buf < s->width * s->height * (int64_t)(100 - s->avctx->discard_damaged_percentage) / 100) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; memcpy(frame->data[1], s->palette, AVPALETTE_SIZE); - buf += EA_PREAMBLE_SIZE; if ((buf[0]&1)) { // subtype cmv_decode_inter(s, frame, buf+2, buf_end); frame->flags &= ~AV_FRAME_FLAG_KEY; From 3c961c4b2915e8e29ba7409bdd61fbb8370ae1ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 20:31:58 +0200 Subject: [PATCH 499/606] avcodec/svq3: Check for minimum size input Fixes: Timeout Fixes: 71295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-4999941125111808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 050b5e85cbe61414ba9b78f76a04b2488e816f42) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 3 +++ 1 file changed, 3 insertions(+) 
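Review bot: `buf[0]` is now read right after `buf += EA_PREAMBLE_SIZE`, before anything in this hunk confirms that `buf < buf_end`. The same read existed further down before the change and a length check may exist above the hunk, so this is to confirm: if only the preamble length is guaranteed, add `if (buf >= buf_end) return AVERROR_INVALIDDATA;` before the subtype test. In the size estimate, `s->width * s->height` is multiplied as `int` before the `(int64_t)` factor applies; that presumably relies on the `av_image_check_size()` call just above to bound the product, which deserves a short comment.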
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 2d03dbc457..bafde0b946 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1399,6 +1399,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, AVFrame *rframe, if (svq3_decode_slice_header(avctx)) return -1; + if (avpkt->size < s->mb_width * s->mb_height / 8) + return AVERROR_INVALIDDATA; + s->pict_type = s->slice_type; if (s->pict_type != AV_PICTURE_TYPE_B) From 33982114f453c03e6f53184c27bbc2eca611fb12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 22:47:03 +0200 Subject: [PATCH 500/606] avcodec/imm4: Check input size Fixes: Timeout Fixes: 71324/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IMM4_fuzzer-5388489435185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8367d7e184562f8b9f410c0f325596f7e041884f) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index 1a2e563080..345b7f8001 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -452,6 +452,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, if (ret < 0) return ret; + if (((avctx->width + 15) / 16) * ((avctx->height + 15) / 16) > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + + if ((ret = ff_get_buffer(avctx, frame, (frame->flags & AV_FRAME_FLAG_KEY) ? AV_GET_BUFFER_FLAG_REF : 0)) < 0) return ret; From ac69261b7b7320f65d463e5bbbbe61d26a5f5816 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 23:15:35 +0200 Subject: [PATCH 501/606] avcodec/xan: Add basic input size check Fixes: Timeout Fixes: 71739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_WC3_fuzzer-6170301405134848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe 
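Review bot: The new minimum-size test `avpkt->size < s->mb_width * s->mb_height / 8` carries no comment on where the bound comes from; as written it amounts to one bit per macroblock, rounded down. The same applies to the block-count test against `get_bits_left(gb)` in the imm4 patch that follows and to `buf_size < 9` in the xan patch after it. The commit messages give only "Timeout" as the reason, so these read as plausibility bounds, not format rules; each should say so in a comment, e.g. `/* reject packets too small to hold one bit per macroblock */`, so nobody later treats them as format rules or tightens them blindly. All three functions continue outside their hunks.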
Signed-off-by: Michael Niedermayer (cherry picked from commit 56bef2fd58d0ed30dbe940083c30ada2b0404491) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index cc0ecea5eb..56675dbbb1 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -607,6 +607,9 @@ static int xan_decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; } + if (buf_size < 9) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; From 5f748c34f60f2443f4b2d7df5901a55e516902a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2024 23:43:09 +0200 Subject: [PATCH 502/606] avcodec/ffv1enc: Fix >8bit context size Fixes: Ticket5405 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a9c83e43f2fc9128e20851291b0270add1a6b95f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 2778c63012..65074e96b8 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
@@ -722,19 +722,21 @@ static av_cold int encode_init(AVCodecContext *avctx) s->quant_tables[1][2][i]= 11*11*quant5 [i]; s->quant_tables[1][3][i]= 5*11*11*quant5 [i]; s->quant_tables[1][4][i]= 5*5*11*11*quant5 [i]; + s->context_count[0] = (11 * 11 * 11 + 1) / 2; + s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; } else { s->quant_tables[0][0][i]= quant9_10bit[i]; - s->quant_tables[0][1][i]= 11*quant9_10bit[i]; - s->quant_tables[0][2][i]= 11*11*quant9_10bit[i]; + s->quant_tables[0][1][i]= 9*quant9_10bit[i]; + s->quant_tables[0][2][i]= 9*9*quant9_10bit[i]; s->quant_tables[1][0][i]= quant9_10bit[i]; - s->quant_tables[1][1][i]= 11*quant9_10bit[i]; - s->quant_tables[1][2][i]= 11*11*quant5_10bit[i]; - s->quant_tables[1][3][i]= 5*11*11*quant5_10bit[i]; - s->quant_tables[1][4][i]= 5*5*11*11*quant5_10bit[i]; + s->quant_tables[1][1][i]= 9*quant9_10bit[i]; + s->quant_tables[1][2][i]= 9*9*quant5_10bit[i]; + s->quant_tables[1][3][i]= 5*9*9*quant5_10bit[i]; + s->quant_tables[1][4][i]= 5*5*9*9*quant5_10bit[i]; + s->context_count[0] = (9 * 9 * 9 + 1) / 2; + s->context_count[1] = (9 * 9 * 5 * 5 * 5 + 1) / 2; } } - s->context_count[0] = (11 * 11 * 11 + 1) / 2; - s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; memcpy(s->quant_table, s->quant_tables[s->context_model], sizeof(s->quant_table)); From 5c7df3f446501214572462842063cad9288719f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2024 23:42:50 +0200 Subject: [PATCH 503/606] avcodec/ffv1enc: 2Pass mode is not possible with golomb coding "Fixes" Ticket7063 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 417b163c00555ccda201a963e797bfa663a26ff5) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 65074e96b8..d10a68e5ac 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
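Review bot: `s->context_count[0]` and `s->context_count[1]` are now assigned inside the two branches that fill `s->quant_tables[...][i]`, which by the `[i]` indexing sit inside the per-entry loop (its header is above the hunk), so the same two constants are rewritten on every iteration. The result is correct, but the counts do not depend on `i`; setting them once after the loop, under the same condition that selects the branch, keeps the table fill and the context sizing visibly separate. A comment tying `9 * 9 * 9` and `9 * 9 * 5 * 5 * 5` to the multipliers used for `quant9_10bit`/`quant5_10bit` would make explicit the invariant that this patch restores.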
@@ -526,6 +526,11 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->slices > 1) s->version = FFMAX(s->version, 2); + if ((avctx->flags & (AV_CODEC_FLAG_PASS1 | AV_CODEC_FLAG_PASS2)) && s->ac == AC_GOLOMB_RICE) { + av_log(avctx, AV_LOG_ERROR, "2 Pass mode is not possible with golomb coding\n"); + return AVERROR(EINVAL); + } + // Unspecified level & slices, we choose version 1.2+ to ensure multithreaded decodability if (avctx->slices == 0 && avctx->level < 0 && avctx->width * avctx->height > 720*576) s->version = FFMAX(s->version, 2); From a196cbd88c6a1dca3bc3f0bea8402677d63def3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Oct 2023 22:23:33 +0200 Subject: [PATCH 504/606] avcodec/ffv1enc: Slice combination is unsupported We always write minimal slices, the size calculation is wrong in some corner cases but as its always 1x1 (minus1) we can for now just hard-code it This helps with ticket 5548 Signed-off-by: Michael Niedermayer (cherry picked from commit 7d514655bfa47c6e5cc1b81fbba8e750e368036e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index d10a68e5ac..d080ec3923 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -921,8 +921,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs) put_symbol(c, state, (fs->slice_x +1)*f->num_h_slices / f->width , 0); put_symbol(c, state, (fs->slice_y +1)*f->num_v_slices / f->height , 0); - put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0); - put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0); + put_symbol(c, state, 0, 0); + put_symbol(c, state, 0, 0); for (j=0; jplane_count; j++) { put_symbol(c, state, f->plane[j].quant_table_index, 0); av_assert0(f->plane[j].quant_table_index == f->context_model); From eb27af78bebafd3faad7bd28712bef3a96d96a95 Mon Sep 17 00:00:00 2001 
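Review bot: In the `encode_slice_header` hunk the two replaced calls are now `put_symbol(c, state, 0, 0);` with nothing to say which header fields they write. The removed lines show these were the slice width and height minus one, and the commit message explains why they are constant; carry that into the code, e.g. `put_symbol(c, state, 0, 0); /* slice width minus1, always 0: slices are never combined */` and the matching comment for the height. The function body starts and ends outside the hunk.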
From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:04:58 +0200 Subject: [PATCH 505/606] avcodec/ffv1enc: Correct error message about unsupported version Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 556c767786e9e3c072f7666d60a68a31a3400438) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index d080ec3923..900052bdc6 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -555,7 +555,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->version = FFMAX(s->version, 3); if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { - av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); + av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; } From 32caf9cf567c4cde210baed40a526932dd86838c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 20:53:49 +0200 Subject: [PATCH 506/606] avformat/mov: Avoid overflow in dts This basically ignores the overflow without undefined behavior, alternatively we could detect and error out Fixes: signed integer overflow: 6310596683470275584 + 7660622966157213696 cannot be represented in type 'long' Fixes: 70433/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5483347233538048 Fixes: 369662284/clusterfuzz-testcase-minimized-media_metadata_parser_fuzzer-5327368763670528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 057b8c2066da3554072565744f4f00435cc3342b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavformat/mov.c b/libavformat/mov.c index 85675398e8..7f4ac9f36b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3210,10 +3210,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stts_data[i].duration = 1; corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count; } else { - corrected_dts += sample_duration * (int64_t)sample_count; + corrected_dts += sample_duration * (uint64_t)sample_count; } - current_dts += sc->stts_data[i].duration * (int64_t)sample_count; + current_dts += sc->stts_data[i].duration * (uint64_t)sample_count; if (current_dts > corrected_dts) { int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1); From 8d26e6b36f9a797c1ccca766fff11012adee2326 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 22:08:23 +0200 Subject: [PATCH 507/606] avformat/matroskadec: Check desc_bytes so bits fit in 64bit Likely a tighter check can be done Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long' Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4122406f6d2726aea833480a2a8e345833dd881) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 171863a925..236c0532e0 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
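Review bot: With both accumulators now allowed to wrap, the context line `int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1);` can itself overflow: after a wrap `current_dts` may be large and positive while `corrected_dts` is large and negative, and the `current_dts > corrected_dts` test does not bound their difference. This assumes both are `int64_t`, which the declarations outside the hunk should confirm. The other branch, `corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count;`, is also still a signed accumulation. Either do the subtraction in `uint64_t` too or, as the commit message mentions, detect the overflow and return `AVERROR_INVALIDDATA`.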
@@ -4585,7 +4585,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; - if (desc_bytes <= 0) + if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8) return -1; desc_sec = desc_ns / nano_seconds_per_second; From 6b004f3269448fda6e3c57a90f06483149ae4680 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:06:40 +0200 Subject: [PATCH 508/606] avcodec/ffv1enc: Prevent generation of files with broken slices Fixes: Ticket5548 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b7ff66a35804275b25c1176cad560540785e8750) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 7 +++++++ libavcodec/ffv1.h | 1 + libavcodec/ffv1enc.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index b6204740ed..2660cae208 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -103,6 +103,13 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) return 0; } +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift) { + int mpw = 1<num_h_slices * f->num_v_slices; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 04869da5c9..bbe0839868 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -142,6 +142,7 @@ int ff_ffv1_init_slice_contexts(FFV1Context *f); int ff_ffv1_allocate_initial_states(FFV1Context *f); void ff_ffv1_clear_slice_state(const FFV1Context *f, FFV1Context *fs); int ff_ffv1_close(AVCodecContext *avctx); +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift); static av_always_inline int fold(int diff, int bits) { diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 900052bdc6..51c3d2099a 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
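Review bot: `desc_bytes` and `desc_ns` are each produced by a signed 64-bit subtraction before any check runs, so the new `desc_bytes > INT64_MAX/8` test only helps when those subtractions did not overflow themselves. That can happen if any of the four cue fields may be negative, which this hunk does not show. The visible lines also do not reject `desc_ns <= 0` before `desc_sec = desc_ns / nano_seconds_per_second;`. If the fields are not validated earlier, check `desc_end.end_offset >= desc_beg.start_offset` and the matching time order before subtracting.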
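Review bot: In the `ffv1.h` hunk, `ff_need_new_slices` is the only declaration shown without the `ff_ffv1_` prefix its neighbours use (`ff_ffv1_init_slice_contexts`, `ff_ffv1_clear_slice_state`, `ff_ffv1_close`), and as a non-static symbol it lands in the shared `ff_` namespace. Renaming it `ff_ffv1_need_new_slices` at the declaration, definition and call sites would match the file. A one-line comment on the declaration stating what a non-zero return means would help too, since the name alone does not say.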
@@ -873,6 +873,10 @@ static av_cold int encode_init(AVCodecContext *avctx) continue; if (maxw * maxh * (int64_t)(s->bits_per_raw_sample+1) * plane_count > 8<<24) continue; + if (s->version < 4) + if ( ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) + ||ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift)) + continue; if (avctx->slices == s->num_h_slices * s->num_v_slices && avctx->slices <= MAX_SLICES || !avctx->slices) goto slices_ok; } From 49a3e45d228d7b3cfca364329ed7ae43474dd9fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2024 20:39:23 +0200 Subject: [PATCH 509/606] avcodec/ffv1dec: Fix end computation with ec=2 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 10e5af15bf220d9da128ca12d2d474ff6ab0076e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 97877b9106..65404bfb5d 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -363,7 +363,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (fs->ac != AC_GOLOMB_RICE && f->version > 2) { int v; get_rac(&fs->c, (uint8_t[]) { 129 }); - v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec; + v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; if (v) { av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v); fs->slice_damaged = 1; From 75424dcad8ee646ef33e5b582c478e7c98f05141 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Oct 2024 14:39:20 +0200 Subject: [PATCH 510/606] avcodec/rangecoder: only perform renorm check/loop for callers that need it Signed-off-by: Michael Niedermayer (cherry picked from commit d147b3d7ecba2bd40cb45284f920238da97a95ee) Signed-off-by: Michael Niedermayer --- libavcodec/rangecoder.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
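Review bot: The added test is an unbraced `if` nested in another unbraced `if` with `continue` as its only statement, sitting in a run of single `if (...) continue;` filters. Folding it into one condition keeps that pattern and avoids the dangling-else hazard: `if (s->version < 4 && (ff_need_new_slices(avctx->width, s->num_h_slices, s->chroma_h_shift) || ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift))) continue;`. The enclosing loop starts outside the hunk.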
diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h index 89d178ac31..110908d6bd 100644 --- a/libavcodec/rangecoder.h +++ b/libavcodec/rangecoder.h @@ -62,7 +62,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p); static inline void renorm_encoder(RangeCoder *c) { // FIXME: optimize - while (c->range < 0x100) { if (c->outstanding_byte < 0) { c->outstanding_byte = c->low >> 8; } else if (c->low <= 0xFF00) { @@ -81,7 +80,6 @@ static inline void renorm_encoder(RangeCoder *c) c->low = (c->low & 0xFF) << 8; c->range <<= 8; - } } static inline int get_rac_count(RangeCoder *c) @@ -108,7 +106,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit) *state = c->one_state[*state]; } - renorm_encoder(c); + while (c->range < 0x100) + renorm_encoder(c); } static inline void refill(RangeCoder *c) From fcf27d5792ff6f08bedde0e130a012b3e9d3d227 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:39:07 +0200 Subject: [PATCH 511/606] swscale/output: used unsigned for bit accumulation Fixes: Integer overflow Fixes: 368725672/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5009093023563776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fe3014405494503a03c2e6eff4743db91a21c00) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index d5b457541c..1fb188f87c 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -664,7 +664,7 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; 
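Review bot: `renorm_encoder()` now performs one renormalisation step unconditionally, so its contract changed from "safe to call at any time" to "call only while `c->range < 0x100`", and nothing in the header says so. `put_rac()` gets the loop in the last hunk of this patch, but any other caller of this inline function (none are visible here) must now supply its own check. Add a comment above the function, e.g. `/* One renormalisation step; the caller must ensure c->range < 0x100. */`, and re-indent the body, which as unchanged context still carries the indentation of the removed `while`.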
@@ -686,7 +686,8 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int Y, acc = 0; + int Y; + unsigned acc = 0; Y = (buf0[i + 0] * yalpha1 + buf1[i + 0] * yalpha) >> 19; accumulate_bit(acc, Y + d128[0]); @@ -721,7 +722,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; @@ -743,7 +744,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int acc = 0; + unsigned acc = 0; accumulate_bit(acc, ((buf0[i + 0] + 64) >> 7) + d128[0]); accumulate_bit(acc, ((buf0[i + 1] + 64) >> 7) + d128[1]); accumulate_bit(acc, ((buf0[i + 2] + 64) >> 7) + d128[2]); From 6175ec0e854fee7b8a214119cd9d75c985440f04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:47:34 +0200 Subject: [PATCH 512/606] avformat/mxfdec: Fix overflow in midpoint computation Fixes: signed integer overflow: 4611686016549392399 + 9223372033098784800 cannot be represented in type 'long long' Fixes: 368503277/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5928227458056192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23088a5ff2b549fa4fc037bb9ed833fffbc89ca0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index edb0de6df4..ffd7f3734a 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -3865,7 +3865,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; while (b - 1 > a) { - m = (a + b) >> 1; + m = (a + (uint64_t)b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; if (offset < current_offset) From 69c2996b8cd1434d46401db724b60f026f0365c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 23:44:00 +0200 Subject: [PATCH 513/606] avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen Fixes: use of uninitialized variable Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7b4fc89fb18d5ff0a1426bd433c234555a3fff) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e70fe90f06..692e0dfe15 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1673,6 +1673,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret; From 0a9edbc14d072ca6f1cd39deb32643de3ab7c16b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2024 18:23:50 +0100 Subject: [PATCH 514/606] INSTALL: explain the circular dependency issue and solution Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit df00705e0010cc2c53d17d51944f847c2c852189) Signed-off-by: Michael Niedermayer --- INSTALL.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 3b220bc6ff..bdf5814014 100644 --- a/INSTALL.md 
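Review bot: The unsigned midpoint `(a + (uint64_t)b) >> 1` is exact only while the true sum a + b is non-negative, and that precondition is not written down next to it. It holds here because a starts at -1 and the loop condition `b - 1 > a` forces b >= a + 2, provided a is only ever raised inside the loop. A one-line comment such as `/* a >= -1 and b >= a + 2 here, so a + b >= 0 and the unsigned sum is exact */` would record that. The rest of the loop and the declaration of m are outside the hunk.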
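Review bot: Only one field of `d` is zeroed before init_MP4DescrParseContext() runs, so any other member that function leaves unset is still indeterminate, and any other caller that declares its own MP4DescrParseContext gets nothing from this fix. Declaring it as `MP4DescrParseContext d = {0};`, or setting predefined_SLConfigDescriptor_seen inside init_MP4DescrParseContext() itself, would cover both. Which members the init function assigns is not visible in this hunk, so this should be confirmed against its body.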
+++ b/INSTALL.md @@ -15,3 +15,11 @@ NOTICE ------ - Non system dependencies (e.g. libx264, libvpx) are disabled by default. + +NOTICE for Package Maintainers +------------------------------ + + - It is recommended to build FFmpeg twice, first with minimal external dependencies so + that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat + can then be built. And last build FFmpeg with full dependancies (which may in turn depend on + some of these 3rd party packages). This avoids circular dependencies during build. From 86bb517500bde4eb822f01dde9644e0d580d6a77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:08:07 +0100 Subject: [PATCH 515/606] avformat/rpl: check channels Fixes: 42537199/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5447162658357248 Fixes: runtime error: signed integer overflow: -3330498059201358222 * 4 cannot be represented in type 'int64_t' (aka 'long') Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit beca13a42e9fb5341e8bd6356fd7d9c2d18aac9b) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 427738bbdb..70a6cf7595 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -202,6 +202,8 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->codec_tag = audio_format; ast->codecpar->sample_rate = read_line_and_int(pb, &error); // audio bitrate channels = read_line_and_int(pb, &error); // number of audio channels + if (channels <= 0) + return AVERROR_INVALIDDATA; error |= read_line(pb, line, sizeof(line)); ast->codecpar->bits_per_coded_sample = read_int(line, &endptr, &error); // audio bits per sample av_strlcpy(audio_type, endptr, RPL_LINE_LENGTH); From c0b5b173a3c888745654444e2e3bb61d6fdbb2c5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:18:36 +0100 Subject: [PATCH 516/606] avformat/mccdec: Initialize and check rate.den Fixes: Assertion c > 0 failed at libavutil/mathematics.c:61 Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-5939605805793280 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit bf8e43083f68c383b9d905d2c8c791ac33ecc7bc) Signed-off-by: Michael Niedermayer --- libavformat/mccdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mccdec.c b/libavformat/mccdec.c index 8c36b27f12..e6652b3ae7 100644 --- a/libavformat/mccdec.c +++ b/libavformat/mccdec.c @@ -92,7 +92,7 @@ static int mcc_read_header(AVFormatContext *s) { MCCContext *mcc = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - AVRational rate; + AVRational rate = {0}; int64_t ts, pos; uint8_t out[4096]; char line[4096]; @@ -138,7 +138,7 @@ static int mcc_read_header(AVFormatContext *s) continue; } - if (av_sscanf(line, "%d:%d:%d:%d", &hh, &mm, &ss, &fs) != 4) + if (av_sscanf(line, "%d:%d:%d:%d", &hh, &mm, &ss, &fs) != 4 || rate.den <= 0) continue; ts = av_sat_add64(av_rescale(hh * 3600LL + mm * 60LL + ss, rate.num, rate.den), fs); From 56f582a0511a968b7cd37acf800177dd8997527a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:43:21 +0100 Subject: [PATCH 517/606] avformat/nistspheredec: Clear buffer Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6515855798632448-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 898f6582eb51bf77b1f88e8f55eab67ee6ee13b8) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 85aa5e2cbf..860feff9c1 100644 
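Review bot: With `rate.den <= 0` folded into the sscanf condition at -138, every caption line is skipped silently when no usable time code rate was parsed, so a file with a missing or malformed rate header demuxes to an empty stream with no diagnostic. Logging once when a timestamp line is met while rate.den <= 0, for example `av_log(s, AV_LOG_WARNING, "No valid time code rate, skipping caption lines\n");`, would make that visible. The code that fills `rate` is outside both hunks, so where to latch the one-time warning has to be decided against the full function.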
--- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -34,7 +34,7 @@ static int nist_probe(const AVProbeData *p) static int nist_read_header(AVFormatContext *s) { - char buffer[256], coding[32] = "pcm", format[32] = "01"; + char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01"; int bps = 0, be = 0; int32_t header_size = -1; AVStream *st; From f9afec08e164983260886103a252b064c0ddbae4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:47:07 +0100 Subject: [PATCH 518/606] avformat/ilbc: Check avio_read() for failure Fixes: use of uninitialized value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit e30d957a9bacf7f7307c640aa0bd1e70cb3bbe7e) Signed-off-by: Michael Niedermayer --- libavformat/ilbc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ilbc.c b/libavformat/ilbc.c index 6b5bb33b62..4c2cc531cd 100644 --- a/libavformat/ilbc.c +++ b/libavformat/ilbc.c @@ -71,7 +71,8 @@ static int ilbc_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 9); + if (avio_read(pb, header, 9) != 9) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) From 5b1eac14f312bf5d414218c281f36e8ea3d67aaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:54:29 +0100 Subject: [PATCH 519/606] avformat/vividas: Check avio_read() for failure Fixes: use of uninitialized value (untested) Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5505802505355264 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 96d45c3b212689f82bff2530c3637405df9e9369) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
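Review bot: The added initializer is written `buffer[256]= {0}`, without the space before `=` that the other two initializers on the same line use; `char buffer[256] = {0}, coding[32] = "pcm", format[32] = "01";` keeps the declaration consistent. Zero-filling the array also hides rather than removes whatever read of `buffer` happened before it was written. That read is outside this hunk, so it is worth checking whether a failed or empty line read there should be treated as an error instead.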
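Review bot: A failed read is reported as AVERROR_INVALIDDATA here even when avio_read() returned a negative error code, so an I/O or protocol error reaches the caller as a corrupt-file error. Keeping the code with a local `int ret`, `ret = avio_read(pb, header, 9);` then `if (ret != 9) return ret < 0 ? ret : AVERROR_INVALIDDATA;`, preserves the cause; libavformat's internal ffio_read_size() helper does the same in one call. The same pattern is added in vividas.c (viv_read_header), qcp.c (qcp_read_header), mxfdec.c (mxf_read_indirect_value) and rmdec.c (rm_read_audio_stream_info) later in this series.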
diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 2f47d65c7c..a52ac90a63 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -565,7 +565,8 @@ static int viv_read_header(AVFormatContext *s) v = avio_r8(pb); avio_seek(pb, v, SEEK_CUR); - avio_read(pb, keybuffer, 187); + if (avio_read(pb, keybuffer, 187) != 187) + return AVERROR_INVALIDDATA; key = decode_key(keybuffer); viv->sb_key = key; From ca0bafde6e2c9bd495696d8e01fbca4ac4067724 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Nov 2024 21:32:53 +0100 Subject: [PATCH 520/606] doc/developer: Document relationship between git accounts and MAINTAINERS This should have been documented long ago and i thought it was Signed-off-by: Michael Niedermayer (cherry picked from commit 7051825b0171bd5d566c5a5cc78852c5f3aa3072) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 3795e2c5ed..4672b42bc7 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -933,6 +933,25 @@ In case you need finer control over how valgrind is invoked, use the @code{--target-exec='valgrind } option in your configure line instead. +@anchor{Maintenance} +@chapter Maintenance process + +@anchor{MAINTAINERS} +@section MAINTAINERS + +The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}. +Being listed in @file{MAINTAINERS}, gives one the right to have git write access to +the specific repository. + +@anchor{Becoming a maintainer} +@section Becoming a maintainer + +People add themselves to @file{MAINTAINERS} by sending a patch like any other code +change. These get reviewed by the community like any other patch. It is expected +that, if someone has an objection to a new maintainer, she is willing to object +in public with her full name and is willing to take over maintainership for the area. + + @anchor{Release process} @chapter Release process 
From acebef4efc7b563ac3c76c0fcffedf78f0e2ce9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 11:07:27 +0100 Subject: [PATCH 521/606] avformat/icodec: fix integer overflow with nb_pal Fixes: runtime error: signed integer overflow Fixes: 42536949/clusterfuzz-testcase-minimized-fuzzer_loadfile-6199846684393472 Found-by: ossfuzz Reported-by: Kacper Michajlow Tested-by: Kacper Michajlow Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 84569b6c22cb4eda9c682aabeb5f658112126780) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 85dab3bca0..ae1436397a 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -196,7 +196,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } - if (image->nb_pal > INT_MAX / 4 - 14 - 40) + if (image->nb_pal > INT_MAX / 4 - 14 - 40U) return AVERROR_INVALIDDATA; AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); From 0bbd0c0eee0006609a86e5cbddceb2449b8e46ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 23:55:05 +0100 Subject: [PATCH 522/606] avcodec/mjpegdec: Disallow progressive bayer images Fixes: Null pointer dereference Fixes: sample1.dng Found-by: South East <8billion.people@gmail.com> Signed-off-by: Michael Niedermayer (cherry picked from commit 6d8285633d8965658dfa6cd0b201cca36184c467) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 8676155ecf..7b3528c429 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
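Review bot: The `40U` suffix makes the right-hand side unsigned, so the comparison rejects a negative nb_pal only through implicit conversion, which is easy to undo by accident in a later clean-up. Spelling it out as `if (image->nb_pal < 0 || image->nb_pal > INT_MAX / 4 - 14 - 40)` states both bounds and does not depend on promotion rules. This assumes nb_pal is a signed int, as the overflow report suggests; its declaration is outside the hunk. The `10ULL` divisors added to read_fps() in rpl.c later in this series rely on the same conversion for num and den.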
@@ -468,6 +468,10 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (s->avctx->height <= 0) return AVERROR_INVALIDDATA; } + if (s->bayer && s->progressive) { + avpriv_request_sample(s->avctx, "progressively coded bayer picture"); + return AVERROR_INVALIDDATA; + } if (s->got_picture && s->interlaced && (s->bottom_field == !s->interlace_polarity)) { if (s->progressive) { From d2077aeb8e13ff894b671f3bd40e0244f70ec062 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 03:22:27 +0100 Subject: [PATCH 523/606] avcodec/h2645_parse: Ignore NAL with nuh_layer_id == 63 Comply with "For purposes other than determining the amount of data in the decoding units of the bitstream, decoders shall ignore all data that follow the value 63 for nuh_layer_id in a NAL unit" Rec. ITU-T H.265 v8 (08/2021) Page 67 Fixes: index 63 out of bounds for type 'const int8_t[63]' (aka 'const signed char[63]') Fixes: clusterfuzz-testcase-fuzzer_loadfile-5109286752026624 Reported-by: Kacper Michajlow Found-by: ossfuzz Signed-off-by: Michael Niedermayer (cherry picked from commit 360e7cafd0e65fdf4b186c95e2517a94b9f3fa4f) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 28db465059..6b0a256357 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -578,9 +578,11 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, if (codec_id == AV_CODEC_ID_VVC) ret = vvc_parse_nal_header(nal, logctx); - else if (codec_id == AV_CODEC_ID_HEVC) + else if (codec_id == AV_CODEC_ID_HEVC) { ret = hevc_parse_nal_header(nal, logctx); - else + if (nal->nuh_layer_id == 63) + continue; + } else ret = h264_parse_nal_header(nal, logctx); if (ret < 0) { av_log(logctx, AV_LOG_WARNING, "Invalid NAL unit %d, skipping.\n", From d1cdc5a187405ab3d37b3be4789729416e5b78aa Mon Sep 17 00:00:00 2001 
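Review bot: The new branch calls avpriv_request_sample(), which asks users to send in a file for an unimplemented feature, but then returns AVERROR_INVALIDDATA as if the stream were malformed. If progressive bayer is meant to be unsupported rather than illegal, `return AVERROR_PATCHWELCOME;` matches the request-sample message; if it is meant to be rejected as invalid, a plain `av_log(s->avctx, AV_LOG_ERROR, ...)` is the more accurate report. ff_mjpeg_decode_sof() continues outside the hunk.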
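Review bot: `nal->nuh_layer_id == 63` is tested before `ret` is checked, so when hevc_parse_nal_header() fails the skip decision is made on a field that call may not have written. Testing `if (ret >= 0 && nal->nuh_layer_id == 63) continue;` keeps the failure path on the existing "Invalid NAL unit" warning. Whether the header parser sets nuh_layer_id before every error return is not visible here, and the loop this `continue` belongs to starts outside the hunk.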
From: Michael Niedermayer Date: Sat, 19 Oct 2024 00:08:03 +0200 Subject: [PATCH 524/606] swscale/slice: clear allocated memory in alloc_lines() Fixes: use of uninitialized memory in hScale16To15_c() Fixes: 373924007/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5841199968092160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aeec39f3c1be82863efe64ce95242de58e075e8f) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index db1c696727..9dff91c18d 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width) for (j = 0; j < n; ++j) { // chroma plane line U and V are expected to be contiguous in memory // by mmx vertical scaler code - s->plane[i].line[j] = av_malloc(size * 2 + 32); + s->plane[i].line[j] = av_mallocz(size * 2 + 32); if (!s->plane[i].line[j]) { free_lines(s); return AVERROR(ENOMEM); From 2b8db70e2317ea8b98f22caa9c69b6a0d341d491 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 01:15:53 +0200 Subject: [PATCH 525/606] avformat/dxa: check bpc Fixes: integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 373971762/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-4880491112103936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e020f21413269418180eea7933a94ecb6bf2ef8) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index b4d9d00529..69d528b4c4 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
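Review bot: The comment above the allocation still explains only the contiguity requirement and says nothing about why the line buffer is now zero-filled, so the av_mallocz() looks like an arbitrary choice that could be reverted for speed. Extending it with a line such as `// zeroed: hScale16To15_c() was seen reading bytes of the line that nothing had written` records the reason given in the commit message. The `size * 2 + 32` expression is still plain int arithmetic; whether `size` is bounded tightly enough by the callers of alloc_lines() is outside this hunk and worth confirming.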
@@ -119,6 +119,8 @@ static int dxa_read_header(AVFormatContext *s) avio_skip(pb, fsize); } c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if (c->bpc < 0) + return AVERROR_INVALIDDATA; if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; From 496c9f42b8e91ee029c40afafe8ffebdbf59f49c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:52:02 +0200 Subject: [PATCH 526/606] avcodec/eatgq: Check bytestream2_get_buffer() for failure Fixes: Use of uninitialized memory Fixes: 71546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-5607656650244096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4949e34d96cc751aedaace02123c2fb02b5ac174) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 0f0ed3585f..6a19de93f0 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -178,7 +178,8 @@ static int tgq_decode_mb(TgqContext *s, GetByteContext *gbyte, dc[4] = bytestream2_get_byte(gbyte); dc[5] = bytestream2_get_byte(gbyte); } else if (mode == 6) { - bytestream2_get_buffer(gbyte, dc, 6); + if (bytestream2_get_buffer(gbyte, dc, 6) != 6) + return AVERROR_INVALIDDATA; } else if (mode == 12) { for (i = 0; i < 6; i++) { dc[i] = bytestream2_get_byte(gbyte); From 7bebe9f1da71a01f1fabe0f74ff16f184f7942c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:55:17 +0200 Subject: [PATCH 527/606] avformat/qcp: Check for read failure in header Fixes: Use of uninitialized value Fixes: 71551/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-4647386712965120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
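Review bot: The `c->bpc < 0` test runs after the 64-bit quotient has already been stored in c->bpc, so if that field is narrower than int64_t the value is truncated before it is checked. Computing into a local first, `int64_t bpc = (fsize + (int64_t)c->frames - 1) / c->frames;` then `if (bpc < 0 || bpc > INT_MAX) return AVERROR_INVALIDDATA;`, checks the real value before it is assigned. The type of c->bpc and the guard against c->frames == 0 are outside the hunk and should be confirmed.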
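Review bot: Mode 6 now fails on truncated input, but the branches around it still fill dc[] through bytestream2_get_byte() with no check, so the same short packet is an error in one mode and decoded from whatever the reader returns in the others. A single `if (bytestream2_get_bytes_left(gbyte) < needed) return AVERROR_INVALIDDATA;` ahead of the mode branches, with `needed` set per mode, would make them agree. tgq_decode_mb() starts and ends outside the hunk, so the byte counts for the other modes have to be taken from there.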
Signed-off-by: Michael Niedermayer (cherry picked from commit f52b9d05837c23b0c55013551bc28dce4922de0b) Signed-off-by: Michael Niedermayer --- libavformat/qcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/qcp.c b/libavformat/qcp.c index 8d80b726a5..cbc5d0a065 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c @@ -104,7 +104,8 @@ static int qcp_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO; - avio_read(pb, buf, 16); + if (avio_read(pb, buf, 16) != 16) + return AVERROR_INVALIDDATA; if (is_qcelp_13k_guid(buf)) { st->codecpar->codec_id = AV_CODEC_ID_QCELP; } else if (!memcmp(buf, guid_evrc, 16)) { From 001c3399712b4454f0019ea9ea394d2eca282a55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 19:57:28 +0200 Subject: [PATCH 528/606] avcodec/ilbcdec: Initialize tempbuff2 Fixes: Use of uninitialized value Fixes: 71350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4482218440534804d067de00ee1a4bc493c8b41d) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index ba1da168bc..7fea39b43c 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -658,7 +658,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * int16_t k, base_size; int16_t lag; /* Stack based */ - int16_t tempbuff2[SUBL + 5]; + int16_t tempbuff2[SUBL + 5] = {0}; /* Determine size of codebook sections */ base_size = lMem - cbveclen + 1; From 3b48c20bce235b1f5a7c38500f8ce8473708faa5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:00:01 +0200 Subject: [PATCH 529/606] avcodec/webp: Check ref_x/y Fixes: 70991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5544067620995072 Fixes: use of uninintailized value Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1e732ad2e240af5afe9ffea443c91bb233aa65) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 54b3fde6dc..089b3b46f0 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -703,6 +703,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, ref_x = FFMAX(0, ref_x); ref_y = FFMAX(0, ref_y); + if (ref_y == y && ref_x >= x) + return AVERROR_INVALIDDATA; + /* copy pixels * source and dest regions can overlap and wrap lines, so just * copy per-pixel */ From c17e374ff643c1ad67bb03363021eeac05e2022b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Dec 2024 00:28:21 +0100 Subject: [PATCH 530/606] avutil/timecode: Avoid fps overflow in av_timecode_get_smpte_from_framenum() Fix from c94875471e3ba3dc396c6919ff3ec9b14539cd71 Found-by: Youngjae Choi Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba33b50f51b17eef0449f20b3524f174dc9c3cc) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index f40a10eb38..f454466f97 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c 
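Review bot: The new rejection `ref_y == y && ref_x >= x` has no comment, and the existing one directly below says source and destination may overlap, which reads as if any reference were acceptable. A line such as `/* a back-reference must point strictly before the current pixel, otherwise it would copy pixels not yet decoded */` above the check would record the rule. Only the same-row case is tested; whether ref_y can exceed y after the FFMAX clamps depends on how the distance is computed outside this hunk and is worth confirming.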
@@ -61,8 +61,8 @@ uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) framenum = av_timecode_adjust_ntsc_framenum2(framenum, tc->fps); ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600) % 24; + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL) % 24; return av_timecode_get_smpte(tc->rate, drop, hh, mm, ss, ff); } From fe28f871fb75f650b8ec5c0bccdfcafac1cd05a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2024 00:32:38 +0100 Subject: [PATCH 531/606] tools/target_dec_fuzzer: Adjust Threshold for indeo5 Fixes: 379768251/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5981329084186624 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89efc6c97c4faf97dfed558b7bce2f64f8bd61e1) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 39b6449ba1..f8bcad2720 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -254,6 +254,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_HQ_HQA: maxpixels /= 128; break; case AV_CODEC_ID_IFF_ILBM: maxpixels /= 128; break; case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; + case AV_CODEC_ID_INDEO5: maxpixels /= 1024; break; case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384; break; case AV_CODEC_ID_JPEG2000: maxpixels /= 16384; break; case AV_CODEC_ID_LAGARITH: maxpixels /= 1024; break; From 9adc2243d50d164c3ee4e3e2430bc6def53c69dc Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 8 Dec 2024 03:04:16 +0100 Subject: [PATCH 532/606] tools/target_dec_fuzzer: Adjust threshold for MVC1 Fixes: Timeout Fixes: 378231213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVC1_fuzzer-6640960500465664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7230bc503a1180e6eb76f956e9c6b61352936e4) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index f8bcad2720..84c6bab91b 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -270,6 +270,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_MSZH: maxpixels /= 128; break; case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; case AV_CODEC_ID_MV30: maxpixels /= 128; break; + case AV_CODEC_ID_MVC1: maxpixels /= 1024; break; case AV_CODEC_ID_MVC2: maxpixels /= 128; break; case AV_CODEC_ID_MVHA: maxpixels /= 16384; break; case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; From d4f147d4f753613656f30cfd6f23465adc8a30b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:24:00 +0100 Subject: [PATCH 533/606] tools/target_dec_fuzzer: Adjust threshold for EACMV Fixes: Timeout Fixes: 382988735/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EACMV_fuzzer-5278721465974784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4eb0fe03aca552d375e2bce019a5da785f50d5) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 84c6bab91b..f6181fed78 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c 
@@ -236,6 +236,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_DVB_SUBTITLE: av_dict_set_int(&opts, "compute_clut", -2, 0); break; case AV_CODEC_ID_DXA: maxpixels /= 32; break; case AV_CODEC_ID_DXV: maxpixels /= 32; break; + case AV_CODEC_ID_CMV: maxpixels /= 256; break; case AV_CODEC_ID_EXR: maxpixels /= 1024; break; case AV_CODEC_ID_FFV1: maxpixels /= 32; break; case AV_CODEC_ID_FFWAVESYNTH: maxsamples /= 16384; break; From 34fab8337a75d7735e18991a1ce387ad7f85f02c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:36:11 +0100 Subject: [PATCH 534/606] avformat/matroskadec: Check pre_ns for overflow Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long' Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 361d24e6d920e4f7e4e5fa1fd6fbb6922bff35f2) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 236c0532e0..783b39683a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -4570,9 +4570,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // The prebuffer ends in the last Cue. Estimate how much data was // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; - pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; - if (pre_ns <= 0) + if (desc_end.end_time_ns <= desc_end.start_time_ns || + desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX) return -1; + pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From 6155ea6641251b3d1cce9ddb596a93632adc5436 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 22:37:07 +0100 Subject: [PATCH 535/606] avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV Fixes: signed integer overflow: 529008646 * 8 cannot be represented in type 'int' Fixes: 383379145/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6674045107503104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93270930798da368d5b1954a73ef7ff9dfa48f73) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f96504fa44..60fa792179 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -734,7 +734,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8LL); break; case AV_CODEC_ID_ADPCM_IMA_DK3: tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); From 036a6e43ff0241230b65ced5932a17958552f376 Mon Sep 17 00:00:00 2001 
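Review bot: `pre_bytes = desc_end.end_offset - desc_end.start_offset;` directly above the new check has the same subtraction shape that overflowed for the timestamps and is still unguarded, and its result feeds the prebuffer_bytes estimate two lines later. Adding `if (desc_end.end_offset < desc_end.start_offset) return -1;` before it would reject inverted cue offsets the same way inverted times are rejected now. This assumes the offset fields are signed 64-bit like the time fields; the CueDesc declaration is outside the hunk.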
From: Michael Niedermayer Date: Wed, 25 Dec 2024 05:13:02 +0100 Subject: [PATCH 536/606] avformat/mlvdec: Check avio_read() Fixes: use-of-uninitialized-value Fixes: 383170476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-4696002884337664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bb85423142103d694d97bad1967bd3dc55440e71) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index b706898cb3..261d66c252 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -81,13 +81,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); + int ret; + if (!value) { avio_skip(pb, size); return; } - avio_read(pb, value, size); - if (!value[0]) { + ret = avio_read(pb, value, size); + if (ret != size || !value[0]) { av_free(value); return; } From 1c2ef891cec247a6f2b07ff6c8a7c487feeb21cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 04:09:11 +0100 Subject: [PATCH 537/606] avformat/rpl: Fix check for negative values Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long') Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit eab65379bf89c55d8ec4bc6f00e04f15b37d3d85) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 70a6cf7595..101166fc42 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
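Review bot: For `size == 0` the new condition still reads `value[0]` uninitialised: a zero-length read cannot write that byte, and `ret != size` is false when the read returns 0. Allocating with av_mallocz(), or returning early when size is 0, closes that case. `ret != size` also compares an int with an unsigned, so a negative error code is caught only through conversion; `ret < 0 || ret != size` says it directly. read_string() continues outside the hunk.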
@@ -101,7 +101,7 @@ static AVRational read_fps(const char* line, int* error) line++; for (; *line>='0' && *line<='9'; line++) { // Truncate any numerator too large to fit into an int64_t - if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) + if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL) break; num = 10 * num + (*line - '0'); den *= 10; From bf6233c85eb1bd9fa0216b23c76f69e2433c8131 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 22:53:47 +0200 Subject: [PATCH 538/606] avformat/mxfdec: Check that key was read sucessfull Fixes: use of uninitialized value Fixes: 70932/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4870202133643264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c62cbcae2612acbc7ab5e8a7e7815674a6e8df4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index ffd7f3734a..c232c2ce50 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1534,7 +1534,8 @@ static int mxf_read_indirect_value(void *arg, AVIOContext *pb, int size) if (size <= 17) return 0; - avio_read(pb, key, 17); + if (avio_read(pb, key, 17) != 17) + return AVERROR_INVALIDDATA; /* TODO: handle other types of of indirect values */ if (memcmp(key, mxf_indirect_value_utf16le, 17) == 0) { return mxf_read_utf16le_string(pb, size - 17, &tagged_value->value); From 00345ada4487ec5850566414598ed277a99e9f31 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 11 Aug 2024 23:15:32 +0200 Subject: [PATCH 539/606] avcodec/hapdec: Clear tex buffer The code following makes no attempt to initialize all of the buffer Fixes: use of uninitialized value Fixes: 70980/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5329909059223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7eeeda703b599847aa89c7c08bb433d0b3da9590) Signed-off-by: Michael Niedermayer --- libavcodec/hapdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index fee3c04d84..09e8188a3d 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -309,6 +309,7 @@ static int hap_decode(AVCodecContext *avctx, AVFrame *frame, ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); if (ret < 0) return ret; + memset(ctx->tex_buf, 0, ctx->tex_size); avctx->execute2(avctx, decompress_chunks_thread, NULL, ctx->chunk_results, ctx->chunk_count); From d2da4b50a904ca08dad9ce8bb0ee372d2d4fa638 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 22:55:03 +0200 Subject: [PATCH 540/606] avcodec/cfhdenc: Clear dwt_tmp This occurs on a 32x32 input Fixes: use of uninitialized value Fixes: 70897/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5960860961406976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9de721de709fa9cc06a3ce3f542a1e7d45b2b0bf) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 40b7c3d9e5..0c9f168c8a 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c 
@@ -286,7 +286,7 @@ static av_cold int cfhd_encode_init(AVCodecContext *avctx) s->plane[i].dwt_buf = av_calloc(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_buf)); s->plane[i].dwt_tmp = - av_malloc_array(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_tmp)); + av_calloc(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_tmp)); if (!s->plane[i].dwt_buf || !s->plane[i].dwt_tmp) return AVERROR(ENOMEM); From 1a53d2aad3c47da3c0016ad252bad9535218d579 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 14:47:42 +0200 Subject: [PATCH 541/606] avformat/rmdec: check that buf if completely filled Fixes: use of uninitialized value Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976 Signed-off-by: Michael Niedermayer (cherry picked from commit 9578c135d00dd9cc01491b8559d7fad5a387e90d) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index e156f57bd8..99ef573d93 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -187,7 +187,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codecpar->ch_layout.nb_channels = avio_rb16(pb); if (version == 5) { ast->deint_id = avio_rl32(pb); - avio_read(pb, buf, 4); + if (avio_read(pb, buf, 4) != 4) + return AVERROR_INVALIDDATA; buf[4] = 0; } else { AV_WL32(buf, 0); From c4cf76068a18ab4f665db1087e1798049d947bd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:33:43 +0200 Subject: [PATCH 542/606] avformat/jpegxl_anim_dec: clear buffer padding Fixes: use of uninitialized value Fixes: 70992/clusterfuzz-testcase-minimized-ffmpeg_dem_IMAGE2_fuzzer-5735819170611200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f0b95bb176445a509d99e7497e90f20355b8411) 
Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_anim_dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c index 4e806573d0..c2750b1988 100644 --- a/libavformat/jpegxl_anim_dec.c +++ b/libavformat/jpegxl_anim_dec.c @@ -42,7 +42,7 @@ typedef struct JXLAnimDemuxContext { static int jpegxl_anim_probe(const AVProbeData *p) { - uint8_t buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE]; + uint8_t buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE] = {0}; int copied = 0, ret; FFJXLMetadata meta = { 0 }; From c1b50c8188bdca86592bdb72b960bd49f02b94c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 17:30:45 +0200 Subject: [PATCH 543/606] avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video Fixes: Use of uninintialized value Fixes: 70993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6378949754552320 Fixes: 71104/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5001538727116800 For the AAC/USAC/SBR code which reads uninitialized memory, it would be good, if it did not a fix for that is welcome! Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9b4c9ebf07748993ad91ba9b9b9f06914d67865) Signed-off-by: Michael Niedermayer --- libavcodec/get_buffer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_buffer.c b/libavcodec/get_buffer.c index 647f8a3df7..891c424d8b 100644 --- a/libavcodec/get_buffer.c +++ b/libavcodec/get_buffer.c @@ -152,7 +152,10 @@ FF_ENABLE_DEPRECATION_WARNINGS if (ret < 0) goto fail; - pool->pools[0] = av_buffer_pool_init(pool->linesize[0], NULL); + pool->pools[0] = av_buffer_pool_init(pool->linesize[0], + CONFIG_MEMORY_POISONING ? + NULL : + av_buffer_allocz); if (!pool->pools[0]) { ret = AVERROR(ENOMEM); goto fail; 
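Review bot: The `= {0}` initializer in jpegxl_anim_probe clears all 4096 + AV_INPUT_BUFFER_PADDING_SIZE bytes on every probe call, although the commit subject says only the padding needs clearing. If the bytes up to `copied` are always written before they are read (the copy code is outside the hunk), zeroing just the tail after the copy, e.g. `memset(buffer + copied, 0, AV_INPUT_BUFFER_PADDING_SIZE);`, would do the same job with less work in the probe path. Either way, a short comment saying that the parser may read into the padding would explain the initializer.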
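Review bot: The audio pool now picks its allocator with `CONFIG_MEMORY_POISONING ? NULL : av_buffer_allocz`, but nothing at the call site says why zeroed buffers are wanted or why poisoning builds opt out. A comment such as `/* zero audio buffers so samples a decoder leaves unwritten do not expose stale heap contents; poisoning builds keep the default allocator */` would keep this from being simplified away later. The commit message notes that the AAC/USAC/SBR code still reads uninitialized memory, so the zeroing hides that read rather than removing it; a FIXME pointing at that would be useful as well.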
From 01010e2ca74a8cab936a903810f635aeacb3412f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jan 2025 02:36:25 +0100 Subject: [PATCH 544/606] avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array read Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit b72de492959fb19eab37368232e65a4371c367f7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_addroi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/vf_addroi.c b/libavfilter/vf_addroi.c index e7ad916214..24efd62d5d 100644 --- a/libavfilter/vf_addroi.c +++ b/libavfilter/vf_addroi.c @@ -39,6 +39,7 @@ enum { static const char *const addroi_var_names[] = { "iw", "ih", + NULL, }; typedef struct AddROIContext { From a89a8548b1ed6e653cc152e4236257b2cdf2f01b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 05:06:10 +0100 Subject: [PATCH 545/606] avfilter/vf_grayworld: Use the correct pointer for av_log() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: crash Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffa127aa6853790acb40004fbab97f13ff4c72e) Signed-off-by: Michael Niedermayer --- libavfilter/vf_grayworld.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_grayworld.c b/libavfilter/vf_grayworld.c index e9c959416e..236e3d4417 100644 --- a/libavfilter/vf_grayworld.c +++ b/libavfilter/vf_grayworld.c 
@@ -275,10 +275,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } /* input and output transfer will be linear */ if (in->color_trc == AVCOL_TRC_UNSPECIFIED) { - av_log(s, AV_LOG_WARNING, "Untagged transfer, assuming linear light.\n"); + av_log(ctx, AV_LOG_WARNING, "Untagged transfer, assuming linear light.\n"); out->color_trc = AVCOL_TRC_LINEAR; } else if (in->color_trc != AVCOL_TRC_LINEAR) { - av_log(s, AV_LOG_WARNING, "Gray world color correction works on linear light only.\n"); + av_log(ctx, AV_LOG_WARNING, "Gray world color correction works on linear light only.\n"); } td.in = in; From 43f64690ad9df72976bcbd6ea9e41b2542db2464 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 22:01:39 +0100 Subject: [PATCH 546/606] avfilter/af_pan: Fix sscanf() use Fixes: Memory Data Leak Found-by: Simcha Kosman Signed-off-by: Michael Niedermayer (cherry picked from commit b5b6391d64807578ab872dc58fb8aa621dcfc38a) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 1a63d52536..a5414b9ffb 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -173,7 +173,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, From 894c8c8e08c625fe00be494424a073687bb9167f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:25:09 +0100 Subject: [PATCH 547/606] swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() Fixes: signed integer overflow: -1082982400 + -1195645138 cannot be represented in type 'int' Fixes: 376136843/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4791844321427456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56faee21c136942c491f30a2e82cfbbfce180beb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 1fb188f87c..4ca6be8977 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1352,9 +1352,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + (unsigned)Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 05d0d1a0c52ad8e3da15948409f24f61ceff862e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:31:56 +0100 Subject: [PATCH 548/606] avcodec/osq: Fixes several undefined overflows in do_decode() Fixes: signed integer overflow: 1239596184 + 2119376059 cannot be represented in type 'int' Fixes: 376136844/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6581164455821312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f511b4518fa4337f603275f865eb13ac5520d0f) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 6db25a3ffc..17dec52fcc 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -299,7 +299,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int dst[n] += (int)(P2 + P3) / 2 + (unsigned)p; break; case 8: - dst[n] += (int)(P2 + P3) / 2; + dst[n] += (int)(P2 + P3) / 2 + 0U; break; case 9: dst[n] += (int)(P2 * 2 + P3) / 3 + (unsigned)p; @@ -308,13 +308,13 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int dst[n] += (int)(P2 + P3 * 2) / 3 + (unsigned)p; break; case 11: - dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2; + dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2 + 0U; break; case 12: dst[n] += (unsigned)dst[B]; break; case 13: - dst[n] += (int)(unsigned)(dst[D] + dst[B]) / 2; + dst[n] += (int)((unsigned)dst[D] + dst[B]) / 2 + 0U; break; case 14: dst[n] += (int)((unsigned)P2 + dst[A]) / 2 + (unsigned)p; From d1546cbe26aef13179af6d60b5a1ded672bee9a5 Mon Sep 17 00:00:00 2001 
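Review bot: The `+ 0U` appended in cases 8, 11 and 13 of do_decode is easy to mistake for dead code and remove again. Its apparent purpose is to make the right-hand side unsigned so that the `dst[n] +=` accumulation is no longer done in signed int, matching the `+ (unsigned)p` used by the neighbouring cases; a comment like `/* + 0U: accumulate in unsigned arithmetic, signed overflow is undefined */` at the first occurrence would say so. Case 13 additionally moves the cast inside the sum, which is what stops `dst[D] + dst[B]` from being added as int. The switch begins and ends outside the hunk.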
From: Michael Niedermayer Date: Sun, 1 Dec 2024 22:27:18 +0100 Subject: [PATCH 549/606] avcodec/aacsbr_template: Clear n_q on error Fixes: index 5 out of bounds for type 'uint8_t [5]' Fixes: 377748135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5167109774049280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f029bfb7f9ca1c73fecb8d0eacf3c4e0550f771) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index b33ffd4295..5b96fbb234 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -607,6 +607,7 @@ static int sbr_make_f_derived(AACContext *ac, SpectralBandReplication *sbr) if (sbr->n_q > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Too many noise floor scale factors: %d\n", sbr->n_q); + sbr->n_q = 1; return -1; } From 7e0583b565a91288234fcab0257d1a80c903b8fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 23:30:55 +0100 Subject: [PATCH 550/606] avcodec/vc1dec: Clear block_index in vc1_decode_reset() Fixes: 377965565/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4504434689769472 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251de1791e645f16e80b09d82999d4a5e24b1ad1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 739f619430..ceada7975c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
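Review bot: The recovery value in `sbr->n_q = 1;` is unexplained, and the error path in sbr_make_f_derived gives no hint why 1 rather than 0 is the safe choice. Going by the commit message, the intent is that later code indexing a 5-entry array with n_q never sees the rejected value; a comment such as `/* keep n_q in range for code that runs after a failed header */` would record that. Since the function still returns -1, it is worth confirming that callers do not go on to use other fields derived before this point; that code is outside the hunk.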
@@ -796,6 +796,7 @@ av_cold int ff_vc1_decode_end(AVCodecContext *avctx) for (i = 0; i < 4; i++) av_freep(&v->sr_rows[i >> 1][i & 1]); ff_mpv_common_end(&v->s); + memset(v->s.block_index, 0, sizeof(v->s.block_index)); av_freep(&v->mv_type_mb_plane); av_freep(&v->direct_mb_plane); av_freep(&v->forward_mb_plane); From 924d743cd8ef8849ed5fd087a2161154faa9e26c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2025 21:35:06 +0100 Subject: [PATCH 551/606] avcodec/ffv1enc: Fix handling of 32bit unsigned symbols This may be needed for floats Sponsored-by: Sovereign Tech Fund Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 402824e9e99461f1c9e74a6730ced40894669560) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 51c3d2099a..dbb864e97c 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -199,7 +199,7 @@ static av_always_inline av_flatten void put_symbol_inline(RangeCoder *c, } while (0) if (v) { - const int a = FFABS(v); + const unsigned a = is_signed ? FFABS(v) : v; const int e = av_log2(a); put_rac(c, state + 0, 0); if (e <= 9) { From 12307f4af5bf6f5f2959d875b1ff80034b767a06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2025 02:59:28 +0100 Subject: [PATCH 552/606] avcodec/mpegvideo_enc: Check FLV1 resolution limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 827c073154f4cc17d1bd3777dff3b58370210bcb) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 5fab302148..c1228f21e5 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
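Review bot: In put_symbol_inline the signed branch still evaluates `FFABS(v)` in int before the result is stored in the now-unsigned `a`, so v == INT_MIN would be negated to an unrepresentable value before the conversion happens. If symbols of that magnitude can reach this path (the commit message mentions 32-bit values for floats), `const unsigned a = is_signed ? FFABSU(v) : v;` does the negation in unsigned arithmetic instead. The function body continues outside the hunk.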
@@ -526,6 +526,12 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "H.263 does not support resolutions above 2048x1152\n"); return AVERROR(EINVAL); } + if (s->codec_id == AV_CODEC_ID_FLV1 && + (avctx->width > 65535 || + avctx->height > 65535 )) { + av_log(avctx, AV_LOG_ERROR, "FLV does not support resolutions above 16bit\n"); + return AVERROR(EINVAL); + } if ((s->codec_id == AV_CODEC_ID_H263 || s->codec_id == AV_CODEC_ID_H263P || s->codec_id == AV_CODEC_ID_RV20) && From e5036fe010b0ad797e6d0752de2185334fa5fc74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2025 03:11:02 +0100 Subject: [PATCH 553/606] avfilter/vf_v360: Fix NULL pointer use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: applying zero offset to null pointer partly Fixes: verysmall.flv Found-by: Elias Myllymäki Signed-off-by: Michael Niedermayer (cherry picked from commit 66e9888bf418984a274beddbc3e87e9f1b8f5077) Signed-off-by: Michael Niedermayer --- libavfilter/vf_v360.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c index d3c4306a3b..2a4c4cfcfe 100644 --- a/libavfilter/vf_v360.c +++ b/libavfilter/vf_v360.c 
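Review bot: The new error text "FLV does not support resolutions above 16bit" does not tell the user the actual limit, unlike the H.263 message just above it, which names 2048x1152. Something like `"FLV does not support resolutions above 65535x65535\n"` matches the check and the neighbouring wording. ff_mpv_encode_init starts and continues outside the hunk.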
@@ -4253,8 +4253,8 @@ static int v360_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) int16_t *u = r->u[p] + ((j - slice_start) * uv_linesize + i) * elements; int16_t *v = r->v[p] + ((j - slice_start) * uv_linesize + i) * elements; int16_t *ker = r->ker[p] + ((j - slice_start) * uv_linesize + i) * elements; - uint8_t *mask8 = p ? NULL : r->mask + ((j - slice_start) * s->pr_width[0] + i); - uint16_t *mask16 = p ? NULL : (uint16_t *)r->mask + ((j - slice_start) * s->pr_width[0] + i); + uint8_t *mask8 = (p || !r->mask) ? NULL : r->mask + ((j - slice_start) * s->pr_width[0] + i); + uint16_t *mask16 = (p || !r->mask) ? NULL : (uint16_t *)r->mask + ((j - slice_start) * s->pr_width[0] + i); int in_mask, out_mask; if (s->out_transpose) From b884a849d7310d23d984a57087f0803aae8df9f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2025 03:30:21 +0100 Subject: [PATCH 554/606] avutil/avstring: dont mess with NULL pointers in av_match_list() Fixes: applying zero offset to null pointer Signed-off-by: Michael Niedermayer (cherry picked from commit c6c54943d161812b3c4034116cb14f3f5c05dc43) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index 8751ce5576..f51aa3e8fe 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -452,10 +452,12 @@ int av_match_list(const char *name, const char *list, char separator) if (k && (!p[k] || p[k] == separator)) return 1; q = strchr(q, separator); - q += !!q; + if(q) + q++; } p = strchr(p, separator); - p += !!p; + if (p) + p++; } return 0; From ceacc83011a0a5057769626faf14b9256bd3baa7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2025 00:22:05 +0100 Subject: [PATCH 555/606] avformat/dashdec: Check whitelist Fixes: CVE-2023-6602, V. DASH Playlist SSRF Found-by: Harvey Phillips of Amazon Element55 (element55) 
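Review bot: The two replacements in av_match_list are written differently, `if(q)` without a space and `if (p)` with one; `if (q)` keeps the hunk consistent with itself and with the `if (k && ...)` context line. The loop conditions are outside the hunk, so it is not visible here how the loops terminate once `p` or `q` becomes NULL, which is worth a glance when applying.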
Signed-off-by: Michael Niedermayer (cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf) Signed-off-by: Michael Niedermayer --- libavformat/dashdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 1215407f3c..e2609ac192 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -445,7 +445,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_freep(pb); av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); - ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); + ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist); if (ret >= 0) { // update cookies on http response with setcookies. char *new_cookies = NULL; @@ -1224,7 +1224,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in) close_in = 1; av_dict_copy(&opts, c->avio_opts, 0); - ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts); + ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist); av_dict_free(&opts); if (ret < 0) return ret; From 242ac527003eb2851b8106ff0c09561fb7a6b9bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 01:46:49 +0100 Subject: [PATCH 556/606] avformat/vqf: Check avio_read() in add_metadata() Fixes: use of uninitialized data Fixes: 383825642/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5380168801124352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c43dbecbdad152a91eadc7538b545852eee562ae) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 1671d03b2c..67f8084a27 100644 
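Review bot: Both replaced calls (in open_url and in parse_manifest) now pass `s->protocol_whitelist` and `s->protocol_blacklist`, but there is no comment saying that URLs taken from the manifest are untrusted and must stay under the caller's protocol lists. A line such as `/* url comes from the manifest: restrict it to the protocols the caller allowed */` above each call would make it harder to reintroduce a plain avio_open2 here. The hunks do not show what happens when the caller left both lists unset, so it is worth confirming that nested opens are still restricted in that case. The calls also run well past the usual line length and could be wrapped after `&tmp,` and `&opts,`.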
--- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -61,7 +61,8 @@ static void add_metadata(AVFormatContext *s, uint32_t tag, buf = av_malloc(len+1); if (!buf) return; - avio_read(s->pb, buf, len); + if (len != avio_read(s->pb, buf, len)) + return; buf[len] = 0; AV_WL32(key, tag); av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); From fbee480fdf88bb26415edba731d466b431d76370 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Dec 2024 04:13:25 +0100 Subject: [PATCH 557/606] avformat/vqf: Propagate errors from add_metadata() Suggested-by: Marton Balint Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 49fa3f6c5ba6d43cc4b3ade4f8d9dc2fdbc71f0a) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 67f8084a27..db49fdcfd9 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -49,23 +49,28 @@ static int vqf_probe(const AVProbeData *probe_packet) return AVPROBE_SCORE_EXTENSION; } -static void add_metadata(AVFormatContext *s, uint32_t tag, +static int add_metadata(AVFormatContext *s, uint32_t tag, unsigned int tag_len, unsigned int remaining) { int len = FFMIN(tag_len, remaining); char *buf, key[5] = {0}; + int ret; if (len == UINT_MAX) - return; + return AVERROR_INVALIDDATA; buf = av_malloc(len+1); if (!buf) - return; - if (len != avio_read(s->pb, buf, len)) - return; + return AVERROR(ENOMEM); + + ret = avio_read(s->pb, buf, len); + if (ret < 0) + return ret; + if (len != ret) + return AVERROR_INVALIDDATA; buf[len] = 0; AV_WL32(key, tag); - av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); + return av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); } static const AVMetadataConv vqf_metadata_conv[] = { 
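Review bot: The early return added after `avio_read(s->pb, buf, len)` in add_metadata leaves `buf` allocated: it comes from av_malloc a few lines earlier, and ownership only passes to the dictionary in the av_dict_set call at the end. The follow-up patch in this series (PATCH 557, the `@@ -49,23 +49,28 @@` hunk) keeps the leak on both of its new error returns. Freeing before returning closes it, e.g. `if (ret != len) { av_free(buf); return ret < 0 ? ret : AVERROR_INVALIDDATA; }` in the int-returning version.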
@@ -163,7 +168,9 @@ static int vqf_read_header(AVFormatContext *s) avio_skip(s->pb, FFMIN(len, header_size)); break; default: - add_metadata(s, chunk_tag, len, header_size); + ret = add_metadata(s, chunk_tag, len, header_size); + if (ret < 0) + return ret; break; } From 10722208d94f59f9f8abd36295256190be7c0b34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2025 05:03:08 +0100 Subject: [PATCH 558/606] avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex Fixes: use-of-uninitialized-value Fixes: 70907/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-6339363208757248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e81d410242ea604c4f667da4a415836c1575d72f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 816d06da04..ff99fe32fb 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -375,7 +375,7 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, superframe_header = frag->data[frag->data_size - 1]; if ((superframe_header & 0xe0) == 0xc0) { - VP9RawSuperframeIndex sfi; + VP9RawSuperframeIndex sfi = {0}; GetBitContext gbc; size_t index_size, pos; int i; From 3eb06ef817a4b314fb1bdd4bb4147b01bdc79f8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 02:53:45 +0100 Subject: [PATCH 559/606] avformat/wtvdec: Initialize buf ff_parse_mpeg2_descriptor() reads over what is initialized Fixes: use of uninitialized memory Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 17b019c517af26c6d2f0c6266938c60d36db1fa3) 
Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 7d449d0bdf..e3e91e218b 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -832,7 +832,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p int stream_index = ff_find_stream_index(s, sid); if (stream_index >= 0) { AVStream *st = s->streams[stream_index]; - uint8_t buf[258]; + uint8_t buf[258] = {0}; const uint8_t *pbuf = buf; int buf_size; From 3448f9bcc829d3ac3502c83acb58d1a54a946ba0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 03:07:51 +0100 Subject: [PATCH 560/606] avformat/ipmovie: Check signature_buffer read Fixes: use of uninitilaized data Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 788abe0d253b2034af15876d7889265d4746df2b) Signed-off-by: Michael Niedermayer --- libavformat/ipmovie.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 4f5c164d3f..f19fc9d7e7 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -614,7 +614,8 @@ static int ipmovie_read_header(AVFormatContext *s) ipmovie->avf = s; - avio_read(pb, signature_buffer, sizeof(signature_buffer)); + if (avio_read(pb, signature_buffer, sizeof(signature_buffer)) != sizeof(signature_buffer)) + return AVERROR_INVALIDDATA; while (memcmp(signature_buffer, signature, sizeof(signature))) { memmove(signature_buffer, signature_buffer + 1, sizeof(signature_buffer) - 1); signature_buffer[sizeof(signature_buffer) - 1] = avio_r8(pb); From 072ee0c8ef21c7c1e241600771078e121a3cc04c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 30 Nov 2024 01:48:22 +0100 Subject: [PATCH 561/606] avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() Fixes: use of uninitialized memory Fixes: 375286238/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-6352546854141952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef71552cf970876085d99834abdb8e429aea9730) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index ce6d4d4c59..b77f3808a6 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -773,6 +773,8 @@ static void decode_gray_bitstream(HYuvDecContext *s, int count) for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } + for (; i < count; i++) + s->temp[0][2 * i] = s->temp[0][2 * i + 1] = 0; } else { for (i = 0; i < count; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); From 94014c83412fa0cbac23a877cf53263367fd9a15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:05:37 +0200 Subject: [PATCH 562/606] avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() Fixes: Use of uninitialized memory Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ecc96f4d08d74b0590ab03f39f93f386910c4c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c232c2ce50..6965cfc174 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -673,7 +673,8 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); - avio_read(pb, tmpbuf, 16); + if (avio_read(pb, tmpbuf, 16) != 16) + return AVERROR_INVALIDDATA; if (mxf->aesc) av_aes_crypt(mxf->aesc, tmpbuf, tmpbuf, 1, ivec, 1); if (memcmp(tmpbuf, checkv, 16)) From c599745377199fa75fffb30058fb2a6f39d64ab7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2025 01:28:46 +0100 Subject: [PATCH 563/606] avformat/hls: Be more picky on extensions This blocks disallowed extensions from probing It also requires all available segments to have matching extensions to the format mpegts is treated independent of the extension It is recommended to set the whitelists correctly instead of depending on extensions, but this should help a bit, and this is easier to backport Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification The other parts of CVE-2023-6602 have been fixed by prior commits Found-by: Harvey Phillips of Amazon Element55 (element55) Signed-off-by: Michael Niedermayer (cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 7 +++++++ libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index ca1563abb0..c30b3f9ea5 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi 
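Review bot: Only the second read is checked; the context line `avio_read(pb, ivec, 16);` directly above still ignores its result, and ivec is then passed to av_aes_crypt. A short first read will usually make the second one fail as well, but that is an indirect guarantee, and checking both is clearer: `if (avio_read(pb, ivec, 16) != 16 || avio_read(pb, tmpbuf, 16) != 16) return AVERROR_INVALIDDATA;`. The function starts and continues outside the hunk.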
@@ -405,6 +405,13 @@ prefer to use #EXT-X-START if it's in playlist instead of live_start_index. @item allowed_extensions ',' separated list of file extensions that hls is allowed to access. +@item extension_picky +This blocks disallowed extensions from probing +It also requires all available segments to have matching extensions to the format +except mpegts, which is always allowed. +It is recommended to set the whitelists correctly instead of depending on extensions +Enabled by default. + @item max_reload Maximum number of times a insufficient list is attempted to be reloaded. Default value is 1000. diff --git a/libavformat/hls.c b/libavformat/hls.c index f5f549b24d..99f2921e6c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -222,6 +222,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; AVDictionary *seg_format_opts; char *allowed_extensions; + int extension_picky; int max_reload; int http_persistent; int http_multiple; 
@@ -725,6 +726,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return ret; } +static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg) +{ + HLSContext *c = s->priv_data; + int matchA = 3; + int matchF = 0; + + if (!c->extension_picky) + return 0; + + if (strcmp(c->allowed_extensions, "ALL")) + matchA = av_match_ext (seg->url, c->allowed_extensions) + + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0); + + if (!matchA) { + av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url); + return AVERROR_INVALIDDATA; + } + + if (in_fmt) { + if (in_fmt->extensions) { + matchF = av_match_ext( seg->url, in_fmt->extensions) + + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); + } else if (!strcmp(in_fmt->name, "mpegts")) + matchF = 3; + + if (!(matchA & matchF)) { + av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); + return AVERROR_INVALIDDATA; + } + } + + return 0; +} + static int parse_playlist(HLSContext *c, const char *url, struct playlist *pls, AVIOContext *in) { @@ -983,6 +1018,14 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg); + if (ret < 0) { + av_free(seg->url); + av_free(seg->key); + av_free(seg); + goto fail; + } + if (duration < 0.001 * AV_TIME_BASE) { av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," " set to default value to 1ms.\n", seg->url); 
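Review bot: test_segment encodes its results as a two-bit mask (bit 0 from av_match_ext, bit 1 from ff_match_url_ext, 3 meaning "always matches") and then requires `matchA & matchF` to be non-zero, but none of that is written down. A short header comment describing the return value (0 on accept, AVERROR_INVALIDDATA on reject) and the mask, plus a note that `matchA` is the allowed-list match and `matchF` the detected-format match, would make this check easier to review. The `pls` parameter is not used in the body. `strcmp(c->allowed_extensions, "ALL")` assumes the option string is never NULL; the default in the options table makes that likely, but a NULL guard would be cheap.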
@@ -2105,6 +2148,11 @@ static int hls_read_header(AVFormatContext *s) pls->ctx->interrupt_callback = s->interrupt_callback; url = av_strdup(pls->segments[0]->url); ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0); + + for (int n = 0; n < pls->n_segments; n++) + if (ret >= 0) + ret = test_segment(s, in_fmt, pls, pls->segments[n]); + if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If @@ -2565,6 +2613,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"extension_picky", "Be picky with all extensions matching", + OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", From cf2075a975905663e432000560102eb8467c38dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 12:51:58 +0100 Subject: [PATCH 564/606] avformat/hls: Print input format in error message Signed-off-by: Michael Niedermayer (cherry picked from commit d8455331302c72cde2f0b72f255004a91189dd93) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 99f2921e6c..ef33fe0be0 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
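Review bot: The added loop in hls_read_header keeps iterating over every remaining segment after `ret` has gone negative, because the `if (ret >= 0)` sits in the body instead of in the loop condition. Folding it in reads better and stops at the first rejected segment: `for (int n = 0; ret >= 0 && n < pls->n_segments; n++) ret = test_segment(s, in_fmt, pls, pls->segments[n]);`. The `ret >= 0` test also keeps test_segment from running when av_probe_input_buffer itself failed and `in_fmt` may not be set, so it should be kept if the loop is restructured.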
@@ -752,7 +752,7 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF = 3; if (!(matchA & matchF)) { - av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); + av_log(s, AV_LOG_ERROR, "detected format %s extension %s mismatches allowed extensions in url %s\n", in_fmt->name, in_fmt->extensions ? in_fmt->extensions : "none", seg->url); return AVERROR_INVALIDDATA; } } From e5bfb7516f2190c3bae43aeba896de79081eba42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2025 02:28:32 +0100 Subject: [PATCH 565/606] avcodec/h263dec: Check against previous dimensions instead of coded Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 0fe33c99a26a06a6875c4abfb96362a65145264b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index eb1d87a2fe..0c9a31c09b 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -407,6 +407,7 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict, MpegEncContext *s = avctx->priv_data; int ret; int slice_ret = 0; + int bak_width, bak_height; /* no supplementary picture */ if (buf_size == 0) { @@ -458,6 +459,9 @@ retry: if (ret < 0) return ret; + bak_width = s->width; + bak_height = s->height; + /* let's go :-) */ if (CONFIG_WMV2_DECODER && s->msmpeg4_version == 5) { ret = ff_wmv2_decode_picture_header(s); 
@@ -475,11 +479,12 @@ retry: } if (ret < 0 || ret == FRAME_SKIPPED) { - if ( s->width != avctx->coded_width - || s->height != avctx->coded_height) { + if ( s->width != bak_width + || s->height != bak_height) { av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n"); - s->width = avctx->coded_width; - s->height= avctx->coded_height; + s->width = bak_width; + s->height= bak_height; + } } if (ret == FRAME_SKIPPED) From 71b2c24ca9e26a52e2d76f0b2b71c23ff01984e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 13:26:34 +0100 Subject: [PATCH 566/606] avformat/hls: .ts is always ok even if its a mov/mp4 Maybe fixes: 11435 Signed-off-by: Michael Niedermayer (cherry picked from commit 9e12572933dc1c49e9b35d772ddcae896c2ba8a8) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index ef33fe0be0..8fe19b3729 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -748,6 +748,10 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct if (in_fmt->extensions) { matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); + if(av_match_name("mp4", in_fmt->name)) { + matchF |= av_match_ext( seg->url, "ts") + + 2*(ff_match_url_ext(seg->url, "ts") > 0); + } } else if (!strcmp(in_fmt->name, "mpegts")) matchF = 3; From fbdaceeaf6109b62b8c3c9ffb4cd72df04a6e076 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 23:07:54 +0100 Subject: [PATCH 567/606] libavformat/hls: Be more restrictive on mpegts extensions Signed-off-by: Michael Niedermayer (cherry picked from commit 0113e30806b205111344e266bc69ff9657a3ca02) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 8fe19b3729..84d2525ed7 100644 
--- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -752,8 +752,10 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF |= av_match_ext( seg->url, "ts") + 2*(ff_match_url_ext(seg->url, "ts") > 0); } - } else if (!strcmp(in_fmt->name, "mpegts")) - matchF = 3; + } else if (!strcmp(in_fmt->name, "mpegts")) { + matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); + } if (!(matchA & matchF)) { av_log(s, AV_LOG_ERROR, "detected format %s extension %s mismatches allowed extensions in url %s\n", in_fmt->name, in_fmt->extensions ? in_fmt->extensions : "none", seg->url); From 14503564e448443987777c8d6b7065707b9ed46c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Feb 2025 13:09:08 +0100 Subject: [PATCH 568/606] avformat/hls: Fix twitter Allow mp4 with all mpegts extensions Fixes: Ticket11435 Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit cef3422b4819e3b6f07086625fa7890eaa8d45e7) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 84d2525ed7..47234d712b 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -749,8 +749,8 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); if(av_match_name("mp4", in_fmt->name)) { - matchF |= av_match_ext( seg->url, "ts") - + 2*(ff_match_url_ext(seg->url, "ts") > 0); + matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); } } else if (!strcmp(in_fmt->name, "mpegts")) { matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") 
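Review bot: After these two changes the literal `"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"` is spelled out four times in test_segment(), twice in the mp4 branch and twice in the mpegts branch. This string decides which extensions a probed MPEG-TS or MP4 segment may carry, so the copies should not be able to drift apart. A single `static const char mpegts_exts[] = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts";` near the top of the function, used in all four calls, keeps them in step. Both hunks show only part of test_segment(), whose start is outside them.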
From 6abf144abcec5b3f71801f801e3ccae08751811a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Feb 2025 03:47:52 +0100 Subject: [PATCH 569/606] avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Fixes: 392672068/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6232335892152320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8a6ad9eab2f1c37a18c2f30e6660260edd7c0c16) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 6965cfc174..8b17381e5c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3920,7 +3920,7 @@ static int64_t mxf_set_current_edit_unit(MXFContext *mxf, AVStream *st, int64_t int64_t new_edit_unit; MXFIndexTable *t = mxf_find_index_table(mxf, track->index_sid); - if (!t || track->wrapping == UnknownWrapped) + if (!t || track->wrapping == UnknownWrapped || edit_unit > INT64_MAX - track->edit_units_per_packet) return -1; if (mxf_edit_unit_absolute_offset(mxf, t, edit_unit + track->edit_units_per_packet, track->edit_rate, NULL, &next_ofs, NULL, 0) < 0 && From 621b78a39f56ab658f13d607c510dc87fbb62d8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 01:24:37 +0100 Subject: [PATCH 570/606] avformat/wavdec: Fix overflow of intermediate in block_align check Fixes: signed integer overflow: -251517880 * 32 cannot be represented in type 'int' Fixes: 385224934/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-4909298151915520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
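Review bot: The new guard `edit_unit > INT64_MAX - track->edit_units_per_packet` is itself overflow-free only while `edit_units_per_packet` is non-negative, and neither its type nor its range is visible in this hunk. If a negative value can reach this point, the subtraction overflows before the comparison. Either add `track->edit_units_per_packet < 0 ||` in front of it, or add a comment stating where the field is validated. The body of mxf_set_current_edit_unit() continues past the hunk.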
Signed-off-by: Michael Niedermayer (cherry picked from commit 1afbc40875069312dd729b5959fb04950c3938db) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1f8c7f30e1..f5f4f24afb 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -902,10 +902,10 @@ static int w64_read_header(AVFormatContext *s) if (st->codecpar->block_align && st->codecpar->ch_layout.nb_channels < FF_SANE_NB_CHANNELS && st->codecpar->bits_per_coded_sample < 128) { - int block_align = st->codecpar->block_align; + int64_t block_align = st->codecpar->block_align; block_align = FFMAX(block_align, - ((st->codecpar->bits_per_coded_sample + 7) / 8) * + ((st->codecpar->bits_per_coded_sample + 7LL) / 8) * st->codecpar->ch_layout.nb_channels); if (block_align > st->codecpar->block_align) { av_log(s, AV_LOG_WARNING, "invalid block_align: %d, broken file.\n", From 283aed84ab87fa2ec7ffeca76f6c511291f3323d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 02:33:21 +0100 Subject: [PATCH 571/606] avformat/mlvdec: fix size checks Fixes: heap-buffer-overflow Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251d43aef0df9262f2688c1c848af993bbb67d08) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 261d66c252..4b794462f4 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c 
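Review bot: `block_align` is now `int64_t`, but the warning at the end of the hunk still uses `%d`, and its argument lies outside the hunk. If the local is what gets printed, the format needs `"%" PRId64`. If the widened value is later stored back into the `int` field `st->codecpar->block_align`, it should first be compared with `INT_MAX`. Both points need confirming against the lines that follow in w64_read_header().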
@@ -436,19 +436,25 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) if (size < 16) return AVERROR_INVALIDDATA; avio_skip(pb, 12); //timestamp, frameNumber - if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + size -= 12; + if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + if (size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY + size -= 8; + } space = avio_rl32(pb); + if (size < space + 4LL) + return AVERROR_INVALIDDATA; avio_skip(pb, space); + size -= space; if ((mlv->class[st->id] & (MLV_CLASS_FLAG_DELTA|MLV_CLASS_FLAG_LZMA))) { ret = AVERROR_PATCHWELCOME; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3); } else { // AVMEDIA_TYPE_AUDIO - if (space > UINT_MAX - 24 || size < (24 + space)) - return AVERROR_INVALIDDATA; - ret = av_get_packet(pb, pkt, size - (24 + space)); + ret = av_get_packet(pb, pkt, size - 4); } if (ret < 0) From 5043830cdb98751c5ed27f9735966712f1b55964 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2025 01:28:17 +0100 Subject: [PATCH 572/606] avformat/iff: Check that we have a stream in read_dst_frame() Fixes: null pointer dereference Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 8668957ef604bd2b99175310638bc5031ae0d991) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 5bff0e9b6c..1061f9757e 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c 
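Review bot: The remaining-byte count that this hunk now keeps in `size` is consulted only in the audio branch. The video branch still passes `(st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3` to av_get_packet() without comparing it with `size - 4`. A block that declares fewer bytes than the computed frame size is therefore not rejected here. Whether the three-factor product is bounded before it reaches this `int` expression depends on checks in the header parser, which are outside the hunk. If short blocks are meant to be invalid, computing the length into a 64-bit local and adding a check such as `if (size - 4 < frame_bytes) return AVERROR_INVALIDDATA;` (with `frame_bytes` as that local) would make the video path consistent with the audio one.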
@@ -358,6 +358,9 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) uint64_t chunk_pos, data_pos, data_size; int ret = AVERROR_EOF; + if (s->nb_streams < 1) + return AVERROR_INVALIDDATA; + while (!avio_feof(pb)) { chunk_pos = avio_tell(pb); if (chunk_pos >= iff->body_end) From a279a8620e2d630648d6b9d87a11682a7c6b35d4 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Fri, 29 Dec 2023 05:56:43 +0800 Subject: [PATCH 573/606] avfilter/vf_codecview: fix heap buffer overflow And improve the performance by a little bit. Signed-off-by: Zhao Zhili (cherry picked from commit 99debe5f823f45a482e1dc08de35879aa9c74bd2) Signed-off-by: Michael Niedermayer --- libavfilter/vf_codecview.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c index 55d9c8c04f..f65ccbda70 100644 --- a/libavfilter/vf_codecview.c +++ b/libavfilter/vf_codecview.c @@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr buf[sx + w - 1] = color; buf += stride; } - - for (int x = sx; x < sx + w; x++) - buf[x] = color; } static int filter_frame(AVFilterLink *inlink, AVFrame *frame) From a4b6e37ad5f50454974fa22cc8f19d83cdaff0eb Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2023 12:08:20 +0100 Subject: [PATCH 574/606] avfilter/vf_colorcorrect: fix memory leaks (cherry picked from commit 5f87a68cf70dafeab2fb89b42e41a4c29053b89b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_colorcorrect.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_colorcorrect.c b/libavfilter/vf_colorcorrect.c index 1c4dea531b..6bdec2c9d8 100644 --- a/libavfilter/vf_colorcorrect.c +++ b/libavfilter/vf_colorcorrect.c @@ -497,6 +497,8 @@ static av_cold void uninit(AVFilterContext *ctx) ColorCorrectContext *s = ctx->priv; av_freep(&s->analyzeret); + av_freep(&s->uhistogram); + av_freep(&s->vhistogram); } static const AVFilterPad colorcorrect_inputs[] = { 
From dcf34f13f516aa0e214384f3185aff306feba01d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2023 11:45:34 +0100 Subject: [PATCH 575/606] avfilter/af_afwtdn: fix crash with EOF handling (cherry picked from commit b1942734c7cbcdc9034034373abcc9ecb9644c47) Signed-off-by: Michael Niedermayer --- libavfilter/af_afwtdn.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/libavfilter/af_afwtdn.c b/libavfilter/af_afwtdn.c index 0fcfa779f9..63b7f5fc25 100644 --- a/libavfilter/af_afwtdn.c +++ b/libavfilter/af_afwtdn.c @@ -408,6 +408,7 @@ typedef struct AudioFWTDNContext { uint64_t sn; int64_t eof_pts; + int eof; int wavelet_type; int channels; @@ -1069,7 +1070,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->drop_samples = 0; } else { if (s->padd_samples < 0 && eof) { - out->nb_samples += s->padd_samples; + out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples); s->padd_samples = 0; } if (!eof) @@ -1208,23 +1209,26 @@ static int activate(AVFilterContext *ctx) FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink); - ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); - if (ret < 0) - return ret; - if (ret > 0) - return filter_frame(inlink, in); + if (!s->eof) { + ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); + if (ret < 0) + return ret; + if (ret > 0) + return filter_frame(inlink, in); + } if (ff_inlink_acknowledge_status(inlink, &status, &pts)) { - if (status == AVERROR_EOF) { - while (s->padd_samples != 0) { - ret = filter_frame(inlink, NULL); - if (ret < 0) - return ret; - } - ff_outlink_set_status(outlink, status, pts); - return ret; - } + if (status == AVERROR_EOF) + s->eof = 1; } + + if (s->eof && s->padd_samples != 0) { + return filter_frame(inlink, NULL); + } else if (s->eof) { + ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts); + return 0; + } + FF_FILTER_FORWARD_WANTED(outlink, inlink); return FFERROR_NOT_READY; 
From c104119c6b5e00496c5ff14071c85f95c98b7ae5 Mon Sep 17 00:00:00 2001 From: Cosmin Stejerean Date: Wed, 6 Dec 2023 18:39:32 +0800 Subject: [PATCH 576/606] avfilter/bwdif: account for chroma sub-sampling in min size calculation The current logic for detecting frames that are too small for the algorithm does not account for chroma sub-sampling, and so a sample where the luma plane is large enough, but the chroma planes are not will not be rejected. In that event, a heap overflow will occur. This change adjusts the logic to consider the chroma planes and makes the change to all three bwdif implementations. Fixes #10688 Signed-off-by: Cosmin Stejerean Reviewed-by: Thomas Mundt Signed-off-by: Philip Langdale (cherry picked from commit 737ede405b11a37fdd61d19cf25df296a0cb0b75) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bwdif.c | 9 +++++---- libavfilter/vf_bwdif_cuda.c | 11 ++++++----- libavfilter/vf_bwdif_vulkan.c | 11 +++++------ 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index 137cd5ef13..353cd0b61a 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -191,13 +191,14 @@ static int config_props(AVFilterLink *link) return ret; } - if (link->w < 3 || link->h < 4) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); + yadif->csp = av_pix_fmt_desc_get(link->format); + yadif->filter = filter; + + if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } - yadif->csp = av_pix_fmt_desc_get(link->format); - yadif->filter = filter; ff_bwdif_init_filter_line(&s->dsp, yadif->csp->comp[0].depth); return 0; diff --git a/libavfilter/vf_bwdif_cuda.c b/libavfilter/vf_bwdif_cuda.c index a5ecfbadb6..418f15f989 100644 --- a/libavfilter/vf_bwdif_cuda.c 
+++ b/libavfilter/vf_bwdif_cuda.c @@ -296,15 +296,16 @@ static int config_output(AVFilterLink *link) link->frame_rate = av_mul_q(ctx->inputs[0]->frame_rate, (AVRational){2, 1}); - if (link->w < 3 || link->h < 3) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); - ret = AVERROR(EINVAL); - goto exit; - } y->csp = av_pix_fmt_desc_get(output_frames->sw_format); y->filter = filter; + if (AV_CEIL_RSHIFT(link->w, y->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, y->csp->log2_chroma_h) < 3) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or lines is not supported\n"); + ret = AVERROR(EINVAL); + goto exit; + } + ret = CHECK_CU(cu->cuCtxPushCurrent(s->hwctx->cuda_ctx)); if (ret < 0) goto exit; diff --git a/libavfilter/vf_bwdif_vulkan.c b/libavfilter/vf_bwdif_vulkan.c index 690a89c4ba..c51df9aa26 100644 --- a/libavfilter/vf_bwdif_vulkan.c +++ b/libavfilter/vf_bwdif_vulkan.c @@ -362,15 +362,14 @@ static int bwdif_vulkan_config_output(AVFilterLink *outlink) outlink->frame_rate = av_mul_q(avctx->inputs[0]->frame_rate, (AVRational){2, 1}); - if (outlink->w < 4 || outlink->h < 4) { - av_log(avctx, AV_LOG_ERROR, "Video of less than 4 columns or lines is not " - "supported\n"); - return AVERROR(EINVAL); - } - y->csp = av_pix_fmt_desc_get(vkctx->frames->sw_format); y->filter = bwdif_vulkan_filter_frame; + if (AV_CEIL_RSHIFT(outlink->w, y->csp->log2_chroma_w) < 4 || AV_CEIL_RSHIFT(outlink->h, y->csp->log2_chroma_h) < 4) { + av_log(avctx, AV_LOG_ERROR, "Video with planes less than 4 columns or lines is not supported\n"); + return AVERROR(EINVAL); + } + return init_filter(avctx); } From efedc1d1b6aef2481cf613a11992b1dce6320055 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 23 Nov 2023 14:58:35 +0100 Subject: [PATCH 577/606] avfilter/asrc_afirsrc: fix by one smaller allocation of buffer (cherry picked from commit 4adb93dff05dd947878c67784d98c9a4e13b57a7) 
Signed-off-by: Michael Niedermayer --- libavfilter/asrc_afirsrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/asrc_afirsrc.c b/libavfilter/asrc_afirsrc.c index e2359c159f..ea04c35759 100644 --- a/libavfilter/asrc_afirsrc.c +++ b/libavfilter/asrc_afirsrc.c @@ -480,7 +480,7 @@ static av_cold int config_eq_output(AVFilterLink *outlink) if (ret < 0) return ret; - s->magnitude = av_calloc(s->nb_magnitude, sizeof(*s->magnitude)); + s->magnitude = av_calloc(s->nb_magnitude + 1, sizeof(*s->magnitude)); if (!s->magnitude) return AVERROR(ENOMEM); memcpy(s->magnitude, eq_presets[s->preset].gains, sizeof(*s->magnitude) * s->nb_magnitude); From 49957e3f7dbcab87284186fd468c02c58c5182a8 Mon Sep 17 00:00:00 2001 From: softworkz Date: Thu, 27 Feb 2025 16:36:56 +0000 Subject: [PATCH 578/606] avformat/hls: Partially revert "reduce default max reload to 3" (setting to 100 as a reasonable compromise) The change has caused regressions for many users and consumers. Playlist reloads only happen when a playlist doesn't indicate that it has ended (via #EXT-X-ENDLIST), which means that the addition of future segments is still expected. It is well possible that an HLS server is temporarily unable to serve further segments but resumes after some time, either indicating a discontinuity or even by fully catching up. With a segment length of 3s, a max_reload value of 1000 corresponds to a duration of 50 minutes which appears to be a reasonable default. Signed-off-by: Michael Niedermayer (cherry picked from commit ace9f03a6c0a58b84a02701df1b6e5d5ac1d1b8e) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 47234d712b..e7c311fbae 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
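Review bot: The `+ 1` in the `av_calloc()` call is unexplained at the call site, and the `memcpy()` two lines below still copies only `s->nb_magnitude` elements. A reader cannot tell which later access needs the extra zeroed slot. A one-line comment naming the consumer, for example `/* one extra zeroed element: <reader> indexes magnitude[nb_magnitude] */` with the actual function filled in, would stop the padding from being removed as apparently redundant. config_eq_output() continues outside the hunk.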
@@ -2622,7 +2622,7 @@ static const AVOption hls_options[] = { {"extension_picky", "Be picky with all extensions matching", OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", - OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 100}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", OFFSET(m3u8_hold_counters), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {"http_persistent", "Use persistent HTTP connections", From 4807b42ce18ec62e61f9e19901cf8a4cb0141f04 Mon Sep 17 00:00:00 2001 From: Lynne Date: Wed, 1 Jan 2025 18:03:33 +0900 Subject: [PATCH 579/606] configure: update copyright year On 01/01/2025 19:05, Peter Ross wrote: > FFmpeg turns 25 this year. (cherry picked from commit d3aa99a4f436e89773246339d9d363587a1d21df) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 5f78f75db9..9c5eda00e6 100755 --- a/configure +++ b/configure @@ -8012,7 +8012,7 @@ cat > $TMPH < Date: Tue, 1 Apr 2025 02:00:41 +0200 Subject: [PATCH 580/606] doc: replace http/git by https urls These are more secure Reviewed-by: Gyan Doshi Signed-off-by: Michael Niedermayer (cherry picked from commit b4d165c68fe74f4b9c7fa4cbc2e1467a0bafea37) Signed-off-by: Michael Niedermayer --- doc/fate_config.sh.template | 2 +- doc/git-howto.texi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/fate_config.sh.template b/doc/fate_config.sh.template index ab1bda45e4..ab990c3a58 100644 --- a/doc/fate_config.sh.template +++ b/doc/fate_config.sh.template 
@@ -1,5 +1,5 @@ slot= # some unique identifier -repo=git://source.ffmpeg.org/ffmpeg.git # the source repository +repo=https://git.ffmpeg.org/ffmpeg.git # the source repository #branch=release/2.6 # the branch to test samples= # path to samples directory workdir= # directory in which to do all the work diff --git a/doc/git-howto.texi b/doc/git-howto.texi index f4e2f2ec23..1854b0d9ab 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -143,7 +143,7 @@ git log @end example You may also use the graphical tools like @command{gitview} or @command{gitk} -or the web interface available at @url{http://source.ffmpeg.org/}. +or the web interface available at @url{https://git.ffmpeg.org/ffmpeg.git}. @section Checking source tree status From e2b20632b8c71a4e174511f8ff6e8342e0c63bd3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 30 Dec 2024 00:25:41 -0300 Subject: [PATCH 581/606] avfilter/buffersrc: check for valid sample rate A sample rate <= 0 is invalid. Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set. Fixes ticket #11385. Signed-off-by: James Almer (cherry picked from commit 1446e37d3d032e1452844778b3e6ba2c20f0c322) --- libavfilter/buffersrc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index fbbf9b75e8..0c5736be7d 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -402,6 +402,11 @@ FF_ENABLE_DEPRECATION_WARNINGS av_channel_layout_describe(&s->ch_layout, buf, sizeof(buf)); } + if (s->sample_rate <= 0) { + av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); + return AVERROR(EINVAL); + } + if (!s->time_base.num) s->time_base = (AVRational){1, s->sample_rate}; From a5d2764d5c5e138a4d67a8e3bac702e20f89c5b7 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Fri, 7 Feb 2025 00:04:25 -0300 Subject: [PATCH 582/606] avcodec/libtheora: fix setting keyframe_mask t_info.keyframe_granule_shift is set to the library default of 6, which is ok for gop sizes up to 63. Since there's apparently no way to query the updated value after having forced a gop value with TH_ENCCTL_SET_KEYFRAME_FREQUENCY_FORCE, calculate it manually instead. Fixes ticket #11454. Signed-off-by: James Almer (cherry picked from commit 22aa71d4da37a4ad2b0d28deeace64b57aa2ef50) Signed-off-by: Michael Niedermayer --- libavcodec/libtheoraenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index 06eeaae006..94078ad789 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -233,7 +233,7 @@ static av_cold int encode_init(AVCodecContext* avc_context) return AVERROR_EXTERNAL; } - h->keyframe_mask = (1 << t_info.keyframe_granule_shift) - 1; + h->keyframe_mask = (1 << av_ceil_log2(avc_context->gop_size)) - 1; /* Clear up theora_info struct */ th_info_clear(&t_info); From 4007277b68c7e52e70155477daac5f68a249f446 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Feb 2025 03:58:44 +0100 Subject: [PATCH 583/606] swscale/output: Fix integer overflow in yuv2gbrp_full_X_c() Fixes: signed integer overflow: 1966895953 + 210305024 cannot be represented in type 'int' Fixes: 391921975/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5916798905548800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce538ef97a7b1fdab6f2a3c8afc538c1cc3760d9) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 4ca6be8977..586b2e81eb 100644 --- a/libswscale/output.c +++ b/libswscale/output.c 
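Review bot: `1 << av_ceil_log2(avc_context->gop_size)` takes its shift count straight from a user-settable field, and nothing in this hunk bounds it. A `gop_size` of 0 or below, or a very large one, could push the count to the width of `int`, where the shift is undefined. Whether earlier code in encode_init() rules that out is not visible here. Clamping the argument, for example `av_ceil_log2(FFMAX(avc_context->gop_size, 1))`, and stating the upper bound the encoder accepts would make the mask computation safe on its own.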
@@ -2289,9 +2289,9 @@ yuv2gbrp_full_X_c(SwsContext *c, const int16_t *lumFilter, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << (SH-1); - R = Y + V * c->yuv2rgb_v2r_coeff; - G = Y + V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; - B = Y + U * c->yuv2rgb_u2b_coeff; + R = Y + V * (unsigned)c->yuv2rgb_v2r_coeff; + G = Y + V * (unsigned)c->yuv2rgb_v2g_coeff + U * (unsigned)c->yuv2rgb_u2g_coeff; + B = Y + U * (unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); From 1bf1f5269000ded7b6e77e65f3d8ebac16809e18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Feb 2025 03:58:45 +0100 Subject: [PATCH 584/606] avcodec/osq: avoid undefined negation Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 390646659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5040277374435328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c6a889f3e09249d2a643a6beb7d44a8e42ea3541) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 17dec52fcc..99a035c5c5 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -189,7 +189,7 @@ static uint32_t get_urice(GetBitContext *gb, int k) static int32_t get_srice(GetBitContext *gb, int x) { - int32_t y = get_urice(gb, x); + uint32_t y = get_urice(gb, x); return get_bits1(gb) ? -y : y; } From 7fadbbe65aeef3b2784ae51abbe172a840f34f3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Mar 2025 02:57:46 +0100 Subject: [PATCH 585/606] configure: Clearer documentation for "disable-safe-bitstream-reader" Signed-off-by: Michael Niedermayer (cherry picked from commit 979608dde7a833b7af50a9f6bad81fc483c1ff04) 
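Review bot: The casts cover the three chroma products, but the context line `Y *= c->yuv2rgb_y_coeff;` directly above them is left as it was. If `Y` and the coefficient are plain `int` here (their declarations are outside the hunk), that multiplication may be open to the same signed-overflow case. `Y *= (unsigned)c->yuv2rgb_y_coeff;` would treat it the same way as the new lines. A short comment that the `(unsigned)` casts exist to make wraparound well defined would also help, since they otherwise look accidental.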
Signed-off-by: Michael Niedermayer --- configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 9c5eda00e6..8b17cd9627 100755 --- a/configure +++ b/configure @@ -420,7 +420,9 @@ Advanced options (experts only): --enable-hardcoded-tables use hardcoded tables instead of runtime generation --disable-safe-bitstream-reader disable buffer boundary checking in bitreaders - (faster, but may crash) + (This disables some security checks and can cause undefined behavior, + crashes and arbitrary code execution, it may be faster, but + should only be used with trusted input) --sws-max-filter-size=N the max filter size swscale uses [$sws_max_filter_size_default] Optimization options (experts only): From ab443c5b1a78945a76bc839cb577b4dd2fd27681 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Apr 2025 03:35:31 +0200 Subject: [PATCH 586/606] postproc/postprocess_template: Fix reading uninitialized pixels in dering_C() This issue was found through the new blocktest Signed-off-by: Michael Niedermayer (cherry picked from commit 0118f392be916784f92508474e8d64243fd6fa97) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess_altivec_template.c | 2 +- libpostproc/postprocess_template.c | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libpostproc/postprocess_altivec_template.c b/libpostproc/postprocess_altivec_template.c index a9d4cd29a3..eebceb7bcd 100644 --- a/libpostproc/postprocess_altivec_template.c +++ b/libpostproc/postprocess_altivec_template.c 
@@ -530,7 +530,7 @@ static inline void doVertDefFilter_altivec(uint8_t src[], int stride, PPContext STORE(5) } -static inline void dering_altivec(uint8_t src[], int stride, PPContext *c) { +static inline void dering_altivec(uint8_t src[], int stride, PPContext *c, int leftborder, int rightborder) { const vector signed int vsint32_8 = vec_splat_s32(8); const vector unsigned int vuint32_4 = vec_splat_u32(4); const vector signed char neg1 = vec_splat_s8(-1); diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index ade1d6ce2b..36f7f123fb 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -828,7 +828,7 @@ static inline void RENAME(doVertDefFilter)(uint8_t src[], int stride, PPContext #endif //TEMPLATE_PP_ALTIVEC #if !TEMPLATE_PP_ALTIVEC -static inline void RENAME(dering)(uint8_t src[], int stride, PPContext *c) +static inline void RENAME(dering)(uint8_t src[], int stride, PPContext *c, int leftborder, int rightborder) { #if HAVE_7REGS && TEMPLATE_PP_MMXEXT DECLARE_ALIGNED(8, uint64_t, tmp)[3]; @@ -1044,7 +1044,7 @@ DERING_CORE((%0, %1, 8) ,(%%FF_REGd, %1, 4),%%mm2,%%mm4,%%mm0,%%mm3,%%mm5, for(y=0; y<10; y++){ int t = 0; - if(src[stride*y + 0] > avg) t+= 1; + if(!leftborder && src[stride*y + 0] > avg) t+= 1; if(src[stride*y + 1] > avg) t+= 2; if(src[stride*y + 2] > avg) t+= 4; if(src[stride*y + 3] > avg) t+= 8; @@ -1053,7 +1053,7 @@ DERING_CORE((%0, %1, 8) ,(%%FF_REGd, %1, 4),%%mm2,%%mm4,%%mm0,%%mm3,%%mm5, if(src[stride*y + 6] > avg) t+= 64; if(src[stride*y + 7] > avg) t+= 128; if(src[stride*y + 8] > avg) t+= 256; - if(src[stride*y + 9] > avg) t+= 512; + if(!rightborder && src[stride*y + 9] > avg) t+= 512; t |= (~t)<<16; t &= (t<<1) & (t>>1); 
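Review bot: dering_altivec() gains `leftborder` and `rightborder`, but the diffstat shows only one changed line for this file, so its body evidently does not use them. The C version now skips columns 0 and 9 when the corresponding flag is set. The AltiVec path therefore presumably still reads those border pixels, which is the uninitialized read this commit addresses. Either apply the same masking there, or add a comment on the signature such as `/* leftborder/rightborder currently ignored: border columns are still read */` so the gap is visible.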
@@ -1070,8 +1070,8 @@ DERING_CORE((%0, %1, 8) ,(%%FF_REGd, %1, 4),%%mm2,%%mm4,%%mm0,%%mm3,%%mm5, int x; int t = s[y-1]; - p= src + stride*y; - for(x=1; x<9; x++){ + p= src + stride*y + leftborder; + for(x=1+leftborder; x<9-rightborder; x++){ p++; if(t & (1<0) RENAME(dering)(dstBlock - stride - 8, stride, c); + if(y>0) RENAME(dering)(dstBlock - stride - 8, stride, c, x<=8, 0); } if(mode & TEMP_NOISE_FILTER) @@ -3230,7 +3230,7 @@ static void RENAME(postProcess)(const uint8_t src[], int srcStride, uint8_t dst[ } if(mode & DERING){ - if(y > 0) RENAME(dering)(dstBlock - dstStride - 8, dstStride, c); + if(y > 0) RENAME(dering)(dstBlock - dstStride - 8, dstStride, c, 0, 1); } if((mode & TEMP_NOISE_FILTER)){ From 253180a75aa159579a49c3b054b6788cb3d09633 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 12:30:04 +0200 Subject: [PATCH 587/606] avformat/hls: Add cmfv and cmfa to allowed_extensions Fixes: www.nicovideo.jp Fixes: Ticket11526 Signed-off-by: Michael Niedermayer (cherry picked from commit 2352145e416c7cbdcf9679ea690c9c1dee4a7936) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index e7c311fbae..d889aaff35 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -2617,7 +2617,9 @@ static const AVOption hls_options[] = { OFFSET(prefer_x_start), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, FLAGS}, {"allowed_extensions", "List of file extensions that hls is allowed to access", OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, - {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" + ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp + }, INT_MIN, INT_MAX, FLAGS}, {"extension_picky", "Be picky with all extensions matching", OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, From 9098b6c456b2041a1d8969bc112c0b7c2e973d0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 12:43:12 +0200 Subject: [PATCH 588/606] avformat/hls: Add ec3 to allowed_extensions Fixes part of Ticket11435 Fixes: Elisa Viihde (Finnish online recording service) Signed-off-by: Michael Niedermayer (cherry picked from commit 68644994fd7cf55613e8b17bcc95b29226285ec5) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index d889aaff35..91ad03534b 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2619,6 +2619,7 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp + ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) }, INT_MIN, INT_MAX, FLAGS}, {"extension_picky", "Be picky with all extensions matching", From 592f4fd372af34891da8346110c9822c3add02c0 Mon Sep 17 00:00:00 2001 
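Review bot: The new default string in `hls_options` adds `vtt` and `webvtt` as well as `cmfv,cmfa`, but the commit message names only the latter two. `allowed_extensions` is the list of file extensions that hls is allowed to access, so each widening of the default should be traceable to a reason. Either mention the two subtitle extensions in the message or put them on their own annotated line, in the same style as `",cmfv,cmfa" // Ticket11526 www.nicovideo.jp`.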
From: Michael Niedermayer Date: Sun, 6 Apr 2025 12:47:34 +0200 Subject: [PATCH 589/606] avformat/hls: add fmp4 to allowed_extensions Fixes: yt-dlp/issues/12700 Signed-off-by: Michael Niedermayer (cherry picked from commit d82016c7302e0ede8626fc3d92f1418c567fbab4) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 91ad03534b..e4043016bf 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2620,6 +2620,7 @@ static const AVOption hls_options[] = { {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) + ",fmp4" // https://github.com/yt-dlp/yt-dlp/issues/12700 }, INT_MIN, INT_MAX, FLAGS}, {"extension_picky", "Be picky with all extensions matching", From bbfe48db30831b1a26703694badcd2e1f33b1967 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 18:52:05 +0200 Subject: [PATCH 590/606] avformat/hls: Fix Youtube AAC Fixes: Ticket11435 Fixes: yt-dlp -f 234+270 https://www.youtube.com/live/l8PMl7tUDIE Signed-off-by: Michael Niedermayer (cherry picked from commit 48c0dba23b3ce8c2bcb180bd2c8029c3c2875424) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index e4043016bf..12a4ce5b98 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -748,7 +748,8 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct if (in_fmt->extensions) { matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); - if(av_match_name("mp4", in_fmt->name)) { + // Youtube uses aac files with .ts extension + if(av_match_name("mp4", in_fmt->name) || av_match_name("aac", in_fmt->name)) { matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); } From 6855b07da2efe28a7c8b78c54e0a531f07a51be6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Apr 2025 01:37:27 +0200 Subject: [PATCH 591/606] avformat/hls: Split allowed_segment_extensions off allowed_extensions This allows the user to set only the one that is needed to ALL or a specific "wrong" extension like html Signed-off-by: Michael Niedermayer (cherry picked from commit f99f223eb1ac9a6e36dab0e31756369214b5564f) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 12a4ce5b98..47242e0da9 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -222,6 +222,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; AVDictionary *seg_format_opts; char *allowed_extensions; + char *allowed_segment_extensions; int extension_picky; int max_reload; int http_persistent; 
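Review bot: The added `av_match_name("aac", in_fmt->name)` condition in `test_segment` lets an AAC-probed segment match the whole list `"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"`, while the new comment justifies only the `.ts` case. If `.ts` is all that is needed, a separate and narrower match would keep the format/extension cross-check tight, e.g. `if (av_match_name("aac", in_fmt->name)) matchF |= av_match_ext(seg->url, "ts") + 2*(ff_match_url_ext(seg->url, "ts") > 0);`. The extension literal is also repeated several times in this function, so a single named constant would stop the copies drifting apart. The body of `test_segment` starts and ends outside the hunk.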
@@ -735,12 +736,12 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct if (!c->extension_picky) return 0; - if (strcmp(c->allowed_extensions, "ALL")) - matchA = av_match_ext (seg->url, c->allowed_extensions) - + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0); + if (strcmp(c->allowed_segment_extensions, "ALL")) + matchA = av_match_ext (seg->url, c->allowed_segment_extensions) + + 2*(ff_match_url_ext(seg->url, c->allowed_segment_extensions) > 0); if (!matchA) { - av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url); + av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_segment_extensions\n", seg->url); return AVERROR_INVALIDDATA; } @@ -2624,6 +2625,14 @@ static const AVOption hls_options[] = { ",fmp4" // https://github.com/yt-dlp/yt-dlp/issues/12700 }, INT_MIN, INT_MAX, FLAGS}, + {"allowed_segment_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_segment_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" + ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp + ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) + ",fmp4" // https://github.com/yt-dlp/yt-dlp/issues/12700 + }, + INT_MIN, INT_MAX, FLAGS}, {"extension_picky", "Be picky with all extensions matching", OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", From 6dfa94926f1ae34728dec850135a7c92016c80e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Apr 2025 01:05:18 +0200 Subject: [PATCH 592/606] avformat/hls: Fix flash1.bogulus.cfd support Signed-off-by: Michael Niedermayer (cherry picked from commit 75be669ca1c986cc3510a5ad847e82785e2682e0) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
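Review bot: The help text of the new `allowed_segment_extensions` entry (hunk at 2624) is a verbatim copy of the one for `allowed_extensions`, so the option listing gives no hint which option governs which URLs. Since `test_segment` now checks `seg->url` against the new option, wording such as `"List of file extensions that hls is allowed to access as segments"` would separate the two. The default list is also duplicated character for character. Defining it once and using it for both entries would keep the two allowlists from diverging unintentionally in later backports.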
diff --git a/libavformat/hls.c b/libavformat/hls.c index 47242e0da9..121c9b9db8 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -755,8 +755,11 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); } } else if (!strcmp(in_fmt->name, "mpegts")) { - matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") - + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); + const char *str = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts" + ",html" // https://flash1.bogulus.cfd/ + ; + matchF = av_match_ext( seg->url, str) + + 2*(ff_match_url_ext(seg->url, str) > 0); } if (!(matchA & matchF)) { @@ -2631,6 +2634,7 @@ static const AVOption hls_options[] = { ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) ",fmp4" // https://github.com/yt-dlp/yt-dlp/issues/12700 + ",html" // https://flash1.bogulus.cfd/ }, INT_MIN, INT_MAX, FLAGS}, {"extension_picky", "Be picky with all extensions matching", From 45f3cee6c62bbf31b88e33803d781c3d40569da0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 May 2025 21:20:31 +0200 Subject: [PATCH 593/606] libpostproc: check minimum size Signed-off-by: Michael Niedermayer (cherry picked from commit 917c15435ae2e11a90de5d1a1153405bd3686fbe) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 0586e458b4..6dcdf86de2 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c 
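Review bot: The `",html"` line added to the default `allowed_segment_extensions` (hunk at 2631) relaxes the segment extension check for every user in order to support a single site. The previous patch in this series says it splits this option off so that a user can set a specific "wrong" extension like html themselves. The `str` change in the `mpegts` branch of `test_segment` is what makes such an opt-in work, because `matchA & matchF` must both accept the extension. Leaving `html` out of the default and documenting `allowed_segment_extensions` as the opt-in would keep the default check as strict as before.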
@@ -897,6 +897,11 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int minStride= FFMAX(FFABS(srcStride[0]), FFABS(dstStride[0])); int absQPStride = FFABS(QPStride); + if (width < 16 || height < 16) { + av_log(c, AV_LOG_ERROR, "Postproc is designed to filter 16x16 macroblock based formats, the minimum size is 1 macroblock\n"); + return; + } + // c->stride and c->QPStride are always positive if(c->stride < minStride || c->qpStride < absQPStride) reallocBuffers(c, width, height, From ffd93a2de36d71b9ef160e6f082b0c83997acb9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 May 2025 19:53:57 +0200 Subject: [PATCH 594/606] tests/fate/filter-video: Fix dependancy for codecview Signed-off-by: Michael Niedermayer (cherry picked from commit 1b643e3f65d75a4e6a25986466254bdd4fc1a01a) Signed-off-by: Michael Niedermayer --- tests/fate/filter-video.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index 789ec6414c..12805e9546 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -488,7 +488,7 @@ fate-filter-pp7: CMD = framecrc -flags bitexact -export_side_data venc_params -i FATE_FILTER_VSYNTH1_MPEG4_QPRD-$(call FILTERDEMDEC, SPP, AVI, MPEG4) += spp fate-filter-spp: CMD = framecrc -flags bitexact -export_side_data venc_params -idct simple -i $(TARGET_PATH)/tests/data/fate/vsynth1-mpeg4-qprd.avi -frames:v 5 -flags +bitexact -vf "spp=idct=simple:dct=int" -FATE_FILTER_VSYNTH1_MPEG4_QPRD-$(call FILTERDEMDEC, PP, AVI, MPEG4) += codecview +FATE_FILTER_VSYNTH1_MPEG4_QPRD-$(call FILTERDEMDEC, CODECVIEW, AVI, MPEG4) += codecview fate-filter-codecview: CMD = framecrc -flags bitexact -idct simple -flags2 +export_mvs -i $(TARGET_PATH)/tests/data/fate/vsynth1-mpeg4-qprd.avi -frames:v 5 -flags +bitexact -vf codecview=mv=pf+bf+bb # The above tests use vsynth1-mpeg4-qprd.avi created by fate-vsynth1-mpeg4-qprd 
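Review bot: The new size guard in `pp_postprocess` returns without writing to `dst`, and because the function returns `void` the caller cannot tell that the frame was skipped. Whether a caller then forwards an uninitialised destination buffer depends on code outside this hunk, so the early-return behaviour should at least be stated in the function's public documentation. The log line would also be more useful if it reported the rejected dimensions, e.g. by appending `", got %dx%d\n", width, height` to the message. The function body continues outside the hunk.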
From ea2a3222feb36139ec3a927427904d803f97e358 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 May 2025 23:10:52 +0200 Subject: [PATCH 595/606] avformat/iff: Check nb_channels == 0 in MHDR Fixes: division by 0 Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670 Reviewed-by: Peter Ross Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce1fd73d637a34551161fd8054ce3d410631982c) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 1061f9757e..dac33fef21 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -495,6 +495,8 @@ static int iff_read_header(AVFormatContext *s) st->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO; else if (st->codecpar->ch_layout.nb_channels == 2) st->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO; + else if (st->codecpar->ch_layout.nb_channels == 0) + return AVERROR_INVALIDDATA; break; case ID_ABIT: From 5f945182ae793ffd2cf8024589371f7934db140b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 16:49:31 +0200 Subject: [PATCH 596/606] avcodec/vorbisdec: Dont treat overread as error This differs from libvorbis by stddev: 2.44 PSNR: 88.58 MAXDIFF: 41 bytes: 834304/ 834304 for the file from the ticket Fixes: Ticket11427 Regression since: dc89cf804a811c0d25f4649a99f7fab4b5b416fa This is a similar solution to what james proposed earlier in [FFmpeg-devel] [PATCH] avcodec/vorbisdec: don't abort on EOD when decoding residuals Signed-off-by: Michael Niedermayer (cherry picked from commit fd5a3c5fed2c190446b2beb9bc532887db360cf7) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index bf26b13b83..caec075165 100644 
--- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1468,8 +1468,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; - if (get_bits_left(gb) <= 0) - return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 0) { + av_log(vc->avctx, AV_LOG_ERROR, "Overread %d bits\n", -get_bits_left(gb)); + return 0; + } if (vr_type == 0) { From d0b5e0bba43f3673b1379736c589e319fb9d24f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2025 02:25:00 +0200 Subject: [PATCH 597/606] avcodec/h264_mb: Fix tmp_cr for arm When decoding a bitstream with weighted-bipred enabled, the results on ARM and x86 platforms may differ. The reason for the inconsistency is that the value of STRIDE_ALIGN differs between platforms. And STRIDE_ALIGN is set to the buffer stride of temporary buffers for U and V components in mc_part_weighted. If the buffer stride is 32 or 64 (as on x86 platforms), the U and V pixels can be interleaved row by row without overlapping, resulting in correct output. However, on ARM platforms where the stride is 16, the V component did overwrite part of the U component's pixels, leading to incorrect predicted pixels. The bug can be reproduced by the following bitstream. https://trac.ffmpeg.org/attachment/ticket/11357/inter_weighted_bipred2.264 Fixes: ticket 11357 Commit-msg-mostly-by: Bin Peng Reviewed-by: Bin Peng Signed-off-by: Michael Niedermayer (cherry picked from commit 74fd2c3ddbaf1fef5c4777784aa72b5747ad389c) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 4e94136313..2db0670478 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c 
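Review bot: The overread branch in `vorbis_residue_decode_internal` logs at `AV_LOG_ERROR` but returns 0, so severity and return value disagree. The caller sees success while the log reports an error. Since the condition is now tolerated, `AV_LOG_WARNING` would match the behaviour better. How often the message can repeat for one truncated packet depends on loops outside the hunk. The comparison also changed from `<= 0` to `< 0`, so decoding now continues with exactly zero bits left. A comment such as `/* running out of data is not fatal: keep what was decoded so far */` would record that this is intentional.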
@@ -407,7 +407,7 @@ static av_always_inline void mc_part_weighted(const H264Context *h, H264SliceCon /* don't optimize for luma-only case, since B-frames usually * use implicit weights => chroma too. */ uint8_t *tmp_cb = sl->bipred_scratchpad; - uint8_t *tmp_cr = sl->bipred_scratchpad + (16 << pixel_shift); + uint8_t *tmp_cr = sl->bipred_scratchpad + (8 << pixel_shift + (chroma_idc == 3)); uint8_t *tmp_y = sl->bipred_scratchpad + 16 * sl->mb_uvlinesize; int refn0 = sl->ref_cache[0][scan8[n]]; int refn1 = sl->ref_cache[1][scan8[n]]; From 69c03845ffa5e29ecf54a9ccd54409252acead22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 May 2025 01:55:27 +0200 Subject: [PATCH 598/606] avformat/avidec: Ignore duplicate GAB2 Fixes: memleak Fixes: 398401912/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4669849976766464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a47046981d05c59f6ac766d5fbf6586261a216f) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 00bd7a98a9..e3d8373665 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1115,6 +1115,10 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) int size; AVProbeData pd; unsigned int desc_len; + + if (ast->sub_ctx) + return 0; + AVIOContext *pb = avio_alloc_context(pkt->data + 7, pkt->size - 7, 0, NULL, NULL, NULL, NULL); From 039af70fd3256b821d30ce8708eedf09574c5f8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 May 2025 23:39:53 +0200 Subject: [PATCH 599/606] avformat/mov: reject negative ELST durations Fixes: multiple integer overflows Fixes: 401016767/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6242067591790592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
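Review bot: In the new `tmp_cr` initialiser, `8 << pixel_shift + (chroma_idc == 3)` parses as `8 << (pixel_shift + (chroma_idc == 3))` because `+` binds tighter than `<<`. That appears to be the intent, but it reads ambiguously and is the kind of expression `-Wparentheses` flags. Writing `sl->bipred_scratchpad + (8 << (pixel_shift + (chroma_idc == 3)))` makes the offset explicit. The commit message describes the V rows overwriting part of the U rows, so a one-line comment tying this offset to the chroma row width and the scratchpad stride would help the next reader verify that the two regions cannot overlap. `mc_part_weighted` continues outside the hunk.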
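Review bot: The early `return 0` for an already-set `ast->sub_ctx` in `read_gab2_sub` sits between the local declarations, which turns `AVIOContext *pb = avio_alloc_context(...)` into a declaration after a statement. Declaring `AVIOContext *pb;` with the other locals and assigning it after the check keeps the block in the style of the surrounding declarations. What a 0 return means to the caller is not visible here, so a short comment such as `/* only the first GAB2 chunk is used; later ones are ignored */` would document the choice. The function body continues outside the hunk.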
Signed-off-by: Michael Niedermayer (cherry picked from commit 9fc2702f6f502064d0d2d75c97ece33f4b56eb84) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7f4ac9f36b..ed562810ef 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5841,6 +5841,11 @@ static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->fc->nb_streams-1, i, e->time); return AVERROR_INVALIDDATA; } + if (e->duration < 0) { + av_log(c->fc, AV_LOG_ERROR, "Track %d, edit %d: Invalid edit list duration=%"PRId64"\n", + c->fc->nb_streams-1, i, e->duration); + return AVERROR_INVALIDDATA; + } } sc->elst_count = i; From 0e114e89a6d65ac599a488434a72c071b8debfab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 May 2025 23:52:57 +0200 Subject: [PATCH 600/606] avformat/imf_cpl: do not continue looping forever Fixes: infinite loop Fixes: 401658595/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5756875014733824 Regression since: 61fa1e14e4178d3f2550c76f7a36484220f6dc0c Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 39800d78b07e65a6b29a69366d651f80105b95a1) Signed-off-by: Michael Niedermayer --- libavformat/imf_cpl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c index 5f1a67443f..ff304d1676 100644 --- a/libavformat/imf_cpl.c +++ b/libavformat/imf_cpl.c @@ -709,8 +709,7 @@ static int fill_virtual_tracks(void *log_ctx, xmlNodePtr cpl_element, FFIMFCPL * av_log(log_ctx, AV_LOG_DEBUG, "Processing IMF CPL Segment\n"); sequence_list_elem = ff_imf_xml_get_child_element_by_name(segment_elem, "SequenceList"); - if (!sequence_list_elem) - continue; + if (sequence_list_elem) { sequence_elem = xmlFirstElementChild(sequence_list_elem); while (sequence_elem) { 
@@ -735,6 +734,7 @@ static int fill_virtual_tracks(void *log_ctx, xmlNodePtr cpl_element, FFIMFCPL * sequence_elem = xmlNextElementSibling(sequence_elem); } + } segment_elem = xmlNextElementSibling(segment_elem); } From 678923e8b41061bf8e8aad92fcf3d797c6d9df32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 May 2025 23:55:24 +0200 Subject: [PATCH 601/606] avformat/imf_cpl: fix indention after previous commit (cherry picked from commit d28bec8c4d1bcab3760463f501e14e51fd7b28c1) Signed-off-by: Michael Niedermayer --- libavformat/imf_cpl.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c index ff304d1676..235a72aca3 100644 --- a/libavformat/imf_cpl.c +++ b/libavformat/imf_cpl.c 
@@ -711,29 +711,29 @@ static int fill_virtual_tracks(void *log_ctx, xmlNodePtr cpl_element, FFIMFCPL * sequence_list_elem = ff_imf_xml_get_child_element_by_name(segment_elem, "SequenceList"); if (sequence_list_elem) { - sequence_elem = xmlFirstElementChild(sequence_list_elem); - while (sequence_elem) { - if (xmlStrcmp(sequence_elem->name, "MarkerSequence") == 0) - ret = push_marker_sequence(log_ctx, sequence_elem, cpl); + sequence_elem = xmlFirstElementChild(sequence_list_elem); + while (sequence_elem) { + if (xmlStrcmp(sequence_elem->name, "MarkerSequence") == 0) + ret = push_marker_sequence(log_ctx, sequence_elem, cpl); - else if (xmlStrcmp(sequence_elem->name, "MainImageSequence") == 0) - ret = push_main_image_2d_sequence(log_ctx, sequence_elem, cpl); + else if (xmlStrcmp(sequence_elem->name, "MainImageSequence") == 0) + ret = push_main_image_2d_sequence(log_ctx, sequence_elem, cpl); - else if (xmlStrcmp(sequence_elem->name, "MainAudioSequence") == 0) - ret = push_main_audio_sequence(log_ctx, sequence_elem, cpl); + else if (xmlStrcmp(sequence_elem->name, "MainAudioSequence") == 0) + ret = push_main_audio_sequence(log_ctx, sequence_elem, cpl); - else - av_log(log_ctx, - AV_LOG_INFO, - "The following Sequence is not supported and is ignored: %s\n", - sequence_elem->name); + else + av_log(log_ctx, + AV_LOG_INFO, + "The following Sequence is not supported and is ignored: %s\n", + sequence_elem->name); - /* abort parsing only if memory error occurred */ - if (ret == AVERROR(ENOMEM)) - return ret; + /* abort parsing only if memory error occurred */ + if (ret == AVERROR(ENOMEM)) + return ret; - sequence_elem = xmlNextElementSibling(sequence_elem); - } + sequence_elem = xmlNextElementSibling(sequence_elem); + } } segment_elem = xmlNextElementSibling(segment_elem); From 2f2fdf60a89ca03e8712de0d6a1b9b9b2b9589b6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 11 May 2025 01:08:06 +0200 Subject: [PATCH 602/606] avcodec/sonic: Check num_taps The encoder uses max 128 taps, which is quiet a lot already If work is done to improve sonic, it will be more radical than changing the taps Fixes: Timeout Fixes: 402539974/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6122944271286272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd0a792766c8ae513dd849fc47fa9e899cc5664b) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 0544fecf46..055c1e13a2 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -923,6 +923,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (get_bits1(&gb)) // XXX FIXME av_log(avctx, AV_LOG_INFO, "Custom quant table\n"); + if (s->num_taps > 128) + return AVERROR_INVALIDDATA; + s->block_align = 2048LL*s->samplerate/(44100*s->downsampling); s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; From 01ac901c4036e5642e3f3ee13aed73e48443326d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 May 2025 01:35:29 +0200 Subject: [PATCH 603/606] avcodec/svq3: Check there are bits left before decompression Fixes: out of array read Fixes: 402587670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-6343867775647744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c06f5b3ab97b1b1d0420309201568e38b3920860) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index bafde0b946..470cd8fd1d 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
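Review bot: The new `num_taps` bound in `sonic_decode_init` rejects the stream silently and uses a bare `128`. An `av_log` at `AV_LOG_ERROR` naming the rejected tap count would make the `AVERROR_INVALIDDATA` diagnosable. The commit message ties the limit to what the encoder produces, so a named constant shared with the encoder would keep the two from drifting apart. A brief comment above the check could then say that the limit exists to bound decode time. The function body continues outside the hunk.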
@@ -1252,6 +1252,7 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) uint8_t *buf; if (watermark_height <= 0 || + get_bits_left(&gb) <= 0 || (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return AVERROR_INVALIDDATA; From 587ab03c6f91414731e945ec6931696a2f3e9275 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 May 2025 23:09:07 +0200 Subject: [PATCH 604/606] avcodec/takdec: Check remaining space for first predictors Fixes: Timeout Fixes: 403673829/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5498240154009600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e6db875afcd147d48718130fde4a05c3ac406db) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 5cbc2de6bd..bcf7a52a9a 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -433,6 +433,9 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, return AVERROR_INVALIDDATA; } + if (get_bits_left(gb) < 2*10 + 2*size) + return AVERROR_INVALIDDATA; + s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); From 749f93de8d792d0f5ebf352e5ab4eb89a9327489 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 May 2025 23:18:19 +0200 Subject: [PATCH 605/606] avformat/matroskadec: check that channels fit in signed 32bit int Fixes: signed integer overflow: -1384566925600903168 * 16 cannot be represented in type 'long' Fixes: 407069502/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5159255372267520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 05f8c8c4c2b8f3a0b206ecb7e1b5bba68a9820b8) 
Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 783b39683a..fab7e2cd4f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2824,6 +2824,8 @@ static int mka_parse_audio(MatroskaTrack *track, AVStream *st, par->sample_rate = track->audio.out_samplerate; // channel layout may be already set by codec private checks above if (!av_channel_layout_check(&par->ch_layout)) { + if (track->audio.channels > INT32_MAX) + return AVERROR_PATCHWELCOME; par->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; par->ch_layout.nb_channels = track->audio.channels; } From 78690eba61ccb0c06ca869acb899128c84178250 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 9 Jul 2025 16:45:05 -0300 Subject: [PATCH 606/606] fftools/ffmpeg_demux: don't flag timestamps as unreliable if they are generated Regardless of the source being an AVFMT_NOTIMESTAMPS format, if the timestamps are generated like when using the use_wallclock_as_timestamps demuxer option, then they are reliable. Fixes ticket #11268 Signed-off-by: James Almer (cherry picked from commit 1787fade209b1ecbd4b911c9d77a52bcdec13fa6) --- fftools/ffmpeg_demux.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fftools/ffmpeg_demux.c b/fftools/ffmpeg_demux.c index 350f233ab7..1ca40eda5a 100644 --- a/fftools/ffmpeg_demux.c +++ b/fftools/ffmpeg_demux.c @@ -1363,6 +1363,8 @@ int ifile_open(const OptionsContext *o, const char *filename) char * data_codec_name = NULL; int scan_all_pmts_set = 0; + int64_t use_wallclock_as_timestamps; + int64_t start_time = o->start_time; int64_t start_time_eof = o->start_time_eof; int64_t stop_time = o->stop_time; 
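Review bot: The new guard in `mka_parse_audio` rejects only `track->audio.channels` values above `INT32_MAX`, so counts just below that are still stored in `par->ch_layout.nb_channels`. Any later arithmetic on the channel count (outside this hunk) can therefore still see very large operands. A bound tied to what the demuxer can actually handle would be tighter. Since `nb_channels` is an `int`, `INT_MAX` would express the representability limit directly. `AVERROR_INVALIDDATA` may also fit a nonsensical channel count better than `AVERROR_PATCHWELCOME`, e.g. `if (track->audio.channels > INT_MAX) return AVERROR_INVALIDDATA;`.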
@@ -1595,6 +1597,12 @@ int ifile_open(const OptionsContext *o, const char *filename) d->nb_streams_warn = ic->nb_streams; f->format_nots = !!(ic->iformat->flags & AVFMT_NOTIMESTAMPS); + ret = av_opt_get_int(ic, "use_wallclock_as_timestamps", 0, &use_wallclock_as_timestamps); + if (ret < 0) + return ret; + + if (use_wallclock_as_timestamps) + f->format_nots = 0; f->readrate = o->readrate ? o->readrate : 0.0; if (f->readrate < 0.0f) {