From 5108323aa90fac4a491a608b563cfcf11bea4b79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Dec 2014 00:47:17 +0100 Subject: [PATCH 001/700] Update for 2.5 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 5360d2ef3f..95e3ba8192 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.git +2.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8697e6c551..a5b96402de 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 2.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 36e7385d0eb7e3f40040ad469a911b67dd86b8d0 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 4 Dec 2014 01:35:47 +0100 Subject: [PATCH 002/700] Fix standalone compilation of the iec61883 input device. (cherry picked from commit 963aa1daf88066d43c7495803b870800c5faaa4d) Signed-off-by: Michael Niedermayer --- libavdevice/iec61883.c | 4 ++-- libavformat/Makefile | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index 0900ffadf7..b29aad1d48 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -350,7 +350,7 @@ static int iec61883_read_header(AVFormatContext *context) if (!dv->max_packets) dv->max_packets = 100; - if (dv->type == IEC61883_HDV) { + if (CONFIG_MPEGTS_DEMUXER && dv->type == IEC61883_HDV) { /* Init HDV receive */ 
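Review bot: With `CONFIG_MPEGTS_DEMUXER` compiled out, the new condition in iec61883_read_header lets a device that reports `IEC61883_HDV` skip the HDV setup silently and continue on the non-HDV path, which is outside this hunk. Rejecting that combination explicitly would be safer, for example testing `!CONFIG_MPEGTS_DEMUXER && dv->type == IEC61883_HDV` first and failing with `AVERROR(ENOSYS)` through the function's existing failure path, so an HDV stream is never handed to the other receive code. The same condition is repeated in the iec61883_close hunk that follows, and once the open path refuses HDV the guard there is only a link-time aid. Both function bodies start and end outside their hunks.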
@@ -444,7 +444,7 @@ static int iec61883_close(AVFormatContext *context) pthread_mutex_destroy(&dv->mutex); #endif - if (dv->type == IEC61883_HDV) { + if (CONFIG_MPEGTS_DEMUXER && dv->type == IEC61883_HDV) { iec61883_mpeg2_recv_stop(dv->iec61883_mpeg2); iec61883_mpeg2_close(dv->iec61883_mpeg2); avpriv_mpegts_parse_close(dv->mpeg_demux); diff --git a/libavformat/Makefile b/libavformat/Makefile index c1b5acee93..f0900c4343 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -519,6 +519,9 @@ OBJS-$(CONFIG_UNIX_PROTOCOL) += unix.o OBJS-$(HAVE_LIBC_MSVCRT) += file_open.o +# libavdevice dependencies +OBJS-$(CONFIG_IEC61883_INDEV) += dv.o + # Windows resource file SLIBOBJS-$(HAVE_GNU_WINDRES) += avformatres.o From a588e1e5609c19c1a1ee8c61739c858444ffa110 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Dec 2014 01:47:55 +0100 Subject: [PATCH 003/700] avcodec/aacdec: reduce noisiness of missing channel elements Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe026f2bda68a129d70b9609c4902917db9ca2e) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index db2a9b676e..d00b3d0d27 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -2780,7 +2780,7 @@ static void spectral_to_sample(AACContext *ac) apply_channel_coupling(ac, che, type, i, AFTER_IMDCT, apply_independent_coupling); che->present = 0; } else if (che) { - av_log(ac->avctx, AV_LOG_WARNING, "ChannelElement %d.%d missing \n", type, i); + av_log(ac->avctx, AV_LOG_VERBOSE, "ChannelElement %d.%d missing \n", type, i); } } } From d9bdf7d9ae6c22e7a36597bb733cab12505e4a6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Dec 2014 02:16:20 +0100 Subject: [PATCH 004/700] Changelog: release is 2.5 not "next" Signed-off-by: Michael Niedermayer --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Changelog b/Changelog index 98bd2c6b9d..0130ca87ac 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 2.5: - HEVC/H.265 RTP payload format (draft v6) packetizer - SUP/PGS subtitle demuxer - ffprobe -show_pixel_formats option From bb8614cb7b5ca27984f0a686c7a6cecabdeed60a Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Thu, 4 Dec 2014 06:06:07 +0100 Subject: [PATCH 005/700] Changelog/RELEASE_NOTES: Add APNG decoder Signed-off-by: Timothy Gu --- Changelog | 2 +- RELEASE_NOTES | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 0130ca87ac..7187a15cf2 100644 --- a/Changelog +++ b/Changelog @@ -16,7 +16,7 @@ version 2.5: - creating DASH compatible fragmented MP4, MPEG-DASH segmenting muxer - WebP muxer with animated WebP support - zygoaudio decoding support -- APNG demuxer +- APNG decoder and demuxer - postproc visualization support diff --git a/RELEASE_NOTES b/RELEASE_NOTES index a1ddd35dbf..b78efe36b9 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -56,6 +56,7 @@ • libutvideo YUV 4:2:2 10bit support • animated WebP decoding support • zygoaudio decoding support + • APNG decoder ┌────────────────────────────┐ │ libavdevice │ From 192d46e6d1e5229d74e54515b5dfceaa15d3be5e Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Wed, 3 Dec 2014 20:10:33 -0800 Subject: [PATCH 006/700] Update RELEASE_NOTES Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index b78efe36b9..5bd3273d37 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES 
@@ -2,9 +2,13 @@ │ RELEASE NOTES for FFmpeg 2.5 "Bohr" │ └────────────────────────────────────────┘ - The FFmpeg Project proudly presents FFmpeg 2.5 "Bohr", just 2.5 months - after the release of 2.4. Since this wasn't a long time ago, the Changelog - is a bit short this time. + The FFmpeg Project proudly presents FFmpeg 2.5 "Bohr", 2.5 months after the + release of 2.4. + + The most important new features are AVFoundation screen-grabbing support, + animated WebP decoding support, and Animated PNG support. In addition, many + exciting features for video streaming are also implemented, including MPEG- + DASH fragmenting muxer, HEVC RTP payload muxer, and UDP Lite support. As usual, if you have any question on this release or any FFmpeg related topic, feel free to join us on the #ffmpeg IRC channel (on @@ -73,7 +77,8 @@ • SUP/PGS subtitle demuxer • STL subtitle demuxer • UDP-Lite support (RFC 3828) - • creating DASH compatible fragmented MP4, MPEG-DASH segmenting muxer + • MPEG-DASH segmenting muxer, which allows creating DASH compatible + fragmented MP4 • WebP muxer • APNG demuxer @@ -94,7 +99,3 @@ └────────────────────────────┘ • visualization support - - ┌────────────────────────────┐ - │ ⚠ Behaviour changes │ - └────────────────────────────┘ From 968e733b2e9f4a39bee3606ec0303c9b03b2bc68 Mon Sep 17 00:00:00 2001 From: Rong Yan Date: Thu, 4 Dec 2014 05:51:30 +0000 Subject: [PATCH 007/700] avcodec/ppc/vc1dsp_altivec: add POWER LE support to vc1_inv_trans_8x4_altivec() Signed-off-by: Michael Niedermayer (cherry picked from commit 36cd2bcbc343c299241dc7275cb85cbc3fc6b8ad) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/vc1dsp_altivec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/ppc/vc1dsp_altivec.c b/libavcodec/ppc/vc1dsp_altivec.c index 2128b56d05..35bb280842 100644 --- a/libavcodec/ppc/vc1dsp_altivec.c +++ b/libavcodec/ppc/vc1dsp_altivec.c 
@@ -304,16 +304,23 @@ static void vc1_inv_trans_8x4_altivec(uint8_t *dest, int stride, int16_t *block) src2 = vec_pack(s2, sA); src3 = vec_pack(s3, sB); +#if HAVE_BIGENDIAN p0 = vec_lvsl (0, dest); p1 = vec_lvsl (stride, dest); p = vec_splat_u8 (-1); perm0 = vec_mergeh (p, p0); perm1 = vec_mergeh (p, p1); +#define GET_TMP2(dst, p) \ + tmp = vec_ld (0, dest); \ + tmp2 = (vector signed short)vec_perm (tmp, vec_splat_u8(0), p); +#else +#define GET_TMP2(dst,p) \ + tmp = vec_vsx_ld (0, dst); \ + tmp2 = (vector signed short)vec_mergeh (tmp, vec_splat_u8(0)); +#endif #define ADD(dest,src,perm) \ - /* *(uint64_t *)&tmp = *(uint64_t *)dest; */ \ - tmp = vec_ld (0, dest); \ - tmp2 = (vector signed short)vec_perm (tmp, vec_splat_u8(0), perm); \ + GET_TMP2(dest, perm); \ tmp3 = vec_adds (tmp2, src); \ tmp = vec_packsu (tmp3, tmp3); \ vec_ste ((vector unsigned int)tmp, 0, (unsigned int *)dest); \ From aac467ae174b16bc17d58f77b7ca4c1d98045ad3 Mon Sep 17 00:00:00 2001 From: Rong Yan Date: Thu, 4 Dec 2014 10:34:02 +0000 Subject: [PATCH 008/700] avcodec/ppc/vp8dsp_altivec.c: POWER LE support put_vp8_epel_h_altivec_core() put_vp8_epel_v_altivec_core() put_vp8_pixels16_altivec() add marcos GET_PIXHL() GET_OUTER() LOAD_HL() Signed-off-by: Michael Niedermayer (cherry picked from commit d23e8832486f0a37c7ad708b504b723bcfa2f71d) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/vp8dsp_altivec.c | 86 +++++++++++++++++++-------------- 1 file changed, 49 insertions(+), 37 deletions(-) diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c index 91ff8cc8ff..23e4ace7da 100644 --- a/libavcodec/ppc/vp8dsp_altivec.c +++ b/libavcodec/ppc/vp8dsp_altivec.c 
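Review bot: The big-endian `GET_TMP2(dst, p)` ignores its `dst` parameter and loads from the function's `dest` directly (`tmp = vec_ld (0, dest);`), while the little-endian variant correctly uses `dst`. That is only equivalent as long as every `ADD` invocation passes `dest` itself, and those invocations are outside this hunk. Writing the first line as `tmp = vec_ld (0, dst);` makes the two variants agree. Both `GET_TMP2` and `ADD` also expand to several bare statements, so they should only be used where a full statement sequence is allowed, and a comment saying so would help. vc1_inv_trans_8x4_altivec starts and ends outside the hunk.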
@@ -59,17 +59,30 @@ static const vec_s8 h_subpel_filters_outer[3] = vec_s8 filter_outerh = h_subpel_filters_outer[(i)>>1]; \ vec_s8 filter_outerl = vec_sld(filter_outerh, filter_outerh, 2) +#if HAVE_BIGENDIAN +#define GET_PIXHL(offset) \ + a = vec_ld((offset)-is6tap-1, src); \ + b = vec_ld((offset)-is6tap-1+15, src); \ + pixh = vec_perm(a, b, permh##offset); \ + pixl = vec_perm(a, b, perml##offset) + +#define GET_OUTER(offset) outer = vec_perm(a, b, perm_6tap##offset) +#else +#define GET_PIXHL(offset) \ + a = vec_vsx_ld((offset)-is6tap-1, src); \ + pixh = vec_perm(a, a, perm_inner); \ + pixl = vec_perm(a, a, vec_add(perm_inner, vec_splat_u8(4))) + +#define GET_OUTER(offset) outer = vec_perm(a, a, perm_outer) +#endif + #define FILTER_H(dstv, off) \ - a = vec_ld((off)-is6tap-1, src); \ - b = vec_ld((off)-is6tap-1+15, src); \ -\ - pixh = vec_perm(a, b, permh##off); \ - pixl = vec_perm(a, b, perml##off); \ + GET_PIXHL(off); \ filth = vec_msum(filter_inner, pixh, c64); \ filtl = vec_msum(filter_inner, pixl, c64); \ \ if (is6tap) { \ - outer = vec_perm(a, b, perm_6tap##off); \ + GET_OUTER(off); \ filth = vec_msum(filter_outerh, outer, filth); \ filtl = vec_msum(filter_outerl, outer, filtl); \ } \ @@ -84,9 +97,12 @@ void put_vp8_epel_h_altivec_core(uint8_t *dst, ptrdiff_t dst_stride, int h, int mx, int w, int is6tap) { LOAD_H_SUBPEL_FILTER(mx-1); - vec_u8 align_vec0, align_vec8, permh0, permh8, filt; +#if HAVE_BIGENDIAN + vec_u8 align_vec0, align_vec8, permh0, permh8; vec_u8 perm_6tap0, perm_6tap8, perml0, perml8; - vec_u8 a, b, pixh, pixl, outer; + vec_u8 b; +#endif + vec_u8 filt, a, pixh, pixl, outer; vec_s16 f16h, f16l; vec_s32 filth, filtl; @@ -97,6 +113,7 @@ void put_vp8_epel_h_altivec_core(uint8_t *dst, ptrdiff_t dst_stride, vec_s32 c64 = vec_sl(vec_splat_s32(1), vec_splat_u32(6)); vec_u16 c7 = vec_splat_u16(7); +#if HAVE_BIGENDIAN align_vec0 = vec_lvsl( -is6tap-1, src); align_vec8 = vec_lvsl(8-is6tap-1, src); 
@@ -107,6 +124,7 @@ void put_vp8_epel_h_altivec_core(uint8_t *dst, ptrdiff_t dst_stride, perml8 = vec_perm(align_vec8, align_vec8, perm_inner); perm_6tap0 = vec_perm(align_vec0, align_vec0, perm_outer); perm_6tap8 = vec_perm(align_vec8, align_vec8, perm_outer); +#endif while (h --> 0) { FILTER_H(f16h, 0); @@ -164,6 +182,12 @@ static const vec_u8 v_subpel_filters[7] = dstv = vec_adds(dstv, c64); \ dstv = vec_sra(dstv, c7) +#if HAVE_BIGENDIAN +#define LOAD_HL(off, s, perm) load_with_perm_vec(off, s, perm) +#else +#define LOAD_HL(off, s, perm) vec_mergeh(vec_vsx_ld(off,s), vec_vsx_ld(off+8,s)) +#endif + static av_always_inline void put_vp8_epel_v_altivec_core(uint8_t *dst, ptrdiff_t dst_stride, uint8_t *src, ptrdiff_t src_stride, @@ -175,6 +199,7 @@ void put_vp8_epel_v_altivec_core(uint8_t *dst, ptrdiff_t dst_stride, vec_s16 c64 = vec_sl(vec_splat_s16(1), vec_splat_u16(6)); vec_u16 c7 = vec_splat_u16(7); +#if HAVE_BIGENDIAN // we want pixels 0-7 to be in the even positions and 8-15 in the odd, // so combine this permute with the alignment permute vector align_vech = vec_lvsl(0, src); 
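Review bot: The little-endian `LOAD_HL` added in the `@@ -164` hunk always issues a second 16-byte load at `off+8` and drops `perm`, so every row read touches bytes `off` through `off+23` of `src` regardless of the block width. The big-endian code in the following hunk builds different permutes for its two cases (`vec_mergeh(align_vech, align_vecl)` versus `vec_mergeh(align_vech, align_vech)`), which suggests narrow blocks were not meant to consume pixels 8-15. Whether the unaligned loads can run past the end of the source plane depends on padding that is not visible here and should be confirmed. `off` is also unparenthesised; `vec_vsx_ld((off)+8,s)` keeps the macro safe for any argument expression. A comment such as `/* LE: reads 24 bytes from s+off; perm is unused */` would record the read extent.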
@@ -183,22 +208,23 @@ void put_vp8_epel_v_altivec_core(uint8_t *dst, ptrdiff_t dst_stride, perm_vec = vec_mergeh(align_vech, align_vecl); else perm_vec = vec_mergeh(align_vech, align_vech); +#endif if (is6tap) - s0 = load_with_perm_vec(-2*src_stride, src, perm_vec); - s1 = load_with_perm_vec(-1*src_stride, src, perm_vec); - s2 = load_with_perm_vec( 0*src_stride, src, perm_vec); - s3 = load_with_perm_vec( 1*src_stride, src, perm_vec); + s0 = LOAD_HL(-2*src_stride, src, perm_vec); + s1 = LOAD_HL(-1*src_stride, src, perm_vec); + s2 = LOAD_HL( 0*src_stride, src, perm_vec); + s3 = LOAD_HL( 1*src_stride, src, perm_vec); if (is6tap) - s4 = load_with_perm_vec( 2*src_stride, src, perm_vec); + s4 = LOAD_HL( 2*src_stride, src, perm_vec); src += (2+is6tap)*src_stride; while (h --> 0) { if (is6tap) - s5 = load_with_perm_vec(0, src, perm_vec); + s5 = LOAD_HL(0, src, perm_vec); else - s4 = load_with_perm_vec(0, src, perm_vec); + s4 = LOAD_HL(0, src, perm_vec); FILTER_V(f16h, vec_mule); 
@@ -272,39 +298,25 @@ EPEL_HV(4, 4,4) static void put_vp8_pixels16_altivec(uint8_t *dst, ptrdiff_t dstride, uint8_t *src, ptrdiff_t sstride, int h, int mx, int my) { - register vector unsigned char pixelsv1, pixelsv2; - register vector unsigned char pixelsv1B, pixelsv2B; - register vector unsigned char pixelsv1C, pixelsv2C; - register vector unsigned char pixelsv1D, pixelsv2D; - - register vector unsigned char perm = vec_lvsl(0, src); + register vector unsigned char perm; int i; register ptrdiff_t dstride2 = dstride << 1, sstride2 = sstride << 1; register ptrdiff_t dstride3 = dstride2 + dstride, sstride3 = sstride + sstride2; register ptrdiff_t dstride4 = dstride << 2, sstride4 = sstride << 2; +#if HAVE_BIGENDIAN + perm = vec_lvsl(0, src); +#endif // hand-unrolling the loop by 4 gains about 15% // mininum execution time goes from 74 to 60 cycles // it's faster than -funroll-loops, but using // -funroll-loops w/ this is bad - 74 cycles again. // all this is on a 7450, tuning for the 7450 for (i = 0; i < h; i += 4) { - pixelsv1 = vec_ld( 0, src); - pixelsv2 = vec_ld(15, src); - pixelsv1B = vec_ld(sstride, src); - pixelsv2B = vec_ld(15 + sstride, src); - pixelsv1C = vec_ld(sstride2, src); - pixelsv2C = vec_ld(15 + sstride2, src); - pixelsv1D = vec_ld(sstride3, src); - pixelsv2D = vec_ld(15 + sstride3, src); - vec_st(vec_perm(pixelsv1, pixelsv2, perm), - 0, (unsigned char*)dst); - vec_st(vec_perm(pixelsv1B, pixelsv2B, perm), - dstride, (unsigned char*)dst); - vec_st(vec_perm(pixelsv1C, pixelsv2C, perm), - dstride2, (unsigned char*)dst); - vec_st(vec_perm(pixelsv1D, pixelsv2D, perm), - dstride3, (unsigned char*)dst); + vec_st(load_with_perm_vec(0, src, perm), 0, dst); + vec_st(load_with_perm_vec(sstride, src, perm), dstride, dst); + vec_st(load_with_perm_vec(sstride2, src, perm), dstride2, dst); + vec_st(load_with_perm_vec(sstride3, src, perm), dstride3, dst); src += sstride4; dst += dstride4; } From 91f88eab32b58549393e1becc2047d4687867ce2 Mon Sep 17 00:00:00 2001 
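Review bot: In put_vp8_pixels16_altivec `perm` is now assigned only under `#if HAVE_BIGENDIAN`, yet it is still passed to `load_with_perm_vec(..., src, perm)` on every build. If load_with_perm_vec is a macro that discards the argument on little-endian this is harmless, but its definition is not in this hunk, and if it is a function the call reads an indeterminate value. Either give `perm` a defined value in an `#else` branch (for example `perm = vec_splat_u8(0);`) or add a comment at the declaration stating that the little-endian helper ignores it. The stores also lost their `(unsigned char*)` cast and still use `vec_st`, so the alignment requirement on `dst` is unchanged and worth stating in the function comment.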
From: Michael Niedermayer Date: Thu, 4 Dec 2014 14:24:59 +0100 Subject: [PATCH 009/700] MAINTAINERS: add 2.5 Signed-off-by: Michael Niedermayer (cherry picked from commit a4f21a8dd9d8b327334d706a96c0cb5c41bd82b6) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 15b976fee7..0f2faeda2f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -537,6 +537,7 @@ x86 Michael Niedermayer Releases ======== +2.5 Michael Niedermayer 2.4 Michael Niedermayer 2.2 Michael Niedermayer 1.2 Michael Niedermayer From 3bcd1daad7993d2d23704582260fe45f4823a16d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Dec 2014 18:58:38 +0100 Subject: [PATCH 010/700] doc/examples/transcoding: check encoder before using it Fixes null pointer exception Found-by: stoupeace Signed-off-by: Michael Niedermayer (cherry picked from commit bde27e1e617dfeb3c026f530f48a77f5ed8aa2ea) Signed-off-by: Michael Niedermayer --- doc/examples/transcoding.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index 759c628e93..5572461616 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -116,6 +116,10 @@ static int open_output_file(const char *filename) || dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) { /* in this example, we choose transcoding to same codec */ encoder = avcodec_find_encoder(dec_ctx->codec_id); + if (!encoder) { + av_log(NULL, AV_LOG_FATAL, "Neccessary encoder not found\n"); + return AVERROR_INVALIDDATA; + } /* In this example, we transcode to same properties (picture size, * sample rate etc.). These properties can be changed for output From aa24dd487f1a4d5d4ed8b63a58ab4490afa8dc76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Dec 2014 04:27:49 +0100 Subject: [PATCH 011/700] avcodec/mpegaudiodec_template: only allocate fdsp when its used Fixes memleak 
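Review bot: The new failure branch in open_output_file reports a missing encoder as `AVERROR_INVALIDDATA`, which tells the caller the input was corrupt rather than that this build lacks the encoder; `return AVERROR_ENCODER_NOT_FOUND;` describes the condition accurately. The log text is misspelled and does not say which stream was affected; `av_log(NULL, AV_LOG_FATAL, "Necessary encoder not found\n");` fixes the spelling, and including the stream index would make the message actionable. Whatever open_output_file allocated before this point is outside the hunk, so whether the early return leaves cleanup to the caller should be confirmed.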
Signed-off-by: Michael Niedermayer (cherry picked from commit a7ebd0b011f9576c843a86bd6a1828ecaa6faf3a) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index bbd07c5f0b..138a107b85 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -428,9 +428,11 @@ static av_cold int decode_init(AVCodecContext * avctx) s->avctx = avctx; +#if USE_FLOATS s->fdsp = avpriv_float_dsp_alloc(avctx->flags & CODEC_FLAG_BITEXACT); if (!s->fdsp) return AVERROR(ENOMEM); +#endif ff_mpadsp_init(&s->mpadsp); From 542332e523cd5c055bd9a97a055008f3342b4edc Mon Sep 17 00:00:00 2001 From: Piotr Fusik Date: Fri, 5 Dec 2014 15:47:05 +0100 Subject: [PATCH 012/700] doc/examples/filtering_video: fix frame rate Signed-off-by: Michael Niedermayer (cherry picked from commit c99e5191ab846d4897dfc565ba446ec960e04aa9) Signed-off-by: Michael Niedermayer --- doc/examples/filtering_video.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/examples/filtering_video.c b/doc/examples/filtering_video.c index 8d595735b3..601c3d87f0 100644 --- a/doc/examples/filtering_video.c +++ b/doc/examples/filtering_video.c @@ -90,6 +90,7 @@ static int init_filters(const char *filters_descr) AVFilter *buffersink = avfilter_get_by_name("buffersink"); AVFilterInOut *outputs = avfilter_inout_alloc(); AVFilterInOut *inputs = avfilter_inout_alloc(); + AVRational time_base = fmt_ctx->streams[video_stream_index]->time_base; enum AVPixelFormat pix_fmts[] = { AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE }; filter_graph = avfilter_graph_alloc(); 
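Review bot: The new `time_base` local in init_filters is read from `fmt_ctx->streams[video_stream_index]` in its initializer, so it depends on `video_stream_index` already holding a valid index when init_filters is called, and nothing in this hunk shows that. A one-line comment stating the precondition, or moving the read below a check, would make the dependency explicit. If the reason for the change is that decoded frames carry timestamps in the stream time base rather than the codec one, a comment such as `/* buffer source must use the time base the frame timestamps are expressed in */` above the declaration would explain why `dec_ctx->time_base` is no longer used in the second hunk. init_filters continues outside both hunks.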
@@ -102,7 +103,7 @@ static int init_filters(const char *filters_descr) snprintf(args, sizeof(args), "video_size=%dx%d:pix_fmt=%d:time_base=%d/%d:pixel_aspect=%d/%d", dec_ctx->width, dec_ctx->height, dec_ctx->pix_fmt, - dec_ctx->time_base.num, dec_ctx->time_base.den, + time_base.num, time_base.den, dec_ctx->sample_aspect_ratio.num, dec_ctx->sample_aspect_ratio.den); ret = avfilter_graph_create_filter(&buffersrc_ctx, buffersrc, "in", From f7b536665706b5cb941b15abafd28f67ae2b0604 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 6 Dec 2014 16:53:30 +0100 Subject: [PATCH 013/700] avformat/matroskadec: fix handling of recursive SeekHead elements When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index c81b5a04af..e9ba1e967e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1414,13 +1414,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; From 6ec5a199ea7718d24d574b47176b224f6bdca6af Mon Sep 17 00:00:00 2001 From: Rong Yan Date: Mon, 8 Dec 2014 08:00:59 +0000 Subject: [PATCH 014/700] avcodec/ppc/vp3dsp_altivec: POWER LE support to vp3_idct_add_altivec() add GET_VDST16() macro Signed-off-by: Michael Niedermayer (cherry picked from commit 9bd8f2cc32c2616c2bc010dd50f542ce6a85162b) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/vp3dsp_altivec.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/ppc/vp3dsp_altivec.c b/libavcodec/ppc/vp3dsp_altivec.c index 9d81b3f265..4a367b655e 100644 --- a/libavcodec/ppc/vp3dsp_altivec.c +++ b/libavcodec/ppc/vp3dsp_altivec.c @@ -32,8 +32,13 @@ static const vec_s16 constants = {0, 64277, 60547, 54491, 46341, 36410, 25080, 12785}; +#if HAVE_BIGENDIAN static const vec_u8 interleave_high = {0, 1, 16, 17, 4, 5, 20, 21, 8, 9, 24, 25, 12, 13, 28, 29}; +#else +static const vec_u8 interleave_high = + {2, 3, 18, 19, 6, 7, 22, 23, 10, 11, 26, 27, 14, 15, 30, 31}; +#endif #define IDCT_START \ vec_s16 A, B, C, D, Ad, Bd, Cd, Dd, E, F, G, H;\ 
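Review bot: The loop in matroska_execute_seekhead now trusts the `nb_elem` snapshot while still re-reading `seekhead_list->elem` on each pass, so it is only safe if the list can grow but never shrink or be freed while an entry is being parsed, and that property is not visible in this hunk. Bounding on both values, `for (i = 0; i < nb_elem && i < seekhead_list->nb_elem; i++) {`, costs nothing and keeps `seekhead[i]` inside the live array even if some parse path resets the list. The comment could also state the reason, e.g. `// entries appended while parsing are skipped so recursive SeekHeads cannot keep the loop running`. The loop body continues outside the hunk.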
@@ -156,9 +161,18 @@ static void vp3_idct_add_altivec(uint8_t *dst, int stride, int16_t block[64]) TRANSPOSE8(b0, b1, b2, b3, b4, b5, b6, b7); IDCT_1D(ADD8, SHIFT4) -#define ADD(a)\ +#if HAVE_BIGENDIAN +#define GET_VDST16\ vdst = vec_ld(0, dst);\ - vdst_16 = (vec_s16)vec_perm(vdst, zero_u8v, vdst_mask);\ + vdst_16 = (vec_s16)vec_perm(vdst, zero_u8v, vdst_mask); +#else +#define GET_VDST16\ + vdst = vec_vsx_ld(0,dst);\ + vdst_16 = (vec_s16)vec_mergeh(vdst, zero_u8v); +#endif + +#define ADD(a)\ + GET_VDST16;\ vdst_16 = vec_adds(a, vdst_16);\ t = vec_packsu(vdst_16, vdst_16);\ vec_ste((vec_u32)t, 0, (unsigned int *)dst);\ From d5af3fb1c53e55654f409904a3491e77db02fa5a Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Mon, 8 Dec 2014 16:08:20 +0100 Subject: [PATCH 015/700] configure: use use_pkg_config() instead of check_pkg_config() for libsmbclient This ensures that the CFLAGS and LDFLAGS are actually applied. Fixes an incorrect change introduced with the clean-up in commit cfcaf6b38e39ed6e788abb1a5a44f23660dce2f6. Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 754f4957d7a7e5be0df0e9de1d31aebeecdc4476) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c046e3484d..ed506289d5 100755 --- a/configure +++ b/configure 
@@ -4883,7 +4883,7 @@ enabled libquvi && require_pkg_config libquvi quvi/quvi.h quvi_init enabled librtmp && require_pkg_config librtmp librtmp/rtmp.h RTMP_Socket enabled libschroedinger && require_pkg_config schroedinger-1.0 schroedinger/schro.h schro_init enabled libshine && require_pkg_config shine shine/layer3.h shine_encode_buffer -enabled libsmbclient && { check_pkg_config smbclient libsmbclient.h smbc_init || +enabled libsmbclient && { use_pkg_config smbclient libsmbclient.h smbc_init || require smbclient libsmbclient.h smbc_init -lsmbclient; } enabled libsoxr && require libsoxr soxr.h soxr_create -lsoxr enabled libssh && require_pkg_config libssh libssh/sftp.h sftp_init From 0103bc67fdd54f68c864de483e350014700b4740 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Dec 2014 19:58:56 +0100 Subject: [PATCH 016/700] avformat/crypto: fix key vs iv typo Fixes Ticket 4167 Signed-off-by: Michael Niedermayer (cherry picked from commit 2d0117f816b92510546caf26414961ee6088f961) Signed-off-by: Michael Niedermayer --- libavformat/crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/crypto.c b/libavformat/crypto.c index c1754b0b11..22529fb521 100644 --- a/libavformat/crypto.c +++ b/libavformat/crypto.c @@ -122,7 +122,7 @@ static int crypto_open2(URLContext *h, const char *uri, int flags, AVDictionary c->key, c->keylen, "decryption key")) < 0) goto err; if ((ret = set_aes_arg(c, &c->decrypt_iv, &c->decrypt_ivlen, - c->key, c->keylen, "decryption IV")) < 0) + c->iv, c->ivlen, "decryption IV")) < 0) goto err; } @@ -132,7 +132,7 @@ static int crypto_open2(URLContext *h, const char *uri, int flags, AVDictionary if (ret < 0) goto err; if ((ret = set_aes_arg(c, &c->encrypt_iv, &c->encrypt_ivlen, - c->key, c->keylen, "encryption IV")) < 0) + c->iv, c->ivlen, "encryption IV")) < 0) goto err; } From 0e4efad93c1defa12e8e2c103f7b92b91a7608dd Mon Sep 17 00:00:00 2001 
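Review bot: Neither crypto_open2 hunk shows a length check on the IV that is now taken from `c->iv`/`c->ivlen`, so it is worth confirming that set_aes_arg, defined outside these hunks, rejects an IV whose length is not the cipher block size instead of copying it as given. The set_aes_arg calls differ only in the field names passed, which is how the key ended up in the IV position. A comment over each pair such as `/* direction-specific value wins; the shared key/iv options are the fallback */` would make a repeat easier to spot, assuming that is what set_aes_arg does with its default arguments. Since the removed lines passed the key bytes where the IV default belongs, a sentence in the protocol documentation would help users whose output changes after upgrading.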
From: Michael Niedermayer Date: Wed, 10 Dec 2014 13:30:51 +0100 Subject: [PATCH 017/700] avformat/flvdec: fix potential use of uninitialized variables Signed-off-by: Michael Niedermayer (cherry picked from commit 0fadbd3623cf9132832f48810c0edb93aa63f51b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 17d1313d60..c64b3a9d92 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -459,11 +459,11 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, } if (key) { + acodec = astream ? astream->codec : NULL; + vcodec = vstream ? vstream->codec : NULL; + // stream info doesn't live any deeper than the first object if (depth == 1) { - acodec = astream ? astream->codec : NULL; - vcodec = vstream ? vstream->codec : NULL; - if (amf_type == AMF_DATA_TYPE_NUMBER || amf_type == AMF_DATA_TYPE_BOOL) { if (!strcmp(key, "duration")) From 9783d5bfda33ab7b4da30f88cea3fcfd8d9d3957 Mon Sep 17 00:00:00 2001 From: Rob Sykes Date: Sat, 13 Dec 2014 21:12:56 +0100 Subject: [PATCH 018/700] swresample/soxr_resample: fix error handling Fixes CID1257659 Signed-off-by: Michael Niedermayer (cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb) Signed-off-by: Michael Niedermayer --- libswresample/soxr_resample.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 064451df45..9e87f2fc4b 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c 
@@ -76,8 +76,12 @@ static int process( AudioData *src, int src_size, int *consumed){ size_t idone, odone; soxr_error_t error = soxr_set_error((soxr_t)c, soxr_set_num_channels((soxr_t)c, src->ch_count)); - error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, - &idone, dst->ch, (size_t)dst_size, &odone); + if (!error) + error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, + &idone, dst->ch, (size_t)dst_size, &odone); + else + idone = 0; + *consumed = (int)idone; return error? -1 : odone; } From 13244abcd3db1e3972123efe0f0efe24a27dcf77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 019/700] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index f374314fba..0b0748e954 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -223,6 +223,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && (!s->direct || !s->seek) && offset1 >= 0 && offset1 <= buffer_size) { From 3b3a3c3d448edf071203632c0b68776ecb9d46e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 19:46:31 +0100 Subject: [PATCH 020/700] avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference() Fixes Ticket3686 Signed-off-by: Michael Niedermayer (cherry picked from commit a29524bf2e197dd8d582445de0fe17f03b79f79d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 798c6123e0..ae6347a49f 100644 
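Review bot: The new `if (offset < 0)` test in avio_seek runs after `offset += offset1;`, so for a relative seek with a very large positive `offset` the addition can overflow `int64_t` before the check sees the result, and signed overflow is undefined behaviour in C. Checking before the addition closes that gap: `if (offset > INT64_MAX - offset1) return AVERROR(EINVAL);` placed ahead of `offset += offset1;`. The branch that performs the addition starts outside the hunk, so the exact placement, and whether `offset1` can itself be negative there, needs to be confirmed against the full function.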
--- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -594,6 +594,8 @@ static int update_wrap_reference(AVFormatContext *s, AVStream *st, int stream_in int default_stream_index = av_find_default_stream_index(s); if (s->streams[default_stream_index]->pts_wrap_reference == AV_NOPTS_VALUE) { for (i = 0; i < s->nb_streams; i++) { + if (av_find_program_from_stream(s, NULL, i)) + continue; s->streams[i]->pts_wrap_reference = pts_wrap_reference; s->streams[i]->pts_wrap_behavior = pts_wrap_behavior; } From 135c733125e322e343b23fa522233a34fd354e60 Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 15 Dec 2014 04:32:58 +0100 Subject: [PATCH 021/700] lavu/frame: fix malloc error path in av_frame_copy_props() The error path frees all side data, but forgets to reset the side data count. This can blow up later in av_frame_unref() and free_side_data(). Signed-off-by: Michael Niedermayer (cherry picked from commit a400edbb6d00c0211de38e4f1b4f593681db91d8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/frame.c b/libavutil/frame.c index 4ee06306ce..5c9aa2914c 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -503,6 +503,7 @@ int av_frame_copy_props(AVFrame *dst, const AVFrame *src) free_side_data(&dst->side_data[i]); } av_freep(&dst->side_data); + dst->nb_side_data = 0; return AVERROR(ENOMEM); } memcpy(sd_dst->data, sd_src->data, sd_src->size); From 5e26152ee496d1ade0ea0b413ae46e90c08f78ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Dec 2014 15:30:31 +0100 Subject: [PATCH 022/700] Update for FFmpeg 2.5.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 95e3ba8192..73462a5a13 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5 +2.5.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index a5b96402de..73c16ce0e4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5 +PROJECT_NUMBER = 2.5.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 2c01dd2ea5e39238261945185d2b30e11979cf4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Dec 2014 23:52:03 +0100 Subject: [PATCH 023/700] Update Changelog for 2.5.1 Signed-off-by: Michael Niedermayer --- Changelog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Changelog b/Changelog index 7187a15cf2..ea7774d7f5 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,22 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.1: +- lavu/frame: fix malloc error path in av_frame_copy_props() +- avformat/aviobuf: Check that avio_seek() target is non negative +- swresample/soxr_resample: fix error handling +- avformat/flvdec: fix potential use of uninitialized variables +- avformat/crypto: fix key vs iv typo +- configure: use use_pkg_config() instead of check_pkg_config() for libsmbclient +- avcodec/ppc/vp3dsp_altivec: POWER LE support to vp3_idct_add_altivec() +- avformat/matroskadec: fix handling of recursive SeekHead elements +- doc/examples/filtering_video: fix frame rate +- avcodec/mpegaudiodec_template: only allocate fdsp when its used +- doc/examples/transcoding: check encoder before using it +- update MAINTAINERS file +- POWER LE support in put_vp8_epel_h_altivec_core() put_vp8_epel_v_altivec_core() put_vp8_pixels16_altivec() +- POWER LE support in vc1_inv_trans_8x4_altivec() + version 2.5: - HEVC/H.265 RTP payload format (draft v6) packetizer - SUP/PGS subtitle demuxer From f295f9488a3013c9f13e8fece926d866ca1cac88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 20 Dec 2014 00:17:21 +0100 Subject: [PATCH 024/700] avformat/apngdec: make tag_buf string larger av_get_codec_tag_string() uses more that 1 char for unprintable characters. (cherry picked from commit d60fb4f7946272d2ef39703762b54c5f3a1b5789) --- libavformat/apngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index d97b015a79..5e7a4a1150 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -404,7 +404,7 @@ static int apng_read_packet(AVFormatContext *s, AVPacket *pkt) return 0; default: { - char tag_buf[5]; + char tag_buf[32]; av_get_codec_tag_string(tag_buf, sizeof(tag_buf), tag); avpriv_request_sample(s, "In-stream tag=%s (0x%08X) len=%"PRIu32, tag_buf, tag, len); From 7e130ca5b42c03df51fc8b4b5205d38760546a87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 20 Dec 2014 00:17:43 +0100 Subject: [PATCH 025/700] avformat/rsd: make tag_buf string larger av_get_codec_tag_string() uses more that 1 char for unprintable characters. (cherry picked from commit edbbb11488e1fce9b9703535936d2e1731e2e318) --- libavformat/rsd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index bb2f3bc7a2..1eff5de7e6 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -70,7 +70,7 @@ static int rsd_read_header(AVFormatContext *s) codec->codec_tag = avio_rl32(pb); codec->codec_id = ff_codec_get_id(rsd_tags, codec->codec_tag); if (!codec->codec_id) { - char tag_buf[5]; + char tag_buf[32]; av_get_codec_tag_string(tag_buf, sizeof(tag_buf), codec->codec_tag); for (i=0; i < FF_ARRAY_ELEMS(rsd_unsupported_tags); i++) { From b85a939633c72f122ecd770856707f7f7d88e48f Mon Sep 17 00:00:00 2001 
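Review bot: `char tag_buf[32];` in `apng_read_packet()` replaces one magic size with another, and the same literal is repeated in `rsd_read_header()` in the next patch. `av_get_codec_tag_string()` is passed `sizeof(tag_buf)`, so the call is bounded either way, but the reason for 32 exists only in the commit message. Add a comment at the declaration, e.g. `/* each of the 4 tag bytes may expand to several characters when unprintable */`, or share one named constant between the two files so the sizes cannot drift apart.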
From: Michael Niedermayer Date: Mon, 15 Dec 2014 04:32:23 +0100 Subject: [PATCH 026/700] configure: create the tests directory like the doc directory This fixes an issue where the tests directory is not created for out of tree builds before its needed Tested-by: Dave Yeo Signed-off-by: Michael Niedermayer (cherry picked from commit e631872f13b6be0583603d45a11e53319754bc8d) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index ed506289d5..d25f155cdc 100755 --- a/configure +++ b/configure @@ -5706,6 +5706,7 @@ enabled getenv || echo "#define getenv(x) NULL" >> $TMPH mkdir -p doc +mkdir -p tests echo "@c auto-generated by configure" > doc/config.texi print_config ARCH_ "$config_files" $ARCH_LIST From 3a8ad4b878192729ac7feafb7f96b016b7912057 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 15:01:05 +0100 Subject: [PATCH 027/700] avformat/hdsenc: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 16d763fa45b95783c6770edc559769d9a83d6a10) Signed-off-by: Michael Niedermayer --- libavformat/hdsenc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/hdsenc.c b/libavformat/hdsenc.c index 33d7c3a3a8..a161b642c9 100644 --- a/libavformat/hdsenc.c +++ b/libavformat/hdsenc.c @@ -145,15 +145,15 @@ static void hds_free(AVFormatContext *s) if (os->ctx && os->ctx_inited) av_write_trailer(os->ctx); if (os->ctx && os->ctx->pb) - av_free(os->ctx->pb); + av_freep(&os->ctx->pb); if (os->ctx) avformat_free_context(os->ctx); - av_free(os->metadata); + av_freep(&os->metadata); for (j = 0; j < os->nb_extra_packets; j++) - av_free(os->extra_packets[j]); + av_freep(&os->extra_packets[j]); for (j = 0; j < os->nb_fragments; j++) - av_free(os->fragments[j]); - av_free(os->fragments); + av_freep(&os->fragments[j]); + av_freep(&os->fragments); } av_freep(&c->streams); } 
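Review bot: In `hds_free()` the pointers are now cleared but the matching counts are not. After `av_freep(&os->fragments)` and the `extra_packets` loop, `os->nb_fragments` and `os->nb_extra_packets` keep their old values, and `os->ctx` still holds its address after `avformat_free_context(os->ctx)`. This is the freed-array-with-stale-count pattern that patch 021 on this page fixes in `av_frame_copy_props()`. Because `c->streams` is released right after the loop it is probably harmless today, but `os->nb_fragments = 0;`, `os->nb_extra_packets = 0;` and `os->ctx = NULL;` would make the function safe to reach twice. The function starts outside the hunk.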
@@ -499,7 +499,7 @@ static int hds_flush(AVFormatContext *s, OutputStream *os, int final, if (remove > 0) { for (i = 0; i < remove; i++) { unlink(os->fragments[i]->file); - av_free(os->fragments[i]); + av_freep(&os->fragments[i]); } os->nb_fragments -= remove; memmove(os->fragments, os->fragments + remove, From 23a17b4a3d522568ad99237a3c33ccde639c53aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 15:03:32 +0100 Subject: [PATCH 028/700] avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 91ea466551c148bd897706a1b6a168e783761a06) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c64b3a9d92..54f2f56dba 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -623,7 +623,7 @@ static int flv_read_close(AVFormatContext *s) static int flv_get_extradata(AVFormatContext *s, AVStream *st, int size) { - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, s->pb, size) < 0) return AVERROR(ENOMEM); return 0; From b850b01533b8e153d9dde5014d2a0e8f366fdd31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 029/700] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Signed-off-by: Michael Niedermayer --- libavcodec/vmdvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdvideo.c b/libavcodec/vmdvideo.c index fa0fbe32d4..a2ba1c959b 100644 --- a/libavcodec/vmdvideo.c +++ b/libavcodec/vmdvideo.c 
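Review bot: `flv_get_extradata()` still maps every failure of `ff_get_extradata()` to `AVERROR(ENOMEM)`, so a truncated read or an invalid `size` taken from the file would be reported as an allocation failure. If the callee returns distinct codes (its body is not on this page), propagate them: `int ret = ff_get_extradata(st->codec, s->pb, size);` followed by `if (ret < 0) return ret;`. That keeps malformed input distinguishable from memory pressure when triaging reports.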
@@ -339,6 +339,9 @@ static int vmd_decode(VmdVideoContext *s, AVFrame *frame) ofs += slen; bytestream2_skip(&gb, len); } else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } From 991ef3a67ec66b3f4e11752eff48b6ae925a1ba7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 18:57:54 +0100 Subject: [PATCH 030/700] avcodec/xface: correct the XFACE_MAX_* values Fixes out of array access Fixes: asan_stack-oob_32c12e5_2536_cov_2442316831_lena.xface Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 93a5a16f136d095d23610f57bdad10ba88120fba) Signed-off-by: Michael Niedermayer --- libavcodec/xface.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/xface.h b/libavcodec/xface.h index 63df5d3308..0236d713ad 100644 --- a/libavcodec/xface.h +++ b/libavcodec/xface.h @@ -41,17 +41,17 @@ /* * Image is encoded as a big integer, using characters from '~' to * '!', for a total of 94 symbols. In order to express - * 48x48*2=8*XFACE_MAX_WORDS=4608 - * bits, we need a total of 704 digits, as given by: - * ceil(lg_94(2^4608)) = 704 + * 48x48 pixels with the worst case encoding 666 symbols should + * be sufficient. */ -#define XFACE_MAX_DIGITS 704 +#define XFACE_MAX_DIGITS 666 #define XFACE_BITSPERWORD 8 #define XFACE_WORDCARRY (1 << XFACE_BITSPERWORD) #define XFACE_WORDMASK (XFACE_WORDCARRY - 1) -#define XFACE_MAX_WORDS ((XFACE_PIXELS * 2 + XFACE_BITSPERWORD - 1) / XFACE_BITSPERWORD) +// This must be larger or equal to log256(94^XFACE_MAX_DIGITS) +#define XFACE_MAX_WORDS 546 /* Portable, very large unsigned integer arithmetic is needed. * Implementation uses arrays of WORDs. */ From 71b1abe6385601a7ef2a797c8e659f388a247dc3 Mon Sep 17 00:00:00 2001 
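Review bot: The new sizes in xface.h are stated without the arithmetic that ties them together, so a later change to `XFACE_MAX_DIGITS` can silently undersize the word array. The comment on `XFACE_MAX_WORDS` gives the requirement; adding the evaluated bound, e.g. `/* ceil(666 * log2(94) / 8) = 546 */`, lets a reader verify it. The comment above `XFACE_MAX_DIGITS` says 666 symbols "should be sufficient" but gives no derivation or reference, whereas the removed text at least showed how 704 was obtained; the basis for 666 should be written down next to the define.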
From: Michael Niedermayer Date: Tue, 16 Dec 2014 18:09:16 +0100 Subject: [PATCH 031/700] avcodec/xface: Add asserts to limit nb_words from becoming too large Approved-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 211200e0c0efa48b2815ce93fda10dab43526d1b) Signed-off-by: Michael Niedermayer --- libavcodec/xface.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/xface.c b/libavcodec/xface.c index 0ebf2f2ec0..8c0cbfdb84 100644 --- a/libavcodec/xface.c +++ b/libavcodec/xface.c @@ -24,6 +24,8 @@ * X-Face common data and utilities definition. */ +#include "libavutil/avassert.h" + #include "xface.h" void ff_big_add(BigInt *b, uint8_t a) @@ -43,6 +45,7 @@ void ff_big_add(BigInt *b, uint8_t a) c >>= XFACE_BITSPERWORD; } if (i == b->nb_words && c) { + av_assert0(b->nb_words < XFACE_MAX_WORDS); b->nb_words++; *w = c & XFACE_WORDMASK; } @@ -98,6 +101,7 @@ void ff_big_mul(BigInt *b, uint8_t a) return; if (a == 0) { /* treat this as a == WORDCARRY and just shift everything left a WORD */ + av_assert0(b->nb_words < XFACE_MAX_WORDS); i = b->nb_words++; w = b->words + i; while (i--) { @@ -116,6 +120,7 @@ void ff_big_mul(BigInt *b, uint8_t a) c >>= XFACE_BITSPERWORD; } if (c) { + av_assert0(b->nb_words < XFACE_MAX_WORDS); b->nb_words++; *w = c & XFACE_WORDMASK; } From 3d1972d182c009472a5172c9d9272c3454301a44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 20:45:31 +0100 Subject: [PATCH 032/700] avcodec/utvideodec: Fix handling of slice_height=0 Fixes out of array accesses Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index b565c1076c..3a3c46e0bc 100644 
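Review bot: `av_assert0(b->nb_words < XFACE_MAX_WORDS)` in `ff_big_add()`, and the two identical asserts in `ff_big_mul()`, turn an out-of-bounds write into a process abort, which is still a denial of service if the digit count is driven by the decoded file. Both functions return `void` and cannot report an error, so the bound has to be guaranteed by the caller. Document that precondition on the functions, e.g. `/* caller must ensure the result fits in XFACE_MAX_WORDS words */`, and confirm the decoder limits its input to `XFACE_MAX_DIGITS` before calling them. Both function bodies extend outside the hunks.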
--- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -215,6 +215,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; // first line - left neighbour prediction @@ -270,6 +272,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From d85e25fe0b52fd37cbcc9cffb440219fbdd9bb3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:14:40 +0100 Subject: [PATCH 033/700] avformat/mov: check atom nesting depth Fixes call stack overflow Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210) Signed-off-by: Michael Niedermayer --- libavformat/isom.h | 1 + libavformat/mov.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index e3160d00f8..249c3ab795 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -189,6 +189,7 @@ typedef struct MOVContext { int has_looked_for_mfra; MOVFragmentIndex** fragment_index_data; unsigned fragment_index_count; + int atom_depth; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index 8d66c0afdd..76a39c984b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3388,6 +3388,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVAtom a; int i; + if (c->atom_depth > 10) { + av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n"); + return AVERROR_INVALIDDATA; + } + c->atom_depth ++; + if (atom.size < 0) atom.size = INT64_MAX; while (total_size + 8 <= atom.size && !avio_feof(pb)) { 
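Review bot: The depth limit in `mov_read_default()` is a bare literal and the counter is balanced by hand: `c->atom_depth --;` is repeated before each `return` in the later hunks of this patch, so any return path added later that omits it leaves the counter raised and makes valid files fail with "Atoms too deeply nested". Give the limit a name, e.g. `#define MOV_MAX_ATOM_DEPTH 10`, and route the exits through a single place that decrements once so the increment and decrement stay paired. Note also that `> 10` admits eleven nested levels (depths 0 to 10); if ten was intended the test should be `>= 10`. The function body continues outside this hunk.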
@@ -3417,6 +3423,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) { av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n"); avio_skip(pb, -8); + c->atom_depth --; return 0; } } @@ -3453,13 +3460,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t start_pos = avio_tell(pb); int64_t left; int err = parse(c, pb, a); - if (err < 0) + if (err < 0) { + c->atom_depth --; return err; + } if (c->found_moov && c->found_mdat && ((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) || start_pos + a.size == avio_size(pb))) { if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) c->next_root_atom = start_pos + a.size; + c->atom_depth --; return 0; } left = a.size - avio_tell(pb) + start_pos; @@ -3479,6 +3489,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (total_size < atom.size && atom.size < 0x7ffff) avio_skip(pb, atom.size - total_size); + c->atom_depth --; return 0; } From 4400385d5fd6a9d0b3381fe8be5c5ff7357561ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:29:27 +0100 Subject: [PATCH 034/700] avformat/mov: fix integer overflow of size Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit be9ce6e10a8d53b8bc346c9337d75a5a30631a2a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 76a39c984b..57e4524e35 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1550,7 +1550,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { // ttxt stsd contains display flags, justification, background // color, fonts, and default styles, so fake an atom to read it 
@@ -1615,10 +1615,10 @@ static int mov_rewrite_dvd_sub_extradata(AVStream *st) static int mov_parse_stsd_data(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { if (st->codec->codec_tag == MKTAG('t','m','c','d')) { - if (ff_get_extradata(st->codec, pb, size) < 0) + if ((int)size != size || ff_get_extradata(st->codec, pb, size) < 0) return AVERROR(ENOMEM); if (size > 16) { MOVStreamContext *tmcd_ctx = st->priv_data; From c9b25252cbce962250ba6ccf2b3797d58d183e3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 22:21:21 +0100 Subject: [PATCH 035/700] swscale: increase yuv2rgb table headroom Fixes out of array access Fixes: case2_bad_read_yuv2rgbx32.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit 2a983ff7fe076ae93926eb33cfb44ca49183dacc) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 63b4eca829..37c2b37548 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -39,7 +39,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 256 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE From 4b4d0b029045c8e41a9055175cc1743ebc5ac174 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 01:31:48 +0100 Subject: [PATCH 036/700] avcodec/h264: make the first field of H264Context an AVClass Fixes use of freed memory Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + 1 file changed, 1 insertion(+) 
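Review bot: In `mov_parse_stsd_data()` the new range test `(int)size != size` shares `return AVERROR(ENOMEM);` with the allocation failure, so a `size` from the file that does not fit in `int` is reported as out-of-memory. Split the condition with `if ((int)size != size) return AVERROR_INVALIDDATA;` before the call to `ff_get_extradata()`. `mov_parse_stsd_subtitle()` in the previous hunk takes the same widened `int64_t size`; its uses of `size` are outside the hunk and should be checked for the same narrowing. This function also continues outside the hunk.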
diff --git a/libavcodec/h264.h b/libavcodec/h264.h index b94f06b6d1..cb7e6f9246 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -338,6 +338,7 @@ typedef struct H264Picture { * H264Context */ typedef struct H264Context { + AVClass *av_class; AVCodecContext *avctx; MECmpContext mecc; VideoDSPContext vdsp; From 3a5b749d7caf6e58f4056874ee09ee7426b52ae6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 03:14:21 +0100 Subject: [PATCH 037/700] avcodec/indeo3: use signed variables to avoid underflow Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index d38765ea40..cafed5172b 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary @@ -899,7 +899,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; From 5aead5ee053742717c7cb2ccaf3a34bcf8a67567 Mon Sep 17 00:00:00 2001 
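Review bot: The new `AVClass *av_class;` member of `H264Context` has no comment saying it must remain the first field, which is the point of the fix according to the commit title but is not stated in the code. Add `/* must be first: logging and option code read an AVClass pointer at offset 0 of the context */` so a later reordering of the struct does not reintroduce the use of freed memory. Nothing in the hunk shows where the field is assigned; confirm it is set wherever an `H264Context` is allocated or copied.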
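Review bot: In `decode_frame_headers()` of indeo3 the local `data_size` stays `uint32_t` (context line `uint32_t frame_num, word2, check_sum, data_size;`) while `ctx->data_size` becomes `int`. If that local is what gets stored in the context field, a header value above `INT_MAX` turns negative on assignment. A range check before the store, e.g. `if (data_size > INT_MAX) return AVERROR_INVALIDDATA;`, closes that gap; the assignment is outside the hunk, so this needs confirming there. The now-signed `y_offset`, `u_offset` and `v_offset` need an explicit negative test as well, which patch 043 on this page adds.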
From: Michael Niedermayer Date: Wed, 17 Dec 2014 15:33:05 +0100 Subject: [PATCH 038/700] avcodec/dcadec: Check that the added xch channel isnt already there Fixes null pointer dereference Fixes: signal_sigsegv_369609d_623_cov_2008234281_ES_6.1_16bit.dts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7d593495e42e92693cc8f3ce9b42cf3edcea377a) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index a36f69b2ae..40d8e9e2f0 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -2360,6 +2360,10 @@ FF_ENABLE_DEPRECATION_WARNINGS #else if (s->xch_present && !s->xch_disable) { #endif + if (avctx->channel_layout & AV_CH_BACK_CENTER) { + avpriv_request_sample(avctx, "XCh with Back center channel"); + return AVERROR_INVALIDDATA; + } avctx->channel_layout |= AV_CH_BACK_CENTER; if (s->lfe) { avctx->channel_layout |= AV_CH_LOW_FREQUENCY; From e911f125fc30bcb271ee30b34400eb55c623fd56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 19:42:57 +0100 Subject: [PATCH 039/700] avcodec/hevc: clear filter_slice_edges() on allocation This avoids use of uninitialized memory Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8aa8d12554868c32436750f881954193087219c8) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index d4dc52c9dd..9b683d99df 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -108,7 +108,7 @@ static int pic_arrays_init(HEVCContext *s, const HEVCSPS *sps) if (!s->tab_ipm || !s->cbf_luma || !s->is_pcm) goto fail; - s->filter_slice_edges = av_malloc(ctb_count); + s->filter_slice_edges = av_mallocz(ctb_count); s->tab_slice_address = av_malloc_array(pic_size_in_ctb, sizeof(*s->tab_slice_address)); s->qp_y_tab = av_malloc_array(pic_size_in_ctb, From 0663aab1d9affd79f699462063412aa6d705a2ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 21:27:37 +0100 Subject: [PATCH 040/700] avcodec/h264: Clear delayed_pic on deallocation Fixes use of freed memory Fixes: case5_av_frame_copy_props.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 222bf58b10..06d8dec82e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -391,6 +391,7 @@ void ff_h264_free_tables(H264Context *h, int free_rbsp) if (free_rbsp && h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) ff_h264_unref_picture(h, &h->DPB[i]); + memset(h->delayed_pic, 0, sizeof(h->delayed_pic)); av_freep(&h->DPB); } else if (h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) From bf2c9e1ad4ba08158f79ddd870b35094d667ff78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 02:09:23 +0100 Subject: [PATCH 041/700] avcodec/hevc_ps: Check diff_cu_qp_delta_depth Fixes undefined behavior Fixes: asan_static-oob_17aa046_582_cov_1577759978_DBLK_G_VIXS_1.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3281fa892599d71b4dc298a426af8296419cd90e) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 6b5e13fc5b..11e6eb6132 100644 
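Review bot: `memset(h->delayed_pic, 0, sizeof(h->delayed_pic));` in `ff_h264_free_tables()` clears one holder of pointers into `h->DPB`, and only on the `free_rbsp` path. If other members of `H264Context` can also point at DPB entries (not visible in this hunk), they remain dangling after `av_freep(&h->DPB)`. A comment listing which fields reference the DPB, or clearing them together at this point, would make the teardown auditable. The `else if (h->DPB)` branch continues outside the hunk.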
--- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1255,6 +1255,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->cu_qp_delta_enabled_flag) pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb); + if (pps->diff_cu_qp_delta_depth < 0 || + pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) { + av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n", + pps->diff_cu_qp_delta_depth); + ret = AVERROR_INVALIDDATA; + goto err; + } + pps->cb_qp_offset = get_se_golomb(gb); if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) { av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n", From f13e6ec7a610b665a5f57404e4b37ebabc9367bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 03:16:39 +0100 Subject: [PATCH 042/700] avcodec/h264: Check *log2_weight_denom Fixes undefined behavior Fixes: signal_sigsegv_14768d2_2248_cov_3629497219_h264_h264___pi_20070614T182942.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61296d41e2de3b41304339e4631dd44c2e15f805) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 06d8dec82e..e5073089d9 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -991,6 +991,16 @@ int ff_pred_weight_table(H264Context *h) h->luma_log2_weight_denom = get_ue_golomb(&h->gb); if (h->sps.chroma_format_idc) h->chroma_log2_weight_denom = get_ue_golomb(&h->gb); + + if (h->luma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", h->luma_log2_weight_denom); + h->luma_log2_weight_denom = 0; + } + if (h->chroma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", h->chroma_log2_weight_denom); + h->chroma_log2_weight_denom = 0; + } + luma_def = 1 << h->luma_log2_weight_denom; chroma_def = 1 << h->chroma_log2_weight_denom; From 1344e91f33c87e4dba08e8dc316cb6532dec8ba7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 18:57:27 +0100 Subject: [PATCH 043/700] avcodec/indeo3: ensure offsets are non negative Signed-off-by: Michael Niedermayer (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index cafed5172b..9fde0fdf6c 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -982,7 +982,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); From 50f4543c6b37c2f16f3d40712db82abbe07c7887 Mon Sep 17 00:00:00 2001 
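Review bot: The range checks in `ff_pred_weight_table()` log at `AV_LOG_ERROR` and then carry on with the denominator forced to 0, so a corrupt slice header is neither rejected nor decoded as written. If concealment is intended, say so in a comment such as `/* out of range: fall back to 0 and keep decoding */`; otherwise return `AVERROR_INVALIDDATA` as other checks in this series do. The fields are compared against `7U` but printed with `%d`; if they are declared unsigned (the declarations are not in the hunk) the conversion should be `%u`. The function continues outside the hunk.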
From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 044/700] jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer See: 105654e376a736d243aef4a1d121abebce912e6b These should be redundant, but are backported for saftey anyway --- libavcodec/jvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 47e8edcae6..9c4a8d4ca3 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -43,6 +43,13 @@ static av_cold int decode_init(AVCodecContext *avctx) { JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From f5631d23e06ac3d1a8148a2989bef4e29ee28e09 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 045/700] mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer See: 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e These should be redundant, but are backported for saftey anyway --- libavcodec/mmvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 9a7c10c3ab..8b04965d59 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c 
@@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 9f8cdd520b24d8d73fb495d607bf2d73b6cea2e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Dec 2014 18:04:40 +0100 Subject: [PATCH 046/700] Add FFMPEG_VERSION into the binary libs This simplifies identifying from which revision a binary of a lib came from Signed-off-by: Michael Niedermayer (cherry picked from commit 649c158e8c94ac0cff7f03e97d6ea8bbf71b7f02) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ libavdevice/avdevice.c | 3 +++ libavfilter/avfilter.c | 3 +++ libavformat/utils.c | 3 +++ libavutil/utils.c | 3 +++ libpostproc/postprocess.c | 3 +++ libswresample/swresample.c | 3 +++ 7 files changed, 21 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 66fe62cc85..410a05fda5 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -66,6 +66,9 @@ #include "compat/os2threads.h" #endif +#include "libavutil/ffversion.h" +const char av_codec_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #if HAVE_PTHREADS || HAVE_W32THREADS || HAVE_OS2THREADS static int default_lockmgr_cb(void **arg, enum AVLockOp op) { diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index 755f251727..c68126faa3 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c @@ -23,6 +23,9 @@ #include "avdevice.h" #include "config.h" +#include "libavutil/ffversion.h" +const char av_device_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #define E AV_OPT_FLAG_ENCODING_PARAM #define D AV_OPT_FLAG_DECODING_PARAM #define A AV_OPT_FLAG_AUDIO_PARAM 
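Review bot: `av_codec_ffversion` in libavcodec/utils.c, like the six sibling arrays this patch adds in the other libraries, is defined with external linkage but is never referenced and has no declaration in the hunk. To a later reader it looks like dead code, and it can trigger `-Wmissing-variable-declarations`. Add a comment stating its purpose, e.g. `/* embedded so the FFmpeg revision can be recovered from a built library; not part of the API */`. It is also worth confirming that the symbol-export rules and any link-time optimisation neither drop the string nor publish it as API unintentionally.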
diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 963f5e6479..b37ff1f2c8 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -37,6 +37,9 @@ #include "formats.h" #include "internal.h" +#include "libavutil/ffversion.h" +const char av_filter_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + static int ff_filter_frame_framed(AVFilterLink *link, AVFrame *frame); void ff_tlog_ref(void *ctx, AVFrame *ref, int end) diff --git a/libavformat/utils.c b/libavformat/utils.c index ae6347a49f..5da110da66 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -53,6 +53,9 @@ #include "riff.h" #include "url.h" +#include "libavutil/ffversion.h" +const char av_format_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + /** * @file * various utility functions for use within FFmpeg diff --git a/libavutil/utils.c b/libavutil/utils.c index aafd3b909e..da8b5ae2d3 100644 --- a/libavutil/utils.c +++ b/libavutil/utils.c @@ -27,6 +27,9 @@ * various utility functions */ +#include "libavutil/ffversion.h" +const char av_util_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned avutil_version(void) { static int checks_done; diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index f8fb356391..c11debcd70 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -89,6 +89,9 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "postprocess_internal.h" #include "libavutil/avstring.h" +#include "libavutil/ffversion.h" +const char postproc_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned postproc_version(void) { av_assert0(LIBPOSTPROC_VERSION_MICRO >= 100); diff --git a/libswresample/swresample.c b/libswresample/swresample.c index b0bd697e04..eb6effa8ef 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c 
@@ -28,6 +28,9 @@ #define ALIGN 32 +#include "libavutil/ffversion.h" +const char swr_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned swresample_version(void) { av_assert0(LIBSWRESAMPLE_VERSION_MICRO >= 100); From c96c75532016678a036b841e75cfea0afa4d7ba3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Dec 2014 04:09:01 +0100 Subject: [PATCH 047/700] Makefile: add dependencies which require ffversion.h Without this ffversion.h could sometimes be built too late Signed-off-by: Michael Niedermayer (cherry picked from commit 4ae87554f3c8bc54db572873f5049427a7e6cb31) Signed-off-by: Michael Niedermayer --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1e1dbb3cd4..845a274953 100644 --- a/Makefile +++ b/Makefile @@ -112,7 +112,7 @@ endef $(foreach P,$(PROGS),$(eval $(call DOPROG,$(P:$(PROGSSUF)$(EXESUF)=)))) -ffprobe.o cmdutils.o : libavutil/ffversion.h +ffprobe.o cmdutils.o libavcodec/utils.o libavformat/utils.o libavdevice/avdevice.o libavfilter/avfilter.o libavutil/utils.o libpostproc/postprocess.o libswresample/swresample.o libswscale/utils.o : libavutil/ffversion.h $(PROGS): %$(PROGSSUF)$(EXESUF): %$(PROGSSUF)_g$(EXESUF) $(CP) $< $@ From 46db3121c6658767f56c5ebea8c39d8d00b5dc62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Dec 2014 03:41:27 +0100 Subject: [PATCH 048/700] update for 2.5.2 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 73462a5a13..f225a78adf 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.1 +2.5.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 73c16ce0e4..1cde20bd2f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
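Review bot: The dependency list on `libavutil/ffversion.h` names `libswscale/utils.o`, but patch 046 on this page adds the version string to seven files and libswscale is not among them. Either that object does not need the header, or the string was meant to be added there too; the list and the sources should agree. The list is also maintained by hand, so a future file that includes `ffversion.h` can again be compiled before the header exists. A short comment above the rule, e.g. `# every object that includes ffversion.h must be listed here`, would at least make that obligation visible.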
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.1 +PROJECT_NUMBER = 2.5.2 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 959ab06c68f8c74a0f31bcaf2692cbbdaf5702f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Dec 2014 04:28:09 +0100 Subject: [PATCH 049/700] Changelog: update for 2.5.2 Signed-off-by: Michael Niedermayer --- Changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Changelog b/Changelog index ea7774d7f5..4f5651bd7f 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,24 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.2: +- avcodec/indeo3: ensure offsets are non negative +- avcodec/h264: Check *log2_weight_denom +- avcodec/hevc_ps: Check diff_cu_qp_delta_depth +- avcodec/h264: Clear delayed_pic on deallocation +- avcodec/hevc: clear filter_slice_edges() on allocation +- avcodec/dcadec: Check that the added xch channel isnt already there +- avcodec/indeo3: use signed variables to avoid underflow +- swscale: increase yuv2rgb table headroom +- avformat/mov: fix integer overflow of size +- avformat/mov: check atom nesting depth +- avcodec/utvideodec: Fix handling of slice_height=0 +- avcodec/xface: correct the XFACE_MAX_* values +- avcodec/vmdvideo: Check len before using it in method 3 +- configure: create the tests directory like the doc directory +- mmvideo: check frame dimensions +- jvdec: check frame dimensions + version 2.5.1: - lavu/frame: fix malloc error path in av_frame_copy_props() - avformat/aviobuf: Check that avio_seek() target is non negative From 93cbdcd4d30c9b673496df2649b6f91f40791dcc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 9 Dec 2014 12:13:54 +0200 Subject: [PATCH 050/700] libavformat: Build hevc.o when building the RTP muxer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The RTP muxer enables the actual codepaths within sdp.c, which depend on hevc.o since e5cfc8fd. This fixes builds with --disable-everything --enable-muxer=rtp. Signed-off-by: Martin Storsjö (cherry picked from commit fccfc22d1f304aef42a0b960e4c1d55ce67107f5) --- libavformat/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/Makefile b/libavformat/Makefile index f0900c4343..6bf0761b21 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -377,7 +377,7 @@ OBJS-$(CONFIG_RTP_MUXER) += rtp.o \ rtpenc_h264.o \ rtpenc_vp8.o \ rtpenc_xiph.o \ - avc.o + avc.o hevc.o OBJS-$(CONFIG_RTSP_DEMUXER) += rtsp.o rtspdec.o httpauth.o \ urldecode.o OBJS-$(CONFIG_RTSP_MUXER) += rtsp.o rtspenc.o httpauth.o \ From bcd7f35717dbcb4bae3790912c9c08889c6b588e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Dec 2014 12:38:20 +0100 Subject: [PATCH 051/700] avformat/segment: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 68fa549230af35179df2a2af2bdb84ee6c825bed) Signed-off-by: Michael Niedermayer --- libavformat/segment.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index 2cad6e3dab..56ffcdcd7c 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -343,7 +343,7 @@ static int segment_end(AVFormatContext *s, int write_trailer, int is_last) if (seg->list_size && seg->segment_count >= seg->list_size) { entry = seg->segment_list_entries; seg->segment_list_entries = seg->segment_list_entries->next; - av_free(entry->filename); + av_freep(&entry->filename); av_freep(&entry); } 
@@ -501,10 +501,10 @@ static int open_null_ctx(AVIOContext **ctx) return 0; } -static void close_null_ctx(AVIOContext *pb) +static void close_null_ctxp(AVIOContext **pb) { - av_free(pb->buffer); - av_free(pb); + av_freep(&(*pb)->buffer); + av_freep(pb); } static int select_reference_stream(AVFormatContext *s) @@ -687,7 +687,7 @@ static int seg_write_header(AVFormatContext *s) s->avoid_negative_ts = 1; if (!seg->write_header_trailer) { - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); if ((ret = avio_open2(&oc->pb, oc->filename, AVIO_FLAG_WRITE, &s->interrupt_callback, NULL)) < 0) goto fail; @@ -820,7 +820,7 @@ static int seg_write_trailer(struct AVFormatContext *s) goto fail; open_null_ctx(&oc->pb); ret = av_write_trailer(oc); - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); } else { ret = segment_end(s, 1, 1); } @@ -836,7 +836,7 @@ fail: cur = seg->segment_list_entries; while (cur) { next = cur->next; - av_free(cur->filename); + av_freep(&cur->filename); av_free(cur); cur = next; } From 68c63470895d8b8016931af2f94e1dd29b4d8b26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Dec 2014 21:41:46 +0100 Subject: [PATCH 052/700] avformat/cdxl: Fix integer overflow of image_size Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index e3e379aef7..6d8e750b83 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); + if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; 
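Review bot: In the seg_write_trailer hunk (`@@ -820`) the return value of `open_null_ctx(&oc->pb)` is still ignored, while the renamed `close_null_ctxp()` dereferences `*pb` unconditionally in `av_freep(&(*pb)->buffer)`. If the open can fail and leave `oc->pb` unset (its failure path is outside the hunk, so this needs confirming), both the trailer write and the close run on a null context. Checking the call, `if ((ret = open_null_ctx(&oc->pb)) < 0) goto fail;`, keeps the pointer-clearing helper from being reached with nothing to free. Both function bodies extend beyond the hunks shown.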
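Review bot: The overflow guard added to cdxl_read_packet repeats the `FFALIGN(width, 16) * height * cdxl->header[19]` product that the following line computes again in plain `int`, so the check and the value it protects have to be kept in step by hand. Computing it once into a 64-bit local declared with the other locals, `bits = FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19];`, then testing `bits > INT_MAX` and assigning `image_size = bits / 8;`, makes them the same expression. The declarations of `image_size` and `video_size` are outside the hunk, so their types should be confirmed.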
From eac0451e47381300fc2944268faf9cda550e6481 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:07:24 +0100 Subject: [PATCH 053/700] avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream Such data streams (which then contain no other packets except the faulty one) confuse some user applications, like VLC Works around vlcticket 12389 Signed-off-by: Michael Niedermayer (cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 54f2f56dba..568a654e53 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -558,13 +558,13 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) type = avio_r8(ioc); if (type != AMF_DATA_TYPE_STRING || amf_get_string(ioc, buffer, sizeof(buffer)) < 0) - return -1; + return 2; if (!strcmp(buffer, "onTextData")) return 1; if (strcmp(buffer, "onMetaData") && strcmp(buffer, "onCuePoint")) - return -1; + return 2; // find the streams now so that amf_parse_object doesn't need to do // the lookup every time it is called. @@ -822,7 +822,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) stream_type=FLV_STREAM_TYPE_DATA; if (size > 13 + 1 + 4 && dts == 0) { // Header-type metadata stuff meta_pos = avio_tell(s->pb); - if (flv_read_metabody(s, next) == 0) { + if (flv_read_metabody(s, next) <= 0) { goto skip; } avio_seek(s->pb, meta_pos, SEEK_SET); From 5bb31e856d7c4f0aa3cefbe0d199be4f1cc0c4fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:15:16 +0100 Subject: [PATCH 054/700] avformat/flvdec: Increase string array size Fixes parsing httphostheader of Scarlatti\,\ Pieter-Jan\ Belder\ -\ Sonata\ K113\ in\ A\ major\ -\ Alle.flv 
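Review bot: flv_read_metabody() now has four kinds of result (negative, 0, 1 and the new 2), but nothing states what each means, and the `<= 0` test added in flv_read_packet depends on that meaning. From the two hunks, 2 appears to mean "not a metadata body this parser handles, keep the packet as data", while a negative value is a parse failure that is now skipped. That reading is inferred, since the rest of the function is outside the hunk. A contract comment above the function, or named constants in place of the bare `1` and `2`, would keep a later edit from routing malformed input back into a new data stream.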
Signed-off-by: Michael Niedermayer (cherry picked from commit eb767a276bfdb9a0493bdb0b38203638230b7ccb) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 568a654e53..da277a1218 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -390,7 +390,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, FLVContext *flv = s->priv_data; AVIOContext *ioc; AMFDataType amf_type; - char str_val[256]; + char str_val[1024]; double num_val; num_val = 0; From 252ba4a9259fcaf18f5f340da364e7d536bc6788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jan 2015 01:03:26 +0100 Subject: [PATCH 055/700] avfilter/vf_sab: fix filtering tiny images Fixes out of array reads Signed-off-by: Michael Niedermayer (cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67) Signed-off-by: Michael Niedermayer --- libavfilter/vf_sab.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_sab.c b/libavfilter/vf_sab.c index aa38b533fe..b8af27cdcd 100644 --- a/libavfilter/vf_sab.c +++ b/libavfilter/vf_sab.c @@ -220,6 +220,19 @@ static int config_props(AVFilterLink *inlink) #define NB_PLANES 4 +static inline int mirror(int x, int w) +{ + if (!w) + return 0; + + while ((unsigned)x > (unsigned)w) { + x = -x; + if (x < 0) + x += 2 * w; + } + return x; +} + static void blur(uint8_t *dst, const int dst_linesize, const uint8_t *src, const int src_linesize, const int w, const int h, FilterParam *fp) @@ -253,8 +266,7 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2 + 1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { const int ix = x+dx - radius; 
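Review bot: mirror() only special-cases `w == 0`, so a negative bound passes through untouched: with `w == -1` the cast makes `(unsigned)w` the largest unsigned value, the loop never runs and a negative `x` is returned as an index. The callers pass `h-1` and `w-1`, so this is the zero-sized plane case; whether config_props already rejects that is not visible here. Testing `if (w <= 0) return 0;` closes the gap. A comment such as `/* reflect x into [0, w]; w is the last valid index, not the size */` would also explain why callers subtract one.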
@@ -265,13 +277,11 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2+1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { int ix = x+dx - radius; - if (ix < 0) ix = -ix; - else if (ix >= w) ix = w+w-ix-1; + ix = mirror(ix, w-1); UPDATE_FACTOR; } } From e0a12b3dc3a252412e91416ebbbf9449e82e4bd0 Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 5 Jan 2015 04:45:26 +0100 Subject: [PATCH 056/700] avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 39604f3ada..20b9d41426 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); 
@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (!yuv_palette) From 022bfd3dd47c3a2b59ce3eb1142aecc199f320ed Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:19:09 -0800 Subject: [PATCH 057/700] mov: Avoid overflow with mov_metadata_raw() The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta Signed-off-by: Dale Curtis --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 57e4524e35..b888c6736d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); From 9143ab0e5a75519c899cae2996d07b3f69bcfb24 Mon Sep 17 00:00:00 2001 
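Review bot: In decode_dvd_subtitles, the context just above the new checks stores `av_mallocz(sizeof(AVSubtitleRect))` in `sub_header->rects[0]` and dereferences it shortly after without testing for NULL. The `av_mallocz(AVPALETTE_SIZE)` result assigned to `pict.data[1]` is likewise unchecked in the lines shown. Since this hunk already routes decode_rle() failures to `fail`, the same path fits the allocations: `if (!sub_header->rects[0]) goto fail;` after the first and `if (!sub_header->rects[0]->pict.data[1]) goto fail;` after the second. What `fail` releases is outside the hunk, so confirm it copes with a partially built rect.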
From: Dale Curtis Date: Tue, 6 Jan 2015 04:00:43 +0100 Subject: [PATCH 058/700] mov: Fix overflow and error handling in read_tfra(). Under abnormal conditions the item_count may exceed the max allocation size on 32-bit systems, this causes the allocated size to overflow and become too small for the given count. Additionally, if av_reallocp() fails its allocation, the fragment_index_count is not correctly decremented. Ensuring further havoc may be wrought, the error code for read_tfra() is not checked upon return. Found-by: Paul Mehta positive return code and use of _array functions by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit db42d93a61be26873be6115c57f5921b4dfdec14) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b888c6736d..3a93897a96 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -3782,35 +3782,39 @@ static void export_orphan_timecode(AVFormatContext *s) static int read_tfra(MOVContext *mov, AVIOContext *f) { MOVFragmentIndex* index = NULL; - int version, fieldlength, i, j, err; + int version, fieldlength, i, j; int64_t pos = avio_tell(f); uint32_t size = avio_rb32(f); + void *tmp; + if (avio_rb32(f) != MKBETAG('t', 'f', 'r', 'a')) { - return -1; + return 1; } av_log(mov->fc, AV_LOG_VERBOSE, "found tfra\n"); index = av_mallocz(sizeof(MOVFragmentIndex)); if (!index) { return AVERROR(ENOMEM); } - mov->fragment_index_count++; - if ((err = av_reallocp(&mov->fragment_index_data, - mov->fragment_index_count * - sizeof(MOVFragmentIndex*))) < 0) { + + tmp = av_realloc_array(mov->fragment_index_data, + mov->fragment_index_count + 1, + sizeof(MOVFragmentIndex*)); + if (!tmp) { av_freep(&index); - return err; + return AVERROR(ENOMEM); } - mov->fragment_index_data[mov->fragment_index_count - 1] = - index; + mov->fragment_index_data = tmp; + mov->fragment_index_data[mov->fragment_index_count++] = index; version = avio_r8(f); avio_rb24(f); index->track_id = avio_rb32(f); fieldlength = avio_rb32(f); index->item_count = avio_rb32(f); - index->items = av_mallocz( - index->item_count * sizeof(MOVFragmentIndexItem)); + index->items = av_mallocz_array( + index->item_count, sizeof(MOVFragmentIndexItem)); if (!index->items) { + index->item_count = 0; return AVERROR(ENOMEM); } for (i = 0; i < index->item_count; i++) { @@ -3864,11 +3868,13 @@ static int mov_read_mfra(MOVContext *c, AVIOContext *f) av_log(c->fc, AV_LOG_DEBUG, "doesn't look like mfra (tag mismatch)\n"); goto fail; } - ret = 0; av_log(c->fc, AV_LOG_VERBOSE, "stream has mfra\n"); - while (!read_tfra(c, f)) { - /* Empty */ - } + do { + ret = read_tfra(c, f); + if (ret < 0) + goto fail; + } while (!ret); + ret = 0; fail: seek_ret = avio_seek(f, original_pos, SEEK_SET); if (seek_ret < 0) { From 25312a427bda360a98c6a38be7af9e5f686c9902 Mon Sep 17 00:00:00 2001 
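Review bot: read_tfra() takes `index->item_count` straight from `avio_rb32(f)` and hands it to `av_mallocz_array()`, so the only limit on the table size is the multiplication-overflow check inside that helper. The box length already read into `size` is never compared against the count, which means a damaged or truncated file can request a very large allocation that the following loop then tries to fill. Rejecting counts that cannot fit in the box would bound it, e.g. `if (index->item_count > size / MIN_ENTRY_BYTES) return AVERROR_INVALIDDATA;`. `MIN_ENTRY_BYTES` is a placeholder for the smallest entry size, which depends on `version` and `fieldlength`. The loop body and the type of `item_count` are outside the hunk.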
From: Michael Niedermayer Date: Tue, 6 Jan 2015 04:29:10 +0100 Subject: [PATCH 059/700] avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3a93897a96..11fdcf0194 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -355,7 +355,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size_alloc = str_size << 1; // worst-case requirement for output string in case of utf8 coded input From 0ce35b8ce8b9e06a4dedc62b4fe10261db67f0a3 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:34:17 -0800 Subject: [PATCH 060/700] mov: Fix negative size calculation in mov_read_default(). The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verfies there's enough data in the atom for this to be done. Failure to verify causes total_size > atom.size which will result in negative size calculations later on. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 11fdcf0194..47f0073df0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -3431,7 +3431,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } total_size += 8; - if (a.size == 1) { /* 64 bit extended size */ + if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */ a.size = avio_rb64(pb) - 8; total_size += 8; } From c7a2ac6b6bd5e3f4d11f06caaeff064c263ad829 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 6 Jan 2015 09:42:59 +0000 Subject: [PATCH 061/700] lavfi: check av_strdup() return value Signed-off-by: Paul B Mahol (cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0) Signed-off-by: Michael Niedermayer --- libavfilter/af_amix.c | 2 ++ libavfilter/af_join.c | 2 ++ libavfilter/split.c | 2 ++ libavfilter/src_movie.c | 2 ++ 4 files changed, 8 insertions(+) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index e40969f70c..fd9d13556f 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -496,6 +496,8 @@ static av_cold int init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; ff_insert_inpad(ctx, i, &pad); diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index a1717c63b9..71a454bba7 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -214,6 +214,8 @@ static av_cold int join_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; pad.needs_fifo = 1; diff --git a/libavfilter/split.c b/libavfilter/split.c index 6abd5ee2e0..7353810677 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c 
@@ -52,6 +52,8 @@ static av_cold int split_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "output%d", i); pad.type = ctx->filter->inputs[0].type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); ff_insert_outpad(ctx, i, &pad); } diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 0b97b827e4..908c03e1d3 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c @@ -289,6 +289,8 @@ static av_cold int movie_common_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "out%d", i); pad.type = movie->st[i].st->codec->codec_type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.config_props = movie_config_output_props; pad.request_frame = movie_request_frame; ff_insert_outpad(ctx, i, &pad); From 0d3a07852c3ccada8948c15e593669a21089e316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:45:25 +0100 Subject: [PATCH 062/700] avformat/mov: use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 383c6a3a07b71981bd32d083496f5a4935f620f9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 47f0073df0..231367476c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1153,7 +1153,7 @@ static int mov_read_wave(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->codec->codec_id == AV_CODEC_ID_QDMC || st->codec->codec_id == AV_CODEC_ID_SPEEX) { // pass all frma atom to codec, needed at least for QDMC and QDM2 - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, pb, atom.size) < 0) return AVERROR(ENOMEM); } else if (atom.size > 8) { /* to read frma, esds atoms */ 
@@ -1193,7 +1193,7 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c, AV_LOG_WARNING, "ignoring multiple glbl\n"); return 0; } - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, pb, atom.size) < 0) return AVERROR(ENOMEM); @@ -1218,7 +1218,7 @@ static int mov_read_dvc1(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; avio_seek(pb, 6, SEEK_CUR); - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if ((ret = ff_get_extradata(st->codec, pb, atom.size - 7)) < 0) return ret; @@ -1244,7 +1244,7 @@ static int mov_read_strf(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR_INVALIDDATA; avio_skip(pb, 40); - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, pb, atom.size - 40) < 0) return AVERROR(ENOMEM); return 0; @@ -4113,7 +4113,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) #if CONFIG_DV_DEMUXER if (mov->dv_demux && sc->dv_audio_container) { avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_free(pkt->data); + av_freep(&pkt->data); pkt->size = 0; ret = avpriv_dv_get_packet(mov->dv_demux, pkt); if (ret < 0) From 2791eba1d78af65884b1b02d482c930b1d301e54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:48:38 +0100 Subject: [PATCH 063/700] avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e9ba1e967e..3f327fd8c5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1080,7 +1080,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) for (j = 0; j < list->nb_elem; j++, ptr += syntax[i].list_elem_size) ebml_free(syntax[i].def.n, ptr); - av_free(list->elem); + av_freep(&list->elem); } else ebml_free(syntax[i].def.n, data_off); default: @@ -2134,7 +2134,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, { if (matroska->num_packets > 0) { memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); - av_free(matroska->packets[0]); + av_freep(&matroska->packets[0]); if (matroska->num_packets > 1) { void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], @@ -2165,7 +2165,7 @@ static void matroska_clear_queue(MatroskaDemuxContext *matroska) int n; for (n = 0; n < matroska->num_packets; n++) { av_free_packet(matroska->packets[n]); - av_free(matroska->packets[n]); + av_freep(&matroska->packets[n]); } av_freep(&matroska->packets); matroska->num_packets = 0; @@ -3003,7 +3003,7 @@ static int matroska_read_close(AVFormatContext *s) for (n = 0; n < matroska->tracks.nb_elem; n++) if (tracks[n].type == MATROSKA_TRACK_TYPE_AUDIO) - av_free(tracks[n].audio.buf); + av_freep(&tracks[n].audio.buf); ebml_free(matroska_cluster, &matroska->current_cluster); ebml_free(matroska_segment, matroska); From 918ed73b70a9ab7c48969256a399b2c2a4f0893c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:53:53 +0100 Subject: [PATCH 064/700] avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a stale pointer in memory Signed-off-by: Michael Niedermayer (cherry picked from commit bbfca8e84b0e69abba523d665536c0135fc1c00e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5da110da66..5a282a7ce7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2829,6 +2829,7 @@ int ff_alloc_extradata(AVCodecContext *avctx, int size) int ret; if (size < 0 || size >= INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + avctx->extradata = NULL; avctx->extradata_size = 0; return AVERROR(EINVAL); } From b3c082412cdaa2a2c82dcca91a57e9cbf1f2a84d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 13:12:22 +0100 Subject: [PATCH 065/700] cmdutils: Use 64bit for file size/offset related variable in cmdutils_read_file() Signed-off-by: Michael Niedermayer (cherry picked from commit 369b4cd4120bf67aa5187b6bc72574970a24ca22) Signed-off-by: Michael Niedermayer --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index b68dae9753..708b536a68 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -1860,7 +1860,7 @@ int read_yesno(void) int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) { - int ret; + int64_t ret; FILE *f = av_fopen_utf8(filename, "rb"); if (!f) { From d0041dc8c4d79cf269650d0790956e0eeeb3dc31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 19:51:38 +0100 Subject: [PATCH 066/700] avformat/mov: Fix mixed declaration and statement warning Signed-off-by: Michael Niedermayer (cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 231367476c..7455e3b5e5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,10 +210,11 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + char *value; // Check for overflow. if (len >= INT_MAX) return AVERROR(EINVAL); - char *value = av_malloc(len + 1); + value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); avio_read(pb, value, len); 
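Review bot: The last context line of the mov_metadata_raw hunk, `avio_read(pb, value, len);`, discards the return value, so a short read leaves the tail of the `av_malloc()` buffer uninitialised before it is used as the metadata value. With `int ret;` declared beside `value`, the read can be checked: `ret = avio_read(pb, value, len);` followed by `if (ret < 0 || (unsigned)ret != len) { av_free(value); return ret < 0 ? ret : AVERROR_INVALIDDATA; }`. That keeps stale heap contents out of an exported tag. How `value` is terminated and stored is outside the hunk.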
From b834dc14da082473e532da2baff1b28ce85f2b49 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 3 Jan 2015 01:40:02 -0300 Subject: [PATCH 067/700] configure: bump year Happy new year! (cherry picked from commit b8db25a3338b67186837c49580fe538d63dd73c7) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index d25f155cdc..9190c4e4cd 100755 --- a/configure +++ b/configure @@ -5678,7 +5678,7 @@ cat > $TMPH < Date: Wed, 7 Jan 2015 23:57:50 +0100 Subject: [PATCH 068/700] avcodec/dvdsubdec: error on bitmaps with size 0 Attemtping to decode them could lead to invalid writes with some fuzzed samples. Signed-off-by: Michael Niedermayer (cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 20b9d41426..08e4195c82 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -111,6 +111,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, if (start >= buf_size) return -1; + if (w <= 0 || h <= 0) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); From b895e29941f06ec7c96a8a0a5036cc11274fdb51 Mon Sep 17 00:00:00 2001 
From: wm4 Date: Thu, 8 Jan 2015 17:19:17 +0100 Subject: [PATCH 069/700] avcodec/dvdsubdec: fix accessing dangling pointers dvdsub_decode() can call append_to_cached_buf() 2 times, the second time with ctx->buf as argument. If the second append_to_cached_buf() reallocs ctx->buf, the argument will be a pointer to the previous, freed block. This can cause invalid reads at least with some fuzzed files - and possibly with valid files. Since packets can apparently not be larger than 64K (even if packets are combined), just use a fixed size buffer. It will be allocated as part of the DVDSubContext, and although some memory is "wasted", it's relatively minimal by modern standards and should be acceptable. Signed-off-by: Michael Niedermayer (cherry picked from commit 816577716bc6170bccfea3b9e865618b69a4b426) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 08e4195c82..222c71bdcf 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -39,7 +39,7 @@ typedef struct DVDSubContext int has_palette; uint8_t colormap[4]; uint8_t alpha[256]; - uint8_t *buf; + uint8_t buf[0x10000]; int buf_size; int forced_subs_only; #ifdef DEBUG @@ -509,15 +509,11 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size > 0xffff - buf_size) { + if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); - av_freep(&ctx->buf); return AVERROR_INVALIDDATA; } - ctx->buf = av_realloc(ctx->buf, ctx->buf_size + buf_size); - if (!ctx->buf) - return AVERROR(ENOMEM); memcpy(ctx->buf + ctx->buf_size, buf, buf_size); ctx->buf_size += buf_size; return 0; 
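Review bot: The new bound in append_to_cached_buf, `ctx->buf_size >= sizeof(ctx->buf) - buf_size`, is evaluated in `size_t`, so when the incoming `buf_size` exceeds the 64 KiB array the subtraction wraps to a huge value, the test is false and the `memcpy()` below writes past `ctx->buf`. The removed expression `0xffff - buf_size` was signed and simply went negative, so it rejected that case. Subtracting the side that is known to be in range avoids the wrap: `if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) {`. The parameter declarations are cut off by the hunk, so this assumes `buf_size` is the caller's packet length as an `int`.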
@@ -533,7 +529,7 @@ static int dvdsub_decode(AVCodecContext *avctx, AVSubtitle *sub = data; int is_menu; - if (ctx->buf) { + if (ctx->buf_size) { int ret = append_to_cached_buf(avctx, buf, buf_size); if (ret < 0) { *data_size = 0; @@ -575,7 +571,6 @@ static int dvdsub_decode(AVCodecContext *avctx, } #endif - av_freep(&ctx->buf); ctx->buf_size = 0; *data_size = 1; return buf_size; @@ -719,7 +714,6 @@ static av_cold int dvdsub_init(AVCodecContext *avctx) static av_cold int dvdsub_close(AVCodecContext *avctx) { DVDSubContext *ctx = avctx->priv_data; - av_freep(&ctx->buf); ctx->buf_size = 0; return 0; } From f9bbc26e691fb0adbef03e8fd1ea556287fe2af7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jan 2015 23:02:30 +0100 Subject: [PATCH 070/700] ffmpeg: Clear error message array at init. This avoids printing uninitialized bytes if no error message is set Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1a2efb8ac399a003ea7d3b6f8c641d192567ee) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index eef774bda7..2be1004b8d 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2521,7 +2521,7 @@ static int transcode_init(void) AVFormatContext *oc; OutputStream *ost; InputStream *ist; - char error[1024]; + char error[1024] = {0}; int want_sdp = 1; for (i = 0; i < nb_filtergraphs; i++) { From 3032291b3a88fb25e3cf0d09a61792768e84a578 Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 9 Jan 2015 02:13:36 +0100 Subject: [PATCH 071/700] vp9: fix parser return values in error case The parser must always set the out_size and out_data pointers. The API seems to require it, and the common code in parser.c also relies on it. Signed-off-by: Michael Niedermayer (cherry picked from commit b88e80589bd11ef935a5e9dab53d4edb00de16e4) Signed-off-by: Michael Niedermayer --- libavcodec/vp9_parser.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index af033c25e6..922f36f381 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -77,6 +77,8 @@ static int parse(AVCodecParserContext *ctx, idx += a; \ if (sz > size) { \ s->n_frames = 0; \ + *out_size = 0; \ + *out_data = data; \ av_log(avctx, AV_LOG_ERROR, \ "Superframe packet size too big: %u > %d\n", \ sz, size); \ From a7dd37169c9ac74cd99a99aaaa3ff04679b13fbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jan 2015 17:37:34 +0100 Subject: [PATCH 072/700] Update for 2.5.3 Signed-off-by: Michael Niedermayer --- Changelog | 17 +++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 4f5651bd7f..60eaea0216 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,23 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.3: +- vp9: fix parser return values in error case +- ffmpeg: Clear error message array at init. +- avcodec/dvdsubdec: fix accessing dangling pointers +- avcodec/dvdsubdec: error on bitmaps with size 0 +- cmdutils: Use 64bit for file size/offset related variable in cmdutils_read_file() +- mov: Fix negative size calculation in mov_read_default(). +- avformat/mov: fix integer overflow in mov_read_udta_string() +- mov: Fix overflow and error handling in read_tfra(). +- mov: Avoid overflow with mov_metadata_raw() +- avcodec/dvdsubdec: fix out of bounds accesses +- avfilter/vf_sab: fix filtering tiny images +- avformat/flvdec: Increase string array size +- avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream +- avformat/cdxl: Fix integer overflow of image_size +- libavformat: Build hevc.o when building the RTP muxer + version 2.5.2: - avcodec/indeo3: ensure offsets are non negative - avcodec/h264: Check *log2_weight_denom 
diff --git a/RELEASE b/RELEASE index f225a78adf..aedc15bb0c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.2 +2.5.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 1cde20bd2f..4138903697 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.2 +PROJECT_NUMBER = 2.5.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From b089b582500ffd3c6370e1cd8d91fe7a7f21cc17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jan 2015 03:43:54 +0100 Subject: [PATCH 073/700] avformat/movenc: workaround bug in "PathScale EKOPath(tm) Compiler Suite Version 4.0.12.1" Signed-off-by: Michael Niedermayer (cherry picked from commit 7824dc5150c0ea44ffa7cd4d57803f9a9697e7d7) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 10e883c923..ef250412b9 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2499,7 +2499,8 @@ static int mov_write_mvhd_tag(AVIOContext *pb, MOVMuxContext *mov) } version = max_track_len < UINT32_MAX ? 0 : 1; - (version == 1) ? avio_wb32(pb, 120) : avio_wb32(pb, 108); /* size */ + avio_wb32(pb, version == 1 ? 120 : 108); /* size */ + ffio_wfourcc(pb, "mvhd"); avio_w8(pb, version); avio_wb24(pb, 0); /* flags */ From 07d508e4f55f6045b83df3346448b149faab5d7d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 9 Jan 2015 17:50:27 +0100 Subject: [PATCH 074/700] doc/examples: fix lib math dep for decoding_encoding It uses at least sin(). Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit f97f2a3527eac2cf60ba86206d1bae9a970a7e71) 
Signed-off-by: Michael Niedermayer --- doc/examples/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/examples/Makefile b/doc/examples/Makefile index 07251fe3c2..9f03f04b57 100644 --- a/doc/examples/Makefile +++ b/doc/examples/Makefile @@ -29,6 +29,7 @@ OBJS=$(addsuffix .o,$(EXAMPLES)) # the following examples make explicit use of the math library avcodec: LDLIBS += -lm +decoding_encoding: LDLIBS += -lm muxing: LDLIBS += -lm resampling_audio: LDLIBS += -lm From 763e6ecf8336c1fffd226f5c3df0f95a5c0af767 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 31 Jan 2015 10:01:37 +0100 Subject: [PATCH 075/700] lavc/aarch64: Do not use the neon horizontal chroma loop filter for H.264 4:2:2. (cherry picked from commit 4faea46bd906b3897018736208123aa36c3f45d5) --- libavcodec/aarch64/h264dsp_init_aarch64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aarch64/h264dsp_init_aarch64.c b/libavcodec/aarch64/h264dsp_init_aarch64.c index ed5e4bdd9b..e0f378f5ab 100644 --- a/libavcodec/aarch64/h264dsp_init_aarch64.c +++ b/libavcodec/aarch64/h264dsp_init_aarch64.c @@ -78,6 +78,7 @@ av_cold void ff_h264dsp_init_aarch64(H264DSPContext *c, const int bit_depth, c->h264_v_loop_filter_luma = ff_h264_v_loop_filter_luma_neon; c->h264_h_loop_filter_luma = ff_h264_h_loop_filter_luma_neon; c->h264_v_loop_filter_chroma = ff_h264_v_loop_filter_chroma_neon; + if (chroma_format_idc <= 1) c->h264_h_loop_filter_chroma = ff_h264_h_loop_filter_chroma_neon; c->weight_h264_pixels_tab[0] = ff_weight_h264_pixels_16_neon; From 8a6770a214190550ce3431b3679785ea8fbbe985 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 13 Jan 2015 14:47:47 +0100 Subject: [PATCH 076/700] qpeg: avoid pointless invalid memcpy() If refdata was NULL, the memcpy() ended up copying the same memory block onto itself, which is not only pointless, but also undefined behavior. Signed-off-by: Michael Niedermayer (cherry picked from commit 921706691a87c3ea5f5b92afd9b423e5f8c6e9d9) 
Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index d61bceafd7..71f322b828 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -120,12 +120,13 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, int filled = 0; int orig_height; - if(!refdata) - refdata= dst; - - /* copy prev frame */ - for(i = 0; i < height; i++) - memcpy(dst + (i * stride), refdata + (i * stride), width); + if (refdata) { + /* copy prev frame */ + for (i = 0; i < height; i++) + memcpy(dst + (i * stride), refdata + (i * stride), width); + } else { + refdata = dst; + } orig_height = height; height--; From 4f8814964ccbab10eebaa83a6fc62d382438c211 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jan 2015 18:51:33 +0100 Subject: [PATCH 077/700] avcodec/hevc: Fix handling of skipped_bytes() reallocation failures Fixes CID1260704 Signed-off-by: Michael Niedermayer (cherry picked from commit e172f5e53ae4dbbcdcf81c9a3b962dc9f5a8a98d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 9b683d99df..fd557f4c2f 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -2870,17 +2870,30 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) if (s->nals_allocated < s->nb_nals + 1) { int new_size = s->nals_allocated + 1; - HEVCNAL *tmp = av_realloc_array(s->nals, new_size, sizeof(*tmp)); + void *tmp = av_realloc_array(s->nals, new_size, sizeof(*s->nals)); + ret = AVERROR(ENOMEM); if (!tmp) { - ret = AVERROR(ENOMEM); goto fail; } s->nals = tmp; memset(s->nals + s->nals_allocated, 0, - (new_size - s->nals_allocated) * sizeof(*tmp)); - av_reallocp_array(&s->skipped_bytes_nal, new_size, sizeof(*s->skipped_bytes_nal)); - av_reallocp_array(&s->skipped_bytes_pos_size_nal, new_size, sizeof(*s->skipped_bytes_pos_size_nal)); - av_reallocp_array(&s->skipped_bytes_pos_nal, new_size, sizeof(*s->skipped_bytes_pos_nal)); + (new_size - s->nals_allocated) * sizeof(*s->nals)); + + tmp = av_realloc_array(s->skipped_bytes_nal, new_size, sizeof(*s->skipped_bytes_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_nal = tmp; + + tmp = av_realloc_array(s->skipped_bytes_pos_size_nal, new_size, sizeof(*s->skipped_bytes_pos_size_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_pos_size_nal = tmp; + + tmp = av_realloc_array(s->skipped_bytes_pos_nal, new_size, sizeof(*s->skipped_bytes_pos_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_pos_nal = tmp; + s->skipped_bytes_pos_size_nal[s->nals_allocated] = 1024; // initial buffer size s->skipped_bytes_pos_nal[s->nals_allocated] = av_malloc_array(s->skipped_bytes_pos_size_nal[s->nals_allocated], sizeof(*s->skipped_bytes_pos)); s->nals_allocated = new_size; From 9e9cde6afab06674b2ae6e4fd7f74fef740bda30 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 9 Jan 2015 17:32:09 +0100 Subject: [PATCH 078/700] configure: enable vsx together with altivec for ppc64el The altivec optimizations on little endian ppc64 don't work without vsx. Signed-off-by: Michael Niedermayer (cherry picked from commit 6108485cf70f04dbf4708bd84ce749da871fa3f1) 
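Review bot: The `av_malloc_array()` result assigned to `s->skipped_bytes_pos_nal[s->nals_allocated]` is still not checked. An allocation failure there leaves a NULL entry while `s->skipped_bytes_pos_size_nal[s->nals_allocated]` already claims 1024 slots and `s->nals_allocated` is advanced. Since the commit is about handling these allocation failures, the same treatment fits here: `if (!s->skipped_bytes_pos_nal[s->nals_allocated]) goto fail;` before `s->nals_allocated = new_size;`. `ret = AVERROR(ENOMEM);` is now set ahead of the checks, which is right for the `goto fail` paths but leaves `ret` at ENOMEM on success; whether it is reassigned before its next use is outside the hunk.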
Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9190c4e4cd..b0da05f6a3 100755 --- a/configure +++ b/configure @@ -4413,7 +4413,7 @@ unsigned int endian = 'B' << 24 | 'I' << 16 | 'G' << 8 | 'E'; EOF od -t x1 $TMPO | grep -q '42 *49 *47 *45' && enable bigendian -if [ "$cpu" = "power7" ] || [ "$cpu" = "power8" ] ;then +if [ "$cpu" = "power7" ] || [ "$cpu" = "power8" ] || enabled ppc64; then if ! enabled bigendian && enabled altivec ;then enable vsx fi From 8acbba0ec3b267512842537011172457c57361ba Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 17 Dec 2014 16:02:08 +0100 Subject: [PATCH 079/700] vp8: improve memory allocation checks Check memory earlier, check one more allocation and clean up on error. CC: libav-stable@libav.org Bug-Id: CID 1257773 (cherry picked from commit 014b6b416fec89777cb9cff61bcf7896eaf7cf39) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 6ad26f3a7b..5d3123d4c2 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
@@ -176,19 +176,25 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) s->top_border = av_mallocz((s->mb_width + 1) * sizeof(*s->top_border)); s->thread_data = av_mallocz(MAX_THREADS * sizeof(VP8ThreadData)); + if (!s->macroblocks_base || !s->top_nnz || !s->top_border || + !s->thread_data || (!s->intra4x4_pred_mode_top && !s->mb_layout)) { + free_buffers(s); + return AVERROR(ENOMEM); + } + for (i = 0; i < MAX_THREADS; i++) { s->thread_data[i].filter_strength = av_mallocz(s->mb_width * sizeof(*s->thread_data[0].filter_strength)); + if (!s->thread_data[i].filter_strength) { + free_buffers(s); + return AVERROR(ENOMEM); + } #if HAVE_THREADS pthread_mutex_init(&s->thread_data[i].lock, NULL); pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } - if (!s->macroblocks_base || !s->top_nnz || !s->top_border || - (!s->intra4x4_pred_mode_top && !s->mb_layout)) - return AVERROR(ENOMEM); - s->macroblocks = s->macroblocks_base + 1; return 0; From e3b6144e0c51f61ea509f8ef79a0769068b6b059 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jan 2015 02:10:35 +0100 Subject: [PATCH 080/700] avdevice: Use av_format_get_control_message_cb() This is required as the location of this field could change and is specified in libavformat not avdevice Signed-off-by: Michael Niedermayer (cherry picked from commit ba97cf2c4562b60fbef89103b61516891e31845e) Signed-off-by: Michael Niedermayer --- libavdevice/avdevice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index c68126faa3..844b20089c 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c 
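Review bot: Both new error returns call `free_buffers(s)` while the per-thread locks are not, or only partly, set up. The first runs before any `pthread_mutex_init()`/`pthread_cond_init()`, and the one inside the loop runs with entries `i` to `MAX_THREADS - 1` untouched. `free_buffers()` is not visible in this hunk; if it destroys the mutex and condition variable of every `thread_data` entry, it would now do so on objects that were only zero-filled by `av_mallocz()`, which POSIX leaves undefined. Please confirm it tolerates that and record the requirement next to the loop, e.g. `/* free_buffers() must cope with thread_data[] entries whose lock/cond were never initialised */`.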
@@ -134,9 +134,9 @@ int avdevice_app_to_dev_control_message(struct AVFormatContext *s, enum AVAppToD int avdevice_dev_to_app_control_message(struct AVFormatContext *s, enum AVDevToAppMessageType type, void *data, size_t data_size) { - if (!s->control_message_cb) + if (!av_format_get_control_message_cb(s)) return AVERROR(ENOSYS); - return s->control_message_cb(s, type, data, data_size); + return av_format_get_control_message_cb(s)(s, type, data, data_size); } int avdevice_capabilities_create(AVDeviceCapabilitiesQuery **caps, AVFormatContext *s, From 65074a5daebcb2c6399673af1d9b0ae1f276c5f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jan 2015 21:36:26 +0100 Subject: [PATCH 081/700] avfilter/vf_framepack: Check and update frame_rate The frame_rate update was missing leaving the output frame rate wrong. Signed-off-by: Michael Niedermayer (cherry picked from commit a46a23d30fea9c8a5570e07ec4d9c9b4eaa6eb4f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_framepack.c | 13 +++++++++++- tests/ref/fate/filter-framepack-frameseq | 26 ++++++++++++------------ 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_framepack.c b/libavfilter/vf_framepack.c index 8a7d4e8f32..f5215fed9d 100644 --- a/libavfilter/vf_framepack.c +++ b/libavfilter/vf_framepack.c @@ -82,6 +82,7 @@ static int config_output(AVFilterLink *outlink) int width = ctx->inputs[LEFT]->w; int height = ctx->inputs[LEFT]->h; AVRational time_base = ctx->inputs[LEFT]->time_base; + AVRational frame_rate = ctx->inputs[LEFT]->frame_rate; // check size and fps match on the other input if (width != ctx->inputs[RIGHT]->w || 
@@ -93,11 +94,18 @@ static int config_output(AVFilterLink *outlink) return AVERROR_INVALIDDATA; } else if (av_cmp_q(time_base, ctx->inputs[RIGHT]->time_base) != 0) { av_log(ctx, AV_LOG_ERROR, - "Left and right framerates differ (%d/%d vs %d/%d).\n", + "Left and right time bases differ (%d/%d vs %d/%d).\n", time_base.num, time_base.den, ctx->inputs[RIGHT]->time_base.num, ctx->inputs[RIGHT]->time_base.den); return AVERROR_INVALIDDATA; + } else if (av_cmp_q(frame_rate, ctx->inputs[RIGHT]->frame_rate) != 0) { + av_log(ctx, AV_LOG_ERROR, + "Left and right framerates differ (%d/%d vs %d/%d).\n", + frame_rate.num, frame_rate.den, + ctx->inputs[RIGHT]->frame_rate.num, + ctx->inputs[RIGHT]->frame_rate.den); + return AVERROR_INVALIDDATA; } s->pix_desc = av_pix_fmt_desc_get(outlink->format); @@ -108,6 +116,8 @@ static int config_output(AVFilterLink *outlink) switch (s->format) { case AV_STEREO3D_FRAMESEQUENCE: time_base.den *= 2; + frame_rate.num *= 2; + s->double_pts = AV_NOPTS_VALUE; break; case AV_STEREO3D_COLUMNS: @@ -126,6 +136,7 @@ static int config_output(AVFilterLink *outlink) outlink->w = width; outlink->h = height; outlink->time_base = time_base; + outlink->frame_rate= frame_rate; return 0; } diff --git a/tests/ref/fate/filter-framepack-frameseq b/tests/ref/fate/filter-framepack-frameseq index c3d2a15e8e..83c08a0324 100644 --- a/tests/ref/fate/filter-framepack-frameseq +++ b/tests/ref/fate/filter-framepack-frameseq 
@@ -1,16 +1,16 @@ -#tb 0: 1/25 +#tb 0: 1/50 0, 0, 0, 1, 152064, 0x05b789ef 0, 1, 1, 1, 152064, 0x05b789ef 0, 2, 2, 1, 152064, 0x4bb46551 -0, 3, 3, 1, 152064, 0x9dddf64a -0, 4, 4, 1, 152064, 0x2a8380b0 -0, 5, 5, 1, 152064, 0x4de3b652 -0, 6, 6, 1, 152064, 0xedb5a8e6 -0, 7, 7, 1, 152064, 0xe20f7c23 -0, 8, 8, 1, 152064, 0x5ab58bac -0, 9, 9, 1, 152064, 0x1f1b8026 -0, 10, 10, 1, 152064, 0x91373915 -0, 11, 11, 1, 152064, 0x02344760 -0, 12, 12, 1, 152064, 0x30f5fcd5 -0, 13, 13, 1, 152064, 0xc711ad61 -0, 14, 14, 1, 152064, 0x24eca223 +0, 3, 3, 1, 152064, 0x4bb46551 +0, 4, 4, 1, 152064, 0x9dddf64a +0, 5, 5, 1, 152064, 0x9dddf64a +0, 6, 6, 1, 152064, 0x2a8380b0 +0, 7, 7, 1, 152064, 0x2a8380b0 +0, 8, 8, 1, 152064, 0x4de3b652 +0, 9, 9, 1, 152064, 0x4de3b652 +0, 10, 10, 1, 152064, 0xedb5a8e6 +0, 11, 11, 1, 152064, 0xedb5a8e6 +0, 12, 12, 1, 152064, 0xe20f7c23 +0, 13, 13, 1, 152064, 0xe20f7c23 +0, 14, 14, 1, 152064, 0x5ab58bac From edec2a4da38f8fff91a57bd1174d4b0b6334dbb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jan 2015 01:56:03 +0100 Subject: [PATCH 082/700] avcodec/flac_parser: fix handling EOF if no headers are found Fixes assertion failure Fixes Ticket4269 Signed-off-by: Michael Niedermayer (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 0e45ab0fed..b74be29a80 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -697,7 +697,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static av_cold int flac_parse_init(AVCodecParserContext *c) From 7caee172049a80e8c048e3d04202d409a06beeca Mon Sep 17 00:00:00 2001 
From: wm4 Date: Fri, 12 Dec 2014 22:22:55 +0100 Subject: [PATCH 083/700] avformat/utils: check for malloc failure Signed-off-by: Michael Niedermayer (cherry picked from commit a66893ac949864352b36b39e48c4cd72bbd81e54) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5a282a7ce7..5662092139 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3650,6 +3650,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) st->info->last_dts = AV_NOPTS_VALUE; st->codec = avcodec_alloc_context3(c); + if (!st->codec) { + av_free(st->info); + av_free(st); + return NULL; + } if (s->iformat) { /* no default bitrate if decoding */ st->codec->bit_rate = 0; From 28fba553066afafefb3862682fecb001681aca62 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Thu, 18 Dec 2014 20:26:57 +0100 Subject: [PATCH 084/700] opt: check memory allocation Bug-Id: CID 1257771 Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/opt.c b/libavutil/opt.c index d873bd205e..31434638db 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -143,6 +143,8 @@ static int set_string_binary(void *obj, const AVOption *o, const char *val, uint len /= 2; ptr = bin = av_malloc(len); + if (!ptr) + return AVERROR(ENOMEM); while (*val) { int a = hexchar2int(*val++); int b = hexchar2int(*val++); From 7f8d0cf93a98d78551833e77508bf7121f049bc1 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 17 Dec 2014 16:02:07 +0100 Subject: [PATCH 085/700] swscale: check memory allocations Bug-Id: CID 1257779 (cherry picked from commit 1dd797e3c9f179f957316a0becbec048b42df8aa) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 8e92e6da3e..24b02665ae 100644 --- a/libswscale/yuv2rgb.c 
+++ b/libswscale/yuv2rgb.c @@ -771,9 +771,13 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], av_freep(&c->yuvTable); +#define ALLOC_YUV_TABLE(x) \ + c->yuvTable = av_malloc(x); \ + if (!c->yuvTable) \ + return AVERROR(ENOMEM); switch (bpp) { case 1: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -788,7 +792,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -807,7 +811,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 0 : 6; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 38; i++) { @@ -826,7 +830,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 0 : 8; - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -849,7 +853,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -869,7 +873,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], break; case 24: case 48: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { 
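Review bot: `ALLOC_YUV_TABLE` expands to two statements and hides a `return`, so it is only safe as used here, as a full statement inside a `case`; behind an unbraced `if` only the assignment would be conditional. Wrapping the body as `do { c->yuvTable = av_malloc(x); if (!c->yuvTable) return AVERROR(ENOMEM); } while (0)` removes that trap. An `#undef ALLOC_YUV_TABLE` after the switch would keep the helper local to ff_yuv2rgb_c_init_tables(); the function continues beyond this hunk, so whether one already exists cannot be seen here. A short comment on the macro, `/* allocates c->yuvTable; returns AVERROR(ENOMEM) from the enclosing function on failure */`, would make the hidden exit explicit.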
@@ -891,7 +895,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - c->yuvTable = av_malloc(1024 * 3 * 4); + ALLOC_YUV_TABLE(1024 * 3 * 4); y_table32 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { From 4d74bb24e39fdadd0aed3c3fdb5fa156468c7ea6 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 17 Dec 2014 14:53:43 +0100 Subject: [PATCH 086/700] aacenc: correctly check returned value (cherry picked from commit 971099ff5a85377579eb5b8d3620e283957f097e) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index d9c72155b1..635123e46d 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -753,10 +753,10 @@ static av_cold int aac_encode_init(AVCodecContext *avctx) s->chan_map = aac_chan_configs[s->channels-1]; - if (ret = dsp_init(avctx, s)) + if ((ret = dsp_init(avctx, s)) < 0) goto fail; - if (ret = alloc_buffers(avctx, s)) + if ((ret = alloc_buffers(avctx, s)) < 0) goto fail; avctx->extradata_size = 5; @@ -768,7 +768,8 @@ static av_cold int aac_encode_init(AVCodecContext *avctx) lengths[1] = ff_aac_num_swb_128[i]; for (i = 0; i < s->chan_map[0]; i++) grouping[i] = s->chan_map[i + 1] == TYPE_CPE; - if (ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, s->chan_map[0], grouping)) + if ((ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, + s->chan_map[0], grouping)) < 0) goto fail; s->psypp = ff_psy_preprocess_init(avctx); s->coder = &ff_aac_coders[s->options.aac_coder]; From 5fbf63ea394e6a3ab2abf34628721cfa53e81182 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 17 Dec 2014 13:50:06 +0200 Subject: [PATCH 087/700] rtpdec_h263_rfc2190: Clear the stored bits if discarding buffered data If we throw away the buffered incomplete frame, make sure to also throw away the buffered bits of an incomplete byte at the same time. (cherry picked from commit df07c07b3de0a5e8890078944de1eb5cb8372ef8) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_h263_rfc2190.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/rtpdec_h263_rfc2190.c b/libavformat/rtpdec_h263_rfc2190.c index a2279013dc..8a36e5334c 100644 --- a/libavformat/rtpdec_h263_rfc2190.c +++ b/libavformat/rtpdec_h263_rfc2190.c @@ -83,6 +83,7 @@ static int h263_handle_packet(AVFormatContext *ctx, PayloadContext *data, avio_close_dyn_buf(data->buf, &p); av_free(p); data->buf = NULL; + data->endbyte_bits = 0; } if (len < 4) { From 0bdc64e8b9c1010c7756874ba913108a5f27addc Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 10 Dec 2014 01:41:44 +0000 Subject: [PATCH 088/700] hevc: always clip luma_log2_weight_denom Its value shall be between 0 and 7 according to the specifications. Bug-Id: CID 1257502 --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index fd557f4c2f..8fac87d889 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -144,7 +144,7 @@ static void pred_weight_table(HEVCContext *s, GetBitContext *gb) uint8_t luma_weight_l1_flag[16]; uint8_t chroma_weight_l1_flag[16]; - s->sh.luma_log2_weight_denom = get_ue_golomb_long(gb); + s->sh.luma_log2_weight_denom = av_clip_c(get_ue_golomb_long(gb), 0, 7); if (s->sps->chroma_format_idc != 0) { int delta = get_se_golomb(gb); s->sh.chroma_log2_weight_denom = av_clip(s->sh.luma_log2_weight_denom + delta, 0, 7); From a45402d4c0afca2fc8ba656fddc502ddb4914b1a Mon Sep 17 00:00:00 2001 
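Review bot: Clipping `luma_log2_weight_denom` silently turns an out-of-spec slice header into a decodable one, and because `pred_weight_table()` returns void the violation cannot be reported from here. get_ue_golomb_long() yields an unsigned value, so anything above INT_MAX reaches `av_clip_c()` as an implementation-defined, typically negative, int and is clipped to 0 rather than 7. The next line uses `av_clip()` for the chroma denominator while this one uses `av_clip_c()`. Using the same helper on both, plus a comment such as `/* spec range is 0..7; out-of-range values are clamped, not rejected */`, would make the intent clear.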
From: Michael Niedermayer Date: Sat, 6 Dec 2014 22:33:09 +0100 Subject: [PATCH 089/700] avformat/mpeg: do not count PES packets inside PES packets during probing Fixes: misdetection of test2.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit e15b29bb18bee8b65fab5a3c873540e01fd20afe) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 827a3c2c5f..8e1848c9ca 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -70,20 +70,23 @@ static int mpegps_probe(AVProbeData *p) int i; int sys = 0, pspack = 0, priv1 = 0, vid = 0; int audio = 0, invalid = 0, score = 0; + int endpes = 0; for (i = 0; i < p->buf_size; i++) { code = (code << 8) + p->buf[i]; if ((code & 0xffffff00) == 0x100) { int len = p->buf[i + 1] << 8 | p->buf[i + 2]; - int pes = check_pes(p->buf + i, p->buf + p->buf_size); + int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) pspack++; - else if ((code & 0xf0) == VIDEO_ID && pes) + else if ((code & 0xf0) == VIDEO_ID && pes) { + endpes = i + len; vid++; + } // skip pes payload to avoid start code emulation for private // and audio streams else if ((code & 0xe0) == AUDIO_ID && pes) {audio++; i+=len;} From a443b48ccfca1ac82f86f9402c3f4f06d727826d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Dec 2014 00:18:29 +0100 Subject: [PATCH 090/700] avformat/rmdec: Check for overflow in ff_rm_read_mdpr_codecdata() Signed-off-by: Michael Niedermayer (cherry picked from commit 03abf55f252945c70f4a79eaf4d609cee4d98710) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 19bd7a7a0b..65982efe79 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -412,7 +412,11 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, skip: /* skip codec info */ size = avio_tell(pb) - codec_pos; - avio_skip(pb, codec_data_size - size); + if (codec_data_size >= size) { + avio_skip(pb, codec_data_size - size); + } else { + av_log(s, AV_LOG_WARNING, "codec_data_size %u < size %d\n", codec_data_size, size); + } return 0; } From a45b8af839fd44e52b77a2436a465939969a6d11 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 20 Jan 2015 18:46:01 +0100 Subject: [PATCH 091/700] libavcodec/ppc/mpegvideoencdsp.c: fix stack smashing in pix_norm1_altivec() and pix_sum_altivec() The vec_ste calls were mistakenly changed to vec_vsx_st in c5ca76a, which caused stack smashing. Changing them back fixes crashes on ppc64el, when configured with --toolchain=hardened. Signed-off-by: Michael Niedermayer (cherry picked from commit 840c3c05316a59c70a7470ed27aaa9c2f3ba410a) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/mpegvideoencdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ppc/mpegvideoencdsp.c b/libavcodec/ppc/mpegvideoencdsp.c index e91ba5d25f..3e6765ce15 100644 --- a/libavcodec/ppc/mpegvideoencdsp.c +++ b/libavcodec/ppc/mpegvideoencdsp.c @@ -55,7 +55,7 @@ static int pix_norm1_altivec(uint8_t *pix, int line_size) /* Sum up the four partial sums, and put the result into s. */ sum = vec_sums((vector signed int) sv, (vector signed int) zero); sum = vec_splat(sum, 3); - vec_vsx_st(sum, 0, &s); + vec_ste(sum, 0, &s); return s; } #else @@ -113,7 +113,7 @@ static int pix_sum_altivec(uint8_t *pix, int line_size) /* Sum up the four partial sums, and put the result into s. */ sumdiffs = vec_sums((vector signed int) sad, (vector signed int) zero); sumdiffs = vec_splat(sumdiffs, 3); - vec_vsx_st(sumdiffs, 0, &s); + vec_ste(sumdiffs, 0, &s); return s; } #else From b62b3e1a25aaf4fe8ad0a46a0ee0f9e361e0187d Mon Sep 17 00:00:00 2001 
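Review bot: When `codec_data_size < size` the parser has already consumed more than the declared codec data, yet the new else branch only logs and the function still returns 0. If callers use the return value to decide whether the stream header is usable, `return AVERROR_INVALIDDATA;` after the `av_log()` would stop processing of an inconsistent chunk. If continuing is deliberate, say so in a comment, e.g. `/* over-read of the codec data is tolerated; the position is left where parsing ended */`. The format string treats the two operands as unsigned (`%u`) and signed (`%d`), so a negative `size` would presumably be compared as a large unsigned value and take the warning branch; the declarations are outside the hunk.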
From: Michael Niedermayer Date: Wed, 21 Jan 2015 20:14:34 +0100 Subject: [PATCH 092/700] swscale/input: Fix alpha of YA16 input Fixes Ticket4278 Signed-off-by: Michael Niedermayer (cherry picked from commit 95d04690aa4f43f6b61640713a11a9649cbf85e9) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 6716f0dcec..1928223951 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -1249,11 +1249,9 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) #endif case AV_PIX_FMT_YA16LE: c->lumToYV12 = read_ya16le_gray_c; - c->alpToYV12 = read_ya16le_alpha_c; break; case AV_PIX_FMT_YA16BE: c->lumToYV12 = read_ya16be_gray_c; - c->alpToYV12 = read_ya16be_alpha_c; break; case AV_PIX_FMT_YUYV422: case AV_PIX_FMT_YVYU422: @@ -1375,6 +1373,12 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) case AV_PIX_FMT_YA8: c->alpToYV12 = uyvyToY_c; break; + case AV_PIX_FMT_YA16LE: + c->alpToYV12 = read_ya16le_alpha_c; + break; + case AV_PIX_FMT_YA16BE: + c->alpToYV12 = read_ya16be_alpha_c; + break; case AV_PIX_FMT_PAL8 : c->alpToYV12 = palToA_c; break; From f07e2ff6979380ec7c18de55216bdd92db4856a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jan 2015 20:23:45 +0100 Subject: [PATCH 093/700] swscale/input: fix rgba64 alpha non native Signed-off-by: Michael Niedermayer (cherry picked from commit f30798584fd9709e83644f831107fdc9e26b1311) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 1928223951..7b3b7060e6 100644 --- a/libswscale/input.c +++ b/libswscale/input.c 
@@ -412,14 +412,24 @@ static void gbr24pToUV_half_c(uint8_t *_dstU, uint8_t *_dstV, } } -static void rgba64ToA_c(uint8_t *_dst, const uint8_t *_src, const uint8_t *unused1, - const uint8_t *unused2, int width, uint32_t *unused) +static void rgba64leToA_c(uint8_t *_dst, const uint8_t *_src, const uint8_t *unused1, + const uint8_t *unused2, int width, uint32_t *unused) { int16_t *dst = (int16_t *)_dst; const uint16_t *src = (const uint16_t *)_src; int i; for (i = 0; i < width; i++) - dst[i] = src[4 * i + 3]; + dst[i] = AV_RL16(src + 4 * i + 3); +} + +static void rgba64beToA_c(uint8_t *_dst, const uint8_t *_src, const uint8_t *unused1, + const uint8_t *unused2, int width, uint32_t *unused) +{ + int16_t *dst = (int16_t *)_dst; + const uint16_t *src = (const uint16_t *)_src; + int i; + for (i = 0; i < width; i++) + dst[i] = AV_RB16(src + 4 * i + 3); } static void abgrToA_c(uint8_t *_dst, const uint8_t *src, const uint8_t *unused1, const uint8_t *unused2, int width, uint32_t *unused) @@ -1359,9 +1369,9 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) } switch (srcFormat) { case AV_PIX_FMT_BGRA64LE: + case AV_PIX_FMT_RGBA64LE: c->alpToYV12 = rgba64leToA_c; break; case AV_PIX_FMT_BGRA64BE: - case AV_PIX_FMT_RGBA64LE: - case AV_PIX_FMT_RGBA64BE: c->alpToYV12 = rgba64ToA_c; break; + case AV_PIX_FMT_RGBA64BE: c->alpToYV12 = rgba64beToA_c; break; case AV_PIX_FMT_BGRA: case AV_PIX_FMT_RGBA: c->alpToYV12 = rgbaToA_c; From 6ac8ac0109de494d09803df21b5a5caf7c3b3908 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jan 2015 13:09:21 +0100 Subject: [PATCH 094/700] doc/APIchanges: Fill in some more missing hash values Signed-off-by: Michael Niedermayer (cherry picked from commit bbdd940f36662d4b6156464b1bda5131fc382465) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index abb83b84c7..a8636045a9 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -200,7 +200,7 @@ API changes, most recent first: Increase FF_INPUT_BUFFER_PADDING_SIZE to 32 due to some corner cases needing it -2014-06-10 - xxxxxxx - lavf 55.43.100 - avformat.h +2014-06-10 - 5482780 - lavf 55.43.100 - avformat.h New field int64_t max_analyze_duration2 instead of deprecated int max_analyze_duration. @@ -224,7 +224,7 @@ API changes, most recent first: Add strict_std_compliance and related AVOptions to support experimental muxing. -2014-05-26 - xxxxxxx - lavu 52.87.100 - threadmessage.h +2014-05-26 - 55cc60c - lavu 52.87.100 - threadmessage.h Add thread message queue API. 2014-05-26 - c37d179 - lavf 55.41.100 - avformat.h @@ -234,7 +234,7 @@ API changes, most recent first: Add av_stream_get_side_data() to access stream-level side data in the same way as av_packet_get_side_data(). -2014-05-xx - xxxxxxx - lavu 52.86.100 - fifo.h +2014-05-xx - 7336e39 - lavu 52.86.100 - fifo.h Add av_fifo_alloc_array() function. 2014-05-19 - ef1d4ee / bddd8cb - lavu 52.85.100 / 53.15.0 - frame.h, display.h From 8026606497eab7220991f97535e9193a744fa8ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jan 2015 12:27:36 +0100 Subject: [PATCH 095/700] doc/APIchanges: Add av_find_best_pix_fmt_of_2() and av_get_pix_fmt_loss() also add deprecation note for avcodec_get_pix_fmt_loss(), avcodec_find_best_pix_fmt_of_2() Found-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit f7a1c5e4d2294a8970ede7f6deb2fe0a64e202a5) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/APIchanges b/doc/APIchanges index a8636045a9..e08ee3fcd7 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -288,6 +288,10 @@ API changes, most recent first: Deprecate CODEC_FLAG_INPUT_PRESERVED. Its functionality is replaced by passing reference-counted frames to encoders. +2014-04-30 - 617e866 - lavu 52.81.100 - pixdesc.h + Add av_find_best_pix_fmt_of_2(), av_get_pix_fmt_loss() + Deprecate avcodec_get_pix_fmt_loss(), avcodec_find_best_pix_fmt_of_2() + 2014-04-29 - 1bf6396 - lavc 55.60.100 - avcodec.h Add AVCodecDescriptor.mime_types field. From 164083434e7808f8a7a6137461d8d62b7a443237 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jan 2015 14:24:08 +0100 Subject: [PATCH 096/700] doc/APIchanges: fill in and correct some values Signed-off-by: Michael Niedermayer (cherry picked from commit 0d64982828aee5f3495a71050e4930fa2898ca15) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index e08ee3fcd7..c075de6a0d 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -266,7 +266,7 @@ API changes, most recent first: 2014-05-11 - 14aef38 / 66e6c8a - lavu 52.83.100 / 53.14.0 - pixfmt.h Add AV_PIX_FMT_VDA for new-style VDA acceleration. -2014-05-xx - xxxxxxx - lavu 52.82.100 - fifo.h +2014-05-07 - 351f611 - lavu 52.82.100 - fifo.h Add av_fifo_freep() function. 2014-05-02 - ba52fb11 - lavu 52.81.100 - opt.h @@ -295,7 +295,7 @@ API changes, most recent first: 2014-04-29 - 1bf6396 - lavc 55.60.100 - avcodec.h Add AVCodecDescriptor.mime_types field. -2014-04-29 - xxxxxxx - lavu 52.80.0 - hash.h +2014-04-29 - b804eb4 - lavu 52.80.100 - hash.h Add av_hash_final_bin(), av_hash_final_hex() and av_hash_final_b64(). 2014-03-07 - 8b2a130 - lavc 55.50.0 / 55.53.100 - dxva2.h 
@@ -307,7 +307,7 @@ API changes, most recent first: 2014-04-17 - a8d01a7 / 0983d48 - lavu 53.12.0 / 52.77.100 - crc.h Add AV_CRC_16_ANSI_LE crc variant. -2014-04-XX - xxxxxxx - lavf xx.xx.1xx - avformat.h +2014-04-15 - ef818d8 - lavf 55.37.101 - avformat.h Add av_format_inject_global_side_data() 2014-04-12 - 4f698be - lavu 52.76.100 - log.h From 25fc0faccb0142379eee87a5c80beff3cf9de1c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Jan 2015 15:09:21 +0100 Subject: [PATCH 097/700] doc/APIchanges: fill in more missing hash values and dates all values before 2.5 seem to be filled in now Signed-off-by: Michael Niedermayer (cherry picked from commit 8c8ee17e8d2800144116ec52f26a435a06b49420) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index c075de6a0d..13b435c2a0 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -234,7 +234,7 @@ API changes, most recent first: Add av_stream_get_side_data() to access stream-level side data in the same way as av_packet_get_side_data(). -2014-05-xx - 7336e39 - lavu 52.86.100 - fifo.h +2014-05-20 - 7336e39 - lavu 52.86.100 - fifo.h Add av_fifo_alloc_array() function. 2014-05-19 - ef1d4ee / bddd8cb - lavu 52.85.100 / 53.15.0 - frame.h, display.h @@ -387,7 +387,7 @@ API changes, most recent first: 2014-02-19 - f4c8d00 / 6bb8720 - lavu 52.64.101 / 53.3.1 - opt.h Deprecate unused AV_OPT_FLAG_METADATA. -2014-02-xx - xxxxxxx - lavd 55.10.100 - avdevice.h +2014-02-16 - 81c3f81 - lavd 55.10.100 - avdevice.h Add avdevice_list_devices() and avdevice_free_list_devices() 2014-02-16 - db3c970 - lavf 55.33.100 - avio.h 
@@ -428,7 +428,7 @@ API changes, most recent first: 2014-01-19 - 1a193c4 - lavf 55.25.100 - avformat.h Add avformat_get_mov_video_tags() and avformat_get_mov_audio_tags(). -2014-01-19 - xxxxxxx - lavu 52.63.100 - rational.h +2014-01-19 - 3532dd5 - lavu 52.63.100 - rational.h Add av_make_q() function. 2014-01-05 - 4cf4da9 / 5b4797a - lavu 52.62.100 / 53.2.0 - frame.h From 675fb3a8af6b0f8fcccdfc6276212f0556896622 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:19:25 +0100 Subject: [PATCH 098/700] avformat/utils: Fix number suffixes in tb_unreliable() Signed-off-by: Michael Niedermayer (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5662092139..78653d1f1c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2812,8 +2812,8 @@ static int get_std_framerate(int i) * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c) { - if (c->time_base.den >= 101L * c->time_base.num || - c->time_base.den < 5L * c->time_base.num || + if (c->time_base.den >= 101LL * c->time_base.num || + c->time_base.den < 5LL * c->time_base.num || // c->codec_tag == AV_RL32("DIVX") || // c->codec_tag == AV_RL32("XVID") || c->codec_tag == AV_RL32("mp4v") || From 1e366c15ed5974496722b9173a8a1a3f2f16fa41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:27:00 +0100 Subject: [PATCH 099/700] swresample/dither: Cleanup number suffixes The <<31 case needs LL Signed-off-by: Michael Niedermayer (cherry picked from commit c77cc2c1766666cdb5f14daee0f75e397bf7a194) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index b8b592a7ce..8121f11c2f 100644 
--- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -84,14 +84,14 @@ int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFo in_fmt = av_get_packed_sample_fmt( in_fmt); if(in_fmt == AV_SAMPLE_FMT_FLT || in_fmt == AV_SAMPLE_FMT_DBL){ - if(out_fmt == AV_SAMPLE_FMT_S32) scale = 1.0/(1L<<31); - if(out_fmt == AV_SAMPLE_FMT_S16) scale = 1.0/(1L<<15); - if(out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1.0/(1L<< 7); + if(out_fmt == AV_SAMPLE_FMT_S32) scale = 1.0/(1LL<<31); + if(out_fmt == AV_SAMPLE_FMT_S16) scale = 1.0/(1LL<<15); + if(out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1.0/(1LL<< 7); } if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S32 && (s->dither.output_sample_bits&31)) scale = 1; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1L<<16; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<24; - if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<8; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1<<16; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<24; + if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<8; scale *= s->dither.scale; From bac6554c74dc4567a16ced1ae57160a99df692fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:29:20 +0100 Subject: [PATCH 100/700] avcodec/dxtory: Use LL instead of L number suffix This is probably unneeded and normal int would be fine, but its safer to use LL and this isnt speed relevant Signed-off-by: Michael Niedermayer (cherry picked from commit b4ad2853c50d055e9ba8c29f2e1c83b292f29d7a) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 4d8b7b29a6..91d87f08d9 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c 
@@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 9L / 8) { + if (src_size < avctx->width * avctx->height * 9LL / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3L / 2) { + if (src_size < avctx->width * avctx->height * 3LL / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -145,7 +145,7 @@ static int dxtory_decode_v1_444(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3L) { + if (src_size < avctx->width * avctx->height * 3LL) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From 260e5c6dbe198332d575842639575f46a4b11f57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:34:52 +0100 Subject: [PATCH 101/700] avformat/matroskadec: Fix number suffixes Signed-off-by: Michael Niedermayer (cherry picked from commit fc3cdb00d084222a107e61e7168903bf3d3d0b47) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3f327fd8c5..9c13484c9a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
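Review bot: In the `src_size` guard of dxtory_decode_v1_410(), `avctx->width * avctx->height` is still evaluated in `int` before the `9LL` operand widens the expression, so the new suffix does not cover the product that is most likely to overflow. Putting the wide operand first, `if (src_size < 9LL * avctx->width * avctx->height / 8) {`, makes the whole computation 64-bit; the same reordering applies to the `3LL / 2` check in dxtory_decode_v1_420() and the `3LL` check in dxtory_decode_v1_444(). If the dimensions are already bounded before these functions run this is hardening only, but the guard is presumably what keeps the later reads inside the packet. The bodies of all three functions continue outside the hunks.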
@@ -1926,8 +1926,8 @@ static int matroska_parse_tracks(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L - && st->avg_frame_rate.num > st->avg_frame_rate.den * 5L) + if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL + && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) st->r_frame_rate = st->avg_frame_rate; #endif } From a3ef410b9c46016d602a5dd9db9ce6365cd936a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:13 +0100 Subject: [PATCH 102/700] avformat/smacker: Fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 284cdc196a..5dcf4adafe 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -321,7 +321,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) int err; size = avio_rl32(s->pb) - 4; - if (!size || size + 4L > frame_size) { + if (!size || size + 4LL > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); return AVERROR_INVALIDDATA; } From d11bca8043ddaf001aae83840df414732e3a5831 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:36 +0100 Subject: [PATCH 103/700] avformat/omadec: fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit f1f7f5903ab49b84789af5341492afbaba808a70) Signed-off-by: Michael Niedermayer --- libavformat/omadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 9f3d3aa860..42954130bc 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
@@ -174,7 +174,7 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, taglen = AV_RB32(&enc_header[pos + 32]); datalen = AV_RB32(&enc_header[pos + 36]) >> 4; - pos += 44L + taglen; + pos += 44LL + taglen; if (pos + (((uint64_t)datalen) << 4) > size) return -1; From 979a54ed1833f667dc9c46e7290cd3cb50fa9aab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:39:22 +0100 Subject: [PATCH 104/700] avcodec/h264_cabac: use int instead of long for mbb_xy The mb address fits in int Signed-off-by: Michael Niedermayer (cherry picked from commit 592ba6ec106206f97133c9345313010c76361e12) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 6455ee7b2d..a411efed8c 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1282,7 +1282,7 @@ void ff_h264_init_cabac_states(H264Context *h) { } static int decode_cabac_field_decoding_flag(H264Context *h) { - const long mbb_xy = h->mb_xy - 2L*h->mb_stride; + const int mbb_xy = h->mb_xy - 2*h->mb_stride; unsigned long ctx = 0; From 2f5c5767d1c36f4d4d28932a19e9d20ee10d7c29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:40:13 +0100 Subject: [PATCH 105/700] avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 27153cf6a8..666c983f24 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
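Review bot: `pos += 44LL + taglen;` in nprobe() computes the sum in 64 bits but stores it back into `pos`, whose declaration is outside the hunk; if `pos` is a 32-bit type the value is truncated again on assignment and the following `pos + (((uint64_t)datalen) << 4) > size` test sees the wrapped result. `taglen` and `datalen` are both read from the header with `AV_RB32`, so they are controlled by the input. Rejecting the tag before the addition, `if (44LL + taglen > (int64_t)size - pos) return -1;`, or declaring `pos` as a 64-bit type, would make the bound hold regardless of the suffix.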
@@ -395,18 +395,18 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) switch(avctx->codec_id) { case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG2VIDEO: - avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112L / 15000000 * 16384; + avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112LL / 15000000 * 16384; break; case AV_CODEC_ID_MPEG4: case AV_CODEC_ID_MSMPEG4V1: case AV_CODEC_ID_MSMPEG4V2: case AV_CODEC_ID_MSMPEG4V3: if (avctx->rc_max_rate >= 15000000) { - avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000L) * (760-320) / (38400000 - 15000000); + avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000LL) * (760-320) / (38400000 - 15000000); } else if(avctx->rc_max_rate >= 2000000) { - avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000L) * (320- 80) / (15000000 - 2000000); + avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000LL) * (320- 80) / (15000000 - 2000000); } else if(avctx->rc_max_rate >= 384000) { - avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000L) * ( 80- 40) / ( 2000000 - 384000); + avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000LL) * ( 80- 40) / ( 2000000 - 384000); } else avctx->rc_buffer_size = 40; avctx->rc_buffer_size *= 16384; From b0b6d8de7ec88f1099efaf93d5b5bb43b9dfea22 Mon Sep 17 00:00:00 2001 From: Rong Yan Date: Tue, 3 Feb 2015 03:04:33 +0000 Subject: [PATCH 106/700] avcodec/ppc/idctdsp.c: POWER LE support in idct_add_altivec() also add GET_TMP2() macro Signed-off-by: Michael Niedermayer (cherry picked from commit fc35df893175cedd65c14a4f7ebab6f33aeae4a6) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/idctdsp.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/ppc/idctdsp.c b/libavcodec/ppc/idctdsp.c index 5ef514b51b..ea56a70948 100644 --- a/libavcodec/ppc/idctdsp.c +++ b/libavcodec/ppc/idctdsp.c 
@@ -209,16 +209,26 @@ static void idct_add_altivec(uint8_t *dest, int stride, int16_t *blk) IDCT; +#if HAVE_BIGENDIAN p0 = vec_lvsl(0, dest); p1 = vec_lvsl(stride, dest); p = vec_splat_u8(-1); perm0 = vec_mergeh(p, p0); perm1 = vec_mergeh(p, p1); +#endif + +#if HAVE_BIGENDIAN +#define GET_TMP2(dest, prm) \ + tmp = vec_ld(0, dest); \ + tmp2 = (vec_s16) vec_perm(tmp, (vec_u8) zero, prm); +#else +#define GET_TMP2(dest, prm) \ + tmp = vec_vsx_ld(0, dest); \ + tmp2 = (vec_s16) vec_mergeh(tmp, (vec_u8) zero) +#endif #define ADD(dest, src, perm) \ - /* *(uint64_t *) &tmp = *(uint64_t *) dest; */ \ - tmp = vec_ld(0, dest); \ - tmp2 = (vec_s16) vec_perm(tmp, (vec_u8) zero, perm); \ + GET_TMP2(dest, perm); \ tmp3 = vec_adds(tmp2, src); \ tmp = vec_packsu(tmp3, tmp3); \ vec_ste((vec_u32) tmp, 0, (unsigned int *) dest); \ From 563e542b31e2174693207c1a391b71eac978187a Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 14:41:10 +0100 Subject: [PATCH 107/700] avformat/tta: fix crash with corrupted files av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files. The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.) Fixes ticket #4294. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 7174fd5438..d3b3fb0471 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c 
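Review bot: The little-endian `GET_TMP2` in idct_add_altivec() loads with `vec_vsx_ld(0, dest)`, which reads 16 bytes starting at `dest`, while only the half selected by `vec_mergeh` is used. Unlike the aligned `vec_ld` on the big-endian path, this load can extend past the row, so on the last rows of a plane it relies on the buffer having padding behind it; whether that is guaranteed is not visible here. A comment on the macro, such as `/* reads 16 bytes from dest, only 8 are used; needs padded destination */`, would record the assumption. The two variants also differ in their trailing semicolon, which works with `GET_TMP2(dest, perm); \` in `ADD` but is easy to break.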
@@ -118,8 +118,10 @@ static int tta_read_header(AVFormatContext *s) ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX); for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); - av_add_index_entry(st, framepos, i * c->frame_size, size, 0, - AVINDEX_KEYFRAME); + int r; + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + AVINDEX_KEYFRAME)) < 0) + return r; framepos += size; } crc = ffio_get_checksum(s->pb) ^ UINT32_MAX; @@ -153,6 +155,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->currentframe >= c->totalframes) return AVERROR_EOF; + if (st->nb_index_entries < c->totalframes) { + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n"); + return AVERROR_INVALIDDATA; + } + size = st->index_entries[c->currentframe].size; ret = av_get_packet(s->pb, pkt, size); From 193440f5662cc7183798d7eba961f98075361dcd Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:12 +0100 Subject: [PATCH 108/700] avformat/mpc8: fix hang with fuzzed file This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index a15dc25a69..722d0ee05f 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s) while(!avio_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); 
From 352d17086fd00e48fa0885113abaedc58a40adc8 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:11 +0100 Subject: [PATCH 109/700] avformat/mpc8: fix broken pointer math MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger Signed-off-by: Michael Niedermayer (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 722d0ee05f..6524c7e489 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) From 657dc91b44fd02a22db8ec1dc723c3a233fb51c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 14:47:41 +0100 Subject: [PATCH 110/700] avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 6524c7e489..684a0eeae0 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -57,7 +57,7 @@ typedef struct { static inline int64_t bs_get_v(const uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; @@ -108,7 +108,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; 
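Review bot: bs_get_v() and gb_get_v() now accumulate in `uint64_t` but still return `int64_t`, so a value with the top bit set can come back negative at the return statement, which is outside both hunks. That makes the callers' range checks part of the contract (the probe's `size < 2` test is visible in the neighbouring hunk), and nothing at the declarations says so. A one-line comment above each `v`, such as `/* unsigned so the accumulation is well defined; the result may be negative and callers must reject it */`, would record that.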
From 0ae93844d0e85a2a8ce4a1454361bd08416081ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:13:18 +0100 Subject: [PATCH 111/700] avcodec/mjpegdec: Check escape sequence validity Fixes assertion failure Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit afa92907f3c6a0c3bdad766ec8d938ee17ee1c9e) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a29a533826..3e098ee636 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1904,6 +1904,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, put_bits(&pb, 8, x); if (x == 0xFF) { x = src[b++]; + if (x & 0x80) { + av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); + x &= 0x7f; + } put_bits(&pb, 7, x); bit_count--; } From 58096b70fa9868bf8f40a998e9870e58fb4630ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:48:30 +0100 Subject: [PATCH 112/700] avcodec/mjpegdec: Check number of components for JPEG-LS Fixes out of array accesses Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 3e098ee636..17b6993aaa 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
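Review bot: The escape byte in ff_mjpeg_find_marker() is fetched with a second `x = src[b++];` directly after the `0xFF` test, and nothing in this hunk checks that `b` is still inside the input before that read. The loop condition is outside the hunk, so this may already be covered, but if the bound is tested only once per iteration a buffer ending in `0xFF` would make this read go one byte past the end. Folding the bound into the test, `if (x == 0xFF && b < END) {` with END standing for the loop's end index, would close that. The new warning is also emitted once per bad escape byte, so a damaged stream can produce a large number of log lines.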
@@ -561,9 +561,12 @@ unk_pixfmt: } if (s->ls) { s->upscale_h = s->upscale_v = 0; - if (s->nb_components > 1) + if (s->nb_components == 3) { s->avctx->pix_fmt = AV_PIX_FMT_RGB24; - else if (s->palette_index && s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->palette_index && s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; else if (s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_GRAY8; From c65a731b6f603789a16cf5ac275b67d85c6d92a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 22:30:08 +0100 Subject: [PATCH 113/700] avcodec/mpegvideo_motion: Fix gmc chroma dimensions Fixes integer overflow and out of array read Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fd52d2d3d1ee41822a9801dffd41c0e1a2db32a8) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_motion.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index e7a585dd5f..e320511947 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -178,7 +178,7 @@ static void gmc_motion(MpegEncContext *s, s->sprite_delta[0][0], s->sprite_delta[0][1], s->sprite_delta[1][0], s->sprite_delta[1][1], a + 1, (1 << (2 * a + 1)) - s->no_rounding, - s->h_edge_pos >> 1, s->v_edge_pos >> 1); + (s->h_edge_pos + 1) >> 1, (s->v_edge_pos + 1) >> 1); ptr = ref_picture[2]; s->mdsp.gmc(dest_cr, ptr, uvlinesize, 8, 
@@ -186,7 +186,7 @@ static void gmc_motion(MpegEncContext *s, s->sprite_delta[0][0], s->sprite_delta[0][1], s->sprite_delta[1][0], s->sprite_delta[1][1], a + 1, (1 << (2 * a + 1)) - s->no_rounding, - s->h_edge_pos >> 1, s->v_edge_pos >> 1); + (s->h_edge_pos + 1) >> 1, (s->v_edge_pos + 1) >> 1); } static inline int hpel_motion(MpegEncContext *s, From 6252e9141ba5cc1fb3a270e0405f107ac16a36f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 00:12:08 +0100 Subject: [PATCH 114/700] swscale/utils: Limit filter shifting so as not to read from prior the array Fixes out of array read Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index ab494ed79c..fd58d3aeb8 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -611,14 +611,15 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, } if ((*filterPos)[i] + filterSize > srcW) { - int shift = (*filterPos)[i] + filterSize - srcW; + int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + // move filter coefficients right to compensate for filterPos for (j = filterSize - 2; j >= 0; j--) { int right = FFMIN(j + shift, filterSize - 1); filter[i * filterSize + right] += filter[i * filterSize + j]; filter[i * filterSize + j] = 0; } - (*filterPos)[i]= srcW - filterSize; + (*filterPos)[i]-= shift; } } From 0f642909d866c5189677b1ec864c777a6da49963 Mon Sep 17 00:00:00 2001 
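Review bot: In the initFilter() hunk, when `filterSize > srcW` the new `shift` equals `(*filterPos)[i]`, so the position is pinned to 0 as intended, but `(*filterPos)[i] + filterSize` still exceeds `srcW` afterwards. The loop keeps moving coefficients toward tap `filterSize - 1` through `FFMIN(j + shift, filterSize - 1)`, and those taps correspond to source indices at or beyond `srcW`; whether that is a read past the row depends on padding or clamping that is not visible here. At minimum a comment such as `// filterSize > srcW: position pinned to 0, taps >= srcW remain and rely on source padding` would state the assumption. A follow-up could fold the weight of taps beyond `srcW - 1` into the last valid tap instead. The function starts and ends outside the hunk.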
From: Michael Niedermayer Date: Thu, 5 Feb 2015 03:45:21 +0100 Subject: [PATCH 115/700] avformat/thp: Check av_get_packet() for failure not only for partial output Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 714cec6cd3..91fa90f942 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -184,6 +184,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); From 25da8d84a46ef262a979d62ca9c58432dcdb2ccf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 23:52:01 +0100 Subject: [PATCH 116/700] avcodec/x86/lossless_audiodsp: Make scalarproduct_and_madd_int16 prototypes more similar This is needed as the mmx code is used as fallback from the ssse3 code Suggested-by: jamrial Tested-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit 3b4ffba3af968ae702e3a44f6b5f53445efc7363) Signed-off-by: Michael Niedermayer --- libavcodec/x86/lossless_audiodsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/lossless_audiodsp.asm b/libavcodec/x86/lossless_audiodsp.asm index 39395fecca..5dff835902 100644 --- a/libavcodec/x86/lossless_audiodsp.asm +++ b/libavcodec/x86/lossless_audiodsp.asm 
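Review bot: The `ret < 0` guard in thp_read_packet() is added only to the audio branch; the video branch ends on the first context line of the hunk (`pkt->stream_index = thp->video_stream_index;`) and its own av_get_packet() handling is not visible. If it uses the same short-read comparison followed by `av_free_packet(pkt)`, it has the same failure mode on a failed read and needs the same two lines, `if (ret < 0)` and `return ret;`, before that comparison. Returning `ret` also preserves the original error code, which the `AVERROR(EIO)` path does not.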
@@ -122,7 +122,7 @@ align 16 ; int ff_scalarproduct_and_madd_int16(int16_t *v1, int16_t *v2, int16_t *v3, ; int order, int mul) INIT_XMM ssse3 -cglobal scalarproduct_and_madd_int16, 4,5,10, v1, v2, v3, order, mul +cglobal scalarproduct_and_madd_int16, 4,4,10, v1, v2, v3, order, mul test orderq, 8 jnz scalarproduct_and_madd_int16_fallback shl orderq, 1 From 3572eaaf02f9611ed6f5c4ccba7e75befaf43ecf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 01:57:23 +0100 Subject: [PATCH 117/700] avcodec/x86/lossless_audiodsp: Move order&8 fallback into C code This is simpler and more robust, and fixes mismatching XMM save restore mismatches Signed-off-by: Michael Niedermayer (cherry picked from commit f1214763af1abf5d7f49b98f88c06e13b98932a6) Signed-off-by: Michael Niedermayer --- libavcodec/x86/lossless_audiodsp.asm | 8 ------- libavcodec/x86/lossless_audiodsp_init.c | 28 +++++++++++++++++++++++-- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/libavcodec/x86/lossless_audiodsp.asm b/libavcodec/x86/lossless_audiodsp.asm index 5dff835902..084ed9a093 100644 --- a/libavcodec/x86/lossless_audiodsp.asm +++ b/libavcodec/x86/lossless_audiodsp.asm @@ -26,12 +26,6 @@ SECTION_TEXT ; int ff_scalarproduct_and_madd_int16(int16_t *v1, int16_t *v2, int16_t *v3, ; int order, int mul) cglobal scalarproduct_and_madd_int16, 4,4,8, v1, v2, v3, order, mul -%if mmsize == 16 - test orderq, 8 - jnz scalarproduct_and_madd_int16_fallback -%else - scalarproduct_and_madd_int16_fallback -%endif shl orderq, 1 movd m7, mulm %if mmsize == 16 @@ -123,8 +117,6 @@ align 16 ; int order, int mul) INIT_XMM ssse3 cglobal scalarproduct_and_madd_int16, 4,4,10, v1, v2, v3, order, mul - test orderq, 8 - jnz scalarproduct_and_madd_int16_fallback shl orderq, 1 movd m7, mulm pshuflw m7, m7, 0 diff --git a/libavcodec/x86/lossless_audiodsp_init.c b/libavcodec/x86/lossless_audiodsp_init.c index 4879dff1de..2c13e1e31c 100644 --- a/libavcodec/x86/lossless_audiodsp_init.c 
+++ b/libavcodec/x86/lossless_audiodsp_init.c @@ -31,6 +31,30 @@ int32_t ff_scalarproduct_and_madd_int16_ssse3(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul); +static int32_t scalarproduct_and_madd_int16_sse2(int16_t *v1, const int16_t *v2, + const int16_t *v3, + int order, int mul) +{ +#if HAVE_SSE2_EXTERNAL + if (order & 8) + return ff_scalarproduct_and_madd_int16_mmxext(v1, v2, v3, order, mul); + else + return ff_scalarproduct_and_madd_int16_sse2(v1, v2, v3, order, mul); +#endif +} + +static int32_t scalarproduct_and_madd_int16_ssse3(int16_t *v1, const int16_t *v2, + const int16_t *v3, + int order, int mul) +{ +#if HAVE_SSSE3_EXTERNAL + if (order & 8) + return ff_scalarproduct_and_madd_int16_mmxext(v1, v2, v3, order, mul); + else + return ff_scalarproduct_and_madd_int16_ssse3(v1, v2, v3, order, mul); +#endif +} + av_cold void ff_llauddsp_init_x86(LLAudDSPContext *c) { int cpu_flags = av_get_cpu_flags(); @@ -39,9 +63,9 @@ av_cold void ff_llauddsp_init_x86(LLAudDSPContext *c) c->scalarproduct_and_madd_int16 = ff_scalarproduct_and_madd_int16_mmxext; if (EXTERNAL_SSE2(cpu_flags)) - c->scalarproduct_and_madd_int16 = ff_scalarproduct_and_madd_int16_sse2; + c->scalarproduct_and_madd_int16 = scalarproduct_and_madd_int16_sse2; if (EXTERNAL_SSSE3(cpu_flags) && !(cpu_flags & (AV_CPU_FLAG_SSE42 | AV_CPU_FLAG_3DNOW))) // cachesplit - c->scalarproduct_and_madd_int16 = ff_scalarproduct_and_madd_int16_ssse3; + c->scalarproduct_and_madd_int16 = scalarproduct_and_madd_int16_ssse3; } From 09425294c97cb427137c7247cc65d2f9e166e37c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 02:31:45 +0100 Subject: [PATCH 118/700] Revert "avcodec/x86/lossless_audiodsp: Make scalarproduct_and_madd_int16 prototypes more similar" This reverts commit 3b4ffba3af968ae702e3a44f6b5f53445efc7363. Unbreaks the SSSE3 code on mingw32 Conflicts: libavcodec/x86/lossless_audiodsp.asm 
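Review bot: In libavcodec/x86/lossless_audiodsp_init.c the new wrapper scalarproduct_and_madd_int16_sse2 has its whole body inside `#if HAVE_SSE2_EXTERNAL`, so when that macro is 0 the function is declared to return `int32_t` but contains no return statement. scalarproduct_and_madd_int16_ssse3 has the same shape with `HAVE_SSSE3_EXTERNAL`. The second hunk names both wrappers in ff_llauddsp_init_x86, so they are compiled in every configuration. Moving each `#if`/`#endif` pair outside the function definition removes the empty body, provided the assignments in the init function are compiled out under the same condition.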
Signed-off-by: Michael Niedermayer (cherry picked from commit a6c2c8fe3f076d14c0170b4d1965a0dea0393b8d) Signed-off-by: Michael Niedermayer --- libavcodec/x86/lossless_audiodsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/lossless_audiodsp.asm b/libavcodec/x86/lossless_audiodsp.asm index 084ed9a093..64b769f7d4 100644 --- a/libavcodec/x86/lossless_audiodsp.asm +++ b/libavcodec/x86/lossless_audiodsp.asm @@ -116,7 +116,7 @@ align 16 ; int ff_scalarproduct_and_madd_int16(int16_t *v1, int16_t *v2, int16_t *v3, ; int order, int mul) INIT_XMM ssse3 -cglobal scalarproduct_and_madd_int16, 4,4,10, v1, v2, v3, order, mul +cglobal scalarproduct_and_madd_int16, 4,5,10, v1, v2, v3, order, mul shl orderq, 1 movd m7, mulm pshuflw m7, m7, 0 From a75787a71a4b1991b561de2859705316ec5dca1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 04:11:56 +0100 Subject: [PATCH 119/700] avcodec/h264_ps: More completely check the bit depths Fixes out of array read Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4070490e46..c2747ac84c 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -371,7 +371,8 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) "Different chroma and luma bit depth"); goto fail; } - if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 14 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 14) { av_log(h->avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; 
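Review bot: The lower bound added to the bit depth test in ff_h264_decode_seq_parameter_set (libavcodec/h264_ps.c) carries no comment, and only the commit message says it closes an out of array read. A line above the test, such as `/* depths below 8 led to an out of array read; keep both bounds */`, would stop a later cleanup from dropping the `< 8` half. The context above the test appears to reject streams whose luma and chroma depths differ; if so, the chroma half of the new condition is redundant and could be dropped or kept with a note. The function starts and ends outside the hunk.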
From eeab3e1b204582b35944bfc3ee1c28b593f083a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 15:01:17 +0100 Subject: [PATCH 120/700] avcodec/h264: Be more strict on rejecting pps_id changes Fixes race condition Signed-off-by: Michael Niedermayer (cherry picked from commit 31cc9c04ca386dce289864021982da62190982ab) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e5073089d9..438c43f613 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1515,8 +1515,8 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, continue; again: - if ( !(avctx->active_thread_type & FF_THREAD_FRAME) - || nals_needed >= nal_index) + if ( (!(avctx->active_thread_type & FF_THREAD_FRAME) || nals_needed >= nal_index) + && !h->current_slice) h->au_pps_id = -1; /* Ignore per frame NAL unit type during extradata * parsing. Decoding slices is not possible in codec init From 756d85dc144aaf124e8f37cf878d6d9237f29f0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 15:09:54 +0100 Subject: [PATCH 121/700] avcodec/h264: Be more strict on rejecting pps/sps changes Fixes race condition Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6fafc62b0bd0e206deb77a7aabbf3a370ad80789) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 53f61caa7d..d5e85c2fa2 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
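Review bot: The condition that resets `h->au_pps_id` in decode_nal_units (libavcodec/h264.c) now also depends on `!h->current_slice`, and the reason is given only in the commit message. A comment above the `if`, such as `/* forget the access unit's PPS id only before the first slice of the frame has been decoded */`, would make the intent readable at the `again:` label. The function starts and ends outside the hunk.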
@@ -1305,6 +1305,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int must_reinit; int needs_reinit = 0; int field_pic_flag, bottom_field_flag; + int first_slice = h == h0 && !h0->current_slice; + PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; h->qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab; @@ -1378,18 +1380,27 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h0->au_pps_id, pps_id); return AVERROR_INVALIDDATA; } - h->pps = *h0->pps_buffers[pps_id]; - if (!h0->sps_buffers[h->pps.sps_id]) { + pps = h0->pps_buffers[pps_id]; + + if (!h0->sps_buffers[pps->sps_id]) { av_log(h->avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return AVERROR_INVALIDDATA; } + if (first_slice) + h->pps = *h0->pps_buffers[pps_id]; - if (h->pps.sps_id != h->sps.sps_id || - h->pps.sps_id != h->current_sps_id || - h0->sps_buffers[h->pps.sps_id]->new) { + if (pps->sps_id != h->sps.sps_id || + pps->sps_id != h->current_sps_id || + h0->sps_buffers[pps->sps_id]->new) { + + if (!first_slice) { + av_log(h->avctx, AV_LOG_ERROR, + "SPS changed in the middle of the frame\n"); + return AVERROR_INVALIDDATA; + } h->sps = *h0->sps_buffers[h->pps.sps_id]; From 78c314e39e9267885e74ba9d9a98a0a74547e235 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 22:14:15 +0100 Subject: [PATCH 122/700] avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT Signed-off-by: Michael Niedermayer (cherry picked from commit a0640e63463e6428b80422c89e1bfc96147ecfc6) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 31434638db..c4596db6e3 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c 
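Review bot: In the second hunk of ff_h264_decode_slice_header (libavcodec/h264_slice.c) the "non-existing SPS %u referenced" message still prints `h->pps.sps_id`, but `h->pps` is now assigned only below that check and only when `first_slice` is set. The value logged is therefore the one left from an earlier slice, not the id that failed the lookup; the argument should be `pps->sps_id`. In the same hunk `h->pps = *h0->pps_buffers[pps_id];` can be written `h->pps = *pps;` so the buffer is looked up once. The function body continues outside the hunk.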
@@ -65,7 +65,7 @@ static int read_number(const AVOption *o, const void *dst, double *num, int *den { switch (o->type) { case AV_OPT_TYPE_FLAGS: *intnum = *(unsigned int*)dst;return 0; - case AV_OPT_TYPE_PIXEL_FMT: + case AV_OPT_TYPE_PIXEL_FMT: *intnum = *(enum AVPixelFormat *)dst;return 0; case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *intnum = *(int *)dst;return 0; case AV_OPT_TYPE_CHANNEL_LAYOUT: @@ -100,8 +100,8 @@ static int write_number(void *obj, const AVOption *o, void *dst, double num, int } switch (o->type) { + case AV_OPT_TYPE_PIXEL_FMT: *(enum AVPixelFormat *)dst = llrint(num/den) * intnum; break; case AV_OPT_TYPE_FLAGS: - case AV_OPT_TYPE_PIXEL_FMT: case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *(int *)dst= llrint(num/den)*intnum; break; case AV_OPT_TYPE_DURATION: From 137a0003779d1e355a747de08165e66edfe822dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 22:16:08 +0100 Subject: [PATCH 123/700] avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT Signed-off-by: Michael Niedermayer (cherry picked from commit 1750b45cdf7498d0a05bea29cafcb26aa576d595) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index c4596db6e3..95004ad383 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -66,7 +66,7 @@ static int read_number(const AVOption *o, const void *dst, double *num, int *den switch (o->type) { case AV_OPT_TYPE_FLAGS: *intnum = *(unsigned int*)dst;return 0; case AV_OPT_TYPE_PIXEL_FMT: *intnum = *(enum AVPixelFormat *)dst;return 0; - case AV_OPT_TYPE_SAMPLE_FMT: + case AV_OPT_TYPE_SAMPLE_FMT:*intnum = *(enum AVSampleFormat*)dst;return 0; case AV_OPT_TYPE_INT: *intnum = *(int *)dst;return 0; case AV_OPT_TYPE_CHANNEL_LAYOUT: case AV_OPT_TYPE_DURATION: 
@@ -101,8 +101,8 @@ static int write_number(void *obj, const AVOption *o, void *dst, double num, int switch (o->type) { case AV_OPT_TYPE_PIXEL_FMT: *(enum AVPixelFormat *)dst = llrint(num/den) * intnum; break; + case AV_OPT_TYPE_SAMPLE_FMT:*(enum AVSampleFormat*)dst = llrint(num/den) * intnum; break; case AV_OPT_TYPE_FLAGS: - case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *(int *)dst= llrint(num/den)*intnum; break; case AV_OPT_TYPE_DURATION: case AV_OPT_TYPE_CHANNEL_LAYOUT: From e8058269037bc9561753f65ae5f51060ac734eee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 02:06:20 +0100 Subject: [PATCH 124/700] avcodec/h264_slice: Do not change frame_num after the first slice Fixes potential race condition Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f906982c9411f3062e3ce68013309b37c213c4dd) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d5e85c2fa2..ecbba3d0ee 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1306,6 +1306,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int needs_reinit = 0; int field_pic_flag, bottom_field_flag; int first_slice = h == h0 && !h0->current_slice; + int frame_num; PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; 
@@ -1515,7 +1516,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h264_init_dequant_tables(h); } - h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); + frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); + if (!first_slice) { + if (h0->frame_num != frame_num) { + av_log(h->avctx, AV_LOG_ERROR, "Frame num change from %d to %d\n", + h0->frame_num, frame_num); + return AVERROR_INVALIDDATA; + } + } + h->frame_num = frame_num; h->mb_mbaff = 0; h->mb_aff_frame = 0; From 7997ec54c9d2d555293c3cca91b7ce64fa4b7607 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 02:22:44 +0100 Subject: [PATCH 125/700] avcodec/h264_slice: Check picture structure before setting the related fields This might fix a hypothetical race condition Signed-off-by: Michael Niedermayer (cherry picked from commit f111831ed61103f9fa8fdda41473a23da016bdaa) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index ecbba3d0ee..0120cf4460 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1306,7 +1306,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int needs_reinit = 0; int field_pic_flag, bottom_field_flag; int first_slice = h == h0 && !h0->current_slice; - int frame_num; + int frame_num, picture_structure, droppable; PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; 
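Review bot: The frame_num check added to ff_h264_decode_slice_header (libavcodec/h264_slice.c) nests two `if` statements that have no other content, which adds an indent level to the error path. A single condition, `if (!first_slice && h0->frame_num != frame_num) {`, reads more directly and keeps the log call and the `return AVERROR_INVALIDDATA;` unchanged. A short comment that `frame_num` is copied to `h->frame_num` only after the comparison would also help, since the ordering is the point of the change.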
@@ -1524,39 +1524,35 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) return AVERROR_INVALIDDATA; } } - h->frame_num = frame_num; h->mb_mbaff = 0; h->mb_aff_frame = 0; last_pic_structure = h0->picture_structure; last_pic_droppable = h0->droppable; - h->droppable = h->nal_ref_idc == 0; + droppable = h->nal_ref_idc == 0; if (h->sps.frame_mbs_only_flag) { - h->picture_structure = PICT_FRAME; + picture_structure = PICT_FRAME; } else { if (!h->sps.direct_8x8_inference_flag && slice_type == AV_PICTURE_TYPE_B) { av_log(h->avctx, AV_LOG_ERROR, "This stream was generated by a broken encoder, invalid 8x8 inference\n"); return -1; } field_pic_flag = get_bits1(&h->gb); + if (field_pic_flag) { bottom_field_flag = get_bits1(&h->gb); - h->picture_structure = PICT_TOP_FIELD + bottom_field_flag; + picture_structure = PICT_TOP_FIELD + bottom_field_flag; } else { - h->picture_structure = PICT_FRAME; + picture_structure = PICT_FRAME; h->mb_aff_frame = h->sps.mb_aff; } } - h->mb_field_decoding_flag = h->picture_structure != PICT_FRAME; - - if (h0->current_slice != 0) { - if (last_pic_structure != h->picture_structure || - last_pic_droppable != h->droppable) { + if (h0->current_slice) { + if (last_pic_structure != picture_structure || + last_pic_droppable != droppable) { av_log(h->avctx, AV_LOG_ERROR, "Changing field mode (%d -> %d) between slices is not allowed\n", last_pic_structure, h->picture_structure); - h->picture_structure = last_pic_structure; - h->droppable = last_pic_droppable; return AVERROR_INVALIDDATA; } else if (!h0->cur_pic_ptr) { av_log(h->avctx, AV_LOG_ERROR, 
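Review bot: The "Changing field mode (%d -> %d) between slices is not allowed" message in ff_h264_decode_slice_header (libavcodec/h264_slice.c) still passes `h->picture_structure` as its second argument, but after this change that field is written only after the check. The log therefore shows the context's old value instead of the value parsed from the rejected slice; the argument should be the new local, `last_pic_structure, picture_structure);`. `h->mb_aff_frame` is still written before the check in this hunk, so it is not covered by the deferral. Whether that matters depends on code outside the hunk.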
@@ -1564,7 +1560,14 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h0->current_slice + 1); return AVERROR_INVALIDDATA; } - } else { + } + + h->picture_structure = picture_structure; + h->droppable = droppable; + h->frame_num = frame_num; + h->mb_field_decoding_flag = picture_structure != PICT_FRAME; + + if (h0->current_slice == 0) { /* Shorten frame num gaps so we don't have to allocate reference * frames just to throw them away */ if (h->frame_num != h->prev_frame_num) { From b20409c6907c4e446968bb55cef1a2307f2b9683 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 03:34:48 +0100 Subject: [PATCH 126/700] avcodec/h264_slice: ignore SAR changes in slices after the first Fixes race condition and null pointer dereference Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 38d5241b7f36c1571a88517a0650caade16dd5f4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 0120cf4460..aedfa3ec11 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1431,13 +1431,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc - || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio) || h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) )); if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0))) must_reinit = 1; + if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) + must_reinit = 1; + h->mb_width = h->sps.mb_width; h->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag); h->mb_num = h->mb_width * h->mb_height; From 0cbf53bdf51623f42938ffaddb5c3fd06295995e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 03:45:14 +0100 Subject: [PATCH 127/700] avcodec/h264_slice: assert that reinit does not occur after the first slice Signed-off-by: Michael Niedermayer (cherry picked from commit 2fd9ce92af43e6dcbc8ed7c26c00b052de48ccad) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index aedfa3ec11..f03ab4ebfb 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1480,6 +1480,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) return AVERROR_INVALIDDATA; } + av_assert1(first_slice); + ff_h264_flush_change(h); if ((ret = get_pixel_format(h, 1)) < 0) From 345962121d76aaf2faf841a50577221457fb8ee0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Feb 2015 03:33:53 +0100 Subject: [PATCH 128/700] avcodec/mjpegdec: Skip blocks which are outside the visible area Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth 
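Review bot: The `av_assert1(first_slice);` added before `ff_h264_flush_change(h)` in ff_h264_decode_slice_header (libavcodec/h264_slice.c) is compiled out unless the build raises the assert level, so ordinary builds get no protection from it. The input is an untrusted bitstream, so an explicit test such as `if (!first_slice) return AVERROR_INVALIDDATA;`, with a log line, would reject a reinit after the first slice in every build. Whether `must_reinit` can still be set when `first_slice` is 0 depends on conditions that lie partly outside the hunk.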
Signed-off-by: Michael Niedermayer (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 17b6993aaa..bf674581d3 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1251,13 +1251,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; if (!s->progressive) { - if (copy_mb) - mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, - linesize[c], s->avctx->lowres); + if (copy_mb) { + if (ptr) + mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); - else { + } else { s->bdsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], @@ -1266,9 +1271,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, "error y=%d x=%d\n", mb_y, mb_x); return AVERROR_INVALIDDATA; } - s->idsp.idct_put(ptr, linesize[c], s->block); - if (s->bits & 7) - shift_output(s, ptr, linesize[c]); + if (ptr) { + s->idsp.idct_put(ptr, linesize[c], s->block); + if (s->bits & 7) + shift_output(s, ptr, linesize[c]); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + From 0f671dfeac1f8872ca2fc1fe8a424a87487d366e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Feb 2015 16:35:29 +0100 Subject: [PATCH 129/700] avcodec/arm/videodsp_armv5te: Fix linking failure with "g++ -shared -D__STDC_CONSTANT_MACROS -o test.so ... libavcodec.a" Tested-by: Andreas Haupt Signed-off-by: Michael Niedermayer (cherry picked from commit cab6302534962331753fb69c674df86a458b098d) 
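Review bot: The visibility test added in mjpeg_decode_scan (libavcodec/mjpegdec.c) compares every component's block position with `s->width` and `s->height`, and looks only at the block's top-left corner. If `h` and `v` are per-component sampling factors, as the `data[c]` and `linesize[c]` indexing suggests, a subsampled plane is smaller than the picture and the test admits blocks that lie beyond that plane. That cannot be settled from the hunk, because the loops and the plane allocation are outside it. A comment stating the units of the `8*` positions would help, and the `else` arm should be braced like the `if` arm, as `} else {`, `ptr = NULL;`, `}`.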
Signed-off-by: Michael Niedermayer --- libavcodec/arm/videodsp_armv5te.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/arm/videodsp_armv5te.S b/libavcodec/arm/videodsp_armv5te.S index 55bcce5cb6..aff1161ada 100644 --- a/libavcodec/arm/videodsp_armv5te.S +++ b/libavcodec/arm/videodsp_armv5te.S @@ -23,9 +23,10 @@ #include "libavutil/arm/asm.S" function ff_prefetch_arm, export=1 +1: subs r2, r2, #1 pld [r0] add r0, r0, r1 - bne X(ff_prefetch_arm) + bne 1b bx lr endfunc From 48ae72e50193b2bc9157acc316df323081926b12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Dec 2014 11:49:35 +0100 Subject: [PATCH 130/700] avformat/os_support: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer --- libavformat/os_support.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/os_support.c b/libavformat/os_support.c index f9d6eeaf90..7950e44889 100644 --- a/libavformat/os_support.c +++ b/libavformat/os_support.c @@ -159,9 +159,9 @@ void ff_freeaddrinfo(struct addrinfo *res) } #endif /* HAVE_WINSOCK2_H */ - av_free(res->ai_canonname); - av_free(res->ai_addr); - av_free(res); + av_freep(&res->ai_canonname); + av_freep(&res->ai_addr); + av_freep(&res); } int ff_getnameinfo(const struct sockaddr *sa, int salen, From bd78b9416d54fe0b3f4a69907420c7fa3ebc4ff8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Dec 2014 11:51:55 +0100 Subject: [PATCH 131/700] avformat/riffdec: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer --- libavformat/riffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 88e2229a77..fd3b583af2 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c 
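Review bot: In ff_freeaddrinfo (libavformat/os_support.c) `av_freep(&res)` clears only the function's own copy of the `res` parameter, so the caller's pointer is as stale as it was with `av_free(res)`. The same holds for `av_freep(&old_flv_data)` in inject_fake_duration_metadata (libavformat/rtmpproto.c), if `old_flv_data` is a local as its use suggests. The member frees (`res->ai_canonname`, `res->ai_addr`, `rt->tracked_methods`) do benefit from the change. For the two by-value cases, a comment such as `/* res is a by-value parameter; the caller's pointer is not reset */` avoids suggesting more protection than there is.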
@@ -114,7 +114,7 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) size -= 22; } if (cbSize > 0) { - av_free(codec->extradata); + av_freep(&codec->extradata); if (ff_get_extradata(codec, pb, cbSize) < 0) return AVERROR(ENOMEM); size -= cbSize; From 5262c88bb0778caf9e553a03cc887f985a336d8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Dec 2014 11:52:22 +0100 Subject: [PATCH 132/700] avformat/rtmpproto: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index ebc1628855..3d7cdaab2d 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -217,9 +217,8 @@ static void free_tracked_methods(RTMPContext *rt) int i; for (i = 0; i < rt->nb_tracked_methods; i ++) - av_free(rt->tracked_methods[i].name); - av_free(rt->tracked_methods); - rt->tracked_methods = NULL; + av_freep(&rt->tracked_methods[i].name); + av_freep(&rt->tracked_methods); rt->tracked_methods_size = 0; rt->nb_tracked_methods = 0; } @@ -2552,7 +2551,7 @@ static int inject_fake_duration_metadata(RTMPContext *rt) // Increase the size by the injected packet rt->flv_size += 55; // Delete the old FLV data - av_free(old_flv_data); + av_freep(&old_flv_data); p = rt->flv_data + 13; bytestream_put_byte(&p, FLV_TAG_TYPE_META); From c7e967a7cb0c3daabd73230889f4a5574d1640e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Feb 2015 17:38:05 +0100 Subject: [PATCH 133/700] Update for 2.5.4 Signed-off-by: Michael Niedermayer --- Changelog | 40 ++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 42 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 60eaea0216..84b98f7176 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,46 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.4: +- avcodec/arm/videodsp_armv5te: Fix linking failure with shared libs +- avcodec/mjpegdec: Skip blocks which are outside the visible area +- avcodec/h264_slice: ignore SAR changes in slices after the first +- avcodec/h264_slice: Check picture structure before setting the related fields +- avcodec/h264_slice: Do not change frame_num after the first slice +- avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT +- avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT +- avcodec/h264: Be more strict on rejecting pps/sps changes +- avcodec/h264: Be more strict on rejecting pps_id changes +- avcodec/h264_ps: More completely check the bit depths +- avformat/thp: Check av_get_packet() for failure not only for partial output +- swscale/utils: Limit filter shifting so as not to read from prior the array +- avcodec/mpegvideo_motion: Fix gmc chroma dimensions +- avcodec/mjpegdec: Check number of components for JPEG-LS +- avcodec/mjpegdec: Check escape sequence validity +- avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior +- avformat/mpc8: fix broken pointer math +- avformat/mpc8: fix hang with fuzzed file +- avformat/tta: fix crash with corrupted files +- avcodec/ppc/idctdsp.c: POWER LE support in idct_add_altivec() +- swscale/input: fix rgba64 alpha non native +- swscale/input: Fix alpha of YA16 input +- libavcodec/ppc/mpegvideoencdsp.c: fix stack smashing in pix_norm1_altivec() and pix_sum_altivec() +- avformat/rmdec: Check for overflow in ff_rm_read_mdpr_codecdata() +- avformat/mpeg: do not count PES packets inside PES packets during probing +- hevc: always clip luma_log2_weight_denom +- rtpdec_h263_rfc2190: Clear the stored bits if discarding buffered data +- aacenc: correctly check returned value +- swscale: check memory allocations +- opt: check memory allocation +- avformat/utils: 
check for malloc failure +- avcodec/flac_parser: fix handling EOF if no headers are found +- avfilter/vf_framepack: Check and update frame_rate +- vp8: improve memory allocation checks +- configure: enable vsx together with altivec for ppc64el +- avcodec/hevc: Fix handling of skipped_bytes() reallocation failures +- qpeg: avoid pointless invalid memcpy() + + version 2.5.3: - vp9: fix parser return values in error case - ffmpeg: Clear error message array at init. diff --git a/RELEASE b/RELEASE index aedc15bb0c..fe16b348d9 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.3 +2.5.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4138903697..3426b975a3 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.3 +PROJECT_NUMBER = 2.5.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 2a6d16ba5f84fc13a1ad6c718ec08ee42639dc79 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 31 Dec 2014 02:15:08 -0300 Subject: [PATCH 134/700] x86/swr: add missing alignment check to pack_6ch functions Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 5f14f9e9849579b3418aebfde8a162d9c172d0ea) --- libswresample/x86/audio_convert.asm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswresample/x86/audio_convert.asm b/libswresample/x86/audio_convert.asm index 57d3a8951f..9bccf3f842 100644 --- a/libswresample/x86/audio_convert.asm +++ b/libswresample/x86/audio_convert.asm 
@@ -221,6 +221,8 @@ cglobal pack_6ch_%2_to_%1_%3, 2,8,7, dst, src, src1, src2, src3, src4, src5, len jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test srcq, mmsize-1 jne pack_6ch_%2_to_%1_u_int %+ SUFFIX + test src1q, mmsize-1 + jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test src2q, mmsize-1 jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test src3q, mmsize-1 From 9bc62da980336ad01495efbcae248aacdd0b831e Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 12 Jan 2015 13:48:52 -0300 Subject: [PATCH 135/700] avutil/opencl: don't include config.h It's not an installed header. Tested-by: Thilo Borgmann Tested-by: Wei Gao Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 3aaff803489af21011b8cf03847e17b29643c922) --- configure | 2 -- libavutil/opencl.h | 7 +++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/configure b/configure index b0da05f6a3..8e0119306d 100755 --- a/configure +++ b/configure @@ -1635,7 +1635,6 @@ HEADERS_LIST=" asm_types_h cdio_paranoia_h cdio_paranoia_paranoia_h - CL_cl_h dev_bktr_ioctl_bt848_h dev_bktr_ioctl_meteor_h dev_ic_bt8xx_h @@ -4756,7 +4755,6 @@ check_func_headers glob.h glob enabled xlib && check_func_headers "X11/Xlib.h X11/extensions/Xvlib.h" XvGetPortAttribute -lXv -lX11 -lXext -check_header cl/cl.h check_header direct.h check_header dlfcn.h check_header dxva.h diff --git a/libavutil/opencl.h b/libavutil/opencl.h index 4655cba552..0b7b8d4764 100644 --- a/libavutil/opencl.h +++ b/libavutil/opencl.h @@ -32,11 +32,10 @@ #ifndef LIBAVUTIL_OPENCL_H #define LIBAVUTIL_OPENCL_H -#include "config.h" -#if HAVE_CL_CL_H -#include -#else +#ifdef __APPLE__ #include +#else +#include #endif #include #include "dict.h" From ee902d3d2d78b1aed7d1c562d58128b450a54b02 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 6 Feb 2015 03:46:43 -0300 Subject: [PATCH 136/700] x86/lossless_audiodsp: fix compilation with --disable-yasm Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer (cherry picked from commit 383fddeec65f4cebcb197eae702dfefdc6192eb0) Found-by: jamrial Signed-off-by: Michael Niedermayer --- libavcodec/x86/lossless_audiodsp_init.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/lossless_audiodsp_init.c b/libavcodec/x86/lossless_audiodsp_init.c index 2c13e1e31c..da1e9e8efc 100644 --- a/libavcodec/x86/lossless_audiodsp_init.c +++ b/libavcodec/x86/lossless_audiodsp_init.c @@ -31,32 +31,31 @@ int32_t ff_scalarproduct_and_madd_int16_ssse3(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul); +#if HAVE_YASM static int32_t scalarproduct_and_madd_int16_sse2(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { -#if HAVE_SSE2_EXTERNAL if (order & 8) return ff_scalarproduct_and_madd_int16_mmxext(v1, v2, v3, order, mul); else return ff_scalarproduct_and_madd_int16_sse2(v1, v2, v3, order, mul); -#endif } static int32_t scalarproduct_and_madd_int16_ssse3(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { -#if HAVE_SSSE3_EXTERNAL if (order & 8) return ff_scalarproduct_and_madd_int16_mmxext(v1, v2, v3, order, mul); else return ff_scalarproduct_and_madd_int16_ssse3(v1, v2, v3, order, mul); -#endif } +#endif av_cold void ff_llauddsp_init_x86(LLAudDSPContext *c) { +#if HAVE_YASM int cpu_flags = av_get_cpu_flags(); if (EXTERNAL_MMXEXT(cpu_flags)) @@ -68,4 +67,5 @@ av_cold void ff_llauddsp_init_x86(LLAudDSPContext *c) if (EXTERNAL_SSSE3(cpu_flags) && !(cpu_flags & (AV_CPU_FLAG_SSE42 | AV_CPU_FLAG_3DNOW))) // cachesplit c->scalarproduct_and_madd_int16 = scalarproduct_and_madd_int16_ssse3; +#endif } From 3429714f3d046f4e2235848a60b6f63bd084e01f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Feb 2015 14:27:51 +0100 Subject: [PATCH 137/700] avfilter/dctdnoiz: fix slice_h computation ceilf() can only work if the reminder of the division is not 0. This fixes memory errors with for instance: ffmpeg -f lavfi -i testsrc=s=800x500 -threads 3 -vf dctdnoiz -frames:v 1 -f null - (cherry picked from commit eb7efaa9244720c5f2051d76d76faeec864eca7a) --- libavfilter/vf_dctdnoiz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index a9017b1f1c..7246b01d0b 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -534,7 +534,7 @@ static int config_input(AVFilterLink *inlink) /* each slice will need to (pre & re)process the top and bottom block of * the previous one in in addition to its processing area. This is because * each pixel is averaged by all the surrounding blocks */ - slice_h = (int)ceilf(s->pr_height / s->nb_threads) + (s->bsize - 1) * 2; + slice_h = (int)ceilf(s->pr_height / (float)s->nb_threads) + (s->bsize - 1) * 2; for (i = 0; i < s->nb_threads; i++) { s->slices[i] = av_malloc_array(linesize, slice_h * sizeof(*s->slices[i])); if (!s->slices[i]) From e5cc73e0a589e8f12e40e09d2453d86a297a834e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 16 Feb 2015 17:23:34 +0100 Subject: [PATCH 138/700] avcodec/gif: fix off by one in column offsetting finding (cherry picked from commit f9240ec01abb097263fe578d2b6fb076bb7b9263) --- libavcodec/gif.c | 4 ++-- tests/ref/fate/gifenc-bgr8 | 10 +++++----- tests/ref/fate/gifenc-rgb8 | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/gif.c b/libavcodec/gif.c index 27d054e512..def1b83e9d 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c 
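Review bot: The slice height in config_input (libavfilter/vf_dctdnoiz.c) can be computed without floating point, as `slice_h = (s->pr_height + s->nb_threads - 1) / s->nb_threads + (s->bsize - 1) * 2;`. For positive integer operands this gives the same rounded-up quotient as `ceilf()` on the `(float)` cast, without the int-to-float-to-int round trip. slice_h sizes the `av_malloc_array()` buffers in the loop that follows, so an exact value matters here. config_input starts and ends outside the hunk.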
@@ -105,7 +105,7 @@ static int gif_image_write_image(AVCodecContext *avctx, /* skip common columns */ while (x_start < x_end) { int same_column = 1; - for (y = y_start; y < y_end; y++) { + for (y = y_start; y <= y_end; y++) { if (ref[y*ref_linesize + x_start] != buf[y*linesize + x_start]) { same_column = 0; break; @@ -117,7 +117,7 @@ static int gif_image_write_image(AVCodecContext *avctx, } while (x_end > x_start) { int same_column = 1; - for (y = y_start; y < y_end; y++) { + for (y = y_start; y <= y_end; y++) { if (ref[y*ref_linesize + x_end] != buf[y*linesize + x_end]) { same_column = 0; break; diff --git a/tests/ref/fate/gifenc-bgr8 b/tests/ref/fate/gifenc-bgr8 index 9f4a593f4d..f3b7772785 100644 --- a/tests/ref/fate/gifenc-bgr8 +++ b/tests/ref/fate/gifenc-bgr8 @@ -35,15 +35,15 @@ 0, 33, 33, 1, 4295, 0xf71b0b38, S=1, 1024, 0xf351799f 0, 34, 34, 1, 2044, 0x5adcb93b, S=1, 1024, 0xf351799f 0, 35, 35, 1, 3212, 0xcf79eeed, S=1, 1024, 0xf351799f -0, 36, 36, 1, 2281, 0x68464d30, S=1, 1024, 0xf351799f +0, 36, 36, 1, 2292, 0xb4386334, S=1, 1024, 0xf351799f 0, 37, 37, 1, 3633, 0x0010992f, S=1, 1024, 0xf351799f 0, 38, 38, 1, 3552, 0x23697490, S=1, 1024, 0xf351799f 0, 39, 39, 1, 3690, 0x62afdbb8, S=1, 1024, 0xf351799f -0, 40, 40, 1, 1558, 0x7a13e53b, S=1, 1024, 0xf351799f -0, 41, 41, 1, 940, 0xb1b6cba2, S=1, 1024, 0xf351799f +0, 40, 40, 1, 1559, 0x5baef54a, S=1, 1024, 0xf351799f +0, 41, 41, 1, 954, 0xca75ca79, S=1, 1024, 0xf351799f 0, 42, 42, 1, 273, 0x3687799b, S=1, 1024, 0xf351799f 0, 43, 43, 1, 930, 0x29f3b0c4, S=1, 1024, 0xf351799f -0, 44, 44, 1, 271, 0xe7af807c, S=1, 1024, 0xf351799f +0, 44, 44, 1, 271, 0x305e8094, S=1, 1024, 0xf351799f 0, 45, 45, 1, 196, 0xf5ab51ee, S=1, 1024, 0xf351799f 0, 46, 46, 1, 4299, 0x67ec0d55, S=1, 1024, 0xf351799f 0, 47, 47, 1, 4895, 0xb394406c, S=1, 1024, 0xf351799f 
@@ -56,7 +56,7 @@ 0, 54, 54, 1, 5179, 0x860fc6a1, S=1, 1024, 0xf351799f 0, 55, 55, 1, 5046, 0xce9183d3, S=1, 1024, 0xf351799f 0, 56, 56, 1, 5140, 0xa6d7b9af, S=1, 1024, 0xf351799f -0, 57, 57, 1, 4289, 0xb415f717, S=1, 1024, 0xf351799f +0, 57, 57, 1, 4301, 0x03b6ef3f, S=1, 1024, 0xf351799f 0, 58, 58, 1, 5079, 0xa8d59e01, S=1, 1024, 0xf351799f 0, 59, 59, 1, 5284, 0xea34e3b3, S=1, 1024, 0xf351799f 0, 60, 60, 1, 5426, 0x556a15cd, S=1, 1024, 0xf351799f diff --git a/tests/ref/fate/gifenc-rgb8 b/tests/ref/fate/gifenc-rgb8 index a894173225..d1a990d07e 100644 --- a/tests/ref/fate/gifenc-rgb8 +++ b/tests/ref/fate/gifenc-rgb8 @@ -35,15 +35,15 @@ 0, 33, 33, 1, 4295, 0xc1850a80, S=1, 1024, 0xcfc8799f 0, 34, 34, 1, 2044, 0x0440c072, S=1, 1024, 0xcfc8799f 0, 35, 35, 1, 3212, 0xe91af08f, S=1, 1024, 0xcfc8799f -0, 36, 36, 1, 2281, 0x6a414aa1, S=1, 1024, 0xcfc8799f +0, 36, 36, 1, 2292, 0x6765633e, S=1, 1024, 0xcfc8799f 0, 37, 37, 1, 3633, 0xac779aa3, S=1, 1024, 0xcfc8799f 0, 38, 38, 1, 3552, 0xed2c75b2, S=1, 1024, 0xcfc8799f 0, 39, 39, 1, 3690, 0x2020dd0d, S=1, 1024, 0xcfc8799f -0, 40, 40, 1, 1558, 0x2c14e4b2, S=1, 1024, 0xcfc8799f -0, 41, 41, 1, 940, 0x4927cd90, S=1, 1024, 0xcfc8799f +0, 40, 40, 1, 1559, 0x596ef330, S=1, 1024, 0xcfc8799f +0, 41, 41, 1, 954, 0xac12c9c5, S=1, 1024, 0xcfc8799f 0, 42, 42, 1, 273, 0x138c7831, S=1, 1024, 0xcfc8799f 0, 43, 43, 1, 930, 0xf1c3ae3f, S=1, 1024, 0xcfc8799f -0, 44, 44, 1, 271, 0x6d338044, S=1, 1024, 0xcfc8799f +0, 44, 44, 1, 271, 0x921a80af, S=1, 1024, 0xcfc8799f 0, 45, 45, 1, 196, 0xa5de5322, S=1, 1024, 0xcfc8799f 0, 46, 46, 1, 4299, 0x5bac0d86, S=1, 1024, 0xcfc8799f 0, 47, 47, 1, 4895, 0xc43639a6, S=1, 1024, 0xcfc8799f 
@@ -56,7 +56,7 @@ 0, 54, 54, 1, 5179, 0x97aac3a1, S=1, 1024, 0xcfc8799f 0, 55, 55, 1, 5046, 0x836a80cd, S=1, 1024, 0xcfc8799f 0, 56, 56, 1, 5140, 0xa725c1e7, S=1, 1024, 0xcfc8799f -0, 57, 57, 1, 4289, 0x7b3afbc0, S=1, 1024, 0xcfc8799f +0, 57, 57, 1, 4301, 0x0203f239, S=1, 1024, 0xcfc8799f 0, 58, 58, 1, 5079, 0xb2e7a2de, S=1, 1024, 0xcfc8799f 0, 59, 59, 1, 5284, 0xb757dfe1, S=1, 1024, 0xcfc8799f 0, 60, 60, 1, 5426, 0xf9f11e57, S=1, 1024, 0xcfc8799f From d0aa3d13facbcbfa788d19de8211659e14418d09 Mon Sep 17 00:00:00 2001 From: Srikanth G Date: Wed, 4 Mar 2015 18:48:54 -0600 Subject: [PATCH 139/700] avutil/opencl: is_compiled flag not being cleared in av_opencl_uninit When OpenCL kernels are compiled, is_compiled flag is being set for each kernel. But, in opencl uninit, this flag is not being cleared. This causes an error when an OpenCL kernel is tried on different OpenCL devices on same platform. Here is the patch with a fix Reviewed-by; Wei Gao Signed-off-by: Michael Niedermayer (cherry picked from commit 0f2359b86926ed33da4bd64ca76d84d03d5ad380) --- libavutil/opencl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/opencl.c b/libavutil/opencl.c index 36cb6fe81d..a3866cae1d 100644 --- a/libavutil/opencl.c +++ b/libavutil/opencl.c @@ -611,6 +611,9 @@ void av_opencl_uninit(void) } opencl_ctx.context = NULL; } + for (i = 0; i < opencl_ctx.kernel_code_count; i++) { + opencl_ctx.kernel_code[i].is_compiled = 0; + } free_device_list(&opencl_ctx.device_list); end: if (opencl_ctx.init_count <= 0) From 79c9d9b1343284007babe5db4f62ed3847408bcf Mon Sep 17 00:00:00 2001 
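Review bot: The loop added to av_opencl_uninit() uses `i`, and no declaration of `i` is visible in the hunk. The function's opening lines are outside it, so whether one exists cannot be confirmed from here. Patch 140 on this page reverts the change with the remark "Fixed build with opencl enabled", which is consistent with a missing declaration. If the reset of `is_compiled` is reintroduced, declare the index at the top of the function, e.g. `int i;`, and build with OpenCL enabled before cherry-picking to a release branch.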
From: Michael Niedermayer Date: Sat, 7 Mar 2015 09:59:27 +0100 Subject: [PATCH 140/700] Revert "avutil/opencl: is_compiled flag not being cleared in av_opencl_uninit" Fixed build with opencl enabled Found-by: WJ Liu This reverts commit 0f2359b86926ed33da4bd64ca76d84d03d5ad380. (cherry picked from commit ebd59d271c24601e08c3569681b129cd27bf4070) --- libavutil/opencl.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavutil/opencl.c b/libavutil/opencl.c index a3866cae1d..36cb6fe81d 100644 --- a/libavutil/opencl.c +++ b/libavutil/opencl.c @@ -611,9 +611,6 @@ void av_opencl_uninit(void) } opencl_ctx.context = NULL; } - for (i = 0; i < opencl_ctx.kernel_code_count; i++) { - opencl_ctx.kernel_code[i].is_compiled = 0; - } free_device_list(&opencl_ctx.device_list); end: if (opencl_ctx.init_count <= 0) From 1456ed2dd55e0ceece13dbca98d8189513ae25b5 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 13 Mar 2015 08:49:03 +0100 Subject: [PATCH 141/700] lavf: Do not list mov-only codecs in riff.c. Instead check for all mov code-points when demuxing avi and print a warning if a video codec is found like this. Fixes ticket #4307. (cherry picked from commit 2e0b5f5c90a4bc1440703ba5e8bf7139ff42f367) Conflicts: libavformat/riff.c --- libavformat/avidec.c | 7 +++++++ libavformat/riff.c | 1 - 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 78a6deae7d..032731dc4d 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -36,6 +36,7 @@ #include "riff.h" #include "libavcodec/bytestream.h" #include "libavcodec/exif.h" +#include "libavformat/isom.h" typedef struct AVIStream { int64_t frame_offset; /* current frame (video) or byte (audio) counter 
@@ -771,6 +772,12 @@ static int avi_read_header(AVFormatContext *s) st->codec->codec_tag = tag1; st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag1); + if (!st->codec->codec_id) { + st->codec->codec_id = ff_codec_get_id(ff_codec_movvideo_tags, + tag1); + if (st->codec->codec_id) + av_log(s, AV_LOG_WARNING, "mov tag found in avi\n"); + } /* This is needed to get the pict type which is necessary * for generating correct pts. */ st->need_parsing = AVSTREAM_PARSE_HEADERS; diff --git a/libavformat/riff.c b/libavformat/riff.c index 8d7b1c2c61..c63e406be4 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -362,7 +362,6 @@ const AVCodecTag ff_codec_bmp_tags[] = { { AV_CODEC_ID_G2M, MKTAG('G', '2', 'M', '4') }, { AV_CODEC_ID_G2M, MKTAG('G', '2', 'M', '5') }, { AV_CODEC_ID_FIC, MKTAG('F', 'I', 'C', 'V') }, - { AV_CODEC_ID_PRORES, MKTAG('A', 'P', 'C', 'N') }, { AV_CODEC_ID_NONE, 0 } }; From 303ecfc373a5c03434b934e44014daae30dc7a5b Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Fri, 20 Feb 2015 09:30:04 -0600 Subject: [PATCH 142/700] wtvdec: fix integer overflow resulting in errors with large files This fixes a regression in 9fbc613f0df1628e7e78bca791fa8833846f8210 Signed-off-by: Michael Niedermayer (cherry picked from commit 62e95757d5749e578b2abd407e3009d15a85adb0) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 4009964824..a73e0bab06 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -965,7 +965,7 @@ static int read_header(AVFormatContext *s) uint8_t root[WTV_SECTOR_SIZE]; AVIOContext *pb; int64_t timeline_pos; - int ret; + int64_t ret; wtv->epoch = wtv->pts = From c7565b143c44af15025e0a4a8d6f57f89ba6840a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 19:29:12 +0100 Subject: [PATCH 143/700] avformat/asfdec: Use 64bit ret to avoid overflow 
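Review bot: The fallback added in avi_read_header() lets any tag in `ff_codec_movvideo_tags` select a decoder for an AVI stream, but the warning does not say which tag triggered it. Logging the value makes the message usable when triaging malformed files: `av_log(s, AV_LOG_WARNING, "mov tag 0x%x found in avi\n", tag1);`. The declaration of `tag1` is outside the hunk, so adjust the conversion to its type. The fallback also widens the set of codecs an AVI file can reach beyond `ff_codec_bmp_tags`, which deserves a short comment above the new `if`.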
Signed-off-by: Michael Niedermayer (cherry picked from commit d4936d28a11fac6c9c4b4df9625185f93b086986) Signed-off-by: Michael Niedermayer --- libavformat/asfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 7f7bb4d5d4..ffd9591edd 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -1484,7 +1484,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) ff_asf_guid g; ASFContext *asf = s->priv_data; int64_t current_pos = avio_tell(s->pb); - int ret = 0; + int64_t ret; if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) { return ret; @@ -1554,7 +1554,7 @@ static int asf_read_seek(AVFormatContext *s, int stream_index, /* Try using the protocol's read_seek if available */ if (s->pb) { - int ret = avio_seek_time(s->pb, stream_index, pts, flags); + int64_t ret = avio_seek_time(s->pb, stream_index, pts, flags); if (ret >= 0) asf_reset_header(s); if (ret != AVERROR(ENOSYS)) From 7fe22c3fe62df36f5f9f3a5c0792d294f29fb3b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 19:31:10 +0100 Subject: [PATCH 144/700] avformat/apngdec: Use 64bit ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 0e3d6e17dea758fdb7d0adfc57f7655551ab32b3) Signed-off-by: Michael Niedermayer --- libavformat/apngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index 5e7a4a1150..a0a475a350 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -321,7 +321,7 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket static int apng_read_packet(AVFormatContext *s, AVPacket *pkt) { APNGDemuxContext *ctx = s->priv_data; - int ret; + int64_t ret; int64_t size; AVIOContext *pb = s->pb; uint32_t len, tag; From 5a829ee69e23d87cbd5359c3e80c585f99c46ab5 Mon Sep 17 00:00:00 2001 
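Review bot: In asf_read_seek() `ret` now holds the full 64-bit result of avio_seek_time(), but the function still returns `int`. A `return ret;` after the `if (ret != AVERROR(ENOSYS))` line would therefore narrow a successful value above INT_MAX to an arbitrary, possibly negative, int. That statement is outside the hunk, so this is inferred; if it is there, return a normalized status instead, e.g. `return ret < 0 ? (int)ret : 0;`. The same check applies to the other "64bit ret" patches in this series (wtvdec, apngdec, idcin, gxf, mvdec, vqf, omadec), whose functions also return `int` and whose return statements are mostly outside their hunks.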
From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:13:06 +0100 Subject: [PATCH 145/700] avformat/idcin: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit d1923d15a3544cbb94563a59e7169291db76b312) Signed-off-by: Michael Niedermayer --- libavformat/idcin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index d7a46a17fd..4e455bfcee 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -359,7 +359,7 @@ static int idcin_read_seek(AVFormatContext *s, int stream_index, IdcinDemuxContext *idcin = s->priv_data; if (idcin->first_pkt_pos > 0) { - int ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); + int64_t ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, s->streams[idcin->video_stream_index], 0); From 727730e27978d785b076d7bae7b8fcf4dc6c68ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:14:56 +0100 Subject: [PATCH 146/700] avformat/gxf: Use 64bit for res to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 6c624f00a8..d9b629d7de 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -560,7 +560,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; From 4ef32aa2a69c13c326d1926a6aced3cb11e742f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:38:14 +0100 Subject: [PATCH 147/700] avformat/apngdec: Use 64bit for ret to avoid overflow Missed this hunk in first commit 
Signed-off-by: Michael Niedermayer (cherry picked from commit 80a851aa5ef2c848449f741365968c8f0ccf4531) Signed-off-by: Michael Niedermayer --- libavformat/apngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index a0a475a350..6deff3b66b 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -150,7 +150,8 @@ static int apng_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; uint32_t len, tag; AVStream *st; - int ret = AVERROR_INVALIDDATA, acTL_found = 0; + int acTL_found = 0; + int64_t ret = AVERROR_INVALIDDATA; /* verify PNGSIG */ if (avio_rb64(pb) != PNGSIG) From 96807933d8a9d3fe4348a8e3d58ee2ea730fe455 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:41:35 +0100 Subject: [PATCH 148/700] avformat/mvdec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 26c0cc154e06cb0064b3a3da49447ac44d82444f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index c8a5ebf119..7aa6452f66 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -408,7 +408,7 @@ static int mv_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVStream *st = avctx->streams[mv->stream_index]; const AVIndexEntry *index; int frame = mv->frame[mv->stream_index]; - int ret; + int64_t ret; uint64_t pos; if (frame < st->nb_index_entries) { From 6faf18acbd520cae62f07dcab1d3fd0f1863e820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:57:31 +0100 Subject: [PATCH 149/700] avformat/wtvdec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit d44e0d8b930732a4a247b4884d75cf62b4ad3664) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index a73e0bab06..2a65ec2374 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -767,7 +767,7 @@ static int recover(WtvContext *wtv, uint64_t broken_pos) int i; for (i = 0; i < wtv->nb_index_entries; i++) { if (wtv->index_entries[i].pos > broken_pos) { - int ret = avio_seek(pb, wtv->index_entries[i].pos, SEEK_SET); + int64_t ret = avio_seek(pb, wtv->index_entries[i].pos, SEEK_SET); if (ret < 0) return ret; wtv->pts = wtv->index_entries[i].timestamp; From a2cfb784fb080935fb4b37343dce2fbdf7c81302 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:00:57 +0100 Subject: [PATCH 150/700] avformat/vqf: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 15e8246432..a8a639d8dc 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -261,7 +261,7 @@ static int vqf_read_seek(AVFormatContext *s, { VqfContext *c = s->priv_data; AVStream *st; - int ret; + int64_t ret; int64_t pos; st = s->streams[stream_index]; From 4f694182e0c896c8bc7b11225c6caab19ba86e1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:01:54 +0100 Subject: [PATCH 151/700] avformat/omadec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 0f55bc29d41585d110b126cb4ed4b395fd46d7ac) Signed-off-by: Michael Niedermayer --- libavformat/omadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 42954130bc..7cf1e1a4b2 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
@@ -464,7 +464,7 @@ static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { OMAContext *oc = s->priv_data; - int err = ff_pcm_read_seek(s, stream_index, timestamp, flags); + int64_t err = ff_pcm_read_seek(s, stream_index, timestamp, flags); if (!oc->encrypted) return err; From 84341627d795a330cd9edf291b6d62e5cea383e0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Feb 2015 13:06:49 +0100 Subject: [PATCH 152/700] h264: initialize H264Context.avctx in init_thread_copy This prevents using a wrong (first thread's) AVCodecContext if decoding a frame in the first pass over all threads fails. (cherry picked from commit a06b0b1295c51d100101e0ca0434e199ad6de6b5) Conflicts: libavcodec/h264.c Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 438c43f613..ac8adf3b11 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -727,6 +727,7 @@ static int decode_init_thread_copy(AVCodecContext *avctx) memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); + h->avctx = avctx; h->rbsp_buffer[0] = NULL; h->rbsp_buffer[1] = NULL; h->rbsp_buffer_size[0] = 0; From cb1c9294f3c20622effb63593822ce3be3fc0436 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 19 Feb 2015 16:25:29 +0100 Subject: [PATCH 153/700] avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch by Francisco Blas Izquierdo Riera Commit message partly taken from carl fixes a compilation error in mlpdsp_init.c with -fstack-check and some gcc compilers (I reproduced the issue with gcc 4.7.3) by simplifying the code. See also https://bugs.gentoo.org/show_bug.cgi?id=471756 $ make libavcodec/x86/mlpdsp_init.o libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’: libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in class ‘GENERAL_REGS’ while reloading ‘asm’ libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible constraints 4551 -> 4509 dezicycles Reviewed-by: Ramiro Polla Signed-off-by: Michael Niedermayer (cherry picked from commit 03f39fbb2a558153a3c464edec1378d637a755fe) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mlpdsp_init.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/mlpdsp_init.c b/libavcodec/x86/mlpdsp_init.c index dc0bc585c7..e9d9b1bf18 100644 --- a/libavcodec/x86/mlpdsp_init.c +++ b/libavcodec/x86/mlpdsp_init.c @@ -148,8 +148,8 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, FIRMUL (ff_mlp_firorder_6, 0x14 ) FIRMUL (ff_mlp_firorder_5, 0x10 ) FIRMUL (ff_mlp_firorder_4, 0x0c ) - FIRMULREG(ff_mlp_firorder_3, 0x08,10) - FIRMULREG(ff_mlp_firorder_2, 0x04, 9) + FIRMUL (ff_mlp_firorder_3, 0x08 ) + FIRMUL (ff_mlp_firorder_2, 0x04 ) FIRMULREG(ff_mlp_firorder_1, 0x00, 8) LABEL_MANGLE(ff_mlp_firorder_0)":\n\t" "jmp *%6 \n\t" 
@@ -178,8 +178,6 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, : /* 4*/"r"((x86_reg)mask), /* 5*/"r"(firjump), /* 6*/"r"(iirjump) , /* 7*/"c"(filter_shift) , /* 8*/"r"((int64_t)coeff[0]) - , /* 9*/"r"((int64_t)coeff[1]) - , /*10*/"r"((int64_t)coeff[2]) : "rax", "rdx", "rsi" #else /* ARCH_X86_32 */ /* 3*/"+m"(blocksize) From 99d2d1404c7daeac5f4c0495a44eabcc86a386e6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:43:30 +0100 Subject: [PATCH 154/700] avcodec/a64multienc: use av_frame_ref instead of copying the frame This fixes freeing the frame buffer twice on cleanup leading to a crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 39e4ed7c1d8d840be47f6d604704d47a59a9ae5d) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index fc00d3fc62..60644a2644 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -317,7 +317,9 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { /* fill up mc_meta_charset with data until lifetime exceeds */ if (c->mc_frame_counter < c->mc_lifetime) { - *p = *pict; + ret = av_frame_ref(p, pict); + if (ret < 0) + return ret; p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter); From 804e1e1610528ac8cbe9dec389e14eabde359997 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Feb 2015 01:21:30 +0100 Subject: [PATCH 155/700] avcodec/a64multienc: don't set incorrect packet size This fixes invalid reads of the packet buffer in av_dup_packet Based on patch by Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d96142e9af92ded84f2580620c571ab96c4bb657) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
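Review bot: `av_frame_ref(p, pict)` in a64multi_encode_frame() takes a new reference into `p` on each call without releasing the one taken for the previous frame, and av_frame_ref() expects a destination that holds no references. If `p` is the long-lived frame the encoder keeps between calls (its declaration is outside the hunk), the earlier buffers stay referenced and are leaked. Adding `av_frame_unref(p);` immediately before the `av_frame_ref()` call avoids that. The function body starts and ends outside the hunk.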
diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 60644a2644..889e8eb670 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -336,8 +336,8 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, req_size = 0; /* any frames to encode? */ if (c->mc_lifetime) { - req_size = charset_size + c->mc_lifetime*(screen_size + colram_size); - if ((ret = ff_alloc_packet2(avctx, pkt, req_size)) < 0) + int alloc_size = charset_size + c->mc_lifetime*(screen_size + colram_size); + if ((ret = ff_alloc_packet2(avctx, pkt, alloc_size)) < 0) return ret; buf = pkt->data; @@ -353,6 +353,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, /* advance pointers */ buf += charset_size; + req_size += charset_size; } /* write x frames to buf */ From 2ed0a77b7beceae1b75a1e02a81b6241c048e166 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:47:50 +0100 Subject: [PATCH 156/700] avcodec/a64multienc: initialize mc_meta_charset to zero This fixes the use of uninitialized values in avpriv_do_elbg. Signed-off-by: Michael Niedermayer (cherry picked from commit ab759f8f4a3f7178361e32ab719e6bc49d8afecb) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 889e8eb670..9f3bc0d64d 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -220,7 +220,7 @@ static av_cold int a64multi_encode_init(AVCodecContext *avctx) a64_palette[mc_colors[a]][2] * 0.11; } - if (!(c->mc_meta_charset = av_malloc_array(c->mc_lifetime, 32000 * sizeof(int))) || + if (!(c->mc_meta_charset = av_mallocz_array(c->mc_lifetime, 32000 * sizeof(int))) || !(c->mc_best_cb = av_malloc(CHARSET_CHARS * 32 * sizeof(int))) || !(c->mc_charmap = av_mallocz_array(c->mc_lifetime, 1000 * sizeof(int))) || !(c->mc_colram = av_mallocz(CHARSET_CHARS * sizeof(uint8_t))) || 
From 9783f9fb98a77eebde7a6ee9284bbff2a3e10df5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:48:38 +0100 Subject: [PATCH 157/700] avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop Averaging over 2 pixels doesn't work correctly for the last pixel, because the rest of the buffer is not initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 9f3bc0d64d..d54b37e222 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -78,9 +78,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } From 99d58a0da45283fa6f6d135129b9c1166386b5a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Feb 2015 00:55:13 +0100 Subject: [PATCH 158/700] avcodec/a64multienc: simplify frame handling code This also fixes a memleak Signed-off-by: Michael Niedermayer (cherry picked from commit 4da351ff0cff460db2110cf22f2e3eded8733a58) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index d54b37e222..34e5b2dc99 100644 
--- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -65,7 +65,7 @@ static const int mc_colors[5]={0x0,0xb,0xc,0xf,0x1}; //static const int mc_colors[5]={0x0,0x8,0xa,0xf,0x7}; //static const int mc_colors[5]={0x0,0x9,0x8,0xa,0x3}; -static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) +static void to_meta_with_crop(AVCodecContext *avctx, const AVFrame *p, int *dest) { int blockx, blocky, x, y; int luma = 0; @@ -190,7 +190,6 @@ static void render_charset(AVCodecContext *avctx, uint8_t *charset, static av_cold int a64multi_close_encoder(AVCodecContext *avctx) { A64Context *c = avctx->priv_data; - av_frame_free(&avctx->coded_frame); av_freep(&c->mc_meta_charset); av_freep(&c->mc_best_cb); av_freep(&c->mc_charset); @@ -242,14 +241,6 @@ static av_cold int a64multi_encode_init(AVCodecContext *avctx) AV_WB32(avctx->extradata, c->mc_lifetime); AV_WB32(avctx->extradata + 16, INTERLACED); - avctx->coded_frame = av_frame_alloc(); - if (!avctx->coded_frame) { - a64multi_close_encoder(avctx); - return AVERROR(ENOMEM); - } - - avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; - avctx->coded_frame->key_frame = 1; if (!avctx->codec_tag) avctx->codec_tag = AV_RL32("a64m"); @@ -274,10 +265,9 @@ static void a64_compress_colram(unsigned char *buf, int *charmap, uint8_t *colra } static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, - const AVFrame *pict, int *got_packet) + const AVFrame *p, int *got_packet) { A64Context *c = avctx->priv_data; - AVFrame *const p = avctx->coded_frame; int frame; int x, y; @@ -308,7 +298,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } /* no data, means end encoding asap */ - if (!pict) { + if (!p) { /* all done, end encoding */ if (!c->mc_lifetime) return 0; /* no more frames in queue, prepare to flush remaining frames */ 
@@ -321,15 +311,10 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { /* fill up mc_meta_charset with data until lifetime exceeds */ if (c->mc_frame_counter < c->mc_lifetime) { - ret = av_frame_ref(p, pict); - if (ret < 0) - return ret; - p->pict_type = AV_PICTURE_TYPE_I; - p->key_frame = 1; to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter); c->mc_frame_counter++; if (c->next_pts == AV_NOPTS_VALUE) - c->next_pts = pict->pts; + c->next_pts = p->pts; /* lifetime is not reached so wait for next frame first */ return 0; } From 728051d9b10790b1fa3eafafe4f3f179df09301d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Feb 2015 01:58:11 +0100 Subject: [PATCH 159/700] avcodec/a64multienc: Assert that the Packet size does not grow Signed-off-by: Michael Niedermayer (cherry picked from commit 29bbc1be488ea4fc591d3e0ef12f0fc7c8812afb) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 34e5b2dc99..0d926672f6 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -28,6 +28,7 @@ #include "a64tables.h" #include "elbg.h" #include "internal.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" @@ -379,6 +380,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->pts = pkt->dts = c->next_pts; c->next_pts = AV_NOPTS_VALUE; + av_assert0(pkt->size >= req_size); pkt->size = req_size; pkt->flags |= AV_PKT_FLAG_KEY; *got_packet = !!req_size; From fe8c81a0f36bc42904c3f41c16c330a10d51e310 Mon Sep 17 00:00:00 2001 
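Review bot: The added `av_assert0(pkt->size >= req_size);` in a64multi_encode_frame() sits after the packet payload has been produced, so it can only report a write past the buffer from ff_alloc_packet2() once it has already happened. The writes themselves are outside this hunk, so this is inferred from `req_size` being accumulated while `buf` advances. A comment would make the invariant explicit: `/* req_size counts bytes already written to pkt->data; it must never exceed the allocated size */`. Where a bound can be violated by input-dependent state, comparing against the allocated size before each write is the safer place for the check.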
From: Michael Niedermayer Date: Tue, 24 Feb 2015 00:32:39 +0100 Subject: [PATCH 160/700] swscale/utils: More carefully merge and clear coefficients outside the input Fixes out of array read Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1895d414aaacece3b57d7bf19502305e9a064fae) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index fd58d3aeb8..1fc9fc42bf 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -612,14 +612,24 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, if ((*filterPos)[i] + filterSize > srcW) { int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + int64_t acc = 0; - // move filter coefficients right to compensate for filterPos - for (j = filterSize - 2; j >= 0; j--) { - int right = FFMIN(j + shift, filterSize - 1); - filter[i * filterSize + right] += filter[i * filterSize + j]; - filter[i * filterSize + j] = 0; + for (j = filterSize - 1; j >= 0; j--) { + if ((*filterPos)[i] + j >= srcW) { + acc += filter[i * filterSize + j]; + filter[i * filterSize + j] = 0; + } } + for (j = filterSize - 1; j >= 0; j--) { + if (j < shift) { + filter[i * filterSize + j] = 0; + } else { + filter[i * filterSize + j] = filter[i * filterSize + j - shift]; + } + } + (*filterPos)[i]-= shift; + filter[i * filterSize + srcW - 1 - (*filterPos)[i]] += acc; } } From db1a99a209e62d733d13cc63f9b31e74ea39df0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 03:12:22 +0100 Subject: [PATCH 161/700] avcodec/snowdec: Fix ref value check Fixes integer overflow and out of array read. Fixes: signal_sigsegv_24169e6_3445_cov_3778346427_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4cbf940212079a34753c7f4d6c6b5a43586d30) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 327157b0d2..c5fa20339a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -152,7 +152,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int l = left->color[0]; int cb= left->color[1]; int cr= left->color[2]; - int ref = 0; + unsigned ref = 0; int ref_context= av_log2(2*left->ref) + av_log2(2*top->ref); int mx_context= av_log2(2*FFABS(left->mx - top->mx)) + 0*av_log2(2*FFABS(tr->mx - top->mx)); int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); From 9a63a36dc6e15f0b764425f17bb4cb8e7e61f3e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 20:49:07 +0100 Subject: [PATCH 162/700] avcodec/h264: Only reinit quant tables if a new PPS is allowed Fixes null pointer dereference Fixes: signal_sigsegv_3042097_3007_cov_1741463594_non_monotone_timestamps1.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c23a0e77dd492d6c794f89dbff3a438c95745e70) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index f03ab4ebfb..d08dd1511c 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1515,7 +1515,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) } } - if (h == h0 && h->dequant_coeff_pps != pps_id) { + if (first_slice && h->dequant_coeff_pps != pps_id) { h->dequant_coeff_pps = pps_id; h264_init_dequant_tables(h); } From 711374b62691ed42099ea9350ba6e6f9846012a2 Mon Sep 17 00:00:00 2001 
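Review bot: The change to `unsigned ref` in decode_q_branch() carries the whole fix implicitly, which makes it easy to undo in a later type cleanup. A comment on the declaration would protect it, e.g. `/* unsigned: an out-of-range decoded value must fail the range check instead of going negative */`. The range check this relies on is outside the hunk, so confirm that it compares `ref` against the reference-frame count and that the comparison stays unsigned.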
From: Michael Niedermayer Date: Wed, 25 Feb 2015 12:29:10 +0100 Subject: [PATCH 163/700] avcodec/zmbv: Check len before reading in decode_frame() Fixes out of array read Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5c7781e63d6519192ada59c1e36bcecc92791d) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index c16d912117..82ae169ef4 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -410,11 +410,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int hi_ver, lo_ver, ret; /* parse header */ + if (len < 1) + return AVERROR_INVALIDDATA; c->flags = buf[0]; buf++; len--; if (c->flags & ZMBV_KEYFRAME) { void *decode_intra = NULL; c->decode_intra= NULL; + + if (len < 6) + return AVERROR_INVALIDDATA; hi_ver = buf[0]; lo_ver = buf[1]; c->comp = buf[2]; From 6168fe32f1af32b5e3fa13d258aa436451b7cef6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Feb 2015 15:51:28 +0100 Subject: [PATCH 164/700] avcodec/hevc_ps: Sanity checks for some log2_* values log2 values which imply numeric overflow are not supported Signed-off-by: Michael Niedermayer (cherry picked from commit 205b2ba3d677330e023aac2f4bd3f624039256b9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 11e6eb6132..3309377455 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -895,11 +895,30 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) sps->log2_max_trafo_size = log2_diff_max_min_transform_block_size + sps->log2_min_tb_size; - if (sps->log2_min_tb_size >= sps->log2_min_cb_size) { + if (sps->log2_min_cb_size < 3 || sps->log2_min_cb_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_min_cb_size", sps->log2_min_cb_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + + if (sps->log2_diff_max_min_coding_block_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_coding_block_size", sps->log2_diff_max_min_coding_block_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + + if (sps->log2_min_tb_size >= sps->log2_min_cb_size || sps->log2_min_tb_size < 2) { av_log(s->avctx, AV_LOG_ERROR, "Invalid value for log2_min_tb_size"); ret = AVERROR_INVALIDDATA; goto err; } + + if (log2_diff_max_min_transform_block_size < 0 || log2_diff_max_min_transform_block_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_transform_block_size", log2_diff_max_min_transform_block_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + sps->max_transform_hierarchy_depth_inter = get_ue_golomb_long(gb); sps->max_transform_hierarchy_depth_intra = get_ue_golomb_long(gb); From a81b6a662aa6ae9eec3d88322bee839c6e84c09b Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Thu, 26 Feb 2015 13:42:52 +0000 Subject: [PATCH 165/700] mips/acelp_filters: fix incorrect register constraint Change register constraint on the v variable from = to +. This was causing GCC to think that the v variable was never read and therefore not initialize it. This fixes about 20 fate failures on mips64el. Signed-off-by: James Cowgill Signed-off-by: Michael Niedermayer (cherry picked from commit b9de1303a6414174ab2f3bccefa801bfabcf0f88) Signed-off-by: Michael Niedermayer --- libavcodec/mips/acelp_filters_mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
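Review bot: The added range checks bound log2_min_cb_size, log2_diff_max_min_coding_block_size and log2_diff_max_min_transform_block_size to 30 each, but nothing in this hunk bounds their sums. `sps->log2_max_trafo_size` is already computed from two of them on the context line above the checks, and a combined value above 30 would still overflow an int when used as a shift count unless code outside the hunk rejects it. Checking the derived sizes as well, or adding a comment that says where they are checked, would close that gap. Separately, the three new av_log() format strings and the existing "Invalid value for log2_min_tb_size" lack a trailing newline, e.g. `"Invalid value %d for log2_min_cb_size\n"`. ff_hevc_decode_nal_sps starts and ends outside the hunk.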
diff --git a/libavcodec/mips/acelp_filters_mips.c b/libavcodec/mips/acelp_filters_mips.c index c8d980aa00..ffc0fe6250 100644 --- a/libavcodec/mips/acelp_filters_mips.c +++ b/libavcodec/mips/acelp_filters_mips.c @@ -89,7 +89,7 @@ static void ff_acelp_interpolatef_mips(float *out, const float *in, "addu %[p_filter_coeffs_m], %[p_filter_coeffs_m], %[prec] \n\t" "madd.s %[v],%[v],%[in_val_m], %[fc_val_m] \n\t" - : [v] "=&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), + : [v] "+&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), [p_filter_coeffs_p] "+r" (p_filter_coeffs_p), [in_val_p] "=&f" (in_val_p), [in_val_m] "=&f" (in_val_m), [fc_val_p] "=&f" (fc_val_p), [fc_val_m] "=&f" (fc_val_m), From 429347afa7484773378191ab5846a199545e6b47 Mon Sep 17 00:00:00 2001 From: Dyami Caliri Date: Thu, 26 Feb 2015 10:17:01 -0800 Subject: [PATCH 166/700] Fix buffer_size argument to init_put_bits() in multiple encoders. Several encoders were multiplying the buffer size by 8, in order to get a bit size. However, the buffer_size argument is for the byte size of the buffer. We had experienced crashes encoding prores (Anatoliy) at size 4096x4096. (cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- libavcodec/adpcmenc.c | 4 ++-- libavcodec/faxcompr.c | 2 +- libavcodec/flashsv2enc.c | 2 +- libavcodec/flashsvenc.c | 2 +- libavcodec/nellymoserenc.c | 2 +- libavcodec/proresenc_anatoliy.c | 2 +- libavcodec/proresenc_kostya.c | 2 +- libavcodec/s302menc.c | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 635123e46d..7937eb0162 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c 
@@ -165,7 +165,7 @@ static void put_audio_specific_config(AVCodecContext *avctx)
 PutBitContext pb;
 AACEncContext *s = avctx->priv_data;
- init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8);
+ init_put_bits(&pb, avctx->extradata, avctx->extradata_size);
 put_bits(&pb, 5, 2); //object type - AAC-LC
 put_bits(&pb, 4, s->samplerate_index); //sample rate index
 put_bits(&pb, 4, s->channels);
diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c
index ea6cc23e97..7692db4d67 100644
--- a/libavcodec/adpcmenc.c
+++ b/libavcodec/adpcmenc.c
@@ -541,7 +541,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
 case AV_CODEC_ID_ADPCM_IMA_QT: {
 PutBitContext pb;
- init_put_bits(&pb, dst, pkt_size * 8);
+ init_put_bits(&pb, dst, pkt_size);
 for (ch = 0; ch < avctx->channels; ch++) {
 ADPCMChannelStatus *status = &c->status[ch];
@@ -571,7 +571,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
 case AV_CODEC_ID_ADPCM_SWF: {
 PutBitContext pb;
- init_put_bits(&pb, dst, pkt_size * 8);
+ init_put_bits(&pb, dst, pkt_size);
 n = frame->nb_samples - 1;
diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index 155f78da66..ba7096d3b1 100644
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -251,7 +251,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs)
 PutBitContext pb;
 int run, mode = ~0, pix_left = width, run_idx = 0;
- init_put_bits(&pb, dst, size * 8);
+ init_put_bits(&pb, dst, size);
 while (pix_left > 0) {
 run = runs[run_idx++];
 mode = ~mode;
diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c
index 1c016f2265..c7bb410f6f 100644
--- a/libavcodec/flashsv2enc.c
+++ b/libavcodec/flashsv2enc.c
@@ -287,7 +287,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size)
 if (buf_size < 5) return -1;
- init_put_bits(&pb, buf, buf_size * 8);
+ init_put_bits(&pb, buf, buf_size);
 put_bits(&pb, 4, (s->block_width >> 4) - 1);
 put_bits(&pb, 12, s->image_width);
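Review bot: Of the call sites corrected in this patch, only write_header() in flashsv2enc.c visibly checks the buffer size before writing (`if (buf_size < 5) return -1;`). put_audio_specific_config() in aacenc.c emits at least 13 bits with no visible check that `avctx->extradata_size` covers them, and the hunks for put_line() in faxcompr.c and encode_block() in nellymoserenc.c show none either. Now that init_put_bits() receives the real byte count, each site should state its assumption, at minimum with a comment such as `/* extradata_size is in bytes and must cover every field written below */`, or with an assertion on the minimum size where the allocation is not adjacent. The allocations may well guarantee enough room, but they and the ends of these functions are outside the hunks.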
diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c
index a6d7caa97b..14e8adab2e 100644
--- a/libavcodec/flashsvenc.c
+++ b/libavcodec/flashsvenc.c
@@ -151,7 +151,7 @@ static int encode_bitstream(FlashSVContext *s, const AVFrame *p, uint8_t *buf,
 int buf_pos, res;
 int pred_blocks = 0;
- init_put_bits(&pb, buf, buf_size * 8);
+ init_put_bits(&pb, buf, buf_size);
 put_bits(&pb, 4, block_width / 16 - 1);
 put_bits(&pb, 12, s->image_width);
diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c
index 48caba23b9..148dbd9c77 100644
--- a/libavcodec/nellymoserenc.c
+++ b/libavcodec/nellymoserenc.c
@@ -308,7 +308,7 @@ static void encode_block(NellyMoserEncodeContext *s, unsigned char *output, int
 apply_mdct(s);
- init_put_bits(&pb, output, output_size * 8);
+ init_put_bits(&pb, output, output_size);
 i = 0;
 for (band = 0; band < NELLY_BANDS; band++) {
diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c
index f471f4987e..801d58ed7b 100644
--- a/libavcodec/proresenc_anatoliy.c
+++ b/libavcodec/proresenc_anatoliy.c
@@ -304,7 +304,7 @@ static int encode_slice_plane(AVCodecContext *avctx, int mb_count,
 }
 blocks_per_slice = mb_count << (2 - chroma);
- init_put_bits(&pb, buf, buf_size << 3);
+ init_put_bits(&pb, buf, buf_size);
 encode_dc_coeffs(&pb, blocks, blocks_per_slice, qmat);
 encode_ac_coeffs(avctx, &pb, blocks, blocks_per_slice, qmat);
diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c
index 5f432a97cd..ab295aa924 100644
--- a/libavcodec/proresenc_kostya.c
+++ b/libavcodec/proresenc_kostya.c
@@ -1058,7 +1058,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 slice_hdr = pkt->data + (slice_hdr - start);
 tmp = pkt->data + (tmp - start);
 }
- init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8);
+ init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)));
 ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice);
 if (ret < 0)
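Review bot: In the proresenc_kostya.c hunk the new call keeps the outer parentheses that only served the removed `* 8`, and the size it passes is a pointer difference narrowed to int with no visible check that it is still positive. `init_put_bits(&pb, buf, pkt_size - (buf - orig_buf));` reads more clearly. If the remaining space can reach zero, the frame should be rejected before encode_slice() runs. Whether the pointer-rebasing branch that closes just above the changed line guarantees enough room cannot be told from this hunk, and encode_frame continues on both sides of it.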
diff --git a/libavcodec/s302menc.c b/libavcodec/s302menc.c index 540ac29dab..e738f09d19 100644 --- a/libavcodec/s302menc.c +++ b/libavcodec/s302menc.c @@ -82,7 +82,7 @@ static int s302m_encode2_frame(AVCodecContext *avctx, AVPacket *avpkt, return ret; o = avpkt->data; - init_put_bits(&pb, o, buf_size * 8); + init_put_bits(&pb, o, buf_size); put_bits(&pb, 16, buf_size - AES3_HEADER_LEN); put_bits(&pb, 2, (avctx->channels - 2) >> 1); // number of channels put_bits(&pb, 8, 0); // channel ID From 4005a71def6f9608b01f81e2ca28248cf451f50b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 01:06:57 +0100 Subject: [PATCH 167/700] avformat/adxdec: set avctx->channels in adx_read_header It is used in adx_read_packet, which currently depends on the decoder/parser setting this value between reading the file header and demuxing the first packet. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4a0598e7ca61b95cf6c93fd409151a448001) Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index ddaa201179..e57d0516dc 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -83,8 +83,14 @@ static int adx_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid extradata size.\n"); return AVERROR_INVALIDDATA; } + avctx->channels = AV_RB8(avctx->extradata + 7); avctx->sample_rate = AV_RB32(avctx->extradata + 8); + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; st->codec->codec_id = s->iformat->raw_codec_id; From 7f97231d97d56e4589795a0cea67ff24fb2d54ba Mon Sep 17 00:00:00 2001 
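Review bot: In adx_read_header(), `avctx->sample_rate` is read from the file with `AV_RB32()` on the line after the new channel read but, unlike `avctx->channels`, gets no validation in this hunk, so a zero or negative rate can pass through the header parser. If no later check exists outside the hunk, the same pattern applies: `if (avctx->sample_rate <= 0) return AVERROR_INVALIDDATA;` with a matching av_log(). Note also that `AV_RB8()` cannot yield a negative value, so the `<= 0` test on channels is effectively `== 0` at this site. The function's start and end are outside the hunk.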
From: Andreas Cadhalpun Date: Wed, 25 Feb 2015 22:55:44 +0100 Subject: [PATCH 168/700] avformat/adxdec: check avctx->channels for invalid values This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0) Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index e57d0516dc..e7107ac579 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -40,6 +40,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *avctx = s->streams[0]->codec; int ret, size; + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + size = BLOCK_SIZE * avctx->channels; pkt->pos = avio_tell(s->pb); From 0540d5c5fc1b573cac86c641c338ec1cb7a5e8ea Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:38:50 +0100 Subject: [PATCH 169/700] avformat/bit: check that pkt->size is 10 in write_packet Ohter packet sizes are not supported by this muxer. This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bit.c b/libavformat/bit.c index 7b807b9bc1..5d05da0f81 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -133,6 +133,9 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) GetBitContext gb; int i; + if (pkt->size != 10) + return AVERROR(EINVAL); + avio_wl16(pb, SYNC_WORD); avio_wl16(pb, 8 * 10); From 29e435ca3381284297f8fed6f181ef14bb767e08 Mon Sep 17 00:00:00 2001 
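Review bot: The literal 10 now appears twice in write_packet() of libavformat/bit.c, in the new `pkt->size != 10` check and in the context line `avio_wl16(pb, 8 * 10)`, with nothing tying the two together. A single named constant used in both places (name left to the maintainers) would keep the size check and the bit count written to the stream from drifting apart. Rejecting the packet silently also leaves the caller with a bare EINVAL, so an `av_log(s, AV_LOG_ERROR, ...)` before the return would help, like the one the following patch adds to write_header(). The rest of write_packet() is outside the hunk.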
From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:42:02 +0100 Subject: [PATCH 170/700] avformat/bit: only accept the g729 codec and 1 channel Other codecs/channel numbers are not supported by this muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d0b8640f75ff7569c98d6fdb03d83451104e088c) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/bit.c b/libavformat/bit.c index 5d05da0f81..138d2feadb 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -119,8 +119,12 @@ static int write_header(AVFormatContext *s) { AVCodecContext *enc = s->streams[0]->codec; - enc->codec_id = AV_CODEC_ID_G729; - enc->channels = 1; + if ((enc->codec_id != AV_CODEC_ID_G729) || enc->channels != 1) { + av_log(s, AV_LOG_ERROR, + "only codec g729 with 1 channel is supported by this format\n"); + return AVERROR(EINVAL); + } + enc->bits_per_coded_sample = 16; enc->block_align = (enc->bits_per_coded_sample * enc->channels) >> 3; From 61147f58ab6a212fdc1a1e1da68778f8640356a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Feb 2015 03:12:23 +0100 Subject: [PATCH 171/700] swscale/utils: clear formatConvBuffer on allocation Fixes use of uninitialized memory Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 007498fc1a639ecee2cda1892cbcff66c7c8c951) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 1fc9fc42bf..fd8e72abc6 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
@@ -1177,7 +1177,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->chrDstW = FF_CEIL_RSHIFT(dstW, c->chrDstHSubSample); c->chrDstH = FF_CEIL_RSHIFT(dstH, c->chrDstVSubSample); - FF_ALLOC_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); + FF_ALLOCZ_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); c->srcBpc = 1 + desc_src->comp[0].depth_minus1; if (c->srcBpc < 8) From 3791436eb58822f3af9c5fb4de744e7523b7046e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Feb 2015 21:57:11 +0100 Subject: [PATCH 172/700] avutil/imgutils: correctly check for negative SAR components These could trigger assert failures previously Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 5705dc527687fd84d94c934169b6bd753459744f) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 7f3032bdf3..a12079d228 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -245,7 +245,7 @@ int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) { int64_t scaled_dim; - if (!sar.den) + if (sar.den <= 0 || sar.num < 0) return AVERROR(EINVAL); if (!sar.num || sar.num == sar.den) From e6b18f5700f447ba16857ca707f0400a094333cb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 28 Feb 2015 20:11:36 +0100 Subject: [PATCH 173/700] avcodec/utils: use correct printf specifier in ff_set_sar Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 732c3ebffaff5005367d7f947fa903f3b6e92f68) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 410a05fda5..b3bcec095e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
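Review bot: The size expression `FFALIGN(srcW*2+78, 16) * 2` passed to FF_ALLOCZ_OR_GOTO is evaluated in int arithmetic, so zero-filling removes the uninitialised read but not a possible wrap for a very large `srcW`, which would yield an undersized formatConvBuffer. Whether srcW is range-checked earlier in sws_init_context() cannot be seen from this hunk. If it is not, a guard before the allocation is needed, along the lines of `if (srcW > (INT_MAX - 93) / 4) goto fail;`, with the exact bound and error code to be confirmed. A one-line comment on what the `+78` padding accounts for would also help later reviewers. The function starts and ends outside the hunk.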
@@ -246,7 +246,7 @@ int ff_set_sar(AVCodecContext *avctx, AVRational sar) int ret = av_image_check_sar(avctx->width, avctx->height, sar); if (ret < 0) { - av_log(avctx, AV_LOG_WARNING, "ignoring invalid SAR: %u/%u\n", + av_log(avctx, AV_LOG_WARNING, "ignoring invalid SAR: %d/%d\n", sar.num, sar.den); avctx->sample_aspect_ratio = (AVRational){ 0, 1 }; return ret; From e6bc1fe10c56d7f9712679a31cb9a79457556b1c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 28 Feb 2015 20:58:31 +0100 Subject: [PATCH 174/700] avformat/flvenc: check that the codec_tag fits in the available bits flags is later written with avio_w8 and if it doesn't fit in one byte it triggers an av_assert2. Signed-off-by: Michael Niedermayer (cherry picked from commit e8565d21c276ab9ac5ce785549420321fbd0b093) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 5468c4d0e9..009f97558f 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -521,7 +521,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) avio_w8(pb, FLV_TAG_TYPE_VIDEO); flags = enc->codec_tag; - if (flags == 0) { + if (flags <= 0 || flags > 15) { av_log(s, AV_LOG_ERROR, "Video codec '%s' is not compatible with FLV\n", avcodec_get_name(enc->codec_id)); From 55637b2e5e9a27c6176e3ccd0a8730cc16206530 Mon Sep 17 00:00:00 2001 From: Steve Lhomme Date: Tue, 3 Mar 2015 12:06:40 +0100 Subject: [PATCH 175/700] fix VP9 packet decoder returning 0 instead of the used data size See https://trac.videolan.org/vlc/ticket/14022#comment:6 Signed-off-by: Michael Niedermayer (cherry picked from commit 4851db80a4f80ddade1d50d2ec741375c763f001) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 07df9ef75d..a956567254 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c 
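Review bot: The new upper bound `flags > 15` in flv_write_packet() is a bare number. Per the commit message it reflects the bits available for the codec tag in the byte later written with avio_w8(), but the code does not say so. A comment on the check would record that, e.g. `/* codec tag must fit in the low 4 bits of the video tag byte */`. The error text still reports only that the codec "is not compatible with FLV", which hides the case of an out-of-range codec_tag, so logging the rejected tag value would make the failure diagnosable. The function continues outside the hunk.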
@@ -3748,7 +3748,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, if ((res = av_frame_ref(frame, s->refs[ref].f)) < 0) return res; *got_frame = 1; - return 0; + return pkt->size; } data += res; size -= res; @@ -3972,7 +3972,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, *got_frame = 1; } - return 0; + return pkt->size; } static void vp9_decode_flush(AVCodecContext *ctx) From 73dd8f0a2431851d99f3a94acfd608a2e820b6ab Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 5 Mar 2015 12:05:17 +0100 Subject: [PATCH 176/700] doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds s->listen_timeout is passed to ff_listen_bind(), which accepts a timeout value expressed in milliseconds. The unit was incorrectly set in 1b4da43ce02452843a1e9bb976da1a39e18a945c. (cherry picked from commit 6db20926c32ea297418f1f819585007c6b7b6160) Signed-off-by: Michael Niedermayer --- doc/protocols.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/protocols.texi b/doc/protocols.texi index d165bda0e4..006324c68d 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -1081,8 +1081,8 @@ Set raise error timeout, expressed in microseconds. This option is only relevant in read mode: if no data arrived in more than this time interval, raise error. -@item listen_timeout=@var{microseconds} -Set listen timeout, expressed in microseconds. +@item listen_timeout=@var{milliseconds} +Set listen timeout, expressed in milliseconds. @end table The following example shows how to setup a listening TCP connection From 57c7922331d5f2c0999046845bd9bf24ac74c2b7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 5 Mar 2015 22:48:28 +0100 Subject: [PATCH 177/700] webp: ensure that each transform is only used once According to the WebP Lossless Bitstream Specification "each transform is allowed to be used only once". If a transform is more than once this can lead to memory corruption. 
Signed-off-by: Michael Niedermayer (cherry picked from commit c089e720c1b753790c746a13053636d7facf6bf0) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 4b1c8e7f8b..802b03c826 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1099,7 +1099,7 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, unsigned int data_size, int is_alpha_chunk) { WebPContext *s = avctx->priv_data; - int w, h, ret, i; + int w, h, ret, i, used; if (!is_alpha_chunk) { s->lossless = 1; @@ -1149,8 +1149,16 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, /* parse transformations */ s->nb_transforms = 0; s->reduced_width = 0; + used = 0; while (get_bits1(&s->gb)) { enum TransformType transform = get_bits(&s->gb, 2); + if (used & (1 << transform)) { + av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n", + transform); + ret = AVERROR_INVALIDDATA; + goto free_and_return; + } + used |= (1 << transform); s->transforms[s->nb_transforms++] = transform; switch (transform) { case PREDICTOR_TRANSFORM: From 032476f8309bdbed00b2a4da03eb5b64ec5877c2 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 6 Mar 2015 21:07:54 -0500 Subject: [PATCH 178/700] vp9: fix segmentation map retention with threading enabled. Fixes ticket 4359. Signed-off-by: Michael Niedermayer (cherry picked from commit efff3854f05d171f5ad3e4f4206533b255a6d267) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index a956567254..c10f85efe3 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c 
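Review bot: The duplicate check added to the transform loop is what now keeps `s->nb_transforms` at four or fewer before `s->transforms[s->nb_transforms++] = transform`, yet nothing in the hunk states that dependency or shows the array's size. A comment such as `/* each of the 4 transform types may appear once, which also bounds nb_transforms */` would keep a later edit from removing the bound by accident. The declaration of s->transforms is outside the hunk and should be confirmed to hold at least 4 entries. `used` is a bit set and would be better declared `unsigned used;` than appended to the `int w, h, ret, i` list. vp8_lossless_decode_frame continues outside both hunks.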
@@ -279,7 +279,8 @@ static int vp9_alloc_frame(AVCodecContext *ctx, VP9Frame *f) // retain segmentation map if it doesn't update if (s->segmentation.enabled && !s->segmentation.update_map && - !s->intraonly && !s->keyframe && !s->errorres) { + !s->intraonly && !s->keyframe && !s->errorres && + ctx->active_thread_type != FF_THREAD_FRAME) { memcpy(f->segmentation_map, s->frames[LAST_FRAME].segmentation_map, sz); } @@ -1351,9 +1352,18 @@ static void decode_mode(AVCodecContext *ctx) if (!s->last_uses_2pass) ff_thread_await_progress(&s->frames[LAST_FRAME].tf, row >> 3, 0); - for (y = 0; y < h4; y++) + for (y = 0; y < h4; y++) { + int idx_base = (y + row) * 8 * s->sb_cols + col; for (x = 0; x < w4; x++) - pred = FFMIN(pred, refsegmap[(y + row) * 8 * s->sb_cols + x + col]); + pred = FFMIN(pred, refsegmap[idx_base + x]); + if (!s->segmentation.update_map && ctx->active_thread_type == FF_THREAD_FRAME) { + // FIXME maybe retain reference to previous frame as + // segmap reference instead of copying the whole map + // into a new buffer + memcpy(&s->frames[CUR_FRAME].segmentation_map[idx_base], + &refsegmap[idx_base], w4); + } + } av_assert1(pred < 8); b->seg_id = pred; } else { From 21533730fc9b8d39d1cc3d79254264723c7224a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 14:30:34 +0100 Subject: [PATCH 179/700] avcodec/utils: Align YUV411 by as much as the other YUV variants Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash2.avi Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b3bcec095e..d30ad2e72e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
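Review bot: With frame threading active, the first hunk stops copying the previous segmentation map in vp9_alloc_frame(), so the current frame's map is now filled only for blocks that reach the memcpy added in decode_mode(). Blocks that take another branch would keep whatever the buffer held, unless `segmentation_map` is cleared or fully written elsewhere outside these hunks. That should be verified, or at least noted next to the FIXME. The added test `!s->segmentation.update_map && ctx->active_thread_type == FF_THREAD_FRAME` is also loop-invariant and could be evaluated once before `for (y = 0; y < h4; y++)`. Both functions start and end outside the hunks.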
@@ -374,7 +374,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_YUVJ411P: case AV_PIX_FMT_UYYVYY411: w_align = 32; - h_align = 8; + h_align = 16 * 2; break; case AV_PIX_FMT_YUV410P: if (s->codec_id == AV_CODEC_ID_SVQ1) { From 50f50379479384a7e972e235a1b7031eebb52f8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 15:11:39 +0100 Subject: [PATCH 180/700] avcodec/opusdec: Clear out pointers per packet This is safer than to assume that all error pathes cleared them and nothing will use uncleared pointers. Signed-off-by: Michael Niedermayer (cherry picked from commit 1ae092587fc196da5098dea346d7ece81ec35153) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 759eaa529c..0825fc084e 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -452,6 +452,12 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, int decoded_samples = 0; int i, ret; + for (i = 0; i < c->nb_streams; i++) { + OpusStreamContext *s = &c->streams[i]; + s->out[0] = + s->out[1] = NULL; + } + /* decode the header of the first sub-packet to find out the sample count */ if (buf) { OpusPacket *pkt = &c->streams[0].packet; From 90fa2460c0728a0bc08dc5165476b6691c057a7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 15:34:19 +0100 Subject: [PATCH 181/700] avcodec/opusdec: Fix delayed sample value Fixes out of array access Fixes: ffmpeg_opus_crash1.ogg This solution is likely not optimal in terms of error concealment but its simple and fixes the out of array access. Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 6c583e9048fe9db2ed4d7bbc75f4f1d76e82761a) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 0825fc084e..04c9218840 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -451,11 +451,13 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, int coded_samples = 0; int decoded_samples = 0; int i, ret; + int delayed_samples = 0; for (i = 0; i < c->nb_streams; i++) { OpusStreamContext *s = &c->streams[i]; s->out[0] = s->out[1] = NULL; + delayed_samples = FFMAX(delayed_samples, s->delayed_samples); } /* decode the header of the first sub-packet to find out the sample count */ @@ -470,7 +472,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config); } - frame->nb_samples = coded_samples + c->streams[0].delayed_samples; + frame->nb_samples = coded_samples + delayed_samples; /* no input or buffered data => nothing to do */ if (!frame->nb_samples) { From 9bb7e2bd90f393c6fc9b4bfa8a523018434b7aa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 8 Mar 2015 00:19:45 +0200 Subject: [PATCH 182/700] mxfdec: Fix the error handling for when strftime fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The str variable is a char ** here. Signed-off-by: Martin Storsjö (cherry picked from commit 6448f15af02f2c3cf0df8cb8237957e426041f2d) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 0c88a8ae9c..636a3d8932 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1976,7 +1976,7 @@ static int mxf_timestamp_to_str(uint64_t timestamp, char **str) if (!*str) return AVERROR(ENOMEM); if (!strftime(*str, 32, "%Y-%m-%d %H:%M:%S", &time)) - str[0] = '\0'; + (*str)[0] = '\0'; return 0; } From 07df052d8d92405ce0c89f9e3389aeefb5026be5 Mon Sep 17 00:00:00 2001 
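Review bot: In mxf_timestamp_to_str() the `32` passed to strftime() has to match the size of the buffer allocated for `*str` just above the hunk, but the two are not visibly tied together. Using one named constant for both the allocation and the strftime() limit would prevent a future resize from turning the call into an out-of-bounds write. The allocation line is outside the hunk, so the current match is to be confirmed there.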
From: Andreas Cadhalpun Date: Sat, 7 Mar 2015 19:36:07 +0100 Subject: [PATCH 183/700] doc: avoid the incorrect phrase 'allow to' Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 10fd7ff814f2a35b5b49a9c3b0d426ead6c7e83f) Signed-off-by: Michael Niedermayer --- doc/faq.texi | 2 +- doc/ffserver.texi | 2 +- doc/filters.texi | 2 +- doc/formats.texi | 4 ++-- doc/indevs.texi | 2 +- doc/utils.texi | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/faq.texi b/doc/faq.texi index fdcb46d334..54b61fc9ea 100644 --- a/doc/faq.texi +++ b/doc/faq.texi @@ -298,7 +298,7 @@ FFmpeg has a @url{http://ffmpeg.org/ffmpeg-protocols.html#concat, @code{concat}} protocol designed specifically for that, with examples in the documentation. -A few multimedia containers (MPEG-1, MPEG-2 PS, DV) allow to concatenate +A few multimedia containers (MPEG-1, MPEG-2 PS, DV) allow one to concatenate video by merely concatenating the files containing them. Hence you may concatenate your multimedia files by first transcoding them to diff --git a/doc/ffserver.texi b/doc/ffserver.texi index 83b6520dd1..0394c3636b 100644 --- a/doc/ffserver.texi +++ b/doc/ffserver.texi @@ -71,7 +71,7 @@ the HTTP server (configured through the @option{HTTPPort} option), and configuration file. Each feed is associated to a file which is stored on disk. This stored -file is used to allow to send pre-recorded data to a player as fast as +file is used to send pre-recorded data to a player as fast as possible when new content is added in real-time to the stream. A "live-stream" or "stream" is a resource published by diff --git a/doc/filters.texi b/doc/filters.texi index 8c16c7a546..31334da2f2 100644 --- a/doc/filters.texi +++ b/doc/filters.texi 
@@ -3378,7 +3378,7 @@ Set number overlapping pixels for each block. Since the filter can be slow, you may want to reduce this value, at the cost of a less effective filter and the risk of various artefacts. -If the overlapping value doesn't allow to process the whole input width or +If the overlapping value doesn't permit processing the whole input width or height, a warning will be displayed and according borders won't be denoised. Default value is @var{blocksize}-1, which is the best possible setting. diff --git a/doc/formats.texi b/doc/formats.texi index 41387098b7..cbbdc1032c 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -23,7 +23,7 @@ Reduce buffering. @item probesize @var{integer} (@emph{input}) Set probing size in bytes, i.e. the size of the data to analyze to get -stream information. A higher value will allow to detect more +stream information. A higher value will enable detecting more information in case it is dispersed into the stream, but will increase latency. Must be an integer not lesser than 32. It is 5000000 by default. @@ -67,7 +67,7 @@ Default is 0. @item analyzeduration @var{integer} (@emph{input}) Specify how many microseconds are analyzed to probe the input. A -higher value will allow to detect more accurate information, but will +higher value will enable detecting more accurate information, but will increase latency. It defaults to 5,000,000 microseconds = 5 seconds. @item cryptokey @var{hexadecimal string} (@emph{input}) diff --git a/doc/indevs.texi b/doc/indevs.texi index ad823abad4..84cdeb5d3a 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -1,7 +1,7 @@ @chapter Input Devices @c man begin INPUT DEVICES -Input devices are configured elements in FFmpeg which allow to access +Input devices are configured elements in FFmpeg which enable accessing the data coming from a multimedia device attached to your system. When you configure your FFmpeg build, all the supported input devices 
diff --git a/doc/utils.texi b/doc/utils.texi index b0455af00c..79bf2a22ac 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -844,7 +844,7 @@ Return 1.0 if @var{x} is +/-INFINITY, 0.0 otherwise. Return 1.0 if @var{x} is NAN, 0.0 otherwise. @item ld(var) -Allow to load the value of the internal variable with number +Load the value of the internal variable with number @var{var}, which was previously stored with st(@var{var}, @var{expr}). The function returns the loaded value. @@ -912,7 +912,7 @@ Compute the square root of @var{expr}. This is equivalent to Compute expression @code{1/(1 + exp(4*x))}. @item st(var, expr) -Allow to store the value of the expression @var{expr} in an internal +Store the value of the expression @var{expr} in an internal variable. @var{var} specifies the number of the variable where to store the value, and it is a value ranging from 0 to 9. The function returns the value stored in the internal variable. From c5b2ef3bdf23d16ded3e3aaa66763963e130259d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 23:27:43 +0100 Subject: [PATCH 184/700] avcodec/tiff: move bpp check to after "end:" This ensures that all current and future code-pathes get bpp checked Signed-off-by: Michael Niedermayer (cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index ee16d7805d..b00bc1c217 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -839,13 +839,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->bpp = -1; } } - if (s->bpp > 64U) { - av_log(s->avctx, AV_LOG_ERROR, - "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); - s->bpp = 0; - return AVERROR_INVALIDDATA; - } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { 
@@ -1158,6 +1151,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } } end: + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } From 9246eb1ec50402eda3cf5873749c95688d074a8e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 27 Feb 2015 19:00:25 +0000 Subject: [PATCH 185/700] aic: Fix decoding files with odd dimensions Normally the aic decoder finds the proper slice combination (multiple of some number less than 32) but in case of odd width, it resorts to the default values, which were actually swapped. The number of slices is modified to account for such odd width cases. CC: libav-stable@libav.org (cherry picked from commit e878ec0d47cd6228c367b2f3128b76d7523f7255) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 3472301f53..5882bf1b9a 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -438,8 +438,8 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) ctx->mb_width = FFALIGN(avctx->width, 16) >> 4; ctx->mb_height = FFALIGN(avctx->height, 16) >> 4; - ctx->num_x_slices = 16; - ctx->slice_width = ctx->mb_width / 16; + ctx->num_x_slices = (ctx->mb_width + 15) >> 4; + ctx->slice_width = 16; for (i = 1; i < 32; i++) { if (!(ctx->mb_width % i) && (ctx->mb_width / i < 32)) { ctx->slice_width = ctx->mb_width / i; From bb508ddb8b7099d69ffea412229960c8d3007fae Mon Sep 17 00:00:00 2001 
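Review bot: After the move below `end:`, the error message still prints `count` as the number of components, but at that point `count` belongs to whichever tag this call parsed, which need not be the bits-per-sample tag the removed check sat in. The log line can therefore report a component count unrelated to the rejected `bpp`; logging only the value that failed, `"This format is not supported (bpp=%d)\n", s->bpp`, would avoid that. The early `return AVERROR_INVALIDDATA` also skips the `bytestream2_seek(&s->gb, start, SEEK_SET)` that the normal exit through `end:` performs. That is presumably harmless because the caller gives up on error, but a short comment saying so would help. The body of tiff_decode_tag starts outside this hunk.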
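Review bot: With the new defaults in aic_decode_init, `num_x_slices = (ctx->mb_width + 15) >> 4` and `slice_width = 16`, the last slice of a row covers fewer than 16 macroblocks whenever `mb_width` is not a multiple of 16, and nothing in the hunk records that. The slice decoding code is outside the hunk, so it should be confirmed that it bounds each slice by the macroblocks remaining in the row rather than by `slice_width` alone; otherwise the final slice would be processed past the end of the row. A comment on the defaults such as `/* fallback: 16-MB slices, the last one in a row may be narrower */` would make the invariant explicit. aic_decode_init continues beyond the hunk.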
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 18 Feb 2015 00:40:06 +0200 Subject: [PATCH 186/700] arm: Suppress tags about used cpu arch and extensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When all the codepaths using manually set .arch/.fpu code is behind runtime detection, the elf attributes should be suppressed. This allows tools to know that the final built binary doesn't strictly require these extensions. Signed-off-by: Martin Storsjö (cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73) Signed-off-by: Michael Niedermayer --- configure | 6 ++++++ libavutil/arm/asm.S | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/configure b/configure index 8e0119306d..37172aaa5f 100755 --- a/configure +++ b/configure @@ -1760,6 +1760,7 @@ SYSTEM_FUNCS=" TOOLCHAIN_FEATURES=" as_dn_directive as_func + as_object_arch asm_mod_q attribute_may_alias attribute_packed @@ -4462,6 +4463,11 @@ if enabled_any arm aarch64 || enabled_all ppc altivec && enabled asm; then check_as < Date: Thu, 5 Mar 2015 23:38:00 +0200 Subject: [PATCH 187/700] configure: Move the .object_arch check to the right place MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit b77e335e441040a40fc6156b8e4a134745d10233) Signed-off-by: Michael Niedermayer --- configure | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/configure b/configure index 37172aaa5f..104d2bff4c 100755 --- a/configure +++ b/configure @@ -4463,11 +4463,6 @@ if enabled_any arm aarch64 || enabled_all ppc altivec && enabled asm; then check_as < Date: Wed, 18 Feb 2015 12:11:43 +0000 Subject: [PATCH 188/700] mdec: check for out of bounds read Bug-Id: CID 1257501 CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 2c63081b48d98f3a0d0bed7b0ec3c0347b99144c) 
Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 051adaefe2..5fd06f4aa6 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -88,7 +88,12 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (level == 127) { break; } else if (level != 0) { - i += run; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 3; level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1); @@ -98,8 +103,13 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) run = SHOW_UBITS(re, &a->gb, 6)+1; LAST_SKIP_BITS(re, &a->gb, 6); UPDATE_CACHE(re, &a->gb); level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10); - i += run; - j = scantable[i]; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } + j = scantable[i]; if (level < 0) { level = -level; level = (level * qscale * quant_matrix[j]) >> 3; @@ -110,10 +120,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) level = (level - 1) | 1; } } - if (i > 63) { - av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); - return AVERROR_INVALIDDATA; - } block[j] = level; } From 2684ff3573a68037aa298bedd93b00a126c48a30 Mon Sep 17 00:00:00 2001 From: Federico Tomassetti Date: Wed, 18 Feb 2015 12:11:44 +0000 Subject: [PATCH 189/700] eamad: check for out of bounds read Bug-Id: CID 1257500 CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 061c489895d29049a88dc6118e4b639a273b31d6) Conflicts: libavcodec/eamad.c --- libavcodec/eamad.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 813a2d1cdb..6b7134a98d 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -151,6 +151,11 @@ static inline int decode_block_intra(MadContext *s, int16_t * block) break; } else if (level != 0) { i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return -1; + } j = scantable[i]; level = (level*quant_matrix[j]) >> 4; level = (level-1)|1; @@ -165,6 +170,11 @@ static inline int decode_block_intra(MadContext *s, int16_t * block) run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6); i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return -1; + } j = scantable[i]; if (level < 0) { level = -level; @@ -176,10 +186,6 @@ static inline int decode_block_intra(MadContext *s, int16_t * block) level = (level-1)|1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } block[j] = level; } From f18fc45d18940b8a4e8489d448654d09717925c4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 20:27:26 +0100 Subject: [PATCH 190/700] avcodec/rv10: check size of s->mb_width * s->mb_height If it doesn't fit into 12 bits it triggers an assertion. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 2578a546183da09d49d5bba8ab5e982dece1dede) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.h | 2 +- libavcodec/mpegvideo_enc.c | 7 +++++-- libavcodec/rv10enc.c | 7 ++++++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index cadf6f2450..f1a3d8e51c 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h 
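Review bot: Both added bounds checks return a bare `-1`, while the identical check added to mdec.c in the preceding patch returns `AVERROR_INVALIDDATA`. Using `return AVERROR_INVALIDDATA;` in both places would keep the two decoders consistent and give callers a meaningful code, assuming they only test for a negative value (the callers are not visible here). The guard itself is placed correctly, before `j = scantable[i]` in both branches. decode_block_intra starts and ends outside these hunks.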
@@ -883,7 +883,7 @@ extern const uint8_t ff_aic_dc_scale_table[32]; extern const uint8_t ff_h263_chroma_qscale_table[32]; /* rv10.c */ -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); int ff_rv_decode_dc(MpegEncContext *s, int n); void ff_rv20_encode_picture_header(MpegEncContext *s, int picture_number); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 666c983f24..00bf65f22f 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3706,8 +3706,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_msmpeg4_encode_picture_header(s, picture_number); else if (CONFIG_MPEG4_ENCODER && s->h263_pred) ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) - ff_rv10_encode_picture_header(s, picture_number); + else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + ret = ff_rv10_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV20_ENCODER && s->codec_id == AV_CODEC_ID_RV20) ff_rv20_encode_picture_header(s, picture_number); else if (CONFIG_FLV_ENCODER && s->codec_id == AV_CODEC_ID_FLV1) diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index 25411322a6..37efe6cca4 100644 --- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -28,7 +28,7 @@ #include "mpegvideo.h" #include "put_bits.h" -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) { int full_frame= 0; 
@@ -48,12 +48,17 @@ void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) /* if multiple packets per frame are sent, the position at which to display the macroblocks is coded here */ if(!full_frame){ + if (s->mb_width * s->mb_height >= (1U << 12)) { + avpriv_report_missing_feature(s, "Encoding frames with 4096 or more macroblocks"); + return AVERROR(ENOSYS); + } put_bits(&s->pb, 6, 0); /* mb_x */ put_bits(&s->pb, 6, 0); /* mb_y */ put_bits(&s->pb, 12, s->mb_width * s->mb_height); } put_bits(&s->pb, 3, 0); /* ignored */ + return 0; } FF_MPV_GENERIC_CLASS(rv10) From 1a2aaa74970c63a6cfa7fa966ea3a21e78618849 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 20:47:57 +0100 Subject: [PATCH 191/700] avcodec/webp: validate the distance prefix code According to the WebP Lossless Bitstream Specification the highest allowed value for a prefix code is 39. If prefix_code is too large, the calculated extra_bits has an invalid value and triggers an assertion in get_bits. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 5de2dab12b951b2fe121eb18503accfc91cd1565) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 802b03c826..f299550056 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,6 +694,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); + if (prefix_code > 39) { + av_log(s->avctx, AV_LOG_ERROR, + "distance prefix code too large: %d\n", prefix_code); + return AVERROR_INVALIDDATA; + } if (prefix_code < 4) { distance = prefix_code + 1; } else { From 25b8d52fdd158b524c08947526b8abdf968bac19 Mon Sep 17 00:00:00 2001 
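Review bot: The 12-bit limit on `s->mb_width * s->mb_height` is enforced only while the picture header is being written, so an unsupported frame size is detected once per frame and, presumably, after earlier header fields have already gone into `s->pb`. The condition depends only on the frame dimensions, so the same test could also run once in the encoder's init path (not visible in this hunk) and fail before any output is produced. If the check stays here as a backstop, a comment tying it to the field width, `/* the macroblock count below is written in 12 bits */`, would explain the `1U << 12`.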
From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 15:46:44 +0100 Subject: [PATCH 192/700] avformat/rm: limit packet size The chunk size is limited to 0xFFFF (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun See Ticket244 Signed-off-by: Michael Niedermayer (cherry picked from commit 08728f400b8367dc8c983036cb2eff3a2891322b) Signed-off-by: Michael Niedermayer --- libavformat/rmenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 2e50ed338c..27b5d8264d 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -394,6 +394,11 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + /* 0xFFFF is the maximal chunk size; header needs at most 7 + 4 + 12 B */ + if (size > 0xFFFF - 7 - 4 - 12) { + av_log(s, AV_LOG_ERROR, "large packet size %d not supported\n", size); + return AVERROR_PATCHWELCOME; + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); From b36bda3c82cb80a90c250e7384e9bc0a50ace2b3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 22:52:47 +0100 Subject: [PATCH 193/700] ffmdec: initialize f_cprv, f_stvi and f_stau They are used in a switch statement, but it is not guaranteed that the COMM case (where they are set to 0) is reached before the other cases. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 66879ee125944b0efde673d9fbebbe9489853e59) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 987f419c96..280a24cb38 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -261,7 +261,7 @@ static int ffm2_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVCodecContext *codec; int ret; - int f_main = 0, f_cprv, f_stvi, f_stau; + int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1; AVCodec *enc; char *buffer; From 819955f0c68ef81c840ce88401ef205b7386739f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:31:48 +0100 Subject: [PATCH 194/700] ffmdec: fix infinite loop at EOF If EOF is reached, while skipping bytes, avio_tell(pb) won't change anymore, resulting in an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6fa98822eba501a4898fdec5b75acd3026201005) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 280a24cb38..96527a3aa5 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -434,7 +434,7 @@ static int ffm2_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ @@ -561,7 +561,7 @@ static int ffm_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ From 0e16c3843a3b2cd06b90898c04d85ed3d82266bb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:12:59 +0100 Subject: [PATCH 195/700] ffmdec: make sure the time base is valid A negative time base can trigger assertions. Signed-off-by: Andreas Cadhalpun 
Signed-off-by: Michael Niedermayer (cherry picked from commit 4c91d81be23ffacfa3897b2bcfa77445bb0c2f89) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 96527a3aa5..ee34e73451 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -331,6 +331,12 @@ static int ffm2_read_header(AVFormatContext *s) } codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); @@ -503,6 +509,11 @@ static int ffm_read_header(AVFormatContext *s) case AVMEDIA_TYPE_VIDEO: codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); From 93a0682b1d73f114720cd5c5bd69740546f78cdb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 14:59:44 +0100 Subject: [PATCH 196/700] ffmdec: limit the backward seek to the last resync position If resyncing leads to the same position as previously, it will again lead to a resync attempt, resulting in an infinite loop. Thus don't seek back beyond the last syncpoint. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6b8263b03ab3d16d70525ae1893cb106be7852f1) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
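Review bot: The time-base check added to ffm_read_header jumps to `fail` without setting an error code, whereas the same check added to ffm2_read_header sets `ret = AVERROR_INVALIDDATA` first. Whether the `fail` label in ffm_read_header returns a fixed value or a variable is not visible in the hunk; if it returns a variable, this path could hand back a stale value for an invalid file. Setting the code explicitly, `ret = AVERROR_INVALIDDATA;` before the `goto fail;` (or the equivalent for that function), keeps the two readers consistent. Both functions extend beyond their hunks.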
diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index ee34e73451..33bbde04b0 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -82,6 +82,7 @@ static int ffm_read_data(AVFormatContext *s, FFMContext *ffm = s->priv_data; AVIOContext *pb = s->pb; int len, fill_size, size1, frame_offset, id; + int64_t last_pos = -1; size1 = size; while (size > 0) { @@ -101,9 +102,11 @@ static int ffm_read_data(AVFormatContext *s, avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ - if (id != PACKET_ID) + if (id != PACKET_ID) { if (ffm_resync(s, id) < 0) return -1; + last_pos = avio_tell(pb); + } fill_size = avio_rb16(pb); ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); @@ -117,7 +120,9 @@ static int ffm_read_data(AVFormatContext *s, if (!frame_offset) { /* This packet has no frame headers in it */ if (avio_tell(pb) >= ffm->packet_size * 3LL) { - avio_seek(pb, -ffm->packet_size * 2LL, SEEK_CUR); + int64_t seekback = FFMIN(ffm->packet_size * 2LL, avio_tell(pb) - last_pos); + seekback = FFMAX(seekback, 0); + avio_seek(pb, -seekback, SEEK_CUR); goto retry_read; } /* This is bad, we cannot find a valid frame header */ From 94354e368d71c973ecc0bd4518082c8118c17b09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Mar 2015 03:42:00 +0100 Subject: [PATCH 197/700] avcodec/options_table: remove extradata_size from the AVOptions table allowing access to the size but not the extradata itself is not useful and could lead to potential problems if writing happens through this field Reviewed-by: Andreas Cadhalpun Reviewed-by: Lukasz Marek Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index 1d5b07884a..9ac67ea4f1 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h 
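Review bot: `last_pos` is initialised to -1 as a "no resync yet" sentinel and then used directly in `avio_tell(pb) - last_pos`, and nothing documents that. It works because the enclosing test `avio_tell(pb) >= ffm->packet_size * 3LL` makes `FFMIN` pick `ffm->packet_size * 2LL` in the sentinel case, but that reasoning is easy to break in a later edit. I would add `/* position after the most recent resync, -1 if none; never seek back past it or the same resync repeats */` at the declaration. ffm_read_data's body lies mostly outside these hunks.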
@@ -103,7 +103,6 @@ static const AVOption avcodec_options[] = { {"hex", "hex motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_HEX }, INT_MIN, INT_MAX, V|E, "me_method" }, {"umh", "umh motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_UMH }, INT_MIN, INT_MAX, V|E, "me_method" }, {"iter", "iter motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_ITER }, INT_MIN, INT_MAX, V|E, "me_method" }, -{"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, {"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, From 86960b1101fac5c32ce6c1863caf140295ee48d5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 198/700] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 694792e059..b3eb58aa3a 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -966,6 +966,8 @@ static av_cold int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); 
From 8d853dc341d563543759b22e5ac710f8546c5158 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:31:39 +0100 Subject: [PATCH 199/700] asfenc: fix leaking asf->index_ptr on error Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 2c8cff2be4a044c66e4904efa156dafd0d332d25) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index fbf6158cef..58449d81bf 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -664,6 +664,7 @@ static int asf_write_header(AVFormatContext *s) * It is needed to use asf as a streamable format. */ if (asf_write_header1(s, 0, DATA_HEADER_SIZE) < 0) { //av_free(asf); + av_freep(&asf->index_ptr); return -1; } From 2b408d257fed340eb7b27aa25dd1b7bc6eb38a4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Mar 2015 20:21:14 +0100 Subject: [PATCH 200/700] avcodec/012v: Check dimensions more completely Fixes division by 0 Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index c2b6a35041..7526e8fcba 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -45,8 +45,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, const uint8_t *line_end, *src = avpkt->data; int stride = avctx->width * 8 / 3; - if (width == 1) { - av_log(avctx, AV_LOG_ERROR, "Width 1 not supported.\n"); + if (width <= 1 || avctx->height <= 0) { + av_log(avctx, AV_LOG_ERROR, "Dimensions %dx%d not supported.\n", width, avctx->height); return AVERROR_INVALIDDATA; } From 749cd89ca94d3540601f4837052cbb961eb99e06 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 10 Mar 2015 19:18:34 +0100 Subject: [PATCH 201/700] avcodec/012v: redesign main loop Fixes out of array accesses Fixes: ffmpeg_012v_crash.ts Found-by: Thomas Lindroth Reviewed-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 82 ++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index 7526e8fcba..b87551e0a5 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -38,7 +38,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx) static int zero12v_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - int line = 0, ret; + int line, ret; const int width = avctx->width; AVFrame *pic = data; uint16_t *y, *u, *v; 
@@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, pic->pict_type = AV_PICTURE_TYPE_I; pic->key_frame = 1; - y = (uint16_t *)pic->data[0]; - u = (uint16_t *)pic->data[1]; - v = (uint16_t *)pic->data[2]; line_end = avpkt->data + stride; + for (line = 0; line < avctx->height; line++) { + uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000}; + uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000}; + uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000}; + int x; + y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); - while (line++ < avctx->height) { - while (1) { - uint32_t t = AV_RL32(src); + for (x = 0; x < width; x += 6) { + uint32_t t; + + if (width - x < 6 || line_end - src < 16) { + y = y_temp; + u = u_temp; + v = v_temp; + } + + if (line_end - src < 4) + break; + + t = AV_RL32(src); src += 4; *u++ = t << 6 & 0xFFC0; *y++ = t >> 4 & 0xFFC0; *v++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; *y++ = t << 6 & 0xFFC0; *u++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (!(width & 1)) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; 
@@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *y++ = t >> 4 & 0xFFC0; *u++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *v++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (width & 1) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (width - x < 6) break; - } } + + if (x < width) { + y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + memcpy(y, y_temp, sizeof(*y) * (width - x)); + memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); + memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + } + + line_end += stride; + src = line_end - stride; } *got_frame = 1; From 6d14bea8b56866b45453ba2c5c5202852fad39eb Mon Sep 17 00:00:00 2001 
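Review bot: In the tail copy, `sizeof(*u) * (width - x + 1) / 2` is evaluated left to right, so the byte count is `(2 * (width - x + 1)) / 2`, i.e. `width - x + 1` bytes, rather than two bytes per chroma sample. When `width - x` is even this copies one byte more than the `(width - x + 1) / 2` samples intended, writing half a sample past the row's chroma data in both the `u` and `v` planes. Parenthesising the division fixes it: `memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));` and the same for `v`. Whether the extra byte lands in line padding depends on `pic->linesize`, which is not visible here. zero12v_decode_frame starts and ends outside this hunk.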
From: Andreas Cadhalpun Date: Fri, 13 Mar 2015 22:28:42 +0100 Subject: [PATCH 202/700] ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext The AC3DecodeContext has a float (USE_FIXED=0) and an integer (USE_FIXED=1) variant, both of which can be present in the same binary. This is not only very confusing, but it also breaks horribly, when one variant is used by code expecting the other. This currently happens, because eac3dec.c is only compiled for the float variant, but also used from ac3dec_fixed.c, which uses the integer variant. The result is memory corruption, leading to crashes. So compile eac3dec.c once for each variant and adapt it, so that it works with the integer variant. A loss of precission and scaling bug has been fixed by the committer Signed-off-by: Michael Niedermayer (cherry picked from commit 7b05b5093ea67a3397b0c37cf398bab471e1ce2b) Signed-off-by: Michael Niedermayer --- libavcodec/Makefile | 2 +- libavcodec/ac3dec.h | 6 +++--- libavcodec/ac3dec_fixed.c | 1 + libavcodec/ac3dec_float.c | 1 + libavcodec/eac3dec.c | 13 ++++++++----- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index fa0f53d70e..4c901fe10a 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -210,7 +210,7 @@ OBJS-$(CONFIG_DVVIDEO_DECODER) += dvdec.o dv.o dvdata.o OBJS-$(CONFIG_DVVIDEO_ENCODER) += dvenc.o dv.o dvdata.o OBJS-$(CONFIG_DXA_DECODER) += dxa.o OBJS-$(CONFIG_DXTORY_DECODER) += dxtory.o -OBJS-$(CONFIG_EAC3_DECODER) += eac3dec.o eac3_data.o +OBJS-$(CONFIG_EAC3_DECODER) += eac3_data.o OBJS-$(CONFIG_EAC3_ENCODER) += eac3enc.o eac3_data.o OBJS-$(CONFIG_EACMV_DECODER) += eacmv.o OBJS-$(CONFIG_EAMAD_DECODER) += eamad.o eaidct.o mpeg12.o \ diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index be29f00b14..5259c60009 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h 
@@ -243,19 +243,19 @@ typedef struct AC3DecodeContext { * Parse the E-AC-3 frame header. * This parses both the bit stream info and audio frame header. */ -int ff_eac3_parse_header(AC3DecodeContext *s); +static int ff_eac3_parse_header(AC3DecodeContext *s); /** * Decode mantissas in a single channel for the entire frame. * This is used when AHT mode is enabled. */ -void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch); +static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch); /** * Apply spectral extension to each channel by copying lower frequency * coefficients to higher frequency bins and applying side information to * approximate the original high frequency signal. */ -void ff_eac3_apply_spectral_extension(AC3DecodeContext *s); +static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s); #endif /* AVCODEC_AC3DEC_H */ diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index cb3b251589..b4beee6dd7 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -164,6 +164,7 @@ static void ac3_downmix_c_fixed16(int16_t **samples, int16_t (*matrix)[2], } } +#include "eac3dec.c" #include "ac3dec.c" static const AVOption options[] = { diff --git a/libavcodec/ac3dec_float.c b/libavcodec/ac3dec_float.c index e7fc5cbed1..d74a0df68d 100644 --- a/libavcodec/ac3dec_float.c +++ b/libavcodec/ac3dec_float.c @@ -28,6 +28,7 @@ * Upmix delay samples from stereo to original channel layout. */ #include "ac3dec.h" +#include "eac3dec.c" #include "ac3dec.c" static const AVOption options[] = { diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 8e931fddeb..cd2eec8d00 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c 
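Review bot: Declaring `ff_eac3_parse_header`, `ff_eac3_decode_transform_coeffs_aht_ch` and `ff_eac3_apply_spectral_extension` as `static` in ac3dec.h gives every translation unit that includes the header its own declaration, and only the ones that also `#include "eac3dec.c"` get a definition. Any other includer (none is visible on this page) would see declared-but-undefined static functions, a warning at best and a build failure if it calls one. A comment above the prototypes, `/* defined in eac3dec.c, which is textually included by ac3dec_fixed.c and ac3dec_float.c */`, would document the constraint. The `ff_` prefix on functions that are now file-local is also likely to mislead readers.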
@@ -63,7 +63,7 @@ typedef enum { #define EAC3_SR_CODE_REDUCED 3 -void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) +static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) { int bin, bnd, ch, i; uint8_t wrapflag[SPX_MAX_BANDS]={1,0,}, num_copy_sections, copy_sizes[SPX_MAX_BANDS]; @@ -101,7 +101,7 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) for (i = 0; i < num_copy_sections; i++) { memcpy(&s->transform_coeffs[ch][bin], &s->transform_coeffs[ch][s->spx_dst_start_freq], - copy_sizes[i]*sizeof(float)); + copy_sizes[i]*sizeof(INTFLOAT)); bin += copy_sizes[i]; } @@ -124,7 +124,7 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) bin = s->spx_src_start_freq - 2; for (bnd = 0; bnd < s->num_spx_bands; bnd++) { if (wrapflag[bnd]) { - float *coeffs = &s->transform_coeffs[ch][bin]; + INTFLOAT *coeffs = &s->transform_coeffs[ch][bin]; coeffs[0] *= atten_tab[0]; coeffs[1] *= atten_tab[1]; coeffs[2] *= atten_tab[2]; @@ -142,6 +142,9 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) for (bnd = 0; bnd < s->num_spx_bands; bnd++) { float nscale = s->spx_noise_blend[ch][bnd] * rms_energy[bnd] * (1.0f / INT32_MIN); float sscale = s->spx_signal_blend[ch][bnd]; +#if USE_FIXED + nscale *= 1.0 / (1<<23); +#endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); s->transform_coeffs[ch][bin] *= sscale; @@ -195,7 +198,7 @@ static void idct6(int pre_mant[6]) pre_mant[5] = even0 - odd0; } -void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) +static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) { int bin, blk, gs; int end_bap, gaq_mode; @@ -288,7 +291,7 @@ void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) } } -int ff_eac3_parse_header(AC3DecodeContext *s) +static int ff_eac3_parse_header(AC3DecodeContext *s) { int i, blk, ch; int ac3_exponent_strategy, parse_aht_info, parse_spx_atten_data; 
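Review bot: The corrected `memcpy` size in the `@@ -101` hunk still names the element type by hand, which is the pattern that let `sizeof(float)` go stale once the context gained an integer variant. Tying the size to the object, `copy_sizes[i] * sizeof(s->transform_coeffs[ch][0])`, keeps the byte count right if the element type changes again. ff_eac3_apply_spectral_extension starts and ends outside the hunk, so the bounds on `bin` and `copy_sizes[]` cannot be judged from it.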
From c657b08fd76a5d09bb36db13dedca839b5bc1ede Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sat, 14 Mar 2015 11:48:57 +0000 Subject: [PATCH 203/700] ac3_fixed: fix out-of-bound read Should also improve decoding, but actually doesn't... Signed-off-by: Michael Niedermayer (cherry picked from commit b0834400608b3980c06bf6d2cf747116e60d10c7) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index d3e8713e03..19903ee16f 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -872,7 +872,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband += start_subband - 7; end_subband = get_bits(gbc, 3) + 5; #if USE_FIXED - s->spx_dst_end_freq = end_freq_inv_tab[end_subband]; + s->spx_dst_end_freq = end_freq_inv_tab[end_subband-5]; #endif if (end_subband > 7) end_subband += end_subband - 7; From 6915dd49c7c6bf1f2b10f880cf1bb5a11c1d790d Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sat, 14 Mar 2015 11:48:58 +0000 Subject: [PATCH 204/700] ac3_fixed: fix computation of spx_noise_blend It was set to 1 instead of sqrt(3) Signed-off-by: Michael Niedermayer (cherry picked from commit c4bf3833f4663fd484441907f73c5bc4700021a4) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 19903ee16f..dbf20a81f1 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -939,7 +939,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) nblend = 0; sblend = 0x800000; } else if (nratio > 0x7fffff) { - nblend = 0x800000; + nblend = 14529495; // sqrt(3) in FP.23 sblend = 0; } else { nblend = fixed_sqrt(nratio, 23); From 808d5444c4072dd5c3f6e7f7341d0c94f54133e5 Mon Sep 17 00:00:00 2001 
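Review bot: The index `end_subband-5` in the ac3dec.c `@@ -872` hunk undoes the `+ 5` bias applied one line earlier, so the lookup is really on the raw 3-bit field (0..7), and that bound is visible only by reading both lines together. Reading the field into its own variable and indexing with it would show the range directly. The size of `end_freq_inv_tab` is not shown in the hunk; a comment or compile-time size check next to the table stating the number of entries it must have would document why this read is in range. decode_audio_block continues outside the hunk.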
From: Christophe Gisquet Date: Sat, 14 Mar 2015 11:48:59 +0000 Subject: [PATCH 205/700] eac3dec: fix scaling This is the remaining error, the output on the SPX samples, respectively csi_miami_stereo_128_spx.eac3 and csi_miami_5.1_256_spx.eac3, goes from: stddev: 8.71 PSNR: 77.52 MAXDIFF: 235 stddev:24270.51 PSNR: 22.17 MAXDIFF:47166 to: stddev: 0.12 PSNR:114.12 MAXDIFF: 1 stddev: 0.12 PSNR:114.73 MAXDIFF: 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 0c3339f4bd7aceebfd74deb437ba2e5c04ef3d0e) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index cd2eec8d00..ef815afb55 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -143,7 +143,9 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) float nscale = s->spx_noise_blend[ch][bnd] * rms_energy[bnd] * (1.0f / INT32_MIN); float sscale = s->spx_signal_blend[ch][bnd]; #if USE_FIXED + // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); + sscale *= 1.0 / (1<<23); #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); From 50fd06ea32e0e2fa994484ebeb6d81773130e120 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:23:32 +0100 Subject: [PATCH 206/700] avformat/mov: Use sizeof(filename) instead of a literal number Signed-off-by: Michael Niedermayer (cherry picked from commit 21a53dd08dce7cc5b3fdf9c4826b4b74d8300ea0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7455e3b5e5..39f30e432c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
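Review bot: In the USE_FIXED build this block still does the blend in `float`: `nscale` and `sscale` are converted from FP.23 with `1.0 / (1<<23)` and the results are multiplied into `s->transform_coeffs[ch][bin]`, whose element type in this file is `INTFLOAT`. If that is an integer type in the fixed build, each product is converted back implicitly, and a float-to-integer conversion of a value that does not fit is undefined behaviour in C. An explicit clamp before the store, or an integer multiply with a rounding shift, would bound it. As a matter of style, `1.0f / (1 << 23)` would match the `1.0f / INT32_MIN` two lines above and avoid the round trip through `double`.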
@@ -2486,9 +2486,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, filename[src_path - src] = 0; for (i = 1; i < ref->nlvl_from; i++) - av_strlcat(filename, "../", 1024); + av_strlcat(filename, "../", sizeof(filename)); - av_strlcat(filename, ref->path + l + 1, 1024); + av_strlcat(filename, ref->path + l + 1, sizeof(filename)); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; From b0cd6fb590810174296e65b362cc1d62a5b63051 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:24:54 +0100 Subject: [PATCH 207/700] avformat/mov: Check for string truncation in mov_open_dref() Signed-off-by: Michael Niedermayer (cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 39f30e432c..01600799ca 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2460,7 +2460,7 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, /* try relative path, we do not try the absolute because it can leak information about our system to an attacker */ if (ref->nlvl_to > 0 && ref->nlvl_from > 0) { - char filename[1024]; + char filename[1025]; const char *src_path; int i, l; @@ -2490,6 +2490,8 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (strlen(filename) + 1 == sizeof(filename)) + return AVERROR(ENOENT); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; } From 38d6ff31b7a5556731ace24fdc41cbc7b9f536e3 Mon Sep 17 00:00:00 2001 
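Review bot: The truncation test in the `@@ -2490` hunk works only because a completely full buffer is treated as truncated, which is also why `filename` grew to 1025 bytes in the `@@ -2460` hunk, and neither fact is written down. A comment on the check such as `/* buffer completely full: assume av_strlcat() truncated; 1025 so paths that fit the old 1024-byte buffer still pass */` would keep the two lines from being changed independently. Checking the `av_strlcat()` return values against `sizeof(filename)` would state the intent more directly, but it would have to cover the `"../"` calls in the loop as well. mov_open_dref starts and ends outside both hunks.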
From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:32:35 +0100 Subject: [PATCH 208/700] avformat/mov: Disallow ".." in dref unless use_absolute_path is set as this kind of allows to circumvent it to some extend. We also could add a separate parameter or value to choose this Found-by: ramiro Signed-off-by: Michael Niedermayer (cherry picked from commit 1e4d0498df6621143da1a550006ddc3526ad51cb) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 01600799ca..367752e1c9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2489,6 +2489,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, av_strlcat(filename, "../", sizeof(filename)); av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (!use_absolute_path) + if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1) + return AVERROR(ENOENT); if (strlen(filename) + 1 == sizeof(filename)) return AVERROR(ENOENT); From 61dbd3f3d09a6b569c41946a4c07dac0f21d413a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Mar 2015 23:28:39 +0100 Subject: [PATCH 209/700] avcodec/dnxhddec: Check that the frame is interlaced before using cur_field Fixes Ticket4227 Signed-off-by: Michael Niedermayer (cherry picked from commit 2c660e34cf3c2b77cd2bef6f292920334dfd9192) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 06800746d1..a8cf0800aa 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c 
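Review bot: The new `..` rejection in mov_open_dref runs only after `filename` has been fully assembled, and it is a nested `if` without braces, so the security decision is easy to overlook or to break with a later edit. A single braced condition placed ahead of the `av_strlcat()` calls, `if (!use_absolute_path && (ref->nlvl_from > 1 || strstr(ref->path + l + 1, "..")))` followed by `return AVERROR(ENOENT);`, keeps rejected input from being processed at all, provided `l` is already final at that point, which the hunk does not show. A one-line comment should say that the substring match is deliberately broad (it also rejects names such as `a..b`). The function starts and ends outside the hunk.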
@@ -363,7 +363,7 @@ static int dnxhd_decode_macroblock(DNXHDContext *ctx, AVFrame *frame, dest_u = frame->data[1] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444)); dest_v = frame->data[2] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444)); - if (ctx->cur_field) { + if (frame->interlaced_frame && ctx->cur_field) { dest_y += frame->linesize[0]; dest_u += frame->linesize[1]; dest_v += frame->linesize[2]; From 4be1cc7b1d6b1b8bd14b1916e842390288ab315c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Mar 2015 02:35:00 +0100 Subject: [PATCH 210/700] Update for 2.5.5 Signed-off-by: Michael Niedermayer --- Changelog | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 84b98f7176..3cfd2d563c 100644 --- a/Changelog +++ b/Changelog 
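Review bot: Guarding the field offset with `frame->interlaced_frame` masks a stale `ctx->cur_field` at this one use instead of clearing it, so any other reader of `cur_field` would still see the value left by an earlier interlaced frame. If `cur_field` is set in the header parser (outside this hunk), resetting it to 0 there for progressive frames would fix the state at its source. A comment here, e.g. `/* cur_field may be stale from a previous interlaced frame */`, would record why both conditions are needed. dnxhd_decode_macroblock starts and ends outside the hunk.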
@@ -1,6 +1,63 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.5: +- avformat/mov: Disallow ".." in dref unless use_absolute_path is set +- eac3dec: fix scaling +- ac3_fixed: fix computation of spx_noise_blend +- ac3_fixed: fix out-of-bound read +- ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext +- avcodec/012v: redesign main loop +- avcodec/012v: Check dimensions more completely +- asfenc: fix leaking asf->index_ptr on error +- avcodec/options_table: remove extradata_size from the AVOptions table +- ffmdec: limit the backward seek to the last resync position +- ffmdec: make sure the time base is valid +- ffmdec: fix infinite loop at EOF +- ffmdec: initialize f_cprv, f_stvi and f_stau +- avformat/rm: limit packet size +- avcodec/webp: validate the distance prefix code +- avcodec/rv10: check size of s->mb_width * s->mb_height +- eamad: check for out of bounds read +- mdec: check for out of bounds read +- arm: Suppress tags about used cpu arch and extensions +- aic: Fix decoding files with odd dimensions +- avcodec/tiff: move bpp check to after "end:" +- mxfdec: Fix the error handling for when strftime fails +- avcodec/opusdec: Fix delayed sample value +- avcodec/opusdec: Clear out pointers per packet +- avcodec/utils: Align YUV411 by as much as the other YUV variants +- vp9: fix segmentation map retention with threading enabled. 
+- webp: ensure that each transform is only used once +- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds +- fix VP9 packet decoder returning 0 instead of the used data size +- avformat/flvenc: check that the codec_tag fits in the available bits +- avcodec/utils: use correct printf specifier in ff_set_sar +- avutil/imgutils: correctly check for negative SAR components +- swscale/utils: clear formatConvBuffer on allocation +- avformat/bit: only accept the g729 codec and 1 channel +- avformat/bit: check that pkt->size is 10 in write_packet +- avformat/adxdec: check avctx->channels for invalid values +- avformat/adxdec: set avctx->channels in adx_read_header +- Fix buffer_size argument to init_put_bits() in multiple encoders. +- mips/acelp_filters: fix incorrect register constraint +- avcodec/hevc_ps: Sanity checks for some log2_* values +- avcodec/zmbv: Check len before reading in decode_frame() +- avcodec/h264: Only reinit quant tables if a new PPS is allowed +- avcodec/snowdec: Fix ref value check +- swscale/utils: More carefully merge and clear coefficients outside the input +- avcodec/a64multienc: Assert that the Packet size does not grow +- avcodec/a64multienc: simplify frame handling code +- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop +- avcodec/a64multienc: initialize mc_meta_charset to zero +- avcodec/a64multienc: don't set incorrect packet size +- avcodec/a64multienc: use av_frame_ref instead of copying the frame +- avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86() +- h264: initialize H264Context.avctx in init_thread_copy +- wtvdec: fix integer overflow resulting in errors with large files +- avcodec/gif: fix off by one in column offsetting finding + + version 2.5.4: - avcodec/arm/videodsp_armv5te: Fix linking failure with shared libs - avcodec/mjpegdec: Skip blocks which are outside the visible area diff --git a/RELEASE b/RELEASE index fe16b348d9..0cadbc1e33 100644 
--- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.4 +2.5.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3426b975a3..6d75bb961c 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.4 +PROJECT_NUMBER = 2.5.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 1e86b7108ef67734badba484d2ed102d1e0518f1 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 21 Mar 2015 17:12:48 -0300 Subject: [PATCH 211/700] vp9: make above buffer pointer 32-byte aligned. Fixes ticket #4383 Signed-off-by: James Almer (cherry picked from commit 1fd1f58bd6a58f2067a8d6b4919e1a0f34eb1f22) --- libavcodec/vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index c10f85efe3..a0512845b0 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -2506,7 +2506,7 @@ static void intra_recon(AVCodecContext *ctx, ptrdiff_t y_off, ptrdiff_t uv_off) for (x = 0; x < end_x; x += uvstep1d, ptr += 4 * uvstep1d, ptr_r += 4 * uvstep1d, n += step) { int mode = b->uvmode; - uint8_t *a = &a_buf[16]; + uint8_t *a = &a_buf[32]; int eob = b->skip ? 0 : b->uvtx > TX_8X8 ? AV_RN16A(&s->uveob[p][n]) : s->uveob[p][n]; mode = check_intra_mode(s, mode, &a, ptr_r, From eb6f2a183acdc57b2f52e5b1d2c0772c5c883f46 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 21 Mar 2015 15:07:35 -0300 Subject: [PATCH 212/700] Update Changelog --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog b/Changelog index 3cfd2d563c..d8755304df 100644 --- a/Changelog +++ b/Changelog 
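Review bot: The offset in `&a_buf[32]` (vp9.c `@@ -2506` hunk) is a bare number whose only justification is the commit subject. The declaration and alignment of `a_buf` are outside the hunk, so a comment at the use, e.g. `/* keep 'a' 32-byte aligned: the offset must be a multiple of a_buf's alignment */`, would stop the value drifting back to 16. It is also worth confirming that `a_buf` is large enough for the 16 extra bytes of leading offset. intra_recon starts and ends outside the hunk.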
@@ -2,7 +2,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 2.5.5: +- vp9: make above buffer pointer 32-byte aligned. +- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field - avformat/mov: Disallow ".." in dref unless use_absolute_path is set +- avformat/mov: Check for string truncation in mov_open_dref() +- avformat/mov: Use sizeof(filename) instead of a literal number - eac3dec: fix scaling - ac3_fixed: fix computation of spx_noise_blend - ac3_fixed: fix out-of-bound read From 742d7e9a6e4e7dce6c2559b5a8f5cab4c111e430 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 20 Mar 2015 21:28:34 +0100 Subject: [PATCH 213/700] hevc: make the crop sizes unsigned (cherry picked from commit c929659bdd7d2d5848ea52e685a3164c7b901bb0) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 8fdefbbdcf..d88c7a527f 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -298,10 +298,10 @@ typedef struct RefPicListTab { } RefPicListTab; typedef struct HEVCWindow { - int left_offset; - int right_offset; - int top_offset; - int bottom_offset; + unsigned int left_offset; + unsigned int right_offset; + unsigned int top_offset; + unsigned int bottom_offset; } HEVCWindow; typedef struct VUI { From d0599a3516c5da31c7009af7574abbff360b9ce6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Mar 2015 12:54:16 +0100 Subject: [PATCH 214/700] avcodec/hevc_ps: Check cropping parameters more correctly Signed-off-by: Michael Niedermayer (cherry picked from commit 06c70d45373dedc600f28e345685b130b60203c1) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 3309377455..d7e78b1b77 100644 --- a/libavcodec/hevc_ps.c 
+++ b/libavcodec/hevc_ps.c @@ -1040,7 +1040,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) (sps->output_window.left_offset + sps->output_window.right_offset); sps->output_height = sps->height - (sps->output_window.top_offset + sps->output_window.bottom_offset); - if (sps->output_width <= 0 || sps->output_height <= 0) { + if (sps->width <= sps->output_window.left_offset + (int64_t)sps->output_window.right_offset || + sps->height <= sps->output_window.top_offset + (int64_t)sps->output_window.bottom_offset) { av_log(s->avctx, AV_LOG_WARNING, "Invalid visible frame dimensions: %dx%d.\n", sps->output_width, sps->output_height); if (s->avctx->err_recognition & AV_EF_EXPLODE) { From b46840475ed607d743e839827d825ceca31b2a96 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 26 Mar 2015 02:11:55 -0300 Subject: [PATCH 215/700] avutil/cpu: add missing check for mmxext to av_force_cpu_flags Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 1f5d1eed78fad63f1c80a3766d3dc2421b99104d) --- libavutil/cpu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/cpu.c b/libavutil/cpu.c index 53c12273ef..1617464980 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -49,6 +49,7 @@ static int flags, checked; void av_force_cpu_flags(int arg){ if ( (arg & ( AV_CPU_FLAG_3DNOW | AV_CPU_FLAG_3DNOWEXT | + AV_CPU_FLAG_MMXEXT | AV_CPU_FLAG_SSE | AV_CPU_FLAG_SSE2 | AV_CPU_FLAG_SSE2SLOW | From 7e05c70bb025813398949d9e1be109bb5b7b88e1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 10 Apr 2015 20:51:11 -0300 Subject: [PATCH 216/700] doc: add missing x86 cpuflags to fftools documentation Signed-off-by: James Almer (cherry picked from commit 410c93cfd5ab509d8c9f907f88ae09a87fb743e6) --- doc/fftools-common-opts.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 0e8f849b9d..52296d4fcc 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi 
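Review bot: `sps->output_width` and `sps->output_height` are still computed from the unvalidated offsets on the lines just above the new test, and with the offsets now `unsigned int` that sum can wrap before the subtraction. The new condition itself is safe because of the `(int64_t)` casts, but the warning then prints the already-wrapped results with `%d`. Computing the two outputs only after the test has passed, and logging the four offsets instead, would keep invalid numbers out of both the context and the log. ff_hevc_decode_nal_sps continues outside the hunk, so what the non-EXPLODE path does with these fields cannot be seen here.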
@@ -253,10 +253,14 @@ Possible flags for this option are: @item sse4.1 @item sse4.2 @item avx +@item avx2 @item xop +@item fma3 @item fma4 @item 3dnow @item 3dnowext +@item bmi1 +@item bmi2 @item cmov @end table @item ARM From 60f2f332a3970a7cda8c396e14cd24784fefc23d Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 10 Apr 2015 20:51:35 -0300 Subject: [PATCH 217/700] doc: add missing arm cpuflags to fftools documentation Signed-off-by: James Almer (cherry picked from commit 666ec9bd097201eaacb9c04da526cb2710cb9cab) --- doc/fftools-common-opts.texi | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 52296d4fcc..46d5ea6cc9 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -271,6 +271,7 @@ Possible flags for this option are: @item vfp @item vfpv3 @item neon +@item setend @end table @item PowerPC @table @samp From 43fdd89a3f07af315d17a9d8ea6cd13a91e589ee Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 10 Apr 2015 20:52:29 -0300 Subject: [PATCH 218/700] doc: add aarch64 cpuflags to fftools documentation Signed-off-by: James Almer (cherry picked from commit 9fc45681e0c4736e4475966a70402d22c76a2965) --- doc/fftools-common-opts.texi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 46d5ea6cc9..c3e60dbd66 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -273,6 +273,12 @@ Possible flags for this option are: @item neon @item setend @end table +@item AArch64 +@table @samp +@item armv8 +@item vfp +@item neon +@end table @item PowerPC @table @samp @item altivec From a376ef4a17edb947bbcf54171daa914bd4585a4f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 24 Mar 2015 15:50:12 +0100 Subject: [PATCH 219/700] avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer Fixes out of array access Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f7e1367f58263593e6cee3c282f7277d7ee9d553) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 4d3da5ba17..deb6f86523 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char extra_byte, odd_pixel; unsigned char stream_byte; unsigned int pixel_ptr = 0; - int row_dec = pic->linesize[0]; - int row_ptr = (avctx->height - 1) * row_dec; - int frame_size = row_dec * avctx->height; + int line = avctx->height - 1; int i; - while (row_ptr >= 0) { + while (line >= 0 && pixel_ptr <= avctx->width) { if (bytestream2_get_bytes_left(gb) <= 0) { av_log(avctx, AV_LOG_ERROR, - "MS RLE: bytestream overrun, %d rows left\n", - row_ptr); + "MS RLE: bytestream overrun, %dx%d left\n", + avctx->width - pixel_ptr, line); return AVERROR_INVALIDDATA; } rle_code = stream_byte = bytestream2_get_byteu(gb); @@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); if (stream_byte == 0) { /* line is done, goto the next one */ - row_ptr -= row_dec; + line--; pixel_ptr = 0; } else if (stream_byte == 1) { /* decode is done */ 
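Review bot: The new loop condition `pixel_ptr <= avctx->width` in the `@@ -37` hunk compares an `unsigned int` with an `int`, and it ends decoding silently once `pixel_ptr` has been pushed past the row instead of reporting bad data. What follows the loop is outside the hunk, so whether that path returns success cannot be confirmed here; an explicit `return AVERROR_INVALIDDATA;` at the point where `pixel_ptr` first exceeds `avctx->width` would make the outcome unambiguous. The log argument `avctx->width - pixel_ptr` is likewise an unsigned expression passed to `%d`. Declaring `pixel_ptr` as `int` would address both type issues.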
@@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); pixel_ptr += stream_byte; stream_byte = bytestream2_get_byte(gb); - row_ptr -= stream_byte * row_dec; } else { // copy pixels from encoded stream odd_pixel = stream_byte & 1; rle_code = (stream_byte + 1) / 2; extra_byte = rle_code & 0x01; - if (row_ptr + pixel_ptr + stream_byte > frame_size || + if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width || bytestream2_get_bytes_left(gb) < rle_code) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame/stream ptr just went out of bounds (copy)\n"); @@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; stream_byte = bytestream2_get_byteu(gb); - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; pixel_ptr++; if (i + 1 == rle_code && odd_pixel) break; if (pixel_ptr >= avctx->width) break; - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } @@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, } } else { // decode a run of data - if (row_ptr + pixel_ptr + stream_byte > frame_size) { + if (pixel_ptr + rle_code > avctx->width + 1) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame ptr just went out of bounds (run)\n"); return AVERROR_INVALIDDATA; @@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; if ((i & 1) == 0) - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; else - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } } From 2f67222780be4412a4b1f896a3c32ca75dac0717 Mon Sep 17 00:00:00 2001 
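Review bot: In the branch of the `@@ -65` hunk that advances `pixel_ptr`, the second operand is still read with `bytestream2_get_byte(gb)`, but `row_ptr -= stream_byte * row_dec;` is removed and nothing replaces it, so the vertical delta is now discarded. If that is not intended, `line -= stream_byte;` after the read restores it, and the `line >= 0` test at the top of the loop already covers the resulting range before any further write. If it is intended, a comment saying so would help, since the commit message does not mention the change in behaviour. The branch condition itself lies outside the hunk.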
From: Michael Niedermayer Date: Mon, 30 Mar 2015 04:37:42 +0200 Subject: [PATCH 220/700] avutil/pca: Check for av_malloc* failures Signed-off-by: Michael Niedermayer (cherry picked from commit dadc43eee4d9036aa532665a04720238cc15e922) Signed-off-by: Michael Niedermayer --- libavutil/pca.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/pca.c b/libavutil/pca.c index f7ae350b48..1d88ff300a 100644 --- a/libavutil/pca.c +++ b/libavutil/pca.c @@ -41,12 +41,20 @@ PCA *ff_pca_init(int n){ return NULL; pca= av_mallocz(sizeof(*pca)); + if (!pca) + return NULL; + pca->n= n; pca->z = av_malloc_array(n, sizeof(*pca->z)); pca->count=0; pca->covariance= av_calloc(n*n, sizeof(double)); pca->mean= av_calloc(n, sizeof(double)); + if (!pca->z || !pca->covariance || !pca->mean) { + ff_pca_free(pca); + return NULL; + } + return pca; } From 071eb56a6a50c49c2341f3d2c69367fc5074f089 Mon Sep 17 00:00:00 2001 From: Rainer Hochecker Date: Tue, 31 Mar 2015 08:27:01 +0200 Subject: [PATCH 221/700] h264: avoid unnecessary calls to get_format Signed-off-by: Michael Niedermayer (cherry picked from commit 2197b4018920e5cd7ac465de007b675565687b23) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d08dd1511c..24bef59d7c 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1434,7 +1434,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) || h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) )); - if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0))) + if (h0->avctx->pix_fmt == AV_PIX_FMT_NONE + || (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0)))) must_reinit = 1; if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) From 52ba406b94d659dfdb2d8d119a6535474876c205 Mon Sep 17 00:00:00 2001 
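Review bot: `av_calloc(n*n, sizeof(double))` in ff_pca_init multiplies two `int`s before the allocator sees the count, so a large `n` overflows (undefined for signed `int`) ahead of any check the allocator can make, and the new NULL tests do not catch that. Only the tail of the argument check at the top of the function is visible in the hunk; if it does not bound `n` from above, reject large values there or widen the multiply, e.g. `av_calloc(n, n * sizeof(double))`. The new cleanup path also relies on `ff_pca_free()` accepting a partly initialised `PCA`; that function is outside the hunk and should be checked.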
From: Michael Niedermayer Date: Sat, 4 Apr 2015 19:28:33 +0200 Subject: [PATCH 222/700] avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode Fixes Ticket4408 Signed-off-by: Michael Niedermayer (cherry picked from commit fc58d5c43b4c7396fc69081eb0dfe5b6a21cb10d) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ac8adf3b11..88fc270ed9 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1554,8 +1554,14 @@ again: ret = -1; goto end; } - if(!idr_cleared) + if(!idr_cleared) { + if (h->current_slice && (avctx->active_thread_type & FF_THREAD_SLICE)) { + av_log(h, AV_LOG_ERROR, "invalid mixed IDR / non IDR frames cannot be decoded in slice multithreading mode\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } idr(h); // FIXME ensure we don't lose some frames if there is reordering + } idr_cleared = 1; h->has_recovery_point = 1; case NAL_SLICE: From 76b289bcf2c5e43b6d6704183e1b69ec63e78c50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Apr 2015 18:08:23 +0200 Subject: [PATCH 223/700] avcodec/h264_refs: Do not set reference to things which dont exist Fixes deadlock Fixes Ticket4428 Fixes Ticket4429 Signed-off-by: Michael Niedermayer (cherry picked from commit 429de043202286a2b5bcc082cc02de860b734db2) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 12da9210be..045f1846d3 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c 
@@ -707,7 +707,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) */ if (h->short_ref_count && h->short_ref[0] == h->cur_pic_ptr) { /* Just mark the second field valid */ - h->cur_pic_ptr->reference = PICT_FRAME; + h->cur_pic_ptr->reference |= h->picture_structure; } else if (h->cur_pic_ptr->long_ref) { av_log(h->avctx, AV_LOG_ERROR, "illegal short term reference " "assignment for second field " From 043cb40becb230cc53fc038cca26b4bb4b6ca7d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Apr 2015 23:44:38 +0200 Subject: [PATCH 224/700] ffmpeg: Fix extradata allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 4d02dfbde475d249916eb19c360e890059aa6aa5) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 2be1004b8d..7bf93bdb0f 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2620,11 +2620,13 @@ static int transcode_init(void) enc_ctx->rc_max_rate = dec_ctx->rc_max_rate; enc_ctx->rc_buffer_size = dec_ctx->rc_buffer_size; enc_ctx->field_order = dec_ctx->field_order; - enc_ctx->extradata = av_mallocz(extra_size); - if (!enc_ctx->extradata) { - return AVERROR(ENOMEM); + if (dec_ctx->extradata_size) { + enc_ctx->extradata = av_mallocz(extra_size); + if (!enc_ctx->extradata) { + return AVERROR(ENOMEM); + } + memcpy(enc_ctx->extradata, dec_ctx->extradata, dec_ctx->extradata_size); } - memcpy(enc_ctx->extradata, dec_ctx->extradata, dec_ctx->extradata_size); enc_ctx->extradata_size= dec_ctx->extradata_size; enc_ctx->bits_per_coded_sample = dec_ctx->bits_per_coded_sample; From 8968de6c61935da8942f1d9a152412a7c2d0ddc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Apr 2015 04:20:51 +0200 Subject: [PATCH 225/700] avformat/utils: avoid discarded streams in av_find_default_stream_index() Fixes Ticket2010 Signed-off-by: Michael Niedermayer (cherry picked from commit ff6841c6bb2d35f8d461419e45d59be7542d03fe) 
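Review bot: The new guard in the ffmpeg.c `@@ -2620` hunk tests `dec_ctx->extradata_size`, but the `memcpy` dereferences `dec_ctx->extradata`, so a decoder context with a non-zero size and a NULL pointer would still fault here. Testing both, `if (dec_ctx->extradata && dec_ctx->extradata_size) {`, costs nothing; the unconditional `enc_ctx->extradata_size= dec_ctx->extradata_size;` would then need to move inside the block so that size and pointer stay consistent. `extra_size` is computed outside the hunk, so its padding and overflow handling are not covered by this note.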
Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 78653d1f1c..1ab8bb646b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1583,6 +1583,9 @@ int av_find_default_stream_index(AVFormatContext *s) score += 50; } + if (st->discard != AVDISCARD_ALL) + score += 200; + if (score > best_score) { best_score = score; best_stream = i; From 48f616ceeecd296e033456926fbfe7223a318759 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2015 00:40:21 +0200 Subject: [PATCH 226/700] avcodec/h264: Fix race between slices where one overwrites data from the next Fixes non deterministic crash in ticket4408/fuzz2.264 Likely fixes other samples as well Signed-off-by: Michael Niedermayer (cherry picked from commit 43b434210e597d484aef57c4139c3126d22b7e2b) Conflicts: libavcodec/h264.h libavcodec/h264_slice.c (cherry picked from commit dbbc42858e87cdd04e6c3b7694f8b394d4bfcdc6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + libavcodec/h264_slice.c | 43 ++++++++++++++++++++++++++++++++++++----- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index cb7e6f9246..ec0b023267 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -539,6 +539,7 @@ typedef struct H264Context { int mb_x, mb_y; int resync_mb_x; int resync_mb_y; + int mb_index_end; int mb_skip_run; int mb_height, mb_width; int mb_stride; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 24bef59d7c..560b24f9e6 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
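Review bot: The new field `mb_index_end` in the h264.h hunk has no comment, and its meaning only becomes clear from how h264_slice.c compares it with `h->mb_x + h->mb_y * h->mb_width` and initialises it to `INT_MAX`. A trailing comment such as `/* macroblock index (mb_x + mb_y * mb_width) where the next slice starts; INT_MAX if unbounded */` would document the unit and the sentinel at the declaration. The struct continues outside the hunk.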
@@ -2445,8 +2445,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) for (;;) { // START_TIMER - int ret = ff_h264_decode_mb_cabac(h); - int eos; + int ret, eos; + + if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) { + av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n", + h->mb_index_end); + er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x, + h->mb_y, ER_MB_ERROR); + return AVERROR_INVALIDDATA; + } + + ret = ff_h264_decode_mb_cabac(h); // STOP_TIMER("decode_mb_cabac") if (ret >= 0) @@ -2508,7 +2517,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } } else { for (;;) { - int ret = ff_h264_decode_mb_cavlc(h); + int ret; + + if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) { + av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n", + h->mb_index_end); + er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x, + h->mb_y, ER_MB_ERROR); + return AVERROR_INVALIDDATA; + } + + ret = ff_h264_decode_mb_cavlc(h); if (ret >= 0) ff_h264_hl_decode_mb(h); 
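Review bot: The overlap guard is pasted verbatim into both the CABAC loop (the `@@ -2445` hunk) and the CAVLC loop (the `@@ -2508` hunk), so a later fix to one copy can miss the other. A small static helper would keep the bound check, the log line and the `er_add_slice()` call in one place, with each loop reduced to `if (slice_overlaps_next(h)) return AVERROR_INVALIDDATA;`. The helper name below is only a suggestion. decode_slice starts and ends outside both hunks.

```c
/* Returns nonzero, after logging and marking the slice as damaged, when the
 * current macroblock has reached the start of the next slice. */
static int slice_overlaps_next(H264Context *h)
{
    if (h->mb_x + h->mb_y * h->mb_width < h->mb_index_end)
        return 0;

    av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n",
           h->mb_index_end);
    er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,
                 h->mb_y, ER_MB_ERROR);
    return 1;
}

/* ... unchanged: decode_slice() setup ... */
        if (slice_overlaps_next(h))
            return AVERROR_INVALIDDATA;

        ret = ff_h264_decode_mb_cabac(h);
/* ... unchanged: rest of the CABAC loop; same two lines before ff_h264_decode_mb_cavlc() ... */
```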
@@ -2596,19 +2615,33 @@ int ff_h264_execute_decode_slices(H264Context *h, unsigned context_count) av_assert0(h->mb_y < h->mb_height); + h->mb_index_end = INT_MAX; + if (h->avctx->hwaccel || h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU) return 0; if (context_count == 1) { return decode_slice(avctx, &h); } else { + int j, mb_index; av_assert0(context_count > 0); - for (i = 1; i < context_count; i++) { + for (i = 0; i < context_count; i++) { + int mb_index_end = h->mb_width * h->mb_height; hx = h->thread_context[i]; - if (CONFIG_ERROR_RESILIENCE) { + mb_index = hx->resync_mb_x + hx->resync_mb_y * h->mb_width; + if (CONFIG_ERROR_RESILIENCE && i) { hx->er.error_count = 0; } hx->x264_build = h->x264_build; + for (j = 0; j < context_count; j++) { + H264Context *sl2 = h->thread_context[j]; + int mb_index2 = sl2->resync_mb_x + sl2->resync_mb_y * h->mb_width; + + if (i==j || mb_index > mb_index2) + continue; + mb_index_end = FFMIN(mb_index_end, mb_index2); + } + hx->mb_index_end = mb_index_end; } avctx->execute(avctx, decode_slice, h->thread_context, From 7fa861dfe06ef184d8e2b3e2545b8890b36bf07e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2015 02:47:36 +0200 Subject: [PATCH 227/700] avcodec/h264: finish previous slices before switching to single thread mode Fixes null pointer dereference Fixes Ticket4438 Signed-off-by: Michael Niedermayer (cherry picked from commit c4b2017ba66e1623da9f527704c61c86a6e74844) Conflicts: libavcodec/h264.c (cherry picked from commit 09cc7aee3f4d1bd1d7107d38520f782c62c14036) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 88fc270ed9..0dd71dd878 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
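Review bot: The nested loop that derives `hx->mb_index_end` has no comment, and its treatment of equal start positions is easy to miss. `mb_index > mb_index2` skips only slices that start strictly earlier, so two contexts with the same `resync_mb_x`/`resync_mb_y` each get `mb_index_end` equal to their own start and are presumably both rejected at their first macroblock by the new check in `decode_slice`. If that is the intended answer to duplicated slice starts in damaged or hostile streams, state it above the loop, e.g. `/* bound each slice by the nearest slice starting at or after it; identical starts reject both */`. `ff_h264_execute_decode_slices` begins and ends outside the hunk.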
@@ -1736,6 +1736,12 @@ again: av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); h->ref_count[0] = h->ref_count[1] = h->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { + if (context_count > 1) { + ret = ff_h264_execute_decode_slices(h, context_count - 1); + if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) + goto end; + context_count = 0; + } /* Slice could not be decoded in parallel mode, copy down * NAL unit stuff to context 0 and restart. Note that * rbsp_buffer is not transferred, but since we no longer From f96fdb46b773eadcfa5de34e800ec456c0e545b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Apr 2015 12:29:47 +0200 Subject: [PATCH 228/700] avcodec/h264_slice: Dont reset mb_aff_frame per slice Fixes null pointer dereference Fixes Ticket4440 Signed-off-by: Michael Niedermayer (cherry picked from commit 386601286fed2dff5e1955bc21a0256f6f35ab19) Conflicts: libavcodec/h264_slice.c (cherry picked from commit ce6d38e9ed0842870f3cd5414937bb6d1f2417d9) --- libavcodec/h264_slice.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 560b24f9e6..b667da3956 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1307,6 +1307,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int field_pic_flag, bottom_field_flag; int first_slice = h == h0 && !h0->current_slice; int frame_num, picture_structure, droppable; + int mb_aff_frame, last_mb_aff_frame; PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; @@ -1531,7 +1532,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) } h->mb_mbaff = 0; - h->mb_aff_frame = 0; + mb_aff_frame = 0; + last_mb_aff_frame = h0->mb_aff_frame; last_pic_structure = h0->picture_structure; last_pic_droppable = h0->droppable; droppable = h->nal_ref_idc == 0; 
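Review bot: The `context_count - 1` passed to `ff_h264_execute_decode_slices` in the new `SLICE_SINGLETHREAD` branch is unexplained, and an off-by-one here decides whether a half-initialised context is executed. Presumably the last context is the slice that just returned `SLICE_SINGLETHREAD` and must be left out of the flush, but the hunk does not show how `context_count` is advanced, so this should be confirmed and written down. Suggested comment: `/* flush the slices queued so far; the current one is restarted in context 0 below */`. The enclosing function continues outside the hunk.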
@@ -1549,12 +1551,13 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) picture_structure = PICT_TOP_FIELD + bottom_field_flag; } else { picture_structure = PICT_FRAME; - h->mb_aff_frame = h->sps.mb_aff; + mb_aff_frame = h->sps.mb_aff; } } if (h0->current_slice) { if (last_pic_structure != picture_structure || - last_pic_droppable != droppable) { + last_pic_droppable != droppable || + last_mb_aff_frame != mb_aff_frame) { av_log(h->avctx, AV_LOG_ERROR, "Changing field mode (%d -> %d) between slices is not allowed\n", last_pic_structure, h->picture_structure); @@ -1570,6 +1573,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h->picture_structure = picture_structure; h->droppable = droppable; h->frame_num = frame_num; + h->mb_aff_frame = mb_aff_frame; h->mb_field_decoding_flag = picture_structure != PICT_FRAME; if (h0->current_slice == 0) { From fe2df122b4c3441d4213a287c4d8f312a6e5a04a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Apr 2015 13:38:55 +0200 Subject: [PATCH 229/700] avcodec/h264: reset the counts in the correct context Fixes null pointer dereference Signed-off-by: Michael Niedermayer (cherry picked from commit 8f8d632220100bfde26587b27da73901b05cb774) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 0dd71dd878..d7b146e5f2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1734,7 +1734,7 @@ again: if (err < 0 || err == SLICE_SKIPED) { if (err < 0) av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); - h->ref_count[0] = h->ref_count[1] = h->list_count = 0; + hx->ref_count[0] = hx->ref_count[1] = hx->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { if (context_count > 1) { ret = ff_h264_execute_decode_slices(h, context_count - 1); From 3e30424961202d098a44eccc2c13ac965bc359a2 Mon Sep 17 00:00:00 2001 
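Review bot: The rejection path in the hunk at -1549 now also fires when only `last_mb_aff_frame != mb_aff_frame`, but the message still reads "Changing field mode (%d -> %d)" and never reports the MBAFF values. It also prints `h->picture_structure`, which as far as the visible hunks show is assigned the newly parsed value only later (hunk at -1570), so both numbers can be identical for a stream rejected here. I would log the locals and the MBAFF pair: `"Changing field mode (%d -> %d) or MBAFF (%d -> %d) between slices is not allowed\n", last_pic_structure, picture_structure, last_mb_aff_frame, mb_aff_frame`. `ff_h264_decode_slice_header` begins and ends outside the hunk.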
From: Michael Niedermayer Date: Thu, 9 Apr 2015 00:04:44 +0200 Subject: [PATCH 230/700] avcodec/aacdec: Fix storing state before PCE decode Fixes Ticket4460 Signed-off-by: Michael Niedermayer (cherry picked from commit e88b3852aefaa39b2170ef185ad03dda18732821) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index d00b3d0d27..381e316994 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -425,7 +425,7 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) * Save current output configuration if and only if it has been locked. */ static void push_output_configuration(AACContext *ac) { - if (ac->oc[1].status == OC_LOCKED) { + if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { ac->oc[0] = ac->oc[1]; } ac->oc[1].status = OC_NONE; From 9333ee7c0db1d360eb2fa84cd129e286df83b817 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Apr 2015 13:50:07 +0200 Subject: [PATCH 231/700] avcodec/h264: Be more tolerant to changing pps id between slices Fixes Ticket4446 Signed-off-by: Michael Niedermayer (cherry picked from commit 98d0c4236c7542c87f012228d3bc88aea67bddc2) Conflicts: libavcodec/h264.c (cherry picked from commit 0cd0fa9d0baabd2dc0442ed8b53ba65282733b61) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d7b146e5f2..42f24fe81f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1516,9 +1516,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, continue; again: - if ( (!(avctx->active_thread_type & FF_THREAD_FRAME) || nals_needed >= nal_index) - && !h->current_slice) - h->au_pps_id = -1; /* Ignore per frame NAL unit type during extradata * parsing. Decoding slices is not possible in codec init * with frame-mt */ 
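Review bot: The doc comment directly above `push_output_configuration` still says the configuration is saved "if and only if it has been locked", which the added `|| ac->oc[0].status == OC_NONE` makes untrue. Suggested wording: `* Save current output configuration if it has been locked, or if no configuration has been saved yet.` This reads `OC_NONE` on `oc[0]` as "nothing saved", which the enum name suggests but the hunk does not define. The function's closing brace is outside the hunk.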
@@ -1570,6 +1567,10 @@ again: hx->inter_gb_ptr = &hx->gb; hx->data_partitioning = 0; + if ( nals_needed >= nal_index + || (!(avctx->active_thread_type & FF_THREAD_FRAME) && !context_count)) + h->au_pps_id = -1; + if ((err = ff_h264_decode_slice_header(hx, h))) break; From 6f02d93c0fbf29e717ef99ad36272c1958f34dc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Apr 2015 22:18:35 +0200 Subject: [PATCH 232/700] avcodec/h264_ps: Move truncation check from VUI to SPS This more completely checks for truncation Signed-off-by: Michael Niedermayer (cherry picked from commit 32e06c485be94a4967bff87022cbb065d3cbfd0d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index c2747ac84c..a9c199fe62 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -241,12 +241,6 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps) } } - if (get_bits_left(&h->gb) < 0) { - av_log(h->avctx, AV_LOG_ERROR, - "Overread VUI by %d bits\n", -get_bits_left(&h->gb)); - return AVERROR_INVALIDDATA; - } - return 0; } @@ -523,6 +517,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) goto fail; } + if (get_bits_left(&h->gb) < 0) { + av_log(h->avctx, AV_LOG_ERROR, + "Overread %s by %d bits\n", sps->vui_parameters_present_flag ? "VUI" : "SPS", -get_bits_left(&h->gb)); + goto fail; + } + if (!sps->sar.den) sps->sar.den = 1; From 8c0fd44317b0f1c4e891692a673fd60eb1b5d1d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Apr 2015 18:35:07 +0200 Subject: [PATCH 233/700] avcodec/h264: Do not fail with randomly truncated VUIs Fixes Ticket4445 Tested-by: Vittorio Giovara Signed-off-by: Michael Niedermayer (cherry picked from commit bc48c88918f767e0dffcd138ae8e5c3052e8a92f) 
Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 9 +++++++-- libavcodec/h264.h | 2 +- libavcodec/h264_parser.c | 2 +- libavcodec/h264_ps.c | 7 ++++--- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 42f24fe81f..436a079f57 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1692,7 +1692,9 @@ again: break; case NAL_SPS: init_get_bits(&h->gb, ptr, bit_length); - if (ff_h264_decode_seq_parameter_set(h) < 0 && (h->is_avc ? nalsize : 1)) { + if (ff_h264_decode_seq_parameter_set(h, 0) >= 0) + break; + if (h->is_avc ? nalsize : 1) { av_log(h->avctx, AV_LOG_DEBUG, "SPS decoding failure, trying again with the complete NAL\n"); if (h->is_avc) @@ -1701,8 +1703,11 @@ again: break; init_get_bits(&h->gb, &buf[buf_index + 1 - consumed], 8*(next_avc - buf_index + consumed - 1)); - ff_h264_decode_seq_parameter_set(h); + if (ff_h264_decode_seq_parameter_set(h, 0) >= 0) + break; } + init_get_bits(&h->gb, ptr, bit_length); + ff_h264_decode_seq_parameter_set(h, 1); break; case NAL_PPS: diff --git a/libavcodec/h264.h b/libavcodec/h264.h index ec0b023267..2c975934a2 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -779,7 +779,7 @@ int ff_h264_decode_sei(H264Context *h); /** * Decode SPS */ -int ff_h264_decode_seq_parameter_set(H264Context *h); +int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation); /** * compute profile from sps diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 6e87efabe8..0c4282add8 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -271,7 +271,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, init_get_bits(&h->gb, ptr, 8 * dst_length); switch (h->nal_unit_type) { case NAL_SPS: - ff_h264_decode_seq_parameter_set(h); + ff_h264_decode_seq_parameter_set(h, 0); break; case NAL_PPS: ff_h264_decode_picture_parameter_set(h, h->gb.size_in_bits); 
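Review bot: The parser call site in libavcodec/h264_parser.c passes `ignore_truncation = 0` and has no fallback, while the decoder in libavcodec/h264.c (hunk at -1701) makes a third attempt with `1`. A truncated SPS is therefore accepted by the decoder but rejected by the parser, so the two may disagree on stream parameters for the same input. If that asymmetry is deliberate, a comment at the parser call would record it, e.g. `/* parser stays strict: truncated SPS is not accepted here */`; otherwise the parser needs the same fallback. `parse_nal_units` continues outside the hunk.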
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index a9c199fe62..fa4bc78d9d 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -297,7 +297,7 @@ static void decode_scaling_matrices(H264Context *h, SPS *sps, } } -int ff_h264_decode_seq_parameter_set(H264Context *h) +int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation) { int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; @@ -518,9 +518,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) } if (get_bits_left(&h->gb) < 0) { - av_log(h->avctx, AV_LOG_ERROR, + av_log(h->avctx, ignore_truncation ? AV_LOG_WARNING : AV_LOG_ERROR, "Overread %s by %d bits\n", sps->vui_parameters_present_flag ? "VUI" : "SPS", -get_bits_left(&h->gb)); - goto fail; + if (!ignore_truncation) + goto fail; } if (!sps->sar.den) From 74fb9df48b12acd42b0fe81a67dbbede5ffb88b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 19:43:08 +0200 Subject: [PATCH 234/700] swresample: Allow reinitialization without ever setting channel counts Signed-off-by: Michael Niedermayer (cherry picked from commit d7b9cb2f7a51351586791e65fa22e6536ee58c9f) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 12 ++++++------ libswresample/swresample.c | 4 ++++ libswresample/swresample_internal.h | 4 ++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index 01cdb1e141..e970d3bac8 100644 --- a/libswresample/options.c +++ b/libswresample/options.c 
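Review bot: The new `ignore_truncation` parameter is undocumented, both at the definition (hunks at -297 and -518) and at the prototype in h264.h, whose comment still reads only "Decode SPS". With it set, an SPS whose parse ran past the end of the bitstream is kept, so its trailing fields hold whatever the bit reader yields beyond the buffer rather than stream data. Callers need to know this before trusting those fields. Suggested addition to the prototype comment: `@param ignore_truncation if non-zero, an overread is logged as a warning and the SPS is still accepted`. `ff_h264_decode_seq_parameter_set` continues outside both hunks.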
@@ -35,12 +35,12 @@ #define PARAM AV_OPT_FLAG_AUDIO_PARAM static const AVOption options[]={ -{"ich" , "set input channel count" , OFFSET( in.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"in_channel_count" , "set input channel count" , OFFSET( in.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"och" , "set output channel count" , OFFSET(out.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"out_channel_count" , "set output channel count" , OFFSET(out.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"uch" , "set used channel count" , OFFSET(used_ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"used_channel_count" , "set used channel count" , OFFSET(used_ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"ich" , "set input channel count" , OFFSET(user_in_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"in_channel_count" , "set input channel count" , OFFSET(user_in_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"och" , "set output channel count" , OFFSET(user_out_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"out_channel_count" , "set output channel count" , OFFSET(user_out_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"uch" , "set used channel count" , OFFSET(user_used_ch_count), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"used_channel_count" , "set used channel count" , OFFSET(user_used_ch_count), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, {"isr" , "set input sample rate" , OFFSET( in_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, {"in_sample_rate" , "set input sample rate" , OFFSET( in_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, {"osr" , "set output sample rate" , OFFSET(out_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, 
diff --git a/libswresample/swresample.c b/libswresample/swresample.c index eb6effa8ef..d7344b12a6 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -164,6 +164,10 @@ av_cold int swr_init(struct SwrContext *s){ return AVERROR(EINVAL); } + s->out.ch_count = s-> user_out_ch_count; + s-> in.ch_count = s-> user_in_ch_count; + s->used_ch_count = s->user_used_ch_count; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 3761843e3b..b892fea379 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -90,6 +90,10 @@ struct SwrContext { int used_ch_count; ///< number of used input channels (mapped channel count if channel_map, otherwise in.ch_count) enum SwrEngine engine; + int user_in_ch_count; ///< User set input channel count + int user_out_ch_count; ///< User set output channel count + int user_used_ch_count; ///< User set used channel count + struct DitherContext dither; int filter_size; /**< length of each FIR filter in the resampling filterbank relative to the cutoff frequency */ From 84fedd3be7685780de8a278f86d0ecb090e6b1c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 20:50:53 +0200 Subject: [PATCH 235/700] swresample: Allow reinitialization without ever setting channel layouts (cherry picked from commit 80a28c7509a11114e1aea5b208d56c6646d69c07) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 8 ++++---- libswresample/rematrix.c | 4 ++-- libswresample/swresample.c | 7 +++++-- libswresample/swresample_internal.h | 2 ++ 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index e970d3bac8..de84672834 100644 --- a/libswresample/options.c 
+++ b/libswresample/options.c 
@@ -51,10 +51,10 @@ static const AVOption options[]={ {"out_sample_fmt" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"tsf" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"internal_sample_fmt" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"icl" , "set input channel layout" , OFFSET( in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"in_channel_layout" , "set input channel layout" , OFFSET( in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"ocl" , "set output channel layout" , OFFSET(out_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"out_channel_layout" , "set output channel layout" , OFFSET(out_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"icl" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"in_channel_layout" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"ocl" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"out_channel_layout" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"clev" , "set center mix level" , OFFSET(clev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, {"center_mix_level" , "set center mix level" , OFFSET(clev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, {"slev" , "set surround mix level" , OFFSET(slev ), 
AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 6552a2fea2..2238f0aae3 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -65,8 +65,8 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) if (!s || s->in_convert) // s needs to be allocated but not initialized return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); - nb_in = av_get_channel_layout_nb_channels(s->in_ch_layout); - nb_out = av_get_channel_layout_nb_channels(s->out_ch_layout); + nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); + nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix[out][in] = matrix[in]; diff --git a/libswresample/swresample.c b/libswresample/swresample.c index d7344b12a6..c9e5e4d4ae 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -86,10 +86,10 @@ struct SwrContext *swr_alloc_set_opts(struct SwrContext *s, if (av_opt_set_int(s, "tsf", AV_SAMPLE_FMT_NONE, 0) < 0) goto fail; - if (av_opt_set_int(s, "ich", av_get_channel_layout_nb_channels(s-> in_ch_layout), 0) < 0) + if (av_opt_set_int(s, "ich", av_get_channel_layout_nb_channels(s-> user_in_ch_layout), 0) < 0) goto fail; - if (av_opt_set_int(s, "och", av_get_channel_layout_nb_channels(s->out_ch_layout), 0) < 0) + if (av_opt_set_int(s, "och", av_get_channel_layout_nb_channels(s->user_out_ch_layout), 0) < 0) goto fail; av_opt_set_int(s, "uch", 0, 0); @@ -168,6 +168,9 @@ av_cold int swr_init(struct SwrContext *s){ s-> in.ch_count = s-> user_in_ch_count; s->used_ch_count = s->user_used_ch_count; + s-> in_ch_layout = s-> user_in_ch_layout; + s->out_ch_layout = s->user_out_ch_layout; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; 
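Review bot: In `swr_set_matrix` (libswresample/rematrix.c hunk), `nb_in` and `nb_out` now come from `user_in_ch_layout`/`user_out_ch_layout` and are used unchecked as loop bounds for writes to `s->matrix[out][in]`. These are the raw option values, which the option table allows up to `INT64_MAX`. The `> SWR_CH_MAX` layout check visible in `swr_init` has not run yet, because this function requires an uninitialised context. If `s->matrix` is dimensioned by `SWR_CH_MAX` (its declaration is not shown), a layout with more bits set writes past the array, so I would add `if (nb_in > SWR_CH_MAX || nb_out > SWR_CH_MAX) return AVERROR(EINVAL);` before the loops. The function body continues outside the hunk.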
diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index b892fea379..1bc6837926 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -93,6 +93,8 @@ struct SwrContext { int user_in_ch_count; ///< User set input channel count int user_out_ch_count; ///< User set output channel count int user_used_ch_count; ///< User set used channel count + int64_t user_in_ch_layout; ///< User set input channel layout + int64_t user_out_ch_layout; ///< User set output channel layout struct DitherContext dither; From 07ea57c5bbbed5c6806acf5af28d787da965767f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 21:08:09 +0200 Subject: [PATCH 236/700] swresample: Check channel layouts and channels against each other and print human readable error messages Signed-off-by: Michael Niedermayer (cherry picked from commit 3c77bb5f23b2e149495c814759beab7eedeede6c) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index c9e5e4d4ae..80efe58c53 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -152,6 +152,7 @@ av_cold void swr_close(SwrContext *s){ av_cold int swr_init(struct SwrContext *s){ int ret; + char l1[1024], l2[1024]; clear_context(s); 
@@ -278,10 +279,18 @@ av_cold int swr_init(struct SwrContext *s){ return -1; } + av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); + av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); + if (s->out_ch_layout && s->out.ch_count != av_get_channel_layout_nb_channels(s->out_ch_layout)) { + av_log(s, AV_LOG_ERROR, "Output channel layout %s mismatches specified channel count %d\n", l2, s->out.ch_count); + return AVERROR(EINVAL); + } + if (s->in_ch_layout && s->used_ch_count != av_get_channel_layout_nb_channels(s->in_ch_layout)) { + av_log(s, AV_LOG_ERROR, "Input channel layout %s mismatches specified channel count %d\n", l1, s->used_ch_count); + return AVERROR(EINVAL); + } + if ((!s->out_ch_layout || !s->in_ch_layout) && s->used_ch_count != s->out.ch_count && !s->rematrix_custom) { - char l1[1024], l2[1024]; - av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); - av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); av_log(s, AV_LOG_ERROR, "Rematrix is needed between %s and %s " "but there is not enough information to do it\n", l1, l2); return -1; From 41b15817ce1eee80f2206c9d0b554f58ed322a03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 22:08:52 +0200 Subject: [PATCH 237/700] swresample/swresample-test: Randomly wipe out channel counts Signed-off-by: Michael Niedermayer (cherry picked from commit ff50b1b13be965c93a9a7169edb62631a928e308) Signed-off-by: Michael Niedermayer --- libswresample/swresample-test.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/swresample-test.c b/libswresample/swresample-test.c index c0162cd646..694880648a 100644 --- a/libswresample/swresample-test.c +++ b/libswresample/swresample-test.c 
@@ -314,6 +314,11 @@ int main(int argc, char **argv){ fprintf(stderr, "Failed to init backw_ctx\n"); return 1; } + if (uint_rand(rand_seed) % 3 == 0) + av_opt_set_int(forw_ctx, "ich", 0, 0); + if (uint_rand(rand_seed) % 3 == 0) + av_opt_set_int(forw_ctx, "och", 0, 0); + if(swr_init( forw_ctx) < 0) fprintf(stderr, "swr_init(->) failed\n"); if(swr_init(backw_ctx) < 0) From 9a241d95efa1f6cc545a098160609fd3ba64d844 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 14:49:08 +0200 Subject: [PATCH 238/700] msrledec: use signed pixel_ptr in msrle_decode_pal4 This fixes segmentation faults, when pic->linesize[0] is negative. In that case 'line * pic->linesize[0] + pixel_ptr' is treated as unsigned and wraps around. This reverts commit 7d78a964. The problem was introduced in commit f7e1367f, which should obsolete that commit. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd7300b4e9f81d3b5ba201096ffe7cccf26fb) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index deb6f86523..200221a0ee 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -36,7 +36,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte; - unsigned int pixel_ptr = 0; + int pixel_ptr = 0; int line = avctx->height - 1; int i; From 621f1a2e63647251472b59ab9712174570647d5e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 16:58:32 +0200 Subject: [PATCH 239/700] aacdec: consistently use avctx for logging in decode_eld_specific_config ac may be NULL and then accessing ac->avctx results in a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 5b75689b987e4c4dd4f34d5c8be389547e9cc701) 
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 381e316994..1aa1a80675 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -904,7 +904,7 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx, if (len == 15 + 255) len += get_bits(gb, 16); if (get_bits_left(gb) < len * 8 + 4) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); + av_log(avctx, AV_LOG_ERROR, overread_err); return AVERROR_INVALIDDATA; } skip_bits_long(gb, 8 * len); From d846d3e88efd4c90e22e8a5f2b2b745e5a6a6166 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 19:12:02 +0200 Subject: [PATCH 240/700] aasc: return correct buffer size from aasc_decode_frame Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0be54ad280cf114c02306b7063147e8379f8ed1e) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 65ef782688..469fc5eef6 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -137,7 +137,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, return ret; /* report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } static av_cold int aasc_decode_end(AVCodecContext *avctx) From 1d0f9c92c5505ada35a20d6812fb41a47aa0d14a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 20:04:54 +0200 Subject: [PATCH 241/700] aacpsy: avoid psy_band->threshold becoming NaN If band->thr is 0.0f, the division is undefined, making norm_fac not a number or infinity, which causes psy_band->threshold to become NaN. This is passed on to other variables until it finally reaches sce->sf_idx and is converted to an integer (-2147483648). This causes a segmentation fault when it is used as array index. 
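Review bot: In the `decode_eld_specific_config` hunk, `overread_err` is passed to `av_log` as the format argument rather than as data. Its definition is outside the hunk; if it is a constant string without conversions this is harmless today. A non-literal format still defeats `-Wformat` checking and turns into a format-string bug if the text ever gains a `%`. Since the line is being touched anyway, I would write `av_log(avctx, AV_LOG_ERROR, "%s", overread_err);`.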
Signed-off-by: Andreas Cadhalpun Reviewed-by: Claudio Freire Signed-off-by: Michael Niedermayer (cherry picked from commit e224aa41917454e7b5c23d9f2541425743ce595a) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index 9eeb836523..cee4bf2921 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -727,7 +727,10 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (active_lines > 0.0f) band->thr = calc_reduced_thr_3gpp(band, coeffs[g].min_snr, reduction); pe += calc_pe_3gpp(band); - band->norm_fac = band->active_lines / band->thr; + if (band->thr > 0.0f) + band->norm_fac = band->active_lines / band->thr; + else + band->norm_fac = 0.0f; norm_fac += band->norm_fac; } } From b420354a8b6611d7a5af1f7acd04a5055ded0bb7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 21:25:26 +0200 Subject: [PATCH 242/700] ac3: validate end in ff_ac3_bit_alloc_calc_mask This fixes an invalid read if end is 0: band_end = ff_ac3_bin_to_band_tab[end-1] + 1; Depending on what is before the array, this can cause stack smashing, when band_end becomes too large. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit bc4fee7f2a51635fa3c0f61d1e5164da1efeded3) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ac3.c b/libavcodec/ac3.c index 29e132f5d1..8d39bbe83b 100644 --- a/libavcodec/ac3.c +++ b/libavcodec/ac3.c @@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, int band_start, band_end, begin, end1; int lowcomp, fastleak, slowleak; + if (end <= 0) + return AVERROR_INVALIDDATA; + /* excitation function */ band_start = ff_ac3_bin_to_band_tab[start]; band_end = ff_ac3_bin_to_band_tab[end-1] + 1; From 0683ef4b50c45d3ee7466d07b6514d62145f64e2 Mon Sep 17 00:00:00 2001 
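Review bot: The guard added to `ff_ac3_bit_alloc_calc_mask` rejects `end <= 0`, but `start` is still used unchecked in `ff_ac3_bin_to_band_tab[start]` on the next statement, and `end` has no upper bound against the table length. If callers can pass stream-derived values (they are not shown here), a negative `start` or an oversized `end` reads outside the table just like the case being fixed. I would extend the same `if` to reject `start < 0` and any `start` or `end - 1` beyond the last table index, taking the limit from the table's declared size (`FF_ARRAY_ELEMS(ff_ac3_bin_to_band_tab)` if the size is visible at this point). The function body continues outside the hunk.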
From: Michael Niedermayer Date: Fri, 17 Apr 2015 11:58:41 +0200 Subject: [PATCH 243/700] avcodec/atrac3plusdsp: fix on stack alignment Fixes fate failure on ARM (cherry picked from commit 38f67260684aec8a02d87ab4056b1a1fbf964c03) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plusdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac3plusdsp.c b/libavcodec/atrac3plusdsp.c index 3522af1e5a..3c68f74d25 100644 --- a/libavcodec/atrac3plusdsp.c +++ b/libavcodec/atrac3plusdsp.c @@ -599,8 +599,8 @@ void ff_atrac3p_ipqf(FFTContext *dct_ctx, Atrac3pIPQFChannelCtx *hist, const float *in, float *out) { int i, s, sb, t, pos_now, pos_next; - DECLARE_ALIGNED(32, float, idct_in)[ATRAC3P_SUBBANDS]; - DECLARE_ALIGNED(32, float, idct_out)[ATRAC3P_SUBBANDS]; + LOCAL_ALIGNED(32, float, idct_in, [ATRAC3P_SUBBANDS]); + LOCAL_ALIGNED(32, float, idct_out, [ATRAC3P_SUBBANDS]); memset(out, 0, ATRAC3P_FRAME_SAMPLES * sizeof(*out)); From 8a59dbbc68f7de2d911fe9627681049b1d5f7b8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Apr 2015 15:48:25 +0200 Subject: [PATCH 244/700] Update or 2.5.6 Signed-off-by: Michael Niedermayer --- Changelog | 22 ++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d8755304df..0ca400c1f6 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,28 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.6 +- avcodec/atrac3plusdsp: fix on stack alignment +- ac3: validate end in ff_ac3_bit_alloc_calc_mask +- aacpsy: avoid psy_band->threshold becoming NaN +- aasc: return correct buffer size from aasc_decode_frame +- msrledec: use signed pixel_ptr in msrle_decode_pal4 +- swresample: Allow reinitialization without ever setting channel layouts (cherry picked from commit 80a28c7509a11114e1aea5b208d56c6646d69c07) +- swresample: Allow reinitialization without ever setting channel counts +- avcodec/h264: Do not fail with randomly truncated VUIs +- avcodec/h264_ps: Move truncation check from VUI to SPS +- avcodec/h264: Be more tolerant to changing pps id between slices +- avcodec/aacdec: Fix storing state before PCE decode +- avcodec/h264: reset the counts in the correct context +- avcodec/h264_slice: Do not reset mb_aff_frame per slice +- avcodec/h264: finish previous slices before switching to single thread mode +- avcodec/h264: Fix race between slices where one overwrites data from the next +- avcodec/h264_refs: Do not set reference to things which do not exist +- avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode +- h264: avoid unnecessary calls to get_format +- avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer + + version 2.5.5: - vp9: make above buffer pointer 32-byte aligned. - avcodec/dnxhddec: Check that the frame is interlaced before using cur_field diff --git a/RELEASE b/RELEASE index 0cadbc1e33..da6b0a8f16 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.5 +2.5.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 6d75bb961c..3a35d9c3ba 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.5 +PROJECT_NUMBER = 2.5.6 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 96c1421627aad9e9216e0d5d50419a880bdc34ee Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 18:31:36 +0200 Subject: [PATCH 245/700] alsdec: ensure channel reordering is reversible If the same idx is used for more than one i, at least one entry in sconf->chan_pos remains uninitialized. This can cause segmentation faults. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ef16501aebed43e34a3721336e8bee732eca2877) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cfece44285..e5397951d0 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -357,11 +357,15 @@ static av_cold int read_specific_config(ALSDecContext *ctx) ctx->cs_switch = 1; + for (i = 0; i < avctx->channels; i++) { + sconf->chan_pos[i] = -1; + } + for (i = 0; i < avctx->channels; i++) { int idx; idx = get_bits(&gb, chan_pos_bits); - if (idx >= avctx->channels) { + if (idx >= avctx->channels || sconf->chan_pos[idx] != -1) { av_log(avctx, AV_LOG_WARNING, "Invalid channel reordering.\n"); ctx->cs_switch = 0; break; From 5be683d687b6b2b697d34274d7ae56af3f047549 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Apr 2015 20:50:23 +0200 Subject: [PATCH 246/700] avcodec/alsdec: Use av_mallocz_array() for chan_data to ensure the arrays never contain random data 
Signed-off-by: Michael Niedermayer (cherry picked from commit 7e104647a3556fc61a139483cee1cb7dfa2dc5bd) Conflicts: libavcodec/alsdec.c --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e5397951d0..8a8bff15e9 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1731,9 +1731,9 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate and assign channel data buffer for mcc mode if (sconf->mc_coding) { - ctx->chan_data_buffer = av_malloc(sizeof(*ctx->chan_data_buffer) * + ctx->chan_data_buffer = av_mallocz(sizeof(*ctx->chan_data_buffer) * num_buffers * num_buffers); - ctx->chan_data = av_malloc(sizeof(*ctx->chan_data) * + ctx->chan_data = av_mallocz(sizeof(*ctx->chan_data) * num_buffers); ctx->reverted_channels = av_malloc(sizeof(*ctx->reverted_channels) * num_buffers); From faac8e43315dae5818816bcebe52d11777b064b2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 20:09:28 +0200 Subject: [PATCH 247/700] alsdec: validate time diff index If begin is smaller than t, the subtraction 'begin -= t' wraps around, because begin is unsigned. The same applies for end < t. This causes segmentation faults. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 8a8bff15e9..0a6be7bf90 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
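Review bot: The allocation size for chan_data_buffer is still the unchecked product `sizeof(*ctx->chan_data_buffer) * num_buffers * num_buffers`, so zero-filling does not help if that multiplication wraps and the buffer comes out smaller than later code assumes. The subject names av_mallocz_array(), which takes the element count and size separately and fails on an overflowing product, but the backported lines call av_mallocz(); `ctx->chan_data = av_mallocz_array(num_buffers, sizeof(*ctx->chan_data));` would match the title. num_buffers is set outside this hunk in decode_init(), so whether it is bounded before being squared cannot be confirmed here. reverted_channels on the following line is still allocated with av_malloc() and stays uninitialised.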
@@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; + if (t > 0 && begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t); + return AVERROR_INVALIDDATA; + } begin -= t; } else { + if (t > 0 && end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t); + return AVERROR_INVALIDDATA; + } end -= t; } From 3f629c83b462bbafbc262fbc7f1488a2d8f3b13e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2015 23:59:53 +0200 Subject: [PATCH 248/700] avformat/img2dec: do not rewind custom io buffers Fixes double free with some applications Fixes vlc ticket14121 Signed-off-by: Michael Niedermayer (cherry picked from commit e6e8cc8ce9c2a398fbb51254a5067f4bd3c4fa8a) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index a20868cbaf..1a31ac870b 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -339,7 +339,10 @@ int ff_img_read_header(AVFormatContext *s1) break; } } - ffio_rewind_with_probe_data(s1->pb, &probe_buffer, probe_buffer_size); + if (s1->flags & AVFMT_FLAG_CUSTOM_IO) { + avio_seek(s1->pb, 0, SEEK_SET); + } else + ffio_rewind_with_probe_data(s1->pb, &probe_buffer, probe_buffer_size); } if (st->codec->codec_id == AV_CODEC_ID_NONE) st->codec->codec_id = ff_guess_image2_codec(s->path); From 5fd5b8ef79c074d5830f2213009601a399f9c952 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2015 22:22:31 +0200 Subject: [PATCH 249/700] avformat/utils: Ensure that AVFMT_FLAG_CUSTOM_IO is set before use Signed-off-by: Michael Niedermayer (cherry picked from commit ba631b791435c395361e2026fc7419b341e57813) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) 
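Review bot: The result of `avio_seek(s1->pb, 0, SEEK_SET)` in the new custom-IO branch is discarded, so a caller-supplied AVIOContext that cannot seek leaves the stream positioned after the probed bytes while ff_img_read_header() carries on as if the rewind had worked. Checking it, for example `if (avio_seek(s1->pb, 0, SEEK_SET) < 0) return AVERROR(EIO);`, would surface that case; how earlier allocations are unwound on such a return is outside the hunk. probe_buffer is handed by address only to ffio_rewind_with_probe_data(), which suggests that call takes ownership of it, so on the custom-IO path the buffer appears to need an explicit `av_freep(&probe_buffer);`. The braced `if` with an unbraced `else` would also read better with braces on both arms.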
diff --git a/libavformat/utils.c b/libavformat/utils.c index 1ab8bb646b..d1e0f7139d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -418,6 +418,9 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if (options) av_dict_copy(&tmp, *options, 0); + if (s->pb) // must be before any goto fail + s->flags |= AVFMT_FLAG_CUSTOM_IO; + if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; From a2ad7fdb3a262e14a8371f3201879ee647a4d287 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 12 Apr 2015 08:28:42 -0700 Subject: [PATCH 250/700] fate: Include branch information in the payload header The server is properly equiped not to choke on that now. Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad27f1221562b037178d1fb605510ba349f04cc) Signed-off-by: Michael Niedermayer --- tests/fate.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/fate.sh b/tests/fate.sh index 5a78018b42..b55d87efc0 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -83,8 +83,7 @@ clean(){ report(){ date=$(date -u +%Y%m%d%H%M%S) - echo "fate:0:${date}:${slot}:${version}:$1:$2:${comment}" >report -# echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report + echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report cat ${build}/config.fate >>report cat ${build}/tests/data/fate/*.rep >>report || for i in ${build}/tests/data/fate/*.rep ; do cat "$i" >>report ; done test -n "$fate_recv" && $tar report *.log | gzip | $fate_recv From 346c4f0ad0bd3c5c2ae26120da044824fef25066 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 19 Jan 2015 22:56:59 +0100 Subject: [PATCH 251/700] tests: drop bc dependency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We already have a dependency on awk and bc is sometimes not found in the base system. Signed-off-by: Martin Storsjö (cherry picked from commit a982c5d74fbc7ff5bd2f2f73af61ae48e9b1bcc6) 
Signed-off-by: Timothy Gu Conflicts: doc/platform.texi --- doc/platform.texi | 4 +--- tests/fate-run.sh | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/doc/platform.texi b/doc/platform.texi index ca76492753..fa91ce2b6c 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -135,8 +135,6 @@ You will need the following prerequisites: (if using MSVC 2012 or earlier) @item @uref{http://www.mingw.org/, MSYS} @item @uref{http://yasm.tortall.net/, YASM} -@item @uref{http://gnuwin32.sourceforge.net/packages/bc.htm, bc for Windows} if -you want to run @uref{fate.html, FATE}. @end itemize To set up a proper environment in MSYS, you need to run @code{msys.bat} from @@ -283,7 +281,7 @@ binutils, gcc4-core, make, git, mingw-runtime, texinfo In order to run FATE you will also need the following "Utils" packages: @example -bc, diffutils +diffutils @end example If you want to build FFmpeg with additional libraries, download Cygwin diff --git a/tests/fate-run.sh b/tests/fate-run.sh index f78e4fcfd5..824d5f48d1 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -38,7 +38,7 @@ target_path(){ # $1=value1, $2=value2, $3=threshold # prints 0 if absolute difference between value1 and value2 is <= threshold compare(){ - echo "scale=2; v = $1 - $2; if (v < 0) v = -v; if (v > $3) r = 1; r" | bc + awk "BEGIN { v = $1 - $2; printf ((v < 0 ? -v : v) > $3) }" } do_tiny_psnr(){ From 836a66eeb05c678feba79c5f7f093d936f9723d2 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 25 Feb 2015 15:07:18 +0100 Subject: [PATCH 252/700] lavfi/fade: Do not overread input buffer. (cherry picked from commit ab3ff19f08b7a83e320c39ab066f289c242b8030) --- libavfilter/vf_fade.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index 80ce75dcda..a7597cdff0 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c 
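Review bot: compare() now expands `$1`, `$2` and `$3` directly into the awk program text, so an empty or non-numeric argument becomes an awk syntax error or is evaluated as awk code instead of being treated as data. Passing them as variables keeps them as values: `awk -v a="$1" -v b="$2" -v t="$3" 'BEGIN { v = a - b; print ((v < 0 ? -v : v) > t) }'`. The current line also hands a number to `printf` as its format string, which `print` avoids. The trailing newline that `print` adds is dropped if the caller reads the result through command substitution, which is not visible in this hunk.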
@@ -138,7 +138,9 @@ static int config_props(AVFilterLink *inlink) s->hsub = pixdesc->log2_chroma_w; s->vsub = pixdesc->log2_chroma_h; - s->bpp = av_get_bits_per_pixel(pixdesc) >> 3; + s->bpp = pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR ? + 1 : + av_get_bits_per_pixel(pixdesc) >> 3; s->alpha &= !!(pixdesc->flags & AV_PIX_FMT_FLAG_ALPHA); s->is_packed_rgb = ff_fill_rgba_map(s->rgba_map, inlink->format) >= 0; From af70697836bbe1e4f0e3cfbdc7f18b23290245b5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 21 Apr 2015 19:25:50 +0200 Subject: [PATCH 253/700] alsdec: check sample pointer range in revert_channel_correlation Also change the type of begin, end and smp to ptrdiff_t to make the comparison well-defined. Signed-off-by: Andreas Cadhalpun Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit afc7748d1f6abc4b3b1cc957b0fa6941837db3d0) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 0a6be7bf90..9ee33bf2e6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1246,6 +1246,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ALSChannelData *ch = cd[c]; unsigned int dep = 0; unsigned int channels = ctx->avctx->channels; + unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order; if (reverted[c]) return 0; @@ -1276,9 +1277,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples = ctx->raw_samples[c] + offset; for (dep = 0; !ch[dep].stop_flag; dep++) { - unsigned int smp; - unsigned int begin = 1; - unsigned int end = bd->block_length - 1; + ptrdiff_t smp; + ptrdiff_t begin = 1; + ptrdiff_t end = bd->block_length - 1; int64_t y; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; 
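Review bot: The planar arm of the new ternary hard-codes `s->bpp = 1` with no comment, which is only correct while every planar format that reaches config_props() stores one byte per sample. The accepted format list is outside this hunk, so that assumption cannot be checked here. A comment such as `/* planar formats: assumes one byte per sample in each plane */` would record it for whoever adds a deeper planar format later. Parenthesising the test, `(pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR) ? 1 : ...`, would also make the precedence obvious.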
@@ -1290,19 +1291,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; - if (t > 0 && begin < t) { - av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t); + if (begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t); return AVERROR_INVALIDDATA; } begin -= t; } else { - if (t > 0 && end < t) { - av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t); + if (end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t); return AVERROR_INVALIDDATA; } end -= t; } + if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master || + FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t), + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) + @@ -1315,6 +1325,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples[smp] += y >> 7; } } else { + + if (begin - 1 < ctx->raw_buffer - master || + end + 1 > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + begin - 1, master + end + 1, + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1]) + From 5ae8df8d37c2af50a3f35550a2010ba2a2760e75 Mon Sep 17 00:00:00 2001 
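Review bot: The new error path builds `master + FFMIN(begin - 1, begin - 1 + t)` and `master + FFMAX(end + 1, end + 1 + t)` only to print them, yet it runs exactly when those offsets were found to lie outside raw_buffer, so the pointer arithmetic itself is undefined there. The `%p` conversions also receive their pointer arguments without a `(void *)` cast, and writing heap addresses into the log of a decoder that handles untrusted files exposes memory layout for no diagnostic gain. Logging the offsets is enough: `"sample range [%td, %td] not contained in raw_buffer.\n", FFMIN(begin - 1, begin - 1 + t), FFMAX(end + 1, end + 1 + t)`. The same applies to the second check added in the else branch of the following hunk. revert_channel_correlation() begins and ends outside both hunks.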
From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:32:42 +0200 Subject: [PATCH 254/700] mpeg4videodec: only allow a positive length Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit b3408ae4c64cb674b1d5f0f30171759113ce722a) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 1daecfa76e..6a2e06acfa 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -189,14 +189,14 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int x = 0, y = 0; length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if (length) + if (length > 0) x = get_xbits(gb, length); if (!(ctx->divx_version == 500 && ctx->divx_build == 413)) skip_bits1(gb); /* marker bit */ length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if (length) + if (length > 0) y = get_xbits(gb, length); skip_bits1(gb); /* marker bit */ From 004064912f39377bc947af49d606e3e2c7a30cd7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 17:08:51 +0200 Subject: [PATCH 255/700] bink: check vst->index_entries before using it This fixes a NULL pointer dereference if vst->duration is 0. The problem was introduced in commit 0588acaf. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 86d00ede4f9acb02690a0615490173648e1d933c) Signed-off-by: Michael Niedermayer --- libavformat/bink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/bink.c b/libavformat/bink.c index 395c8d9aa8..350c64f7bb 100644 --- a/libavformat/bink.c +++ b/libavformat/bink.c 
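Review bot: With `if (length > 0)` a negative `length` now falls through silently and the sprite offset stays 0, so a code that get_vlc2() could not resolve is indistinguishable from a legitimate zero-length entry. If a negative return does mean an invalid code here, which the hunk does not show, rejecting it is clearer: `if (length < 0) return AVERROR_INVALIDDATA;` ahead of each get_xbits() call, for both the x and the y component. The function continues outside the hunk, so how callers treat its return value should be confirmed first.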
@@ -194,7 +194,10 @@ static int read_header(AVFormatContext *s) return ret; } - avio_seek(pb, vst->index_entries[0].pos, SEEK_SET); + if (vst->index_entries) + avio_seek(pb, vst->index_entries[0].pos, SEEK_SET); + else + avio_skip(pb, 4); bink->current_track = -1; return 0; From b8f5996071cca7aea705dc363a3a79891d66f246 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 22 Apr 2015 14:59:56 +0100 Subject: [PATCH 256/700] lavf: Reset global flag on deinit Signed-off-by: Michael Niedermayer (cherry picked from commit 32da94fa7f73ac749e0a1e2f20499fad2f6f57fe) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index d1e0f7139d..496b656378 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4098,6 +4098,7 @@ int avformat_network_deinit(void) #if CONFIG_NETWORK ff_network_close(); ff_tls_deinit(); + ff_network_inited_globally = 0; #endif return 0; } From 216ef1200a68ad4af5da35f38dc928b31141a5c6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:03:41 +0200 Subject: [PATCH 257/700] alsdec: only adapt order for positive max_order For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1) Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 58d605ee9b3277289278dc40e022311f8e083833) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 9ee33bf2e6..a55354b7fd 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -682,7 +682,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (!sconf->rlslms) { - if (sconf->adapt_order) { + if (sconf->adapt_order && sconf->max_order) { int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); 
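Review bot: The fallback `avio_skip(pb, 4)` uses a bare 4 with no hint of what is being skipped, and its return value is dropped just like that of the avio_seek() above it. Going by the commit message this path is taken when there are no index entries, so the 4 is presumably the size of one index field. A comment such as `/* no index entries: skip the lone 4-byte index field */`, once confirmed against the header layout, or a named constant would make that checkable. read_header() starts outside the hunk.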
From 4c01572a9480da7d4a7d7c3fd850cc23e94d6ca1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 24 Apr 2015 00:01:43 +0200 Subject: [PATCH 258/700] alac: reject rice_limit 0 if compression is used If rice_limit is 0, k can be 0 in decode_scalar, which calls show_bits(gb, k). Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4b657a1b1eedcf38bcf36e89a2f4be6f76b5ce09) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index aec7bb4e4e..f5a5b86145 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -316,6 +316,11 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, int lpc_quant[2]; int rice_history_mult[2]; + if (!alac->rice_limit) { + avpriv_request_sample(alac->avctx, "Compression with rice limit 0"); + return AVERROR(ENOSYS); + } + decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); From 3afb2653bdaa5b785e9af8bdd7f7d9e48abb0eb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Apr 2015 04:27:56 +0200 Subject: [PATCH 259/700] tests/fate-run: do not attempt to parse tiny_psnrs output if it failed This avoids confusing syntax errors with awk later Likely fixes awk errors at: http://buildd.debian-ports.org/status/fetch.php?pkg=ffmpeg&arch=sparc64&ver=7%3A2.6.2-1&stamp=1428928967 Reviewed-by: Timothy Gu Thanks-to: Andreas Cadhalpun for the link Signed-off-by: Michael Niedermayer (cherry picked from commit c0d847e457c1ef72843a63853f1135d52b74131e) Signed-off-by: Michael Niedermayer --- tests/fate-run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 824d5f48d1..ed36a68440 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh 
@@ -42,7 +42,7 @@ compare(){ } do_tiny_psnr(){ - psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) + psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) || return 1 val=$(expr "$psnr" : ".*$3: *\([0-9.]*\)") size1=$(expr "$psnr" : '.*bytes: *\([0-9]*\)') size2=$(expr "$psnr" : '.*bytes:[ 0-9]*/ *\([0-9]*\)') From 2f85f511ffa33f49e5414c39f6d772fbf30ff136 Mon Sep 17 00:00:00 2001 From: James Zern Date: Tue, 21 Apr 2015 00:03:00 -0700 Subject: [PATCH 260/700] libvpxenc: only set noise reduction w/vp8 this quiets a warning: Failed to set VP8E_SET_NOISE_SENSITIVITY codec control: Unspecified internal error Reviewed-by: Michael Niedermayer Signed-off-by: James Zern (cherry picked from commit 238ec505e263e7d0363798a05c1c28f494a6300a) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index c69acc00ef..d62a8037cd 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -441,9 +441,10 @@ static av_cold int vpx_init(AVCodecContext *avctx, codecctl_int(avctx, VP8E_SET_ARNR_STRENGTH, ctx->arnr_strength); if (ctx->arnr_type >= 0) codecctl_int(avctx, VP8E_SET_ARNR_TYPE, ctx->arnr_type); - codecctl_int(avctx, VP8E_SET_NOISE_SENSITIVITY, avctx->noise_reduction); - if (avctx->codec_id == AV_CODEC_ID_VP8) + if (avctx->codec_id == AV_CODEC_ID_VP8) { + codecctl_int(avctx, VP8E_SET_NOISE_SENSITIVITY, avctx->noise_reduction); codecctl_int(avctx, VP8E_SET_TOKEN_PARTITIONS, av_log2(avctx->slices)); + } #if FF_API_MPV_OPT FF_DISABLE_DEPRECATION_WARNINGS if (avctx->mb_threshold) { From cb63a8c646a33894f32cb098723efa5842ca0991 Mon Sep 17 00:00:00 2001 
From: Rong Yan Date: Mon, 27 Apr 2015 03:19:45 +0000 Subject: [PATCH 261/700] swscale/ppc/swscale_altivec.c: POWER LE support in yuv2planeX_8() delete macro GET_VF() it was wrong GCC tool had a bug of PPC intrinsic interpret, which has been fixed in GCC 4.9.1. This bug lead to errors in two of our previous patches. We found this when we update our GCC tools to 4.9.1 and by reading the related info on GCC website. We fix our previous error in two separate commits Signed-off-by: Michael Niedermayer (cherry picked from commit 603c839398f89d3ef15c47530470fbb0051632c0) Signed-off-by: Michael Niedermayer --- libswscale/ppc/swscale_altivec.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/libswscale/ppc/swscale_altivec.c b/libswscale/ppc/swscale_altivec.c index a1548a7717..3f8cedb8d3 100644 --- a/libswscale/ppc/swscale_altivec.c +++ b/libswscale/ppc/swscale_altivec.c @@ -40,19 +40,11 @@ ls = vec_perm(a, l2, c);\ a = l2;\ } -#define GET_VF(a, b, c,d) {\ - a = vec_mergeh(c, d);\ - b = vec_mergel(c, d);\ - } #else #define GET_LS(a,b,c,s) {\ ls = a;\ a = vec_vsx_ld(((b) << 1) + 16, s);\ } -#define GET_VF(a, b, c, d) {\ - a = vec_mergel(d, c);\ - b = vec_mergeh(d, c);\ - } #endif #define yuv2planeX_8(d1, d2, l1, src, x, perm, filter) do {\ @@ -61,7 +53,8 @@ vector signed int i1 = vec_mule(filter, ls);\ vector signed int i2 = vec_mulo(filter, ls);\ vector signed int vf1, vf2;\ - GET_VF(vf1, vf2, i1, i2);\ + vf1 = vec_mergeh(i1, i2);\ + vf2 = vec_mergel(i1, i2);\ d1 = vec_add(d1, vf1);\ d2 = vec_add(d2, vf2);\ } while (0) From d269eb2c114f8ef24cd3aa79c1465d866087f072 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 00:30:51 +0200 Subject: [PATCH 262/700] apedec: set s->samples only when init_frame_decoder succeeded Otherwise range_start_decoding is not necessarily run and thus ctx->rc.range still 0 in range_dec_normalize leading to an infinite loop. Signed-off-by: Andreas Cadhalpun 
Signed-off-by: Michael Niedermayer (cherry picked from commit 464c49155ce7ffc88ed39eb2511e7a75565c24be) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 383b7fe669..2ccbdc8005 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1476,13 +1476,13 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, nblocks); return AVERROR_INVALIDDATA; } - s->samples = nblocks; /* Initialize the frame decoder */ if (init_frame_decoder(s) < 0) { av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n"); return AVERROR_INVALIDDATA; } + s->samples = nblocks; } if (!s->data) { From 1e6352578ae4319b2427f9f2ffb8042e8d11894f Mon Sep 17 00:00:00 2001 From: Maneesh Gupta Date: Tue, 28 Apr 2015 13:08:31 +0530 Subject: [PATCH 263/700] OpenCL: Avoid potential buffer overflow in cmdutils_opencl.c The opt_opencl_bench function copied the device name using strcpy without checking if the source string was larger. This patch fixes this by replacing the strcpy with av_strlcpy, with the string copy size capped to the destination buffer size. Signed-off-by: Maneesh Gupta Signed-off-by: Michael Niedermayer (cherry picked from commit cf234552b83a9503ff96572de2658b921b8842eb) Signed-off-by: Michael Niedermayer --- cmdutils_opencl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cmdutils_opencl.c b/cmdutils_opencl.c index 3dfd156195..61478e27af 100644 --- a/cmdutils_opencl.c +++ b/cmdutils_opencl.c @@ -22,6 +22,7 @@ #include "libavutil/time.h" #include "libavutil/log.h" #include "libavutil/opencl.h" +#include "libavutil/avstring.h" #include "cmdutils.h" typedef struct { 
@@ -238,7 +239,8 @@ int opt_opencl_bench(void *optctx, const char *opt, const char *arg) devices[count].platform_idx = i; devices[count].device_idx = j; devices[count].runtime = score; - strcpy(devices[count].device_name, device_node->device_name); + av_strlcpy(devices[count].device_name, device_node->device_name, + sizeof(devices[count].device_name)); count++; } } From c946f2cc83cf33bd01e8de168e0345a05f68b2ce Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 11:13:43 +0200 Subject: [PATCH 264/700] apedec: prevent out of array writes in decode_array_0000 s->decoded_buffer is allocated with a min_size of: 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer) Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_0000. In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small. This causes memory corruption, leading to segmentation faults or other crashes. Thus change decode_array_0000 to write at most blockstodecode elements of the out buffer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 2ccbdc8005..577d0aa260 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
@@ -601,14 +601,14 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; - for (i = 0; i < 5; i++) { + for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; - for (; i < 64; i++) { + for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1; From 260f6b44184bbc5fc2cac8b3b6feefb6ce68df49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Apr 2015 14:29:47 +0200 Subject: [PATCH 265/700] ffmpeg: remove incorrect network deinit Signed-off-by: Michael Niedermayer (cherry picked from commit e2877bdf3862325c2982c3237d9bf28f1bbf793f) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 7bf93bdb0f..6e640e387f 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -352,7 +352,6 @@ void term_init(void) signal(SIGQUIT, sigterm_handler); /* Quit (POSIX). */ } #endif - avformat_network_deinit(); signal(SIGINT , sigterm_handler); /* Interrupt (ANSI). */ signal(SIGTERM, sigterm_handler); /* Termination (ANSI). */ From b8627a63d89b578fce60767158ee20565210d0b4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:31:56 +0200 Subject: [PATCH 266/700] nutdec: check for negative frame rate in decode_info_header A negative frame rate triggers an av_assert2 in av_rescale_rnd. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6621105877ce0d65724a8ab60b3a50160adbe65d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index ef29bdf79c..287496ed51 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -553,7 +553,8 @@ static int decode_info_header(NUTContext *nut) if (stream_id_plus1 && !strcmp(name, "r_frame_rate")) { sscanf(str_value, "%d/%d", &st->r_frame_rate.num, &st->r_frame_rate.den); - if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den) + if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den || + st->r_frame_rate.num < 0 || st->r_frame_rate.num < 0) st->r_frame_rate.num = st->r_frame_rate.den = 0; continue; } From 4158d55b9a9c9aad5641f13b73db2f618e83f8f5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:57:59 +0200 Subject: [PATCH 267/700] nutdec: check chapter creation in decode_info_header This fixes a segmentation fault when accessing the metadata. Signed-off-by: Michael Niedermayer (cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 287496ed51..0a81261376 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -505,6 +505,10 @@ static int decode_info_header(NUTContext *nut) nut->time_base[chapter_start % nut->time_base_count], start, start + chapter_len, NULL); + if (!chapter) { + av_log(s, AV_LOG_ERROR, "could not create chapter\n"); + return AVERROR(ENOMEM); + } metadata = &chapter->metadata; } else if (stream_id_plus1) { st = s->streams[stream_id_plus1 - 1]; From 8016800a64837332104fba122c2f73f926cb9f2a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 22:37:19 +0200 Subject: [PATCH 268/700] nutdec: fix illegal count check in decode_main_header The existing check has two problems: 1) i + count can overflow, so that the check '< 256' returns true. 2) In the (i == 'N') case occurs a j-- so that the loop runs once more. This can trigger the assertion 'nut->header_len[0] == 0' or cause segmentation faults or infinite hangs. Signed-off-by: Andreas Cadhalpun 
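Review bot: The added line tests `st->r_frame_rate.num < 0` twice; the second operand was presumably meant to check the denominator. As written, a negative or zero denominator is still rejected, because with a non-negative numerator the first comparison `num >= 1000LL*den` is already true, but that is an accident of the arithmetic rather than a stated check. Writing `st->r_frame_rate.num < 0 || st->r_frame_rate.den <= 0)` makes the intent explicit. The return value of the sscanf() on the context line above is also not checked, so a value that parses only partly leaves `den` at whatever it held before. decode_info_header() starts and ends outside this hunk.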
Signed-off-by: Michael Niedermayer (cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0a81261376..02a4b1e11e 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut) while (tmp_fields-- > 8) ffio_read_varlen(bc); - if (count == 0 || i + count > 256) { + if (count <= 0 || count > 256 - (i <= 'N') - i) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); return AVERROR_INVALIDDATA; } From 69f122abd9be9e0b51f81a061f4ae5fbe2bd021e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Apr 2015 03:03:31 +0200 Subject: [PATCH 269/700] avfilter/lavfutils: disable frame threads when decoding a single image The image decoding code does expect the image to be decoded immedeatly Signed-off-by: Michael Niedermayer (cherry picked from commit d2184bf3b65354e44c177e226a6c59c5d6fdbad4) Conflicts: libavfilter/lavfutils.c --- libavfilter/lavfutils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/lavfutils.c b/libavfilter/lavfutils.c index 80310d2fea..095f84baad 100644 --- a/libavfilter/lavfutils.c +++ b/libavfilter/lavfutils.c @@ -32,6 +32,7 @@ int ff_load_image(uint8_t *data[4], int linesize[4], AVFrame *frame; int frame_decoded, ret = 0; AVPacket pkt; + AVDictionary *opt=NULL; av_init_packet(&pkt); @@ -57,7 +58,8 @@ int ff_load_image(uint8_t *data[4], int linesize[4], goto end; } - if ((ret = avcodec_open2(codec_ctx, codec, NULL)) < 0) { + av_dict_set(&opt, "thread_type", "slice", 0); + if ((ret = avcodec_open2(codec_ctx, codec, &opt)) < 0) { av_log(log_ctx, AV_LOG_ERROR, "Failed to open codec\n"); goto end; } 
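Review bot: The rewritten bound `count > 256 - (i <= 'N') - i` has no comment, and nothing in the code says why one slot is subtracted when `i <= 'N'`. Going by the commit message, the loop skips the 'N' frame code and so consumes one extra table entry, and the subtraction form avoids the overflow of `i + count`. A comment such as `/* compare against remaining slots (no i + count overflow); the skipped 'N' code uses one extra slot */` would keep a later cleanup from simplifying the check back. `count <= 0` only adds anything over the old `count == 0` if count is signed, and count is declared outside the hunk.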
@@ -97,6 +99,7 @@ end: avcodec_close(codec_ctx); avformat_close_input(&format_ctx); av_freep(&frame); + av_dict_free(&opt); if (ret < 0) av_log(log_ctx, AV_LOG_ERROR, "Error loading image file '%s'\n", filename); From 31601db12a153b290434272db9d81fe37fa9fb90 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 14 Mar 2015 12:30:10 +0100 Subject: [PATCH 270/700] xcbgrab: Do not assume the non shm image data is always available Signed-off-by: Luca Barbato (cherry picked from commit 82a10225f817b2612fdd2b23af9d4f0a3408df3b) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index df8de20459..e9f2fefa2b 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c @@ -144,13 +144,25 @@ static int xcbgrab_frame(AVFormatContext *s, AVPacket *pkt) xcb_get_image_cookie_t iq; xcb_get_image_reply_t *img; xcb_drawable_t drawable = c->screen->root; + xcb_generic_error_t *e = NULL; uint8_t *data; int length, ret; iq = xcb_get_image(c->conn, XCB_IMAGE_FORMAT_Z_PIXMAP, drawable, c->x, c->y, c->width, c->height, ~0); - img = xcb_get_image_reply(c->conn, iq, NULL); + img = xcb_get_image_reply(c->conn, iq, &e); + + if (e) { + av_log(s, AV_LOG_ERROR, + "Cannot get the image data " + "event_error: response_type:%u error_code:%u " + "sequence:%u resource_id:%u minor_code:%u major_code:%u.\n", + e->response_type, e->error_code, + e->sequence, e->resource_id, e->minor_code, e->major_code); + return AVERROR(EACCES); + } + if (!img) return AVERROR(EAGAIN); @@ -404,7 +416,7 @@ static int xcbgrab_read_packet(AVFormatContext *s, AVPacket *pkt) ret = xcbgrab_frame(s, pkt); #if CONFIG_LIBXCB_XFIXES - if (c->draw_mouse && p->same_screen) + if (ret >= 0 && c->draw_mouse && p->same_screen) xcbgrab_draw_mouse(s, pkt, p, geo); #endif From 77059eedb50e01bec38f63dfc4672d8f0a60fed5 Mon Sep 17 00:00:00 2001 
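Review bot: In xcbgrab_frame the new `if (e)` branch returns without releasing the error object. libxcb passes ownership of the `xcb_generic_error_t` to the caller, so every failed grab leaks it. Add `free(e);` after the `av_log()` call and before `return AVERROR(EACCES);`. The function continues outside the hunk.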
From: Luca Barbato Date: Sat, 14 Mar 2015 12:30:11 +0100 Subject: [PATCH 271/700] xcbgrab: Validate the capture area And notify why the capture is impossible. Signed-off-by: Luca Barbato (cherry picked from commit e8c4db0d4d07738fed716b1d2f20c85aac944641) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index e9f2fefa2b..292597877b 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c @@ -527,8 +527,17 @@ static int create_stream(AVFormatContext *s) gc = xcb_get_geometry(c->conn, c->screen->root); geo = xcb_get_geometry_reply(c->conn, gc, NULL); - c->width = FFMIN(geo->width, c->width); - c->height = FFMIN(geo->height, c->height); + if (c->x + c->width >= geo->width || + c->y + c->height >= geo->height) { + av_log(s, AV_LOG_ERROR, + "Capture area %dx%d at position %d.%d " + "outside the screen size %dx%d\n", + c->width, c->height, + c->x, c->y, + geo->width, geo->height); + return AVERROR(EINVAL); + } + c->time_base = (AVRational){ st->avg_frame_rate.den, st->avg_frame_rate.num }; c->time_frame = av_gettime(); From 4d6d159069b678c0469025be5ddc434f45af403b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 May 2015 15:54:21 +0200 Subject: [PATCH 272/700] avcodec/wavpack: Check L/R values before use to avoid harmless integer overflow and undefined behavior in fate Signed-off-by: Michael Niedermayer (cherry picked from commit 042260cde4ecf716438c5fc92d15ad5f037ee2e1) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1ad3901600..b51a21cc9d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
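Review bot: The new bounds test in create_stream uses `>=`, so a capture area that ends exactly at the screen edge is rejected; a full-screen grab at offset 0,0 fails, for example. The comparison should be strict: `if (c->x + c->width > geo->width ||` and `c->y + c->height > geo->height) {`. `geo` is also dereferenced without a NULL check after `xcb_get_geometry_reply()`, and the added `return AVERROR(EINVAL);` leaves it unreleased in the visible lines; whether it is freed later is outside the hunk. A `free(geo);` before the early return would cover that path.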
@@ -472,6 +472,14 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, s->decorr[i].samplesB[0] = L; } } + + if (type == AV_SAMPLE_FMT_S16P) { + if (FFABS(L) + FFABS(R) > (1<<19)) { + av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); + return AVERROR_INVALIDDATA; + } + } + pos = (pos + 1) & 7; if (s->joint) L += (R -= (L >> 1)); From c3653e2265d1d7f73d3b4596d2f67db12456116a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 16:21:39 +0200 Subject: [PATCH 273/700] pngdec: check s->last_picture.f->data[0] before using it This check was removed in commit 08aec6f6, but s->last_picture.f->data[0] is still used in handle_p_frame_apng unconditionally. This fixes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 287dbb0771d558b336e377d0594e26c0a6291755) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 7e7b2858b3..314cccf20b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1065,7 +1065,7 @@ exit_loop: /* handle p-frames only if a predecessor frame is available */ ref = s->dispose_op == APNG_DISPOSE_OP_PREVIOUS ? s->previous_picture.f : s->last_picture.f; - if (ref->data[0]) { + if (ref->data[0] && s->last_picture.f->data[0]) { if ( !(avpkt->flags & AV_PKT_FLAG_KEY) && avctx->codec_tag != AV_RL32("MPNG") && ref->width == p->width && ref->height== p->height From b04f6dfd3c52bdf1be8158b5d0b8822b60c82432 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 17:50:26 +0200 Subject: [PATCH 274/700] pngdec: return correct error code from decode_frame_common During the loop ret can get changed. Since it is not set on all failure paths, decode_frame_common can return 0 even though an error occurred. Signed-off-by: Andreas Cadhalpun 
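Review bot: In wv_unpack_stereo the new guard evaluates `FFABS(L) + FFABS(R)` in the operands' own type, so the check can itself overflow for extreme decoded values, and negating the most negative value is undefined, before the comparison gets to reject them. Assuming L and R are plain `int`, as the `%d` format suggests, widening first avoids this: `if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) {`. The enclosing loop starts and ends outside the hunk.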
Signed-off-by: Michael Niedermayer (cherry picked from commit 8f760be4d312bb6e78f80d39b9d0062253332e08) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 314cccf20b..330db80456 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -963,7 +963,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, AVDictionary *metadata = NULL; uint32_t tag, length; int decode_next_dat = 0; - int ret = AVERROR_INVALIDDATA; + int ret; AVFrame *ref; for (;;) { @@ -979,12 +979,14 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, if ( s->state & PNG_ALLIMAGE && avctx->strict_std_compliance <= FF_COMPLIANCE_NORMAL) goto exit_loop; + ret = AVERROR_INVALIDDATA; goto fail; } length = bytestream2_get_be32(&s->gb); if (length > 0x7fffffff || length > bytestream2_get_bytes_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "chunk too big\n"); + ret = AVERROR_INVALIDDATA; goto fail; } tag = bytestream2_get_le32(&s->gb); @@ -996,11 +998,11 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, ((tag >> 24) & 0xff), length); switch (tag) { case MKTAG('I', 'H', 'D', 'R'): - if (decode_ihdr_chunk(avctx, s, length) < 0) + if ((ret = decode_ihdr_chunk(avctx, s, length)) < 0) goto fail; break; case MKTAG('p', 'H', 'Y', 's'): - if (decode_phys_chunk(avctx, s) < 0) + if ((ret = decode_phys_chunk(avctx, s)) < 0) goto fail; break; case MKTAG('f', 'c', 'T', 'L'): 
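Review bot: In the decode_frame_common hunk at -963, dropping the initializer from `int ret;` means every `goto fail` now has to assign `ret` first. This series covers the paths visible here, but any failure path outside these hunks that is missed would return an indeterminate value. Keeping `int ret = AVERROR_INVALIDDATA;` costs nothing alongside the explicit assignments and lets the compiler's uninitialized-use warning stay quiet for the right reason. The `fail:` label and the rest of the function are outside the hunks, so this cannot be confirmed from here.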
@@ -1013,15 +1015,17 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, case MKTAG('f', 'd', 'A', 'T'): if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG) goto skip_tag; - if (!decode_next_dat) + if (!decode_next_dat) { + ret = AVERROR_INVALIDDATA; goto fail; + } bytestream2_get_be32(&s->gb); length -= 4; /* fallthrough */ case MKTAG('I', 'D', 'A', 'T'): if (CONFIG_APNG_DECODER && avctx->codec_id == AV_CODEC_ID_APNG && !decode_next_dat) goto skip_tag; - if (decode_idat_chunk(avctx, s, length, p) < 0) + if ((ret = decode_idat_chunk(avctx, s, length, p)) < 0) goto fail; break; case MKTAG('P', 'L', 'T', 'E'): @@ -1046,6 +1050,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, if (!(s->state & PNG_ALLIMAGE)) av_log(avctx, AV_LOG_ERROR, "IEND without all image\n"); if (!(s->state & (PNG_ALLIMAGE|PNG_IDAT))) { + ret = AVERROR_INVALIDDATA; goto fail; } bytestream2_skip(&s->gb, 4); /* crc */ From 9b12e4c1e366614c585c33401e31a2f035dfd196 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 20:36:20 +0200 Subject: [PATCH 275/700] pngdec: don't use AV_PIX_FMT_MONOBLACK for apng AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e. linesize can be smaller than width. Since x_offset is only check against the width, this can lead to x_offset * bpp >= image_linesize. In this case ptr could be set to a position outside the image_buf in png_handle_row, leading to memory corruption and thus crashes. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 372aa0777aaacf726de7cd7dd0e6797026a124ee) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 330db80456..75feb04e51 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
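Review bot: In the `fdAT` case of decode_frame_common, `length -= 4` runs on a `uint32_t` with no lower bound, so a chunk shorter than four bytes wraps `length` to a huge value that then falls through into `decode_idat_chunk()`. The guard being edited here is the natural place to reject it: `if (!decode_next_dat || length < 4) {`. Whether decode_idat_chunk re-validates the length against the remaining input is outside the hunk.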
@@ -617,7 +617,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 && avctx->codec_id != AV_CODEC_ID_APNG) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { From 454f63181a197d672147ac19fa30b3562f055ce8 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 23:07:20 +0200 Subject: [PATCH 276/700] matroskadec: use uint64_t instead of int for index_scale index_scale is set to matroska->time_scale of type uint64_t. When index_scale is int, the assignment can overflow and e.g. result in index_scale = 0. This causes a floating point exception due to the division by index_scale. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eb9fb508b0e09d85d234fe694333b2005e1d7a7e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9c13484c9a..6963d54de6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1447,7 +1447,7 @@ static void matroska_add_index_entries(MatroskaDemuxContext *matroska) { EbmlList *index_list; MatroskaIndex *index; - int index_scale = 1; + uint64_t index_scale = 1; int i, j; index_list = &matroska->index; From e337d5f1b1a6f41acfdff3302d9ff85c91b7a0bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2015 13:37:26 +0200 Subject: [PATCH 277/700] avcodec/ffv1dec: Check chroma shift parameters Signed-off-by: Michael Niedermayer (cherry picked from commit d43cd6b08ed555c303478e3133717fbb2236be6e) 
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5fbe51c5a5..9e4088143b 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -546,6 +546,12 @@ static int read_extra_header(FFV1Context *f) f->num_h_slices = 1 + get_symbol(c, state, 0); f->num_v_slices = 1 + get_symbol(c, state, 0); + if (f->chroma_h_shift > 4U || f->chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + f->chroma_h_shift, f->chroma_v_shift); + return AVERROR_INVALIDDATA; + } + if (f->num_h_slices > (unsigned)f->width || !f->num_h_slices || f->num_v_slices > (unsigned)f->height || !f->num_v_slices ) { @@ -651,6 +657,12 @@ static int read_header(FFV1Context *f) } } + if (chroma_h_shift > 4U || chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + chroma_h_shift, chroma_v_shift); + return AVERROR_INVALIDDATA; + } + f->colorspace = colorspace; f->avctx->bits_per_raw_sample = bits_per_raw_sample; f->chroma_planes = chroma_planes; From 39115c01f09e82740607fe22f54c5de8c0659ffb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 23:55:20 +0200 Subject: [PATCH 278/700] matroskadec: check s->streams[k] before using it This fixes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit e54540655f229d06667dc7fa7005f2a20e101e80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 6963d54de6..20389415a9 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1948,7 +1948,7 @@ static int matroska_parse_tracks(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid) { + if (planes[j].uid == tracks[k].uid && s->streams[k]) { av_dict_set(&s->streams[k]->metadata, "stereo_mode", buf, 0); break; From d8bfa4bb94a6613e1b2066be06d0706b1170cb27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2015 15:47:54 +0200 Subject: [PATCH 279/700] avformat/matroskadec: Use tracks[k]->stream instead of s->streams[k] The later is not correct Signed-off-by: Michael Niedermayer (cherry picked from commit 5d309d309108684f742bbf5fc2393f1c519cda72) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 20389415a9..8dc8428b77 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1948,8 +1948,8 @@ static int matroska_parse_tracks(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid && s->streams[k]) { - av_dict_set(&s->streams[k]->metadata, + if (planes[j].uid == tracks[k].uid && tracks[k].stream) { + av_dict_set(&tracks[k].stream->metadata, "stereo_mode", buf, 0); break; } From 84db3e6648860bb4ad630f989ca2e07877fbe36c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 May 2015 23:01:45 +0200 Subject: [PATCH 280/700] avidec: avoid infinite loop due to negative ast->sample_size If max in clean_index is set to a negative ast->sample_size, the following loop never ends: while (max < 1024) max += max; Thus set ast->sample_size to 0 if it would otherwise be negative. Signed-off-by: Andreas Cadhalpun 
Signed-off-by: Michael Niedermayer (cherry picked from commit ca234639ac49a0dc073ac1f10977979acdb94f97) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 032731dc4d..91e8514b4b 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -686,6 +686,7 @@ static int avi_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_INFO, "unknown stream type %X\n", tag1); } + ast->sample_size = FFMAX(ast->sample_size, 0); if (ast->sample_size == 0) { st->duration = st->nb_frames; if (st->duration > 0 && avi->io_fsize > 0 && avi->riff_end > avi->io_fsize) { From e67181a3518f6c6cc687aa5d4d625b067e252ad1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 21:33:08 +0200 Subject: [PATCH 281/700] diracdec: prevent overflow in data_unit_size check buf_idx + data_unit_size can overflow, causing the '> buf_size' check to wrongly fail. This causes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index aa8e2b0db9..09ca077fe3 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1931,8 +1931,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, break; data_unit_size = AV_RB32(buf+buf_idx+5); - if (buf_idx + data_unit_size > buf_size || !data_unit_size) { - if(buf_idx + data_unit_size > buf_size) + if (data_unit_size > buf_size - buf_idx || !data_unit_size) { + if(data_unit_size > buf_size - buf_idx) av_log(s->avctx, AV_LOG_ERROR, "Data unit with size %d is larger than input buffer, discarding\n", data_unit_size); From 448d6488b14179462e28933594d84668aad20d1c Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Tue, 5 May 2015 22:10:44 +0200 Subject: [PATCH 282/700] diracdec: avoid overflow of bytes*8 in decode_lowdelay If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 09ca077fe3..edb56a6e99 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -799,7 +799,10 @@ static void decode_lowdelay(DiracContext *s) slice_num++; buf += bytes; - bufsize -= bytes*8; + if (bufsize/8 >= bytes) + bufsize -= bytes*8; + else + bufsize = 0; } avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num, From 7d58774360feb20339b68d6e955974f0d632afa4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 23:51:48 +0200 Subject: [PATCH 283/700] diracdec: check if reference could not be allocated s->ref_pics[i] is later used as ref argument of interpolate_refplane, where it is dereferenced. If it is NULL, it causes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d93181ef3eacdb862d93448f31c97765a523d1db) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index edb56a6e99..966c358786 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
@@ -1739,6 +1739,12 @@ static int dirac_decode_picture_header(DiracContext *s) get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); break; } + + if (!s->ref_pics[i]) { + av_log(s->avctx, AV_LOG_ERROR, "Reference could not be allocated\n"); + return -1; + } + } /* retire the reference frames that are not used anymore */ From b8568c546e185f9528e129d0620cac2f80403ad1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 6 May 2015 15:34:53 +0200 Subject: [PATCH 284/700] diracdec: check that block length is valid In init_planes p->xblen and p->yblen are set to: p->xblen = s->plane[0].xblen >> s->chroma_x_shift; p->yblen = s->plane[0].yblen >> s->chroma_y_shift; These are later used as block_w and block_h arguments of s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2 in emulated_edge_mc: av_assert2(start_x < end_x && block_w > 0); av_assert2(start_y < end_y && block_h > 0); Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 966c358786..1bfe6be0a4 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
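Review bot: The new NULL-reference check in dirac_decode_picture_header returns a bare `-1`, while the other checks added in this series return AVERROR codes. Read as an AVERROR value, `-1` is `AVERROR(EPERM)`, which misreports the cause to callers that print the error. `return AVERROR_INVALIDDATA;` matches the neighbouring diracdec checks, or `AVERROR(ENOMEM)` if allocation failure is the only way to get here, which the hunk does not show.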
@@ -899,6 +899,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) /*[DIRAC_STD] 11.2.4 motion_data_dimensions() Calculated in function dirac_unpack_block_motion_data */ + if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 || + s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 || + !s->plane[0].xblen || !s->plane[0].yblen) { + av_log(s->avctx, AV_LOG_ERROR, + "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n", + s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift); + return AVERROR_INVALIDDATA; + } if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) { av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n"); return -1; From bb523c1b8666905f5101022c45fdffd19cbbea83 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 15:23:24 +0200 Subject: [PATCH 285/700] aacsbr: break infinite loop in sbr_hf_calc_npatches Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 584cc1ade10a3297ef9c107ef3a2081c04024156) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 94a5685e98..29ec2d51a9 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -514,7 +514,7 @@ static int sbr_make_f_master(AACContext *ac, SpectralBandReplication *sbr, /// High Frequency Generation - Patch Construction (14496-3 sp04 p216 fig. 4.46) static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) { - int i, k, sb = 0; + int i, k, last_k = -1, last_msb = -1, sb = 0; int msb = sbr->k[0]; int usb = sbr->kx[1]; int goal_sb = ((1000 << 11) + (sbr->sample_rate >> 1)) / sbr->sample_rate; 
@@ -528,6 +528,12 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) do { int odd = 0; + if (k == last_k && msb == last_msb) { + av_log(ac->avctx, AV_LOG_ERROR, "patch construction failed\n"); + return AVERROR_INVALIDDATA; + } + last_k = k; + last_msb = msb; for (i = k; i == k || sb > (sbr->k[0] - 1 + msb - odd); i--) { sb = sbr->f_master[i]; odd = (sb + sbr->k[0]) & 1; From dc8f42e0374df901696edc9855b7cd208f9ea12d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 16:06:50 +0200 Subject: [PATCH 286/700] libavutil/mem: use size_t for the length in av_strdup() the string length is not constrained to INT_MAX Signed-off-by: Michael Niedermayer (cherry picked from commit 4950bd4ebedbb6289734234bb2a719820f565c41) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.c b/libavutil/mem.c index 35a82e8a2d..9dc1ac7a49 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -259,7 +259,7 @@ char *av_strdup(const char *s) { char *ptr = NULL; if (s) { - int len = strlen(s) + 1; + size_t len = strlen(s) + 1; ptr = av_realloc(NULL, len); if (ptr) memcpy(ptr, s, len); From 466575c0e03f50e1683216bcbfc1a7e3c06862fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 16:09:07 +0200 Subject: [PATCH 287/700] avutil/dict: Use size_t for appending strings the string length is not constrained to INT_MAX Signed-off-by: Michael Niedermayer (cherry picked from commit 4c128ea1629116fc4936edc5f96bbd18f3ef1647) Conflicts: libavutil/dict.c --- libavutil/dict.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/dict.c b/libavutil/dict.c index 2983ea57a9..bfcc6151a5 100644 --- a/libavutil/dict.c +++ b/libavutil/dict.c 
@@ -103,7 +103,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value, if (flags & AV_DICT_DONT_STRDUP_VAL) { m->elems[m->count].value = (char*)(intptr_t)value; } else if (oldval && flags & AV_DICT_APPEND) { - int len = strlen(oldval) + strlen(value) + 1; + size_t len = strlen(oldval) + strlen(value) + 1; char *newval = av_mallocz(len); if (!newval) goto err_out; From 4d3450d62f2162bf0cbf60974a8f737d861fb5c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:23:51 +0200 Subject: [PATCH 288/700] avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write() Signed-off-by: Michael Niedermayer (cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578) Signed-off-by: Michael Niedermayer --- libavformat/vorbiscomment.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/vorbiscomment.c b/libavformat/vorbiscomment.c index cc9b6620ef..e953d83d65 100644 --- a/libavformat/vorbiscomment.c +++ b/libavformat/vorbiscomment.c @@ -61,8 +61,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m, AVDictionaryEntry *tag = NULL; bytestream_put_le32(p, count); while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) { - unsigned int len1 = strlen(tag->key); - unsigned int len2 = strlen(tag->value); + int64_t len1 = strlen(tag->key); + int64_t len2 = strlen(tag->value); + if (len1+1+len2 > UINT32_MAX) + return AVERROR(EINVAL); bytestream_put_le32(p, len1+1+len2); bytestream_put_buffer(p, tag->key, len1); bytestream_put_byte(p, '='); From a9f003b8ac0328f21b0fa8024389528a074a7570 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 20:01:15 +0200 Subject: [PATCH 289/700] avutil/avstring: Use size_t in av_strlcatf() Signed-off-by: Michael Niedermayer (cherry picked from commit ae4eea8be45a0b212fd57ceaac1f11089ab81d98) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavutil/avstring.c b/libavutil/avstring.c index 25c65b4238..5200dd767f 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -100,7 +100,7 @@ size_t av_strlcat(char *dst, const char *src, size_t size) size_t av_strlcatf(char *dst, size_t size, const char *fmt, ...) { - int len = strlen(dst); + size_t len = strlen(dst); va_list vl; va_start(vl, fmt); From b2d31dcf04c2884ffc4df092643bd4c026e8c377 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 03:50:01 +0200 Subject: [PATCH 290/700] avformat/url: Use size_t for len from strlen() Signed-off-by: Michael Niedermayer (cherry picked from commit 95efc651294b3cf3e5ec4b3ed36e79d7261545ff) Signed-off-by: Michael Niedermayer --- libavformat/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/url.c b/libavformat/url.c index acfb0cf2f0..5dd28a253d 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -68,7 +68,7 @@ int ff_url_join(char *str, int size, const char *proto, av_strlcatf(str, size, ":%d", port); if (fmt) { va_list vl; - int len = strlen(str); + size_t len = strlen(str); va_start(vl, fmt); vsnprintf(str + len, size > len ? size - len : 0, fmt, vl); From e3d9bf1151c96e23815e90c65a028b05f5e752af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 15:38:40 +0200 Subject: [PATCH 291/700] avformat/subtitles: Use size_t for len MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit string length could theoretically be larger than int Reviewed-by: Clément Bœsch Signed-off-by: Michael Niedermayer (cherry picked from commit a633928d47057426a9c328da594407d1c7da8a5c) Signed-off-by: Michael Niedermayer --- libavformat/subtitles.c | 4 ++-- libavformat/subtitles.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 67624fcf32..5bdbc8dc51 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c 
@@ -109,7 +109,7 @@ int ff_text_peek_r8(FFTextReader *r) } AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge) + const uint8_t *event, size_t len, int merge) { AVPacket *subs, *sub; @@ -303,7 +303,7 @@ int ff_smil_extract_next_text_chunk(FFTextReader *tr, AVBPrint *buf, char *c) const char *ff_smil_get_attr_ptr(const char *s, const char *attr) { int in_quotes = 0; - const int len = strlen(attr); + const size_t len = strlen(attr); while (*s) { while (*s) { diff --git a/libavformat/subtitles.h b/libavformat/subtitles.h index eb719ea770..885285cc47 100644 --- a/libavformat/subtitles.h +++ b/libavformat/subtitles.h @@ -116,7 +116,7 @@ typedef struct { * previous one instead of adding a new entry, 0 otherwise */ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge); + const uint8_t *event, size_t len, int merge); /** * Set missing durations and sort subtitles by PTS, and then byte position. From cb1ecf08b2e7078a58a4a99991ff08b129e424d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:30:32 +0200 Subject: [PATCH 292/700] avformat/flacenc: Check length in flac_write_block_comment() Signed-off-by: Michael Niedermayer (cherry picked from commit 40a7700b82aec0036622f8673ce64e070a520891) Signed-off-by: Michael Niedermayer --- libavformat/flacenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c index 0eea94288f..aeac70ba4b 100644 --- a/libavformat/flacenc.c +++ b/libavformat/flacenc.c 
@@ -50,12 +50,14 @@ static int flac_write_block_comment(AVIOContext *pb, AVDictionary **m, int last_block, int bitexact) { const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT; - unsigned int len; + int64_t len; uint8_t *p, *p0; ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL); len = ff_vorbiscomment_length(*m, vendor); + if (len >= ((1<<24) - 4)) + return AVERROR(EINVAL); p0 = av_malloc(len+4); if (!p0) return AVERROR(ENOMEM); From ff0f0b1e835a38dc102d766003803314b159051c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:34:28 +0200 Subject: [PATCH 293/700] avformat/oggenc: Check ff_vorbiscomment_length in ogg_write_vorbiscomment() Signed-off-by: Michael Niedermayer (cherry picked from commit 0db5b2b9f8a96298eeba7988d43c4eb44220fab3) Signed-off-by: Michael Niedermayer --- libavformat/oggenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index f3413c54c9..daec4eeefb 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -279,16 +279,18 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, return 0; } -static uint8_t *ogg_write_vorbiscomment(int offset, int bitexact, +static uint8_t *ogg_write_vorbiscomment(int64_t offset, int bitexact, int *header_len, AVDictionary **m, int framing_bit) { const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT; - int size; + int64_t size; uint8_t *p, *p0; ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL); size = offset + ff_vorbiscomment_length(*m, vendor) + framing_bit; + if (size > INT_MAX) + return NULL; p = av_mallocz(size); if (!p) return NULL; From 699357dd4ea492a83d84baac287cfd363974f8b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:37:38 +0200 Subject: [PATCH 294/700] avformat/matroskaenc: Check ff_vorbiscomment_length in put_flac_codecpriv() Its currently guaranteed to be smaller but its safer to check anyway 
Signed-off-by: Michael Niedermayer (cherry picked from commit 66f26b3e8ec075298e7ba329a55893d085bafe96) Signed-off-by: Michael Niedermayer --- libavformat/matroskaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e8e8da043f..fe81e119eb 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -543,12 +543,15 @@ static int put_flac_codecpriv(AVFormatContext *s, "Lavf" : LIBAVFORMAT_IDENT; AVDictionary *dict = NULL; uint8_t buf[32], *data, *p; - int len; + int64_t len; snprintf(buf, sizeof(buf), "0x%"PRIx64, codec->channel_layout); av_dict_set(&dict, "WAVEFORMATEXTENSIBLE_CHANNEL_MASK", buf, 0); len = ff_vorbiscomment_length(dict, vendor); + if (len >= ((1<<24) - 4)) + return AVERROR(EINVAL); + data = av_malloc(len + 4); if (!data) { av_dict_free(&dict); From 596b9d6ed88fc9a04f4e016380eb209f3f7ecd72 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 11 May 2015 20:07:49 +0200 Subject: [PATCH 295/700] id3v2: catch avio_read errors in check_tag Since len is an unsigned int, the comparison is currently treated as unsigned and thus ignores all errors from avio_read. Thus cast len to int, which is unproblematic, because at that point len is between 0 and 4. This fixes 'Conditional jump or move depends on uninitialised value' valgrind warnings in is_tag. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0382c94f13b4b20456b7259e90b170dc020419b8) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index cbf43757fe..42c72477aa 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c 
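Review bot: The new length check in put_flac_codecpriv returns without freeing `dict`, which was populated by `av_dict_set()` two lines earlier. The allocation-failure branch right below does call `av_dict_free(&dict)`, so this early return leaks the dictionary. Make it `if (len >= ((1<<24) - 4)) { av_dict_free(&dict); return AVERROR(EINVAL); }`. The function body continues outside the hunk.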
@@ -204,7 +204,7 @@ static int check_tag(AVIOContext *s, int offset, unsigned int len) if (len > 4 || avio_seek(s, offset, SEEK_SET) < 0 || - avio_read(s, tag, len) < len) + avio_read(s, tag, len) < (int)len) return -1; else if (!AV_RB32(tag) || is_tag(tag, len)) return 1; From 9c10c0fdcd2f77d39fc019c403bec70c5db9feb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 03:59:30 +0200 Subject: [PATCH 296/700] tools/graph2dot: use larger data types than int for array/string sizes Signed-off-by: Michael Niedermayer (cherry picked from commit acf4925f444636a828534ab47d0f86c21a7a9b4e) Signed-off-by: Michael Niedermayer --- tools/graph2dot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/graph2dot.c b/tools/graph2dot.c index 964322d080..868c62f0d8 100644 --- a/tools/graph2dot.c +++ b/tools/graph2dot.c @@ -153,7 +153,7 @@ int main(int argc, char **argv) /* read from infile and put it in a buffer */ { - unsigned int count = 0; + int64_t count = 0; struct line *line, *last_line, *first_line; char *p; last_line = first_line = av_malloc(sizeof(struct line)); @@ -169,7 +169,7 @@ int main(int argc, char **argv) graph_string = av_malloc(count + 1); p = graph_string; for (line = first_line; line->next; line = line->next) { - unsigned int l = strlen(line->data); + size_t l = strlen(line->data); memcpy(p, line->data, l); p += l; } From 1973b6ac5cf9424169d2e4774cd2b61c1e19ee77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:03:55 +0200 Subject: [PATCH 297/700] avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet() Larger packets are not supported and would cause problems later Signed-off-by: Michael Niedermayer (cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_xiph.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
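Review bot: In the second tools/graph2dot.c hunk the result of `graph_string = av_malloc(count + 1);` is still used unchecked: `p = graph_string` goes straight into `memcpy(p, line->data, l)` in the loop that follows. The commit widens the size types but a failed allocation would still be dereferenced, so a test such as `if (!graph_string) return 1;` (or whatever error exit main() uses elsewhere) belongs right after the call. main() continues outside the hunk, so the error convention it uses is not visible here.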
diff --git a/libavformat/rtpdec_xiph.c b/libavformat/rtpdec_xiph.c index dc34f9e224..da9a1e2c22 100644 --- a/libavformat/rtpdec_xiph.c +++ b/libavformat/rtpdec_xiph.c @@ -112,7 +112,7 @@ static int xiph_handle_packet(AVFormatContext *ctx, PayloadContext *data, return data->split_pkts > 0; } - if (len < 6) { + if (len < 6 || len > INT_MAX/2) { av_log(ctx, AV_LOG_ERROR, "Invalid %d byte packet\n", len); return AVERROR_INVALIDDATA; } From b8e0b6c70294ff2096020c4331856a9e3dedbe51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 17:55:40 +0200 Subject: [PATCH 298/700] avformat/rtpenc_jpeg: Check remaining buffer size for SOS Fixes CID1238818 Signed-off-by: Michael Niedermayer (cherry picked from commit 81198a68370e88f7d02f16de58db36713c2a50b6) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_jpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index c35332953c..2e13e178b4 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -84,6 +84,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) } else if (buf[i + 1] == SOS) { /* SOS is last marker in the header */ i += AV_RB16(&buf[i + 2]) + 2; + if (i > size) { + av_log(s1, AV_LOG_ERROR, + "Insufficient data. Aborted!\n"); + return; + } break; } } From 2012a226d281de87e0466baed7d3da7d0fe3a1a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:20:23 +0200 Subject: [PATCH 299/700] avformat/nutdec: Fix use of uinitialized value Fixes CID1041175 Signed-off-by: Michael Niedermayer (cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 02a4b1e11e..0a9fea2c16 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
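Review bot: The added `if (i > size)` test in ff_rtp_send_jpeg() (libavformat/rtpenc_jpeg.c) runs only after `AV_RB16(&buf[i + 2])` has been evaluated, so it bounds the resulting offset but not the two-byte read of the segment length itself. Whether the enclosing loop guarantees that `buf[i + 3]` is inside the buffer at this point cannot be seen from the hunk; if it does not, a guard like `if (i + 4 > size) { av_log(...); return; }` is needed before the read. The loop header and the code that consumes `i` afterwards are outside the hunk.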
@@ -524,6 +524,8 @@ static int decode_info_header(NUTContext *nut) for (i = 0; i < count; i++) { get_str(bc, name, sizeof(name)); value = get_s(bc); + str_value[0] = 0; + if (value == -1) { type = "UTF-8"; get_str(bc, str_value, sizeof(str_value)); From b7a3a3a8d2845ba662d772b475812332be4b92cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:32:12 +0200 Subject: [PATCH 300/700] avformat/matroskadec: Cleanup error handling for bz2 & zlib Fixes CID703652 Signed-off-by: Michael Niedermayer (cherry picked from commit 171af59d58fc67d82dce8ff7ed11fa671108baa5) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8dc8428b77..0bfa9dc264 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1218,15 +1218,13 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { inflateEnd(&zstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - if (pkt_data) { - result = inflate(&zstream, Z_NO_FLUSH); - } else - result = Z_MEM_ERROR; + result = inflate(&zstream, Z_NO_FLUSH); } while (result == Z_OK && pkt_size < 10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); 
@@ -1253,15 +1251,13 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { BZ2_bzDecompressEnd(&bzstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - if (pkt_data) { - result = BZ2_bzDecompress(&bzstream); - } else - result = BZ_MEM_ERROR; + result = BZ2_bzDecompress(&bzstream); } while (result == BZ_OK && pkt_size < 10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); From 05c2801413b117e369d6b339dff4955f387f32ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 19:09:06 +0200 Subject: [PATCH 301/700] avformat/hevc: Check cpb_cnt_minus1 Fixes CID1239014 Signed-off-by: Michael Niedermayer (cherry picked from commit 2cddc0b19a20dd061dbf199bf88005b37c540d2f) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 45b00c45bc..8ef3c1f986 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb, } } -static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, +static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, unsigned int max_sub_layers_minus1) { unsigned int i; @@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, else low_delay_hrd_flag = get_bits1(gb); - if (!low_delay_hrd_flag) + if (!low_delay_hrd_flag) { cpb_cnt_minus1 = get_ue_golomb_long(gb); + if (cpb_cnt_minus1 > 31) + return AVERROR_INVALIDDATA; + } if (nal_hrd_parameters_present_flag) skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1, 
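Review bot: skip_hrd_parameters() in libavformat/hevc.c now returns AVERROR_INVALIDDATA when `cpb_cnt_minus1 > 31`, but no call site appears to be updated to look at that value. The commit's diffstat (7 insertions, 2 deletions) is fully accounted for by the signature change, the braced check and the trailing `return 0;`. If callers still invoke it as a bare statement, parsing carries on after the rejected value as if nothing happened. Each caller should propagate the result, e.g. `ret = skip_hrd_parameters(gb, 1, max_sub_layers_minus1); if (ret < 0) return ret;`, with the arguments that caller already passes. The callers and most of the function body are outside the hunks shown.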
@@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1, sub_pic_hrd_params_present_flag); } + + return 0; } static void skip_timing_info(GetBitContext *gb) From 254e3af60f7e56b9c9ba870c1ea55066e3508f78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 19:28:15 +0200 Subject: [PATCH 302/700] avformat/hevc: Check num_negative_pics and num_positive_pics Fixes CID1238994 Signed-off-by: Michael Niedermayer (cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 8ef3c1f986..c92e9eb118 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -462,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, unsigned int num_negative_pics = get_ue_golomb_long(gb); unsigned int num_positive_pics = get_ue_golomb_long(gb); + if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics; for (i = 0; i < num_negative_pics; i++) { From 7d45230d812171da3976d9360a2d273e4027b5d6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 12 May 2015 20:27:21 +0200 Subject: [PATCH 303/700] aacdec: don't return frames without data Since commit 676a395a aac->frame->data is not necessarily allocated at the end of aac_decode_frame_int if avctx->channels is 0. In this case a bogus frame without any data, but non-zero nb_samples is returned. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ec38a1ba404b8cb8d71ccee2b8dcd6f3fcbde273) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 1aa1a80675..61efc2579b 100644 
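Review bot: In parse_rps() the new bound compares a `uint64_t` expression with the `int` returned by get_bits_left(), so the right-hand side is converted to unsigned. If the reader has already run past the end and get_bits_left() is negative, it turns into a very large value and the check never fires. An explicit sign test closes that: `int left = get_bits_left(gb);` followed by `if (left < 0 || (num_positive_pics + (uint64_t)num_negative_pics) * 2 > left)`. The same mixed-sign comparison appears in the shorten read_header() hunk (`(unsigned)skip_bytes > get_bits_left(&s->gb)/8`) and in the hls_slice_header() num_entry_point_offsets hunk. Whether get_bits_left() can actually be negative at these points depends on code outside the hunks.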
--- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -3059,6 +3059,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, AV_WL32(side, 2*AV_RL32(side)); } + if (!ac->frame->data[0] && samples) { + av_log(avctx, AV_LOG_ERROR, "no frame data found\n"); + err = AVERROR_INVALIDDATA; + goto fail; + } + *got_frame_ptr = !!samples; if (samples) { ac->frame->nb_samples = samples; From 00223d461bb78756033479e80c6a10a5570658bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 00:41:38 +0200 Subject: [PATCH 304/700] avcodec/vqavideo: Check chunk size Fixes CID1239154 Signed-off-by: Michael Niedermayer (cherry picked from commit 8a62b80ce6c8e87e7937f9a5d68f83882c1c8da2) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 4dcebd4849..bf55571fe9 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -231,6 +231,12 @@ static int decode_format80(VqaContext *s, int src_size, unsigned char color; int i; + if (src_size < 0 || src_size > bytestream2_get_bytes_left(&s->gb)) { + av_log(s->avctx, AV_LOG_ERROR, "Chunk size %d is out of range\n", + src_size); + return AVERROR_INVALIDDATA; + } + start = bytestream2_tell(&s->gb); while (bytestream2_tell(&s->gb) - start < src_size) { opcode = bytestream2_get_byte(&s->gb); From 885f501f7a1331bf24a310a16543dc550eabf729 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 01:31:15 +0200 Subject: [PATCH 305/700] avcodec/hevc_sei: Check num_sps_ids_minus1 value Fixes CID1271794 Signed-off-by: Michael Niedermayer (cherry picked from commit 93b0ee21a2f534f6d3b812686f3acde110e94f18) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 5bb5c9010a..13ebcd3ede 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c 
@@ -126,6 +126,11 @@ static int active_parameter_sets(HEVCContext *s) get_bits(gb, 1); // num_sps_ids_minus1 num_sps_ids_minus1 = get_ue_golomb_long(gb); // num_sps_ids_minus1 + if (num_sps_ids_minus1 < 0 || num_sps_ids_minus1 > 15) { + av_log(s->avctx, AV_LOG_ERROR, "num_sps_ids_minus1 %d invalid\n", num_sps_ids_minus1); + return AVERROR_INVALIDDATA; + } + active_seq_parameter_set_id = get_ue_golomb_long(gb); if (active_seq_parameter_set_id >= MAX_SPS_COUNT) { av_log(s->avctx, AV_LOG_ERROR, "active_parameter_set_id %d invalid\n", active_seq_parameter_set_id); From ef5fa5099b4a7993da03968cca3773d52c13b02e Mon Sep 17 00:00:00 2001 From: Nick Lewycky Date: Tue, 12 May 2015 18:07:57 -0700 Subject: [PATCH 306/700] libswscale/x86/hscale_fast_bilinear_simd.c: Include BX in the clobber list on x86_64, because it isn't implicitly included when PIC is on. Signed-off-by: Michael Niedermayer (cherry picked from commit 48e9f68384a2af257b9ca7633bf14f0c2748edc6) Signed-off-by: Michael Niedermayer --- libswscale/x86/hscale_fast_bilinear_simd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/x86/hscale_fast_bilinear_simd.c b/libswscale/x86/hscale_fast_bilinear_simd.c index 103793d27a..7887b6b651 100644 --- a/libswscale/x86/hscale_fast_bilinear_simd.c +++ b/libswscale/x86/hscale_fast_bilinear_simd.c @@ -277,7 +277,7 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst, ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D -#if !defined(PIC) +#if ARCH_X86_64 || !defined(PIC) ,"%"REG_b #endif ); @@ -361,7 +361,7 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2, ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D -#if !defined(PIC) +#if ARCH_X86_64 || !defined(PIC) ,"%"REG_b #endif ); From 0230a8efc6c9d505dc4be36e2909d9230b0813a9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 13 May 2015 13:13:07 +0200 Subject: [PATCH 307/700] avcodec/hevc: Check offset_len Fixes CID1239099 part 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e9d5e16ad9799f6b6faae4f21120d23146b84c9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 8fac87d889..aec1f1bf55 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -679,6 +679,13 @@ static int hls_slice_header(HEVCContext *s) int offset_len = get_ue_golomb_long(gb) + 1; int segments = offset_len >> 4; int rest = (offset_len & 15); + + if (offset_len < 1 || offset_len > 32) { + sh->num_entry_point_offsets = 0; + av_log(s->avctx, AV_LOG_ERROR, "offset_len %d is invalid\n", offset_len); + return AVERROR_INVALIDDATA; + } + av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); From 58f310f4966950e6abb7567230187669ae961122 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 13:21:52 +0200 Subject: [PATCH 308/700] avcodec/hevc: Check num_entry_point_offsets Fixes CID1239099 part 2 Signed-off-by: Michael Niedermayer (cherry picked from commit 1c6ae98d4a9ff9ea607df87908393eda4ebdf4e8) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index aec1f1bf55..2ba70ac345 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -674,7 +674,14 @@ static int hls_slice_header(HEVCContext *s) sh->num_entry_point_offsets = 0; if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) { - sh->num_entry_point_offsets = get_ue_golomb_long(gb); + unsigned num_entry_point_offsets = get_ue_golomb_long(gb); + // It would be possible to bound this tighter but this here is simpler + if (sh->num_entry_point_offsets > get_bits_left(gb)) { + av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets); + return AVERROR_INVALIDDATA; + } + + sh->num_entry_point_offsets = num_entry_point_offsets; if (sh->num_entry_point_offsets > 0) { int offset_len = get_ue_golomb_long(gb) + 1; int segments = offset_len >> 4; From 502684348b3479563f6ad28d9180c47c083c1514 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 13:35:37 +0200 Subject: [PATCH 309/700] avcodec/hevc_ps: More completely check vps_num_layer_sets Fixes CID1239052 part1 Signed-off-by: Michael Niedermayer (cherry picked from commit 16c95b107365cdbfcde1945370b59fc7e17e0309) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index d7e78b1b77..45b92e14fb 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -424,7 +424,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) vps->vps_max_layer_id = get_bits(gb, 6); vps->vps_num_layer_sets = get_ue_golomb_long(gb) + 1; - if ((vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) { + if (vps->vps_num_layer_sets < 1 || vps->vps_num_layer_sets > 1024 || + (vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) { av_log(s->avctx, AV_LOG_ERROR, "too many layer_id_included_flags\n"); goto err; } From 1ed8a10487db9e03221f69d68722e3a210bad19b Mon Sep 17 00:00:00 2001 
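Review bot: The new range check in hls_slice_header() tests `sh->num_entry_point_offsets`, which was set to 0 just above and is only assigned after the check, so the freshly parsed value is never validated. The condition should use the local instead: `if (num_entry_point_offsets > get_bits_left(gb)) {`. Because the local is `unsigned`, the log format should also be `%u` rather than `%d`. The function continues outside the hunk.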
From: Michael Niedermayer Date: Wed, 13 May 2015 13:35:57 +0200 Subject: [PATCH 310/700] avcodec/hevc_ps: Check vps_num_hrd_parameters Fix CID1239052 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit b195aa5d529040f43ab3acf0079cecbeb111bd57) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 45b92e14fb..8fe9a0c216 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -442,6 +442,11 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (vps->vps_poc_proportional_to_timing_flag) vps->vps_num_ticks_poc_diff_one = get_ue_golomb_long(gb) + 1; vps->vps_num_hrd_parameters = get_ue_golomb_long(gb); + if (vps->vps_num_hrd_parameters > (unsigned)vps->vps_num_layer_sets) { + av_log(s->avctx, AV_LOG_ERROR, + "vps_num_hrd_parameters %d is invalid\n", vps->vps_num_hrd_parameters); + goto err; + } for (i = 0; i < vps->vps_num_hrd_parameters; i++) { int common_inf_present = 1; From 2cab5f4ad05098c007b0468d80ede59b8360dfa8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 13:53:33 +0200 Subject: [PATCH 311/700] avcodec/hevc_ps: Explicitly check num_tile_* for negative values This fixes nothing but maybe helps coverity which does not see that this is failing later Signed-off-by: Michael Niedermayer (cherry picked from commit 65e5032955cb5022f0f39160aa3839f0799456bd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 8fe9a0c216..8d80e19692 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -1315,14 +1315,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->tiles_enabled_flag) { pps->num_tile_columns = get_ue_golomb_long(gb) + 1; pps->num_tile_rows = get_ue_golomb_long(gb) + 1; - if (pps->num_tile_columns == 0 || + if (pps->num_tile_columns <= 0 || pps->num_tile_columns >= sps->width) { av_log(s->avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", pps->num_tile_columns - 1); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->num_tile_rows == 0 || + if (pps->num_tile_rows <= 0 || pps->num_tile_rows >= sps->height) { av_log(s->avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", pps->num_tile_rows - 1); From bf2254bffd50d4bfcd5bb1373662d72fedc2f54c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 15:15:55 +0200 Subject: [PATCH 312/700] avcodec/jpeg2000dec: fix boolean operator Fixes CID1271791 #7-6 Signed-off-by: Michael Niedermayer (cherry picked from commit f8f155a18ac454e7ff3312e0e0c3a70eb4359143) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 17ee5418c0..555b3e962d 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1559,7 +1559,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) int cn = bytestream2_get_be16(&s->g); int av_unused typ = bytestream2_get_be16(&s->g); int asoc = bytestream2_get_be16(&s->g); - if (cn < 4 || asoc < 4) + if (cn < 4 && asoc < 4) s->cdef[cn] = asoc; } } From 4c6224b1cde6c71d8e33718db1b41384ddfcb3a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 18:36:19 +0200 Subject: [PATCH 313/700] avcodec/mjpegdec: fix len computation in ff_mjpeg_decode_dqt() Signed-off-by: Michael Niedermayer (cherry picked from commit 81cf9108563510dee24f73b2c5d94a7bd07ff747) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index bf674581d3..af38364e78 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -182,7 +182,7 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s) s->quant_matrixes[index][s->scantable.permutated[8]]) >> 1; av_log(s->avctx, AV_LOG_DEBUG, "qscale[%d]: %d\n", index, s->qscale[index]); - len -= 65; + len -= 1 + 64 * (1+pr); } return 0; } From 63d484c3426e75c9afbc2644150607d561f516d4 Mon Sep 17 00:00:00 2001 From: Rainer Hochecker Date: Wed, 13 May 2015 18:31:27 +0200 Subject: [PATCH 314/700] swr: fix alignment issue caused by 8ch sse functions Fix crash when doing 8 ch conversion from apps compiled with MSVS Thanks to Ronald for giving this hint: https://ffmpeg.org/pipermail/ffmpeg-devel/2015-May/173049.html Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit adb7372f7495927a226edf9b8e1d0ac9453985ea) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 80efe58c53..a29dc6215e 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -23,6 +23,7 @@ #include "audioconvert.h" #include "libavutil/avassert.h" #include "libavutil/channel_layout.h" +#include "libavutil/internal.h" #include @@ -664,8 +665,8 @@ int swr_is_initialized(struct SwrContext *s) { return !!s->in_buffer.ch_count; } -int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_count, - const uint8_t *in_arg [SWR_CH_MAX], int in_count){ +int attribute_align_arg swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_count, + const uint8_t *in_arg [SWR_CH_MAX], int in_count){ AudioData * in= &s->in; AudioData *out= &s->out; From 4858ee1d9c1fda4257930fccde8a7c229d3ef790 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 14 May 2015 00:09:56 +0200 Subject: [PATCH 315/700] avcodec/mpeg4audio: add some padding/alignment to MAX_PCE_SIZE This avoids potential accesses over the end Signed-off-by: Michael Niedermayer (cherry picked from commit 93cfa7d1692c25cff045f99ba1af2c9e5772c45e) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4audio.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4audio.h b/libavcodec/mpeg4audio.h index 0f410455f5..a1f3ffc59b 100644 --- a/libavcodec/mpeg4audio.h +++ b/libavcodec/mpeg4audio.h @@ -101,7 +101,7 @@ enum AudioObjectType { AOT_USAC, ///< N Unified Speech and Audio Coding }; -#define MAX_PCE_SIZE 304 /// Date: Thu, 14 May 2015 01:01:35 +0200 Subject: [PATCH 316/700] avcodec/on2avc: Check run more carefully Fixes CID1239106 Signed-off-by: Michael Niedermayer (cherry picked from commit 22f15f5735389e992ec9aed43b0680e75746b3a1) Signed-off-by: Michael Niedermayer --- libavcodec/on2avc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 01977e5bbc..7d2e81a57f 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -119,12 +119,12 @@ static int on2avc_decode_band_types(On2AVCContext *c, GetBitContext *gb) run_len = 1; do { run = get_bits(gb, bits_per_sect); + if (run > num_bands - band - run_len) { + av_log(c->avctx, AV_LOG_ERROR, "Invalid band type run\n"); + return AVERROR_INVALIDDATA; + } run_len += run; } while (run == esc_val); - if (band + run_len > num_bands) { - av_log(c->avctx, AV_LOG_ERROR, "Invalid band type run\n"); - return AVERROR_INVALIDDATA; - } for (i = band; i < band + run_len; i++) { c->band_type[i] = band_type; c->band_run_end[i] = band + run_len; From ebdbb13108687804c6e58eacc94d621cf370b010 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 17:54:40 +0200 Subject: [PATCH 317/700] avcodec/cavsdec: Check esc_code 
Signed-off-by: Michael Niedermayer (cherry picked from commit 139e1c8009df7729a53eaaae7036ca01071aced5) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index b5304eab9e..034c5d696d 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -563,6 +563,11 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, return AVERROR_INVALIDDATA; } esc_code = get_ue_code(gb, esc_golomb_order); + if (esc_code < 0 || esc_code > 32767) { + av_log(h->avctx, AV_LOG_ERROR, "esc_code invalid\n"); + return AVERROR_INVALIDDATA; + } + level = esc_code + (run > r->max_run ? 1 : r->level_add[run]); while (level > r->inc_limit) r++; From db00ecbc96a4056f2c9890f45839f422cae2b799 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 18:08:33 +0200 Subject: [PATCH 318/700] avcodec/cavsdec: Use ff_set_dimensions() Fixes CID1239111 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit f6b8b966076fcd358f734c6d00ed642edc02b4cd) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 034c5d696d..1ae897b774 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1123,6 +1123,7 @@ static int decode_seq_header(AVSContext *h) { int frame_rate_code; int width, height; + int ret; h->profile = get_bits(&h->gb, 8); h->level = get_bits(&h->gb, 8); @@ -1139,9 +1140,6 @@ static int decode_seq_header(AVSContext *h) av_log(h->avctx, AV_LOG_ERROR, "Dimensions invalid\n"); return AVERROR_INVALIDDATA; } - h->width = width; - h->height = height; - skip_bits(&h->gb, 2); //chroma format skip_bits(&h->gb, 3); //sample_precision h->aspect_ratio = get_bits(&h->gb, 4); 
@@ -1150,11 +1148,16 @@ static int decode_seq_header(AVSContext *h) skip_bits1(&h->gb); //marker_bit skip_bits(&h->gb, 12); //bit_rate_upper h->low_delay = get_bits1(&h->gb); + + ret = ff_set_dimensions(h->avctx, width, height); + if (ret < 0) + return ret; + + h->width = width; + h->height = height; h->mb_width = (h->width + 15) >> 4; h->mb_height = (h->height + 15) >> 4; h->avctx->framerate = ff_mpeg12_frame_rate_tab[frame_rate_code]; - h->avctx->width = h->width; - h->avctx->height = h->height; if (!h->top_qp) ff_cavs_init_top_lines(h); return 0; From 02c1074f18f6d696122e1fc098bff8e9b6adcae8 Mon Sep 17 00:00:00 2001 From: wm4 Date: Thu, 14 May 2015 18:27:31 +0200 Subject: [PATCH 319/700] hevc: make avcodec_decode_video2() fail if get_format() fails Personally, I need the decoder to back out if get_format() returns no usable pixel format. This didn't work because the error code was not propagated down the call chain. This in turn happened because the variable declaration removed in this patch shadowed the variable, whose value is returned at the end of the function. Consequently, failures of decode_nal_unit() were ignored in this place. Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cc5e4bb48476a89cc8ce0c41bc2bd2e8fda9b37c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 2ba70ac345..9b563cdf62 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2943,7 +2943,6 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) /* parse the NAL units */ for (i = 0; i < s->nb_nals; i++) { - int ret; s->skipped_bytes = s->skipped_bytes_nal[i]; s->skipped_bytes_pos = s->skipped_bytes_pos_nal[i]; From 474bfd54388566f752b09eb9df8a038f04d238ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 20:49:25 +0200 Subject: [PATCH 320/700] avcodec/dcadec: Check nchans Fixes CID1239110 
Signed-off-by: Michael Niedermayer (cherry picked from commit a6a45774d045007f8262cd7c614804390e53122e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 40d8e9e2f0..3e994daa10 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -584,6 +584,14 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel, } nchans = get_bits(&s->gb, 3) + 1; + if (xxch && nchans >= 3) { + av_log(s->avctx, AV_LOG_ERROR, "nchans %d is too large\n", nchans); + return AVERROR_INVALIDDATA; + } else if (nchans + base_channel > DCA_PRIM_CHANNELS_MAX) { + av_log(s->avctx, AV_LOG_ERROR, "channel sum %d + %d is too large\n", nchans, base_channel); + return AVERROR_INVALIDDATA; + } + s->total_channels = nchans + base_channel; s->prim_channels = s->total_channels; From 4a49f1e764d2fe2060f38f6b671fd3c0d3bbfa13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 21:29:19 +0200 Subject: [PATCH 321/700] avcodec/dcadec: Check subsubframes Fixes: CID1239152 Signed-off-by: Michael Niedermayer (cherry picked from commit a9bf628bfdad142763880a3d1ccb6058040dda57) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 3e994daa10..a78986ab4d 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -856,6 +856,10 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) if (!base_channel) { s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1; + if (block_index + s->subsubframes[s->current_subframe] > s->sample_blocks/8) { + s->subsubframes[s->current_subframe] = 1; + return AVERROR_INVALIDDATA; + } s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3); } From 9fb1c02f3097cc411f0816655349e95f0c7c1624 Mon Sep 17 00:00:00 2001 
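Review bot: The subsubframes rejection added to dca_subframe_header() returns AVERROR_INVALIDDATA without logging anything, whereas the nchans checks added to dca_parse_audio_coding_header() in the preceding commit report the offending value through av_log(). A matching message placed before the value is reset to 1, for example `av_log(s->avctx, AV_LOG_ERROR, "subsubframes %d is too large\n", s->subsubframes[s->current_subframe]);`, would make rejected streams diagnosable from the log. Both functions continue outside their hunks.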
From: Michael Niedermayer Date: Sat, 9 May 2015 13:07:00 +0200 Subject: [PATCH 322/700] ffmpeg_opt: Fix -timestamp parsing Signed-off-by: Michael Niedermayer (cherry picked from commit 107e4da47644fe615ea821d6a19682d73789aca7) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 1f281f605a..ad082ac282 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2825,7 +2825,7 @@ const OptionDef options[] = { { "itsscale", HAS_ARG | OPT_DOUBLE | OPT_SPEC | OPT_EXPERT | OPT_INPUT, { .off = OFFSET(ts_scale) }, "set the input ts scale", "scale" }, - { "timestamp", HAS_ARG | OPT_PERFILE, { .func_arg = opt_recording_timestamp }, + { "timestamp", HAS_ARG | OPT_PERFILE | OPT_OUTPUT, { .func_arg = opt_recording_timestamp }, "set the recording timestamp ('now' to set the current time)", "time" }, { "metadata", HAS_ARG | OPT_STRING | OPT_SPEC | OPT_OUTPUT, { .off = OFFSET(metadata) }, "add metadata", "string=string" }, From c14359f24d612e4de7ac4c47c47965ec01bedb9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 15:23:32 +0200 Subject: [PATCH 323/700] avcodec/proresdec2: Reset slice_count on deallocation Signed-off-by: Michael Niedermayer (cherry picked from commit c4c6aea397f62421bf8ef0449b2b465a53e4ab4d) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 4d04a0ad85..a1d497f049 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -183,6 +183,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons if (ctx->slice_count != slice_count || !ctx->slices) { av_freep(&ctx->slices); + ctx->slice_count = 0; ctx->slices = av_mallocz_array(slice_count, sizeof(*ctx->slices)); if (!ctx->slices) return AVERROR(ENOMEM); From d2fbf8b5691fe3dc58137c06135fd44286f81f5e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 15 May 2015 16:58:51 +0200 Subject: [PATCH 324/700] avcodec/shorten: Fix code depending on signed overflow behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 2d15588124ab1d4c0612cab66f02a716f1509211) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4c9cc0636c..925d9ca213 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -129,8 +129,7 @@ static int allocate_buffers(ShortenContext *s) av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); return AVERROR_INVALIDDATA; } - if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || - s->blocksize + s->nwrap <= (unsigned)s->nwrap) { + if (s->blocksize + (uint64_t)s->nwrap >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); return AVERROR_INVALIDDATA; From 71689e78632de55e593aa90ba2c80860c0b00eb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 16:48:31 +0200 Subject: [PATCH 325/700] avcodec/shorten: Check skip_bytes() Fixes CID1210526 Signed-off-by: Michael Niedermayer (cherry picked from commit d201becfc0d89c6a5dfe44e96f1044fbc2aadb70) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 925d9ca213..04e868fecd 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -369,6 +369,11 @@ static int read_header(ShortenContext *s) s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); + if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < skip_bytes; i++) skip_bits(&s->gb, 8); } From cb0cc44f3ac355077e6ebef7cabc39db7529a592 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 15 May 2015 17:02:28 +0200 Subject: [PATCH 326/700] avcodec/shorten: More complete pred_order check Fixes CID1239055 Signed-off-by: Michael Niedermayer (cherry picked from commit 294469416d8193a28710d802bb0c46e5fa09fad7) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 04e868fecd..6ea5d0c644 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -277,7 +277,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, if (command == FN_QLPC) { /* read/validate prediction order */ pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); - if (pred_order > s->nwrap) { + if ((unsigned)pred_order > s->nwrap) { av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); return AVERROR(EINVAL); From 8d02ba5b7b08fd816f1a6229b1de4a330784bdf7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:21:10 +0200 Subject: [PATCH 327/700] avcodec/smvjpegdec: check avcodec_decode_video2() return code Fixes CID1271810 Signed-off-by: Michael Niedermayer (cherry picked from commit cdd25f9a3df3905543a5546cf6076d2eaf895736) Signed-off-by: Michael Niedermayer --- libavcodec/smvjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 375c9d91c3..c99b029c87 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -155,6 +155,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz if (!cur_frame) { av_frame_unref(mjpeg_data); ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt); + if (ret < 0) { + s->mjpeg_data_size = 0; + return ret; + } } else if (!s->mjpeg_data_size) return AVERROR(EINVAL); From 43f9ec7113a4bc66d95a6b32e637221177d91fe6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 15 May 2015 17:26:25 +0200 Subject: [PATCH 328/700] avcodec/sonic: check memory allocations Signed-off-by: Michael Niedermayer (cherry picked from commit c131a9fead5bf63215b6e1172b3c5c183cf90b85) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index a5e573a7aa..81fe1ef5c8 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -497,12 +497,15 @@ static int predictor_calc_error(int *k, int *state, int order, int error) // copes better with quantization, and calculates the // actual whitened result as it goes. -static void modified_levinson_durbin(int *window, int window_entries, +static int modified_levinson_durbin(int *window, int window_entries, int *out, int out_entries, int channels, int *tap_quant) { int i; int *state = av_calloc(window_entries, sizeof(*state)); + if (!state) + return AVERROR(ENOMEM); + memcpy(state, window, 4* window_entries); for (i = 0; i < out_entries; i++) @@ -567,6 +570,7 @@ static void modified_levinson_durbin(int *window, int window_entries, } av_free(state); + return 0; } static inline int code_samplerate(int samplerate) @@ -627,6 +631,9 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx) // generate taps s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant)); + if (!s->tap_quant) + return AVERROR(ENOMEM); + for (i = 0; i < s->num_taps; i++) s->tap_quant[i] = ff_sqrt(i+1); @@ -656,7 +663,7 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx) s->window_size = ((2*s->tail_size)+s->frame_size); s->window = av_calloc(s->window_size, sizeof(*s->window)); - if (!s->window) + if (!s->window || !s->int_samples) return AVERROR(ENOMEM); avctx->extradata = av_mallocz(16); 
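Review bot: The early `return AVERROR(ENOMEM)` paths added to sonic_encode_init (after `s->tap_quant`, and the combined `!s->window || !s->int_samples` test) leave in place whatever buffers were allocated successfully before the failure. Unless the codec's close callback is guaranteed to run after a failed init, which this patch does not show, those buffers leak; the same applies to the two returns added to sonic_decode_init in the later hunks. A comment at the first return stating who frees them, or a shared cleanup label that releases the earlier allocations, would make the ownership explicit. Both init functions start and end outside the hunks.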
@@ -769,8 +776,11 @@ static int sonic_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, s->tail[i] = s->int_samples[s->frame_size - s->tail_size + i]; // generate taps - modified_levinson_durbin(s->window, s->window_size, + ret = modified_levinson_durbin(s->window, s->window_size, s->predictor_k, s->num_taps, s->channels, s->tap_quant); + if (ret < 0) + return ret; + if ((ret = intlist_write(&c, state, s->predictor_k, s->num_taps, 0)) < 0) return ret; @@ -913,6 +923,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) // generate taps s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant)); + if (!s->tap_quant) + return AVERROR(ENOMEM); + for (i = 0; i < s->num_taps; i++) s->tap_quant[i] = ff_sqrt(i+1); @@ -932,6 +945,8 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) return AVERROR(ENOMEM); } s->int_samples = av_calloc(s->frame_size, sizeof(*s->int_samples)); + if (!s->int_samples) + return AVERROR(ENOMEM); avctx->sample_fmt = AV_SAMPLE_FMT_S16; return 0; From 665b343f9252d9d47f8c1ba5b8db74549affa33d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:31:58 +0200 Subject: [PATCH 329/700] avcodec/sonic: More completely check sample_rate_index and channels Fixes CID1271783 Signed-off-by: Michael Niedermayer (cherry picked from commit ade8a46154cb45c88b1cb5c616eaa6320c941187) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 81fe1ef5c8..3db77f30a3 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c 
@@ -883,13 +883,19 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (s->version >= 1) { + int sample_rate_index; s->channels = get_bits(&gb, 2); - s->samplerate = samplerate_table[get_bits(&gb, 4)]; + sample_rate_index = get_bits(&gb, 4); + if (sample_rate_index >= FF_ARRAY_ELEMS(samplerate_table)) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample_rate_index %d\n", sample_rate_index); + return AVERROR_INVALIDDATA; + } + s->samplerate = samplerate_table[sample_rate_index]; av_log(avctx, AV_LOG_INFO, "Sonicv2 chans: %d samprate: %d\n", s->channels, s->samplerate); } - if (s->channels > MAX_CHANNELS) + if (s->channels > MAX_CHANNELS || s->channels < 1) { av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n"); return AVERROR_INVALIDDATA; From ba82b23a1d079530281ea3ac71eaaea9126c7429 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 18:04:12 +0200 Subject: [PATCH 330/700] avcodec/dcadec: Check scale table index Fixes CID1297594 part 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f3e6959bfa67d12cd5a173b86eb15abd7d9e4d5) Conflicts: libavcodec/dcadec.c --- libavcodec/dcadec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index a78986ab4d..b2e5c7faa4 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c 
@@ -1866,23 +1866,34 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < n_xbr_ch[chset]; i++) { const uint32_t *scale_table; int nbits; + int scale_table_size; if (s->scalefactor_huffman[chan_base+i] == 6) { scale_table = scale_factor_quant7; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant7); } else { scale_table = scale_factor_quant6; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant6); } nbits = anctemp[i]; for(j = 0; j < active_bands[chset][i]; j++) { if(abits_high[i][j] > 0) { - scale_table_high[i][j][0] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][0] = scale_table[index]; if(xbr_tmode && s->transition_mode[i][j]) { - scale_table_high[i][j][1] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][1] = scale_table[index]; } } } From 228f7c7eed04729d85aa8f4cdf1d753f7a8acbdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 18:29:40 +0200 Subject: [PATCH 331/700] avcodec/dcadec: Check active_bands Fixes CID1297594 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit fc624ec9ba7e5c4e8d905ac10f605a43d123f95a) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index b2e5c7faa4..907e49b64d 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c 
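Review bot: The second `int index` declared inside the `xbr_tmode && s->transition_mode[i][j]` branch of dca_xbr_parse_frame shadows the `index` declared a few lines earlier in the enclosing `abits_high[i][j] > 0` block, and the read-and-bounds-check sequence is repeated verbatim. Reusing the outer variable, `index = get_bits(&s->gb, nbits);`, removes the shadowing. A small static helper that reads the index and validates it against `scale_table_size` would remove the duplication and keep the two table reads from drifting apart. The function continues outside the hunk.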
@@ -1823,8 +1823,13 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < num_chsets; i++) { n_xbr_ch[i] = get_bits(&s->gb, 3) + 1; k = get_bits(&s->gb, 2) + 5; - for(j = 0; j < n_xbr_ch[i]; j++) + for(j = 0; j < n_xbr_ch[i]; j++) { active_bands[i][j] = get_bits(&s->gb, k) + 1; + if (active_bands[i][j] > DCA_SUBBANDS) { + av_log(s->avctx, AV_LOG_ERROR, "too many active subbands (%d)\n", active_bands[i][j]); + return AVERROR_INVALIDDATA; + } + } } /* skip to the end of the header */ From d3c9d87eea960dc62d9714371f52be25b9e941ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 22:02:12 +0200 Subject: [PATCH 332/700] avcodec/libtheoraenc: Check for av_malloc failure Fixes CID1257799 Signed-off-by: Michael Niedermayer (cherry picked from commit c64b2d480b4a35d4face9928b4265a0fda3f3dd9) Signed-off-by: Michael Niedermayer --- libavcodec/libtheoraenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index 4c90822439..36d48fbbb3 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -108,6 +108,8 @@ static int get_stats(AVCodecContext *avctx, int eos) // libtheora generates a summary header at the end memcpy(h->stats, buf, bytes); avctx->stats_out = av_malloc(b64_size); + if (!avctx->stats_out) + return AVERROR(ENOMEM); av_base64_encode(avctx->stats_out, b64_size, h->stats, h->stats_offset); } return 0; From 1bf416dfc39f0768904d081cf82856d5dd2f2803 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 22:12:08 +0200 Subject: [PATCH 333/700] avcodec/hevc: Fix typo in num_entry_point_offsets check Signed-off-by: Michael Niedermayer (cherry picked from commit 3051e7fa712dfe2136f19b7157211453895f2a3c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 9b563cdf62..cfd420b046 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -676,7 +676,7 @@ static int hls_slice_header(HEVCContext *s) if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) { unsigned num_entry_point_offsets = get_ue_golomb_long(gb); // It would be possible to bound this tighter but this here is simpler - if (sh->num_entry_point_offsets > get_bits_left(gb)) { + if (num_entry_point_offsets > get_bits_left(gb)) { av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets); return AVERROR_INVALIDDATA; } From 7e3d413f122cadcccecc51f59a81fd5994f8c0d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2015 13:50:38 +0200 Subject: [PATCH 334/700] avformat/mov: Print reason of loci parsing failure Signed-off-by: Michael Niedermayer (cherry picked from commit 9e4f0cfc8ff4ab635ea12bdbd8d85d8bb1ba25f9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 367752e1c9..7bab0baa40 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -230,8 +230,10 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) double longitude, latitude; const char *key = "location"; - if (len < 4 + 2 + 1 + 1 + 4 + 4 + 4) + if (len < 4 + 2 + 1 + 1 + 4 + 4 + 4) { + av_log(c->fc, AV_LOG_ERROR, "loci too short\n"); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // version+flags langcode = avio_rb16(pb); 
@@ -239,13 +241,17 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) len -= 6; len -= avio_get_str(pb, len, buf, sizeof(buf)); // place name - if (len < 1) + if (len < 1) { + av_log(c->fc, AV_LOG_ERROR, "place name too long\n"); return AVERROR_INVALIDDATA; + } avio_skip(pb, 1); // role len -= 1; - if (len < 14) + if (len < 14) { + av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%d)\n", len); return AVERROR_INVALIDDATA; + } longitude = ((int32_t) avio_rb32(pb)) / (float) (1 << 16); latitude = ((int32_t) avio_rb32(pb)) / (float) (1 << 16); From 10b77a34714838beaf0361da64dd85c842960604 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2015 13:51:18 +0200 Subject: [PATCH 335/700] avformat/mov: Fix parsing short loci Fixes Ticket4557 Signed-off-by: Michael Niedermayer (cherry picked from commit 50393bce31a5618f5125aaaf97bb69886fc4261d) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7bab0baa40..6d943384de 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -248,7 +248,7 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) avio_skip(pb, 1); // role len -= 1; - if (len < 14) { + if (len < 12) { av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%d)\n", len); return AVERROR_INVALIDDATA; } From 8b95fc6d8dcc6509bd2b3067508c034b0b6effbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 May 2015 19:07:17 +0200 Subject: [PATCH 336/700] avcodec/golomb: get_ur_golomb_jpegls: Fix reading huge k values Signed-off-by: Michael Niedermayer (cherry picked from commit c720b9ce9850710e74a103d9626869e397a89faa) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 81d8aeef9e..a65c17e326 100644 --- a/libavcodec/golomb.h 
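Review bot: The new message in mov_metadata_loci prints `len` with `%d`, but `len` is declared `unsigned` in the function signature, so the specifier should be `%u`. The value is small whenever this branch fires, so the output is the same today, but the mismatch trips -Wformat and would misreport if the threshold ever changes. Proposed line: `av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%u)\n", len);`.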
+++ b/libavcodec/golomb.h @@ -346,8 +346,16 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, if (i < limit - 1) { if (k) { - buf = SHOW_UBITS(re, gb, k); - LAST_SKIP_BITS(re, gb, k); + if (k > MIN_CACHE_BITS - 1) { + buf = SHOW_UBITS(re, gb, 16) << (k-16); + LAST_SKIP_BITS(re, gb, 16); + UPDATE_CACHE(re, gb); + buf |= SHOW_UBITS(re, gb, k-16); + LAST_SKIP_BITS(re, gb, k-16); + } else { + buf = SHOW_UBITS(re, gb, k); + LAST_SKIP_BITS(re, gb, k); + } } else { buf = 0; } From 1aaf9613a8741430a48c4470b14e3389d3cf46e6 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 6 May 2015 11:53:19 +0200 Subject: [PATCH 337/700] lavd/xcbgrab: fix comparison with screen size. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 7971fa9ce0ead8d2e8a79dbe422e91dcef8222ba) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index 292597877b..1a06d33b41 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c @@ -527,8 +527,8 @@ static int create_stream(AVFormatContext *s) gc = xcb_get_geometry(c->conn, c->screen->root); geo = xcb_get_geometry_reply(c->conn, gc, NULL); - if (c->x + c->width >= geo->width || - c->y + c->height >= geo->height) { + if (c->x + c->width > geo->width || + c->y + c->height > geo->height) { av_log(s, AV_LOG_ERROR, "Capture area %dx%d at position %d.%d " "outside the screen size %dx%d\n", From 64c82912a74aee655618f67998c99eda36d2c6bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Feb 2015 19:59:44 +0100 Subject: [PATCH 338/700] avformat/mp3dec: properly allocate dummy AVCodecContext Fixes (harmless) use of uninitialized variable Found-by: jamrial 
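Review bot: The new `k > MIN_CACHE_BITS - 1` branch in get_ur_golomb_jpegls puts no upper bound on `k`: it shifts the first 16 bits left by `k-16` and then calls `SHOW_UBITS(re, gb, k-16)`. If `k-16` can reach the width of `buf` or exceed what a single `UPDATE_CACHE` guarantees, the shift is undefined and the second read goes beyond the refilled cache. Nothing in the hunk shows that callers limit `k`, so the accepted range should be stated next to the branch, for example `/* k must not exceed 32 here: 16 bits are read first, then k-16 */` (assuming `buf` is 32 bits wide), and enforced by the callers that take `k` from the bitstream. The function starts and ends outside the hunk.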
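Review bot: `geo` is dereferenced in create_stream immediately after `xcb_get_geometry_reply(c->conn, gc, NULL)`, which returns NULL when the request fails, so the corrected bounds test can fault before it rejects anything. A guard ahead of the comparison would cover it: `if (!geo) return AVERROR(EIO);`, with the error code adjusted to whatever the rest of the file uses. The hunk also does not show `geo` being freed, and the sums `c->x + c->width` and `c->y + c->height` are not checked for negative offsets; both are worth confirming in the part of the function outside the hunk.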
Signed-off-by: Michael Niedermayer (cherry picked from commit 6ad42b3e15478284321dd285acaf189a16590854) Conflicts: libavformat/mp3dec.c --- libavformat/mp3dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index c4c1bb7ca5..030b11f3b7 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -61,7 +61,7 @@ static int mp3_read_probe(AVProbeData *p) int fsize, frames, sample_rate; uint32_t header; const uint8_t *buf, *buf0, *buf2, *end; - AVCodecContext avctx; + AVCodecContext *avctx = avcodec_alloc_context3(NULL); buf0 = p->buf; end = p->buf + p->buf_size - sizeof(uint32_t); @@ -78,7 +78,7 @@ static int mp3_read_probe(AVProbeData *p) for(frames = 0; buf2 < end; frames++) { header = AV_RB32(buf2); - fsize = avpriv_mpa_decode_header(&avctx, header, &sample_rate, &sample_rate, &sample_rate, &sample_rate); + fsize = avpriv_mpa_decode_header(avctx, header, &sample_rate, &sample_rate, &sample_rate, &sample_rate); if(fsize < 0) break; buf2 += fsize; @@ -87,6 +87,7 @@ static int mp3_read_probe(AVProbeData *p) if(buf == buf0) first_frames= frames; } + avcodec_free_context(&avctx); // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! if (first_frames>=4) return AVPROBE_SCORE_EXTENSION + 1; From 458ba000a57ca246b0ca5b8734ec6c1e28cff236 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Feb 2015 20:11:19 +0100 Subject: [PATCH 339/700] avformat/mp3dec: Check for avcodec_alloc_context3() failure Signed-off-by: Michael Niedermayer (cherry picked from commit b851bc20c6931c084710e69f7eec30d8c1bdb68e) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 030b11f3b7..d981874582 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c 
@@ -63,6 +63,9 @@ static int mp3_read_probe(AVProbeData *p) const uint8_t *buf, *buf0, *buf2, *end; AVCodecContext *avctx = avcodec_alloc_context3(NULL); + if (!avctx) + return 0; + buf0 = p->buf; end = p->buf + p->buf_size - sizeof(uint32_t); while(buf0 < end && !*buf0) From 3d65a272dab66329effd628533bcbbc67af73bf8 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Sat, 11 Apr 2015 00:54:10 +0300 Subject: [PATCH 340/700] rtpenc_jpeg: handle case of picture dimensions not dividing by 8 This fixes the calculation of the number of needed blocks to make sure that ALL pixels are represented by the result. Reviewed-by: Thomas Volkert Signed-off-by: Michael Niedermayer (cherry picked from commit 7f64a7503b19b39f1251e4380987034c569bebf5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index 2e13e178b4..7ee26c435e 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -40,8 +40,8 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) s->timestamp = s->cur_timestamp; /* convert video pixel dimensions from pixels to blocks */ - w = s1->streams[0]->codec->width >> 3; - h = s1->streams[0]->codec->height >> 3; + w = FF_CEIL_RSHIFT(s1->streams[0]->codec->width, 3); + h = FF_CEIL_RSHIFT(s1->streams[0]->codec->height, 3); /* get the pixel format type or fail */ if (s1->streams[0]->codec->pix_fmt == AV_PIX_FMT_YUVJ422P || From 6b7c6218393082bf6c91f08944a6d2087e2170e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 24 Apr 2015 12:38:09 +0300 Subject: [PATCH 341/700] rtsp: Make sure we don't write too many transport entries into a fixed-size array (cherry picked from commit b90adb0aba073f9c1b4abca852119947393ced4c) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index ae62252a22..6b9b544256 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -931,6 +931,8 @@ static void rtsp_parse_transport(RTSPMessageHeader *reply, const char *p) p++; reply->nb_transports++; + if (reply->nb_transports >= RTSP_MAX_TRANSPORTS) + break; } } From 23e88c81d67b66bed5423295636e0df69e66862f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:58:21 +0200 Subject: [PATCH 342/700] nutdec: fix memleaks on error in nut_read_header Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 361702660d2c37a63b7d6381d39e1e1de8405260) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0a9fea2c16..c4d56ce1ec 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -747,12 +747,14 @@ fail: return ret; } +static int nut_read_close(AVFormatContext *s); + static int nut_read_header(AVFormatContext *s) { NUTContext *nut = s->priv_data; AVIOContext *bc = s->pb; int64_t pos; - int initialized_stream_count; + int initialized_stream_count, ret = 0; nut->avf = s; @@ -762,7 +764,8 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto end; } } while (decode_main_header(nut) < 0); @@ -772,7 +775,8 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, STREAM_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "Not all stream headers found.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto end; } if (decode_stream_header(nut) >= 0) initialized_stream_count++; 
@@ -786,7 +790,8 @@ static int nut_read_header(AVFormatContext *s) if (startcode == 0) { av_log(s, AV_LOG_ERROR, "EOF before video frames\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto end; } else if (startcode == SYNCPOINT_STARTCODE) { nut->next_startcode = startcode; break; @@ -808,7 +813,10 @@ static int nut_read_header(AVFormatContext *s) ff_metadata_conv_ctx(s, NULL, ff_nut_metadata_conv); - return 0; +end: + if (ret < 0) + nut_read_close(s); + return FFMIN(ret, 0); } static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos) From e7e1832cfd8b64cd950aeb91a4b471953b9f09b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2015 17:13:15 +0200 Subject: [PATCH 343/700] avformat/nutdec: Return error on EOF from get_str() Signed-off-by: Michael Niedermayer (cherry picked from commit 6bbb2f8f4da67af374d62403742482cc5962aa21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index c4d56ce1ec..a0a88b3ccc 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -52,6 +52,8 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) if (maxlen) string[FFMIN(len, maxlen - 1)] = 0; + if (bc->eof_reached) + return AVERROR_EOF; if (maxlen == len) return -1; else From 682ccd41670222d5719cedd55b0fa15cbbcf08af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2015 17:32:48 +0200 Subject: [PATCH 344/700] avformat/nutdec: Fix recovery when immedeately after seeking a failure happens Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit b3496b4a33e806b7afdcbbf6f468b0332b676d7c) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index a0a88b3ccc..2188066fe4 100644 --- a/libavformat/nutdec.c 
+++ b/libavformat/nutdec.c @@ -1209,6 +1209,7 @@ static int read_seek(AVFormatContext *s, int stream_index, av_log(NULL, AV_LOG_DEBUG, "SEEKTO: %"PRId64"\n", pos2); pos = find_startcode(s->pb, SYNCPOINT_STARTCODE, pos2); avio_seek(s->pb, pos, SEEK_SET); + nut->last_syncpoint_pos = pos; av_log(NULL, AV_LOG_DEBUG, "SP: %"PRId64"\n", pos); if (pos2 > pos || pos2 + 15 < pos) av_log(NULL, AV_LOG_ERROR, "no syncpoint at backptr pos\n"); From 3c7ea2c46ef719244a1723d5d6b52f0733095ae1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 May 2015 21:42:38 +0200 Subject: [PATCH 345/700] Update for 2.5.7 Signed-off-by: Michael Niedermayer --- Changelog | 40 ++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 42 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 0ca400c1f6..9c37faca14 100644 --- a/Changelog +++ b/Changelog 
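Review bot: `pos` is stored into `nut->last_syncpoint_pos` in read_seek without checking that find_startcode() succeeded. nut_read_header in the same file treats a negative result from find_startcode() as "not found" (`pos < 0 + 1` after adding one), so a failed search here would seek to and record a negative position, and the mismatch is only logged afterwards. Checking first, `if (pos < 0) return AVERROR_INVALIDDATA;` before the `avio_seek()` call, would keep the saved position valid; the error code is a suggestion. read_seek starts and ends outside the hunk.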
@@ -1,6 +1,46 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.7 +- avformat/nutdec: Fix recovery when immedeately after seeking a failure happens +- nutdec: fix memleaks on error in nut_read_header +- rtpenc_jpeg: handle case of picture dimensions not dividing by 8 +- avformat/mov: Fix parsing short loci +- avcodec/shorten: Fix code depending on signed overflow behavior +- avcodec/proresdec2: Reset slice_count on deallocation +- ffmpeg_opt: Fix -timestamp parsing +- hevc: make avcodec_decode_video2() fail if get_format() fails +- avcodec/mpeg4audio: add some padding/alignment to MAX_PCE_SIZE +- swr: fix alignment issue caused by 8ch sse functions +- libswscale/x86/hscale_fast_bilinear_simd.c: Include BX in the clobber list on x86_64, because it isn't implicitly included when PIC is on. +- aacdec: don't return frames without data +- avformat/matroskadec: Cleanup error handling for bz2 & zlib +- avformat/nutdec: Fix use of uinitialized value +- tools/graph2dot: use larger data types than int for array/string sizes +- id3v2: catch avio_read errors in check_tag +- aacsbr: break infinite loop in sbr_hf_calc_npatches +- diracdec: avoid overflow of bytes*8 in decode_lowdelay +- diracdec: prevent overflow in data_unit_size check +- avidec: avoid infinite loop due to negative ast->sample_size +- pngdec: don't use AV_PIX_FMT_MONOBLACK for apng +- avcodec/wavpack: Check L/R values before use to avoid harmless integer overflow and undefined behavior in fate +- xcbgrab: Validate the capture area +- xcbgrab: Do not assume the non shm image data is always available +- avfilter/lavfutils: disable frame threads when decoding a single image +- nutdec: fix illegal count check in decode_main_header +- ffmpeg: remove incorrect network deinit +- OpenCL: Avoid potential buffer overflow in cmdutils_opencl.c +- apedec: set s->samples only when init_frame_decoder succeeded +- 
swscale/ppc/swscale_altivec.c: POWER LE support in yuv2planeX_8() delete macro GET_VF() +- libvpxenc: only set noise reduction w/vp8 +- tests/fate-run: do not attempt to parse tiny_psnrs output if it failed +- alac: reject rice_limit 0 if compression is used +- alsdec: only adapt order for positive max_order +- alsdec: check sample pointer range in revert_channel_correlation +- tests: drop bc dependency +- fate: Include branch information in the payload header + + version 2.5.6 - avcodec/atrac3plusdsp: fix on stack alignment - ac3: validate end in ff_ac3_bit_alloc_calc_mask diff --git a/RELEASE b/RELEASE index da6b0a8f16..35d16fb1a7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.6 +2.5.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3a35d9c3ba..b23f76dc20 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.6 +PROJECT_NUMBER = 2.5.7 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 3ea101b234485d43c0f538d77b208311aec4023b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2015 00:23:05 +0200 Subject: [PATCH 346/700] avformat/nutdec: Check X in 2nd branch of index reading Prevents read of uninitialized variable Based on patch by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ebb0ca3d70465ab6d369a66b2ef43bb059705db8) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 2188066fe4..72a24368ca 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -706,6 +706,10 @@ static int find_and_decode_index(NUTContext *nut) has_keyframe[n++] = flag; has_keyframe[n++] = !flag; } else { + if (x <= 1) { + av_log(s, AV_LOG_ERROR, "index: x %"PRIu64" is invalid\n", x); + goto fail; + } while (x != 1) { if (n >= syncpoint_count + 1) { av_log(s, AV_LOG_ERROR, "index overflow B\n"); From ffb4362bf0b6e6cd6a87b6479177f599419dfb8c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:06:05 +0200 Subject: [PATCH 347/700] nutdec: fix infinite resync loops nut->last_syncpoint_pos doesn't necessarily change between resync attempts, so find_any_startcode can return the same startcode again. Thus remember where the last resync happened and don't try to resync before that. This can't be done locally in nut_read_packet, because this wouldn't prevent infinite resync loops, where after the resync a packet is returned and while reading a following packet the resync happens again. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 37e679881d364b6da817d829d35869d657218ab3) Signed-off-by: Michael Niedermayer --- libavformat/nut.h | 1 + libavformat/nutdec.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/nut.h b/libavformat/nut.h index 943081caf6..0c678a51b9 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h @@ -102,6 +102,7 @@ typedef struct NUTContext { unsigned int max_distance; unsigned int time_base_count; int64_t last_syncpoint_pos; + int64_t last_resync_pos; int header_count; AVRational *time_base; struct AVTreeNode *syncpoints; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 72a24368ca..3c2ffd8927 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -1119,7 +1119,8 @@ static int nut_read_packet(AVFormatContext *s, AVPacket *pkt) default: resync: av_log(s, AV_LOG_DEBUG, "syncing from %"PRId64"\n", pos); - tmp = find_any_startcode(bc, nut->last_syncpoint_pos + 1); + tmp = find_any_startcode(bc, FFMAX(nut->last_syncpoint_pos, nut->last_resync_pos) + 1); + nut->last_resync_pos = avio_tell(bc); if (tmp == 0) return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "sync\n"); @@ -1220,6 +1221,8 @@ static int read_seek(AVFormatContext *s, int stream_index, for (i = 0; i < s->nb_streams; i++) nut->stream[i].skip_until_key_frame = 1; + nut->last_resync_pos = 0; + return 0; } From af27254eb30c7f7d3910555f3b10c272b93fae59 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:31:24 +0200 Subject: [PATCH 348/700] nutdec: stop skipping bytes at EOF This can unnecessarily waste a lot of time. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit fa7dec8cb00d2d0dd96ff9863ccda38428610a21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 3c2ffd8927..62c270dca0 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -47,6 +47,8 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) while (len > maxlen) { avio_r8(bc); len--; + if (bc->eof_reached) + len = maxlen; } if (maxlen) @@ -213,8 +215,11 @@ static int skip_reserved(AVIOContext *bc, int64_t pos) avio_seek(bc, pos, SEEK_CUR); return AVERROR_INVALIDDATA; } else { - while (pos--) + while (pos--) { + if (bc->eof_reached) + return AVERROR_INVALIDDATA; avio_r8(bc); + } return 0; } } 
@@ -293,8 +298,13 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 7) tmp_head_idx = ffio_read_varlen(bc); - while (tmp_fields-- > 8) + while (tmp_fields-- > 8) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding main header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (count <= 0 || count > 256 - (i <= 'N') - i) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); @@ -985,8 +995,13 @@ static int decode_frame_header(NUTContext *nut, int64_t *pts, int *stream_id, *header_idx = ffio_read_varlen(bc); if (flags & FLAG_RESERVED) reserved_count = ffio_read_varlen(bc); - for (i = 0; i < reserved_count; i++) + for (i = 0; i < reserved_count; i++) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding frame header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (*header_idx >= (unsigned)nut->header_count) { av_log(s, AV_LOG_ERROR, "header_idx invalid\n"); From 21d0ae829f72ec327aff31b0cb1af1261b56596c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:34:42 +0200 Subject: [PATCH 349/700] nutdec: abort if EOF is reached in decode_info_header/read_sm_data These loops can take a lot of time if count is very large. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 62c270dca0..f5fd5b5447 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut) AVIOContext *bc = s->pb; uint64_t tmp, chapter_start, chapter_len; unsigned int stream_id_plus1, count; - int chapter_id, i; + int chapter_id, i, ret; int64_t value, end; char name[256], str_value[1024], type_str[256]; const char *type; 
@@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut) } for (i = 0; i < count; i++) { - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n"); + return ret; + } value = get_s(bc); str_value[0] = 0; @@ -845,14 +849,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int int sample_rate = 0; int width = 0; int height = 0; - int i; + int i, ret; for (i=0; i= maxpos) return AVERROR_INVALIDDATA; - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n"); + return ret; + } value = get_s(bc); if (value == -1) { From f621ae6a6dd8690ba68eb25dd282727d2171d21e Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 6 Jun 2015 15:56:06 +0000 Subject: [PATCH 350/700] avcodec/exr: fix crash caused by merge Various header informations need to be reset when decoding next frame. Regression since: 95582b5c Fixes ticket #4597. Signed-off-by: Paul B Mahol (cherry picked from commit a03b69478b7f1c0c31e53acb0cf392917c0f967a) --- libavcodec/exr.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b56fe2e7f6..0e62f4e2d7 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
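Review bot: The new check in decode_info_header, and the identical one in read_sm_data in the next hunk, treat every negative return from `get_str` as fatal, while the commit message only talks about aborting at EOF. get_str's return statements are not in the visible hunks; if it also returns a negative value for a string that was merely truncated to `maxlen`, one over-long name would now fail the whole header. Testing `bc->eof_reached` after the call, or a comment stating that truncation is meant to be fatal, would remove the ambiguity. Since `ret` is propagated unchanged, it should also be confirmed that get_str returns an AVERROR code such as `AVERROR_INVALIDDATA` rather than a bare -1.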
@@ -1012,6 +1012,22 @@ static int decode_header(EXRContext *s) int current_channel_offset = 0; int magic_number, version, flags, i; + s->xmin = ~0; + s->xmax = ~0; + s->ymin = ~0; + s->ymax = ~0; + s->xdelta = ~0; + s->ydelta = ~0; + s->channel_offsets[0] = -1; + s->channel_offsets[1] = -1; + s->channel_offsets[2] = -1; + s->channel_offsets[3] = -1; + s->pixel_type = EXR_UNKNOWN; + s->compression = EXR_UNKN; + s->nb_channels = 0; + s->w = 0; + s->h = 0; + if (bytestream2_get_bytes_left(&s->gb) < 10) { av_log(s->avctx, AV_LOG_ERROR, "Header too short to parse.\n"); return AVERROR_INVALIDDATA; @@ -1352,21 +1368,6 @@ static av_cold int decode_init(AVCodecContext *avctx) float one_gamma = 1.0f / s->gamma; s->avctx = avctx; - s->xmin = ~0; - s->xmax = ~0; - s->ymin = ~0; - s->ymax = ~0; - s->xdelta = ~0; - s->ydelta = ~0; - s->channel_offsets[0] = -1; - s->channel_offsets[1] = -1; - s->channel_offsets[2] = -1; - s->channel_offsets[3] = -1; - s->pixel_type = EXR_UNKNOWN; - s->compression = EXR_UNKN; - s->nb_channels = 0; - s->w = 0; - s->h = 0; if ( one_gamma > 0.9999f && one_gamma < 1.0001f ) { for ( i = 0; i < 65536; ++i ) { From e29f68cf9e336b685362f56e6a45d574af97a770 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 05:11:09 +0200 Subject: [PATCH 351/700] avcodec/x86/h264_weight: handle weight1=128 Fix ticket4596 Signed-off-by: Michael Niedermayer (cherry picked from commit e1009665759d4a3938dd2dd07b7e84d8bc9c5290) --- libavcodec/x86/h264_weight.asm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/x86/h264_weight.asm b/libavcodec/x86/h264_weight.asm index b4fb9db309..1e1219ddde 100644 --- a/libavcodec/x86/h264_weight.asm +++ b/libavcodec/x86/h264_weight.asm @@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8 add off_regd, 1 or off_regd, 1 add r4, 1 + cmp r6d, 128 + je .nonnormal cmp r5, 128 jne .normal +.nonnormal sar r5, 1 sar r6, 1 sar off_regd, 1 From 2d55d3483b8e6aa81f32bf8f8c1b797cc59e0af6 Mon Sep 17 00:00:00 2001 
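Review bot: The block of resets moved to the top of decode_header (libavcodec/exr.c) carries no comment saying why it lives there rather than in decode_init, although the commit message describes the crash as a regression from exactly that placement. A one-line comment above the block, e.g. `/* Header state is per frame: reset it so values from the previous frame cannot be reused. */`, would protect it from being moved back. The four `s->channel_offsets[n] = -1;` lines could also be a short loop. decode_header continues outside the hunk.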
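Review bot: The label added in libavcodec/x86/h264_weight.asm is written `.nonnormal` without a trailing colon; assemblers in the NASM family warn about a label alone on a line without a colon, and the rest of the file's style cannot be seen from this hunk, so `.nonnormal:` is the safer spelling. The two compares also deserve a short comment such as `; either weight equal to 128 takes the halved path below`, since the reason for special-casing 128 is only in the ticket reference. The new compare uses `r6d` while the existing one uses `r5`; if that width difference is deliberate it should be noted as well.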
From: Michael Niedermayer Date: Thu, 18 Jun 2015 18:03:21 +0200 Subject: [PATCH 352/700] avcodec/hevc_ps: Only discard overread VPS if a previous is available Fixes Ticket4621 Signed-off-by: Michael Niedermayer (cherry picked from commit 57078e4d255a06246fef27846073f5ffb312b5dc) --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 8d80e19692..5f5bad224f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -461,7 +461,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (get_bits_left(gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "Overread VPS by %d bits\n", -get_bits_left(gb)); - goto err; + if (s->vps_list[vps_id]) + goto err; } av_buffer_unref(&s->vps_list[vps_id]); From d4c7a1ecb8ced6001303b9607a571e396e268632 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 01:26:55 +0200 Subject: [PATCH 353/700] avformat/mov: Mark avio context of decompressed atoms as seekable Fixes Ticket4329 Signed-off-by: Michael Niedermayer (cherry picked from commit 8ce564ea280b61d21eebf8a2fd741f792ce81638) --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6d943384de..783ad0d76d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3162,6 +3162,7 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom) goto free_and_return; if (ffio_init_context(&ctx, moov_data, moov_len, 0, NULL, NULL, NULL, NULL) != 0) goto free_and_return; + ctx.seekable = AVIO_SEEKABLE_NORMAL; atom.type = MKTAG('m','o','o','v'); atom.size = moov_len; ret = mov_read_default(c, &ctx, atom); From 2e210e19b1561ca198b635272fcb057373210586 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 04:12:13 +0200 Subject: [PATCH 354/700] avcodec/mpegvideo: Factor ff_mpv_reallocate_putbitbuffer() out 
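Review bot: In ff_hevc_decode_nal_vps the overread branch now falls through when `s->vps_list[vps_id]` is empty, so a VPS whose parsing ran past the end of the NAL proceeds to the `av_buffer_unref(&s->vps_list[vps_id]);` that follows and, as far as the visible context suggests, is stored as the active one. Its trailing fields then hold whatever the bit reader returned for the missing bits. That trade-off should be stated in the code, e.g. `/* No earlier VPS to fall back on: keep this truncated one; fields read past the end are not trustworthy. */`. The function's body before and after the hunk is not visible, so any later validation of those fields should be confirmed.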
Signed-off-by: Michael Niedermayer (cherry picked from commit 00f3bb2ef2bb25fc41b7a905376f00d104f70185) --- libavcodec/mpegvideo.h | 1 + libavcodec/mpegvideo_enc.c | 55 ++++++++++++++++++++++---------------- 2 files changed, 33 insertions(+), 23 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index f1a3d8e51c..40c269846c 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -773,6 +773,7 @@ void ff_mpv_encode_init_x86(MpegEncContext *s); int ff_mpv_encode_end(AVCodecContext *avctx); int ff_mpv_encode_picture(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet); +int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t size_increase); void ff_clean_intra_table_entries(MpegEncContext *s); void ff_mpeg_draw_horiz_band(MpegEncContext *s, int y, int h); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 00bf65f22f..f303a35f34 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -2718,6 +2718,35 @@ static void update_mb_info(MpegEncContext *s, int startcode) write_mb_info(s); } +int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t size_increase) +{ + if ( s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < threshold + && s->slice_context_count == 1 + && s->pb.buf == s->avctx->internal->byte_buffer) { + int lastgob_pos = s->ptr_lastgob - s->pb.buf; + int vbv_pos = s->vbv_delay_ptr - s->pb.buf; + + uint8_t *new_buffer = NULL; + int new_buffer_size = 0; + + av_fast_padded_malloc(&new_buffer, &new_buffer_size, + s->avctx->internal->byte_buffer_size + size_increase); + if (!new_buffer) + return AVERROR(ENOMEM); + + memcpy(new_buffer, s->avctx->internal->byte_buffer, s->avctx->internal->byte_buffer_size); + av_free(s->avctx->internal->byte_buffer); + s->avctx->internal->byte_buffer = new_buffer; + s->avctx->internal->byte_buffer_size = new_buffer_size; + rebase_put_bits(&s->pb, new_buffer, new_buffer_size); + s->ptr_lastgob = s->pb.buf + lastgob_pos; + s->vbv_delay_ptr = s->pb.buf + vbv_pos; + } + if (s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < threshold) + return AVERROR(EINVAL); + return 0; +} + static int encode_thread(AVCodecContext *c, void *arg){ MpegEncContext *s= *(void**)arg; int mb_x, mb_y, pdif = 0; 
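Review bot: ff_mpv_reallocate_putbitbuffer passes `s->avctx->internal->byte_buffer_size + size_increase` to `av_fast_padded_malloc` without an upper bound, while `new_buffer_size` is an `int` and the put-bits writer counts in bits. A guard before the allocation, such as `if (s->avctx->internal->byte_buffer_size + size_increase >= INT_MAX/8) return AVERROR(ENOMEM);`, keeps the byte size convertible to a bit count. Separately, `s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < threshold` compares a signed pointer difference with a `size_t`, so a negative left side would compare as a very large value and skip the reallocation. The new prototype in mpegvideo.h also has no comment explaining what `threshold` and `size_increase` mean or which error codes are returned.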
@@ -2794,30 +2823,10 @@ static int encode_thread(AVCodecContext *c, void *arg){ // int d; int dmin= INT_MAX; int dir; + int size_increase = s->avctx->internal->byte_buffer_size/4 + + s->mb_width*MAX_MB_BYTES; - if ( s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < MAX_MB_BYTES - && s->slice_context_count == 1 - && s->pb.buf == s->avctx->internal->byte_buffer) { - int new_size = s->avctx->internal->byte_buffer_size - + s->avctx->internal->byte_buffer_size/4 - + s->mb_width*MAX_MB_BYTES; - int lastgob_pos = s->ptr_lastgob - s->pb.buf; - int vbv_pos = s->vbv_delay_ptr - s->pb.buf; - - uint8_t *new_buffer = NULL; - int new_buffer_size = 0; - - av_fast_padded_malloc(&new_buffer, &new_buffer_size, new_size); - if (new_buffer) { - memcpy(new_buffer, s->avctx->internal->byte_buffer, s->avctx->internal->byte_buffer_size); - av_free(s->avctx->internal->byte_buffer); - s->avctx->internal->byte_buffer = new_buffer; - s->avctx->internal->byte_buffer_size = new_buffer_size; - rebase_put_bits(&s->pb, new_buffer, new_buffer_size); - s->ptr_lastgob = s->pb.buf + lastgob_pos; - s->vbv_delay_ptr = s->pb.buf + vbv_pos; - } - } + ff_mpv_reallocate_putbitbuffer(s, MAX_MB_BYTES, size_increase); if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < MAX_MB_BYTES){ av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); return -1; From 11f597ed848641727e4d823052cde9502e075a3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 14:35:35 +0200 Subject: [PATCH 355/700] avcodec/mjpegenc_common: Use ff_mpv_reallocate_putbitbuffer() Fixes assertion failure Fixes Ticket4396 Signed-off-by: Michael Niedermayer (cherry picked from commit c50904fd7899e37516324e711b3b8edfe7214da8) --- libavcodec/mjpegenc_common.c | 12 +++++++++++- libavcodec/mjpegenc_common.h | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 8a5b99f227..8ff37288a7 100644 --- a/libavcodec/mjpegenc_common.c 
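Review bot: The call `ff_mpv_reallocate_putbitbuffer(s, MAX_MB_BYTES, size_increase);` in encode_thread discards the return value, so an allocation failure (`AVERROR(ENOMEM)`) is only noticed by the space check that follows and is reported as "encoded frame too large" with a bare `-1`. Because the helper already returns an error when the free space is still below the threshold, the result can be captured with `int ret = ff_mpv_reallocate_putbitbuffer(s, MAX_MB_BYTES, size_increase);` and the following `if` can test `ret < 0` and `return ret;`. encode_thread starts and ends outside the hunk.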
+++ b/libavcodec/mjpegenc_common.c @@ -337,20 +337,30 @@ void ff_mjpeg_escape_FF(PutBitContext *pb, int start) } } -void ff_mjpeg_encode_stuffing(MpegEncContext *s) +int ff_mjpeg_encode_stuffing(MpegEncContext *s) { int i; PutBitContext *pbc = &s->pb; int mb_y = s->mb_y - !s->mb_x; + int ret = ff_mpv_reallocate_putbitbuffer(s, put_bits_count(&s->pb) / 8 + 100, + put_bits_count(&s->pb) / 4 + 1000); + if (ret < 0) { + av_log(s->avctx, AV_LOG_ERROR, "Buffer reallocation failed\n"); + goto fail; + } + ff_mjpeg_escape_FF(pbc, s->esc_pos); if((s->avctx->active_thread_type & FF_THREAD_SLICE) && mb_y < s->mb_height) put_marker(pbc, RST0 + (mb_y&7)); s->esc_pos = put_bits_count(pbc) >> 3; +fail: for(i=0; i<3; i++) s->last_dc[i] = 128 << s->intra_dc_precision; + + return ret; } void ff_mjpeg_encode_picture_trailer(PutBitContext *pb, int header_bits) diff --git a/libavcodec/mjpegenc_common.h b/libavcodec/mjpegenc_common.h index 38b9b3f9f0..87f150550d 100644 --- a/libavcodec/mjpegenc_common.h +++ b/libavcodec/mjpegenc_common.h @@ -34,7 +34,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb, uint16_t chroma_intra_matrix[64]); void ff_mjpeg_encode_picture_trailer(PutBitContext *pb, int header_bits); void ff_mjpeg_escape_FF(PutBitContext *pb, int start); -void ff_mjpeg_encode_stuffing(MpegEncContext *s); +int ff_mjpeg_encode_stuffing(MpegEncContext *s); void ff_mjpeg_init_hvsample(AVCodecContext *avctx, int hsample[3], int vsample[3]); void ff_mjpeg_encode_dc(PutBitContext *pb, int val, From e9502ee26ae14383fe1963f2de6a04ef07dd31f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 May 2015 04:31:30 +0200 Subject: [PATCH 356/700] avfilter/x86/vf_hqdn3d: Fix register types Fixes Ticket4301 Signed-off-by: Michael Niedermayer (cherry picked from commit 52fc3e372f8ed4de5735abed1f7f7569fe37b023) --- libavfilter/x86/vf_hqdn3d.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
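Review bot: The threshold and growth arguments in ff_mjpeg_encode_stuffing, `put_bits_count(&s->pb) / 8 + 100` and `put_bits_count(&s->pb) / 4 + 1000`, are unexplained magic numbers. If the reasoning is that `ff_mjpeg_escape_FF` may add up to one byte per byte already written, a comment saying so would let a reader verify the bound; that reading is inferred from the call order and is not stated on the page. On the `fail` path the data is left unescaped and only `last_dc` is reset, so every caller has to act on the new `int` return value. The callers are not part of this diff and should be checked.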
diff --git a/libavfilter/x86/vf_hqdn3d.asm b/libavfilter/x86/vf_hqdn3d.asm index 961127e670..e3b1bdca53 100644 --- a/libavfilter/x86/vf_hqdn3d.asm +++ b/libavfilter/x86/vf_hqdn3d.asm @@ -27,8 +27,8 @@ SECTION .text %if lut_bits != 8 sar %1q, 8-lut_bits %endif - movsx %1d, word [%3q+%1q*2] - add %1d, %2d + movsx %1q, word [%3q+%1q*2] + add %1q, %2q %endmacro %macro LOAD 3 ; dstreg, x, bitdepth From 51a624bb80b3a79b75c9a8b813f74da45365d646 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jul 2015 02:43:02 +0200 Subject: [PATCH 357/700] avformat/swfdec: Do not error out on pixel format changes Instead print an error and continue Fixes Ticket4702 Signed-off-by: Michael Niedermayer (cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69) --- libavformat/swfdec.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 528bc236f2..b2c652eb9c 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -390,10 +390,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) } if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); - res = AVERROR_PATCHWELCOME; - goto bitmap_end; - } - st->codec->pix_fmt = pix_fmt; + }else + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From f1a4af4dc27c41e13e15ff5e7e9f5af3551a1b2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2015 12:03:38 +0200 Subject: [PATCH 358/700] avformat/wavdec: Increase probe_packets limit Fixes DTS detection of b2429e5ba9.dts Signed-off-by: Michael Niedermayer (cherry picked from commit 9f5769437aaab30a359cde254f39d9a28b1ce657) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 9c4e2dfa14..763e2e4926 100644 --- a/libavformat/wavdec.c 
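Review bot: After this change swf_read_packet (libavformat/swfdec.c) keeps going when a bitmap's `pix_fmt` differs from `st->codec->pix_fmt`, so the packet is emitted with data for the new format while the stream still advertises the old one. The `linesize * height > pkt->size` check that follows appears to be computed for the current bitmap, not for what a consumer of the stream's declared format will assume, which pushes the mismatch downstream. Whether the decoder behind this stream validates the packet size against its own format is not visible here. A comment at the `else` stating that assumption, or dropping the mismatching bitmap instead of emitting it, would make the behaviour deliberate.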
+++ b/libavformat/wavdec.c @@ -114,7 +114,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) { st->request_probe = AVPROBE_SCORE_EXTENSION; - st->probe_packets = FFMIN(st->probe_packets, 14); + st->probe_packets = FFMIN(st->probe_packets, 20); } } From 9e1a818a2df1a5c023780bb3d9b0bcafbe7bf20e Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Sat, 23 May 2015 14:07:14 +0200 Subject: [PATCH 359/700] avformat/wavdec: Increase dts packet threshold to fix more misdetections Signed-off-by: Michael Niedermayer (cherry picked from commit 40a3e1e9c54997e4dfc7802b5a758b68ceb64982) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 763e2e4926..66fd7664f7 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -114,7 +114,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) { st->request_probe = AVPROBE_SCORE_EXTENSION; - st->probe_packets = FFMIN(st->probe_packets, 20); + st->probe_packets = FFMIN(st->probe_packets, 32); } } From 962ad32891c82906cdca3a5e4c3e1d3e92b384bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 04:53:09 +0200 Subject: [PATCH 360/700] avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size() Signed-off-by: Michael Niedermayer (cherry picked from commit e4c2ec879b1121c02279cd60a54643da0d249e40) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 8858caaacc..8dbbd094df 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -253,6 +253,7 @@ static inline void skip_put_bits(PutBitContext *s, int n) static inline void set_put_bits_buffer_size(PutBitContext *s, int size) { s->buf_end = s->buf + size; + s->size_in_bits = 8*size; } #endif /* AVCODEC_PUT_BITS_H */ 
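Review bot: `s->size_in_bits = 8*size;` in set_put_bits_buffer_size (libavcodec/put_bits.h) overflows `int` once `size` exceeds `INT_MAX/8`, and nothing in the function rejects such a value. The caller added in the next commit clamps with `INT_MAX/8-32`, but the precondition belongs in the helper as well: `av_assert0(size <= INT_MAX/8 - 32);` before the two assignments.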
From e83d99863418104adb1ea12825a19343ced5227c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 04:54:41 +0200 Subject: [PATCH 361/700] avcodec/mpegvideo_enc: Update the buffer size as more slices are merged Signed-off-by: Michael Niedermayer (cherry picked from commit 561d3a57aaa95c7e8e65e96b36dd069100603650) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index f303a35f34..dbcbb8a9c6 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3742,6 +3742,8 @@ static int encode_picture(MpegEncContext *s, int picture_number) } s->avctx->execute(s->avctx, encode_thread, &s->thread_context[0], NULL, context_count, sizeof(void*)); for(i=1; ipb.buf_end == s->thread_context[i]->pb.buf) + set_put_bits_buffer_size(&s->pb, FFMIN(s->thread_context[i]->pb.buf_end - s->pb.buf, INT_MAX/8-32)); merge_context_after_encode(s, s->thread_context[i]); } emms_c(); From 4ac8b94a73218aa176226a431a222a1946199e7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 03:45:38 +0200 Subject: [PATCH 362/700] avcodec/put_bits: Assert that there is enough space left in skip_put_bytes() Signed-off-by: Michael Niedermayer (cherry picked from commit 8f5ffed183e099128a732a00976f69fdc641d093) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 8dbbd094df..08f6826ee3 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -230,6 +230,7 @@ static inline void skip_put_bytes(PutBitContext *s, int n) { av_assert2((put_bits_count(s) & 7) == 0); av_assert2(s->bit_left == 32); + av_assert0(n <= s->buf_end - s->buf_ptr); s->buf_ptr += n; } From 8d98fbef16554c3b889c426c75155823d6be2f37 Mon Sep 17 00:00:00 2001 
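Review bot: The new `av_assert0(n <= s->buf_end - s->buf_ptr);` in skip_put_bytes bounds `n` only from above; `n` is a signed `int`, so a negative value passes the assertion and moves `buf_ptr` backwards. `av_assert0(n >= 0 && n <= s->buf_end - s->buf_ptr);` closes both sides. Whether any caller can pass a negative count is not visible in this diff.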
From: Michael Niedermayer Date: Mon, 25 May 2015 03:48:45 +0200 Subject: [PATCH 363/700] avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits() Signed-off-by: Michael Niedermayer (cherry picked from commit 291ad5cc9cf815eb110b062487980fab2d107936) Signed-off-by: Michael Niedermayer --- libavcodec/bitstream.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index d041643eff..2e102df71b 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -69,6 +69,8 @@ void avpriv_copy_bits(PutBitContext *pb, const uint8_t *src, int length) if (length == 0) return; + av_assert0(length <= put_bits_left(pb)); + if (CONFIG_SMALL || words < 16 || put_bits_count(pb) & 7) { for (i = 0; i < words; i++) put_bits(pb, 16, AV_RB16(src + 2 * i)); From a61759596dc76448d265a66aaa5c3f452d729097 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 12:13:53 +0200 Subject: [PATCH 364/700] ffmpeg_opt: Set the video VBV parameters only for the video stream from -target Signed-off-by: Michael Niedermayer (cherry picked from commit 2ce6e419113f8276f417a9a8b50122c5467d9bc5) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index ad082ac282..ea16a11c33 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2248,9 +2248,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "1150000"); - opt_default(NULL, "maxrate", "1150000"); - opt_default(NULL, "minrate", "1150000"); - opt_default(NULL, "bufsize", "327680"); // 40*1024*8; + opt_default(NULL, "maxrate:v", "1150000"); + opt_default(NULL, "minrate:v", "1150000"); + opt_default(NULL, "bufsize:v", "327680"); // 40*1024*8; opt_default(NULL, "b:a", "224000"); parse_option(o, "ar", "44100", options); 
@@ -2277,9 +2277,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "2040000"); - opt_default(NULL, "maxrate", "2516000"); - opt_default(NULL, "minrate", "0"); // 1145000; - opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; + opt_default(NULL, "maxrate:v", "2516000"); + opt_default(NULL, "minrate:v", "0"); // 1145000; + opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8; opt_default(NULL, "scan_offset", "1"); opt_default(NULL, "b:a", "224000"); @@ -2299,9 +2299,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "6000000"); - opt_default(NULL, "maxrate", "9000000"); - opt_default(NULL, "minrate", "0"); // 1500000; - opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; + opt_default(NULL, "maxrate:v", "9000000"); + opt_default(NULL, "minrate:v", "0"); // 1500000; + opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8; opt_default(NULL, "packetsize", "2048"); // from www.mpucoder.com: DVD sectors contain 2048 bytes of data, this is also the size of one pack. opt_default(NULL, "muxrate", "10080000"); // from mplex project: data_rate = 1260000. mux_rate = data_rate * 8 From 6b2163caabadf3bd5618ce78720035946b5493f3 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 25 May 2015 22:30:10 +0200 Subject: [PATCH 365/700] h264: Make sure reinit failures mark the context as not initialized (cherry picked from commit 0181ae9af2de1526464d23209b82e6674d362f5d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index b667da3956..6b1db1a53a 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1472,6 +1472,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) if (h->context_initialized && (must_reinit || needs_reinit)) { + h->context_initialized = 0; if (h != h0) { av_log(h->avctx, AV_LOG_ERROR, "changing width %d -> %d / height %d -> %d on " From fd989ff9ca4dfe3fb9b5b41737740d58b6c5a873 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jun 2015 00:48:29 +0200 Subject: [PATCH 366/700] swresample: Check the return value of resampler->init() Signed-off-by: Michael Niedermayer (cherry picked from commit 02915602d9313aa4b108342a3081244b9d2422bf) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index a29dc6215e..c5ac1b35b6 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -255,6 +255,10 @@ av_cold int swr_init(struct SwrContext *s){ if (s->out_sample_rate!=s->in_sample_rate || (s->flags & SWR_FLAG_RESAMPLE)){ s->resample = s->resampler->init(s->resample, s->out_sample_rate, s->in_sample_rate, s->filter_size, s->phase_shift, s->linear_interp, s->cutoff, s->int_sample_fmt, s->filter_type, s->kaiser_beta, s->precision, s->cheby); + if (!s->resample) { + av_log(s, AV_LOG_ERROR, "Failed to initilaize resampler\n"); + return AVERROR(ENOMEM); + } }else s->resampler->free(&s->resample); if( s->int_sample_fmt != AV_SAMPLE_FMT_S16P From 42c54f8f4dd9b43dcb9cfc484b9f5ce82d1a812e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 1 Jun 2015 00:51:30 +0200 Subject: [PATCH 367/700] libopenjpegenc: add NULL check for img before accessing it If opj_image_create fails to allocate an image it returns NULL, which causes a segmentation fault at 'img->x0 = 0'. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1577526b47439f33a999339efdec5d624b70e1da) 
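Review bot: The log string added in swr_init (libswresample/swresample.c) is misspelled: `"Failed to initilaize resampler\n"` should read `"Failed to initialize resampler\n"`, which matters to anyone searching logs for it. The branch also maps every NULL from `s->resampler->init` to `AVERROR(ENOMEM)`; the visible code does not show whether allocation failure is the only reason init can return NULL, so a comment or a more general error code may be appropriate.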
Signed-off-by: Michael Niedermayer --- libavcodec/libopenjpegenc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 66633f4ad2..458cf7c2c1 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -164,6 +164,9 @@ static opj_image_t *mj2_create_image(AVCodecContext *avctx, opj_cparameters_t *p img = opj_image_create(numcomps, cmptparm, color_space); + if (!img) + return NULL; + // x0, y0 is the top left corner of the image // x1, y1 is the width, height of the reference grid img->x0 = 0; From 3dc303a05192b2a7863b4ce4df10646b501ebe4e Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Tue, 2 Jun 2015 23:17:48 -0400 Subject: [PATCH 368/700] swresample/dither: check memory allocation check memory allocation in swri_get_dither() Signed-off-by: Michael Niedermayer (cherry picked from commit 196b885a5f0aa3ca022c1fa99509f47341239784) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 6 +++++- libswresample/swresample.c | 3 ++- libswresample/swresample_internal.h | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index 8121f11c2f..23e7e12ede 100644 --- a/libswresample/dither.c +++ b/libswresample/dither.c 
@@ -23,12 +23,15 @@ #include "noise_shaping_data.c" -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { double scale = s->dither.noise_scale; #define TMP_EXTRA 2 double *tmp = av_malloc_array(len + TMP_EXTRA, sizeof(double)); int i; + if (!tmp) + return AVERROR(ENOMEM); + for(i=0; idither.noise.ch_count; ch++) - swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt); + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt))<0) + return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); if(s->dither.noise_pos + out_count > s->dither.noise.count) diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 1bc6837926..fcc63a676c 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -191,7 +191,7 @@ void swri_rematrix_free(SwrContext *s); int swri_rematrix(SwrContext *s, AudioData *out, AudioData *in, int len, int mustcopy); void swri_rematrix_init_x86(struct SwrContext *s); -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFormat in_fmt); void swri_audio_convert_init_aarch64(struct AudioConvert *ac, From f569422d669ff2232e52ee4345eea0742d37c67c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jun 2015 21:35:02 +0200 Subject: [PATCH 369/700] avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec This is the maximum rate possible based on the frame size limit of MXF D-10 Previous version reviewed by tim nicholson 
Signed-off-by: Michael Niedermayer (cherry picked from commit d7a762553c6f6c422adb6632354bcc4ff577b701) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index a850239375..36503f3d19 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1840,9 +1840,10 @@ static int mxf_write_header(AVFormatContext *s) return ret; sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate; if (s->oformat == &ff_mxf_d10_muxer) { - if (sc->video_bit_rate == 50000000) { - if (mxf->time_base.den == 25) sc->index = 3; - else sc->index = 5; + if ((sc->video_bit_rate == 50000000) && (mxf->time_base.den == 25)) { + sc->index = 3; + } else if ((sc->video_bit_rate == 49999840 || sc->video_bit_rate == 50000000) && (mxf->time_base.den != 25)) { + sc->index = 5; } else if (sc->video_bit_rate == 40000000) { if (mxf->time_base.den == 25) sc->index = 7; else sc->index = 9; From 1728aa3442d7e3a18268a9b8ae8fcb5ff914fa33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jun 2015 22:39:27 +0200 Subject: [PATCH 370/700] Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was simply wrong Found-by: Martin Storsjö This reverts commit 5d8e4f6da03c0342157e6ac7fab1a8ac3a87a8b0. (cherry picked from commit 3e34b7498f14c04baadde1700a6f73a7e9e86fa6) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index c608dfb46a..cbe0faea48 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c 
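Review bot: The literal `49999840` in mxf_write_header has no explanation in the code; the commit message says it is the highest rate the D-10 frame size limit allows, and that belongs next to the constant, e.g. `/* 49999840: maximum rate reachable within the D-10 frame size limit */`. The new branch accepts that rate only when `mxf->time_base.den != 25`, so a stream with `den == 25` at 49999840 still falls through to the later branches. If that asymmetry is intended it should be stated in the same comment.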
@@ -576,10 +576,6 @@ static int rtp_write_packet(AVFormatContext *s1, AVPacket *pkt) const uint8_t *mb_info = av_packet_get_side_data(pkt, AV_PKT_DATA_H263_MB_INFO, &mb_info_size); - if (!mb_info) { - av_log(s1, AV_LOG_ERROR, "failed to allocate side data\n"); - return AVERROR(ENOMEM); - } ff_rtp_send_h263_rfc2190(s1, pkt->data, size, mb_info, mb_info_size); break; } From de943a3460a8a0f88cbdbfa1ef16ae93dbbbee29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 03:47:55 +0200 Subject: [PATCH 371/700] swresample/swresample: Cleanup on init failure. This avoids leaks if the user doest call swr_close() after a failed init Found-by: James Almer Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c3f87f7545d42520921bc448b9fbd7324c574e49) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 2cd9d45420..6dde73b666 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -267,7 +267,8 @@ av_cold int swr_init(struct SwrContext *s){ && s->int_sample_fmt != AV_SAMPLE_FMT_DBLP && s->resample){ av_log(s, AV_LOG_ERROR, "Resampling only supported with internal s16/s32/flt/dbl\n"); - return -1; + ret = AVERROR(EINVAL); + goto fail; } #define RSC 1 //FIXME finetune 
@@ -281,24 +282,28 @@ av_cold int swr_init(struct SwrContext *s){ if(!s-> in.ch_count){ av_assert0(!s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel count and layout are unset\n"); - return -1; + ret = AVERROR(EINVAL); + goto fail; } av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); if (s->out_ch_layout && s->out.ch_count != av_get_channel_layout_nb_channels(s->out_ch_layout)) { av_log(s, AV_LOG_ERROR, "Output channel layout %s mismatches specified channel count %d\n", l2, s->out.ch_count); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto fail; } if (s->in_ch_layout && s->used_ch_count != av_get_channel_layout_nb_channels(s->in_ch_layout)) { av_log(s, AV_LOG_ERROR, "Input channel layout %s mismatches specified channel count %d\n", l1, s->used_ch_count); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto fail; } if ((!s->out_ch_layout || !s->in_ch_layout) && s->used_ch_count != s->out.ch_count && !s->rematrix_custom) { av_log(s, AV_LOG_ERROR, "Rematrix is needed between %s and %s " "but there is not enough information to do it\n", l1, l2); - return -1; + ret = AVERROR(EINVAL); + goto fail; } av_assert0(s->used_ch_count); @@ -320,8 +325,10 @@ av_assert0(s->out.ch_count); s->out_convert= swri_audio_convert_alloc(s->out_sample_fmt, s->int_sample_fmt, s->out.ch_count, NULL, 0); - if (!s->in_convert || !s->out_convert) - return AVERROR(ENOMEM); + if (!s->in_convert || !s->out_convert) { + ret = AVERROR(ENOMEM); + goto fail; + } s->postin= s->in; s->preout= s->out; 
@@ -348,12 +355,19 @@ av_assert0(s->out.ch_count); } if ((ret = swri_dither_init(s, s->out_sample_fmt, s->int_sample_fmt)) < 0) - return ret; + goto fail; - if(s->rematrix || s->dither.method) - return swri_rematrix_init(s); + if(s->rematrix || s->dither.method) { + ret = swri_rematrix_init(s); + if (ret < 0) + goto fail; + } return 0; +fail: + swr_close(s); + return ret; + } int swri_realloc_audio(AudioData *a, int count){ From 3dd5c6a4ba805f7b6c4c80897571cb14b9aa4496 Mon Sep 17 00:00:00 2001 From: Nedeljko Babic Date: Wed, 3 Jun 2015 16:17:39 +0200 Subject: [PATCH 372/700] libavutil/softfloat: Fix av_normalize1_sf bias. av_normalize1_sf doesn't properly address border case when mantis is exactly -0x40000000. Signed-off-by: Michael Niedermayer (cherry picked from commit 7131aba916d1f562bdaf6a81319f1421ce175b1e) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 8647e6a4fc..a487c34af3 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -59,7 +59,7 @@ static av_const SoftFloat av_normalize_sf(SoftFloat a){ static inline av_const SoftFloat av_normalize1_sf(SoftFloat a){ #if 1 - if((int32_t)(a.mant + 0x40000000U) < 0){ + if((int32_t)(a.mant + 0x40000000U) <= 0){ a.exp++; a.mant>>=1; } From 177014a49437869971310c8c6c171255c391a636 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:47:24 +0200 Subject: [PATCH 373/700] avcodec/atrac3plusdec: consume only as many bytes as available Signed-off-by: Michael Niedermayer (cherry picked from commit 6b6ae7c3ead5dee786a4aea929820076a7c82da4) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plusdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3plusdec.c b/libavcodec/atrac3plusdec.c index 78121e8467..50cf74ec43 100644 --- a/libavcodec/atrac3plusdec.c +++ b/libavcodec/atrac3plusdec.c 
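Review bot: The new `fail:` label in swr_init is not reached by the `return AVERROR(ENOMEM);` that the earlier "Check the return value of resampler->init()" patch added just above the first hunk of this commit, so that path still leaves without `swr_close(s)`. Converting it to `ret = AVERROR(ENOMEM); goto fail;` would make the function's error exits uniform. Any other direct returns earlier in swr_init are outside the hunks and should be checked the same way.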
@@ -383,7 +383,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; - return avctx->block_align; + return FFMIN(avctx->block_align, avpkt->size); } AVCodec ff_atrac3p_decoder = { From 5ebae729b9a9cbeb553056eca25a2caedbe03c5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:59:34 +0200 Subject: [PATCH 374/700] avcodec/alsdec: Check for overread Signed-off-by: Michael Niedermayer (cherry picked from commit c2657633187e325a439e3297fd9ccd0522ab2e39) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a55354b7fd..708c71418a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1493,6 +1493,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) // TODO: read_diff_float_data + if (get_bits_left(gb) < 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + return AVERROR_INVALIDDATA; + } + return 0; } From cdd594e24ba1729f9850bbefc4b8d87a7adb1740 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:34:12 +0200 Subject: [PATCH 375/700] avcodec/adpcm: Check for overreads See: vlc ticket 14649 Reported-by: carl Signed-off-by: Michael Niedermayer (cherry picked from commit 3c803ed9cb23e5a8d76b6c31d8a8c71cac27e769) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 2f95a6ff45..f7ca208993 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -574,6 +574,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_IMA_DK4: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_IMA_RAD: 
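Review bot: Clamping the return value at `return FFMIN(avctx->block_align, avpkt->size);` corrects the reported byte count, but by this line a packet shorter than `avctx->block_align` has already been decoded. Whether atrac3p_decode_frame bounds its reads to `avpkt->size` earlier cannot be seen, because the function starts outside the hunk. If short trailing packets are accepted on purpose, a comment above the return would record that, e.g. `/* a packet may be shorter than block_align; never report more bytes than were supplied */`. If they are not, the size should be rejected before decoding rather than corrected at the end.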
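Review bot: The new `get_bits_left(gb) < 0` test sits at the very end of read_frame_data, so it rejects a truncated frame only after every read past the end of the packet has already happened. That is presumably safe only because the bit reader and the input padding absorb those reads; the hunk does not show it. A comment would make the assumption explicit, e.g. `/* post-hoc check: reads past the end are assumed to be absorbed by the padded bit reader; reject the frame here */`. The function body starts outside the hunk, so earlier per-block checks may exist.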
@@ -587,13 +589,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; break; } case AV_CODEC_ID_ADPCM_MS: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); - nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; + nb_samples = (buf_size - 6 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_3: @@ -606,6 +610,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; } if (!s->status[0].step_index) { + if (buf_size < ch) + return AVERROR_INVALIDDATA; nb_samples++; buf_size -= ch; } @@ -1524,6 +1530,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; + if (avpkt->size < bytestream2_tell(&gb)) { + av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb)); + return avpkt->size; + } + return bytestream2_tell(&gb); } From 057d6e1cd62055c58db1087b553e6beb871509ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2015 14:55:10 +0200 Subject: [PATCH 376/700] avformat/ffmdec: Check ffio_set_buf_size() return value Signed-off-by: Michael Niedermayer (cherry picked from commit dc55477a64cefebf8dcc611f026be71382814ae2) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 33bbde04b0..57df43b912 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c 
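Review bot: The `AV_CODEC_ID_ADPCM_MS` case gets a new formula but, unlike the case directly above it and the `AV_CODEC_ID_ADPCM_IMA_DK4` case in the previous hunk, no lower bound on `buf_size`. `nb_samples = (buf_size - 6 * ch) * 2 / ch;` becomes negative for a packet holding fewer than `6 * ch` bytes. Adding `if (buf_size < 6 * ch) return AVERROR_INVALIDDATA;` before the computation would keep the three cases consistent. Whether the caller of get_nb_samples rejects a non-positive result is not visible in this hunk.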
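Review bot: In the adpcm_decode_frame hunk, the new `avpkt->size < bytestream2_tell(&gb)` branch logs at `AV_LOG_ERROR` but then does `return avpkt->size;` after `*got_frame_ptr = 1` has already been set. A frame decoded from more bytes than the packet held is therefore still delivered as a successful decode. If that best-effort output is intended, a comment should say so, e.g. `/* overread: keep the frame, but never report more bytes than the packet has */`; otherwise `return AVERROR_INVALIDDATA;` matches the log level. The rest of the function is outside the hunk.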
@@ -98,7 +98,9 @@ static int ffm_read_data(AVFormatContext *s, retry_read: if (pb->buffer_size != ffm->packet_size) { int64_t tell = avio_tell(pb); - ffio_set_buf_size(pb, ffm->packet_size); + int ret = ffio_set_buf_size(pb, ffm->packet_size); + if (ret < 0) + return ret; avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ From 062f63e46cd8d4d8094928ce78566e8fb0830aa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 00:37:26 +0200 Subject: [PATCH 377/700] avcodec/jpeg2000dec: Check that coords match before applying ICT This avoid potential out of array accesses Signed-off-by: Michael Niedermayer (cherry picked from commit 12ba1b2b4d5592c0e27b0fcc83db929e8d6a8eee) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 555b3e962d..4f5b32f516 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1148,11 +1148,16 @@ static inline void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) int i, csize = 1; void *src[3]; - for (i = 1; i < 3; i++) + for (i = 1; i < 3; i++) { if (tile->codsty[0].transform != tile->codsty[i].transform) { av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n"); return; } + if (memcmp(tile->comp[0].coord, tile->comp[i].coord, sizeof(tile->comp[0].coord))) { + av_log(s->avctx, AV_LOG_ERROR, "Coords mismatch, MCT not supported\n"); + return; + } + } for (i = 0; i < 3; i++) if (tile->codsty[0].transform == FF_DWT97) From fb22fc0c46bb4bee48cdcdf43c8cb1d18aa04e20 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Tue, 9 Jun 2015 04:55:57 +0200 Subject: [PATCH 378/700] libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'. Return layout when FF_API_GET_CHANNEL_LAYOUT_COMPAT is set even if the layout itself is not in the deprecated style. Signed-off-by: Simon Thelen 
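Review bot: The result of `avio_seek(pb, tell, SEEK_SET);` on the line right after the new check is still ignored. If repositioning fails after the buffer has been resized, the following `avio_rb16(pb)` reads the packet id from the wrong offset. The same treatment as for `ffio_set_buf_size()` would close the gap, e.g. `if (avio_seek(pb, tell, SEEK_SET) < 0) return AVERROR(EIO);`, or propagate the seek's own error code. ffm_read_data continues outside the hunk.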
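Review bot: Both mismatch branches in mct_decode only log and `return;`, and because the function is declared `void` the caller cannot learn that the multi-component transform was skipped. The tile is then presumably output untransformed and the frame reported as decoded, although the message is logged at `AV_LOG_ERROR`. Either document that next to the new check, e.g. `/* on mismatch the tile is left untransformed; the caller is not informed */`, or let mct_decode return an `int` so the caller can fail the frame. The remainder of the function and its call site are outside the hunk.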
Signed-off-by: Michael Niedermayer (cherry picked from commit 83307a32eb0c9f0843f655c44bb65e3e999153f8) Signed-off-by: Michael Niedermayer --- libavutil/channel_layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 4c0677f794..cd5cf426d4 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -138,8 +138,8 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) "switch to the syntax '%.*sc' otherwise it will be interpreted as a " "channel layout number in a later version\n", name_len, name, name_len, name); - return layout; } + return layout; } } else { #endif From a2a545d8db8e9081dfae02e8f2ccfac8796783f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 00:47:43 +0200 Subject: [PATCH 379/700] avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() Signed-off-by: Michael Niedermayer (cherry picked from commit 913685f55208efd78bfc34d82b261bd449e69774) Signed-off-by: Michael Niedermayer --- libavdevice/lavfi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index 1398ece508..f6c92bcac2 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -339,7 +339,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) continue; } else if (ret < 0) return ret; - d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q); + d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); av_dlog(avctx, "sink_idx:%d time:%f\n", i, d); av_frame_unref(frame); From f5a73058b0f26133bb366f8644711563db76fb74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 11:37:48 +0200 Subject: [PATCH 380/700] avcodec/h264_slice: Use AVFrame diemensions for grayscale handling The AVFrame values are closer to the AVFrame bitmap changed instead of the AVCodecContext values, so this should be more robust 
Signed-off-by: Michael Niedermayer (cherry picked from commit aef0e0f009802f1a5e21eb6465498632071e4475) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264_slice.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 6b1db1a53a..d439f9bcee 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -278,11 +278,11 @@ static int alloc_picture(H264Context *h, H264Picture *pic) av_pix_fmt_get_chroma_sub_sample(pic->f.format, &h_chroma_shift, &v_chroma_shift); - for(i=0; iavctx->height, v_chroma_shift); i++) { + for(i=0; if.height, v_chroma_shift); i++) { memset(pic->f.data[1] + pic->f.linesize[1]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift)); memset(pic->f.data[2] + pic->f.linesize[2]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift)); } } From 3c99f8b4ada2076d40e01a14f125f69e3fcbe10a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 10 Jun 2015 00:12:38 +0200 Subject: [PATCH 381/700] takdec: ensure chan2 is a valid channel index If chan2 is not smaller than the number of channels, it can cause segmentation faults due to dereferencing a NULL pointer. Signed-off-by: Andreas Cadhalpun Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 05c57ba2f42324da2fdc93d83d65bb68dd637613) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 5810a01c24..614385803d 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -799,6 +799,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->mcdparams[i].present) { s->mcdparams[i].index = get_bits(gb, 2); s->mcdparams[i].chan2 = get_bits(gb, 4); + if (s->mcdparams[i].chan2 >= avctx->channels) { + av_log(avctx, AV_LOG_ERROR, + "invalid channel 2 (%d) for %d channel(s)\n", + s->mcdparams[i].chan2, avctx->channels); + return AVERROR_INVALIDDATA; + } if (s->mcdparams[i].index == 1) { if ((nbit == s->mcdparams[i].chan2) || (ch_mask & 1 << s->mcdparams[i].chan2)) From bda906a19561f6e4cc60c9dd494eef1669a438b9 Mon Sep 17 00:00:00 2001 From: Deliang Fu Date: Wed, 10 Jun 2015 12:30:46 +0800 Subject: [PATCH 382/700] avformat: Fix bug in parse_rps for HEVC. Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1f8780c833ef55815111d4771b95ff78567cdb) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index c92e9eb118..32192badca 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -449,7 +449,7 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, * * NumDeltaPocs[RefRpsIdx]: num_delta_pocs[rps_idx - 1] */ - for (i = 0; i < num_delta_pocs[rps_idx - 1]; i++) { + for (i = 0; i <= num_delta_pocs[rps_idx - 1]; i++) { uint8_t use_delta_flag = 0; uint8_t used_by_curr_pic_flag = get_bits1(gb); if (!used_by_curr_pic_flag) From 7d03a9156da3df077feb4a5235d9393d313cd5ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jun 2015 15:36:20 +0200 Subject: [PATCH 383/700] ffmpeg_opt: Check for localtime() failure Found-by: Daemon404 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e91d9652ea5048d9014e7636e12c6ed4732d7b7) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index ea16a11c33..e0c48cee82 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2345,6 +2345,9 @@ static int opt_vstats(void *optctx, const char *opt, const char *arg) time_t today2 = time(NULL); struct tm *today = localtime(&today2); + if (!today) + return AVERROR(errno); + snprintf(filename, sizeof(filename), "vstats_%02d%02d%02d.log", today->tm_hour, today->tm_min, today->tm_sec); return opt_vstats_file(NULL, opt, filename); From 7a12379463b5d9cf31424d339f4b02cfd7d9e22f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 23 May 2015 23:32:12 +0200 Subject: [PATCH 384/700] mov: abort on EOF in ff_mov_read_chan Otherwise the loop can take a lot of time if num_descr is very large. Signed-off-by: Andreas Cadhalpun (cherry picked from commit a5718863da99b54b6c853d45c84871c4a96a57c0) Signed-off-by: Michael Niedermayer --- libavformat/mov_chan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 3b91ed7054..b63310b270 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -566,6 +566,11 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, label_mask = 0; for (i = 0; i < num_descr; i++) { uint32_t label; + if (pb->eof_reached) { + av_log(s, AV_LOG_ERROR, + "reached EOF while reading channel layout\n"); + return AVERROR_INVALIDDATA; + } label = avio_rb32(pb); // mChannelLabel avio_rb32(pb); // mChannelFlags avio_rl32(pb); // mCoordinates[0] From a1879d347e6268635e19fcf4fd31cc4dfa0e161c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 30 May 2015 16:18:48 +0200 Subject: [PATCH 385/700] libopenjpegdec: check existence of image component data libopenjpeg can return images with components without data. This fixes segmentation faults. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3ef5702926c495232ffe685303ba8661bdff1149) 
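Review bot: `return AVERROR(errno);` in opt_vstats assumes that `localtime()` sets `errno` when it returns NULL, which ISO C does not guarantee. If `errno` is 0 at that point, `AVERROR(0)` is 0 and the option handler reports success without having set a stats filename. A fixed error code avoids that, e.g. `if (!today) return AVERROR(EINVAL);`, or fall back with `return AVERROR(errno ? errno : EINVAL);`.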
Signed-off-by: Michael Niedermayer --- libavcodec/libopenjpegdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/libopenjpegdec.c b/libavcodec/libopenjpegdec.c index 0cf46e613d..33c570fd8a 100644 --- a/libavcodec/libopenjpegdec.c +++ b/libavcodec/libopenjpegdec.c @@ -356,6 +356,15 @@ static int libopenjpeg_decode_frame(AVCodecContext *avctx, goto done; } + for (i = 0; i < image->numcomps; i++) { + if (!image->comps[i].data) { + av_log(avctx, AV_LOG_ERROR, + "Image component %d contains no data.\n", i); + ret = AVERROR_INVALIDDATA; + goto done; + } + } + desc = av_pix_fmt_desc_get(avctx->pix_fmt); pixel_size = desc->comp[0].step_minus1 + 1; ispacked = libopenjpeg_ispacked(avctx->pix_fmt); From b4d265e2dcd9f714df83c5b7468e28dc1e274397 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 4 Jun 2015 23:07:44 +0200 Subject: [PATCH 386/700] arm: only enable setend on ARMv6 Without this check it causes SIGILL crashes on ARMv5. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5bf84a584e9ce681b439a5747671e2809a019c83) Signed-off-by: Michael Niedermayer --- libavutil/arm/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/arm/cpu.c b/libavutil/arm/cpu.c index f1683e8d76..02def0b470 100644 --- a/libavutil/arm/cpu.c +++ b/libavutil/arm/cpu.c @@ -128,7 +128,7 @@ int ff_get_cpu_flags_arm(void) trickle down. */ if (flags & (AV_CPU_FLAG_VFPV3 | AV_CPU_FLAG_NEON)) flags |= AV_CPU_FLAG_ARMV6T2; - else + else if (flags & (AV_CPU_FLAG_ARMV6T2 | AV_CPU_FLAG_ARMV6)) /* Some functions use the 'setend' instruction which is deprecated on ARMv8 * and serializing on some ARMv7 cores. This ensures such functions * are only enabled on ARMv6. */ From e4e3b14bba127bdce9521a78446b294f6bc8e43b Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Sun, 7 Jun 2015 18:50:43 +0200 Subject: [PATCH 387/700] vp9: change type of tile_size from unsigned to int64_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise the check 'tile_size < size' treats a negative size as unsigned, causing the check to pass. This subsequently leads to segmentation faults. This was originally fixed as part of Libav commit 72ca83, so the original author is one of the following developers: Anton Khirnov Diego Biurrun Luca Barbato Martin Storsjö Reviewed-by: Ronald S. Bultje Signed-off-by: Andreas Cadhalpun (cherry picked from commit b18eac7ff22332c9344769af15f7b245dd13cc64) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index a0512845b0..8cf649ed8a 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -3856,7 +3856,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, tile_row, s->tiling.log2_tile_rows, s->sb_rows); if (s->pass != 2) { for (tile_col = 0; tile_col < s->tiling.tile_cols; tile_col++) { - unsigned tile_size; + int64_t tile_size; if (tile_col == s->tiling.tile_cols - 1 && tile_row == s->tiling.tile_rows - 1) { From 27d50fb2d52bc1fb85d13b968f61a70ea8defc9e Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Mon, 8 Jun 2015 22:38:29 +0200 Subject: [PATCH 388/700] vp8: change mv_{min,max}.{x,y} type to int If one of the dimensions is larger than 8176, s->mb_width or s->mb_height is larger than 511, leading to an int16_t overflow of s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax. Changing the type to int avoids the overflow and has no negative effect, because s->mv_max is only used in clamp_mv for clipping. Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't increase the absolute value. The input to av_clip is an int16_t, and thus the output fits into int16_t as well. For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range before use. Reviewed-by: Ronald S. Bultje Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6fdbaa2b7fb56623ab2163f861952bc1408c39b3) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 ++++-- libavcodec/vp8.h | 9 +++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 5d3123d4c2..86eb4e9881 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -757,8 +757,10 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si static av_always_inline void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src) { - dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x); - dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y); + dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX), + av_clip(s->mv_max.x, INT16_MIN, INT16_MAX)); + dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX), + av_clip(s->mv_max.y, INT16_MIN, INT16_MAX)); } /** diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index b650892735..2135bd9d83 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h 
@@ -134,6 +134,11 @@ typedef struct VP8Frame { AVBufferRef *seg_map; } VP8Frame; +typedef struct VP8intmv { + int x; + int y; +} VP8intmv; + #define MAX_THREADS 8 typedef struct VP8Context { VP8ThreadData *thread_data; @@ -152,8 +157,8 @@ typedef struct VP8Context { uint8_t deblock_filter; uint8_t mbskip_enabled; uint8_t profile; - VP56mv mv_min; - VP56mv mv_max; + VP8intmv mv_min; + VP8intmv mv_max; int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type int ref_count[3]; From da13957525a7939599cf7f425c2feb00ea58888a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 9 Jun 2015 22:41:24 +0200 Subject: [PATCH 389/700] sonic: set avctx->channels in sonic_decode_init Otherwise it can be 0 in sonic_decode_frame, causing SIGFPE crashes. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 58995f647b5fa2e1efa33ae4f8b8a76a81ec99df) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 3db77f30a3..c5076f9d8e 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -900,6 +900,7 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n"); return AVERROR_INVALIDDATA; } + avctx->channels = s->channels; s->lossless = get_bits1(&gb); if (!s->lossless) From 58a0dc1bdf67d11fbb2a46a1726ba9abc2550a9f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 14 Jun 2015 12:40:18 +0200 Subject: [PATCH 390/700] h264: er: Copy from the previous reference only if compatible Also use the frame pixel format instead of the one from the codec context, which is more robust. Signed-off-by: Luca Barbato Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit fdc64a104410f5fcc7f35b62287b0ae502b7061a) Conflicts: libavcodec/h264_slice.c 
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d439f9bcee..13b7482485 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1687,12 +1687,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) * vectors. Given we are concealing a lost frame, this probably * is not noticeable by comparison, but it should be fixed. */ if (h->short_ref_count) { - if (prev) { + if (prev && + h->short_ref[0]->f.width == prev->f.width && + h->short_ref[0]->f.height == prev->f.height && + h->short_ref[0]->f.format == prev->f.format) { av_image_copy(h->short_ref[0]->f.data, h->short_ref[0]->f.linesize, (const uint8_t **)prev->f.data, prev->f.linesize, - h->avctx->pix_fmt, + prev->f.format, h->mb_width * 16, h->mb_height * 16); h->short_ref[0]->poc = prev->poc + 2; From 3903a60d4beeb46cda5d830be2eb2bac76171ce8 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 17 Jun 2015 00:21:02 +0200 Subject: [PATCH 391/700] avio: fix potential crashes when combining ffio_ensure_seekback + crc Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer (cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 0b0748e954..4ce18e4d17 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c 
@@ -785,6 +785,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; int filled = s->buf_end - s->buffer; + ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1; buf_size += s->buf_ptr - s->buffer + max_buffer_size; @@ -802,6 +803,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) s->buf_end = buffer + (s->buf_end - s->buffer); s->buffer = buffer; s->buffer_size = buf_size; + if (checksum_ptr_offset >= 0) + s->checksum_ptr = s->buffer + checksum_ptr_offset; return 0; } From 568c1b8166b111d41e6b416e6d98244072fb087a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2015 05:27:08 +0200 Subject: [PATCH 392/700] ffmpeg: Free last_frame instead of just unref Fixes Ticket4611 Signed-off-by: Michael Niedermayer (cherry picked from commit d1050d9950610aa2b27878b67bb2b902dd717e7c) Conflicts: ffmpeg.c --- ffmpeg.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 6e640e387f..60d8e8905f 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1142,7 +1142,10 @@ static void do_video_out(AVFormatContext *s, if (!ost->last_frame) ost->last_frame = av_frame_alloc(); av_frame_unref(ost->last_frame); - av_frame_ref(ost->last_frame, next_picture); + if (next_picture) + av_frame_ref(ost->last_frame, next_picture); + else + av_frame_free(&ost->last_frame); } static double psnr(double d) From dd141a50ccb3913d6e9b46478cac7a640e76ddc4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 18 Jun 2015 20:15:12 +0200 Subject: [PATCH 393/700] postproc: fix unaligned access QP_store is only 8-bit-aligned, so accessing it as uint32_t causes SIGBUS crashes on sparc. The AV_RN32/AV_WN32 macros only do unaligned access in the HAVE_FAST_UNALIGNED case. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 590743101dc934043f34013f1c9bb9fb261355b0) 
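Review bot: In the do_video_out hunk, the context line `ost->last_frame = av_frame_alloc();` is not checked. After an allocation failure, `ost->last_frame` is still NULL when it reaches `av_frame_unref(ost->last_frame)` and the new `av_frame_ref(ost->last_frame, next_picture)`. The return value of `av_frame_ref()` is also dropped, so a failed reference leaves an empty frame that later code may treat as the previous picture. Guarding the block with `if (ost->last_frame)` and handling `av_frame_ref(...) < 0` like the `next_picture == NULL` case, via `av_frame_free(&ost->last_frame);`, would cover both. do_video_out starts outside the hunk.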
Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index c11debcd70..1b90a516a6 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -76,6 +76,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "config.h" #include "libavutil/avutil.h" #include "libavutil/avassert.h" +#include "libavutil/intreadwrite.h" #include #include #include @@ -1024,7 +1025,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; + AV_WN32(c->nonBQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) & 0x3F3F3F3F); } for(i<<=2; inonBQPTable[i] = QP_store[i] & 0x3F; From fc0df14de1a6f75be52b77e067608d833a68c05c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jun 2015 16:46:06 +0200 Subject: [PATCH 394/700] avcodec/dpxenc: implement write16/32 as functions Fixes undefined behavior and segfault Signed-off-by: Michael Niedermayer (cherry picked from commit 8edc17b639c4ac47913c467107ffb43c67c64890) Signed-off-by: Michael Niedermayer --- libavcodec/dpxenc.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavcodec/dpxenc.c b/libavcodec/dpxenc.c index aca745bb58..76aa0cc473 100644 --- a/libavcodec/dpxenc.c +++ b/libavcodec/dpxenc.c 
@@ -75,17 +75,20 @@ static av_cold int encode_init(AVCodecContext *avctx) return 0; } -#define write16(p, value) \ -do { \ - if (s->big_endian) AV_WB16(p, value); \ - else AV_WL16(p, value); \ -} while(0) +static av_always_inline void write16_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB16(p, value); + else AV_WL16(p, value); +} -#define write32(p, value) \ -do { \ - if (s->big_endian) AV_WB32(p, value); \ - else AV_WL32(p, value); \ -} while(0) +static av_always_inline void write32_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB32(p, value); + else AV_WL32(p, value); +} + +#define write16(p, value) write16_internal(s->big_endian, p, value) +#define write32(p, value) write32_internal(s->big_endian, p, value) static void encode_rgb48_10bit(AVCodecContext *avctx, const AVPicture *pic, uint8_t *dst) { From 5464da89056698856d919585256bb422558eb554 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 15 Jun 2015 21:06:51 +0200 Subject: [PATCH 395/700] matroskadec: validate audio channels and bitdepth In the TTA extradata re-construction the values are written with avio_wl16 and if they don't fit into uint16_t, this triggers an av_assert2 in avio_w8. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 0bfa9dc264..0654b31ee4 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1799,6 +1799,18 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + av_freep(&extradata); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) From a5bc5dd49ae1ed29489f9c8ba88387322c376bf1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 15 Jun 2015 20:59:22 +0200 Subject: [PATCH 396/700] matroskadec: check audio sample rate And default to 8000 if it is invalid. An invalid sample rate can trigger av_assert2 in av_rescale_rnd. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5b76c82fd7a5f4f36bb901b8c43d7f7319599599) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 0654b31ee4..120a554d20 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1604,6 +1604,14 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || + isnan(track->audio.samplerate)) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid sample rate %f, defaulting to 8000 instead.\n", + track->audio.samplerate); + track->audio.samplerate = 8000; + } + if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { if (!track->default_duration && track->video.frame_rate > 0) track->default_duration = 1000000000 / track->video.frame_rate; 
From 7ff8f9a604f09e208c6d017c4ab88dd8c0ba6430 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2015 18:27:27 +0200 Subject: [PATCH 397/700] swr: Remember previously set int_sample_format from user Signed-off-by: Michael Niedermayer (cherry picked from commit d4325b2fea9e2f4f4a17d0b929f12425e9c39964) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 4 ++-- libswresample/swresample.c | 2 ++ libswresample/swresample_internal.h | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index de84672834..1bc1a70510 100644 --- a/libswresample/options.c +++ b/libswresample/options.c 
@@ -49,8 +49,8 @@ static const AVOption options[]={ {"in_sample_fmt" , "set input sample format" , OFFSET( in_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"osf" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"out_sample_fmt" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"tsf" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"internal_sample_fmt" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"tsf" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"internal_sample_fmt" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"icl" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"in_channel_layout" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"ocl" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 6dde73b666..dbcb42e817 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c 
@@ -173,6 +173,8 @@ av_cold int swr_init(struct SwrContext *s){ s-> in_ch_layout = s-> user_in_ch_layout; s->out_ch_layout = s->user_out_ch_layout; + s->int_sample_fmt= s->user_int_sample_fmt; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index fcc63a676c..f55bd9df6d 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -95,6 +95,7 @@ struct SwrContext { int user_used_ch_count; ///< User set used channel count int64_t user_in_ch_layout; ///< User set input channel layout int64_t user_out_ch_layout; ///< User set output channel layout + enum AVSampleFormat user_int_sample_fmt; ///< User set internal sample format struct DitherContext dither; From f9dbe8ab2a03c8843c45536589b5d4fe9546ae8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2015 22:23:22 +0200 Subject: [PATCH 398/700] swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian The function is specific to little endian Signed-off-by: Michael Niedermayer (cherry picked from commit 4df3cf90bf7a54793e90304bd1b6c7599673f36a) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index f9a98a8701..70294aec97 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -929,7 +929,9 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; +#if !HAVE_BIGENDIAN shuffle_bytes_2103 = shuffle_bytes_2103_c; +#endif rgb32tobgr16 = rgb32tobgr16_c; rgb32tobgr15 = rgb32tobgr15_c; yv12toyuy2 = yv12toyuy2_c; From 17b7262b4f9dca6a69dc35ac236c3407476cb21a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 23 Jun 2015 04:36:02 +0200 Subject: [PATCH 399/700] swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE Signed-off-by: Michael Niedermayer (cherry picked from commit abb833c5681b84d7025c083e2191140eaa30dca7) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb.c | 2 +- libswscale/rgb2rgb.h | 2 +- libswscale/rgb2rgb_template.c | 20 +++++++++++++++++++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/libswscale/rgb2rgb.c b/libswscale/rgb2rgb.c index 5b1fcf73ca..340174fd65 100644 --- a/libswscale/rgb2rgb.c +++ b/libswscale/rgb2rgb.c @@ -51,6 +51,7 @@ void (*rgb16to15)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to16)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to32)(const uint8_t *src, uint8_t *dst, int src_size); +void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void (*yv12toyuy2)(const uint8_t *ysrc, const uint8_t *usrc, @@ -333,7 +334,6 @@ void shuffle_bytes_ ## a ## b ## c ## d(const uint8_t *src, \ } \ } -DEFINE_SHUFFLE_BYTES(0, 3, 2, 1) DEFINE_SHUFFLE_BYTES(1, 2, 3, 0) DEFINE_SHUFFLE_BYTES(3, 0, 1, 2) DEFINE_SHUFFLE_BYTES(3, 2, 1, 0) diff --git a/libswscale/rgb2rgb.h b/libswscale/rgb2rgb.h index 5df5dea420..8faebe6a43 100644 --- a/libswscale/rgb2rgb.h +++ b/libswscale/rgb2rgb.h @@ -50,6 +50,7 @@ extern void (*rgb24to15)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr16)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr15)(const uint8_t *src, uint8_t *dst, int src_size); +extern void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void rgb64tobgr48_nobswap(const uint8_t *src, uint8_t *dst, int src_size); 
@@ -71,7 +72,6 @@ void rgb15tobgr15(const uint8_t *src, uint8_t *dst, int src_size); void rgb12tobgr12(const uint8_t *src, uint8_t *dst, int src_size); void rgb12to15(const uint8_t *src, uint8_t *dst, int src_size); -void shuffle_bytes_0321(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_1230(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3012(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3210(const uint8_t *src, uint8_t *dst, int src_size); diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 70294aec97..5b446debfa 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -328,6 +328,20 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, } } +static inline void shuffle_bytes_0321_c(const uint8_t *src, uint8_t *dst, + int src_size) +{ + int idx = 15 - src_size; + const uint8_t *s = src - idx; + uint8_t *d = dst - idx; + + for (; idx < 15; idx += 4) { + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0x00ff00ff; + v &= 0xff00ff00; + *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); + } +} + static inline void rgb24tobgr24_c(const uint8_t *src, uint8_t *dst, int src_size) { unsigned i; @@ -929,7 +943,11 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; -#if !HAVE_BIGENDIAN +#if HAVE_BIGENDIAN + shuffle_bytes_0321 = shuffle_bytes_2103_c; + shuffle_bytes_2103 = shuffle_bytes_0321_c; +#else + shuffle_bytes_0321 = shuffle_bytes_0321_c; shuffle_bytes_2103 = shuffle_bytes_2103_c; #endif rgb32tobgr16 = rgb32tobgr16_c; From 7085f68c14ba1c46b5b315b718ec4068abac9c12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2015 05:09:11 +0200 Subject: [PATCH 400/700] swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 7604358018229f345dfdf88b16c8930a67984435) 
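Review bot: The new `shuffle_bytes_0321_c` in rgb2rgb_template.c reads and writes whole 32-bit words until `idx` reaches 15, so a `src_size` that is not a multiple of 4 makes the last iteration touch up to 3 bytes past the end of both `src` and `dst`. Nothing in the hunk enforces that precondition; if callers always pass whole 4-byte pixels it should at least be stated above the function, e.g. `/* src_size must be a multiple of 4; src and dst are accessed as native-endian 32-bit words */`. The `*(const uint32_t *)&s[idx]` access also assumes the buffers are suitably aligned for a 32-bit load on the target. In the `rgb2rgb_init_c` hunk the big-endian branch deliberately crosses the two names, and a one-line comment such as `/* word-wise byte positions are mirrored on BE, so the two C versions swap roles */` would keep that from being read as a typo.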
Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 5b446debfa..1cc28cdd13 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -322,7 +322,7 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, uint8_t *d = dst - idx; for (; idx < 15; idx += 4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); } From 8f067955332dc185003f30387c5deb41fe954786 Mon Sep 17 00:00:00 2001 From: Sebastien Zwickert Date: Sat, 20 Jun 2015 13:19:29 +0200 Subject: [PATCH 401/700] vda: unlock the pixel buffer base address. The pixel buffer base address is never unlocked this causes a bug with some pixel format types that are produced natively by the hardware decoder: the first buffer was always used. Unlock the pixel buffer base address fixes the issue. (cherry picked from commit c06fdacc3dc706e70d953917fea845532d3703ca) Signed-off-by: Michael Niedermayer --- ffmpeg_vda.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg_vda.c b/ffmpeg_vda.c index b9f0975f55..fded39e79b 100644 --- a/ffmpeg_vda.c +++ b/ffmpeg_vda.c @@ -77,6 +77,8 @@ static int vda_retrieve_data(AVCodecContext *s, AVFrame *frame) frame->width, frame->height); ret = av_frame_copy_props(vda->tmp_frame, frame); + CVPixelBufferUnlockBaseAddress(pixbuf, kCVPixelBufferLock_ReadOnly); + if (ret < 0) return ret; From 3528822f969ebbec0b63316ba341e2749a94be4d Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:14:16 -0300 Subject: [PATCH 402/700] swscale/x86/rgb2rgb_template: add missing xmm clobbers Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 910eeab48026060b5f7780b2560445c069eb4d6b) 
Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e71c7ebfe3..fd04923dae 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1905,7 +1905,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui "cmp %3, %%"REG_a" \n\t" " jb 1b \n\t" ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) - : "memory", "%"REG_a"" + : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else __asm__( From 1fc2a1f3367c69a21da380a0cb76cf2a74ad0de1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:15:07 -0300 Subject: [PATCH 403/700] swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e22edbfd413242dda720dc5191fc00a51c24d74c) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index fd04923dae..e9b131e033 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1090,7 +1090,7 @@ static inline void RENAME(shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, : "r" (s), "r" (d), "m" (mask32b), "m" (mask32r), "m" (mmx_one) : "memory"); for (; idx<15; idx+=4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v>>16) + g + (v<<16); } From 98d916300afeb5291f2a8eb8c0deb9fc33f545dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jun 2015 13:27:39 +0200 Subject: [PATCH 404/700] ffmpeg: Do not use the data/size of a bitstream filter after failure Found-by: Rodger Combs 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8f0f678f090d9939b0014ba85641e2cb83d39cb8) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ffmpeg.c b/ffmpeg.c index 60d8e8905f..0636304320 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -650,6 +650,7 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) if (!new_pkt.buf) exit_program(1); } else if (a < 0) { + new_pkt = *pkt; av_log(NULL, AV_LOG_ERROR, "Failed to open bitstream filter %s for stream %d with codec %s", bsfc->filter->name, pkt->stream_index, avctx->codec ? avctx->codec->name : "copy"); From bf44ab5181d42ee74768c32b07128a176d38b0c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 13:51:43 +0200 Subject: [PATCH 405/700] swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian Fixes fate/dds-rgb16 on big endian Signed-off-by: Michael Niedermayer (cherry picked from commit f6ab967eae497733f6adc12b30075980fd6eea98) Conflicts: tests/ref/fate/dds-rgb16 --- libswscale/swscale_unscaled.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index da457dfbdb..d3d0cf30b2 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1242,6 +1242,11 @@ static rgbConvFn findRgbConvFn(SwsContext *c) if ((dstFormat == AV_PIX_FMT_RGB32_1 || dstFormat == AV_PIX_FMT_BGR32_1) && !isRGBA32(srcFormat) && ALT32_CORR<0) return NULL; + // Maintain symmetry between endianness + if (c->flags & SWS_BITEXACT) + if ((dstFormat == AV_PIX_FMT_RGB32 || dstFormat == AV_PIX_FMT_BGR32 ) && !isRGBA32(srcFormat) && ALT32_CORR>0) + return NULL; + return conv; } From 755c3222e2c6b1f2da47361e5e10df528857f16a Mon Sep 17 00:00:00 2001 
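Review bot: The check added to `findRgbConvFn` in swscale_unscaled.c nests an unbraced `if` inside another unbraced `if`, which is easy to break when a statement is added later. A single condition is safer and matches the check just above it: `if ((c->flags & SWS_BITEXACT) && (dstFormat == AV_PIX_FMT_RGB32 || dstFormat == AV_PIX_FMT_BGR32) && !isRGBA32(srcFormat) && ALT32_CORR > 0)` followed by `return NULL;`. The comment `// Maintain symmetry between endianness` would also be clearer if it said that the converter is refused here so both endiannesses take the same fallback path, assuming that is the intent. The start of the function is outside the hunk.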
From: Andreas Cadhalpun Date: Sun, 28 Jun 2015 12:40:12 +0200 Subject: [PATCH 406/700] wmavoice: limit wmavoice_decode_packet return value to packet size Claiming to have decoded more bytes than the packet size is wrong. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index c2737abd47..1c9958891f 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, *got_frame_ptr) { cnt += s->spillover_nbits; s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else skip_bits_long (gb, s->spillover_nbits - cnt + get_bits_count(gb)); // resync @@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, } else if (*got_frame_ptr) { int cnt = get_bits_count(gb); s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else if ((s->sframe_cache_size = pos) > 0) { /* rewind bit reader to start of last (incomplete) superframe... */ init_get_bits(gb, avpkt->data, size << 3); From d661cfad02afc2f8cb17d5b89c1aced1189dab82 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 29 Jun 2015 21:08:05 +0200 Subject: [PATCH 407/700] avcodec/pngdec: Only allow one IHDR chunk Multiple IHDR chunks are forbidden in PNG Fixes inconsistency and out of array accesses Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 47f4e2d8960ca756ca153ab8e3e93d80449b8c91) Conflicts: libavcodec/pngdec.c Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 75feb04e51..092528ee3e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -538,6 +538,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->state & PNG_IHDR) { + av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n"); + return AVERROR_INVALIDDATA; + } + s->width = s->cur_w = bytestream2_get_be32(&s->gb); s->height = s->cur_h = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { From 0628dfd99427037ddb535c6c0e248d192e678c7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 21:57:12 +0200 Subject: [PATCH 408/700] avcodec/pngdec: Require a IHDR chunk before fctl This is required by the APNG spec Signed-off-by: Michael Niedermayer (cherry picked from commit a1736926e9ae51706b537776722e816a4d1f6b36) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 092528ee3e..b60b2a0238 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
@@ -813,6 +813,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, if (length != 26) return AVERROR_INVALIDDATA; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "fctl before IHDR\n"); + return AVERROR_INVALIDDATA; + } + sequence_number = bytestream2_get_be32(&s->gb); s->cur_w = bytestream2_get_be32(&s->gb); s->cur_h = bytestream2_get_be32(&s->gb); From 6a71e748b3a5d916c056b8dd5bb96671d8ee254e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 22:32:02 +0200 Subject: [PATCH 409/700] avcodec/pngdec: Check values before updating context in decode_fctl_chunk() Signed-off-by: Michael Niedermayer (cherry picked from commit b54ac8403bfea4e7fab0799ccfe728ba76959a38) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index b60b2a0238..d5ad14e9bc 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -809,6 +809,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, uint32_t length) { uint32_t sequence_number; + int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op; if (length != 26) return AVERROR_INVALIDDATA; 
@@ -819,23 +820,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, } sequence_number = bytestream2_get_be32(&s->gb); - s->cur_w = bytestream2_get_be32(&s->gb); - s->cur_h = bytestream2_get_be32(&s->gb); - s->x_offset = bytestream2_get_be32(&s->gb); - s->y_offset = bytestream2_get_be32(&s->gb); + cur_w = bytestream2_get_be32(&s->gb); + cur_h = bytestream2_get_be32(&s->gb); + x_offset = bytestream2_get_be32(&s->gb); + y_offset = bytestream2_get_be32(&s->gb); bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */ - s->dispose_op = bytestream2_get_byte(&s->gb); - s->blend_op = bytestream2_get_byte(&s->gb); + dispose_op = bytestream2_get_byte(&s->gb); + blend_op = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ if (sequence_number == 0 && - (s->cur_w != s->width || - s->cur_h != s->height || - s->x_offset != 0 || - s->y_offset != 0) || - s->cur_w <= 0 || s->cur_h <= 0 || - s->x_offset < 0 || s->y_offset < 0 || - s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset) + (cur_w != s->width || + cur_h != s->height || + x_offset != 0 || + y_offset != 0) || + cur_w <= 0 || cur_h <= 0 || + x_offset < 0 || y_offset < 0 || + cur_w > s->width - x_offset|| cur_h > s->height - y_offset) return AVERROR_INVALIDDATA; /* always (re)start with a clean frame */ @@ -849,6 +850,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, s->dispose_op = APNG_DISPOSE_OP_NONE; } + s->cur_w = cur_w; + s->cur_h = cur_h; + s->x_offset = x_offset; + s->y_offset = y_offset; + s->dispose_op = dispose_op; + s->blend_op = blend_op; + return 0; } From c7cb598bdd8ac914ca300be7031cbe0208eb85e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 16:01:15 +0200 Subject: [PATCH 410/700] avfilter/vf_transpose: Fix rounding error Fixes out of array access Fixes: asan_heap-oob_7f875d_3482_cov_1818465256_ssudec.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
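Review bot: In the last `decode_fctl_chunk` hunk the new unconditional `s->dispose_op = dispose_op;` comes right after the context line `s->dispose_op = APNG_DISPOSE_OP_NONE;`, so the override made by that branch appears to be overwritten with the raw value from the chunk. The lines between the validity check and that branch are outside the hunk, but if they test `s->dispose_op` they now see the previous frame's value rather than the one just parsed. Applying the adjustment to the local instead, `dispose_op = APNG_DISPOSE_OP_NONE;`, before the copy into the context would keep the earlier behaviour. `dispose_op` and `blend_op` are also stored without any range check, unlike the geometry fields validated above.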
Signed-off-by: Michael Niedermayer (cherry picked from commit 0083c16605aa5997534e87e68f97ef85a8c3b7b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index d9b165cfeb..6ae5fce815 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -152,7 +152,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int hsub = plane == 1 || plane == 2 ? trans->hsub : 0; int vsub = plane == 1 || plane == 2 ? trans->vsub : 0; int pixstep = trans->pixsteps[plane]; - int inh = in->height >> vsub; + int inh = FF_CEIL_RSHIFT(in->height, vsub); int outw = FF_CEIL_RSHIFT(out->width, hsub); int outh = FF_CEIL_RSHIFT(out->height, vsub); int start = (outh * jobnr ) / nb_jobs; From 68650eda95228c9e94a1781166914ee35262d7d7 Mon Sep 17 00:00:00 2001 From: James Zern Date: Mon, 29 Jun 2015 23:03:14 -0700 Subject: [PATCH 411/700] vp9/update_prob: prevent out of bounds table read the max value of the lookup in expanded form is: (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254 add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams Signed-off-by: James Zern Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 8cf649ed8a..b3c5f621a7 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c 
@@ -410,7 +410,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m) // differential forward probability updates static int update_prob(VP56RangeCoder *c, int p) { - static const int inv_map_table[254] = { + static const int inv_map_table[255] = { 7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176, 189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24, @@ -429,7 +429,7 @@ static int update_prob(VP56RangeCoder *c, int p) 207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, - 252, 253, + 252, 253, 253, }; int d; @@ -459,6 +459,7 @@ static int update_prob(VP56RangeCoder *c, int p) if (d >= 65) d = (d << 1) - 65 + vp8_rac_get(c); d += 64; + av_assert2(d < FF_ARRAY_ELEMS(inv_map_table)); } return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) : From 58070590b1fc6a1d59326d7c87d03a2ee3a9a6b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 19:37:12 +0200 Subject: [PATCH 412/700] avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h Fixes out of array access Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 13b7482485..425de8dce5 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
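Review bot: The `av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));` added in `update_prob` is compiled in only at assert level 2 or higher, so in normal builds the bound is enforced solely by the extra table entry. That entry is an unexplained duplicate `253` at the end of the initializer; a comment next to it such as `/* padding: d can reach 254 on non-conforming streams */` would stop it from being removed later as a typo. The body of `update_prob` extends beyond these hunks.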
@@ -1696,8 +1696,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) (const uint8_t **)prev->f.data, prev->f.linesize, prev->f.format, - h->mb_width * 16, - h->mb_height * 16); + prev->f.width, + prev->f.height); h->short_ref[0]->poc = prev->poc + 2; } h->short_ref[0]->frame_num = h->prev_frame_num; From 1b15487e903b107559524bbf1f3663e04cc12cb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2015 02:05:43 +0200 Subject: [PATCH 413/700] avcodec/aacsbr: check that the element type matches before applying SBR Fixes out of array access Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79a98294da6cd85f8c86b34764c5e0c43b09eea3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 8 ++++++++ libavcodec/sbr.h | 1 + 2 files changed, 9 insertions(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 29ec2d51a9..eb00f88f1e 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1018,6 +1018,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr, { unsigned int cnt = get_bits_count(gb); + sbr->id_aac = id_aac; + if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) { if (read_sbr_single_channel_element(ac, sbr, gb)) { sbr_turnoff(sbr); @@ -1694,6 +1696,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, int nch = (id_aac == TYPE_CPE) ? 2 : 1; int err; + if (id_aac != sbr->id_aac) { + av_log(ac->avctx, AV_LOG_ERROR, + "element type mismatch %d != %d\n", id_aac, sbr->id_aac); + sbr_turnoff(sbr); + } + if (!sbr->kx_and_m_pushed) { sbr->kx[0] = sbr->kx[1]; sbr->m[0] = sbr->m[1]; diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h index e28fccda09..ff00acba0d 100644 --- a/libavcodec/sbr.h +++ b/libavcodec/sbr.h 
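Review bot: In the `ff_sbr_apply` hunk of aacsbr.c the mismatch branch logs and calls `sbr_turnoff(sbr)` but then falls through, and `sbr->id_aac` is written only in `read_sbr_data`. An element for which no SBR payload has been read is therefore compared against whatever the field was initialised with (not visible here), and the error would presumably be logged again on every call until new SBR data arrives. It is worth confirming that continuing after `sbr_turnoff()` with `nch` derived from the caller's `id_aac` is intended, and documenting the new field in sbr.h, e.g. `int id_aac; ///< element type of the last parsed SBR payload`. `ff_sbr_apply` continues outside the hunk.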
@@ -137,6 +137,7 @@ typedef struct AACSBRContext { struct SpectralBandReplication { int sample_rate; int start; + int id_aac; int reset; SpectrumParameters spectrum_params; int bs_amp_res_header; From dec0316c0f3bdf991ef4473566ebde1daaeefc86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2015 02:08:25 +0200 Subject: [PATCH 414/700] avcodec/aacsbr: Assert that bs_num_env is positive Signed-off-by: Michael Niedermayer (cherry picked from commit 2e13a45b1a9a69456631e582bbb06954d169eb55) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index eb00f88f1e..1c06aba832 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1725,6 +1725,7 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, sbr->c.sbr_hf_inverse_filter(&sbr->dsp, sbr->alpha0, sbr->alpha1, (const float (*)[40][2]) sbr->X_low, sbr->k[0]); sbr_chirp(sbr, &sbr->data[ch]); + av_assert0(sbr->data[ch].bs_num_env > 0); sbr_hf_gen(ac, sbr, sbr->X_high, (const float (*)[40][2]) sbr->X_low, (const float (*)[2]) sbr->alpha0, From e9deb5581075bfa79f22a6c228a23849f8199157 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jul 2015 20:00:15 +0200 Subject: [PATCH 415/700] avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() the later is not optimal when the buffer size is well known at allocation time This avoids a memcpy() Overall 2.5% speedup with a random 1920x1080 video Signed-off-by: Michael Niedermayer (cherry picked from commit 47496eb97cff8130991313d1b7292613620d8592) Signed-off-by: Michael Niedermayer --- libavcodec/rawenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawenc.c b/libavcodec/rawenc.c index c579230013..9bcf5c4cc6 100644 --- a/libavcodec/rawenc.c +++ b/libavcodec/rawenc.c 
@@ -51,7 +51,7 @@ static int raw_encode(AVCodecContext *avctx, AVPacket *pkt, if (ret < 0) return ret; - if ((ret = ff_alloc_packet2(avctx, pkt, ret)) < 0) + if ((ret = ff_alloc_packet(pkt, ret)) < 0) return ret; if ((ret = avpicture_layout((const AVPicture *)frame, avctx->pix_fmt, avctx->width, avctx->height, pkt->data, pkt->size)) < 0) From 29a97823ba7c534d88ff414394a85f6d36ab6434 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 3 Jul 2015 00:01:56 +0200 Subject: [PATCH 416/700] wmalosslessdec: avoid reading 0 bits with get_bits Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f9020d514e9ed5043496a710b36daba1ab182e97) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index e6e34767bb..ee4eb03bc6 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -486,7 +486,7 @@ static int decode_cdlms(WmallDecodeCtx *s) if ((1 << cbits) < s->cdlms[c][i].scaling + 1) cbits++; - s->cdlms[c][i].bitsend = get_bits(&s->gb, cbits) + 2; + s->cdlms[c][i].bitsend = (cbits ? get_bits(&s->gb, cbits) : 0) + 2; shift_l = 32 - s->cdlms[c][i].bitsend; shift_r = 32 - s->cdlms[c][i].scaling - 2; for (j = 0; j < s->cdlms[c][i].coefsend; j++) From dcfd83fb8e3c115cd294ae80304db10f7085efe9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 3 Jul 2015 00:02:44 +0200 Subject: [PATCH 417/700] wmalosslessdec: reset frame->nb_samples on packet loss Otherwise a frame with non-zero nb_samples but without any data can be returned. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 42e7a5b3c704985c2c18970cc94a837b413df9d9) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index ee4eb03bc6..72535d5030 100644 
--- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1028,6 +1028,7 @@ static int decode_frame(WmallDecodeCtx *s) if ((ret = ff_get_buffer(s->avctx, s->frame, 0)) < 0) { /* return an error if no frame could be decoded at all */ s->packet_loss = 1; + s->frame->nb_samples = 0; return ret; } for (i = 0; i < s->num_channels; i++) { From 4f4ff23ccb88a6e815b9e8cbb95133491f1fb28c Mon Sep 17 00:00:00 2001 From: Chris Watkins Date: Tue, 7 Jul 2015 10:23:44 -0700 Subject: [PATCH 418/700] oggparsedirac: check return value of init_get_bits If init_get_bits fails the GetBitContext is invalid and must not be used. Check the return value in dirac_header and propogate the error. Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5c2e651a95b950f6a3fb36f2342cbc32515f17) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedirac.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/oggparsedirac.c b/libavformat/oggparsedirac.c index 10fb07e92d..ab40f96c63 100644 --- a/libavformat/oggparsedirac.c +++ b/libavformat/oggparsedirac.c @@ -31,14 +31,19 @@ static int dirac_header(AVFormatContext *s, int idx) AVStream *st = s->streams[idx]; dirac_source_params source; GetBitContext gb; + int ret; // already parsed the header if (st->codec->codec_id == AV_CODEC_ID_DIRAC) return 0; - init_get_bits(&gb, os->buf + os->pstart + 13, (os->psize - 13) * 8); - if (avpriv_dirac_parse_sequence_header(st->codec, &gb, &source) < 0) - return -1; + ret = init_get_bits8(&gb, os->buf + os->pstart + 13, (os->psize - 13)); + if (ret < 0) + return ret; + + ret = avpriv_dirac_parse_sequence_header(st->codec, &gb, &source); + if (ret < 0) + return ret; st->codec->codec_type = AVMEDIA_TYPE_VIDEO; st->codec->codec_id = AV_CODEC_ID_DIRAC; From d137bb92b29895207d0d2fccb34c235451771671 Mon Sep 17 00:00:00 2001 
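Review bot: `dirac_header` in oggparsedirac.c still computes `os->psize - 13` without a visible check that the packet holds at least 13 bytes; a shorter packet is rejected only because `init_get_bits8()` refuses the resulting out-of-range size. An explicit guard before the call, `if (os->psize < 13) return AVERROR_INVALIDDATA;`, would make that intent visible and avoid forming the `os->buf + os->pstart + 13` pointer for a truncated packet. The start of the function is outside the hunk, so an earlier length check may already exist.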
From: Michael Niedermayer Date: Thu, 9 Jul 2015 22:16:15 +0200 Subject: [PATCH 419/700] avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This ensures that no stale pointers leak through on any path Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b160fc290cf49b516c5b6ee0730fd9da7fc623b1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 82 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 78 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index f84557b4d3..ade85e97ac 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -1286,6 +1286,82 @@ fail: return AVERROR(ENOMEM); } +static void clear_context(MpegEncContext *s) +{ + int i, j, k; + + memset(&s->next_picture, 0, sizeof(s->next_picture)); + memset(&s->last_picture, 0, sizeof(s->last_picture)); + memset(&s->current_picture, 0, sizeof(s->current_picture)); + memset(&s->new_picture, 0, sizeof(s->new_picture)); + + memset(s->thread_context, 0, sizeof(s->thread_context)); + + s->me.map = NULL; + s->me.score_map = NULL; + s->dct_error_sum = NULL; + s->block = NULL; + s->blocks = NULL; + memset(s->pblocks, 0, sizeof(s->pblocks)); + s->ac_val_base = NULL; + s->ac_val[0] = + s->ac_val[1] = + s->ac_val[2] =NULL; + s->edge_emu_buffer = NULL; + s->me.scratchpad = NULL; + s->me.temp = + s->rd_scratchpad = + s->b_scratchpad = + s->obmc_scratchpad = NULL; + + s->parse_context.buffer = NULL; + s->parse_context.buffer_size = 0; + s->bitstream_buffer = NULL; + s->allocated_bitstream_buffer_size = 0; + s->picture = NULL; + s->mb_type = NULL; + s->p_mv_table_base = NULL; + s->b_forw_mv_table_base = NULL; + s->b_back_mv_table_base = NULL; + s->b_bidir_forw_mv_table_base = NULL; + s->b_bidir_back_mv_table_base = NULL; + s->b_direct_mv_table_base = NULL; + s->p_mv_table = NULL; + s->b_forw_mv_table = NULL; + s->b_back_mv_table = NULL; + s->b_bidir_forw_mv_table = NULL; + s->b_bidir_back_mv_table = NULL; + s->b_direct_mv_table = NULL; + for (i = 0; i < 2; i++) { + for (j = 0; j < 2; j++) { + for (k = 0; k < 2; k++) { + s->b_field_mv_table_base[i][j][k] = NULL; + s->b_field_mv_table[i][j][k] = NULL; + } + s->b_field_select_table[i][j] = NULL; + s->p_field_mv_table_base[i][j] = NULL; + s->p_field_mv_table[i][j] = NULL; + } + s->p_field_select_table[i] = NULL; + } + + s->dc_val_base = NULL; + s->coded_block_base = NULL; + s->mbintra_table = NULL; + s->cbp_table = NULL; + s->pred_dir_table = NULL; + + s->mbskip_table = NULL; + + s->er.error_status_table = NULL; + s->er.er_temp_buffer = NULL; + s->mb_index2xy = NULL; + s->lambda_table = NULL; + + 
s->cplx_tab = NULL; + s->bits_tab = NULL; +} + /** * init common structure for both encoder and decoder. * this assumes that some variables like width/height are already set @@ -1297,6 +1373,8 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) s->avctx->active_thread_type & FF_THREAD_SLICE) ? s->avctx->thread_count : 1; + clear_context(s); + if (s->encoding && s->avctx->slices) nb_slices = s->avctx->slices; @@ -1344,10 +1422,6 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) if (!s->picture[i].f) goto fail; } - memset(&s->next_picture, 0, sizeof(s->next_picture)); - memset(&s->last_picture, 0, sizeof(s->last_picture)); - memset(&s->current_picture, 0, sizeof(s->current_picture)); - memset(&s->new_picture, 0, sizeof(s->new_picture)); s->next_picture.f = av_frame_alloc(); if (!s->next_picture.f) goto fail; From 80e091853d1e6ea2bcbc1972b87ce662f9eefff5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2015 02:01:17 +0200 Subject: [PATCH 420/700] avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 Fixes Assertion failure Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7ef6656b1e5bfbc7499013d3b38b093b6b2f31ec) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d30ad2e72e..0cc1f903db 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -424,10 +424,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; 
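Review bot: clear_context() has no comment stating its contract, and the list of fields it resets is maintained by hand, so a pointer later added to the MpegEncContext allocations can be missed with no help from the compiler. I would document it above the definition, e.g. `/* Reset every pointer and size that ff_mpv_common_init() may allocate, so the fail path never frees a stale value. Frees nothing: the context must not own buffers when this runs. */`. Because ff_mpv_common_init() now calls it unconditionally at entry, a second init without an intervening teardown would presumably drop live allocations, which is worth confirming against the callers. The same hand-listed reset appears in the ff_rv34_decode_init_thread_copy() hunk of the rv34 patch further down, and `s->ac_val[2] =NULL;` is missing a space.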
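Review bot: The added `*width = FFMAX(*width, 32);` in avcodec_align_dimensions2() sits under a comment that only explains the two extra lines of height, and it runs for any codec with `s->lowres` set, while the commit subject limits the change to H.264. A short comment would record why 32 is the floor, for example `// keep width >= 32: smaller values trip an assertion in the H.264 decoder`, with the wording adjusted to the assertion that was actually hit. If the lowres case is not meant to be covered, the clamp belongs under its own `s->codec_id == AV_CODEC_ID_H264` test.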
From abe503329de0cdd988ba45e19aa72383fce23f8b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 10 Jul 2015 09:31:24 +0200 Subject: [PATCH 421/700] bytestream2: set the reader to the end when reading more than available This prevents possible infinite loops with the calling code along the lines of while (bytestream2_get_bytes_left()) { ... }, where the reader does not advance. CC: libav-stable@libav.org (cherry picked from commit 86eee85daddb682fa072c2e2657c90a514b855e3) Signed-off-by: Michael Niedermayer --- libavcodec/bytestream.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index c2cb601806..7c05ea6cf5 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -71,8 +71,10 @@ static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g) \ } \ static av_always_inline type bytestream2_get_ ## name(GetByteContext *g) \ { \ - if (g->buffer_end - g->buffer < bytes) \ + if (g->buffer_end - g->buffer < bytes) { \ + g->buffer = g->buffer_end; \ return 0; \ + } \ return bytestream2_get_ ## name ## u(g); \ } \ static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g) \ From 3489693051a7eaa43b219fc55286cb5e0c280902 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 15:46:10 +0200 Subject: [PATCH 422/700] avcodec/alac: Clear pointers in allocate_buffers() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f7068bf277a37479aecde2832208d820682b35e6) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index f5a5b86145..48013f6472 100644 --- a/libavcodec/alac.c 
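Review bot: The checked getter now discards whatever bytes remain when fewer than `bytes` are left, which is a contract change that nothing near the macro documents. A caller that falls back to a narrower read after a failed wide one would lose the tail, so I would add a comment above the macro such as `/* On a short read the checked getters return 0 and move the reader to buffer_end; the remaining bytes are dropped. */`. The returned 0 is still indistinguishable from a legitimate zero value, so callers need bytestream2_get_bytes_left() to tell the two apart. The macro definition starts and ends outside this hunk.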
+++ b/libavcodec/alac.c @@ -533,6 +533,12 @@ static int allocate_buffers(ALACContext *alac) int ch; int buf_size = alac->max_samples_per_frame * sizeof(int32_t); + for (ch = 0; ch < 2; ch++) { + alac->predict_error_buffer[ch] = NULL; + alac->output_samples_buffer[ch] = NULL; + alac->extra_bits_buffer[ch] = NULL; + } + for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) { FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch], buf_size, buf_alloc_fail); From 1cb19f4f08d5681464fc19eb8d327775921de2c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 16:05:21 +0200 Subject: [PATCH 423/700] avcodec/sanm: Reset sizes in destroy_buffers() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 9e5ec5400e..2547abb840 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -457,6 +457,7 @@ static void destroy_buffers(SANMVideoContext *ctx) ctx->frm0_size = ctx->frm1_size = ctx->frm2_size = 0; + init_sizes(ctx, 0, 0); } static av_cold int init_buffers(SANMVideoContext *ctx) From 95d8912bfdc5e0eca54d9f3b251f67c19b88b6a3 Mon Sep 17 00:00:00 2001 
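Review bot: The clearing loop added to allocate_buffers() hard-codes `2` as the number of per-channel buffers, separately from the `FFMIN(alac->channels, 2)` bound of the allocation loop that follows it. Deriving the bound from the array keeps the two in step if the array size ever changes: `for (ch = 0; ch < FF_ARRAY_ELEMS(alac->predict_error_buffer); ch++) {`. This assumes the three buffer members are fixed-size arrays of equal length, which the hunk does not show. The function continues outside the hunk.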
From: Michael Niedermayer Date: Mon, 13 Jul 2015 21:19:04 +0200 Subject: [PATCH 424/700] avcodec/pthread_frame: check avctx on deallocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereferences Fixes: af1a5a33e67e479f439239097bd0d4fd_signal_sigsegv_7ffff713351a_152_Dolby_Rain_Logo.pmp with memlimit of 8388608 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5d346feafa817c4fbc30f7ed0b93b2dad6cef15b) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 5a4ab84a4a..e7ac377e3c 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -571,7 +571,7 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) pthread_join(p->thread, NULL); p->thread_init=0; - if (codec->close) + if (codec->close && p->avctx) codec->close(p->avctx); avctx->codec = NULL; @@ -591,12 +591,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) av_packet_unref(&p->avpkt); av_freep(&p->released_buffers); - if (i) { + if (i && p->avctx) { av_freep(&p->avctx->priv_data); av_freep(&p->avctx->slice_offset); } - av_freep(&p->avctx->internal); + if (p->avctx) + av_freep(&p->avctx->internal); av_freep(&p->avctx); } From 3e167497c78f0f562fa6b5d05977bf3028ad8780 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 23:33:18 +0200 Subject: [PATCH 425/700] ffmpeg: Fix cleanup with ost = NULL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 09e670595acbdafb226974b08dab66e3_signal_sigabrt_7ffff70eccc9_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 1048576 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 503ec7139f887bf8ed8d57da07ce93c4e88447a6) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 0636304320..baaa101c11 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -466,7 +466,12 @@ static void ffmpeg_cleanup(int ret) } for (i = 0; i < nb_output_streams; i++) { OutputStream *ost = output_streams[i]; - AVBitStreamFilterContext *bsfc = ost->bitstream_filters; + AVBitStreamFilterContext *bsfc; + + if (!ost) + continue; + + bsfc = ost->bitstream_filters; while (bsfc) { AVBitStreamFilterContext *next = bsfc->next; av_bitstream_filter_close(bsfc); From 40f5222e9c17b0ae759e38e2ba783017f183729b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jul 2015 13:02:19 +0200 Subject: [PATCH 426/700] ffmpeg: Fix crash with ost->last_frame allocation failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1013dbde2c360d939cc2dfc33e4f275c_signal_sigsegv_a0500f_45_320vp3.nsv with memlimit of 536870912 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fd4c87fa3becaf8a6c480db915daf51e297b76c5) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index baaa101c11..43762edcd7 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1148,7 +1148,7 @@ static void do_video_out(AVFormatContext *s, if (!ost->last_frame) ost->last_frame = av_frame_alloc(); av_frame_unref(ost->last_frame); - if (next_picture) + if (next_picture && ost->last_frame) av_frame_ref(ost->last_frame, next_picture); else av_frame_free(&ost->last_frame); From 3953c497e2751bbbfd5063e4b7b54c868f46e031 Mon Sep 17 00:00:00 2001 
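Review bot: In the do_video_out() hunk, when av_frame_alloc() fails `av_frame_unref(ost->last_frame)` still runs with a NULL pointer before the new `ost->last_frame` test, so the fix depends on av_frame_unref() accepting NULL, which this hunk does not show. Moving the unref under the same guard removes that dependency: `if (ost->last_frame) av_frame_unref(ost->last_frame);`. The return value of `av_frame_ref()` is also still ignored, and the allocation failure is dropped without a log line. do_video_out() starts and ends outside the hunk.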
From: Michael Niedermayer Date: Tue, 14 Jul 2015 14:14:16 +0200 Subject: [PATCH 427/700] avformat/mov: Fix deallocation when MOVStreamContext failed to allocate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 15629129dde771446a005282ee33c4ea1199e696) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 783ad0d76d..137bc6006b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3717,6 +3717,9 @@ static int mov_read_close(AVFormatContext *s) AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; + if (!sc) + continue; + av_freep(&sc->ctts_data); for (j = 0; j < sc->drefs_count; j++) { av_freep(&sc->drefs[j].path); From d819a2c9869cacfc58ab7ef55bf74532bd6dad20 Mon Sep 17 00:00:00 2001 From: Zhang Rui Date: Tue, 14 Jul 2015 14:47:26 +0800 Subject: [PATCH 428/700] avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() Signed-off-by: Michael Niedermayer (cherry picked from commit fcbea93cf8777bbef2a393d26942b5d3c70a448d) Signed-off-by: Michael Niedermayer --- libavutil/fifo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fifo.c b/libavutil/fifo.c index 4ff3194c5f..f2fe93de75 100644 --- a/libavutil/fifo.c +++ b/libavutil/fifo.c @@ -129,7 +129,8 @@ int av_fifo_generic_write(AVFifoBuffer *f, void *src, int size, do { int len = FFMIN(f->end - wptr, size); if (func) { - if (func(src, wptr, len) <= 0) + len = func(src, wptr, len); + if (len <= 0) break; } else { memcpy(wptr, src, len); From 46236b0bae230df903e9c4ebaa79d14ddd7dd303 Mon Sep 17 00:00:00 2001 
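Review bot: In av_fifo_generic_write() the value returned by `func()` replaces `len` with no upper bound, so a callback that reports more bytes than it was offered would presumably advance the write pointer and the remaining size past the space available; only `<= 0` is rejected. The loop's bookkeeping is outside this hunk, but a bound at the call site is cheap: keep the request in a local, `int want = FFMIN(f->end - wptr, size);`, call `len = func(src, wptr, want);` and test `if (len <= 0 || len > want) break;`. The callback contract (it returns at most the requested count) is also worth stating in the function's documentation.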
From: Michael Niedermayer Date: Wed, 15 Jul 2015 19:20:19 +0200 Subject: [PATCH 429/700] swscale/utils: Clear pix buffers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized memory Fixes: a96874b9466b6edc660a519c7ad47977_signal_sigsegv_7ffff713351a_744_nc_sample.avi with memlimit 2147483648 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a5d44d5c220e12ca0cb7a4eceb0f74759cb13111) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index fd8e72abc6..475c3ed85d 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1410,9 +1410,9 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* Allocate pixbufs (we use dynamic allocation because otherwise we would * need to allocate several megabytes to handle all possible cases) */ - FF_ALLOC_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) FF_ALLOCZ_OR_GOTO(c, c->alpPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); /* Note we need at least one pixel more at the end because of the MMX code From b7c8d072ea1bde2edd8f2b1b83d3463b6ca4c844 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 16 Jul 2015 11:52:33 +0200 Subject: [PATCH 430/700] avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: b4b47bc2b3fb7ca710bfffe5aa969e37_signal_sigabrt_7ffff70eccc9_744_nc_sample2.avi with memlimit of 4194304 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f1a38264f20382731cf2cc75fdd98f4c9a84a626) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index e7ac377e3c..41fafcefd4 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -669,6 +669,7 @@ int ff_frame_thread_init(AVCodecContext *avctx) copy->internal = av_malloc(sizeof(AVCodecInternal)); if (!copy->internal) { + copy->priv_data = NULL; err = AVERROR(ENOMEM); goto error; } From 384f6801a2ed1611e01df358ffbb08c689e38670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jul 2015 20:27:25 +0200 Subject: [PATCH 431/700] avfilter/af_aresample: Check ff_all_* for allocation failures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signal_sigabrt_7ffff70eccc9_498_divx502.avi with memlimit 1572864 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 2ea8a480832acad3095783bcb11d5f290bec56cf) Signed-off-by: Michael Niedermayer --- libavfilter/af_aresample.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index 57ac3978be..6cb765df1b 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c 
@@ -87,15 +87,24 @@ static int query_formats(AVFilterContext *ctx) AVFilterLink *inlink = ctx->inputs[0]; AVFilterLink *outlink = ctx->outputs[0]; - AVFilterFormats *in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); - AVFilterFormats *out_formats; - AVFilterFormats *in_samplerates = ff_all_samplerates(); - AVFilterFormats *out_samplerates; - AVFilterChannelLayouts *in_layouts = ff_all_channel_counts(); - AVFilterChannelLayouts *out_layouts; + AVFilterFormats *in_formats, *out_formats; + AVFilterFormats *in_samplerates, *out_samplerates; + AVFilterChannelLayouts *in_layouts, *out_layouts; + + in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); + if (!in_formats) + return AVERROR(ENOMEM); ff_formats_ref (in_formats, &inlink->out_formats); + + in_samplerates = ff_all_samplerates(); + if (!in_samplerates) + return AVERROR(ENOMEM); ff_formats_ref (in_samplerates, &inlink->out_samplerates); + + in_layouts = ff_all_channel_counts(); + if (!in_layouts) + return AVERROR(ENOMEM); ff_channel_layouts_ref(in_layouts, &inlink->out_channel_layouts); if(out_rate > 0) { From 8696762b9a3b66b7dac4bd7b8022a4ba0f72153a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 11:24:45 +0200 Subject: [PATCH 432/700] avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoids leaving stale pointers Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a232ab2593..6e86ebd35e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c 
@@ -1534,7 +1534,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) if (avctx->internal->is_copy) { r->tmp_b_block_base = NULL; + r->cbp_chroma = NULL; + r->cbp_luma = NULL; + r->deblock_coefs = NULL; + r->intra_types_hist = NULL; + r->mb_type = NULL; + ff_mpv_idct_init(&r->s); + if ((err = ff_mpv_common_init(&r->s)) < 0) return err; if ((err = rv34_decoder_alloc(r)) < 0) { From c72c1b871602079f4d867bf5c04fa0a3f51ec7c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 17:55:19 +0200 Subject: [PATCH 433/700] avcodec/diracdec: Check for hpel_base allocation failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Fixes: signal_sigsegv_b02a96_280_RL_420p_ffdirac.drc with memlimit of 67108864 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1c5b712c0a643a039d6f34269b4102de313a050a) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1bfe6be0a4..6b93d8632b 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1561,7 +1561,7 @@ static void select_dsp_funcs(DiracContext *s, int width, int height, int xblen, } } -static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) +static int interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) { /* chroma allocates an edge of 8 when subsampled which for 4:2:2 means an h edge of 16 and v edge of 8 
@@ -1573,11 +1573,14 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in /* no need for hpel if we only have fpel vectors */ if (!s->mv_precision) - return; + return 0; for (i = 1; i < 4; i++) { if (!ref->hpel_base[plane][i]) ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe->linesize[plane] + 32); + if (!ref->hpel_base[plane][i]) { + return AVERROR(ENOMEM); + } /* we need to be 16-byte aligned even for chroma */ ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe->linesize[plane] + 16; } @@ -1591,6 +1594,8 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in s->mpvencdsp.draw_edges(ref->hpel[plane][3], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM); } ref->interpolated[plane] = 1; + + return 0; } /** @@ -1640,8 +1645,11 @@ static int dirac_decode_frame_internal(DiracContext *s) select_dsp_funcs(s, p->width, p->height, p->xblen, p->yblen); - for (i = 0; i < s->num_refs; i++) - interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + for (i = 0; i < s->num_refs; i++) { + int ret = interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + if (ret < 0) + return ret; + } memset(s->mctmp, 0, 4*p->yoffset*p->stride); From 1166d9245ab1ee76905a8ec7355a7f03f611ed83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 19:02:26 +0200 Subject: [PATCH 434/700] avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signal_sigsegv_d5de23_967_vp80_00_comprehensive_010.ivf with memlimit 524288 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a84f0e8d8f293df3c535f9b893730a835bed6520) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 86eb4e9881..8313544c35 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2689,6 +2689,9 @@ av_cold int ff_vp8_decode_free(AVCodecContext *avctx) VP8Context *s = avctx->priv_data; int i; + if (!s) + return 0; + vp8_decode_flush_impl(avctx, 1); for (i = 0; i < FF_ARRAY_ELEMS(s->frames); i++) av_frame_free(&s->frames[i].tf.f); From be369f6e4034bee7630ea70d7b516bdee25ff40f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 19:18:24 +0200 Subject: [PATCH 435/700] avcodec/vp8: Check buffer size in vp8_decode_frame_header() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit avoids null pointer dereference Fixes: signal_sigsegv_d5de40_964_vp80-00-comprehensive-010.ivf with memlimit of 1048576 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 599d746e07319dc792ed2e511b666fe482f1ff88) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 8313544c35..944db5ef6d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -639,6 +639,11 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si int width = s->avctx->width; int height = s->avctx->height; + if (buf_size < 3) { + av_log(s->avctx, AV_LOG_ERROR, "Insufficent data (%d) for header\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->keyframe = !(buf[0] & 1); s->profile = (buf[0]>>1) & 7; s->invisible = !(buf[0] & 0x10); From ad03cef4208b564f63354cdce6610e854cd51a48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jul 2015 03:23:43 +0200 Subject: [PATCH 436/700] Update for 2.5.8 Signed-off-by: Michael Niedermayer --- Changelog | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 91 insertions(+), 2 deletions(-) 
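Review bot: The new log string in vp8_decode_frame_header() misspells the word as `"Insufficent data (%d) for header\n"`; the text is emitted at runtime and ends up being searched for in logs, so it should read `"Insufficient data (%d) for header\n"`. The guard covers only the three bytes read immediately after it. The function continues outside the hunk, so any further header bytes read there need their own length checks against the remaining `buf_size`.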
diff --git a/Changelog b/Changelog index 9c37faca14..9cfeeff116 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,95 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.8 +- avcodec/vp8: Check buffer size in vp8_decode_frame_header() +- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() +- avcodec/diracdec: Check for hpel_base allocation failure +- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() +- avfilter/af_aresample: Check ff_all_* for allocation failures +- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case +- swscale/utils: Clear pix buffers +- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() +- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate +- ffmpeg: Fix crash with ost->last_frame allocation failure +- ffmpeg: Fix cleanup with ost = NULL +- avcodec/pthread_frame: check avctx on deallocation +- avcodec/sanm: Reset sizes in destroy_buffers() +- avcodec/alac: Clear pointers in allocate_buffers() +- bytestream2: set the reader to the end when reading more than available +- avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 +- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() +- oggparsedirac: check return value of init_get_bits +- wmalosslessdec: reset frame->nb_samples on packet loss +- wmalosslessdec: avoid reading 0 bits with get_bits +- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() +- avcodec/aacsbr: Assert that bs_num_env is positive +- avcodec/aacsbr: check that the element type matches before applying SBR +- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h +- vp9/update_prob: prevent out of bounds table read +- avfilter/vf_transpose: Fix rounding error +- avcodec/pngdec: Check values before updating context in decode_fctl_chunk() +- avcodec/pngdec: Require a IHDR chunk before fctl +- avcodec/pngdec: Only allow one IHDR chunk +- wmavoice: limit 
wmavoice_decode_packet return value to packet size +- swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian +- ffmpeg: Do not use the data/size of a bitstream filter after failure +- swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} +- swscale/x86/rgb2rgb_template: add missing xmm clobbers +- vda: unlock the pixel buffer base address. +- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() +- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE +- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian +- swr: Remember previously set int_sample_format from user +- matroskadec: check audio sample rate +- matroskadec: validate audio channels and bitdepth +- avcodec/dpxenc: implement write16/32 as functions +- postproc: fix unaligned access +- ffmpeg: Free last_frame instead of just unref +- avio: fix potential crashes when combining ffio_ensure_seekback + crc +- h264: er: Copy from the previous reference only if compatible +- sonic: set avctx->channels in sonic_decode_init +- vp8: change mv_{min,max}.{x,y} type to int +- vp9: change type of tile_size from unsigned to int64_t +- arm: only enable setend on ARMv6 +- libopenjpegdec: check existence of image component data +- mov: abort on EOF in ff_mov_read_chan +- ffmpeg_opt: Check for localtime() failure +- avformat: Fix bug in parse_rps for HEVC. +- takdec: ensure chan2 is a valid channel index +- avcodec/h264_slice: Use AVFrame diemensions for grayscale handling +- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() +- libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'. 
+- avcodec/jpeg2000dec: Check that coords match before applying ICT +- avformat/ffmdec: Check ffio_set_buf_size() return value +- avcodec/adpcm: Check for overreads +- avcodec/alsdec: Check for overread +- avcodec/atrac3plusdec: consume only as many bytes as available +- libavutil/softfloat: Fix av_normalize1_sf bias. +- swresample/swresample: Cleanup on init failure. +- Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference" +- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec +- swresample/dither: check memory allocation +- libopenjpegenc: add NULL check for img before accessing it +- swresample: Check the return value of resampler->init() +- h264: Make sure reinit failures mark the context as not initialized +- ffmpeg_opt: Set the video VBV parameters only for the video stream from -target +- avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits() +- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes() +- avcodec/mpegvideo_enc: Update the buffer size as more slices are merged +- avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size() +- avformat/wavdec: Increase dts packet threshold to fix more misdetections +- avformat/wavdec: Increase probe_packets limit +- avformat/swfdec: Do not error out on pixel format changes +- avfilter/x86/vf_hqdn3d: Fix register types +- avcodec/mjpegenc_common: Use ff_mpv_reallocate_putbitbuffer() +- avcodec/mpegvideo: Factor ff_mpv_reallocate_putbitbuffer() out +- avformat/mov: Mark avio context of decompressed atoms as seekable +- avcodec/hevc_ps: Only discard overread VPS if a previous is available +- avcodec/x86/h264_weight: handle weight1=128 +- avcodec/exr: fix crash caused by merge + + version 2.5.7 - avformat/nutdec: Fix recovery when immedeately after seeking a failure happens - nutdec: fix memleaks on error in nut_read_header diff --git a/RELEASE b/RELEASE index 35d16fb1a7..ecd7ee50cb 100644 --- a/RELEASE +++ b/RELEASE 
@@ -1 +1 @@ -2.5.7 +2.5.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index b23f76dc20..e1b1a95809 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.7 +PROJECT_NUMBER = 2.5.8 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From ef905b1b27d5785930d130ad786fd99514d207a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jan 2015 17:25:05 +0100 Subject: [PATCH 437/700] avcodec/diracdec: Check slices malloc and propagate error code Signed-off-by: Michael Niedermayer (cherry picked from commit a4d3cf10b2ece441ae25849a66b1c11d838f9381) Signed-off-by: Andreas Cadhalpun --- libavcodec/diracdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 6b93d8632b..9640c82e83 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -772,7 +772,7 @@ static int decode_lowdelay_slice(AVCodecContext *avctx, void *arg) * Dirac Specification -> * 13.5.1 low_delay_transform_data() */ -static void decode_lowdelay(DiracContext *s) +static int decode_lowdelay(DiracContext *s) { AVCodecContext *avctx = s->avctx; int slice_x, slice_y, bytes, bufsize; @@ -781,6 +781,8 @@ static void decode_lowdelay(DiracContext *s) int slice_num = 0; slices = av_mallocz_array(s->lowdelay.num_x, s->lowdelay.num_y * sizeof(struct lowdelay_slice)); + if (!slices) + return AVERROR(ENOMEM); align_get_bits(&s->gb); /*[DIRAC_STD] 13.5.2 Slices. slice(sx,sy) */ 
@@ -811,6 +813,7 @@ static void decode_lowdelay(DiracContext *s) intra_dc_prediction(&s->plane[1].band[0][0]); /* [DIRAC_STD] 13.3 intra_dc_prediction() */ intra_dc_prediction(&s->plane[2].band[0][0]); /* [DIRAC_STD] 13.3 intra_dc_prediction() */ av_free(slices); + return 0; } static void init_planes(DiracContext *s) @@ -1606,6 +1609,7 @@ static int dirac_decode_frame_internal(DiracContext *s) { DWTContext d; int y, i, comp, dsty; + int ret; if (s->low_delay) { /* [DIRAC_STD] 13.5.1 low_delay_transform_data() */ @@ -1613,8 +1617,10 @@ static int dirac_decode_frame_internal(DiracContext *s) Plane *p = &s->plane[comp]; memset(p->idwt_buf, 0, p->idwt_stride * p->idwt_height * sizeof(IDWTELEM)); } - if (!s->zero_res) - decode_lowdelay(s); + if (!s->zero_res) { + if ((ret = decode_lowdelay(s)) < 0) + return ret; + } } for (comp = 0; comp < 3; comp++) { From ff68bf7a1bf32bd497f758c231fd7d816f07d86c Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 27 Jan 2015 18:09:32 +0000 Subject: [PATCH 438/700] avformat/nut: support WavPack Signed-off-by: Paul B Mahol (cherry picked from commit 64815d1f0c782a632447806e40d9c7ee71f31b92) Signed-off-by: Andreas Cadhalpun --- libavformat/nut.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/nut.c b/libavformat/nut.c index 86a03015af..6cd34458ac 100644 --- a/libavformat/nut.c +++ b/libavformat/nut.c @@ -182,6 +182,7 @@ const AVCodecTag ff_nut_audio_extra_tags[] = { { AV_CODEC_ID_PCM_ALAW, MKTAG('A', 'L', 'A', 'W') }, { AV_CODEC_ID_PCM_MULAW, MKTAG('U', 'L', 'A', 'W') }, { AV_CODEC_ID_MP3, MKTAG('M', 'P', '3', ' ') }, + { AV_CODEC_ID_WAVPACK, MKTAG('w', 'v', 'p', 'k') }, { AV_CODEC_ID_NONE, 0 } }; From 74a88a509c6e60bec20cb74291b69b9d5dff0a0d Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Mon, 4 May 2015 21:07:52 +0200 Subject: [PATCH 439/700] avidec: check for valid bit_rate range If bit_rate is negative, it can trigger an av_assert2 in av_rescale_rnd. Since av_rescale returns int64_t, but st->codec_bit_rate is int, it can also overflow into a negative value. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0eec40b713eee84e2aec8af35ccce059817cad2a) Signed-off-by: Andreas Cadhalpun --- libavformat/avidec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 91e8514b4b..621bd5f9fa 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -448,6 +448,7 @@ static int calculate_bitrate(AVFormatContext *s) int64_t len = 0; AVStream *st = s->streams[i]; int64_t duration; + int64_t bitrate; for (j = 0; j < st->nb_index_entries; j++) len += st->index_entries[j].size; @@ -455,7 +456,10 @@ static int calculate_bitrate(AVFormatContext *s) if (st->nb_index_entries < 2 || st->codec->bit_rate > 0) continue; duration = st->index_entries[j-1].timestamp - st->index_entries[0].timestamp; - st->codec->bit_rate = av_rescale(8*len, st->time_base.den, duration * st->time_base.num); + bitrate = av_rescale(8*len, st->time_base.den, duration * st->time_base.num); + if (bitrate <= INT_MAX && bitrate > 0) { + st->codec->bit_rate = bitrate; + } } return 1; } From 18189ebab3cfb2f2fe8ff53a404557bc5f7a12c6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 24 May 2015 15:44:31 +0200 Subject: [PATCH 440/700] libshine: fix support for shine 3.0 shine_encode_buffer expects written to be an int pointer, while the previous shine_encode_frame expected it to be a long pointer. Thus encoding with libshine currently always fails with "internal buffer too small", because a negative return value of shine_encode_buffer is interpreted as a very large long value. Reviewed-by: Michael Niedermayer 
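Review bot: The range check added in calculate_bitrate's second hunk validates the result of av_rescale() but not its divisor: `duration * st->time_base.num` is zero or negative whenever the first and last index entries carry equal or decreasing timestamps, and those values come from the file's index. Depending on how av_rescale() treats a non-positive divisor, that is an assertion or an undefined result before the `bitrate > 0` test is reached, so a guard such as `if (duration <= 0) continue;` ahead of the call would close the case the commit message describes. `INT_MAX` also needs `<limits.h>` in scope, which the hunk does not show. The function starts and ends outside the hunk.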
Signed-off-by: Andreas Cadhalpun (cherry picked from commit e48a9ac9af5f6e652735aa44a86420b5e7258895) Signed-off-by: Andreas Cadhalpun --- libavcodec/libshine.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libshine.c b/libavcodec/libshine.c index 48333bb3c7..27c1a5f43f 100644 --- a/libavcodec/libshine.c +++ b/libavcodec/libshine.c @@ -71,7 +71,7 @@ static int libshine_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, SHINEContext *s = avctx->priv_data; MPADecodeHeader hdr; unsigned char *data; - long written; + int written; int ret, len; if (frame) From 98aedbf9fe38dac810cb94e3ee1217fad3088c53 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 26 Jun 2015 00:27:54 +0200 Subject: [PATCH 441/700] mpegaudiodec: copy AVFloatDSPContext from first context to all contexts This fixes a segfault when decoding multi-channel MP3onMP4 files. This is similar to commit cb72230d for MPADSPContext. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 151dbe4579601a81662b4b366d0e10df3c00027a) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegaudiodec_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 138a107b85..0aa14b7463 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1893,6 +1893,7 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx) s->mp3decctx[i]->adu_mode = 1; s->mp3decctx[i]->avctx = avctx; s->mp3decctx[i]->mpadsp = s->mp3decctx[0]->mpadsp; + s->mp3decctx[i]->fdsp = s->mp3decctx[0]->fdsp; } return 0; From 983dc64772a0d1ae621b48d926daa903171a718b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 25 Jun 2015 22:47:38 +0200 Subject: [PATCH 442/700] vc1dec: use get_bits_long and limit the read bits to 32 get_bits should not be used with more than 25 bits. Reviewed-by: Michael Niedermayer 
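Review bot: The line added in decode_init_mp3on4 makes every `mp3decctx[i]->fdsp` alias the value held by context 0, and the matching close path is not part of the hunk. If `fdsp` is an allocated object rather than an embedded struct (its declaration is not visible here), teardown has to release it exactly once through context 0 and never per context. A short comment beside the assignment, such as `/* shared with mp3decctx[0], released once on close */`, would record that ownership. The function body starts outside the hunk.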
Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1f1e0a2971b2a01f275bb5088c2e36166514be64) Signed-off-by: Andreas Cadhalpun --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index da6724ca39..e5725b4b2a 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -465,7 +465,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", - count, get_bits(&gb, count)); + count, get_bits_long(&gb, FFMIN(count, 32))); } else if (count < 0) { av_log(avctx, AV_LOG_INFO, "Read %i bits in overflow\n", -count); } From d8c82ed321da59469406327f33c8d580ef32186f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 28 Jun 2015 11:21:54 +0200 Subject: [PATCH 443/700] huffyuvdec: validate image size Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9a345802edf7f430b3335f486aecdd8552f8367b) Signed-off-by: Andreas Cadhalpun --- libavcodec/huffyuvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 98c6128470..a99ac71a89 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -37,6 +37,7 @@ #include "huffyuv.h" #include "huffyuvdsp.h" #include "thread.h" +#include "libavutil/imgutils.h" #include "libavutil/pixdesc.h" #define classic_shift_luma_table_size 42 @@ -291,6 +292,10 @@ static av_cold int decode_init(AVCodecContext *avctx) HYuvContext *s = avctx->priv_data; int ret; + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + ff_huffyuvdsp_init(&s->hdsp); memset(s->vlc, 0, 4 * sizeof(VLC)); From ffcfab882b6683278585fd41218c1803dea443f5 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Thu, 9 Jul 2015 19:50:34 +0200 Subject: [PATCH 444/700] snow: remove an obsolete av_assert2 It asserts that the frame linesize is larger than 37, but it can be smaller and decoding such frames works. Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the blocks were interleaved in the tmp buffer and the last block was added with an offset of 6*MB_SIZE. It was changed for src_stride <= 7*MB_SIZE to write the blocks sequentially, hence the larger tmp_step. After that the assert was only necessary to make sure that the buffer remained large enough. Since commit bd2b6b33 s->scratchbuf is used as tmp buffer. As part of commit 86e107a7 the minimal scratchbuf size was increased to 256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE. Also add a comment explaining the tmp_step calculation. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3526a120f92929cb0a4009e403ee2f141030c487) Signed-off-by: Andreas Cadhalpun --- libavcodec/snow.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 6f1fca378c..12aad1874a 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -298,6 +298,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer BlockNode *lb= lt+b_stride; BlockNode *rb= lb+1; uint8_t *block[4]; + // When src_stride is large enough, it is possible to interleave the blocks. + // Otherwise the blocks are written sequentially in the tmp buffer. int tmp_step= src_stride >= 7*MB_SIZE ? MB_SIZE : MB_SIZE*src_stride; uint8_t *tmp = s->scratchbuf; uint8_t *ptmp; @@ -341,8 +343,6 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(b_w<=0 || b_h<=0) return; - av_assert2(src_stride > 2*MB_SIZE + 5); - if(!sliced && offset_dst) dst += src_x + src_y*dst_stride; dst8+= src_x + src_y*src_stride; From 5e833d958c09e79be873f40df88d75425132ba16 Mon Sep 17 00:00:00 2001 
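Review bot: The comment added above `tmp_step` in add_yblock explains the two buffer layouts but not the size bound that makes the removed av_assert2 unnecessary, which the commit message places in the scratchbuf allocation (at least 256*7*MB_SIZE). Since the second hunk drops the only in-function check, I would extend the comment with that requirement, e.g. `// relies on s->scratchbuf holding at least 256*7*MB_SIZE bytes`, so that a later change to the allocation is reviewed against this use. add_yblock starts and ends outside both hunks.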
From: Andreas Cadhalpun Date: Thu, 30 Jul 2015 18:54:25 +0200 Subject: [PATCH 445/700] Changelog update Signed-off-by: Andreas Cadhalpun --- Changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog b/Changelog index 9cfeeff116..8d010d976e 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,14 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 2.5.8 +- snow: remove an obsolete av_assert2 +- huffyuvdec: validate image size +- vc1dec: use get_bits_long and limit the read bits to 32 +- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts +- libshine: fix support for shine 3.0 +- avidec: check for valid bit_rate range +- avformat/nut: support WavPack +- avcodec/diracdec: Check slices malloc and propagate error code - avcodec/vp8: Check buffer size in vp8_decode_frame_header() - avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() - avcodec/diracdec: Check for hpel_base allocation failure From c809cf1c5b1b66fbc14795f3de0dde41c6861356 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 29 Jul 2015 22:11:18 +0200 Subject: [PATCH 446/700] rawdec: fix mjpeg probing There can be other headers than "Content-Type:" (in this case, a "Content-Length:" header was following), so checking for a trailing newline is wrong. Signed-off-by: Michael Niedermayer (cherry picked from commit bf51fcd304d5594a4d8eed2bedf0ef0f68fa65f8) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index bbb76b6c95..6a9085a925 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c 
@@ -188,7 +188,7 @@ static int mjpeg_probe(AVProbeData *p) } if (nb_invalid*4 + 1 < nb_frames) { - static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n\r\n"; + static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) From 1eb646ec9f87ed488f52561867e107eaee89e20c Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 29 Jul 2015 22:33:44 +0200 Subject: [PATCH 447/700] rawdec: fix mjpeg probing buffer size check Signed-off-by: Michael Niedermayer (cherry picked from commit 4c6beaed9210f01290e5a5a4e377f93f145172cc) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index 6a9085a925..d8dc1c3940 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -191,7 +191,7 @@ static int mjpeg_probe(AVProbeData *p) static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; - for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) + for (i=0; ibuf_size - (int)sizeof(ct_jpeg), 100); i++) if (!memcmp(p->buf + i, ct_jpeg, sizeof(ct_jpeg) - 1)) return AVPROBE_SCORE_EXTENSION; From af098adca39dd399fb641e69d246021bba8f3ac1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 448/700] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 0f2faeda2f..4f5bf8ba56 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ patches and related discussions. Project Leader ============== -Michael Niedermayer final design decisions From 628479b096fe4d74841e6c2904cc9646544424b1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 20 Sep 2015 23:20:43 -0300 Subject: [PATCH 449/700] doc: mention libavcodec can decode Opus natively 
Signed-off-by: James Almer (cherry picked from commit fd9ac48dc8aebcbd601af34336234d5102b36e21) --- doc/general.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/general.texi b/doc/general.texi index dd19fcc101..508d587ea9 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -936,8 +936,8 @@ following image formats are supported: @item Musepack SV8 @tab @tab X @item Nellymoser Asao @tab X @tab X @item On2 AVC (Audio for Video Codec) @tab @tab X -@item Opus @tab E @tab E - @tab supported through external library libopus +@item Opus @tab E @tab X + @tab encoding supported through external library libopus @item PCM A-law @tab X @tab X @item PCM mu-law @tab X @tab X @item PCM signed 8-bit planar @tab X @tab X From 2e575c1e8dd7ab5e050caf431693fbf8b69f2c7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Thu, 1 Oct 2015 11:48:45 +0200 Subject: [PATCH 450/700] avformat/srtdec: more lenient first line probing Fixes Ticket #4898 (cherry picked from commit 7218352e0228028dfa009a3799ec93fd041065f1) --- libavformat/srtdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index b35e50fc36..7fee0fc2d1 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -41,9 +41,11 @@ static int srt_probe(AVProbeData *p) ff_text_r8(&tr); /* Check if the first non-empty line is a number. We do not check what the - * number is because in practice it can be anything. */ + * number is because in practice it can be anything. + * Also, that number can be followed by random garbage, so we can not + * unfortunately check that we only have a number. */ if (ff_subtitles_read_line(&tr, buf, sizeof(buf)) < 0 || - strtol(buf, &pbuf, 10) < 0 || *pbuf) + strtol(buf, &pbuf, 10) < 0) return 0; /* Check if the next line matches a SRT timestamp */ From f2c07de0a5a7ea1c48fc872f1057974cf0df3ca7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 9 Oct 2015 10:52:58 +0200 Subject: [PATCH 451/700] avformat/srtdec: make sure we probe a number Fixes regression since 7218352e0228028dfa009a3799ec93fd041065f1: WebVTT files were matching the SRT probing. (cherry picked from commit 40d9d6de90c3652f4c468ab14976c7faf5e40c07) --- libavformat/srtdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 7fee0fc2d1..3b1373f559 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -45,7 +45,7 @@ static int srt_probe(AVProbeData *p) * Also, that number can be followed by random garbage, so we can not * unfortunately check that we only have a number. */ if (ff_subtitles_read_line(&tr, buf, sizeof(buf)) < 0 || - strtol(buf, &pbuf, 10) < 0) + strtol(buf, &pbuf, 10) < 0 || pbuf == buf) return 0; /* Check if the next line matches a SRT timestamp */ From 9177bcc06ca5fa583608b5a6d77c6d2bebe9def6 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 30 Sep 2015 14:53:35 +0200 Subject: [PATCH 452/700] avcodec/mp3: fix skipping zeros Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3 packets. This code forgot to report to the user that data was skipped at all. Since audio codecs allow partial packet decoding, the user application has to rely on the return value. It will remove the data reported as consumed by the decoder, and feed it to the decoder again. This resulted in the mp3 frame after the zero region to be decoded over and over again, until the zero region was finally skipped by the application. Fix this by including the amount of skipped bytes to the number of consumed bytes returned by the decode call. Fixes trac ticket #4890. (cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d) --- libavcodec/mpegaudiodec_template.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 0aa14b7463..dcbde7c6aa 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1657,9 +1657,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, uint32_t header; int ret; + int skipped = 0; while(buf_size && !*buf){ buf++; buf_size--; + skipped++; } if (buf_size < HEADER_SIZE) @@ -1714,7 +1716,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, return ret; } s->frame_size = 0; - return buf_size; + return buf_size + skipped; } static void mp_flush(MPADecodeContext *ctx) From eb681e1fac2cdbdf81d535217934144ead347166 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Sobala?= Date: Tue, 29 Sep 2015 15:25:07 +0200 Subject: [PATCH 453/700] lavf/img2dec: Fix memory leak Fixes #4886 Signed-off-by: Michael Niedermayer (cherry picked from commit 01dd7e025c246d9001f1a30f4a5d8fa2936d1a5e) --- libavformat/img2dec.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 1a31ac870b..78e2102308 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -440,14 +440,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } res = av_new_packet(pkt, size[0] + size[1] + size[2]); - if (res < 0) - return res; + if (res < 0) { + goto fail; + } pkt->stream_index = 0; pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; - if (stat(filename, &img_stat)) - return AVERROR(EIO); + if (stat(filename, &img_stat)) { + res = AVERROR(EIO); + goto fail; + } pkt->pts = (int64_t)img_stat.st_mtime; #if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC if (s->ts_from_file == 2) 
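Review bot: In ff_img_read_packet the stat() failure branch now does `goto fail` after av_new_packet() has already succeeded, and the `fail:` label added in the next hunk only closes the AVIO handles, so the packet buffer stays allocated on that path unless the caller releases it (not visible here). The later error branch calls av_free_packet(pkt) before jumping; doing the same here, `av_free_packet(pkt); res = AVERROR(EIO); goto fail;`, keeps the two paths consistent. The function body starts outside the hunk.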
@@ -481,18 +484,29 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) { av_free_packet(pkt); if (ret[0] < 0) { - return ret[0]; + res = ret[0]; } else if (ret[1] < 0) { - return ret[1]; - } else if (ret[2] < 0) - return ret[2]; - return AVERROR_EOF; + res = ret[1]; + } else if (ret[2] < 0) { + res = ret[2]; + } else { + res = AVERROR_EOF; + } + goto fail; } else { s->img_count++; s->img_number++; s->pts++; return 0; } + +fail: + if (!s->is_pipe) { + for (i = 0; i < 3; i++) { + avio_closep(&f[i]); + } + } + return res; } static int img_read_close(struct AVFormatContext* s1) From 3b7d4d8bd63cdcef8916d05c95d1789d2b858570 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2015 23:49:30 +0200 Subject: [PATCH 454/700] avcodec/ffv1: seperate slice_count from max_slice_count Fix segfault with too large slice_count Fixes Ticket4879 Signed-off-by: Michael Niedermayer (cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568) Conflicts: libavcodec/ffv1enc.c libavcodec/ffv1.c --- libavcodec/ffv1.c | 14 +++++++------- libavcodec/ffv1.h | 1 + libavcodec/ffv1dec.c | 8 +++++--- libavcodec/ffv1enc.c | 4 +++- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index ab58a6074f..6073bc4461 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -101,7 +101,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) av_cold int ffv1_init_slices_state(FFV1Context *f) { int i, ret; - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = f->slice_context[i]; if ((ret = ffv1_init_slice_state(f, fs)) < 0) return AVERROR(ENOMEM); 
@@ -113,10 +113,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) { int i; - f->slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->slice_count > 0); + f->max_slice_count = f->num_h_slices * f->num_v_slices; + av_assert0(f->max_slice_count > 0); - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; @@ -201,7 +201,7 @@ av_cold int ffv1_close(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->last_picture); av_frame_free(&s->last_picture.f); - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *fs = s->slice_context[j]; for (i = 0; i < s->plane_count; i++) { PlaneContext *p = &fs->plane[i]; @@ -215,14 +215,14 @@ av_cold int ffv1_close(AVCodecContext *avctx) av_freep(&avctx->stats_out); for (j = 0; j < s->quant_table_count; j++) { av_freep(&s->initial_states[j]); - for (i = 0; i < s->slice_count; i++) { + for (i = 0; i < s->max_slice_count; i++) { FFV1Context *sf = s->slice_context[i]; av_freep(&sf->rc_stat2[j]); } av_freep(&s->rc_stat2[j]); } - for (i = 0; i < s->slice_count; i++) + for (i = 0; i < s->max_slice_count; i++) av_freep(&s->slice_context[i]); return 0; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 5081397f54..cc354c385e 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -117,6 +117,7 @@ typedef struct FFV1Context { struct FFV1Context *slice_context[MAX_SLICES]; int slice_count; + int max_slice_count; int num_v_slices; int num_h_slices; int slice_width; diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 9e4088143b..e4c020b7c9 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
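Review bot: In ffv1_init_slice_contexts the product `f->num_h_slices * f->num_v_slices` is stored in max_slice_count and guarded only by `av_assert0(f->max_slice_count > 0)`, while the loop that follows uses it as the bound for per-slice contexts and ffv1.h declares `slice_context` with MAX_SLICES entries. If the callers do not already limit both factors (not visible in this hunk), a large or wrapped product either aborts in the assert or runs past the array, so I would return an error instead: `if (f->max_slice_count <= 0 || f->max_slice_count > MAX_SLICES) return AVERROR_INVALIDDATA;`. The same bound matters for the loops in ffv1_close that now iterate to max_slice_count. The loop body continues outside the hunk.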
@@ -770,6 +770,7 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n"); return AVERROR_INVALIDDATA; } + f->slice_count = f->max_slice_count; } else if (f->version < 3) { f->slice_count = get_symbol(c, state, 0); } else { @@ -784,8 +785,8 @@ static int read_header(FFV1Context *f) p -= size + trailer; } } - if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) { - av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count); + if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) { + av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count); return AVERROR_INVALIDDATA; } @@ -1008,6 +1009,7 @@ static int init_thread_copy(AVCodecContext *avctx) f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; + f->max_slice_count = 0; f->slice_count = 0; for (i = 0; i < f->quant_table_count; i++) { @@ -1083,7 +1085,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) av_assert0(!fdst->sample_buffer); } - av_assert1(fdst->slice_count == fsrc->slice_count); + av_assert1(fdst->max_slice_count == fsrc->max_slice_count); ff_thread_release_buffer(dst, &fdst->picture); diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index cf2a13dc6b..25b70d673e 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -961,6 +961,7 @@ slices_ok: if ((ret = ffv1_init_slice_contexts(s)) < 0) return ret; + s->slice_count = s->max_slice_count; if ((ret = ffv1_init_slices_state(s)) < 0) return ret; @@ -970,7 +971,7 @@ slices_ok: if (!avctx->stats_out) return AVERROR(ENOMEM); for (i = 0; i < s->quant_table_count; i++) - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *sf = s->slice_context[j]; av_assert0(!sf->rc_stat2[i]); sf->rc_stat2[i] = av_mallocz(s->context_count[i] * 
@@ -1194,6 +1195,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, for (i = 0; i < f->quant_table_count; i++) memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i])); + av_assert0(f->slice_count == f->max_slice_count); for (j = 0; j < f->slice_count; j++) { FFV1Context *fs = f->slice_context[j]; for (i = 0; i < 256; i++) { From cac62c8ad9f17fa8733d425c28b984d2be833351 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 20 Sep 2015 12:39:14 +0200 Subject: [PATCH 455/700] hevc: fix wpp threading deadlock. Fixes ticket 4258. (cherry picked from commit 74e4948235bc8f8946eeca20525258bbf383f75d) --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index cfd420b046..5a71a8b09c 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2350,6 +2350,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int if (more_data < 0) { s->tab_slice_address[ctb_addr_rs] = -1; + avpriv_atomic_int_set(&s1->wpp_err, 1); + ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP); return more_data; } From 7b6fced6b49f2e1c9a53a3a398a05d27d7ec932d Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 12 Sep 2015 21:50:24 +0200 Subject: [PATCH 456/700] hevc: properly handle no_rasl_output_flag when removing pictures from the DPB Fixes ticket #4185. Reviewed-By: Mickael Raulet Signed-off-by: Hendrik Leppkes (cherry picked from commit 0118158efa8e45761f9f65a3bb74f33907bd2aec) --- libavcodec/hevc.c | 5 +++++ libavcodec/hevc.h | 1 + libavcodec/hevc_refs.c | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 5a71a8b09c..2f440a6daf 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
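Review bot: The two lines added to the `more_data < 0` branch of hls_decode_entry_wpp carry no comment, and the reason for reporting progress from a failed row is not obvious from the code alone. Going by the commit message this is what releases rows waiting on the failed one, so a comment such as `/* flag the error and still report progress so dependent rows are not left waiting */` would keep a later cleanup from removing the call. The argument list also has a stray space in `ctb_row ,thread`. The function starts and ends outside the hunk.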
@@ -769,6 +769,8 @@ static int hls_slice_header(HEVCContext *s) s->HEVClc->tu.cu_qp_offset_cb = 0; s->HEVClc->tu.cu_qp_offset_cr = 0; + s->no_rasl_output_flag = IS_IDR(s) || IS_BLA(s) || (s->nal_unit_type == NAL_CRA_NUT && s->last_eos); + return 0; } @@ -3292,6 +3294,7 @@ static int hevc_update_thread_context(AVCodecContext *dst, s->pocTid0 = s0->pocTid0; s->max_ra = s0->max_ra; s->eos = s0->eos; + s->no_rasl_output_flag = s0->no_rasl_output_flag; s->is_nalff = s0->is_nalff; s->nal_length_size = s0->nal_length_size; @@ -3386,6 +3389,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx) s->enable_parallel_tiles = 0; s->picture_struct = 0; + s->eos = 1; if(avctx->active_thread_type & FF_THREAD_SLICE) s->threads_number = avctx->thread_count; @@ -3427,6 +3431,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); s->max_ra = INT_MAX; + s->eos = 1; } #define OFFSET(x) offsetof(HEVCContext, x) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index d88c7a527f..564e66e3e6 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -835,6 +835,7 @@ typedef struct HEVCContext { int bs_height; int is_decoded; + int no_rasl_output_flag; HEVCPredContext hpc; HEVCDSPContext hevcdsp; diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index b3a97871d5..dc35d3591a 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -158,7 +158,7 @@ int ff_hevc_output_frame(HEVCContext *s, AVFrame *out, int flush) int min_poc = INT_MAX; int i, min_idx, ret; - if (s->sh.no_output_of_prior_pics_flag == 1) { + if (s->sh.no_output_of_prior_pics_flag == 1 && s->no_rasl_output_flag == 1) { for (i = 0; i < FF_ARRAY_ELEMS(s->DPB); i++) { HEVCFrame *frame = &s->DPB[i]; if (!(frame->flags & HEVC_FRAME_FLAG_BUMPING) && frame->poc != s->poc && From 66b6ab355dc2c30d23983cbd31b02c0dee7f615d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 15 Sep 2015 04:01:27 +0200 Subject: [PATCH 457/700] avformat/avidec: Workaround broken initial frame Fixes Ticket4851 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2ef00394b8079e93835d47c993868229f07502) --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 621bd5f9fa..41d44c28a0 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1548,7 +1548,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) ast = st->priv_data; if (first_packet && first_packet_pos) { - data_offset = first_packet_pos - pos; + if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos) + data_offset = first_packet_pos - pos; first_packet = 0; } pos += data_offset; From 1024bcab6272ef4656e46c432074228f5bf743a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 04:08:42 +0200 Subject: [PATCH 458/700] avformat/oggenc: Check segments_count for headers too Fixes infinite loop and segfault in ogg_buffer_data() Fixes Ticket4806 Signed-off-by: Michael Niedermayer (cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7) --- libavformat/oggenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index daec4eeefb..321bee8587 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -257,7 +257,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, if (i == total_segments) page->granule = granule; - if (!header) { + { AVStream *st = s->streams[page->stream_index]; int64_t start = av_rescale_q(page->start_granule, st->time_base, 
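Review bot: The condition added in avi_read_idx1, `avi->movi_list + 4 != pos || pos + 500 > first_packet_pos`, decides whether index offsets are rebased using an unexplained constant of 500 and no comment, so the heuristic cannot be reviewed against the broken-first-frame case named in the commit message. I would add a comment stating which file layout the test detects and why 500 bytes is the threshold, and give the constant a name. Since both `pos` and `first_packet_pos` derive from file contents, their declarations (outside the hunk) should also be checked to confirm that `pos + 500` cannot wrap.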
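Review bot: Replacing `if (!header) {` with a bare `{` in ogg_buffer_data leaves a block whose only job is to scope a local `AVStream *st` that shadows the function's own `st` parameter. `start` and `next` are now also computed for header pages, although only the `else if (!header)` branch added in the following hunk reads them. Moving the three declarations into that branch would remove both the shadowing and the unused work, because the `segments_count == 255` flush needs none of them. The function starts and ends outside the hunk.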
@@ -265,10 +265,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, int64_t next = av_rescale_q(page->granule, st->time_base, AV_TIME_BASE_Q); - if (page->segments_count == 255 || - (ogg->pref_size > 0 && page->size >= ogg->pref_size) || - (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + if (page->segments_count == 255) { ogg_buffer_page(s, oggstream); + } else if (!header) { + if ((ogg->pref_size > 0 && page->size >= ogg->pref_size) || + (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + ogg_buffer_page(s, oggstream); + } } } } From 8b158bf62cbdc7cf66b2938041465ba269206355 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:49:21 +0200 Subject: [PATCH 459/700] avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check Fixes Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31) --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index ae96ee953d..2187264c2f 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -182,7 +182,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, buf += ctx->length_size; unit_type = *buf & 0x1f; - if (buf + nal_size > buf_end || nal_size < 0) + if (nal_size > buf_end - buf || nal_size < 0) goto fail; if (unit_type == 7) From 11579f7e4e9914a49a44c6f41468f9f017659be3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 23 Oct 2015 11:11:53 -0400 Subject: [PATCH 460/700] videodsp: don't overread edges in vfix3 emu_edge. Fixes trac ticket 3226. Also see Andreas' analysis in https://bugs.debian.org/801745, which was very helpful. (cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209) --- libavcodec/x86/videodsp.asm | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
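Review bot: The reordered bounds check in h264_mp4toannexb_filter runs only after `unit_type = *buf & 0x1f;` has already dereferenced the advanced pointer, so if `buf` can equal `buf_end` after `buf += ctx->length_size` (whether an earlier test excludes that is not visible in the hunk) one byte is read before the length is validated. Moving the read below the check keeps the access inside the validated range: `if (nal_size < 0 || nal_size > buf_end - buf) goto fail;` followed by `unit_type = *buf & 0x1f;`. A zero `nal_size` would still read a byte that is not part of the unit, so it is worth deciding whether empty units should be rejected here as well. The function starts and ends outside the hunk.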
diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm index 25d43640ab..48f5ac0ce6 100644 --- a/libavcodec/x86/videodsp.asm +++ b/libavcodec/x86/videodsp.asm @@ -194,8 +194,12 @@ hvar_fn %elif (%2-%%off) == 2 mov valw, [srcq+%2-2] %elifidn %1, body - mov vald, [srcq+%2-3] -%else + mov valb, [srcq+%2-1] + sal vald, 16 + mov valw, [srcq+%2-3] +%elifidn %1, bottom + movd mm %+ %%mmx_idx, [srcq+%2-4] +%else ; top movd mm %+ %%mmx_idx, [srcq+%2-3] %endif %endif ; (%2-%%off) >= 1 @@ -251,12 +255,15 @@ hvar_fn mov [dstq+%2-2], valw %elifidn %1, body mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %else movd vald, mm %+ %%mmx_idx +%ifidn %1, bottom + sar vald, 8 +%endif mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %endif %endif ; (%2-%%off) >= 1 From 22dbde85e7ffd54c9260d528eab069ff55e271c6 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 10 Jan 2015 18:00:08 +0100 Subject: [PATCH 461/700] vp9: avoid infinite loop with broken files With a certain fuzzed file, the parser will always return 0 consumed bytes, which makes calling code call the parser infinitely. Return the full packet size on error instead. (Here it would be nice if parsers could return errors at all.) Additionally, _if_ there's some data left, return that too, which might help with somewhat broken but still somehow playable files. Fixes ticket #4242. Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 09b4ad15681be197fff8c57ce7c988a4718d6e03) Signed-off-by: Andreas Cadhalpun --- libavcodec/vp9_parser.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index 922f36f381..b188785456 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -43,6 +43,7 @@ static int parse(AVCodecParserContext *ctx, const uint8_t *data, int size) { VP9ParseContext *s = ctx->priv_data; + int full_size = size; int marker; if (size <= 0) { 
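Review bot: The `body`, `bottom` and `top` cases in the first hunk now load the trailing bytes from three different offsets (`%2-1` plus `%2-3`, `%2-4`, and `%2-3`), with only a `; top` remark on the `%else`, so the reason each case may or may not touch the byte at `srcq+%2` is left to the reader. A comment per branch stating which bytes are read and why that stays in bounds, e.g. `; bottom: load the 4 bytes ending at %2-1 so nothing past the row end is read`, would document the overread fix. The `sar vald, 8` added for `bottom` in the store hunk should point back to that load, since it only makes sense together with the shifted offset. The macro starts and ends outside both hunks.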
@@ -77,12 +78,12 @@ static int parse(AVCodecParserContext *ctx, idx += a; \ if (sz > size) { \ s->n_frames = 0; \ - *out_size = 0; \ + *out_size = size; \ *out_data = data; \ av_log(avctx, AV_LOG_ERROR, \ "Superframe packet size too big: %u > %d\n", \ sz, size); \ - return size; \ + return full_size; \ } \ if (first) { \ first = 0; \ From cd76447d3d2473a9a4596c7fc7b2330d6f3e600e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 20:29:13 +0200 Subject: [PATCH 462/700] alsdec: limit avctx->bits_per_raw_sample to 32 avctx->bits_per_raw_sample is used in get_sbits_long, which only supports up to 32 bits. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4c2b88678b436f59132386d9be2fc143e3ee480d) Signed-off-by: Andreas Cadhalpun --- libavcodec/alsdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 708c71418a..1855f53921 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1702,6 +1702,12 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->sample_fmt = sconf->resolution > 1 ? AV_SAMPLE_FMT_S32 : AV_SAMPLE_FMT_S16; avctx->bits_per_raw_sample = (sconf->resolution + 1) * 8; + if (avctx->bits_per_raw_sample > 32) { + av_log(avctx, AV_LOG_ERROR, "Bits per raw sample %d larger than 32.\n", + avctx->bits_per_raw_sample); + ret = AVERROR_INVALIDDATA; + goto fail; + } } // set maximum Rice parameter for progressive decoding based on resolution From 1548223d29c939366d20923732b594f41d167253 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 21 Apr 2015 20:54:51 -0400 Subject: [PATCH 463/700] vp9: add support for resolution changes in inter frames. Signed-off-by: Michael Niedermayer (cherry picked from commit e8b4f6d6befc5062db74916ea8a4d830e83022a8) 
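Review bot: The error branch inside the vp9_parser macro now reports `size` bytes at `data` but returns `full_size`, and the reason for the two different lengths is only in the commit message. A comment in the branch would stop them from being unified again, e.g. `/* return the whole packet so the caller always advances, even on broken input */`. Since `*out_size = size` forwards data the parser has just found inconsistent (`sz > size`), the decoder behind it has to validate the superframe itself, which is worth stating there as well. The macro and `parse` both start and end outside the hunk.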
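Review bot: In the alsdec hunk the new range check runs after `avctx->bits_per_raw_sample` has already been assigned, so on the `goto fail` path the codec context keeps the out-of-range value. Checking the source field first avoids that: `if (sconf->resolution > 3) {` placed before the assignment rejects the same inputs, since the value is `(sconf->resolution + 1) * 8`. If `resolution` is parsed from the stream elsewhere, rejecting it at parse time would be better still. That code is outside the hunk, as are the `fail` label and the rest of decode_init.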
Signed-off-by: Andreas Cadhalpun --- libavcodec/vp9.c | 316 ++++++++++++++++++----------------- libavcodec/vp9_mc_template.c | 171 +++++++++++++++++++ libavcodec/vp9_parser.c | 5 +- libavcodec/vp9dsp.c | 205 +++++++++++++++++++++-- libavcodec/vp9dsp.h | 9 + 5 files changed, 535 insertions(+), 171 deletions(-) create mode 100644 libavcodec/vp9_mc_template.c diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index b3c5f621a7..28e6bc9109 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -240,7 +240,7 @@ typedef struct VP9Context { // whole-frame cache uint8_t *intra_pred_data[3]; struct VP9Filter *lflvl; - DECLARE_ALIGNED(32, uint8_t, edge_emu_buffer)[71*80]; + DECLARE_ALIGNED(32, uint8_t, edge_emu_buffer)[135*144]; // block reconstruction intermediates int block_alloc_using_2pass; @@ -249,6 +249,8 @@ typedef struct VP9Context { struct { int x, y; } min_mv, max_mv; DECLARE_ALIGNED(32, uint8_t, tmp_y)[64*64]; DECLARE_ALIGNED(32, uint8_t, tmp_uv)[2][32*32]; + uint16_t mvscale[3][2]; + uint8_t mvstep[3][2]; } VP9Context; static const uint8_t bwh_tab[2][N_BS_SIZES][2] = { @@ -583,6 +585,26 @@ static int decode_frame_header(AVCodecContext *ctx, s->varcompref[1] = 2; } } + + for (i = 0; i < 3; i++) { + AVFrame *ref = s->refs[s->refidx[i]].f; + int refw = ref->width, refh = ref->height; + + if (refw == w && refh == h) { + s->mvscale[i][0] = s->mvscale[i][1] = 0; + } else { + if (w * 2 < refw || h * 2 < refh || w > 16 * refw || h > 16 * refh) { + av_log(ctx, AV_LOG_ERROR, + "Invalid ref frame dimensions %dx%d for frame size %dx%d\n", + refw, refh, w, h); + return AVERROR_INVALIDDATA; + } + s->mvscale[i][0] = (refw << 14) / w; + s->mvscale[i][1] = (refh << 14) / h; + s->mvstep[i][0] = 16 * s->mvscale[i][0] >> 14; + s->mvstep[i][1] = 16 * s->mvscale[i][1] >> 14; + } + } } } s->refreshctx = s->errorres ? 0 : get_bits1(&s->gb); 
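Review bot: The 2x/16x limits in the new `for (i = 0; i < 3; i++)` loop of decode_frame_header are what keep `mvscale` within `uint16_t` and `mvstep` at or below 32, and the fixed scratch sizes added by this commit (such as `edge_emu_buffer[135*144]`) appear to depend on that, but nothing in the code says so. I would add a comment above the check, e.g. `/* ref at most 2x larger / 16x smaller: keeps mvstep <= 32, which bounds the scaled-MC scratch buffers */`. `ref->width` and `ref->height` are also read without a visible check that the reference slot holds a decoded frame; if an empty slot reports 0x0, it is caught only implicitly by `w > 16 * refw`, and an explicit test would make that intent clear. decode_frame_header starts and ends outside the hunk.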
@@ -2525,12 +2547,118 @@ static void intra_recon(AVCodecContext *ctx, ptrdiff_t y_off, ptrdiff_t uv_off) } } -static av_always_inline void mc_luma_dir(VP9Context *s, vp9_mc_func (*mc)[2], - uint8_t *dst, ptrdiff_t dst_stride, - const uint8_t *ref, ptrdiff_t ref_stride, - ThreadFrame *ref_frame, - ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, - int bw, int bh, int w, int h) +static av_always_inline void mc_luma_scaled(VP9Context *s, vp9_scaled_mc_func smc, + uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h, + const uint16_t *scale, const uint8_t *step) +{ +#define scale_mv(n, dim) (((int64_t)n * scale[dim]) >> 14) + // BUG libvpx seems to scale the two components separately. This introduces + // rounding errors but we have to reproduce them to be exactly compatible + // with the output from libvpx... + int mx = scale_mv(mv->x * 2, 0) + scale_mv(x * 16, 0); + int my = scale_mv(mv->y * 2, 1) + scale_mv(y * 16, 1); + int refbw_m1, refbh_m1; + int th; + + y = my >> 4; + x = mx >> 4; + ref += y * ref_stride + x; + mx &= 15; + my &= 15; + refbw_m1 = ((bw - 1) * step[0] + mx) >> 4; + refbh_m1 = ((bh - 1) * step[1] + my) >> 4; + // FIXME bilinear filter only needs 0/1 pixels, not 3/4 + // we use +7 because the last 7 pixels of each sbrow can be changed in + // the longest loopfilter of the next sbrow + th = (y + refbh_m1 + 4 + 7) >> 6; + ff_thread_await_progress(ref_frame, FFMAX(th, 0), 0); + if (x < 3 || y < 3 || x + 4 >= w - refbw_m1 || y + 4 >= h - refbh_m1) { + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref - 3 * ref_stride - 3, + 144, ref_stride, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref = s->edge_emu_buffer + 3 * 144 + 3; + ref_stride = 144; + } + smc(dst, dst_stride, ref, ref_stride, bh, mx, my, step[0], step[1]); +} + +static av_always_inline void mc_chroma_scaled(VP9Context *s, vp9_scaled_mc_func smc, + uint8_t 
*dst_u, uint8_t *dst_v, + ptrdiff_t dst_stride, + const uint8_t *ref_u, ptrdiff_t src_stride_u, + const uint8_t *ref_v, ptrdiff_t src_stride_v, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h, + const uint16_t *scale, const uint8_t *step) +{ + // BUG https://code.google.com/p/webm/issues/detail?id=820 + int mx = scale_mv(mv->x, 0) + (scale_mv(x * 16, 0) & ~15) + (scale_mv(x * 32, 0) & 15); + int my = scale_mv(mv->y, 1) + (scale_mv(y * 16, 1) & ~15) + (scale_mv(y * 32, 1) & 15); +#undef scale_mv + int refbw_m1, refbh_m1; + int th; + + y = my >> 4; + x = mx >> 4; + ref_u += y * src_stride_u + x; + ref_v += y * src_stride_v + x; + mx &= 15; + my &= 15; + refbw_m1 = ((bw - 1) * step[0] + mx) >> 4; + refbh_m1 = ((bh - 1) * step[1] + my) >> 4; + // FIXME bilinear filter only needs 0/1 pixels, not 3/4 + // we use +7 because the last 7 pixels of each sbrow can be changed in + // the longest loopfilter of the next sbrow + th = (y + refbh_m1 + 4 + 7) >> 5; + ff_thread_await_progress(ref_frame, FFMAX(th, 0), 0); + if (x < 3 || y < 3 || x + 4 >= w - refbw_m1 || y + 4 >= h - refbh_m1) { + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref_u - 3 * src_stride_u - 3, + 144, src_stride_u, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref_u = s->edge_emu_buffer + 3 * 144 + 3; + smc(dst_u, dst_stride, ref_u, 144, bh, mx, my, step[0], step[1]); + + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref_v - 3 * src_stride_v - 3, + 144, src_stride_v, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref_v = s->edge_emu_buffer + 3 * 144 + 3; + smc(dst_v, dst_stride, ref_v, 144, bh, mx, my, step[0], step[1]); + } else { + smc(dst_u, dst_stride, ref_u, src_stride_u, bh, mx, my, step[0], step[1]); + smc(dst_v, dst_stride, ref_v, src_stride_v, bh, mx, my, step[0], step[1]); + } +} + +#define FN(x) x##_scaled +#define mc_luma_dir(s, mc, dst, dst_ls, src, src_ls, tref, row, col, mv, bw, bh, w, h, i) \ + mc_luma_scaled(s, 
s->dsp.s##mc, dst, dst_ls, src, src_ls, tref, row, col, \ + mv, bw, bh, w, h, s->mvscale[b->ref[i]], s->mvstep[b->ref[i]]) +#define mc_chroma_dir(s, mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, i) \ + mc_chroma_scaled(s, s->dsp.s##mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, s->mvscale[b->ref[i]], s->mvstep[b->ref[i]]) +#include "vp9_mc_template.c" +#undef mc_luma_dir +#undef mc_chroma_dir +#undef FN + +static av_always_inline void mc_luma_unscaled(VP9Context *s, vp9_mc_func (*mc)[2], + uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h) { int mx = mv->x, my = mv->y, th; @@ -2557,14 +2685,14 @@ static av_always_inline void mc_luma_dir(VP9Context *s, vp9_mc_func (*mc)[2], mc[!!mx][!!my](dst, dst_stride, ref, ref_stride, bh, mx << 1, my << 1); } -static av_always_inline void mc_chroma_dir(VP9Context *s, vp9_mc_func (*mc)[2], - uint8_t *dst_u, uint8_t *dst_v, - ptrdiff_t dst_stride, - const uint8_t *ref_u, ptrdiff_t src_stride_u, - const uint8_t *ref_v, ptrdiff_t src_stride_v, - ThreadFrame *ref_frame, - ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, - int bw, int bh, int w, int h) +static av_always_inline void mc_chroma_unscaled(VP9Context *s, vp9_mc_func (*mc)[2], + uint8_t *dst_u, uint8_t *dst_v, + ptrdiff_t dst_stride, + const uint8_t *ref_u, ptrdiff_t src_stride_u, + const uint8_t *ref_v, ptrdiff_t src_stride_v, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h) { int mx = mv->x, my = mv->y, th; 
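Review bot: The scratch stride `144` is repeated as a bare literal in `mc_luma_scaled` and `mc_chroma_scaled`, and nothing ties it, or the 135-row height, to `edge_emu_buffer[135*144]` or to the block size passed to `emulated_edge_mc` (`refbw_m1 + 8` by `refbh_m1 + 8`). Those dimensions are computed from `step[]`, which is derived from stream data in another function, so the bound should be checked where the buffer is written: `av_assert2(refbw_m1 + 8 <= 144 && refbh_m1 + 8 <= 135);` before each `emulated_edge_mc` call. A named constant for the stride would also make the coupling to the struct declaration visible.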
@@ -2602,156 +2730,32 @@ static av_always_inline void mc_chroma_dir(VP9Context *s, vp9_mc_func (*mc)[2], } } +#define FN(x) x +#define mc_luma_dir(s, mc, dst, dst_ls, src, src_ls, tref, row, col, mv, bw, bh, w, h, i) \ + mc_luma_unscaled(s, s->dsp.mc, dst, dst_ls, src, src_ls, tref, row, col, \ + mv, bw, bh, w, h) +#define mc_chroma_dir(s, mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, i) \ + mc_chroma_unscaled(s, s->dsp.mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h) +#include "vp9_mc_template.c" +#undef mc_luma_dir_dir +#undef mc_chroma_dir_dir +#undef FN + static void inter_recon(AVCodecContext *ctx) { - static const uint8_t bwlog_tab[2][N_BS_SIZES] = { - { 0, 0, 1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4 }, - { 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4 }, - }; VP9Context *s = ctx->priv_data; VP9Block *b = s->b; int row = s->row, col = s->col; - ThreadFrame *tref1 = &s->refs[s->refidx[b->ref[0]]], *tref2; - AVFrame *ref1 = tref1->f, *ref2; - int w1 = ref1->width, h1 = ref1->height, w2, h2; - ptrdiff_t ls_y = s->y_stride, ls_uv = s->uv_stride; - if (b->comp) { - tref2 = &s->refs[s->refidx[b->ref[1]]]; - ref2 = tref2->f; - w2 = ref2->width; - h2 = ref2->height; - } - - // y inter pred - if (b->bs > BS_8x8) { - if (b->bs == BS_8x4) { - mc_luma_dir(s, s->dsp.mc[3][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 8, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[3][b->filter][0], - s->dst[0] + 4 * ls_y, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, col << 3, &b->mv[2][0], 8, 4, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[3][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 8, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[3][b->filter][1], - s->dst[0] + 4 * ls_y, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, col << 3, &b->mv[2][1], 8, 4, 
w2, h2); - } - } else if (b->bs == BS_4x8) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 4, 8, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0] + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, (col << 3) + 4, &b->mv[1][0], 4, 8, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 4, 8, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0] + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, (col << 3) + 4, &b->mv[1][1], 4, 8, w2, h2); - } - } else { - av_assert2(b->bs == BS_4x4); - - // FIXME if two horizontally adjacent blocks have the same MV, - // do a w8 instead of a w4 call - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0] + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, (col << 3) + 4, &b->mv[1][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], - s->dst[0] + 4 * ls_y, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, col << 3, &b->mv[2][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], - s->dst[0] + 4 * ls_y + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, (col << 3) + 4, &b->mv[3][0], 4, 4, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0] + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, (col << 3) + 4, &b->mv[1][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], - s->dst[0] + 4 * ls_y, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - 
(row << 3) + 4, col << 3, &b->mv[2][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], - s->dst[0] + 4 * ls_y + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, (col << 3) + 4, &b->mv[3][1], 4, 4, w2, h2); - } - } + if (s->mvscale[b->ref[0]][0] || (b->comp && s->mvscale[b->ref[1]][0])) { + inter_pred_scaled(ctx); } else { - int bwl = bwlog_tab[0][b->bs]; - int bw = bwh_tab[0][b->bs][0] * 4, bh = bwh_tab[0][b->bs][1] * 4; - - mc_luma_dir(s, s->dsp.mc[bwl][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0],bw, bh, w1, h1); - - if (b->comp) - mc_luma_dir(s, s->dsp.mc[bwl][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], bw, bh, w2, h2); + inter_pred(ctx); } - - // uv inter pred - { - int bwl = bwlog_tab[1][b->bs]; - int bw = bwh_tab[1][b->bs][0] * 4, bh = bwh_tab[1][b->bs][1] * 4; - VP56mv mvuv; - - w1 = (w1 + 1) >> 1; - h1 = (h1 + 1) >> 1; - if (b->comp) { - w2 = (w2 + 1) >> 1; - h2 = (h2 + 1) >> 1; - } - if (b->bs > BS_8x8) { - mvuv.x = ROUNDED_DIV(b->mv[0][0].x + b->mv[1][0].x + b->mv[2][0].x + b->mv[3][0].x, 4); - mvuv.y = ROUNDED_DIV(b->mv[0][0].y + b->mv[1][0].y + b->mv[2][0].y + b->mv[3][0].y, 4); - } else { - mvuv = b->mv[0][0]; - } - - mc_chroma_dir(s, s->dsp.mc[bwl][b->filter][0], - s->dst[1], s->dst[2], ls_uv, - ref1->data[1], ref1->linesize[1], - ref1->data[2], ref1->linesize[2], tref1, - row << 2, col << 2, &mvuv, bw, bh, w1, h1); - - if (b->comp) { - if (b->bs > BS_8x8) { - mvuv.x = ROUNDED_DIV(b->mv[0][1].x + b->mv[1][1].x + b->mv[2][1].x + b->mv[3][1].x, 4); - mvuv.y = ROUNDED_DIV(b->mv[0][1].y + b->mv[1][1].y + b->mv[2][1].y + b->mv[3][1].y, 4); - } else { - mvuv = b->mv[0][1]; - } - mc_chroma_dir(s, s->dsp.mc[bwl][b->filter][1], - s->dst[1], s->dst[2], ls_uv, - ref2->data[1], ref2->linesize[1], - ref2->data[2], ref2->linesize[2], tref2, - row << 2, col << 2, &mvuv, bw, bh, w2, h2); - } - } - if 
(!b->skip) { - /* mostly copied intra_reconn() */ + /* mostly copied intra_recon() */ int w4 = bwh_tab[1][b->bs][0] << 1, step1d = 1 << b->tx, n; int h4 = bwh_tab[1][b->bs][1] << 1, x, y, step = 1 << (b->tx * 2); diff --git a/libavcodec/vp9_mc_template.c b/libavcodec/vp9_mc_template.c new file mode 100644 index 0000000000..c6ae432e26 --- /dev/null +++ b/libavcodec/vp9_mc_template.c 
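Review bot: The two `#undef` lines after the second `#include "vp9_mc_template.c"` name macros that were never defined: `#undef mc_luma_dir_dir` and `#undef mc_chroma_dir_dir` should be `#undef mc_luma_dir` and `#undef mc_chroma_dir`, matching the block that follows the scaled include. As written, both helper macros stay defined for the rest of vp9.c, so a later use of either name would silently expand to the unscaled variant. inter_recon continues outside the hunk.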
@@ -0,0 +1,171 @@ +/* + * VP9 compatible video decoder + * + * Copyright (C) 2013 Ronald S. Bultje + * Copyright (C) 2013 Clément Bœsch + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +static void FN(inter_pred)(AVCodecContext *ctx) +{ + static const uint8_t bwlog_tab[2][N_BS_SIZES] = { + { 0, 0, 1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4 }, + { 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4 }, + }; + VP9Context *s = ctx->priv_data; + VP9Block *b = s->b; + int row = s->row, col = s->col; + ThreadFrame *tref1 = &s->refs[s->refidx[b->ref[0]]], *tref2; + AVFrame *ref1 = tref1->f, *ref2; + int w1 = ref1->width, h1 = ref1->height, w2, h2; + ptrdiff_t ls_y = s->y_stride, ls_uv = s->uv_stride; + + if (b->comp) { + tref2 = &s->refs[s->refidx[b->ref[1]]]; + ref2 = tref2->f; + w2 = ref2->width; + h2 = ref2->height; + } + + // y inter pred + if (b->bs > BS_8x8) { + if (b->bs == BS_8x4) { + mc_luma_dir(s, mc[3][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 8, 4, w1, h1, 0); + mc_luma_dir(s, mc[3][b->filter][0], + s->dst[0] + 4 * ls_y, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, col << 3, &b->mv[2][0], 8, 4, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[3][b->filter][1], s->dst[0], ls_y, 
+ ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 8, 4, w2, h2, 1); + mc_luma_dir(s, mc[3][b->filter][1], + s->dst[0] + 4 * ls_y, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, col << 3, &b->mv[2][1], 8, 4, w2, h2, 1); + } + } else if (b->bs == BS_4x8) { + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 4, 8, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0] + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, (col << 3) + 4, &b->mv[1][0], 4, 8, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 4, 8, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0] + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, (col << 3) + 4, &b->mv[1][1], 4, 8, w2, h2, 1); + } + } else { + av_assert2(b->bs == BS_4x4); + + // FIXME if two horizontally adjacent blocks have the same MV, + // do a w8 instead of a w4 call + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0] + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, (col << 3) + 4, &b->mv[1][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], + s->dst[0] + 4 * ls_y, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, col << 3, &b->mv[2][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], + s->dst[0] + 4 * ls_y + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, (col << 3) + 4, &b->mv[3][0], 4, 4, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0] + 4, ls_y, + 
ref2->data[0], ref2->linesize[0], tref2, + row << 3, (col << 3) + 4, &b->mv[1][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], + s->dst[0] + 4 * ls_y, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, col << 3, &b->mv[2][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], + s->dst[0] + 4 * ls_y + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, (col << 3) + 4, &b->mv[3][1], 4, 4, w2, h2, 1); + } + } + } else { + int bwl = bwlog_tab[0][b->bs]; + int bw = bwh_tab[0][b->bs][0] * 4, bh = bwh_tab[0][b->bs][1] * 4; + + mc_luma_dir(s, mc[bwl][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0],bw, bh, w1, h1, 0); + + if (b->comp) + mc_luma_dir(s, mc[bwl][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], bw, bh, w2, h2, 1); + } + + // uv inter pred + { + int bwl = bwlog_tab[1][b->bs]; + int bw = bwh_tab[1][b->bs][0] * 4, bh = bwh_tab[1][b->bs][1] * 4; + VP56mv mvuv; + + w1 = (w1 + 1) >> 1; + h1 = (h1 + 1) >> 1; + if (b->comp) { + w2 = (w2 + 1) >> 1; + h2 = (h2 + 1) >> 1; + } + if (b->bs > BS_8x8) { + mvuv.x = ROUNDED_DIV(b->mv[0][0].x + b->mv[1][0].x + b->mv[2][0].x + b->mv[3][0].x, 4); + mvuv.y = ROUNDED_DIV(b->mv[0][0].y + b->mv[1][0].y + b->mv[2][0].y + b->mv[3][0].y, 4); + } else { + mvuv = b->mv[0][0]; + } + + mc_chroma_dir(s, mc[bwl][b->filter][0], + s->dst[1], s->dst[2], ls_uv, + ref1->data[1], ref1->linesize[1], + ref1->data[2], ref1->linesize[2], tref1, + row << 2, col << 2, &mvuv, bw, bh, w1, h1, 0); + + if (b->comp) { + if (b->bs > BS_8x8) { + mvuv.x = ROUNDED_DIV(b->mv[0][1].x + b->mv[1][1].x + b->mv[2][1].x + b->mv[3][1].x, 4); + mvuv.y = ROUNDED_DIV(b->mv[0][1].y + b->mv[1][1].y + b->mv[2][1].y + b->mv[3][1].y, 4); + } else { + mvuv = b->mv[0][1]; + } + mc_chroma_dir(s, mc[bwl][b->filter][1], + s->dst[1], s->dst[2], ls_uv, + ref2->data[1], ref2->linesize[1], + ref2->data[2], 
ref2->linesize[2], tref2, + row << 2, col << 2, &mvuv, bw, bh, w2, h2, 1); + } + } +} diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index b188785456..8e55d2593e 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -1,5 +1,8 @@ /* - * Copyright (C) 2008 Michael Niedermayer + * VP9 compatible video decoder + * + * Copyright (C) 2013 Ronald S. Bultje + * Copyright (C) 2013 Clément Bœsch * * This file is part of FFmpeg. * diff --git a/libavcodec/vp9dsp.c b/libavcodec/vp9dsp.c index 6356adde32..95b7eb5c71 100644 --- a/libavcodec/vp9dsp.c +++ b/libavcodec/vp9dsp.c @@ -1707,8 +1707,9 @@ copy_avg_fn(4) #undef fpel_fn #undef copy_avg_fn -static const int8_t vp9_subpel_filters[3][15][8] = { +static const int16_t vp9_subpel_filters[3][16][8] = { [FILTER_8TAP_REGULAR] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { 0, 1, -5, 126, 8, -3, 1, 0 }, { -1, 3, -10, 122, 18, -6, 2, 0 }, { -1, 4, -13, 118, 27, -9, 3, -1 }, @@ -1725,6 +1726,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { { 0, 2, -6, 18, 122, -10, 3, -1 }, { 0, 1, -3, 8, 126, -5, 1, 0 }, }, [FILTER_8TAP_SHARP] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { -1, 3, -7, 127, 8, -3, 1, 0 }, { -2, 5, -13, 125, 17, -6, 3, -1 }, { -3, 7, -17, 121, 27, -10, 5, -2 }, @@ -1741,6 +1743,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { { -1, 3, -6, 17, 125, -13, 5, -2 }, { 0, 1, -3, 8, 127, -7, 3, -1 }, }, [FILTER_8TAP_SMOOTH] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { -3, -1, 32, 64, 38, 1, -3, 0 }, { -2, -2, 29, 63, 41, 2, -3, 0 }, { -2, -2, 26, 63, 43, 4, -4, 0 }, @@ -1772,7 +1775,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { static av_always_inline void do_8tap_1d_c(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *src, ptrdiff_t src_stride, int w, int h, ptrdiff_t ds, - const int8_t *filter, int avg) + const int16_t *filter, int avg) { do { int x; 
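Review bot: The new vp9_mc_template.c is a template rather than a normal translation unit, but no comment says so: it only compiles when the including file has defined `FN`, `mc_luma_dir` and `mc_chroma_dir`, and vp9.c includes it twice. A short header comment after the license block, listing those three macros and the arguments they receive, would document the contract. `tref2`, `ref2`, `w2` and `h2` are assigned only under `if (b->comp)`; every later use is under the same condition, and a one-line comment at the declarations would save readers from re-deriving that.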
@@ -1792,7 +1795,7 @@ static av_always_inline void do_8tap_1d_c(uint8_t *dst, ptrdiff_t dst_stride, #define filter_8tap_1d_fn(opn, opa, dir, ds) \ static av_noinline void opn##_8tap_1d_##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ - int w, int h, const int8_t *filter) \ + int w, int h, const int16_t *filter) \ { \ do_8tap_1d_c(dst, dst_stride, src, src_stride, w, h, ds, filter, opa); \ } @@ -1806,8 +1809,8 @@ filter_8tap_1d_fn(avg, 1, h, 1) static av_always_inline void do_8tap_2d_c(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *src, ptrdiff_t src_stride, - int w, int h, const int8_t *filterx, - const int8_t *filtery, int avg) + int w, int h, const int16_t *filterx, + const int16_t *filtery, int avg) { int tmp_h = h + 7; uint8_t tmp[64 * 71], *tmp_ptr = tmp; @@ -1842,8 +1845,8 @@ static av_always_inline void do_8tap_2d_c(uint8_t *dst, ptrdiff_t dst_stride, #define filter_8tap_2d_fn(opn, opa) \ static av_noinline void opn##_8tap_2d_hv_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ - int w, int h, const int8_t *filterx, \ - const int8_t *filtery) \ + int w, int h, const int16_t *filterx, \ + const int16_t *filtery) \ { \ do_8tap_2d_c(dst, dst_stride, src, src_stride, w, h, filterx, filtery, opa); \ } @@ -1853,15 +1856,13 @@ filter_8tap_2d_fn(avg, 1) #undef filter_8tap_2d_fn -#undef FILTER_8TAP - #define filter_fn_1d(sz, dir, dir_m, type, type_idx, avg) \ static void avg##_8tap_##type##_##sz##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ int h, int mx, int my) \ { \ avg##_8tap_1d_##dir##_c(dst, dst_stride, src, src_stride, sz, h, \ - vp9_subpel_filters[type_idx][dir_m - 1]); \ + vp9_subpel_filters[type_idx][dir_m]); \ } #define filter_fn_2d(sz, type, type_idx, avg) \ 
@@ -1870,8 +1871,8 @@ static void avg##_8tap_##type##_##sz##hv_c(uint8_t *dst, ptrdiff_t dst_stride, \ int h, int mx, int my) \ { \ avg##_8tap_2d_hv_c(dst, dst_stride, src, src_stride, sz, h, \ - vp9_subpel_filters[type_idx][mx - 1], \ - vp9_subpel_filters[type_idx][my - 1]); \ + vp9_subpel_filters[type_idx][mx], \ + vp9_subpel_filters[type_idx][my]); \ } #define FILTER_BILIN(src, x, mxy, stride) \ @@ -1957,8 +1958,6 @@ bilin_2d_fn(avg, 1) #undef bilin_2d_fn -#undef FILTER_BILIN - #define bilinf_fn_1d(sz, dir, dir_m, avg) \ static void avg##_bilin_##sz##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ 
@@ -2053,12 +2052,190 @@ static av_cold void vp9dsp_mc_init(VP9DSPContext *dsp) #undef init_subpel3 } +static av_always_inline void do_scaled_8tap_c(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *src, ptrdiff_t src_stride, + int w, int h, int mx, int my, + int dx, int dy, int avg, + const int16_t (*filters)[8]) +{ + int tmp_h = (((h - 1) * dy + my) >> 4) + 8; + uint8_t tmp[64 * 135], *tmp_ptr = tmp; + + src -= src_stride * 3; + do { + int x; + int imx = mx, ioff = 0; + + for (x = 0; x < w; x++) { + tmp_ptr[x] = FILTER_8TAP(src, ioff, filters[imx], 1); + imx += dx; + ioff += imx >> 4; + imx &= 0xf; + } + + tmp_ptr += 64; + src += src_stride; + } while (--tmp_h); + + tmp_ptr = tmp + 64 * 3; + do { + int x; + const int16_t *filter = filters[my]; + + for (x = 0; x < w; x++) + if (avg) { + dst[x] = (dst[x] + FILTER_8TAP(tmp_ptr, x, filter, 64) + 1) >> 1; + } else { + dst[x] = FILTER_8TAP(tmp_ptr, x, filter, 64); + } + + my += dy; + tmp_ptr += (my >> 4) * 64; + my &= 0xf; + dst += dst_stride; + } while (--h); +} + +#define scaled_filter_8tap_fn(opn, opa) \ +static av_noinline void opn##_scaled_8tap_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int w, int h, int mx, int my, int dx, int dy, \ + const int16_t (*filters)[8]) \ +{ \ + do_scaled_8tap_c(dst, dst_stride, src, src_stride, w, h, mx, my, dx, dy, \ + opa, filters); \ +} + +scaled_filter_8tap_fn(put, 0) +scaled_filter_8tap_fn(avg, 1) + +#undef scaled_filter_8tap_fn + +#undef FILTER_8TAP + +#define scaled_filter_fn(sz, type, type_idx, avg) \ +static void avg##_scaled_##type##_##sz##_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int h, int mx, int my, int dx, int dy) \ +{ \ + avg##_scaled_8tap_c(dst, dst_stride, src, src_stride, sz, h, mx, my, dx, dy, \ + vp9_subpel_filters[type_idx]); \ +} + +static av_always_inline void do_scaled_bilin_c(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *src, ptrdiff_t src_stride, + int w, int 
h, int mx, int my, + int dx, int dy, int avg) +{ + uint8_t tmp[64 * 129], *tmp_ptr = tmp; + int tmp_h = (((h - 1) * dy + my) >> 4) + 2; + + do { + int x; + int imx = mx, ioff = 0; + + for (x = 0; x < w; x++) { + tmp_ptr[x] = FILTER_BILIN(src, ioff, imx, 1); + imx += dx; + ioff += imx >> 4; + imx &= 0xf; + } + + tmp_ptr += 64; + src += src_stride; + } while (--tmp_h); + + tmp_ptr = tmp; + do { + int x; + + for (x = 0; x < w; x++) + if (avg) { + dst[x] = (dst[x] + FILTER_BILIN(tmp_ptr, x, my, 64) + 1) >> 1; + } else { + dst[x] = FILTER_BILIN(tmp_ptr, x, my, 64); + } + + my += dy; + tmp_ptr += (my >> 4) * 64; + my &= 0xf; + dst += dst_stride; + } while (--h); +} + +#define scaled_bilin_fn(opn, opa) \ +static av_noinline void opn##_scaled_bilin_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int w, int h, int mx, int my, int dx, int dy) \ +{ \ + do_scaled_bilin_c(dst, dst_stride, src, src_stride, w, h, mx, my, dx, dy, opa); \ +} + +scaled_bilin_fn(put, 0) +scaled_bilin_fn(avg, 1) + +#undef scaled_bilin_fn + +#undef FILTER_BILIN + +#define scaled_bilinf_fn(sz, avg) \ +static void avg##_scaled_bilin_##sz##_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int h, int mx, int my, int dx, int dy) \ +{ \ + avg##_scaled_bilin_c(dst, dst_stride, src, src_stride, sz, h, mx, my, dx, dy); \ +} + +#define scaled_filter_fns(sz, avg) \ +scaled_filter_fn(sz, regular, FILTER_8TAP_REGULAR, avg) \ +scaled_filter_fn(sz, smooth, FILTER_8TAP_SMOOTH, avg) \ +scaled_filter_fn(sz, sharp, FILTER_8TAP_SHARP, avg) \ +scaled_bilinf_fn(sz, avg) + +#define scaled_filter_fn_set(avg) \ +scaled_filter_fns(64, avg) \ +scaled_filter_fns(32, avg) \ +scaled_filter_fns(16, avg) \ +scaled_filter_fns(8, avg) \ +scaled_filter_fns(4, avg) + +scaled_filter_fn_set(put) +scaled_filter_fn_set(avg) + +#undef scaled_filter_fns +#undef scaled_filter_fn_set +#undef scaled_filter_fn +#undef scaled_bilinf_fn + +static av_cold void 
vp9dsp_scaled_mc_init(VP9DSPContext *dsp) +{ +#define init_scaled(idx1, idx2, sz, type) \ + dsp->smc[idx1][FILTER_8TAP_SMOOTH ][idx2] = type##_scaled_smooth_##sz##_c; \ + dsp->smc[idx1][FILTER_8TAP_REGULAR][idx2] = type##_scaled_regular_##sz##_c; \ + dsp->smc[idx1][FILTER_8TAP_SHARP ][idx2] = type##_scaled_sharp_##sz##_c; \ + dsp->smc[idx1][FILTER_BILINEAR ][idx2] = type##_scaled_bilin_##sz##_c + +#define init_scaled_put_avg(idx, sz) \ + init_scaled(idx, 0, sz, put); \ + init_scaled(idx, 1, sz, avg) + + init_scaled_put_avg(0, 64); + init_scaled_put_avg(1, 32); + init_scaled_put_avg(2, 16); + init_scaled_put_avg(3, 8); + init_scaled_put_avg(4, 4); + +#undef init_scaled_put_avg +#undef init_scaled +} + av_cold void ff_vp9dsp_init(VP9DSPContext *dsp) { vp9dsp_intrapred_init(dsp); vp9dsp_itxfm_init(dsp); vp9dsp_loopfilter_init(dsp); vp9dsp_mc_init(dsp); + vp9dsp_scaled_mc_init(dsp); if (ARCH_X86) ff_vp9dsp_init_x86(dsp); } diff --git a/libavcodec/vp9dsp.h b/libavcodec/vp9dsp.h index db0a92e210..33dfc09acd 100644 --- a/libavcodec/vp9dsp.h +++ b/libavcodec/vp9dsp.h @@ -32,6 +32,9 @@ typedef void (*vp9_mc_func)(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *ref, ptrdiff_t ref_stride, int h, int mx, int my); +typedef void (*vp9_scaled_mc_func)(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + int h, int mx, int my, int dx, int dy); typedef struct VP9DSPContext { /* @@ -109,6 +112,12 @@ typedef struct VP9DSPContext { * dst/stride are aligned by hsize */ vp9_mc_func mc[5][4][2][2][2]; + + /* + * for scalable MC, first 3 dimensions identical to above, the other two + * don't exist since it changes per stepsize. + */ + vp9_scaled_mc_func smc[5][4][2]; } VP9DSPContext; void ff_vp9dsp_init(VP9DSPContext *dsp); From 761bd6df06ec03aa32872712583852b20133d8ba Mon Sep 17 00:00:00 2001 
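Review bot: `do_scaled_8tap_c` and `do_scaled_bilin_c` fill fixed stack arrays (`tmp[64 * 135]` and `tmp[64 * 129]`) with `tmp_h` rows, and `tmp_h` is computed from the caller-supplied `h`, `dy` and `my` with no local bound. The sizes fit only while `h <= 64`, `my <= 15` and `dy <= 32`. As far as this patch shows, the limit on `dy` is enforced only by the reference-size check in vp9.c, so a later change there would become a stack overwrite here. I would state the invariant at the point of use, e.g. `av_assert2(tmp_h <= 135);` in the 8-tap version and `av_assert2(tmp_h <= 129);` in the bilinear one (assuming avassert.h is usable in this file), or at least a comment next to each array.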
From: Michael Niedermayer Date: Sat, 6 Jun 2015 00:59:16 +0200 Subject: [PATCH 464/700] avcodec/s302m: Only set the sample rate when some data is output This way ffplay chooses the mp2 stream for Ticket3890 Signed-off-by: Michael Niedermayer (cherry picked from commit 802cca5905abe1fe8392e85a812462b959889aaa) Signed-off-by: Andreas Cadhalpun --- libavcodec/s302m.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 7639a0f1c9..2ce1038330 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -79,7 +79,6 @@ static int s302m_parse_frame_header(AVCodecContext *avctx, const uint8_t *buf, case 8: avctx->channel_layout = AV_CH_LAYOUT_5POINT1_BACK | AV_CH_LAYOUT_STEREO_DOWNMIX; } - avctx->sample_rate = 48000; avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + 32 * (48000 / (buf_size * 8 / (avctx->channels * @@ -146,6 +145,8 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } } + avctx->sample_rate = 48000; + *got_frame_ptr = 1; return avpkt->size; From d4aeaa21732898b0a09943ff2d885e04254e3a68 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 26 Jun 2015 19:31:03 +0200 Subject: [PATCH 465/700] s302m: fix arithmetic exception If nb_samples is zero, the bit_rate calculation results in a division by zero. Since ff_get_buffer fails if frame->nb_samples is zero, this can be fixed by moving the bit_rate calculation after that function call. That also makes it possible to reuse the already calculated frame->nb_samples value. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627) Signed-off-by: Andreas Cadhalpun --- libavcodec/s302m.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 2ce1038330..61c0fe8f96 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c 
@@ -79,10 +79,6 @@ static int s302m_parse_frame_header(AVCodecContext *avctx, const uint8_t *buf, case 8: avctx->channel_layout = AV_CH_LAYOUT_5POINT1_BACK | AV_CH_LAYOUT_STEREO_DOWNMIX; } - avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + - 32 * (48000 / (buf_size * 8 / - (avctx->channels * - (avctx->bits_per_raw_sample + 4)))); return frame_size; } @@ -108,6 +104,8 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; + avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + + 32 * 48000 / frame->nb_samples; buf_size = (frame->nb_samples * avctx->channels / 2) * block_size; if (avctx->bits_per_raw_sample == 24) { From 85ef06c666d1b114c2a5370b21dfe43f365d57fa Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 27 Jun 2015 17:50:56 +0200 Subject: [PATCH 466/700] nutdec: check maxpos in read_sm_data before returning success Otherwise sm_size can be larger than size, which results in a negative packet size. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6b9fdf7f4f07926557048070cc2af3cfd0e3fe50) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index f5fd5b5447..cd1da9f13e 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -950,6 +950,9 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int AV_WL32(dst+4, skip_end); } + if (avio_tell(bc) >= maxpos) + return AVERROR_INVALIDDATA; + return 0; } From 87781f952b257beb582d6488b778e7f47516ed0a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 27 Jun 2015 20:16:12 +0200 Subject: [PATCH 467/700] wavpack: use get_bits_long to read up to 32 bits get_bits should not be used for more than 25 bits. Reviewed-by: Michael Niedermayer 
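Review bot: In s302m_decode_frame (libavcodec/s302m.c, second hunk) the new `32 * 48000 / frame->nb_samples` is safe only because ff_get_buffer() is expected to fail for a zero sample count, as the commit message explains, but nothing at the division says so. A one-line comment such as `/* nb_samples != 0 here: ff_get_buffer() above rejects empty frames */` would protect the guard if the call order changes again. The expression also rounds differently from the removed `32 * (48000 / ...)` form, because the multiplication now happens before the division; it is worth confirming that this is intended. The function body starts and ends outside the hunk.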
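Review bot: The added `avio_tell(bc) >= maxpos` test in read_sm_data (libavformat/nutdec.c) runs only at the very end of the function, so the side-data reads above it may already have consumed bytes beyond `maxpos`, and the failure is returned without a log line. Logging the condition, e.g. `av_log(s, AV_LOG_ERROR, "side data runs past packet end\n");`, would distinguish a truncated or malformed file from other AVERROR_INVALIDDATA returns. Whether the earlier reads are individually bounded cannot be seen from this hunk, which starts inside the function body.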
Signed-off-by: Andreas Cadhalpun (cherry picked from commit f9883a669c3df05a5c453428e080298c6511a17e) Signed-off-by: Andreas Cadhalpun --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b51a21cc9d..d91b66cf2a 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -155,7 +155,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (t >= 2) { if (get_bits_left(gb) < t - 1) goto error; - t = get_bits(gb, t - 1) | (1 << (t - 1)); + t = get_bits_long(gb, t - 1) | (1 << (t - 1)); } else { if (get_bits_left(gb) < 0) goto error; @@ -186,7 +186,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, } else { if (get_bits_left(gb) < t2 - 1) goto error; - t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } } From 10bf3c25591852b2f68cf206a3ffe604bda58275 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 2 Jul 2015 23:05:05 +0200 Subject: [PATCH 468/700] wavpack: limit extra_bits to 32 and use get_bits_long More than 32 bits can't be stored in an integer and get_bits should not be used with more than 25 bits. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit d0eff8857ceff2601f85037c930cbe61a88b611e) Signed-off-by: Andreas Cadhalpun --- libavcodec/wavpack.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d91b66cf2a..554367b32f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -271,7 +271,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { - S |= get_bits(&s->gb_extra_bits, s->extra_bits); + S |= get_bits_long(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S & 0xffff) * 3 + ((unsigned)S >> 16); } } 
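Review bot: In wv_get_value (libavcodec/wavpack.c) the read now uses get_bits_long(), but the companion term `(1 << (t - 1))` is still a shift of a signed int, which is undefined once `t - 1` reaches 31, and the commit title speaks of reads of up to 32 bits. The second hunk has the same pattern with `t2`. Unless `t` and `t2` are bounded below 32 outside these hunks, add an upper-bound check next to the existing `get_bits_left()` test and use an unsigned constant, `(1U << (t - 1))`. Both hunks sit in the middle of the function.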
@@ -835,7 +835,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0]) { + if (val[0] > 32) { + av_log(avctx, AV_LOG_ERROR, + "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + continue; + } else if (val[0]) { s->extra_bits = val[0]; } else if (val[1]) { s->shift = val[1]; From 6c36f0b57c6e80b7e5980fc3755c5f396254e622 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 10 Jul 2015 21:50:50 +0200 Subject: [PATCH 469/700] imc: use correct position for flcoeffs2 calculation flcoeffs2[pos] should be the log2 of flcoeffs1[pos]. flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf, causing problems further down. This seems to have been copied from imc_decode_level_coefficients in commit 4eb4bb3 without updating the position. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 75fd5ce4c1c0b2d96d71c74b650cefaaef519d27) Signed-off-by: Andreas Cadhalpun --- libavcodec/imc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index 6c9ffd7980..422d834a4e 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -426,7 +426,7 @@ static void imc_decode_level_coefficients_raw(IMCContext *q, int *levlCoeffBuf, pos = q->coef0_pos; flcoeffs1[pos] = 20000.0 / pow (2, levlCoeffBuf[0] * 0.18945); // 0.18945 = log2(10) * 0.05703125 - flcoeffs2[pos] = log2f(flcoeffs1[0]); + flcoeffs2[pos] = log2f(flcoeffs1[pos]); tmp = flcoeffs1[pos]; tmp2 = flcoeffs2[pos]; From 4202e9d9724471c339b207af647c13cc6689c615 Mon Sep 17 00:00:00 2001 
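Review bot: The new `val[0] > 32` branch in wavpack_decode_block (libavcodec/wavpack.c) still admits `extra_bits == 32`, the full width of a 32-bit int, so any shift by `s->extra_bits` elsewhere in the decoder would be out of range at that value. That code is not in this patch and should be checked. The branch also logs at AV_LOG_ERROR and then `continue`s, so decoding presumably proceeds with whatever `extra_bits` held before; returning AVERROR_INVALIDDATA when strict error recognition is requested would be safer. The surrounding metadata loop begins and ends outside the hunk.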
From: Michael Niedermayer Date: Sun, 12 Jul 2015 15:21:15 +0200 Subject: [PATCH 470/700] Merge commit 'd80811c94e068085aab797f9ba35790529126f85' * commit 'd80811c94e068085aab797f9ba35790529126f85': riff: Use the correct logging context Conflicts: libavformat/asfdec_o.c libavformat/avidec.c libavformat/dxa.c libavformat/matroskadec.c libavformat/mov.c libavformat/riff.h libavformat/riffdec.c libavformat/wavdec.c libavformat/wtvdec.c libavformat/xwma.c Merged-by: Michael Niedermayer (cherry picked from commit ba77fb61f741d9ab3bd12935527556055b2ffb2e) Signed-off-by: Andreas Cadhalpun --- libavformat/act.c | 2 +- libavformat/asfdec.c | 2 +- libavformat/avidec.c | 2 +- libavformat/dxa.c | 2 +- libavformat/matroskadec.c | 2 +- libavformat/mlvdec.c | 2 +- libavformat/mov.c | 2 +- libavformat/riff.h | 2 +- libavformat/riffdec.c | 5 +++-- libavformat/wavdec.c | 4 ++-- libavformat/wtvdec.c | 2 +- libavformat/xwma.c | 2 +- 12 files changed, 15 insertions(+), 14 deletions(-) diff --git a/libavformat/act.c b/libavformat/act.c index 3f223d57b6..faa693ccb9 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -75,7 +75,7 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(pb, st->codec, size); + ff_get_wav_header(s, pb, st->codec, size); /* 8000Hz (Fine-rec) file format has 10 bytes long diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index ffd9591edd..fcb4be42b2 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -423,7 +423,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) st->codec->codec_type = type; if (type == AVMEDIA_TYPE_AUDIO) { - int ret = ff_get_wav_header(pb, st->codec, type_specific_size); + int ret = ff_get_wav_header(s, pb, st->codec, type_specific_size); if (ret < 0) return ret; if (is_dvr_ms_audio) { diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 41d44c28a0..161e76a1dc 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
@@ -806,7 +806,7 @@ static int avi_read_header(AVFormatContext *s) // avio_skip(pb, size - 5 * 4); break; case AVMEDIA_TYPE_AUDIO: - ret = ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return ret; ast->dshow_block_align = st->codec->block_align; diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 6ad1c9ffac..9ddfbc3212 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -106,7 +106,7 @@ static int dxa_read_header(AVFormatContext *s) ast = avformat_new_stream(s, NULL); if (!ast) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, ast->codec, fsize); + ret = ff_get_wav_header(s, pb, ast->codec, fsize); if (ret < 0) return ret; if (ast->codec->sample_rate > 0) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 120a554d20..126625fa2e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1716,7 +1716,7 @@ static int matroska_parse_tracks(AVFormatContext *s) ffio_init_context(&b, track->codec_priv.data, track->codec_priv.size, 0, NULL, NULL, NULL, NULL); - ret = ff_get_wav_header(&b, st->codec, track->codec_priv.size); + ret = ff_get_wav_header(s, &b, st->codec, track->codec_priv.size); if (ret < 0) return ret; codec_id = st->codec->codec_id; diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 17bdb17e72..8db41e565e 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -142,7 +142,7 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f vst->codec->codec_tag = MKTAG('B', 'I', 'T', 16); size -= 164; } else if (ast && type == MKTAG('W', 'A', 'V', 'I') && size >= 16) { - ret = ff_get_wav_header(pb, ast->codec, 16); + ret = ff_get_wav_header(avctx, pb, ast->codec, 16); if (ret < 0) return ret; size -= 16; diff --git a/libavformat/mov.c b/libavformat/mov.c index 137bc6006b..fb5d402105 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -700,7 +700,7 @@ static int mov_read_wfex(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; st = c->fc->streams[c->fc->nb_streams-1]; - if ((ret = ff_get_wav_header(pb, st->codec, atom.size)) < 0) + if ((ret = ff_get_wav_header(c->fc, pb, st->codec, atom.size)) < 0) av_log(c->fc, AV_LOG_WARNING, "get_wav_header failed\n"); return ret; diff --git a/libavformat/riff.h b/libavformat/riff.h index e9256344f8..31345ec9e7 100644 --- a/libavformat/riff.h +++ b/libavformat/riff.h @@ -62,7 +62,7 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *t int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags); enum AVCodecID ff_wav_codec_get_id(unsigned int tag, int bps); -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size); +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec, int size); extern const AVCodecTag ff_codec_bmp_tags[]; // exposed through avformat_get_riff_video_tags() extern const AVCodecTag ff_codec_wav_tags[]; diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index fd3b583af2..567b2a4734 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -80,7 +80,8 @@ static void parse_waveformatex(AVIOContext *pb, AVCodecContext *c) } } -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, + AVCodecContext *codec, int size) { int id; @@ -125,7 +126,7 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) avio_skip(pb, size); } if (codec->sample_rate <= 0) { - av_log(NULL, AV_LOG_ERROR, + av_log(s, AV_LOG_ERROR, "Invalid sample rate: %d\n", codec->sample_rate); return AVERROR_INVALIDDATA; } diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 66fd7664f7..cf824d834e 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c 
@@ -128,7 +128,7 @@ static int wav_parse_fmt_tag(AVFormatContext *s, int64_t size, AVStream **st) if (!*st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, (*st)->codec, size); + ret = ff_get_wav_header(s, pb, (*st)->codec, size); if (ret < 0) return ret; handle_stream_probing(*st); @@ -662,7 +662,7 @@ static int w64_read_header(AVFormatContext *s) if (!memcmp(guid, ff_w64_guid_fmt, 16)) { /* subtract chunk header size - normal wav file doesn't count it */ - ret = ff_get_wav_header(pb, st->codec, size - 24); + ret = ff_get_wav_header(s, pb, st->codec, size - 24); if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 2a65ec2374..da02978d2a 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -670,7 +670,7 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, if (!st) return NULL; if (!ff_guidcmp(formattype, ff_format_waveformatex)) { - int ret = ff_get_wav_header(pb, st->codec, size); + int ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return NULL; } else { diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 5d29d0b99e..dec1c3ea53 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -75,7 +75,7 @@ static int xwma_read_header(AVFormatContext *s) if (!st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return ret; st->need_parsing = AVSTREAM_PARSE_NONE; From 0cf02e015bacdd7059db243847c71e0ef780997a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 11 Jul 2015 00:09:46 +0200 Subject: [PATCH 471/700] riffdec: prevent negative bit rate Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 189420cb561929e05f5cc4224cdca83740a24a32) Signed-off-by: Andreas Cadhalpun --- libavformat/riffdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 567b2a4734..d200116a87 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -94,6 +94,14 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, codec->sample_rate = avio_rl32(pb); codec->bit_rate = avio_rl32(pb) * 8; codec->block_align = avio_rl16(pb); + if (codec->bit_rate < 0) { + av_log(s, AV_LOG_WARNING, + "Invalid bit rate: %d\n", codec->bit_rate); + if (s->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + codec->bit_rate = 0; + } if (size == 14) { /* We're dealing with plain vanilla WAVEFORMAT */ codec->bits_per_coded_sample = 8; } else From 54133b7aebbcd485bd631c514be08aede9c3475c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 00:56:04 +0100 Subject: [PATCH 472/700] avcodec/mpeg12dec: Do not call show_bits() with invalid bits Fixes assertion failure Fixes: 63e50545709a6440d3d59f6426d58db9/signal_sigabrt_7ffff6ae7cc9_8189_3272a3010fd98ddf947c662bbde1ac13.ts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 973c3dba27d0b1a88c70f6661b6a90d2f2e50665) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 78888c7309..848b5f8d06 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1909,7 +1909,7 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, (left && show_bits(&s->gb, FFMIN(left, 23)) && !is_d10) || ((avctx->err_recognition & (AV_EF_BITSTREAM | AV_EF_AGGRESSIVE)) && left > 8)) { av_log(avctx, AV_LOG_ERROR, "end mismatch left=%d %0X\n", - left, show_bits(&s->gb, FFMIN(left, 23))); + left, left>0 ? show_bits(&s->gb, FFMIN(left, 23)) : 0); return -1; } else goto eos; From 4636eb8968807fc41154b361383b8df4f1b28984 Mon Sep 17 00:00:00 2001 
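Review bot: The `codec->bit_rate < 0` test in ff_get_wav_header (libavformat/riffdec.c) only catches products that land in the negative half of the int range. `avio_rl32(pb) * 8` is computed in unsigned arithmetic and wraps, so a large byte rate can wrap to a small positive value and pass. Reading the field into a local first and rejecting `byte_rate > INT_MAX / 8` before multiplying would cover both cases. The new code also dereferences `s->error_recognition`, so `s` can no longer be NULL even though av_log() tolerates that; the prototype in riff.h should carry a comment saying so.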
From: Andreas Cadhalpun Date: Fri, 6 Nov 2015 21:04:34 +0100 Subject: [PATCH 473/700] jvdec: avoid unsigned overflow in comparison The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size is 3, the right side overflows leading to a wrong result of the comparison and subsequently a heap buffer overflow. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85) Signed-off-by: Andreas Cadhalpun --- libavformat/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 21eb14d265..9053c61cf2 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct { static int read_probe(AVProbeData *pd) { - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; From 8beb5d17f1e135bdf14ceea4a59e2c00360e8c33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2015 20:05:27 +0100 Subject: [PATCH 474/700] avcodec/takdec: Use memove, avoid undefined memcpy() use Fixes: e214333cbd94c91228e624ff39329ce6/asan_generic_4a5159_6412_96cda2530e80607210ab41ccae3d456d.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7cea3430a56fb0ff6ef60f08620fd3875e7bfeb6) Signed-off-by: Andreas Cadhalpun --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 614385803d..0e29c6283e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -656,7 +656,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) *p1++ = v; } - memcpy(s->residues, &s->residues[tmp], 2 * filter_order); + memmove(s->residues, &s->residues[tmp], 2 * filter_order); } emms_c(); 
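Review bot: In read_probe (libavformat/jvdec.c) the size test can no longer wrap, but it is still evaluated after `pd->buf[0]` and `pd->buf[1]` have been read, and it compares a size_t with `pd->buf_size`, which is a signed int. Putting the length check first, `if (pd->buf_size >= 4 + (int)strlen(MAGIC) && pd->buf[0] == 'J' && ...`, removes both the reliance on probe-buffer padding and the mixed-sign comparison.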
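Review bot: The byte count `2 * filter_order` in decorrelate (libavcodec/takdec.c) hard-codes the element size of `s->residues`. Writing it as `memmove(s->residues, &s->residues[tmp], filter_order * sizeof(*s->residues));` keeps the copy correct if the array type ever changes. Whether `tmp + filter_order` stays inside the array is decided outside this hunk and deserves a short comment at this line.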
From b6a4abc7705f3bfea14f468ed5d45fcd88873be5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 10 Nov 2015 22:14:39 +0100 Subject: [PATCH 475/700] dvdsubdec: validate offset2 similar to offset1 If it is negative, it causes segmentation faults in decode_rle. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f621749d1181987b3f815c6766ea66d6c5d55198) Signed-off-by: Andreas Cadhalpun --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 222c71bdcf..62c9348668 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -346,7 +346,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: - if (offset1 >= 0) { + if (offset1 >= 0 && offset2 >= 0) { int w, h; uint8_t *bitmap; From d52df5cffa18860ae73bb5410c4430b40f25e4d6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 14 Nov 2015 22:46:46 +0100 Subject: [PATCH 476/700] mpegvideo: clear overread in clear_context Otherwise the h263p decoder can try to copy overread bytes, even though buffer is NULL. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6a69a175e7b5c5393528ed0f5753e41573fa0df2) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegvideo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index ade85e97ac..53d1873a94 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1316,6 +1316,7 @@ static void clear_context(MpegEncContext *s) s->parse_context.buffer = NULL; s->parse_context.buffer_size = 0; + s->parse_context.overread = 0; s->bitstream_buffer = NULL; s->allocated_bitstream_buffer_size = 0; s->picture = NULL; From cc0e35c44153f79401b97f988ab5d8bb26efcde3 Mon Sep 17 00:00:00 2001 
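Review bot: The guard at `the_end:` in decode_dvd_subtitles (libavcodec/dvdsubdec.c) now rejects negative offsets but does nothing about offsets at or beyond the end of the packet, and a subtitle with a missing second offset is dropped silently. If the upper bound is enforced inside decode_rle, a comment here should say so; otherwise both offsets should be compared with the packet size before use. A debug-level log for the rejected case would help when triaging malformed streams. The function body lies mostly outside the hunk.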
From: Andreas Cadhalpun Date: Sun, 15 Nov 2015 17:46:08 +0100 Subject: [PATCH 477/700] mxfdec: check edit_rate also for physical_track Previously only the edit_rate of material_track was checked. If it's negative, it causes assertion failures in av_rescale_rnd. Reviewed-by: Tim Nicholson Signed-off-by: Andreas Cadhalpun (cherry picked from commit 047bf82c181c1220b3087b37f28445f8b87a7a23) Signed-off-by: Andreas Cadhalpun --- libavformat/mxfdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 636a3d8932..34ec5527cf 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1596,6 +1596,16 @@ static int mxf_parse_physical_source_package(MXFContext *mxf, MXFTrack *source_t continue; } + if (physical_track->edit_rate.num <= 0 || + physical_track->edit_rate.den <= 0) { + av_log(mxf->fc, AV_LOG_WARNING, + "Invalid edit rate (%d/%d) found on structural" + " component #%d, defaulting to 25/1\n", + physical_track->edit_rate.num, + physical_track->edit_rate.den, i); + physical_track->edit_rate = (AVRational){25, 1}; + } + for (k = 0; k < physical_track->sequence->structural_components_count; k++) { if (!(mxf_tc = mxf_resolve_timecode_component(mxf, &physical_track->sequence->structural_components_refs[k]))) continue; From 3d1cbf388da79b203cdad9ca0046df33b47da476 Mon Sep 17 00:00:00 2001 From: Emanuel Czirai Date: Mon, 3 Aug 2015 00:58:46 +0200 Subject: [PATCH 478/700] libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() related to ticket4749 Signed-off-by: Michael Niedermayer (cherry picked from commit 7ab1c57a64b629455805d7fa74a8a20c689fc1f6) Conflicts: libavcodec/aacdec_template.c (cherry picked from commit dabb6dd98af52a22a922bca4a9196acf68b084dd) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 61efc2579b..44066f13e3 100644 --- a/libavcodec/aacdec.c 
+++ b/libavcodec/aacdec.c @@ -3134,7 +3134,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, if (INT_MAX / 8 <= buf_size) return AVERROR_INVALIDDATA; - if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + if ((err = init_get_bits8(&gb, buf, buf_size)) < 0) return err; switch (ac->oc[1].m4ac.object_type) { From 27ffd266fce440a3d13bf4192d7febd1e7aaca99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Aug 2015 03:11:15 +0200 Subject: [PATCH 479/700] avcodec/dcaenc: clear bitstream end This avoids leaving uninitialized bits in the output Signed-off-by: Michael Niedermayer (cherry picked from commit e322b7061f873e8fd33b9e518caa19b87616a528) Signed-off-by: Michael Niedermayer --- libavcodec/dcaenc.c | 4 ++++ tests/fate/acodec.mak | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dcaenc.c b/libavcodec/dcaenc.c index 905cdc9ade..182494a208 100644 --- a/libavcodec/dcaenc.c +++ b/libavcodec/dcaenc.c @@ -939,6 +939,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, for (i = 0; i < SUBFRAMES; i++) put_subframe(c, i); + + for (i = put_bits_count(&c->pb); i < 8*c->frame_size; i++) + put_bits(&c->pb, 1, 0); + flush_put_bits(&c->pb); avpkt->pts = frame->pts; diff --git a/tests/fate/acodec.mak b/tests/fate/acodec.mak index 325bbd9e32..37fc688730 100644 --- a/tests/fate/acodec.mak +++ b/tests/fate/acodec.mak @@ -103,7 +103,7 @@ fate-acodec-dca: tests/data/asynth-44100-2.wav fate-acodec-dca: SRC = tests/data/asynth-44100-2.wav fate-acodec-dca: CMD = md5 -i $(TARGET_PATH)/$(SRC) -c:a dca -strict -2 -f dts -flags +bitexact fate-acodec-dca: CMP = oneline -fate-acodec-dca: REF = fe28cef432ed88de4ee01b87537fd2bd +fate-acodec-dca: REF = c54ca9a13711755ef90fa143a9b38386 FATE_ACODEC-$(call ENCDEC, DCA, WAV) += fate-acodec-dca2 fate-acodec-dca2: CMD = enc_dec_pcm dts wav s16le $(SRC) -c:a dca -strict -2 -flags +bitexact From 0bdf0cfa00e58c6f10cc017e75aa0c8aefd94229 Mon Sep 17 00:00:00 2001 
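Review bot: The padding loop in encode_frame (libavcodec/dcaenc.c) assumes the bit writer is at or below `8*c->frame_size`. If the subframes ever produced more bits than that, the loop would be skipped and the overrun would go unnoticed. An assertion before the loop, e.g. `av_assert0(put_bits_count(&c->pb) <= 8*c->frame_size);`, would document the invariant. The hunk does not show whether the packet buffer is allocated with at least `frame_size` bytes, so that should be confirmed too.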
From: Michael Niedermayer Date: Sat, 15 Aug 2015 14:54:36 +0200 Subject: [PATCH 480/700] avcodec/svq1enc: Check dimensions Fixes assertion failure Signed-off-by: Michael Niedermayer (cherry picked from commit 88fe45e0fe379d7ea86c8ac1e1e8cf2c3f62389f) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 2a0d78043a..493027dfb5 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -514,6 +514,11 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int ret; + if (avctx->width >= 4096 || avctx->height >= 4096) { + av_log(avctx, AV_LOG_ERROR, "Dimensions too large, maximum is 4095x4095\n"); + return AVERROR(EINVAL); + } + ff_hpeldsp_init(&s->hdsp, avctx->flags); ff_me_cmp_init(&s->mecc, avctx); ff_mpegvideoencdsp_init(&s->m.mpvencdsp, avctx); From e11f85a4a524f73e13222981ea55f6971e96c019 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2015 15:21:04 +0200 Subject: [PATCH 481/700] avcodec/flashsvenc: Correct max dimension in error message Signed-off-by: Michael Niedermayer (cherry picked from commit b1f59bb6606721ef5eeade4ada541630d51510fe) Signed-off-by: Michael Niedermayer --- libavcodec/flashsvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index 14e8adab2e..2a6854750d 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -111,7 +111,7 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx) if (avctx->width > 4095 || avctx->height > 4095) { av_log(avctx, AV_LOG_ERROR, - "Input dimensions too large, input must be max 4096x4096 !\n"); + "Input dimensions too large, input must be max 4095x4095 !\n"); return AVERROR_INVALIDDATA; } From 905853cd402e1c32e634ea6f7ddfcaf59972515d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 20 Aug 2015 03:35:10 +0200 Subject: [PATCH 482/700] avformat/mux: Update sidedata in ff_write_chained() Fixes Ticket4777 Signed-off-by: Michael Niedermayer (cherry picked from commit db91e0edb63afc682ae709f73e3732a4c832944d) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mux.c b/libavformat/mux.c index 023832c336..a0165738f6 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -998,6 +998,8 @@ int ff_write_chained(AVFormatContext *dst, int dst_stream, AVPacket *pkt, if (interleave) ret = av_interleaved_write_frame(dst, &local_pkt); else ret = av_write_frame(dst, &local_pkt); pkt->buf = local_pkt.buf; + pkt->side_data = local_pkt.side_data; + pkt->side_data_elems = local_pkt.side_data_elems; pkt->destruct = local_pkt.destruct; return ret; } From 60e398f280d257ac56b1a90e5bffae8cd7dad364 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:02:05 +0200 Subject: [PATCH 483/700] ffmpeg: check avpicture_fill() return value Signed-off-by: Michael Niedermayer (cherry picked from commit 15ff3f3fdfc788c0e4e584badd7ec300abfbd716) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 43762edcd7..343728bd7d 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
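Review bot: In ff_write_chained (libavformat/mux.c) the side-data pointer and count are copied back into `pkt` unconditionally. That includes the case where the write failed and, on the interleaved path, the case where the muxer may have taken over or released what `local_pkt` referenced. A comment stating who owns `side_data` after av_interleaved_write_frame() returns, or resetting the two fields when `ret < 0`, would make the lifetime explicit and rule out a dangling pointer in the caller's packet. The existing `pkt->buf` copy-back follows the same pattern, so the two should be reasoned about together.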
@@ -1759,7 +1759,11 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ - avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "avpicture_fill failed\n"); + exit_program(1); + } opkt.data = (uint8_t *)&pict; opkt.size = sizeof(AVPicture); opkt.flags |= AV_PKT_FLAG_KEY; From 5ab1f188534aaf44a43ccebccf0ffacd914beef5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:16:31 +0200 Subject: [PATCH 484/700] ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE The null muxer has AVFMT_RAWPICTURE set but can be fed with non-raw material related to Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit c8890941d63df786bb7a8cab92677416499bb7c3) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 343728bd7d..751483fe0f 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1757,7 +1757,9 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p } av_copy_packet_side_data(&opkt, pkt); - if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { + if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + ost->st->codec->codec_id == AV_CODEC_ID_RAWVIDEO && + (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); if (ret < 0) { 
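Review bot: The new failure path in do_streamcopy (ffmpeg.c) prints "avpicture_fill failed" without the error code, so the cause is lost before exit_program() runs. Include it: `av_log(NULL, AV_LOG_FATAL, "avpicture_fill failed: %s\n", av_err2str(ret));`. The av_parser_change() check added later in this series has the same gap.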
From 58e424cdeedcbdceadd9bc8444745ea2da277d13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 03:02:55 +0200 Subject: [PATCH 485/700] ffmpeg: Check av_parser_change() for failure No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit ac0ba6f233698f02ebb75b03242e94333dbe13d4) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 751483fe0f..65bb381489 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1743,10 +1743,15 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 ) { - if (av_parser_change(ost->parser, ost->st->codec, + int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, - pkt->flags & AV_PKT_FLAG_KEY)) { + pkt->flags & AV_PKT_FLAG_KEY); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "av_parser_change failed\n"); + exit_program(1); + } + if (ret) { opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0); if (!opkt.buf) exit_program(1); From 00ae76c3d00233a5897ba117a0ec5b00025bb29d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 03:04:41 +0200 Subject: [PATCH 486/700] ffmpeg: Use correct codec_id for av_parser_change() check No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 45f3d4e63e7807ff3d281f269625ed83f11e4cdc) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 65bb381489..a392d98d93 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
@@ -1736,12 +1736,11 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p opkt.duration = av_rescale_q(pkt->duration, ist->st->time_base, ost->st->time_base); opkt.flags = pkt->flags; - // FIXME remove the following 2 lines they shall be replaced by the bitstream filters - if ( ost->enc_ctx->codec_id != AV_CODEC_ID_H264 - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG1VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 + if ( ost->st->codec->codec_id != AV_CODEC_ID_H264 + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG1VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_VC1 ) { int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, From df27f8d5fd727135bbfefb9a1e45fd4569773a70 Mon Sep 17 00:00:00 2001 From: Arthur Grant Date: Mon, 24 Aug 2015 12:19:03 +0200 Subject: [PATCH 487/700] avformat/hevc: Fix parsing errors Signed-off-by: Michael Niedermayer (cherry picked from commit 781efd07415cdf6f676cca5b22147e5d6be0a4c4) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 32192badca..9932d92298 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -565,7 +565,8 @@ static int hvcc_parse_sps(GetBitContext *gb, } if (get_bits1(gb)) { // long_term_ref_pics_present_flag - for (i = 0; i < get_ue_golomb_long(gb); i++) { // num_long_term_ref_pics_sps + unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] skip_bits1(gb); // used_by_curr_pic_lt_sps_flag[i] 
@@ -616,11 +617,12 @@ static int hvcc_parse_pps(GetBitContext *gb, get_se_golomb_long(gb); // pps_cr_qp_offset /* + * pps_slice_chroma_qp_offsets_present_flag u(1) * weighted_pred_flag u(1) * weighted_bipred_flag u(1) * transquant_bypass_enabled_flag u(1) */ - skip_bits(gb, 3); + skip_bits(gb, 4); tiles_enabled_flag = get_bits1(gb); entropy_coding_sync_enabled_flag = get_bits1(gb); From 221abc1ef63ae962e57bc98801f61b6f580d17ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Aug 2015 13:04:38 +0200 Subject: [PATCH 488/700] avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops Signed-off-by: Michael Niedermayer (cherry picked from commit ee155c18a2c50b339ba5f6f223fbb6dc343fd471) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 9932d92298..f403e1c522 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -566,6 +566,8 @@ static int hvcc_parse_sps(GetBitContext *gb, if (get_bits1(gb)) { // long_term_ref_pics_present_flag unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (num_long_term_ref_pics_sps > 31U) + return AVERROR_INVALIDDATA; for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] From 377d68f9f4ab8f7affa9a8db640dc58fe1ed96d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 12:44:31 +0200 Subject: [PATCH 489/700] avcodec/libopusenc: Fix infinite loop on flushing after 0 input Signed-off-by: Michael Niedermayer (cherry picked from commit 6701c92fa4269872856c70c3170a9b3291b46247) Signed-off-by: Michael Niedermayer --- libavcodec/libopusenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 6bb48628ab..1d665b9b7c 100644 --- a/libavcodec/libopusenc.c 
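Review bot: The bound `> 31U` on num_long_term_ref_pics_sps in hvcc_parse_sps() is a bare number and may be one too strict. As far as I recall, the HEVC specification allows 0 to 32 inclusive, which should be confirmed against the spec text. A named constant with the permitted range in a comment would make the limit checkable, for example `if (num_long_term_ref_pics_sps > HVCC_MAX_LT_REF_PICS_SPS) /* spec range 0..N */`, where the constant name is a placeholder. The function body continues outside the hunk.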
+++ b/libavcodec/libopusenc.c @@ -326,7 +326,7 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, } else audio = frame->data[0]; } else { - if (!opus->afq.remaining_samples) + if (!opus->afq.remaining_samples || (!opus->afq.frame_alloc && !opus->afq.frame_count)) return 0; audio = opus->samples; memset(audio, 0, opus->opts.packet_size * sample_size); From ffa2f97e01bb3fe16e6e92cd35add22102e93438 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Sep 2015 02:45:10 +0200 Subject: [PATCH 490/700] avcodec/mpeg12dec: Set dimensions in mpeg1_decode_sequence() only in absence of errors Fixes assertion failure Fixes: 56dcafde14a8397161bb61a16c511179/signal_sigabrt_7ffff6ac8cc9_686_cov_1897408623_microsoft_new_way_to_shove_mpeg2_in_asf.dvr_ms Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b54e03c9dc2a05324c08b503bfe7535c49c0f281) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 848b5f8d06..be48162969 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2133,8 +2133,6 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Marker in sequence header missing\n"); return AVERROR_INVALIDDATA; } - s->width = width; - s->height = height; s->avctx->rc_buffer_size = get_bits(&s->gb, 10) * 1024 * 16; skip_bits(&s->gb, 1); @@ -2166,6 +2164,9 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + s->width = width; + s->height = height; + /* We set MPEG-2 parameters so that it emulates MPEG-1. */ s->progressive_sequence = 1; s->progressive_frame = 1; From 93f5d0c536c3400e772ae37185598b6a9618befb Mon Sep 17 00:00:00 2001 
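Review bot: The added test `(!opus->afq.frame_alloc && !opus->afq.frame_count)` in the flush branch of libopus_encode() reads internal AudioFrameQueue fields with no explanation of which state it detects. A comment such as `/* flush requested but no frame was ever queued: nothing to pad out */` above the condition would keep a later cleanup from removing it and bringing back the endless flush. That wording is inferred from the commit subject and should be checked against the queue's semantics. The function starts and ends outside the hunk.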
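Review bot: The assignment of `s->width` and `s->height` now sits after the last visible `return AVERROR_INVALIDDATA` in mpeg1_decode_sequence(), but nothing at the new position says the placement is deliberate. A comment like `/* store the dimensions only once the whole sequence header has been validated */` above the two lines would keep them from being moved back up. The function starts and ends outside the hunk.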
From: Michael Niedermayer Date: Tue, 1 Sep 2015 04:57:22 +0200 Subject: [PATCH 491/700] avcodec/truemotion1: Check for even width Fixes out of array access Fixes: 87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 63fb5a6aefb4223334001fd2c0d82a5e22e3b528) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 660ecf5413..b2de889c46 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -402,6 +402,10 @@ static int truemotion1_decode_header(TrueMotion1Context *s) new_pix_fmt = AV_PIX_FMT_RGB555; // RGB565 is supported as well s->w >>= width_shift; + if (s->w & 1) { + avpriv_request_sample(s->avctx, "Frame with odd width"); + return AVERROR_PATCHWELCOME; + } if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { From 9bbe777f8f2297f40042733b3dd948356be9aa09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:49:44 +0200 Subject: [PATCH 492/700] avformat/dump: Fix integer overflow in aspect ratio calculation Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d1bdaf3fb2c45020f72a378bb64eab1bf136581c) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index 56b37ff7d8..df102e6c65 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c 
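Review bot: The odd-width check in truemotion1_decode_header() runs after `s->w >>= width_shift;` has already stored the value, so on the `AVERROR_PATCHWELCOME` return the context keeps a width that was just rejected. Whether any later code reads `s->w` without re-parsing the header is not visible here. Testing before the store avoids the question, e.g. `if ((s->w >> width_shift) & 1) {` placed ahead of the shift. The function starts and ends outside the hunk.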
@@ -371,8 +371,8 @@ static void dump_stream_format(AVFormatContext *ic, int i, av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)) { AVRational display_aspect_ratio; av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - st->codec->width * st->sample_aspect_ratio.num, - st->codec->height * st->sample_aspect_ratio.den, + st->codec->width * (int64_t)st->sample_aspect_ratio.num, + st->codec->height * (int64_t)st->sample_aspect_ratio.den, 1024 * 1024); av_log(NULL, AV_LOG_INFO, ", SAR %d:%d DAR %d:%d", st->sample_aspect_ratio.num, st->sample_aspect_ratio.den, From b2d7e555844225ad78660238ff8fa8618700d87b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:00:05 +0200 Subject: [PATCH 493/700] avutil/common: Document FFABS() corner case Signed-off-by: Michael Niedermayer (cherry picked from commit 733511fb53fedd3adaaeabc5db9d0b29e71ea1d3) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/common.h b/libavutil/common.h index c82a3a6240..a48959d82a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -58,6 +58,12 @@ : ((a) + (1<<(b)) - 1) >> (b)) #define FFUDIV(a,b) (((a)>0 ?(a):(a)-(b)+1) / (b)) #define FFUMOD(a,b) ((a)-(b)*FFUDIV(a,b)) + +/** + * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they + * are not representable as absolute values of their type. This is the same + * as with *abs() + */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) From 8ebeefecf71ed6dbc285a240f9852077086a06d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:17:24 +0200 Subject: [PATCH 494/700] avutil/common: Add FFNABS() This macro avoids the undefined corner case with the *_MIN values Previous version Reviewed-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit d6cd614dac579850076ae312c29c4188f8659e46) 
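Review bot: The new comment on FFABS() in common.h documents the *_MIN corner case but not that the macro evaluates its argument twice, which is the other way a caller gets surprising results from it. I would add `The argument is evaluated twice and must not have side effects.` and tidy the opening to `Absolute value. Note: INT_MIN / INT64_MIN are not representable as absolute values of their type, so passing them is undefined behavior.`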
Signed-off-by: Michael Niedermayer --- libavutil/common.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavutil/common.h b/libavutil/common.h index a48959d82a..526f5c6e51 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -63,10 +63,19 @@ * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they * are not representable as absolute values of their type. This is the same * as with *abs() + * @see FFNABS() */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) +/** + * Negative Absolute value. + * this works for all integers of all types. + * As with many macros, this evaluates its argument twice, it thus must not have + * a sideeffect, that is FFNABS(x++) has undefined behavior. + */ +#define FFNABS(a) ((a) <= 0 ? (a) : (-(a))) + #define FFMAX(a,b) ((a) > (b) ? (a) : (b)) #define FFMAX3(a,b,c) FFMAX(FFMAX(a,b),c) #define FFMIN(a,b) ((a) > (b) ? (b) : (a)) From 4531c0dc8fe13128702972fae7b355f3bfdcf058 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 09:20:23 +0200 Subject: [PATCH 495/700] avformat/mov: Fix integer overflow in FFABS Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index fb5d402105..d0eb63404b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2177,7 +2177,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "count=%d, duration=%d\n", count, duration); - if (FFABS(duration) > (1<<28) && i+2fc, AV_LOG_WARNING, "CTTS invalid\n"); av_freep(&sc->ctts_data); sc->ctts_count = 0; From 2c08fc9b28aebb3ecdf3d42b5075cfd085292fdf Mon Sep 17 00:00:00 2001 
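Review bot: The FFNABS() comment claims the macro `works for all integers of all types`, which does not hold for unsigned operands. There `-(a)` wraps modulo 2^N, so the result is a large positive number rather than a negative one. Narrowing the sentence to `this works for all signed integer types, including their *_MIN values` keeps callers from relying on it for `unsigned` or `size_t` arguments. The side-effect sentence could also say that `FFNABS(x++)` increments twice rather than calling it undefined, since the conditional operator sequences the two evaluations.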
From: Michael Niedermayer Date: Thu, 3 Sep 2015 09:22:31 +0200 Subject: [PATCH 496/700] swresample/swresample: Fix integer overflow in seed calculation Fixes CID1322333 Signed-off-by: Michael Niedermayer (cherry picked from commit 32f53958b8f6ed4c3c2a7447c1e47d012796fae2) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index dbcb42e817..bf41332ee0 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -644,7 +644,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co return ret; if(ret) for(ch=0; chdither.noise.ch_count; ch++) - if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt))<0) + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, (12345678913579ULL*ch + 3141592) % 2718281828U, s->dither.noise.fmt))<0) return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); From 7528e36774e2a47507a1fa12cb50b4075901816f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:18:13 +0200 Subject: [PATCH 497/700] avcodec/tta: Check init_get_bits8() for failure Fixes: CID1322319 Signed-off-by: Michael Niedermayer (cherry picked from commit f1593e4ca564cdb7f3194a9eee1dea16df41142d) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 01584d957e..81f5dddf69 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -123,6 +123,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) TTAContext *s = avctx->priv_data; GetBitContext gb; int total_frames; + int ret; s->avctx = avctx; 
@@ -131,7 +132,10 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) return AVERROR_INVALIDDATA; s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); - init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + ret = init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + if (ret < 0) + return ret; + if (show_bits_long(&gb, 32) == AV_RL32("TTA1")) { /* signature */ skip_bits_long(&gb, 32); From 86f0534b48ef7074424d9d77b0ccc7248bd4cf8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:18:13 +0200 Subject: [PATCH 498/700] avcodec/svq1dec: Check init_get_bits8() for failure Fixes: CID1322313 Signed-off-by: Michael Niedermayer (cherry picked from commit a51d4246d8ac96acee735e7e5dedb9d9ef27a594) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 052b61839e..52147f595b 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -617,9 +617,12 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, uint8_t *current; int result, i, x, y, width, height; svq1_pmv *pmv; + int ret; /* initialize bit buffer */ - init_get_bits8(&s->gb, buf, buf_size); + ret = init_get_bits8(&s->gb, buf, buf_size); + if (ret < 0) + return ret; /* decode frame header */ s->frame_code = get_bits(&s->gb, 22); From 9f825fa96e78cc60baa42e0122a8f8c2665f38f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 12:10:02 +0200 Subject: [PATCH 499/700] avcodec/g2meet: Fix potential overflow in tile dimensions check Fixes CID1322351 Signed-off-by: Michael Niedermayer (cherry picked from commit 71ec8e1ed6cf4947e204e3e4b5929a44c054f5fb) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 0cd502bc08..e99eba4feb 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
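Review bot: svq1_decode_frame() already declares `result` in the line `int result, i, x, y, width, height;` just above, so the `int ret;` added only for the init_get_bits8() check introduces a second status variable. Reusing the existing one keeps the function to a single error variable: `result = init_get_bits8(&s->gb, buf, buf_size); if (result < 0) return result;`. The function continues outside the hunk, so confirm that `result` is not expected to hold a value at that point.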
@@ -738,7 +738,7 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, c->tile_height = bytestream2_get_be32(&bc); if (c->tile_width <= 0 || c->tile_height <= 0 || ((c->tile_width | c->tile_height) & 0xF) || - c->tile_width * 4LL * c->tile_height >= INT_MAX + c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", From 7353f529c2b5253eabfc14696edabc3410e9d81e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 12:11:46 +0200 Subject: [PATCH 500/700] avcodec/g2meet: Also clear tile dimensions on header_fail Signed-off-by: Michael Niedermayer (cherry picked from commit fb0466699575724923aeddc4490302180dfdf4af) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index e99eba4feb..83298d4a76 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -869,6 +869,8 @@ header_fail: c->height = 0; c->tiles_x = c->tiles_y = 0; + c->tile_width = + c->tile_height = 0; return ret; } From 24e9640c049bf5d89771519715016f8d92fd8152 Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Sat, 5 Sep 2015 20:42:02 -0700 Subject: [PATCH 501/700] avfilter/af_asyncts: use llabs for int64_t long may not be 64 bit on all platforms; so labs on int64_t is unsafe. This fixes a warning reported in: http://fate.ffmpeg.org/log.cgi?time=20150905071512&log=compile&slot=i386-darwin-clang-polly-3.7 Signed-off-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit d74123d03eb1047b844bc39fbde26f199c72cbcb) Signed-off-by: Michael Niedermayer --- libavfilter/af_asyncts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_asyncts.c b/libavfilter/af_asyncts.c index 5f8e1f61cc..4be093b194 100644 --- a/libavfilter/af_asyncts.c +++ b/libavfilter/af_asyncts.c 
@@ -205,7 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf) delta = pts - s->pts - get_delay(s); out_size = avresample_available(s->avr); - if (labs(delta) > s->min_delta || + if (llabs(delta) > s->min_delta || (s->first_frame && delta && s->first_pts != AV_NOPTS_VALUE)) { av_log(ctx, AV_LOG_VERBOSE, "Discontinuity - %"PRId64" samples.\n", delta); out_size = av_clipl_int32((int64_t)out_size + delta); From 93fc958f22499c37bfa5fb9bfd89e2eb75df3bc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Sep 2015 13:28:51 +0200 Subject: [PATCH 502/700] avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG Signed-off-by: Michael Niedermayer (cherry picked from commit 055e56e9f76da3298f1b59bf5ea46f570e844600) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index af38364e78..1edbe5df9c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -971,7 +971,14 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p skip_bits(&s->gb, 16); /* skip RSTn */ } } - if (s->nb_components == 4) { + if (s->rct && s->nb_components == 4) { + for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + ptr[4*mb_x + 2] = buffer[mb_x][0] - ((buffer[mb_x][1] + buffer[mb_x][2] - 0x200) >> 2); + ptr[4*mb_x + 1] = buffer[mb_x][1] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 3] = buffer[mb_x][2] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 0] = buffer[mb_x][3]; + } + } else if (s->nb_components == 4) { for(i=0; icomp_index[i]; if (s->bits <= 8) { From 89b7e5cb2a8adff452ad2f10243d5940e6444995 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Fri, 11 Sep 2015 21:49:07 +0200 Subject: [PATCH 503/700] lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. Not requiring this can end up producing hilariously broken files together with -c:s copy (e.g. a webvtt file containing binary subtitle data). Signed-off-by: Simon Thelen 
Signed-off-by: Michael Niedermayer (cherry picked from commit b84232694ef0c6897e82b52326c9ea4027c69ec4) Signed-off-by: Michael Niedermayer --- libavformat/webvttenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/webvttenc.c b/libavformat/webvttenc.c index b93993d55c..c386538718 100644 --- a/libavformat/webvttenc.c +++ b/libavformat/webvttenc.c @@ -46,8 +46,14 @@ static void webvtt_write_time(AVIOContext *pb, int64_t millisec) static int webvtt_write_header(AVFormatContext *ctx) { AVStream *s = ctx->streams[0]; + AVCodecContext *avctx = ctx->streams[0]->codec; AVIOContext *pb = ctx->pb; + if (ctx->nb_streams != 1 || avctx->codec_id != AV_CODEC_ID_WEBVTT) { + av_log(ctx, AV_LOG_ERROR, "Exactly one WebVTT stream is needed.\n"); + return AVERROR(EINVAL); + } + avpriv_set_pts_info(s, 64, 1, 1000); avio_printf(pb, "WEBVTT\n"); From 9c0fb2548f862224be6c557a763b548d7cfc7db1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2015 14:26:14 +0200 Subject: [PATCH 504/700] avcodec/rangecoder: Check e Fixes hang.nut Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- libavcodec/snow.h | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e4c020b7c9..9c6e3cfced 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, else { int i, e, a; e = 0; - while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10 + while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; + } a = 1; for (i = e - 1; i >= 0; i--) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 12aad1874a..23e04bd66f 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h 
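Review bot: In webvtt_write_header() the new initializer `AVCodecContext *avctx = ctx->streams[0]->codec;` dereferences the first stream before the added `ctx->nb_streams != 1` test runs, so the check does not protect its own operand when the stream array is empty. The generic muxer setup may already reject a context without streams, but that is outside this hunk. Putting the test first makes the function safe by itself, e.g. `if (ctx->nb_streams != 1 || ctx->streams[0]->codec->codec_id != AV_CODEC_ID_WEBVTT) {` with the `avctx` local dropped. The existing `AVStream *s = ctx->streams[0];` has the same ordering issue and could be assigned after the check.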
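Review bot: The new `return AVERROR_INVALIDDATA;` inside the exponent loop of get_symbol_inline() hands the error back through the same `int` that carries decoded symbols, so a caller cannot tell it from a legitimately decoded negative value when `is_signed` is set. Callers that compare the result as unsigned against a limit will reject it, but a caller that uses the value directly would carry on with a large negative number; those call sites are outside this hunk and worth auditing. At minimum the contract should be stated above the function, e.g. `/* returns AVERROR_INVALIDDATA on a corrupt exponent; in-band, callers must range-check */`. The same applies to the identical check added to get_symbol() in the snow.h hunk of this commit, and both function bodies continue outside their hunks.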
@@ -557,6 +557,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; From 54bc18389777a0ac39d68e07ab6e1ccd0a1e6440 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2015 13:09:59 +0200 Subject: [PATCH 505/700] avcodec/ffv1dec: Explicitly check read_quant_table() return value Forwards the error code, avoids potential integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 10bbf6cf622f8a954c6cc694ca07c24f989c99af) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 9c6e3cfced..d5f7a2b42a 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -503,7 +503,10 @@ static int read_quant_tables(RangeCoder *c, int context_count = 1; for (i = 0; i < 5; i++) { - context_count *= read_quant_table(c, quant_table[i], context_count); + int ret = read_quant_table(c, quant_table[i], context_count); + if (ret < 0) + return ret; + context_count *= ret; if (context_count > 32768U) { return AVERROR_INVALIDDATA; } From 8bfe8b422a8ee23faaa668a40d585ac9dcab09cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2015 13:20:59 +0200 Subject: [PATCH 506/700] avcodec/ffv1dec: Fix off by 1 error in quant_table_count check Fixes: invalid_read.nut Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2d221d9e069e6269cb41f3678f2734800171d87b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index d5f7a2b42a..c338200bbc 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -306,7 +306,7 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return -1; } From 2205fcd3dea8ec6779a942932bdb96f56f63b3f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Sep 2015 13:08:48 +0200 Subject: [PATCH 507/700] avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise Fixes crash Fixes: flicker-1.scout3d21443372922.28.m4a Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 1b82b934a166e60f64e966eaa97512ba9dcb615b) Signed-off-by: Michael Niedermayer --- libavcodec/x86/sbrdsp.asm | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/x86/sbrdsp.asm b/libavcodec/x86/sbrdsp.asm index 6f2e4f48d9..f7f7fe9a14 100644 --- a/libavcodec/x86/sbrdsp.asm +++ b/libavcodec/x86/sbrdsp.asm @@ -381,6 +381,7 @@ apply_noise_main: %else %define count m_maxq %endif + movsxdifnidn noiseq, noised dec noiseq shl count, 2 %ifdef PIC From 630ef0976615a6a6b9a1721a5733c9376e1e8fd5 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Thu, 1 Oct 2015 13:56:31 +0300 Subject: [PATCH 508/700] avformat/httpauth: Add space after commas in HTTP/RTSP auth header This fixes access to Grandstream cameras, which return 401 to ffmpeg otherwise. VLC sends Authorization: header with spaces between parameters, and it is known to work with Grandstream devices and broad range of other HTTP and RTSP servers, so author considers switching to such behaviour safe. Just for record - RFC 2617 (HTTP Auth) does not specify the need in spaces, so this is not a bug of FFmpeg. Signed-off-by: Michael Niedermayer (cherry picked from commit fdb32838723effb4560a345013387ea37b85ff20) 
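Review bot: The corrected test `idx >= (unsigned)f->quant_table_count` in decode_slice_header() also depends on the signed `idx` being converted to unsigned to reject negative values, which a later cleanup that removes the cast would break. A short comment would pin that down: `/* unsigned compare: also rejects idx < 0, e.g. an error returned by get_symbol() */`. The failure path still does `return -1;` where the other decoder error paths on this page return AVERROR_INVALIDDATA, so the named code would be more consistent. The function starts and ends outside the hunk.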
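Review bot: The added `movsxdifnidn noiseq, noised` in apply_noise_main has no comment, and its purpose is not obvious from the surrounding lines. Something like `; noise arrives as a 32-bit int: sign-extend before the 64-bit dec/addressing below` would record why the instruction must stay ahead of `dec noiseq`. The routine starts and ends outside the hunk, so the wording should be checked against how `noise` is declared in the function prologue.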
Signed-off-by: Michael Niedermayer --- libavformat/httpauth.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index dbe3eff48f..18cf36bcfe 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -220,21 +220,21 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, /* TODO: Escape the quoted strings properly. */ av_strlcatf(authstr, len, "username=\"%s\"", username); - av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm); - av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce); - av_strlcatf(authstr, len, ",uri=\"%s\"", uri); - av_strlcatf(authstr, len, ",response=\"%s\"", response); + av_strlcatf(authstr, len, ", realm=\"%s\"", state->realm); + av_strlcatf(authstr, len, ", nonce=\"%s\"", digest->nonce); + av_strlcatf(authstr, len, ", uri=\"%s\"", uri); + av_strlcatf(authstr, len, ", response=\"%s\"", response); // we are violating the RFC and use "" because all others seem to do that too. if (digest->algorithm[0]) - av_strlcatf(authstr, len, ",algorithm=\"%s\"", digest->algorithm); + av_strlcatf(authstr, len, ", algorithm=\"%s\"", digest->algorithm); if (digest->opaque[0]) - av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque); + av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque); if (digest->qop[0]) { - av_strlcatf(authstr, len, ",qop=\"%s\"", digest->qop); - av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce); - av_strlcatf(authstr, len, ",nc=%s", nc); + av_strlcatf(authstr, len, ", qop=\"%s\"", digest->qop); + av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce); + av_strlcatf(authstr, len, ", nc=%s", nc); } av_strlcatf(authstr, len, "\r\n"); From 46c7b1169fdf72c2b9b01365704807289542abc0 Mon Sep 17 00:00:00 2001 
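Review bot: Every reformatted line in make_digest_auth() still pastes `username`, `state->realm`, `uri` and the digest fields into a quoted-string unescaped, as the `TODO: Escape the quoted strings properly` above them admits. A `"` in one of these values ends the quoted-string early and a CR or LF ends the header line, so a credential or URI taken from an untrusted source can alter the Authorization header that is sent. Until proper escaping exists, rejecting such input at the start of the function is a small guard, e.g. `if (strpbrk(username, "\"\r\n") || strpbrk(uri, "\"\r\n")) return NULL;`, assuming NULL is this function's failure return, which is not visible here. The function starts and ends outside the hunk, including the computation of `len`.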
From: Michael Niedermayer Date: Fri, 16 Oct 2015 20:15:48 +0200 Subject: [PATCH 509/700] avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons Fixes Ticket4931 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c2d4e8700cd3db59bc11ab196c0002215cf601f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c338200bbc..968c1b8cc4 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -409,6 +409,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (ffv1_init_slice_state(f, fs) < 0) return AVERROR(ENOMEM); if (decode_slice_header(f, fs) < 0) { + fs->slice_x = fs->slice_y = fs->slice_height = fs->slice_width = 0; fs->slice_damaged = 1; return AVERROR_INVALIDDATA; } From 20a21bce34e5f2b574aa49db4fa37f54ae5d4a64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2015 22:25:20 +0200 Subject: [PATCH 510/700] avcodec/ffv1dec: update progress in case of broken pointer chains Fixes deadlock Fixes Ticket4932 Signed-off-by: Michael Niedermayer (cherry picked from commit 5063a18f5635008b2a45ada1f8c1e21e20450029) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 968c1b8cc4..4d1c324736 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -935,6 +935,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); + ff_thread_report_progress(&f->picture, INT_MAX, 0); return AVERROR_INVALIDDATA; } buf_p -= v; From 31a5bde1bf1f5271527fc9aa7f7e4db0a65f4aa3 Mon Sep 17 00:00:00 2001 
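Review bot: The `ff_thread_report_progress(&f->picture, INT_MAX, 0);` added before the `Slice pointer chain broken` return covers only this one exit of decode_frame(). Any other error return taken after the frame buffer has been obtained would leave waiting frame threads blocked in the same way; those paths lie outside the hunk and should be checked. A comment on the new call, `/* unblock frame threads waiting on this picture before bailing out */`, would also make the requirement visible to whoever adds the next early return.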
From: Michael Niedermayer Date: Sat, 17 Oct 2015 02:13:42 +0200 Subject: [PATCH 511/700] avcodec/ffv1: Initialize vlc_state on allocation This ensures that they are always set to valid values Fixes Ticket4939 Signed-off-by: Michael Niedermayer (cherry picked from commit a878dfa4f57d068eb69fb6614f7a4a20f769ee7b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 6073bc4461..89c4e61d17 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -66,7 +66,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx) av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) { - int j; + int j, i; fs->plane_count = f->plane_count; fs->transparency = f->transparency; @@ -80,10 +80,15 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) if (!p->state) return AVERROR(ENOMEM); } else { - if (!p->vlc_state) - p->vlc_state = av_malloc_array(p->context_count, sizeof(VlcState)); - if (!p->vlc_state) - return AVERROR(ENOMEM); + if (!p->vlc_state) { + p->vlc_state = av_mallocz_array(p->context_count, sizeof(VlcState)); + if (!p->vlc_state) + return AVERROR(ENOMEM); + for (i = 0; i < p->context_count; i++) { + p->vlc_state[i].error_sum = 4; + p->vlc_state[i].count = 1; + } + } } } From cde478f52691c142514ce3dc80dfbb3d7741cd2b Mon Sep 17 00:00:00 2001 From: Kieran Kunhya Date: Mon, 26 Oct 2015 23:09:44 +0000 Subject: [PATCH 512/700] opusdec: Don't run vector_fmul_scalar on zero length arrays Fixes crashes on fuzzed files Fixes Ticket4969 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit b3e5f15b95f04a35821f63f6fd89ddd60f666a59) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 04c9218840..ab81de1aa7 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c 
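Review bot: The initial values `error_sum = 4` and `count = 1` written in ffv1_init_slice_state() are bare numbers with no statement of where they come from. If they are meant to mirror the values used when slice state is reset elsewhere in the codec, which this hunk does not show, a shared helper would keep the two from drifting apart. Failing that, a comment such as `/* same defaults as the regular state reset, so a context is valid even if that reset is skipped */` would do. The function starts and ends outside the hunk.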
@@ -542,7 +542,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, memset(frame->extended_data[i], 0, frame->linesize[0]); } - if (c->gain_i) { + if (c->gain_i && decoded_samples > 0) { c->fdsp->vector_fmul_scalar((float*)frame->extended_data[i], (float*)frame->extended_data[i], c->gain, FFALIGN(decoded_samples, 8)); From 3ce0dcfaab8ef7bbeaa6c86c9b06d16e84865157 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Thu, 29 Oct 2015 09:11:37 +0100 Subject: [PATCH 513/700] avutil/file_open: avoid file handle inheritance on Windows Avoids inheritance of file handles on Windows systems similar to the O_CLOEXEC/FD_CLOEXEC flag on Linux. Fixes file lock issues in Windows applications when a child process is started with handle inheritance enabled (standard input/output redirection) while a FFmpeg transcoding is running in the parent process. Links relevant to the subject: https://msdn.microsoft.com/en-us/library/w7sa2b22.aspx Describes the _wsopen() function and the O_NOINHERIT flag. File handles opened by _wsopen() are inheritable by default. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx Describes handle inheritance when creating new processes. Handle inheritance must be enabled (bInheritHandles = TRUE) e.g. when you want to pass handles for stdin/stdout via lpStartupInfo. Signed-off-by: Tobias Rapp Signed-off-by: Michael Niedermayer (cherry picked from commit 474665346616e446ecd1407002fdf5f88201bf72) Signed-off-by: Michael Niedermayer --- libavutil/file_open.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/file_open.c b/libavutil/file_open.c index 3f9a67c3fc..9e76127919 100644 --- a/libavutil/file_open.c +++ b/libavutil/file_open.c @@ -77,6 +77,9 @@ int avpriv_open(const char *filename, int flags, ...) #ifdef O_CLOEXEC flags |= O_CLOEXEC; #endif +#ifdef O_NOINHERIT + flags |= O_NOINHERIT; +#endif fd = open(filename, flags, mode); #if HAVE_FCNTL 
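Review bot: The new `#ifdef O_NOINHERIT` block in avpriv_open() carries no comment, so the reasoning lives only in the commit message. A one-line note such as `/* Windows CRT counterpart of O_CLOEXEC: do not leak the descriptor into child processes */` would let the two blocks read as a pair. It is also worth confirming that the Windows open wrapper used by this file passes `flags` through unchanged, since that code is outside the hunk.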
From f2b161319d29d19d9113b4d06bc28be8745fa35c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2015 18:08:52 +0100 Subject: [PATCH 514/700] avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg Fixes out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 1edbe5df9c..dcaa0dfede 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1069,7 +1069,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap if(y==0 && toprow){ if(x==0 && leftcol){ @@ -1137,7 +1140,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap From aed64448d6115f9a845ab3eea0ca279eb9765aa0 Mon Sep 17 00:00:00 2001 
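Review bot: The new bounds test in ljpeg_decode_yuv_scan() leaves an empty branch marked `// Nothing to do`, which hides that the DC value was still decoded on purpose to keep the bitstream position in step. `/* sample lies outside the picture: DC consumed above, nothing to store */` would say so. The test compares every component against the full `s->width` and `s->height`; for a subsampled component the plane may be smaller, so whether this bound is tight enough for all planes should be confirmed against code outside the hunk. The identical condition is added in the second hunk of this commit (around line 1140), and a small `static` helper or macro would keep the two copies from diverging.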
From: Michael Niedermayer Date: Wed, 4 Nov 2015 21:27:04 +0100 Subject: [PATCH 515/700] avcodec/mjpegdec: Reinitialize IDCT on BPP changes Fixes misaligned access Fixes: dc9262a469f6f315f74c087a7b3a7f35/signal_sigsegv_2e95bcd_9_9c0f9f4a9ba82aa9b3ab2b91ce4d5277.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cc35f6f4768ffe57cc4fcfa56ecb89aee409e3d5) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index dcaa0dfede..a1141e7147 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -96,6 +96,15 @@ static void parse_avid(MJpegDecodeContext *s, uint8_t *buf, int len) av_log(s->avctx, AV_LOG_INFO, "AVID: len:%d %d\n", len, len > 14 ? buf[12] : -1); } +static void init_idct(AVCodecContext *avctx) +{ + MJpegDecodeContext *s = avctx->priv_data; + + ff_idctdsp_init(&s->idsp, avctx); + ff_init_scantable(s->idsp.idct_permutation, &s->scantable, + ff_zigzag_direct); +} + av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) { MJpegDecodeContext *s = avctx->priv_data; @@ -110,9 +119,7 @@ av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) s->avctx = avctx; ff_blockdsp_init(&s->bdsp, avctx); ff_hpeldsp_init(&s->hdsp, avctx->flags); - ff_idctdsp_init(&s->idsp, avctx); - ff_init_scantable(s->idsp.idct_permutation, &s->scantable, - ff_zigzag_direct); + init_idct(avctx); s->buffer_size = 0; s->buffer = NULL; s->start_code = -1; @@ -254,7 +261,6 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->avctx->bits_per_raw_sample = bits = get_bits(&s->gb, 8); if (bits > 16 || bits < 1) { 
@@ -262,6 +268,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } + if (s->avctx->bits_per_raw_sample != bits) { + av_log(s->avctx, AV_LOG_INFO, "Changeing bps to %d\n", bits); + s->avctx->bits_per_raw_sample = bits; + init_idct(s->avctx); + } if (s->pegasus_rct) bits = 9; if (bits == 9 && !s->pegasus_rct) From 86018daa419db0721ede248328492292f9513c65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 00:36:59 +0100 Subject: [PATCH 516/700] avcodec/ffv1dec: Check for 0 quant tables Fixes assertion failure Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 4d1c324736..d8f535a61c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -567,7 +567,7 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) return AVERROR_INVALIDDATA; for (i = 0; i < f->quant_table_count; i++) { From 312895a6d707b57cc184a9f3ecb0c847276e8824 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 19:24:33 +0100 Subject: [PATCH 517/700] libavutil/channel_layout: Check strtol*() for failure Fixes assertion failure Fixes: 4f5814bb15d2dda6fc18ef9791b13816/signal_sigabrt_7ffff6ae7cc9_65_7209d160d168b76f311be6cd64a548eb.wv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
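Review bot: The log string added to ff_mjpeg_decode_sof() is misspelled; `"Changeing bps to %d\n"` should read `"Changing bps to %d\n"`. Since `bits` is read straight from the frame header, a stream that alternates sample depths produces this message and a full init_idct() on every frame, so AV_LOG_VERBOSE or AV_LOG_DEBUG may suit better than AV_LOG_INFO. A one-line comment on init_idct() saying that it must be re-run whenever bits_per_raw_sample changes would record why the helper was split out. The function continues outside the hunk.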
Signed-off-by: Michael Niedermayer (cherry picked from commit c9bfd6a8c35a2102e730aca12f6e09d1627f76b3) Conflicts: libavutil/channel_layout.c --- libavutil/channel_layout.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index cd5cf426d4..45249c4367 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -125,6 +125,8 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) strlen(channel_names[i].name) == name_len && !memcmp(channel_names[i].name, name, name_len)) return (int64_t)1 << i; + + errno = 0; i = strtol(name, &end, 10); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT @@ -143,14 +145,15 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) } } else { #endif - if ((end + 1 - name == name_len && *end == 'c')) + if (!errno && (end + 1 - name == name_len && *end == 'c')) return av_get_default_channel_layout(i); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT } #endif + errno = 0; layout = strtoll(name, &end, 0); - if (end - name == name_len) + if (!errno && end - name == name_len) return FFMAX(layout, 0); return 0; } From 46cece74c31a0badd9e3100189ab92fe15da8302 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 02:11:01 +0100 Subject: [PATCH 518/700] avformat/xmv: factor return check out of if/else Signed-off-by: Michael Niedermayer (cherry picked from commit 9b6fac11da470274d4b93d46ef66527aa1824179) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 6eac4d21e8..cee2c806de 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c 
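Review bot: The `errno` test added around `i = strtol(name, &end, 10)` in get_channel_layout_single() only catches values that overflow `long`. If `i` is an `int` (its declaration is outside the hunk), a count that fits in `long` but not in `int` is truncated silently before it reaches `av_get_default_channel_layout(i)` in the second hunk. Parsing into a `long` and rejecting anything above INT_MAX before the call would close that gap. The new code also needs `errno` to be declared, so the errno.h include should be confirmed; the include block is not part of this diff.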
@@ -547,16 +547,14 @@ static int xmv_read_packet(AVFormatContext *s, /* Fetch a video frame */ result = xmv_fetch_video_packet(s, pkt); - if (result) - return result; - } else { /* Fetch an audio frame */ result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); - if (result) - return result; } + if (result) + return result; + /* Increase our counters */ if (++xmv->current_stream >= xmv->stream_count) { From fd7bb09e8a33b30d0d4f8542b266f6ada7051cc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 02:13:36 +0100 Subject: [PATCH 519/700] avformat/xmv: Discard remainder of packet on error Fixes infinite loop Fixes: 9c48ae2680c5f23bca3d20ff0f325fd8/asan_generic_4c254d_1374_993f1e5967dd6f844b8d72f978ce2a6c.pss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79c4a338e4b2bf0bc6f81c9f455994f673a92f78) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index cee2c806de..1410bff8ee 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -552,8 +552,11 @@ static int xmv_read_packet(AVFormatContext *s, result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); } - if (result) + if (result) { + xmv->current_stream = 0; + xmv->video.current_frame = xmv->video.frame_count; return result; + } /* Increase our counters */ From 1497b0bb939d706264019212fcf3f94573e0cede Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 21:58:42 +0100 Subject: [PATCH 520/700] avcodec/dirac_parser: Fix undefined memcpy() use Fixes: 9d375e415486edd1a0c826f2307d89a4/asan_generic_4a5159_1577_faa333e83dacdd9e4dd322380aeed537.iss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit daefd8ab2f2aeb90cd53cb75445faffdc7a3cc79) 
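Review bot: The two assignments added to the error path of xmv_read_packet() (patch 519) have no comment, and their purpose is not evident from the code alone: they reset the stream cursor and apparently mark every video frame of the current packet as consumed. I would add `/* on error drop the rest of this packet so the next call starts a fresh one instead of retrying the same read */` above them, so a later cleanup does not remove them and bring back the endless retry described in the commit message. The function starts and ends outside the hunk.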
Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 45ded5a779..83c35a2010 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -123,7 +123,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, DiracParseContext *pc = s->priv_data; if (pc->overread_index) { - memcpy(pc->buffer, pc->buffer + pc->overread_index, + memmove(pc->buffer, pc->buffer + pc->overread_index, pc->index - pc->overread_index); pc->index -= pc->overread_index; pc->overread_index = 0; From 5bb599d0c013cfdb9d8ac84b34df87fe91048dd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 22:24:23 +0100 Subject: [PATCH 521/700] avcodec/microdvddec: Check for string end in 'P' case Fixes out of array read Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90) Signed-off-by: Michael Niedermayer --- libavcodec/microdvddec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/microdvddec.c b/libavcodec/microdvddec.c index 96034a042a..9035892205 100644 --- a/libavcodec/microdvddec.c +++ b/libavcodec/microdvddec.c @@ -164,6 +164,8 @@ static char *microdvd_load_tags(struct microdvd_tag *tags, char *s) /* Position */ case 'P': + if (!*s) + break; tag.persistent = MICRODVD_PERSISTENT_ON; tag.data1 = (*s++ == '1'); if (*s != '}') From 9e755b9b99c3c28a27a34d276a182b84f8563eff Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 7 Nov 2015 02:16:11 +0100 Subject: [PATCH 522/700] avcodec/jpeg2000dec: Clip all tile coordinates Fixes out of array access Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 4f5b32f516..7063e420bf 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -686,10 +686,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = FFMAX(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x); - comp->coord_o[0][1] = FFMIN((tilex + 1) * s->tile_width + s->tile_offset_x, s->width); - comp->coord_o[1][0] = FFMAX(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y); - comp->coord_o[1][1] = FFMIN((tiley + 1) * s->tile_height + s->tile_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], s->reduction_factor); comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], s->reduction_factor); From be4b41b6cb7cd3c962cfcde6305d5e7537645bf2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 14 Nov 2015 00:51:56 +0100 Subject: [PATCH 523/700] avcodec/jpeg2000dec: Check for duplicate SIZ marker Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 44a7f17d0b20e6f8d836b2957e3e357b639f19a2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 7063e420bf..787fb994b9 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1356,6 +1356,7 @@ static void jpeg2000_dec_cleanup(Jpeg2000DecoderContext *s) memset(s->codsty, 0, sizeof(s->codsty)); memset(s->qntsty, 0, sizeof(s->qntsty)); s->numXtiles = s->numYtiles = 0; + s->ncomponents = 0; } static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) @@ -1410,6 +1411,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) switch (marker) { case JPEG2000_SIZ: + if (s->ncomponents) { + av_log(s->avctx, AV_LOG_ERROR, "Duplicate SIZ\n"); + return AVERROR_INVALIDDATA; + } ret = get_siz(s); if (!s->tile) s->numXtiles = s->numYtiles = 0; From 72ac69bd05ef65221473766b62756749fb4f4456 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 01:35:08 +0100 Subject: [PATCH 524/700] avcodec/utils: Better check for channels in av_get_audio_frame_duration() Fixes integer overflow Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4e16ad2868a1819de6680fc355a8eb20164adaea) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0cc1f903db..ad61ac37e7 100644 
--- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3371,7 +3371,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) return frame_bytes * 8 / bps; } - if (ch > 0) { + if (ch > 0 && ch < INT_MAX/16) { /* calc from frame_bytes and channels */ switch (id) { case AV_CODEC_ID_ADPCM_AFC: From ffaea7a790778ec4f23a22bbb445b77471dbddb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 02:36:22 +0100 Subject: [PATCH 525/700] avcodec/ivi: Check image dimensions Fixes integer overflow Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df91aa034b82b77a3c4e01791f4a2b2ff6c82066) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 379508123f..80b0676287 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "libavutil/attributes.h" +#include "libavutil/imgutils.h" #include "libavutil/timer.h" #include "avcodec.h" #include "get_bits.h" @@ -310,7 +311,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg, ivi_free_buffers(planes); - if (cfg->pic_width < 1 || cfg->pic_height < 1 || + if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 || cfg->luma_bands < 1 || cfg->chroma_bands < 1) return AVERROR_INVALIDDATA; From 93ff48fd2e41b0d02655aaabb11b76a6549703a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:34:02 +0100 Subject: [PATCH 526/700] avcodec/flashsv: Check size before updating it Fixes out of array read Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
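Review bot: The new bound `ch < INT_MAX/16` in av_get_audio_frame_duration() is a bare constant with no explanation of what the 16 stands for. Presumably it is the largest factor `ch` is multiplied by in the switch cases that follow, but those are outside the hunk, so this should be confirmed and written down, e.g. `/* ch is scaled by at most 16 below; keep the product inside int */`. Without that comment a new case with a larger multiplier can reintroduce the overflow unnoticed.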
Signed-off-by: Michael Niedermayer (cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 8791a2d750..f777f24e19 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } if (has_diff) { + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for diff\n"); + return AVERROR_INVALIDDATA; + } if (!s->keyframe) { av_log(avctx, AV_LOG_ERROR, "Inter frame without keyframe\n"); @@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, int row = get_bits(&gb, 8); av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", i, j, col, row); + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n"); + return AVERROR_INVALIDDATA; + } size -= 2; avpriv_request_sample(avctx, "zlibprime_curr"); return AVERROR_PATCHWELCOME; From 19c931fe66bc2c524fdafdfb92484ee746ad36f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 14:29:02 +0100 Subject: [PATCH 527/700] avcodec/dpx: Move need_align to act per line Fixes out of array read Fixes: 61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c8aaae8e0f1519bc99bd717ea3067c9cfdb68def) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 3b78486bb3..60f5107622 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c 
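Review bot: In the second hunk of flashsv_decode_frame() the `size < 3` guard sits after `row` (and presumably `col`) have already been read with `get_bits(&gb, 8)`, so the input is validated only after it has been consumed; the check belongs above those reads. The threshold 3 is also not explained next to the `size -= 2` that follows, and the first hunk uses the same literal, so a short comment naming the bytes it accounts for would help. Because this branch always ends in `return AVERROR_PATCHWELCOME`, the practical effect looks small, but the ordering is misleading for anyone who later implements the branch.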
@@ -334,11 +334,11 @@ static int decode_frame(AVCodecContext *avctx, // For 12 bit, ignore alpha if (elements == 4) buf += 2; - // Jump to next aligned position - buf += need_align; } for (i = 0; i < 3; i++) ptr[i] += p->linesize[i]; + // Jump to next aligned position + buf += need_align; } break; case 16: From 44d82a8fa16c105b239aae2f2364c5bbf91e456d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 21:11:52 +0100 Subject: [PATCH 528/700] avcodec/error_resilience: avoid accessing previous or next frames tables beyond height The height of tables can be rounded up for MBAFF but this does not imply that is also true for the previous frames Fixes out of array reads Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a105f52855d08e4ab1ed7306da8e32fc90d6d647) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index c72c562078..fb71a71df7 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c 
@@ -377,14 +377,19 @@ static void guess_mv(ERContext *s) #define MV_UNCHANGED 1 const int mb_stride = s->mb_stride; const int mb_width = s->mb_width; - const int mb_height = s->mb_height; + int mb_height = s->mb_height; int i, depth, num_avail; int mb_x, mb_y, mot_step, mot_stride; + if (s->last_pic.f && s->last_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->last_pic.f->height+15)>>4); + if (s->next_pic.f && s->next_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->next_pic.f->height+15)>>4); + set_mv_strides(s, &mot_step, &mot_stride); num_avail = 0; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { const int mb_xy = s->mb_index2xy[i]; int f = 0; int error = s->error_status_table[mb_xy]; @@ -409,7 +414,7 @@ static void guess_mv(ERContext *s) if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || num_avail <= mb_width / 2) { - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_dir = (s->last_pic.f && s->last_pic.f->data[0]) ? MV_DIR_FORWARD : MV_DIR_BACKWARD; @@ -438,7 +443,7 @@ static void guess_mv(ERContext *s) int score_sum = 0; changed = 0; - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_predictor[8][2] = { { 0 } }; @@ -671,7 +676,7 @@ skip_last_mv: if (none_left) return; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { int mb_xy = s->mb_index2xy[i]; if (fixed[mb_xy]) fixed[mb_xy] = MV_FROZEN; From f43b6a094c095a4f30735634e8411920307baa34 Mon Sep 17 00:00:00 2001 
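Review bot: guess_mv() now clamps a local `mb_height` against the last and next pictures, but the reason lives only in the commit message, and the inner loops still mix the clamped local with `s->mb_width` instead of the local `mb_width`. I would add a comment above the two FFMIN lines, e.g. `/* reference frames may have fewer MB rows than the current, MBAFF-rounded height; never walk their tables past their own rows */`, and use the locals consistently. The expression `(f->height+15)>>4` is written twice and could be a small static helper. Other functions in this file that iterate over `s->mb_height` rows of last_pic or next_pic data are outside this diff and may need the same clamp.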
From: Michael Niedermayer Date: Sun, 15 Nov 2015 00:25:11 +0100 Subject: [PATCH 529/700] avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() Fixes out of array read Fixes: c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9caa9414ccf2dcf8aee2695377dee830a5024c82) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 91d87f08d9..bc3e8383ea 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3LL / 2) { + if (src_size < FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From ac7cc433adde3db441243e528c59280f6bb70e7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 00:25:11 +0100 Subject: [PATCH 530/700] avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() Fixes potential out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 76b6f4b7d91901929177cc61d9810dcca0bb40c1) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index bc3e8383ea..2fa8b4fa8e 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c 
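Review bot: In the size check of dxtory_decode_v1_420(), `FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2)` is evaluated in `int` before `3LL` widens the expression, so the 64-bit arithmetic does not cover the product itself; patch 530 has the same shape in dxtory_decode_v1_410(). Widening the first multiplication, `FFALIGN(avctx->width, 2) * (int64_t)FFALIGN(avctx->height, 2) * 3 / 2`, makes the check independent of whatever limits were applied to the dimensions earlier. This only matters if width and height can reach this point without prior validation, which cannot be judged from the hunk.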
@@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 9LL / 8) { + if (src_size < FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) * 9LL / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From 6816644f3482d68d20e79400134b03a6ddcd0041 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 01:22:31 +0100 Subject: [PATCH 531/700] avcodec/takdec: Skip last p2 sample (which is unused) Fixes out of array read Fixes: cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 08b520636e96ba6888b669b9b3f4c414631ea1d2) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0e29c6283e..0b1484958e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -632,7 +632,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) for (; length2 > 0; length2 -= tmp) { tmp = FFMIN(length2, x); - for (i = 0; i < tmp; i++) + for (i = 0; i < tmp - (tmp == length2); i++) s->residues[filter_order + i] = *p2++ >> dshift; for (i = 0; i < tmp; i++) { From 2b0cda395f2330fc0dbebadb612b758bf46ccf47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 14:52:08 +0100 Subject: [PATCH 532/700] avcodec/smacker: Check that the data size is a multiple of a sample vector Fixes out of array access Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892) 
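Review bot: The loop bound `tmp - (tmp == length2)` added to decorrelate() in takdec.c is hard to read: it drops one iteration, and only on the final chunk. A comment would make the intent reviewable, for example `/* final chunk: the last p2 sample is never used by the filter, so do not read it */`. The loop that follows still runs up to `tmp`, so the comment should also say that the residue slot left unwritten here is not consumed there; that part of the function lies outside the hunk and should be checked.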
Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b5538c7494..7b30664f38 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -668,6 +668,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); + if (unp_size % (avctx->channels * (bits + 1))) { + av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size); + return AVERROR(EINVAL); + } if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; samples = (int16_t *)frame->data[0]; From be280f3e8b22f7283fc3787ead22575754f1c866 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 18:18:40 +0100 Subject: [PATCH 533/700] avcodec/wmaprodec: Check for overread in decode_packet() Fixes assertion failure Fixes: 0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_7ffff6ae7cc9_1358_999ac18684788221490757582ce9af84.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad698e24e6b9dde57c4e01c145bcddfe9d6e4a3) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index cc7ad0d408..a94da0f67c 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1623,6 +1623,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, s->packet_done = 1; } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /** save the rest of the data so that it can be decoded From 7468cb847c4ffbb8afeb22e4293e245686e8e13a Mon Sep 17 00:00:00 2001 
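Review bot: The new check in smka_decode_frame() logs `"unp_size %d is odd"`, but what it tests is whether unp_size is a multiple of `avctx->channels * (bits + 1)`, and it returns `AVERROR(EINVAL)` where the other malformed-input checks in this series return `AVERROR_INVALIDDATA`. I would change the two lines to `av_log(avctx, AV_LOG_ERROR, "unp_size %d is not a multiple of the sample vector size\n", unp_size);` and `return AVERROR_INVALIDDATA;`. The check also comes after the division by the same expression on the preceding line, so a zero channel count has to be ruled out earlier in the function, outside the hunk.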
From: Michael Niedermayer Date: Sun, 15 Nov 2015 20:03:39 +0100 Subject: [PATCH 534/700] avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() Signed-off-by: Michael Niedermayer (cherry picked from commit 016fd413f9168816924f21c0c1ffb578f7226221) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 644e25d399..2fe20387c1 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -28,6 +28,7 @@ #include "libavutil/attributes.h" #include "libavutil/avassert.h" #include "libavutil/common.h" +#include "libavutil/imgutils.h" #include "libavutil/mem.h" #include "avcodec.h" #include "jpeg2000.h" @@ -210,7 +211,10 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, codsty->nreslevels2decode - 1, codsty->transform)) return ret; - // component size comp->coord is uint16_t so ir cannot overflow + + if (av_image_check_size(comp->coord[0][1] - comp->coord[0][0], + comp->coord[1][1] - comp->coord[1][0], 0, avctx)) + return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); From 58fa73a4d0904d469c276bc78cfcfafc956d4d75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 20:49:17 +0100 Subject: [PATCH 535/700] avcodec/jpeg2000: Check comp coords to be within the supported size Fixes assertion failure Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi This fix is choosen to be simple to backport, better solution for master is planed Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a1a8cbcb35ef2759a66b4f0875785e4b3f277057) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 2fe20387c1..2023978b0c 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -217,6 +217,11 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); + if (comp->coord[0][1] > 32768 || + comp->coord[1][1] > 32768) { + av_log(avctx, AV_LOG_ERROR, "component size too large\n"); + return AVERROR_PATCHWELCOME; + } if (codsty->transform == FF_DWT97) { comp->i_data = NULL; From 13434d5f9f778a8e60a660c0f9993831da592abd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 21:12:50 +0100 Subject: [PATCH 536/700] avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range Fixes potential integer overflows Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi This fix is choosen to be simple to backport, better solution for master is planed Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6ef819c40bcc2175edba7ce9e20c3036c01b36b9) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 787fb994b9..f926ab8478 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -252,6 +252,10 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } + if (s->width > 32768U || s->height > 32768U) { + avpriv_request_sample(s->avctx, "Large Dimensions"); + return AVERROR_PATCHWELCOME; + } if (ncomponents <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n", From cd7598fb1bbacb3f1d95bd7e36d51cba3910e876 Mon Sep 17 00:00:00 2001 
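Review bot: The limit 32768 is a bare literal in ff_jpeg2000_init_component() and again in get_siz() (patch 536), and in this hunk it is tested only after `csize` has been computed from the same coordinates. A shared named constant, with the test moved above the `csize` line, would make the intent clearer; the av_image_check_size() call just before appears to bound the product, so this is a readability point rather than a live overflow. A one-line comment on why 32768 is the supported maximum would also help, since the comment about `uint16_t` coordinates removed in patch 534 was the only hint.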
From: Michael Niedermayer Date: Sun, 15 Nov 2015 21:17:05 +0100 Subject: [PATCH 537/700] avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions Signed-off-by: Michael Niedermayer (cherry picked from commit 65d3359fb366ea265a8468d76a111cb7352f0b55) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index f926ab8478..ae0c9bb82e 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -690,10 +690,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = av_clip(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); - comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); - comp->coord_o[1][0] = av_clip(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); - comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], s->reduction_factor); comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], s->reduction_factor); From fddf95da951204a75f52690a5f4cdb58fc3e5396 Mon Sep 17 00:00:00 2001 
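Review bot: The `(int64_t)` casts added in init_tile() widen the multiplication, but av_clip() is declared with `int` parameters, so the 64-bit sum is converted back to `int` at the call and can wrap before any clamping takes place. Keeping the value 64-bit until it is clamped avoids that, e.g. `comp->coord_o[0][0] = av_clip64(tilex * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width);` and likewise for the other three lines. Whether tile_width can be large enough for this to matter depends on the SIZ validation, which is outside the hunk.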
From: Michael Niedermayer Date: Sun, 15 Nov 2015 23:41:14 +0100 Subject: [PATCH 538/700] avformat/utils: Do not init parser if probing is unfinished Fixes assertion failure Fixes: 136f8b8d47af7892306625e597dee655/signal_sigabrt_7ffff6ae7cc9_8941_ab11bea57c84796418f481f873dc31ba.dvr_ms Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1ef336e912a7a3a13a9933825a56c421f891e44b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 496b656378..3413a7ff50 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3037,7 +3037,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) st->codec->time_base = st->time_base; } // only for the split stuff - if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE)) { + if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && st->request_probe <= 0) { st->parser = av_parser_init(st->codec->codec_id); if (st->parser) { if (st->need_parsing == AVSTREAM_PARSE_HEADERS) { From eb2f0a44650db8c295ffe9c28eea98fd0ecfc8f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Nov 2015 18:19:01 +0100 Subject: [PATCH 539/700] avformat/matroskadec: Check subtitle stream before dereferencing Unrecognized streams are not allocated Fixes: flicker-1.color1.vp91447030769.08.webm Found-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit a5034b324cad4c29d47ef285a30b0705e6eb0384) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 126625fa2e..9107815615 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2971,6 +2971,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, tracks[i].audio.buf_timecode = AV_NOPTS_VALUE; tracks[i].end_timecode = 0; if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && + tracks[i].stream && tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp( tracks[i].stream, st->index_entries[index].timestamp, From 795908eff4a219c49d9e52be5ffb86765ab0a39e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Nov 2015 21:42:02 +0200 Subject: [PATCH 540/700] rtmpcrypt: Do the xtea decryption in little endian mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The XTEA algorithm operates on 32 bit numbers, not on byte sequences. The XTEA implementation in libavutil is written assuming big endian numbers, while the rtmpe signature encryption assumes little endian. This fixes rtmpe communication with rtmpe servers that use signature type 8 (XTEA), e.g. crunchyroll. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3) Signed-off-by: Michael Niedermayer --- libavformat/rtmpcrypt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/rtmpcrypt.c b/libavformat/rtmpcrypt.c index 2312527d37..fb46449a67 100644 --- a/libavformat/rtmpcrypt.c +++ b/libavformat/rtmpcrypt.c @@ -184,9 +184,14 @@ int ff_rtmpe_compute_secret_key(URLContext *h, const uint8_t *serverdata, static void rtmpe8_sig(const uint8_t *in, uint8_t *out, int key_id) { struct AVXTEA ctx; + uint8_t tmpbuf[8]; av_xtea_init(&ctx, rtmpe8_keys[key_id]); - av_xtea_crypt(&ctx, out, in, 1, NULL, 0); + AV_WB32(tmpbuf, AV_RL32(in)); + AV_WB32(tmpbuf + 4, AV_RL32(in + 4)); + av_xtea_crypt(&ctx, tmpbuf, tmpbuf, 1, NULL, 0); + AV_WL32(out, AV_RB32(tmpbuf)); + AV_WL32(out + 4, AV_RB32(tmpbuf + 4)); } static void rtmpe9_sig(const uint8_t *in, uint8_t *out, int key_id) 
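Review bot: The byte swapping around `av_xtea_crypt()` in rtmpe8_sig() has no comment, and without the commit message it reads like a mistake, since the same eight bytes are swapped before and after the call. A short comment above the first `AV_WB32` line would carry the reason: `/* libavutil's XTEA reads each 32-bit word as big endian, RTMPE type 8 uses little endian: swap on the way in and out */`. `key_id` also indexes `rtmpe8_keys[]` with no range check in this function; presumably the caller bounds it, which is worth confirming since the caller is outside the hunk.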
From 608f928c74d821f74747e22819b4c6dfc90acbb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Sep 2015 13:10:48 +0200 Subject: [PATCH 541/700] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup The variable is not a constant and can lead to race conditions Fixes: repro.webm (not reproducable with FFmpeg alone) Found-by: Dale Curtis Tested-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 944db5ef6d..167f8f8765 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) s->mb_height = (s->avctx->coded_height + 15) / 16; s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE && - FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1; + avctx->thread_count > 1; if (!s->mb_layout) { // Frame threading and one thread s->macroblocks_base = av_mallocz((s->mb_width + s->mb_height * 2 + 1) * sizeof(*s->macroblocks)); From 9ba0cb7c270385ec844d8ab0dcbc359d35174413 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Nov 2015 22:12:37 +0100 Subject: [PATCH 542/700] avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized Fixes out of array access Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 425de8dce5..5de2fcda68 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
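Review bot: The `s->mb_layout` expression mixes `||` and `&&` without parentheses, and with the FFMIN() gone it is easy to misread as `(is_vp7 || slice threading) && thread_count > 1`. Writing it as `s->mb_layout = is_vp7 || (avctx->active_thread_type == FF_THREAD_SLICE && avctx->thread_count > 1);` keeps the behaviour and makes the grouping explicit. A one-line comment saying that the layout must not depend on values that change between frames (the reason given in the commit message) would keep `num_coeff_partitions` from being reintroduced here. update_dimensions() continues outside the hunk.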
@@ -1208,6 +1208,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) nb_slices = max_slices; } h->slice_context_count = nb_slices; + h->max_contexts = FFMIN(h->max_contexts, nb_slices); if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { ret = ff_h264_context_init(h); From 5c2f083abbfcc5bb01f80dbc1f130db84cf2262e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Nov 2015 17:55:08 +0100 Subject: [PATCH 543/700] Update for 2.5.9 Signed-off-by: Michael Niedermayer --- Changelog | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 100 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 8d010d976e..8deb149426 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,104 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.9 +- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized +- avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup +- rtmpcrypt: Do the xtea decryption in little endian mode +- avformat/matroskadec: Check subtitle stream before dereferencing +- avformat/utils: Do not init parser if probing is unfinished +- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions +- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range +- avcodec/jpeg2000: Check comp coords to be within the supported size +- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() +- avcodec/wmaprodec: Check for overread in decode_packet() +- avcodec/smacker: Check that the data size is a multiple of a sample vector +- avcodec/takdec: Skip last p2 sample (which is unused) +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() +- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height +- avcodec/dpx: Move need_align to act per line +- avcodec/flashsv: Check size before updating it +- avcodec/ivi: Check image dimensions +- avcodec/utils: Better check for channels in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check for duplicate SIZ marker +- avcodec/jpeg2000dec: Clip all tile coordinates +- avcodec/microdvddec: Check for string end in 'P' case +- avcodec/dirac_parser: Fix undefined memcpy() use +- avformat/xmv: Discard remainder of packet on error +- avformat/xmv: factor return check out of if/else +- libavutil/channel_layout: Check strtol*() for failure +- avcodec/ffv1dec: Check for 0 quant tables +- avcodec/mjpegdec: Reinitialize IDCT on BPP changes +- avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it +- 
avutil/file_open: avoid file handle inheritance on Windows +- opusdec: Don't run vector_fmul_scalar on zero length arrays +- avcodec/ffv1: Initialize vlc_state on allocation +- avcodec/ffv1dec: update progress in case of broken pointer chains +- avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons +- avformat/httpauth: Add space after commas in HTTP/RTSP auth header +- avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise +- avcodec/ffv1dec: Fix off by 1 error in quant_table_count check +- avcodec/ffv1dec: Explicitly check read_quant_table() return value +- avcodec/rangecoder: Check e +- lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. +- avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG +- avfilter/af_asyncts: use llabs for int64_t +- avcodec/g2meet: Also clear tile dimensions on header_fail +- avcodec/g2meet: Fix potential overflow in tile dimensions check +- avcodec/svq1dec: Check init_get_bits8() for failure +- avcodec/tta: Check init_get_bits8() for failure +- swresample/swresample: Fix integer overflow in seed calculation +- avformat/mov: Fix integer overflow in FFABS +- avutil/common: Add FFNABS() +- avutil/common: Document FFABS() corner case +- avformat/dump: Fix integer overflow in aspect ratio calculation +- avcodec/truemotion1: Check for even width +- avcodec/mpeg12dec: Set dimensions in mpeg1_decode_sequence() only in absence of errors +- avcodec/libopusenc: Fix infinite loop on flushing after 0 input +- avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops +- avformat/hevc: Fix parsing errors +- ffmpeg: Use correct codec_id for av_parser_change() check +- ffmpeg: Check av_parser_change() for failure +- ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE +- ffmpeg: check avpicture_fill() return value +- avformat/mux: Update sidedata in ff_write_chained() +- avcodec/flashsvenc: Correct max dimension in error message +- 
avcodec/svq1enc: Check dimensions +- avcodec/dcaenc: clear bitstream end +- libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() +- mxfdec: check edit_rate also for physical_track +- mpegvideo: clear overread in clear_context +- dvdsubdec: validate offset2 similar to offset1 +- avcodec/takdec: Use memove, avoid undefined memcpy() use +- jvdec: avoid unsigned overflow in comparison +- avcodec/mpeg12dec: Do not call show_bits() with invalid bits +- riffdec: prevent negative bit rate +- Merge commit 'd80811c94e068085aab797f9ba35790529126f85' +- imc: use correct position for flcoeffs2 calculation +- wavpack: limit extra_bits to 32 and use get_bits_long +- wavpack: use get_bits_long to read up to 32 bits +- nutdec: check maxpos in read_sm_data before returning success +- s302m: fix arithmetic exception +- avcodec/s302m: Only set the sample rate when some data is output +- vp9: add support for resolution changes in inter frames. +- alsdec: limit avctx->bits_per_raw_sample to 32 +- vp9: avoid infinite loop with broken files +- videodsp: don't overread edges in vfix3 emu_edge. +- avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check +- avformat/oggenc: Check segments_count for headers too +- avformat/avidec: Workaround broken initial frame +- hevc: properly handle no_rasl_output_flag when removing pictures from the DPB +- hevc: fix wpp threading deadlock. +- avcodec/ffv1: separate slice_count from max_slice_count +- lavf/img2dec: Fix memory leak +- avcodec/mp3: fix skipping zeros +- avformat/srtdec: make sure we probe a number +- avformat/srtdec: more lenient first line probing +- doc: mention libavcodec can decode Opus natively +- MAINTAINERS: Remove myself as leader + + version 2.5.8 - snow: remove an obsolete av_assert2 - huffyuvdec: validate image size diff --git a/RELEASE b/RELEASE index ecd7ee50cb..30f69e8cc5 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.8 +2.5.9 
diff --git a/doc/Doxyfile b/doc/Doxyfile index e1b1a95809..af39cb809a 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.8 +PROJECT_NUMBER = 2.5.9 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From dc5bec14ab7d686b72aa85c38937dd29cf3e0289 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Tue, 1 Dec 2015 21:15:53 +0200 Subject: [PATCH 544/700] doc/filters/drawtext: fix centering example Signed-off-by: Andrey Utkin Signed-off-by: Lou Logan (cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8) Signed-off-by: Timothy Gu --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 31334da2f2..64b91ec284 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -4135,7 +4135,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item From b622d6f6f65d778ed3011482686ce6d4df9f7450 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 01:25:50 +0100 Subject: [PATCH 545/700] avcodec/ffv1dec: Print an error if the quant table count is invalid Signed-off-by: Michael Niedermayer (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b) --- libavcodec/ffv1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index d8f535a61c..abd7bf85f1 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -567,8 +567,10 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); From fa3df7ae415be860377d52e13202c8a0f7bf7316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:21:58 +0100 Subject: [PATCH 546/700] avcodec/ffv1dec: Clear quant_table_count if its invalid Fixes deallocation of corrupted pointer Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi No releases affected Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb) Fixes ticket #5052. --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index abd7bf85f1..ebcb2b0d2b 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -569,6 +569,7 @@ static int read_extra_header(FFV1Context *f) f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; } From cc80478463dd1816836ffd2b8b92f4daa957021d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 27 Nov 2015 12:11:29 +0100 Subject: [PATCH 547/700] avcodec/cabac_functions: Fix "left shift of negative value -31767" Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5) Signed-off-by: Michael Niedermayer --- libavcodec/cabac_functions.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29f8e..4e132535e1 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ - int i, x; + int i; + unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; From d3de02d9d44256dd2b5c5239bdb2f3830ba8da44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 13:37:50 +0100 Subject: [PATCH 548/700] avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c --- libavcodec/cabac.c | 5 ++++- libavcodec/cabac.h | 2 +- libavcodec/cabac_functions.h | 3 ++- libavcodec/h264_cabac.c | 5 ++++- libavcodec/h264_slice.c | 5 ++++- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 81a75dd52a..48f70ca30e 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c 
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; + if ((c->range<<(CABAC_BITS+1)) < c->low) + return AVERROR_INVALIDDATA; + return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed105..857211c9d9 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h @@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 4e132535e1..2d1d2a6b89 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; - ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); + if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) + return NULL; return ptr; } diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index a411efed8c..1492d8d9d0 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
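Review bot: The doc comment above ff_init_cabac_decoder() still says `@param buf_size size of buf in bits`, while the body computes `c->bytestream_end= buf + buf_size;`, which treats it as a byte count, and nothing documents the return value this commit introduces. I would change that line to `@param buf_size size of buf in bytes` and add `@return 0 on success, AVERROR_INVALIDDATA if the initial low value is outside the initial range`. The range check itself is in the second hunk of this file; it runs after the context fields have already been overwritten, so a caller that receives an error should not keep decoding with `c`.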
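Review bot: skip_bytes() now returns NULL both when fewer than `n` bytes remain and when ff_init_cabac_decoder() rejects the new state, and in the second case `c` has already been re-pointed at `ptr + n`. The guard `(int) (c->bytestream_end - ptr) < n` also lets `n` equal to the remaining length through, so the initializer is called with a size of 0 and still reads its first bytes (`*c->bytestream++` in cabac.c); that presumably relies on input buffer padding and should be confirmed. A comment on the function stating that a NULL return leaves the decoder context unusable would help the callers, which are outside this hunk.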
@@ -2000,6 +2000,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; + int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2016,7 +2017,9 @@ decode_intra_mb: h->intra_pcm_ptr = ptr; ptr += mb_size; - ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); + ret = ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); + if (ret < 0) + return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 5de2fcda68..57a135efc6 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -2442,13 +2442,16 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } if (h->pps.cabac) { + int ret; /* realign */ align_get_bits(&h->gb); /* init cabac */ - ff_init_cabac_decoder(&h->cabac, + ret = ff_init_cabac_decoder(&h->cabac, h->gb.buffer + get_bits_count(&h->gb) / 8, (get_bits_left(&h->gb) + 7) / 8); + if (ret < 0) + return ret; ff_h264_init_cabac_states(h); From c6b81e252e7a808d506adf0ee8520a7970426ff7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 18:30:05 +0100 Subject: [PATCH 549/700] avcodec/hevc: Check entry_point_offsets Fixes out of array read Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 2f440a6daf..5bba4bb8c1 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -2391,7 +2391,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); - int offset; + int64_t offset; int startheader, cmpt = 0; int i, j, res = 0; @@ -2432,6 +2432,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; + if (length < offset) { + av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); + res = AVERROR_INVALIDDATA; + goto error; + } s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; @@ -2458,6 +2463,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; From 551e18aa920585ffaa1562a9b6438abcf57193e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 20:52:39 +0100 Subject: [PATCH 550/700] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() Fixes out of array access Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ceceda36dc..015a4fec27 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c 
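Review bot: `ret` and `arg` come from `av_malloc_array()` and no NULL check is visible in these hunks, while the third hunk reads `ret[i]` in the summing loop. Now that the function has an `error:` label that frees both, an early `if (!ret || !arg) { res = AVERROR(ENOMEM); goto error; }` after the declarations would fit the new structure. Most of the body between the declarations and the label is outside the hunks, so such a check may already exist there.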
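Review bot: The new guard `if (length < offset)` rejects an offset past the end of the NAL but not a negative one. `offset` is built by adding `entry_point_offset[...] - cmpt`, and if either term can push it below zero (their types and ranges are not visible here), `length - offset` becomes larger than `length` and is stored as the segment size. `if (offset < 0 || length < offset) {` would cover both directions at no cost. The check also covers only the last entry; the loop that fills the earlier `size[]`/`offset[]` entries is outside the hunk and may need the same test.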
@@ -555,6 +555,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); From 6bc2f5cc0b23227e5a77636d77772eb132c222e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 21:02:13 +0100 Subject: [PATCH 551/700] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() Signed-off-by: Michael Niedermayer (cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 015a4fec27..925adea13b 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -540,6 +540,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, uint16_t border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; From f9d6d02fd1d6ea4e98d7f115232d797e68096fb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 22:45:46 +0100 Subject: [PATCH 552/700] avcodec/hevc_cabac: Fix multiple integer overflows Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 3862df7bdf..9fe99da8f5 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c 
@@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { - ret += 1 << k; + ret += 1U << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return 0; + } while (k--) ret += get_cabac_bypass(&s->HEVClc->cc) << k; return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); @@ -1025,8 +1027,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) + if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); From d8c0546ecdb0514cbc44a4ec656563710dd8b25a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 23:33:03 +0100 Subject: [PATCH 553/700] avcodec/hevc: allocate entries unconditionally Fixes out of array access Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a) Signed-off-by: Michael Niedermayer Conflicts: libavcodec/hevc.c --- libavcodec/hevc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 5bba4bb8c1..54f0accb60 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
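Review bot: On `k == CABAC_MAX_BIN` mvd_decode() now logs and returns 0, which is also a valid decoded value, so the caller cannot tell a corrupted stream from a zero motion vector difference; coeff_abs_level_remaining_decode() in the next hunk does the same with `prefix`. That avoids the oversized shift, but decoding continues on data already known to be bad. If the signature has to stay, a comment at both returns such as `/* corrupt stream: 0 is an in-band fallback, the error is only logged */` would record that this is deliberate. `ret += 1U << k` removes the signed shift, but `ret` is declared above the hunk and, if it is a plain `int`, the accumulated sum still depends on `CABAC_MAX_BIN` (defined elsewhere) being small enough.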
@@ -2395,11 +2395,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int startheader, cmpt = 0; int i, j, res = 0; + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { - ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - - for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); From 2b9e849c37124ce571c8697a10b6b6124c4c2840 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 00:23:54 +0100 Subject: [PATCH 554/700] avcodec/vp3: Clear context on reinitialization failure Fixes null pointer dereference Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 8aca83ae09..7df406ca2e 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2010,17 +2010,19 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } From 6e28d0d0475f986eeaac307a433a60aa1a442b67 Mon Sep 17 00:00:00 2001 
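Review bot: The return value of `ff_alloc_entries()` is dropped, and the call now runs on every invocation rather than once. As far as I know it returns an AVERROR code when its allocation fails, so `res = ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);` followed by `if (res < 0) goto error;` would propagate that, using the `error:` label an earlier patch in this series added to this function. Calling it repeatedly also depends on it releasing or reusing the previous allocation, which is not visible here. In the context lines, `s->sList[i] = av_malloc(sizeof(HEVCContext));` is followed directly by `memcpy(s->sList[i], s, sizeof(HEVCContext));` with no NULL check.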
From: Michael Niedermayer Date: Sat, 28 Nov 2015 17:26:05 +0100 Subject: [PATCH 555/700] avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() Fixes integer overflow Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index ad61ac37e7..7deb777a1f 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3068,8 +3068,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) if (enc->sample_aspect_ratio.num) { av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", From e5d162ae9bd59711cd945c7b4b3dc85d896208bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 20:08:46 +0100 Subject: [PATCH 556/700] avcodec/utils: Clear dimensions in ff_get_buffer() on failure Fixes out of array access Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7deb777a1f..e70c464126 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -1028,8 +1028,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); - if (ret < 0) + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->width = frame->height = 0; + } return ret; } From 439452a851f025d50ceef813c1c02d09baf5b0e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:40:32 +0100 Subject: [PATCH 557/700] avformat/dump: Fix integer overflow in av_dump_format() Fixes part of mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index df102e6c65..71bb5bd057 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -444,7 +444,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; - int64_t duration = ic->duration + 5000; + int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us = duration % AV_TIME_BASE; mins = secs / 60; From 60369668ca34a85f784cd221b0fcecd9ae5e7f97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:41:43 +0100 Subject: [PATCH 558/700] avutil/integer: Fix av_mod_i() with negative dividend Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0dc6e..6d6855fa1b 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c 
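Review bot: In av_dump_format(), `secs` is declared `int` but receives `duration / AV_TIME_BASE`, a 64-bit quotient, so the durations this patch is concerned with (close to INT64_MAX) are still truncated on that assignment even though the addition no longer overflows. Declaring `int64_t secs` and deriving `mins` and `hours` from it would make the printed value meaningful; the format string that prints them is outside the hunk and would need matching specifiers. The ternary also drops the 5000 rounding term instead of saturating, which is harmless for display but deserves a short comment.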
@@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = "_temp; + if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { + a = av_mod_i(quot, av_sub_i(zero_i, a), b); + *quot = av_sub_i(zero_i, *quot); + return av_sub_i(zero_i, a); + } + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); From 582a6035bc8d36565821c020187fa6b86f40ef94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:44:23 +0100 Subject: [PATCH 559/700] avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd The code expects actual positive numbers and gives completely wrong results if INT64_MIN is treated as positive Instead clip it into the valid range that is add 1 and treat it as negative Signed-off-by: Michael Niedermayer (cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc3f0..b1ffd652de 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } - if (a < 0 && a != INT64_MIN) - return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); + if (a < 0) + return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; From 73870147f85508299f2bc557a5320d71204b64b5 Mon Sep 17 00:00:00 2001 
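Review bot: The negative-dividend branch added to av_mod_i() recurses on `av_sub_i(zero_i, a)` and relies on that negation producing a non-negative value. If AVInteger is a fixed-width two's-complement number, as the sign test on the top 16-bit word suggests, the most negative value negates to itself, the branch is taken again and the recursion never terminates. Making the precondition explicit before the recursive call would catch this, for example `AVInteger na = av_sub_i(zero_i, a);` followed by `av_assert2((int16_t)na.v[AV_INTEGER_SIZE-1] >= 0);`. The remainder of av_mod_i() lies outside the hunk.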
From: Michael Niedermayer Date: Sun, 29 Nov 2015 23:44:40 +0100 Subject: [PATCH 560/700] avcodec/mpeg4videodec: Check available data before reading custom matrix Fixes: out of array read Fixes: 76c515fc3779d1b838667c61ea13ce92/asan_heap-oob_1fc0d07_8913_794a4629a264ebdb25b58d3a94ed1785.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 891dc8f87536ac2ec695c70d081345224524ad99) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 6a2e06acfa..174d60e126 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1874,6 +1874,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; @@ -1897,6 +1901,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; From 9b28bbb10c6b5aee2c8abf9ca3a811f3cdeef269 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Nov 2015 03:32:36 +0100 Subject: [PATCH 561/700] avcodec/vp3: always set pix_fmt in theora_decode_header() Fixes assertion failure Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_7ffff6ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 7df406ca2e..869b6a5f7a 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2299,7 +2299,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ - } + } else + avctx->pix_fmt = AV_PIX_FMT_YUV420P; // align_get_bits(gb); From eff24a1f13b1f5b495e94283c53beeb0531154b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 21:16:27 +0100 Subject: [PATCH 562/700] avcodec/apedec: Check length in long_filter_high_3800() Fixes out of array read Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 577d0aa260..7893bc320f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -905,6 +905,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int i, j; int32_t dotprod, sign; + if (order >= length) + return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; From 238c7c8276e5a3819f92f91f87abcf619007e788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 13:32:31 +0100 Subject: [PATCH 563/700] avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows Fixes integer overflow Fixes: mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index b1ffd652de..4d8467b8c8 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) } if (a < 0) - return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); + return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; - else - return a / c * b + (a % c * b + r) / c; + else { + int64_t ad = a / c; + int64_t a2 = (a % c * b + r) / c; + if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + return INT64_MIN; + return ad * b + a2; + } } else { #if 1 uint64_t a0 = a & 0xFFFFFFFF; @@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } + if (t1 > INT64_MAX) + return INT64_MIN; return t1; } #else From c8ca4b32754265f5a06dc59d77f88eed07ff141d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2015 03:14:11 +0100 Subject: [PATCH 564/700] avutil/timecode: Fix fps check The fps variable is explicitly set to -1 in case of some errors, the check must thus be signed or the code setting it needs to use 0 as error code the type of the field could be changed as well but its in an installed header Fixes: integer overflow Fixes: 9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040868..bf463ed515 100644 
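Review bot: The overflow test added in the `else` branch of av_rescale_rnd() divides by `b` in `ad > (INT64_MAX - a2) / b`, and nothing in the hunk excludes `b == 0`. With a small `c` the first operand `ad >= INT32_MAX` can be true, so the division would then run with a zero divisor. Short-circuiting on `b` avoids it: `if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)`. The argument checks at the top of the function are outside the hunk, so whether zero is already rejected there should be confirmed.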
--- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { - if (tc->fps <= 0) { + if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } From cfd1bc581099d403b4a70981f508252f3a2e3e31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Sat, 28 Nov 2015 08:27:39 +0200 Subject: [PATCH 565/700] mpegencts: Fix overflow in cbr mode period calculations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ts->mux_rate is int (signed 32-bit) type. The period calculations will start to overflow when mux_rate > 5mbps. This fixes overflows by converting first to 64-bit type. Fixes #5044. Signed-off-by: Timo Teräs Signed-off-by: Michael Niedermayer (cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index a32c6d6787..fd23430659 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -739,11 +739,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { - service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / + service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); - ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / + ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); - ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / + ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) From f41c1d3bfeca1b9dfbf2c3735f0f2f3ed6591632 Mon Sep 17 00:00:00 2001 
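Review bot: The cast in `if ((int)tc->fps <= 0)` in check_timecode() looks redundant unless the reader knows that `fps` is apparently an unsigned field that other code sets to -1 on error. That is explained only in the commit message. A comment above the test, such as `/* fps is unsigned in the installed header but is set to -1 on error, so compare as signed */`, would keep the cast from being cleaned away later.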
From: Michael Niedermayer Date: Fri, 4 Dec 2015 12:47:20 +0100 Subject: [PATCH 566/700] avcodec/vp3: Fix "runtime error: left shift of negative value" Fixes: 5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_7ffff6ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 869b6a5f7a..44291f205f 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -206,8 +206,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at From c108dfc6ccd81002dc5d9dd3e7dc996eb3df4d9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:06:16 +0100 Subject: [PATCH 567/700] avformat/smacker: fix integer overflow with pts_inc Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 5dcf4adafe..de8bbdb07a 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c 
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); + if (smk->pts_inc > INT_MAX / 100) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); + return AVERROR_INVALIDDATA; + } + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; From 4b77e0a33ee73da1d1c0f4182b4c81ac0450c87a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:11:23 +0100 Subject: [PATCH 568/700] avcodec/wmaprodec: Fix overflow of cutoff Fixes: 129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_7ffff6ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index a94da0f67c..fe3adb2df0 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -477,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; - int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) + int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } From 38c1ab17ea7e7074bd178f9994a41ded030b21c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:48:06 +0100 Subject: [PATCH 569/700] avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows Fixes: 549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_7ffff6ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
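Review bot: The bound added for `smk->pts_inc` in smacker_read_header() covers only the positive side, although the value is read through `(int32_t)` and can be negative. How negative values are used is outside the hunk. If they are negated further down, INT_MIN would overflow there and should be rejected at the same point: `if (smk->pts_inc > INT_MAX / 100 || smk->pts_inc == INT_MIN) {`. The function continues past the end of the hunk.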
Signed-off-by: Michael Niedermayer (cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index fe3adb2df0..fb4e1e3815 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags = AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + + if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { + avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); + return AVERROR_PATCHWELCOME; + } + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) av_dlog(avctx, "[%x] ", avctx->extradata[i]); From 752a6591b2dbc0edcbf19eec8a5ff509e097fbc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:11:54 +0100 Subject: [PATCH 570/700] avcodec/dirac_parser: Fix potential overflows in pointer checks Signed-off-by: Michael Niedermayer (cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 83c35a2010..12f1a60145 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { - uint8_t *start = pc->buffer + offset; - uint8_t *end = pc->buffer + pc->index; - if (start < pc->buffer || (start + 13 > end)) + int8_t *start; + + if (offset < 0 || pc->index - 13 < offset) return 0; + + start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); From 87dbcf7cd28e4c3b2e17c653b580f19c8566b0ec Mon Sep 17 00:00:00 2001 
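Review bot: `start` in unpack_parse_unit() is now declared `int8_t *`, whereas the removed line had `uint8_t *start`, so the parse-unit bytes are read through a signed type. A byte of 0x80 or above at `start[4]` then becomes a negative value before it is stored in `pu->pu_type`. The assignment from `pc->buffer + offset` presumably also mixes pointer signedness, though the buffer's declaration is not in the hunk. Keeping `uint8_t *start;` preserves the previous reads while leaving the new integer-based range check as it is. The function continues past the end of the hunk.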
From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:14:36 +0100 Subject: [PATCH 571/700] avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset Signed-off-by: Michael Niedermayer (cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 12f1a60145..c7c4b697c8 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -114,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; + if (pu->next_pu_offset && pu->next_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); + return 0; + } + if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); + return 0; + } + return 1; } From 9ce8308ee3641f2cfc95a9fa7963b21f24f24302 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:15:38 +0100 Subject: [PATCH 572/700] avcodec/dirac_parser: Check that there is a previous PU before accessing it Fixes out of array read Fixes: 99d142c47e6ba3510a74b872a1a2ae72/asan_heap-oob_11b36f4_3811_0f5c69e7609a88a580135678de1df844.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a08681f1e614152184615e2bcd71c3d63835f810) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index c7c4b697c8..1ca7e31f1c 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c 
@@ -201,7 +201,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, } /* Get the picture number to set the pts and dts*/ - if (parse_timing_info) { + if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; int pts = AV_RB32(cur_pu + 13); From 5c0be549efc2fcf13a2ebcb86920841958a6c445 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 22:08:59 +0100 Subject: [PATCH 573/700] avcodec/hevc: Fix integer overflow of entry_point_offset Fixes out of array read Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 214085852491448631dcecb008b5d172c11b8892) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 ++-- libavcodec/hevc.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 54f0accb60..ae47ba0c55 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -696,7 +696,7 @@ static int hls_slice_header(HEVCContext *s) av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); - sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); + sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { 
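Review bot: The allocation in hls_slice_header() spells the element type by hand as `sizeof(unsigned)`, so it has to be kept in step with the `unsigned *entry_point_offset` declaration that the same commit changes in hevc.h. Writing `sizeof(*sh->entry_point_offset)` ties the element size to the pointer and removes that coupling. The `sh->offset` and `sh->size` lines directly below would benefit from the same form. hls_slice_header() starts and ends outside the hunk.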
@@ -2392,7 +2392,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int64_t offset; - int startheader, cmpt = 0; + int64_t startheader, cmpt = 0; int i, j, res = 0; ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 564e66e3e6..40beb52884 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -607,7 +607,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand - int *entry_point_offset; + unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; From 5b41c961469a17efe2c2035935f45db74bc4a161 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:44:05 +0100 Subject: [PATCH 574/700] swscale/utils: Fix for runtime error: left shift of negative value -1 Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 475c3ed85d..4d91f2d4a8 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -380,7 +380,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { From e4f90cbd0dd0b222fa71d7d75de14f901c0b794c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:38:12 +0100 Subject: [PATCH 575/700] avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f2419888ba49245761f4ab343679c38e7880cfe) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 36f1f8265a..3c39e7ac63 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -33,7 +33,7 @@ #include "libavutil/imgutils.h" #include "libavutil/opt.h" -#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b)) +#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b)) #define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch #define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch #define MAX_OBJECT_REFS 2 // Max objects per display set From f217aca5ba799ad597d19b66ff769c323c4e6fa6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 16:23:24 +0100 Subject: [PATCH 576/700] avcodec/jpeg2000dec: Check bpno in decode_cblk() Fixes: undefined shift Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index ae0c9bb82e..39e99cc295 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
@@ -1081,6 +1081,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data); while (passno--) { + if (bpno < 0) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + return AVERROR_INVALIDDATA; + } switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, From 4a91e424dae80c2ca63e616a65259ad039af4a9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 22:59:56 +0100 Subject: [PATCH 577/700] avcodec/vp3: ensure header is parsed successfully before tables Fixes assertion failure Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_7ffff6ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 44291f205f..14f9e3f548 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; - int theora, theora_tables; + int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -2240,6 +2240,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2323,6 +2324,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } + s->theora_header = 1; return 0; } 
@@ -2331,6 +2333,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; + if (!s->theora_header) + return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ From f0ae57aca4c9e72be050d8d2c100580094ada75f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 13:42:05 +0100 Subject: [PATCH 578/700] avcodec/hevc: Check max ctb addresses for WPP Fixes out of array read Fixes: 2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0) Signed-off-by: Michael Niedermayer Conflicts: libavcodec/hevc.c Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index ae47ba0c55..5735e68351 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2395,6 +2395,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int64_t startheader, cmpt = 0; int i, j, res = 0; + if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) { + av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", + s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, + s->sps->ctb_width, s->sps->ctb_height + ); + res = AVERROR_INVALIDDATA; + goto error; + } + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { From ffe40ef9b4942b4be4e82f1cb31f2b41ab2c1685 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Dec 2015 02:31:14 +0100 Subject: [PATCH 579/700] Update Changelog 
Signed-off-by: Michael Niedermayer --- Changelog | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/Changelog b/Changelog index 8deb149426..e1c1d57634 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,41 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 2.5.9 +- avcodec/hevc: Check max ctb addresses for WPP +- avcodec/vp3: ensure header is parsed successfully before tables +- avcodec/jpeg2000dec: Check bpno in decode_cblk() +- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int +- swscale/utils: Fix for runtime error: left shift of negative value -1 +- avcodec/hevc: Fix integer overflow of entry_point_offset +- avcodec/dirac_parser: Check that there is a previous PU before accessing it +- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset +- avcodec/dirac_parser: Fix potential overflows in pointer checks +- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows +- avcodec/wmaprodec: Fix overflow of cutoff +- avformat/smacker: fix integer overflow with pts_inc +- avcodec/vp3: Fix "runtime error: left shift of negative value" +- mpegencts: Fix overflow in cbr mode period calculations +- avutil/timecode: Fix fps check +- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows +- avcodec/apedec: Check length in long_filter_high_3800() +- avcodec/vp3: always set pix_fmt in theora_decode_header() +- avcodec/mpeg4videodec: Check available data before reading custom matrix +- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd +- avutil/integer: Fix av_mod_i() with negative dividend +- avformat/dump: Fix integer overflow in av_dump_format() +- avcodec/utils: Clear dimensions in ff_get_buffer() on failure +- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() +- avcodec/vp3: Clear context on reinitialization failure +- avcodec/hevc: allocate entries unconditionally +- avcodec/hevc_cabac: Fix multiple integer overflows +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() +- 
avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() +- avcodec/hevc: Check entry_point_offsets +- avcodec/cabac: Check initial cabac decoder state +- avcodec/cabac_functions: Fix "left shift of negative value -31767" +- avcodec/ffv1dec: Clear quant_table_count if its invalid +- avcodec/ffv1dec: Print an error if the quant table count is invalid +- doc/filters/drawtext: fix centering example - avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized - avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup - rtmpcrypt: Do the xtea decryption in little endian mode From d52b5f85f2837b0de9bdefe2a650d8d1b0e02ec1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 21:52:23 +0100 Subject: [PATCH 580/700] mjpegdec: consider chroma subsampling in size check If the chroma components are subsampled, smaller buffers are allocated for them. In that case the maximal block_offset for the chroma components is not as large as for the luma component. This fixes out of bounds writes causing segmentation faults or memory corruption. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a1141e7147..d2624f0c4d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1222,7 +1222,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int mb_bitmask_size, const AVFrame *reference) { - int i, mb_x, mb_y; + int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height; uint8_t *data[MAX_COMPONENTS]; const uint8_t *reference_data[MAX_COMPONENTS]; int linesize[MAX_COMPONENTS]; 
@@ -1239,6 +1239,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->restart_count = 0; + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift, + &chroma_v_shift); + chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift); + chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift); + for (i = 0; i < nb_components; i++) { int c = s->comp_index[i]; data[c] = s->picture_ptr->data[c]; @@ -1275,8 +1280,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - if ( 8*(h * mb_x + x) < s->width - && 8*(v * mb_y + y) < s->height) { + if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width) + && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) { ptr = data[c] + block_offset; } else ptr = NULL; From f8b83cfa1c8504f3f43a0e8d05bd6d3ac689bf7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:06:04 +0100 Subject: [PATCH 581/700] swscale/x86/rgb2rgb_template: Do not crash on misaligend stride Fixes Ticket5013 Signed-off-by: Michael Niedermayer (cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c) --- libswscale/x86/rgb2rgb_template.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e9b131e033..03153fd573 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,8 +1887,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16 #if COMPILE_TEMPLATE_SSE2 + && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" 
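Review bot: The bounds test in mjpeg_decode_scan() repeats `(c == 1) || (c == 2) ? chroma_width : s->width` and its height twin inside the per-block code, and it hard-codes which component indices count as chroma without saying so. Computing the limits once per component would make the condition readable, for example `int max_w = (c == 1 || c == 2) ? chroma_width : s->width;` and the matching `max_h`. A comment should state that components 1 and 2 use the subsampled plane size. The loops enclosing the test are only partly visible in the hunk.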
@@ -1908,6 +1910,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" From dbc37977793bb21f3b2dd3fe8f21b701d617aed5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:50:20 +0100 Subject: [PATCH 582/700] swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* This also as a sideeffect fixes the non aligned case Signed-off-by: Michael Niedermayer (cherry picked from commit a066ff89bcbae6033c2ffda9271cad84f6c1b807) --- libswscale/x86/rgb2rgb_template.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 03153fd573..6f218ddbb7 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,10 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16 + if (width >= 16) { #if COMPILE_TEMPLATE_SSE2 - && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) - ) + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1909,8 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); -#else - ) + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1936,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; 
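Review bot: In the restructured interleaveBytes, the SSE2 branch ends in `} else` immediately before `#endif`, so the MMX `__asm__(…)` is the unbraced body of that `else` in SSE2 builds and a plain statement in the others. That works today, but a statement later inserted before the `__asm__` would become the else-body in only one configuration. Bracing the fallback (`} else`, `#endif`, then `{ __asm__( … ); }`) keeps both builds structurally identical. The alignment test is a bit mask rather than arithmetic, so casting through `uintptr_t` instead of `intptr_t` would state that more directly. The function starts and ends outside these hunks.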
From cc77012329f0b68373f6fadc2fda19e0d1f661cb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 22:47:12 +0100 Subject: [PATCH 583/700] ffmdec: reject zero-sized chunks If size is zero, avio_get_str fails, leaving the buffer uninitialized. This causes invalid reads in av_set_options_string. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a611375db532c3d5363d97b10fadd0211811a4fd) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 57df43b912..87cf546fbc 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -414,7 +414,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): - if (f_stvi++) { + if (f_stvi++ || !size) { ret = AVERROR(EINVAL); goto fail; } @@ -429,7 +429,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): - if (f_stau++) { + if (f_stau++ || !size) { ret = AVERROR(EINVAL); goto fail; } From 26b74a7213bf720f2818e9b5e8c8359cbadf9207 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Dec 2015 18:13:07 +0100 Subject: [PATCH 584/700] aaccoder: prevent crash of anmr coder If minq is negative, the range of sf_idx can be larger than SCALE_MAX_DIFF allows, causing assertion failures later in encode_scale_factors. Reviewed-by: Claudio Freire Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51) Signed-off-by: Andreas Cadhalpun --- libavcodec/aaccoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 5bf6a9c155..4b915da2c1 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c 
@@ -691,7 +691,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s, } while (idx) { sce->sf_idx[bandaddr[idx]] = minq + q0; - minq = paths[idx][minq].prev; + minq = FFMAX(paths[idx][minq].prev, 0); idx--; } //set the same quantizers inside window groups From 5478e7bbc106b5781b7a49429b2b9db0f2d4f378 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 14 Dec 2015 22:11:55 +0100 Subject: [PATCH 585/700] ffm: reject invalid codec_id and codec_type A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation. This can cause NULL pointer dereferencing in try_decode_frame. Also make sure the codec_type matches the expected one for codec_id. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 87cf546fbc..b1cc14a0bd 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -267,6 +267,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int ret; int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1; AVCodec *enc; 
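Review bot: The `FFMAX(…, 0)` added in search_for_quantizers_anmr (libavcodec/aaccoder.c) clamps a negative `prev` without a comment saying why one can occur. The clamped value feeds both `sce->sf_idx[…] = minq + q0` and the index `paths[idx][minq]` on the next iteration. A line such as `/* a negative prev would push sf_idx outside the range SCALE_MAX_DIFF allows (asserted in encode_scale_factors) */` would record the reason given in the commit message next to the code. The value of `minq` on entry to the loop is set outside the hunk, so it is worth confirming that it cannot be negative on the first iteration either.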
@@ -321,7 +322,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); @@ -469,6 +483,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -506,7 +521,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); /* codec_type */ + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); From 31d6900161221f6b83b76aa85221de49b7adbf32 Mon Sep 17 00:00:00 2001 
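Review bot: Both new rejection paths in ffm2_read_header (libavformat/ffmdec.c) do `goto fail` without assigning `ret`, while the other error paths shown for this function in the same series set `ret = AVERROR(EINVAL)` first. The `fail` label is outside the hunk. If it returns `ret`, an invalid codec id or a type mismatch would return whatever `ret` last held, possibly a non-error value. Adding `ret = AVERROR_INVALIDDATA;` before each `goto fail` removes the doubt. The same validation is duplicated verbatim in ffm_read_header (`@@ -506,7 +521,20 @@`), so a small static helper taking `s` and `codec` would keep the two copies from drifting apart.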
From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 22:00:31 +0100 Subject: [PATCH 586/700] opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced) Signed-off-by: Andreas Cadhalpun --- libavcodec/opus_silk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 7a89479fb9..4c64cdfce6 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) - max_center -= min_delta[k]; + max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ From 46e7a63b6e011b47d87b54659b2a3799056e5753 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 23:43:03 +0100 Subject: [PATCH 587/700] sonic: make sure num_taps * channels is not larger than frame_size If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80) Signed-off-by: Andreas Cadhalpun --- libavcodec/sonic.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c5076f9d8e..ab947c47b0 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c 
@@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; + if (s->num_taps * s->channels > s->frame_size) { + av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); From 105be66545ec3fa250e3a4e4792b097cec7f62a1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 16:48:19 +0100 Subject: [PATCH 588/700] on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun --- libavcodec/on2avc.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 7d2e81a57f..15b75e6b09 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; - while (get_bits1(gb)) v++; + while (get_bits1(gb)) { + v++; + if (v > 30) { + av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); + v = 30; + break; + } + } - return (1 << v) + get_bits(gb, v); + return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, From 79d75f1554de110d020a8035c86458a80dd7d773 Mon Sep 17 00:00:00 2001 
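Review bot: The clamp added to get_egolomb (libavcodec/on2avc.c) logs with `av_log(NULL, AV_LOG_WARNING, …)` and then continues decoding with `v = 30`, so a malformed stream yields an arbitrary large value the caller cannot tell apart from a valid code. The warning is also emitted once per offending code and has no context pointer, which lets a crafted file flood the log with lines that cannot be attributed to a stream. The function takes only a `GetBitContext`, so reporting an error would need a signature change outside this hunk. At minimum the log level could be lowered and a comment added: `/* codes longer than 30 bits do not fit in int; value is clamped, not rejected */`.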
From: Andreas Cadhalpun Date: Sun, 13 Dec 2015 23:17:09 +0100 Subject: [PATCH 589/700] exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0e62f4e2d7..9088581b91 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ - if (out + cs > oe) \ + if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; - get_code(pl.p[j], rlc, c, lc, gb, out, oe); + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } @@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } From 0f1e398874399ddf0586b54735d8c85ff1228c85 Mon Sep 17 00:00:00 2001 
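Review bot: The bounds test in the get_code macro (libavcodec/exr.c) still forms `out + cs` before comparing it with `oe`, so when `cs` exceeds the space left the pointer is computed past the end of the buffer, which is undefined behaviour before the comparison happens. The types of `out` and `cs` are declared outside the hunk, so the practical impact is not visible here. Comparing lengths avoids the issue: `if (cs > oe - out || out == outb)`. As a multi-statement macro that returns from the enclosing function, get_code would also be easier to audit as a `static inline` helper returning an error code.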
From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 15:18:47 +0100 Subject: [PATCH 590/700] nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index cd1da9f13e..a28c632977 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1069,7 +1069,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; - memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); + if (nut->header[header_idx]) + memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; From 882391f9758ea13643639e21de81e3f7978b0695 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 19:28:51 +0100 Subject: [PATCH 591/700] xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun --- libavcodec/xwddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdace16..18b1f93d2e 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c 
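Review bot: The new `if (nut->header[header_idx])` guard in decode_frame (libavformat/nutdec.c) tests the pointer, while the packet just above it is still allocated with `size + nut->header_len[header_idx]` bytes. If a NULL header can ever be paired with a non-zero length, the copy is skipped silently and the first `header_len` bytes of `pkt->data` stay uninitialized. Whether that pairing is excluded when the header table is parsed is not visible in this hunk. Guarding on the length instead, `if (nut->header_len[header_idx])`, states the invariant the ubsan report is about. The function continues outside the hunk.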
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { + if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } From 2db78f83bad187012f446ca43f6edcb845e7f513 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 12:02:56 +0100 Subject: [PATCH 592/700] nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index a28c632977..6ace90abcb 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -872,7 +872,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int get_str(bc, type_str, sizeof(type_str)); value_len = ffio_read_varlen(bc); - if (avio_tell(bc) + value_len >= maxpos) + if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); From 94711d3719a1d829d7381e7a317f108b97e4f795 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:44:53 +0100 Subject: [PATCH 593/700] mlvdec: check that index_entries exist This fixes NULL pointer dereferencing. Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4) Signed-off-by: Andreas Cadhalpun --- libavformat/mlvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 8db41e565e..e6400dad10 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -363,6 +363,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) From 06edade7ee8a33e26e8c4b8919fde61f492c213c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:45:06 +0100 Subject: [PATCH 594/700] rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7) Signed-off-by: Andreas Cadhalpun --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 647dfa9a0a..568553923b 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c 
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); - if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) { + if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(&frame->buf[0]); return AVERROR(EINVAL); From eca27eeea95f906c7d887cd98e5406e8531f1e44 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 20:52:39 +0100 Subject: [PATCH 595/700] nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun --- libavformat/nuv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index e7f0eeae8e..f1bc93e2f8 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0.9999 && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); + if (fps < 0.0f) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); + return AVERROR_INVALIDDATA; + } else { + av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); + fps = 0.0f; + } + } // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); From 8cd0e23be83d7967ce6d0c1e933e1bd0819c8cb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2015 23:21:33 +0100 Subject: [PATCH 596/700] avcodec/mpeg4videodec: also for empty partitioned slices Fixes assertion failure Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v Found-by: Andreas Cadhalpun 
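Review bot: The widened condition in raw_decode (libavcodec/rawdec.c) now lets a packet shorter than `len` through only for the `BIT\0` tag combined with `need_copy`, but nothing on the line says why that combination is safe. A comment such as `/* short BIT0 packets are tolerated only when the data is copied into a full-size buffer */` would keep the exemption from being widened again by mistake. The copy itself is outside the hunk, so it is worth confirming that it is bounded by `buf_size` rather than by `len`.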
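Review bot: The new test `if (fps < 0.0f)` in nuv_header (libavformat/nuv.c) is false for NaN, so a NaN bit pattern read through `av_int2double(avio_rl64(pb))` passes the check unchanged, as does positive infinity. Writing the test as `if (!(fps >= 0.0))` rejects NaN along with negative values. How `fps` is used afterwards is outside the hunk, so whether an upper bound is also needed cannot be judged from here. `fps` is assigned from a double, so the float literals `0.0f` are better written as `0.0`.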
Signed-off-by: Michael Niedermayer (cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 174d60e126..526e0e347c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -881,7 +881,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); - if (mb_num < 0) { + if (mb_num <= 0) { ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; From 4bcbeaa337ea18b57868bd62f24e735bbaac667c Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 8 Jan 2016 12:08:56 -0300 Subject: [PATCH 597/700] x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse Reviewed-by: Christophe Gisquet Signed-off-by: James Almer (cherry picked from commit dc79824deb6ac0ce236589c618744b33629201cd) --- libavutil/x86/float_dsp.asm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/x86/float_dsp.asm b/libavutil/x86/float_dsp.asm index ec3d22b230..c4484a28e6 100644 --- a/libavutil/x86/float_dsp.asm +++ b/libavutil/x86/float_dsp.asm @@ -332,10 +332,10 @@ VECTOR_FMUL_REVERSE ; float scalarproduct_float_sse(const float *v1, const float *v2, int len) INIT_XMM sse cglobal scalarproduct_float, 3,3,2, v1, v2, offset + shl offsetd, 2 + add v1q, offsetq + add v2q, offsetq neg offsetq - shl offsetq, 2 - sub v1q, offsetq - sub v2q, offsetq xorps xmm0, xmm0 .loop: movaps xmm1, [v1q+offsetq] From 5d865cb375c49227d3966858728908ad1d1044f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 17:39:38 +0100 Subject: [PATCH 598/700] avutil/mathematics: Fix division by 0 Fixes: CID1341571 
Signed-off-by: Michael Niedermayer (cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 4d8467b8c8..78a87d8457 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -90,7 +90,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) else { int64_t ad = a / c; int64_t a2 = (a % c * b + r) / c; - if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b) return INT64_MIN; return ad * b + a2; } From 65e7ad746fab4320235a04a8ba274ed40bcafa95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 16:16:46 +0100 Subject: [PATCH 599/700] avformat/matroskaenc: Check codecdelay before use Fixes CID1238790 Signed-off-by: Michael Niedermayer (cherry picked from commit e6971db12b8ae49712b77378fa8141de4904082b) Signed-off-by: Michael Niedermayer --- libavformat/matroskaenc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index fe81e119eb..ee90c31a3c 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -881,14 +881,18 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, } if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && codec->codec_id == AV_CODEC_ID_OPUS) { + int64_t codecdelay = av_rescale_q(codec->initial_padding, + (AVRational){ 1, codec->sample_rate }, + (AVRational){ 1, 1000000000 }); + if (codecdelay < 0) { + av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n"); + return AVERROR(EINVAL); + } // mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding, // (AVRational){ 1, codec->sample_rate }, // st->time_base); - put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, - av_rescale_q(codec->initial_padding, - (AVRational){ 1, codec->sample_rate }, - (AVRational){ 1, 1000000000 })); + put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay); } if (codec->codec_id == AV_CODEC_ID_OPUS) { put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL); From 50aacb334a341b941603f22b3a0d841046dc4887 Mon Sep 17 00:00:00 2001 From: Rainer Hochecker Date: Sun, 15 Nov 2015 13:58:50 +0100 Subject: [PATCH 600/700] avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec Fixes a mpegts file with hevc that fails estimating duration. Increasing number of retries fixes the issue. Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3413a7ff50..b116a45c75 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2361,7 +2361,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 250000LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) 
From 07b96325311bcc5f79f02a2ff20e6f54b3c4a459 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2015 16:13:22 +0100 Subject: [PATCH 601/700] avformat/mxfenc: Do not crash if there is no packet in the first stream Fixes: Ticket4914 Signed-off-by: Michael Niedermayer (cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 36503f3d19..7607f959e6 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2122,6 +2122,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { + if (!mxf->edit_units_count) { + av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); + return AVERROR_PATCHWELCOME; + } mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } From 75e4949ec128ac0cc9e0c4648da27adbbcbebad4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Dec 2015 18:56:13 +0100 Subject: [PATCH 602/700] avfilter/vf_mpdecimate: Add missing emms_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mpdecimate.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 3ed96024c3..94c9e0bd9d 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -120,10 +120,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), - FF_CEIL_RSHIFT(ref->height, vsub))) + FF_CEIL_RSHIFT(ref->height, vsub))) { + emms_c(); return 0; + } } + emms_c(); return 1; } 
From a5b4b807757fda3dc920d4b23599f8391c21409b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2015 21:59:42 +0100 Subject: [PATCH 603/700] avcodec/h264_refs: Fix long_idx check Fixes out of array read Fixes mozilla bug 1233606 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 045f1846d3..d0a902c06e 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -283,7 +283,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h) long_idx = pic_num_extract(h, pic_id, &pic_structure); - if (long_idx > 31) { + if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; From c1521dd418db3ad63019a7f7f2bbc985a3adf31c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2015 21:46:15 +0100 Subject: [PATCH 604/700] swscale/utils: Fix intermediate format for cascaded alpha downscaling Fixes Ticket4926 Signed-off-by: Michael Niedermayer (cherry picked from commit b83d8be6bff7d645469a623aee0b380541da15cf) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 4d91f2d4a8..b496b8f525 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1521,6 +1521,9 @@ fail: // FIXME replace things by appropriate error codes int tmpH = sqrt(srcH * (int64_t)dstH); enum AVPixelFormat tmpFormat = AV_PIX_FMT_YUV420P; + if (isALPHA(srcFormat)) + tmpFormat = AV_PIX_FMT_YUVA420P; + if (srcW*(int64_t)srcH <= 4LL*dstW*dstH) return AVERROR(EINVAL); From f48392197d365f2a3a62e7ee8786fa4e9a41f3e9 Mon Sep 17 00:00:00 2001 
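Review bot: The fix in ff_h264_decode_ref_pic_list_reordering (libavcodec/h264_refs.c) rejects a negative `long_idx` only through the implicit conversion forced by the `31U` literal, which is easy to undo in a later cleanup that drops the suffix. The declaration of `long_idx` is outside the hunk, presumably a signed int. Spelling the intent out, `if (long_idx < 0 || long_idx > 31)` or `if ((unsigned)long_idx > 31)`, keeps the lower bound visible to the next reader.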
From: Andreas Cadhalpun Date: Thu, 31 Dec 2015 16:55:43 +0100 Subject: [PATCH 605/700] mjpegdec: extend check for incompatible values of s->rgb and s->ls This can happen if s->ls changes from 0 to 1, but picture allocation is skipped due to s->interlaced. In that case ff_jpegls_decode_picture could be called even though the s->picture_ptr frame has the wrong pixel format and thus a wrong linesize, which results in a too small zero buffer being allocated. This fixes an out-of-bounds read in ls_decode_line. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7ea2db6eafa0a8a9497aab20be2cfc8742a59072) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d2624f0c4d..67db2bbd14 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -609,7 +609,8 @@ unk_pixfmt: av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len); } - if (s->rgb && !s->lossless && !s->ls) { + if ((s->rgb && !s->lossless && !s->ls) || + (!s->rgb && s->ls && s->nb_components > 1)) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } From 1363d0759df3c6016bcbc30db016e3706ad5e6a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jan 2016 02:41:06 +0100 Subject: [PATCH 606/700] avcodec/put_bits: Always check buffer end before writing This causes a overall slowdown of 0.1 % (tested with mpeg4 single thread encoding of matrixbench at QP=3) Signed-off-by: Michael Niedermayer (cherry picked from commit cccb0ffccc3723acc7aab3a859b24743596dd9c0) Conflicts: libavcodec/put_bits.h --- libavcodec/put_bits.h | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 08f6826ee3..ca4f08668d 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h 
@@ -164,9 +164,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) #ifdef BITSTREAM_WRITER_LE bit_buf |= value << (32 - bit_left); if (n >= bit_left) { - av_assert2(s->buf_ptr+3buf_end); - AV_WL32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WL32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_buf = (bit_left == 32) ? 0 : value >> bit_left; bit_left += 32; } @@ -178,9 +182,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) } else { bit_buf <<= bit_left; bit_buf |= value >> (n - bit_left); - av_assert2(s->buf_ptr+3buf_end); - AV_WB32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WB32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_left += 32 - n; bit_buf = value; } From c3abdd0f44615f0bbfde3ebcd1fddabd23d0b332 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jan 2016 23:22:25 +0100 Subject: [PATCH 607/700] swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions Fixes Ticket4960 Signed-off-by: Michael Niedermayer (cherry picked from commit 1edf129cbc897447a289ca8b045853df5df1bab3) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index b496b8f525..82c8e5e532 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1045,6 +1045,12 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcW, srcH, dstW, dstH); return AVERROR(EINVAL); } + if (flags & SWS_FAST_BILINEAR) { + if (srcW < 8 || dstW < 8) { + flags ^= SWS_FAST_BILINEAR | SWS_BILINEAR; + c->flags = flags; + } + } if (!dstFilter) dstFilter = &dummyFilter; 
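Review bot: In put_bits() (libavcodec/put_bits.h), the new `else` branch at @@ -164 and its big-endian twin at @@ -178 drop the 32-bit word when fewer than four bytes remain. The function is `void` and keeps updating `bit_buf`/`bit_left`, so the caller gets a silently truncated bitstream. `av_assert2(0)` only fires in builds with assert level 2, so in a normal build the only signal is the `av_log(NULL, ...)` line, which has no context and repeats on every overflowing call. The bounds test `3 < s->buf_end - s->buf_ptr` is the right form because it never computes a pointer past the buffer. A comment at the branch would record the contract, for example `/* buffer full: word is discarded, output is truncated; callers must size the buffer so this is unreachable */`. The rest of put_bits() is outside both hunks.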
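Review bot: In sws_init_context() (libswscale/utils.c, @@ -1045), `flags ^= SWS_FAST_BILINEAR | SWS_BILINEAR;` toggles both bits instead of clearing one and setting the other. If a caller passes both flags, the XOR clears both and leaves no bilinear scaler selected. `flags = (flags & ~SWS_FAST_BILINEAR) | SWS_BILINEAR;` states the intent and does not depend on the prior state of `SWS_BILINEAR`. Whether an earlier check already guarantees that exactly one scaler flag is set cannot be seen from this hunk. The threshold `8` would also benefit from a short comment naming the fast-path constraint it protects.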
From d472b83abc765cc84e569b3778c746c6179a5d2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jan 2016 01:06:18 +0100 Subject: [PATCH 608/700] avcodec/h264_slice: Fix integer overflow in implicit weight computation Fixes mozilla bug 1230423 Signed-off-by: Michael Niedermayer (cherry picked from commit 7cc01c25727a96eaaa0c177234b626e47c8ea491) Conflicts: libavcodec/h264_slice.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 57a135efc6..b24978a95a 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -924,7 +924,7 @@ static void implicit_weight_table(H264Context *h, int field) cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF(h) && - h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2 * cur_poc) { + h->ref_list[0][0].poc + (int64_t)h->ref_list[1][0].poc == 2 * cur_poc) { h->use_weight = 0; h->use_weight_chroma = 0; return; @@ -945,7 +945,7 @@ static void implicit_weight_table(H264Context *h, int field) h->chroma_log2_weight_denom = 5; for (ref0 = ref_start; ref0 < ref_count0; ref0++) { - int poc0 = h->ref_list[0][ref0].poc; + int64_t poc0 = h->ref_list[0][ref0].poc; for (ref1 = ref_start; ref1 < ref_count1; ref1++) { int w = 32; if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { From 1b3dffc0c7ff260e296573a0977735fe9e60d273 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jan 2016 14:41:04 +0100 Subject: [PATCH 609/700] avcodec/motion_est: Fix mv_penalty table size Fixes out of array read Found-by: Tyson Smith 
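Review bot: In implicit_weight_table() (libavcodec/h264_slice.c, @@ -924), only the left-hand sum was widened, so the right-hand side `2 * cur_poc` is still evaluated in `int` before the comparison. If `cur_poc` is an `int` (its declaration is outside the hunk), a large POC value from the stream can still overflow there. Use `== 2 * (int64_t)cur_poc` to keep both sides in 64 bits. In the second hunk (@@ -945) `poc0` becomes `int64_t`, but the expressions that consume it lie outside the hunk. It is worth confirming that the matching `poc1` and the differences derived from both are computed in the same width.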
Signed-off-by: Michael Niedermayer (cherry picked from commit 5b4da8a38a5ed211df9504c85ce401c30af86b97) Conflicts: libavcodec/motion_est.h --- libavcodec/ituh263enc.c | 6 +++--- libavcodec/motion_est.c | 16 ++++++++-------- libavcodec/mpeg12enc.c | 6 +++--- libavcodec/mpegvideo.h | 3 ++- libavcodec/mpegvideo_enc.c | 2 +- libavcodec/snowenc.c | 2 +- 6 files changed, 18 insertions(+), 17 deletions(-) diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index 43ad08026f..7a91dc0e86 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -43,7 +43,7 @@ /** * Table of number of bits a motion vector component needs. */ -static uint8_t mv_penalty[MAX_FCODE+1][MAX_MV*2+1]; +static uint8_t mv_penalty[MAX_FCODE+1][MAX_DMV*2+1]; /** * Minimal fcode that a motion vector component would need. @@ -676,7 +676,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) int mv; for(f_code=1; f_code<=MAX_FCODE; f_code++){ - for(mv=-MAX_MV; mv<=MAX_MV; mv++){ + for(mv=-MAX_DMV; mv<=MAX_DMV; mv++){ int len; if(mv==0) len= ff_mvtab[0][1]; @@ -697,7 +697,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) } } - mv_penalty[f_code][mv+MAX_MV]= len; + mv_penalty[f_code][mv+MAX_DMV]= len; } } diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 901fafdf26..100e503eb3 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -906,7 +906,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; 
@@ -1082,7 +1082,7 @@ int ff_pre_estimate_p_frame_motion(MpegEncContext * s, av_assert0(s->quarter_sample==0 || s->quarter_sample==1); c->pre_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_pre_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1131,7 +1131,7 @@ static int estimate_motion_b(MpegEncContext *s, int mb_x, int mb_y, const int shift= 1+s->quarter_sample; const int mot_stride = s->mb_stride; const int mot_xy = mb_y*mot_stride + mb_x; - uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_MV; + uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_DMV; int mv_scale; c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); @@ -1205,8 +1205,8 @@ static inline int check_bidir_mv(MpegEncContext * s, //FIXME better f_code prediction (max mv & distance) //FIXME pointers MotionEstContext * const c= &s->me; - uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_MV; // f_code of the prev frame - uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_MV; // f_code of the prev frame + uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_DMV; // f_code of the prev frame + uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_DMV; // f_code of the prev frame int stride= c->stride; uint8_t *dest_y = c->scratchpad; uint8_t *ptr; @@ -1419,7 +1419,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) int mx, my, xmin, xmax, ymin, ymax; int16_t (*mv_table)[2]= s->b_direct_mv_table; - c->current_mv_penalty= c->mv_penalty[1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[1] + MAX_DMV; ymin= xmin=(-32)>>shift; ymax= xmax= 31>>shift; 
@@ -1555,11 +1555,11 @@ void ff_estimate_b_frame_motion(MpegEncContext * s, if(s->flags & CODEC_FLAG_INTERLACED_ME){ //FIXME mb type penalty c->skip=0; - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; fimin= interlaced_search(s, 0, s->b_field_mv_table[0], s->b_field_select_table[0], s->b_forw_mv_table[xy][0], s->b_forw_mv_table[xy][1], 0); - c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_DMV; bimin= interlaced_search(s, 2, s->b_field_mv_table[1], s->b_field_select_table[1], s->b_back_mv_table[xy][0], s->b_back_mv_table[xy][1], 0); diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 9795b7f648..451463c0cd 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -52,7 +52,7 @@ static const uint8_t svcd_scan_offset_placeholder[] = { 0x81, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }; -static uint8_t mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t fcode_tab[MAX_MV * 2 + 1]; static uint8_t uni_mpeg1_ac_vlc_len[64 * 64 * 2]; @@ -1051,7 +1051,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) } for (f_code = 1; f_code <= MAX_FCODE; f_code++) - for (mv = -MAX_MV; mv <= MAX_MV; mv++) { + for (mv = -MAX_DMV; mv <= MAX_DMV; mv++) { int len; if (mv == 0) { @@ -1074,7 +1074,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) 2 + bit_size; } - mv_penalty[f_code][mv + MAX_MV] = len; + mv_penalty[f_code][mv + MAX_DMV] = len; } diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 40c269846c..2c768b732c 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -66,6 +66,7 @@ enum OutputFormat { #define MAX_FCODE 7 #define MAX_MV 4096 +#define MAX_DMV (2*MAX_MV) #define MAX_THREADS 32 #define MAX_PICTURE_COUNT 36 
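Review bot: In libavcodec/mpegvideo.h (@@ -66), `#define MAX_DMV (2*MAX_MV)` is added without a comment, yet the fix depends on every `mv_penalty` table dimension and every centring offset (`c->mv_penalty[...] + MAX_DMV`) using this constant across six files. A site that still adds `MAX_MV` would compile cleanly and point `current_mv_penalty` at the wrong centre of the enlarged row. Document the coupling at the definition, for example `/* bound on motion vector differences; mv_penalty rows are MAX_DMV*2+1 wide and are indexed from their centre at +MAX_DMV */`. The `fcode_tab` arrays in the mpeg12enc.c and mpegvideo_enc.c hunks deliberately stay at `MAX_MV * 2 + 1`, which the comment could also mention so the difference does not look like an oversight.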
@@ -198,7 +199,7 @@ typedef struct MotionEstContext{ op_pixels_func (*hpel_avg)[4]; qpel_mc_func (*qpel_put)[16]; qpel_mc_func (*qpel_avg)[16]; - uint8_t (*mv_penalty)[MAX_MV*2+1]; ///< amount of bits needed to encode a MV + uint8_t (*mv_penalty)[MAX_DMV*2+1]; ///< amount of bits needed to encode a MV uint8_t *current_mv_penalty; int (*sub_motion_search)(struct MpegEncContext * s, int *mx_ptr, int *my_ptr, int dmin, diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index dbcbb8a9c6..9b95f33976 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -70,7 +70,7 @@ static int sse_mb(MpegEncContext *s); static void denoise_dct_c(MpegEncContext *s, int16_t *block); static int dct_quantize_trellis_c(MpegEncContext *s, int16_t *block, int n, int qscale, int *overflow); -static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t default_fcode_tab[MAX_MV * 2 + 1]; const AVOption ff_mpv_generic_options[] = { diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index cbc89c985b..24efdc0bf0 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -285,7 +285,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_DMV; c->xmin = - x*block_w - 16+3; c->ymin = - y*block_w - 16+3; From 53025e8681c141883662ab9882ac2f7769c6ed4d Mon Sep 17 00:00:00 2001 
From: Thomas Mundt Date: Thu, 31 Dec 2015 00:01:21 +0100 Subject: [PATCH 610/700] avfilter/vf_scale: set proper out frame color range Prevents that following scalers in the filter chain will do unintentional color range conversions. Fixes Ticket #5096 Signed-off-by: Thomas Mundt Signed-off-by: Michael Niedermayer (cherry picked from commit 73ce8162f3499cf0e86d1d80dea53324bd62bcb3) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 64b88c2357..237f3b8b5e 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -512,6 +512,8 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) sws_setColorspaceDetails(scale->isws[1], inv_table, in_full, table, out_full, brightness, contrast, saturation); + + av_frame_set_color_range(out, out_full ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG); } av_reduce(&out->sample_aspect_ratio.num, &out->sample_aspect_ratio.den, From 2111d5161926cef343031efcaf09662afb14db25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Jan 2016 00:22:56 +0100 Subject: [PATCH 611/700] avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range Fixes out of array read Fixes: test_case-mdc.264 (b47be15a120979f5a1a945c938cbef33) Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 13f266b50cc7554028d22480b7e4383968e64a63) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 9b95f33976..6b997f121f 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -315,6 +315,7 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) break; } + avctx->bits_per_raw_sample = av_clip(avctx->bits_per_raw_sample, 0, 8); s->bit_rate = avctx->bit_rate; s->width = avctx->width; s->height = avctx->height; 
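Review bot: In ff_mpv_encode_init() (libavcodec/mpegvideo_enc.c, @@ -315), `av_clip(avctx->bits_per_raw_sample, 0, 8)` silently rewrites a caller-supplied field. A caller that asked for more than 8 bits gets a successful init with a different value and no log line. The code that needs the 0..8 bound is outside the hunk, so a reader cannot tell from here why 8 is the limit. Add a comment such as `/* clamp: values outside 0..8 caused an out-of-array read in later table lookups */`, and consider a warning when the value is changed. The function body continues beyond the hunk.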
From 7974642cfd609d6321ef3e2e4d8f2c84aad1bd9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Jan 2016 10:49:23 +0100 Subject: [PATCH 612/700] avformat: Add integer fps from 31 to 60 to get_std_framerate() Fixes Ticket 5106 Signed-off-by: Michael Niedermayer (cherry picked from commit 2039b3e7511ef183dae206575114e15b6d99c134) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 2 +- libavformat/utils.c | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 2e54ed1f01..6654694102 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -916,7 +916,7 @@ typedef struct AVStream { /** * Stream information used internally by av_find_stream_info() */ -#define MAX_STD_TIMEBASES (30*12+7+6) +#define MAX_STD_TIMEBASES (30*12+30+3+6) struct { int64_t last_dts; int64_t duration_gcd; diff --git a/libavformat/utils.c b/libavformat/utils.c index b116a45c75..bbf67ef49e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2802,10 +2802,14 @@ static int get_std_framerate(int i) return (i + 1) * 1001; i -= 30*12; - if (i < 7) - return ((const int[]) { 40, 48, 50, 60, 80, 120, 240})[i] * 1001 * 12; + if (i < 30) + return (i + 31) * 1001 * 12; + i -= 30; - i -= 7; + if (i < 3) + return ((const int[]) { 80, 120, 240})[i] * 1001 * 12; + + i -= 3; return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i] * 1000 * 12; } From 4c6b48a08e5a975fba644e7eafa1ce5ee35ac618 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 12:19:48 +0100 Subject: [PATCH 613/700] avcodec/mss2: Check for repeat overflow Fixes: mss2_left_shift.wmv Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit e273dade78943e22b71d0ddb67cd0d737fc26edf) Signed-off-by: Michael Niedermayer --- libavcodec/mss2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 4d53f8ab8f..ea448dabc5 100644 
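Review bot: `MAX_STD_TIMEBASES (30*12+30+3+6)` in libavformat/avformat.h and the index ranges in get_std_framerate() (libavformat/utils.c, @@ -2802) must agree, but they are kept in sync only by hand-copied literals. The last `return` indexes a 6-element compound literal with whatever remains of `i` and has no bound check, so any drift between the two files becomes a read past that array. Put a comment above the function, such as `/* ranges below must sum to MAX_STD_TIMEBASES: 30*12 + 30 + 3 + 6 */`, and guard the tail with `av_assert0(i < 6);` before the final lookup. The callers that loop up to MAX_STD_TIMEBASES are outside the hunk.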
--- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -209,8 +209,13 @@ static int decode_555(GetByteContext *gB, uint16_t *dst, int stride, last_symbol = b << 8 | bytestream2_get_byte(gB); else if (b > 129) { repeat = 0; - while (b-- > 130) + while (b-- > 130) { + if (repeat >= (INT_MAX >> 8) - 1) { + av_log(NULL, AV_LOG_ERROR, "repeat overflow\n"); + return AVERROR_INVALIDDATA; + } repeat = (repeat << 8) + bytestream2_get_byte(gB) + 1; + } if (last_symbol == -2) { int skip = FFMIN((unsigned)repeat, dst + w - p); repeat -= skip; From e2285e7cc83f0429acabd09d6fc94a84d1763265 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 15:52:09 +0100 Subject: [PATCH 614/700] avcodec/mjpegdec: Fix negative shift Fixes: mjpeg_left_shift.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit d86d7b2486cd5c31db8e820d8a89554abf19567e) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 67db2bbd14..439365f7ef 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -975,7 +975,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc << point_transform)); + mask & (pred + (dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { From 1d02458c06720278698ec96f3e7c1f6ff47c01fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 17:43:56 +0100 Subject: [PATCH 615/700] avcodec/dvdec: Fix "left shift of negative value -254" Fixes: dvdec_left_shift.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 93ac72a98dff592ffc174cfb36a8975dfbf145ae) Signed-off-by: Michael Niedermayer --- libavcodec/dvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
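Review bot: In ljpeg_decode_rgb_scan() (libavcodec/mjpegdec.c, @@ -975), `dc * (1 << point_transform)` removes the shift of a negative value, but the product and the following `pred + ...` are still signed `int` arithmetic on stream-derived values. If `dc` and `point_transform` can both be large (their ranges are set outside the hunk), signed overflow is still possible. The result is masked straight away, so unsigned arithmetic gives the same low bits with defined wrap-around: `mask & ((unsigned)pred + (unsigned)dc * (1U << point_transform));`. The enclosing loop starts and ends outside the hunk.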
diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c index 99fe1f4981..4728e429e9 100644 --- a/libavcodec/dvdec.c +++ b/libavcodec/dvdec.c @@ -333,7 +333,7 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg) dct_mode * 22 * 64 + (quant + ff_dv_quant_offset[class1]) * 64]; } - dc = dc << 2; + dc = dc * 4; /* convert to unsigned because 128 is not added in the * standard IDCT */ dc += 1024; From 71b640230ec891f0dc2803b776faa1b6322da1b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Jan 2016 18:32:32 +0100 Subject: [PATCH 616/700] avcodec/wavpackenc: Headers are per channel Fixes: 1b8b83a53bfa751f01b1daa65a4758db/signal_sigabrt_7ffff6ae7cb7_7488_403f71d1a2565b598d01b6cb110fac8f.aiff Fixes: assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26757b0279b4b93c6066c2151d4d3dbd2ec266bf) Conflicts: libavcodec/wavpackenc.c Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 63971c6755..ecc4a2eea2 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -2882,7 +2882,7 @@ static int wavpack_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } buf_size = s->block_samples * avctx->channels * 8 - + 200 /* for headers */; + + 200 * avctx->channels /* for headers */; if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size)) < 0) return ret; buf = avpkt->data; From 4865d66b76f7bb85b837bcadb9f9d7b7337f137a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Jan 2016 18:58:08 +0100 Subject: [PATCH 617/700] avcodec/wavpackenc: Check the number of channels They are stored in a byte, thus more than 255 is not possible Signed-off-by: Michael Niedermayer (cherry picked from commit 59c915a403af32c4ff5126625b0cc7e38f4beff9) 
Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index ecc4a2eea2..2d98e53b95 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -128,6 +128,11 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->channels > 255) { + av_log(avctx, AV_LOG_ERROR, "Too many channels\n", avctx->channels); + return AVERROR(EINVAL); + } + if (!avctx->frame_size) { int block_samples; if (!(avctx->sample_rate & 1)) From 1c99807cb704cf923d9912688f22a413d7ce772b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2016 03:03:01 +0100 Subject: [PATCH 618/700] avcodec/mpeg4video: Check time_incr Fixes assertion failure Fixes out of memory access Fixes: test_casex.ivf Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 7c97946d6131b31340954a3f603b6bf92590a9a5) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4video.h | 2 +- libavcodec/mpeg4videoenc.c | 10 +++++++++- libavcodec/mpegvideo_enc.c | 8 +++++--- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4video.h b/libavcodec/mpeg4video.h index e83692cc87..fa92e999bd 100644 --- a/libavcodec/mpeg4video.h +++ b/libavcodec/mpeg4video.h @@ -137,7 +137,7 @@ void ff_mpeg4_encode_mb(MpegEncContext *s, void ff_mpeg4_pred_ac(MpegEncContext *s, int16_t *block, int n, int dir); void ff_set_mpeg4_time(MpegEncContext *s); -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number); int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb); void ff_mpeg4_encode_video_packet_header(MpegEncContext *s); diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 5751432a31..c47b6e8410 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c 
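Review bot: In wavpack_encode_init() (libavcodec/wavpackenc.c, @@ -128), the new `av_log` call passes `avctx->channels` as an argument but the format string `"Too many channels\n"` has no conversion for it. The rejected value is therefore never printed, and `-Wformat-extra-args` will flag the line. Change it to `av_log(avctx, AV_LOG_ERROR, "Too many channels %d > 255\n", avctx->channels);`. The rest of the function is outside the hunk.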
@@ -1086,7 +1086,7 @@ static void mpeg4_encode_vol_header(MpegEncContext *s, } /* write mpeg4 VOP header */ -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) { int time_incr; int time_div, time_mod; @@ -1112,6 +1112,12 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) time_mod = FFUMOD(s->time, s->avctx->time_base.den); time_incr = time_div - s->last_time_base; av_assert0(time_incr >= 0); + + // This limits the frame duration to max 1 hour + if (time_incr > 3600) { + av_log(s->avctx, AV_LOG_ERROR, "time_incr %d too large\n", time_incr); + return AVERROR(EINVAL); + } while (time_incr--) put_bits(&s->pb, 1, 1); @@ -1137,6 +1143,8 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) put_bits(&s->pb, 3, s->f_code); /* fcode_for */ if (s->pict_type == AV_PICTURE_TYPE_B) put_bits(&s->pb, 3, s->b_code); /* fcode_back */ + + return 0; } static av_cold void init_uni_dc_tab(void) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 6b997f121f..2bc7709970 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3714,9 +3714,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_wmv2_encode_picture_header(s, picture_number); else if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_MPEG4_ENCODER && s->h263_pred) - ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + else if (CONFIG_MPEG4_ENCODER && s->h263_pred) { + ret = ff_mpeg4_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { ret = ff_rv10_encode_picture_header(s, picture_number); if (ret < 0) return ret; From 8419971a42a84e6e72d498a4c2e3c91ea604d881 Mon Sep 17 00:00:00 2001 
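Review bot: In ff_mpeg4_encode_picture_header() (libavcodec/mpeg4videoenc.c, @@ -1112), the context line `av_assert0(time_incr >= 0);` still aborts the process on a negative increment, while the new upper bound returns `AVERROR(EINVAL)`. The function now returns `int`, so both bounds can share the error path: `if (time_incr < 0 || time_incr > 3600) {`. Whether caller-supplied timestamps can make `time_incr` negative is not visible in the hunk, but an error return is the safer failure mode for a library either way. The limit `3600` also assumes `time_div` counts seconds, and the existing comment could say so explicitly.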
From: Michael Niedermayer Date: Tue, 12 Jan 2016 18:49:20 +0100 Subject: [PATCH 619/700] avformat/asfenc: Check pts Fixes integer overflow Fixes: 0063df8be3aaa30dd6d76f59c8f818c8/signal_sigsegv_7b7b59_3634_bf418b6822bbfa68734411d96b667be3.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7c0b84d89911b2035161f5ef51aafbfcc84aa9e2) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index 58449d81bf..d4a72da893 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -929,6 +929,11 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; av_assert0(pts != AV_NOPTS_VALUE); + if ( pts < - PREROLL_TIME + || pts > (INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME) { + av_log(s, AV_LOG_ERROR, "input pts %"PRId64" is invalid\n", pts); + return AVERROR(EINVAL); + } pts *= 10000; asf->duration = FFMAX(asf->duration, pts + pkt->duration * 10000); From a7dea6f2cdce5877845b5cce810e3784628f9388 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Jan 2016 02:31:59 +0100 Subject: [PATCH 620/700] avformat/aviobuf: Fix end check in put_str16() Fixes out of array read Fixes: 03c406ec9530e594a074ce2979f8a1f0/asan_heap-oob_7dec26_4664_37c52495b2870a2eaac65f53958e76c1.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 115fb6d03ef6310732b42258d8c3cd1839cfb74b) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 4ce18e4d17..20621baa0c 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c 
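Review bot: In asf_write_packet() (libavformat/asfenc.c, @@ -929), the new range check bounds `pts`, but the context line right after it still evaluates `pkt->duration * 10000` with no bound on `pkt->duration`. If that field is an `int` (its type is declared outside the hunk), the multiplication is done in `int` and can overflow before it is added to `pts`. Widen it with `pts + pkt->duration * 10000LL`, or reject out-of-range durations in the same `if`. The upper bound `(INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME` would also be easier to audit with a one-line comment naming the later computation it protects. The function continues beyond the hunk.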
@@ -358,6 +358,8 @@ int avio_put_str16le(AVIOContext *s, const char *str) invalid: av_log(s, AV_LOG_ERROR, "Invaid UTF8 sequence in avio_put_str16le\n"); err = AVERROR(EINVAL); + if (!*(q-1)) + break; } avio_wl16(s, 0); if (err) From e183075dc11b2033f3f84bf8c94bd4b31266e90d Mon Sep 17 00:00:00 2001 From: Maxim Andreev Date: Wed, 13 Jan 2016 11:51:12 +0300 Subject: [PATCH 621/700] avformat/hls: forbid all protocols except http(s) & file Signed-off-by: Michael Niedermayer (cherry picked from commit 7145e80b4f78cff5ed5fee04d4c4d53daaa0e077) Conflicts: libavformat/hls.c --- libavformat/hls.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index f17b826f30..1bd4678b97 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -927,6 +927,12 @@ static int open_input(HLSContext *c, struct playlist *pls) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { + const char *proto_name = avio_find_protocol_name(seg->url); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { + ret = AVERROR_INVALIDDATA; + goto cleanup; + } + ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -934,6 +940,11 @@ static int open_input(HLSContext *c, struct playlist *pls) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; + const char *proto_name = avio_find_protocol_name(seg->key); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { + ret = AVERROR_INVALIDDATA; + goto cleanup; + } if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) From 9c67c52acc9491640d8f8aab1bdfe7ffb79ec4f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 12:36:41 +0100 Subject: [PATCH 622/700] swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out 
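Review bot: In avio_put_str16le() (libavformat/aviobuf.c, @@ -358), the added `if (!*(q-1)) break;` has no comment. It is only correct because `q` has already advanced by at least one byte when control reaches the `invalid:` label, and that advance happens outside the hunk. Record the reason so the guard is not removed as dead code: `/* the invalid sequence consumed the terminating NUL; stop before q runs past the end of str */`. The loop header and the UTF-8 decoding that moves `q` are outside the hunk, so the precondition is inferred from the commit message.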
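Review bot: In open_input() (libavformat/hls.c, @@ -927 and again @@ -934), `proto_name` is passed to `av_strstart()` without a NULL check. `avio_find_protocol_name()` returns NULL for a URL whose protocol is not recognised, so a playlist entry of that kind is dereferenced instead of rejected. Guard both sites with `if (!proto_name || (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))) {`. The test is also a prefix match, so it accepts any registered protocol whose name merely begins with "http" or "file"; an exact comparison against the intended names would be stricter. The second hunk checks `seg->key` only, and the segment URL is opened later in that branch, outside the hunk, so it is worth confirming that the same filter applies there.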
Signed-off-by: Michael Niedermayer (cherry picked from commit 5e5f82a28737fba4402259617500911cc37e3674) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 1 + libswscale/yuv2rgb.c | 89 ++++++++++++++++++----------------- 2 files changed, 46 insertions(+), 44 deletions(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 37c2b37548..b1a507271f 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -40,6 +40,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long #define YUVRGB_TABLE_HEADROOM 256 +#define YUVRGB_TABLE_LUMA_HEADROOM 0 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 24b02665ae..86de94cfe7 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -720,7 +720,8 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], uint16_t *y_table16; uint32_t *y_table32; int i, base, rbase, gbase, bbase, av_uninit(abase), needAlpha; - const int yoffs = fullRange ? 384 : 326; + const int yoffs = (fullRange ? 384 : 326) + YUVRGB_TABLE_LUMA_HEADROOM; + const int table_plane_size = 1024 + 2*YUVRGB_TABLE_LUMA_HEADROOM; int64_t crv = inv_table[0]; int64_t cbu = inv_table[1]; @@ -777,10 +778,10 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], return AVERROR(ENOMEM); switch (bpp) { case 1: - ALLOC_YUV_TABLE(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { y_table[i + 110] = av_clip_uint8((yb + 0x8000) >> 16) >> 7; yb += cy; } 
@@ -792,60 +793,60 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - ALLOC_YUV_TABLE(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 110] = (yval >> 7) << rbase; - y_table[i + 37 + 1024] = ((yval + 43) / 85) << gbase; - y_table[i + 110 + 2048] = (yval >> 7) << bbase; + y_table[i + 37 + table_plane_size] = ((yval + 43) / 85) << gbase; + y_table[i + 110 + 2*table_plane_size] = (yval >> 7) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 8: rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 
0 : 6; - ALLOC_YUV_TABLE(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 38; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 38; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 16] = ((yval + 18) / 36) << rbase; - y_table[i + 16 + 1024] = ((yval + 18) / 36) << gbase; - y_table[i + 37 + 2048] = ((yval + 43) / 85) << bbase; + y_table[i + 16 + table_plane_size] = ((yval + 18) / 36) << gbase; + y_table[i + 37 + 2*table_plane_size] = ((yval + 43) / 85) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 12: rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 
0 : 8; - ALLOC_YUV_TABLE(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 4) << rbase; - y_table16[i + 1024] = (yval >> 4) << gbase; - y_table16[i + 2048] = (yval >> 4) << bbase; + y_table16[i + table_plane_size] = (yval >> 4) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 4) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 15: 
@@ -853,30 +854,30 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - ALLOC_YUV_TABLE(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 3) << rbase; - y_table16[i + 1024] = (yval >> (18 - bpp)) << gbase; - y_table16[i + 2048] = (yval >> 3) << bbase; + y_table16[i + table_plane_size] = (yval >> (18 - bpp)) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 3) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 24: case 48: - ALLOC_YUV_TABLE(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { y_table[i] = av_clip_uint8((yb + 0x8000) >> 16); yb += cy; } 
@@ -895,20 +896,20 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - ALLOC_YUV_TABLE(1024 * 3 * 4); + ALLOC_YUV_TABLE(table_plane_size * 3 * 4); y_table32 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { unsigned yval = av_clip_uint8((yb + 0x8000) >> 16); y_table32[i] = (yval << rbase) + (needAlpha ? 0 : (255u << abase)); - y_table32[i + 1024] = yval << gbase; - y_table32[i + 2048] = yval << bbase; + y_table32[i + table_plane_size] = yval << gbase; + y_table32[i + 2*table_plane_size] = yval << bbase; yb += cy; } fill_table(c->table_rV, 4, crv, y_table32 + yoffs); - fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + 1024); - fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2048); + fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + table_plane_size); + fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 4, cgv); break; default: From dc6a9162a2d26b4fea089e00bd574f67d9ee4e91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 03:05:11 +0100 Subject: [PATCH 623/700] swscale/yuv2rgb: Increase YUV2RGB table headroom This makes SWS more robust Fixes: 07650a772d98aa63b0fed6370dc89037/asan_heap-oob_27ddeaf_2657_2c81ff264dee5d9712cb3251fb9c3bbb.264 Fixes: out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f3a9a8c278acf886f70a1d743bc07b6f9c7b51a) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index b1a507271f..a3e7e267f8 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h 
@@ -39,8 +39,8 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 256 -#define YUVRGB_TABLE_LUMA_HEADROOM 0 +#define YUVRGB_TABLE_HEADROOM 512 +#define YUVRGB_TABLE_LUMA_HEADROOM 512 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE From 4089af67ab93b062f1b91c72d6a60547029235c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 15:11:48 +0100 Subject: [PATCH 624/700] swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls This avoids running various table inits unnecessarily Signed-off-by: Michael Niedermayer (cherry picked from commit cc538e9dbd14b61d1ac8c9fa687d83289673fe90) Conflicts: libswscale/utils.c --- libswscale/utils.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 82c8e5e532..4032b5701a 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -818,8 +818,6 @@ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], const AVPixFmtDescriptor *desc_dst; const AVPixFmtDescriptor *desc_src; int need_reinit = 0; - memmove(c->srcColorspaceTable, inv_table, sizeof(int) * 4); - memmove(c->dstColorspaceTable, table, sizeof(int) * 4); handle_formats(c); desc_dst = av_pix_fmt_desc_get(c->dstFormat); 
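Review bot: Both headroom constants in swscale_internal.h are bare numbers with no statement of their unit or of the index range they are meant to cover. Judging by how `YUVRGB_TABLE_LUMA_HEADROOM*cy` offsets the start value in yuv2rgb.c, the unit is table entries; a comment saying so, and naming the largest excursion the margin is sized for, would let a reader check the value instead of trusting it. Since the commit message ties the change to an out-of-array read, it is also worth confirming in the table users whether the lookup index is clamped anywhere, because a larger margin only widens the safe range and does not bound the index.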
@@ -830,11 +828,24 @@ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], if(!isYUV(c->srcFormat) && !isGray(c->srcFormat)) srcRange = 0; + if (c->srcRange != srcRange || + c->dstRange != dstRange || + c->brightness != brightness || + c->contrast != contrast || + c->saturation != saturation || + memcmp(c->srcColorspaceTable, inv_table, sizeof(int) * 4) || + memcmp(c->dstColorspaceTable, table, sizeof(int) * 4) + ) + need_reinit = 1; + + memmove(c->srcColorspaceTable, inv_table, sizeof(int) * 4); + memmove(c->dstColorspaceTable, table, sizeof(int) * 4); + + + c->brightness = brightness; c->contrast = contrast; c->saturation = saturation; - if (c->srcRange != srcRange || c->dstRange != dstRange) - need_reinit = 1; c->srcRange = srcRange; c->dstRange = dstRange; @@ -849,6 +860,9 @@ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], c->dstFormatBpp = av_get_bits_per_pixel(desc_dst); c->srcFormatBpp = av_get_bits_per_pixel(desc_src); + if (!need_reinit) + return 0; + if (!isYUV(c->dstFormat) && !isGray(c->dstFormat)) { ff_yuv2rgb_c_init_tables(c, inv_table, srcRange, brightness, contrast, saturation); From 8d5060192cf2bdd9e504e640bc5aafee3a04b99b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Jan 2016 13:29:38 +0100 Subject: [PATCH 625/700] avformat/hls: More strict url checks No case is known where these are needed Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba42b6482c725a59eb468391544dc0c75b8c6f0) Conflicts: libavformat/hls.c Signed-off-by: Michael Niedermayer Conflicts: libavformat/hls.c --- libavformat/hls.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 1bd4678b97..de40b6de9d 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
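Review bot: The early `return 0` taken when `need_reinit` is clear trusts that the cached parameters correspond to tables that were actually built, but the cached fields are overwritten before the tables are initialised, and the `ff_yuv2rgb_c_init_tables(c, inv_table, srcRange, brightness, contrast, saturation);` call on the context line below discards its int result. If that init fails once, a repeated call with the same arguments now skips the rebuild and reports success. Propagating a negative result from the init call, or storing the new values only after the tables were built, would close that gap. sws_setColorspaceDetails continues outside the hunk, so the error value its callers expect has to be checked there.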
@@ -900,6 +900,20 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, pls->is_id3_timestamped = (pls->id3_mpegts_timestamp != AV_NOPTS_VALUE); } + +static int check_url(const char *url) { + const char *proto_name = avio_find_protocol_name(url); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + return AVERROR_INVALIDDATA; + + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') + return 0; + else if (strcmp(proto_name, "file") || !strcmp(url, "file,")) + return AVERROR_INVALIDDATA; + + return 0; +} + static int open_input(HLSContext *c, struct playlist *pls) { AVDictionary *opts = NULL; @@ -927,11 +941,9 @@ static int open_input(HLSContext *c, struct playlist *pls) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - const char *proto_name = avio_find_protocol_name(seg->url); - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { - ret = AVERROR_INVALIDDATA; + ret = check_url(seg->url); + if (ret < 0) goto cleanup; - } ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -940,11 +952,10 @@ static int open_input(HLSContext *c, struct playlist *pls) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; - const char *proto_name = avio_find_protocol_name(seg->key); - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { - ret = AVERROR_INVALIDDATA; + ret = check_url(seg->key); + if (ret < 0) goto cleanup; - } + if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) From 83913c6e7e1e2f0d2e5550800e93ec64f31a0077 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Jan 2016 15:29:22 +0100 Subject: [PATCH 626/700] avformat/hls: Even stricter URL checks This fixes a null pointer dereference at least 
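Review bot: In the new check_url(), `av_strstart(proto_name, "http", NULL)` and the matching "file" test are prefix matches, so any registered protocol whose name merely begins with one of those strings passes the allow-list, which is wider than the "http(s) & file" set named in the Changelog entry. Exact comparisons keep the list closed: `if (strcmp(proto_name, "http") && strcmp(proto_name, "https") && strcmp(proto_name, "file")) return AVERROR_INVALIDDATA;`. `strlen(proto_name)` is also evaluated twice in the following test and could be held in a local.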
Signed-off-by: Michael Niedermayer (cherry picked from commit cfda1bea4c18ec1edbc11ecc465f788b02851488) Conflicts: libavformat/hls.c --- libavformat/hls.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index de40b6de9d..7fc761ac8c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -903,12 +903,16 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, static int check_url(const char *url) { const char *proto_name = avio_find_protocol_name(url); + + if (!proto_name) + return AVERROR_INVALIDDATA; + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) return AVERROR_INVALIDDATA; if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') return 0; - else if (strcmp(proto_name, "file") || !strcmp(url, "file,")) + else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) return AVERROR_INVALIDDATA; return 0; From 6456043ff76ebc005c3028f379ffb1e185fe9639 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 2 Jan 2016 16:28:31 -0300 Subject: [PATCH 627/700] configure: bump copyright year to 2016 Signed-off-by: James Almer (cherry picked from commit 78129978f02f27d76ecaf2cd1a7bf7a47253fdab) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 104d2bff4c..c52c006279 100755 --- a/configure +++ b/configure @@ -5682,7 +5682,7 @@ cat > $TMPH < Date: Fri, 15 Jan 2016 17:49:08 +0100 Subject: [PATCH 628/700] Update for 2.5.10 Signed-off-by: Michael Niedermayer --- Changelog | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index e1c1d57634..177e064ef5 100644 --- a/Changelog +++ b/Changelog 
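Review bot: The tail of check_url() after this change distinguishes several URL shapes (an explicit `scheme:` prefix, a URL that resolves to the file protocol without one, and the rejected `file,` form) without a comment, and the literal `5` in `!strncmp(url, "file,", 5)` has to be matched by eye against the string. A short comment above the second `if` listing the accepted and rejected forms, and `av_strstart(url, "file,", NULL)` in place of the counted compare, would make the intent checkable. check_url begins above this hunk.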
@@ -1,6 +1,56 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.10 +- configure: bump copyright year to 2016 +- avformat/hls: Even stricter URL checks +- avformat/hls: More strict url checks +- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls +- swscale/yuv2rgb: Increase YUV2RGB table headroom +- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out +- avformat/hls: forbid all protocols except http(s) & file +- avformat/aviobuf: Fix end check in put_str16() +- avformat/asfenc: Check pts +- avcodec/mpeg4video: Check time_incr +- avcodec/wavpackenc: Check the number of channels +- avcodec/wavpackenc: Headers are per channel +- avcodec/dvdec: Fix "left shift of negative value -254" +- avcodec/mjpegdec: Fix negative shift +- avcodec/mss2: Check for repeat overflow +- avformat: Add integer fps from 31 to 60 to get_std_framerate() +- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range +- avfilter/vf_scale: set proper out frame color range +- avcodec/motion_est: Fix mv_penalty table size +- avcodec/h264_slice: Fix integer overflow in implicit weight computation +- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions +- avcodec/put_bits: Always check buffer end before writing +- mjpegdec: extend check for incompatible values of s->rgb and s->ls +- swscale/utils: Fix intermediate format for cascaded alpha downscaling +- avcodec/h264_refs: Fix long_idx check +- avfilter/vf_mpdecimate: Add missing emms_c() +- avformat/mxfenc: Do not crash if there is no packet in the first stream +- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec +- avformat/matroskaenc: Check codecdelay before use +- avutil/mathematics: Fix division by 0 +- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse +- avcodec/mpeg4videodec: also for empty partitioned 
slices +- nuv: sanitize negative fps rate +- rawdec: only exempt BIT0 with need_copy from buffer sanity check +- mlvdec: check that index_entries exist +- nutdec: reject negative value_len in read_sm_data +- xwddec: prevent overflow of lsize * avctx->height +- nutdec: only copy the header if it exists +- exr: fix out of bounds read in get_code +- on2avc: limit number of bits to 30 in get_egolomb +- sonic: make sure num_taps * channels is not larger than frame_size +- opus_silk: fix typo causing overflow in silk_stabilize_lsf +- ffm: reject invalid codec_id and codec_type +- aaccoder: prevent crash of anmr coder +- ffmdec: reject zero-sized chunks +- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* +- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride + + version 2.5.9 - avcodec/hevc: Check max ctb addresses for WPP - avcodec/vp3: ensure header is parsed successfully before tables diff --git a/RELEASE b/RELEASE index 30f69e8cc5..ff3b2cd990 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.9 +2.5.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index af39cb809a..c06700033f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.9 +PROJECT_NUMBER = 2.5.10 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 7e297b4bc6afc15b96b9b6b57a5cfc514733fcce Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 13 Jan 2016 19:26:40 -0300 Subject: [PATCH 629/700] avcodec/wavpackenc: print channel count in av_log call Fixes a warning with -Wformat-extra-args (cherry picked from commit 17e7fdf61a04f52c499e2d06eab2cf2d22343aa9) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 2d98e53b95..4bfeadb2e6 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -129,7 +129,7 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; if (avctx->channels > 255) { - av_log(avctx, AV_LOG_ERROR, "Too many channels\n", avctx->channels); + av_log(avctx, AV_LOG_ERROR, "Invalid channel count: %d\n", avctx->channels); return AVERROR(EINVAL); } From 1a65265131cda99717d0040b6c7e8c132fea82cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 6 Mar 2015 20:39:45 +0100 Subject: [PATCH 630/700] avcodec/samidec: make sure to properly restore parsing context after a tag (cherry picked from commit 70082a1e533deed6688938232e6e66abbd62b0fa) Signed-off-by: Andreas Cadhalpun --- libavcodec/samidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/samidec.c b/libavcodec/samidec.c index 7705f93e7b..47850e2126 100644 --- a/libavcodec/samidec.c +++ b/libavcodec/samidec.c @@ -91,6 +91,7 @@ static int sami_paragraph_to_ass(AVCodecContext *avctx, const char *src) break; if (*p == '>') p++; + continue; } if (!av_isspace(*p)) av_bprint_chars(dst, *p, 1); From bf446993145ae2e3bb440292255dadc735675b72 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 1 Nov 2015 17:02:26 +0100 Subject: [PATCH 631/700] avformat/ipmovie: put video decoding_map_size into packet and use it in decoder The size of decoding map can differ from one calculated internally, producing artifacts while decoding video. Signed-off-by: Paul B Mahol (cherry picked from commit c293ef258cbb2c058e23651a26edf46e3bc05050) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayvideo.c | 14 +++++++++----- libavformat/ipmovie.c | 7 ++++--- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 96c0cd1397..f9e74b0a85 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c 
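Review bot: The `continue;` added in sami_paragraph_to_ass() carries no comment, although its purpose depends on state set just above it: once the tag has been skipped, `p` already points at the next unread character, and without the `continue` that character goes straight to the `av_isspace`/`av_bprint_chars` step below even if it opens another tag. A line such as `/* p is already past the tag; re-enter the loop instead of treating *p as text */` would record that. Whether the loop condition re-checks `*p` for the terminator before the next dereference is outside the hunk and should be confirmed.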
@@ -38,6 +38,7 @@ #include #include +#include "libavutil/intreadwrite.h" #include "avcodec.h" #include "bytestream.h" #include "hpeldsp.h" @@ -949,7 +950,7 @@ static void ipvideo_decode_opcodes(IpvideoContext *s, AVFrame *frame) } } if (bytestream2_get_bytes_left(&s->stream_ptr) > 1) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_DEBUG, "decode finished with %d bytes left over\n", bytestream2_get_bytes_left(&s->stream_ptr)); } @@ -987,12 +988,15 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (buf_size < 2) + return AVERROR_INVALIDDATA; + /* decoding map contains 4 bits of information per 8x8 block */ - s->decoding_map_size = avctx->width * avctx->height / (8 * 8 * 2); + s->decoding_map_size = AV_RL16(avpkt->data); /* compressed buffer needs to be large enough to at least hold an entire * decoding map */ - if (buf_size < s->decoding_map_size) + if (buf_size < s->decoding_map_size + 2) return buf_size; if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { @@ -1000,8 +1004,8 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, av_frame_unref(s->second_last_frame); } - s->decoding_map = buf; - bytestream2_init(&s->stream_ptr, buf + s->decoding_map_size, + s->decoding_map = buf + 2; + bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, buf_size - s->decoding_map_size); if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 01e70e858f..0112009d9b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -156,7 +156,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, /* send both the decode map and the video data together */ - if (av_new_packet(pkt, s->decode_map_chunk_size + s->video_chunk_size)) + if (av_new_packet(pkt, 2 + s->decode_map_chunk_size + s->video_chunk_size)) return CHUNK_NOMEM; if (s->has_palette) { 
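Review bot: `s->decoding_map_size = AV_RL16(avpkt->data)` takes the map length from the packet and checks it only against `buf_size`, while the comment kept just above still says the map holds 4 bits per 8x8 block. A packet whose declared map is shorter than the removed `avctx->width * avctx->height / (8 * 8 * 2)` passes the new check, and the opcode loop (outside this hunk) presumably still walks every block of the frame. Bounding the opcode reader by `decoding_map_size`, or logging and rejecting a map that cannot cover the frame, would keep the two in step. ipvideo_decode_frame starts and ends outside the hunk.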
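Review bot: In the `bytestream2_init` call the start pointer is advanced by `2 + s->decoding_map_size` but the length is still `buf_size - s->decoding_map_size`, so the byte reader is told it has two more bytes than remain in the packet. The length should drop the size prefix as well: `buf_size - 2 - s->decoding_map_size`. The earlier `buf_size < s->decoding_map_size + 2` test keeps that value non-negative.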
@@ -178,7 +178,8 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->decode_map_chunk_offset, SEEK_SET); s->decode_map_chunk_offset = 0; - if (avio_read(pb, pkt->data, s->decode_map_chunk_size) != + AV_WL16(pkt->data, s->decode_map_chunk_size); + if (avio_read(pb, pkt->data + 2, s->decode_map_chunk_size) != s->decode_map_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; @@ -187,7 +188,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->video_chunk_offset, SEEK_SET); s->video_chunk_offset = 0; - if (avio_read(pb, pkt->data + s->decode_map_chunk_size, + if (avio_read(pb, pkt->data + 2 + s->decode_map_chunk_size, s->video_chunk_size) != s->video_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; From 3b535bbf88576ee0b8a439052514cbb9e89e56a2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 2 Jan 2016 16:27:02 +0100 Subject: [PATCH 632/700] ffmdec: reset packet_end in case of failure This fixes segmentation faults caused by passing a packet_ptr of NULL to memcpy. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 40eb2531b279abe008012c5c2c292552d3e62449) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index b1cc14a0bd..b5135f18cd 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c 
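Review bot: `AV_WL16(pkt->data, s->decode_map_chunk_size)` stores only the low 16 bits of the chunk size, while the `avio_read` that follows and the packet allocation use the full value. The field's type and range are set outside this hunk; if it can exceed 0xFFFF the decoder would split the packet at the wrong offset. Either a range check before the write or a comment stating why the size always fits in 16 bits belongs here. load_ipmovie_packet starts and ends outside the hunk.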
@@ -113,9 +113,10 @@ static int ffm_read_data(AVFormatContext *s, ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE); - ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); - if (ffm->packet_end < ffm->packet || frame_offset < 0) + if (ffm->packet_size < FFM_HEADER_SIZE + fill_size || frame_offset < 0) { return -1; + } + ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); /* if first packet or resynchronization packet, we must handle it specifically */ if (ffm->first_packet || (frame_offset & 0x8000)) { @@ -131,8 +132,10 @@ static int ffm_read_data(AVFormatContext *s, return 0; } ffm->first_packet = 0; - if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) + if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) { + ffm->packet_end = ffm->packet_ptr; return -1; + } ffm->packet_ptr = ffm->packet + (frame_offset & 0x7fff) - FFM_HEADER_SIZE; if (!header) break; From b6fb6ccda40a3dd13784e4811ba7da1587fab64b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 Jan 2016 19:20:54 +0100 Subject: [PATCH 633/700] vorbisdec: reject channel mapping with less than two channels It causes the angle channel number to equal the magnitude channel number, which makes the stream undecodable according to the specification. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit b4b13848dec5420fa5dd9e1a7d4dfae5de1932d5) Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index fb1609920d..a42b803d67 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
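Review bot: The two failure paths in ffm_read_data() now leave `packet_end` in different states: the size check in the first hunk returns with the previous `packet_end` untouched, while the offset check in the second hunk sets `ffm->packet_end = ffm->packet_ptr` before returning. A one-line comment at each return naming the invariant being kept (presumably that `packet_ptr` never lies beyond `packet_end` for the copy done later) would show that both are intended. The `avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE)` on the context line above the new check also has its result ignored, so a short read is not distinguished from a full packet. The function continues outside both hunks.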
@@ -784,6 +784,11 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) if (get_bits1(gb)) { mapping_setup->coupling_steps = get_bits(gb, 8) + 1; + if (vc->audio_channels < 2) { + av_log(vc->avctx, AV_LOG_ERROR, + "Square polar channel mapping with less than two channels is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } mapping_setup->magnitude = av_mallocz(mapping_setup->coupling_steps * sizeof(*mapping_setup->magnitude)); mapping_setup->angle = av_mallocz(mapping_setup->coupling_steps * From 641a010157274c4986bf78112485ea3df006cd4e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 Jan 2016 19:11:24 +0100 Subject: [PATCH 634/700] vorbisdec: reject rangebits 0 with non-0 partitions This causes non-unique elements in floor_setup->data.t1.list, which makes the stream undecodable according to the specification. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit e7a7b3135a4e5ba4bd2e144444d95a7563f53e9b) Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index a42b803d67..624092f837 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -568,6 +568,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) return AVERROR(ENOMEM); rangebits = get_bits(gb, 4); + if (!rangebits && floor_setup->data.t1.partitions) { + av_log(vc->avctx, AV_LOG_ERROR, + "A rangebits value of 0 is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } rangemax = (1 << rangebits); if (rangemax > vc->blocksize[1] / 2) { av_log(vc->avctx, AV_LOG_ERROR, From a90a7594a81eb891366412e677eacd95c4559361 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 12:57:38 +0100 Subject: [PATCH 635/700] brstm: make sure an ADPC chunk was read for adpcm_thp This fixes NULL pointer dereferencing. Reviewed-by: Paul B Mahol 
Signed-off-by: Andreas Cadhalpun (cherry picked from commit d7d37c479fa71639650751648275615e979beb33) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 19a4a2a96b..9228fa7488 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -260,6 +260,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (codec->codec_id == AV_CODEC_ID_ADPCM_THP) { uint8_t *dst; + if (!b->adpc) { + av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); + return AVERROR_INVALIDDATA; + } + if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) return AVERROR(ENOMEM); dst = pkt->data; From cdedd71a7e1355c5d3a56302e11bf9ac05da6cd5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 12:53:20 +0100 Subject: [PATCH 636/700] brstm: also allocate b->table in read_packet This fixes NULL pointer dereferencing if the codec is forced to adpcm_thp even though a different one was detected. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit bcf4ee26a0a1ed349ec7489925540401002b87cc) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 9228fa7488..aba3770ee6 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -263,6 +263,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (!b->adpc) { av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); return AVERROR_INVALIDDATA; + if (!b->table) { + b->table = av_mallocz(32 * codec->channels); + if (!b->table) + return AVERROR(ENOMEM); } if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) From f2fd5b9eb2677eddfe6c9be6b2235390476cfce6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 13:44:16 +0100 Subject: [PATCH 637/700] brstm: fix missing closing brace 
Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1cb2331eca0dbde1bc63bc715a0e98771dda8b80) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index aba3770ee6..6afae73b2f 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -263,6 +263,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (!b->adpc) { av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); return AVERROR_INVALIDDATA; + } if (!b->table) { b->table = av_mallocz(32 * codec->channels); if (!b->table) From 873a0dfa26dfeda29f5f7539ffd1cd563ce5437c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 13 Jan 2016 00:52:58 +0100 Subject: [PATCH 638/700] dca: fix misaligned access in avpriv_dca_convert_bitstream src and dst are only 8-bit-aligned, so accessing them as uint16_t causes SIGBUS crashes on architectures like sparc. This fixes ubsan runtime error: load of misaligned address for type 'const uint16_t', which requires 2 byte alignment Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 44ac13eed49593f4f8efdb72ab0d5b48e05aa305) Signed-off-by: Andreas Cadhalpun --- libavcodec/dca.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 22be88fe1a..57c65150da 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -40,8 +40,6 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, { uint32_t mrk; int i, tmp; - const uint16_t *ssrc = (const uint16_t *) src; - uint16_t *sdst = (uint16_t *) dst; PutBitContext pb; if ((unsigned) src_size > (unsigned) max_size) 
@@ -53,8 +51,11 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, memcpy(dst, src, src_size); return src_size; case DCA_MARKER_RAW_LE: - for (i = 0; i < (src_size + 1) >> 1; i++) - *sdst++ = av_bswap16(*ssrc++); + for (i = 0; i < (src_size + 1) >> 1; i++) { + AV_WB16(dst, AV_RL16(src)); + src += 2; + dst += 2; + } return src_size; case DCA_MARKER_14B_BE: case DCA_MARKER_14B_LE: From d1fc87529f381657470669afe5f01f3b694eebda Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Aug 2015 03:08:10 +0200 Subject: [PATCH 639/700] swscale/swscale-test: Fix slice height in random reference data creation. Found-by: Pedro Arthur Signed-off-by: Michael Niedermayer --- libswscale/swscale-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index 661ff5b7b2..b79bb2373a 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -399,7 +399,7 @@ bad_option: for (y = 0; y < H; y++) for (x = 0; x < W * 4; x++) rgb_data[ x + y * 4 * W] = av_lfg_get(&rand); - sws_scale(sws, rgb_src, rgb_stride, 0, H, src, stride); + sws_scale(sws, rgb_src, rgb_stride, 0, H / 12, src, stride); sws_freeContext(sws); av_free(rgb_data); From b515a23f76287b546c2ddd3fcdc85aed2cec0073 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2016 18:32:07 +0100 Subject: [PATCH 640/700] avcodec/aacenc: Check both channels for finiteness Fixes null pointer dereference Fixes: 10412fc52ecc6eab40ed67f82ca7b372/signal_sigsegv_2618c99_2129_f808373959e46afb165593332799ffbc.aif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 057549a9ccc9fd32df71678e6abe69e10668186a) Conflicts: libavcodec/aacenc.c --- libavcodec/aacenc.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 7937eb0162..edf28f2aa6 100644 --- a/libavcodec/aacenc.c 
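Review bot: The rewritten `DCA_MARKER_RAW_LE` loop still runs `(src_size + 1) >> 1` times and moves two bytes per pass, so for an odd `src_size` the last pass reads `src[src_size]` and writes `dst[src_size]`, one byte past the length admitted by the `src_size > max_size` test at the top of the function. Bounding the loop by `src_size >> 1` and handling a trailing byte explicitly, or rejecting odd sizes for this marker, would keep both accesses inside the stated sizes. Whether callers always pass padded buffers is not visible here.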
+++ b/libavcodec/aacenc.c @@ -567,8 +567,16 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, ics->group_len[w] = wi[ch].grouping[w]; apply_window_and_mdct(s, &cpe->ch[ch], overlap); - if (isnan(cpe->ch->coeffs[0])) { - av_log(avctx, AV_LOG_ERROR, "Input contains NaN\n"); + + if (isnan(cpe->ch[ch].coeffs[ 0]) || isinf(cpe->ch[ch].coeffs[ 0]) || + isnan(cpe->ch[ch].coeffs[ 128]) || isinf(cpe->ch[ch].coeffs[ 128]) || + isnan(cpe->ch[ch].coeffs[2*128]) || isinf(cpe->ch[ch].coeffs[2*128]) || + isnan(cpe->ch[ch].coeffs[3*128]) || isinf(cpe->ch[ch].coeffs[3*128]) || + isnan(cpe->ch[ch].coeffs[4*128]) || isinf(cpe->ch[ch].coeffs[4*128]) || + isnan(cpe->ch[ch].coeffs[5*128]) || isinf(cpe->ch[ch].coeffs[5*128]) || + isnan(cpe->ch[ch].coeffs[6*128]) || isinf(cpe->ch[ch].coeffs[6*128]) || + isnan(cpe->ch[ch].coeffs[7*128]) || isinf(cpe->ch[ch].coeffs[7*128])) { + av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n"); return AVERROR(EINVAL); } } From 262192a48b598c4fc08567aff93966f9360632fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 00:55:44 +0100 Subject: [PATCH 641/700] swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ad3b6fa7d83db7de951ed891649af93a47e74be5) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index d3d0cf30b2..9e24623140 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c 
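Review bot: The eight-fold `isnan(...) || isinf(...)` chain over `coeffs[k*128]` is hard to read and easy to get out of step; with a local index a loop states the test once, e.g. `for (k = 0; k < 8; k++) { float v = cpe->ch[ch].coeffs[k * 128]; if (isnan(v) || isinf(v)) { ... } }`. The check samples one coefficient per 128, so a comment saying why those positions are sufficient would be worth adding, since the commit message ties this test to a crash. aac_encode_frame begins and ends outside this hunk.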
@@ -1058,6 +1058,8 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); srcPtr += 2 * srcStride[0]; dstPtr += 2 * dstStride[0]; @@ -1068,7 +1070,10 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt dstPtr += 2 * dstStride[0]; } - copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstPtr, -dstStride[0], c->srcW); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); return srcSliceH; } From 93c675d6a6c98e94ddce1a4b04bc1507f562249f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 00:55:44 +0100 Subject: [PATCH 642/700] swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 757248ea3cd917a7755cb15f817a9b1f15578718) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 9e24623140..60f8c619b3 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1109,6 +1109,8 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); srcPtr += 2 * srcStride[0]; dstY += 2 * dstStride[0]; 
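Review bot: `av_assert0(srcSliceH > 1)` in bayer_to_rgb24_wrapper() turns a caller-supplied slice height into a process abort. The function already returns 0 for an unsupported format a few lines above, so an early `if (srcSliceH < 2) return 0;` (or an error reported from sws_scale before the wrapper is reached) would fail the same input without terminating the host application. Whether a height of 1 can reach this wrapper depends on checks outside the hunk. The identical assert added to bayer_to_yv12_wrapper() in the next patch has the same issue.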
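Review bot: The odd-height branch `copy(srcPtr, -srcStride[0], dstPtr, -dstStride[0], c->srcW)` appears to rely on the copy routine handling two rows per call, with the negated strides making the second row the one above; that is not obvious from the call, and this arm is braced while the `else if` arm beside it is not. A comment such as `/* odd height: pair the last row with the previous one instead of reading past the slice */` and braces on both arms would make it reviewable. The same pattern recurs in the bayer_to_yv12_wrapper() hunk of the next patch, and the value of `i` on loop exit is determined outside this hunk.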
@@ -1123,7 +1125,10 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr dstV += dstStride[1]; } - copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstY, dstU, dstV, -dstStride[0], c->srcW, c->input_rgb2yuv_table); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); return srcSliceH; } From 9631209eeaf035e5394a759542371875f837d0db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 12:33:50 +0100 Subject: [PATCH 643/700] swscale/x86/rgb2rgb_template: Fix planar2x() for short width Fixes: 451b3e0cf956c0bd2f27ed753ac24050/asan_heap-oob_2873c01_3231_7ed10a9464d15f0d57277f5917c566a8.AVI Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c8a9aaab2695e0f9921db946a3b9f14bea880167) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 6f218ddbb7..73af74e6aa 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1434,7 +1434,9 @@ static inline void RENAME(planar2x)(const uint8_t *src, uint8_t *dst, int srcWid dst+= dstStride; for (y=1; y> 2; + dst[dstStride] = (src[0] + 3 * src[srcStride]) >> 2; + } for (x=mmxSize-1; x>2; From 0f956cde937b748268ad0ed9bd396864a1c209ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 18:57:01 +0100 Subject: [PATCH 644/700] swscale/swscale: Add some sanity checks for srcSlice* parameters Signed-off-by: Michael Niedermayer (cherry picked from commit 321e85e1769ca1fc1567025ae264760790ee7fc9) Conflicts: libswscale/swscale.c Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 16a31cee40..a29e2ae50f 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -895,11 +895,19 @@ int attribute_align_arg sws_scale(struct SwsContext *c, const uint8_t *src2[4]; uint8_t *dst2[4]; uint8_t *rgb0_tmp = NULL; + int macro_height = isBayer(c->srcFormat) ? 2 : (1 << c->chrSrcVSubSample); if (!srcStride || !dstStride || !dst || !srcSlice) { av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } + + if ((srcSliceY & (macro_height-1)) || + ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || + srcSliceY + srcSliceH > c->srcH) { + av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); + return AVERROR(EINVAL); + } if (c->cascaded_context[0] && srcSliceY == 0 && srcSliceH == c->cascaded_context[0]->srcH) { ret = sws_scale(c->cascaded_context[0], srcSlice, srcStride, srcSliceY, srcSliceH, From dee25a5fa5da52acf720dc74a5534471b18eb13f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 03:31:25 +0100 Subject: [PATCH 645/700] avcodec/tiff: Check subsample & rps values more completely Fixes out of array access Fixes: 83aedfb29af669c4d6e10f1bfad974d2/asan_heap-oob_1ab42fe_4984_9f6ec14462f8d8a00ea24b320572a963.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 89f464e9c229006e16f6bb5403c5529fdd0a9edd) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index b00bc1c217..df43ed2c87 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
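Review bot: The new slice check in sws_scale does not reject negative values, and `srcSliceY + srcSliceH` is a signed addition that can overflow for extreme arguments. A negative `srcSliceY` that is a multiple of `macro_height` passes all three clauses as written. Unless negatives are refused elsewhere (not visible in this hunk), put a range test first and drop the addition from it: `srcSliceY < 0 || srcSliceH < 0 || srcSliceH > c->srcH - srcSliceY`. With that test leading the condition, the remaining `srcSliceY + srcSliceH != c->srcH` comparison can no longer overflow.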
@@ -1000,8 +1000,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "subsample count invalid\n"); return AVERROR_INVALIDDATA; } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { s->subsampling[i] = ff_tget(&s->gb, type, s->le); + if (s->subsampling[i] <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + return AVERROR_INVALIDDATA; + } + } break; case TIFF_T4OPTIONS: if (s->compr == TIFF_G3) @@ -1249,7 +1254,7 @@ static int decode_frame(AVCodecContext *avctx, avpkt->size - s->strippos); } - if (s->rps <= 0) { + if (s->rps <= 0 || s->rps % s->subsampling[1]) { av_log(avctx, AV_LOG_ERROR, "rps %d invalid\n", s->rps); return AVERROR_INVALIDDATA; } From 22e20a1d833e5ce8c560a6c0d6f4b4e78b075385 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 17:13:55 +0100 Subject: [PATCH 646/700] avcodec/put_bits: Assert buf_ptr in flush_put_bits() Signed-off-by: Michael Niedermayer (cherry picked from commit 3ef5de0f19774e2c3dd9b08ba2e8ab7241a4862a) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index ca4f08668d..81fe039811 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -106,7 +106,7 @@ static inline void flush_put_bits(PutBitContext *s) s->bit_buf <<= s->bit_left; #endif while (s->bit_left < 32) { - /* XXX: should test end of buffer */ + av_assert0(s->buf_ptr < s->buf_end); #ifdef BITSTREAM_WRITER_LE *s->buf_ptr++ = s->bit_buf; s->bit_buf >>= 8; From 9f30eafd0f31c2b5c4f7c86fecabbdde1282e079 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 19:20:03 +0100 Subject: [PATCH 647/700] avcodec/gif: Fix lzw buffer size Fixes out of array access Fixes: aaa479088e6fb40b04837b3119f47b04/asan_heap-oob_e38c68_8576_9d653078b2470700e2834636f12ff557.tga Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
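Review bot: `s->rps % s->subsampling[1]` in decode_frame divides by a value that has to be non-zero on every path, including files that never carry the subsampling tag. The first hunk guarantees positive values only for entries actually read from the tag; the initial contents of `s->subsampling[]` are set outside these hunks. If they are not initialised to a positive value there, guard the modulo: `if (s->rps <= 0 || s->subsampling[1] <= 0 || s->rps % s->subsampling[1])`. The message `rps %d invalid` would also be easier to act on if it printed the subsampling value it was tested against.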
Signed-off-by: Michael Niedermayer (cherry picked from commit 03d83ba34b2070878909eae18dfac0f519503777) Signed-off-by: Michael Niedermayer --- libavcodec/gif.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/gif.c b/libavcodec/gif.c index def1b83e9d..b56d58c4df 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c @@ -43,6 +43,7 @@ typedef struct { const AVClass *class; LZWState *lzw; uint8_t *buf; + int buf_size; AVFrame *last_frame; int flags; uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8 @@ -168,7 +169,7 @@ static int gif_image_write_image(AVCodecContext *avctx, bytestream_put_byte(bytestream, 0x08); - ff_lzw_encode_init(s->lzw, s->buf, 2 * width * height, + ff_lzw_encode_init(s->lzw, s->buf, s->buf_size, 12, FF_LZW_GIF, put_bits); ptr = buf + y_start*linesize + x_start; @@ -224,7 +225,8 @@ static av_cold int gif_encode_init(AVCodecContext *avctx) avctx->coded_frame->key_frame = 1; s->lzw = av_mallocz(ff_lzw_encode_state_size); - s->buf = av_malloc(avctx->width*avctx->height*2); + s->buf_size = avctx->width*avctx->height*2 + 1000; + s->buf = av_malloc(s->buf_size); s->tmpl = av_malloc(avctx->width); if (!s->tmpl || !s->buf || !s->lzw) return AVERROR(ENOMEM); @@ -283,6 +285,7 @@ static int gif_encode_close(AVCodecContext *avctx) av_freep(&s->lzw); av_freep(&s->buf); + s->buf_size = 0; av_frame_free(&s->last_frame); av_freep(&s->tmpl); return 0; From dd957b56e6148ef4d09255d9db37a99a3daf7fe4 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Fri, 15 Jan 2016 17:03:49 +0000 Subject: [PATCH 648/700] mov: Add an option to toggle dref opening This feature is mostly only used by NLE software, and is both of dubious value being enabled by default, and a possible security risk. Signed-off-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 712d962a6a29b1099cd872cfb07867175a93ac4c) Conflicts: libavformat/isom.h libavformat/mov.c libavformat/version.h 
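Review bot: `avctx->width*avctx->height*2 + 1000` in gif_encode_init is evaluated in `int`, so large dimensions can overflow before the value reaches `av_malloc()` and later `ff_lzw_encode_init()`. If no earlier dimension check bounds the product (none is visible here), compute it wide and reject oversize frames: `int64_t sz = 2LL * avctx->width * avctx->height + 1000; if (sz > INT_MAX) return AVERROR(EINVAL);`. The `1000` slack is a bare constant; a comment stating which worst-case LZW output it is meant to cover would let a reader verify the bound rather than trust it.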
Signed-off-by: Michael Niedermayer Conflicts: libavformat/mov.c --- libavformat/isom.h | 1 + libavformat/mov.c | 22 +++++++++++++++++----- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 249c3ab795..9aafe12125 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -190,6 +190,7 @@ typedef struct MOVContext { MOVFragmentIndex** fragment_index_data; unsigned fragment_index_count; int atom_depth; + int enable_drefs; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index d0eb63404b..a51884677c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2559,13 +2559,23 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (sc->dref_id-1 < sc->drefs_count && sc->drefs[sc->dref_id-1].path) { MOVDref *dref = &sc->drefs[sc->dref_id - 1]; - if (mov_open_dref(&sc->pb, c->fc->filename, dref, &c->fc->interrupt_callback, - c->use_absolute_path, c->fc) < 0) - av_log(c->fc, AV_LOG_ERROR, - "stream %d, error opening alias: path='%s', dir='%s', " - "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + if (c->enable_drefs) { + if (mov_open_dref(&sc->pb, c->fc->filename, dref, &c->fc->interrupt_callback, + c->use_absolute_path, c->fc) < 0) + av_log(c->fc, AV_LOG_ERROR, + "stream %d, error opening alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + st->index, dref->path, dref->dir, dref->filename, + dref->volume, dref->nlvl_from, dref->nlvl_to); + } else { + av_log(c->fc, AV_LOG_WARNING, + "Skipped opening external track: " + "stream %d, alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d." + "Set enable_drefs to allow this.\n", st->index, dref->path, dref->dir, dref->filename, dref->volume, dref->nlvl_from, dref->nlvl_to); + } } else { sc->pb = c->fc->pb; sc->pb_is_copied = 1; 
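Review bot: The two adjacent string literals in the new warning in mov_read_trak join as `nlvl_to=%d.Set enable_drefs to allow this.`, so the hint runs into the last field; end the first literal with a space: `"filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d. "`. Both log calls print `dref->path`, `dref->dir`, `dref->filename` and `dref->volume`, which come from the file being parsed, so anything consuming these logs should treat those fields as untrusted text. A short comment at `if (c->enable_drefs)` stating that external references are off by default because they make the demuxer open other files named by the input would keep the reason next to the code.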
@@ -4250,6 +4260,8 @@ static const AVOption mov_options[] = { AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_DECODING_PARAM, "use_mfra_for" }, { "export_all", "Export unrecognized metadata entries", OFFSET(export_all), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = FLAGS }, + { "enable_drefs", "Enable external track support.", OFFSET(enable_drefs), AV_OPT_TYPE_INT, + {.i64 = 0}, 0, 1, FLAGS }, { NULL }, }; From 7ee0b1937a258e5251b0c1875e60be9a4aeff3ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 15:39:11 +0100 Subject: [PATCH 649/700] avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() Fixes: 55d71971da50365d542ed14b65565fe1/signal_sigsegv_4765a4_8499_f146af090a94f591d6254515c7700ef5.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 158f0545d81b2aca1c936490f80d13988616910e) Signed-off-by: Michael Niedermayer --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index cc4f961c4d..cdf4d845db 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -523,7 +523,7 @@ ASSStyle *ff_ass_style_get(ASSSplitContext *ctx, const char *style) if (!style || !*style) style = "Default"; for (i=0; istyles_count; i++) - if (!strcmp(ass->styles[i].name, style)) + if (ass->styles[i].name && !strcmp(ass->styles[i].name, style)) return ass->styles + i; return NULL; } From 30463a0c9985c44e8064b1630e242debc48bc755 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 09:43:54 +0100 Subject: [PATCH 650/700] avformat/avio: Limit url option parsing to the documented cases This feature is not know much or used much AFAIK, and it might be helpfull in exploits. No specific case is known where it can be used in an exploit though subsequent commits depend on this commit though 
Signed-off-by: Michael Niedermayer (cherry picked from commit 984d58a3440d513f66344b5332f6b589c0a6bbc6) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 326bb0aa78..78d15cc40d 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -155,9 +155,16 @@ static int url_alloc_for_protocol(URLContext **puc, struct URLProtocol *up, char sep= *++p; char *key, *val; p++; + + if (strcmp(up->name, "subfile")) + ret = AVERROR(EINVAL); + while(ret >= 0 && (key= strchr(p, sep)) && ppriv_data, p, key+1, 0); + if (strcmp(p, "start") && strcmp(p, "end")) { + ret = AVERROR_OPTION_NOT_FOUND; + } else + ret= av_opt_set(uc->priv_data, p, key+1, 0); if (ret == AVERROR_OPTION_NOT_FOUND) av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p); *val= *key= sep; @@ -222,7 +229,7 @@ static struct URLProtocol *url_find_protocol(const char *filename) size_t proto_len = strspn(filename, URL_SCHEME_CHARS); if (filename[proto_len] != ':' && - (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || + (strncmp(filename, "subfile,", 8) || !strchr(filename + proto_len + 1, ':')) || is_dos_path(filename)) strcpy(proto_str, "file"); else From 3fc75e79cf033fbe575b663d9e8b56cc835b95ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 00:36:51 +0100 Subject: [PATCH 651/700] avcodec/mpeg12enc: Move high resolution thread check to before initializing threads Cleaner solution is welcome! Signed-off-by: Michael Niedermayer (cherry picked from commit a53fbda9dc92273054a103db7539d2bb6e9632b2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 3 --- libavcodec/pthread_slice.c | 6 ++++++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 451463c0cd..8baa60ee0b 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c 
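Review bot: The allowlist added to url_alloc_for_protocol hard-codes the protocol name `subfile` and the keys `start`/`end` with no comment, so a later reader cannot tell that it is a deliberate restriction rather than a leftover. A line such as `/* inline URL options are honoured only for subfile's start/end; everything else is refused */` above the `strcmp(up->name, "subfile")` test would document the policy. Refused keys are reported with `Key '%s' not found.`, the same text as a genuinely unknown option; a distinct message would make refused options easier to spot in logs. Part of this hunk is damaged on the page, so the loop condition itself could not be reviewed.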
@@ -144,9 +144,6 @@ static av_cold int encode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; - if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && avctx->height > 2800) - avctx->thread_count = 1; - if (ff_mpv_encode_init(avctx) < 0) return -1; diff --git a/libavcodec/pthread_slice.c b/libavcodec/pthread_slice.c index b948e16d24..a3bcd21fea 100644 --- a/libavcodec/pthread_slice.c +++ b/libavcodec/pthread_slice.c @@ -181,6 +181,12 @@ int ff_slice_thread_init(AVCodecContext *avctx) w32thread_init(); #endif + // We cannot do this in the encoder init as the threads are created before + if (av_codec_is_encoder(avctx->codec) && + avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && + avctx->height > 2800) + thread_count = avctx->thread_count = 1; + if (!thread_count) { int nb_cpus = av_cpu_count(); if (avctx->height) From 65bb07d4bed287db0e2baa6fb16253eb991b47d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 02:38:05 +0100 Subject: [PATCH 652/700] avcodec/wmaenc: Check ff_wma_init() for failure Fixes null pointer dereference Fixes: c4faf8280ba366bf00a79d425f2910a8/signal_sigsegv_1f96477_5177_1448ba7e4125faceb966f44ceb69abfa.qcp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 19e456d48c90a1e3ceeb9e6241383384cc73dfdf) Signed-off-by: Michael Niedermayer --- libavcodec/wmaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index 08d45e9273..d78c4357e8 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -32,6 +32,7 @@ static av_cold int encode_init(AVCodecContext *avctx) WMACodecContext *s = avctx->priv_data; int i, flags1, flags2, block_align; uint8_t *extradata; + int ret; s->avctx = avctx; 
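Review bot: The block moved into ff_slice_thread_init says why it lives there but not why `2800` matters, and it puts a codec-specific rule into generic threading code. A comment such as `/* MPEG-1 cannot address slice rows beyond 2800 lines, so force a single thread */` (presumably the reason; confirm against the encoder) plus a named constant would keep the limit understandable. The commit message already asks for a cleaner solution; a per-codec capability flag checked here would avoid naming `AV_CODEC_ID_MPEG1VIDEO` in this file.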
@@ -78,7 +79,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (avctx->channels == 2) s->ms_stereo = 1; - ff_wma_init(avctx, flags2); + if ((ret = ff_wma_init(avctx, flags2)) < 0) + return ret; /* init MDCT */ for (i = 0; i < s->nb_block_sizes; i++) From 2df2c0aab0cacf89d1e8f6f8ec6baafe70e7df02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 21:01:08 +0100 Subject: [PATCH 653/700] avformat/avformat: Replace some references to filenames by urls Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 41e07390e04cf369d84f0cc7ff5858c273290770) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 6654694102..be929a588d 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -88,10 +88,10 @@ * cleanup. * * @section lavf_decoding_open Opening a media file - * The minimum information required to open a file is its URL or filename, which + * The minimum information required to open a file is its URL, which * is passed to avformat_open_input(), as in the following code: * @code - * const char *url = "in.mp3"; + * const char *url = "file:in.mp3"; * AVFormatContext *s = NULL; * int ret = avformat_open_input(&s, url, NULL, NULL); * if (ret < 0) @@ -1985,7 +1985,7 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * * @param pb the bytestream to probe * @param fmt the input format is put here - * @param filename the filename of the stream + * @param url the url of the stream * @param logctx the log context * @param offset the offset within the bytestream to probe from * @param max_probe_size the maximum probe buffer size (zero for default) 
@@ -1994,14 +1994,14 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * AVERROR code otherwise */ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** * Like av_probe_input_buffer2() but returns 0 on success */ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** @@ -2012,7 +2012,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * May be a pointer to NULL, in which case an AVFormatContext is allocated by this * function and written into ps. * Note that a user-supplied AVFormatContext will be freed on failure. - * @param filename Name of the stream to open. + * @param url URL of the stream to open. * @param fmt If non-NULL, this parameter forces a specific input format. * Otherwise the format is autodetected. * @param options A dictionary filled with AVFormatContext and demuxer-private options. @@ -2023,7 +2023,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * * @note If you want to use custom IO, preallocate the format context and set its pb field. */ -int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputFormat *fmt, AVDictionary **options); +int avformat_open_input(AVFormatContext **ps, const char *url, AVInputFormat *fmt, AVDictionary **options); attribute_deprecated int av_demuxer_open(AVFormatContext *ic); From 0ec1ffcb4db43d0a635e3bfcdc648c1a372fdb0b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 21 Jan 2016 15:39:43 +0100 Subject: [PATCH 654/700] avcodec/mpegvideo_enc: Check for integer overflow in ff_mpv_reallocate_putbitbuffer() Fixes assertion failure Fixes: 6568d187979ce17878b6fe5fbbb89142/signal_sigabrt_7ffff6ae7cb7_7176_564bbc6741bdcf907f5c4e685c9a77a2.mpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b65efbc0f4195421c15d2a6c228d331eec5b31c3) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 2bc7709970..2084a3ac75 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2730,6 +2730,11 @@ int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t s uint8_t *new_buffer = NULL; int new_buffer_size = 0; + if ((s->avctx->internal->byte_buffer_size + size_increase) >= INT_MAX/8) { + av_log(s->avctx, AV_LOG_ERROR, "Cannot reallocate putbit buffer\n"); + return AVERROR(ENOMEM); + } + av_fast_padded_malloc(&new_buffer, &new_buffer_size, s->avctx->internal->byte_buffer_size + size_increase); if (!new_buffer) From 58ea532cad816858e0bffefd8c00e5256b531472 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 21:01:47 +0100 Subject: [PATCH 655/700] avcodec/mjpegdec: Check for end for both bytes in unescaping Fixes assertion failure Fixes: c40c779601b77dc6e19aaea0b04b9751/signal_sigabrt_7ffff6ae7cb7_5769_b94f6ec70caecb2d3d76b4771b109ac1.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 509c9e74e548139285f30ed8dcc9baf1d64359fa) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 439365f7ef..d77940f3ef 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
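Review bot: The overflow guard in ff_mpv_reallocate_putbitbuffer performs the very addition it is meant to protect: `byte_buffer_size + size_increase` can itself wrap when `size_increase` is very large (it appears to be a `size_t` parameter; the signature is cut off in the hunk header), and a wrapped sum passes the `>= INT_MAX/8` test. Comparing by subtraction avoids that: `if (s->avctx->internal->byte_buffer_size >= INT_MAX/8 || size_increase >= INT_MAX/8 - s->avctx->internal->byte_buffer_size)`. The same sum is handed to `av_fast_padded_malloc()` immediately afterwards, so this guard is the only barrier in view.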
@@ -1942,7 +1942,7 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, while (b < t) { uint8_t x = src[b++]; put_bits(&pb, 8, x); - if (x == 0xFF) { + if (x == 0xFF && b < t) { x = src[b++]; if (x & 0x80) { av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); From e46999ccf4402ace9e2e829a44036eb5fe9177c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 16:49:43 +0100 Subject: [PATCH 656/700] doc/demuxers: Document enable_drefs and use_absolute_path Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 9a8034b8bc1d1cd7a8889dc385d41744be47b159) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 11dfe1b9c1..3a1d899cfb 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -359,6 +359,23 @@ ffmpeg -framerate 10 -pattern_type glob -i "*.png" out.mkv @end example @end itemize +@section mov/mp4/3gp/Quicktme + +Quicktime / MP4 demuxer. + +This demuxer accepts the following options: +@table @option +@item enable_drefs +Enable loading of external tracks, disabled by default. +Enabling this can theoretically leak information in some use cases. + +@item use_absolute_path +Allows loading of external tracks via absolute paths, disabled by default. +Enabling this poses a security risk. It should only be enabled if the source +is known to be non malicious. + +@end table + @section mpegts MPEG-2 transport stream demuxer. From dde76f2d0414ccab335bb4f31f1a75ab15166dcc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 11:10:27 +0100 Subject: [PATCH 657/700] avformat/concat: Check protocol prefix Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 8e32d014322eada1812af268d7ea9d53169d279c) Signed-off-by: Michael Niedermayer --- libavformat/concat.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/libavformat/concat.c b/libavformat/concat.c index 81fe97082c..7bcc27905e 100644 --- a/libavformat/concat.c +++ b/libavformat/concat.c @@ -65,7 +65,10 @@ static av_cold int concat_open(URLContext *h, const char *uri, int flags) struct concat_data *data = h->priv_data; struct concat_nodes *nodes; - av_strstart(uri, "concat:", &uri); + if (!av_strstart(uri, "concat:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } for (i = 0, len = 1; uri[i]; i++) { if (uri[i] == *AV_CAT_SEPARATOR) { From 0251cd6cf328455d4c25f7280f223523711d1e58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 15:25:32 +0100 Subject: [PATCH 658/700] avformat/libquvi: Set default demuxer and protocol limitations Signed-off-by: Michael Niedermayer (cherry picked from commit 15cc98a0f38ac45444d177186cfbf28e14bd5f1f) Signed-off-by: Michael Niedermayer --- libavformat/libquvi.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavformat/libquvi.c b/libavformat/libquvi.c index 0a593cc9cf..9d47692f8b 100644 --- a/libavformat/libquvi.c +++ b/libavformat/libquvi.c @@ -79,6 +79,20 @@ static int libquvi_read_header(AVFormatContext *s) if ((ret = ff_copy_whitelists(qc->fmtctx, s)) < 0) goto end; + if (!qc->fmtctx->format_whitelist) { + qc->fmtctx->format_whitelist = av_strdup("avi,asf,flv,mov,mpeg,mpegts,aac,h264,hevc,mp3,ogg,matroska,mxf,mp2"); + if (!qc->fmtctx->format_whitelist) { + avformat_free_context(qc->fmtctx); + qc->fmtctx = NULL; + goto err_quvi_cleanup; + } + } + if (strncmp(media_url, "http:", 5) && strncmp(media_url, "https:", 6)) { + avformat_free_context(qc->fmtctx); + qc->fmtctx = NULL; + goto err_quvi_cleanup; + } + ret = avformat_open_input(&qc->fmtctx, media_url, NULL, NULL); if (ret < 0) goto end; From 7bcf142c02e0b3f462b61a1377e963c6366597e7 Mon Sep 17 00:00:00 2001 
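Review bot: The two new failure branches in libquvi_read_header jump to `err_quvi_cleanup` without setting `ret` or logging anything, while the neighbouring failures use `goto end`. The labels are outside the hunk, so confirm that this path returns a negative error (`ret` is non-negative once `ff_copy_whitelists()` has succeeded) and releases everything the `end` path would. For the scheme test, a message such as `av_log(s, AV_LOG_ERROR, "Refusing media URL with unsupported scheme\n");` would tell the user why the input was rejected. The repeated `avformat_free_context(qc->fmtctx); qc->fmtctx = NULL;` pair could share one exit path.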
From: Michael Niedermayer Date: Sat, 23 Jan 2016 00:35:46 +0100 Subject: [PATCH 659/700] avformat: Document urls a bit Spell-checked-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3130556c0eb09f3da3c9de6473a97937a4648d62) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index be929a588d..c2cef3cc4a 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -78,6 +78,18 @@ * if its AVClass is non-NULL, and the protocols layer. See the discussion on * nesting in @ref avoptions documentation to learn how to access those. * + * @section urls + * URL strings in libavformat are made of a scheme/protocol, a ':', and a + * scheme specific string. URLs without a scheme and ':' used for local files + * are supported but deprecated. "file:" should be used for local files. + * + * It is important that the scheme string is not taken from untrusted + * sources without checks. + * + * Note that some schemes/protocols are quite powerful, allowing access to + * both local and remote files, parts of them, concatenations of them, local + * audio and video devices and so on. + * * @defgroup lavf_decoding Demuxing * @{ * Demuxers read a media file and split it into chunks of data (@em packets). A From d7c0287fbdac7d52f441f2017c55f5e0483c077e Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 24 Jan 2016 20:47:49 +0100 Subject: [PATCH 660/700] avcodec/flacenc: fix calculation of bits required in case of custom sample rate Sample rate of 11025 takes 16 bits but previous code would pick only 8. Fixes assertion failure. Reviewed-by: Rostislav Pehlivanov Signed-off-by: Paul B Mahol (cherry picked from commit 3e7d6849120d61bb354376d52786c26f20e20835) Signed-off-by: Michael Niedermayer --- libavcodec/flacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index e66ef3db5e..5d3e002aa9 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -916,7 +916,7 @@ static int count_frame_header(FlacEncodeContext *s) count += 16; /* explicit sample rate */ - count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12)) * 8; + count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12) * 2) * 8; /* frame header CRC-8 */ count += 8; From 3fa6ecca763225adada3b275806eafcbf0472dda Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Jan 2016 03:42:46 +0100 Subject: [PATCH 661/700] avutil/opt: check for and handle errors in av_opt_set_dict2() Previously errors could result in random entries to be lost. Signed-off-by: Michael Niedermayer (cherry picked from commit f3ace85d8869c3dddd2d28d064002d0d912e3624) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 95004ad383..ed7e983d59 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -1463,10 +1463,11 @@ int av_opt_set_dict2(void *obj, AVDictionary **options, int search_flags) while ((t = av_dict_get(*options, "", t, AV_DICT_IGNORE_SUFFIX))) { ret = av_opt_set(obj, t->key, t->value, search_flags); if (ret == AVERROR_OPTION_NOT_FOUND) - av_dict_set(&tmp, t->key, t->value, 0); - else if (ret < 0) { + ret = av_dict_set(&tmp, t->key, t->value, 0); + if (ret < 0) { av_log(obj, AV_LOG_ERROR, "Error setting option %s to value %s.\n", t->key, t->value); - break; + av_dict_free(&tmp); + return ret; } ret = 0; } From 69e191f854f75815f17099a9a5f911dc30075c70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jan 2016 17:13:10 +0100 Subject: [PATCH 662/700] avcodec/jpeg2000dec: More completely check cdef Fixes out of array access Fixes: j2k-poc.bin Found-by: Lucas Leong Signed-off-by: Michael Niedermayer (cherry picked from commit 0aada30510d809bccfd539a90ea37b61188f2cb4) 
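Review bot: The corrected expression in count_frame_header encodes the explicit sample-rate field size as arithmetic on `sr_code[0]` with nothing to check it against. A comment such as `/* sr_code 12: 8-bit field; sr_code above 12: 16-bit field */` next to the line would have made the original under-count visible in review. The function body continues outside the hunk.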
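Review bot: After this change the `Error setting option %s to value %s.` message in av_opt_set_dict2 is also reached when `av_dict_set()` fails, where the option was not rejected but could not be stored, so the text no longer matches every cause; logging the returned error alongside it would disambiguate. The early `return ret` leaves options already applied to `obj` in place and `*options` untouched, which deserves a sentence in the function's documentation. Option values may carry credentials for some callers, so printing `t->value` at error level is worth reconsidering.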
Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 39e99cc295..2430c73e2e 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1245,11 +1245,15 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (tile->codsty[0].mct) mct_decode(s, tile); - if (s->cdef[0] < 0) { - for (x = 0; x < s->ncomponents; x++) - s->cdef[x] = x + 1; - if ((s->ncomponents & 1) == 0) - s->cdef[s->ncomponents-1] = 0; + for (x = 0; x < s->ncomponents; x++) { + if (s->cdef[x] < 0) { + for (x = 0; x < s->ncomponents; x++) { + s->cdef[x] = x + 1; + } + if ((s->ncomponents & 1) == 0) + s->cdef[s->ncomponents-1] = 0; + break; + } } if (s->precision <= 8) { From 5eca7ba16b8c5335650a8c9030169df25d33bf8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2016 00:45:17 +0100 Subject: [PATCH 663/700] MAINTAINERS: remove unmaintained releases Signed-off-by: Michael Niedermayer --- MAINTAINERS | 3 --- 1 file changed, 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 4f5bf8ba56..b991341e17 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -537,9 +537,6 @@ Releases ======== 2.5 Michael Niedermayer -2.4 Michael Niedermayer -2.2 Michael Niedermayer -1.2 Michael Niedermayer If you want to maintain an older release, please contact us From 60eebbbf22f34155e751e51eb254da796115c6a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Feb 2016 20:44:56 +0100 Subject: [PATCH 664/700] Update for 2.5.11 Signed-off-by: Michael Niedermayer --- Changelog | 36 ++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 177e064ef5..872a97d20e 100644 --- a/Changelog +++ b/Changelog 
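Review bot: The inner reset loop in jpeg2000_decode_tile reuses `x`, the index of the outer scan loop, and the code is correct only because the `break` leaves the outer loop straight afterwards. Using a separate index for the reset, or setting a flag during the scan and resetting after it, removes that hidden dependency. The scan rejects only negative `cdef` entries; whether values above the component count are bounded where `cdef` is parsed is not visible here and is worth confirming, since the commit addresses an out-of-array access.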
@@ -1,6 +1,42 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.5.11 +- MAINTAINERS: remove unmaintained releases +- avcodec/jpeg2000dec: More completely check cdef +- avutil/opt: check for and handle errors in av_opt_set_dict2() +- avcodec/flacenc: fix calculation of bits required in case of custom sample rate +- avformat: Document urls a bit +- avformat/libquvi: Set default demuxer and protocol limitations +- avformat/concat: Check protocol prefix +- doc/demuxers: Document enable_drefs and use_absolute_path +- avcodec/mjpegdec: Check for end for both bytes in unescaping +- avcodec/mpegvideo_enc: Check for integer overflow in ff_mpv_reallocate_putbitbuffer() +- avformat/avformat: Replace some references to filenames by urls +- avcodec/wmaenc: Check ff_wma_init() for failure +- avcodec/mpeg12enc: Move high resolution thread check to before initializing threads +- avformat/avio: Limit url option parsing to the documented cases +- avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() +- mov: Add an option to toggle dref opening +- avcodec/gif: Fix lzw buffer size +- avcodec/put_bits: Assert buf_ptr in flush_put_bits() +- avcodec/tiff: Check subsample & rps values more completely +- swscale/swscale: Add some sanity checks for srcSlice* parameters +- swscale/x86/rgb2rgb_template: Fix planar2x() for short width +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() +- avcodec/aacenc: Check both channels for finiteness +- swscale/swscale-test: Fix slice height in random reference data creation. 
+- dca: fix misaligned access in avpriv_dca_convert_bitstream +- brstm: fix missing closing brace +- brstm: also allocate b->table in read_packet +- brstm: make sure an ADPC chunk was read for adpcm_thp +- vorbisdec: reject rangebits 0 with non-0 partitions +- vorbisdec: reject channel mapping with less than two channels +- ffmdec: reset packet_end in case of failure +- avformat/ipmovie: put video decoding_map_size into packet and use it in decoder +- avcodec/samidec: make sure to properly restore parsing context after a tag + version 2.5.10 - configure: bump copyright year to 2016 - avformat/hls: Even stricter URL checks diff --git a/RELEASE b/RELEASE index ff3b2cd990..398d0dac7e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.5.10 +2.5.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index c06700033f..a524a5c240 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.5.10 +PROJECT_NUMBER = 2.5.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From c40ee0a107d4b196cde7a2e137e347c901ad5063 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 2 Mar 2016 11:20:07 +0100 Subject: [PATCH 665/700] doc/utils: fix typo for min() description Signed-off-by: Paul B Mahol (cherry picked from commit bdf474bcff29f5b40fe14f6fa1dbe10e69c73ab7) Signed-off-by: Timothy Gu --- doc/utils.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/utils.texi b/doc/utils.texi index 79bf2a22ac..00d6c31c11 100644 --- a/doc/utils.texi +++ b/doc/utils.texi 
@@ -861,7 +861,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}. From 3b931399eb32b0778e7e5464b9b14be49c971df1 Mon Sep 17 00:00:00 2001 From: KO Myung-Hun Date: Mon, 15 Feb 2016 13:16:23 +0900 Subject: [PATCH 666/700] MAINTAINERS: add myself as an OS/2 maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 346ec917646c18fc9e26bddf04bfa8f8f1e2e18f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index b991341e17..11ca678747 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -531,6 +531,7 @@ Windows ICL Matthew Oliver ADI/Blackfin DSP Marc Hoffman Sparc Roman Shaposhnik x86 Michael Niedermayer +OS/2 KO Myung-Hun Releases From a3db73c44dc7d60fe95f0e13f296e0611cf7f4d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 04:15:29 +0100 Subject: [PATCH 667/700] swscale/x86/output: Move code into yuv2planeX_mainloop Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit d07f6e5f1c36be675e0900edba3e40a32f05f0f4) Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 141 +++++++++++++++++++------------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9ea4af9535..9570969cea 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm 
@@ -54,75 +54,7 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- - -%macro yuv2planeX_fn 3 - -%if ARCH_X86_32 -%define cntr_reg fltsizeq -%define movsx mov -%else -%define cntr_reg r7 -%define movsx movsxd -%endif - -cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset -%if %1 == 8 || %1 == 9 || %1 == 10 - pxor m6, m6 -%endif ; %1 == 8/9/10 - -%if %1 == 8 -%if ARCH_X86_32 -%assign pad 0x2c - (stack_offset & 15) - SUB rsp, pad -%define m_dith m7 -%else ; x86-64 -%define m_dith m9 -%endif ; x86-32 - - ; create registers holding dither - movq m_dith, [ditherq] ; dither - test offsetd, offsetd - jz .no_rot -%if mmsize == 16 - punpcklqdq m_dith, m_dith -%endif ; mmsize == 16 - PALIGNR m_dith, m_dith, 3, m0 -.no_rot: -%if mmsize == 16 - punpcklbw m_dith, m6 -%if ARCH_X86_64 - punpcklwd m8, m_dith, m6 - pslld m8, 12 -%else ; x86-32 - punpcklwd m5, m_dith, m6 - pslld m5, 12 -%endif ; x86-32/64 - punpckhwd m_dith, m6 - pslld m_dith, 12 -%if ARCH_X86_32 - mova [rsp+ 0], m5 - mova [rsp+16], m_dith -%endif -%else ; mmsize == 8 - punpcklbw m5, m_dith, m6 - punpckhbw m_dith, m6 - punpcklwd m4, m5, m6 - punpckhwd m5, m6 - punpcklwd m3, m_dith, m6 - punpckhwd m_dith, m6 - pslld m4, 12 - pslld m5, 12 - pslld m3, 12 - pslld m_dith, 12 - mova [rsp+ 0], m4 - mova [rsp+ 8], m5 - mova [rsp+16], m3 - mova [rsp+24], m_dith -%endif ; mmsize == 8/16 -%endif ; %1 == 8 - - xor r5, r5 - +%macro yuv2planeX_mainloop 1 .pixelloop: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers 
@@ -233,6 +165,77 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset %assign %%i %%i+2 %endrep jg .pixelloop +%endmacro + +%macro yuv2planeX_fn 3 + +%if ARCH_X86_32 +%define cntr_reg fltsizeq +%define movsx mov +%else +%define cntr_reg r7 +%define movsx movsxd +%endif + +cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset +%if %1 == 8 || %1 == 9 || %1 == 10 + pxor m6, m6 +%endif ; %1 == 8/9/10 + +%if %1 == 8 +%if ARCH_X86_32 +%assign pad 0x2c - (stack_offset & 15) + SUB rsp, pad +%define m_dith m7 +%else ; x86-64 +%define m_dith m9 +%endif ; x86-32 + + ; create registers holding dither + movq m_dith, [ditherq] ; dither + test offsetd, offsetd + jz .no_rot +%if mmsize == 16 + punpcklqdq m_dith, m_dith +%endif ; mmsize == 16 + PALIGNR m_dith, m_dith, 3, m0 +.no_rot: +%if mmsize == 16 + punpcklbw m_dith, m6 +%if ARCH_X86_64 + punpcklwd m8, m_dith, m6 + pslld m8, 12 +%else ; x86-32 + punpcklwd m5, m_dith, m6 + pslld m5, 12 +%endif ; x86-32/64 + punpckhwd m_dith, m6 + pslld m_dith, 12 +%if ARCH_X86_32 + mova [rsp+ 0], m5 + mova [rsp+16], m_dith +%endif +%else ; mmsize == 8 + punpcklbw m5, m_dith, m6 + punpckhbw m_dith, m6 + punpcklwd m4, m5, m6 + punpckhwd m5, m6 + punpcklwd m3, m_dith, m6 + punpckhwd m_dith, m6 + pslld m4, 12 + pslld m5, 12 + pslld m3, 12 + pslld m_dith, 12 + mova [rsp+ 0], m4 + mova [rsp+ 8], m5 + mova [rsp+16], m3 + mova [rsp+24], m_dith +%endif ; mmsize == 8/16 +%endif ; %1 == 8 + + xor r5, r5 + +yuv2planeX_mainloop %1 %if %1 == 8 %if ARCH_X86_32 From 39664fb6472aa9daffe4968c5c2a181e7f77fe2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 00:14:56 +0100 Subject: [PATCH 668/700] swscale/x86/output: Fix yuv2planeX_16* with unaligned destination Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit f6492a2ea8df80be0ed9591aee4019cef0e36e99) 
Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9570969cea..133817cb71 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -54,8 +54,8 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- -%macro yuv2planeX_mainloop 1 -.pixelloop: +%macro yuv2planeX_mainloop 2 +.pixelloop_%2: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers ; 8 pixels but we can only handle 2 pixels per register, and thus 4 @@ -82,7 +82,7 @@ SECTION .text mova m2, m1 %endif ; %1 == 8/9/10/16 movsx cntr_reg, fltsizem -.filterloop_ %+ %%i: +.filterloop_%2_ %+ %%i: ; input pixels mov r6, [srcq+gprsize*cntr_reg-2*gprsize] %if %1 == 16 @@ -129,7 +129,7 @@ SECTION .text %endif ; %1 == 8/9/10/16 sub cntr_reg, 2 - jg .filterloop_ %+ %%i + jg .filterloop_%2_ %+ %%i %if %1 == 16 psrad m2, 31 - %1 @@ -156,7 +156,7 @@ SECTION .text %endif ; mmxext/sse2/sse4/avx pminsw m2, [yuv2yuvX_%1_upper] %endif ; %1 == 9/10/16 - mova [dstq+r5*2], m2 + mov%2 [dstq+r5*2], m2 %endif ; %1 == 8/9/10/16 add r5, mmsize/2 @@ -164,7 +164,7 @@ SECTION .text %assign %%i %%i+2 %endrep - jg .pixelloop + jg .pixelloop_%2 %endmacro %macro yuv2planeX_fn 3 @@ -235,7 +235,16 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset xor r5, r5 -yuv2planeX_mainloop %1 +%if mmsize == 8 || %1 == 8 + yuv2planeX_mainloop %1, a +%else ; mmsize == 16 + test dstq, 15 + jnz .unaligned + yuv2planeX_mainloop %1, a + REP_RET +.unaligned: + yuv2planeX_mainloop %1, u +%endif ; mmsize == 8/16 %if %1 == 8 %if ARCH_X86_32 From e44775580f6ca035e9e5a4704a0c3037253a3a16 Mon Sep 17 00:00:00 2001 
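Review bot: The early `REP_RET` after the aligned `yuv2planeX_mainloop %1, a` call skips whatever epilogue follows the macro invocation, and nothing in the code says why that is safe. Judging from the preceding patch to this file, the stack pad is reserved only under `%if %1 == 8`, and this branch is assembled only when `%1 != 8`, so a comment like `; no stack pad to release here, it is only allocated for %1 == 8` would protect the return path against later edits. The commit title names yuv2planeX_16*, but the condition `mmsize == 8 || %1 == 8` suggests the unaligned path is also built for the 9- and 10-bit variants at mmsize 16; the description could say so.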
From: Michael Niedermayer Date: Mon, 22 Feb 2016 03:31:34 +0100 Subject: [PATCH 669/700] avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats Signed-off-by: Michael Niedermayer (cherry picked from commit 1ec7a703806049265991723a8826bd61555edef4) Signed-off-by: Michael Niedermayer --- libavutil/pixdesc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index 648d014daa..fd269f6452 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -2143,6 +2143,7 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum AVPixelFormat pix_fmt) #define FF_COLOR_GRAY 1 /**< gray color space */ #define FF_COLOR_YUV 2 /**< YUV color space. 16 <= Y <= 235, 16 <= U, V <= 240 */ #define FF_COLOR_YUV_JPEG 3 /**< YUV color space. 0 <= Y <= 255, 0 <= U, V <= 255 */ +#define FF_COLOR_XYZ 4 #define pixdesc_has_alpha(pixdesc) \ ((pixdesc)->nb_components == 2 || (pixdesc)->nb_components == 4 || (pixdesc)->flags & AV_PIX_FMT_FLAG_PAL) @@ -2158,6 +2159,9 @@ static int get_color_type(const AVPixFmtDescriptor *desc) { if(desc->name && !strncmp(desc->name, "yuvj", 4)) return FF_COLOR_YUV_JPEG; + if(desc->name && !strncmp(desc->name, "xyz", 3)) + return FF_COLOR_XYZ; + if(desc->flags & AV_PIX_FMT_FLAG_RGB) return FF_COLOR_RGB; From d8586b7aca36eab39eadd3acaee8524b9a419258 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 23 Feb 2016 15:50:28 +0100 Subject: [PATCH 670/700] postproc: fix unaligned access Based on 59074310 by Andreas Cadhalpun. Fixes ticket #5259. (cherry picked from commit 2aa21eec1adcb3737be59f0eab7081c5a790faa9) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 1b90a516a6..d95b682c3c 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c 
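Review bot: `FF_COLOR_XYZ` is added without the Doxygen trailer that the neighbouring constants carry; `#define FF_COLOR_XYZ 4 /**< CIE XYZ color space */` would match them. In get_color_type() the new `strncmp(desc->name, "xyz", 3)` test classifies by name prefix, so any format whose name starts with "xyz" is treated as XYZ before its flags are looked at. A one-line comment stating that this is intended would help the next reader. The function body continues outside the second hunk.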
@@ -1000,7 +1000,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; + AV_WN32(c->stdQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F); } for(i<<=2; istdQPTable[i] = QP_store[i]>>1; From 8c40fc62ceb04c3ac361c7cdd3fb61becaacc660 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:14:03 +0100 Subject: [PATCH 671/700] swscale/input: Fix GBRAP16 input Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit df36257a53561a51af969a6ea6319dd2579509b9) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libswscale/input.c b/libswscale/input.c index 7b3b7060e6..5dcae8cd7d 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -818,6 +818,19 @@ static av_always_inline void planar_rgb16_to_y(uint8_t *_dst, const uint8_t *_sr } } +static av_always_inline void planar_rgb16_to_a(uint8_t *_dst, const uint8_t *_src[4], + int width, int bpc, int is_be, int32_t *rgb2yuv) +{ + int i; + const uint16_t **src = (const uint16_t **)_src; + uint16_t *dst = (uint16_t *)_dst; + int shift = bpc < 16 ? bpc : 14; + + for (i = 0; i < width; i++) { + dst[i] = rdpx(src[3] + i) << (14 - shift); + } +} + static av_always_inline void planar_rgb16_to_uv(uint8_t *_dstU, uint8_t *_dstV, const uint8_t *_src[4], int width, int bpc, int is_be, int32_t *rgb2yuv) 
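Review bot: The value passed to `AV_WN32` in pp_postprocess() relies on `>>` binding tighter than `&`; explicit parentheses make the intent unambiguous: `AV_WN32(c->stdQPTable + (i<<2), (AV_RN32(QP_store + (i<<2)) >> 1) & 0x7F7F7F7F);`. The loop reads and writes a number of bytes derived from `mbHeight * absQPStride` and `mbWidth`. The hunk does not show how `QP_store` and `c->stdQPTable` are sized against that count, so the bound is worth confirming for caller-supplied QP tables. The function starts and ends outside the hunk.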
@@ -846,6 +859,11 @@ static void planar_rgb##nbits##endian_name##_to_y(uint8_t *dst, const uint8_t *s { \ planar_rgb16_to_y(dst, src, w, nbits, endian, rgb2yuv); \ } \ +static void planar_rgb##nbits##endian_name##_to_a(uint8_t *dst, const uint8_t *src[4], \ + int w, int32_t *rgb2yuv) \ +{ \ + planar_rgb16_to_a(dst, src, w, nbits, endian, rgb2yuv); \ +} \ static void planar_rgb##nbits##endian_name##_to_uv(uint8_t *dstU, uint8_t *dstV, \ const uint8_t *src[4], int w, int32_t *rgb2yuv) \ { \ @@ -1168,6 +1186,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14le_to_y; break; case AV_PIX_FMT_GBRAP16LE: + c->readAlpPlanar = planar_rgb16le_to_a; case AV_PIX_FMT_GBRP16LE: c->readLumPlanar = planar_rgb16le_to_y; break; @@ -1184,6 +1203,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14be_to_y; break; case AV_PIX_FMT_GBRAP16BE: + c->readAlpPlanar = planar_rgb16be_to_a; case AV_PIX_FMT_GBRP16BE: c->readLumPlanar = planar_rgb16be_to_y; break; From 0b51d15a0e577b7b3bbc05ce1105850cf5ca7732 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:48:11 +0100 Subject: [PATCH 672/700] swscale/utils: Fix chrSrcHSubSample for GBRAP16 Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit 67e5bd0c501f7568fc8d93284d0f7eb40663ab06) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 4032b5701a..2baf1f47ef 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
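Review bot: The new `case AV_PIX_FMT_GBRAP16LE:` in ff_sws_init_input_funcs() falls through into `case AV_PIX_FMT_GBRP16LE:` without a marker, and the `AV_PIX_FMT_GBRAP16BE` case in the next hunk does the same. The fall-through looks intentional, since the alpha formats need both `readAlpPlanar` and `readLumPlanar`. Marking it with `/* fall through */` after each `readAlpPlanar` assignment keeps compilers and later readers from treating it as a missing `break`. The switch starts and ends outside both hunks.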
@@ -1187,6 +1187,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcFormat != AV_PIX_FMT_GBRP12BE && srcFormat != AV_PIX_FMT_GBRP12LE && srcFormat != AV_PIX_FMT_GBRP14BE && srcFormat != AV_PIX_FMT_GBRP14LE && srcFormat != AV_PIX_FMT_GBRP16BE && srcFormat != AV_PIX_FMT_GBRP16LE && + srcFormat != AV_PIX_FMT_GBRAP16BE && srcFormat != AV_PIX_FMT_GBRAP16LE && ((dstW >> c->chrDstHSubSample) <= (srcW >> 1) || (flags & SWS_FAST_BILINEAR))) c->chrSrcHSubSample = 1; From 0438cc2bc0eeb2371789b5b6a2878674778513a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Feb 2016 15:48:28 +0100 Subject: [PATCH 673/700] avcodec/avpacket: clear priv in av_init_packet() This should fix leaving uninitialized pointers in priv which can confuse user applications. See: https://github.com/golang/go/issues/14426 Only or release branches Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 3c26046dad..03332ac8aa 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -58,6 +58,7 @@ void av_init_packet(AVPacket *pkt) #if FF_API_DESTRUCT_PACKET FF_DISABLE_DEPRECATION_WARNINGS pkt->destruct = NULL; + pkt->priv = NULL; FF_ENABLE_DEPRECATION_WARNINGS #endif pkt->buf = NULL; From 4c6870695859611e05eaed3a3f44fe52956a3b08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Feb 2016 18:10:23 +0100 Subject: [PATCH 674/700] avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg Fixes: ebd58db6-dc86-11e5-91c2-59daeddf50c7.jpg Signed-off-by: Michael Niedermayer (cherry picked from commit c6f4720b8664e6e22eb5b3da6bb48ed5b113f746) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d77940f3ef..bc87c1ef0e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
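Review bot: The added `pkt->priv = NULL;` in av_init_packet() sits inside the `#if FF_API_DESTRUCT_PACKET` block, so it is compiled out whenever that guard is off. That is correct only if `priv` is declared under the same guard in AVPacket, which this hunk does not show; if the field exists unconditionally, it would still be left uninitialized in those builds. A comment such as `/* deprecated field, cleared so callers never see a stale pointer */` would record why the line is there.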
@@ -1357,12 +1357,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, return AVERROR_INVALIDDATA; } - if (!Al) { - // s->coefs_finished is a bitmask for coefficients coded - // ss and se are parameters telling start and end coefficients - s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss); - last_scan = !~s->coefs_finished[c]; - } + // s->coefs_finished is a bitmask for coefficients coded + // ss and se are parameters telling start and end coefficients + s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss); + last_scan = !Al && !~s->coefs_finished[c]; if (s->interlaced && s->bottom_field) data += linesize >> 1; From b42ade51eb5b103950eb0ea8089c13cf04c9f792 Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Thu, 18 Feb 2016 12:57:37 -0600 Subject: [PATCH 675/700] lavf/mov: fix sidx with edit lists (cherry picked from commit 3617e69d50dd9dd07b5011dfb9477a9d1a630354) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a51884677c..cebd0b8b4c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3078,7 +3078,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) } av_log(c->fc, AV_LOG_DEBUG, "calculated into dts %"PRId64"\n", dts); } else { - dts = frag->time; + dts = frag->time - sc->time_offset; av_log(c->fc, AV_LOG_DEBUG, "found frag time %"PRId64 ", using it for dts\n", dts); } From 1578642853d31f8c52bd31e720bc338f924e4358 Mon Sep 17 00:00:00 2001 
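Review bot: The comment kept above the mask update in mjpeg_decode_scan_progressive_ac() no longer describes the code: `s->coefs_finished[c]` is now updated on every scan, including those with `Al != 0`, and the `Al` condition has moved into `last_scan`. Suggested wording: `// coefs_finished marks coefficients seen in any scan (ss..se); last_scan additionally requires Al == 0`. The mask expression shifts by `se` and `ss`, so it depends on the range check that ends in the `return AVERROR_INVALIDDATA` at the top of the hunk, whose condition is not visible here. The function starts and ends outside the hunk.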
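Review bot: The new `dts = frag->time - sc->time_offset;` in mov_read_trun() subtracts two values that appear to come from the file being parsed, and no overflow guard is visible in the hunk. If both are signed 64-bit, an extreme pair overflows, which is undefined behaviour in C; a range check before the subtraction would close that. The debug message on the following line still says "found frag time ..., using it for dts" while it now prints the offset-adjusted value, so its wording should be updated to match. The function continues outside the hunk.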
From: Boris Nagels Date: Sun, 6 Mar 2016 16:31:36 +0100 Subject: [PATCH 676/700] avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT RTCP synchronization packet was broken since commit in ffmpeg version > 2.8.3 (commit: e04b039b1528f4c7df5c2b93865651bfea168a19) Since this commit (2e814d0329aded98c811d0502839618f08642685) "rtpenc: Simplify code by introducing a macro for rescaling NTP timestamps", NTP_TO_RTP_FORMAT uses av_rescale_rnd() function to add the data to the packet. This causes an overflow in the av_rescale_rnd() function and it will return INT64_MIN. Causing the NTP stamp in the RTCP packet to have an invalid value. Github: Closes #182 Reverting commit '2e814d0329aded98c811d0502839618f08642685' solves the problem. (cherry picked from commit 1109ed7973c7fd1e7001898adc4976590d862122) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index cbe0faea48..93538d9203 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c @@ -292,7 +292,8 @@ static void rtcp_send_sr(AVFormatContext *s1, int64_t ntp_time, int bye) avio_w8(s1->pb, RTCP_SR); avio_wb16(s1->pb, 6); /* length in words - 1 */ avio_wb32(s1->pb, s->ssrc); - avio_wb64(s1->pb, NTP_TO_RTP_FORMAT(ntp_time)); + avio_wb32(s1->pb, ntp_time / 1000000); + avio_wb32(s1->pb, ((ntp_time % 1000000) << 32) / 1000000); avio_wb32(s1->pb, rtp_ts); avio_wb32(s1->pb, s->packet_count); avio_wb32(s1->pb, s->octet_count); From 59648ab954caa582595db9020c7c1d94b84bf31f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jan 2016 22:13:14 +0100 Subject: [PATCH 677/700] avformat/concatdec: set safe mode to enabled instead of auto This is safer, as a selected demuxer could still mean that it was auto-detected by a user application Reviewed-previously-by: Nicolas George Reviewed-previously-by: Andreas Cadhalpun 
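Review bot: The two `avio_wb32()` calls that replace `NTP_TO_RTP_FORMAT` in rtcp_send_sr() carry no comment, and the constant `1000000` appears three times. A line such as `/* NTP timestamp: 32-bit seconds, then 32-bit fraction; ntp_time is in microseconds */` would document the layout (the unit is inferred from the divisor). The fraction expression left-shifts `ntp_time % 1000000`, which is negative for a negative `ntp_time`, and shifting a negative value is undefined; it is worth confirming that callers never pass one. The function starts and ends outside the hunk.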
Signed-off-by: Michael Niedermayer (cherry picked from commit 689211d5727231c3fe92762d224dbadebdbf4e30) Conflicts: libavformat/concatdec.c --- doc/demuxers.texi | 6 ++++-- libavformat/concatdec.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 3a1d899cfb..fa5af02d5a 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -98,7 +98,7 @@ All subsequent file-related directives apply to that file. @item @code{ffconcat version 1.0} Identify the script type and version. It also sets the @option{safe} option -to 1 if it was to its default -1. +to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must appears exactly as is (no extra space or byte-order-mark) on the very first @@ -145,7 +145,9 @@ component. If set to 0, any file name is accepted. -The default is -1, it is equivalent to 1 if the format was automatically +The default is 1. + +-1 is equivalent to 1 if the format was automatically probed and 0 otherwise. @item auto_convert diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index a2584d70e2..14e1cf663a 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -619,7 +619,7 @@ static int concat_seek(AVFormatContext *avf, int stream, static const AVOption options[] = { { "safe", "enable safe mode", - OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 1, DEC }, + OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = 1}, -1, 1, DEC }, { "auto_convert", "automatically convert bitstream format", OFFSET(auto_convert), AV_OPT_TYPE_INT, {.i64 = 0}, 0, 1, DEC }, { NULL } From 3433e52d48ace11f5cbfd438ee127f7ae6eccb1b Mon Sep 17 00:00:00 2001 
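Review bot: The `safe` option in concatdec.c now defaults to 1 but keeps the range -1..1 and the help text "enable safe mode", so nothing in the option table tells a user that -1 still selects the probe-dependent behaviour this commit moves away from. Describing the three values in the help string, for example `"enable safe mode (-1: auto, 0: off, 1: on)"`, would make the weaker settings an explicit choice. Per the documentation hunk, the old default accepted any file name when the demuxer was selected explicitly; those callers will now have unsafe names rejected, which is the intended hardening and worth a line in the release notes.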
From: Martin Cracauer Date: Tue, 1 Dec 2015 17:59:36 -0500 Subject: [PATCH 678/700] avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing Trying to make heads and tails out of DTS 6.1 I can across this typo. I also noticed that this wiki page is incorrect or misleading, the channel order for 6.1 given does not match the source code. At the least it should be clarified that the layout given does not apply to DTS. https://trac.ffmpeg.org/wiki/AudioChannelManipulation Signed-off-by: Michael Niedermayer (cherry picked from commit 73d1398f0c4ce2de16790f46e05a79242137d153) Signed-off-by: Michael Niedermayer --- libavutil/channel_layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 45249c4367..7aceb81971 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -94,7 +94,7 @@ static const struct { { "6.0(front)", 6, AV_CH_LAYOUT_6POINT0_FRONT }, { "hexagonal", 6, AV_CH_LAYOUT_HEXAGONAL }, { "6.1", 7, AV_CH_LAYOUT_6POINT1 }, - { "6.1", 7, AV_CH_LAYOUT_6POINT1_BACK }, + { "6.1(back)", 7, AV_CH_LAYOUT_6POINT1_BACK }, { "6.1(front)", 7, AV_CH_LAYOUT_6POINT1_FRONT }, { "7.0", 7, AV_CH_LAYOUT_7POINT0 }, { "7.0(front)", 7, AV_CH_LAYOUT_7POINT0_FRONT }, From 3097c10ee341b253a1a7a6e6035af96e9e7e900d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 15:18:53 +0100 Subject: [PATCH 679/700] avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool This should theoretically improve the randomness slightly Signed-off-by: Michael Niedermayer (cherry picked from commit 2540d884f3fd7cfac503e048112098967be2569a) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 8aa8c3879b..5af8e9e524 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c 
@@ -97,8 +97,13 @@ static uint32_t get_generic_seed(void) last_t = t; } - if(TEST) + if(TEST) { buffer[0] = buffer[1] = 0; + } else { +#ifdef AV_READ_TIME + buffer[111] += AV_READ_TIME(); +#endif + } av_sha_init(sha, 160); av_sha_update(sha, (const uint8_t *)buffer, sizeof(buffer)); From bbc3395a0bb07fd9aee95d04f8e2c21ab48f7a9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Sobala?= Date: Fri, 18 Sep 2015 15:40:58 +0200 Subject: [PATCH 680/700] avcodec/imgconvert: Support non-planar colorspaces while padding Signed-off-by: Michael Niedermayer (cherry picked from commit 0d097a869c38850c9ac09bccef60a229470f489b) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 158bc739a1..c6e52b381a 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c 
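Review bot: The index in `buffer[111] += AV_READ_TIME();` in get_generic_seed() is a bare constant, and the declaration of `buffer` is outside the hunk, so the write is in bounds only if the array has at least 112 elements. Please confirm that and add a comment such as `/* arbitrary slot: mix the loop's runtime in cycles into the pool */`. The value is added only when `AV_READ_TIME` is defined, so on other targets this path contributes nothing extra. The cycle count is a modest addition to the pool and should not be relied on as the seed's main entropy source.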
@@ -236,9 +236,41 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, int x_shift; int yheight; int i, y; + int max_step[4]; - if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB || - !is_yuv_planar(desc)) return -1; + if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB) + return -1; + + if (!is_yuv_planar(desc)) { + if (src) + return -1; //TODO: Not yet implemented + + av_image_fill_max_pixsteps(max_step, NULL, desc); + + if (padtop || padleft) { + memset(dst->data[0], color[0], + dst->linesize[0] * padtop + (padleft * max_step[0])); + } + + if (padleft || padright) { + optr = dst->data[0] + dst->linesize[0] * padtop + + (dst->linesize[0] - (padright * max_step[0])); + yheight = height - 1 - (padtop + padbottom); + for (y = 0; y < yheight; y++) { + memset(optr, color[0], (padleft + padright) * max_step[0]); + optr += dst->linesize[0]; + } + } + + if (padbottom || padright) { + optr = dst->data[0] + dst->linesize[0] * (height - padbottom) - + (padright * max_step[0]); + memset(optr, color[0], dst->linesize[0] * padbottom + + (padright * max_step[0])); + } + + return 0; + } for (i = 0; i < 3; i++) { x_shift = i ? desc->log2_chroma_w : 0; @@ -284,6 +316,7 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, (padbottom >> y_shift) + (padright >> x_shift)); } } + return 0; } From 55937c49df425fafd2494df14d6b51713aa44e74 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:18 -0500 Subject: [PATCH 681/700] indeo2data: K&R formatting cosmetics Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit d4066a702407352a0648af882c34ea81a404fa2b) (cherry picked from commit 522ab0b9a92962edda7156a91a494a1e2b8a7f64) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2data.h | 208 ++++++++++++++++++++-------------------- 1 file changed, 104 insertions(+), 104 deletions(-) diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 0d6d82f22c..8fd664c6ab 100644 
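Review bot: The new packed-format branch of av_picture_pad() computes `memset` offsets and lengths from `padtop`, `padbottom`, `padleft` and `padright` with no check against `height` and `width` visible in the hunk, so oversized padding values would write outside `dst->data[0]`. A guard before the first `memset` would stop that: `if (padtop + padbottom > height || padleft + padright > width) return -1;`. The row positions are also derived from `dst->linesize[0]` rather than `width * max_step[0]`, which places the side borders correctly only when the line size has no alignment padding. Every byte is filled with `color[0]`, so multi-byte packed pixels get one repeated component value. The function starts before the hunk.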
--- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h 
@@ -27,115 +27,115 @@ #define IR2_CODES 143 static const uint16_t ir2_codes[IR2_CODES][2] = { #ifdef BITSTREAM_READER_LE -{0x0000, 3}, {0x0004, 3}, {0x0006, 3}, {0x0001, 5}, -{0x0009, 5}, {0x0019, 5}, {0x000D, 5}, {0x001D, 5}, -{0x0023, 6}, {0x0013, 6}, {0x0033, 6}, {0x000B, 6}, -{0x002B, 6}, {0x001B, 6}, {0x0007, 8}, {0x0087, 8}, -{0x0027, 8}, {0x00A7, 8}, {0x0067, 8}, {0x00E7, 8}, -{0x0097, 8}, {0x0057, 8}, {0x0037, 8}, {0x00B7, 8}, -{0x00F7, 8}, {0x000F, 9}, {0x008F, 9}, {0x018F, 9}, -{0x014F, 9}, {0x00CF, 9}, {0x002F, 9}, {0x012F, 9}, -{0x01AF, 9}, {0x006F, 9}, {0x00EF, 9}, {0x01EF, 9}, -{0x001F, 10}, {0x021F, 10}, {0x011F, 10}, {0x031F, 10}, -{0x009F, 10}, {0x029F, 10}, {0x019F, 10}, {0x039F, 10}, -{0x005F, 10}, {0x025F, 10}, {0x015F, 10}, {0x035F, 10}, -{0x00DF, 10}, {0x02DF, 10}, {0x01DF, 10}, {0x03DF, 10}, -{0x003F, 13}, {0x103F, 13}, {0x083F, 13}, {0x183F, 13}, -{0x043F, 13}, {0x143F, 13}, {0x0C3F, 13}, {0x1C3F, 13}, -{0x023F, 13}, {0x123F, 13}, {0x0A3F, 13}, {0x1A3F, 13}, -{0x063F, 13}, {0x163F, 13}, {0x0E3F, 13}, {0x1E3F, 13}, -{0x013F, 13}, {0x113F, 13}, {0x093F, 13}, {0x193F, 13}, -{0x053F, 13}, {0x153F, 13}, {0x0D3F, 13}, {0x1D3F, 13}, -{0x033F, 13}, {0x133F, 13}, {0x0B3F, 13}, {0x1B3F, 13}, -{0x073F, 13}, {0x173F, 13}, {0x0F3F, 13}, {0x1F3F, 13}, -{0x00BF, 13}, {0x10BF, 13}, {0x08BF, 13}, {0x18BF, 13}, -{0x04BF, 13}, {0x14BF, 13}, {0x0CBF, 13}, {0x1CBF, 13}, -{0x02BF, 13}, {0x12BF, 13}, {0x0ABF, 13}, {0x1ABF, 13}, -{0x06BF, 13}, {0x16BF, 13}, {0x0EBF, 13}, {0x1EBF, 13}, -{0x01BF, 13}, {0x11BF, 13}, {0x09BF, 13}, {0x19BF, 13}, -{0x05BF, 13}, {0x15BF, 13}, {0x0DBF, 13}, {0x1DBF, 13}, -{0x03BF, 13}, {0x13BF, 13}, {0x0BBF, 13}, {0x1BBF, 13}, -{0x07BF, 13}, {0x17BF, 13}, {0x0FBF, 13}, {0x1FBF, 13}, -{0x007F, 14}, {0x207F, 14}, {0x107F, 14}, {0x307F, 14}, -{0x087F, 14}, {0x287F, 14}, {0x187F, 14}, {0x387F, 14}, -{0x047F, 14}, {0x247F, 14}, {0x147F, 14}, {0x0002, 3}, -{0x0011, 5}, {0x0005, 5}, {0x0015, 5}, {0x0003, 6}, -{0x003B, 6}, {0x0047, 8}, {0x00C7, 
8}, {0x0017, 8}, -{0x00D7, 8}, {0x0077, 8}, {0x010F, 9}, {0x004F, 9}, -{0x01CF, 9}, {0x00AF, 9}, {0x016F, 9}, + { 0x0000, 3 }, { 0x0004, 3 }, { 0x0006, 3 }, { 0x0001, 5 }, + { 0x0009, 5 }, { 0x0019, 5 }, { 0x000D, 5 }, { 0x001D, 5 }, + { 0x0023, 6 }, { 0x0013, 6 }, { 0x0033, 6 }, { 0x000B, 6 }, + { 0x002B, 6 }, { 0x001B, 6 }, { 0x0007, 8 }, { 0x0087, 8 }, + { 0x0027, 8 }, { 0x00A7, 8 }, { 0x0067, 8 }, { 0x00E7, 8 }, + { 0x0097, 8 }, { 0x0057, 8 }, { 0x0037, 8 }, { 0x00B7, 8 }, + { 0x00F7, 8 }, { 0x000F, 9 }, { 0x008F, 9 }, { 0x018F, 9 }, + { 0x014F, 9 }, { 0x00CF, 9 }, { 0x002F, 9 }, { 0x012F, 9 }, + { 0x01AF, 9 }, { 0x006F, 9 }, { 0x00EF, 9 }, { 0x01EF, 9 }, + { 0x001F, 10 }, { 0x021F, 10 }, { 0x011F, 10 }, { 0x031F, 10 }, + { 0x009F, 10 }, { 0x029F, 10 }, { 0x019F, 10 }, { 0x039F, 10 }, + { 0x005F, 10 }, { 0x025F, 10 }, { 0x015F, 10 }, { 0x035F, 10 }, + { 0x00DF, 10 }, { 0x02DF, 10 }, { 0x01DF, 10 }, { 0x03DF, 10 }, + { 0x003F, 13 }, { 0x103F, 13 }, { 0x083F, 13 }, { 0x183F, 13 }, + { 0x043F, 13 }, { 0x143F, 13 }, { 0x0C3F, 13 }, { 0x1C3F, 13 }, + { 0x023F, 13 }, { 0x123F, 13 }, { 0x0A3F, 13 }, { 0x1A3F, 13 }, + { 0x063F, 13 }, { 0x163F, 13 }, { 0x0E3F, 13 }, { 0x1E3F, 13 }, + { 0x013F, 13 }, { 0x113F, 13 }, { 0x093F, 13 }, { 0x193F, 13 }, + { 0x053F, 13 }, { 0x153F, 13 }, { 0x0D3F, 13 }, { 0x1D3F, 13 }, + { 0x033F, 13 }, { 0x133F, 13 }, { 0x0B3F, 13 }, { 0x1B3F, 13 }, + { 0x073F, 13 }, { 0x173F, 13 }, { 0x0F3F, 13 }, { 0x1F3F, 13 }, + { 0x00BF, 13 }, { 0x10BF, 13 }, { 0x08BF, 13 }, { 0x18BF, 13 }, + { 0x04BF, 13 }, { 0x14BF, 13 }, { 0x0CBF, 13 }, { 0x1CBF, 13 }, + { 0x02BF, 13 }, { 0x12BF, 13 }, { 0x0ABF, 13 }, { 0x1ABF, 13 }, + { 0x06BF, 13 }, { 0x16BF, 13 }, { 0x0EBF, 13 }, { 0x1EBF, 13 }, + { 0x01BF, 13 }, { 0x11BF, 13 }, { 0x09BF, 13 }, { 0x19BF, 13 }, + { 0x05BF, 13 }, { 0x15BF, 13 }, { 0x0DBF, 13 }, { 0x1DBF, 13 }, + { 0x03BF, 13 }, { 0x13BF, 13 }, { 0x0BBF, 13 }, { 0x1BBF, 13 }, + { 0x07BF, 13 }, { 0x17BF, 13 }, { 0x0FBF, 13 }, { 0x1FBF, 13 }, + { 0x007F, 
14 }, { 0x207F, 14 }, { 0x107F, 14 }, { 0x307F, 14 }, + { 0x087F, 14 }, { 0x287F, 14 }, { 0x187F, 14 }, { 0x387F, 14 }, + { 0x047F, 14 }, { 0x247F, 14 }, { 0x147F, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0005, 5 }, { 0x0015, 5 }, { 0x0003, 6 }, + { 0x003B, 6 }, { 0x0047, 8 }, { 0x00C7, 8 }, { 0x0017, 8 }, + { 0x00D7, 8 }, { 0x0077, 8 }, { 0x010F, 9 }, { 0x004F, 9 }, + { 0x01CF, 9 }, { 0x00AF, 9 }, { 0x016F, 9 }, #else - {0x0000, 3}, {0x0001, 3}, {0x0003, 3}, {0x0010, 5}, - {0x0012, 5}, {0x0013, 5}, {0x0016, 5}, {0x0017, 5}, - {0x0031, 6}, {0x0032, 6}, {0x0033, 6}, {0x0034, 6}, - {0x0035, 6}, {0x0036, 6}, {0x00E0, 8}, {0x00E1, 8}, - {0x00E4, 8}, {0x00E5, 8}, {0x00E6, 8}, {0x00E7, 8}, - {0x00E9, 8}, {0x00EA, 8}, {0x00EC, 8}, {0x00ED, 8}, - {0x00EF, 8}, {0x01E0, 9}, {0x01E2, 9}, {0x01E3, 9}, - {0x01E5, 9}, {0x01E6, 9}, {0x01E8, 9}, {0x01E9, 9}, - {0x01EB, 9}, {0x01EC, 9}, {0x01EE, 9}, {0x01EF, 9}, - {0x03E0, 10}, {0x03E1, 10}, {0x03E2, 10}, {0x03E3, 10}, - {0x03E4, 10}, {0x03E5, 10}, {0x03E6, 10}, {0x03E7, 10}, - {0x03E8, 10}, {0x03E9, 10}, {0x03EA, 10}, {0x03EB, 10}, - {0x03EC, 10}, {0x03ED, 10}, {0x03EE, 10}, {0x03EF, 10}, - {0x1F80, 13}, {0x1F81, 13}, {0x1F82, 13}, {0x1F83, 13}, - {0x1F84, 13}, {0x1F85, 13}, {0x1F86, 13}, {0x1F87, 13}, - {0x1F88, 13}, {0x1F89, 13}, {0x1F8A, 13}, {0x1F8B, 13}, - {0x1F8C, 13}, {0x1F8D, 13}, {0x1F8E, 13}, {0x1F8F, 13}, - {0x1F90, 13}, {0x1F91, 13}, {0x1F92, 13}, {0x1F93, 13}, - {0x1F94, 13}, {0x1F95, 13}, {0x1F96, 13}, {0x1F97, 13}, - {0x1F98, 13}, {0x1F99, 13}, {0x1F9A, 13}, {0x1F9B, 13}, - {0x1F9C, 13}, {0x1F9D, 13}, {0x1F9E, 13}, {0x1F9F, 13}, - {0x1FA0, 13}, {0x1FA1, 13}, {0x1FA2, 13}, {0x1FA3, 13}, - {0x1FA4, 13}, {0x1FA5, 13}, {0x1FA6, 13}, {0x1FA7, 13}, - {0x1FA8, 13}, {0x1FA9, 13}, {0x1FAA, 13}, {0x1FAB, 13}, - {0x1FAC, 13}, {0x1FAD, 13}, {0x1FAE, 13}, {0x1FAF, 13}, - {0x1FB0, 13}, {0x1FB1, 13}, {0x1FB2, 13}, {0x1FB3, 13}, - {0x1FB4, 13}, {0x1FB5, 13}, {0x1FB6, 13}, {0x1FB7, 13}, - {0x1FB8, 13}, {0x1FB9, 13}, {0x1FBA, 13}, 
{0x1FBB, 13}, - {0x1FBC, 13}, {0x1FBD, 13}, {0x1FBE, 13}, {0x1FBF, 13}, - {0x3F80, 14}, {0x3F81, 14}, {0x3F82, 14}, {0x3F83, 14}, - {0x3F84, 14}, {0x3F85, 14}, {0x3F86, 14}, {0x3F87, 14}, - {0x3F88, 14}, {0x3F89, 14}, {0x3F8A, 14}, {0x0002, 3}, - {0x0011, 5}, {0x0014, 5}, {0x0015, 5}, {0x0030, 6}, - {0x0037, 6}, {0x00E2, 8}, {0x00E3, 8}, {0x00E8, 8}, - {0x00EB, 8}, {0x00EE, 8}, {0x01E1, 9}, {0x01E4, 9}, - {0x01E7, 9}, {0x01EA, 9}, {0x01ED, 9} + { 0x0000, 3 }, { 0x0001, 3 }, { 0x0003, 3 }, { 0x0010, 5 }, + { 0x0012, 5 }, { 0x0013, 5 }, { 0x0016, 5 }, { 0x0017, 5 }, + { 0x0031, 6 }, { 0x0032, 6 }, { 0x0033, 6 }, { 0x0034, 6 }, + { 0x0035, 6 }, { 0x0036, 6 }, { 0x00E0, 8 }, { 0x00E1, 8 }, + { 0x00E4, 8 }, { 0x00E5, 8 }, { 0x00E6, 8 }, { 0x00E7, 8 }, + { 0x00E9, 8 }, { 0x00EA, 8 }, { 0x00EC, 8 }, { 0x00ED, 8 }, + { 0x00EF, 8 }, { 0x01E0, 9 }, { 0x01E2, 9 }, { 0x01E3, 9 }, + { 0x01E5, 9 }, { 0x01E6, 9 }, { 0x01E8, 9 }, { 0x01E9, 9 }, + { 0x01EB, 9 }, { 0x01EC, 9 }, { 0x01EE, 9 }, { 0x01EF, 9 }, + { 0x03E0, 10 }, { 0x03E1, 10 }, { 0x03E2, 10 }, { 0x03E3, 10 }, + { 0x03E4, 10 }, { 0x03E5, 10 }, { 0x03E6, 10 }, { 0x03E7, 10 }, + { 0x03E8, 10 }, { 0x03E9, 10 }, { 0x03EA, 10 }, { 0x03EB, 10 }, + { 0x03EC, 10 }, { 0x03ED, 10 }, { 0x03EE, 10 }, { 0x03EF, 10 }, + { 0x1F80, 13 }, { 0x1F81, 13 }, { 0x1F82, 13 }, { 0x1F83, 13 }, + { 0x1F84, 13 }, { 0x1F85, 13 }, { 0x1F86, 13 }, { 0x1F87, 13 }, + { 0x1F88, 13 }, { 0x1F89, 13 }, { 0x1F8A, 13 }, { 0x1F8B, 13 }, + { 0x1F8C, 13 }, { 0x1F8D, 13 }, { 0x1F8E, 13 }, { 0x1F8F, 13 }, + { 0x1F90, 13 }, { 0x1F91, 13 }, { 0x1F92, 13 }, { 0x1F93, 13 }, + { 0x1F94, 13 }, { 0x1F95, 13 }, { 0x1F96, 13 }, { 0x1F97, 13 }, + { 0x1F98, 13 }, { 0x1F99, 13 }, { 0x1F9A, 13 }, { 0x1F9B, 13 }, + { 0x1F9C, 13 }, { 0x1F9D, 13 }, { 0x1F9E, 13 }, { 0x1F9F, 13 }, + { 0x1FA0, 13 }, { 0x1FA1, 13 }, { 0x1FA2, 13 }, { 0x1FA3, 13 }, + { 0x1FA4, 13 }, { 0x1FA5, 13 }, { 0x1FA6, 13 }, { 0x1FA7, 13 }, + { 0x1FA8, 13 }, { 0x1FA9, 13 }, { 0x1FAA, 13 }, { 0x1FAB, 13 }, + { 
0x1FAC, 13 }, { 0x1FAD, 13 }, { 0x1FAE, 13 }, { 0x1FAF, 13 }, + { 0x1FB0, 13 }, { 0x1FB1, 13 }, { 0x1FB2, 13 }, { 0x1FB3, 13 }, + { 0x1FB4, 13 }, { 0x1FB5, 13 }, { 0x1FB6, 13 }, { 0x1FB7, 13 }, + { 0x1FB8, 13 }, { 0x1FB9, 13 }, { 0x1FBA, 13 }, { 0x1FBB, 13 }, + { 0x1FBC, 13 }, { 0x1FBD, 13 }, { 0x1FBE, 13 }, { 0x1FBF, 13 }, + { 0x3F80, 14 }, { 0x3F81, 14 }, { 0x3F82, 14 }, { 0x3F83, 14 }, + { 0x3F84, 14 }, { 0x3F85, 14 }, { 0x3F86, 14 }, { 0x3F87, 14 }, + { 0x3F88, 14 }, { 0x3F89, 14 }, { 0x3F8A, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0014, 5 }, { 0x0015, 5 }, { 0x0030, 6 }, + { 0x0037, 6 }, { 0x00E2, 8 }, { 0x00E3, 8 }, { 0x00E8, 8 }, + { 0x00EB, 8 }, { 0x00EE, 8 }, { 0x01E1, 9 }, { 0x01E4, 9 }, + { 0x01E7, 9 }, { 0x01EA, 9 }, { 0x01ED, 9 }, #endif }; static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 
0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80 + 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 
0x80, 0x80, }; #endif /* AVCODEC_INDEO2DATA_H */ From d604b84f9191fa28822ee43934f951626b2da11f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:19 -0500 Subject: [PATCH 682/700] indeo2: Fix banding artefacts Rename luma table to delta table and change how it is used. CC: libav-stable@libav.org Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit f8c34f4b8d62afad3f63cf3d9617d73735bef8c1) (cherry picked from commit 73f3c8f73edf0a69502233b2c50fa9e7104f99ec) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 15 ++-- libavcodec/indeo2data.h | 162 ++++++++++++++++++++++++++++++++-------- 2 files changed, 138 insertions(+), 39 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 39735c2e4b..b2656686a2 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -146,6 +146,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p = s->picture; int start, ret; + int ltab, ctab; if ((ret = ff_reget_buffer(avctx, p)) < 0) return ret; 
@@ -167,34 +168,36 @@ static int ir2_decode_frame(AVCodecContext *avctx, init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); + ltab = buf[0x22] & 3; + ctab = buf[0x22] >> 2; if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } else { /* interframe */ if ((ret = ir2_decode_plane_inter(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 8fd664c6ab..e05c91ff58 100644 --- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h 
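Review bot: `ctab = buf[0x22] >> 2` can take any value from 0 to 63, but it indexes `ir2_delta_table`, which this commit declares as `[4][256]`, so a frame whose byte 0x22 has any of its upper six bits set selects a table past the end of the array and the plane decoders read out of bounds. `ltab` is masked with 3 and stays in range. Reject such a frame before the first ir2_decode_plane call, e.g. `if (ctab > 3) return AVERROR_INVALIDDATA;`, optionally with an av_log line naming the bad value. Whether buf_size has already been checked to cover offset 0x22 is decided earlier in ir2_decode_frame, outside this hunk.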
@@ -103,39 +103,135 @@ static const uint16_t ir2_codes[IR2_CODES][2] = { #endif }; -static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, +static const uint8_t ir2_delta_table[4][256] = { + { 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 
0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, }, + { 0x80, 0x80, 0x85, 0x85, 0x7B, 0x7B, 0x7E, 0x87, + 0x82, 0x79, 0x87, 0x7E, 0x79, 0x82, 0x8F, 0x8F, + 0x71, 0x71, 0x84, 0x8F, 0x7C, 0x71, 0x8F, 0x84, + 0x71, 0x7C, 0x75, 0x8B, 0x8B, 0x75, 0x8B, 0x75, + 0x75, 0x8B, 0x8E, 0x9A, 0x72, 0x66, 0x9A, 0x8E, + 0x66, 0x72, 0x7B, 0x93, 0x85, 0x6D, 0x93, 0x7B, + 0x6D, 0x85, 0x9B, 0x9B, 0x65, 0x65, 0x82, 0x9D, + 0x7E, 0x63, 0x9D, 0x82, 0x63, 0x7E, 0x9B, 0xA8, + 0x65, 0x58, 0xA8, 0x9B, 0x58, 0x65, 0xA9, 0xA9, + 0x57, 0x57, 0x8D, 0xAA, 0x73, 0x56, 0xAA, 0x8D, + 0x56, 0x73, 0x6E, 0x99, 0x92, 0x67, 0x99, 0x6E, + 0x67, 0x92, 0x76, 0xA2, 0x8A, 0x5E, 0xA2, 0x76, + 0x5E, 
0x8A, 0x7F, 0xAF, 0x81, 0x51, 0xAF, 0x7F, + 0x51, 0x81, 0xAB, 0xBA, 0x55, 0x46, 0xBA, 0xAB, + 0x46, 0x55, 0x9A, 0xBB, 0x66, 0x45, 0xBB, 0x9A, + 0x45, 0x66, 0xBB, 0xBB, 0x45, 0x45, 0x60, 0xA0, + 0xA0, 0x60, 0xA0, 0x60, 0x60, 0xA0, 0x8B, 0xBE, + 0x75, 0x42, 0xBE, 0x8B, 0x42, 0x75, 0x66, 0xAA, + 0x9A, 0x56, 0xAA, 0x66, 0x56, 0x9A, 0x70, 0xB5, + 0x90, 0x4B, 0xB5, 0x70, 0x4B, 0x90, 0xBE, 0xCF, + 0x42, 0x31, 0xCF, 0xBE, 0x31, 0x42, 0xAB, 0xD0, + 0x55, 0x30, 0xD0, 0xAB, 0x30, 0x55, 0xD1, 0xD1, + 0x2F, 0x2F, 0x9A, 0xD3, 0x66, 0x2D, 0xD3, 0x9A, + 0x2D, 0x66, 0x7B, 0xC5, 0x85, 0x3B, 0xC5, 0x7B, + 0x3B, 0x85, 0x54, 0xB4, 0xAC, 0x4C, 0xB4, 0x54, + 0x4C, 0xAC, 0x5E, 0xBE, 0xA2, 0x42, 0xBE, 0x5E, + 0x42, 0xA2, 0x87, 0xD8, 0x79, 0x28, 0xD8, 0x87, + 0x28, 0x79, 0xC0, 0xE8, 0x40, 0x18, 0xE8, 0xC0, + 0x18, 0x40, 0xD5, 0xE8, 0x2B, 0x18, 0xE8, 0xD5, + 0x18, 0x2B, 0xAB, 0xE9, 0x55, 0x17, 0xE9, 0xAB, + 0x17, 0x55, 0x68, 0xCD, 0x98, 0x33, 0xCD, 0x68, + 0x33, 0x98, 0xEA, 0xEA, 0x16, 0x16, 0x80, 0x80, }, + { 0x80, 0x80, 0x86, 0x86, 0x7A, 0x7A, 0x7E, 0x88, + 0x82, 0x78, 0x88, 0x7E, 0x78, 0x82, 0x92, 0x92, + 0x6E, 0x6E, 0x85, 0x92, 0x7B, 0x6E, 0x92, 0x85, + 0x6E, 0x7B, 0x73, 0x8D, 0x8D, 0x73, 0x8D, 0x73, + 0x73, 0x8D, 0x91, 0x9E, 0x6F, 0x62, 0x9E, 0x91, + 0x62, 0x6F, 0x79, 0x97, 0x87, 0x69, 0x97, 0x79, + 0x69, 0x87, 0xA0, 0xA0, 0x60, 0x60, 0x83, 0xA2, + 0x7D, 0x5E, 0xA2, 0x83, 0x5E, 0x7D, 0xA0, 0xB0, + 0x60, 0x50, 0xB0, 0xA0, 0x50, 0x60, 0xB1, 0xB1, + 0x4F, 0x4F, 0x8F, 0xB2, 0x71, 0x4E, 0xB2, 0x8F, + 0x4E, 0x71, 0x6B, 0x9E, 0x95, 0x62, 0x9E, 0x6B, + 0x62, 0x95, 0x74, 0xA9, 0x8C, 0x57, 0xA9, 0x74, + 0x57, 0x8C, 0x7F, 0xB8, 0x81, 0x48, 0xB8, 0x7F, + 0x48, 0x81, 0xB4, 0xC5, 0x4C, 0x3B, 0xC5, 0xB4, + 0x3B, 0x4C, 0x9F, 0xC6, 0x61, 0x3A, 0xC6, 0x9F, + 0x3A, 0x61, 0xC6, 0xC6, 0x3A, 0x3A, 0x59, 0xA7, + 0xA7, 0x59, 0xA7, 0x59, 0x59, 0xA7, 0x8D, 0xCA, + 0x73, 0x36, 0xCA, 0x8D, 0x36, 0x73, 0x61, 0xB2, + 0x9F, 0x4E, 0xB2, 0x61, 0x4E, 0x9F, 0x6D, 0xBF, + 0x93, 0x41, 0xBF, 0x6D, 0x41, 0x93, 0xCA, 0xDF, + 
0x36, 0x21, 0xDF, 0xCA, 0x21, 0x36, 0xB3, 0xDF, + 0x4D, 0x21, 0xDF, 0xB3, 0x21, 0x4D, 0xE1, 0xE1, + 0x1F, 0x1F, 0x9F, 0xE3, 0x61, 0x1D, 0xE3, 0x9F, + 0x1D, 0x61, 0x7A, 0xD3, 0x86, 0x2D, 0xD3, 0x7A, + 0x2D, 0x86, 0x4C, 0xBE, 0xB4, 0x42, 0xBE, 0x4C, + 0x42, 0xB4, 0x57, 0xCA, 0xA9, 0x36, 0xCA, 0x57, + 0x36, 0xA9, 0x88, 0xE9, 0x78, 0x17, 0xE9, 0x88, + 0x17, 0x78, 0xCC, 0xFB, 0x34, 0x05, 0xFB, 0xCC, + 0x05, 0x34, 0xE6, 0xFB, 0x1A, 0x05, 0xFB, 0xE6, + 0x05, 0x1A, 0xB4, 0xFD, 0x4C, 0x03, 0xFD, 0xB4, + 0x03, 0x4C, 0x63, 0xDC, 0x9D, 0x24, 0xDC, 0x63, + 0x24, 0x9D, 0xFE, 0xFE, 0x02, 0x02, 0x80, 0x80, }, + { 0x80, 0x80, 0x87, 0x87, 0x79, 0x79, 0x7E, 0x89, + 0x82, 0x77, 0x89, 0x7E, 0x77, 0x82, 0x95, 0x95, + 0x6B, 0x6B, 0x86, 0x96, 0x7A, 0x6A, 0x96, 0x86, + 0x6A, 0x7A, 0x70, 0x90, 0x90, 0x70, 0x90, 0x70, + 0x70, 0x90, 0x94, 0xA4, 0x6C, 0x5C, 0xA4, 0x94, + 0x5C, 0x6C, 0x78, 0x9B, 0x88, 0x65, 0x9B, 0x78, + 0x65, 0x88, 0xA6, 0xA6, 0x5A, 0x5A, 0x83, 0xA9, + 0x7D, 0x57, 0xA9, 0x83, 0x57, 0x7D, 0xA6, 0xB9, + 0x5A, 0x47, 0xB9, 0xA6, 0x47, 0x5A, 0xBA, 0xBA, + 0x46, 0x46, 0x92, 0xBC, 0x6E, 0x44, 0xBC, 0x92, + 0x44, 0x6E, 0x67, 0xA3, 0x99, 0x5D, 0xA3, 0x67, + 0x5D, 0x99, 0x72, 0xB0, 0x8E, 0x50, 0xB0, 0x72, + 0x50, 0x8E, 0x7F, 0xC3, 0x81, 0x3D, 0xC3, 0x7F, + 0x3D, 0x81, 0xBE, 0xD2, 0x42, 0x2E, 0xD2, 0xBE, + 0x2E, 0x42, 0xA5, 0xD4, 0x5B, 0x2C, 0xD4, 0xA5, + 0x2C, 0x5B, 0xD4, 0xD4, 0x2C, 0x2C, 0x52, 0xAE, + 0xAE, 0x52, 0xAE, 0x52, 0x52, 0xAE, 0x8F, 0xD8, + 0x71, 0x28, 0xD8, 0x8F, 0x28, 0x71, 0x5B, 0xBB, + 0xA5, 0x45, 0xBB, 0x5B, 0x45, 0xA5, 0x69, 0xCB, + 0x97, 0x35, 0xCB, 0x69, 0x35, 0x97, 0xD8, 0xF0, + 0x28, 0x10, 0xF0, 0xD8, 0x10, 0x28, 0xBD, 0xF1, + 0x43, 0x0F, 0xF1, 0xBD, 0x0F, 0x43, 0xF3, 0xF3, + 0x0D, 0x0D, 0xA5, 0xF6, 0x5B, 0x0A, 0xF6, 0xA5, + 0x0A, 0x5B, 0x78, 0xE2, 0x88, 0x1E, 0xE2, 0x78, + 0x1E, 0x88, 0x42, 0xC9, 0xBE, 0x37, 0xC9, 0x42, + 0x37, 0xBE, 0x4F, 0xD8, 0xB1, 0x28, 0xD8, 0x4F, + 0x28, 0xB1, 0x8A, 0xFD, 0x76, 0x03, 0xFD, 0x8A, + 0x03, 0x76, 0xDB, 0xFF, 0x25, 0x01, 0xFF, 
0xDB, + 0x01, 0x25, 0xF9, 0xFF, 0x07, 0x01, 0xFF, 0xF9, + 0x01, 0x07, 0xBE, 0xFF, 0x42, 0x01, 0xFF, 0xBE, + 0x01, 0x42, 0x5E, 0xED, 0xA2, 0x13, 0xED, 0x5E, + 0x13, 0xA2, 0xFF, 0xFF, 0x01, 0x01, 0x80, 0x80, }, }; #endif /* AVCODEC_INDEO2DATA_H */ From e1d771e8183a2bc75235687107d5ee16ea43d9d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Mar 2016 19:40:32 +0100 Subject: [PATCH 683/700] avcodec/resample: Remove disabled and faulty code Fixes Ticket5345 Signed-off-by: Michael Niedermayer (cherry picked from commit 50ef7361cb5f78c94da2323f3bae86c6bbd618c8) Signed-off-by: Michael Niedermayer --- libavcodec/resample.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index c45aa16cd1..ec311c7bfb 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -290,12 +290,6 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl short *output_bak = NULL; int lenout; - if (s->input_channels == s->output_channels && s->ratio == 1.0 && 0) { - /* nothing to do */ - memcpy(output, input, nb_samples * s->input_channels * sizeof(short)); - return nb_samples; - } - if (s->sample_fmt[0] != AV_SAMPLE_FMT_S16) { int istride[1] = { s->sample_size[0] }; int ostride[1] = { 2 }; From 2cdeb2c4f87a61e2e00e9b11aa3a9f6e1804c7e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2016 15:41:30 +0100 Subject: [PATCH 684/700] avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored Fixes Ticket5244 Signed-off-by: Michael Niedermayer (cherry picked from commit 068026b0f7845e0f1850094d974f60d181480d64) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc_common.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 8ff37288a7..1517bdce9e 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c 
@@ -117,14 +117,24 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) uint8_t *ptr; if (avctx->sample_aspect_ratio.num > 0 && avctx->sample_aspect_ratio.den > 0) { + AVRational sar = avctx->sample_aspect_ratio; + + if (sar.num > 65535 || sar.den > 65535) { + if (!av_reduce(&sar.num, &sar.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 65535)) + av_log(avctx, AV_LOG_WARNING, + "Cannot store exact aspect ratio %d:%d\n", + avctx->sample_aspect_ratio.num, + avctx->sample_aspect_ratio.den); + } + /* JFIF header */ put_marker(p, APP0); put_bits(p, 16, 16); avpriv_put_string(p, "JFIF", 1); /* this puts the trailing zero-byte too */ put_bits(p, 16, 0x0102); /* v 1.02 */ put_bits(p, 8, 0); /* units type: 0 - aspect ratio */ - put_bits(p, 16, avctx->sample_aspect_ratio.num); - put_bits(p, 16, avctx->sample_aspect_ratio.den); + put_bits(p, 16, sar.num); + put_bits(p, 16, sar.den); put_bits(p, 8, 0); /* thumbnail width */ put_bits(p, 8, 0); /* thumbnail height */ } From f41e7b14db222730e9ef6a5d60a133d2b19b7c08 Mon Sep 17 00:00:00 2001 
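Review bot: After the `av_reduce(..., 65535)` call the code writes `sar.num` and `sar.den` without checking that both are still non-zero. For a sufficiently lopsided ratio the reduction can presumably round one term to 0, and the JFIF density fields would then be 0 even though the outer `> 0` test on the original ratio passed. Consider clamping after the reduce, e.g. `sar.num = FFMAX(sar.num, 1); sar.den = FFMAX(sar.den, 1);`, or skipping the JFIF header when either term ends up 0. av_reduce itself is not shown here, so its behaviour for extreme inputs should be confirmed.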
From: Ico Doornekamp Date: Thu, 24 Mar 2016 14:31:38 +0100 Subject: [PATCH 685/700] avformat/rtpdec_jpeg: fix low contrast image on low quality setting Original mail and my own followup on ffmpeg-user earlier today: I have a device sending out a MJPEG/RTP stream on a low quality setting. Decoding and displaying the video with libavformat results in a washed out, low contrast, greyish image. Playing the same stream with VLC results in proper color representation. Screenshots for comparison: http://zevv.nl/div/libav/shot-ffplay.jpg http://zevv.nl/div/libav/shot-vlc.jpg A pcap capture of a few seconds of video and SDP file for playing the stream are available at http://zevv.nl/div/libav/mjpeg.pcap http://zevv.nl/div/libav/mjpeg.sdp I believe the problem might be in the calculation of the quantization tables in the function create_default_qtables(), the attached patch solves the issue for me. The problem is that the argument 'q' is of the type uint8_t. According to the JPEG standard, if 1 <= q <= 50, the scale factor 'S' should be 5000 / Q. Because the create_default_qtables() reuses the variable 'q' to store the result of this calculation, for small values of q < 19, q wil subsequently overflow and give wrong results in the calculated quantization tables. The patch below uses a new variable 'S' (same name as in RFC2435) with the proper range to store the result of the division. Signed-off-by: Michael Niedermayer (cherry picked from commit e3e6a2cff4af9542455d416faec4584d5e823d5d) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_jpeg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpdec_jpeg.c b/libavformat/rtpdec_jpeg.c index ccd80ad7e8..cefc00a370 100644 --- a/libavformat/rtpdec_jpeg.c +++ b/libavformat/rtpdec_jpeg.c 
@@ -207,16 +207,17 @@ static void create_default_qtables(uint8_t *qtables, uint8_t q) { int factor = q; int i; + uint16_t S; factor = av_clip(q, 1, 99); if (q < 50) - q = 5000 / factor; + S = 5000 / factor; else - q = 200 - factor * 2; + S = 200 - factor * 2; for (i = 0; i < 128; i++) { - int val = (default_quantizers[i] * q + 50) / 100; + int val = (default_quantizers[i] * S + 50) / 100; /* Limit the quantizers to 1 <= q <= 255. */ val = av_clip(val, 1, 255); From 7b551ba7320bf45d60ec65d872aaab5a8a099550 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Mar 2016 20:55:30 +0100 Subject: [PATCH 686/700] avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set Reviewed-by: maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 0cd9ff4e3aa23318a855c21d60b1c9035b2b99d2) Signed-off-by: Michael Niedermayer --- libavcodec/libutvideodec.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/libutvideodec.cpp b/libavcodec/libutvideodec.cpp index e4b87a8bbc..93fbcb4a51 100644 --- a/libavcodec/libutvideodec.cpp +++ b/libavcodec/libutvideodec.cpp @@ -222,9 +222,19 @@ static int utvideo_decode_frame(AVCodecContext *avctx, void *data, pic->data[0] = utv->buffer + utv->buf_size + pic->linesize[0]; break; } + pic->width = w; + pic->height = h; + pic->format = avctx->pix_fmt; + + if (avctx->refcounted_frames) { + int ret = av_frame_ref((AVFrame*)data, pic); + if (ret < 0) + return ret; + } else { + av_frame_move_ref((AVFrame*)data, pic); + } *got_frame = 1; - av_frame_move_ref((AVFrame*)data, pic); return avpkt->size; } From eae0a6582df3c658e9f32744c6c3252876db2570 Mon Sep 17 00:00:00 2001 From: Aaron Boxer Date: Thu, 31 Mar 2016 16:02:14 -0400 Subject: [PATCH 687/700] avcodec/j2kenc: Add attribution to OpenJPEG project: http://ghostscript.com/~tor/gs-browse/gs/openjpeg/libopenjpeg/t1.c 
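Review bot: The declaration `uint16_t S;` carries the whole fix, yet nothing at it says why the scale factor must not be stored back into `q`, so a later cleanup could fold the two together again. Suggest `uint16_t S; /* RFC 2435 scale factor, up to 5000: does not fit the uint8_t q */`. The branch still tests the raw `q` while the arithmetic uses the clipped `factor`; `if (factor < 50)` selects the same branch for every q and reads consistently. The initialiser in `int factor = q;` is dead, since it is overwritten by the av_clip assignment that follows.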
Signed-off-by: Michael Niedermayer (cherry picked from commit b6b4b0a65e02495edf9d7e5b23bef99a92921147) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index ddb0b686cb..60e211e7e3 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c 
@@ -17,8 +17,46 @@ * You should have received a copy of the GNU Lesser General Public * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + * ********************************************************************************************************************** + * + * + * + * This source code incorporates work covered by the following copyright and + * permission notice: + * + * Copyright (c) 2002-2007, Communications and Remote Sensing Laboratory, Universite catholique de Louvain (UCL), Belgium + * Copyright (c) 2002-2007, Professor Benoit Macq + * Copyright (c) 2001-2003, David Janssens + * Copyright (c) 2002-2003, Yannick Verschueren + * Copyright (c) 2003-2007, Francois-Olivier Devaux and Antonin Descampe + * Copyright (c) 2005, Herve Drolon, FreeImage Team + * Copyright (c) 2007, Callum Lerwick + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. */ + /** * JPEG2000 image encoder * @file From dc751a55e5ae243630b18f3f6bedc49ee9656b38 Mon Sep 17 00:00:00 2001 From: Marios Titas Date: Sat, 2 Apr 2016 21:11:44 +0300 Subject: [PATCH 688/700] avfilter/src_movie: fix how we check for overflows with seek_point Currently, if the movie source filter is used and a seek_point is specified on a file that has a negative start time, ffmpeg will fail. An easy way to reproduce this is as follows: $ ffmpeg -vsync passthrough -filter_complex 'color=d=10,setpts=PTS-1/TB' test.mp4 $ ffmpeg -filter_complex 'movie=filename=test.mp4:seek_point=2' -f null - The problem is caused by checking for int64_t overflow the wrong way. In general, to check whether a + b overflows, it is not enough to do: a > INT64_MAX - b because b might be negative; the correct way is: b > 0 && > a > INT64_MAX - b Signed-off-by: Michael Niedermayer (cherry picked from commit c1f9734f977f59bc0034096afbe8e43e40d93a5d) Signed-off-by: Michael Niedermayer --- libavfilter/src_movie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 908c03e1d3..6df52f75cc 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c 
@@ -240,7 +240,7 @@ static av_cold int movie_common_init(AVFilterContext *ctx) timestamp = movie->seek_point; // add the stream start time, should it exist if (movie->format_ctx->start_time != AV_NOPTS_VALUE) { - if (timestamp > INT64_MAX - movie->format_ctx->start_time) { + if (timestamp > 0 && movie->format_ctx->start_time > INT64_MAX - timestamp) { av_log(ctx, AV_LOG_ERROR, "%s: seek value overflow with start_time:%"PRId64" seek_point:%"PRId64"\n", movie->file_name, movie->format_ctx->start_time, movie->seek_point); From 1e46629234aa19f3ad1e94d220cd90510ae58ca6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Apr 2016 15:10:31 +0200 Subject: [PATCH 689/700] avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case Fixes Ticket 5438 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e26bdd59bf559d00c7e60c53fff292de10139ff) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9493dc32d..7ab32a0b00 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -63,7 +63,7 @@ restart: continue; } bpc->pc.frame_start_found++; - bpc->remaining_size = bpc->fsize + i - 17; + bpc->remaining_size = bpc->fsize + FFMAX(i - 17, 0); if (bpc->pc.index + i > 17) { next = i - 17; From 2bb9f5d6074a08c9b7c1567c463e6cc3cdf2b450 Mon Sep 17 00:00:00 2001 From: Ivan Date: Tue, 12 Apr 2016 16:32:04 -0400 Subject: [PATCH 690/700] avcodec/h264: Fix for H.264 configuration parsing Sometimes video fails to decode if H.264 configuration changes mid stream. The reason is that configuration parser assumes that nal_ref_idc is equal to 11b while actually some codecs but 01b there. The H.264 spec is somewhat vague about this but it looks like it allows any non-zero nal_ref_idc for sps/pps. 
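Review bot: The rewritten guard in movie_common_init() rejects only the positive-overflow case, so when `timestamp` and `start_time` are both negative the addition that presumably follows the check (outside this hunk) can still go below INT64_MIN, which is undefined behaviour for int64_t. Whether `seek_point` can be negative depends on the option's declared range, which is not visible here; if it can, extend the condition with `|| (timestamp < 0 && movie->format_ctx->start_time < INT64_MIN - timestamp)`. `start_time` is taken from the opened file and should be treated as untrusted. The function body starts and ends outside the hunk.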
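Review bot: The new `FFMAX(i - 17, 0)` clamp on `remaining_size` has no comment saying when `i - 17` is negative, and the literal 17 is repeated in the two lines that follow it. Judging by the commit title this is the case where the start code straddles two packets, so a short comment above the assignment such as `/* header began in the previous packet: never shrink remaining_size below fsize */` would stop a later reader from simplifying it back. `fsize` is presumably parsed from the file header, so it is also worth confirming outside this hunk that it is bounded before this addition. The enclosing parse function starts and ends outside the hunk.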
Signed-off-by: Michael Niedermayer (cherry picked from commit 3a727606c474d3d0b9efa3c900294a84bdb5e331) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 436a079f57..ba3d910b62 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1821,7 +1821,7 @@ static int is_extra(const uint8_t *buf, int buf_size) const uint8_t *p= buf+6; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x67) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 7) return 0; p += nalsize; } @@ -1830,7 +1830,7 @@ static int is_extra(const uint8_t *buf, int buf_size) return 0; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x68) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 8) return 0; p += nalsize; } From 9ae85f1468f41a9d56629e401c72ac7f342ca414 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Apr 2016 22:38:26 +0200 Subject: [PATCH 691/700] avcodec/avpacket: Fix off by 5 error Fixes out of array read Fixes: mozilla bug 1266129 Found-by: Tyson Smith Tested-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 9f36ea57ae6eefb42432220feab0350494f4144c) Conflicts: libavcodec/avpacket.c --- libavcodec/avpacket.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 03332ac8aa..51b5c525ac 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -388,10 +388,12 @@ int av_packet_split_side_data(AVPacket *pkt){ p = pkt->data + pkt->size - 8 - 5; for (i=1; ; i++){ size = AV_RB32(p); - if (size>INT_MAX || p - pkt->data < size) + if (size>INT_MAX - 5 || p - pkt->data < size) return 0; if (p[4]&128) break; + if (p - pkt->data < size + 5) + return 0; p-= size+5; } 
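Review bot: In both loops of is_extra() the new test still reads `p[2]` (and `AV_RB16(p)` before it) without first checking that three bytes remain: `nalsize` is at least 2, so a zero-length entry at the very end of `buf` passes `nalsize > buf_size - (p-buf)` and `p[2]` is then one byte past `buf_size`. The same applies to the PPS loop in the following hunk at -1830. Whether this is an actual over-read depends on the padding the caller guarantees for the buffer, which is not visible here; adding `nalsize < 3 ||` at the front of each condition makes the check self-contained. Note also that the `0x9F` mask accepts nal_ref_idc == 0, while the description says non-zero values are what the spec allows. is_extra() starts outside the hunk.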
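Review bot: The literal `5` now appears in three places in this loop (`INT_MAX - 5`, `size + 5`, `p -= size+5`) and again in the assert of the next hunk, with nothing saying what it is. From the visible reads it is the 4-byte big-endian size at `p` plus the type/flag byte at `p[4]`; a named constant or a one-line comment such as `/* each side-data trailer is a 4-byte size followed by 1 type byte */` would make the bounds checks reviewable without re-deriving it. The first read at `pkt->data + pkt->size - 8 - 5` also assumes `pkt->size >= 13`; that check is presumably made before the hunk and is worth confirming, since the packet content is untrusted input. av_packet_split_side_data() starts and ends outside the hunk.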
@@ -402,7 +404,7 @@ int av_packet_split_side_data(AVPacket *pkt){ p= pkt->data + pkt->size - 8 - 5; for (i=0; ; i++){ size= AV_RB32(p); - av_assert0(size<=INT_MAX && p - pkt->data >= size); + av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size); pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); pkt->side_data[i].size = size; pkt->side_data[i].type = p[4]&127; From 72b600de29c6ec854b961919253ac161ae7fa770 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 12 Apr 2016 10:51:30 +0200 Subject: [PATCH 692/700] avcodec/apedec: fix decoding of stereo files with one channel full of silence Signed-off-by: Paul B Mahol (cherry picked from commit 9149e9c0baaec122bc3da925d6068dffa60b5427) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7893bc320f..4b11b1b4bc 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1387,7 +1387,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; - if (ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) { + if ((ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) == APE_FRAMECODE_STEREO_SILENCE) { /* We are pure silence, so we're done. */ av_log(ctx->avctx, AV_LOG_DEBUG, "pure silence stereo\n"); return; From e196cd52348d99b5d9dbcff83f7b95751c58b8b0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 20 Apr 2016 22:45:05 +0200 Subject: [PATCH 693/700] avcodec/takdec: add code that got somehow lost in process of REing Signed-off-by: Paul B Mahol (cherry picked from commit 38797a8033d061ade58b30b8ac86da222fe42a84) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0b1484958e..2b72e8476c 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
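Review bot: The switch from a truthiness test to `== APE_FRAMECODE_STEREO_SILENCE` in ape_unpack_stereo() only makes sense if that constant is a multi-bit mask, which the hunk does not show and the code does not say. A comment above the condition, e.g. `/* both channels are silent only when every bit of the mask is set; a single bit means one silent channel */`, would document why a plain `&` test is wrong here. Frames with only one silent channel now fall through to the regular decode path, whose handling of that case is outside the hunk. The function body continues past the hunk.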
@@ -224,6 +224,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a3 = coeffs[2]; int a4 = a3 + a1; int a5 = a4 + a2; + coeffs[2] = a5; coeffs += 3; for (i = 0; i < length - 3; i++) { a3 += *coeffs; From 1d3843fc939ef74c7bc2840414998dba47466c5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Apr 2016 12:30:20 +0200 Subject: [PATCH 694/700] avfilter/vf_drawtext: Check return code of load_glyph() Fixes segfault Fixes Ticket5347 Signed-off-by: Michael Niedermayer (cherry picked from commit 2e67a99fbc6b99315925de40fc6fa7161576be10) Signed-off-by: Michael Niedermayer --- libavfilter/vf_drawtext.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index d20f8055c4..864ff63e8c 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -1174,7 +1174,9 @@ static int draw_text(AVFilterContext *ctx, AVFrame *frame, dummy.code = code; glyph = av_tree_find(s->glyphs, &dummy, glyph_cmp, NULL); if (!glyph) { - load_glyph(ctx, &glyph, code); + ret = load_glyph(ctx, &glyph, code); + if (ret < 0) + return ret; } y_min = FFMIN(glyph->bbox.yMin, y_min); From 7e5e531ec68b297cd8f86c70cf7c51bc8bc4dc3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Apr 2016 04:08:21 +0200 Subject: [PATCH 695/700] avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 Fixes Ticket5319 Signed-off-by: Michael Niedermayer (cherry picked from commit 9ac154d1facd4756db6918f866dccf3e3ffb698c) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index dbf20a81f1..0ffd0a10a7 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
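Review bot: The added `coeffs[2] = a5;` (like the existing `coeffs[2]` read above it) is in bounds only when `length >= 3`, and no such guard is visible in the hunk; if `length` can be smaller in this mode, `length - 3` in the loop bound also goes negative. If the check is not already made earlier in decode_lpc() or by its callers, wrap this block in `if (length > 2) { ... }`. Separately, `a3 + a1` and `a4 + a2` are signed `int` additions on decoded values and can overflow; doing the accumulation in `unsigned` avoids the undefined behaviour. decode_lpc() starts and ends outside the hunk.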
@@ -902,11 +902,13 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) ff_eac3_default_spx_band_struct, &s->num_spx_bands, s->spx_band_sizes); - } else { - for (ch = 1; ch <= fbw_channels; ch++) { - s->channel_uses_spx[ch] = 0; - s->first_spx_coords[ch] = 1; - } + } + } + if (!s->eac3 || !s->spx_in_use) { + s->spx_in_use = 0; + for (ch = 1; ch <= fbw_channels; ch++) { + s->channel_uses_spx[ch] = 0; + s->first_spx_coords[ch] = 1; } } From cba830c4636a6b60cb1d925b57fcea473a80d518 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Sun, 24 Apr 2016 17:30:56 +0300 Subject: [PATCH 696/700] pgssubdec: fix subpicture output colorspace and range Functionality used before didn't widen the values from limited to full range. Additionally, now the decoder uses BT.709 where it should be used according to the video resolution. Default for not yet set colorimetry is BT.709 due to most observed HDMV content being HD. BT.709 coefficients were gathered from the first two parts of BT.709 to BT.2020 conversion guide in ARIB STD-B62 (Pt. 1, Chapter 6.2.2). They were additionally confirmed by manually calculating values. Fixes #4637 (cherry picked from commit 9779b6262471d553c1ed811ff7312564e39d8adf) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 10 ++++++++-- libavutil/colorspace.h | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 3c39e7ac63..6603cc2927 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c 
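Review bot: The relocated reset block has no comment explaining why it must now also run when `!s->eac3`, which is the whole point of the fix. Something like `/* plain AC-3 never carries SPX: clear state left over from a preceding E-AC-3 frame */` above `if (!s->eac3 || !s->spx_in_use)` would record that stale `spx_in_use` and `channel_uses_spx[]` values from an earlier stream type are what this guards against. The loop runs `ch` from 1 to `fbw_channels`; that this bound fits the `channel_uses_spx` and `first_spx_coords` arrays is established outside the hunk. decode_audio_block() starts and ends outside the hunk.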
@@ -354,8 +354,14 @@ static int parse_palette_segment(AVCodecContext *avctx, cb = bytestream_get_byte(&buf); alpha = bytestream_get_byte(&buf); - YUV_TO_RGB1(cb, cr); - YUV_TO_RGB2(r, g, b, y); + /* Default to BT.709 colorimetry. In case of <= 576 height use BT.601 */ + if (avctx->height <= 0 || avctx->height > 576) { + YUV_TO_RGB1_CCIR_BT709(cb, cr); + } else { + YUV_TO_RGB1_CCIR(cb, cr); + } + + YUV_TO_RGB2_CCIR(r, g, b, y); av_dlog(avctx, "Color %d := (%d,%d,%d,%d)\n", color_id, r, g, b, alpha); diff --git a/libavutil/colorspace.h b/libavutil/colorspace.h index f438159811..dbb0ce8b8e 100644 --- a/libavutil/colorspace.h +++ b/libavutil/colorspace.h @@ -41,6 +41,16 @@ b_add = FIX(1.77200*255.0/224.0) * cb + ONE_HALF;\ } +#define YUV_TO_RGB1_CCIR_BT709(cb1, cr1)\ +{\ + cb = (cb1) - 128;\ + cr = (cr1) - 128;\ + r_add = FIX(1.5747*255.0/224.0) * cr + ONE_HALF;\ + g_add = - FIX(0.1873*255.0/224.0) * cb - FIX(0.4682*255.0/224.0) * cr + \ + ONE_HALF;\ + b_add = FIX(1.8556*255.0/224.0) * cb + ONE_HALF;\ +} + #define YUV_TO_RGB2_CCIR(r, g, b, y1)\ {\ y = ((y1) - 16) * FIX(255.0/219.0);\ From fb15a0f42af35c9b837e3766c38ce633b38782a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Apr 2016 19:17:19 +0200 Subject: [PATCH 697/700] avcodec/ttaenc: Reallocate packet if its too small Fixes assertion failure Fixes Ticket5394 Signed-off-by: Michael Niedermayer (cherry picked from commit 005c61c6b8982f977e415aa69d2d2b42e6b7f3f2) Conflicts: libavcodec/ttaenc.c --- libavcodec/ttaenc.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index ccd41a90c9..37624a9c62 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c 
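Review bot: `YUV_TO_RGB1_CCIR_BT709` in libavutil/colorspace.h expands to a bare `{ ... }` block, so `if (c) YUV_TO_RGB1_CCIR_BT709(cb, cr); else ...` would not compile, which is why the pgssubdec.c call site in the previous hunk has to wrap each call in its own braces. Wrapping the body as `do {\` ... `} while (0)` removes that hazard; the existing `YUV_TO_RGB1_CCIR` is used the same way and could be changed together with it for consistency. The macro also writes to `cb`, `cr`, `r_add`, `g_add` and `b_add`, which the caller must have declared; a one-line comment above the macro stating that would help. `cb1` and `cr1` are each evaluated once, so there is no double-evaluation problem.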
@@ -114,9 +114,12 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { TTAEncContext *s = avctx->priv_data; PutBitContext pb; - int ret, i, out_bytes, cur_chan = 0, res = 0, samples = 0; + int ret, i, out_bytes, cur_chan, res, samples; + int64_t pkt_size = frame->nb_samples * 2LL * avctx->channels * s->bps; - if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * avctx->channels * s->bps)) < 0) +pkt_alloc: + cur_chan = 0, res = 0, samples = 0; + if ((ret = ff_alloc_packet2(avctx, avpkt, pkt_size)) < 0) return ret; init_put_bits(&pb, avpkt->data, avpkt->size); @@ -174,6 +177,14 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, rice->k1++; unary = 1 + (outval >> k); + if (unary + 100LL > put_bits_left(&pb)) { + if (pkt_size < INT_MAX/2) { + pkt_size *= 2; + av_packet_unref(avpkt); + goto pkt_alloc; + } else + return AVERROR(ENOMEM); + } do { if (unary > 31) { put_bits(&pb, 31, 0x7FFFFFFF); From 95a8dace5cc70ad94f0820ed9fb9679276a385e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2016 22:50:48 +0200 Subject: [PATCH 698/700] avformat/ffmdec: Check pix_fmt Fixes crash Fixes Ticket5412 Signed-off-by: Michael Niedermayer (cherry picked from commit 78baa450d9939957f52d5187beb95d763d2f1f18) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index b5135f18cd..4faecacd10 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -26,6 +26,7 @@ #include "libavutil/opt.h" #include "libavutil/avassert.h" #include "libavutil/avstring.h" +#include "libavutil/pixdesc.h" #include "avformat.h" #include "internal.h" #include "ffm.h" 
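Review bot: The headroom test `unary + 100LL > put_bits_left(&pb)` in the second hunk uses an unexplained margin of 100 bits, and every write after the unary run relies on it being enough. A comment stating what the 100 covers, or a named constant, would let a reader check it against the largest write that can follow. The retry through `goto pkt_alloc` (label added in the first hunk) restarts the frame from the top, which is correct only if all per-channel encoder state is re-initialised after the label; the hunk shows `cur_chan`, `res` and `samples` being reset, but the rest is outside it and should be confirmed. tta_encode_frame() continues outside both hunks.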
@@ -365,6 +366,11 @@ static int ffm2_read_header(AVFormatContext *s) codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); + if (!av_pix_fmt_desc_get(codec->pix_fmt)) { + av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt); + codec->pix_fmt = AV_PIX_FMT_NONE; + goto fail; + } codec->qmin = avio_r8(pb); codec->qmax = avio_r8(pb); codec->max_qdiff = avio_r8(pb); @@ -556,6 +562,11 @@ static int ffm_read_header(AVFormatContext *s) codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); + if (!av_pix_fmt_desc_get(codec->pix_fmt)) { + av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt); + codec->pix_fmt = AV_PIX_FMT_NONE; + goto fail; + } codec->qmin = avio_r8(pb); codec->qmax = avio_r8(pb); codec->max_qdiff = avio_r8(pb); From 5141a0ceafd34a68723da1940a410cfacf116110 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 12 Jul 2016 17:05:42 -0300 Subject: [PATCH 699/700] avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame Signed-off-by: James Almer (cherry picked from commit 5adfbd391847fcdaea1e9b105fae2dd90af2a733) --- libavformat/oggparsevp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index 5959d32b6a..7c67cc55a3 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -79,7 +79,11 @@ static uint64_t vp8_gptopts(AVFormatContext *s, int idx, uint64_t granule, int64 struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; - uint64_t pts = (granule >> 32); + int invcnt = !((granule >> 30) & 3); + // If page granule is that of an invisible vp8 frame, its pts will be + // that of the end of the next visible frame. We substract 1 for those + // to prevent messing up pts calculations. + uint64_t pts = (granule >> 32) - invcnt; uint32_t dist = (granule >> 3) & 0x07ffffff; if (!dist) 
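Review bot: The same five-line pix_fmt check is pasted into both ffm2_read_header() and ffm_read_header() (the hunk at -556), and in both the untrusted 32-bit value is stored into `codec->pix_fmt` before it is validated. A small static helper that reads into a local `int`, validates it with av_pix_fmt_desc_get() and assigns only on success keeps the two parsers in step and never leaves an out-of-range enum value in the context. The neighbouring fields read from the file in the context lines (`height`, `gop_size`, `qmin`, `qmax`, `max_qdiff`) get no range check in the visible lines. Both functions start and end outside the hunks.

```c
/* Read a 32-bit pixel format id and reject ids libavutil has no descriptor for. */
static int ffm_read_pix_fmt(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec)
{
    int id = avio_rb32(pb);

    if (!av_pix_fmt_desc_get(id)) {
        av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", id);
        codec->pix_fmt = AV_PIX_FMT_NONE;
        return AVERROR_INVALIDDATA;
    }
    codec->pix_fmt = id;
    return 0;
}

/* ... in ffm2_read_header() and ffm_read_header(), in place of the added check ... */
        codec->gop_size = avio_rb16(pb);
        if (ffm_read_pix_fmt(s, pb, codec) < 0)
            goto fail;
/* ... unchanged: qmin, qmax, max_qdiff reads ... */
```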
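Review bot: `(granule >> 32) - invcnt` in vp8_gptopts() wraps to UINT64_MAX when the upper 32 bits of the granule are zero and bits 30-31 are also zero, and `granule` comes straight from the Ogg page. Guarding the decrement, e.g. `uint64_t pts = granule >> 32;` followed by `if (invcnt && pts) pts--;`, keeps a malformed page from producing a huge timestamp. The function continues past the end of the hunk, so how `pts` is used afterwards is not visible here.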
From 52a9f668eed6aec35804e362671ba4352a441c3c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 Jun 2016 06:36:31 +0200 Subject: [PATCH 700/700] librtmp: Avoid an infiniloop setting connection arguments The exit condition was missing. Signed-off-by: Timothy Gu (cherry picked from commit e85d38c20a8893cb59d7c86f74481f2497882196) Signed-off-by: Timothy Gu --- libavformat/librtmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index 67939b912e..8c7345f0c8 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -189,6 +189,8 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) if (sep) p = sep + 1; + else + break; } } if (ctx->playpath) {